Download The Importance of Information Security in Business and more Study notes Aerospace Practicum in PDF only on Docsity!
NEED OF INFORMATION SECURITY IN THE 21ST^ CENTURY: WITH
SPECIAL EMPHASIS TO COMPUTER SECURITY
Anjana Bhatnagar
Abstract
We are living in a society dominated by information technology and in an era of information where huge amount of Information can be speedily processed and saved on easily accessible media.
Information plays a really important part in decision making in an organization. For an organization
a wrong decision can lead to drastic result. This is on reason why information is steadily acquiring
a more central role in business. In the world of today information is becoming increasing important.
Generally speaking the standard of information security has not kept pace with this development.
For example, information that before was saved on a large amount of paper and physically difficult
to steal can today be saved on a disk that can easily remove.
In this article author has discussed, what information security is. Why it is needed in an organization
of 21 century. The CIA Relationship of information security is discussed with diagram. The information
security chain has twelve modules and eighty sub modules. The overview of information security
cannot be complete in such small paper; therefore author delimits herself to the most prominent
module computer security. In the last future and conclusion of information security are highlighted.
Information Security of IIT Kanpur system is also consulted in some of the modules. The paper is
of particular value for newcomers in this area.
Keywords : Information Security, Computer Security, Computer Viruses, Data Encryption,
Biometric Methods
1. Introduction
Information security deals with several different ‘trust’ aspects of information. Another common
term is information assurance. Information security is not confined to computer systems, nor to
information in an electronic or machine-readable form. It applies to all aspects of safeguarding or
protecting information or data, in whatever form. Information security chain is needed when information
is threatened, lost or misused.
5 th^ Convention PLANNER -2007, Gauhati University, Guwahati, December 7-8, 2007 © INFLIBNET Centre, Ahmedabad
PLANNER-
2. Methodology
The paper is aimed at presenting the need of information security in 21st^ century. The Data for this paper is based on conceptual study including personal observation and interaction with students, faculty, staff involved in it and library research referring to the important journals, periodicals, publications and research volumes and making use of the web to build up first hand information for future analysis. Data display involves organizing and assembling reduced data into diagrammatic or visual display.
3. Scope of the Information Security
Information security is a protection of the interests of those relying information and the information systems and communications that deliver the information from harm resulting from failures of availability, confidentiality, and integrity. [ 1 ]
The organization’s information security policy aims to ensure that:
- its information systems are properly assessed for security
- confidentiality, integrity and availability (CIA) are maintained. These three concepts are at the core of almost every security program—if not by name, at least in practice. They are most commonly described as a triangular view of security, with each side directly related to the other two. As shown in Figure1. Confidentiality – information access is confined to those with specified, explicit authority to view the information. Integrity – safeguarding the accuracy and completeness of information. Availability – ensuring that authorized users have access to information when needed.
- staff are aware of their responsibilities, roles and accountability
- procedures to detect and resolve security breaches are in place
- information security issues are dealt with consistently throughout the organization
Figure 1: The CIA Relationship
Information Security
Confidentiality Availability
Integrity
4.11 Attitudes toward ISEC Issues : Written Security Policy, Information Security Culture. 4.12 Various Security Questions : Atmospheric Humidity, Document Security, Temperature, Dust, Smoke, and Particles, Optical Spying, the Environment, Tailgating, Scavenging, Shoulder Surfing, Building, Mail Security.
5. Computer Security
Computer security measures, procedures, and controls which provide an acceptable degree of safety of information resources from accidental or intentional disclosure, modification, or destruction. Sub modules of computer security are as below.
5.1 Backup
Backup means having multiple copies of the same data so that the duplicate ones can be used in case the original one gets corrupted or erased accidentally. Though having backups may seem as a waste of time but they often come in handy when one actually needs them. [3] Backups must also be tested so as to avoid failure owing to human or machine malfunctioning. Of the different media that can be used for doing backups it is important to have effective, reliable and user friendly backup software. Instead of having a backup of all the files, it is advised to have it for just the most important ones. Backup in IIT- Kanpur - User home directories on the central file server are backed-up on daily basis. The daily incremental backup is taken and kept for a week. On first Sunday of every calendar month, all files are saved on tapes. This backup is retained for one year. On other Sundays of the month a weekly backup is taken which is retained for a month. From Monday to Saturday, incremental backup is taken which is recycled in the next week.[4] Computer Centre operates 24 hours a day, 365 days an year. It has a power back up through a 180 KVA UPS and a 320 KVA generator set. Air conditioning is provided by the central air conditioning plant and split air conditioners.
