General overview of CIA, and Risk Management.

1. CIS 264
Highline Community College
Dan Morrill

2.  CIA is:
 Confidentiality
 Integrity
 Availability
 The entire information security industry is based on
this concept for Defense
 Offense is a totally different matter, we want to corrupt
CIA as much as possible for the other person
 There are entire manuals on this subject
 http://csrc.nist.gov/publications/nistpubs/800-
33/sp800-33.pdf is a good start

3.  Confidentiality refers to preventing the disclosure of information
to unauthorized individuals or systems. For example, a credit
card transaction on the Internet requires the credit card number
to be transmitted from the buyer to the merchant and from the
merchant to a transaction processing network. The system
attempts to enforce confidentiality by encrypting the card
number during transmission, by limiting the places where it
might appear (in databases, log files, backups, printed
receipts, and so on), and by restricting access to the places where
it is stored. If an unauthorized party obtains the card number in
any way, a breach of confidentiality has occurred.
 Confidentiality is necessary (but not sufficient) for maintaining
the privacy of the people whose personal information a system
holds

4.  In information security, data integrity means
maintaining and assuring the accuracy and
consistency of data over its entire life-cycle. This
means that data cannot be modified, unauthorized, or
undetected. This is not the same thing as referential
integrity in databases, although it can be viewed as a
special case of Consistency as understood in the classic
ACID model of transaction processing. Integrity is
violated when a message is actively modified in transit.
Information security systems typically provide
message integrity in addition to data confidentiality.

5.  For any information system to serve its purpose, the
information must be available when it is needed. This
means that the computing systems used to store and
process the information, the security controls used to
protect it, and the communication channels used to
access it must be functioning correctly. High
availability systems aim to remain available at all
times, preventing service disruptions due to power
outages, hardware failures, and system upgrades.
Ensuring availability also involves preventing denial-
of-service attacks.

7.  Identification – am I who I say I am when I log in? If I
know your router operating system – I know how to
hack it and fake the router out
 Authentication – same thing – if I can fake it I can
make it do my own thing
 Accountability – if I can log in as someone else, no one
will hold me accountable
 Authorization – if I am root, I can do anything I want
to do
 How long does it take to crack a Cisco Password using
IOS 12.0(10)W5(18g)

8. Oh really?
Thanks Google and
Shodan
If I own two routers
on the internet
What can I do?
Where are the limits
Can I get caught?

9. And this is why they have formal development and
management processes

10.  IATF (Information Assurance Technical Framework)
 People
 There must be a commitment to the process
 Training, Roles and Responsibilities, Policies and
Procedures, Commitment, Penalties for violating
 Technology
 That the organization has the proper technologies in place
 Risk Assessment, Patching, Architecture, Validated products in
use, Configuration
 Operations
 Day to Day activities promote effective security
 Enforcement, certification and accreditation, key management

12.  System Characterization
 Threat Identification
 Vulnerability Identification
 Control Analysis
 Likelihood determination
 Impact analysis
 Risk determination
 Control determination
 Results documentation

13.  Risk Assumption
 Risk Avoidance
 Risk Limitation
 Risk Planning
 Research and Development
 Risk Transference
 Supporting, Preventative, Detection and Recovering
Controls