Information Assurance

CERT Home Computer Security Center
Computer Security Institute - This is a site that provides different hacking and defensive techniques.
Election Security - This article briefly discusses some of the computer issues related to the State Board of Elections. The audit was conducted by the Department of Legislative Services. Among the problems uncovered were inadequate accounting and obvious vulnerabilities to hackers, which could in turn affect election results.
Cyberinsurance - Wow, I never would have imagined finding an article of this sort, but here it is: an article that actually discusses the advantages of "cyber risk insurance." However, from the look of sales from certain competitors, prospects of making a buck off of this product look grim. In the Ernst & Young Global Information Security Survey, 33% of participants stated that they mistakenly thought their current insurance covered this type of loss. Examples of available coverage include first-party business interruption, electronic data damage, extortion, third-party network security liability, downstream network liability, and media liability.
A website created by individuals at the National Institutes of Health.
High Assurance Security Medical Information Systems - by Robert M. Barnhart; A 3-page glossy article, probably a pamphlet or handout, that provides a light overview of assurance from the perspective of medical systems. Topics covered include what assurance is (and why it is important), forms of assurance (design, developmental, operational), how assurance is evaluated, and how much assurance is sufficient. This pdf describes what security assurance is and gives an example of a high assurance medical system. In addition, the pdf discusses how assurance is evaluated and addresses the question of how much assurance is necessary. Medicine offers a very important example of why security assurance is vital to a secure system.
Defense in Depth - This pdf offers a unique perspective on the evaluation process for information assurance systems and the defenses deployed. The pdf shows that information assurance has three components: people, technology, and operations. Each component is then discussed, and examples of defenses for each component are given.
Information Assurance and Security - This website has some nice diagrams and examples of the layered model of defense. In addition, it has some examples of tools that can help in the management of distributed systems. There is a nice diagram describing a dynamic information architecture system.
There are also some nice links off of this page to other computer security-related sections.
Information Assurance: New Tools for Managing Business Risk - by Mike Rothery; Very nice pdf. It is really like viewing an oversized slide show, but the information is very helpful. It begins by defining information assurance, then addresses where IT fits in, followed by some vulnerabilities, and finishes with the human factor.
Life Cycle Security - This pdf deals with ways to assure that a computer stays secure even as the system and network continue to grow in both complexity and functionality. The basic process for ensuring that a system stays trustworthy is certification. As the article states, the goal is "preserving the public trust" without "unintended consequences."
I like this site because of the idea that I might have the opportunity to attend the conference. It describes the keynote speakers (who are recognized IA industry leaders) and the various sessions that are to be offered. I would recommend this site and this conference for anyone who might be interested in going into this type of career field.
CERT's page for Survivable Systems Analysis, formerly Survivable Network Analysis. - The field of survivable systems engineering explores the current state of systems to identify problems and propose engineering solutions. The work described on this site focuses on the development lifecycles for both new development and COTS-based systems. It includes analysis of how susceptible these systems are to sophisticated attacks and suggestions for improving the design of systems based on this analysis.
Current work in the area of models and assessment includes the development of the Survivable Systems Analysis (SSA) method, formerly known as Survivable Network Analysis (SNA). SSA is a practical engineering process that enables you to systematically assess the survivability properties of proposed systems, existing systems, and modifications to existing systems.
The Center for High Assurance Computing Systems, a branch within the Information Technology Division of the Naval Research Laboratory
The Center for High Assurance Computing Systems conducts interdisciplinary research and development in techniques for processing and communicating data that preserve critical system properties, such as security, safety, availability, and timely delivery of computational results.
Independent Systems Assurance Testing: How do I know I can trust this system? This is a presentation from the 1998 ACS Annual Conference. The material covered is by no means outdated in today's assurance environment. This presentation covers "the components of a thorough system assurance program": defining technical standards, including acceptance criteria in several categories; planning for testing from project conception; reviewing system specifications; creating and reviewing test plans; coordinating test plans and tests with third-party providers; testing and reviewing test results; re-testing corrected systems; and system acceptance. It concludes with a pitch for independent systems assurance and third-party testing.
Network Security Assurance Group - The Network Security Assurance Group provides data and network security auditing, managed security services, federal security compliance including HIPAA and Gramm-Leach-Bliley, disaster recovery planning, and other information security services.
They have worked with the US and Canadian governments and have an average of 12 years of experience. However, most interesting is the Internet news page on this site. It has up-to-date articles that deal with the security issues of the here and now.
Tech ignorance, vague laws lead to mistaken conviction - Posted Oct. 25, 2003; This article is about computer administrator Bret McDanel, who alerted his managers to a flaw. They ignored his pleas to fix the problem. He quit and notified their customers of the problem. He was convicted and served time. Then his prosecutors asked an appeals court to reverse his conviction.
