A Different View of Information Assurance

According to Debra Herrmann (Complete Guide to Security and Privacy Metrics), IA should be viewed as spanning four security engineering domains: physical security, personnel security, IT security and operational security. Examples of controls drawn from these domains:

- Enforcing hard-to-guess passwords
- Encrypting your hard drive
- Locking sensitive documents in a safe
- Stationing a marine guard outside an embassy
- Assigning security clearances to staffers
- Using SSL for data transfers
- Having off-site backup of documents

Physical security refers to the protection of hardware, software, and data against physical threats to reduce or prevent disruptions to operations and services and loss of assets.


Personnel security is a variety of ongoing measures taken to reduce the likelihood and severity of accidental and intentional alteration, destruction, misappropriation, misuse, misconfiguration, unauthorized distribution, and unavailability of an organization’s logical and physical assets, as the result of action or inaction by insiders and known outsiders, such as business partners.


IT security is the inherent technical features and functions that collectively contribute to an IT infrastructure achieving and sustaining confidentiality, integrity, availability, accountability, authenticity, and reliability.


Operational security involves the implementation of standard operational security procedures that define the nature and frequency of the interaction between users, systems, and system resources. Their purpose is to (1) achieve and sustain a known secure system state at all times, and (2) prevent accidental or intentional theft, release, destruction, alteration, misuse, or sabotage of system resources.

According to Raggad’s taxonomy of information security, a computing environment is made up of five continuously interacting components: activities, people, data, technology, and networks. A comprehensive security plan must take all five into account.

IA includes computer and information security, but more besides.


According to Blyth and Kovacich, IA can be thought of as protecting information at three distinct levels:

- physical: data and data processing activities in physical space;
- information infrastructure: information and data manipulation abilities in cyberspace;
- perceptual: knowledge and understanding in human decision space.

IA Levels: The Physical

The lowest level focus of IA is the physical level: computers, physical networks, telecommunications and supporting systems such as power, facilities and environmental controls. Also at this level are the people who manage the systems.

Desired Effects: to affect the technical performance and the capability of physical systems, to disrupt the capabilities of the defender.

Attacker’s Operations: physical attack and destruction, including electromagnetic attack, visual spying, intrusion, scavenging and removal, wiretapping, interference, and eavesdropping.

Defender’s Operations: physical security, OPSEC, TEMPEST.

IA Levels: The Infrastructure

The second level focus of IA is the information infrastructure level. This covers information and data manipulation ability maintained in cyberspace, including data structures, processes and programs, protocols, data content and databases.

Desired Effects: to influence the effectiveness and performance of information functions supporting perception, decision making, and control of physical processes.

Attacker’s Operations: impersonation, piggybacking, spoofing, network attacks, malware, authorization attacks, active misuse, and denial of service attacks.

Defender’s Operations: information security technical measures such as encryption and key management, intrusion detection, anti-virus software, auditing, redundancy, firewalls, policies and standards.

IA Levels: The Perceptual

The third level focus of IA is the perceptual level, also called social engineering. This is abstract and concerned with the management of perceptions of the target, particularly those persons making security decisions.

Desired Effects: to influence decisions and behaviors.

Attacker’s Operations: psychological operations such as deception, blackmail, bribery and corruption, social engineering, trademark and copyright infringement, defamation, diplomacy, creating distrust.

Defender’s Operations: personnel security including psychological testing, education, and screening such as biometrics, watermarks, keys, passwords.

The Information Warfare Spin on IA

The flip side of Information Assurance is Information Warfare (IW). In fact, one can think of the offensive part of IW as “information operations,” and the defensive part as information assurance. Three types of IW are distinguished:

- Type I involves managing an opponent’s perception through deception and psychological operations. In military circles, this is called Truth Projection.
- Type II involves denying, destroying, degrading, or distorting the opponent’s information flows to disrupt their ability to carry out or co-ordinate operations.
- Type III gathers intelligence by exploiting the opponent’s use of information systems.

IW can be carried out against individuals, corporations, or nations.

Is hacking IW?


Nature of the Threat

Necessary for IW, as for any related activity, are motive, means, and opportunity. In general, the offensive players in the world of IW come in six types:

- Insiders: employees, former employees and contractors.
- Hackers: those who gain unauthorized access to or break into information systems for thrills, challenge, power, or profit.
- Criminals: target information that may be of value to them: bank accounts, credit card information, intellectual property, etc.
- Corporations: actively seek intelligence about competitors or steal trade secrets.
- Governments and agencies: seek the military, diplomatic, and economic secrets of foreign governments, foreign corporations, and adversaries. May also target domestic adversaries.
- Terrorists: usually politically motivated and may seek to cause maximal damage to information infrastructure as well as endanger lives and property.

Is there overlap among these categories of actors? Which do you think is the biggest threat? Does it depend on the target?


IA Functional Components

IA is both proactive and reactive, involving protection, detection, capability restoration, and response.

i. IA environment protection pillars: ensure the availability, integrity, authenticity, confidentiality, and non-repudiation of information.

ii. Attack detection: timely attack detection and reporting is key to initiating the restoration and response processes.

iii. Capability restoration: relies on established procedures and mechanisms for prioritizing restoration of essential functions. Capability restoration may rely on backup or redundant links, information system components, or alternative means of information transfer. A post-attack analysis should be conducted to determine the command vulnerabilities and recommended security improvements.

iv. Attack response: involves determining actors and their motives, establishing cause and complicity, and may involve appropriate action against perpetrators. Response contributes by removing threats and enhancing deterrence.

IA Applies to Info Infrastructure

- Global Information Infrastructure: “worldwide interconnection of communication networks, computers, databases, and consumer electronics that make vast amounts of information available to users.”
- National Information Infrastructure: those within or serving the U.S., for government, commerce and research.
- Defense Information Infrastructure: those within or serving the DoD (e.g. nodes on SIPRNET and NIPRNET).

Critical Infrastructure Protection

Presidential Decision Directive 63 (PDD-63) of 1998: civilian systems are “essential to the minimum operations of the economy and government.” Examples: telecommunications, energy, banking, transportation and emergency services.

Vulnerability has increased as:
- information systems have become automated and interlinked;
- information systems use COTS technology, subject to viruses, worms, etc.

Every federal department CIO is responsible for information assurance.