CHAPTER 4


Information Assurance Concepts


Information assurance is a broad, interdisciplinary field. Executives and senior management should understand what risk the organization is being protected from. Failure to understand the security requirements means you will not be able to apply the best security protection to the user environment. There are fundamental security concepts that you should know. This chapter discusses three popular concepts in information security. The first is the confidentiality, integrity, and availability (CIA) triad; the others are nonrepudiation and identification, authentication, authorization, and accountability (IAAA). Among the three, the CIA triad (information security) was the earliest and remains the most common assurance concept discussed in the industry. When these concepts are combined with the idea that information assurance must begin with the design of a system and account for all assets through dissolution, they form the Maconachy-Schou-Ragsdale (MSR) model.

Defense in Depth


If the 19th-century military strategist Helmuth von Moltke is right, his aphorism “No plan survives contact with the enemy” should give even the best planner pause. Once engaged, attackers have the advantage: they know what they are going to do and what their objective is. To provide an effective defense, each layer must be composed of multiple countermeasures of varying complexity, application, and rigor; this is defense-in-depth. Defense-in-depth provides an adequate information assurance posture, but it tends to be reactive. Defense must always be planned, because in practice it is deployed in response to the escalating sophistication of the attacks already experienced. As former U.S. Defense Secretary Donald H. Rumsfeld stated, “You go to war with the army you have, not the army you might want or wish to have at a later time.” A defensive strategy cannot be expected to respond to unknown and potentially urgent risk situations such as last-minute patches and catch-up planning, but it can reduce the impact of such weaknesses. A proper defense-in-depth strategy may mean the difference between difficult survival and being put out of business.

A correctly planned, dynamic, information assurance strategy becomes an essential emergent property of the system it protects. To provide defense-in-depth, the strategy and the program it defines cannot be static. Rick Dove, an expert on systems and artificial intelligence, proposes that defense-in-depth must provide parity with the agility of intelligent attacking systems. A defense-in-depth strategy must have six characteristics.

      • Self-organizing

      • Adapting to unpredictable situations

      • Evolving in concert with an ever-changing environment

      • Reactively resilient

      • Proactively innovative

      • Harmonious with system purpose

Defense-in-depth is most appropriately defined as part of an organization’s security architecture. Smaller to mid-size organizations may not have the resources to fully develop an information assurance architecture and will therefore often rely on risk assessments to help find weaknesses in their security posture. The security architecture of an organization must develop defenses for every level of an application, system, or workflow using physical, logical, and technical countermeasures to slow the attack of an adversary. To slow the attackers, defenders must present numerous challenges through various dimensions of countermeasures.

Defense-in-depth relies heavily on the application of segmentation. Segmentation ensures that a single compromised element of a system cannot compromise the system as a whole. Segmentation also ensures the most efficient use of controls throughout the organization. Information and services require varying degrees of defensive protection depending on their value to the organization. Figure 4-1 illustrates the relationship between assets, impacts, and segmentation.


Figure 4-1 Defense-in-depth conceptual model

Confidentiality, Integrity, and Availability

When dealing with information assurance and its subcomponent information security, you should be familiar with three primary security objectives—confidentiality, integrity, and availability—to identify problems and provide proper solutions. This concept is widely known as the CIA triad, as shown in Figure 4-2.


Figure 4-2 CIA triad

Confidentiality

Confidentiality and privacy are related terms but are not synonymous. Confidentiality is the assurance of data secrecy where no one is able to read data except for the intended entity. Confidentiality should prevail no matter what the data state is—whether data resides on a system, is being transmitted, or is in a particular location (for example, a file cabinet, a desk drawer, or a safe). Privacy, on the other hand, involves personal autonomy and control of information about oneself. Both are discussed in this chapter. The word classification merely means categorization in certain industries.

Assign an appropriate sensitivity categorization to information to maintain confidentiality. Different categorizations will address the degree of security controls needed. For example, a range of military classification (categorization in the military) includes unclassified, confidential, secret, and top secret. A military document classified (categorized) as top secret will require control mechanisms to eliminate threats that may expose the location or characteristics of an important asset.

Integrity

People understand integrity in terms of dealing with people. They understand the sentiment “Jill is a woman of integrity” to mean Jill is a person who is truthful, is trustworthy, and can be relied upon to perform as she promises. When considering integrity from an information assurance perspective, organizations use it not only in a personnel sense but also in a systems sense.

In information systems, integrity is a service that assures that the information in a system has not been altered except by authorized individuals and processes. It provides assurance of the accuracy of the data and that it has not been corrupted or modified improperly. Integrity may be achieved by applying a mathematical technique whose result can later be used to verify the information. Examples of integrity controls are watermarks, bar codes, hashing, checksums, and cyclic redundancy checks (CRC). A second form of integrity control manages the processes used to enter and manipulate information. For example, a physician (and the patient) would want assurance of the integrity of medical records. The records should reflect the actual data from the laboratory, and once the data is stored, it should be unchangeable outside defined processes.
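The following Go program is an added example, not code from the book, of the verification step the paragraph describes. It tags a constructed laboratory record with a CRC-32, a SHA-256 digest, and an HMAC whose key is held only by the records process, then shows which of the three still detects an alteration when the person altering the record can also recompute the unkeyed values. The record layout, the key, and the field names are all made up for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash/crc32"
)

// Constructed sample laboratory record as it was stored.
const storedRecord = "patient=12345;test=HbA1c;result=6.1;unit=percent"

// Key known only to the records process (constructed for the example).
var integrityKey = []byte("example-integrity-key-not-for-production")

// IntegrityTag holds the three values computed when the record was stored.
type IntegrityTag struct {
	CRC    uint32 // CRC-32: detects accidental corruption such as bit flips
	SHA256 string // collision-resistant digest of the content
	HMAC   string // keyed digest: cannot be recomputed without the key
}

// Tag computes all three integrity values for a record under the given key.
func Tag(record string, key []byte) IntegrityTag {
	data := []byte(record)
	sum := sha256.Sum256(data)
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return IntegrityTag{
		CRC:    crc32.ChecksumIEEE(data),
		SHA256: hex.EncodeToString(sum[:]),
		HMAC:   hex.EncodeToString(mac.Sum(nil)),
	}
}

// Verify recomputes the tag for the record as it is now and reports, per value,
// whether it still matches what was recorded at storage time.
func Verify(record string, key []byte, expected IntegrityTag) (crcOK, shaOK, macOK bool) {
	now := Tag(record, key)
	macNow, _ := hex.DecodeString(now.HMAC)
	macExp, _ := hex.DecodeString(expected.HMAC)
	return now.CRC == expected.CRC,
		now.SHA256 == expected.SHA256,
		hmac.Equal(macNow, macExp) // constant-time comparison
}

func main() {
	tag := Tag(storedRecord, integrityKey)

	// Case 1: the result field is changed but the stored tag is left alone.
	altered := "patient=12345;test=HbA1c;result=9.1;unit=percent"
	fmt.Println(Verify(altered, integrityKey, tag)) // false false false

	// Case 2: whoever altered the record also recomputed the CRC and SHA-256,
	// but could not recompute the HMAC without the key and kept the old one.
	forged := Tag(altered, []byte("attacker-has-no-key"))
	forged.HMAC = tag.HMAC
	fmt.Println(Verify(altered, integrityKey, forged)) // true true false
}
```

The unkeyed CRC and hash catch accidental corruption, but anyone who can change the record can recompute them, so the reference values must themselves be protected: stored out of reach of whoever writes the data, or bound to a key as the HMAC is. That is the link to the second form of integrity control in the paragraph: the key belongs to the defined process, not to whoever edits the data.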

Availability

Availability is the service that assures data and resources are accessible to authorized subjects or personnel when required. The second component of the availability service is that resources such as systems and networks should provide sufficient capacity to perform in a predictable and acceptable manner. Secure and quick recovery from disruptions is crucial to avoid delays or decreased productivity. Therefore, protection mechanisms must be in place to ensure availability and to protect against internal and external threats.

Availability is also often viewed as a property of an information system or service. Most service level agreements and measures of performance for service providers surround availability above all else. The availability of a system may be one of its most marketable properties.

CIA Balance

The three fundamental security requirements are not equally critical in each application. For example, to one organization, service availability and the integrity of information may be more important than the confidentiality of information. A web site hosting publicly available information is an example. Therefore, you should apply the appropriate combination of CIA in the correct proportions to support your organization’s goals and provide users with a dependable system.

Nonrepudiation and Authentication

As illustrated in the MSR model, the addition of nonrepudiation and authentication completes the concept of information assurance. These concepts relate to providing assurances and trust surrounding the actions of an individual or a system, both proactively and reactively.

Nonrepudiation

The MSR model of information assurance describes additional services associated with nonrepudiation. Digital transactions are prone to fraud in which participants in the transaction could repudiate (deny) a transaction. A digital signature is evidence that the information originated with the asserted sender and prevents subsequent denial of having sent the message.

Digital signatures may provide evidence that the receiver has in fact received the message and that the receiver will not be able to deny this reception. This is commonly known as nonrepudiation. In large organizations such as the U.S. government, efforts are in place to implement digital signatures through smartcards, mobile devices, and even biometrics.

The term nonrepudiation describes the service that ensures entities are honest in their actions. There are variants of nonrepudiation, but the most often used are as follows:

      • Nonrepudiation of source prevents an author from falsely denying ownership of a message they created or sent; if they try, the service can prove otherwise.

      • Nonrepudiation of acceptance prevents the receiver from denying having received a message; if they try, the service can prove otherwise.
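As an added illustration of the two variants above (example code, not from the book), the following Go program uses an Ed25519 public/private key pair from Go’s standard library. The sender signs the message, giving nonrepudiation of source; the receiver signs a digest of exactly what it received, giving nonrepudiation of acceptance. The party names, the message text, and the receipt layout are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party holds a long-term key pair. Only the private key can produce a signature
// that the public key verifies, so a valid signature is evidence its holder signed.
type Party struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh key pair for a named participant.
func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, pub: pub, priv: priv}, nil
}

// Public returns the key the other side uses to check this party's signatures.
func (p *Party) Public() ed25519.PublicKey { return p.pub }

// SignedMessage is what the sender transmits: the content plus a signature over it.
type SignedMessage struct {
	Sender  string
	Content []byte
	Sig     []byte
}

// Send creates nonrepudiation-of-source evidence: the sender signs the content.
func (p *Party) Send(content []byte) SignedMessage {
	return SignedMessage{Sender: p.Name, Content: content, Sig: ed25519.Sign(p.priv, content)}
}

// VerifyOrigin checks the message against the claimed sender's public key.
func VerifyOrigin(m SignedMessage, senderPub ed25519.PublicKey) bool {
	return ed25519.Verify(senderPub, m.Content, m.Sig)
}

// Receipt is nonrepudiation-of-acceptance evidence: the receiver signs a digest
// of exactly what it received (the content and the sender's signature).
type Receipt struct {
	Receiver string
	Digest   [32]byte
	Sig      []byte
}

func receiptDigest(m SignedMessage) [32]byte {
	return sha256.Sum256(append(append([]byte{}, m.Content...), m.Sig...))
}

// Acknowledge is run by the receiver; the sender keeps the result as proof.
func (p *Party) Acknowledge(m SignedMessage) Receipt {
	d := receiptDigest(m)
	return Receipt{Receiver: p.Name, Digest: d, Sig: ed25519.Sign(p.priv, d[:])}
}

// VerifyReceipt lets anyone holding the receiver's public key confirm that the
// receiver accepted this exact message.
func VerifyReceipt(r Receipt, m SignedMessage, receiverPub ed25519.PublicKey) bool {
	d := receiptDigest(m)
	return d == r.Digest && ed25519.Verify(receiverPub, d[:], r.Sig)
}

func main() {
	alice, _ := NewParty("alice")
	bob, _ := NewParty("bob")

	msg := alice.Send([]byte("Transfer 100 to account 42")) // constructed content
	fmt.Println("origin verified:", VerifyOrigin(msg, alice.Public()))

	tampered := msg
	tampered.Content = []byte("Transfer 900 to account 42")
	fmt.Println("tampered message verifies:", VerifyOrigin(tampered, alice.Public()))

	receipt := bob.Acknowledge(msg)
	fmt.Println("receipt verified:", VerifyReceipt(receipt, msg, bob.Public()))
	fmt.Println("receipt matches other message:", VerifyReceipt(receipt, tampered, bob.Public()))
}
```

A signature is evidence only as long as the public key is reliably bound to the party (which is what certificates and a PKI provide) and the private key is protected. A shared-secret MAC cannot serve the same purpose, because either party could have computed it.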

Identification, Authentication, Authorization, and Accountability

Identification, authentication, authorization, and accountability are the essential functions in providing an access management system. This service as described by the MSR model of information assurance is summarized as authentication but reflects the entire IAAA process. The overall architecture of an access management system includes the means of identifying its users, authenticating a user’s identity and credentials, and setting and controlling the access level of a user’s authorization. In addition, it should provide for logging and auditing the trail of a user’s activity in search of privilege violations or attempted violations and accounting for system resource usage.

The current industry practice for implementing IAAA security is identity management. Identity management includes, as its first step, the use of logon IDs and passwords. The system verifies that the password entered by a user matches the password linked with the individual’s logon ID. A policy should state that the password needs to be changed frequently and must have a minimum strength. Strong passwords must not be easy to guess (a mother’s maiden name or place of birth is not acceptable), and they must combine characters, symbols, and numbers to increase security. Bear in mind that the current threat environment renders passwords almost useless unless they are combined with other controls or factors to increase the strength of authentication.

In the United States, the Federal Financial Institutions Examination Council (FFIEC) has ruled that a normal username/password authentication is not sufficient for electronic banking purposes that expose users to risks such as identity theft and transaction fraud. In this case, multiple layers of authentication mitigate those risks. Figure 4-3 depicts the steps to access a system and the act of recording a user’s actions during system access.


Figure 4-3 Steps of IAAA

Identification

Identification is the method by which a user introduces themselves to a system. An organization-wide identification requirement must address identification issues, such as more than one person having the same name. Identifiers must be unique so that a user can be accurately identified across the organization.

Each user should have a unique identifier, even if performing multiple roles within the organization. This simplifies matters for users as well as the management of an information system. It also eases control in that an organization may have a centralized directory or repository for better user management.

A standard interface is crucial to an easy verification process, and so is the availability of the verification process itself; together they ensure that access can be granted only after verification.

Authentication

Authentication validates the identification provided by a user. In other words, it makes sure the entity presenting the identification can further prove to be who it claims to be. To be authenticated, the entity must produce at least a second credential. Three basic factors of authentication are available to all types of identities.

      • What you should know (a shared secret, such as a password, which both the user and the authenticator know)

      • What you should have (a physical identification, such as a smartcard, hardware token, or identification card)

      • What you are (a measurable attribute, such as biometrics, a thumbprint, or facial recognition)

In addition, organizations may consider having an implicit factor such as a “where you are” factor.

      • Physical location, such as within an organization’s office.

      • Logical location, such as on an internal network or private network.

A combination of those factors can be considered to provide different strength levels of authentication. This improves authentication and increases security.

The following are examples of technology used for authentication:

      • Public Key Infrastructure (PKI) is a system that provides authentication with certificates based on a public key cryptography method. Public key cryptography provides two independent keys generated together; one key is made public, and the other is kept private. Information protected by one key (for example, the public key) can be unlocked only with the other key (the private key). If one key is compromised, a new key pair must be generated.

      • Smartcards can store personal information accessible by a personal identification number (PIN). An organization may consider smartcard implementation to provide another identification method via physical identification (physical security) and electronic identification (electronic access).

Authorization

Once a user has been identified and has presented a second credential, the system checks an access control matrix to determine the user’s associated privileges. If the system allows the user access, the user is authorized.

Accountability

The act of being responsible for actions taken within a system is accountability. The only way to ensure accountability is to identify the user of a system and record their actions. Accountability makes nonrepudiation extremely important.
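The four functions above fit together as follows in a small Go program, added here as an illustration and not taken from the book. Identifiers must be unique; authentication takes a policy-checked password (something you know) and a code from a simulated hardware token (something you have); authorization consults an access control matrix; and every attempt, successful or not, is written to an audit trail. The account names, objects, salt, and token secret are constructed, and the salted SHA-256 stands in for a proper password hash only to keep the example inside the standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"unicode"
)

type Account struct {
	ID       string // unique identifier (identification)
	salt     []byte
	pwHash   []byte // salted hash of the password (something you know)
	tokenKey []byte // secret shared with the user's token device (something you have)
}

// AuditEvent is one accountability record; Outcome is "ok" or a failure reason.
type AuditEvent struct{ Subject, Action, Object, Outcome string }

type AccessSystem struct {
	accounts map[string]*Account
	matrix   map[string][]string // "subject|object" -> permissions (the access control matrix)
	Audit    []AuditEvent        // the accountability trail
}

func NewAccessSystem() *AccessSystem {
	return &AccessSystem{accounts: map[string]*Account{}, matrix: map[string][]string{}}
}

// PasswordStrong applies the policy: 12 or more characters mixing letters, digits and symbols.
func PasswordStrong(pw string) bool {
	var letter, digit, symbol bool
	for _, r := range pw {
		l, d := unicode.IsLetter(r), unicode.IsDigit(r)
		letter, digit, symbol = letter || l, digit || d, symbol || !(l || d)
	}
	return len(pw) >= 12 && letter && digit && symbol
}

// hashPassword is a salted SHA-256 used only to stay in the standard library; use bcrypt, scrypt or Argon2 in practice.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

// TokenCode models a hardware token's one-time code: an HMAC over a counter, truncated to six digits.
func TokenCode(key []byte, counter uint64) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	m := hmac.New(sha256.New, key)
	m.Write(buf[:])
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(m.Sum(nil)[:4])%1000000)
}

// Register creates an account; an identifier may exist only once.
func (s *AccessSystem) Register(id, pw string, salt, tokenKey []byte) error {
	if _, exists := s.accounts[id]; exists {
		return errors.New("identifier already in use: " + id)
	}
	if !PasswordStrong(pw) {
		return errors.New("password does not meet the strength policy")
	}
	s.accounts[id] = &Account{ID: id, salt: salt, pwHash: hashPassword(salt, pw), tokenKey: tokenKey}
	return nil
}

func (s *AccessSystem) Grant(id, object string, perms ...string) {
	s.matrix[id+"|"+object] = append(s.matrix[id+"|"+object], perms...)
}

// Authenticate looks the identifier up, then checks both factors in constant time; every attempt is logged.
func (s *AccessSystem) Authenticate(id, pw, code string, counter uint64) bool {
	acct, ok := s.accounts[id]
	if !ok {
		s.Audit = append(s.Audit, AuditEvent{id, "login", "", "fail:unknown-id"})
		return false
	}
	pwOK := hmac.Equal(acct.pwHash, hashPassword(acct.salt, pw))
	codeOK := hmac.Equal([]byte(code), []byte(TokenCode(acct.tokenKey, counter)))
	if !pwOK || !codeOK {
		s.Audit = append(s.Audit, AuditEvent{id, "login", "", "fail:bad-credential"})
		return false
	}
	s.Audit = append(s.Audit, AuditEvent{id, "login", "", "ok"})
	return true
}

// Authorize consults the (subject, object) cell of the access control matrix.
func (s *AccessSystem) Authorize(id, object, want string) bool {
	for _, p := range s.matrix[id+"|"+object] {
		if p == want {
			s.Audit = append(s.Audit, AuditEvent{id, want, object, "ok"})
			return true
		}
	}
	s.Audit = append(s.Audit, AuditEvent{id, want, object, "denied"})
	return false
}
```

Typical use is `s := NewAccessSystem()`, `s.Register(id, password, salt, tokenKey)`, `s.Grant(id, object, "read")`, then `s.Authenticate(...)` followed by `s.Authorize(...)`; `s.Audit` afterwards holds one record per attempt, which is what makes a user accountable for the actions the matrix allowed.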

Privacy’s Relationship to Information Assurance


As mentioned earlier, a security concept that is often confused with confidentiality is privacy. Privacy describes the control people have to regulate the flow of information about themselves selectively. In contrast, confidentiality requires that only an authorized party access information. This makes confidentiality one of the goals in information assurance but with a less personal emphasis. Despite the subtle difference, both concepts are interrelated. For example, identity theft could be a result of lack of privacy or failure in confidentiality.

After several incidents affecting human lives, governments worldwide have taken stronger measures to monitor information about individuals. In some countries, these intelligence and security measures are seen as invading the privacy rights of individuals.

Another issue that gives rise to privacy concern is the proliferation of tools and computing power that can gather personal information with ease. An example is the collection of information such as spending patterns, financial standing, and contact information from web-based applications such as social media. This is often referred to as big data. Big data is a vague term, but definitions describe it in terms of size, complexity, and analytics capability. Gartner describes big data as “high-volume, high-velocity, and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making.” While useful for business and research, big data leads to serious privacy and security considerations. Through aggregation, big data and the associated analytics that it enables can predict and uncover patterns about individuals never seen before. Forbes reporter Kashmir Hill illustrated this in an article about privacy and predictive analytics.

Hill’s article “How Target Figured Out a Teen Girl Was Pregnant Before Her Father Did” explains how Target analyzes and mines data about its customers to try to determine what they may need to buy. Target then markets specific products and services based on the results. In the article, Hill notes Target found a correlation between the purchases of unscented lotion and the third trimester of pregnancy. It also discovered a correlation between pregnancy and the purchase of supplements such as calcium, magnesium, and zinc. Finally, when people buy large quantities of scent-free soap and large bags of cotton balls in addition to hand sanitizers and washcloths, it signals the due date is near. Target was able to use 25 such indicators to not only determine whether a shopper may be pregnant but also predict a due date for the baby!

Countries and economies have laws protecting individual privacy. The European Union, for example, has the Data Protection Act. Organizations that collect personal data must register with the government and take precautions against misuse of that data. In many countries, privacy issues are addressed in criminal law and civil law. In the United States, the Privacy Act of 1974 exists to protect citizens’ personally identifiable information from unlawful collection and processing by the government. You can find more information about privacy laws around the world in Appendix F. Several organizations such as the Electronic Privacy Information Center (http://epic.org/) exist not only to help protect the privacy of individuals but also to help organizations understand their duty to protect private information.

Assets, Threats, Vulnerabilities, Risks, and Controls

Information assets have unique vulnerabilities, and they are continuously exposed to new threats. The combination of vulnerabilities and threats contributes to risk. To mitigate and control risks effectively, organizations should be aware of the shortcomings in their information systems and should be prepared to tackle them in case the shortcomings turn into threats to activities or business.

Understanding these entities and their interactions is crucial to ensuring the controls are cost effective and relevant. This chapter provides an overview of threats and vulnerabilities as well as the controls that are implemented to manage their risks.

Figure 4-4 shows the relationships among assets, threats, vulnerabilities, and controls (countermeasures) to risks.


Figure 4-4 Relationships between assets, threats, vulnerabilities, and controls to risks, according to ISO 15408:2005

An asset is anything valuable to the organization. An information asset, if compromised, may cause losses should it be disclosed, altered, or made unavailable. An information asset can be tangible or intangible, such as hardware, software, data, services, and people. The losses can also be tangible or intangible, such as lost machines or a smeared reputation.

Threats are potential events that may cause the loss of an information asset. A threat may be natural, deliberate, or accidental.

Vulnerabilities are weaknesses that threats exploit. They exist independently of any particular threat, and if exploited, they allow harm in terms of the CIA triad. Examples of vulnerabilities include software bugs, open ports, poorly trained personnel, and outdated policy. You can find a more complete list of vulnerabilities in Appendix C.

A risk expresses the chance that a threat successfully exploits a vulnerability and so affects the organization. Examples of impact are loss of competitive edge, loss of confidential information, systems unavailability, failure to meet a service level agreement, and tarnished reputation.

The probability of a particular risk occurring is known as likelihood. To manage risks, controls are established. Controls are protective measures or mechanisms that reduce risks.

The types and likelihood of threats vary based on the nature of the business, location, and time. The next section discusses the general threats found in a typical IT environment.

Common Threats

Threats originate with humans, technology, and environmental conditions. Examples are human errors when entering information, misconfigured systems, malicious software, and natural disasters such as floods and earthquakes. When these threats exist and the associated vulnerabilities are not controlled, information could be lost, become unavailable, or become corrupt, hence compromising information assurance.

There are formal organizations that identify and list threat types. According to the German BSI (Bundesamt für Sicherheit in der Informationstechnik), threats can be divided into four categories: force majeure, deliberate acts, human failure, and technical failure (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/download/it-grundschutz-kataloge_2005_pdf_en_zip.zip?__blob=publicationFile). You can find a suggested list of threats in Appendix B.

An organization planning to perform a threat identification exercise should refer to lists like these. The relevance of the list depends on factors such as geographical location and time. The following sections discuss some common threats and controls.

Errors and Negligence

People are prone to make errors when using computers, especially after long hours of work. Typographical errors can occur when entering data, and if these errors are not checked, validated, and corrected, they affect the accuracy and integrity of information. Even the most advanced programs may not detect all input errors or negligence. A thorough awareness program for all employees is beneficial in reducing or eliminating employee error and neglect.

Another source of errors is misconfigured systems and failure to patch software in a timely fashion. Although a technical error, a misconfigured system may leave vulnerable services running, and these services are ripe for hackers to exploit.

Unfortunately, security concerns are often neglected during product development in order to meet deadlines. In addition, the design phase sometimes omits consideration of full data validation and verification measures prior to live production. Of course, there are always programming errors, also known as bugs, that become threats to organizations and in some cases cause them damage. A frequently found bug is the buffer overflow, a programming error caused by improper data validation.

Recently, major organizations have incorporated security as a requirement in system design. This has changed what was traditionally known as the software development life cycle (SDLC) into the secure software development life cycle (SSDLC). You can find a further discussion in Chapter 15.

Fraudulent and Theft Activities

Fraud and theft activities are common in the business world. In modern financial systems using IT, fraud involving checks, credit cards, and automatic teller machine (ATM) networks can add up to multimillion-dollar losses. With technical advancement and downloadable materials from the Internet, anyone with basic knowledge of system penetration may successfully trespass into sensitive areas of financial information systems. Such trespass allows the perpetrator to modify the information. The checklist below provides some tips for avoiding fraud and theft.

[Checklist: tips for avoiding fraud and theft (image not reproduced)]

An example is transferring large amounts of money into personal accounts online. Someone internal or external to the organization can carry out this type of crime. Internal parties are more familiar with the targeted system. These internal threats are not limited to technical employees; they can also come from administrative staff or even suspended employees whose access rights have not been revoked appropriately. As long as the IT infrastructure connects to the outside world, external exploits can come from anywhere, including wireless communications.

Loss of Infrastructure

Modern organizations connect through internal and external infrastructures that are not under their direct control. It is crucial to ensure that an organization’s physical and virtual infrastructures are well maintained to avoid loss from these communication channels. These services are interdependent; therefore, malfunctions in one area may affect another. Suggested infrastructure support would include communication channels, power lines, and specific peripherals used to support the mission. Infrastructure interruption may cause significant disruption to the organization’s usual operations. This leads to losses in terms of money, time, and resource use.

Malware

Malware, or malicious software, penetrates systems and damages them. Malware is a piece of code or a software program that is hostile, intrusive, or at least annoying. Examples of malware are Trojan horses, viruses, worms, and logic bombs.

The costs of eradicating malware may amount to thousands of dollars to repair the affected information systems. In addition to the time and other resources involved in dealing with the problem, malware may affect the overall organization’s productivity level. Although the amount is widely debated, industry estimates put the cost of the first worm (the Morris worm in 1988) at between $250,000 and $96 million.

Attackers

Attackers are those who penetrate an organization’s system either internally or externally, with or without authorization. Internal attackers may be disgruntled employees, and their specialized knowledge potentially makes them a highly capable adversary. Despite this, an external attacker’s threat is usually seen as a high-risk threat. Generally, the organization has limited information about the reason for such attacks, whether for fun, for information theft, or simply to cause disruptions to the organization’s business processes.

Capabilities of Attackers There are three levels of attacker capabilities. The most dangerous are the elite or expert hackers. These highly technical individuals seek new vulnerabilities in systems and can create scripts and programs to exploit vulnerabilities. These actors are often sponsored by terrorists, nation states, military, or organized crime, or they are engaged in industrial espionage.

Script writers are the next step down on the family tree of attackers. Although less technically qualified in finding vulnerabilities, they are capable of building and executing scripts to exploit known vulnerabilities.

The most numerous attackers are script kiddies who possess neither the expertise to find vulnerabilities nor the skills to exploit them. Their knowledge is limited to downloading and executing scripts and tools that others have developed. These individuals constitute the majority of the threat community. Despite their lack of skills, large numbers of script kiddies constitute a threat. When large numbers of script kiddies are active, they provide sufficient traffic and increased risks for defensive systems by masking activities of the elite hackers. Figure 4-5 illustrates the relationship among attackers, capabilities, and impacts.


Figure 4-5 Attackers, motivation, and impact

Motivation of Attackers Attackers have diverse motivations. Some are motivated by greed and money; others are motivated by prestige or revenge. Still others are motivated by ideology or patriotism. Most modern militaries employ hackers who make hacking their day job. Hackers’ motivations are as complex and interconnected as human relations can be. Understanding people and comprehending the function of an organization can greatly help professionals understand the motivation of hackers.

      Hackers and hacktivists Hackers use technical and social means to gain authorized or unauthorized access to information assets, computer systems, and networks. Some of the technical means include delving deep into the code and protocols used in computer systems and networks.

         Some are white-hat hackers who use their skills to determine whether systems are in fact secure. White hats operate within strict rules of engagement and with the explicit permission of a system’s owner. They also often subscribe to professional codes of ethics as part of their professional credentialing. Their opponents are called black-hat hackers who are motivated by using their skills to penetrate systems by the path of least resistance without authorization from the system owner. A third type of hacker is called the gray hat. The gray hat attempts to walk the line between the black hat and the white hat. White hats will often state there is no “gray”; once a hacker gives up on ethics and the strict rules of engagement, their credibility as a white hat is compromised.

         Some hackers, called hacktivists, are motivated to use their skills for political purposes. Hacktivists are becoming more common and can take the form of script kiddies, the elite, or anywhere in between. Often, information systems connected with political agendas or national security systems are the targets of hacktivists.

      Criminal attackers These attackers view the computer and its contents as the target of a crime—it’s something to be stolen or it’s used to perpetrate the crime. These individuals are motivated simply by profit and greed. Since most large financial transactions occur on networks, electronic crimes include fraud, extortion, theft, embezzlement, and forgery.

      Nation states Nation states are motivated by espionage and economic gain. While nation states spy on each other to gain political information, nation states may also engage in industrial espionage.

      National warfare, asymmetric warfare, and terrorism Nations depend on information systems to support the economy, infrastructure, and defense, which are all important assets. They are now targets not only of unfriendly foreign powers that are sources of highly structured threats but also of terrorists who are somewhat less structured. Independent of source, their actions constitute information warfare—warfare conducted against the information and information-processing equipment used by an adversary.

      Information warfare Information warfare is using information technology as a weapon to impact an adversary. Several recent examples have shown how customized malware and computer viruses can dramatically impact the progression of secret nuclear ambitions or severely cripple the command and control infrastructure of an opponent.

Types of Attacks

Since an organization’s web site is a purposely exposed asset, attacks may focus on it. For this type of attack, the attacker may create false content or deface the appearance. This may damage the organization’s image and reputation in terms of customer confidence and providing reliable services to its clients. To work internationally, worldwide financial institutions are required by law, regulating authorities, or common interest to provide adequate security against threats. The list below provides some common attacks.

[List: common attacks (image not reproduced)]

There are several steps commonly used in executing an attack. First, the perpetrator profiles the organization they want to attack, doing simple things such as searching Google for the organization or using a Whois lookup. Armed with that data, they try to determine what systems are exposed, using tools such as Nmap or a ping sweep. The third step is fingerprinting: using knowledge of the exposed systems, they use tools such as a banner grab to identify the operating system and the open ports. After this intelligence gathering, the attack begins with the attacker searching for vulnerabilities and matching exploits; then they systematically execute the exploits.

Appropriate countermeasures are discussed later; however, significant protection comes from simple steps such as limiting the amount of information exposed to the outside world. This makes system hardening and patching even more effective.

Employee Sabotage

When considering deliberate human acts, you should consider the motive, means, and opportunity of the individual or group. As mentioned earlier, disgruntled employees who know the internal technical details of systems present a continuous threat to the organization. Employees may carry out antisocial or unwanted actions, such as the following:

      • Damaging the organization’s key infrastructure

      • Revealing secret and confidential information to competitors

      • Creating tensions and rifts among employees by spreading hoaxes or anonymous rumors

      • Threatening the health and safety of others

      • Stealing important documents

An employee might resort to sabotage because of the following:

      • Belief that management will not treat them fairly

      • Desire for revenge because of perceived wrongs against the individual, colleagues, or management

      • Need for material gain for themselves or someone they care for

Sabotage is difficult to detect in a timely manner. To improve early detection, establishing a whistleblower policy within the organization is important. This policy allows individuals reporting suspected wrongdoings to remain anonymous. This is a good mechanism to curb sabotage.

Industrial Espionage

Industrial espionage is the act of spying or of using agents to obtain confidential information about business competitors. Industrial espionage attacks have precise motivations, for example, to gain an advantage over the competition by stealing trade secrets and market strategies. Some examples of these illegal methods are bribery, blackmail, and technological surveillance.

Since information is processed and stored on information systems, information assurance can protect against threats related to technology. However, not much can be done to reduce the threat if authorized employees are selling the information. Controls such as restricting the use of flash drives and monitoring employee workstations could be considered as a deterrent, yet they do not eliminate the threat. The users within an organization need to be trusted in order for work to be done.

Industrial espionage focuses on the theft of trade secrets for use by a competitor. The motivation of industrial espionage is often commercial. Research results, manufacturing techniques, chemical formulas, source code, and designs are targets since these assets use significant resources to develop. The attacker hopes to shortcut their research by stealing someone else’s. Manufacturing, research, and technology-heavy industries are often the targets of industrial espionage.

Invasion of Privacy

The ubiquitous and widespread use of modern technology and social media has greatly increased the possibility that private and personal information may be leaked. While organizations continue to compile information about their customers, competitors, and employees, they must be concerned with protecting personally identifiable information. The following trends are prevalent and contribute to invasion of privacy:

      • Increased surveillance

      • More information kept about travelers

      • New and existing antiterrorism laws and governmental measures offering powerful search capabilities and increased sharing of information among law enforcement authorities

      • Poor management of personal data such as racial origin, health condition, and offenses

      • Users unknowingly providing their personal information to “free” services such as social media

Phishing and Spear Phishing

Phishing is an illegal activity, fraud, or swindle carried out by deceiving users into revealing sensitive information for the benefit of the attacker. Phishing can be done via e-mail notification as well as through false links promoted via instant messengers. The usual tactic is to trap the receiver into disclosing personal information for illegal use or manipulation. Personal and account details are often the favorite targets. Figure 4-6 shows an example of a phishing attack.


Figure 4-6 Phishing attack, www.irs.gov/pub/irs-utl/phishing_email2.pdf

Spear phishing is similar to phishing except it targets specific individuals with personalized messages and attachments that may appear to be relevant to the user but that contain malware that gives the attacker access to the victim’s computer.

Spamming

Spamming is the mass sending of e-mail. It congests networks and fills mailboxes with junk. Spam e-mails generally advertise products of unknown reliability or serve as a vector for phishing.

Recently, there have been efforts to fight spam by applying technological and legal countermeasures. This approach has had limited success, and it is still impossible to eliminate spam. Consequently, some online service providers have used mechanisms to manage the spamming of their subscribers through regular blacklist updates and filters. An unintended outcome of this approach is that valid mail is blocked inadvertently. More than 37 countries have legislation regarding spam. Organizations must ensure their customer communication and marketing strategy both include safeguards and restrictions to prevent legal exposure from spam.

Vulnerabilities

Vulnerabilities are weaknesses inherent within the information asset that are exploitable by emerging threats. Lack of antivirus software on a workstation, inadequate hiring procedures, and the absence of physical access controls in the server room are examples of vulnerabilities. An exhaustive list of standard vulnerabilities faced by organizations needs to be verified with the business process and asset owners. In the United States, the U.S. Computer Emergency Readiness Team (US-CERT) informs users about vulnerabilities and tackles reported ones. Users can access the US-CERT (www.us-cert.gov/) or other National CERT/CSIRT web pages to learn about the latest vulnerabilities. Generally, there are three ways users can get information about vulnerabilities.

      Newsletter This is for any confirmed vulnerability that has no exploitable characteristic and poses no harm. The parties who discover the vulnerability should inform US-CERT and have the findings published in the newsletter.

      Advisory This is for a confirmed vulnerability with a low or medium level of local or remote exploitability. The advice should be accompanied by remedies or workaround solutions.

      Alert This is for a confirmed vulnerability that has a high level of local or remote exploitability and poses a definite threat to the information system. Immediate escalation and action needs to be performed depending on the severity of the alert triggered.

The likelihood for the occurrence of threats and existing vulnerabilities would influence the selection of controls needed to manage risk.

Controls

Controls are actions taken or mechanisms established to resolve information assurance issues. Controls to protect identified assets vary from one organization to another because they depend on issues such as an organization’s objectives, availability of resources, and risk profiles.

The implementation of controls is driven by the following factors:

      • To protect critical and sensitive information assets

      • To ensure compliance with regulatory and legislative requirements

      • To gain a competitive edge

      • To mitigate risks and avoid unnecessary operational, financial, and customer losses

Categories of Controls

There are three types of controls used to meet the needs of an organization, namely, management, operational, and technical.

      Management controls are security controls that are strategic and suitable for planning and monitoring purposes. Examples of controls in this category are the information assurance policy and information assurance risk management exercises.

      Operational controls are controls used in day-to-day operations to ensure the secure execution of business activities. Examples of controls in this category are mechanisms or tools for IT support and operations, physical and environmental security controls, and information security incident-handling processes and procedures.

      Technical controls are the possible technical and physical implementation of information assurance solutions and recommendations. Examples of controls in this category are access controls, as well as security audit and monitoring tools.

Parts II, III, and IV will provide more discussion on the various types of controls.

Key Considerations

The implementation of controls is a constant interplay of competing risk models and efficacy of policies, rules, and tools. Controls require organizational resources to install, maintain, and ultimately remove them. The following sections discuss some of the key considerations to be made when implementing a control.

Establish Balance Between Managing Risk and Implementing Controls Balancing the costs and benefits of countermeasures is a risk management exercise. Risk management identifies assets, threats, the effect of the threat, and, finally, how the organization can mitigate the loss. Refer to Chapter 11 for details on risk management.

Intangible costs such as loss of reputation and image are subjective and difficult to measure. Despite the difficulty, consider all tangible and intangible costs.

Organizations can make a more effective decision about security controls by understanding the risks associated with each asset, the value of each asset, and the cost of protecting the asset. Better decisions can be made about suitable countermeasures after the objectives for information asset protection are understood and documented. Subsequently, policies and procedures are defined to put those decisions into practice.

Ensure the Proper Controls Are Selected and Implemented Organizational considerations should include identifying the following:

      • The end users of the controls

      • How the security controls act as supporting mechanisms in achieving the organization’s mission

      • The operational issues such as day-to-day work involved, maintenance, and training on the controls

      • The organization’s security requirements, with relevance to the higher regulatory requirements and internal policies

      • The sensitivity of the data in accordance with its information classification

Considerations pertaining to the control itself should include the following:

      • Existing vulnerabilities in the control

      • Implementation requirements and the history and frequency of patches

      • Interactions with the current infrastructure setup

      • Scalability and compatibility requirements

      • Test requirements

      • Total life-cycle costs (including purchase acquisition, maintenance, and support)

      • User friendliness

Assess and Review Controls Once a control has been implemented, it should be assessed and reviewed periodically to determine whether the control is performing as expected. Undertake monitoring, assessing, and reviewing controls to do the following:

      • Detect errors in information processing results

      • Enable management to determine whether the security activities are performing as intended

      • Identify any attempted or successful intrusions into information systems

      • Record whether previous actions taken to resolve security breaches were effective

Usually, you can assess the performance of implemented security controls by using information system scans, audit reports, logs, and risk assessment reports, or by reviewing security policies. It is vital to benchmark against best practices and measure objectively whether security controls are functioning as intended, so that security breaches are avoided.

The term continuous monitoring is often used and touted as a replacement for assessments. Continuous monitoring as an approach is not flawed; however, unless all controls are studied and baselined to determine the appropriate frequency and quality of assessment, the approach may give a false sense of security. Continuous monitoring focuses on automating controls such as vulnerability scanning and patching systems. While this automation is desirable, it is largely meaningless unless a vulnerability on one system can be compared against the same vulnerability on other systems in terms of risk and effect on the organization.

Cryptology

Cryptology is a complex topic. This is a high-level presentation of the topic of cryptography intended to provide an overview for senior leaders and managers. Cryptology is the study of codes and ciphers and includes cryptography (secret writing) and cryptanalysis (breaking codes). Cryptography does not attempt to conceal the existence of a message; rather, it makes the message incomprehensible by transforming the plain text, the original and clearly intelligible message, into cipher text. Plain text is also called clear text because it can be read without the assistance of any system.

Encryption security is generally adequate if the time required to decrypt and read a message is longer than the time an encrypted file needs to be secure. Security may also be adequate if the cost (in computer time or other resources) required to defeat the encryption is greater than the value of the encrypted file. The caveat here is that the value judgment of an adversary might be different from the organization’s, particularly since the adversary can only guess at the content of the file. For more information about asset valuation, see “Assets, Threats, Vulnerabilities, Risks, and Controls”.

Codes and Ciphers

A code differs from a cipher in that a code consists of letters, whole words, and phrases with code groups (numbers and/or words) that replace the plain text. People desiring to read the encoded message need a codebook to translate the code to plain text. For example, a nine-digit customer account number is a code. On the other hand, a cipher uses the individual letters as the basic plain-text units and uses a key (or password), which tells the composition of letters in the cipher alphabet or the pattern of rearranging letters in a message. Messages sent unencoded or unenciphered are in plain language, in the clear, or in clear text.

Types of Encryption

Encryption falls into two broad categories: symmetric and asymmetric. They have different characteristics and strengths.

Symmetric Encryption Symmetric encryption is when the sender and receiver use the same private key to encrypt and decrypt a message. The key and the plain-text (unencrypted) message are combined systematically to yield a cipher text. If the encryption is secure, others cannot recover the message from the cipher text unless they know both the key and the systematic process used (called the encryption algorithm). Symmetric encryption is relatively fast.

Historically, one of the most common block cipher symmetric encryption tools was the Data Encryption Standard (DES). The algorithm is an internationally standardized symmetric cipher that performs 16 iterations of the same series of operations. One variant of DES, called Triple DES, applies DES three times in succession, yielding a total of 48 iterations. DES is now obsolete because of its small key size and has been largely supplanted by the Advanced Encryption Standard (AES).

For example, suppose a CEO wants encrypted, private communication with each of a company’s 300 operating managers to ensure privacy among the managers. The CEO must have 300 encryption keys to communicate with all the managers. In addition, the CEO wants managers to have secure communication among them. When a secret key encryption system is used, the first manager must have 299 keys to communicate with the remaining managers; the second must have 298 (299 minus the key shared with the first manager), the third 297, and so on—for a total of 44,850 keys. This is unmanageable particularly if each key must be securely transmitted to each of the parties who will use it. If an unencrypted key is transmitted to one of the managers, how does the CEO know it was not intercepted? Since most algorithms are publicly available and the security of a cipher is in the key, any effort expended selecting an algorithm is wasted if users are careless with the keys. This means each manager must keep secret the 299 keys received from the CEO. If the keys are publicly disclosed or shared, the CEO must issue new keys. Asymmetric encryption was designed to help alleviate these problems.

Asymmetric/Public Key Encryption Asymmetric encryption uses two different keys (one public and one kept private) together with a mathematical function that would require extensive resources to reverse without the private key. One key, called the public key, is used to encrypt a message, and the second key, called the private key, is used to decrypt it (using the mathematical function).

For example, suppose Hord wants to send Nina a message using public key encryption. Hord must possess his own matched private key and public key. Nina must also have her own matched private key and public key. Keys are generated in pairs. Therefore, each key has a mate and will work only with its mate. If a private key is compromised, both keys are discarded for new ones. Nina must ensure Hord can access her public key but doesn’t need to worry if other people have it. In fact, she may post her public key on her web site so anyone can get to it. Hord encrypts his message with her public key; Hord cannot decrypt the resulting message with the public key. The message can be decrypted only by using Nina’s private key. This is how the keys are matched.

When asymmetric encryption is used in the earlier example, the CEO must produce only one key pair for each of the 300 operating managers, 300 pairs in all. Each manager must store 300 keys, but only that particular manager’s own private key must be kept secret. The public keys can be published on a public web site.

Because of their mathematical complexity, asymmetric algorithms are slow and are generally used for encrypting small messages. Examples of these short messages are digital signatures and key exchanges that enable the faster symmetric encryption. Used for key exchange, they allow secure transmission of secret (symmetric) keys. The most widely used public key encryption algorithm is RSA, named for its inventors Rivest, Shamir, and Adleman.
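The pattern described above, a slow asymmetric operation protecting only a short secret while a fast symmetric cipher protects the bulk of the message, is shown here as an added example that is not from the book. It reuses the chapter’s Hord and Nina scenario with RSA-OAEP (the chapter’s RSA) wrapping a fresh AES-256 session key that encrypts the message body; the function names sealEnvelope, openEnvelope and pairwiseKeyCount, the Envelope type and the sample message are all my own choices. pairwiseKeyCount reproduces the chapter’s 44,850 figure for 300 parties under a symmetric-only scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what Hord sends Nina: the symmetric session key sealed with
// Nina's public key, plus the message body encrypted under that session key.
type Envelope struct {
	WrappedKey []byte // 32-byte AES key encrypted with RSA-OAEP (the only asymmetric step)
	Nonce      []byte // AES-GCM nonce, unique per message
	Body       []byte // message ciphertext followed by the GCM authentication tag
}

// pairwiseKeyCount is the number of distinct shared secrets a symmetric-only scheme
// needs so that every one of n participants can talk privately with every other one.
func pairwiseKeyCount(n int) int { return n * (n - 1) / 2 }

// newKeyPair generates one RSA key pair; in the chapter's example each manager holds one.
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// sealEnvelope encrypts msg for the holder of pub. A random AES-256 key protects the
// bulk data, and only that 32-byte key goes through the slow asymmetric operation.
func sealEnvelope(pub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Body: gcm.Seal(nil, nonce, msg, nil)}, nil
}

// openEnvelope recovers the message. It succeeds only with the private mate of the
// public key used to seal; any other private key fails at the OAEP unwrapping step.
func openEnvelope(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Body, nil)
}

func main() {
	nina, _ := newKeyPair()
	hord, _ := newKeyPair()
	// Constructed sample message; Hord encrypts with Nina's public key only.
	env, _ := sealEnvelope(&nina.PublicKey, []byte("quarterly figures attached"))
	if _, err := openEnvelope(hord, env); err != nil {
		fmt.Println("Hord's own private key cannot open it:", err)
	}
	msg, _ := openEnvelope(nina, env)
	fmt.Printf("Nina reads: %s\n", msg)
	fmt.Println("symmetric-only keys for 300 parties:", pairwiseKeyCount(300))
}
```

Note that the private key never leaves its owner and no symmetric key has to be pre-shared: the session key is generated per message and travels only inside the RSA-protected WrappedKey, which is the key-exchange role the chapter assigns to asymmetric algorithms.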

Encryption Key Escrow

When individuals use encryption without central mandatory control, the availability of organizational data is threatened. Employees who are fired or die unexpectedly are equally unlikely to return and provide the company with the encryption keys that secure their important files. Senior leaders must ensure the management of encryption is closely monitored. Organizations should implement rules that include termination for unauthorized use of encryption.

The easiest management tool for managing crypto keys is key escrow, which is an agreement that describes the rules for storing critical keys in trusted storage. So, if an employee departs the organization, the associated keys are released from escrow to a designated individual or organization. Managers concerned about encryption data security might build an audit program beginning with the following questions. These questions are general and provide only a starting point for identifying encryption security issues.

      • What is the cryptography experience and education of the person who selects and approves encryption software?

      • How does the person who selects and approves encryption software keep abreast of developments in cryptanalysis (so the person will know when the encryption algorithm is broken)?

      • Who decides what information will be encrypted and what will not?

      • How is encryption used to secure the transmission of information?

      • What use of encryption algorithms is made for each of the following: authentication, secrecy, integrity check, and nonrepudiation?

      • How is encryption used to secure stored files, including backup tapes and sensitive information on laptops?

      • What, if any, use does the organization make of internal key escrow (to prevent inaccessible data when an employee is discharged or absent)?

      • What use does the organization make of private-key algorithms (such as DES) that require exchanging keys in secret?

      • If a block cipher (such as DES) is used, what use is made of block-chaining or feedback (to prevent a block-replay attack)?

      • What are the procedures for storing, exchanging, and protecting encryption keys?

      • Does the company use encryption software that compresses messages before encryption to eliminate recurring blocks?

      • What physical security measures are in place for computers that contain encryption software and/or private keys?

      • To what extent are computers that contain encryption software and/or private keys linked to networks of any type?

      • How are plain-text files of encrypted or other sensitive information obscured after they are deleted?

      • Does the company encrypt all communication to and from a particular server or back up files from a remote location (exposing plain-text files to interception en route)?

      • What procedures does the organization use to authenticate each message and the sender of each message to avoid spoofing?

      • What reliance is placed on the password security typically offered in word processing, spreadsheet, and other software packages?

      • What encryption standards such as FIPS 140-2 must the organization meet?
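Two of the audit questions above, the use of block chaining or feedback and the elimination of recurring blocks, are about the same observable symptom: without chaining, identical plain-text blocks produce identical cipher-text blocks. The following added example (mine, not the book’s) makes that symptom measurable. It uses AES rather than the obsolete DES, the function names encryptECB, encryptCBC and repeatedBlocks and the fixed demo key and record are my own constructed values, and repeatedBlocks is the check an auditor could run over stored cipher text without knowing the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Constructed demo inputs. A real key comes from a CSPRNG or a key-management system;
// the record deliberately repeats a 16-byte field, as padded database rows often do.
var (
	demoKey    = bytes.Repeat([]byte{0x42}, 32)                  // AES-256 key
	demoRecord = bytes.Repeat([]byte("ACCOUNT=00000000"), 4)       // four identical blocks
)

// pkcs7Pad extends data to a whole number of blocks so every block is full.
func pkcs7Pad(data []byte, bs int) []byte {
	n := bs - len(data)%bs
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptECB encrypts each block on its own: no chaining, no feedback.
// Equal plain-text blocks therefore yield equal cipher-text blocks.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	pt := pkcs7Pad(plaintext, bs)
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(out[i:i+bs], pt[i:i+bs])
	}
	return out, nil
}

// encryptCBC chains each block into the next, starting from a random IV that is
// prepended to the output so the receiver can reverse the chain.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	pt := pkcs7Pad(plaintext, bs)
	out := make([]byte, bs+len(pt))
	iv := out[:bs]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[bs:], pt)
	return out, nil
}

// repeatedBlocks counts cipher-text blocks that duplicate an earlier block.
// It needs no key, so it can be run over stored cipher text during an audit;
// any count above zero means plain-text structure is showing through.
func repeatedBlocks(ct []byte, bs int) int {
	seen := map[string]int{}
	for i := 0; i+bs <= len(ct); i += bs {
		seen[string(ct[i:i+bs])]++
	}
	dup := 0
	for _, c := range seen {
		if c > 1 {
			dup += c - 1
		}
	}
	return dup
}

func main() {
	ecb, _ := encryptECB(demoKey, demoRecord)
	cbc, _ := encryptCBC(demoKey, demoRecord)
	fmt.Println("ECB:", hex.EncodeToString(ecb))
	fmt.Println("ECB repeated blocks:", repeatedBlocks(ecb, aes.BlockSize))
	fmt.Println("CBC:", hex.EncodeToString(cbc))
	fmt.Println("CBC repeated blocks:", repeatedBlocks(cbc, aes.BlockSize))
}
```

Run it and the ECB output shows the same 32 hex characters four times in a row while the CBC output does not, which is exactly what the block-chaining question is asking the organization to confirm. Compression before encryption, the other question, attacks the same leak from the plain-text side by removing the repetition before it reaches the cipher.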

Further Reading

      • ACM Computing Curricula Information Technology Volume: Model Curriculum. ACM, Dec. 12, 2008. http://campus.acm.org/public/comments/it-curriculum-draft-may-2008.pdf.

      • Armistead, Edwin L. Information Warfare Separating Hype from Reality. Potomac Books, 2007.

      • Catalogue of Threat 2004 in IT-grundschutz Manual 2004, BSI (Bundesamt für Sicherheit in der Informationstechnik). Federal office for Information Security, Germany, 2004. www.bsi.de/english/gshb/manual/download/threat-catalogue.pdf.

      • CERT-SA, Computer Emergency Response Team: Saudi Arabia, 2008. www.cert.gov.sa/.

      • Data classification. HDM Clariza Initiatives. June 16, 2007. www.trehb101.com/index.php?/archives/71-DATA-cLASSIFATIoN.html.

      • DeCew, Judith W. In Pursuit of Privacy: Law, Ethics, and the Rise of Technology. Cornell University Press, 1997.

      • Electronic Privacy Information Center. http://epic.org/.

      • Encyclopedia of Applied Ethics. Academic Press, 1998.

      • FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems. National Institute of Standards and Technology, 2004. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.

      • Friedlob, George T., C. D. Schou, and F.J. Plewa. “An Auditor’s Primer on Encryption.” CPA Journal, 67.11 (1997): 40–46.

      • Friedlob, George T., F.J. Plewa, and L.F. Schleifer. “An Auditor’s Introduction to Encryption.” Institute of Internal Auditors, 1998.

      • Frost, J.C., J.M. Springer, and C.D. Schou. Instructor guide and materials to accompany principles of Introduction to Principles of Computer Security: Security+ and Beyond. McGraw-Hill Education, 2004.

      • Hill, K. “How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did.” Forbes, 2014. www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/.

      • Holtzman, David H. Privacy Lost: How Technology Is Endangering Your Privacy. Jossey-Bass, 2006.

      • Howard, M., and S. Lipner. The Security Development Lifecycle, Microsoft Press, 2006.

      • Hellman, Martin E. “The Mathematics of Public-Key Cryptography.” Scientific American, August 1979, pp.146–157.

      • Malaysian Public Sector Information Security Risk Assessment Methodology (MyRAM)., 2006, Malaysian Administrative Modernisation and Management Planning Unit (MAMPU), Malaysia.

      • MyCERT, Malaysia Computer Emergency Response Team. 2013. www.mycert.org.my/en/index.html.

      • Nash, A., et al. PKI: Implementing and Managing E-security. McGraw-Hill Education, 2001.

      • National Institute of Standards and Technology Federal Information Processing Standard 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.

      • National Institute of Standards and Technology. Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. NIST, June 2004.

      • National Institute of Standards and Technology. Special Publication 800-12, An Introduction to Computer Security. NIST, 1996.

      • National Institute of Standards and Technology. Special Publication 800-60 Volume I Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories. NIST, 2008. http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf.

      • NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals, CNSS, 2004. www.cnss.gov/Assets/pdf/nstissi_4011.pdf.

      • Official Journal of the European Communities, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2000 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). http://www.planetdata.com/site/uploads/Directive_2002-58-EC_of_the_European_Parliament_and_of_the_Council_1_Oct_2002.pdf.

      • Pipkin, D. Information Security: Protecting the Global Enterprise. Hewlett-Packard, 2000.

      • Schmidt, Howard A. Patrolling Cyberspace: Lessons Learned from a Lifetime in Data Security. Larstan Publishing, 2006.

      • Schou, Corey D., and K.J. Trimmer. “Information Assurance and Security.” Journal of Organizational and End User Computing, vol. 16, no. 3, July/September 2004.

      • Schou, Corey D., and D.P. Shoemaker. Information Assurance for the Enterprise: A Roadmap to Information Security. McGraw-Hill Education, 2007.

      • Tipton, Harold F., and S. Hernandez, ed. Official (ISC)² Guide to the CISSP CBK, 3rd edition. (ISC)² Press, 2012.

      • Trimmer, Kenneth J., et al. “Enforcing Early Implementation of Information Assurance Precepts throughout the Design Phase.” Journal of Informatics Education Research, 2007.

      • U.S. CERT. United States Computer Emergency Readiness Team, 2013. www.us-cert.gov/.

Critical Thinking Exercises

        1. An executive receives an e-mail from a known colleague with an urgent message about the financial state of their organization attached in a PDF. What should the executive do? The executive is unaware of any financial problems with the organization, and the executive didn’t request this information.

        2. An organization has always kept a “decentralized” information technology infrastructure, which has led to servers under desks, coat closets arbitrarily being turned into wiring closets, and numerous portable hard drives floating around the organization. What could happen if the organization needed to institute a reduction in force because of changing market conditions? What can an organization do to prevent the risk of these changes?

        3. An organization’s web site has been collecting the actions of users for several years now. The web site was a social media overnight success, and the organization never got around to completing a privacy statement or terms of service. The organization has been selling the demographic information to advertisers and market researchers as part of its core business for more than a year now. The organization receives a legal summons related to privacy concerns of the site. What could have been done in the beginning to prevent the legal exposure?

        4. What information does your organization use, and what requirements must be met to ensure the confidentiality, integrity, and availability of the information? What drives these requirements for your organization?

        5. Your organization has a web site used for advertising your products or services around the world. The site is used only for disseminating information about your organization and its mission. What requirements (if any) should be in place regarding confidentiality, integrity, and availability?
