An Introduction to Information Assurance
COEN 150 Spring 2007
Reading Assignment
Read section 3 of the FAQ: http://www.w3.org/Security/Faq/
CERT is a coordination center for Internet security operated by Carnegie Mellon. Read the CERT article on security: http://www.cert.org/encyc_article/tocencyc.html
This course is part of the SCU Information Assurance curriculum, which was recently certified by the Committee on National Systems Security of the National Security Agency as meeting the standards of the National INFOSEC Education and Training Program.
http://www.nsa.gov/ia/academia/iace.cfm
4011 Certificate Requirements
BSCE: AMTH 387, COEN 250; 12 units from COEN 150, 178, 252, 253, 350, 351; and approved senior design project.
MSCE: AMTH 387, COEN 250, 252, 253, 351 and either COEN 350, 254, or 352.
Terminology Overview
Attacks, Services and Mechanisms
Security Services
Threats, Attacks and Vulnerabilities
Security Policies and Mechanisms for Defense
Readings, standards, etc.
Definitions
Security Attack: Any action that compromises the security of information.
Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
Security Services (Goals)
Confidentiality – concealment of information or resources. Includes whether or not data exists. Implies “authorization” so that only authorized people can access confidential data.
Security Services (cont)
Integrity – the trustworthiness and the correctness of data or resources. Usually in terms of preventing improper or unauthorized change.
Can have several types of integrity: data integrity and origin integrity (was the email spoofed?).
Two types of integrity services: prevention and detection.
Security Services (cont)
Availability – the ability of authorized entities to use the information or resource. Denial of service attacks inhibit this service.
CIA: Confidentiality, Integrity, Availability
Vulnerabilities, Threats and Attacks
A vulnerability is a weakness in the system that might be exploited to cause loss or harm (and a violation of security services).
A threat is a potential violation of security. Security services counter threats.
An attack is the actual attempt to violate security. It is the manifestation of the threat.
Classifying Communication Attacks
Types of Attacks
Interruption: This is an attack on availability
Interception: This is an attack on confidentiality
Modification: This is an attack on integrity
Fabrication: This is an attack on integrity
Additional Threats/Attacks
Repudiation of origin – a false denial that an entity sent or created something (I didn’t send that order to buy Enron stock the day before it crashed). Attack on integrity.
Denial of receipt – a false denial that an entity received some information or message. (I didn’t receive the diamond shipment). Attack on integrity and availability.
Denial of Service – long term inhibition of information or service. Attack on availability.
Passive and Active Threats
Security Policy and Mechanisms
A security policy is a statement of what is and is not allowed.
A security mechanism is a method, tool, or procedure for enforcing security policy.
These should clearly be separate things.
Policy and Mechanism Example
Policy – only the systems administrator is allowed to access the password file and then only in encrypted form
Mechanism – the password file is not stored in clear text, but only in encrypted form with algorithm XYZ. The O.S. checks the access authorization of any process attempting to read the password file immediately before the access; whenever access is denied, that attempt is recorded in a log of suspicious activity.
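The policy and mechanism above, sketched as an added example that is not part of the original slides: the policy is a small data structure, and the mechanism stores only derived keys, checks authorization on every read, and logs each denial. PBKDF2 stands in for the slide's unnamed "algorithm XYZ"; the subject names, the POLICY layout and SUSPICIOUS_LOG are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Policy: a statement of what is allowed, kept as data apart from enforcement.
POLICY = {"passwd": {"readers": {"sysadmin"}}}  # hypothetical subject names
SUSPICIOUS_LOG = []  # stand-in for the slide's log of suspicious activity

def protect(password, salt):
    """Assumed stand-in for 'algorithm XYZ': salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordFile:
    """Mechanism: stores only protected entries and checks every read."""
    def __init__(self):
        self._entries = {}  # user -> (salt, derived key); never clear text

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._entries[user] = (salt, protect(password, salt))

    def read(self, subject):
        # Checked immediately before each access, so policy changes apply at once.
        if subject not in POLICY["passwd"]["readers"]:
            stamp = datetime.now(timezone.utc).isoformat()
            SUSPICIOUS_LOG.append((stamp, subject, "read passwd: denied"))
            raise PermissionError(f"{subject} may not read the password file")
        return dict(self._entries)

    def verify(self, user, candidate):
        # Login checks compare derived keys; no caller needs the file itself.
        if user not in self._entries:
            return False
        salt, stored = self._entries[user]
        return hmac.compare_digest(stored, protect(candidate, salt))

def demo():
    pf = PasswordFile()
    pf.set_password("alice", "correct horse")  # constructed sample data
    allowed = pf.read("sysadmin")              # permitted by policy
    try:
        pf.read("mallory")                     # denied and logged
    except PermissionError:
        pass
    return allowed, list(SUSPICIOUS_LOG)

if __name__ == "__main__":
    print(demo()[1])
```

Changing POLICY changes who may read without touching PasswordFile, which is the separation of policy and mechanism the slides call for.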
Security Mechanisms
Prevention, Detection, Recovery
Prevention:
  Encryption
  Software Controls (DB access limitations, operating system process protection)
  Enforce policies (frequent password change)
  Physical Controls
Detection:
  Intrusion detection systems (IDS)
Prevention Mechanisms
Adequate prevention means that an attack will fail. Prevention usually involves mechanisms that the user cannot override.
Prevention mechanisms are often cumbersome, do not always work perfectly, and can fail because they are circumvented.
Passwords are a prevention mechanism to prevent unauthorized access. They fail when the password becomes known to a person other than the owner.
Detection Mechanisms
Detection is used when an attack cannot be prevented; it also indicates the effectiveness of prevention measures.
The goal is to determine that an attack is underway or has occurred and report it.
Audit logs are detection mechanisms. When you log into the design center’s Unix servers, the system shows you the IP address of the last successful login.
Recovery
Recovery has several aspects. The first is to stop an attack and repair the damage.
Another is to trace the evidence back to the attacker and discover the identity of the attacker (this could result in legal retaliation).
Yet another aspect is to determine the vulnerability that was exploited and fix it or devise a way of preventing a future attack.
Example: Private Property
Prevention: locks at doors, window bars, walls round the property
Detection: stolen items are missing, burglar alarms, closed circuit TV
Recovery: call the police, replace stolen items, make an insurance claim …
Example: E-Commerce
Prevention: encrypt your orders, rely on the merchant to perform checks on the caller, don’t use the Internet (?) …
Detection: an unauthorized transaction appears on your credit card statement
Recovery: complain, ask for a new card number, etc.
Footnote: Your credit card number has not been stolen. Your card can be stolen, but not the number. Confidentiality is violated.
Problems with Security Mechanisms
Laws and Customs - is it legal? Might not be legal to retaliate against an attacker.
Is it acceptable practice? How many hoops do we have to jump through to authenticate?
Is it convenient? Users with security needs are often not aware of vulnerabilities and will not put up with excessive cost and inconvenience.
Other Terminology
CompuSec: computer security (protect computers and the information in them)
ComSec: communication security (protect information as it is transmitted)
OpSec: operations security (security policies and procedures)
Non-required but Worth a Glance
Common Vulnerabilities and Exposures http://www.cve.mitre.org/
SANS top 20 vulnerabilities http://www.sans.org/top20/
NIST Computer Security Resource Center http://csrc.nist.gov/
What the Government is Doing
National Strategy to Secure Cyberspace http://www.whitehouse.gov/pcipb/
What you can do
Scholarships for IA study designated CAE
http://www.c3i.osd.mil/iasp/studentsMain.htm
http://cisr.nps.navy.mil/scholarships.html
IA at SCU
AMTH 387 Cryptology
COEN 250 Info Security Management
COEN 252 Computer Forensics
COEN 253 Secure Systems Development
COEN 350 Secure Distributed Systems
COEN 351 Internet and E-Commerce Security