Information System Security

History of IS

Role of IS

Support CompetitiveAdvantage

Support Business

Decision Making

Support of Business Processes and Operations

Importance of IS

Basics of IS

IS Framework

Components of IS

Attribute of Information Quality

Business Area wise Information

Changing Nature of IS

From mainframe to client server to web based IS.

Alvin Toffler’s “Third wave” – Agricultural, Industrial and Information waves.

4th wave can be assumed as mobile technology

Powerful worldwide changes that have altered business environment are- Globalization Rise of information economy Transformation of business enterprise Emergence of digital firms

Modern business systems are decentralized, autonomous and heterogeneous.

Today IS are distributed and component based.

Mainframe based IS

Client Server Based IS

Architecture of Web Based I.S.

Need of Distributed Information System

A computer service that runs at a single central location is more likely to become unavailable than a service distributed to many sites.

There are two ways in which a service can be made to run at many sites: replication of the service, and distribution of the service.

Distributed services i.e. services that have distinct components, at many different sites, that collaborate to ensure the quality of service

3 mantras of success in digital economy Liberalization Privatization Globalization

Businesses now have no geographical boundaries.

With the rise of M-Commerce we are in the era of anywhere, anytime computing.

Protecting the data and information is crucial as business make knowledge based decision.

Prior to e-business days not only suppliers and consumers remain separated, but the knowledge producers and workers and business personnel also remained unconnected.

Connectivity is a great boon of Internet. Connectivity built a bridge between the

thinkers, business people, governments, common people, academicians and so on.

We need to consider the modern day IS in this global context.

Scope of IS 1950s : Technical changes 1960-70 : Managerial Controls 1980-90 : Institutional Core activities Today : Digital Information webs

extending beyond enterprises

Wider scope of I.S.

Today’s firms are digital in terms of their rapid operations.

IS links the buyers and sellers to exchange information, products, services and payments via e-business and e-commerce.

Thus today the era is extended enterprise

To serve the needs of such organization, I.S. is no more confined to a single location.

Role of Internet and Web Services

The Internet

Web is designed to exchange unstructured information.

While people can read web pages and understand their meaning, computers can not.

If corporations want to do business over the web, humans have to involve unless there is a way for computers to communicate on their own.

This is where web services comes in.

Web services are self contained modular applications that can be described, published, located and invoked over a network, generally over www. – IBM

Web services perform functions ranging from simple request to complex business process.

Once a web service is developed, other applications and web services can discover and invoke the deployed service through universal description, discovery and integration.

Web services make it easier to build service based architecture without the applications being locked-in to a particular software vendor’s products.

Web services have been prone to give a strong return on investment (ROI) and make computer based I.S. more adaptable.

They also help bring productivity, flexibility and low maintenance cost in the development of IS by integrating components from various third party vendors.

Information System Threats and Attacks

Threat is a possible event that can harm an information system.

Vulnerability is the degree of exposure in view of threat.

Countermeasure is a set of actions implemented to prevent threats.

Information level / based Threat Threats that involve the purposeful

dissemination of information in such a way that organizations, their operations and their reputations may be affected.

Dissemination may be active via sending e-mails or passive via setting up a web site.

Network based Threats To become effective and potential

attackers require network access to corporate computer systems or to networks used by corporate computer systems.

Examples are – hacking of computer systems and launching DoS attacks as well as spreading malicious code such as viruses.

Other issues related with network based threats are – confidentiality, authentication, integrity and non repudiation.

Sources of Threats Human Error Computer abuse or crime Natural and political disasters Failure of hardware / software

Computer crime and abuse Computer crime is defined as any illegal act in

which computer is used as a primary tool. Computer abuse is unethical use of computers. Security threats related to computer crime /

abuse are – Impersonation

Identification and authentication control defeated Trojan horse method

Hiding of an authorized program a set of instructions that will cause unauthorized actions.

Logic bombs Unauthorized instructions which stay inactive until a

specific event occurs or until a specific time comes at which time they bring into effect an unauthorized act.

Computer viruses Execute itself by inserting its malicious

code in the execution path of another application And

Self replicate by replacing existing files with copies of files containing the viral code.

