Information Assurance (eBook)
XVI, 264 pages
Springer London (publisher)
978-1-84628-489-2 (ISBN)
This updated edition will help IT managers and assets protection professionals to assure the protection and availability of vital digital information and related information systems assets. It contains major updates and three new chapters. The book uniquely bridges the gap between information security, information systems security and information warfare. It re-examines why organizations need to take information assurance seriously.
When you first hear the term information assurance you tend to conjure up an image of a balanced set of reasonable measures that have been taken to protect the information after an assessment has been made of the risks that are posed to it. In truth, this is the Holy Grail that all organisations that value their information should strive to achieve, but which few even understand. Information assurance is a term that has recently come into common use. When talking with old timers in IT (or at least those that are over 35 years old), you will hear them talking about information security, a term that has survived since the birth of the computer. In the recent past, the term information warfare was coined to describe the measures that need to be taken to defend and attack information. This term, however, has military connotations - after all, warfare is normally their domain. Shortly after the term came into regular use, it was applied to a variety of situations encapsulated by Winn Schwartau as the following three classes of information warfare:
Class 1: Personal information warfare
Class 2: Corporate information warfare
Class 3: Global information warfare
Political sensitivities led to "warfare" being replaced by "operations", a much more "politically correct" word. Unfortunately, "operations" also has an offensive connotation and is still the terminology of the military and governments.
Second Edition Dedications 6
Quotations 7
Foreword 8
Second Edition Preface 10
Acknowledgements 14
Contents 15
Section 1 An Introduction to Information Assurance 16
1 What is Information Assurance? 17
1.1 Information Assurance and Its Subset: Information Security 17
1.1.1 Interruption, Interception, Modification and Fabrication 18
1.1.2 Information Assurance in Context 19
1.2 Information Warfare 21
1.2.1 Perspectives on Information Warfare 23
1.2.2 Nature of the Threat 24
1.3 Information Operations 25
1.3.1 The Physical Level 26
1.3.2 The Information Structure Level 27
1.3.3 Perceptual Level 27
1.4 Summary 29
2 The World of Information 30
2.1 What is Information? 30
2.2 Properties of Information 30
2.3 Information and Competitive Advantage 31
2.3.1 Proprietary Advantage 32
2.3.2 One-Step Ahead 32
2.3.3 Discontinuity 32
2.3.4 Implementation 33
2.4 Birth of the Internet and Cyber-Crime 33
2.5 Power of Information 35
2.6 Consumer-Provider Model of Information Usage 37
2.6.1 Generation, Validation and Propagation 38
2.6.2 Acquisition, Integration and Selection 38
2.7 Intelligence Model of Information Usage 39
2.8 Summary 41
3 The Theory of Risks 42
3.1 Threats, Vulnerabilities and Risks 42
3.2 Threats and Threat Agents 42
3.2.1 The Natural Threat Agents 45
3.2.2 The Unintentional Threat Agents 45
3.2.3 The Intentional Threat Agents 46
3.3 Threat Components Applying to Malicious Threats 48
3.3.1 Threat Agent 48
3.3.2 Capability 49
3.3.3 Threat Inhibitors 49
3.3.4 Threat Amplifiers 50
3.3.5 Threat Catalysts 51
3.3.6 Threat Agent Motivators 51
3.4 Vulnerabilities 52
3.5 Risk and Risk Management 57
3.5.1 Threat Matrix 60
3.5.2 Risk Management 61
3.5.3 Five Principles of Risk Management 61
3.5.4 Sixteen Successful Practices 61
3.6 Summary 64
4 The Information World of Crime 65
4.1 Introduction 65
4.2 Information Systems and Crime 66
4.3 Modus Operandi 67
4.4 Information Systems Crime Adversarial Matrix 68
4.4.1 Organisational Characteristics 69
4.4.2 Operational Characteristics 69
4.4.3 Behavioural Characteristics 70
4.4.4 Resource Characteristics 70
4.5 Motives of the Cyber Criminal 71
4.5.1 Power Assurance (aka Compensatory) 71
4.5.2 Power Assertive (aka Entitlement) 73
4.5.3 Anger Retaliatory 74
4.5.4 Sadistic 75
4.5.5 Profit Oriented 75
4.6 A Model of Information Systems' Intrusions 76
4.6.1 Target Identification 77
4.6.2 Motivational Factors 78
4.6.3 Choice Criteria 79
4.6.4 Target Selection and Intelligence 79
4.6.5 Open Source Intelligence 80
4.6.6 Topology 81
4.6.7 The Deployment Decision 81
4.6.8 Vulnerability Management 81
4.7 Summary 82
5 IA Trust and Supply Chains 83
5.1 Introduction 83
