INFORMATION ASSURANCE is a way of assessing the usefulness and effectiveness of an information security system. In this chapter, you will explore the major concepts behind information assurance and how those concepts can be applied to access controls, resulting in a more secure IT architecture.
Information assurance (IA) is the practice of managing IT risks related to the storage, transportation, creation, and handling of information. The concept of IA originated in the U.S. government, specifically the military and intelligence infrastructure. An outgrowth of both communications security and information security, IA is focused on guaranteeing that the information received matches the information sent.
Information assurance and information security are terms that are often used interchangeably. Although there is a lot of overlap between the two fields, they are not the same thing. IA should be seen as a superset of information security. IA is concerned with a larger picture than information security. Included in IA are issues of privacy, compliance, audits, and disaster recovery.
Note
Every IA plan must consider three factors: the protection of information, the detection of breaches, and the reaction to a breach.
Information assurance is all about risk assessment and mitigation. You can never make something 100 percent secure. The goal of IA is to make information as secure as reasonably possible using efficient methods. Risk assessment and information classification play a large role in IA. Understanding what information needs to be secured, and how much time, energy, and money to spend securing a given piece of information, is at the heart of IA.
There are three main models of information assurance. These models help an organization define risk and assist in all aspects of IA for the organization:
The following sections examine each of these models in detail.
The CIA triad is one of the oldest and most widely known IA models. Most people in the IT security field are familiar with it, and it is still utilized heavily in teaching information assurance concepts. The CIA triad is comprised of three criteria for maintaining secure information: confidentiality, integrity, and availability. The CIA triad is shown in Figure 15-1.
Note
The CIA triad is also known as the A-I-C triad, which stands for availability, integrity, and confidentiality.
The model was created to help organizations think about the important aspects of information assurance, develop security policies, and identify problem areas. The next sections cover each aspect.
According to the Committee on National Security Systems Instruction No. 4009 (CNSSI-4009), confidentiality is "The property that information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information."1 In other words, information must be viewed, used, or copied only by individuals who have the proper level of access as well as a legitimate need to access the information. A confidentiality breach occurs when an unauthorized individual gains access to sensitive information.
If someone watched over your shoulder while you were entering your automated teller machine (ATM) PIN, a confidentiality breach occurred. Confidentiality breaches can also happen when hardware containing sensitive information is lost or stolen. Any time an unauthorized user can access confidential information, a breach has occurred.
Confidentiality is maintained through proper utilization of access controls such as limited access to information on a need-to-know basis and properly assigning security levels to information.
CNSSI-4009 defines integrity as "The property whereby an entity has not been modified in an unauthorized manner."2 Data integrity refers to the notion that information cannot be changed, created, or deleted without proper authorization; however, integrity in the CIA triad goes beyond that. It is also the concept that the path the information travels and the location where it rests is also secure. A modification of the network path via a man-in-the-middle style attack would be as much a violation of integrity as an unauthorized user modifying financial data in an organization's records.
Information integrity refers to the ability to trust that the information received is the same as the information originally created. It is also the ability to trust that a document stored in multiple locations contains the exact same information.
Data integrity isn't just concerned with information security. Accidental data loss and data corruption through transmission are also major causes of integrity failure. Coping with accidental loss and corruption is one of the areas where IA moves beyond information security into information verification.
CNSSI-4009 defines availability as "The property of being accessible and useable upon demand by an authorized entity."3 In other words, information is accessible when it is needed. This requires that the network and systems used to store the information are working correctly. Availability can be compromised by accidents and system failure as well as malicious attacks. A hard drive or network card failure can cause a breach of availability, as can denial of service (DoS) attacks.
The five pillars of IA were developed by the National Security Telecommunications and Information Systems Security Committee (NSTISSC). Detailed in CNSSI-4009, it is an expansion of the CIA model.
The three tenets of the CIA model make up the foundation of the five pillars of IA. Two further tenets were added to better model the situation that complex organizations face when dealing with IA. CNSSI- 4009 defines IA as "Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities."4 Authentication and non-repudiation are the two factors added to the traditional CIA framework.
