Topic 2 - Information Assurance Concepts

The document discusses concepts related to information assurance and defense in depth. It describes defense in depth as relying on multiple layers of countermeasures and segmentation to prevent a single compromise from jeopardizing the entire system. Characteristics of an effective defense in depth strategy include being self-organizing, adaptive, and harmonious with the system's purpose. The document also covers concepts such as the CIA triad of confidentiality, integrity and availability, identification, authentication, authorization, accountability, common threats, and capabilities and motivations of attackers.

LECTURE 2

INFORMATION ASSURANCE CONCEPTS


Defense in Depth

• To provide an effective defense, each layer must be composed
of multiple countermeasures of varying complexity, application,
and rigor; this is defense-in-depth.
• A defense-in-depth strategy must have six characteristics:
  ◦ Self-organizing
  ◦ Adapting to unpredictable situations
  ◦ Evolving in concert with an ever-changing environment
  ◦ Reactively resilient
  ◦ Proactively innovative
  ◦ Harmonious with system purpose

TIA2221 Info Assurance & Security 2


Defense in Depth

• Defense-in-depth is most appropriately defined as part of an
organization’s security architecture.
• It relies heavily on the application of segmentation. Segmentation
ensures that a single compromised element of a system cannot
compromise the system as a whole.
• Information and services require varying degrees of defensive
protection depending on their value to the organization.


Defense-in-Depth Conceptual Model

[Figure: the relationship between assets, impacts, and segmentation]


Confidentiality, Integrity, and Availability (CIA Triad)


Confidentiality

• Confidentiality is the assurance of data secrecy where no one is
able to read data except for the intended entity. Confidentiality
should prevail no matter what the data state is.
• Privacy: involves personal autonomy and control of information
about oneself.
• Classification merely means categorization in certain industries.
• Different sensitivity categorizations will address the degree of
security controls needed. E.g., a range of military classification
includes unclassified, confidential, secret, and top secret.


Integrity

• In information systems, integrity assures that the information
has not been altered except by authorized individuals and
processes.
• It provides assurance of the accuracy of the data and that it has
not been corrupted or modified improperly.
• Examples of integrity controls: watermarks, bar codes, hashing,
checksums, and cyclic redundancy check (CRC).
• A second form of integrity control manages the processes used to
enter and manipulate information; e.g., the integrity of a medical
record: the actual data from the lab.
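
The integrity controls listed above differ in what they can detect. The following is an added example, not part of the original slides: it compares a CRC, a plain hash, and a keyed hash (HMAC, a keyed form of hashing that the slides do not name) against accidental corruption and against an unauthorized edit by a party who can also rewrite the stored tags. The record, key, and function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample record and key (assumptions for this example).
RECORD = b"patient=1042;test=HbA1c;result=5.6"
KEY = b"demo-key-held-only-by-the-lab-system"

def make_tags(data: bytes, key: bytes) -> dict:
    """Compute one tag per integrity control for `data`."""
    return {
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
        "sha256": hashlib.sha256(data).hexdigest(),
        "hmac": hmac.new(key, data, hashlib.sha256).hexdigest(),
    }

def detects(received: bytes, stored: dict, key: bytes) -> dict:
    """Return, per control, whether verification flags `received` as altered."""
    fresh = make_tags(received, key)
    return {name: not hmac.compare_digest(fresh[name], stored[name])
            for name in stored}

def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate line noise: invert a single bit of the record."""
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)

def accidental_corruption() -> dict:
    """Record damaged in transit; the separately stored tags are unchanged."""
    stored = make_tags(RECORD, KEY)
    return detects(flip_bit(RECORD, 5), stored, KEY)

def unauthorized_edit() -> dict:
    """Record edited by a party who can rewrite stored tags but lacks KEY."""
    edited = RECORD.replace(b"5.6", b"9.9")
    # Unkeyed tags can be recomputed by anyone; a valid HMAC needs the key.
    rewritten = make_tags(edited, b"wrong-guess")
    return detects(edited, rewritten, KEY)

if __name__ == "__main__":
    print("accidental corruption:", accidental_corruption())
    print("unauthorized edit:    ", unauthorized_edit())
```

All three controls catch the flipped bit, but only the keyed tag flags the edit, because CRC and plain hash values can be recomputed by whoever changed the data.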


Availability

• Availability assures data and resources are accessible to
authorized subjects or personnel when required.
• The second component of the availability service is that
resources such as systems and networks should provide
sufficient capacity to perform in a predictable and acceptable
manner.
• Availability is also often viewed as a property of an information
system or service.


CIA Balance

• The CIA properties are not equally critical in every application.
• E.g., to one organization, service availability and the integrity of
information may be more important than the confidentiality of
information. A web site hosting publicly available information is
an example.
• Therefore, one should apply the appropriate combination of CIA
in the correct proportions to support the organization’s goals and
provide users with a dependable system.


Nonrepudiation
• Digital transactions are prone to fraud in which participants in
the transaction could repudiate (deny) a transaction.
• A digital signature is evidence that the information originated
with the asserted sender of the information and prevents
subsequent denial of sending the message.
• It also provides evidence that the receiver has in fact received
the message and that the receiver will not be able to deny this
reception.
• Nonrepudiation of source prevents an author from falsely denying
ownership of a created or sent message; otherwise the service will
prove the author's ownership.
• Nonrepudiation of acceptance prevents the receiver from
denying having received a message; otherwise the service will
prove the receipt.

Identification, Authentication, Authorization, Accountability (IAAA)
• IAAA is often summarized as authentication, but that term then
stands for the entire IAAA process.
• The current industry practice for implementing IAAA security is
identity management.
• Identity management includes the use of logon IDs and
passwords; a policy should state that the password needs to be
changed frequently, must have a minimum strength, etc.


Steps of IAAA


Identification

• Identification is a method for a user within a system to
introduce oneself.
• Identifiers must be unique so that a user can be accurately
identified.
• A standard interface is crucial for ease of the verification process.
• This is to ensure that access can be granted only with
verification.


Authentication
• Authentication validates the identification provided by a user.
• To be authenticated, the entity must produce at least a
second credential.
• 3 basic factors of authentication:
  ◦ What you should know (a shared secret, such as a password, which
    both the user and the authenticator know)
  ◦ What you should have (a physical identification, such as a
    smartcard, hardware token, or identification card)
  ◦ What you are (a measurable attribute, such as biometrics, a
    thumbprint, or facial recognition)
  ◦ In addition, organizations may consider having an implicit factor
    such as a “where you are” factor (physical location, logical
    location)
• Examples of technology used for authentication: PKI, smart card (PIN)


Authorization, Accountability

• Once a user presents a second credential and is identified, the
system checks an access control matrix to determine their
associated privileges.
• If the system allows the user access, the user is authorized.
• Accountability: the act of being responsible for actions taken
within a system.
• The only way to ensure accountability is to identify the user of a
system and record their actions.
• Accountability makes nonrepudiation extremely important.
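
The four IAAA steps from the preceding slides can be traced in a few lines of code. The following is an added example, not part of the original slides: unique identifiers, a password as the second credential, an access control matrix for authorization, and an audit log for accountability. The users, passphrases, object names, and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

USERS = {}        # identification: unique identifier -> (salt, password hash)
AUDIT_LOG = []    # accountability: one record per access decision
# Access control matrix (constructed): subject -> object -> rights.
MATRIX = {
    "alice": {"lab_results": {"read", "write"}},
    "bob": {"lab_results": {"read"}},
}

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(user_id: str, password: str) -> None:
    """Register an identifier; identifiers must be unique."""
    if user_id in USERS:
        raise ValueError(f"identifier {user_id!r} is already in use")
    salt = os.urandom(16)
    USERS[user_id] = (salt, _hash(password, salt))

def authenticate(user_id: str, password: str) -> bool:
    """Validate the claimed identifier against its second credential."""
    # Unknown identifiers still cost one hash and never match.
    salt, stored = USERS.get(user_id, (b"\x00" * 16, b""))
    return hmac.compare_digest(_hash(password, salt), stored)

def request(user_id: str, password: str, obj: str, right: str) -> str:
    """Authenticate, consult the matrix, and record the decision."""
    if not authenticate(user_id, password):
        outcome = "auth_failed"
    elif right in MATRIX.get(user_id, {}).get(obj, set()):
        outcome = "granted"
    else:
        outcome = "denied"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user_id, "object": obj, "right": right, "outcome": outcome,
    })
    return outcome

# Constructed accounts for the demonstration.
enroll("alice", "constructed-passphrase-1")
enroll("bob", "constructed-passphrase-2")

if __name__ == "__main__":
    print(request("alice", "constructed-passphrase-1", "lab_results", "write"))
    print(request("bob", "constructed-passphrase-2", "lab_results", "write"))
    print(request("bob", "wrong-guess", "lab_results", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Denied and failed attempts are logged as well as granted ones, since accountability depends on a record of every action attributed to an identifier.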


Assets, Threats, Vulnerabilities, Risks, and Controls

• An asset is anything valuable to the organization.
• Threats are potential events that may cause the loss of an
information asset.
• Vulnerabilities are weaknesses exploited by threats.
• A risk expresses the chance of something happening because of
a threat successfully exploiting a vulnerability that will
eventually affect the organization.
• Controls are protective measures or mechanisms that reduce
risks.


Relationships between assets, threats,
vulnerabilities, and controls to risks, according to
ISO 15408:2005


Common Threats
• Errors and Negligence
  ◦ Typographical errors
  ◦ Misconfigured systems and failures to patch software in a timely
    fashion
  ◦ Programming errors/bugs, e.g. buffer overflow
• Fraudulent and Theft Activities
  ◦ Fraud involving checks, credit cards, and automatic teller machine
    (ATM) networks


Common Threats
• Loss of Infrastructure
  ◦ Modern organizations connect through internal and external
    infrastructures which are not under their direct control
• Malware
  ◦ Malware (malicious software): a piece of code or software program
    that is hostile, intrusive, or annoying
  ◦ E.g.: Trojan horses, viruses, worms, and logic bombs
• Attackers
  ◦ Those who penetrate an organization’s system either internally or
    externally with or without authorization
  ◦ Internal attackers may be disgruntled employees; the threat from
    external attackers is usually seen as a high-risk threat


Capabilities of Attackers
• There are 3 levels of attacker capabilities:
  ◦ The elite or expert hackers: the most dangerous; highly technical
    individuals who seek new vulnerabilities in systems and can create
    scripts and programs to exploit vulnerabilities; often sponsored by
    terrorists, nation states, military, or organized crime, or
    engaged in industrial espionage.
  ◦ Script writers: although less technically qualified in finding
    vulnerabilities, they are capable of building and executing scripts
    to exploit known vulnerabilities.
  ◦ Script kiddies: the most numerous attackers; possess neither the
    expertise to find vulnerabilities nor the skills to exploit them;
    limited to downloading and executing scripts and tools that others
    have developed; large numbers of script kiddies constitute a
    threat.


Motivation of Attackers

• Hackers and hacktivists
  ◦ Use technical and social means to gain authorized/unauthorized
    access to information assets, computer systems, and networks.
  ◦ White-hat hackers use their skills to determine whether systems
    are in fact secure.
  ◦ Black-hat hackers use their skills to penetrate systems by the path
    of least resistance without authorization from the system owner.
  ◦ Gray-hat hackers are between the black hat and the white hat.
  ◦ Hacktivists are motivated to use their skills for political purposes.


Motivation of Attackers
• Criminal attackers
  ◦ View the computer and its contents as the target of a crime;
    motivated simply by profit and greed.
• Nation states
  ◦ Motivated by espionage and economic gain.
• National warfare, asymmetric warfare, and terrorism
  ◦ Nations depend on information systems to support the economy,
    infrastructure, and defense, which are all important assets. They
    are targets of unfriendly foreign powers and terrorists.
• Information warfare
  ◦ Using information technology as a weapon to impact an adversary.


Attackers, Motivation, and Impact


Common Threats

• Employee Sabotage
  ◦ Damaging the organization’s key infrastructure
  ◦ Revealing secret and confidential information to competitors
  ◦ Creating tensions and rifts among employees by spreading
    hoaxes or anonymous rumors
  ◦ Threatening the health and safety of others
  ◦ Stealing important documents


Common Threats
• Industrial Espionage
  ◦ The act of spying or of using agents to obtain confidential
    information about business competitors
  ◦ Industrial espionage attacks have precise motivations, for
    example, to gain an advantage over the competition by stealing
    trade secrets and market strategies
  ◦ E.g.: bribery, blackmail, and technological surveillance
  ◦ Research results, manufacturing techniques, chemical formulas,
    source code, and designs are targets since these assets use
    significant resources to develop
• Invasion of Privacy
  ◦ Trends that contribute to invasion of privacy:
    ▪ Increased surveillance
    ▪ More information kept about travelers
    ▪ New and existing antiterrorism laws and governmental measures
    ▪ Poor management of personal data
    ▪ Users unknowingly providing their personal information to “free”
      services such as social media

Common Threats
• Phishing and Spear Phishing
  ◦ An illegal activity, fraud, or swindle carried out by deceiving users
    into revealing sensitive information for the benefit of the attacker
  ◦ Can be done via e-mail notifications and false links
  ◦ Spear phishing is similar to phishing except it targets specific
    individuals with personalized messages and attachments
• Spamming
  ◦ Mass sending of e-mail causes network traffic jams and junk mail
  ◦ Generally contains advertising for products whose reliability
    is unknown


Phishing Attack

www.irs.gov/pub/irs-utl/phishing_email2.pdf


Vulnerabilities

• Vulnerabilities are weaknesses inherent within the information
asset that are exploitable by emerging threats.
• E.g.: Lack of antivirus software, inadequate hiring procedures,
absence of physical access controls in the server room
• Users can access US-CERT (www.us-cert.gov/) or other
national CERT/CSIRT web pages to learn about the latest
vulnerabilities.


Vulnerabilities

3 ways users can get information about vulnerabilities:

• Newsletter: For a confirmed vulnerability that has no exploitable
characteristic and poses no harm. The parties who discover the
vulnerability should inform US-CERT and have the findings
published in the newsletter.
• Advisory: For a confirmed vulnerability that has low and
medium levels of local or remote exploitability. Advice should be
accompanied by remedies or workaround solutions.
• Alert: For a confirmed vulnerability that has a high level of local
or remote exploitability and poses a definite threat to the
information system. Immediate escalation and action need to
be performed depending on the severity of the alert triggered.


Controls

• The likelihood of threats occurring and the existing
vulnerabilities influence the selection of controls needed to
manage risk.
• Controls are actions taken or mechanisms established to resolve
information assurance issues.
• The implementation of controls is driven by the following factors:
  ◦ To protect critical and sensitive information assets
  ◦ To ensure compliance with regulatory and legislative requirements
  ◦ To gain a competitive edge
  ◦ To mitigate risks and avoid unnecessary operational, financial, and
    customer losses


Categories of Controls
• Management controls
  ◦ Strategic and suitable for planning and monitoring purposes.
  ◦ E.g.: information assurance policy; information assurance risk
    management exercises
• Operational controls
  ◦ Used in day-to-day operations to ensure the secure execution of
    business activities.
  ◦ E.g.: mechanisms/tools for IT support and operations; physical and
    environmental security controls; and information security
    incident-handling processes and procedures
• Technical controls
  ◦ Possible technical and physical implementation of information
    assurance solutions and recommendations.
  ◦ E.g.: access controls; security audit and monitoring tools

Key Considerations in Implementing Control

• Establish Balance Between Managing Risk and Implementing
Controls
• Ensure the Proper Controls Are Selected and Implemented
• Assess and Review Controls


Cryptology

• Cryptology: the study of codes and ciphers; includes
cryptography (secret writing) and cryptanalysis (breaking codes).
• Cryptography: makes the message incomprehensible by
transforming the plaintext, which is the original intelligible
message, into a hidden form (the ciphertext).


Types of Encryption

• Symmetric Encryption
  ◦ The sender and receiver use the same private key to encrypt and
    decrypt a message. The key and the plaintext are combined
    systematically to yield a ciphertext. If the encryption is secure,
    others cannot recover the message from the ciphertext unless
    they know both the key and the encryption algorithm.
  ◦ Symmetric encryption is relatively fast.
  ◦ The most common block cipher: Data Encryption Standard (DES),
    an internationally standardized symmetric cipher that performs 16
    iterations of the same series of operations. Triple DES uses 3
    applications of DES, with a total of 48 iterations. DES has now been
    replaced by the Advanced Encryption Standard (AES) because of
    DES's small key size.


Types of Encryption

• Asymmetric/Public Key Encryption
  ◦ Uses 2 different keys (public and private) and a mathematical
    algorithm that would require extensive resources to break. The
    public key is used to encrypt while the private key is used to
    decrypt the message.
  ◦ Due to the mathematical complexity, asymmetric algorithms are
    slow and generally used for encrypting small messages.
  ◦ The most widely used algorithm is RSA, named after its inventors
    Rivest, Shamir, and Adleman.


Summary

• We have considered:
  ◦ Defense in Depth
  ◦ Definitions of 5 Basic Services
  ◦ Assets, Threats, Vulnerabilities, Risks, and Controls
  ◦ Basic Terminology of Cryptology
