usna. . si110. LT Brian Kiehl. MIch. 373 | 410.293.0938. kiehl@usna.edu. What are we protecting?. Network?. If so, disconnect it from the Internet. Computers?. …then, turn it off and store in a waterproof/ fireproof safe. ID: 478515
DownloadNote - The PPT/PDF document "Information assurance" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Presentations text content in Information assurance
Slide1
Information assuranceusna si110
LT Brian Kiehl
MIch
373 | 410.293.0938
kiehl@usna.edu
Slide2
What are we protecting?
Network?If so, disconnect it from the InternetComputers?…then, turn it off and store in a waterproof/ fireproof safeData?Disconnect the hard drive and store in a waterproof/fireproof safe Then what?
Information Assurance
Slide3
Data vs. Information
Data: raw facts with no contextOften stored in a databaseJust numbers and text stored on diskExample:Is 70301?The date 7/03/01$70,301The zip code for Thibodaux, LAData is only useful when put into contextData with context is information
Information Assurance
Slide4
Information Systems
Systems that store, process, and transmit dataData can beSummarizedOrganizedAnalyzedProcessing of data adds contextThe resulting information has value to the organizationThe goal: protect the informationProtect key attributes of the information
Information Assurance
Slide5
Information Assurance
Information Assurance is defined as the set of measures intended to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
Information Assurance
Slide6
Pillars of InformationAssurance (IA)
C – ConfidentialityI – IntegrityA – AvailabilityN – Non-repudiationA – AuthenticationFundamental properties of informationthat must be maintained!
Information Assurance
This is CIANA. She will help you remember the pillars of IA.
Slide7
Information Assurance
Risk managementAssess the risk(s) against an information system’sConfidentialityIntegrityAvailabilityNon-repudiationAuthenticationMitigate risk to maintain the above attributesRisks can includeMalicious threatsHuman errorAccidentsNatural disasters
Information Assurance
Slide8
Confidentiality
Assurance that information is not disclosed to unauthorizedIndividualsProcessesDevices
Information Assurance
A
B
Nice! I can use this info.
Slide9
Integrity
Information is not subject to unauthorized modification or destructionMust ensure information isCorrectCompleteConsistent
Information Assurance
A
B
I’ll go ahead change that target coordinate for
ya
!
Slide10
Availability
Authorized users have timely, reliable access to the information
Information Assurance
A
B
Let me redirect you! I do not want B to have this info.
?
Slide11
Non-repudiation
Assurance thatRecipient of information is provided proof of the sender’s identitySender is provided proof the information was deliveredNeither can deny having processed the information
Information Assurance
A
B
That packet was from A, had his credentials right?
Slide12
Authentication
Measures to ensure/verifyValidity of a transmission or messageThe identity of the originator or recipient of informationIncludes an individual’s authorization to originate or receive information
Information Assurance
A
B
Don’t worry A,
That packet made it there safe and sound.
Slide13
Categorizing an Attack
Attackers often target one (or more) IA pillarsUnderstanding an attack requires understanding which pillar(s) is violatedScenariosXSS injection to always redirect a pageAvailabilityTrick user into posting “My SI110 instructor is a doofus” on the message board by clicking a bad URLNon-repudiationUsing Wireshark to view HTTP traffic transiting a networkConfidentialityUsing XSS to steal a user’s login credentialsAuthenticationError in program causes all values of “5” to be changed to “6”Integrity
Information Assurance
Slide14
Security vs. Usability
Fundamental tension between security and usabilityComputer is a fireproof/waterproof safe is very secureNot very usableThe more services available → more opportunities for an attackerRisk management approachMust weigh the value of a service against the security implications of allowing it
Information Assurance
Slide15
Risk
Risk = Likelihood x ImpactRisk requiresVulnerabilityThreatCapability
Information Assurance
Impact
Likelihood
Slide16
Vulnerability vs. Threat
VulnerabilityWeakness or defect in a system that could be exploitedThreatAn actor who wants to exploit a vulnerability in a systemActor has the ability (is capable) to exploit a vulnerability
Download this presentation
DownloadNote - The PPT/PDF document "Information assurance" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Presentations text content in Information assurance
Information assuranceusna si110
LT Brian Kiehl
MIch
373 | 410.293.0938
kiehl@usna.edu
Slide2What are we protecting?