The McCumber Cube
In the early 1990s, the CIA triad model was expanded by John McCumber into a cube to look deeper at IA. McCumber took the CIA framework and added two more triads to it, forming a multidimensional cube as shown in Figure 15-2. The concept behind the cube was to allow an organization to look at all aspects of IA fully, without over-emphasizing any one aspect. McCumber proposed three dimensions of IA:
Goals—Represented by the CIA triad
Information states—Where data is located at any given moment
Safeguards—What is being done to secure data
There are three information states in the cube: transmission, storage, and processing. Storage and transmission are just other terms for data at rest and data in motion, which you encountered in earlier chapters. The "processing" state refers to the time when data is being acted upon by a system. This is a data state that is often overlooked.
Another dimension of the cube includes safeguards. This includes the policies and practices in place to secure information. Human factors such as information security training, and technological safeguards like antivirus software, intrusion detection systems, and firewall systems, are included in the concept of safeguards.
Other than the three triads, there is a fourth dimension: time. According to the cube framework, all three triads must be addressed in connection with each other, over time. Understanding the interdependencies of these factors over time is essential to IA.
Some organizations use an expanded McCumber cube model that replaces the CIA triad with the five pillars of IA on the "goals" dimension of the cube.
CNSSI-4009 defines authentication as "The process of verifying the identity or other attributes claimed by or assumed of an entity (user, process, or device), or to verify the source and integrity of data."5 This entails knowing that the person who accesses the information is who they say they are. You learned in previous chapters how authentication can be achieved through the three tests of "what you know," "what you have," and "what you are." An example of an authentication breach is if an unauthorized user accesses a system using an authorized username and password obtained through illegitimate means.
Non-repudiation is defined in CNSSI-4009 as "Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information."6 In this concept, both the sender and the receiver are accountable for the information. To implement non-repudiation, there must be a way for the sender to verify that the receiver got the information and for the receiver to verify the sender's identity. With non-repudiation in place, neither side can deny actions they took on the data.
A good example of non-repudiation can be seen in a banking wire transfer. When a wire transfer is sent, the sender verifies its credentials with the Federal Reserve Bank. The Federal Reserve then moves the wire transfer to the receiver. The recipient of the wire verifies receipt of the transfer, and the amount received, back to the sender. This way the banking system can mitigate the risk of fraud.
Since their creation in 2001, the five pillars of IA have become the standard IA framework for U.S. governmental organizations. Inside the government these pillars are utilized based on sensitivity, threat, and other risk management decisions. They form the core of any governmental IA operation.
The Parkerian hexad, as shown in Figure 15-3, is an IA framework developed by Donn B. Parker in 2002. It was developed to expand the CIA model and uses the CIA triad as a base. This was developed in response to the limitations of the CIA framework. Parker described these elements as fundamental and non-overlapping. Most security breaches compromise more than one element at a time.
The three additional elements of the hexad are possession or control, authenticity, and utility. Next you'll look at each of these aspects.
Possession or control is related to confidentiality. It is the concept that control of the information can be breached without a confidentiality breach. For example, a thumb flash drive containing the master copy of sensitive data is lost. The possession of that data is now breached, but until it is accessed, it is still confidential. The basis of control is preventing contact with confidential information by unauthorized users. This idea also covers unauthorized copying of or use of intellectual property. An example of a breach of possession is the piracy of copyrighted music files.
Authenticity is the appropriateness of the labeling of information. Does the information correspond correctly to its intended meaning? The idea behind this element is to avoid garbled data and fraud. A breach may be caused by an incorrect address in an e-mail database.
Utility describes the usefulness of data. Information that is stored in an obsolete format that can no longer be read would be a breach of utility. Encrypted information with a lost encryption key is also an example of a utility breach.
The hexad and the five pillars of IA both expand upon the CIA model. It is important to remember that these are just frameworks or guidelines. Even the CIA model, which is the most simplistic of the three, is a useful guideline for IA. These frameworks give an organization a starting point for developing a robust IA infrastructure. These models are not to be taken literally, but used as a tool to craft your own organization's IA policies and procedures.
