Information Assurance, Lecture notes of Information Systems

Introduction of Information Assurance

Typology: Lecture notes

2020/2021

Uploaded on 12/02/2021


An Introduction to

Information Assurance

IAS | Information Assurance and Security

IAS | AURORA STATE COLLEGE OF TECHNOLOGY

Definitions
- Security Attack: Any action that compromises the security of information.
- Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
- Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

Security Services (Goals)
- Confidentiality – concealment of information or resources. Includes whether or not data exists. Implies “authorization” so that only authorized people can access confidential data.

Security Services (cont.)
- Availability – the ability of authorized entities to use the information or resource. Denial of service attacks inhibit this service.
- CIA: Confidentiality, Integrity, Availability

Vulnerabilities, Threats and Attacks
- A vulnerability is a weakness in the system that might be exploited to cause loss or harm (and a violation of security services).
- A threat is a potential violation of security. Security services counter threats.
- An attack is the actual attempt to violate security. It is the manifestation of the threat.

Types of Attacks
- Interruption: This is an attack on availability.
- Interception: This is an attack on confidentiality.
- Modification: This is an attack on integrity.
- Fabrication: This is an attack on integrity.

Additional Threats/Attacks
- Repudiation of origin – a false denial that an entity sent or created something (“I didn’t send that order to buy Enron stock the day before it crashed”). Attack on integrity.
- Denial of receipt – a false denial that an entity received some information or message (“I didn’t receive the diamond shipment”). Attack on integrity and availability.
- Denial of Service – long-term inhibition of information or service. Attack on availability.

Security Policy and Mechanisms
- A security policy is a statement of what is and is not allowed.
- A security mechanism is a method, tool, or procedure for enforcing security policy.
- These should clearly be separate things.

Policy and Mechanism Example
- Policy – only the systems administrator is allowed to access the password file, and then only in encrypted form.
- Mechanism – the password file is not stored in clear text, but only in encrypted form with algorithm XYZ. The O.S. checks the access authorization of any process attempting to read the password file immediately before the access; whenever access is denied, that attempt is recorded in a log of suspicious activity.
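The policy/mechanism split above, written out as an added example that is not part of the lecture notes: the policy is plain data, the mechanism checks it immediately before every read of the password file, and each denied attempt goes into a log of suspicious activity. The notes name the storage algorithm only as “XYZ”; salted PBKDF2-HMAC-SHA256 from Python’s hashlib is substituted here, and the user names and the in-memory “file” are constructed for the demo.

```python
import hashlib
import hmac
import os

# Policy: a statement of WHAT is allowed, kept separate from the mechanism.
# Here: only the system administrator may read the password file.
POLICY = {"password_file": {"admin"}}

# Log of suspicious activity: every denied access attempt is recorded here.
SUSPICIOUS_LOG = []

def hash_password(password, salt=None):
    """Return 'salt$digest' so the file never holds the clear-text password.
    The notes call the algorithm 'XYZ'; PBKDF2-HMAC-SHA256 is assumed instead."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(stored, attempt):
    """Recompute the digest with the stored salt; compare in constant time."""
    salt_hex, _ = stored.split("$")
    recomputed = hash_password(attempt, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)

class PasswordFile:
    """Mechanism: enforces POLICY on every read and records denials."""
    def __init__(self):
        self._records = {}          # constructed in-memory stand-in for the file
    def set_password(self, user, password):
        self._records[user] = hash_password(password)
    def read(self, principal):
        # The authorization check happens immediately before the access.
        if principal not in POLICY["password_file"]:
            SUSPICIOUS_LOG.append(f"DENIED: {principal} tried to read the password file")
            raise PermissionError(f"{principal} may not read the password file")
        return dict(self._records)  # only the hashed form ever leaves the file

def demo():
    """Constructed run: a non-admin read is denied and logged, the admin read succeeds."""
    pwfile = PasswordFile()
    pwfile.set_password("alice", "correct horse")
    denied = False
    try:
        pwfile.read("alice")        # policy violation: alice is not the administrator
    except PermissionError:
        denied = True
    records = pwfile.read("admin")  # allowed by the policy
    ok = verify_password(records["alice"], "correct horse")
    bad = verify_password(records["alice"], "wrong password")
    leaked = "correct horse" in records["alice"]
    return denied, len(SUSPICIOUS_LOG), ok, bad, leaked
```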

Prevention Mechanisms
- Adequate prevention means that an attack will fail. Prevention usually involves mechanisms that the user cannot override.
- Prevention mechanisms are often cumbersome and do not always work perfectly, or fail because they are circumvented.
- Passwords are a prevention mechanism to prevent unauthorized access. They fail when the password becomes known to a person other than the owner.

Detection Mechanisms
- Detection is used when an attack cannot be prevented; it also indicates the effectiveness of prevention measures.
- The goal is to determine that an attack is underway or has occurred and report it.
- Audit logs are detection mechanisms. When you log into the design center’s Unix servers, it gives you the IP address of the last successful login.

Example: Private Property
- Prevention: locks on doors, window bars, walls around the property
- Detection: stolen items are missing, burglar alarms, closed-circuit TV
- Recovery: call the police, replace stolen items, make an insurance claim …

Example: E-Commerce
- Prevention: encrypt your orders, rely on the merchant to perform checks on the caller, don’t use the Internet (?) …
- Detection: an unauthorized transaction appears on your credit card statement
- Recovery: complain, ask for a new card number, etc.
- Footnote: Your credit card number has not been stolen. Your card can be stolen, but not the number. Confidentiality is violated.