Chapter 1

Uploaded by zebrehe

Chapter - One

Introduction to Information Assurance and Security

11/10/2019 1
Overview of Information Assurance & Security
(What is security?)
Security is a continuous process of protecting an object from attack. That
object may be a person, an organization such as a business, or property such
as a computer system or a file.

When we consider a computer system, for example, its security involves
the security of all its resources, including physical hardware components
such as readers, printers, the CPU, the monitors, and others. In addition to
its physical resources, it also stores non-physical resources such as data and
information.

Overview (Cont’d …)
(What is info assurance? How does it differ from info security?)
Information security is concerned with the confidentiality, integrity
and availability of data regardless of the form that data may take.

Information assurance focuses on the reasons for assurance that
information is protected, and is thus reasoning about information
security.

It is the practice of assuring information and managing risks related to
the use, processing, storage, and transmission of information or data and
the systems and processes used for those purposes.

Overview (Cont’d …)
(What is security in a distributed computer system?)
In a distributed computer system such as a network, the protection
covers physical and non-physical resources that make up the network
including communication channels and connectors like modems,
bridges, switches, and servers, as well as the files stored on those
servers.

In each one of these cases, therefore, security means preventing
unauthorized access, use, alteration, and theft or physical damage to
these resources.

Overview (Cont’d …) Security Goals
Security involves the following three goals:

• Confidentiality: closed information.
  – Concealment of information or resources
• Integrity: original information.
  – Trustworthiness of data or resources
• Availability: available at any time for use.
  – Ability to use information or resources

Overview (Cont’d …) Security Goals
Confidentiality: only the sender and the intended receiver should “understand”
the message contents
– sender encrypts message
– receiver decrypts message

Message integrity: sender and receiver want to ensure the message is not
altered (in transit, or afterwards) without detection.

Access and availability: services must be accessible and available to users
when they want.

Overview (Cont’d …) Confidentiality

To prevent unauthorized disclosure of information to third parties.
This includes the disclosure of information about resources.

The need for keeping information secret arises from the use of computers in
sensitive fields such as government and industry.

Access mechanisms, such as cryptography, support confidentiality.
• Example: encrypting an income tax return.

Overview (Cont’d …) Integrity
To prevent unauthorized modification of resources. It includes the integrity of
system resources, information, and personnel. The alteration of resources like
information may be caused by a desire for personal gain or a need for revenge.

Often requires preventing unauthorized changes.

Includes data integrity (content) and origin integrity (source of data, also
called authentication).

Includes prevention mechanisms and detection mechanisms.

Example: a newspaper prints info leaked from the White House and gives the
wrong source.

Includes both correctness and trustworthiness.
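
An added example (not part of the original slides) of a detection mechanism for the two kinds of integrity named above, using Python's standard hashlib and hmac modules. The keys, messages and function names are constructed for illustration, and a shared-key MAC is an assumed mechanism for origin integrity, not one the slides prescribe.

```python
import hashlib
import hmac

def protect(key: bytes, content: bytes) -> dict:
    """Sender side: attach an unkeyed digest and a keyed MAC to the content."""
    return {
        "content": content,
        "sha256": hashlib.sha256(content).hexdigest(),
        "hmac": hmac.new(key, content, hashlib.sha256).hexdigest(),
    }

def verify(key: bytes, msg: dict) -> dict:
    """Receiver side: report which integrity checks the message passes."""
    digest = hashlib.sha256(msg["content"]).hexdigest()
    mac = hmac.new(key, msg["content"], hashlib.sha256).hexdigest()
    return {
        # Content matches the digest that travelled with it.
        "data_integrity": hmac.compare_digest(digest, msg["sha256"]),
        # Content was tagged by someone holding the shared key.
        "origin_integrity": hmac.compare_digest(mac, msg["hmac"]),
    }

def demo() -> dict:
    """Run the constructed scenarios and return each verification result."""
    sender_key = b"constructed-key-shared-by-sender-and-receiver"
    other_key = b"constructed-key-of-a-different-party"
    original = protect(sender_key, b"pay 100 to account 42")

    # Content changed in transit, digest and MAC left as they were.
    altered = dict(original, content=b"pay 900 to account 42")

    # Content changed and the unkeyed digest recomputed to match it.
    rehashed = dict(altered, sha256=hashlib.sha256(altered["content"]).hexdigest())

    # Well-formed message, but tagged by a party other than the claimed sender.
    wrong_source = protect(other_key, b"pay 100 to account 42")

    return {name: verify(sender_key, m) for name, m in [
        ("original", original), ("altered", altered),
        ("rehashed", rehashed), ("wrong_source", wrong_source)]}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} {result}")
```

The rehashed case shows why an unkeyed digest detects alteration only when the digest itself reaches the receiver over a channel that cannot be modified; the keyed MAC fails in both the rehashed and wrong-source cases.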

Overview (Cont’d …) Availability
To prevent unauthorized withholding of system resources from those
who need them when they need them.

Is an aspect of reliability and system design.

Attempts to block availability, called denial of service attacks, are
difficult to detect.
Example: bank with two servers – one is blocked, the other provides false
information

Enterprise Security
Enterprise security is the process by which an organization protects its information
assets (data, servers, workstations, storage, networking, applications, etc.) from
infringement of confidentiality, integrity, or availability.
It includes policies and procedures which provide guidance on the who, what, why,
and how to implement the protection mechanism for an organization’s information
assets.
Since cyber threats are real and can happen to any organization, organizations
must now focus much more on information and data: understanding where it is and
how it is managed both within and outside the enterprise boundary.

Enterprise Security (Cont’d …)
Enterprise security encompasses:
• Information security: how information technology supports safe
  business practices.
• Business security: security processes and the security control
  framework, in the context of the business.
• Physical security: how facilities and access control support the
  logical security model.
• Operational risk management: providing a risk-based approach.

Cyber Defense
(What is cyber? What about cyberspace?)
Cyber is a prefix used to describe a person, thing, or idea as part of the
computer and information age.
Cyber defense is a computer network defense mechanism which includes response
to actions and critical infrastructure protection and information assurance for
organizations, government entities and other possible networks.
Cyber defense focuses on preventing, detecting and providing timely responses to
attacks or threats so that no infrastructure or information is tampered with. With the
growth in volume as well as complexity of cyberattacks, cyber defense is essential
for most entities in order to protect sensitive information as well as to safeguard
assets.
Cyberspace is a domain characterized by the use of electronics and the
electromagnetic spectrum to store, modify, and exchange information.

Cyber Defense (Cont’d)
PRESENT
• Cyber security is a young and immature field
• The attackers are more innovative than defenders
FUTURE
• Cyber security will become a scientific discipline
• It will be application & technology centric
• It will never be “solved” but will be “managed”

Cyber Defense (Cont’d)
Defending schemes:

OLD: Defend the entire network to the same degree
NEW: Defend selectively and dynamically

OLD: Blame and harass the end user
NEW: The end user is part of the solution

OLD: Defend against yesterday’s attacks
NEW: Be proactive, get ahead of the curve, future-proof

Enterprise Security Architecture

Enterprise security architecture is a comprehensive plan for
ensuring the overall security of a business using the available
security technologies.

Enterprise Security Architecture (Cont’d)

[Figure: Enterprise Architecture. Labels in the diagram: Business Architecture, Security Architecture, Development Order, Information Systems Architecture, Information Architecture, Application Architecture, Technical Architecture.]

Reasons for Implementing Security
(Why do we need security?)
Increased reliance on information technology, with or without the use of
networks

The use of IT has changed our lives drastically.

We depend on e-mail, Internet banking, and several other governmental
activities that use IT

Increased use of e-commerce and the World Wide Web on the Internet as a
vast repository of various kinds of information (immigration databases,
flight tickets, stock markets, etc.)

Reasons (Cont’d …) (Why do we need security?)
Computer security - the collection of tools designed:
• to protect data/services and
• to prevent hackers

Network security or internet security - security measures needed to
protect data during their transmission.

Reasons (Cont’d …) (What if not secured?)
Damage to any IT-based system or activity can result in severe
disruption of services and losses.
Results of a security breach:
• Destruction of resources
• Corruption of data and applications
• Denial of services
• Theft of services
• Theft of resources

Reasons (Cont’d …) (That is why… we need security)

• To safeguard the confidentiality, integrity, authenticity and availability of
  data transmitted over insecure networks.
• The Internet is not the only insecure network in this world
• Many internal networks in organizations are prone to insider attacks
• In fact, insider attacks are greater both in terms of possibility of happening
  and damage caused

Reasons (Cont’d …) (security controls)
Security controls:
• Authentication
  – Password: what we know
  – Cards: what we have
  – Biometrics: who we are
• Encryption
• Administrative procedures
• Standards
• Physical security
• Laws

Reasons (Cont’d …) (security policy, service & mechanism)
A security policy is a statement of what is allowed and what is not
allowed.

A security service is a measure to address a threat.
E.g. authenticate individuals to prevent unauthorized access

A security mechanism is a means to provide a service.
E.g. encryption, cryptographic protocols

Reasons (Cont’d …) (security services)

Five Categories of Security Services

A. Authentication (who created or sent the data)

B. Access control (prevent misuse of resources)

C. Confidentiality (privacy)

D. Integrity (has not been altered)

E. Non-repudiation (the order is final)

End of Chapter One

Q&A?