Principles of Information Assurance
Corey Schou
Dan Shoemaker
Copyright 2003
Introduction to Information Assurance (CDS) 15
McCumber Model (CDS) 15
International View (DAN) 15
BS 7799 (DAN) 15
ISO 17799 (DAN) 15
Assurance Management 15
Confidentiality (CDS) (0011) 15
Integrity (CDS) (0011) 15
Availability (CDS) (0011) 15
Access Control (0010) 15
Access Control Administration (0010) 15
Centralized Systems (0010) 15
Diameter (0010) 15
RADIUS (0010) 15
TACACS (0010) 15
Decentralized Systems (0010) 15
Access Control Models and Techniques (0010) 15
Categories of Access Control (0011) 15
System Access Controls (0011) 15
Data Access Controls (0011) 15
Access Control Techniques (0010) 15
Capability Tables and ACL (0010) 15
Content Dependent Access Control (0010) 15
Restricted Interfaces (0010) 15
DAC (0010) 15
MAC (0010) 15
RBAC (0010) 15
Concepts of Access Control (0011) 15
Control Types (0011) 15
Access Control Services (0011) 15
Identification and Authentication (0010) 15
Authentication (0010) 15
Biometrics (0010) 15
Cognitive Password (0010) 15
Cryptographic Keys (0010) 15
Memory Cards (0010) 15
One Time Passwords (0010) 15
Passphrase (0010) 15
Passwords (0010) 15
Smart Cards (0010) 15
Authorization (0010) 15
Stage Setting 15
Intrusion Detection Systems (0010) (0100) 16
Behavior Based (0010) 16
Host Based (0010) 16
Network Based (0010) 16
Signature Based (0010) 16
Pros and Cons (0010) 16
Single Sign-On Technology (0010) 16
Directory Services (0010) 16
KERBEROS (0010) 16
SESAME (0010) 16
Thin Clients? (0010) 16
Unauthorized Access Control and Attacks (0010) 16
Unauthorized Disclosure of Information (0010) 16
Emanation Security (WAP and TEMPEST) (0010) 16
Attack Types (0010) 16
Network Attacks 16
Syn Flood 16
ICMP Flood 16
UDP Flood 16
SMURF 16
Fraggle 16
Teardrop 16
Spoofing 16
Penetration Testing (Right Place?) (0010) 16
Applications and Systems Development (0010) 16
Knowledge Based Systems and Intelligence (0010) (0011) 16
Artificial Neural Network (0010) (IGGY) 16
Expert Systems (0010) 16
Application Security Controls 16
Abstraction (0011) 16
Accountability (0011) 16
Data Hiding (0011) 16
Defense in Depth (0011) 16
Hardware Segmentation (0011) 16
Process Isolation (0011) 16
Reference Monitor (0011) 16
Security Kernel (0011) 16
Separation of Privilege (0011) 16
Service Level Agreements (0011) 16
Supervisor and User Modes (0011) 16
System High Mode (0011) 16
Data and Information Security (0011) (CDS) 16
Primary Storage (0011) 16
Real and Virtual (0011) 16
Secondary Storage (0011) 16
Databases (0010) 16
Aggregation and Inference (0010) 16
Concurrency Issues (0010) 16
Data Mine (0010) 16
Data Warehouse (0010) 16
Database Interface Languages (0010) 16
Database Security 16
Distributed Data Model (0010) 16
Hierarchical Database (0010) 16
Network Database Management System (0010) 16
Object Oriented Database (0010) 16
Relational Data Model (0010) 17
Database Dictionary (0010) 17
Structured Query Language (0010) 17
Distributed Computing (0010) 17
Distributed Applications (0011) 17
Agents (0011) 17
Applets (0011) 17
Security in Distributed Systems (0011) 17
Examples to Discuss (CDS) 17
ActiveX (0010) 17
CGI (0010) 17
COM and DCOM (0010) 17
Cookies (0010) 17
Enterprise Java Bean (0010) 17
Java Applet (0010) 17
OLE (0010) 17
ORB and CORBA (0010) 17
Malicious Actions (0010) 17
Brute Force (0011) 17
Denial of Service (0010) 17
Distributed Denial of Service 17
Dictionary attack (0011) 17
Eavesdropping (0011) 17
Hidden Code (0011) 17
Inference (0011) 17
Logic Bomb (0010) 17
Pseudo Flaw (0011) 17
Remote Maintenance (0011) 17
Smurf Attacks (0010) 17
Sniffing (0011) 17