As you've seen in the descriptions of various frameworks, access control is essential to IA, and IA concepts should be applied to an organization's access control infrastructures. Information assurance models are a guideline to use when building or sourcing an access control system. When designing any access control system, you should first determine which information assurance model best represents your organization's IA requirements.
From there, you can determine specific requirements based on the chosen IA model. These requirements will be the basis for choosing or designing an access control system that ensures confidentiality, integrity, and availability at a minimum.
One of the primary functions of any access control system is to allow or deny access to resources and data. By denying access to unauthorized users, the system maintains data confidentiality. Those users without authorization to a given data object cannot view it. Depending on how the access control system is configured, an unauthorized user may not even be aware that a data object exists.
Access controls prevent the loss of data integrity by preventing unauthorized users from modifying data objects either accidentally or intentionally. If the user does not have modify or write privileges on a file, that user cannot make changes to the data contained within the file.
By enforcing confidentiality and integrity, access control systems can also ensure availability. A strong access control system will prevent all but the most determined attacker from destroying data or compromising the servers and networks that make that data available to authorized users.
Simply implementing technological access controls is not sufficient to ensure information assurance. Managers, staff, systems administrators, and security engineers must be constantly aware of the information assurance implications of their actions and vigilant as they watch for signs of attack.
Often the first people to notice an anomaly are the staff members who use a resource every day. They are the ones who will notice that the database is slower than usual or that a Web application is not behaving as expected. Without some training in the basics of information assurance, those staff members may not realize the importance of their observations and those observations will go unreported.
Simply having an access control system is not enough to secure sensitive information and resources. Those access control systems must be continuously monitored to ensure they are working properly and that no unauthorized user has been granted access. Access control reporting can take the form of real-time alerts sent to systems administrators notifying them of a breach in progress, or after-the-fact tabulations of access control activity over a period of time.
There are several primary goals achieved through monitoring and reporting on an access control system:
Accuracy—In order to be useful, a monitoring system must have a high level of accuracy. Authorized users must be granted access reliably, and unauthorized users must be denied access. Unfortunately, no system is 100 percent accurate and will have a rate of both false positives and false negatives. False positives occur when a system labels normal activity as anomalous. False negatives occur when a system overlooks anomalous activity.
Variety—A monitoring system must be able to detect many types of suspicious activity.
Timeliness—The system must report suspicious activity quickly enough for systems administrators to cut off an attack in progress.
Ease of use—The system's reporting facility must create reports that are easy to read and understand.
An intrusion detection system (IDS) is a hardware- or software-based solution that monitors network traffic, looking for signs of a security breach. Intrusion detection systems are based on several models of anomalous behavior:
Anomaly detection—Anomaly detection operates on two core principles: what is known is good, and what is unusual is bad. Therefore, any activity that is unknown must be reported as suspicious. Early anomaly detection systems were based on statistical models of system behavior. Any activity that fell outside a standard deviation from that model was considered anomalous. Later, models were proposed that were based on logic-based descriptions of system behavior. Modern anomaly detection applications use a hybrid approach to compute an anomaly score. Any activity that generates a score higher than a predetermined acceptable level is flagged. An IDS-based on anomaly detection requires a period of training to create a baseline of normal system behavior.
Misuse detection—This model operates on a simple premise: what is bad is known. This type of IDS compares activity to a blacklist of known suspicious events. This type of intrusion detection has the benefit of being useful immediately upon installation. A misuse detection IDS includes a large database of known attack signatures. The system compares system activity to these attack signatures and triggers an alert on a matching event.
Specification detection—This model is similar to misuse detection, except that it operates on a whitelist principle instead of a blacklist. Whitelist principles are: we know what is good, and what is not good is bad. Any behavior that does not correspond to predefined specifications must be considered suspicious. A specification detection system will describe the range of normal system and application behaviors and will trigger an alert on any activity that does not fall within normal ranges.
The major difference between specification detection and anomaly detection lies in how each system knows what normal behavior is. An anomaly detection system observes system behavior over a period of time, and then uses statistical and logical models to create a baseline. A specification detection IDS uses a behavior modeling language to describe what activities and behaviors developers and systems administrators expect under normal circumstances.
