Information Assurance

and
Security

By Yitbarek W. 2015 E.C

 Chapter-One: Overview of IAS
Information Assurance

• According to the U.S. Department of Defense(DoD), Information assurance

involves:

Actions taken that protect and defend information and information

systems by ensuring their availability, integrity, confidentiality,

authentication and non-repudiation.

 This includes providing for restoration of information systems by

incorporating protection, detection and reaction capabilities.

 Cont.…

Information Assurance

• According to Debra Herrmann (Complete Guide to Security and Privacy

Metrics),

• Information assurance should be viewed as spanning four security engineering

domains:
• Physical security
• Personnel security
• IT security
• Operational security
 Cont.…
• “Physical security refers to the protection of hardware, software, and data
against physical threats to reduce or prevent disruptions to operations and
services and loss of assets.”

• “Personnel security is a variety of ongoing measures taken to reduce the

likelihood and severity of accidental and intentional alteration, destruction,
misappropriation, misuse, misconfiguration, unauthorized distribution, and
unavailability of an organization’s logical and physical assets, as the result of
action or inaction by insiders and known outsiders, such as business partners.”
 Cont.…
• “IT security is the inherent technical features and functions that collectively
contribute to an IT infrastructure achieving and sustaining confidentiality,
integrity, availability, accountability, Authenticity, and reliability.”

• “Operational security involves the implementation of standard operational

security procedures that define the nature and frequency of the interaction between
users, systems, and system resources, the purpose of which is to achieve and
sustain a known secure system state at all times, and prevent accidental or
intentional theft, release, destruction, alteration, misuse, or sabotage of
system resources”.
 Information Assurance
Generally, Information Assurance
• Measures focused at protecting and safeguarding critical system and
information.
• Measures also provides for restoring information systems after an attack by
putting in place proper protection, detection and reaction abilities.
• Is the study of how to protect your information assets from destruction,
degradation, manipulation and exploitation. But also, how to recover
should any of those happen.
• Notice that it is both proactive and reactive.
 Security
• The quality or state of being secure—to be free from danger”.

• Security is often achieved by means of several strategies usually undertaken

simultaneously or used in combination with one another.

• Specialized areas of security

• Physical security, which encompasses strategies to protect people, physical

assets, and the workplace from various threats including fire, unauthorized
access, or natural disasters.
 Security Cont..

• Personal security, which overlaps with physical security in the protection of the
people within the organization.

• Operations security, which focuses on securing the organization’s ability to

carry out its operational activities without interruption or compromise

• Communications security, which encompasses the protection of an

organization’s communications media, technology, and content, and its
ability to use these tools to achieve the organization’s objectives.
 Security

• Network security: measures to protect data during their transmission. It

addresses the protection of an organization’s data networking devices,
connections, and contents, and the ability to use that network to accomplish the
organization’s data communication functions.

• Computer Security: generic name for the collection of tools designed to

protect data and to thwart hackers.

• Information security includes the broad areas of information security

management, computer security, data security, and network security.
 Security
Information Security
• Is the practice of defending information from unauthorized access, use,
disclosure, disruption, modification, destruction etc..
• Development and deployment of security applications and infrastructures.
• Is composed of computer security, network security and Internet security.
• Information security is more than just computer security and computer
security.
• It also includes a wide range of physical security measures such as protecting
your information assets against natural disasters or theft.
Security Goals
 Cont.…
Confidentiality

• Hide the data or information from unauthorized people.

• What to do for Confidentiality?  encryption

Integrity

• Prevent unauthorized modification

• Includes data integrity (content) and

origin integrity (source of data also called authentication)

• What to do for integrity?  hashing

 Cont.…
Availability

• Ensures timely and reliable access and use of information.

 What to do for availability?

 Developing efficient network design,

 Preventing Malicious activity (DDoS),
 Having sufficient bandwidth,…etc
 OSI Security Architecture
• International Telecommunications Union (ITU) is a United Nations sponsored agency that
develops standards relating to telecommunications and to Open system Interconnection
(OSI).
 Cont.…
• The OSI security architecture focuses on security attacks, mechanisms and
services.

