
Information Security

Information security is about how to prevent attacks, or failing that, how to detect attacks on information-based systems. Information security requirements have changed in recent times:
- traditionally, security was provided by physical and administrative mechanisms;
- computer use requires automated tools to protect files and other stored information;
- the use of networks and communications links requires measures to protect data during transmission.

Introduction
The primary mission of information security is to ensure that systems and their contents stay the same. If no threats existed, resources could be focused on improving systems, resulting in vast improvements in ease of use and usefulness. Attacks on information systems are a daily occurrence. Information security performs four important functions for an organization:
- protects the organization's ability to function;
- enables safe operation of applications implemented on its IT systems;
- protects the data the organization collects and uses;
- safeguards the technology assets in use.

Protecting the Functionality of an Organization
Management (general and IT) is responsible for implementation. Information security is both a management issue and a people issue. The organization should address information security in terms of business impact and cost.

Enabling the Safe Operation of Applications
The organization needs environments that safeguard applications using its IT systems. Management must continue to oversee the infrastructure once it is in place, not relegate it to the IT department.

Protecting Data that Organizations Collect and Use
Without data, an organization loses its record of transactions and/or its ability to deliver value to customers.

Protecting data in motion and data at rest are both critical aspects of information security.

Safeguarding Technology Assets in Organizations
Organizations must have secure infrastructure services based on the size and scope of the enterprise. Additional security services may be needed as the organization grows. More robust solutions may be needed to replace security programs the organization has outgrown.

Critical Characteristics of Information
The value of information comes from the characteristics it possesses: availability, confidentiality, integrity, accuracy, authenticity, utility, and possession.

Confidentiality
When information is read or copied by someone not authorized to do so, the result is known as loss of confidentiality. For some types of information, confidentiality is a very important attribute. Confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems. Examples include research data, medical and insurance records, new product specifications, and corporate investment strategies. In some locations, there may be a legal obligation to protect the privacy of individuals. This is particularly true for banks and loan companies; debt collectors; businesses that extend credit to their customers or issue credit cards; hospitals, doctors' offices, and medical testing laboratories; individuals or agencies that offer services such as psychological counseling or drug treatment; and agencies that collect taxes.
In highly secure government agencies, such as the Department of Defence, confidentiality ensures that the public cannot access private information. In businesses, confidentiality ensures that private information, such as payroll and personal data, is protected from competitors and other organisations.

In the e-commerce world, confidentiality ensures that customers' data cannot be used for illegal purposes.

Integrity
Information can be corrupted when it is available on an insecure network. When information is modified in unexpected ways, the result is known as loss of integrity. This means that unauthorized changes are made to information, whether by human error or intentional tampering. Integrity is particularly important for critical safety and financial data used for activities such as electronic funds transfers, air traffic control, and financial accounting. In information security, integrity means that data cannot be modified without authorization. Integrity is violated when a virus infects a computer, when an employee is able to modify his own salary in a payroll database, or when an unauthorized user vandalizes a website.

Availability
Information can be erased or become inaccessible, resulting in loss of availability. This means that people who are authorized to get information cannot get what they need. Availability is often the most important attribute in service-oriented businesses that depend on information (for example, airline schedules and online inventory systems). Availability of the network itself is important to anyone whose business or education relies on a network connection. When users cannot access the network or specific services provided on the network, they experience a denial of service.
To make information available to those who need it and who can be trusted with it, organizations use authentication and authorization. Authentication is proving that a user is the person he or she claims to be. That proof may involve something the user knows (such as a password), something the user has (such as a "smartcard"), or something about the user that proves the person's identity (such as a fingerprint). Authorization is the act of determining whether a particular user (or computer system) has the right to carry out a certain activity, such as reading a file or running a program. Authentication and authorization go hand in hand: users must be authenticated before carrying out the activity they are authorized to perform. Security is strongest when the means of authentication cannot later be refuted, so that the user cannot later deny having performed the activity. This is known as nonrepudiation.

Threats
Threat: an object, person, or other entity that represents a constant danger to an asset.

Management must be informed of the different threats facing the organization. Overall security is improving.

Compromises to Intellectual Property (Piracy, Copyright Infringement)
Intellectual property (IP): "ownership of ideas and control over the tangible or virtual representation of those ideas". The most common IP breaches involve software piracy. Two watchdog organizations investigate software abuse: the Software & Information Industry Association (SIIA) and the Business Software Alliance (BSA). Enforcement of copyright law has been attempted with technical security mechanisms.

Deliberate Software Attacks
Malicious software (malware) is designed to damage, destroy, or deny service to target systems. Includes:
- viruses
- worms
- Trojan horses
- logic bombs
- back doors or trap doors
- polymorphic threats
- virus and worm hoaxes

A computer virus is a program written to enter your computer system surreptitiously (secretly) and "infect" it by installing or modifying files or establishing itself in memory. Some viruses are benign and won't harm your system, while others are destructive and can damage or destroy your data. Viruses can spread via any of the methods used to get information into your computer: network connections, shared folders, e-mail, and shared media such as flash memory, CDs, and diskettes. Once they are established on your computer, viruses work at transferring themselves to other computers.

Worms are self-replicating malware that spread on their own via e-mail or networks; unlike a virus, a worm does not need to attach itself to a host program or file.

In computers, a Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage. Trojans are seemingly legitimate computer programs that have been intentionally designed to disrupt your computing activity or use your computer for something you did not intend.

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files (such as a salary database trigger). To be considered a logic bomb, the payload should be unwanted and unknown to the user of the software. As an example, trial programs with code that disables certain functionality after a set time are not normally regarded as logic bombs.

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing illegal remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected.

Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. Some viruses attack their host systems on specific dates. Trojans that activate on certain dates are often called "time bombs".

Polymorphic malware is harmful, destructive or intrusive computer software such as a virus, worm, Trojan or spyware that constantly changes ("morphs"), making it difficult to detect with signature-based anti-malware programs.

Hoaxes: transmission of a virus hoax with a real virus attached; a more devious form of attack.

Deviations in Quality of Service
Includes situations where products or services are not delivered as expected. An information system depends on many interdependent support systems. Internet service, communications, and power irregularities dramatically affect the availability of information and systems.

Internet service issues: Internet service provider (ISP) failures can considerably undermine the availability of information. An outsourced Web hosting provider assumes responsibility for all Internet services as well as the hardware and Web site operating system software.

Communications and other service provider issues.

Power irregularities: commonplace. Organizations with inadequately conditioned power are susceptible; controls can be applied to manage power quality. Fluctuations (short or prolonged):
- excesses (spikes or surges): a voltage increase
- shortages (sags or brownouts): a low voltage
- losses (faults or blackouts): a loss of power

Espionage or Trespass
Access to protected information by unauthorized individuals. Competitive intelligence (legal) vs. industrial espionage (illegal). Shoulder surfing can occur anywhere a person accesses confidential information. Controls let trespassers know they are encroaching on the organization's cyberspace. Hackers use skill, guile, or fraud to bypass the controls protecting others' information.

Expert hacker:
- develops software scripts and program exploits
- usually a master of many skills
- will often create attack software and share it with others

Unskilled hacker:
- there are many more unskilled hackers than expert hackers
- use expertly written software to exploit a system
- do not usually fully understand the systems they hack

Other terms for system rule breakers:
- Cracker: "cracks" or removes software protection designed to prevent unauthorized duplication
- Phreaker: hacks the public telephone network

Forces of Nature
Forces of nature are among the most dangerous threats. They disrupt not only individual lives, but also the storage, transmission, and use of information. Organizations must implement controls to limit damage and prepare contingency plans for continued operations.

Human Error or Failure
Includes acts performed without malicious intent. Causes include inexperience, improper training, and incorrect assumptions. Employees are among the greatest threats to an organization's data. Employee mistakes can easily lead to:
- revelation of classified data
- entry of erroneous data
- accidental data deletion or modification
- data storage in unprotected areas
- failure to protect information
Many of these threats can be prevented with controls.

Information Extortion
An attacker steals information from a computer system and demands compensation for its return or nondisclosure. Commonly done in credit card number theft.

Missing, Inadequate, or Incomplete Policy, Planning, or Controls
Gaps in policy or planning can make organizations vulnerable to loss, damage, or disclosure of information assets. Gaps in controls make an organization more likely to suffer losses when other threats lead to attacks.

Sabotage or Vandalism
Threats range from petty vandalism to organized sabotage. Web site defacing can erode consumer confidence, dropping sales and the organization's net worth. The threat of hacktivist or cyberactivist operations is rising. Cyberterrorism is a much more sinister form of hacking.

Theft
The illegal taking of another's physical, electronic, or intellectual property. Physical theft is controlled relatively easily. Electronic theft is a more complex problem: evidence of the crime is not readily apparent.

Technical Hardware Failures or Errors
Occur when a manufacturer distributes equipment containing flaws to users. They can cause a system to perform outside of expected parameters, resulting in unreliable or poor service. Some errors are terminal; some are intermittent.

Technical Software Failures or Errors
Purchased software may contain unrevealed faults. Combinations of certain software and hardware can reveal new software bugs. Entire Web sites are dedicated to documenting bugs.

Technological Obsolescence
Antiquated or outdated infrastructure can lead to unreliable, untrustworthy systems. Proper managerial planning should prevent technology obsolescence; IT plays a large role.

Ensuring Business Continuity

- Downtime: period of time in which a system is not operational.
- Fault-tolerant computer systems: redundant hardware, software, and power supply components to provide continuous, uninterrupted service.
- High-availability computing: designing to maximize application and system availability.
- Load balancing: distributes access requests across multiple servers.
- Mirroring: a backup server that duplicates the processes on the primary server.
- Recovery-oriented computing: designing computing systems to recover more rapidly from mishaps.
- Disaster recovery planning: plans for restoration of computing and communications disrupted by an event such as an earthquake, flood, or terrorist attack.
- Business continuity planning: plans for handling mission-critical functions if systems go down.

Auditing
- MIS audit: identifies all of the controls that govern individual information systems and assesses their effectiveness.
- Security audits: review technologies, procedures, documentation, training, and personnel.
(Figure: Sample Auditor's List of Control Weaknesses)


Access Control
Access control consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders. Authentication methods:
- passwords
- tokens, smart cards
- biometric authentication

Firewalls, Intrusion Detection Systems, and Antivirus Software
Firewalls: hardware and software controlling the flow of incoming and outgoing network traffic.
Intrusion detection systems: full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders.


Antivirus software: software that checks computer systems and drives for the presence of computer viruses and can eliminate the virus from the infected area.
Wi-Fi Protected Access (WPA) specification.

Encryption and Public Key Infrastructure

Public key encryption: uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key. In practice the public key is used to encrypt and the private key to decrypt; the reverse direction, where the private key produces something anyone can check with the public key, is the basis of digital signatures. Encryption is the process of translating plain text data (plaintext) into something that appears to be random and meaningless (ciphertext). Decryption is the process of converting ciphertext back to plaintext.
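The two-key property described above, as an added example that is not from the original page: it uses Go's standard-library crypto/rsa with OAEP padding to show that ciphertext made with a public key opens only with the matching private key, and that a different private key is rejected outright rather than yielding garbage. The helper names (GenerateKeyPair, Encrypt, Decrypt, Demo), the 2048-bit key size and the sample card string are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// GenerateKeyPair creates an RSA key pair. The public half can be handed to
// anyone; the private half stays with the recipient of the ciphertext.
func GenerateKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// Encrypt produces ciphertext using only the recipient's PUBLIC key.
// RSA-OAEP with SHA-256 is randomized, so encrypting the same plaintext twice
// gives different ciphertext, which hides repeated messages from an observer.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// Decrypt recovers the plaintext with the matching PRIVATE key. With any other
// private key the OAEP padding check fails and an error is returned.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, nil)
}

// Demo walks through the two-key property and reports
// (rightKeyDecrypts, wrongKeyRejected, ciphertextsDiffer).
func Demo() (bool, bool, bool, error) {
	alice, err := GenerateKeyPair(2048) // the intended recipient
	if err != nil {
		return false, false, false, err
	}
	mallory, err := GenerateKeyPair(2048) // someone else with their own key pair
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample plaintext. OAEP with SHA-256 and a 2048-bit key holds
	// at most 190 bytes, so bulk data is encrypted with a symmetric key and
	// only that key is wrapped with RSA (hybrid encryption).
	msg := []byte("card 4111-1111-1111-1111 exp 12/29 (constructed sample)")

	ct1, err := Encrypt(&alice.PublicKey, msg)
	if err != nil {
		return false, false, false, err
	}
	ct2, _ := Encrypt(&alice.PublicKey, msg)

	pt, err := Decrypt(alice, ct1)
	if err != nil {
		return false, false, false, err
	}
	_, wrongKeyErr := Decrypt(mallory, ct1)

	return bytes.Equal(pt, msg), wrongKeyErr != nil, !bytes.Equal(ct1, ct2), nil
}

func main() {
	ok, rejected, differ, err := Demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("right key decrypts: %v, wrong key rejected: %v, ciphertexts differ: %v\n",
		ok, rejected, differ)
}
```

Run it with `go run`. The size limit noted in the comment is why real protocols never RSA-encrypt the data itself: they encrypt a fresh symmetric key and let that key protect the session, which is also what the TLS material later in this document relies on.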


Encryption and Public Key Infrastructure (cont'd.)

Message integrity: the ability to be certain that the message being sent arrives at the proper destination without being changed. (Keeping it from being copied or read along the way is a confidentiality property, not an integrity one.)
Digital signature: a digital code attached to an electronically transmitted message that is used to verify the origin and contents of the message. A digital signature uses public key cryptography to do two things: it proves that the message has not been changed in transit (message integrity), and it links the message to the holder of the signing key (non-repudiation).
Digital certificates: data files used to establish the identity of users and electronic assets for the protection of online transactions.
Public Key Infrastructure (PKI): use of public key cryptography working with a certificate authority.

Digital certificates
In general use, a certificate is a document issued by some authority to attest to a truth or to offer certain evidence. A digital certificate is commonly used to offer evidence in electronic form about the holder of the certificate. In PKI it comes from a trusted third party, called a certification authority (CA), and it bears the digital signature of that authority.
A common use for a digital certificate is to associate or "bind" a person to a public key, which is contained in the certificate. The CA is asserting that this unique public key belongs to one individual: the person who holds the linked private key. Only the holder of the private key can decrypt something that is encrypted with the public key.
Digital certificates are also commonly used in electronic commerce, where the owner of a secure site obtains a digital certificate that is checked by a browser for a secure session. In this case, the CA is asserting that the public key belongs to the business; it is bound to the domain. The information associated with this certificate is also used to set up an encrypted session so that others cannot see personal information like credit card numbers when they are in transit over the web. A browser accepts the certificate only if it is signed by a CA in the browser's trust store, is within its validity period, and names the host actually being contacted.
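Added example, not part of the original page, of the two things this section describes: a digital signature giving message integrity and non-repudiation, and a CA-issued certificate that binds a domain to a public key, together with the checks a browser makes before trusting it (trusted issuer, validity period, matching host name). It uses Go's standard-library crypto/ed25519 and crypto/x509. The function names, the domain shop.example, the CA names and the sample payment message are assumptions made for this example, not anything from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignatureDemo: a signature made with a private key verifies only with the matching
// public key and only over the exact bytes signed. Returns (genuine, tampered, other).
func SignatureDemo() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	msg := []byte("pay 100.00 to account 12345")      // constructed sample message
	tampered := []byte("pay 900.00 to account 12345") // the same message altered in transit
	sig := ed25519.Sign(priv, msg)
	// genuine: origin and integrity hold; tampered: the change is detected;
	// other: the signature cannot be attributed to a different key holder
	return ed25519.Verify(pub, msg, sig), !ed25519.Verify(pub, tampered, sig), !ed25519.Verify(otherPub, msg, sig), nil
}

func certTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// IssueCA creates a self-signed root: the CA vouches for its own key and
// marks itself as permitted to sign other certificates.
func IssueCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := certTemplate(1, name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// IssueLeaf is the binding the text describes: the CA signs a statement that a
// fresh public key belongs to whoever controls domain.
func IssueLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, domain string) (*x509.Certificate, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := certTemplate(2, domain)
	tmpl.DNSNames = []string{domain}
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BrowserCheck is what a client does before trusting a site's key: signed by a root
// we trust, still valid, and issued for the host we are actually connecting to?
func BrowserCheck(leaf, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey, err := IssueCA("Example Root CA")
	if err != nil {
		panic(err)
	}
	leaf, err := IssueLeaf(ca, caKey, "shop.example")
	if err != nil {
		panic(err)
	}
	rogue, _, _ := IssueCA("Rogue CA") // a CA the client was never told to trust
	fmt.Println("trusted CA, right host:", BrowserCheck(leaf, ca, "shop.example"))
	fmt.Println("trusted CA, wrong host:", BrowserCheck(leaf, ca, "evil.example"))
	fmt.Println("issuer not in trust store:", BrowserCheck(leaf, rogue, "shop.example"))
}
```

The first BrowserCheck returns nil; the second fails because the certificate does not name evil.example, and the third fails because a perfectly valid-looking chain ends at a root the client does not trust. That last case is the whole point of the trust store: a certificate is only as good as the CA the verifier has chosen to believe.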


Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): protocols for secure information transfer over the Internet; they enable client and server computers to encrypt and decrypt data as they communicate during a secure Web session. All versions of SSL are now deprecated; current deployments use TLS (1.2 or 1.3).
Secure Hypertext Transfer Protocol (S-HTTP): used for encrypting data flowing over the Internet; limited to individual Web documents, whereas SSL and TLS encrypt all data being passed between client and server. S-HTTP saw little adoption; HTTPS (HTTP over TLS) is what is used in practice.

Protection against Malware
- Good user education is vital in fighting against malware.
- Keep your operating system up to date by installing OS security fixes and program patches.
- Use firewall protection.
- Install anti-spyware software.
- Monitor logs for unusual traffic.

When using e-mail:
- Ensure you are addressing the right person prior to sending an e-mail.
- Beware of e-mails from unknown parties.
- Do not open unsolicited mails.
- Never respond to unsolicited e-mails.

E.g.: "you have won $1,00,000. Kindly send your bank details for crediting your account." These are scams, also known as social engineering attacks.

- Suspicious attachments must not be opened, e.g. executable or script-like files (with .exe, .com, .bat, .reg extensions). Check the full file name: a double extension such as "invoice.pdf.exe" is still an executable.
- Regularly purge unnecessary e-mails (including emptying "Deleted Items") to free storage space.
- Do not open or reply to spam messages.
- Avoid registering unnecessarily to mailing lists.
- Use a properly configured and regularly updated spam filter, antivirus and anti-spyware software.
- Use a firewall as well.

