Cyber security refers to the ability to defend against and prevent cyber-attacks and to protect resources, while information assurance ensures the confidentiality, possession or control, integrity, authenticity, availability and utility of information and information systems.
Cyber security vs information assurance
1. Distance Education for Africa / Enseignement á Distance Pour L’Afrique WWW.DEAFRICA.COM
Cyber Security vs Information Assurance
Olufemi Vaughan CISA, ITIL
Instructor, DeAfrica
July, 2015
Table of Contents:
Cyber Security vs Information Assurance: What is the difference?
Introduction to Cyber Security and Information Assurance: What is the difference?
Careers in Cyber Security: challenges and issues, and how to prepare for them
Introduction
Richard Clarke was famously heard to say, "If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked."
The growing number of attacks on our cyber networks has become, in President Obama's words, "one of the most serious economic and national security threats our nation faces."
What is Cyber Security?
Cyber security is the process of applying security measures to ensure the confidentiality, integrity, and availability of data. Cyber security attempts to assure the protection of assets, which include data, desktops, servers, buildings, and, most importantly, humans. The goal of cyber security is to protect data both in transit and at rest.
Who and What is at Risk?
Economy
Defense
Transportation
Medical
Government
Telecommunications
Energy Sector
Critical Infrastructure
Computers/Cable TV/Phones/MP3/Games
What is Information Assurance?
Information assurance is the process of adding business benefit through the use of information risk management, which increases the utility of information to authorized users and reduces its utility to those who are unauthorized. It is strongly related to the field of information security, and also to business continuity.
Fundamental Concepts of Information Assurance
Confidentiality (privacy)
Integrity (quality, accuracy, relevance)
Availability (accessibility)
Information Assurance Process
The information assurance process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner performs a risk assessment for those assets. Vulnerabilities in the information assets are determined in order to enumerate the threats capable of exploiting them.
The assessment then considers both the probability and the impact of a threat exploiting a vulnerability in an asset, with impact usually measured in terms of cost to the asset's stakeholders. The sum of the products of each threat's impact and the probability of its occurring is the total risk to the information asset.
With the risk assessment complete, the IA practitioner then develops a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response to threats. A framework published by a standards organization, such as Risk IT, COBIT, PCI DSS or ISO/IEC 27002, may guide its development.
After the risk management plan is implemented, it is tested and evaluated, often by means of formal audits. The IA process is an iterative one: the risk assessment and the risk management plan are meant to be periodically revised and improved based on data gathered about their completeness and effectiveness.
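The process above, carried through as code. This is an added example and not material from the slides: it models one classified asset, scores each threat as probability times impact, sums those products into the total risk exactly as defined above, and then picks a treatment (mitigate, eliminate, transfer or accept) per threat by comparing residual risk plus control cost against doing nothing. The asset, threat rates, impact figures, countermeasure catalogue and risk appetite are constructed sample data (annual figures in an arbitrary currency), not figures from any real assessment.

```python
"""Worked example of the information assurance process: enumerate and classify
assets, assess risk as the sum over threats of probability x impact, then choose
a treatment per threat. Added illustration, not part of the original slides; all
figures below are constructed sample data (per year, arbitrary currency)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # expected occurrences per year
    impact: float       # loss to stakeholders per occurrence


@dataclass(frozen=True)
class Countermeasure:
    name: str
    kind: str                        # "mitigate", "eliminate" or "transfer"
    annual_cost: float
    probability_factor: float = 1.0  # 1.0 = unchanged, 0.0 = threat removed
    impact_factor: float = 1.0


@dataclass
class Asset:
    name: str
    classification: str              # e.g. "public", "internal", "confidential"
    threats: list[Threat] = field(default_factory=list)


def threat_risk(t: Threat) -> float:
    """Expected annual loss from one threat: probability x impact."""
    return t.probability * t.impact


def total_risk(asset: Asset) -> float:
    """The slides' total risk: sum of the products of impact and probability."""
    return sum(threat_risk(t) for t in asset.threats)


def residual_risk(t: Threat, cm: Countermeasure) -> float:
    """Risk remaining once a countermeasure scales probability and/or impact."""
    return (t.probability * cm.probability_factor) * (t.impact * cm.impact_factor)


def treat(t: Threat, options: list[Countermeasure], appetite: float) -> tuple[str, float, float]:
    """Choose a treatment for one threat; returns (decision, residual_risk, annual_cost).

    A threat already within the risk appetite is accepted. Otherwise the option
    whose residual risk plus cost is lowest is chosen, provided it beats doing
    nothing. A threat above appetite with no cost-effective option comes back as
    "accept" and needs explicit sign-off by the risk owner.
    """
    inherent = threat_risk(t)
    decision, residual, cost = "accept", inherent, 0.0
    if inherent <= appetite:
        return decision, residual, cost
    for cm in options:
        r = residual_risk(t, cm)
        if r + cm.annual_cost < residual + cost:
            decision, residual, cost = cm.kind, r, cm.annual_cost
    return decision, residual, cost


def risk_management_plan(asset: Asset, catalogue: dict[str, list[Countermeasure]],
                         appetite: float) -> dict[str, tuple[str, float, float]]:
    """One treatment decision per threat on the asset."""
    return {t.name: treat(t, catalogue.get(t.name, []), appetite) for t in asset.threats}


def plan_summary(plan: dict[str, tuple[str, float, float]]) -> tuple[float, float]:
    """(total residual risk, total annual control cost) for a plan."""
    return (sum(r for _, r, _ in plan.values()), sum(c for _, _, c in plan.values()))


# Constructed sample register: one classified asset and the threats to it.
CUSTOMER_DB = Asset("customer database", "confidential", [
    Threat("ransomware on file server", probability=0.3, impact=200_000.0),
    Threat("laptop theft with cached records", probability=2.0, impact=15_000.0),
    Threat("misdelivered customer e-mail", probability=12.0, impact=400.0),
])

# Constructed catalogue of candidate controls per threat (none for the last one).
CONTROLS: dict[str, list[Countermeasure]] = {
    "ransomware on file server": [
        Countermeasure("offline backups with tested restore", "mitigate", 8_000.0, impact_factor=0.1),
        Countermeasure("cyber insurance policy", "transfer", 25_000.0, impact_factor=0.2),
    ],
    "laptop theft with cached records": [
        Countermeasure("full-disk encryption, no local cache", "eliminate", 3_000.0, impact_factor=0.0),
    ],
}

if __name__ == "__main__":
    print(f"inherent risk: {total_risk(CUSTOMER_DB):,.0f}")
    plan = risk_management_plan(CUSTOMER_DB, CONTROLS, appetite=5_000.0)
    for threat, (decision, residual, cost) in plan.items():
        print(f"{threat:36} {decision:9} residual={residual:>9,.0f} cost={cost:>8,.0f}")
    residual, cost = plan_summary(plan)
    # The plan is then implemented and audited, and these figures are revisited periodically.
    print(f"residual risk: {residual:,.0f}, control cost: {cost:,.0f}")
```

With the sample figures the inherent risk is 94,800 per year; backups are chosen over insurance for the ransomware threat because 6,000 residual plus 8,000 cost beats 12,000 plus 25,000, disk encryption eliminates the laptop-theft risk for 3,000, and the e-mail threat sits inside the 5,000 appetite and is accepted. Re-running the register with updated probabilities after an audit is the iteration the slides describe.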
Concept of Information Security
Physical Security: This is a significant part of any security system and cannot be ignored, as it is an important line of defense for most organizations. Hardware security can primarily be considered under physical security, even though some hardware components fall under other security domains, such as network security.
TCP/IP is the underlying protocol suite for computer communication: it provides the connectivity that lets two computers at different locations share data, and it is the foundation on which the Internet and the World Wide Web (WWW) were built.
Network Security: This is essential to protect data while it is being transmitted and to guarantee that the data is not tampered with in transit.
Communications Security, that is, securing communications through the use of various mechanisms, can be considered broadly as a part of Network Security. Secure routing mechanisms, secure session mechanisms, and secure encryption mechanisms may be considered part of Communications Security.
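The "not tampered with during transmission" guarantee above is an integrity check, and the example below shows the smallest form of one. It is added here and is not code from the slides: each frame carries a sequence number and an HMAC-SHA256 tag computed over the whole frame, so the receiver rejects a modified frame, a replayed frame and a frame signed under the wrong key, using only the Python standard library. The shared key, the two messages and the framing are constructed for the example; a real link would also encrypt the payload (for instance under TLS), which is left out here to isolate the integrity mechanism.

```python
"""Integrity protection for messages in transit with HMAC-SHA256 plus a
sequence number. Added example, not part of the original slides; key,
messages and frame layout are constructed for illustration."""
from __future__ import annotations
import hashlib
import hmac
import secrets
import struct

SEQ_LEN = 8    # big-endian unsigned 64-bit sequence number
TAG_LEN = 32   # HMAC-SHA256 output length


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = seq || payload || HMAC(key, seq || payload)."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Verifies frames from one sender and tracks the next expected sequence number."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.expected_seq = 0

    def open(self, frame: bytes) -> bytes | None:
        """Return the payload if the tag verifies and the frame is in order, else None.

        hmac.compare_digest runs in constant time, so a forger learns nothing
        about how many tag bytes matched. The tag is checked before the sequence
        number is read, so unauthenticated data never changes receiver state.
        """
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        (seq,) = struct.unpack(">Q", body[:SEQ_LEN])
        if seq != self.expected_seq:
            return None        # replayed or reordered frame
        self.expected_seq = seq + 1
        return body[SEQ_LEN:]


def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate an on-path attacker changing one byte of the frame."""
    b = bytearray(frame)
    b[index] ^= 0x01
    return bytes(b)


def demo() -> dict[str, bool]:
    """Run the exchange with a fresh shared key; every entry should be True."""
    key = secrets.token_bytes(32)          # constructed shared key
    rx = Receiver(key)
    m0, m1 = b"transfer 100 to account 42", b"transfer 5 to account 7"
    f0, f1 = seal(key, 0, m0), seal(key, 1, m1)
    return {
        "genuine frame accepted": rx.open(f0) == m0,
        "modified payload rejected": rx.open(flip_bit(f1, SEQ_LEN)) is None,
        "untouched frame still accepted afterwards": rx.open(f1) == m1,
        "replayed frame rejected": rx.open(f0) is None,
        "frame under another key rejected": rx.open(seal(secrets.token_bytes(32), 2, b"x")) is None,
        "truncated frame rejected": rx.open(f1[:SEQ_LEN + 3]) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

The sequence number matters as much as the tag: without it, a captured "transfer 100" frame is perfectly valid and can be resubmitted at will, which is tampering with the stream even though no frame was altered.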
Software Security broadly covers Operating System Security, Application Security, and the security of software utilities and tools, including the tools used to provide information security. Operating systems provide many of the functions required for servers and computers to work effectively, including communication with other systems, processing of information, and the effective functioning of applications.
Human or personnel security is another important layer. Keeping personnel motivated, making them aware of information security risks, and involving them in implementing the controls is an aspect of information security that cannot be neglected. Employees (permanent or temporary), contractors, and suppliers are all significant in this regard.
Internet Usage
In 1995, 16 million users (0.4%)
In 2010, 1.6 billion users (23.5%)
In 2015, 3 billion users (47%)
Physical and cyber security cannot be treated separately; they are intertwined.
Security Threats
A threat is any potential danger to information and systems.
Three levels of cyber threats:
Unstructured
Structured
Highly structured
Two types of threats: Internal and External
External Threats
Internal Threat
Internal threats originate from within the organization. The primary contributors are employees, contractors, or suppliers to whom work is outsourced. The major threats are fraud, misuse of information, and destruction of information. Many internal threats originate for the following reasons:
Weak Security Policy
Weak Security Administration
Lack of User Security Awareness
Layered Security and Defense in Depth
Layered Approach to Security
Questions?
For more information, please visit www.deafrica.org or email info@deafrica.org