• Security Attack: any action that compromises the security of information.

• Security Mechanism: a mechanism that is designed to detect, prevent, or

recover from a security attack.

• Security Service: a service that enhances the security of data processing systems
and information transfers.

• A security service makes use of one or more security mechanisms.

 Security Attacks
• Interruption: this is an attack on availability
• Disrupting traffic.
• Physically breaking communication line.

• Interception: an attack on confidentiality

• Overhearing, eavesdropping over a communication line.
 Security Attacks

• Modification: an attack on integrity

• Corrupting transmitted data or tampering with it before it reaches its
destination.

• Fabrication: an attack on authenticity

• Faking data as if it were created by a legitimate and authentic party.
Security Attacks/Threats
 Passive and Active Attacks

• Security attacks are usually classified as passive or active:

• Passive- attempts to learn or make use of information from the system,

but does not affect system resources.

• Active- attempts to alter system resources or affect their operation.

 Passive attacks….
• Passive attacks- goal to obtain information
• No modification of content or fabrication
• Eavesdropping to learn contents or other information (transfer patterns,
traffic flows etc.)
• Release of message contents
• Traffic analysis
 Active attacks….

• Active attacks- modification of content and/or participation in

communication to

 Impersonate legitimate parties (Masquerade)

 Replay or retransmit

 Modify the content in transit

 Launch denial of service attacks

Passive attack
Passive attack
Active attack
Active attack
Summary of Passive and Active Threats
 Security Mechanism

• Feature designed to detect, prevent, or recover from a security attack

• No single mechanism that will support all services required

• However one particular element underlies many of the security mechanisms

in use:
• Cryptographic techniques

• Hence our focus on this topic

 Security Mechanism
• Two types

• Specific mechanisms existing to provide certain security services. E.g. encryption

used for authentication. Other examples: encipherment, digital signatures, access

controls, data integrity, authentication exchange, routing control, notarization

• Pervasive mechanisms which are general mechanisms incorporated into the

system and not specific to a service. E.g. security audit trail

• Other examples: trusted functionality, security labels, event detection, security

recovery
 Security Mechanism

• Security mechanisms for controlling unwanted access fall into two

categories.

• Using this model requires us to:

1. Select appropriate gatekeeper functions to identify users (for example,
password-based login procedures).
2. Implement security controls to ensure only authorised users access
designated information or resources (for example, monitor activities
and analyse stored information to detect the presence of intruders.
 Security Services

 Authentication-Ensuring the proper identification of entities and origins of data

before communication

-Have both peer-entity & data origin authentication

 Access control- Preventing unauthorized access to system resources

 Data confidentiality- Preventing disclosure to unauthorized parties

 Data integrity- Preventing corruption of data

 Non-repudiation-Collecting proof to prevent denial of participation in transaction

Availability-Protection against denial-of-service
 Attack vs Threat

• Attack - an intelligent act that is a deliberate attempt to evade security

services and violate the security policy of a system. (an assault on system
security).

• Threat - a potential for violation of security or a possible danger that might

expose a vulnerability.
 Program Threats

• Two Types of Program threats

• Information access threats

• Intercept or modify data on behalf of users who should not have access to that data.
• E.g. corruption of data by injecting malicious code

• Service threats
• Exploit service flaws in computers to inhibit use by legitimate uses.
• Viruses and worms are examples of software attacks.
General Security Access Model
 Safeguards and Vulnerabilities

• A Safeguard is a countermeasure to protect against a threat.

• A weakness in a safeguard is called a vulnerability.

• Can you mention some examples of vulnerability ?

 Methods of Defense
• Encryption

• Software Controls
• (access limitations in a data base, in operating system protect each user from other
users)

• Hardware Controls
• (smartcard)

• Policies
• (frequent changes of passwords)

• Physical Controls
Thank You!!!