Lesson 1 Introduction of Information Assurance and Security

This document provides a history of information security from the 1940s to present day. It begins by discussing early physical security measures during World War II. It then outlines the evolution of information security through each decade, from passwords in the 1960s to widespread encryption and security policies today. Major milestones included the creation of the first computer worm in the 1970s, the Morris Worm in 1988 that spread rapidly through networks, the rise of firewalls in the 1990s in response to increased network threats, and major data breaches like Snowden and Yahoo in the 2010s. The document also defines information security and its two major aspects of IT security and information assurance.

Uploaded by

Dino Kamsali

ITE 185 – INFORMATION ASSURANCE

SK TAHIL

LESSON 1
INTRODUCTION OF INFORMATION ASSURANCE
AND SECURITY

History of Information Security


Information security began during World War II, immediately following the
development of mainframes. These machines were used for code-breaking computations,
and multiple levels of security were implemented to keep physical control over the
information. This rudimentary security guarded against physical theft, espionage,
and sabotage.
Evolution of Information Security
Information flows throughout computer systems like fish in the sea. This presents
a wealth of opportunities for people to steal data; that is why information security is a
necessity. The evolution of information security over the years:
1960s
Password protection: It was during the 1960s that organizations first started
to become more protective of their computers. The largest security concerns at this
time were at the points of access. In the absence of the internet or networks,
security was largely focused on physical measures and on preventing access by
people with enough knowledge of how to work a computer, who could break into a
facility and start accessing sensitive data. To do this, passwords and multiple
layers of security protection were added. Fire safety measures were
also implemented, to ensure that the stored data was protected. After all, there was
no iCloud available back in those days, so computers had to be secured by other
means.
1970s
From CREEPER to Reaper: At this point in the history of information security,
network computing was in its infancy. Cybersecurity's history began with a research
project on what was then known as the ARPANET (the Advanced Research Projects
Agency Network). Bob Thomas created a computer program named 'CREEPER' to
move across ARPANET's network, leaving a small trail wherever it went. Ray Tomlinson,
the man who invented email, later designed a program which took CREEPER to the next
level, making it self-replicating and the first ever computer worm. He wrote another
program called Reaper which chased CREEPER and deleted it, providing the first
example of antivirus software.
Though there was no massive global network that connected every device during this
time, large organizations and governments were linking their computers via the
telephone lines to create their own networks. People started to seek ways to infiltrate
phone lines connected to computers, so that they could steal data. These people became
the first groups of hackers.
1980s
The internet goes mad: During this time hacking had already burgeoned into an
international crime issue. As computers became more and more
connected, computer viruses became more advanced, and information security
systems could not keep up with the constant barrage of innovative hacking approaches.
The year 1988 was one of the major turning points in the history of information security.
Network usage began to expand rapidly, and more and more universities, militaries and
governments became connected to it. That meant that the security measures required
had to gradually become more expansive as well, which gave birth to the Morris Worm.
Named after its inventor, Robert Morris, the worm was designed to
propagate across networks, infiltrate terminals using a known bug, and then copy itself.
Its aim was to identify lacking areas in a network intrusion prevention system. However,
its ability to self-replicate would be its downfall, as the worm replicated so aggressively
that it rendered targeted computers inoperable and slowed the internet down to a
crawling pace. It also spread quickly throughout the network, and caused untold
damage. In fact, the damage it caused was so severe that Robert Morris became the
first person to be successfully charged under the Computer Fraud and Misuse
Act. The Computer Emergency Response Team (CERT) was also formed as a result,
in order to prevent cyber issues like these from happening again.
It was also during this time that the ARPANET network became more commonly
known as the internet, and became available to the public as the worldwide web.
1990s
The rise of firewalls: After the worldwide web was made available in 1989, people
started putting their personal information online; organized crime entities saw this as a
potential revenue source, and started to steal data from people and governments via the
web. By the mid-1990s, network security threats had increased exponentially and, as
such, firewalls and antivirus programs had to be produced on a mass basis to protect
the public. It was a NASA researcher who created the very first firewall program design,
following a computer virus attack at their California base. The design was a virtual
'firewall' modelled on the physical structures that prevent the spread of actual
fires within buildings or structures. Firewalls and antivirus programs helped protect
against these threats, but the web was a mostly unsecured and rapidly burgeoning network.
2000s
Proper punishment: In the early 2000s, although governments had been pursuing
cyber criminals for decades, most punishments were light, often being limited to a
confiscation of computer equipment and a ban from computer use for a certain period of
time. This changed as governments started to recognize the dangers of hacking.
Hackers were jailed for years as punishment for cybercriminal activity. Information
security continued to advance as the internet grew as well but, unfortunately, so did
viruses. Hackers quickly became able to create viruses that could not only target
specific organizations, but whole cities, states and even continents as well.
2010s
Information security becomes serious: Although criminal prosecutions, firewalls
and antivirus software had served as deterrents to cybercriminals, they did not stop
hackers from breaking into computer networks. At this point in the history of information
security, security experts started to realize that the best way to protect data was to make
it truly inaccessible to hackers. To this end, data encryption, which scrambles data to
render it unreadable to unauthorized users, became more widespread. In many
cases, encryption occurs at multiple levels, including on digital files, networks and during
data transmissions. Organizations now also implement comprehensive information
security policies that prevent their employees from making any mistakes that make data
accessible to intruders.
Hacking became ever more complicated over the years that followed, and
a number of major data breaches now largely define the era. These include:
• Snowden & The NSA, 2013. Edward Snowden, a former CIA employee and
contractor for the US Government, copied and leaked classified information from
the National Security Agency (NSA), highlighting the fact that the government was
effectively ‘spying’ on the public. He is controversially thought of as a hero by
some, and a traitor by others.
• Yahoo, 2013 – 2014. Hackers broke into Yahoo, jeopardizing the accounts and
personal information of all its three billion users. The company was fined $35 million
for failing to disclose news of the breach in a timely manner, and Yahoo’s sale price
decreased by $350 million as a result.
• WannaCry, 2017. More widely known as the first ‘ransomworm’, WannaCry
targeted computers running the Microsoft Windows operating system and
demanded ransom payments in the Bitcoin cryptocurrency. In only one day, the
worm infected over 230,000 computers across 150 countries.

What is Security?
This is the age of universal electronic connectivity, where activities such as hacking,
viruses, and electronic fraud are very common. Unless security measures are taken, a
network conversation or a distributed application can be compromised easily.
Security for information technology (IT) refers to the methods, tools and personnel used
to defend an organization's digital assets. It is also the protection of information and its
critical elements, including systems and hardware that use, store, and transmit that
information.
Information security, sometimes shortened to InfoSec, is the practice of defending
information from unauthorized access, use, disclosure, disruption, modification, perusal,
inspection, recording or destruction. It is a general term that can be used regardless of
the form the data may take (electronic, physical, etc.).
Two major aspects of information security are:
➢ IT security: Sometimes referred to as computer security, Information Technology
Security is information security applied to technology (most often some form of
computer system). It is responsible for keeping all of the technology within the
company secure from malicious cyberattacks that often attempt to breach
critical private information or gain control of the internal systems.
➢ Information assurance: The act of ensuring that data is not lost when critical
issues arise. These issues include but are not limited to: natural disasters,
computer/server malfunction, physical theft, or any other instance where data has
the potential of being lost. Since most information is stored on computers in our
modern era, information assurance is typically dealt with by IT security
specialists. One of the most common methods of providing information assurance
is to have an off-site backup of the data in case one of the mentioned issues
arises.
Computer security is a branch of computer technology known as information security as
applied to computers and networks. The objective of computer security includes
protection of information and property from theft, corruption, or natural disaster, while
allowing the information and property to remain accessible and productive to its intended
users.
The term computer system security means the collective processes and mechanisms by
which sensitive and valuable information and services are protected from publication,
tampering or collapse by unauthorized activities or untrustworthy individuals and
unplanned events respectively.
The strategies and methodologies of computer security often differ from most other
computer technologies because of its somewhat elusive objective of preventing unwanted
computer behavior instead of enabling wanted computer behavior.
➢ Computer Security - generic name for the collection of tools designed to protect
data and to thwart hackers
➢ Network Security - measures to protect data during their transmission
➢ Internet Security - measures to protect data during their transmission over a
collection of interconnected networks
Why Security?
Computer security is required because most organizations can be damaged by hostile
(that is, unfriendly) software or intruders. There may be several forms of damage,
which are obviously interrelated. These include:
▪ Damage or destruction of computer systems.
▪ Damage or destruction of internal data.
▪ Loss of sensitive information to hostile parties.
▪ Use of sensitive information to steal items of monetary value.
▪ Use of sensitive information against the organization's customers which may result
in legal action by customers against the organization and loss of customers.
▪ Damage to the reputation of an organization.
▪ Monetary damage due to loss of sensitive information, destruction of data, hostile
use of sensitive data, or damage to the organization's reputation.

Principles of Security (Goals)


Confidentiality, Integrity and Availability form what is often referred to as the
CIA triad (Figure 1). The three concepts embody the fundamental security objectives
for both data and for information and computing services. FIPS PUB 199 provides a
useful characterization of these three objectives in terms of requirements and the
definition of a loss of security in each category:

Fig 1: Key Security Concepts


Confidentiality
• Confidentiality is a set of rules that limits access to information.
• Measures undertaken to ensure confidentiality are designed to prevent sensitive
information from reaching the wrong people, while making sure that the right
people can in fact get it.
• Training can help familiarize authorized people with risk factors and how to guard
against them.

Confidentiality is perhaps the element of the triad that most immediately comes to
mind when you think of information security. Data is confidential when only those
people who are authorized to access it can do so; to ensure confidentiality, you need
to be able to identify who is trying to access data and block attempts by those without
authorization. Passwords, encryption, authentication, and defense against penetration
attacks are all techniques designed to ensure confidentiality.

When information is read or copied by someone not authorized to do so, the result
is a “loss of confidentiality”. For sensitive information, confidentiality is a very important
criterion. Bank account statements, personal information, credit card numbers, trade
secrets, government documents are some examples of sensitive information. This goal
of the CIA triad emphasizes the need for information protection. For example,
confidentiality is maintained for a computer file, if authorized users are able to view it,
while unauthorized persons are blocked from seeing it.

Integrity
• Integrity is the assurance that the information is trustworthy and accurate.
• Integrity involves maintaining the consistency, accuracy, and trustworthiness of
data over its entire life cycle.
• Data must not be changed in transit, and steps must be taken to ensure that data
cannot be altered by unauthorized people (for example, in a breach of
confidentiality).
• This goal defines how we keep our data from being altered. Man-in-the-middle
(MiTM) attacks are an example threat for this goal.
Integrity means maintaining data in its correct state and preventing it from being
improperly modified, either by accident or maliciously. Many of the techniques that
ensure confidentiality will also protect data integrity (after all, a hacker can't change
data they can't access), but there are other tools that help provide a defense of integrity
in depth: checksums can help you verify data integrity, for instance, and version control
software and frequent backups can help you restore data to a correct state if need be.
Integrity also covers the concept of non-repudiation: you must be able to prove that
you've maintained the integrity of your data, especially in legal contexts.
Information can be corrupted or manipulated if it’s available on an insecure network, and
this is referred to as “loss of integrity.” This means that unauthorized changes are made to
information, whether by human error or intentional tampering. Integrity is particularly
important for critical safety and financial data used for activities such as electronic funds
transfers, air traffic control, and financial accounting. For example, banks are more
concerned about the integrity of financial records, with confidentiality having only second
priority. Some bank account holders or depositors leave ATM receipts unchecked and
hanging around after withdrawing cash. This shows that confidentiality does not have the
highest priority. In the CIA triad, integrity is maintained when the information remains
unchanged during storage, transmission, and usage not involving modification to the
information.
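
The difference between accidental and deliberate modification in transit, as an added example that is not part of the original lesson: a plain checksum catches accidental corruption, but a party on the path who alters the data can simply recompute it. The example goes one step beyond the text by adding a keyed HMAC, which cannot be recomputed without the shared key. The record contents, the shared-key setup and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 digest: anyone holding the data can recompute it."""
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256 tag: only holders of the shared key can compute it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(checksum(data), digest)


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so it does not leak match length
    return hmac.compare_digest(mac(key, data), tag)


def corrupt_one_bit(data: bytes) -> bytes:
    """Accidental damage: one bit flips, the integrity value is untouched."""
    return bytes([data[0] ^ 0x01]) + data[1:]


def modify_in_transit(data: bytes, old: bytes, new: bytes):
    """Deliberate change by a party on the path who does not hold the key.

    That party can recompute the unkeyed checksum for the altered data, but
    for the MAC the original tag is all they have to send along.
    """
    altered = data.replace(old, new)
    return altered, checksum(altered)


def demo() -> dict:
    key = secrets.token_bytes(32)  # assumed to be shared out of band
    record = b"transfer amount=100 to=ACCT-0001"  # constructed sample record
    digest, tag = checksum(record), mac(key, record)

    flipped = corrupt_one_bit(record)
    altered, new_digest = modify_in_transit(record, b"amount=100", b"amount=900")

    return {
        "intact_checksum_ok": verify_checksum(record, digest),
        "intact_mac_ok": verify_mac(key, record, tag),
        "bitflip_caught_by_checksum": not verify_checksum(flipped, digest),
        "bitflip_caught_by_mac": not verify_mac(key, flipped, tag),
        "altered_passes_checksum": verify_checksum(altered, new_digest),
        "altered_caught_by_mac": not verify_mac(key, altered, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every entry in the result is true, including `altered_passes_checksum`: the altered record verifies against its recomputed checksum, which is why a checksum delivered over the same channel as the data only protects against accidents.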

Availability
• It means that assets are accessible to authorized parties at appropriate times.
• Availability is very much a concern beyond the traditional boundaries of computer
security. We want to ensure that a malicious attacker cannot prevent legitimate
users from having reasonable access to their systems.

Availability is the mirror image of confidentiality: while you need to make sure that
your data can't be accessed by unauthorized users, you also need to ensure that
it can be accessed by those who have the proper permissions. Ensuring data
availability means matching network and computing resources to the volume of data
access you expect and implementing a good backup policy for disaster recovery
purposes.

Information can be erased or become inaccessible, resulting in “loss of
availability.” This means that people who are authorized to get information are restricted
from accessing it. Availability is often the most important attribute in service-oriented
businesses that depend on information. Denying access to information has become a
very common attack nowadays. Almost every week you can find news about high profile
websites being taken down by Denial of Service attacks. The CIA triad goal of availability
is the situation where information is available when and where it is rightly needed.