Social Engineering (0011) 17
Timing Attacks (0010) 17
Traffic Analysis (0011) 17
Trojan Horse (0010) 17
Virus (0010) 17
Worm (0010) 17
Object Oriented Environments and Principles (0010) 17
Abstraction (0010) 17
Application Threats (0010) 17
Classes and Objects (0010) 17
Polyinstantiation (0010) 17
Polymorphism (0010) 17
Project development (0010) 17
Software Lifecycle (0010) 17
Software Development Models (0010) 17
Acceptance Testing (0010) 17
Accreditation (0011) 17
Certification (0011) 17
Change Management (0011) 17
Code (0011) 17
Code Review (0011) 17
Conceptual definition (0011) 17
Configuration Management (0011) 17
Design (0011) 17
Disposal (0010) 17
Functional Design Analysis and Planning (0010) 17
Functional Requirements (0011) 17
Functional Specifications (0011) 17
Implementation (0010) 18
Maintenance (0010) (0011) 18
Operations (0010) 18
Project Initiation (0010) 18
Software Development (0010) 18
System Design Specification (0010) 18
System Test (0011) 18
Writing Secure Code (???) 18
Awareness, Training and Education (CDS/VIC) 18
Tools (CDS) 18
Standards 18
Cryptography (0100) (0010) Stuff from my book? 18
Cryptography Defined 18
Classes of Ciphers 18
Cipher Types (0010) 18
Asymmetric Cryptography (0010) 18
Block Cipher (0010) 18
Kerckhoffs' Principle (0010) 18
Key Escrow (0010) 18
Stream Cipher (0010) 18
Substitution Cipher (0010) 18
Symmetric Cryptography (0010) 18
Transposition Cipher (0010) 18
Key Clusters (0011) 18
Encryption and Decryption (0011) 18
Work Factor Force times effort and work (0011) 18
Message Authentication 18
Digital Signatures 18
Message Digests 18
Non Repudiation 18
Attacks (0010) 18
Adaptive Chosen Plaintext Attack (0010) 18
Analytic Attack (0010) (0011) 18
Brute Force (0011) 18
Implementation Attacks (0011) 18
Known Plaintext Attack (0010) 18
Man in the Middle Attack (0010) 18
Statistical Attacks (0011) 18
Specific Methods of Attack 18
Chosen Ciphertext Attack (0010) 18
Chosen Plaintext Attack (0010) 18
Ciphertext-Only Attack (0010) 18
Key Issues (0011) 18
Key Change (0011) 18
Key Control (0011) 18
Key Disposal (0011) 18
Key Distribution (0011) 18
Key Generation (0011) 18
Key Installation (0011) 18
Key Escrow and Recovery (0011) 18
Key Storage (0011) 18
Cryptographic Applications (0010) 18
Encryption at Different Layers (0010) 18
One Time Pad (0010) 18
Public Key Infrastructure (PKI) (0010) 18
Certificate Revocation List (CRL) (0010) 18
Certification Authority (CA) (0010) 19
PKI Steps (0010) 19
Registration Authority (0010) 19
Cryptographic Protocols (0010) 19
Internet Security (0010) 19
HTTPS (0010) 19
IPSec (0010) 19
S/MIME (0010) 19
Secure Hypertext Transfer Protocol (S-HTTP) (0010) 19
Secure Sockets Layer (SSL) (0010) 19
SET (0010) 19
SSH2 (0010) 19
Message Security Protocol (MSP) (0010) 19
Pretty Good Privacy (PGP) (0010) 19
Privacy Enhanced Mail (PEM) (0010) 19
Cryptography Definitions (0010) 19
Attacks (0010) 19
Keys and Text (0010) 19
Keyspace (0010) 19
Spy Cipher (0010) 19
Steganography (0010) 19
Strength of Crypto Systems (0010) 19
Hybrid Approaches (0010) 19
Asymmetric Algorithm (0010) 19
Diffie Hellman Key Exchange (0010) 19
El Gamal (0010) 19
Elliptic Curve Cryptosystems (ECC) (0010) 19
Data Encryption (0010) 19
Key Management (0010) 19
Security Goals (0010) 19
Symmetric Algorithms (0010) 19
Advanced Encryption Standard (AES) (0010) 19
DES (0010) 19
Triple DES (0010) 19
Message Integrity and Digital Signatures (0010) 19
Electronic Signaling (0010) 19
DSS? (0010) 19
Message Authentication Code (0010) 19
Message Integrity (0010) 19
Attacks on Hashing Functions (0010) 19
Hashing Algorithms (0010) 19
One Way Hash (0010) 19
