Information Assurance


Introduction

Information Assurance begins with confidentiality, integrity, and availability of systems and information. Homeland Security Presidential Directive Seven, or HSPD-7, mandates, "All Federal department and agency heads are responsible for the identification, prioritization, assessment, remediation, and protection of their respective internal critical infrastructure and key resources." In this topic, we will introduce you to some terms used in Information Assurance, how to create passwords, and the need to protect information systems from various threats.

Objectives

Upon completion of this topic, you will be able to recognize Internet safety precautions and Information Assurance. Such safety precautions include: safe use of the Internet, creating strong passwords for your system, and identifying some system threats and vulnerabilities.

Information Assurance

Department of Defense Directive Number 8500.1 defines Information Assurance as, “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.” Authentication and non-repudiation support confidentiality, integrity, and availability. Select each concept to learn more.

     Confidentiality

     Confidentiality is defined as, "Assurance that information is not disclosed to unauthorized individuals, processes, or devices." Loss of confidentiality results when information is improperly disclosed. Time-sensitive information, procurement information, and information covered by the Privacy Act are examples of information that could be improperly disclosed. Employing confidentiality measures can protect this information.

     Integrity

     In computer security, integrity means employing measures designed to protect information against unauthorized modification or destruction. Unauthorized access to your computer can lead to integrity problems. For example, someone could alter the data in your file unintentionally by entering a wrong number or letter. Someone who intends to do harm and defeats system protection can make widespread or subtle changes, according to their purposes.

     Availability

     Availability is "Timely, reliable access to data and information services for authorized users." Availability involves information that needs to be accessible at a specific time, even instantaneously, such as payroll information and law enforcement support.

     Authentication

     Authentication is a "Security measure designed to establish the validity of a transmission, message, originator, or a means of verifying an individual's authorization to receive specific categories of information." Passwords and smart cards are used by government employees to authenticate their messages. Biometric methods of authentication, such as thumbprints and retinal scans, are becoming more popular. Unfortunately, many of these authentication methods can be tricked or circumvented. Combinations of authentication methods provide the best promise of security.

     Non-repudiation

     Non-repudiation is "Assurance the sender of the data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data." Smart cards and digital signatures support non-repudiation. DoD has recently implemented smart cards called the Common Access Card. These cards use Public Key Infrastructure, or PKI, for authentication and encryption. You can find out more about PKI through the Defense Information Systems Agency course catalog.

Passwords

Strong passwords are worthwhile measures to support confidentiality, integrity, and availability. Passwords should never relate to the user (for example, a license plate, birthday, or child's or pet's name) and should never be dictionary words. Passwords should combine upper and lower case letters, numbers, and special characters. Using the first letters of a meaningful phrase can make the password easier to remember. Your security policy will specify password length and aging. Aging defines how often you must change your password.
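The following is an added example, not part of the course: a small checker that applies the password guidance above (mixed character classes, no dictionary words, nothing tied to the user, length and aging from policy). The minimum length of 12, the 90-day aging period and the five-word dictionary are constructed placeholder values; a real organization takes these from its own security policy and word lists.

```python
"""Password policy checker for the guidance in this module (added example).

The policy numbers and the tiny dictionary below are constructed stand-ins;
an organization's security policy and word list replace them.
"""
import string
from datetime import date, timedelta

MIN_LENGTH = 12          # constructed policy value
MAX_AGE_DAYS = 90        # constructed aging period
DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon"}  # constructed


def passphrase_initials(phrase):
    """Turn a meaningful phrase into a password seed by keeping the first
    character of every word, so digits and symbols in the phrase survive."""
    return "".join(word[0] for word in phrase.split())


def check_password(password, user_facts):
    """Return the list of policy violations; an empty list means it passes.

    user_facts holds strings tied to the user (name, pet, plate, birth year)
    that must not appear anywhere in the password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()
    # "Password1!" is still the dictionary word "password" once the usual
    # leading/trailing digits and symbols are peeled off.
    if lowered.strip(string.punctuation + string.digits) in DICTIONARY:
        problems.append("dictionary word")
    for fact in user_facts:
        if len(fact) >= 3 and fact.lower() in lowered:
            problems.append(f"contains user-related value {fact!r}")
    return problems


def password_expired(last_changed, today):
    """Aging check: True once the password is older than MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed user facts: pet name and birth year.
    facts = ["Rex", "1985"]
    print(check_password("Password1!", facts))
    seed = passphrase_initials("Every good boy does fine, & so do 5 of my 9 cats!")
    print(seed, check_password(seed, facts))
    print(password_expired(date(2024, 1, 1), date(2024, 4, 15)))
```

The phrase-derived seed passes every check while "Password1!" fails on length and as a dictionary word, which is the point of the phrase technique: the result looks random to a guesser but is easy for the owner to reconstruct.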

Privacy

DoD Web Policies and Procedures of November 25, 1998, with Amendments and Corrections, dictates that sensitive information, such as that marked "For Official Use Only," be protected by access control using hardware or software Public Key Infrastructure, or PKI, and transmission control using encrypted text. Restricting access to .gov or .mil sites only limits who can access the data on your computer. If that data is not encrypted, it might be harvested by interested parties as it travels over the Internet. Significant laws pertaining to the area of monitoring include the Fourth Amendment and the Wiretap Statute. These laws and the case law interpreting both have established a framework addressing the right of privacy, which might be abridged by monitoring. Now we’ll discuss a few concepts with which you may not be familiar.

Cookies

Cookies have developed a reputation as troublesome items. Some say to turn them ALL off! If they are all bad, why are they used in the first place? Some Web sites have cookies that will remember your information and sell it to third party companies. Cookies can be used to track a Web surfer’s individual habits. Usually this collection is done without the surfer’s knowledge. Some items tracked describe your computer — location, hardware and software used; details of links selected; mouse movements; banner ads selected; and perhaps form entries and email addresses. These items can reveal more than just your name and address. They can reveal your age, income, ethnicity, lifestyle, names and ages of children, purchases, and medical records. For your safety, be sure you read the Privacy terms on each Web site you visit.

What are Cookies?

What exactly is a cookie? A cookie is information that a Web site you visit leaves on your machine. The World Wide Web is stateless, which means it does not maintain a connection with the user visiting a Web site. Cookies were designed as one way to maintain the continuity of the net session across many separate requests. Cookies are valuable because they improve the quality of Web visits and can provide a context for your visit – for example, whether you have visited previously, what parts of the site you previously visited, and the date of your last visit.

Cookie Types

Cookies can be used to track the habits and characteristics of users. Privacy concerns may arise based on the use of that information. Each cookie is unique – ranging from random numbers used to identify repeated visitors to recorded information identifying a specific customer. There are three kinds of cookies – session cookies, persistent cookies, and third party cookies. Select each cookie to learn more.

     Session Cookies

     Session cookies are stored temporarily, either in your computer's RAM, or in a temporary files folder. They are not intended to be saved from session to session, and are destroyed when you close your browser, or when you clear your cache.

     Persistent Cookies

     A persistent cookie is saved to your hard drive. Persistent cookies have an expiration date, perhaps one year or even 10 to 20 years from the time of creation. DoD sites only use persistent cookies under very specific conditions, which include the personal approval of the Secretary of Defense.

     Third-Party Cookies

     Advertisers may set persistent cookies from the domain of the advertiser instead of the domain of the site you visited. This allows your cookies to be made available to many marketing entities. Microsoft’s “Passport” is the ultimate third-party cookie. The data collected at one Microsoft site is available to any Microsoft-owned site, not just the domain from which it was sent.
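As an added example (not course material), the script below parses Set-Cookie headers the way a browser would see them and sorts each cookie into the three kinds described above: session (no expiry), persistent (Expires or Max-Age in the future) and third-party (set for a domain other than the site being visited). The visited site www.example.mil, the advertiser host ads.adnetwork.example and all four headers are constructed; the "last two labels" rule for deciding what counts as the same site is a deliberate simplification of the public suffix list real browsers use.

```python
"""Classify Set-Cookie headers as session, persistent or third-party (added example).

The HTTP responses are constructed: assume the user is visiting
https://www.example.mil/ and each header arrived from the host beside it.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE_HOST = "www.example.mil"                          # constructed
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)        # constructed reference time
SAMPLE_RESPONSES = [                                   # (responding host, header)
    ("www.example.mil", "JSESSIONID=ab12cd34; Path=/; Secure; HttpOnly"),
    ("www.example.mil", "lang=en; Max-Age=31536000; Path=/"),
    ("ads.adnetwork.example",
     "uid=7f3e9; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.adnetwork.example"),
    ("www.example.mil", "visited=1; Expires=Thu, 01 Jan 1970 00:00:00 GMT"),
]


def registrable_domain(host):
    """Simplified site identity: the last two labels of the host name."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify_cookie(site_host, responding_host, header, now=None):
    """Return (cookie name, set of labels) for one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    labels = set()
    # Third-party: the cookie's domain is not the site the user is visiting.
    cookie_domain = attrs.get("domain", responding_host).lstrip(".")
    if registrable_domain(cookie_domain) != registrable_domain(site_host):
        labels.add("third-party")
    else:
        labels.add("first-party")
    # Session vs persistent: Max-Age takes precedence over Expires.
    if "max-age" in attrs:
        labels.add("persistent" if int(attrs["max-age"]) > 0 else "expired")
    elif "expires" in attrs:
        labels.add("persistent" if parsedate_to_datetime(attrs["expires"]) > now else "expired")
    else:
        labels.add("session")
    # Without the Secure attribute the cookie also travels over plain HTTP,
    # where it can be harvested in transit.
    if "secure" not in attrs:
        labels.add("missing-secure")
    return name, labels


def classify_all(site_host, responses, now=None):
    """Classify every (host, header) pair; returns {cookie name: labels}."""
    return dict(classify_cookie(site_host, host, hdr, now) for host, hdr in responses)


if __name__ == "__main__":
    for name, labels in classify_all(SITE_HOST, SAMPLE_RESPONSES, NOW).items():
        print(f"{name:12} {sorted(labels)}")
```

Note that the advertiser's cookie is both third-party and persistent (six years out), exactly the combination the module warns about, while the site's own login cookie is a session cookie that also carries Secure and HttpOnly.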


Firewall

A firewall is used to defend the perimeter of a network. A firewall is placed between the public network and the intranet. It can be used to prevent unauthorized users or packets from reaching the server. A firewall acts as a filter. It does this by controlling access based on content behavior or the origin of data packets. Firewalls defend against external attacks on protocols or applications.
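To make the "filter based on the origin of data packets" idea concrete, here is an added example (not from the course) of a stateless packet filter with an ordered rule list and a default-deny policy. The intranet range 10.0.0.0/8, the web server at 10.0.0.5 and the sample packets are constructed; all packets are assumed to be arriving on the public-facing interface.

```python
"""Stateless perimeter packet filter with ordered rules (added example).

Assumptions (constructed): the intranet is 10.0.0.0/8, the only service
exposed to the public network is the web server 10.0.0.5 on TCP 80/443,
and every packet below arrives from the public side of the firewall.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR)
    proto: Optional[str]   # None matches any protocol
    dport: Optional[int]   # None matches any destination port


# Rules are evaluated top to bottom; the first match decides.
RULES = [
    # A packet from the public side that claims an internal source is spoofed.
    Rule("deny", "10.0.0.0/8", "0.0.0.0/0", None, None),
    # Only the web server's HTTP and HTTPS ports are reachable from outside.
    Rule("allow", "0.0.0.0/0", "10.0.0.5/32", "tcp", 443),
    Rule("allow", "0.0.0.0/0", "10.0.0.5/32", "tcp", 80),
]


def matches(rule, pkt):
    """True when every field of the rule covers the packet."""
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def filter_packet(pkt, rules=RULES):
    """First matching rule wins; anything no rule allows is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "10.0.0.5", "tcp", 443),   # ordinary HTTPS visitor
    Packet("203.0.113.7", "10.0.0.5", "tcp", 22),    # SSH from outside
    Packet("10.0.0.9", "10.0.0.5", "tcp", 443),      # spoofed internal source
    Packet("203.0.113.7", "10.0.0.6", "tcp", 80),    # host not published
    Packet("198.51.100.2", "10.0.0.5", "udp", 80),   # wrong protocol
]


def filter_all(packets=SAMPLE_PACKETS, rules=RULES):
    """Return the filter decision for each packet, in order."""
    return [filter_packet(p, rules) for p in packets]


if __name__ == "__main__":
    for pkt, action in zip(SAMPLE_PACKETS, filter_all()):
        print(f"{action:5} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
```

Only the first packet is allowed. The anti-spoofing rule sits first on purpose: if it came after the allow rules, the spoofed packet to port 443 would be accepted.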

Hacker

A hacker snoops and sometimes alters computer programs or systems. Not all hackers are out to cause damage — hacking motives range from curiosity to religious or political zeal. The goal of most amateur hackers is to see how much system control they can get. More experienced hackers are quietly effective — leaving backdoors in order to return and regain access to a server. When access to a system has been gained, a hacker may be able to gain the privileges of an insider. This is a dangerous situation if the defenses are pointed only at external threats. Beware the ubiquitous hacker!

Buffer Overflows

A buffer overflow occurs when an attacker sends more information than a program is designed to handle, or when poor programming allows extra data to spill past the storage set aside for it. The overflow may corrupt other data held nearby in memory or may contain code directing the computer to take destructive actions. When the program is overwhelmed, it often simply opens the system. This can give an intruder root privilege, depending on the program. Root privilege means complete and absolute control of the system. Buffer overflows commonly provide an open door to intruders.

Viruses

A virus is a program written to cause problems. It is inserted into a normally benign program, then is triggered by some user or system action. Viruses can be delivered hidden in email, as attachments to communication or can be hidden in files users download from the Internet. Viruses are very dangerous to computers and networks. Some destroy all information on the hard drive, others flood the network with spurious or infected email. Viruses also infect clean copies of programs. This differentiates them from Trojan horses and worms.

Avoiding Viruses

Would YOU care to be known as the person who let loose the "Dogs of War" virus on your base, command, or agency's network? This is not career-enhancing. Make sure you have up-to-date virus protection software on your system. Make a habit of scanning your system manually at regular intervals. Viruses are commonly spread through email. Be suspicious of email attachments that end in .exe or .vbs. If you don't know the sender, the rule of thumb is NOT to open the email or the attachment. Tens of thousands of Web users "innocently" spread viruses in that manner. Never open an attachment to an email from an unknown sender. Save attachments from known senders to disk and run them through a virus scan before opening them. Email is not always from the person in the sender line. Stay informed! Be aware of the latest bugs, viruses, and security alerts.

Other Types of Incidents

An intruder seeks information for entertainment, financial gain, knowledge, power, or attention. Web users should be aware of these kinds of threats from intruders: probe, scan, packet sniffer, denial of service, and malicious code. Select each incident to learn more.

     Probe

     A probe is an attempt to access or get information about a system by scanning ports or by logging into an unused account. Probes are often used to locate vulnerabilities that can serve as the basis for serious attacks.

     Scan

     A scan is an automated series of probes of system ports. Each computer has about 65,000 virtual ports. A scan can probe all of these, or limit its probes to only those with known vulnerabilities. Some scans can result in system or data changes, but most are a precursor to a directed attack on system vulnerabilities. Scanning is not illegal.

     Packet Sniffer

     There are programs that capture data from packets as they travel over the network. These programs are called packet sniffers. The packet sniffer can grab data, such as user names, passwords, and proprietary information that travels unencrypted over the network. Intruders can launch widespread attacks on systems, using passwords captured by the sniffer. Using a sniffer without proper authority can violate the wiretap statute. A system or network administrator could use a packet sniffer for security purposes. It is important to note that sniffers are also used by government investigators to conduct content monitoring. Such uses must conform to the Federal Wiretap Act, the Electronic Communications Privacy Act, and other applicable law.

     Denial of Service

     Denial-of-service attacks prevent use of a service by its authorized users. A denial-of-service attack can come in different forms. They may be generated from outside or from within an information technology system. Attackers may "flood" a network with large volumes of data. They can overwhelm specific ports so no traffic can pass. Denial-of-service attacks may require the computer to attend to an endless list of requests, consuming all its processing power in a useless effort. System and network administrators must be vigilant for advance indicators of a denial of service attack, or a distributed denial of service attack, which originates from a multitude of different computers.
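The Scan and Denial of Service items above both ask administrators to watch for indicators. The script below is an added example (not course material) of what that watching looks like in practice: it reads connection records and flags a source that touches many distinct ports in a short window (a scan) or opens an unusual number of connections in that window (a flood). The log format, the thresholds and all of the addresses are constructed; a real firewall or flow collector has its own format and the thresholds come from a baseline of normal traffic.

```python
"""Find port-scan and flood indicators in connection logs (added example).

Constructed assumptions: each log line is "timestamp src_ip dst_ip dst_port",
a scan is 8 or more distinct ports from one source inside 5 seconds, and a
flood is 25 or more connections from one source inside the same window.
"""
from collections import defaultdict
from datetime import datetime


def build_sample_log():
    """Constructed log: one scanner, one flooder and one ordinary client."""
    lines = []
    # Scanner sweeping ten well-known ports, two per second.
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080]):
        lines.append(f"2024-05-01T10:00:{i // 2:02d} 203.0.113.7 10.0.0.5 {port}")
    # Single source opening thirty connections to port 80 within two seconds.
    for i in range(30):
        lines.append(f"2024-05-01T10:01:{i % 2:02d} 198.51.100.2 10.0.0.5 80")
    # Ordinary client: three HTTPS connections ten seconds apart.
    for i in range(3):
        lines.append(f"2024-05-01T10:02:{i * 10:02d} 192.0.2.10 10.0.0.5 443")
    return "\n".join(lines)


def parse_log(text):
    """Return a list of (time, src, dst, port) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_indicators(events, window_s=5, scan_ports=8, flood_conns=25):
    """Slide a window over each source's connections and label what it finds.

    Returns {source ip: set of labels}; sources with nothing suspicious are
    left out.
    """
    by_src = defaultdict(list)
    for t, src, _dst, port in events:
        by_src[src].append((t, port))
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        labels = set()
        for i, (t0, _) in enumerate(evs):
            # Every connection from this source within window_s of t0.
            window = [(t, p) for t, p in evs[i:] if (t - t0).total_seconds() <= window_s]
            if len({p for _, p in window}) >= scan_ports:
                labels.add("port-scan")
            if len(window) >= flood_conns:
                labels.add("flood")
        if labels:
            findings[src] = labels
    return findings


if __name__ == "__main__":
    for src, labels in find_indicators(parse_log(build_sample_log())).items():
        print(src, sorted(labels))
```

Both thresholds are per source, which is why a distributed denial of service is harder to spot this way: the traffic is spread across many addresses, each of which stays under the flood threshold, so the same counting also has to be done per destination and compared against normal load.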

     Malicious Code

     Malicious code is a general term for programs written to damage or intrude on other systems. We presented one type of malicious code — the virus. There are also time bombs and logic bombs. These bombs activate based on time, or on a specific program event, or lack of an event.

     Malicious code includes Trojan Horses and worms. A Trojan Horse is an apparently useful program that does more or less than a user expects, usually maliciously. For example, if one of your command files had been Trojanized, you might request a list of files in a directory, and receive a list of all the files...except those added by the hacker. You could download an apparently innocent game which will erase your hard drive while you are playing.

     Worms have one purpose — to reproduce, and to find space to reproduce again, filling all available disk or memory space. Worms can also carry viruses as payloads, delivering unwanted gifts as they pile through systems and circuits. Malicious code today more often blurs distinctions, combining features of worms, viruses, and Trojan Horses.


Information Assurance Summary

We have addressed some of the threats posed by viruses, worms and Trojans. Hardware and software are available to deal with many of the problems posed by this malware, but the evolving nature of the threat requires an evolving response. Some software has been designed to recognize patterns and anomalies to better deal with the evolving threat. Humans continue to play a key role, however. Additionally, even the best of hardware and software defenses can sometimes be circumvented through social engineering. Social engineering is the duping of insiders in order to get them to reveal helpful information. For example, a hacker posing as a General officer may call an enlisted system administrator and pretend he forgot his password. If the system administrator falls for this social engineering, the hacker will be able to enter the system with the password and bypass all the hardware and software defenses.

Basic Internet Summary

This completes the Basic Internet Module. In this module, you learned the history of the Internet, information flow, and Information Assurance. Staff Judge Advocates need to be familiar with normal and abnormal network operations to properly analyze legal issues and to apply appropriate case law, which is addressed in the next module. Return to the Main Menu to go to the module entitled "Law in Cyberspace."