Information System protection and Security

Transcript of Information System protection and Security

Page 1: Information System protection and Security

Page 2: Need for Information System Security

With the advent of computers and telecommunication systems, organizations have started using more and more computer-based information systems, especially networked systems.

As a result, information systems have become easy targets for threats, because the internet consists of thousands of unsecured computer networks that are in communication with each other.

Page 3: Information Systems Security

A discipline that protects the Confidentiality, Integrity and Availability of information and information services.

Page 4: Threats to Computerized Information Systems

Hardware failure
Software failure
Personnel actions
Terminal access penetration
Theft of data, services, equipment
Fire
Electrical problems
User errors
Unauthorized program changes
Telecommunication problems

Page 5: Threats to Computerized Information Systems

In general, the major threats to an IS are categorized as:
Human error or failures
Manipulation of data/system
Theft of data/system
Destruction from viruses
Technical failure/errors of systems
Natural disasters like flood, fire, earthquake etc.

Page 6: Human errors or failures

In this category, unintentional errors are made by an authorized user. The authorized user may commit errors like entry of wrong data, accidental deletion or modification of data, or storage of data in unprotected areas like a desktop.

Errors happen because of lack of experience, improper training or other circumstances.

Page 7: Manipulation of Data/System

This category of threat arises from deliberate acts by persons or organizations that are designed to harm the data or information systems of an organization.

Here an unauthorized individual gains access to private/confidential data and purposefully performs harmful acts such as deleting, corrupting or stealing the data.

Page 8: Theft of Data/Systems

It is a deliberate attempt by some person to steal the important data of an organization.

Hackers: persons who intercept communication lines to steal data without the knowledge of the owner of the data.

Crackers: illegally break into other people's secure systems and networks.

Cyber Terrorists: threaten and attack other people's computers.

Page 9: Motivation for Hackers

The challenge
Espionage
Mischief
Money (extortion or theft)
Revenge

Page 10: Destruction from Viruses (Threats: MALWARE)

Malware is Malicious Software: deliberately created and specifically designed to damage, disrupt or destroy network services, computer data and software.

There are several types...

Page 11: Malware Types

Viruses:
Conceal themselves
Infect computer systems
Replicate themselves

Page 12: Malware Types

Worms: programs that are capable of independently propagating throughout a computer network.

They replicate fast and consume large amounts of the host computer's memory.

Page 13: Malware Types

Trojan Horses: programs that contain hidden functionality that can harm the host computer and the data it contains.

Trojan horses are not automatic replicators; computer users inadvertently set them off.

Page 14: Malware Types

Software Bombs:
Time Bombs: triggered by a specific time/date.
Logic Bombs: triggered by a specific event.
Both are planted some time in advance and damage the host system when triggered.

Page 15: Technical Failure / Errors of System

This category of threat includes technical failures or errors, which may occur because of manufacturing defects in the hardware or hidden faults in the software.

Page 16: Natural Disasters

These threats come from acts of God that cannot be prevented or controlled.

They include fire, flood, earthquake, lightning etc.

Page 17: Protecting Information Systems

The organization plans and implements various kinds of IS controls so as to avoid, reduce and manage the risks of these threats.

The controls are:
Physical controls
Technical controls
Administrative controls
General controls
Application controls

Page 18: Physical controls

This includes protecting computer hardware, software, databases etc. The location and layout of the computer centre must be well planned, i.e. the computer centre should be waterproof and fireproof, have proper air-conditioning and fire-extinguishing systems, and have emergency power shutoffs and backup systems.

Page 19: Technical controls

Technical controls are implemented in the IS application itself. They include:

Access controls: the restrictions imposed to prevent unauthorized access by any user.

A user is identified by a unique user identifier (such as a user name or account number), and that claimed identity is then verified by an authenticator such as a password, digital signature, voice print or fingerprint.
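The password check and the access decision described on this slide, as an added example that is not part of the slides (the deck contains no code). The user names, passwords and role table are constructed for the demo, and the PBKDF2 round count is an assumption; the point is that only a salted, iterated hash of each password is stored, that the comparison is constant-time, and that authentication (who are you) is decided separately from authorization (what may you do):

```python
import hashlib
import hmac
import os

# Added example, not from the slides: a user store that keeps only salted,
# iterated password hashes (authentication) and a role-to-permission map
# (access control). Users, passwords and roles below are constructed.

PBKDF2_ROUNDS = 100_000    # assumption for this demo; tune to your hardware
DUMMY_SALT = b"\x00" * 16  # used to equalise timing for unknown user names

ROLE_PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "clerk": {"read", "write"},
    "auditor": {"read"},
}


def hash_password(password, salt=None):
    """Return (salt, digest). The plaintext password is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Compare in constant time so response timing does not leak the digest."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


class UserStore:
    def __init__(self):
        self._users = {}

    def add_user(self, username, password, role):
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest, "role": role}

    def authenticate(self, username, password):
        """The identifier (username) selects the record; the authenticator (password) is verified."""
        user = self._users.get(username)
        if user is None:
            hash_password(password, DUMMY_SALT)  # same cost path for unknown users
            return False
        return verify_password(password, user["salt"], user["digest"])

    def authorize(self, username, action):
        """Authorization is a separate decision from authentication."""
        user = self._users.get(username)
        if user is None:
            return False
        return action in ROLE_PERMISSIONS.get(user["role"], set())

    def request(self, username, password, action):
        """Full access decision: 'allowed', 'denied:authentication' or 'denied:authorization'."""
        if not self.authenticate(username, password):
            return "denied:authentication"
        if not self.authorize(username, action):
            return "denied:authorization"
        return "allowed"


def build_demo_store():
    store = UserStore()
    store.add_user("alice", "correct horse battery staple", "admin")
    store.add_user("bob", "bobs-secret-2024", "clerk")
    store.add_user("carol", "audit-only!", "auditor")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    for user, pw, action in [("alice", "correct horse battery staple", "delete"),
                             ("bob", "bobs-secret-2024", "delete"),
                             ("bob", "wrong", "read"),
                             ("mallory", "anything", "read")]:
        print(user, action, "->", store.request(user, pw, action))
```

Note that an unknown user name still pays for one hash computation, so an attacker cannot tell valid from invalid user names by timing the response.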

Page 20: Technical controls

Data security controls: can be implemented through operating systems, database security, access control programs, and backup and recovery procedures.

Administrative controls: include the guidelines and rules of the organization for the use and deployment of IS resources.

Application controls: include input controls, processing controls and output controls.
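The three kinds of application control named above, as an added example that is not part of the slides. It also covers the wrong-data-entry case from the human-error slide: input controls validate each record, a processing control reconciles the record count and control total against what the operator declared for the batch, and an output control is the exception report of rejected records. The account master list, the batch and the per-entry ceiling are constructed for the demo:

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Added example, not from the slides: a constructed batch of data-entry
# records run through input, processing and output controls.

VALID_ACCOUNTS = {"A1001", "A1002", "A1003"}   # constructed master list
AMOUNT_LIMIT = Decimal("100000.00")            # assumption: single-entry ceiling


def validate_record(rec):
    """Input controls: return the reasons the record must be rejected (empty list = accept)."""
    errors = []
    if rec.get("account") not in VALID_ACCOUNTS:
        errors.append("unknown account")
    try:
        amount = Decimal(str(rec.get("amount")))
    except InvalidOperation:
        errors.append("amount is not numeric")
    else:
        if not (Decimal("0") < amount <= AMOUNT_LIMIT):
            errors.append("amount out of range")
    try:
        date.fromisoformat(str(rec.get("date")))
    except ValueError:
        errors.append("date is not YYYY-MM-DD")
    return errors


def process_batch(records, declared_count, declared_total):
    """Processing control (batch totals) and output control (exception report)."""
    accepted, exceptions = [], []
    for line_no, rec in enumerate(records, start=1):
        errors = validate_record(rec)
        if errors:
            exceptions.append({"line": line_no, "record": rec, "errors": errors})
        else:
            accepted.append(rec)
    posted_total = sum((Decimal(str(r["amount"])) for r in accepted), Decimal("0"))
    return {
        "input_count": len(records),
        "accepted": len(accepted),
        "rejected": len(exceptions),
        # The operator's declared count and total must reconcile with what was
        # actually posted; a mismatch is flagged for follow-up, never absorbed.
        "count_reconciles": len(records) == declared_count,
        "total_reconciles": posted_total == Decimal(str(declared_total)),
        "posted_total": posted_total,
        "exception_report": exceptions,
    }


# Constructed batch: the clerk declared 4 records totalling 1,750.00
SAMPLE_BATCH = [
    {"account": "A1001", "amount": "500.00", "date": "2024-03-01"},
    {"account": "A1002", "amount": "1000.00", "date": "2024-03-01"},
    {"account": "A9999", "amount": "150.00", "date": "2024-03-01"},   # typo in account id
    {"account": "A1003", "amount": "100.00", "date": "2024-13-01"},   # impossible month
]

if __name__ == "__main__":
    report = process_batch(SAMPLE_BATCH, declared_count=4, declared_total="1750.00")
    for item in report["exception_report"]:
        print("line", item["line"], "rejected:", "; ".join(item["errors"]))
    print("posted", report["posted_total"], "reconciles with declared total:",
          report["total_reconciles"])
```

Two of the four constructed records fail input validation, so the posted total (1500.00) no longer matches the declared 1750.00 and the batch is flagged rather than silently posted short.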

Page 21: Information system security technology

Firewall: a protection device that allows selected data to flow into or out of the organization based on predefined rules.

It acts like a watchman that does not allow any unauthorized user to access the organization's servers.
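The rule-based filtering this slide describes, as an added example that is not part of the slides. It evaluates a packet against an ordered rule list with first-match semantics and a default-deny policy, and includes the check a practitioner wants when editing such a list: which rules are shadowed by an earlier, broader rule and can therefore never fire. The addresses and rules are constructed (RFC 1918 space for the inside, TEST-NET-3 for the public web server):

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the slides: a first-match packet filter with a
# default-deny policy. All addresses, rules and packets are constructed.


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # CIDR of the source
    dst: str       # CIDR of the destination
    dport: object  # destination port (int) or None for any port
    comment: str = ""

    def matches(self, pkt):
        return (
            self.proto in ("any", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == pkt["dport"])
        )


RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443, "public HTTPS to the web server"),
    Rule("allow", "tcp", "10.0.5.0/24", "10.0.0.0/8", 22, "SSH only from the admin subnet"),
    Rule("allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443, "outbound HTTPS from inside"),
    # Anything not matched above falls through to the default deny.
]


def evaluate(pkt, rules=RULES):
    """Return (action, index of the matching rule, or None when the default deny applied)."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return "deny", None


def log_line(pkt, rules=RULES):
    """One audit line per decision; the default deny is logged like any rule."""
    action, idx = evaluate(pkt, rules)
    reason = rules[idx].comment if idx is not None else "default deny"
    return f"{action.upper():5} {pkt['proto']} {pkt['src']} -> {pkt['dst']}:{pkt['dport']} ({reason})"


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule covers them entirely."""
    def covers(earlier, later):
        return (
            earlier.proto in ("any", later.proto)
            and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            and (earlier.dport is None or earlier.dport == later.dport)
        )
    return [j for j in range(len(rules)) if any(covers(rules[i], rules[j]) for i in range(j))]


# Constructed sample traffic
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "10.0.1.20", "dport": 22},
    {"proto": "tcp", "src": "10.0.5.3", "dst": "10.0.1.20", "dport": 22},
    {"proto": "tcp", "src": "10.0.7.9", "dst": "10.0.1.20", "dport": 22},
    {"proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(log_line(pkt))
    print("shadowed rules:", shadowed_rules(RULES))
```

Of the five constructed packets only the public HTTPS request and the SSH session from the admin subnet are allowed; external SSH, SSH from a non-admin inside host and UDP to port 443 all hit the default deny. A rule set with an "allow tcp any any 22" placed before a specific deny would show that deny as shadowed.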

Page 22: Proxy Servers

A proxy server acts as a representative of the true server of an organization. When a person from outside requests a particular web page, the proxy server receives the request, in turn asks the true server for the information, and then responds to the person's request as a proxy for the true web server. (Deployed this way, in front of the organization's own server, it is a reverse proxy.)

The person gets the information without coming into direct contact with the true web server.
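The relay logic of such a reverse proxy, as an added example that is not part of the slides. The internal origin address, the path allow-list and the fake origin are constructed for the demo, and the fetch callable stands in for the real upstream HTTP call so the block runs offline. It shows the two things the slide's description implies: the outside party never talks to the true server directly, and the proxy can refuse requests and strip headers in both directions before anything reaches either side:

```python
# Added example, not from the slides: forwarding logic of a reverse proxy.
# ORIGIN, ALLOWED_PREFIXES and FakeOrigin are constructed for the demo.

ORIGIN = "http://10.0.1.20:8080"                 # assumption: internal address of the true server
ALLOWED_PREFIXES = ("/public/", "/index.html")   # assumption: what outsiders may ask for
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}
ORIGIN_REVEALING = {"server", "x-powered-by"}


class ReverseProxy:
    def __init__(self, fetch, origin=ORIGIN, allowed_prefixes=ALLOWED_PREFIXES):
        self.fetch = fetch   # fetch(method, url, headers) -> (status, headers, body)
        self.origin = origin
        self.allowed_prefixes = allowed_prefixes

    def build_upstream_request(self, client_ip, method, path, headers):
        """Sanitise the client's request before relaying it, or return None to refuse it."""
        if ".." in path or not path.startswith(self.allowed_prefixes):
            return None
        clean = {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}
        clean["X-Forwarded-For"] = client_ip          # origin learns who asked, via the proxy
        clean["Host"] = self.origin.split("://", 1)[1]
        return method, self.origin + path, clean

    def handle(self, client_ip, method, path, headers):
        """Serve one client request; the client only ever sees the proxy's answer."""
        upstream = self.build_upstream_request(client_ip, method, path, headers)
        if upstream is None:
            return 403, {"Server": "proxy"}, b"Forbidden"
        status, up_headers, body = self.fetch(*upstream)
        out = {k: v for k, v in up_headers.items()
               if k.lower() not in HOP_BY_HOP and k.lower() not in ORIGIN_REVEALING}
        out["Server"] = "proxy"   # hide the true server's software from the outside
        return status, out, body


class FakeOrigin:
    """Constructed stand-in for the true web server; records what reached it."""

    def __init__(self):
        self.requests = []

    def __call__(self, method, url, headers):
        self.requests.append((method, url, headers))
        return 200, {"Server": "Apache/2.4.57 (internal)", "Content-Type": "text/html",
                     "Connection": "keep-alive"}, b"<h1>hello</h1>"


if __name__ == "__main__":
    origin = FakeOrigin()
    proxy = ReverseProxy(origin)
    for path in ("/public/report.html", "/admin/config", "/public/../admin/config"):
        status, hdrs, body = proxy.handle("198.51.100.7", "GET", path,
                                          {"Connection": "close", "Accept": "text/html"})
        print(path, status, hdrs.get("Server"))
    print("origin saw:", [url for _, url, _ in origin.requests])
```

Only the allowed path is ever relayed; the request for /admin/config and the path-traversal attempt are refused at the proxy and never reach the origin at all.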

Page 23: Authentication and data encryption

Page 24: Authentication and data encryption

In encryption the message is encoded into an unreadable form before it is transmitted over the network; only a holder of the correct key can decode it. Encryption alone does not tell the receiver that the message is genuine and unmodified; that requires an authentication check such as a message authentication code or a digital signature.
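Both halves of the slide title, encryption and authentication of a transmitted message, as an added example that is not part of the slides. It uses only the standard library: confidentiality comes from XOR with a counter-mode keystream generated by HMAC-SHA256 used as a pseudorandom function, and authentication from a second HMAC over nonce and ciphertext (encrypt-then-MAC). The construction, key labels and sample message are the example's own assumptions; production code should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained library rather than this teaching construction:

```python
import hashlib
import hmac
import os

# Added example, not from the slides: encrypt-then-MAC with a counter-mode
# keystream from HMAC-SHA256. Teaching construction; use a vetted AEAD in production.

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_key):
    """Separate keys for encryption and authentication, both derived from one secret."""
    enc_key = hmac.new(master_key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key, nonce, length):
    """Counter mode: block i = HMAC(enc_key, nonce || i). Never reuse a nonce under one key."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(master_key, plaintext):
    """Return nonce || ciphertext || tag, the form that travels over the network."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key, message):
    """Verify the tag first; only an untampered message from a key holder is decrypted."""
    enc_key, mac_key = derive_keys(master_key)
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or message modified in transit")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def tamper_detected(master_key, message, index=NONCE_LEN):
    """Flip one bit of the ciphertext in transit and report whether decrypt() rejects it."""
    forged = bytearray(message)
    forged[index] ^= 0x01
    try:
        decrypt(master_key, bytes(forged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = os.urandom(32)
    msg = b"Transfer 1000 to account A1002"   # constructed sample message
    wire = encrypt(key, msg)
    print("on the wire:", wire.hex())
    print("decrypted:  ", decrypt(key, wire))
    print("tamper detected:", tamper_detected(key, wire))
```

Without the tag, flipping one ciphertext bit of a stream cipher flips the same plaintext bit and the receiver would accept a silently altered message; with the tag checked first, any modification or a wrong key is rejected before anything is decrypted.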

Page 25: Disaster recovery plan

It involves the following steps:

Commitment of top management: top management must provide a sufficient amount of resources.

Responsibility of all employees: IS security is not the sole responsibility of an individual employee; the concept of shared responsibility of all employees is very important.

Page 26: Disaster recovery plan

Appointment of a business recovery coordinator: there should be a team of persons drawn from all the departments of the organization.

Establishment of priorities: the committee should know what actions are required to be taken and in what order.

Page 27: Disaster recovery plan

Execution of the plan: the committee should prepare several plans, select one depending on the situation, and execute it immediately.

Review and updating of the disaster recovery plan.