Disaster Recovery (DRP) and Business Continuity (BCP) (0010) (DAN?) 19
A Background for DRP and BCP (0011) 19
Classes of Disasters (0011) 19
Natural Disaster (0011) 19
Man Made Disaster (0011) 19
Disaster Recovery vs. Business Continuity (0010) (0011) 19
BCP Keeps Ops Running (0011) 19
DRP Restores Normal OPS (0011) 19
Commonality (0011) 19
Identify Critical Business Functions (0011) 19
Identify Experts (0011) 19
Identify Possible Disaster Scenarios (0011) 19
BCP Development (0011) 19
Backups and Off-Site Storage (0011) 19
Document Strategy (0011) 20
Documentation (0011) 20
Emergency Response (0011) 20
External Communications (0011) 20
Fire Protection (0011) 20
Identify Success Factors (0011) 20
Logistics and Supplies (0011) 20
Maintain the Plan (0011) 20
Organization Awareness and Training (0011) 20
Personnel Notification (0011) 20
Project Team Management (0011) 20
Senior Management Involvement (0011) 20
Senior Management Support (0011) 20
Simplify Critical Functions (0011) 20
Software Escrow Agreements (0011) 20
Utilities (0011) 20
Backups and Off-Site Facilities (0010) 20
Backup Facility Alternatives (0010) 20
Hot site (0010) 20
Cold site (0010) 20
Warm site (0010) 20
Choosing a Software Backup Storage Facility (0010) 20
Employees and Working Environment (0010) 20
Business Impact Analysis (0010) 20
Criticality Assessment (0011) 20
Defining the Resource Requirements (0011) 20
Identifying Key Players (0011) 20
Setting Maximum Tolerable Downtime (0011) 20
Threats (0011) (0010) 20
Vulnerability Assessment (0011) 20
DRP and BCP Objectives (0010) 20
Documentation (0010) 20
Emergency Response (0010) 20
Maintenance (0010) 20
Phase Breakdown (0010) 20
Prevention (0010) 20
Recovery and Restoration (0010) 20
Testing and Drills (0010) 20
DRP Development (0011) 20
Facilitate External Communication (0011) 20
Maintain Physical Security (0011) 20
Personnel Identification (0011) 20
Prepare for Emergency Response (0011) 20
Test Recovery Plan 20
Test Continuity Plan 20
Product Life Cycle (0010) 20
Project Initiation Phase (0010) 20
Threats (0010) 20
Law, Investigation, and Ethics (0010) 20
Types of Law (0011) 20
Common Law 20
Constitutional Law 20
International Law 20
Computer Crime Investigation (0010) 20
Admissibility of Evidence (0010) 20
Collecting Evidence (0010) 20
Enticement and Entrapment (0010) 21
Evidence Types (0010) 21
Best Evidence 21
Hearsay Evidence 21
Secondary Evidence 21
Forensics (0010) 21
Incident Handling (0010) 21
Incident Response Plan (0010) 21
Incident Response Team (0010) 21
Search and Seizure (0010) 21
Trial (0010) 21
Who should Perform Investigation (0010) 21
Ethics (0010) 21
General Ethics Discussion 21
Computer Ethics Institute 21
Internet Activities Board 21
ISC2 21
Types of Attacks 21
Hacking (0010) 21
Terrorist Attacks 21
Military Attacks 21
Intelligence Attacks 21
Financial Attacks 21
Business Attacks 21
Grudge Attacks 21
Recreation 21
Tools 21
Data Diddling 21
Dumpster Diving 21
Excessive Privilege 21
IP Spoofing 21
Password Sniffing 21
Salami 21
Social Engineering 21
Wiretapping 21
Prosecution Problems 21
Investigation 21
Evidence 21
Conducting Investigation 21
Incident Handling and Response 21
What does an attacker look like? 21
Hackers (0011) 21
Script Kiddies (0011) 21
Virus Writers (0011) 21
Phreakers (0011) 21
Organization Liabilities and Ramifications (0010) 21
Legal Liability 21
Employee Suits 21
Downstream Liability 21
Privacy Issues 21
Electronic Communications Privacy Act of 1986 21
Employee Monitoring 21
Gramm Leach Bliley Act 1999 21
Health Insurance Portability and Accountability Act (HIPAA) 21
Privacy Act of 1974 21
