CS 307: Introduction to Information Assurance

Lecture 1

3/15/2011

CIVE-UDOM

What is Information Assurance?

According to the U.S. Department of Defense, IA involves: Actions taken that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities. Information Assurance (IA) is the study of how to protect your information assets from destruction, degradation, manipulation and exploitation. But also, how to recover should any of those happen. Notice that it is both proactive and reactive.
3/15/2011 CIVE-UDOM 2

What is IA? (cont)

According to the DoD definition, these are some aspects of information needing protection: Availability: timely, reliable access to data and information services for authorized users; Integrity: protection against unauthorized modification or destruction of information; Confidentiality: assurance that information is not disclosed to unauthorized persons; Authentication: security measures to establish the validity of a transmission, message, or originator. i.e the assurance that the communicating entity is the one that it claims to be. Non-repudiation: assurance that the sender is provided with proof of a data delivery and recipient is provided with proof of the senders identity, so that neither can later deny having processed the data.

3/15/2011

CIVE-UDOM

A Different View of IA
According to Debra Herrmann (Complete Guide to Security and Privacy Metrics), IA should be viewed as spanning four security engineering domains:
physical security personnel security IT security operational security

The simple truth is that IT security cannot be accomplished in a vacuum, because there are a multitude of dependencies and interactions among all four security engineering domains. (Herrmann, p. 10) So threats/risks to IA should be considered along these dimensions as well.
3/15/2011 CIVE-UDOM 4

Four Security Domains

Physical security refers to the protection of hardware, software, and data against physical threats to reduce or prevent disruptions to operations and services and loss of assets. Personnel security is a variety of ongoing measures taken to reduce the likelihood and severity of accidental and intentional alteration, destruction, misappropriation, misuse, misconfiguration, unauthorized distribution, and unavailability of an organizations logical and physical assets, as the result of action or inaction by insiders and known outsiders, such as business partners.

3/15/2011

CIVE-UDOM

Four Security Domains

IT security is the inherent technical features and functions that collectively contribute to an IT infrastructure achieving and sustaining confidentiality, integrity, availability, accountability, authenticity, and reliability. Operational security involves the implementation of standard operational security procedures that define the nature and frequency of the interaction between users, systems, and system resources, the purpose of which is to:
achieve and sustain a known secure system state at all times, and prevent accidental or intentional theft, release, destruction, alteration, misuse, or sabotage of system resources.

3/15/2011

CIVE-UDOM

Information Assurance Model

3/15/2011

CIVE-UDOM

Security Services
(What is protected)
Availability
Data When You Need It

Integrity
Data is unchanged (how you left it)

Authentication
Verifying who is trying to see the data

Confidentiality
Only the authorized people see the data

Non-Repudiation
Cant say it wasnt you (sending, receiving or accessing)

3/15/2011

CIVE-UDOM

Security Countermeasures
(How it is protected) Technology Policy and Practice People

3/15/2011

CIVE-UDOM

Information States
(Where is the data) Transmission Storage Processing

3/15/2011

CIVE-UDOM

10

Importance of IA
Human safety Environmental safety Property safety Economic stability and security Social stability Privacy, both individual and corporate National security
CIVE-UDOM 11

3/15/2011

The Security Trinity

The three legs of the "security trinity," prevention, detection, and response, comprise the basis for security. The security trinity should be the foundation for all security policies and measures that an organization develops and deploys

3/15/2011

CIVE-UDOM

12

The security trinity

3/15/2011

CIVE-UDOM

13

Prevention
The foundation of the security trinity is prevention. To provide some level of security, it is necessary to implement measures to prevent the exploitation of vulnerabilities.

3/15/2011

CIVE-UDOM

14

Detection
Once preventative measures are implemented, procedures need to be put in place to detect potential problems or security breaches, in the event preventative measures fail. It is very important that problems be detected immediately. The sooner a problem is detected the easier it is to correct and cleanup.

3/15/2011

CIVE-UDOM

15

Response
Organizations need to develop a plan that identifies the appropriate response to a security breach. The plan should be in writing and should identify who is responsible for what actions and the varying responses and levels of escalation.