VIGILANTe - This site offers one company's take on what security assurance is. They are in the business of providing security assurance to their Internet customers. They test their customers' sites for vulnerabilities. They secure networks, servers, software and firewalls, and engage in other security practices that make the Internet and IT environment a safer place to carry out an almost infinite variety of activities and to improve operational performance. Security assurance, as policy, practice, and procedure, is presented as something that has to make sense and dollars. The news page on this site also relates to security.
Computer Science and Telecommunications Board Topic: Security, Assurance and Privacy - A pioneer in framing and analyzing Internet policy, CSTB provides independent assessments of technical and public policy issues relating to computing and communications. Composed of leaders in information technology and complementary fields from industry and academia, CSTB is unique in its scope and its interdisciplinary approach to technical, economic, social, and policy issues. This site has a list of projects in progress and publications that deal with security assurance and privacy. This is a great site for research into different areas of security, of which security assurance is an important one.
Klocwork - This is the site of an AI company that sells software that allows you to check the assurance of your code. They have created software that uncovers and corrects leaks, overflows, and other code defects that leave your system vulnerable to malicious code. When you start to look for software to check the assurance of your code, this is one place to start looking. They even have quickstart software designed to get you on the road to a more secure system in less than a week.
This is a wonderful website that explains the partnership that has developed between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). This government initiative was created to meet the overwhelming need for security evaluation, security assessment, and security testing. They have been responsible for new projects pertaining to certification and accreditation, and for establishing the national security requirements project.
"XP flaw due to 'buffer overflow'" - Author: The Associated Press, December 21, 2001; Summary: The article talks about the buffer overflow problem in Windows XP and other software products. The buffer overflow could allow hackers to take over the computer, erase the disk, alter data and install their own programs. The bug was an unchecked buffer in the Universal Plug and Play software service, used to detect and link to other networked devices. This flaw was found after Microsoft proclaimed to have paid special attention to the buffer overflow problem. The article quotes a member of the Computer Emergency Response Team as saying that buffer overflow problems are usually a failure of individual programmers to see that they have enough space to store data.
"Unix Flaws and Vulnerabilities" - Author: Unknown; Summary: This would be a good paper for UNIX users to read. The topics covered in the paper are some of the flaws that come with the UNIX environment. The paper refers to them as "box flaws." The first flaw mentioned is buffer overflows. Some of the problems that create buffer overflows are programmers not checking boundaries, failure to check return codes of functions/procedures, and pointer problems/wrap-arounds.
"Make your software behave: Preventing buffer overflows" - Author: Gary McGraw and John Viega, Reliable Software Technologies, March 1, 2000; Summary: This article provides insight into the major security issues in the C programming language. The objective is to aid a programmer in protecting their code from "buffer overflow attacks through defensive programming." The article gives a list of problems that cause overflows in the C programming language and says they are usually associated with the C library. The article recommends that you avoid constructs such as strcpy(), scanf(), strecpy(), strtrns(), and several others, but it also shows another method of performing the same task. These methods reduce or eliminate the buffer overflow problem associated with the constructs. At the end of the article they provide a summary that lists the constructs that should be avoided or used with precaution, gives the severity of using each construct, and gives the solution to overcome the problem.
"Session Title: Operational Assurance" - Author: WITAT '96 Session Notes; Summary: The session notes are in regard to operational assurance. The notes state that even if information technology were 100% free of flaws, people would still have to install it, configure it, and use it correctly for the system to be secure. Therefore, operational assurance is dependent not only on the information technology, but on the environment and process involved. There are nine operational objectives listed in the article, and for each objective recommendations are made, referenced from Certification and Accreditation, Inspector General, Inspections and Security Audits, and Information Systems Security Officer.
"Our computer assurance review is designed to give clients..." - Author: Grant Thornton's Audit; Summary: This site is a service that is offered to people regarding the adequacy of their security systems. I think it is interesting because this is an organization whose goal is to help other organizations establish a safe and secure system. This article gives an overview of the things they look for in helping to determine the safety and security of an information system. The following areas are covered: segregation of duties, physical and logical access controls, environmental controls, disaster recovery planning, management and supervisory controls, program change control, and network security and the implications of use of the Internet.
This site appears to be a little different. Global Information Assurance Certification (GIAC) appears to be a new and possibly up-and-coming IA certification. The site contained a lot of information pertaining to GIAC but not much on overall general IA information.
Usability Assurance - Date: September, 1998; Author: Jonathan Earthy; Summary: The article discusses usability assurance. Usability assurance provides a way for IT suppliers to demonstrate their consideration of users and usability, and it may give a market edge. It allows purchasers to reduce the risk associated with selecting a new IT-based product or system. Assurance also provides a convenient means to demonstrate the fulfillment of contract requirements.