Worms are independent programs that make and transmit copies of themselves through telecommunication networks.

Dos Rendering the system unusable by legitimate users.

Dial diddling (cheating) Changing data before or during input often to change the

content of database Salami techniques

Diverting small amount (not noticed) of money from large numbers of accounts maintained by the system.

Spoofing Configuring a computer system to masquerade (pretend to be)

as another system over the network in order to gain unauthorized access.

Super zapping Using a system’s programs that can bypass regular system

control to perform unauthorized act.

Scavenging Unauthorized access to information by

searching through the residue after a job has been run on a computer.

Data leakage Wiretapping Theft of mobile devices

Damage Assessment

Security Issues in Mobile Computing

The three distinguishing features of emerging mobile computing environments are- mobility of users mobility of network elements (i.e.

portable computing devices) wireless networking

Mobility of Users Global Authentication

A mechanism for flexible global authentication is essential to support user mobility.

Authentication often forms the basis of other security services such as authorization.

Privacy The need to ensure privacy of users becomes more

pronounced. In static environments, the location of a user or network

element is unlikely to be secret information. Users and network elements are stationary. However, in a mobile computing environment, it may

be necessary to protect information about the locations and activities of users.

Contd…….. Eavesdropping

Eavesdropping is the act of secretly listening to the private conversation of others without their consent.

Assumptions about physical security of the network no longer hold true when inter-domain interactions enter the picture.

Even if the foreign domain claims its network to be physically secure, a visiting user may not be willing to accept this assurance.

Thus, some sort of cryptographic protection becomes unavoidable.

An issue that is common to the mobility of users and network elements is the availability of resources.

Mobility of Network Elements Mobile users may carry portable computing

devices. Portability introduces the following issues- Risks to data

Due to the higher risks of physical damage, loss, or theft, mobility of devices implies that there is a higher risk of loss for the data stored on them.

Asymmetry in resources Portable devices have comparatively fewer resources

available to them. Technological advancements will improve the quantity

and quality of the available resources.

Wireless Networking Wireless networking is necessary to

support continuous user and device mobility.

This introduces additional issues of concern-

Eavesdropping The convenience of wireless networks has a

cost: it is more convenient for an eavesdropper to listen in on the traffic.

It is often asserted that the primary security concern with wireless networks is that communication is susceptible to eavesdropping and tampering.

While it is true that in wireless networks, links have no physical security at all, the situation is not much better with wired but open networks. Thus cryptographic protection is necessary in both wireless and fixed networks

Hando Another issue that arises when dealing

with multiple domains is that of hando . In a wireless network with mobile users,

a user might wander into neighbouring cells while a session is active.

Security systems must provide convenient and fast means for the session to be transferred (“handed to") from a cell in one domain to a cell in a different domain.

Bandwidth/Error rate Wireless networks typically have lower

bandwidth and suffer from higher error rates compared to wire line networks.

Consequently, traffic over wireless networks is expensive.

Security protocols meant to be used over wireless networks should therefore pay special attention to minimizing the number of messages, message sizes and frequencies of exchange

Frequent Disconnections In contrast to wire line networks,

disconnections will be frequent in wireless networks.

Many researchers are working on finding ways to design robust protocols and applications that can withstand such disconnections.

There are security implications as well.

Credit Card Frauds in mobile and wireless computing era

Credit Card Transaction Environment

An Australian Company “Alarcity” introduce a system known as CLEW (closed loop environment for wireless).

Steps of CLEW A merchant send transaction to bank. The bank transmits to card holder

authorization request. Cardholder approves / rejects

(password protected) The bank/merchant is notified. The credit card transaction is

completed.

Limitation of Wireless Wireless processing equipment is

expensive. Wireless processing comes with extra fee. Wireless credit card machines are subject

to cellular coverage blackouts. Wireless credit card processing uses a business

cellular network called Motient or Mobitex network.

Not sufficient security or encryption to process wireless transactions.

Cryptographic security

LDAP Security for Hand held devices

LDAP Directory Structure

RAS Security for Mobile Devices

Media Player Control Security

Organizational Measures of Mobile devices

Encrypting Database Include mobile devices in security

strategy Enterprise can do the followings-

Use of RFID in M-Commerce