5.2 Developing a Conceptual Model of Trust 84
5.2.1 NICE Model of Trust 85
5.2.2 Trust Footprint 87
5.3 Supply Chains 88
5.4 Analysis of Supply Chains 92
5.4.1 Primary Activities 93
5.4.2 Support Activities 94
5.4.3 Industry Value Chain Showing Strategic Alliances Between Organisations 94
5.5 Summary 96
6 Basic IA Concepts and Models 97
6.1 Introduction 97
6.2 IA Goals and Objectives 98
6.3 Three Basic Concepts 98
6.3.1 Access Controls 98
6.3.2 Individual Accountability 99
6.3.3 Audit Trails 100
6.4 The Information Value Model 101
6.4.1 Valuing Information 101
6.4.2 How to Determine the Value of Corporate Information 101
6.4.3 The Value of Information 102
6.5 Three Basic Categories of Information 103
6.5.1 Personal, Private Information 103
6.5.2 Business Information 104
6.6 Determining Information Value Considerations 105
6.6.1 Questions to Ask When Considering Information Value 106
6.7 Another View of Information Valuation 107
6.7.1 The Information Environment 107
6.7.2 Value of Information 108
6.8 The Need-To-Know Model 108
6.9 The Confidentiality-Integrity-Availability Model 110
6.9.1 Confidentiality 110
6.9.2 Integrity 110
6.9.3 Availability 110
6.10 The Protect-Detect-React-Deter Model 111
6.10.1 Protect 111
6.10.2 Detect 111
6.10.3 Case Example: Do Not Rush to Judgement 113
6.10.4 React 114
6.10.5 Deter 115
6.10.6 Questions and Some Answers to Think About 115
6.11 IA Success Considerations 116
6.12 Summary 116
7 The Role of Policy in Information Assurance 117
7.1 Introduction 117
7.2 A Model of Policy Development 117
7.3 Types of IA Policies 118
7.4 Acceptable Usage Policy 120
7.5 Summary 121
Section 2 IA in the World of Corporations 122
8 The Corporate Security Officer 123
8.1 A Short History of the World of Corporate Security 123
8.2 The Corporate Security Officer 126
8.3 Corporate Security Duties and Responsibilities 127
8.4 Corporate Security Support Tools and Processes 128
8.5 The More Things Change the More They Don't 129
8.6 Information Assurance: Whose Responsibility Is It? 130
8.7 Is IA a Corporate Security Responsibility? 131
8.8 Summary 133
9 Corporate Security Functions 134
9.1 Introduction 134
9.2 Corporate Security IA-Related Functions 135
9.2.1 Evaluate Current Security Requirements 135
9.2.2 Corporate Security Plan 136
9.2.3 Management Direction for Security Activities 136
9.2.4 Interface with Other Directors 137
9.2.5 Comply with Contractual, Customer and Regulatory Requirements 137
9.2.6 Corporate-Wide InfoSec Program 138
9.2.7 Corporate-Wide Crisis Management Program 138
9.2.8 Establish Common Security Processes 139
9.2.9 Provide Productive and Safe Working Environment 139
9.2.10 Corporate Security Measurement System 139
9.2.11 Common Managerial Accountabilities 140
9.2.12 Physically Secure Environment 140
9.2.13 Government Compliance Requirements 142
9.2.14 Corporate Management Guidance 142
9.2.15 Security Liaison Activities 143
9.2.16 Co-ordinate Corporate Security Policies and Procedures 143
9.2.17 Corporate-Wide Contingency Plan 144
9.2.18 Corporate Crisis Management Room 145
9.2.19 Corporate-Wide Security Measurement System 145
9.2.20 Law Enforcement Liaison 145
9.2.21 Chair Corporate Security Council 145
9.2.22 Corporate Security Policy and Procedures 146
9.2.23 CSO as IA Leader 147
9.3 Summary 147
10 IA in the Interest of National Security 148
10.1 Introduction 148
10.1.1 IA: A Definition 149
10.1.2 Levels of Protection 150
10.1.3 System Assurance 150
10.2 National Security Classified Information 150
10.2.1 An Example of National Security Information Impact 153
10.3 IA Requirements in the National Security Arena 153
10.3.1 IA Objective in the National Security Environment 155
10.3.2 Responsibilities 155
10.3.3 Collective IA Controls 156
10.3.4 Government Customer Approval Process 156
10.3.5 AIS Modes of Operation 157
10.3.6 The Appointment of the Defence Industry-Related Corporation's Focal Point for IA 158
10.3.7 Documenting and Gaining Government Customer Approval for Processing, Storing and Transmitting National Security Information 158
10.4 Summary 160
A Case Study 161
11 The Corporate IA Officer 165
11.1 The Corporate Information Assurance Officer1 165
11.1.1 CIAO Position 166
11.1.2 CIAO Duties and Responsibilities 166
11.1.3 Goals and Objectives 168
11.1.4 Leadership Position 169
11.1.5 Vision, Mission and Quality Statements 171
11.2 Summary 173
12 IA Organisational Functions 174
12.1 Determining Major IA Functions 174
12.2 IA Functions and Process Development 177
12.2.1 IA Requirements Function 177
12.2.2 IA Policy Function 178
12.2.3 IA Procedures Function 179
