Module One: Information Assurance
Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.
1. Information Assurance
Information Assurance and Security
1.1 Introduction: Information Assurance
Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. It uses physical, technical and administrative controls to accomplish these tasks. While focused predominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form. These protections apply to data in transit, both physical and electronic forms as well as data at rest in various types of physical and electronic storage facilities. Information assurance as a field has grown from the practice of information security.
Overview
Information assurance is the process of adding business benefit through the use of IRM (Information Risk Management) which increases the utility of information to authorized users, and reduces the utility of information to those unauthorized. It is strongly related to the field of information security, and also with business continuity.
IA relates more to the business level and strategic risk management of information and related systems, rather than the creation and application of security controls. Therefore, in addition to defending against malicious hackers and code (e.g., viruses), IA practitioners consider corporate governance issues such as privacy, regulatory and standards compliance, auditing, business continuity, and disaster recovery as they relate to information systems. Further, while information security draws primarily from computer science, IA is an interdisciplinary field requiring expertise in business, accounting, user experience, fraud examination, forensic science, management science, systems engineering, security engineering, and criminology, in addition to computer science. Therefore, IA is best thought of as a superset of information security (i.e., an umbrella term), and as the business outcome of Information Risk Management.
Information Assurance is also the term used by governments, including the government of the United Kingdom, for the provision of holistic security to information systems. In this use of the term, the interdisciplinary approach set out above is somewhat narrower: security/systems engineering, business continuity/enterprise resilience, forensic investigation and threat analysis are considered, but management science, accounting and criminology are not considered in developing mitigations for the risks identified in the risk assessments. HMG Information Assurance Standard 1&2, which replaced the HMG Information Security Standard, sets out the principles and requirements of risk management in accordance with the above principles and is one of the Information Assurance Standards currently used within the UK public sector.
Information assurance process
The information assurance process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner performs a risk assessment for those assets. Vulnerabilities in the information assets are determined in order to enumerate the threats capable of exploiting them. The assessment then considers both the probability and the impact of a threat exploiting a vulnerability in an asset, with impact usually measured in terms of cost to the asset's stakeholders. The sum, over all threats, of each threat's impact multiplied by the probability of its occurring is the total risk to the information asset.
With the risk assessment complete, the IA practitioner then develops a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response to threats.
Countermeasures may include technical tools such as firewalls and anti-virus software, policies and procedures requiring such controls as regular backups and configuration hardening, employee training in security awareness, or organizing personnel into a dedicated computer emergency response team (CERT) or computer security incident response team (CSIRT). The cost and benefit of each countermeasure are carefully weighed. Thus the IA practitioner does not seek to eliminate all risks, even were that possible, but to manage them in the most cost-effective way.
After the risk management plan is implemented, it is tested and evaluated, often by means of formal audits. The IA process is an iterative one, in that the risk assessment and risk management plan are meant to be periodically revised and improved based on data gathered about their completeness and effectiveness.
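The following is an added worked example of the assessment and planning steps above; it is not part of the original module. It builds a small risk register, computes each asset's total risk as the sum of probability times impact over its threats, and then evaluates candidate countermeasures by the risk they remove against what they cost. Every asset, threat, probability, impact and countermeasure figure below is constructed for the illustration and is not drawn from any real assessment.

```python
"""Quantitative risk assessment and cost-effective countermeasure selection.

Added example for the IA process section. All figures are constructed
sample data, not results of a real assessment.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    probability: float   # annual probability that the threat exploits the vulnerability
    impact: float        # cost to stakeholders if it does (one currency unit throughout)

    def expected_loss(self) -> float:
        return self.probability * self.impact


@dataclass
class Asset:
    name: str
    classification: str
    threats: list = field(default_factory=list)

    def total_risk(self) -> float:
        # Risk to the asset = sum over its threats of (probability x impact).
        return sum(t.expected_loss() for t in self.threats)


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    # Fraction by which this control reduces the probability of each named threat.
    reductions: dict

    def benefit(self, assets) -> float:
        """Expected loss removed per year across all assets the control touches."""
        saved = 0.0
        for asset in assets:
            for t in asset.threats:
                saved += t.expected_loss() * self.reductions.get(t.name, 0.0)
        return saved

    def net_benefit(self, assets) -> float:
        return self.benefit(assets) - self.annual_cost


def total_risk(assets) -> float:
    return sum(a.total_risk() for a in assets)


def build_register():
    """Constructed sample register: two assets, four threat entries."""
    db = Asset("customer database", "confidential", [
        Threat("ransomware", probability=0.20, impact=500_000),
        Threat("insider data theft", probability=0.05, impact=800_000),
    ])
    web = Asset("public web server", "internal", [
        Threat("web defacement", probability=0.30, impact=20_000),
        Threat("ransomware", probability=0.10, impact=50_000),
    ])
    return [db, web]


def build_countermeasures():
    """Constructed candidate controls with assumed costs and effectiveness."""
    return [
        Countermeasure("offline backups", annual_cost=15_000, reductions={"ransomware": 0.8}),
        Countermeasure("DLP monitoring", annual_cost=60_000, reductions={"insider data theft": 0.5}),
        Countermeasure("web application firewall", annual_cost=5_000, reductions={"web defacement": 0.7}),
    ]


def recommend(assets, countermeasures):
    """Return the controls with positive net benefit, best first.

    A control whose annual cost exceeds the expected loss it removes is
    rejected rather than applied: the aim is cost-effective management of
    risk, not elimination of all risk.
    """
    ranked = sorted(countermeasures, key=lambda c: c.net_benefit(assets), reverse=True)
    return [c for c in ranked if c.net_benefit(assets) > 0]


if __name__ == "__main__":
    assets = build_register()
    print(f"total risk: {total_risk(assets):,.0f}")
    for c in build_countermeasures():
        print(f"{c.name:28s} benefit {c.benefit(assets):>10,.0f} cost {c.annual_cost:>8,} net {c.net_benefit(assets):>10,.0f}")
    print("recommended:", [c.name for c in recommend(assets, build_countermeasures())])
```

With these constructed figures the register carries 151,000 of annual expected loss; offline backups remove 84,000 of it for 15,000 and are adopted, while the other two controls cost more than the loss they prevent and are recorded as accepted risk. The model deliberately treats each threat's probability reduction independently; where two controls address the same threat, the combined reduction must be modelled rather than summed.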
Information Security History
Since the early days of communication, diplomats and military commanders understood that it was necessary to provide some mechanism to protect the confidentiality of correspondence and to have some means of detecting tampering. Julius Caesar is credited with the invention of the Caesar cipher c. 50 B.C., which was created in order to prevent his secret messages from being read should a message fall into the wrong hands, but for the most part protection was achieved through the application of procedural handling controls. Sensitive information was marked up to indicate that it should be protected and transported by trusted persons, guarded and stored in a secure environment or strong box. As postal services expanded, governments created official organizations to intercept, decipher, read and reseal letters (e.g., the UK Secret Office and Deciphering Branch in 1653).
In the mid-19th century, more complex classification systems were developed to allow governments to manage their information according to the degree of sensitivity. The British Government codified this, to some extent, with the publication of the Official Secrets Act in 1889. By the time of the First World War, multi-tier classification systems were used to communicate information to and from various fronts, which encouraged greater use of code making and breaking sections in diplomatic and military headquarters. In the United Kingdom this led to the creation of the Government Code and Cypher School in 1919. Encoding became more sophisticated between the wars as machines were employed to scramble and unscramble information. The volume of information shared by the Allied countries during the Second World War necessitated formal alignment of classification systems and procedural controls. An arcane range of markings evolved to indicate who could handle documents (usually officers rather than men) and where they should be stored as increasingly complex safes and storage facilities were developed. Procedures evolved to ensure documents were destroyed properly and it was the failure to follow these procedures which led to some of the greatest intelligence coups of the war (e.g., U-570).
During the 1990s, the computer security industry witnessed a revolution in the mainstream emergence of the hacking subculture. Hackers suddenly had different motives: greed, ideology, and revenge. In early 2002, a Russian hacker was arrested for attempting to extort $10,000 from a U.S. bank after breaking into one of its Web servers and stealing a customer list with names, addresses, and bank account numbers. Governments are getting into the act too: almost every civilized nation has some sort of information warfare program designed to cripple the computing infrastructure of an adversary's military. Finally, a huge number of attacks have originated from disgruntled employees and former employees of companies who know and exploit the soft spots in a corporate security policy.
The end of the 20th century and early years of the 21st century saw rapid advancements in telecommunications, computing hardware and software, and data encryption. The availability of smaller, more powerful and less expensive computing equipment made electronic data processing within the reach of small business and the home user. These computers quickly became interconnected through the Internet.
The rapid growth and widespread use of electronic data processing and electronic business conducted through the Internet, along with numerous occurrences of international terrorism, fueled the need for better methods of protecting the computers and the information they store, process and transmit. The academic disciplines of computer security and information assurance emerged along with numerous professional organizations – all sharing the common goals of ensuring the security and reliability of information systems.
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc.). Two major aspects of information security are:
• IT security: Sometimes referred to as computer security, Information Technology Security is information security applied to technology (most often some form of computer system). It is worthwhile to note that a computer does not necessarily mean a home desktop. A computer is any device with a processor and some memory (even a calculator). IT security specialists are almost always found in any major enterprise/establishment due to the nature and value of the data within larger businesses. They are responsible for keeping all of the technology within the company secure from malicious cyber-attacks that often attempt to breach into critical private information or gain control of the internal systems.
• Information assurance: The act of ensuring that data is not lost when critical issues arise. These issues include but are not limited to: natural disasters, computer/server malfunction, physical theft, or any other instance where data has the potential of being lost. Since most information is stored on computers in our modern era, information assurance is typically dealt with by IT security specialists. One of the most common methods of providing information assurance is to have an off-site backup of the data in case one of the mentioned issues arises.
Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers.
Definitions:
1. "Preservation of confidentiality, integrity and availability of information. Note: In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved."
2. "The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability."
3. "Ensures that only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability)."
4. "Information Security is the process of protecting the intellectual property of an organization."
5. "...information security is a risk management discipline, whose job is to manage the cost of information risk to the business."
6. "A well-informed sense of assurance that information risks and controls are in balance."
7. "Information security is the protection of information and minimizes the risk of exposing information to unauthorized parties."
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users. The term computer system security means the collective processes and mechanisms by which sensitive and valuable information and services are protected from publication, tampering or collapse by unauthorized activities or untrustworthy individuals and unplanned events respectively. The strategies and methodologies of computer security often differ from most other computer technologies because of its somewhat elusive objective of preventing unwanted computer behavior instead of enabling wanted computer behavior.
• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks
Why Security?
Computer security is required because most organizations can be damaged by hostile software or intruders. There are several forms of damage, which are obviously interrelated. These include:
• Damage or destruction of computer systems.
• Damage or destruction of internal data.
• Loss of sensitive information to hostile parties.
• Use of sensitive information to steal items of monetary value.
• Use of sensitive information against the organization's customers, which may result in legal action by customers against the organization and loss of customers.
• Damage to the reputation of an organization.
• Monetary damage due to loss of sensitive information, destruction of data, hostile use of sensitive data, or damage to the organization's reputation.
Principles of Security (Goals)
The three concepts Confidentiality, Integrity and Availability form what is often referred to as the CIA triad (Figure 1). They embody the fundamental security objectives for both data and for information and computing services. FIPS PUB 199 provides a useful characterization of these three objectives in terms of requirements and the definition of a loss of security in each category:
1. Confidentiality:

Confidentiality is a set of rules that limits access to information.
Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it.
Training can help familiarize authorized people with risk factors and how to guard against them. Further aspects of training can include strong passwords and password-related best practices and information about social engineering methods.
Historically, security and secrecy were closely related. Even today, many people still feel that the main objective of computer security is to stop unauthorized users from learning sensitive information. Confidentiality (privacy, secrecy) captures this aspect of computer security.
The terms privacy and secrecy are sometimes used to distinguish between the protection of personal data (privacy) and the protection of data belonging to an organization (secrecy).
Confidentiality is the term used for the prevention of disclosure of information to unauthorized individuals or systems.
For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.
Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.
FIPS PUB 199 characterizes confidentiality as "preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information." A loss of confidentiality is the unauthorized disclosure of information. In short: prevention of unauthorized disclosure of information.
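The credit-card example above lists "limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on)" as a confidentiality control. The following added example, which is not part of the original module, shows one way that is done in practice: card numbers are redacted before a line is written to a log, with a Luhn check so that other long numbers (order IDs, timestamps) are left alone. The log lines are constructed for the example; the card numbers are standard test numbers that pass the Luhn check but belong to no real account.

```python
"""Redacting primary account numbers (PANs) from log lines before they are written.

Added example for the confidentiality section. Sample lines are constructed;
the card numbers are well-known test numbers, not real accounts.
"""
import re

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# bounded by non-word characters so a longer digit run is not partially matched.
_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation.

    Used as a filter so that only strings structured like a card number are
    masked; arbitrary numeric fields fail the check about nine times in ten.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits (the conventional display form), mask the rest."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(line: str) -> str:
    """Return `line` with every Luhn-valid card-number-shaped token masked."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)       # not a card number: leave the field untouched
    return _CANDIDATE.sub(_sub, line)


if __name__ == "__main__":
    # Constructed sample log lines.
    for raw in [
        "2024-05-01T10:00:01 payment ok card=4111111111111111 order=1234567890123",
        "2024-05-01T10:00:02 retry card 5500 0000 0000 0004 ts=1714557601000",
    ]:
        print(redact(raw))
```

Redaction at the logging boundary is a complement to, not a substitute for, not handling the full PAN in application code in the first place; a Luhn filter is also probabilistic, so a field that happens to pass the check will be masked too, which is the safer failure direction. Note that encryption in transit, the other control the paragraph mentions, does nothing for a number that is then written to a plaintext log on the server.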
2. Integrity:
Integrity is about making sure that everything is as it is supposed to be, and in the context of computer security, the prevention of unauthorized modification of information as illustrated in Figure 3.
However, additional qualifications like "being authorized to do what one does" or "following the correct procedures" have also been included under the term integrity, so that users of a system, even if authorized, are not permitted to modify data items in such a way that assets or accounting records of the company are lost or corrupted.

Integrity is the assurance that the information is trustworthy and accurate.
Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle.
Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, by an attacker who has already gained unauthorized access).
This goal defines how we keep our data from being altered. A man-in-the-middle (MITM) attack is the classic example of a threat to this goal.
In computer security, integrity means that data cannot be modified undetectably. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Computer and information security systems therefore typically provide message integrity in addition to data confidentiality.
FIPS PUB 199 characterizes integrity as "guarding against improper information modification or destruction", which includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. In short: prevention of unauthorized modification of information.
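The paragraphs above make two claims that are easier to see in code than in prose: that integrity is violated when a message is modified in transit, and that confidentiality alone does not give integrity. The following added example, not part of the original module, shows both. A sender encrypts a payment instruction with a stream cipher and attaches an HMAC; a man-in-the-middle changes the amount by flipping ciphertext bits without knowing any key, which goes unnoticed if only the cipher is used, and is caught when the receiver checks the tag. The keys and message are constructed for the example, and the SHA-256 counter keystream is a deliberately simple stand-in for a real stream cipher, used only because it exhibits the same malleability.

```python
"""Message integrity with HMAC, and why encryption alone does not provide it.

Added example for the integrity section. Keys and message are constructed;
the XOR keystream below is a toy illustrating stream-cipher malleability and
is not a production cipher.
"""
import hashlib
import hmac


def keystream(key: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256 in counter mode. Illustrative only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> tuple:
    """Sender side: encrypt, then authenticate the ciphertext (encrypt-then-MAC)."""
    ct = encrypt(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct, tag


def unprotect(enc_key: bytes, mac_key: bytes, ct: bytes, tag: bytes) -> bytes:
    """Receiver side: verify the tag in constant time before decrypting anything."""
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: message was modified in transit")
    return decrypt(enc_key, ct)


def flip_amount(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Man-in-the-middle edit: XOR the ciphertext so the plaintext reads `new`
    instead of `old` at `offset`. Needs no key; works on any stream cipher
    because ct ^ (old ^ new) decrypts to new wherever the plaintext was old."""
    delta = bytes(a ^ b for a, b in zip(old, new))
    buf = bytearray(ct)
    for i, d in enumerate(delta):
        buf[offset + i] ^= d
    return bytes(buf)


def demo() -> tuple:
    """Returns (what an unauthenticated receiver would read, whether the MAC caught it)."""
    enc_key, mac_key = b"enc-key-example", b"mac-key-example"   # constructed keys
    msg = b"PAY 0010 TO ACCT 4242"
    ct, tag = protect(enc_key, mac_key, msg)
    # Attacker on the wire rewrites the amount without knowing either key.
    tampered = flip_amount(ct, msg.index(b"0010"), b"0010", b"9999")
    # Confidentiality only: decryption silently yields the altered amount.
    silently_altered = decrypt(enc_key, tampered)
    # Confidentiality plus integrity: the tag no longer matches.
    try:
        unprotect(enc_key, mac_key, tampered, tag)
        detected = False
    except ValueError:
        detected = True
    return silently_altered, detected


if __name__ == "__main__":
    altered, detected = demo()
    print("without MAC, receiver reads:", altered)
    print("with MAC, tampering detected:", detected)
```

The order matters: the tag is computed over the ciphertext and checked before decryption, so the receiver never acts on unauthenticated data, and hmac.compare_digest is used so that tag comparison time does not leak how many leading bytes matched. In deployed systems this pairing is normally provided by an authenticated-encryption mode rather than assembled by hand.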
3. Availability:
Figure 4: Illustration of Availability
Availability means that assets are accessible to authorized parties at appropriate times.
Availability is very much a concern beyond the traditional boundaries of computer security. We want to ensure that a malicious attacker cannot prevent legitimate users from having reasonable access to their systems.
For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks. FIPS PUB 199 characterizes availability as "ensuring timely and reliable access to and use of information." A loss of availability is the disruption of access to or use of information or an information system. In short: prevention of unauthorized withholding of information or resources.
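As an added example for the denial-of-service point above (not part of the original module), the following shows one of the simplest availability controls: a per-client token-bucket rate limiter that lets a flooding client exhaust only its own allowance while other clients keep being served. The client names, traffic pattern and limits are constructed for the simulation; the clock is a simulated timestamp rather than wall time so the run is deterministic.

```python
"""Preserving availability under a request flood: per-client token-bucket rate limiting.

Added example for the availability section. Clients, rates and limits are
constructed for the simulation.
"""
from collections import defaultdict


class TokenBucket:
    """A client may burst up to `capacity` requests, then sustain `rate` requests per second."""

    def __init__(self, rate: float, capacity: int):
        self.rate = rate
        self.capacity = capacity
        self.tokens = float(capacity)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never beyond capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class RateLimiter:
    """One bucket per client identity, created on first sight."""

    def __init__(self, rate: float = 5.0, capacity: int = 10):
        self.buckets = defaultdict(lambda: TokenBucket(rate, capacity))

    def handle(self, client: str, now: float) -> bool:
        return self.buckets[client].allow(now)


def simulate() -> tuple:
    """Constructed 10-second window: one client floods at 100 req/s,
    two legitimate clients send 1 req/s each. Returns (served, dropped) per client."""
    limiter = RateLimiter(rate=5.0, capacity=10)
    served = defaultdict(int)
    dropped = defaultdict(int)
    requests = []
    for tick in range(1000):            # 10 s at 10 ms resolution
        t = tick / 100.0
        requests.append(("attacker", t))         # 100 requests per second
        if tick % 100 == 0:
            requests.append(("alice", t))        # 1 request per second
            requests.append(("bob", t + 0.005))  # 1 request per second, slightly offset
    for client, t in sorted(requests, key=lambda r: r[1]):
        if limiter.handle(client, t):
            served[client] += 1
        else:
            dropped[client] += 1
    return dict(served), dict(dropped)


if __name__ == "__main__":
    served, dropped = simulate()
    for client in sorted(set(served) | set(dropped)):
        print(f"{client:9s} served {served.get(client, 0):4d} dropped {dropped.get(client, 0):4d}")
```

The flooding client gets its initial burst of 10 and then about 5 per second, roughly 60 of its 1,000 requests, while alice and bob are never refused. The limit is keyed on client identity, so the control holds only as far as that identity is trustworthy: a distributed flood from many addresses needs capacity planning, upstream filtering or a stronger notion of client (authenticated sessions) rather than a larger bucket.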