The Need For Info Assurance and Security


INFORMATION ASSURANCE AND SECURITY 2

Unit 1: I. The need for Information Assurance and Security

The Need for Information Assurance and Security

Introduction

“Computer systems are not vulnerable to attack. We are vulnerable to attack through our computer systems.” - Robert Seacord

This unit is a continuation of concepts discussed in Information Assurance and Security 1. The topics to be discussed are as follows:

Topic 1: Information Security Functions


Topic 2: Threats to Information Security

Learning Objective:

After studying this topic, you will be able to:


1. Understand the different categories of threats and their examples; and
2. Identify the different attacks on the intellectual property.

Activating Prior Knowledge

1. Cite a scenario or scenarios of cyberattacks and specify what type of attack is being used:

Presentation of Content

Before we begin, let us first define information security. According to Jim Anderson, Inovant (2002), it is a “well-informed sense of assurance that the information risks and controls are in balance.” Security professionals must review the origins of this field to understand its impact on our understanding of information security today.

What is Security?
- “The quality or state of being secure—to be free from danger”
- The protection of information and its critical elements, including systems and
hardware that use, store, and transmit that information

A successful organization should have multiple layers of security in place:

1. Physical security – protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
2. Personal security – protect the individual or group of individuals who are authorized to access the organization and its operations.
3. Operations security – protect the details of a particular operation or series of activities.
4. Communications security – protect an organization’s communications media, technology, and content.
5. Network security – protect networking components, connections, and contents.
6. Information security – the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.

As stated in IAS-1, the CIA Triad is a well-known model for security policy development, a standard based on confidentiality, integrity, and availability. It has been considered the industry standard for computer security since the development of the mainframe and has now expanded into a list of critical characteristics of information.

[Figure: Components of Information Security]



As we go on with our discussion in our subject, it is necessary for us to know the definitions of the following Key Information Security Concepts:

Key Terms

Access - a subject or object’s ability to use, manipulate, modify, or affect another subject or object.
Asset - the organizational resource that is being protected.
Attack - an act that is an intentional or unintentional attempt to cause damage or
compromise to the information and/or the systems that support it.
Control, Safeguard, or Countermeasure - security mechanisms, policies, or
procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and
otherwise improve the security within an organization.
Exploit - to take advantage of a weakness or vulnerability in a system.
Exposure - a single instance of being open to damage.
Hack - Good: to use computers or systems for enjoyment; Bad: to illegally gain
access to a computer or system.
Object - a passive entity in the information system that receives or contains
information.
Risk - the probability that something can happen.
Security Blueprint - the plan for the implementation of new security measures in
the organization.
Security Model - a collection of specific security rules that represents the
implementation of a security policy.
Security Posture or Security Profile - a general label for the combination of all
policies, procedures, technologies, and programs that make up the total security effort
currently in place.
Subject - an active entity that interacts with an information system and causes
information to move through the system for a specific end purpose.
Threats - a category of objects, persons, or other entities that represents a
potential danger to an asset.
Threat Agent - a specific instance or component of a more general threat.
Vulnerability - weaknesses or faults in a system or protection mechanism that
expose information to attack or damage.

“When considering the security of information systems components, it is important to understand the concept of the computer as the subject of an attack as opposed to the computer as the object of an attack.”
“When a computer is the subject of an attack, it is used as an active tool to conduct the attack and when a computer is the object of an attack, it is the entity being attacked.”

To understand this more deeply, here is a representation of the computer as the subject of an attack:

Since we mentioned the CIA Triad earlier in our discussion, note that confidentiality, integrity, and availability are represented by the McCumber Cube under the Committee on National Security Systems (CNSS) model.
The cube brings together desired goals (confidentiality, integrity, and availability), information states (storage, transmission, and processing), and safeguards (policies and practices, human factors, and technology). Below is a representation of the CNSS Security Model:

The McCumber Cube
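
An added illustration, not part of the original module: the cube's three dimensions give 3 x 3 x 3 = 27 cells, and a control inventory can be checked against them to find gaps. The control names and their mappings below are constructed for the example.

```python
from itertools import product

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "transmission", "processing")
SAFEGUARDS = ("policies and practices", "human factors", "technology")

# Constructed control inventory (hypothetical): each control lists the goals
# and information states it addresses, plus the kind of safeguard it is.
CONTROLS = {
    "disk encryption": ({"confidentiality"}, {"storage"}, "technology"),
    "TLS on internal links": ({"confidentiality", "integrity"},
                              {"transmission"}, "technology"),
    "backup policy": ({"availability", "integrity"}, {"storage"},
                      "policies and practices"),
    "phishing awareness training": ({"confidentiality"},
                                    {"transmission", "processing"},
                                    "human factors"),
}

def coverage(controls):
    """Map each of the 27 cube cells to the controls that address it."""
    cells = {cell: [] for cell in product(GOALS, STATES, SAFEGUARDS)}
    for name, (goals, states, safeguard) in controls.items():
        for goal, state in product(goals, states):
            cells[(goal, state, safeguard)].append(name)
    return cells

def gaps_by_goal(controls):
    """Count the cells with no control, per security goal (9 cells each)."""
    counts = dict.fromkeys(GOALS, 0)
    for (goal, _state, _safeguard), names in coverage(controls).items():
        if not names:
            counts[goal] += 1
    return counts

if __name__ == "__main__":
    for goal, missing in gaps_by_goal(CONTROLS).items():
        print(f"{goal}: {missing} of 9 cells have no control")
```
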



Components of an Information System

An information system (IS) is the entire set of components necessary to use information as a resource in the organization:
• Software
• Hardware
• Data
• People
• Procedures
• Networks

To fully understand the importance of information security, it is necessary to briefly review the elements of an information system. An information system (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, and procedures necessary to use information as a resource in the organization.

Balancing Information Security and Access


• Impossible to obtain perfect security
• Process, not an absolute
• Security should be considered a balance between protection and availability
• Must allow reasonable access, yet protect against threats

[Figure: Balancing Information Security and Access]



The Need for Security

“Information security’s primary mission is to ensure that systems and their contents remain the same!”

Cyberattacks have become rampant, especially against systems and websites with weak security. That is why data security and privacy are very important, and protection from cyberattacks must address them. With the presence of hackers, even the smallest piece of information could be accessed. This must not be taken for granted, and such information must be kept confidential, especially when we handle and protect sensitive information.

The following are the categories of threats with their corresponding examples:

Categories of Threats                       Example
Compromises to Intellectual Property        Piracy, copyright infringement
Software Attacks                            Viruses, worms, macros, DoS
Deviation in quality of service             ISP, power, WAN service issues from service providers
Espionage or trespass                       Unauthorized access and/or data collection
Forces of nature                            Fire, flood, earthquake, lightning
Acts of human error or failure              Accidents, employee mistakes
Information extortion                       Blackmail or Information
Deliberate acts of theft                    Illegal confiscation of equipment or information
Missing, inadequate or incomplete controls  Network compromised because no firewall security controls
Sabotage or vandalism                       Destruction of systems or information
Theft                                       Illegal confiscation of equipment or information
Technical hardware failures or errors       Equipment failure
Technical software failures or errors       Bugs, code problems, unknown loopholes
Technological obsolescence                  Antiquated or outdated technologies

Let’s dig deeper into the basic concepts of threats in information security:

Intellectual Property - defined as “the ownership of ideas and control over the tangible or virtual representation of those ideas. Use of another person’s intellectual property may or may not involve royalty payments or permission, but should always include proper credit.”

Intellectual Property has the following:

• Trade
• Copyright
• Trademark
• Patents

Deliberate Software Attacks

• Malicious code
• Malicious software
• Malware
• First business hacked out of existence
  o Denial-of-service attack
  o Cloudnine
    - British Internet service provider

Virus
• Segments of code
• Attaches itself to existing program
• Takes control of program access
• Replication

Worms
• Malicious program
• Replicates constantly
• Doesn’t require another program
• Can be initiated with or without the user download

Other Malware…
• Trojan Horse
  o Hide their true nature
  o Reveal the designed behavior only when activated
• Back door or trap door
  o Allows access to system at will with special privileges
• Polymorphism
  o Changes its apparent shape over time
  o Makes it undetectable by techniques that look for preconfigured signatures
• Hoaxes

• Intelligence Gathering
  o Legal – competitive intelligence
  o Illegal – industrial espionage
  o Thin line
  o One technique – shoulder surfing
• Trespass
  o Protect with
    - Authentication
    - Authorization

Hackers
• 2 levels
  o Experts
    - Develop software scripts
    - Develop program exploits
  o Novice
    - Script kiddie
    - Use previously written software
    - Packet monkeys
    - Use automated exploits

System Rule Breakers

• Crackers
  o Individuals who crack or remove software protection designed to prevent unauthorized duplication
• Phreakers
  o Use public networks to make free phone calls

Forces of Nature
• Pose some of the most dangerous threats
• Unexpected and occur with little or no warning
Examples:
• Fire
• Tornado
• Tsunami
• Electrostatic discharge
• Dust contamination
• Flood
• Earthquake
• Lightning
• Landslide
• Mudslide
• Hurricane/typhoon

Acts of Human Error or Failure

• Acts performed without intent or malicious purpose by an authorized user
• Greatest threat to org info security
  o Organization’s own employees
  o Closest to the data
  o Mistakes
    - Revelation of classified data
    - Entry of erroneous data
    - Accidental deletion or modification of data
    - Storage of data in unprotected areas
    - Failure to protect information
• Prevention
  o Training
  o Ongoing awareness activities
  o Controls
    - Require user to type a critical command twice
    - Verification of commands

Deliberate Acts
• Information Extortion
  o Attacker or trusted insider steals information
  o Demands compensation
  o Agree not to disclose information

Missing, Inadequate or Incomplete Controls

• Controls are:
  o Missing
  o Misconfigured
  o Antiquated
  o Poorly designed or managed
• Make org more likely to suffer loss

Sabotage or Vandalism

• Deliberate sabotage of a computer system or business
• Acts to destroy an asset
• Damage to an image of an organization
• Hacktivist or cyber activist
  o Interfere with or disrupt systems
  o Protest the operations, policies, or actions
• Cyber terrorism
• Theft

Theft
• Illegal taking of another’s property
  o Physical
  o Electronic
  o Intellectual
  o Constant
• Problem – crime not always readily apparent

Technical Hardware Failures or Errors

• Best known
  o Intel Pentium II chip
  o First ever chip recall
• Technology obsolescence
  o Can lead to unreliable and untrustworthy systems
• Large quantities of code written, published, and sold with bugs
• Bugs undetected and unresolved
• Combinations of software can cause issues
• Weekly patches

Technology Obsolescence
• Outdated hardware or software
• Reliability problems
• Management problem
  o Should have plan in place
• Non-support of legacy systems
• Can be costly to resolve

It was also discussed in the previous lesson that a cyberattack is an assault launched by cybercriminals using one or more computers against a single or multiple computers or networks. A cyberattack can maliciously disable computers, steal data, or use a breached computer as a launch point for other attacks.
Examples of attacks with their corresponding definitions are the following:

Vector                                     Definition
IP scan and attack                         Infected system scans IP addresses and targets vulnerabilities
Web browsing                               Infects web content files, making them infectious
Virus                                      Infects other machines
Unprotected shares                         Infects any device that is unprotected
Mass mail                                  E-mailing to all addresses in an address book
Simple Network Management Protocol (SNMP)  Using the common passwords employed in early versions of the protocol, the attacking program can gain control of the device

Methods of Attack

Initial Three-Way Handshake

Client --- SYN -----> Server (received by welcome port)
Client <-- SYN-ACK -- Server
Client --- ACK -----> Server (establish connection)

The methods of attack comprise password cracking, brute force, and dictionary attacks. Moreover, the design of the network infrastructure and communication protocols is a major contributor. Attacks can also be:

• IP spoofing
  o The source IP address of the data packets is altered and replaced with a bogus address
• SYN spoofing
  o The server is overwhelmed by spoofed packets
• Scanning
  o Way of determining which ports are open and can be used
• Denial of service
  o Smurf: sends a large amount of spoofed ping packets
  o Overwhelms the system
  o Can stop response
• Spam
• Mail bombing
• Sniffing
  o Monitors data traveling over a network
  o Legitimate and non-legitimate purposes
  o Packet sniffing
-----------------End of Topic I and II-------------------------



Formative Assessment
Answer briefly but substantially the following questions:

1. Discuss the McCumber Cube.

2. You are using an Information Management System of your company, how will you
keep the confidentiality and security of the files? Explain.

3. Your boss noticed that there are suspicious activities in the system the
company is using. What possible solutions would you recommend in order to
solve the problem?

4. Discuss the Components of Information Security.
