lock over keyboard
Article

The 5 Pillars of Information Assurance



For businesses that store or exchange sensitive proprietary or personal data using information networks, the individual machines used in their networks are typically not at great risk; the information inside of them is what needs protection. As network security issues became more prevalent, information assurance (IA) has grown to become an essential professional discipline that is critical to the safety of public and private information. Professionals in this field require a flexible skill set that they can adapt to protect an organization against a range of threats, such as cyber espionage and cyber attacks. The following five pillars of information assurance, according to the Department of Defense Cyber Security Model, are oft-referenced guidelines for maintaining an information system’s safety against manmade and natural threats.

Availability

Availability means that users can access the data stored in their networks or use services that are featured within those networks. Without easy data access, the system’s users are limited in their ability to access important information or perform critical tasks. Threats to availability are becoming more complex because more of the world’s information is online and vulnerable to hackers. For instance, if a cybercriminal renders an automated car’s operation system inoperable, the car could cause an accident. Businesses have the same risk. If a company’s leaders can’t access important data when making business decisions, the company could lose revenue as a result. IA professionals must know how to avoid threats that could block data availability using tools like firewalls and implement other, more complex security measures.

Integrity

Upholding an information system’s integrity involves keeping its network intact and uncompromised; thus, the primary goal of this pillar is to set up safeguards that deter threats. For example, viruses and malicious code are the most common threats to a system’s integrity. To prevent viruses from deleting or damaging files, IA professionals use antivirus software and other tools to stop them before they enter the computer system. They also develop policies to keep users in their organizations from mishandling data and run penetration testing to simulate system attacks. These tests ensure that their networks are strong; if the IA professionals detect weaknesses, they work to repair and secure the system and protect the integrity of the data therein. Having the right IA rules and practices in place helps keep organizations’ information and systems secure.

Authentication

IA professionals use authentication methods to verify a user’s identity before allowing them to access data. Common authentication methods include a username and password combination, and biometric logins, such as fingerprint scanning recognition. When these authentication systems are compromised, data can be stolen, and information services can be impaired. A high-profile example of an authentication attack occurred in 2011, when hackers managed to use a combination of phishing techniques and malware to take control of a computer being operated by an employee of RSA, a large security company. RSA disclosed that the cyber criminals, once in control, managed to steal several account passwords from the employee, and then used them to gain access to the company’s proprietary systems.

With those passwords in hand, the hacker was able to bypass authentication protocols and download sensitive data from the company. The hacker’s entry method was blocked and the vulnerable data secured, but the attack caused RSA lasting damage. While RSA has not disclosed the full extent of the data that was stolen, the company did state that the breach has damaged their reputation and possibly decreased the effectiveness of some of their security products. The RSA attack is an example of a very complex authentication attack, but attackers can also attempt to force their way through authentication systems using simple methods like brute force attacks, which involve using malicious programs to rapidly test thousands or even millions of password combinations until one works. When it comes to combatting attacks like these, it is up to IA professionals to investigate any exploitable flaws that might exist in their authentication systems and take action to eliminate them.

Confidentiality

Keeping sensitive data private using safeguards like data encryption is an extremely important function of IA professionals. Confidentiality involves protecting private information from disclosure to any unauthorized users, systems, or other entities. Confidentiality must be considered in terms of the data, not just in terms of access or permissions. Only those who are authorized can access the data, the devices or the processes that contain the data.  Prioritizing information confidentiality helps companies defend themselves from having their ideas stolen while protecting their customers from the exploitation of their personal information.

In early 2018, international shipping giant FedEx discovered that hackers had managed to steal scanned images of approximately 119,000 of its customers’ personal documents, including passports and driver's licenses. Surprisingly, these images were being stored on an unsecured third-party server that has since been closed. According to a statement by FedEx officials, an internal investigation concluded that none of the information had been misappropriated. This was a stroke of luck for FedEx, but this is a compelling example of how a simple mistake can put a large amount of private data at risk.

Non-repudiation

When individuals send information through a network, it is important that the information system be able to provide proof of delivery to confirm that the data was properly transmitted. The same applies to the receiving end—recipients should have confirmation of the sender’s identity. This information, called non-repudiation, is necessary to confirm the individual responsible for processing certain data. Repudiation attacks are not common, but a general example is the manipulation of the access logs on a computer to make it difficult or impossible to identify which user was logged in at a specific time. If a user engages in unauthorized activity during the attack, it would be hard for the organization to determine who was responsible for that activity, limiting their ability to prevent future attacks. Today non-repudiation attacks are rare, but this is due to the work of diligent IA workers who have developed network infrastructure capable of consistently tracking and verifying cross-network data exchanges with minuscule margins of error.

Implementing the Five Pillars of Information Assurance

Information security analysts use their knowledge of computer systems and networks to defend organizations from cyber threats. They monitor the networks to keep track of any possible security breaches, and they investigate any that they find. Additionally, they are responsible for setting up protective measures within information systems. To ensure that those measures will comply with the five pillars of information assurance, they also conduct penetration tests that simulate attacks so they can identify vulnerabilities real attackers could exploit. In recent years, the information technology and security fields have been rapidly growing due to the increased reliance most industries have on information networks, and, as a result, information security specialists are in high demand. In fact, the Bureau of Labor Statistics (BLS) reported information security analysts across the U.S. earned a remunerative median annual salary of $95,520 in 2017 with a forecasted 28 percent increase in available jobs between 2016 and 2026; that’s an additional 28,500 jobs added to the approximate 100,000 that were available in 2016.

While some entry-level positions in information security require a bachelor’s degree, many IA professionals choose a Master of Science in Information Security and Assurance degree program because they believe it might give them a competitive edge when competing for jobs, especially executive-level leadership positions in information security, information assurance or risk management. All of these jobs borrow from the Five Pillars of Information Assurance, which go beyond cyber security and encompass anything that can compromise data, ranging from malicious attacks to power surges. Whatever the issue, information assurance professionals can rely on the Five Pillars to provide a framework for protecting data and users.

Learn More

As the nation’s oldest private military college, Norwich University has been a leader in innovative education since 1819. Through its online programs, Norwich delivers relevant and applicable curricula that allow its students to make a positive impact on their workplaces and communities.

At Norwich University, we extend a tradition of values-based education, where structured, disciplined, and rigorous studies create a challenging and rewarding experience. Online programs, such as the Master of Science in Information Security & Assurance, have made our comprehensive curriculum available to more students than ever before.

Norwich University has been designated as a National Center of Academic Excellence in Cyber Defense by the National Security Agency and Department of Homeland Security. Students enrolled in the online Master of Science in Information Security & Assurance program can choose from five concentrations that are designed to provide an in-depth examination of policies, procedures, and overall structure of an information security program.

Recommended Reading

Understanding Data Loss Prevention Strategies

7 Books on Information Assurance & Cyber Security

7 High-Level Tips to Help Businesses in Protecting Data

Sources

Pillars of Cyber Security, United States Naval Academy

Information Assurance, United States Naval Academy

Information Security Analysts, Bureau of Labor Statistics

The most infamous data breaches, Techworld

Hacking crisis costs EMC reputation in security, Reuters

The RSA Hack: How They Did It, The New York Times