Fundamentals of
Information Assurance
and Security
The History of Information Security
The history of information security begins with the
concept of computer security. The need for computer
security arose during World War II when the first
mainframe computers were developed and used to
aid computations for breaking communication codes
in messages from enemy cryptographic devices like
the Enigma.
Multiple levels of security were implemented to
protect these devices and the missions they served.
This required new processes as well as tried-and-true
methods needed to maintain data confidentiality.
The 1960s
During the Cold War, many more mainframe computers
were brought online to accomplish more complex and
sophisticated tasks. These mainframes required a less
cumbersome process of communication than mailing
magnetic tapes between computer centers. In response
to this need, the Department of Defense’s Advanced
Research Projects Agency (ARPA) began examining the
feasibility of a redundant, networked communications
system to support the military’s exchange of
information.
The 1970s and 80s
During the next decade, ARPANET became more popular and
saw wider use, increasing the potential for its misuse. In
1973, Internet pioneer Robert M. Metcalfe (pictured in Figure
1-3) identified fundamental problems with ARPANET security.
As one of the creators of Ethernet, a dominant local area
networking protocol, he knew that individual remote sites did
not have sufficient controls and safeguards to protect data
from unauthorized remote users.
Date Documents
1968 - Maurice Wilkes discusses password security in Time-Sharing Computer
Systems.
1973 - Schell, Downey, and Popek examine the need for additional security in military
systems in “Preliminary Notes on the Design of Secure Military Computer Systems.”5
1975 - The Federal Information Processing Standards (FIPS) examines Digital
Encryption Standard (DES) in the Federal Register.
1978 - Bisbey and Hollingworth publish their study “Protection Analysis: Final Report,”
discussing the Protection Analysis project created by ARPA to better understand the
vulnerabilities of operating system security and examine the possibility of automated
vulnerability detection techniques in existing system software.6
1979 - Morris and Thompson author “Password Security: A Case History,” published in
the Communications of the Association for Computing Machinery (ACM). The paper
examines the history of a design for a password security scheme on a remotely
accessed, time-sharing system.
1979 - Dennis Ritchie publishes “On the Security of UNIX” and “Protection of Data File Contents,”
discussing secure user IDs and secure group IDs, and the problems inherent in the systems.
1984 - Grampp and Morris write “UNIX Operating System Security.” In this report, the authors
examine four “important handles to computer security”: physical control of premises and
computer facilities, management commitment to security objectives, education of employees,
and administrative procedures aimed at increased security.7
1984 - Reeds and Weinberger publish “File Security and the UNIX System Crypt Command.” Their
premise was: “No technique can be secure against wiretapping or its equivalent on the computer.
Therefore no technique can be secure against the systems administrator or other privileged users
… the naive user has no chance.”8
1992 - Researchers for the Internet Engineering Task Force, working at the Naval Research
Laboratory, develop the Simple Internet Protocol Plus (SIPP) Security protocols, creating what is
now known as IPSEC security.
RAND Report R-609 was the first widely recognized published
document to identify the role of management and policy issues in
computer security. It noted that the wide use of networking
components in military information systems introduced security
risks that could not be mitigated by the routine practices then
used to secure these systems.
This paper signaled a pivotal moment in computer security
history—the scope of computer security expanded significantly
from the safety of physical locations and hardware to include:
Securing the data
Limiting random and unauthorized access to that data
Involving personnel from multiple levels of the organization in
information security
MULTICS
Much of the early research on computer
security centered on a system called Multiplexed
Information and Computing Service (MULTICS). Although
it is now obsolete, MULTICS is noteworthy because it was
the first operating system to integrate security into its
core functions. It was a mainframe, time-sharing
operating system developed in the mid-1960s by a
consortium of General Electric (GE), Bell Labs, and the
Massachusetts Institute of Technology (MIT).
After the restructuring of the MULTICS project,
several of its developers (Ken Thompson, Dennis
Ritchie, Rudd Canaday, and Doug McIlroy)
created a new operating system called UNIX.
While the MULTICS system implemented multiple
security levels and passwords, the UNIX system
did not. Its primary function, text processing, did
not require the same level of security as that of
its predecessor.
The 1990s
At the close of the twentieth century, networks of computers became
more common, as did the need to connect these networks to each
other. This gave rise to the Internet, the first global network of
networks. The Internet was made available to the general public in the
1990s, having previously been the domain of government, academia,
and dedicated industry professionals.
The Internet brought connectivity to virtually all computers that could
reach a phone line or an Internet-connected local area network (LAN).
After the Internet was commercialized, the technology became
pervasive, reaching almost every corner of the globe with an
expanding array of uses.
2000 to Present
Today, the Internet brings millions of unsecured computer networks
into continuous communication with each other. The security of each
computer’s stored information is now contingent on the level of
security of every other computer to which it is connected. Recent years
have seen a growing awareness of the need to improve information
security, as well as a realization that information security is important
to national defense.
The growing threat of cyber attacks has made governments and
companies more aware of the need to defend the computer-controlled
control systems of utilities and other critical infrastructure. There is
also growing concern about nation-states engaging in information
warfare, and the possibility that business and personal information
systems could become casualties if they are undefended.
What Is Security?
Security is protection. Protection from adversaries—those who
would do harm, intentionally or otherwise—is the ultimate
objective of security. National security, for example, is a
multilayered system that protects the sovereignty of a state, its
assets, its resources, and its people. Achieving the appropriate
level of security for an organization also requires a multifaceted
system. A successful organization should have multiple layers of
security in place to protect its operations, physical infrastructure,
people, functions, communications, and information.
Key Information Security Concepts
Access: A subject or object’s ability to use, manipulate, modify,
or affect another subject or object. Authorized users have legal
access to a system, whereas hackers have illegal access to a
system. Access controls regulate this ability.
Asset: The organizational resource that is being protected. An
asset can be logical, such as a Web site, information, or data; or
an asset can be physical, such as a person, computer system, or
other tangible object. Assets, and particularly information assets,
are the focus of security efforts; they are what those efforts are
attempting to protect.
Attack: An intentional or unintentional act that can cause damage to or
otherwise compromise information and/or the systems that support it.
Attacks can be active or passive, intentional or unintentional, and direct or
indirect. Someone casually reading sensitive information not intended for
his or her use is a passive attack.
A hacker attempting to break into an information system is an intentional
attack.
A lightning strike that causes a fire in a building is an unintentional attack.
A direct attack is a hacker using a personal computer to break into a
system.
An indirect attack is a hacker compromising a system and using it to
attack other systems.
Control, safeguard, or countermeasure: Security mechanisms,
policies, or procedures that can successfully counter attacks, reduce risk,
resolve vulnerabilities, and otherwise improve the security within an
organization. The various levels and types of controls are discussed more
fully in the following chapters.
Exploit: A technique used to compromise a system. This term can be a
verb or a noun. Threat agents may attempt to exploit a system or other
information asset by using it illegally for their personal gain. Or, an
exploit can be a documented process to take advantage of a vulnerability
or exposure, usually in software, that is either inherent in the software or
is created by the attacker. Exploits make use of existing software tools or
custom-made software components.
Exposure: A condition or state of being exposed. In information security,
exposure exists when a vulnerability known to an attacker is present.
Loss: A single instance of an information asset suffering damage or
unintended or unauthorized modification or disclosure. When an
organization’s information is stolen, it has suffered a loss.
Protection profile or security posture: The entire set of controls and
safeguards, including policy, education, training and awareness, and
technology, that the organization implements (or fails to implement) to
protect the asset. The terms are sometimes used interchangeably with
the term security program, although the security program often
comprises managerial aspects of security, including planning, personnel,
and subordinate programs.
Risk: The probability that something unwanted will happen. Organizations
must minimize risk to match their risk appetite—the quantity and nature of
risk the organization is willing to accept.
Subjects and objects: A computer can be either the subject of an attack—
an agent entity used to conduct the attack—or the object of an attack—the
target entity. A computer can be both the subject and object of an attack,
when, for example, it is compromised by an attack (object), and is then used
to attack other systems (subject).
Threat: A category of objects, persons, or other entities that presents a
danger to an asset. Threats are always present and can be purposeful or
undirected. For example, hackers purposefully threaten unprotected
information systems, while severe storms incidentally threaten buildings and
their contents.
Threat agent: The specific instance or a component of a threat. For
example, all hackers in the world present a collective threat, while
Kevin Mitnick, who was convicted for hacking into phone systems, is a
specific threat agent. Likewise, a lightning strike, hailstorm, or tornado
is a threat agent that is part of the threat of severe storms.
Vulnerability: A weakness or fault in a system or protection
mechanism that opens it to attack or damage. Some examples of
vulnerabilities are a flaw in a software package, an unprotected
system port, and an unlocked door. Some well-known
vulnerabilities have been examined, documented, and published;
others remain latent (or undiscovered).
Critical Characteristics of
Information
The value of information comes from the characteristics
it possesses. When a characteristic of information
changes, the value of that information either increases,
or, more commonly, decreases. Some characteristics
affect information’s value to users more than others do.
Availability - Availability enables authorized users—persons or
computer systems—to access information without interference or
obstruction and to receive it in the required format. Consider, for
example, research libraries that require identification before entrance.
Librarians protect the contents of the library so that they are available
only to authorized patrons. The librarian must accept a patron’s
identification before that patron has free access to the book stacks.
Once authorized patrons have access to the contents of the stacks,
they expect to find the information they need available in a useable
format and familiar language, which in this case typically means
bound in a book and written in English.
Accuracy - Information has accuracy when it is free from mistakes or
errors and it has the value that the end user expects. If information
has been intentionally or unintentionally modified, it is no longer
accurate. Consider, for example, a checking account. You assume that
the information contained in your checking account is an accurate
representation of your finances. Incorrect information in your checking
account can result from external or internal errors. If a bank teller, for
instance, mistakenly adds or subtracts too much from your account,
the value of the information is changed. Or, you may accidentally
enter an incorrect amount into your account register. Either way, an
inaccurate bank balance could cause you to make mistakes, such as
bouncing a check.
Authenticity - Authenticity of information is the quality or state of being
genuine or original, rather than a reproduction or fabrication. Information is
authentic when it is in the same state in which it was created, placed, stored, or
transferred. Consider for a moment some common assumptions about e-mail.
When you receive e-mail, you assume that a specific individual or group created
and transmitted the e-mail—you assume you know the origin of the e-mail. This
is not always the case. E-mail spoofing, the act of sending an e-mail message
with a modified field, is a problem for many people today, because often the
modified field is the address of the originator. Spoofing the sender’s address can
fool e-mail recipients into thinking that messages are legitimate traffic, thus
inducing them to open e-mail they otherwise might not have. Spoofing can also
alter data being transmitted across a network, as in the case of user data
protocol (UDP) packet spoofing, which can enable the attacker to get access to
data stored on computing systems.
Another variation on spoofing is phishing, when an attacker
attempts to obtain personal or financial information using
fraudulent means, most often by posing as another individual or
organization. Pretending to be someone you are not is
sometimes called pretexting when it is undertaken by law
enforcement agents or private investigators. When used in a
phishing attack, e-mail spoofing lures victims to a Web server
that does not represent the organization it purports to, in an
attempt to steal their private data such as account numbers and
passwords.
Confidentiality - Information has confidentiality when it is protected
from disclosure or exposure to unauthorized individuals or systems.
Confidentiality ensures that only those with the rights and privileges
to access information are able to do so. When unauthorized individuals
or systems can view information, confidentiality is breached. To protect
the confidentiality of information, you can use a number of measures:
Information classification
Secure document storage
Application of general security policies
Education of information custodians and end users
Integrity - Information has integrity when it is whole,
complete, and uncorrupted. The integrity of information
is threatened when the information is exposed to
corruption, damage, destruction, or other disruption of
its authentic state. Corruption can occur while
information is being stored or transmitted.
Many computer viruses and worms are designed with the explicit
purpose of corrupting data. For this reason, a key method for detecting
a virus or worm is to look for changes in file integrity as shown by the
size of the file.
Another key method of assuring information integrity is file hashing,
in which a file is read by a special algorithm that uses the value of the
bits in the file to compute a single large number called a hash value.
The hash value for any combination of bits is unique.
File corruption is not necessarily the result of external forces, such as
hackers. Noise in the transmission media, for instance, can also cause
data to lose its integrity. Transmitting data on a circuit with a low
voltage level can alter and corrupt the data.
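The two integrity checks described above, file size and file hashing, compared side by side. This is an added example, not part of the original slides; the file names and contents are constructed, and SHA-256 is an assumed choice of hash algorithm.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for a file, reading it in chunks."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def audit(baseline, current_paths):
    """Compare files on disk with a {path: (size, hash)} baseline."""
    findings = {}
    for path in sorted(set(baseline) | set(current_paths)):
        name = os.path.basename(path)
        if path not in baseline:
            findings[name] = "new file"
        elif not os.path.exists(path):
            findings[name] = "missing"
        else:
            size, sha = fingerprint(path)
            old_size, old_sha = baseline[path]
            if size != old_size:
                findings[name] = "size changed"
            elif sha != old_sha:
                # A size-only check would report this file as clean.
                findings[name] = "hash changed, size identical"
            else:
                findings[name] = "unchanged"
    return findings


def demo():
    """Run the audit on constructed sample files in a temporary directory."""
    samples = {"ledger.txt": b"balance=1000\n",
               "notes.txt": b"meeting at noon\n",
               "readme.txt": b"do not edit\n"}
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in samples]
        for p in paths:
            with open(p, "wb") as fh:
                fh.write(samples[os.path.basename(p)])
        baseline = {p: fingerprint(p) for p in paths}  # known-good state
        with open(paths[0], "wb") as fh:   # same-length tampering
            fh.write(b"balance=9000\n")
        with open(paths[1], "ab") as fh:   # appended data changes the size
            fh.write(b"extra line\n")
        extra = os.path.join(d, "extra.txt")
        with open(extra, "wb") as fh:      # file that was never baselined
            fh.write(b"unexpected\n")
        return audit(baseline, paths + [extra])


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding}")
```

The ledger file is altered without changing its length, so only the hash comparison flags it.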
Utility - The utility of information is the quality or state
of having value for some purpose or end. Information
has value when it can serve a purpose. If information is
available, but is not in a format meaningful to the end
user, it is not useful. For example, to a private citizen
U.S. Census data can quickly become overwhelming
and difficult to interpret; however, for a politician, U.S.
Census data reveals information about the residents in
a district, such as their race, gender, and age. This
information can help form a politician’s next campaign
strategy.
Possession - The possession of information is the quality or state of ownership or
control. Information is said to be in one’s possession if one obtains it, independent
of format or other characteristics. While a breach of confidentiality always results
in a breach of possession, a breach of possession does not always result in a
breach of confidentiality. For example, assume a company stores its critical
customer data using an encrypted file system. An employee who has quit decides
to take a copy of the tape backups to sell the customer records to the competition.
The removal of the tapes from their secure environment is a breach of possession.
But, because the data is encrypted, neither the employee nor anyone else can
read it without the proper decryption methods; therefore, there is no breach of
confidentiality. Today, people caught selling company secrets face increasingly stiff
fines with the likelihood of jail time. Also, companies are growing more and more
reluctant to hire individuals who have demonstrated dishonesty in their past.
CNSS Security Model
The definition of information security presented in this text is
based in part on the CNSS document called the National Training
Standard for Information Systems Security Professionals NSTISSI
No. 4011.
This document presents a comprehensive information security
model and has become a widely accepted evaluation standard
for the security of information systems. The model, created by
John McCumber in 1991, provides a graphical representation of
the architectural approach widely used in computer and
information security; it is now known as the McCumber Cube.
McCumber Cube
If extrapolated, the three
dimensions of each axis
become a 3 × 3 × 3 cube with
27 cells representing
areas that must be
addressed to secure
today’s information
systems. To ensure
system security, each of
the 27 areas must be
properly addressed during
the security process.