The Mother Of All Security Standards? - Author: Stephen Cobb; Summary: The article discusses the ISO standard ISO 17799. The article addresses four different types of information security assurance that every organization needs. The four types are organizational assurance, product assurance, service provider assurance, and business trading partner assurance. According to the article, the first three items are an excellent way of analyzing an organization's information security concerns, and the fourth concerns the security of the entities with whom you do business.
What Is Information Assurance? - Date: July, 2002; Author: Walter L. McKnight; Summary: The article defines information assurance from a technical viewpoint, addressing the five attributes of information assurance: availability, integrity, authentication, confidentiality, and non-repudiation. Each term is illustrated for better understanding, showing where the various disciplines associated with information assurance fit into the overall picture. There are concluding references that provide a more in-depth understanding. An understanding of information assurance is critical because its activities involve many disciplines and permeate all phases of software life-cycle development and system maintenance.
Build High-Quality E-Business Applications - Author: Phil Hollows; Summary: Because errors in performance and functionality can be insidious, result from multiple causes, and are risky and costly to fix, e-businesses are becoming more proactive in their Web testing. The question then becomes not whether a Web application has been tested but how well that testing was done. Quality assurance shouldn't just happen at the end of the application development life cycle. The testing approach should be changed so that applications can be launched with confidence.
Government official blasts security vendors - Date: July 28, 2000; Author: Ann Harrison; Summary: The National Security Agency's senior technical director lambasted developers of security tools, which he said were so weak that they encouraged attacks by computer crackers. According to the article, the senior technical director believes that crackers and script kiddies demonstrate that assurance technology is barely adequate and will not hold up in malicious environments. Assurance, as a confidence-building activity, demonstrates that a system possesses only the desired properties and that its functions are implemented correctly. Furthermore, assurance can be provided through a structured design process, documentation, and testing. It was conceded that assurance problems such as insecure operating systems and recurring buffer overflow vulnerabilities are not likely to improve over the next five years.
This is a good site that you can get lost in. It contains so much information on Information Assurance, covering everything from conferences to overviews, news, and other useful links. It also contains information on IEEE's Information Assurance Standards Committee, Task Force on Information Assurance, and Technical Committee on Security and Privacy.
National Information Assurance Partnership - This web site is sponsored by the NIAP and is a collaborative effort between NIST (National Institute of Standards and Technology), NSA (National Security Agency), and other public and private organizations. The goal is to support the 1997 Computer Security Act. There is plenty of useful and detailed information on the development of secure computing environments, including the development, implementation, testing and evaluation of computer systems.
The Center for Education and Research in Information Assurance and Security at Purdue University - This web site offers a great deal of information about information assurance, testing and evaluation, including a great library of searchable papers from the BibTeX link. This library would be a great source of research documentation for a security or assurance project.
Software Quality Assurance - Author: Chalapati; This is a 6-page paper that discusses software quality assurance planning and execution. The paper does a good job of reviewing some of the details of the necessary steps in planning for software quality assurance.
Security Assurance - Author: Raymond Muth; This is a great article about the author's personal experience as a CPA dealing with penetration testing in the online banking industry. This article is perfectly in line with the first discussion question for this section, that is, confidence in a vendor's claims. The author tells how the quality of testing was not up to standard, so the results from the testing would be questionable as well.
Assurance - Author: Cliff Clifton; Oct 03; This is an information assurance presentation from a student at Purdue University. It covers most of the key topics in chapter 18 of our text. It followed very closely the personal notes I took from the text.
This is a great site for up-to-date news; it contains a brief description of what Information Assurance is, an IA acronym list and IA-related links. This is also an overall great site for all types of information, including PKI, upcoming IA events, IA training products, Computer Network Defense, wireless security, and ports and protocols. Put this on your list of favorites and visit it often.
Quality Assurance - Great site that gives an overview of Quality Assurance testing. It describes the approaches to QA, testing phases, principles of software testing and test automation.
The Waterfall Model - This site gives a nice explanation of the waterfall model. It displays a clear flow of how the model is intended to function in order to assist in attaining assurance.
Software QA and Testing FAQ - Rick Hower; This site provides FAQs regarding Quality Assurance. It explains the role of quality assurance in software testing. It includes a discussion of the software life cycle and the roles of verification and validation in testing.
Common Criteria Security Assurance Requirements - This site gives a brief overview of what assurance is, why assurance is important and how assurance is gained.
The State of Biometrics Security Assurance - Matt King; February 15, 2002; This site discusses the importance of testing in achieving security assurance for biometrics.
Defending Against Information Sabotage: Security Solutions for Libraries - Includes an extensive list of resources.


Back to Information Assurance e-Library Index




written by Wayne Summers summers_wayne@ColumbusState.edu