Lesson 1 Reviewer IAS1

LESSON 1 – Introduction to Information Assurance and Security 1 (IAS)

How does information become knowledge?

Noise – Raw facts with an unknown coding system.
Data – Raw facts with a known coding system.
Information – Processed data.
Knowledge – Accepted facts, principles, or rules of thumb that are useful for specific domains.

Characteristics of data, information, and knowledge (adopted from de Vries 2018)

DATA                        INFORMATION                      KNOWLEDGE
Is objective                Should be objective              Is subjective
Has no meaning              Has a meaning for a specific     Has a meaning
                            purpose
Is unprocessed              Is processed                     Is processed and understood
Is quantifiable; there      Is quantifiable; there can be    Is not quantifiable; there is
can be data overload        information overload             no knowledge overload

Different Views of Information Assurance

- “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation…” – US DoD
- Security refers to how well a product or system protects information and data from security vulnerabilities. – ISO 25010
- IA should be viewed as spanning 4 security domains: physical, personnel, IT, and operational security. – Debra Herrmann
- InfoSec is a computing environment made up of 5 interacting components: activities, people, data, technology, and networks. – Raggad’s Taxonomy of Information Security
- IA is composed of physical, infrastructure, and perceptual levels. – Blyth and Kovacich

What is Information Assurance and Security (IAS)?

Information Assurance
- The practice of managing information-related risks and the steps involved to protect information systems such as computer and network systems.

Security
- The state of being free from danger or threat, and the protection of data, networks, and computing power.
- The protection of data (information security) is given the most importance.
- The protection of networks is important to prevent loss of server resources as well as to keep the network from being used for illegal purposes.

ISO 9126:2001 / ISO 25010:2011 (International Organization for Standardization)
- The ISO 25010 model is a software quality evaluation model and part of the Quality Model Division of Software Product Quality Requirements and Evaluation (SQuaRE).
- It defines a quality in use model, subdivided into 5 characteristics and their sub-characteristics, and a product quality model, subdivided into 8 characteristics and their sub-characteristics.
- ISO 25010 added security and compatibility to the product quality model of ISO 9126.
Classification of Personally Identifiable Information

Personal Information
- Name; Address; Place of Work; Contact Information; Gender; Location at a particular time; IP Address; Birthdate and Birthplace; Citizenship……

Sensitive Personal Information
- Race, Ethnicity; Marital Status, Sexual Life; Age; Health; Philosophical and Religious Affiliation; Education; Genetics; Social Security Number; Banking Information…..

Privileged Information
- Data or information received within the context of a protected relationship.
- Husband and wife; attorney and client; priest and penitent; doctor and patient.

Product Quality Model Characteristics (ISO 25010:2011)
1. Functional Suitability
2. Reliability
3. Performance Efficiency
4. Usability
5. Security
6. Compatibility
7. Maintainability
8. Portability
1. Functional Suitability
- Refers to how well a product or system is able to provide functions that meet the stated and implied needs.
- Functional Completeness
  o Refers to the set of functions that covers all of the specified tasks and user objectives.
- Functional Correctness
  o Refers to how well a product or system provides the correct results with the needed degree of precision.
- Functional Appropriateness
  o Refers to how well functions are able to accomplish specified tasks and objectives.
Examples:
- The platform was able to cover all of the users’ needed features for selling and buying agricultural products.
- The platform provides accurate results with respect to its functions and features.
- The platform provides functions and features that are able to accomplish the specified tasks and objectives.

2. Reliability
- Refers to how well a system, product, or component performs its specified functions under specified conditions for a specified period of time.
- Maturity
  o Refers to how well a system, product, or component meets the needs for reliability under normal operation.
- Availability
  o Refers to whether a system, product, or component is operational and accessible when required for use.
- Fault Tolerance
  o Refers to whether a system, product, or component operates as intended despite hardware and/or software faults.
- Recoverability
  o Refers to whether a product or system can recover its data and re-establish its desired state in the event of an interruption or failure.

3. Performance Efficiency
- Refers to the performance relative to the amount of resources used under stated conditions.
- Time Behavior
  o Refers to the response and processing times, and throughput rates, of a product or system while it is performing its functions.
- Resource Utilization
  o Refers to the amounts and types of resources used by a product or system while performing its functions.
- Capacity
  o Refers to the maximum limits of a product or system parameter.

4. Usability
- Refers to how well a product or system can be used to achieve specified goals effectively, efficiently, and satisfactorily.
- Appropriateness Recognizability
  o How well you can recognize whether a product or system is appropriate for your needs.
- Learnability
  o How easy it is to learn how to use a product or system.
- Operability
  o Whether a product or system has attributes that make it easy to operate and control.
- User Error Protection
  o How well a system protects users against making errors.
- User Interface Aesthetics
  o Whether a user interface is pleasing and satisfying to the user.
- Accessibility
  o How well a product or system can be used by people with the widest range of characteristics and capabilities.
Example:
- The platform provides clear and concise instructions and information, making it easy for its users to recognize whether it is appropriate for their needs.

5. Security
- Refers to how well a product or system protects information and data so that persons, products, or systems have only the degree of data access appropriate to their level of authorization.
- Confidentiality
  o How well a product or system ensures that data is accessible only to those who have authorized access.
- Integrity
  o How well a system, product, or component prevents unauthorized access to, or modification of, computer programs and/or data.
- Non-repudiation
  o How well actions or events can be proven to have taken place, so that they cannot be denied later.
- Accountability
  o How well the actions of a user or other entity can be traced uniquely back to that entity.
- Authenticity
  o How well the identity of a subject or resource can be proven to be the one claimed.

6. Compatibility
- Refers to how well a product, system, or component can exchange information with other products, systems, or components, and/or perform its required functions while sharing the same hardware or software environment.
- Co-existence
  o How well a product can perform its required functions efficiently while sharing a common environment and resources with other products, without negatively impacting any other product.
- Interoperability
  o How well two or more systems, products, or components are able to exchange information and use the information that has been exchanged.

7. Maintainability
- Refers to how well a product or system can be modified to improve it, correct it, or adapt it to changes in the environment and in requirements.
- Modularity
  o Refers to whether the components of a system or program can be changed with minimal impact on the other components.
- Reusability
  o How well an asset can be used in more than one system, or in building other assets.
- Analysability
  o How effectively the impact of an intended change on a product or system can be assessed, and the causes of failures diagnosed.
- Modifiability
  o How well a product or system can be modified without introducing defects or degrading existing product quality.
- Testability
  o How effectively test criteria can be established for a system, product, or component, and tests performed to determine whether those criteria have been met.

8. Portability
- Refers to how well a system, product, or component can be transferred from one hardware, software, or other operational or usage environment to another.
- Adaptability
  o How well a product or system can be adapted for different or evolving hardware, software, or other usage environments.
- Installability
  o How successfully a product or system can be installed and/or uninstalled in a specified environment.
- Replaceability
  o How well a product can replace another comparable product for the same purpose in the same environment.

4 Security Domains by Debra Herrmann

1. Physical Security
   a. Protection of hardware, software, and data against physical threats.
2. Personnel Security
   a. Protection from accidental or intentional alteration, destruction, misconfiguration, and misuse of physical assets.
3. IT Security
   a. Technical features and functions that contribute to the 5 pillars of security (availability, integrity, authentication, confidentiality, and non-repudiation).
4. Operational Security
   a. Implementation of standard operational security procedures.

3 IA Levels according to Blyth and Kovacich

- Physical
  o Data and processing activities in physical space.
- Infrastructure
  o Information and data manipulation abilities in cyberspace.
- Perceptual
  o Knowledge and understanding in the human decision space.
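The five sub-characteristics listed under 5. Security above are easier to reason about when each is tied to a mechanism. The following is an added example, not code from the reviewer or from ISO: a toy record store in which an access list enforces confidentiality, an HMAC tag enforces integrity and authenticity, and an audit log provides accountability. The users, record ids, values and the key are all constructed for illustration.

```python
# Added example (not from the reviewer): the five ISO 25010 security
# sub-characteristics as concrete mechanisms on a toy record store.
# Users, record ids, data values and the key are all constructed.
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed key shared by the service and its storage layer. In a real
# system it would come from a key manager, never from source code.
INTEGRITY_KEY = b"constructed-example-key-not-for-production"

# Constructed access-control list: which records each user may read.
ACL = {"alice": {"rec-1", "rec-2"}, "bob": {"rec-2"}}


@dataclass
class Store:
    records: dict = field(default_factory=dict)    # id -> (payload bytes, tag)
    audit_log: list = field(default_factory=list)  # accountability trail

    def _tag(self, record_id, payload):
        # Integrity and authenticity: a MAC over id and payload. Only a holder
        # of INTEGRITY_KEY can produce a tag that verifies.
        msg = record_id.encode() + b"\x00" + payload
        return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()

    def _audit(self, user, action, record_id, outcome):
        # Accountability: every attempt, allowed or not, is attributed to a user.
        self.audit_log.append({"user": user, "action": action,
                               "record": record_id, "outcome": outcome})

    def write(self, user, record_id, data):
        payload = json.dumps(data, sort_keys=True).encode()
        self.records[record_id] = (payload, self._tag(record_id, payload))
        self._audit(user, "write", record_id, "ok")

    def read(self, user, record_id):
        # Confidentiality: deny users not authorised for this record.
        if record_id not in ACL.get(user, set()):
            self._audit(user, "read", record_id, "denied")
            raise PermissionError(f"{user} may not read {record_id}")
        payload, tag = self.records[record_id]
        # Integrity: recompute the tag; compare_digest avoids timing leaks.
        if not hmac.compare_digest(tag, self._tag(record_id, payload)):
            self._audit(user, "read", record_id, "tamper-detected")
            raise ValueError(f"{record_id} failed integrity check")
        self._audit(user, "read", record_id, "ok")
        return json.loads(payload)

    def tamper(self, record_id, data):
        # Simulates an attacker editing storage directly, bypassing write(),
        # so the stored tag no longer matches the payload.
        _, tag = self.records[record_id]
        self.records[record_id] = (json.dumps(data, sort_keys=True).encode(), tag)


def demo():
    s = Store()
    s.write("alice", "rec-1", {"balance": 100})
    s.write("alice", "rec-2", {"balance": 5})
    out = {"alice_reads": s.read("alice", "rec-1")["balance"]}
    try:
        s.read("bob", "rec-1")            # bob is not on the ACL for rec-1
        out["bob_denied"] = False
    except PermissionError:
        out["bob_denied"] = True
    s.tamper("rec-2", {"balance": 500})   # attacker edits storage directly
    try:
        s.read("bob", "rec-2")            # authorised, but the tag no longer matches
        out["tamper_caught"] = False
    except ValueError:
        out["tamper_caught"] = True
    out["log"] = [e["outcome"] for e in s.audit_log]
    return out


if __name__ == "__main__":
    print(demo())
```

One caveat a practitioner would want here: an HMAC gives authenticity only among holders of the shared key, so it cannot provide non-repudiation, because the storage layer could forge a tag just as easily as the writer. Non-repudiation needs an asymmetric signature over the record, made with a key that only the signer holds, so that a verifier can prove the action took place without being able to fabricate it.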
Security Trends

Assets – The resources being protected. They have a value worth protecting.
Threats – A category of entities, or a circumstance, that poses a potential danger to an asset.
Threat Actor – A specific instance of a threat.
Risk – The possibility that a particular threat will adversely impact an information system by exploiting a vulnerability.
Vulnerability – A weakness or fault in a system that exposes information to attacks.
Exploit – A method for taking advantage of a known vulnerability.

Assets include:
- Physical
  o Devices, computers, people
- Logical
  o Information, data, intellectual property
- System
  o Any software, hardware, data, administrative, physical, communications, or personnel resource within an information system.

Threats can be categorized by:
- Intent
  o Accidental or purposeful (error, fraud, hostile intelligence)
- Kind of entity involved
  o Human (hackers, someone flipping a switch), processing (malicious code, sniffers), natural (flood, earthquake)
- Impact
  o Type of asset affected, consequences.

Examples of Threats
- Interruption: an asset becomes unusable, unavailable, or lost.
- Interception: an unauthorized party gains access to an information asset.
- Modification: an unauthorized party tampers with an asset.
- Fabrication: an asset has been counterfeited.

Malware (Malicious Software). Common malware includes:
- Virus: malicious code that spreads by transferring infected files.
- Worm: a malicious program that uses a computer network to replicate.
- Trojan Horse: an executable program that does something other than advertised. It contains hidden code that launches an attack.

Malware (Collect Data)
Different types of malware are designed to collect important data from the user’s computer and make it available to the attacker. This type of malware includes:
- Spyware: software that gathers information without user consent.
- Adware: a program that delivers advertising content in a manner unexpected and unwanted by the user.
- Ransomware: prevents a user’s device from properly operating until a fee is paid.

Malware (Launch Attacks)
These attacks are designed to cause harm to a computer, server, or computer network, and are used by cybercriminals to obtain data for financial gain. This type of malware includes:
- Zombie: an infected computer that is under the remote control of an attacker.

Social Engineering Attacks
A means of gathering information for an attack by relying on the weaknesses of individuals.
- Psychological Approaches: persuade the victim to provide information or take actions.
- Impersonation: the attacker pretends to be someone else.
- Phishing: sending an email claiming to be from a legitimate source. Variations of phishing attacks:
  o Pharming – automatically redirects the user to a fraudulent website.
  o Spear phishing – email messages target a specific user.
  o Whaling – going after the “big fish”: targets wealthy individuals.
  o Vishing (Voice phishing) – attackers call the victim with a recorded “bank” message and a callback number.
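Two of the techniques listed above lend themselves to simple detection heuristics. The following is an added example, not code from the reviewer: the first check inspects e-mail HTML for the classic phishing lure, an anchor whose visible text names the bank while its href goes elsewhere (or whose hostname merely contains the bank's name); the second inspects hosts-file lines for a trusted domain pinned to a non-loopback address, the local resolution override used for pharming. The trusted domain, the e-mail body and the hosts lines are constructed for illustration.

```python
# Added example (not from the reviewer): heuristic checks for two of the
# techniques above. The "display text vs. href" check targets phishing
# lures; the hosts-file check targets local pharming. The trusted domain,
# e-mail HTML and hosts lines are constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the organisation treats as legitimately its own.
TRUSTED = {"examplebank.com"}

DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def registrable(host):
    """Crude registrable-domain extraction: the last two labels. A real
    implementation would consult the Public Suffix List (co.uk etc.)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def suspicious_links(html, trusted=TRUSTED):
    """Flag anchors whose visible text names one domain but whose href
    resolves to another, and hrefs whose hostname merely contains a
    trusted name (e.g. examplebank.com.evil.example)."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        target = registrable(host)
        shown = DOMAIN_RE.search(text.lower())
        if shown and registrable(shown.group(0)) != target:
            flagged.append(("display/href mismatch", text, host))
        elif target not in trusted and any(t in host for t in trusted):
            flagged.append(("lookalike host", text, host))
    return flagged


def pharming_entries(hosts_text, trusted=TRUSTED):
    """Flag hosts-file lines that pin a trusted domain to a non-loopback
    address: a local resolution override that redirects the user."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            if registrable(name) in trusted and not ip.startswith(("127.", "::1")):
                hits.append((name, ip))
    return hits


# Constructed sample e-mail body and hosts file.
SAMPLE_EMAIL = """<p>Dear customer, please
<a href="http://examplebank.com.secure-login.net/verify">log in at examplebank.com</a>
within 24 hours. <a href="http://login.examplebank.com.evil.example/">Click here</a>
if you need help, or visit <a href="https://www.examplebank.com/help">Help</a>.</p>"""

SAMPLE_HOSTS = """127.0.0.1   localhost
# constructed attacker entry: the bank's name now resolves to a rogue server
203.0.113.9 www.examplebank.com
::1         localhost
"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_EMAIL):
        print("phishing:", hit)
    for hit in pharming_entries(SAMPLE_HOSTS):
        print("pharming:", hit)
```

The hosts-file check only catches pharming done on the victim's own machine; pharming through a poisoned resolver or a hijacked router looks like a normal lookup locally, and is caught instead by comparing answers against a known-good resolver or by the TLS certificate failing to match the name.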
