Notes 139

Information and Assurance Security

Information assurance and information security are related but separate concepts. “The
terms are inherently linked and share an ultimate goal of preserving the integrity of
information.” Information assurance is about protecting information assets, while
information assurance and security together cover the management and protection of
knowledge, information, and data.
Information assurance focuses on ensuring the availability, integrity,
authentication, confidentiality, and non-repudiation of information and systems.
These measures may include providing for restoration of information systems by
incorporating protection, detection, and reaction capabilities. It focuses on
gathering data.

Information security centers on the protection of information and
information systems from unauthorized access, use, disclosure, disruption,
modification, or destruction in order to provide confidentiality, integrity, and
availability. In short, it is about keeping the data safe.

Non-repudiation- Assurance that the sender of information is provided with proof
of delivery and the recipient is provided with proof of the sender's identity, so
neither can later deny having processed the information.
Non-repudiation is the assurance that someone cannot deny the validity of
something. Non-repudiation is a legal concept that is widely used in information.
Information Technology Security Threats
1. Common Threats- Threats originate with humans, technology, and
environmental conditions. Examples are human errors when entering
information, misconfigured systems, malicious software, and natural disasters
such as floods and earthquakes. When these threats exist and the associated
vulnerabilities are not controlled, information could be lost, become unavailable,
or become corrupt, hence compromising information assurance. Threats can be
divided into four categories: force majeure, deliberate acts, human failure, and
technical failure.

2. Errors and Negligence- People are prone to make errors when using
computers, especially after long hours of work. Typographical errors can occur
when entering data, and if these errors are not checked, validated, and corrected,
they affect the accuracy and integrity of information. Even the most advanced
programs may not detect all input errors or negligence. A thorough awareness
program for all employees is beneficial in reducing or eliminating employee error
and neglect. Another source of errors is misconfigured systems and failures to
patch software in a timely fashion. While a technical error, a misconfigured
system may leave vulnerable services running. These services are ripe for
hackers to exploit.

3. Fraudulent and Theft Activities- Fraud and theft activities are common in the
business world. In modern financial systems using IT, fraud involving checks,
credit cards, and automatic teller machine (ATM) networks can add up to
multimillion-dollar losses. With technical advancement and downloadable
materials from the Internet, anyone with basic knowledge of system penetration
may successfully trespass into sensitive areas of financial information systems.
An example is transferring large amounts of money into personal
accounts online. Someone internal or external to the organization can carry out
this type of crime. Internal parties are more familiar with the targeted system.
These internal threats are not limited to technical employees. These threats can
be exploited by administrative or even suspended employees whose access
rights have not been revoked appropriately. As long as the IT infrastructure
connects to the outside world, external exploits can come from anywhere
including wireless communications.

4. Loss of Infrastructure- Modern organizations connect through internal and
external infrastructures which are not under their direct control. It is crucial to
ensure that an organization’s physical and virtual infrastructures are well
maintained to avoid loss from these communication channels. These services
are interdependent; therefore, malfunctions in one area may affect another.
Suggested infrastructure support would include communication channels, power
lines, and specific peripherals used to support the mission. Infrastructure
interruption may cause significant disruption to the organization’s usual
operations. This leads to losses in terms of money, time, and resource use.

5. Malware- Malware, or malicious software, penetrates systems resulting in
damage to the system. Malware is actually a piece of code or software program
that is hostile, intrusive, or at least annoying. Examples of malware are Trojan
horses, viruses, worms, and logic bombs. The costs of eradicating malware may
amount to thousands of dollars to repair the affected information systems. In
addition to the time and other resources involved in dealing with the problem,
malware may affect the overall organization’s productivity level. Although the
amount is widely debated, the first worm (the Morris worm in 1988) was
estimated by industry to have cost between $250,000 and $96 million.
6. Attackers- Attackers are those who penetrate an organization’s system either
internally or externally with or without authorization. Internal attackers may be
disgruntled employees, and their specialized knowledge potentially makes them
a highly capable adversary. Despite this, an external attacker’s threat is usually
seen as a high-risk threat. Generally, the organization has limited information
about the reasons for such attacks, whether for fun, for information theft, or simply
to cause disruptions to the organization’s business process.

Capabilities of Attackers:
Elite hackers- These highly technical individuals seek new vulnerabilities
in systems and can create scripts and programs to exploit vulnerabilities. These
actors are often sponsored by terrorists, nation states, military, or organized
crime, or they are engaged in industrial espionage.
Script writers- These are the next step down on the family tree of attackers.
Although less technically qualified in finding vulnerabilities, they are capable of
building and executing scripts to exploit known vulnerabilities.
Script kiddies- These possess neither the expertise to find vulnerabilities
nor the skills to exploit them. Their knowledge is limited to downloading and
executing scripts and tools that others have developed. These individuals
constitute the majority of the threat community. Despite their lack of skills, large
numbers of script kiddies constitute a threat. When large numbers of script
kiddies are active, they generate enough traffic to mask the activities of the elite
hackers, increasing the risk to defensive systems.
Motivation of Attackers: Attackers have diverse motivations. Some are
motivated by greed and money; others are motivated by prestige or revenge.
A. Hackers and hacktivists- Hackers use technical and social means to gain
authorized or unauthorized access to information assets, computer systems,
and networks. Some of the technical means include delving deep into the
code and protocols used in computer systems and networks.
a. White-hat hackers use their skills to determine whether
systems are in fact secure. White hats operate within strict rules of
engagement and with the explicit permission of a system’s owner.
They also often subscribe to professional codes of ethics as part of
their professional credentialing.
b. Black-hat hackers are motivated by using their skills to
penetrate systems by the path of least resistance without
authorization from the system owner.
c. Gray hats attempt to walk the line between the black hat and the
white hat. White hats will often state there is no “gray”; once a
hacker gives up on ethics and the strict rules of engagement, their
credibility as a white hat is compromised.
d. Hacktivists are motivated to use their skills for political purposes.
Hacktivists are becoming more common and can take the form of
script kiddies, the elite, or anywhere in between. Often, information
systems connected with political agendas or national security
systems are the targets of hacktivists.
B. Criminal Attackers- These attackers view the computer and its contents
as the target of a crime—it’s something to be stolen or it’s used to
perpetrate the crime. These individuals are motivated simply by profit and
greed. Since most large financial transactions occur on networks,
electronic crimes include fraud, extortion, theft, embezzlement, and
forgery.
C. Nation States- Nation states are motivated by espionage and economic
gain. While nation states spy on each other to gain political information,
nation states may also engage in industrial espionage.
D. National warfare, asymmetric warfare, and terrorism- Nations depend
on information systems to support the economy, infrastructure, and
defense, which are all important assets. They are now targets not only of
unfriendly foreign powers that are sources of highly structured threats but
also of terrorists who are somewhat less structured. Independent of
source, their actions constitute information warfare.
E. Information Warfare- Information warfare is using information technology
as a weapon to impact an adversary. Several recent examples have
shown how customized malware and computer viruses can dramatically
impact the progression of secret nuclear ambitions or severely cripple the
command and control infrastructure of an opponent.
Types of Attacks:
A. Technical Attacks- For this type of attack, the attacker may create false
content or deface the appearance. This may damage the organization’s
image and reputation in terms of customer confidence and providing
reliable services to its clients.
B. Social Engineering (SE) Attacks- These rely on trust. These attacks are
performed over the phone after sufficient background information has
been obtained concerning the target. Electronic SE attacks seem to be
overtaking the phone SE attacks.
C. Physical Attacks- These rely on weaknesses surrounding computer systems.
These may take the form of dumpster diving for changed passwords and
configuration information, or organizing unauthorized access to a wiring
closet and installing a Wi-Fi bridge to hack from a parking lot outside.
There are several steps commonly used in executing an attack. First, the
perpetrator will profile the organization they want to attack. They will do simple things
such as Google the organization or use a Whois lookup. Armed with that data, they will
try to determine what systems are exposed by using tools such as Nmap or a ping
sweep. The third step is fingerprinting. Using knowledge of the exposed systems, they
will use tools such as a banner grab to identify the operating system and the open ports.
After intelligence gathering, the attack begins by the attacker searching for
vulnerabilities and exploits that match; then, they will systematically execute exploits.
Appropriate countermeasures are discussed later; however, significant protection
comes from simple steps such as limiting the amount of information exposed to the
outside world. This makes system hardening and patching even more effective.
7. Employee Sabotage- When considering deliberate human acts, you should
consider the motive, means, and opportunity of the individual or group. As
mentioned earlier, disgruntled employees who know the internal technical details
of systems present a continuous threat to the organization. Employees may carry
out antisocial or unwanted actions, such as the following:
• Damaging the organization’s key infrastructure.
• Revealing secret and confidential information to competitors.
• Creating tensions and rifts among employees by spreading hoaxes or
anonymous rumors.
• Threatening the health and safety of others.
• Stealing important documents.
An employee might resort to sabotage because of the following:
• Belief that management will not treat them fairly.
• Desire for revenge because of perceived wrongs against the individual,
colleagues, or management.
• Need for material gain for themselves or someone they care for.
Sabotage is difficult to detect in a timely manner. To improve early detection,
establishing a whistleblower policy within the organization is important. This policy
allows individuals reporting suspected wrongdoings to remain anonymous. This is a
good mechanism to curb sabotage.
8. Industrial Espionage- This is the act of spying or of using agents to obtain confidential
information about business competitors. Industrial espionage attacks have
precise motivations, for example, to gain an advantage over the competition by
stealing trade secrets and market strategies. Some examples of these illegal
methods are bribery, blackmail, and technological surveillance.
Controls such as restricting the use of flash drives and monitoring employee
workstations could be considered as a deterrent, yet they do not eliminate the threat.
The users within an organization need to be trusted in order for work to be done.
Industrial espionage focuses on the theft of trade secrets for use by a competitor. The
motivation of industrial espionage is often commercial. Research results, manufacturing
techniques, chemical formulas, source code, and designs are targets since these assets
use significant resources to develop. The attacker hopes to shortcut their research by
stealing someone else’s. Manufacturing, research, and technology-heavy industries are
often the targets of industrial espionage.
9. Invasion of Privacy- While organizations continue to compile information about
their customers, competitors, and employees, they must be concerned with
protecting personally identifiable information. The following trends are prevalent
and contribute to invasion of privacy:
• Increased surveillance.
• More information kept about travelers.
• New and existing antiterrorism laws and governmental measures offering
powerful search capabilities and increased sharing of information among law
enforcement authorities.
• Poor management of personal data such as racial origin, health condition, and
offenses.
• Users unknowingly providing their personal information to “free” services such as
social media.
10. Phishing- Phishing is an illegal activity, fraud, or swindle carried out by deceiving users
into revealing sensitive information for the benefit of the attacker. Phishing can be
done via e-mail notification as well as through false links promoted via instant
messengers. The usual tactic is to trap the receiver into disclosing personal
information for illegal use or manipulation. Personal and account details are often
the favorite targets.
Spear Phishing- Spear phishing is similar to phishing except it targets specific individuals with
personalized messages and attachments that may appear to be relevant to the user
but that contain malware that gives the attacker access to the victim’s computer.
11. Spamming- Spamming is the mass sending of e-mail. It causes network traffic jams and
junk mail. Spam e-mails generally contain advertising for products whose
reliability is unknown, or they serve as a vector for phishing.
12. Vulnerabilities- Vulnerabilities are weaknesses inherent within the information
asset that are exploitable by emerging threats. Lack of antivirus software on a
workstation, inadequate hiring procedures, and the absence of physical access
controls in the server room are examples of vulnerabilities.
Generally, there are three channels through which users get information about vulnerabilities:
• Newsletter- This is for any confirmed vulnerability that has no exploitable
characteristic and poses no harm. The parties who discover the vulnerability
should inform US-CERT and have the findings published in the newsletter.
• Advisory- This is for a confirmed vulnerability with low or medium levels of local
or remote exploitability. The advice should be accompanied by remedies or
workaround solutions.
• Alert- This is for a confirmed vulnerability that has a high level of local or remote
exploitability and poses a definite threat to the information system. Immediate
escalation and action need to be performed depending on the severity of the
alert triggered.
13. Controls- Controls are actions taken or mechanisms established to resolve
information assurance issues. Controls to protect identified assets vary from one
organization to another because they depend on issues such as an organization’s
objectives, availability of resources, and risk profiles.
The implementation of controls is driven by the following factors:
• To protect critical and sensitive information assets.
• To ensure compliance with regulatory and legislative requirements.
• To gain a competitive edge.
• To mitigate risks and avoid unnecessary operational, financial, and customer
losses.
Categories of Control:
A. Management Controls- are security controls that are strategic and suitable for
planning and monitoring purposes. Examples of controls in this category are the
information assurance policy and information assurance risk management
exercises.
B. Operational Controls- are controls used in day-to-day operations to ensure the
secure execution of business activities. Examples of controls in this category are
mechanisms or tools for IT support and operations, physical and environmental
security controls, and information security incident-handling processes and
procedures.
C. Technical Controls- are the possible technical and physical implementation of
information assurance solutions and recommendations. Examples of controls in
this category are access controls, as well as security audit and monitoring tools.
14. Key Considerations- The implementation of controls is a constant interplay of
competing risk models and efficacy of policies, rules, and tools. Controls require
organizational resources to install, maintain, and ultimately remove them. The
following sections discuss some of the key considerations to be made when
implementing a control.
Establish Balance Between Managing Risk and Implementing Controls:
• Balancing the costs and benefits of countermeasures is a risk management
exercise. Risk management identifies assets, threats, the effect of the threat,
and, finally, how the organization can mitigate the loss.
• Intangible costs such as loss of reputation and image are subjective and difficult
to measure. Despite the difficulty, consider all tangible and intangible costs.
• Organizations can make a more effective decision about security controls by
understanding the risks associated with each asset, the value of each asset, and
the cost of protecting the asset. Better decisions can be made about suitable
countermeasures after the objectives for information asset protection are
understood and documented. Subsequently, policies and procedures are defined
to put those decisions into practice.
Ensure the Proper Controls Are Selected and Implemented
Organizational considerations should include identifying the following:
• The end users of the controls.
• How the security controls act as supporting mechanisms in achieving the
organization’s mission.
• The operational issues such as day-to-day work involved, maintenance, and
training on the controls.
• The organization’s security requirements, with relevance to the higher regulatory
requirements and internal policies.
• The sensitivity of the data in accordance with information classification.
Considerations pertaining to the control itself should include the following:
• Existing vulnerabilities in the control.
• Implementation requirements and frequency history for patches.
• Interactions with the current infrastructure setup.
• Scalability and compatibility requirements.
• Test requirements.
• Total life-cycle costs (including purchase acquisition, maintenance, and support).
• User friendliness.
Assess and Review Controls- Once a control has been implemented, it should be
assessed and reviewed periodically to determine whether the control is performing as
expected. Undertake monitoring, assessing, and reviewing controls to do the following:
• Detect errors in information processing results.
• Enable management to determine whether the security activities are performing
as intended.
• Identify any attempted or successful intrusions into information systems.
• Record whether previous actions taken to resolve security breaches were
effective.
Usually, you can assess the performance of implemented security controls by using
information system scans, audit reports, logs, risk assessment reports, or by reviewing
security policies. It is vital to benchmark and measure against best practices whether
security controls are functioning objectively, as intended, to avoid unwanted security
breaches.
Continuous monitoring- Continuous monitoring is often used and touted as a replacement for
assessments. Continuous monitoring as an approach is not flawed; however, unless all
controls are studied and baselined to determine the appropriate frequency and quality of
assessment, the approach may give a false sense of security. Continuous monitoring
focuses on automating controls such as vulnerability scanning and patching systems.
While this automation is desirable, it is largely meaningless unless a vulnerability on one
system can be compared against the same vulnerability on other systems in terms of
risk and effect on the organization.

Codes- A code differs from a cipher in that a code consists of letters, whole words, and phrases
with code groups (numbers and/or words) that replace the plain text. People desiring to
read the encoded message need a codebook to translate the code to plain text. For
example, a nine-digit customer account number is a code.
Ciphers- A cipher uses the individual letters as the basic plain-text units and uses a key (or
password), which tells the composition of letters in the cipher alphabet or the pattern of
rearranging letters in a message. Messages sent unencoded or unenciphered are in
plain language, in the clear, or in clear text.
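The code-versus-cipher distinction above, as an added example that is not part of the original notes: the codebook contents are constructed for illustration, and a Vigenère shift is used as the keyed letter cipher. The code can only express phrases that exist in the shared codebook, while the cipher works letter by letter on any message.

```python
"""Codes versus ciphers: word-level codebook substitution vs. keyed letter cipher."""
import string

# Constructed codebook for this example: plain-text phrases -> numeric code groups.
CODEBOOK = {
    "transfer funds": "4471",
    "account": "8820",
    "approved": "1903",
    "denied": "7752",
}
REVERSE_CODEBOOK = {group: phrase for phrase, group in CODEBOOK.items()}


def encode(message: str) -> str:
    """Replace each codebook phrase with its code group, longest phrase first.

    Raises KeyError for a word the codebook does not cover: a code has no way to
    express vocabulary that was never assigned a group, which is exactly why a
    codebook (not just a key) must be shared between the parties.
    """
    words = message.lower().split()
    groups, i = [], 0
    while i < len(words):
        for length in (2, 1):  # try two-word phrases before single words
            if i + length > len(words):
                continue
            phrase = " ".join(words[i:i + length])
            if phrase in CODEBOOK:
                groups.append(CODEBOOK[phrase])
                i += length
                break
        else:
            raise KeyError(f"no code group for {words[i]!r}")
    return " ".join(groups)


def decode(code_text: str) -> str:
    """Translate code groups back to plain text using the same codebook."""
    return " ".join(REVERSE_CODEBOOK[g] for g in code_text.split())


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Letter-level cipher: each letter is shifted by the matching key letter.

    Non-letters pass through unchanged and do not advance the key position, so
    decryption with the same key lines up exactly. Case is preserved.
    """
    alphabet = string.ascii_uppercase
    shifts = [alphabet.index(k) for k in key.upper()]
    out, pos = [], 0
    for ch in text:
        if ch.upper() in alphabet:
            shift = shifts[pos % len(shifts)]
            if decrypt:
                shift = -shift
            new = alphabet[(alphabet.index(ch.upper()) + shift) % 26]
            out.append(new if ch.isupper() else new.lower())
            pos += 1
        else:
            out.append(ch)
    return "".join(out)
```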
Types of Encryption:
A. Symmetric Encryption- is when the sender and receiver use the same private
key to encrypt and decrypt a message. The key and the plain-text (unencrypted)
message are combined systematically to yield a cipher text. If the encryption is
secure, others cannot recover the message from the cipher text unless they
know both the key and the systematic process used (called the encryption
algorithm). Symmetric encryption is relatively fast.
B. Asymmetric Encryption- uses two different keys (one is public and the other is
kept private) and an algorithm based on mathematical functions that would require
extensive resources to break. One key, called a public key, is used to encrypt a
message, and a second key, called a private key, is used to decrypt the message
(using the mathematical function).
Encryption Key Escrow- When individuals use encryption without central mandatory
control, the availability of organizational data is threatened. Employees who are fired or
die unexpectedly are equally unlikely to return and provide the company with the
encryption keys that secure their important files. Senior leaders must ensure the
management of encryption is closely monitored. Organizations should implement rules
that include termination for unauthorized use of encryption.
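An added example, not part of the original notes, combining the symmetric encryption and key escrow sections above: each file gets its own data-encryption key, and a copy of that key is wrapped under an organizational escrow key so the organization can still recover the file when the employee is gone. The SHA-256 counter-mode keystream is a toy stand-in for a real cipher such as AES so the example runs offline, and the escrow record format and key holder are assumptions.

```python
"""Symmetric encryption with key escrow: the organization keeps a wrapped copy of
each data-encryption key (DEK) so data survives the loss of the employee's key."""
import hashlib
import hmac
import secrets

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended to each escrow record


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks. Illustration only, not AES."""
    blocks, counter = [], 0
    while len(blocks) * 32 < length:
        blocks.append(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def sym_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same key and call also decrypt."""
    return bytes(d ^ k for d, k in zip(data, _keystream(key, len(data))))


sym_decrypt = sym_encrypt  # symmetric: one shared key, same operation both ways


def _subkeys(escrow_key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from the organizational escrow key."""
    enc = hashlib.sha256(b"escrow-enc" + escrow_key).digest()
    mac = hashlib.sha256(b"escrow-mac" + escrow_key).digest()
    return enc, mac


def wrap_dek(escrow_key: bytes, dek: bytes) -> bytes:
    """Encrypt the DEK under the escrow key and append an HMAC tag."""
    enc, mac = _subkeys(escrow_key)
    body = sym_encrypt(enc, dek)
    return body + hmac.new(mac, body, hashlib.sha256).digest()


def unwrap_dek(escrow_key: bytes, record: bytes) -> bytes:
    """Verify the tag first, so a wrong escrow key or a tampered escrow record
    fails loudly instead of silently yielding a garbage DEK."""
    enc, mac = _subkeys(escrow_key)
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("escrow unwrap failed: wrong escrow key or tampered record")
    return sym_decrypt(enc, body)


def employee_encrypts(escrow_key: bytes, document: bytes) -> tuple:
    """Employee side: encrypt under a fresh DEK and deposit the wrapped DEK."""
    dek = secrets.token_bytes(32)
    return sym_encrypt(dek, document), wrap_dek(escrow_key, dek)


def organization_recovers(escrow_key: bytes, ciphertext: bytes, record: bytes) -> bytes:
    """Recovery path after the employee leaves: only the escrow key is needed."""
    return sym_decrypt(unwrap_dek(escrow_key, record), ciphertext)


if __name__ == "__main__":
    org_key = secrets.token_bytes(32)  # held by the security office (assumption)
    ct, rec = employee_encrypts(org_key, b"Q3 forecast: constructed sample text")
    print(organization_recovers(org_key, ct, rec))
```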
