Chapter 1. Introduction To IAS


INTRODUCTION TO INFORMATION SECURITY AND ASSURANCE

MICHAEL MARVIN P. CRUZ, MSIT



QUICK QUESTION

Suppose you visit an e-commerce website such as your bank, stock broker, etc.
Before you type in highly sensitive information, you’d like to have some assurance that your information will be protected.
Do you have such assurance? How can you know?
What security-relevant things do you want to happen, or not happen, when you use such a website?

THOUGHT EXPERIMENT

• You might want:
• Privacy of your data
• Protection against phishing
• Integrity of your data
• Authentication
• Authorization
• Confidentiality
• Non-repudiation
• Availability
• What else?

Which of these do you think fall under Information Assurance?


ISO STANDARD

• According to ISO/IEC Standard 9126-1 (Software Engineering - Product Quality), the following are all aspects of system quality:
• Functionality
• Usability
• Reliability
• Performance
• Security

Which of these do you think apply to IA?


INFORMATION ASSURANCE

Information in computer terms may tend to be:
• Useful
• Gathered
• The results of processing data

Assurance, on the other hand, means a positive declaration intended to give confidence, or a promise.
INFORMATION ASSURANCE

Information Assurance (IA) is the study of how to protect your information assets from destruction, degradation, manipulation and exploitation, but also of how to recover should any of those happen. Notice that it is both proactive and reactive.
ASPECTS OF INFORMATION THAT NEED PROTECTION

• Availability: timely, reliable access to data and information services for authorized users;
• Integrity: protection against unauthorized modification or destruction of information;
• Confidentiality: assurance that information is not disclosed to unauthorized persons;
ASPECTS OF INFORMATION THAT NEED PROTECTION

• Authentication: security measures to establish the validity of a transmission, message or originator;
• Non-repudiation: assurance that the sender is provided with proof of data delivery and the recipient is provided with proof of the sender’s identity, so that neither can deny having processed the data.
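Integrity, authentication and non-repudiation as defined above differ in who is able to produce the check value. The following Python is an added illustration, not part of the slides: a plain hash gives integrity only, an HMAC under a shared key gives authentication but the receiver could have produced the same tag, and a Lamport one-time signature built from SHA-256 gives non-repudiation because only the signer holds the private key. The function names and the "transfer" messages are constructed for this example.

```python
import hashlib
import hmac
import secrets


def digest(data: bytes) -> bytes:
    """Integrity only: anyone can recompute a plain hash, so it detects
    accidental corruption but not a deliberate change by someone in the path."""
    return hashlib.sha256(data).digest()


def mac(shared_key: bytes, data: bytes) -> bytes:
    """Authentication under a shared key. Sender and receiver both hold the key,
    so the receiver can verify the tag but could equally have forged it."""
    return hmac.new(shared_key, data, hashlib.sha256).digest()


def lamport_keygen():
    """Lamport one-time signature: private key = 256 pairs of random 32-byte
    secrets; public key = SHA-256 of each secret. Use each key pair once."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _bits(data: bytes):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return [(h >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, data: bytes):
    # Reveal one secret per bit of the message hash; the private key is then retired.
    return [sk[i][b] for i, b in enumerate(_bits(data))]


def lamport_verify(pk, data: bytes, sig) -> bool:
    # Hashing each revealed secret must reproduce the matching public-key half.
    return all(hashlib.sha256(s).digest() == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _bits(data))))


def compare_guarantees() -> dict:
    """Constructed scenario: a receiver sharing the MAC key can re-tag an altered
    order, while a receiver holding only the public key cannot forge a signature."""
    order, altered = b"transfer 100 to account 42", b"transfer 900 to account 42"
    shared_key, (sk, pk) = secrets.token_bytes(32), lamport_keygen()
    tag, sig = mac(shared_key, order), lamport_sign(sk, order)
    forged_sig = [secrets.token_bytes(32) for _ in range(256)]  # receiver lacks sk
    return {
        "hash_detects_change": digest(order) != digest(altered),
        "mac_verifies": hmac.compare_digest(tag, mac(shared_key, order)),
        "receiver_can_forge_mac": hmac.compare_digest(mac(shared_key, altered),
                                                      mac(shared_key, altered)),
        "signature_verifies": lamport_verify(pk, order, sig),
        "signature_rejects_altered": not lamport_verify(pk, altered, sig),
        "receiver_can_forge_signature": lamport_verify(pk, altered, forged_sig),
    }
```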
DIFFERENT VIEW OF IA

According to Debra Hermann (Complete Guide to Security and Privacy Metrics), IA should be viewed as spanning four security engineering domains:
• Physical security
• Personnel security
• IT security
• Operational security
So threats/risks to IA should be considered along these dimensions as well.

The simple truth is that IT security cannot be accomplished in a vacuum, because there are a multitude of dependencies and interactions among all four security engineering domains.

- Hermann
LET’S MATCH

• Physical security
• Personnel security
• IT security
• Operational security

Enforcing hard-to-guess passwords
Encrypting your hard drive
Locking sensitive documents in a safe
Stationing a marine guard outside an embassy
Assigning security clearances to staffers
Using SSL for data transfers
Having off-site backup of documents
FOUR SECURITY CATEGORIES

Physical security refers to the protection of hardware, software, and data against physical threats to reduce or prevent disruptions to operations and services and loss of assets.

Personnel security is a variety of ongoing measures taken to reduce the likelihood and severity of accidental and intentional alteration, destruction, misappropriation, misuse, misconfiguration, unauthorized distribution, and unavailability of an organization’s logical and physical assets, as the result of action or inaction by insiders and known outsiders, such as business partners.
FOUR SECURITY CATEGORIES

IT security is the inherent technical features and functions that collectively contribute to an IT infrastructure achieving and sustaining confidentiality, integrity, availability, accountability, authenticity, and reliability.

Operational security involves the implementation of standard operational security procedures that define the nature and frequency of the interaction between users, systems, and system resources.
ACTIVITY #1: LET’S TRY

Think of yourself as a newly hired MIS Officer of a newly established university. As an MIS Officer, you are responsible for assessing the current security environment of the new processes and technology of the entire university system.
As you go on with your duties and responsibilities, identify some of the possible risks, opportunities, and actions you will take based on the four security engineering domains (physical security, personnel security, IT security, operational security).
ANOTHER POV

According to Raggad’s taxonomy of information security, a computing environment is made up of five continuously interacting components:
• Activities
• People
• Data
• Technology
• Networks
A comprehensive security plan must take all of these into account.
ANOTHER VIEW: COMPONENTS FOR INFORMATION ASSURANCE

IA includes computer and information security, but more besides.
According to Blyth and Kovacich, IA can be thought of as protecting information at three distinct levels:
• Physical: data and data processing activities in physical space;
• Information infrastructure: information and data manipulation abilities in cyberspace;
• Perceptual: knowledge and understanding in human decision space.
LOWEST LEVEL: PHYSICAL

Desired Effects:
To affect the technical performance and the capability of physical
systems, to disrupt the capabilities of the defender.
Attacker’s operations:
Physical attack and destruction, including electromagnetic attack, visual
spying, intrusion, scavenging and removal, wiretapping, interference,
and eavesdropping.
Defender’s operation:
Physical security
2ND LEVEL: INFO INFRASTRUCTURE

Desired effects: to influence the effectiveness and performance of information functions supporting perception, decision making and control of physical processes.
Attacker’s operation: impersonation, piggybacking, spoofing, network attacks, malware, authorization attacks, active misuse, and denial of service attacks.
Defender’s operation: information security technical measures such as encryption and key management, intrusion detection, anti-virus software, auditing, redundancy, firewalls, policies, and standards.
3RD LEVEL: PERCEPTUAL LEVEL

Also called Social Engineering.

Desired effects: to influence decisions and behaviors.
Attacker’s operation: psychological operations such as deception, blackmail, bribery and corruption, social engineering, trademark and copyright infringement, defamation, creating distrust.
Defender’s operations: personnel security including psychological testing, education, and screening such as biometrics, watermarks, keys, passwords.
ASPECTS OF INFORMATION ASSURANCE

• COMPUTER SECURITY
• COMMUNICATIONS AND NETWORK SECURITY
• IT SECURITY (combination of comsec and compsec)
• OPERATIONS SECURITY
QUOTE

If you entrench yourself behind strong fortifications, you compel the enemy to seek a solution elsewhere. – Carl von Clausewitz

Principle of Easiest Penetration: An attacker on any information system will use the simplest means of subverting system security.

A recent headline in the AAS read: “The Biggest Threat to Computer Security? Carelessness”
FAILURES OF IA

In 1996, news of possible signs of life in a Martian meteorite called ALH84001 leaked out ahead of a press conference that had been scheduled by NASA.
This was partly because a high-ranking White House official told a prostitute about the meteorite, who then sold the information to a tabloid.
NASA had to scramble to reschedule its press conference to an earlier date to satisfy the growing demand for information from the press and public.
INFORMATION WARFARE

The flip side of Information Assurance is Information Warfare (IW). In fact, one can think of the offensive art of IW as “information operations” and the defensive part as information assurance.
TYPES OF INFORMATION WARFARE

• Type I involves managing an opponent’s perception through deception and psychological operations. In military circles, this is called Truth Projection.
• Type II involves denying, destroying, degrading, or distorting the opponent’s information flows to disrupt their ability to carry out or coordinate operations.
• Type III gathers intelligence by exploiting the opponent’s use of information systems.
Necessary for IW, as for any related activity, are motive, means, and opportunity.
OFFENSIVE PLAYERS IN INFORMATION WARFARE

Insiders: consist of employees, former employees and contractors.
Hackers: those who gain unauthorized access to or break into information systems for thrills, challenge, power or profit.
Criminals: target information that may be of value to them: bank accounts, credit card information, intellectual property, etc.

OFFENSIVE PLAYERS IN INFORMATION WARFARE

Corporations: actively seek intelligence about competitors or steal trade secrets.
Governments and agencies: seek military, diplomatic, and economic secrets of foreign governments, foreign corporations, and adversaries. May also target domestic adversaries.
Terrorists: usually politically motivated and may seek to cause maximal damage to information infrastructure as well as endanger lives and property.
WHY DO IT?

“While experts may disagree on the definition of cyber war, there is significant evidence that nations around the world are developing, testing and in some cases using or encouraging cyber means as a method of obtaining political advantage.” – McAfee Virtual Criminology Report 2009

“A plausible worst-case worm could cause $50 billion or more in direct economic damage by attacking widely used services in Microsoft Windows and carrying a highly destructive payload.” – Nicholas Weaver and Vern Paxson, 6/14/04
IA FUNCTIONS

Note that IA is both proactive and reactive, involving protection, detection, capability restoration, and response.
IA environment protection pillars: “ensure the availability, integrity, authenticity, confidentiality, and non-repudiation of information”

Attack detection: “timely attack detection and reporting is key to initiating the restoration and response processes.”
IA FUNCTIONS

Capability restoration:
• “relies on established procedures and mechanisms for prioritizing restoration of essential functions. Capability restoration may rely on backup or redundant links, information system components, or alternative means of information transfer.”
• “A post-attack analysis should be conducted to determine the command vulnerabilities and recommended security improvements.”
IA FUNCTIONS

• Attack response: “involves determining actors and their motives, establishing cause and complicity, and may involve appropriate action against perpetrators… contributes … by removing threats and enhancing deterrence.”