Basic Concepts of Information Assurance Objective To provide background on the basic concepts of information assurance that create a framework of how to protect information systems Basic Security Concepts CIA triad is a widely-used information assurance (IA) model which identifies confidentiality, integrity and availability as the fundamental security characteristics of information. The three characteristics of the idealized model are also referred to as IA services, goals, aims, tenets or capabilities. http://en.wikipedia.org/wiki/CIA_triad Confidentiality Confidentiality is assurance of data privacy. Only the intended and authorized recipients (individuals, processes, or devices) may access and read the data. Disclosure to unauthorized entities, for example using unauthorized network sniffing is a confidentiality violation. Confidentiality is often provided through the use of cryptographic techniques http://en.wikipedia.org/wiki/CIA_triad Integrity Integrity is assurance that data has not been altered. Data integrity is having assurance that the information has not been altered or corrupted in transmission from source to destination, willfully or accidentally, before it is read by its intended recipient. Source integrity is the assurance that the sender of that information is who it is supposed to be. Source integrity may be compromised when an agent spoofs its identity and supplies incorrect information to a recipient. Digital Signatures and hash algorithms are examples of mechanisms used to provide data integrity. http://en.wikipedia.org/wiki/CIA_triad Availability Availability is confidence in timely and reliable access to data services by authorized users. It ensures that information or resources are available when needed. This means that the resources are available at a rate which is fast enough for the system to perform its intended task. It is possible that confidentiality and integrity can be protected, but an attacker may cause resources to become less available than required, or not available at all. A Denial of Service (DoS) attack is an example of a threat against availability. Robust protocols and operating systems, redundant network architectures and system hardware without any single points of failure help to ensure system reliability and robustness. http://en.wikipedia.org/wiki/CIA_triad Summary This section provides background on the basic security concepts that create a framework of how to protect information systems List of References http://en.wikipedia.org/wiki/CIA_triad http://www.sans.org/reading_room/whitepapers/policyi ssues/498.php http://www.sharepointsecurity.com/content-130.html http://media.wiley.com/product_data/excerpt/29/07645 393/0764539329.pdf http://securityrenaissance.com/2007/04/11/the-c-i-a- triad-%e2%80%93-weighed-and-found-wanting/ http://en.wikipedia.org/wiki/Parkerian_hexad CyberPatriot wants to thank and acknowledge the CyberWatch program which developed the original version of these slides and who has graciously allowed their use for training in this competition.