Network?If so, disconnect it from the InternetComputers?…then, turn it off and store in a waterproof/ fireproof safeData?Disconnect the hard drive and store in a waterproof/fireproof safe Then what?
Information Assurance
Slide3Data vs. Information
Data: raw facts with no contextOften stored in a databaseJust numbers and text stored on diskExample:Is 70301?The date 7/03/01$70,301The zip code for Thibodaux, LAData is only useful when put into contextData with context is information
Information Assurance
Slide4Information Systems
Systems that store, process, and transmit dataData can beSummarizedOrganizedAnalyzedProcessing of data adds contextThe resulting information has value to the organizationThe goal: protect the informationProtect key attributes of the information
Information Assurance
Slide5Information Assurance
Information Assurance is defined as the set of measures intended to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
Information Assurance
Slide6Pillars of InformationAssurance (IA)
C – ConfidentialityI – IntegrityA – AvailabilityN – Non-repudiationA – AuthenticationFundamental properties of informationthat must be maintained!
Information Assurance
This is CIANA. She will help you remember the pillars of IA.
Slide7Information Assurance
Risk managementAssess the risk(s) against an information system’sConfidentialityIntegrityAvailabilityNon-repudiationAuthenticationMitigate risk to maintain the above attributesRisks can includeMalicious threatsHuman errorAccidentsNatural disasters
Information Assurance
Slide8Confidentiality
Assurance that information is not disclosed to unauthorizedIndividualsProcessesDevices
Information Assurance
A
B
Nice! I can use this info.
Slide9Integrity
Information is not subject to unauthorized modification or destructionMust ensure information isCorrectCompleteConsistent
Information Assurance
A
B
I’ll go ahead change that target coordinate for
ya
!
Slide10Availability
Authorized users have timely, reliable access to the information
Information Assurance
A
B
Let me redirect you! I do not want B to have this info.
?
Slide11Non-repudiation
Assurance thatRecipient of information is provided proof of the sender’s identitySender is provided proof the information was deliveredNeither can deny having processed the information
Information Assurance
A
B
That packet was from A, had his credentials right?
Slide12Authentication
Measures to ensure/verifyValidity of a transmission or messageThe identity of the originator or recipient of informationIncludes an individual’s authorization to originate or receive information
Information Assurance
A
B
Don’t worry A,
That packet made it there safe and sound.
Slide13Categorizing an Attack
Attackers often target one (or more) IA pillarsUnderstanding an attack requires understanding which pillar(s) is violatedScenariosXSS injection to always redirect a pageAvailabilityTrick user into posting “My SI110 instructor is a doofus” on the message board by clicking a bad URLNon-repudiationUsing Wireshark to view HTTP traffic transiting a networkConfidentialityUsing XSS to steal a user’s login credentialsAuthenticationError in program causes all values of “5” to be changed to “6”Integrity
Information Assurance
Slide14Security vs. Usability
Fundamental tension between security and usabilityComputer is a fireproof/waterproof safe is very secureNot very usableThe more services available → more opportunities for an attackerRisk management approachMust weigh the value of a service against the security implications of allowing it
Information Assurance
Slide15Risk
Risk = Likelihood x ImpactRisk requiresVulnerabilityThreatCapability
Information Assurance
Impact
Likelihood
Slide16Vulnerability vs. Threat
VulnerabilityWeakness or defect in a system that could be exploitedThreatAn actor who wants to exploit a vulnerability in a systemActor has the ability (is capable) to exploit a vulnerability
Information Assurance
Slide17Slide18