
Micros, George

Project

CS 565: Introduction to Information Assurance


Instructor: Ravi Mukkamala, Ph.D.
Spring 2015

Contents

1 Introduction
2 Background
  2.1 Threats, Vulnerabilities and Risks
  2.2 The Significance of Information Assurance
3 Business Requirements
4 IA Metrics
  4.1 Organizational Security Metrics
    4.1.1 IA Program Developmental Metrics
    4.1.2 Support Metrics
    4.1.3 Operational Metrics
    4.1.4 Effectiveness Metrics
  4.2 Technical Target of Assessment Metrics
    4.2.1 Strength Assessment Metrics
    4.2.2 Weakness Assessment Metrics
5 IA Models
  5.1 Information States
  5.2 Security Services
    5.2.1 Availability
    5.2.2 Integrity
    5.2.3 Authentication
    5.2.4 Confidentiality
    5.2.5 Non-Repudiation
  5.3 Security Countermeasures
    5.3.1 Technology
    5.3.2 Operations
    5.3.3 People
6 References

1 Introduction

The cornerstone of economic growth, prosperity and sustainable development is the availability of capital at the consumer level. A consumer who is active and has the necessary buying power to make purchases is a very strong driving force of the economy. The ability to spend money in a sustainable and consistent way is very important: individuals can develop and live to a certain standard of living, and industries can expect and predict a certain level of demand for their products and regulate their supply accordingly to reduce waste and improve efficiency. It is for the greater benefit if a population and a nation as a whole can maintain a stable level of circulation of revenue. Therefore it is vital that individuals have the funds necessary to extend their lifestyle in a maintainable way. The average individual can cover most of their costs through the salary of their job.
However, there are few people whose financial situation enables them to cover all of the costs and expenditures they require. Certain items are purchased infrequently and require significant funds, such as an automobile, a house or the cost of education, and it is difficult for an individual to save that amount of money at a reasonable rate. In this situation it is important for individuals to have access to some form of incremental payment. Usually this comes in the form of loans, i.e. car loans, mortgages and student loans. Assuming the individual continues to bring in their personal salary and can afford a certain monthly payment, this is a desirable solution.
The issue that arises is that personal income fluctuates and depends on the person. A person's sense of responsibility at his job and obligation to his debt are very important factors in making sure that a loan will be paid off in a timely manner without delays and missed payments. Evaluating an individual's trustworthiness in the context of their financial debt is crucial to the lender, such as a large banking institution. This trustworthiness is summarized in a metric known as credit, and an individual's personal credit score dictates whether or not he will be considered for a loan. It is important for individuals to maintain a good credit score because this metric is used to evaluate the risk of the investment that a bank must take by giving out a loan.
Generally, credit scores are based on your financial transaction history. Several factors come into consideration when calculating a credit score. A credit score can be based on an individual's payment history and their ability to repay their debts on time. The amount of total debt acquired and the type of debt that has been accumulated are important. Other factors are related to how an individual manages their debt over the course of time. Because all these factors are related to debt responsibility, individuals that have not had personal debt are at a disadvantage and are rated with a low credit score, since there is no loan history available to evaluate the individual's trustworthiness.
An individual's trustworthiness and ability to meet the demands of their debts can be easily inferred from their character and personality traits. For instance, a new graduate who has performed highly throughout their academic career and successfully balanced many extra-curricular activities can be expected to transfer the same level of organization and responsibility to their financial obligations. It is clear that such personal information can be incorporated into a credit score to provide a more accurate estimate of financial trustworthiness. Also, an individual's social environment can provide significant clues about their financial responsibility. A young individual who interacts socially with people that have a high credit score is likely to seek advice and follow the same practices to maintain financial diligence. Social information can therefore also be an important factor in estimating an individual's credit score. Finally, an individual's personal medical history can provide insight into their lifestyle.
Incorporating personal, social and medical data into credit rating can help provide a better estimate of financial trustworthiness. This will have a number of benefits for individuals and banking institutions. Individuals can receive loans and enter the market more easily and earlier in life, allowing them to get a head start on payments that will extend over their lifetime. Financial institutions will be able to estimate more accurately their return on investment and the level of risk associated with giving a loan to an individual. Individuals that are just starting to use debt will not be plagued by higher interest rates because of their lack of financial history and will have access to more appealing loans that accommodate their needs. The use of this information will benefit both parties and strengthen the institution of lending and debt.
In order for personal, social and medical data to be incorporated into credit rating, it is important to respect the information and establish the proper information assurance policies and procedures. It is vital that the information operations used protect and defend the information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation.

2 Background

Information Assurance (IA) is defined by the techniques and methods we use to protect and defend automated information and information systems through risk management techniques in order to provide reasonable levels of availability, integrity, authentication, confidentiality, and non-repudiation. It comprises the technical and managerial measures designed to ensure the confidentiality, possession or control, integrity, authenticity, availability and utility of information and information systems.
IA is concerned with information security, information operations and information warfare. The main concern and focus of IA is the protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional. This protection spans multiple levels, including the physical level, the information infrastructure and the perceptual level. The goal of IA is to minimize and eliminate the inherent risks, threats and vulnerabilities associated with handling sensitive information as well as defending against attacks on the system infrastructure.

2.1 Threats, Vulnerabilities and Risks

A threat is the potential to cause a harmful or damaging incident. Risk describes the potential that a given threat will exploit some system vulnerability or take advantage of some infrastructure weakness or flaw to gain unauthorized access to information. Vulnerabilities are security flaws in the system that allow an attack to take place and succeed. An attack is an action taken against a target with the intent of harming it and penetrating the system. These concepts are at the core of IA and must be taken into consideration in the context of the business requirements to determine the proper solution and the general IT requirements that meet the IA needs of the business.
In this situation the IA system must be developed specifically to assure and protect the personal, social and medical information of individuals as well as their financial records. Different risks and threats are associated with each of these, and the infrastructure must accommodate all of them to eliminate system vulnerabilities that may be exploited by an attack. IA is not limited to the storing and processing of the data; it also covers the secure transmission and dissemination of the information to the authorized parties. Each kind of information is governed by standards and policies that are already established, and the IA solution that is developed must comply with and follow them.
Considering the intended application and the data that is involved, a general assessment of the risks and threats must be performed. A risk assessment is performed to determine the most important potential security breaches to address now rather than later. Analyzing risk can help one determine appropriate security budgeting, for both time and money, and prioritize security policy implementations so that the most immediate challenges can be resolved the most quickly. A threat assessment is performed to determine the best approaches for securing a system against a particular threat, or class of threats. While risk assessments focus more on analyzing the potential and tendency of one's resources to fall prey to various attacks, threat assessments focus more on analyzing the attacker's resources. Analyzing threats can help one develop specific security policies to implement in line with policy priorities and understand the specific implementation needs for securing one's resources.
Finally, once the IA system is developed and the IT infrastructure completed, it must be tested for vulnerabilities and weaknesses on a regular basis. Vulnerability testing should be performed on an ongoing basis by the parties responsible for resolving such vulnerabilities, and helps to provide data used to identify unexpected dangers to security that need to be addressed. Vulnerabilities are not particular to technology; they can also apply to social factors such as individual authentication and authorization policies. Testing for vulnerabilities is useful for maintaining ongoing security, allowing the people responsible for the security of one's resources to respond effectively to new dangers as they arise. It is also invaluable for policy and technology development, and as part of a technology selection process; selecting the right technology early on can ensure significant savings in time, money, and other business costs further down the line.
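As an added worked example (not code from the paper), the following Python sketch shows the prioritization step of the risk assessment described above: each entry of a small risk register rates a threat against one of the venture's data categories by likelihood and impact on a 1 to 5 scale, the risk score is their product, and the ranked list plus a budget cut say which items get time and money first. The register entries, the scale and the function names are constructed for illustration.

```python
# Added example (not code from the paper): a small risk register with the
# prioritization step of a risk assessment. Likelihood and impact are rated on a
# constructed 1..5 scale; risk score = likelihood x impact; the ranked list and the
# budget cut say what to address first. All entries are illustrative.
from dataclasses import dataclass

SCALE = range(1, 6)   # 1 = rare / negligible ... 5 = almost certain / severe

@dataclass(frozen=True)
class Risk:
    asset: str        # which data category the threat targets
    threat: str       # the undesirable event (a threat acting on a weakness)
    likelihood: int   # how likely the event is within the planning period
    impact: int       # how bad it would be (regulatory, financial, reputational)

    def score(self) -> int:
        # qualitative risk matrix: high on both axes ranks first
        return self.likelihood * self.impact

def within_scale(risk: Risk) -> bool:
    return risk.likelihood in SCALE and risk.impact in SCALE

def validate(risks):
    """Refuse registers with out-of-scale ratings rather than rank garbage."""
    for r in risks:
        if not within_scale(r):
            raise ValueError(f"{r.asset} / {r.threat}: ratings must be within 1..5")
    return list(risks)

def rank(risks):
    """Highest risk score first; ties go to the higher-impact item."""
    return sorted(validate(risks), key=lambda r: (r.score(), r.impact), reverse=True)

def budget_cut(risks, fraction=0.5):
    """Smallest prefix of the ranked list that carries at least `fraction` of the
    total risk score: a crude first answer to 'where does the budget go first?'."""
    ranked = rank(risks)
    total = sum(r.score() for r in ranked)
    chosen, running = [], 0
    for r in ranked:
        chosen.append(r)
        running += r.score()
        if running >= fraction * total:
            break
    return chosen

# Constructed register for the credit-rating venture described in the paper.
REGISTER = [
    Risk("medical history", "unauthorized disclosure from a storage breach", 2, 5),
    Risk("financial records", "unauthorized modification of a repayment record", 3, 5),
    Risk("social data", "interception during transmission to a partner", 3, 3),
    Risk("personal data", "accidental deletion without a tested backup", 2, 3),
    Risk("credit score", "misinformation injected into an upstream data feed", 2, 4),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score():2d}  {r.asset:18} {r.threat}")
    print("first budget tranche:", [r.asset for r in budget_cut(REGISTER)])
```

The product of two ordinal ratings is only a ranking device, not a dollar figure; its value is that the register forces the likelihood and impact judgements to be written down per data category, which is what the later threat and vulnerability assessments revisit.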

2.2 The Significance of Information Assurance

The types of information involved in this venture require an IA system and IT infrastructure that guarantee IA. The demand for IA safeguards primarily stems from the legal restrictions and federal regulations associated with dealing with this type of information. Medical information is very closely protected, and there are very detailed regulations outlining the requirements that need to be met in order to handle medical information. Similar regulations exist for other forms of personal data. Therefore it is a matter of legal obligation and compliance that the needs of the IA system be evaluated closely and given the necessary resources to be properly implemented.
In addition to the legal requirements, there is a strong motivation to have strong IA from a financial and business standpoint. Users will have less trust in a system that does not demonstrate its integrity and commitment to information safeguarding. Also, attacks on the system and the information can have very serious consequences. There are many financial and legal costs associated with a security breach of personal information. An IA system in place demonstrates the company's character and core values in respecting individuals and their personal, social, financial and medical information.
The need for a strong IA system and IT infrastructure is clear. It will provide a strong foundation for business expansion and financial growth. Therefore an IA system is necessary and desired for this venture to be successful. Protecting the data, information and knowledge of the company is not only for the security of the customers, but also for the competitiveness of the company. Protecting against attacks by competitors is also covered in the IA strategy. In order to maintain a proprietary advantage and the trade secrets that make the company successful, all company information must be secured.
For the purposes of information security, from the perspective of the information provider as well as the consumer, we should ensure that information is provided to the intended recipient and that the confidentiality, integrity, and availability of the information have not been compromised. It is also important to consider misinformation. Misinformation can be used to corrupt the information base of an opponent and cause damage to their perspective or to the validity of other data.

3 Business Requirements

The business requirements are dictated by the goals of the venture being considered. Starting from the goals and objectives of the company and developing the requirements top down provides an iterative approach to developing a detailed guide to the requirements that need to be met. Initially the goal of the company must be considered, along with the objectives that are intended to be met. This will help guide, measure and communicate the direction of the company as well as a timeline of events to follow. The performance objectives give a more detailed and thorough description of the timeline milestones and objectives and the methods by which they will be pursued. At this point it is necessary to consider and incorporate the IA design requirements to develop a general outline of the system design and needs. The performance goals set strict metrics that will be used to measure the system and its performance over the course of time and also serve as a point of comparison for the system's evolution.

4 IA Metrics

The current information-intensive environment has forced security professionals to expand the scope, and thus the understanding, of information and systems protection under an umbrella term referred to as IA. In order to better understand IA and the way it interacts with information, IA metrics and models have been developed. These metrics and models are not an abstract academic concept, but rather integral parts of the system and its proper operation and continued maintenance. The information needed to understand the system's behavior and future actions is accessible through the metrics and models used in the IA system. An IA system without a model and metrics to guide it is not secure and will not be maintainable or scalable as the size of the company varies.
Metrics serve the purpose of providing a quantitative means to compare different systems, different vulnerabilities, different attacks and different costs. The metrics used must be accurate, precise and valid; this is the benchmark of any IA system metric and the bar to which we shall hold the system. Accuracy is the degree to which a measurement of an attribute is true or exact according to the standard unit of measure. Precision quantifies how well identically performed measurements agree with each other. Validity checks whether or not a metric really measures what it was intended to measure. Correctly used metrics can reveal a lot of useful data that can help dictate process, policy and procedure.
The metrics used must be accurate, precise and valid in the highest form. The metrics of the system must be developed around the intended goal of the system. They are based on the type of security that is needed, the sensitivity of the information you are trying to protect and the risk associated with your system. The criticality of the system you are trying to protect, as well as the volume of information, processes and components, are also strong factors in the selection of proper metrics.
Metrics aim to represent the system and information state in a quantitative way. The aim of metrics is to provide a means for comparison between alternative system states, variations over time and deviations relative to others. This allows an organization's IA to be benchmarked and evaluated. They also facilitate a comparison across organizations that follow best practices and general recommendations, as well as against the standard of due care and what any organization would do in similar circumstances. Finally, they provide a process that an organization can use to ensure that standards provide adequate protection.
There are several categories of security and privacy metrics that can be used to evaluate an IA system. Compliance metrics measure the system's compliance with current security and privacy regulations and standards; in the case of medical records, HIPAA dictates the standards and requirements for IA of medical information. Resilience metrics provide a measure of the resilience of controls relating to physical security, personnel security, IT security, and operational security, both before and after a product, system or network is deployed. Finally, return on investment (ROI) metrics are an indicator of the ROI in physical, personnel, IT, and operational security controls, to guide capital investment.
It is necessary to develop a metric taxonomy to organize metrics based on the needs of the application. In developing a classification and taxonomy of our metrics it is important to identify the importance and priority of the system factors and how they are measured. This is directly linked with the requirements of the system and the information that it is handling. The regulations associated with the information will help guide this effort. Metrics can be classified into two general categories: managerial metrics, for organizational security, and statistical metrics, for technical target of assessment.
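To make the compliance and ROI categories concrete, here is an added example (not from the paper) that computes both over constructed data: the compliance metric as the share of required controls that are actually in place, with the gap list that turns it into work items, and the ROI metric as the widely used return-on-security-investment ratio built from annualized loss expectancy (single-loss expectancy times annual rate of occurrence). The control identifiers and the dollar figures are made up; they are not the HIPAA control list.

```python
# Added example, not from the original paper: a compliance metric and an ROI metric
# over constructed data. Control identifiers and figures are illustrative only.

def compliance_rate(required, implemented):
    """Compliance metric: fraction of required controls that are implemented.
    Both arguments are collections of control identifiers."""
    required, implemented = set(required), set(implemented)
    if not required:
        raise ValueError("no required controls listed")
    return len(required & implemented) / len(required)

def missing_controls(required, implemented):
    """The gap list that turns the compliance number into work items."""
    return sorted(set(required) - set(implemented))

def ale(single_loss_expectancy, annual_rate_of_occurrence):
    """Annualized loss expectancy: expected loss per year from one kind of incident."""
    return single_loss_expectancy * annual_rate_of_occurrence

def rosi(ale_before, ale_after, annual_control_cost):
    """Return on security investment: (loss avoided - control cost) / control cost.
    Negative means the control costs more per year than the loss it avoids."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost

def evaluate_control(name, sle, aro_before, aro_after, annual_cost):
    """Bundle the ROI computation for one candidate control into a report row."""
    before, after = ale(sle, aro_before), ale(sle, aro_after)
    return {"control": name, "ale_before": before, "ale_after": after,
            "loss_avoided": before - after, "rosi": rosi(before, after, annual_cost)}

# Constructed checklist for medical-record handling (illustrative names, not a regulatory list).
REQUIRED = {"encrypt-at-rest", "access-logging", "unique-user-ids",
            "backup-and-restore-plan", "workforce-training"}
IMPLEMENTED = {"encrypt-at-rest", "access-logging", "unique-user-ids"}

# Constructed scenario: a record-store breach costing $200,000 per incident, expected
# once every five years without the control and once every twenty years with it.
ENCRYPTION_ROI = evaluate_control("encrypt-at-rest", 200_000, 0.2, 0.05, 12_000)
PRICEY_ROI = evaluate_control("24x7 monitoring vendor", 200_000, 0.2, 0.05, 50_000)

if __name__ == "__main__":
    print(f"compliance: {compliance_rate(REQUIRED, IMPLEMENTED):.0%}, "
          f"missing {missing_controls(REQUIRED, IMPLEMENTED)}")
    for row in (ENCRYPTION_ROI, PRICEY_ROI):
        print(f"{row['control']}: avoids ${row['loss_avoided']:,.0f}/yr, ROSI {row['rosi']:+.2f}")
```

The two ROI rows use the same loss estimate and differ only in control cost, which is the comparison the paper's ROI category is meant to support: the same loss avoided can justify one control and not another.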

4.1 Organizational Security Metrics

Organizational security metrics measure the performance of the programs and processes within the organization. These metrics will be useful in providing feedback to improve the IA posture of the organization. They can be further elaborated and broken down as follows.
4.1.1 IA Program Developmental Metrics

IA program developmental metrics cover a set of program areas that measure the extent to which IA is effective in an organization. Together they help guide the organization's ability to provide IA. These metrics measure whether the organization has chosen policies and processes that are relevant to the information handled and in compliance with regulations. They measure the extent to which the IA program is being used and are held to dictate security strategy, policy, implementation of policy and compliance with policy. They allow one to quantify the security engineering activities during deployment and throughout the life cycle of the system.
4.1.2 Support Metrics

Support metrics measure the support for security programs and processes within the organization and among its employees. People are an integral part of any company, and as they come in contact with the information handled it is important that they follow the appropriate process to do so. Personnel must be certified practitioners who develop, operate, defend, attack and evaluate the system. The measure of financial support and resource availability for IA programs and processes is an indicator of the company's resource support for IA.
4.1.3 Operational Metrics

Operational metrics are an indicator of the organization's operational readiness in terms of its security program and its operational readiness to provide IA. Readiness metrics measure support of information security processes in the organization. These metrics are mostly static and can be obtained through questionnaire-based assessments and generated by reviews of organizational policy and procedures. Technical readiness is a measure of the readiness state of technical support and the organization's ability to provide information assurance while performing operational missions. Practice metrics measure the security practices of people who directly or indirectly affect an organization's IA posture. These metrics assess the culture and attitude towards IA.

4.1.4 Effectiveness Metrics

Effectiveness metrics measure how effectively the program provides defense-in-depth.

4.2 Technical Target of Assessment Metrics

These metrics measure how far a technical target of assessment (TTOA), i.e. a technical object, system or product, is capable of providing assurance in terms of protection, detection and response. This type of metric is often used in comparing or differentiating between alternative and competing TTOAs and helps optimize the IA system.
4.2.1 Strength Assessment Metrics

The purpose of these metrics is to determine the strength of the TTOA. The strength factor is used for assessing the strengths of the TTOA in its typical environment when there is no adversarial activity attempting to compromise it. These metrics measure the capabilities that the TTOA should have in order to provide information assurance under normal circumstances, and they can be used for assessing the claimed features of a TTOA. They also provide information about its capabilities when there is some adversarial force working against the TTOA: they measure the TTOA's capabilities in the face of adversarial activities working to compromise it, that is, its strength in resistance to and in response to attacks.
4.2.2 Weakness Assessment Metrics

Weakness assessment metrics are complementary to the strength assessment metrics and assess the weaknesses of the TTOA in terms of threats, vulnerabilities, risks, anticipated losses in the face of attack and any operational limitations of the TTOA. These metrics also take into account the operational limitations that are associated with the system and can affect its functionality.

5 IA Models

The current technologically intensive environment forces security professionals to expand the scope
and understanding of information and systems protection under an umbrella term referred to as
IA. In order to gain a better understanding of information and all its properties it is useful to
create models. These models will enable the representation of information and its properties in
a clearer way that will help reinforce IA. The most widely used model in IA was developed by
John McCumber[2]. The key insight that the model provides is that it classifies four parameters
or dimensions that characterize information. In his model he identifies the four dimensions as:
Information States
Security Services
Security Countermeasures
Time
By using these four dimensions and their relationship to each other to study information we
can create a more secure IA system.
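The model's value as an engineering tool is that its dimensions can be crossed: every combination of an information state and a security service is a cell that some countermeasure of some kind should cover. The following is an added example (not code from the paper or from the cited model papers) that lays the three static dimensions out as a coverage table for constructed controls of the credit-rating venture and reports the cells with no control at all, the cells lacking a given kind of countermeasure, and the overall coverage ratio; the control names, the dimension value strings and the function names are assumptions made for the example.

```python
# Added example, not from the paper or the cited model papers: McCumber's three
# static dimensions as a coverage table. Each control names its countermeasure kind
# and the (state, service) cells it protects; the gap functions show which cells
# lack any control or lack a given kind. The controls below are constructed.
from itertools import product

STATES = ("storage", "processing", "transmission")
SERVICES = ("availability", "integrity", "authentication",
            "confidentiality", "non-repudiation")
KINDS = ("technology", "operations", "people")
CELLS = tuple(product(STATES, SERVICES))   # the 15 state/service cells

def validate_control(control):
    """Reject controls that name a dimension value outside the model."""
    name, kind, states, services = control
    if kind not in KINDS:
        raise ValueError(f"{name}: unknown countermeasure kind {kind!r}")
    bad = (set(states) - set(STATES)) | (set(services) - set(SERVICES))
    if bad:
        raise ValueError(f"{name}: unknown dimension values {sorted(bad)}")
    return control

def coverage(controls):
    """Map each cell to the set of countermeasure kinds that protect it."""
    table = {cell: set() for cell in CELLS}
    for name, kind, states, services in map(validate_control, controls):
        for cell in product(states, services):
            table[cell].add(kind)
    return table

def uncovered(controls):
    """Cells with no countermeasure at all: the first things to address."""
    table = coverage(controls)
    return [cell for cell in CELLS if not table[cell]]

def gaps(controls, kind):
    """Cells missing one particular kind of countermeasure, e.g. no 'people' control."""
    table = coverage(controls)
    return [cell for cell in CELLS if kind not in table[cell]]

def coverage_ratio(controls):
    """Share of the 15 cells that have at least one control of any kind."""
    table = coverage(controls)
    return sum(1 for cell in CELLS if table[cell]) / len(CELLS)

# Constructed control inventory: (name, kind, states covered, services provided).
CONTROLS = [
    ("full-disk encryption on record stores", "technology", {"storage"}, {"confidentiality"}),
    ("TLS for transfers to partner banks", "technology", {"transmission"},
     {"confidentiality", "integrity", "authentication"}),
    ("digitally signed score reports", "technology", {"transmission"},
     {"integrity", "non-repudiation"}),
    ("off-site backups with restore drills", "operations", {"storage"}, {"availability"}),
    ("quarterly least-privilege account review", "operations",
     {"storage", "processing"}, {"confidentiality", "authentication"}),
    ("annual data-handling training for analysts", "people", set(STATES), {"confidentiality"}),
]

if __name__ == "__main__":
    print(f"{coverage_ratio(CONTROLS):.0%} of cells have at least one control")
    for cell in uncovered(CONTROLS):
        print("no control at all:", cell)
    print("cells with no 'people' countermeasure:", len(gaps(CONTROLS, "people")))
```

Run on this inventory the report shows what such a table is for: integrity while data is processed or stored has no control, availability of the processing and transmission paths has none, and only confidentiality has any people-side countermeasure, which is exactly the kind of defense-in-depth gap the three-countermeasure view in 5.3 is meant to expose.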

5.1 Information States

Information states are a way to identify the state that information is in and consequently to use different ways to protect it. Information can be found in a number of states, namely storage, processing and transmission.

5.2 Security Services

One of the fundamental concepts in IA is the set of security services, of which there are five:
Availability
Integrity
Authentication
Confidentiality
Non-repudiation
5.2.1 Availability

Availability is defined as the timely, reliable access to data and information services for authorized users. Often, this security service is viewed as a function that is not entirely security related. Availability is equated with information system operations such as back-up power, spare data channels, off-site capabilities, and continuous signal. Availability is the utility part of the security services. There may be times during the course of operations that demand system availability at the expense of the other security services. The decision to abandon the other security services is a risk mitigation decision, often driven by threats and vulnerabilities that fall beyond the system security parameters. [2]

5.2.2 Integrity

Integrity is defined by the NSA as "the quality of an information system reflecting logical correctness and reliability of an operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data." [3] In a formal security mode, integrity is interpreted more narrowly to mean protection against unauthorized modification or destruction of information. Data integrity is a matter of degrees of trust. Integrity must include the elements of accuracy, relevancy, and completeness. Data and system integrity imply robustness.
5.2.3 Authentication

Authentication, as defined by the NSA, is a security service "designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorizations to receive specific categories of information." [3] The need for authentication was born out of system spoofing, which became rampant in the mid 1990s.
5.2.4 Confidentiality

As defined by the NSA, confidentiality is "the assurance that information is not disclosed to unauthorized persons, processes or devices." [3] The application of this security service implies that information labeling and need-to-know imperatives are aspects of the system security policy.
5.2.5 Non-Repudiation

The NSA defines non-repudiation as "the assurance the sender of the data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data." [3] This is quite a step up from previous identify-friend-or-foe systems. Non-repudiation has ramifications for electronic commerce as well as battlefield orders.
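The definitions in 5.2.1 to 5.2.5 are easier to tell apart when one sees what a receiver can actually check. The following is an added example, not from the paper or the NSA glossary, using only the Python standard library: a plain digest gives integrity against accidental corruption but passes a deliberate rewrite that carries a fresh digest; an HMAC under a key shared by sender and receiver adds authentication of origin, so the rewrite is caught; and the last function shows why a shared-key tag still gives no non-repudiation: the receiver can produce the same tag, so a third party cannot tell sender from receiver. The non-repudiation service as defined above needs a mechanism only the sender can exercise, such as a digital signature, which the standard library does not provide. Messages, keys and function names are constructed for the example.

```python
# Added example, not from the paper: what a receiver can and cannot verify with the
# integrity and authentication primitives of the Python standard library, mapped onto
# the security services of Section 5.2. Messages and keys are constructed.
import hashlib
import hmac
import secrets

def digest(message: bytes) -> str:
    """Integrity only: a plain SHA-256 digest sent alongside the message."""
    return hashlib.sha256(message).hexdigest()

def integrity_ok(message: bytes, expected: str) -> bool:
    return hmac.compare_digest(digest(message), expected)

def tag(key: bytes, message: bytes) -> str:
    """Integrity plus authentication of origin: HMAC under a key both parties share."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def authentic(key: bytes, message: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(key, message), expected)

# Constructed message: a loan decision record as it might travel between systems.
ORIGINAL = b"loan-id=42;amount=10000;status=approved"
CORRUPTED = ORIGINAL[:-1] + b"X"                    # a transmission error damages one byte
REWRITTEN = ORIGINAL.replace(b"10000", b"90000")    # a deliberate change on the path

def hash_only_scenario():
    """Digest in the clear: corruption is caught, a rewrite with a recomputed digest is not."""
    d = digest(ORIGINAL)
    return {"corruption_detected": not integrity_ok(CORRUPTED, d),
            "rewrite_detected": not integrity_ok(REWRITTEN, digest(REWRITTEN))}

def hmac_scenario(key: bytes):
    """Keyed tag: corruption and rewrite both fail, because the path does not hold the key."""
    t = tag(key, ORIGINAL)
    return {"corruption_detected": not authentic(key, CORRUPTED, t),
            "rewrite_detected": not authentic(key, REWRITTEN, t)}

def receiver_can_forge(key: bytes) -> bool:
    """Non-repudiation check: the receiver holds the same key, so it can mint a valid
    tag for a message the sender never sent; an arbiter cannot tell the parties apart,
    which is why a shared-key MAC does not provide the non-repudiation service."""
    forged = ORIGINAL.replace(b"approved", b"declined")
    return authentic(key, forged, tag(key, forged))

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("hash only:", hash_only_scenario())
    print("hmac:     ", hmac_scenario(key))
    print("receiver can forge a valid tag:", receiver_can_forge(key))
```

`hmac.compare_digest` is used for both comparisons so that verification time does not depend on where two values first differ; that detail belongs to the authentication service, not the integrity one, but it costs nothing to apply everywhere.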

5.3 Security Countermeasures

Fundamentally, any defense in depth program must account for technology, operations and people. If, in fact, any of those three measures are not accounted for, systems become immediately
vulnerable.
5.3.1 Technology

Technology is ever evolving. Technology encompasses more than the adjunctive crypto systems of the past. Technology, in a security context, now includes the hardware, software and firmware that comprise a system or network. From a security perspective, technology now also includes devices such as firewalls, routers, intrusion detection monitors, and other security components.
5.3.2 Operations

Operations, as a security countermeasure, goes beyond policy and practices required for use in
secure systems. Operations encompass the procedures employed by system users, the configurations
implemented by system administrators, as well as conventions invoked by software during specified
system operations. Operations also address areas such as personnel and operational security.

5.3.3 People

People are the heart and soul of secure systems. People require awareness, literacy, training and
education in sound security practices in order for systems to be secured. This progression in
thinking has been described as a continuum upon which system users, designers, as well as security
professionals increase their knowledge and understanding of IA. We can characterize the people
component by describing it as the action users take. Do they follow the policy? What happens
when they are confronted by a new situation that is not addressed by the policy?

6 References

[1] Vaughn Jr., Rayford B., Ronda Henning, and Ambareen Siraj. Information assurance measures and metrics: state of practice and proposed taxonomy. Proceedings of the 36th Annual Hawaii International Conference on System Sciences. IEEE, 2003.
[2] Maconachy, W. Victor, et al. A model for information assurance: An integrated approach. Proceedings of the 2001 IEEE Workshop on Information Assurance and Security. Vol. 310. New York, USA, 2001.
[3] National Security Agency. National Information Systems Security Glossary. NSTISSI 4009, Fort Meade, MD, Sept. 2000.
[4] http://digitalpbk.com/perl/perl-script-check-google-pagerank
[5] http://www.google.com
[6] http://jakevdp.github.io/blog/2012/10/14/scipy-sparse-graph-module-word-ladders/
[7] http://curl.haxx.se/docs/httpscripting.html
[8] http://www.crummy.com/software/BeautifulSoup/bs4/doc/
[9] http://www.rmi.net/~lutz/
[10] http://www.cs.cornell.edu/home/kleinber/networks-book/
[11] http://thomassileo.com/blog/2013/01/25/using-twitter-rest-api-v1-dot-1-with-python/
[12] http://www.cs.odu.edu/~mklein/cs796/lecture/