Many access control breaches originate internally. To guard against this risk as well as the risk of external attack, a system of checks and balances should be in place. This way, even a trusted internal user, such as a systems administrator, will know that his or her activities are monitored and any unusual behavior will be noticed.
Event-type audit logs record specific events on a system. Tracking the events recorded in these audit logs ensures that the events leading up to a security breach, the events that comprise the breach, and any after effects of the breach are understood. No security breach happens in a vacuum. There are discernable events that create favorable conditions for an attack. Careful monitoring of event logs can give hints that an attack is about to take place and allow you to stop it before it happens. Tracking the events before, during, and after an attack can give systems administrators valuable information to reduce the risk of similar attacks in the future.
There are three levels of events:
System-level events—These focus on user logon attempts, system resource usage, and other low-level events that affect the integrity of the entire system.
Application-level events—These are specific to a given application, including error messages, file modifications, and security alerts within the application.
User-level events—These are initiated by individual users. This type of event log is discussed in the next section.
Each of these event types holds valuable information about potential and actual security breaches.
User audit logs store information on authentication attempts, resources used, commands and applications run, and security violations committed by users. Most importantly, this type of log provides accountability because it ties specific actions to individual users. When suspicious activity is detected in the event audit log, it can be cross-referenced with the user log to determine who was logged onto the system at the time of the breach, and what he or she was doing.
Unauthorized access attempts are a key signal that an attack may be in progress. A single failed access attempt is likely just a typing error on the part of a legitimate user, but 10 failed access attempts signal an attempt at password cracking. The information stored in this audit log can be combined with the user and event logs to give a complete picture of the system before, during, and after an attack.
Consider the case of Acme Communications, a mobile phone manufacturer. The company stores proprietary and experimental product designs, project plans, and long-term strategy documents on a file server. The file server is located behind a firewall and protected by an intrusion detection system, and is relatively secure against an attack from outside the organization.
In a press release, the company's major competitor announces that it has a working prototype and will release a consumer model with many of the same features and cutting-edge technology that Acme has spent the past three years developing. It is clear to Acme management that its competitor must have obtained the designs stored on the file server.
While analyzing the audit logs, systems administrators locate several instances of access to product design documents on the file server over several months originating from a workstation in the customer service department. Normally, there would be no reason for anyone outside of engineering to access those documents.
Digging further, the systems administrator cross-references with the user audit log and discovers the same customer service representative accessed the design documents in each instance. Before accusing the employee of leaking the designs, the systems administrators checked the unauthorized access audit log. They discovered that in the weeks before the first incident, there were hundreds of unsuccessful attempts to log on to that user's network account.
By analyzing information from all three audit logs, systems administrators were able to get a clear idea of what happened. The customer service representative's network account was breached, and the attacker used that access to find sensitive information, which was then leaked to Acme's competitor.
Log files contain a wealth of data about system conditions and activity. Turning that data into useful information requires two things:
Log file management—A system of storing and rotating log files. The data recorded and stored in log files may be necessary legal evidence when the time comes to prosecute the attacker in a security breach. Because of this, log files should be kept for at least a length of time allowed under the statute of limitations in your jurisdiction. However, keeping several years' worth of log files on a production server is unwieldy. Log files should be regularly backed up and deleted from production servers to conserve space.
Log file parsing—Parsing is the process of translating and reformatting raw log files into useful reports. In the midst of an attack, systems administrators do not have time to dig through raw log files. They need specific, actionable information in an easy-to-use format.
An audit trail is a series of events gleaned from parsed log file reports over a period of time. These events generally revolve around a specific user, or a larger event such as a security breach. An audit trail is a useful tool in piecing together the events leading up to and including a security breach.
Once log files are effectively managed and parsed, they must be analyzed. On a production system, the auditing system can produce gigabytes of data per day—too much data to be effectively analyzed in its raw state. Trying to manually analyze that much raw data would take an excessive amount of time, and it would quickly become difficult to separate the important from the trivial log entries.