Transborder Information Flow 21
Security Principles 22
Types of Law (0010) 22
International Laws 22
Australia 22
United Kingdom 22
Netherlands 22
Administrative Law 22
Civil Law 22
Criminal Law 22
18 US Code 1029 (Credit Card Fraud) 22
18 US Code 1030 (Computer Fraud and abuse) 22
18 US Code 2319 (Copyrights) 22
18 US Code 2511 (Interception) 22
18 US Code 2701 (Access to Electronic Info) 22
Child Pornography 22
Computer Security Act of 1987 22
Mail Fraud 22
Patriot Act 22
Wire Fraud 22
Federal Policies 22
Computer Fraud and Abuse Act 1986 22
Economic Espionage act of 1996 22
Federal Sentencing Guidelines 22
State Laws 22
Texas 22
Georgia 22
Florida 22
Maryland 22
Intellectual Property 22
Copyright 22
Patent 22
Trade Secret 22
Trademark 22
Software Piracy 22
Operations Security (0010) 22
A General Concept (0011) 22
Anti Virus Management (0011) 22
Backup of Critical Information (0011) 22
Need to Know (0011) 22
Least Privilege (0011) 22
Privileged Functions (0011) 22
Privacy (0011) 22
Legal Requirements (0011) 22
Illegal Activities (0011) 22
Records Retention (0011) 22
Handling Sensitive Information (0011) 22
Configuration Management and Media Control (0010) 22
Data Controls (Input and Output) 22
Media Controls 22
Operations Control (0010) 22
Administrative Control 22
Clipping Levels 22
Job Rotation 22
Least Privilege 22
Mandatory Vacations 22
Need to Know 22
Separation of Duties 23
Control Categories 23
Due Care 23
Reacting to Failures and Recovering (0010) 23
Trusted Recovery (0010) 23
Operational Responsibility 23
Deviation from Standards 23
Unscheduled Initial Program Loads 23
Unusual or Unexplained Occurrence 23
Software Backups (0010) 23
Backups 23
Network Availability 23
Physical Security (0010) 23
Location Selection 23
Choose a Secure Location 23
Designate a Security Facility 23
Electrical Power and Environmental Issues (0010) 23
Environmental Consideration (0010) 23
Power Interference (0010) 23
UPS (0010) 23
Ventilation (0010) 23
Water, Steam and Gas (0010) 23
Fire Detection and Suppression (0010) 23
Emergency Response (0010) 23
Fire Detection (0010) 23
Fire Extinguishing Issues (0010) 23
Fire Prevention (0010) 23
Fire Suppression (0010) 23
Fire Types (0010) 23
Halon (0010) 23
Water Sprinkler (0010) 23
Perimeter Security (0010) 23
Entrance Protection (0010) 23
Facility Access (0010) 23
Fencing (0010) 23
Intrusion Detection (0010) 23
Lighting (0010) 23
Locks (0010) 23
Surveillance Devices (0010) 23
Physical Security Controls (0010) 23
Computing Area (0010) 23
Facility Construction (0010) 23
Facility Location (0010) 23
Hardware Backup (0010) 23
Security Management Practices (0010) 23
Security Audit 23
Audit Trails 23
Anatomy of an Audit Record 23
Types of Audit Trail 23
Finding Trouble in Logs 23
Problem Management and Audit Trail 23
Retaining Audit Logs 23
Protection of Audit Logs 23
Monitoring 23
Facilities Monitoring 23
Intrusion Detection 23
Keystroke Monitoring 24
Penetration Testing 24
Responding to Events 24
CERT? 24
Traffic and Trends Analysis 24
Violation Analysis 24
Employee Management (0010) 24
Operational and Administrative Controls (0011) 24
Background Checking (0011) 24
Background Checks and Security Clearance (0011) 24
Employment Agreements (0011) 24
Hiring and Termination Practice (0011) 24
Job Description (0011) 24
Job Requirements (0011) 24
Job Rotation (0011) 24
Job Specifications (0011) 24
Roles and Responsibilities (0011) 24
Separation of Duties (0011) 24
Information Classification (0010) 24
Government vs Commercial model (CDS) 24
Commercial Data Classification (0011) 24
Governmental Data Classification (0011) 24
Management Responsibilities (0010) 24