3/15/2011

CIVE-UDOM

16

Security Attacks
Passive Attacks
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are release of message contents and traffic analysis.
3/15/2011 CIVE-UDOM 17

Active Attacks
Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service. A masquerade takes place when one entity pretends to be a different entity
3/15/2011 CIVE-UDOM 18

Active Attacks
Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect The denial of service prevents or inhibits the normal use or management of communications facilities
3/15/2011 CIVE-UDOM 19

Security Attacks

3/15/2011

CIVE-UDOM

20

Security Attacks
Interruption: This is an attack on availability Interception: This is an attack on confidentiality Modification: This is an attack on integrity Fabrication: This is an attack on authenticity
3/15/2011 CIVE-UDOM 21

Security Goals
Security Goals:
Confidentiality: Need access control, Cryptography, Existence of data Integrity: No change, content, source, prevention mechanisms, detection mechanisms Availability: Denial of service attacks, Confidentiality, Integrity and Availability (CIA)

The opposite of CIA is disclosure, alteration, and denial (DAD).

3/15/2011 CIVE-UDOM 22

Military Example
Confidentiality: target coordinates of a missile should not be improperly disclosed Integrity: target coordinates of missile should be correct Availability: missile should fire when proper command is issued

3/15/2011

CIVE-UDOM

23

Commercial Example
Confidentiality: patients medical information should not be improperly disclosed Integrity: patients medical information should be correct Availability: patients medical information can be accessed when needed for treatment
3/15/2011 CIVE-UDOM 24

Security Policies
A security policy is a statement of what is, and what is not, allowed. Example 1: "do not delete or corrupt another's files, and any file not protected may be read." Example 2 Students are not allowed to share solutions of the assignments

3/15/2011

CIVE-UDOM

25

 A security policy sets the context in which we can define a secure system. What is secure under one policy may not be secure under a different policy. More precisely: A secure system is a system that starts in an authorized state and cannot enter an unauthorized state.

3/15/2011

CIVE-UDOM

26

 A security policy considers all relevant aspects of confidentiality, integrity, and availability. With respect to confidentiality, it identifies those states in which information leaks to those not authorized to receive it. This includes not only the leakage of rights but also the illicit transmission of information without leakage of rights, called information flow. Also, the policy must handle dynamic changes of authorization, so it includes a temporal element. For example, a contractor working for a company may be authorized to access proprietary information during the lifetime of a nondisclosure agreement, but when that nondisclosure agreement expires, the contractor can no longer access that information. This aspect of the security policy is often called a confidentiality policy.
3/15/2011 CIVE-UDOM 27

 With respect to integrity, a security policy identifies authorized ways in which information may be altered and entities authorized to alter it. Authorization may derive from a variety of relationships, and external influences may constrain it; for example, in many transactions, a principle called separation of duties forbids an entity from completing the transaction on its own. Those parts of the security policy that describe the conditions and manner in which data can be altered are called the integrity policy.
3/15/2011 CIVE-UDOM 28

 With respect to availability, a security policy describes what services must be provided. It may present parameters within which the services will be accessiblefor example, that a browser may download Web pages but not Java applets. It may require a level of service for example, that a server will provide authentication data within 1 minute of the request being made. This relates directly to issues of quality of service.
3/15/2011 CIVE-UDOM 29

Types of Security Policies

A military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality. A commercial security policy is a security policy developed primarily to provide integrity.

3/15/2011

CIVE-UDOM

30

Two other terms describe policies related to security needs: A confidentiality policy is a security policy dealing only with confidentiality. An integrity policy is a security policy dealing only with integrity.

3/15/2011

CIVE-UDOM

31

 Both confidentiality policies and military policies deal with confidentiality; however, a confidentiality policy does not deal with integrity at all, whereas a military policy may. A similar distinction holds for integrity policies and commercial policies.

3/15/2011

CIVE-UDOM

32

Security Mechanism
A security mechanism is a method, tool, or procedure for enforcing a security policy. Example 1: Default access for new files set to owner read, write, execute; group read; and no access for other.

3/15/2011

CIVE-UDOM

33

Security Mechanisms
Encryption: transforming data into something an attacker cannot understand, i.e., providing a means to implement confidentiality, as well as allowing user to check whether data have been modified. Authentication: verifying the claimed identity of a subject, such as user name, password, etc. Authorization: checking whether the subject has the right to perform the action requested. Auditing: tracing which subjects accessed what, when, and which way. In general, auditing does not provide protection, but can be a tool for analysis of problems.

3/15/2011

CIVE-UDOM

34