To avoid these problems, it is crucial to follow an effective and efficient analysis system that allows systems administrators to manage such large amounts of data. A good analysis system will overcome these issues:
Time—Digging through log files looking for signs of malicious activity that may or may not exist is a tedious and time-consuming task. Automated analysis and reporting can help by putting all that data into a more easily understood format. Procedures that dictate a regular log analysis can also help remind systems administrators to spend the necessary time on this task.
Normalization—Normalization is the process of translating log files from various systems into a common format. This allows administrators to easily compare and correlate events from a UNIX-based Web server and a Windows-based domain controller, for example.
Prioritization—Prioritization is the process of determining which log files and/or entries are important and may require action versus which are less-important or informational only. Knowing what to look for makes the job of analyzing log files more efficient because it allows administrators to quickly discard log entries that are not of immediate interest. Most of the time, log file analysis is done to answer a specific set of questions:
"Are we now, or have we recently been under attack?"
"Did the attack succeed?"
"How extensive is the damage from the attack?"
"Has this ever happened before?"
Tunnel vision—The downfall of prioritizing is that some very interesting and important data can be overlooked because it does not directly answer the immediate questions. You might know what a DoS attack looks like in the logs. However, if you are looking specifically for a DoS attack, it is easy to miss the warning signs of a code injection attack.
Automated log analysis software can help make this task more manageable but ultimately there is no substitute for time and expertise. A good systems administrator who is not rushed can often find a crucial piece of evidence in the log files that allows them to prevent an attack before it starts.
A security information and event management (SIEM) system is a software solution that attempts to solve several of the issues discussed in the previous section. It is designed to centralize storage and normalize log files from a wide variety of applications and devices. Most include real-time analysis and notification features that alert systems administrators immediately if the SIEM recognizes an attack in progress.
SIEMs also simplify the task of manually analyzing log files because they give a consistent interface and the ability to cross-reference logs from a variety of devices, such as a firewall, router, Web server, and intrusion detection system.
Integrating the SIEM with applications is more difficult due to a lack of standard auditing policies. Even if applications developed in-house follow a strict auditing and logging policy, third-party applications may not. The SIEM cannot analyze logs that were never created. An application without an audit trail or with logs that are never monitored is an obvious target for an attacker.
Consider the case of a pharmaceutical company running a Windows Web farm. The servers generated several hundred megabytes of data every day—far too much for systems administrators to analyze manually. For years, those logs had simply been rotated and overwritten. The company decided to implement a Web-based e-mail system and realized it needed to pay more attention to security on its Web servers. Personnel implemented an SIEM solution and quickly discovered that probe attacks against their Web servers were being launched from a foreign university every 15 minutes. Without the SIEM, the pharmaceutical company would not have realized it was under scrutiny until it was too late to prevent an attack.
Whether access control system assurance is done for regulatory compliance or simply because it is good business practice, there are some best practices to make the task more effective:
Follow a defined model—The CIA triad, five pillars of IA, and Parkerian hexad are all well-known and tested models of information assurance.
Use access controls to enforce IA—Regardless of which model you use, access control systems within the organization should be chosen and developed to enforce the key tenets of confidentiality, integrity, and availability.
Implement an IDS—An intrusion detection system is a key tool for recognizing and stopping an attack in progress.
Make audit trail analysis a priority—Log files and audit trails that are rarely analyzed are the digital equivalent of a paperweight. They are of limited use and take up a lot of space. Tools such as SIEMs make this task easier.
Implement an ongoing training policy—This will ensure that all personnel, not just security engineers, are aware of information assurance concepts and know how to recognize potentially important anomalies as they encounter them.
Following these best practices will help you implement information assurance within your organization.
Information assurance can be a difficult concept to understand in practical terms. In this section, you will read about how information assurance is implemented in real-world situations.
The human element of IA is an important and often overlooked factor. As previously mentioned, training is an important aspect of implementing IA and a vital part of any IA program. Below you'll learn how implementing a training program assisted an organization in securing its environment and strengthening its IA.