12.2.4 Systems IA Architecture Function 180
12.2.5 IA Awareness and Training Function 180
12.2.6 Access Control and Audit Records Analyses Functions 182
12.2.7 Evaluation of all Hardware, Firmware and Software Functions 184
12.2.8 Applying Risk Management Principles and Establishing a Risk Management Function 186
12.2.9 IA Tests and Evaluations Function 187
12.2.10 IA Non-Compliance Inquiries Process 188
12.2.11 IA Contingency Planning and Disaster Recovery Function 189
12.3 Summary 192
13 Incident Management and Response 194
13.1 Incident Triage 196
13.2 Incident Coordination 196
13.3 Incident Resolution 197
13.4 Proactive Activities 197
13.4.1 Information Provision and Sharing 197
13.4.2 Security Tools 198
13.4.3 Education and Training 198
13.4.4 Product and Services Evaluation 199
13.4.5 Site Security Auditing 199
Section 3 Technical Aspects of IA 200
14 IA and Software 201
14.1 Operating Systems and Trusted Systems 201
14.1.1 Security Policies 201
14.1.2 Models of Security 202
14.1.3 Security Methods of Operating Systems 204
14.1.4 Typical Operating System Flaws 205
14.2 Databases and Database Security 205
14.2.1 Physical Database Integrity 206
14.2.2 Logical Database Integrity 207
14.2.3 Element Integrity 208
14.2.4 Access Control 209
14.2.5 Auditability 210
14.2.6 User Authentication 210
14.2.7 Availability 211
14.2.8 Database Case Study 211
14.3 Application Software 212
14.3.1 Malicious Code 212
14.3.2 Viruses 217
14.3.3 Bots and Bot-Nets 218
14.4 Digital Tradecraft 219
14.4.1 Digital Tradecraft Defined 219
14.4.2 Digital Dead Drop 220
14.5 Steganography 221
14.6 Summary 222
15 Applying Cryptography to IA 223
15.1 Principles of Encryption 223
15.2 Symmetric Ciphers 225
15.3 Asymmetric Ciphers 225
15.4 Digital Signatures and Certificates 226
15.5 Key Management and Key Distribution 229
15.6 Summary 231
16 IA Technology Security 232
16.1 Biometrics 232
16.1.1 The Role and Function of Biometrics 232
16.1.2 Analysis of Basic Biometric Models 233
16.1.3 Fingerprint Verification 234
16.1.4 Iris Analysis 235
16.1.5 Facial Analysis 236
16.1.6 Hand Geometry 236
16.1.7 Speech Analysis 237
16.1.8 Hand-Written Signature Verification 237
16.1.9 Threats and Risks to Biometrics 238
16.2 EMP Weapons and HERF Guns 239
16.3 TEMPEST 239
16.4 Closed Circuit Television 241
16.5 Microsoft and Network Security 243
16.6 Summary 244
17 Security Standards 245
17.1 BS7799 and ISO17799 245
17.2 ISO13335 247
17.3 Common Criteria 248
17.4 Summary 250
Section 4 The Future and Final Comments 251
18 The Future, Conclusions and Comments 252
18.1 Information Assurance: Getting There 252
18.1.1 The New Threat of Terrorism 253
18.2 Welcome to the World of Constant Change 254
18.2.1 Changes in Societies 254
18.2.2 Economic, Global Competition 256
18.2.3 Technology 257
18.2.4 The IA Professional 260
18.3 Summary 261
Biography 262
Index 264
| Publication date (per publisher) | 19.7.2006 |
|---|---|
| Series | Computer Communications and Networks |
| Additional information | XVI, 264 p. 35 illus. |
| Place of publication | London |
| Language | English |
| Subject areas | Computer Science ► Networks ► Security / Firewall; Computer Science ► Theory / Study ► Cryptology; Mathematics / Computer Science ► Computer Science ► Web / Internet; Natural Sciences; Law / Taxes ► General / Reference Works; Economics ► Business Administration / Management ► Business Informatics |
| Keywords | Bridge • Bridging • computer crime • cryptography • Data Security • Electronic Commerce • Information • information assurance • Information Security • information systems • Information Systems Management • Information Technology • IT • Management • organization • security |
| ISBN-10 | 1-84628-489-9 / 1846284899 |
| ISBN-13 | 978-1-84628-489-2 / 9781846284892 |
Size: 1.8 MB
DRM: digital watermark
This eBook contains a digital watermark and is therefore personalised to you. If the eBook is improperly passed on to third parties, it can be traced back to its source.
File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables and figures. A PDF can be displayed on almost all devices, but is only partially suitable for small displays (smartphone, eReader).
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a PDF viewer for this, e.g. Adobe Reader or Adobe Digital Editions.
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a PDF viewer for this, e.g. the free Adobe Digital Editions app.
Additional feature: read online
In addition to downloading it, you can also read this eBook online in your web browser.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.