Info Assurance & Security Lecture 3,4

Threats and Vulnerabilities

Strategies: a specific goal we want to achieve
Principles: high level

  • information
    telephone, records

Information is not just computer information

  • Threat is a potential occurrence that can have an undesirable effect on the system.
  • A vulnerability is a weakness that makes it possible for a threat to occur, and there is no way to ensure there are no vulnerabilities

Four categories of threats

  • disclosure: Unauthorized access to information
    • snooping
  • deception: Acceptance of false data
    • alteration
    • spoofing
    • denial of receipt (when we send people an email, how do we make sure we are sending it to the right person? Using public and private keys)

Security principles

  • Auditability and Accountability

    • Auditability is the ability to verify the activities of a control
    • Accountability is to hold an individual answerable, responsible or liable
  • Access Control

    • Separation of functions - No one owns all processes, controls all security features, or possesses unrestricted access to all information, i.e. (the CEO has the right to know everything, but a checker needs to write a record)
    • Role-based access control (RBAC)
      • Associate a role with each individual
      • The individual needs to be authenticated
    • Situation-aware c
  1. Confidentiality
    • confidentiality principles include:
      1. Need to know: An individual should possess a combination of clearance, privilege of access, and need-to-know before being authorized access
      2. Data separation
      3. Compartmentalization: separate tasks
      4. Classification: Assign labels to information to identify the appropriate level of protection, handling and control of the information
        • Corporation: public use - registered - confidential
        • US Government - Official use only - top secret
      5. Encryption
        • A reversible process of transforming plain text
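
An added example, not part of the original notes: a minimal Python access decision that combines the principles listed above (authentication and role privilege from RBAC, clearance against the classification label, need-to-know, separation of functions) and records every decision for auditability. The role table, the user and record names, the "approve" action and the ascending order of the three corporate labels are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Label(IntEnum):  # corporate labels from the notes; ascending order assumed
    PUBLIC_USE = 0
    REGISTERED = 1
    CONFIDENTIAL = 2

# Hypothetical RBAC table: role -> actions that role may perform.
ROLE_PRIVILEGES = {"clerk": {"read"}, "checker": {"read", "approve"}, "ceo": {"read"}}
AUDIT_LOG = []  # one entry per decision, granted or denied (auditability)

@dataclass
class User:
    name: str
    role: str
    clearance: Label
    compartments: set = field(default_factory=set)  # need-to-know areas
    authenticated: bool = False

@dataclass
class Record:
    name: str
    label: Label
    compartment: str
    created_by: str

def authorize(user, action, record):
    """Return (allowed, reason). Every check must pass; every call is logged."""
    if not user.authenticated:
        allowed, reason = False, "not authenticated"
    elif action not in ROLE_PRIVILEGES.get(user.role, set()):
        allowed, reason = False, "role lacks privilege"
    elif user.clearance < record.label:
        allowed, reason = False, "insufficient clearance"
    elif record.compartment not in user.compartments:
        allowed, reason = False, "no need-to-know"
    elif action == "approve" and record.created_by == user.name:
        allowed, reason = False, "separation of functions"
    else:
        allowed, reason = True, "granted"
    AUDIT_LOG.append((user.name, action, record.name, allowed, reason))
    return allowed, reason

def demo():
    """Constructed sample: a checker may read, but not approve, their own record."""
    rec = Record("payroll-q1", Label.CONFIDENTIAL, "hr", created_by="dana")
    dana = User("dana", "checker", Label.CONFIDENTIAL, {"hr"}, True)
    return authorize(dana, "read", rec), authorize(dana, "approve", rec)
```

Denied requests are logged as well as granted ones, so the audit trail holds the named individual accountable for attempts and not only for successful access.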