Acme Tech Systems is one of the largest providers of IT services, systems integration, and training to the U.S. government. Nearly 80 percent of Acme's business is with the U.S. Department of Defense and other U.S. federal government agencies.
Due to the nature of its work, Acme always had IA as a priority. The nature of the information Acme deals with is often classified and highly confidential. Unfortunately, in early 2003, Acme's systems were being targeted at an increasing rate. Acme's research showed that its network was being attacked over 1,000 times an hour, and a number of those attackers were getting through Acme's perimeter defenses. Acme recognized that its critical information was being exposed to malicious users all over the world.
Improving the security of Acme's network was a daunting task, and the small security team was often overwhelmed by the size and complexity of the system. Although a number of initiatives were started to further secure the system, a training program was seen as one of the most successful. Acme decided the best way to assist the security team was to have all of Acme's systems administrators (SA) gain at least a basic knowledge of information security.
This was a challenge, with nearly 3,000 SAs to train. Acme implemented a two-phase program with computer-based training courseware and instructor-led courses, most of which consisted of hands-on labs. In fact, 60 percent of the course work was lab-based. This gave the SAs invaluable practice preventing hackers from accessing the network. The courses helped Acme's SAs learn the skills and develop the tools needed to help them identify system vulnerabilities and implement countermeasures.
The results of the training were immediate. Within months of implementing the program, the number of successful attacks decreased by half. The training also provided valuable feedback to help further strengthen Acme's overall network. Ongoing training allows the SAs to stay current with the tricks malicious users use as well as current security trends.
By enhancing the security awareness of all of its SAs, Acme was able to insure the confidentiality and integrity of its critical information. By maintaining an ongoing training program Acme is able to verify that it had a strong IA infrastructure going forward.
In 2003, a major university medical center piloted its new teleradiology program. The program allowed radiologists and physicians to share and view patient images digitally. Due to concerns over Health Insurance Portability and Accountability Act (HIPAA) compliance, the medical center embarked on an information assurance risk assessment project during the planning phase of the teleradiology program.
The information assurance risk assessment project was carried out in three phases: Organizational View, Technological View, and Strategy and Plan Development. In each of these phases, a multidisciplinary team of senior management, operational management, IT staff, and clinical staff participated in workshops, discussions, and information-gathering activities. The result of this multidisciplinary approach was that the medical center identified areas of its planned teleradiology project that were inherently insecure before those insecurities were introduced into actual practice. The IA process led to better project planning and a more successful end result.
In Phase I, Organizational View, members of the team met to determine the most critical resources involved in the teleradiology project. They initially brainstormed over 30 resources including people, patient images, servers, and laptops. They narrowed the list to the five most critical and focused the rest of their efforts on those resources.
The analysis team gathered opinions on the following:
Critical assets
Threats to those assets
The relative importance of confidentiality, integrity, and availability of those assets
The medical center's existing practices that either supported or undermined information assurance
The team met for extensive debate and discussion of these topics and eventually came to a consensus.
In Phase II, Technological View, the IT staff on the team conducted a vulnerability scan on the IT infrastructure and reported their findings back to the rest of the team members.
In Phase III, Strategy and Plan Development, the team integrated and analyzed all the data gathered in the first two phases. From this analysis, they conducted a formal risk analysis, indentifying, categorizing, and prioritizing the impact of various types of breaches on the five critical assets identified in Phase I.
From there, the team created an information security risk management plan. The plan was broken down into three parts: action items, mitigation plans, and protection strategy. The action items were tasks that could be undertaken immediately, with no need for new staff, policies, or funding that would result in a significant improvement in the overall security outlook for the project. Some example action items included changing default passwords and deleting user accounts for former employees.
The mitigation plans focused on high-impact threats to critical assets and included methods to recognize, resist, and recover from a security incident. These plans were designed to have a broad impact on both critical assets as well as secondary ones.
The final section of the risk management plan was the protection strategy. This section detailed plans to improve the medical center's overall information security stance by implementing best practices for information assurance.