5.2 Computer Viruses
Viruses are defined as ‘A section of code introduced into a program for malicious purposes, e.g. at some stage the inserted code will trigger a process which will, for example, eliminate files. The virus is present in a program, and when the program is run the virus writes itself into other programs in main memory or backing store. The effects of virus can thus be extended to many users’. [5] There are many kinds of computer viruses like Worms, Bombs, Trojan horses and Computer viruses. A way to avoid computer viruses is always to test the software before installing it and to avoid pirated software. Viruses can be spread through emails also. Some of the most well known viruses are Bugbear, Klez, Lovebug, Melissa, Bubbleboy, Code Red, Nimda. There are six recognized categories of virus as below:
Boot Sector Virus: Replaces or implants itself in the boot sector—an area of the hard drive (or any other disk) accessed when you first turn on your computer. This kind of virus can prevent you from being able to boot your hard disk. Eg. Disk Killer, Michelangelo, stoned File Virus: Infects applications. These executables then spread the virus by infecting associated documents and other applications whenever they’re opened or run. Eg. Jerusalem and Cascade Macro Virus: Written using a simplified macro programming language, these viruses affect Microsoft Office applications, such as Word and Excel, and account for about 75 percent of viruses found in the wild. A document infected with a macro virus generally modifies a pre-existing, commonly used command (such as Save) to trigger its payload upon execution of that command. Eg. W97M.Melissa, WM.NiceDay, W97M.Groov Multipartite Virus: Infects both files and the boot sector—a double whammy that can re- infect your system dozens of times before it’s caught. Eg. One_Half, Emperor, Anthrax, Tequilla. Polymorphic Virus: Changes code whenever it passes to another machine; in theory these viruses should be more difficult for antivirus scanners to detect, but in practice they’re usually not that well written. Stealth Virus: Hides its presence by making an infected file, not appear infected, but doesn’t usually stand up to antivirus software.
5.2.1 Worm
A worm is a program that is designed to replicate and spread throughout a computer system. It will usually hide within files (for example, Word documents), and distribute those files through any available network connections. Worms are often used to drain computer resources such as memory and network access, simply by replicating on a large scale. Eg. W32.Mydoom.Ax@mm
5.2.2 Trojan Horse
A Trojan horse is a malicious program, usually disguised as something useful or desirable. When activated, they can cause loss, damage or even theft of data. The critical difference between a Trojan horse and a virus is that a Trojan horse cannot replicate itself. The only way that a Trojan horse can spread is if someone helps it. Trojan.Vundo is a Trojan. For example, saving the program from an e-mail attachment, or downloading it from the Internet. Some common features of Trojan horse programs include:
- Rounding (carving off small parts of payments from a large number of accounts or transactions),
- Causing payment triggers (causing illicit payments to be activated),
- Making configuration changes,
- Distributing security information, providing unauthorized access paths (known as backdoors and trapdoors).
is suitable. In a company where there are several servers and networks in use, user has to remember many passwords. In this case the user tends to use similar passwords for different systems, which in turn increases the security risk. Thus to avoid this access control packages that includes passwords, logs, encryption and so forth must be used. By using such packages it can be possible to avoid using many password systems. Vendor supplied passwords should be changed immediately. IIT Kanpur Computer Centre provides login and passwords to the faculty, staff and students for their research and teaching. It has a users base of more than 6000+ users with more than 1000 active users at any given point of time.
5.4 Data Encryption
Data encryption is a means of securing data by changing the meaningful text into some code which looks like null and void to others. It’s a reasonably easy way to protect information. The user has to remember the key and the software and hardware is secure and user friendly. According to Hoffman there are 900 cryptography hardware and software products on the market. [7]
The System administrator normally has access to all files in an information system, therefore the administrator can be a great information security risk, and the risk can be minimized, however, if the classified files are encrypted. The administrators still do his work. [8]
5.4.1 How does Encryption Work?
Encryption involves taking an original message or plaintext and converting it into cipher text (unreadable format) using an encryption algorithm and an encryption key. Only those who posses a secret key can decipher the message into plain text. Historically, encryption acted on letters of the alphabet. The Caesar Cipher, one of the oldest techniques, gives a very simple example:
- Take the plaintext is Parliament is in session;
- Encrypt according to the encryption algorithm ‘replace each letter with that X places to the right of it in the alphabet’, where X, the encryption key, is 3;
- The cipher text is sduoldphqw lv lq vhvvlrq and can be converted back to plaintext with a decryption algorithm and decryption key, in this case ‘replace each letter with that three places to the left of it in the alphabet’.
