Information Assurance and Security

Download as pdf or txt
Download as pdf or txt
You are on page 1of 25

Information Assurance and

Security: Overview
Information Assurance
“Measures that protect and defend
information and information systems by
ensuring their availability, integrity,
authentication, confidentiality, and non-
repudiation. These measures include
providing for restoration of information
systems by incorporating protection,
detection, and reaction capabilities.”

National Information Assurance (IA) Glossary


Maconachy, Schou, Ragsdale
(MSR) Cube

Maconachy, Schou, Ragsdale and Welch, A Model for Information Assurance:


An Integrated Approach, Proceedings of the 2001 IEEE Workshop on IAS,
USMA, West Point, NY 5-6 June 2001.
Security Services:
What types of problems can occur?

 Confidentiality
 Integrity
 Availability
 Authentication
 Non Repudiation
Confidentiality

“the assurance that information is not


disclosed to unauthorized persons,
processes or devices.”

Maconachy, Schou, Ragsdale and Welch, A Model for Information Assurance:


An Integrated Approach, Proceedings of the 2001 IEEE Workshop on IAS,
USMA, West Point, NY 5-6 June 2001.
Integrity
“the assurance that data can not be
created, changed, or deleted without
proper authorization”

Wikipedia: Information Assurance


Availability:

“Timely, reliable access to data and


information services for authorized
users.”
Authentication

Security service “designed to establish


the validity of a transmission,
message, or originator, or a means of
verifying an individual’s authorizations
to receive specific categories of
information”
Non-Repudiation

“The assurance the sender of the data


is provided with proof of delivery and
the recipient is provided with proof of
the sender’s identity, so neither can
later deny having processed the data”
Maconachy, Schou, Ragsdale
(MSR) Cube
Information States:
Where is the data?

 Transmission
 Storage
 Processing
Transmission

Time in which the data is in transit


between processing/process steps.
Storage

Time during which data is on a


persistent medium such as a hard
drive or tape.
Processing

Time during which the data is actually


in the control of a processing step.
Security Countermeasures:
Who can enforce/check security?

 People
 Policy and Practice
 Technology
People

 The heart and soul of secure


systems.
 Awareness, literacy, training,
education in sound practice.
 Must follow policy and practice or
the systems will be compromised no
matter how good the design!
 Both strength and vulnerability.
Policy and Practice (operations)

 System users
 System administrators
 Software conventions
 Trust validation

Also a countermeasure and a


vulnerability.
Technology
 Evolves rapidly
 Crypto systems
 Hardware
 Software
 Network
 Firewalls
 Routers
 Intrusion detection
 Other….
 Platform
 Operating systems
 Transaction monitoring
 Other….
 Especially vulnerable to misconfiguration and other
“people” errors. (Does what we tell it to!)
Time

 Relationships between all parts


change over time…
The attack model.
 Threat: Something that might happen
 Vulnerability: point in the system where a
Threat could compromise the system.
 Risk: The combination of the probability of an
event and its consequences
 Attack: Application of a threat to a system.
 Exploit: A successful attack
 Remediation: security team tries to figure out
what happened and come up with a fix to
restore things and a countermeasure.
 Countermeasure: What you do to fix a
vulnerability so the threat can’t be exploited.
Security Mindset:
 Managed Paranoia
 They are out to get me..
 How could they get me?
 Do I care?
 What is the real risk?
 What countermeasures can I apply to mitigate the risks (threats)?
 Where am I vulnerable?
 What will it cost to fix it?
 Is it worth it?
 Apply countermeasure…
 Attacks teach you many things.
 It is important to know you’ve been attacked!
 You must design and build security into a system, bolting it on after
just doesn’t work.
 Patches suck, but you have to fix known vulnerabilities or your
insurance company won’t pay damages and you might get thrown in
jail… especially if you work with medical or personnel records.
 Still want to be an IT major?
 That’s why they pay us the big bucks…
Summary
 We discussed a model for
understanding how one thinks
about assuring that one can trust
information.
 There are information states,
security services, and
coutermeasures.

You might also like