The information assurance risk assessment provided valuable insight to the medical center, and allowed the teleradiology department to prevent security issues in the planning stages. For example, the team's original plan had been to instruct radiologists to use their personal computers to manage patient images after hours. During the risk assessment project, the team identified three high-priority concerns surrounding the use of personal computers:
Technical support—IT staff could not effectively troubleshoot or support equipment privately owned by individual radiologists. This could affect the availability of patient images, in the event of a computer crash.
Threats to confidentiality of patient images—Radiologists' home computers were often located in public areas of the home where family members and guests could easily look over the radiologists' shoulder and view protected health information. This constituted a serious breach of HIPAA regulations.
Threats to integrity of patient images—Because images would be stored on home computer hard drives, there was the potential for those images to be altered using photo manipulation software.
To mitigate these concerns, the medical center decided to purchase dedicated laptops for use by on-call radiologists.
Availability is one of the three components of the CIA model of information assurance, and in the case of access controls it is a vitally important component. Consistent and quick availability of the information allow physical security to work efficiently. Take a look at how the U.S. Coast Guard maintains the availability of information to maintain the security of Hawaii's ports.
To deal with availability of IA, the Coast Guard implemented a centralized, IP network-based access control card system. Through a secure Web site, many state and federal agencies, including the Coast Guard, Hawaiian Department of Transportation, Immigration and Naturalization, and U.S. Customs and Border Protection, as well as private maritime organizations and others can share information related to all activities and data for the port. This allows the Coast Guard to have a centralized clearinghouse for all expected activity, allowing them to focus their security efforts.
This system, referred to as the "Hawaii Integrated Maritime Information System" (HIMIS), allows authenticated users to access and update information. This allows for information sharing quickly and real-time data to enhance the Coast Guard's security practices. This information can be entered both in flexible custom reports and on nautical charts.
The high availability of the HIMIS system greatly enhances the Coast Guard's ability to secure the Hawaiian ports.
Information assurance is a guideline for planning, implementing, and assessing a secure IT infrastructure. This chapter examined several models, including the CIA triad, five pillars of IA, and the Parkerian hexad. An organization should choose the one that most accurately reflects its IA requirements.
Ideally, every component of infrastructure should be evaluated for its contribution to information assurance on critical resources. Staff members, both technical and nontechnical, should participate in regular training on information assurance concepts so they are aware of the security implications of their decisions and are able to recognize important anomalies when they occur. When security incidents do occur, careful analysis and cross-referencing of various audit logs provides key information about the incident. This information is a valuable resource for preventing similar breaches in the future.
Audit trail
Blacklist
False negative
False positive
Normalization
Parsing
Prioritization
Security information and event management (SIEM) system
Whitelist
According to the CIA triad, the three pillars of information assurance are________,________, and________.
Non-repudiation provides the sender of information with which of the following?
Read receipt
Notification that the message was deleted without being opened
Proof of delivery
Notification that the message was forwarded to a third party by the original recipient
The Parkerian hexad adds which elements to the CIA triad? (Select three.)
Possession or control
Non-repudiation
Authenticity
Utility
Authentication
Only security engineers need training in information assurance.
True
False
Timeliness is an important goal of any access control monitoring system.
True
False
Intrusion detection systems that operate on the principle of misuse detection compare activity to a________of known suspicious events.
Intrusion detection systems that operate on the principle of specification detection use a ________to identify normal ranges of behavior.
Which type of events in an audit log report user logon attempts and system resource usage?
System-level
Application-level
User-level
Unauthorized access-level
Which events in an audit log report user authentication attempts, commands and applications used, and security violations committed by users?
System-level
Application-level
User-level
Unauthorized access-level
Which events in an audit log report error messages, file modifications, and security alerts generated by individual applications?
System-level
Application-level
User-level
Unauthorized access-level
What is normalization?
The process of rotating older audit logs into long-term storage
The process of translating log files from various systems into a common format
The process of separating normal events from anomalies
The process of analyzing log files
Automated audit log analysis software makes manual log analysis unnecessary.
True
False
An SIEM is which type of tool?
Access control
Risk analysis
Audit log analysis
Training