Date posted: 16-Dec-2015
Information System Protection and Security
Need for Information System Security
With the advent of computers and telecommunication systems, organizations have started using more and more computer-based information systems, especially networked systems.
As a result, information systems have become easy targets for threats, since the Internet connects thousands of unsecured computer networks that communicate with each other.
Information Systems Security
A discipline that protects the Confidentiality, Integrity and Availability of information and information services.
Threats to Computerized Information Systems
- Hardware failure
- Software failure
- Personnel actions
- Terminal access penetration
- Theft of data, services, equipment
- Fire
- Electrical problems
- User errors
- Unauthorized program changes
- Telecommunication problems
In general, the major threats to an IS are categorized as:
- Human error or failures
- Manipulation of data/system
- Theft of data/system
- Destruction from viruses
- Technical failure/errors of systems
- Natural disasters like flood, fire, earthquake etc.
Human errors or failures
In this category, unintentional errors are made by an authorized user. The authorized user may commit errors such as entry of wrong data, accidental deletion or modification of data, or storage of data in unprotected areas like a desktop.
Errors happen because of lack of experience, improper training or other circumstances.
Manipulation of Data/System
This category of threat arises from the deliberate acts of some persons or organizations designed to harm the data or information systems of an organization.
Here an unauthorized individual gains access to private/confidential data and purposefully commits wrong acts such as deleting, corrupting or stealing the data.
Theft of Data/Systems
It is a deliberate attempt by some person to steal the important data of an organization.
Hackers: persons who intercept the communication lines to steal data without the knowledge of the owner of the data.
Crackers: illegally break into other people's secure systems and networks.
Cyber Terrorists: threaten and attack other people's computers.
Motivation for Hackers:
- The challenge
- Espionage
- Mischief
- Money (extortion or theft)
- Revenge
Destruction from Virus (Threats: MALWARE)
Malware is malicious software: deliberately created and specifically designed to damage, disrupt or destroy network services, computer data and software.
There are several types...
Malware Types
Viruses:
- Conceal themselves
- Infect computer systems
- Replicate themselves
Worms:
Programs that are capable of independently propagating throughout a computer network.
They replicate fast and consume large amounts of the host computer's memory.
Trojan Horses:
Programs that contain hidden functionality that can harm the host computer and the data it contains.
Trojan horses are not automatic replicators - computer users inadvertently set them off.
Software Bombs:
- Time Bombs - triggered by a specific time/date
- Logic Bombs - triggered by a specific event
Both are introduced some time beforehand and will damage the host system when triggered.
Technical Failure/Errors of Systems
This category of threat includes technical failures or errors, which may occur because of manufacturing defects in the hardware or hidden faults in the software.
Natural Disasters
These threats come from acts of God that cannot be prevented or controlled.
They include fire, flood, earthquake, lightning etc.
Protecting Information Systems
The organization plans and implements various kinds of IS controls so as to avoid, reduce and manage the risks from these threats.
The controls are:
- Physical controls
- Technical controls
- Administrative controls
- General controls
- Application controls
Physical controls
These include protecting computer hardware, software, databases etc. The location and layout of the computer centre must be well planned, i.e. the computer centre should be waterproof and fireproof, have proper air-conditioning and fire-extinguishing systems, and have emergency power shutoffs and backup systems.
Technical controls
Technical controls are implemented in the IS application itself. They include:
Access controls: the restrictions imposed to prevent unauthorized access by any user.
The identity of a user can be established through a unique user identifier such as a password, digital signature, voice, fingerprint etc.
Data security controls: can be implemented through operating systems, database security, access control programs, and backup and recovery procedures.
Administrative controls: include the guidelines and rules of the organization for the use and deployment of IS resources.
Application controls: include input controls, processing controls and output controls.
Information system security technology
Firewall: a protection device that allows selected data to flow into or out of the organization based on predefined rules.
It acts like a watchman that does not allow any unauthorized user to access the organization's server.
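The rule-based filtering described above, as an added example in Python that is not part of the original slides: packets are checked against an ordered list of predefined rules, the first match decides, and anything that matches no rule is denied. The address ranges, ports and policy are assumptions for illustration.

```python
# Added illustration, not from the original slides: a minimal packet filter that
# checks constructed traffic against an ordered list of predefined rules. The
# first matching rule decides; traffic that matches no rule is denied by default.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (Internet -> organization) or "out"
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR block; "0.0.0.0/0" means any address
    dst: str
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport))

# Assumed policy: the organization's network is 10.0.0.0/8 and its public web
# server is 10.0.1.10. Outsiders may reach only the web server on 80/443,
# insiders may browse out on 80/443, and everything else is blocked.
RULES = [
    Rule("in",  "tcp", "0.0.0.0/0",  "10.0.1.10/32", 80,   "allow"),
    Rule("in",  "tcp", "0.0.0.0/0",  "10.0.1.10/32", 443,  "allow"),
    Rule("in",  "any", "0.0.0.0/0",  "10.0.0.0/8",   None, "deny"),
    Rule("out", "tcp", "10.0.0.0/8", "0.0.0.0/0",    443,  "allow"),
    Rule("out", "tcp", "10.0.0.0/8", "0.0.0.0/0",    80,   "allow"),
]

def decide(p: Packet, rules=RULES) -> str:
    """Action of the first rule that matches p, or 'deny' when none does."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # default deny: anything not explicitly allowed is dropped
```

Reordering the rules changes the outcome, which is why real firewall policies are reviewed as an ordered list rather than a set.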
Proxy Servers
A proxy server acts as a representative of the true server of an organization. When any person from outside requests a particular web page, the proxy server receives the request, in turn asks the true server for the information, and then responds to the person's request on behalf of the true web server.
The person gets the information without coming into direct contact with the true web server.
Authentication and data encryption
In encryption, the message is coded into an unreadable form and transmitted over the network.
Disaster recovery plan
It involves the following steps:
Commitment of the top management: the top management must provide enough resources.
Responsibility of all employees: IS security is not the sole responsibility of an individual employee; the concept of shared responsibility among all employees is very important.
Appointment of a business recovery coordinator: there should be a team of persons drawn from all the departments of the organization.
Establishment of priorities: the committee should know what actions are required to be taken and in what order.
Execution of the plan: the committee should examine the various plans, select one depending on the situation, and execute it immediately.
Review and update of the disaster recovery plan.