
Ias Reviewer

The document outlines the Information Assurance (IA) process, which involves identifying and classifying information, performing risk assessments, and implementing countermeasures to protect data integrity, confidentiality, and availability. It emphasizes the importance of IA in managing risks and ensuring business continuity through various security measures and strategies. Additionally, it introduces cryptography as a key component of information security, detailing encryption and decryption processes.

Uploaded by

renzysteven1011

CHAPTER 1

Information Assurance - is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.

● Availability
● Integrity
● Authentication
● Confidentiality
● Non-repudiation

It includes protection, detection, reaction, and restoration of information systems using physical, technical, and administrative controls.

Why Information Assurance Is Needed

Information protection evolved through three stages:

1. COMSEC (Communication Security)
   ○ Focused on cryptography and encryption
2. INFOSEC (Information Systems Security)
   ○ Protected stored and processed data
3. Information Assurance (IA)
   ○ Protects data during storage, processing, and transmission
   ○ Includes detection and response to attacks

IA is broader than information security and supports business continuity, governance, and risk management.

Information Assurance Process

1. Identify and classify information assets
2. Perform risk assessment
3. Identify vulnerabilities
4. Determine probability of threats
5. Analyze impact of threats
6. Calculate total risk (probability × impact)

IA is an iterative process—it is continuously reviewed and improved.

Risk Management Plan

With the risk assessment complete, the IA practitioner then develops a risk management plan. The risk management plan proposes countermeasures:

1. Detection
2. Accepting
3. Mitigating/justify
4. Response to threats
5. Eliminating
6. Considers prevention
7. Transferring the risks

Countermeasures - A countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.

Examples:

● Firewalls
● Anti-virus software
● Security policies
● Regular backups
● Employee training
● CERT / CSIRT teams

Goal: manage risks cost-effectively, not eliminate all risks.

Five Pillars of Information Assurance - These pillars and any measures taken to protect and defend information and information systems, to include providing for the restoration of information systems, constitute the essential underpinnings for ensuring trust and integrity in information systems.

1. Availability – Information is accessible when needed
2. Integrity – Information is accurate and trustworthy
3. Authentication – Verification of identity
4. Confidentiality – Protection from unauthorized access
5. Non-repudiation – Proof that an action or transaction occurred

Information Assurance strategy

● Cyber security awareness and education;
● Strong cryptography;
● Good security-enabled commercial information technology;
● An enabling global Security Management Infrastructure; and
● A civil defense infrastructure equipped with an attack sensing and warning capability and coordinated response mechanism

Difference between information protection and information assurance in Data Protection

- Information Assurance (IA): Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.
- Information protection (or information security as defined by the NIST): The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide.

Information security - sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Two major aspects of information security are:

IT security - Focuses on protecting computers, servers, and networks

● Prevents cyber-attacks and system breaches

Information assurance - Ensures data is not lost due to:

○ Disasters
○ System failure
○ Theft
● Common solution: off-site backups
Functionalities of Information Assurance and Security

1. "Preservation of confidentiality, integrity and availability of information. Note: In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved."
2. "The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability."
3. "Ensures that only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability)."
4. "Information Security is the process of protecting the intellectual property of an organization."
5. "...information security is a risk management discipline, whose job is to manage the cost of information risk to the business."
6. "A well-informed sense of assurance that information risks and controls are in balance."
7. "Information security is the protection of information and minimises the risk of exposing information to unauthorized parties."

Computer security - includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users.

Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers

Network Security - measures to protect data during their transmission

Internet Security - measures to protect data during their transmission over a collection of interconnected networks

Importance of Security

Organizations need security to prevent:

● Data loss or destruction
● Theft of sensitive information
● Legal consequences
● Damage to reputation
● Financial loss

CIA Triad (Core Security Principles)

1. Confidentiality

● Prevents unauthorized disclosure
● Uses encryption, access control, and training
● Protects privacy and sensitive data

2. Integrity

● Prevents unauthorized modification
● Ensures data accuracy and consistency
● Protects against attacks like Man-in-the-Middle

3. Availability

● Ensures systems and data are accessible to authorized users
● Protects against denial-of-service attacks.

Information security - involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction.

Enterprise security - is about building systems to remain dependable in the face of malice, error, or mischance.

Good Enterprise security requires four things to come together.

1. Policy - what you’re supposed to
2. Mechanism - the ciphers, access controls, hardware tamper-resistance and other machinery that you assemble in order to implement the policy.
3. Assurance - the amount of confidence you can place on each particular mechanism.
4. Incentive - the motive that the people guarding and maintaining the system have to do their job properly, and also the motive that the attackers have to try to defeat your policy.

Enterprise Security within an Enterprise Architecture Context

There are more detailed definitions of technical terms in the relevant chapters, which you can find using the index.

1. a product or component, such as a cryptographic protocol, a smartcard or the hardware of a PC;
2. a collection of the above plus an operating system, communications and other things that go to make up an organization’s infrastructure;
3. the above plus one or more applications (media player, browser, word processor, accounts / payroll package)
4. any or all of the above plus IT staff;
5. any or all of the above plus internal users and management;
6. any or all of the above plus customers and other external users.

The business-driven approach prioritizes enabling an organization's objectives by managing operational risk, differentiating it from traditional methods focused solely on technical threats

Cyber defense - is defined as the computer network defense mechanism involving response actions, critical infrastructure protection, and information assurance for networks and entities

Cyber defense primarily focuses on protecting assets, preventing attacks, and responding to threats using strategic and technical analysis.

Prevention and Response - It works on preventing, detecting, and providing timely responses to cyber attacks or threats.
Protection of Sensitive Information - Cyber defense is essential for most entities to protect sensitive information and safeguard assets.

Strategy Development - It helps in devising and driving the necessary strategies to counter malicious attacks or threats.

Reducing Appeal to Attackers - By improving security, it reduces the overall appeal of the environment to potential attackers.

Technical Analysis - Cyber defense also involves carrying out technical analysis to identify specific threats.

Optimizing Resources - It helps in enhancing security strategy utilizations and resources effectively, especially in critical locations.

Asset Protection - Ultimately, cyber defense protects an organization's most important business assets against attack.

CHAPTER 2

Cryptography (Encryption Techniques)

Cryptography - Schemes for encryption and decryption.

Encryption - The process by which plaintext is converted into cipher-text.

Decryption - Recovering plaintext from the cipher-text.

Secret key - Used to set some or all of the various parameters used by the encryption algorithm.

Cryptanalysis - The study of “breaking the code”.

Cryptology - Cryptography and cryptanalysis together constitute the area of cryptology.

Cryptography has five ingredients

Plaintext - The original, readable message that needs to be protected.

Encryption algorithm - The specific method or scheme used to convert the plaintext into ciphertext.

Secret Key - A crucial piece of information used by the encryption and decryption algorithms to set parameters; its secrecy is vital for security.

Ciphertext - The encoded, unreadable result of the encryption process.

Decryption algorithm - The method used to recover the original plaintext from the ciphertext, typically requiring the secret key.