Computers store electronic data in binary form, as sequences of ‘bits’ (1s and 0s). Modern algorithms are mathematical functions that act on these data with keys that are themselves sequences of 1s and 0s. Keys are generally stored in computer files that are themselves encrypted and can be accessed only with a pass phrase (similar to a password but longer). We can see its working Figure 2. Encrypted messages can sometimes be broken by cryptanalysis (coding breaking) but modern
cryptography techniques are virtually unbreakable, eg. Cryptography is to protect- email messages, credit card. Most popular systems used on the internet are Pretty Good Privacy because it is effective and free. [9]
Figure 2: How does cryptography work
5.5 Biometric Methods Biometric methods include those of voice, face, hand geometry, fingerprints, eye, signature and typing rhythms as shown in Figure 3. When combined with good password security, can give high information security but it need high cost biometric instruments.
Figure 3: Examples of Biometric Methods
5.6 Off-Site Storage
Off-site storage means storing the backup files in a secure place. They should preferably be encrypted. So many commercial organizations are available in the market in specializing in storing
faxes is that the sender can easily dial the wrong number by mistake. Managers should have their own fax machine. This naturally implies that the managers are reliable enough and they do not use the fax for sending out sending out documents to a competitor.
5.13 Diskette Security
A diskette containing, important information should not be sent my mail. Such a procedure should be avoided since the diskette can be stolen, copied, or damaged during transportation. Electronic data interchange should be used. Diskettes are stored in properly in a safe place and in an organized manner.
5.14 Rescue Diskette
rescue diskette should include the most important utilities, in the case of a PC, especially the .com, .dat, .exe, .ini and .sys files. The rescue disk can be very useful, when a user is attacked by computer viruses. The rescue diskette has to be properly stored.
5.15 Distributed Systems, Outsourcing, Time Sharing and Remote Office
Distributed systems, outsourcing, time sharing and remote office fairly new processes in IT bring new information security concepts. Distributed system means moving from traditional large computers to open client / server systems. In distributed environment every employee’s responsibility for information security increases. Time sharing means that organizations share computing services and in that way decrease costs. Risk increase in this. The resources saved by using shared premises and outsourcing can easily be lost in an information security break. Those involves have to be extremely reliable. Remote office means carrying out the work at home or at another location by means of modern telecommunication. Data transmission should be encrypted. Information security must not hinder an organization from carrying out a remote office operation, but the questions for information security have to be observed.
5.16 Log Functions
A log function registers when a PC was used. By using a log it is possible to determine, afterwards, if files have changed in order to commit a fraud.
5.17 Locked Hardware
Hardware should be locked, for example, office furniture etc. This makes it more difficult to steal the hardware. Thieves are interested in only Computers and especially hard disks.
6. Conclusion
Information security is the ongoing process of exercising due care and due diligence to protect information, and information systems, from unauthorized access, use, disclosure, destruction, modification, or
disruption. The never ending process of information security involves all modeules of information security. The academic disciplines of information security and information assurance emerged along with numerous professional organizations during the later years of the 20th century and early years of the 21st century. The profession of information security chain has seen an increased demand for security professionals who are experienced in network security auditing, penetration testing, and digital forensics investigation. The Prabhu Goel Research Centre for Computer and Internet Security at IIT Kanpur was established by Dr. Prabhu Goel in 2003. The vision of the centre is to become the nodal R&D centre in the country for all aspects of computer security and to educate various governmental and non-governmental organizations on the security issues and help them in this regard. The centre is therefore undertaking research, training, and consulting activities in the area of computer and Internet security. The centre also collaborates with defense and security agencies in developing various security technologies. IIT Kanpur has already been doing work in the area of Computer Security. The establishment of this centre is expected to give a tremendous fillip to this activity.
Biometric methods will grow in popularity as the price of biometric instruments declines and their operational security increases. Cryptographic methods remain the most obvious tool for information security. As hardware gets faster, the processing load for encryption and authenticating messages can be expected to decline. This is obviously true if the key length stays the same, and almost as certain if measured as the time it takes to encrypt a message which takes a fixedX hours decrypt (as supercomputers get better, the required key length rises). Thus, everything else being equal, cryptographic methods will see greater use, and information security will rise.
The profession of information security chain has seen an increased demand for security professionals who are experienced in network security audint, auditing, prenetration testing and digital forensics investigation. So to secure an organization there is a need of information security in 21st^ century organization.
References
(IFAC 1998. Exclusive Summary) Managing security of information of information technology committee, website at www.ifac.org/new]
Thomas V. Finne ; Encyclopedia of Library and Information Science By Allen Kent Marcel Dekker, New york V.65 p.p 139-
J. Maynard,Computer Audit Update, UK, Dec.1994, pp 15-
http://www.iitk.ac.in/cc/services.htm#login accessed October 27, 2007
W. Caelli, D. Longley and M. Shain,Information Security for Mangers, Stockton, Uk, 1989
