DIS unit 1 (1)

Data and Information Security
CW35S1 - DATA AND INFORMATION SECURITY
UNIT I - INTRODUCTION (9)

History, What is Information Security?, Critical Characteristics of Information, NSTISSC Security Model, Components of an Information System, Securing the Components, Balancing Security and Access, The SDLC, The Security SDLC.

1. History

How Did Malware Start?
Bob Thomas was the brains behind the first malware. His project was based on the realization that a computer program could move across a network, leaving trails behind. He created a self-replicating program that became the first computer worm. Today, the self-replicating capabilities of computer worms are used not just to infect computers, but also to remain active on computer systems they have already infected.

How Did Information Security Start?
While most people believe cyber security started back in the 1970s, the concept of information security goes back much further, to February 1883. Auguste Kerckhoffs was a linguist and professor of German at HEC. On this date, he published an article in the Journal of Military Science that unwittingly provided a foundation on which all modern cryptography would be based. Kerckhoffs is now regarded as the father of computer security, and Kerckhoffs's principle was at the heart of algorithm creation. He is the originator of passwords and PIN codes, still so important to information security measures to this day.

How Did Cyber Security Start?
In the 1970s, the true birth of cybersecurity began with a project called the Advanced Research Projects Agency Network (ARPANET). ARPANET was the network developed prior to the internet. It consisted of two networks: 1. ARPANET for researchers and 2. MILNET for military use. MILNET required strong security measures like encryption and restricted access control. However, even in the 1960s computers were at risk due to vulnerable points of access. At this time basic computer security measures such as passwords were used to protect sensitive data.

When Did the First Hacker Attack Take Place?
In the 1970s the internet was still a twinkle in the eye of its creators. Despite there being no global network, large organizations and governments started linking computers using telephone lines. The good old modem made it far too easy to infiltrate computers, and as a result, the first group of hackers was born. They used phone lines to hack into systems and steal valuable data and personal information. By the 1980s "hacking" had become a burgeoning international crime issue. It was time to find security solutions.

Cybersecurity in the 1980s
With hacking on the rise, limited information security systems were unable to keep up with the constantly adapting approaches hackers used to break into computer systems. However, it wasn't until a small group of teenagers from Milwaukee successfully broke into over 60 military and corporate computers that the seriousness of hacking hit the fan, so to speak. Dubbed "the 414s", the teens stole over $70 million from U.S. banks. Governments perked up their ears and realized they had a crisis on their hands. As a result, they started pursuing cyberattacks and hackers as criminals, although sentences were light.

Organized Crime Gets Into the Hacking Business
Ever vigilant, organized crime members caught on to the opportunities of hacking. With the introduction of the World Wide Web in 1989, they realized people were putting their personal information online. This presented a new revenue source, allowing them to create very intricate systems to steal data from people and governments. Although security controls such as firewalls and antivirus programs helped prevent cyber theft, at that time the internet was an unsecured playground for cybercriminals.

Cybercrimes are Recognized in the 2000s
Since the 414s stole tens of millions of dollars, governments continued to pursue cybercriminals. However, because of the light punishments, criminals didn't feel they had much to lose and had much to gain. As the problem escalated, governments realized hacking presented many dangers. Punishments went from the mere five-year sentence the 414s received for stealing millions to decades by 2010. Despite increased sentences, cybercriminals continued to use their skills to maintain anonymity and successfully infiltrate computer networks and operating systems. Therefore, experts turned their focus to prevention through network security instead of depending on criminals being scared off by the threat of jail time.

Encryption: the Power Behind Information Security in the 2010s
Although data encryption has been around since the 1970s, beyond the 2010s data encryption has provided a go-to approach to security to prevent unauthorized access. Encryption scrambles data to make it unreadable to hackers. Encryption can occur at multiple levels, protecting not just networks but individual digital files, both in storage and during data transmission. Organizations implement information security policies to ensure employees follow best practices to deter data breaches of their data management systems and archives.

Data security describes the protection of digital data from a cyberattack or a data breach. A data breach is the unauthorized opening of data, typically to read or copy the information. Stolen data may contain confidential information, such as customer data, credit card numbers, or trade secrets. A cyberattack is much more aggressive. It is an effort by hackers to cripple or destroy a computer system or network. For example, a few years ago, hackers attacked a petrochemical plant located in Saudi Arabia and gained control of a critical safety shut-off system used for catastrophic events. Malicious software, called Triton or Trisis, was used, which can run unapproved programs. The malware can also scan and map the control system, providing reconnaissance and issuing commands. Once this type of malware (called a RAT, or Remotely Accessible Trojan) has invaded a system, it takes control by way of a remote network connection. This presents a new phase in attacks on the control systems of utilities, chemical plants, and factories. CyberX, an industrial cybersecurity firm, believes Triton/Trisis was developed by Iran to target organizations in Saudi Arabia.

The 1980s
Data security became a significant concern in the 1980s, a time when computer clubs began forming, as did malware. The very first viruses were mistakes: an error within the algorithm, with the ability to replicate itself. After the discovery of their existence, viruses were often designed to communicate a joke, or perhaps proof of someone's programming abilities. Interest in viruses, particularly malicious viruses, continued to grow. In 1985, a German computer engineer named Ralf Berger gave the keynote speech for the Chaos Computer Club (currently Europe's largest hackers' club), encouraging others to explore this new aspect of computer programming.

+ The Brain Virus
The first deliberately malicious computer virus, referred to as Brain, was developed in 1986 and attacked floppy disks. (Originally, the program was used by the IBM PC to follow and trace a heart monitoring program, of which pirates had been distributing illegal copies.) The virus aspect was developed by two brothers, Amjad and Basit Farooq Alvi, who claimed they were worried their software was being copied. Brain works on IBM PC computers, altering a floppy disk by replacing its boot sector with the virus. The virus will slow down the disk drive and block seven kilobytes of memory. The Computer Fraud and Abuse Act became law the same year, but did not cover viruses.

The 1990s
Viruses and hackers were creating chaos at an alarming rate in the 1990s, and the "modern" version of data security came into being. Efforts were made to block unauthorized entry into computer systems, and warnings and memos were issued to computer staff on ways to detect viruses. These efforts included making isolated backups, so the data, if corrupted in the computer, was still available at a separate location. Software quickly became a popular method for storing backup data. Passwords and encryption became popular in terms of blocking hackers.

+ The Solar Sunrise Breach
In 1998, two sixteen-year-olds in California and their 18-year-old mentor in Israel hacked into the U.S. Department of Defense's computer systems and gained control of computer systems operated by the government, the military, and private sectors. The attack was performed with the help of a virus, and initially investigators suspected Iraqi hackers were responsible. The DoD was very concerned and requested help from NASA, the FBI, the CIA, and the US Department of Justice. The operation to catch the attackers was known as 'Solar Sunrise', and after the attacks the Defense Department took drastic actions to prevent future incidents of this kind.

The New Millennium - 2000s
In the 21st century's first decade, malicious internet activity was transformed into a profitable criminal activity, focused primarily on monetary gain. The Sobig worm was a computer worm that infected millions of internet-connected Microsoft Windows computers in August 2003. This was closely followed by the infamous "MyDoom" in 2004.

+ Sobig
Sobig is both a computer worm (it replicates by itself) and a Trojan horse (pretending to be something other than malware). The Sobig worm appears as a normal email, with an innocent subject heading such as "Thank you!" and an attachment designed to spark your interest and get you to open it.

+ MyDoom
MyDoom, described as the world's most vicious worm, was discovered in January of 2004. It comes as an email attachment and is activated when opened. It originally came with a preprogrammed end date of February 12, 2004. The end date actually means very little, partly because the worm opens a backdoor that allows the worm's creator to access your computer at any time, and partly because "new" internet criminals have started using it. The email worm MyDoom is still around, and still active. Those in the computer security community agree that the MyDoom virus family has far surpassed the damage caused by any other malware, including Sobig. Ian Hameroff, a security associate at Computer Associates, said: "The biggest damage is the denial of service attacks (DOS). There is no other damage to the data. It's more a loss of productivity, so far."

Large Data Breaches
In this current decade, data breaches and cyber attacks have grown in scale, with tactics and access strategies evolving. Major computer attacks were taking place all over the world in this decade. In March of 2012 a major credit reporting agency within the United States suffered the largest big data breach in history. They had purchased a business called Court Ventures, which used public records to collect information. Court Ventures sold information quite regularly to third parties. One third party was a "Vietnamese fraudster service," who offered its customers the personal information of many Americans, including financial information and Social Security numbers. The breach went on for over 10 months after the acquisition of Court Ventures. Though the true number of exposed records is unknown, it is estimated over 200 million records were breached. "After the acquisition of Court Ventures, the U.S. Secret Service notified us that Court Ventures had been and was continuing to resell data from a U.S. Info Search database to third parties, possibly engaged in illegal activity. The suspect in this case posed as a legitimate business owner and obtained access to U.S. Info Search data through Court Ventures."

+ The Target Breach
In 2013, hackers accessed Target's servers and stole the personal information of roughly 70-110 million customers. This particular data breach incurred an estimated loss of over $162 million. The data came from shoppers visiting Target stores for three weeks, starting the day before Thanksgiving. Target was unaware of the attack and did not detect it on its own. It was instead alerted by credit card processors, who noticed an upsurge in fraudulent transactions using credit cards previously used at Target.

+ The Yahoo Breach
Also in 2013, all 3 billion of Yahoo's email customers became victims of cybercrime. The breach was discovered during a review of data supplied by law enforcement in 2014. Andrew Komarov, chief investigator for InfoArmor and contracted by Yahoo, discovered evidence that a dark web seller was offering a list of over one billion Yahoo accounts for roughly $300,000.

+ The Adult FriendFinder Breach
In mid-October of 2016, more than 412 million accounts in the FriendFinder Network were breached, with hackers collecting twenty years of data stored on six databases that included names, email addresses and passwords. The six databases included adult content and casual hookup websites, such as Adult Friend Finder, Cams, Penthouse, and Stripshow. The majority of passwords were weakly protected by only the SHA-1 hashing algorithm, and were easily bypassed.

+ The 2015 Voter Database Breach
A database with the information of 191 million voters was exposed to the open internet in late 2015. It is unknown how many people accessed the "accidental" breach. The problem was a result of human error: the database had been incorrectly configured and left open to the internet. It held the personal information (email addresses, mailing addresses, names, party affiliations, dates of birth, and more) of all the registered voters within the 50 states and the District of Columbia. This was, to date, the biggest U.S. government data breach in history.

Data Security as a Re
Data breaches can take place for a variety of reasons, ranging from hackers, to losing a device with unencrypted information, to accidentally opening a website's private information to the general public. The number of data breaches has increased steadily year by year. Measures are constantly being taken by organizations to increase their data security; it's a multi-billion dollar industry. Unfortunately, criminals are constantly finding new methods and techniques to hack into a business' database, and human error is a constant reality. The information preferred by hackers includes names, social security numbers, dates of birth, and other personal information used to steal identities. Preventing data breaches requires discipline, a plan, and a defensive mindset.

2. What is Information Security?

Introduction:
Information security is the practice of protecting information by mitigating information risks. It involves the protection of information systems and the information processed, stored and transmitted by these systems from unauthorized access, use, disclosure, disruption, modification or destruction. This includes the protection of personal information, financial information, and sensitive or confidential information stored in both digital and physical forms. Effective information security requires a comprehensive and multi-disciplinary approach, involving people, processes, and technology.

Information security is not only about securing information from unauthorized access. Information security is basically the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. Information can be physical or electronic. Information can be anything: your details, or we can say your profile on social media, your data on a mobile phone, your biometrics, etc. Thus information security spans many research areas, like cryptography, mobile computing, cyber forensics, online social media, etc.

During the First World War, a multi-tier classification system was developed keeping in mind the sensitivity of the information. With the beginning of the Second World War, formal alignment of the classification system was done. Alan Turing was the one who successfully decrypted the Enigma machine, which was used by the Germans to encrypt warfare data.

Effective information security requires a comprehensive approach that considers all aspects of the information environment, including technology, policies and procedures, and people. It also requires ongoing monitoring, assessment, and adaptation to address emerging threats and vulnerabilities.

Why do we use Information Security?
We use information security to protect valuable information assets from a wide range of threats, including theft, espionage, and cybercrime. Information security is necessary to ensure the confidentiality, integrity, and availability of information, whether it is stored digitally or in other forms such as paper documents. Here are some key reasons why information security is important:
1. Protecting sensitive information: Information security helps protect sensitive information from being accessed, disclosed, or modified by unauthorized individuals. This includes personal information, financial data, and trade secrets, as well as confidential government and military information.
2. Mitigating risk: By implementing information security measures, organizations can mitigate the risks associated with cyber threats and other security incidents. This includes minimizing the risk of data breaches, denial-of-service attacks, and other malicious activities.
3. Compliance with regulations: Many industries and jurisdictions have specific regulations governing the protection of sensitive information. Information security measures help ensure compliance with these regulations, reducing the risk of fines and legal liability.
4. Protecting reputation: Security breaches can damage an organization's reputation and lead to lost business. Effective information security can help protect an organization's reputation by minimizing the risk of security incidents.
5. Ensuring business continuity: Information security helps ensure that critical business functions can continue even in the event of a security incident. This includes maintaining access to key systems and data, and minimizing the impact of any disruptions.

Information security programs are built around 3 objectives, commonly known as CIA: Confidentiality, Integrity, Availability.

Confidentiality means information is not disclosed to unauthorized individuals, entities and processes. For example, if I have a password for my Gmail account but someone saw it while I was logging into my Gmail account, then my password has been compromised and confidentiality has been breached.

Integrity means maintaining the accuracy and completeness of data. This means data cannot be edited in an unauthorized way. For example, if an employee leaves an organisation, then the data for that employee in all departments, like accounts, should be updated to reflect the status JOB LEFT so that the data is complete and accurate; in addition, only an authorized person should be allowed to edit employee data.

Availability means information must be available when needed. For example, if one needs to access the information of a particular employee to check whether the employee has exceeded the permitted number of leaves, this requires collaboration from different organizational teams like network operations, development operations, incident response and policy/change management. A denial of service attack is one of the factors that can hamper the availability of information.

Apart from this there is one more principle that governs information security programs: non-repudiation.

Non-repudiation means one party cannot deny receiving a message or a transaction, nor can the other party deny sending a message or a transaction. For example, in cryptography it is sufficient to show that the message matches the digital signature signed with the sender's private key, and that the sender could have sent the message and nobody else could have altered it in transit. Data integrity and authenticity are prerequisites for non-repudiation.

Authenticity means verifying that users are who they say they are and that each input arriving at the destination is from a trusted source. This principle, if followed, guarantees that a valid and genuine message is received from a trusted source through a valid transmission. For example, taking the above example, the sender sends the message along with a digital signature which was generated using the hash value of the message and the private key. Now at the receiver side this digital signature is decrypted using the public key, generating a hash value, and the message is again hashed to generate a hash value. If the two values match, then it is known as a valid transmission with an authentic, or we say genuine, message received at the recipient side.

Accountability means that it should be possible to trace the actions of an entity uniquely to that entity. For example, as we discussed in the Integrity section, not every employee should be allowed to make changes to other employees' data. For this there is a separate department in an organization that is responsible for making such changes, and when they receive a request for a change, that letter must be signed by a higher authority, for example the Director of the college, and the person that is allotted that change will be able to make the change after verifying his biometrics; thus a timestamp with the details of the user making the changes gets recorded.
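The hash-and-sign check described under Non-repudiation and Authenticity above, as an added example (not part of the lecture notes): the sender signs the SHA-256 digest with the private key, the receiver recovers the digest with the public key and compares it with a fresh hash of what arrived. It uses a textbook RSA over two fixed Mersenne primes with no padding and the digest reduced modulo n, so that it runs on the Python standard library alone; it is a teaching toy, not a secure signature scheme, and the key constants, sign and verify are this example's own names.

```python
"""Digital-signature check behind non-repudiation and authenticity.

Toy RSA: the sender publishes (N, E) and keeps D secret.  Signing raises
the message digest to D; verifying raises the signature to E and compares
with a fresh digest of the received message.  Constructed key material,
not a real key pair; not secure (no padding, ~92-bit modulus).
"""
import hashlib

# Two Mersenne primes, p = 2^31 - 1 and q = 2^61 - 1 (constructed toy key).
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent, coprime to phi(N)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)    # what the receiver holds
PRIVATE_KEY = (N, D)   # what only the sender holds


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(private_key, message: bytes) -> int:
    """Sender side: signature = H(m)^D mod N."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Receiver side: recover H(m) as signature^E mod N and compare it with
    a fresh hash of the received message.  True only if both the message
    and the signature are intact and the signature was made with D."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == digest(message)


if __name__ == "__main__":
    # Constructed message, echoing the notes' employee-record scenario.
    msg = b"Update employee 4711 status to JOB LEFT"
    sig = sign(PRIVATE_KEY, msg)
    print("genuine message verifies:", verify(PUBLIC_KEY, msg, sig))
    # Integrity failure: one changed byte in transit breaks the check.
    tampered = msg.replace(b"4711", b"4712")
    print("tampered message verifies:", verify(PUBLIC_KEY, tampered, sig))
```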
Thus we can say that if a change to employee data goes through this process, it will be possible to trace the actions uniquely to an entity.

Advantages of implementing an information classification system in an organization's information security program:
1. Improved security: By identifying and classifying sensitive information, organizations can better protect their most critical assets from unauthorized access or disclosure.
2. Compliance: Many regulatory and industry standards, such as HIPAA and PCI-DSS, require organizations to implement information classification and data protection measures.
3. Improved efficiency: By clearly identifying and labeling information, employees can quickly and easily determine the appropriate handling and access requirements for different types of data.
4. Better risk management: By understanding the potential impact of a data breach or unauthorized disclosure, organizations can prioritize resources and develop more effective incident response plans.
5. Cost savings: By implementing appropriate security controls for different types of information, organizations can avoid unnecessary spending on security measures that may not be needed for less sensitive data.
6. Improved incident response: By having a clear understanding of the criticality of specific data, organizations can respond to security incidents in a more effective and efficient manner.

There are some potential disadvantages to implementing an information classification system in an organization's information security program:
1. Complexity: Developing and maintaining an information classification system can be complex and time-consuming, especially for large organizations with a diverse range of data types.
2. Cost: Implementing and maintaining an information classification system can be costly, especially if it requires new hardware or software.
3. Resistance to change: Some employees may resist the implementation of an information classification system, especially if it requires them to change their usual work habits.
4. Inaccurate classification: Information classification is often done by humans, so it is possible that some information may be misclassified, which can lead to inadequate protection or unnecessary restrictions on access.
5. Lack of flexibility: Information classification systems can be rigid and inflexible, making it difficult to adapt to changing business needs or new types of data.
6. False sense of security: Implementing an information classification system may give organizations a false sense of security, leading them to overlook other important security controls and best practices.
7. Maintenance: Information classification should be reviewed and updated frequently; if not, it can become outdated and ineffective.

Uses of Information Security:
Information security has many uses, including:
1. Confidentiality: Keeping sensitive information confidential and protected from unauthorized access.
2. Integrity: Maintaining the accuracy and consistency of data, even in the presence of malicious attacks.
3. Availability: Ensuring that authorized users have access to the information they need, when they need it.
4. Compliance: Meeting regulatory and legal requirements, such as those related to data privacy and protection.
5. Risk management: Identifying and mitigating potential security threats to prevent harm to the organization.
6. Disaster recovery: Developing and implementing a plan to quickly recover from data loss or system failures.
7. Authentication: Verifying the identity of users accessing information systems.
8. Encryption: Protecting sensitive information from unauthorized access by encoding it into a secure format.
9. Network security: Protecting computer networks from unauthorized access, theft, and other types of attacks.
10. Physical security: Protecting information systems and the information they store from theft, damage, or destruction by securing the physical facilities that house these systems.

Issues of Information Security:
Information security faces many challenges and issues, including:
1. Cyber threats: The increasing sophistication of cyber attacks, including malware, phishing, and ransomware, makes it difficult to protect information systems and the information they store.
2. Human error: People can inadvertently put information at risk through actions such as losing laptops or smartphones, clicking on malicious links, or using weak passwords.
3. Insider threats: Employees with access to sensitive information can pose a risk if they intentionally or unintentionally cause harm to the organization.
4. Legacy systems: Older information systems may not have the security features of newer systems, making them more vulnerable to attack.
5. Complexity: The increasing complexity of information systems and the information they store makes it difficult to secure them effectively.
6. Mobile and IoT devices: The growing number of mobile devices and internet of things (IoT) devices creates new security challenges, as they can be easily lost or stolen and may have weak security controls.
7. Integration with third-party systems: Integrating information systems with third-party systems can introduce new security risks, as the third-party systems may have security vulnerabilities.
8. Data privacy: Protecting personal and sensitive information from unauthorized access, use, or disclosure is becoming increasingly important as data privacy regulations become more strict.
9. Globalization: The increasing globalization of business makes it more difficult to secure information, as data may be stored, processed, and transmitted across multiple countries with different security requirements.

Reference:
Here are some recommended reference materials for information security:
1. "Handbook of Information Security, Volume 1", edited by Hossein Bidgoli.
2. "Information Security Principles and Practice" by Mark Stanislav and Mark Merkow.
3. "Computer Security Fundamentals" by Chuck Easttom.
4. "Cybersecurity and Cyberwar: What Everyone Needs to Know" by P.W. Singer and Allan Friedman.
5. The National Institute of Standards and Technology (NIST) Cybersecurity Framework.
6. ISO/IEC 27001 Information Security Management Systems Standard.
7. SANS Institute, which offers a variety of information security resources and training programs.
8. OWASP Foundation, which provides information and tools to help organizations improve their application security.

3. Critical Characteristics of Information

The value of information comes from the characteristics it possesses.

1. Availability
Allows people to access information without being interrupted or obstructed, and in the format they desire. The data is said to be accessible to an authorized user when and where it is needed, in the correct format.
Example: High-availability systems strive to be available at all times, avoiding service interruptions caused by power outages, hardware failures, or system updates.

2. Accuracy
Free of errors or omissions, and providing the value that the end-user expects. Information is no longer accurate if it has a value that differs from the user's expectations due to purposeful or unintentional content alteration.
Example: When we requested data in the past, we input exactly what we wanted, and the data should be returned without any errors, so we can say our data is correct (free from errors).

3. Authenticity
The quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.
Example (Verification or Validation): Whoever created that account is authenticated, which means they have access to the system or website and can perform any function because they are authenticated users.

4. Confidentiality (Privacy or Secrecy)
The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
Example: Access control mechanisms such as two-factor authentication, passwordless sign-on, and other access restrictions all promote confidentiality, but it's not just about letting authorized people in; it's also about keeping some files inaccessible.

5. Integrity
The quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
Example: When an employee deletes important data files, a computer virus infects a computer, an employee is able to modify his own salary in a payroll database, an unauthorized user vandalizes a website, someone is able to cast a large number of votes in an online poll, and so on, there is a breach of integrity.

6. Utility
The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end-user, it is not useful.
Example: Assume that my knowledge is in a foreign language that no one will comprehend, implying that it has no value and is useless.

7. Possession (Ownership)
The quality or state of having ownership or control.
Example: In essence, someone will be in charge of it.

4. NSTISSC Security Model

NSTISSC: National Security Telecommunications and Information Systems Security Committee document. It is now called the National Training Standard for Information Security Professionals. The NSTISSC Security Model provides a more detailed perspective on security. While the NSTISSC model covers the three dimensions of information security, it omits discussion of detailed guidelines and policies that direct the implementation of controls. The 3 dimensions of each axis become a 3x3x3 cube with 27 cells representing areas that must be addressed to secure today's information systems. To ensure system security, each of the 27 cells must be properly addressed during the security process. For example, the intersection between the technology, integrity and storage areas requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage.

[Figure 1.4.1: NSTISSC Security Model. Cube axes: Confidentiality / Integrity / Availability; Storage / Processing / Transmission.]

Understanding the technical aspects of information security requires that you know the definitions of certain information technology terms and concepts. In general, security is defined as "the quality or state of being secure—to be free from danger." Security is often achieved by means of several strategies usually undertaken simultaneously or used in combination with one another.

NSTISSC Security Model: National Security Telecommunications and Information Systems Security Committee. It is now called the National Training Standard for Information Security Professionals. This security model is a comprehensive model of InfoSec known as the McCumber cube, created in 1991 and named after its developer, John McCumber. It is becoming standard to determine the characteristics, location, and security of the information. It is a three-dimensional model. These three dimensions are represented in a cube with 27 cells, each cell representing one aspect of information.
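The rule that each of the 27 cells must be addressed can be checked mechanically. As an added example (not from the lecture notes), the script below enumerates the cube from the model's three axes (confidentiality/integrity/availability, storage/processing/transmission, policy/education/technology), tags each control in a constructed inventory with the cells it covers, and lists the cells no control addresses; the inventory and function names are this example's own.

```python
"""Coverage check over the 27 cells of the NSTISSC / McCumber cube.

Each control is tagged (goal, state, measure); "*" on an axis means the
control applies to every value on that axis (e.g. a policy that covers
all goals and all states).  The check reports cells left uncovered.
"""
from itertools import product

# The three axes of the McCumber cube.
GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
MEASURES = ("policy", "education", "technology")

ALL_CELLS = frozenset(product(GOALS, STATES, MEASURES))  # 3 x 3 x 3 = 27


def expand(goal, state, measure):
    """Yield the concrete cells a control tag covers, expanding "*" wildcards.
    Raises ValueError for a value that is not on the cube's axes."""
    g = GOALS if goal == "*" else (goal,)
    s = STATES if state == "*" else (state,)
    m = MEASURES if measure == "*" else (measure,)
    for cell in product(g, s, m):
        if cell not in ALL_CELLS:
            raise ValueError(f"unknown cell {cell}")
        yield cell


def coverage(controls):
    """Map every cell to the names of the controls that address it."""
    covered = {cell: [] for cell in ALL_CELLS}
    for name, tag in controls:
        for cell in expand(*tag):
            covered[cell].append(name)
    return covered


def uncovered_cells(controls):
    """Sorted list of cells that no control addresses (the gaps to close)."""
    return sorted(cell for cell, names in coverage(controls).items() if not names)


# Constructed control inventory (hypothetical, for illustration only).
SAMPLE_CONTROLS = [
    # the notes' own example: host intrusion detection uses technology to
    # protect the integrity of information while in storage
    ("host intrusion detection", ("integrity", "storage", "technology")),
    ("full-disk encryption", ("confidentiality", "storage", "technology")),
    ("TLS on all links", ("confidentiality", "transmission", "technology")),
    ("TLS record MACs", ("integrity", "transmission", "technology")),
    ("redundant servers", ("availability", "*", "technology")),
    ("acceptable-use policy", ("*", "*", "policy")),
    ("security awareness training", ("*", "*", "education")),
]

if __name__ == "__main__":
    gaps = uncovered_cells(SAMPLE_CONTROLS)
    print(f"{27 - len(gaps)} of 27 cells covered")
    for cell in gaps:
        print("uncovered:", " / ".join(cell))
```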
The cells that can be represented are the below:
+ Confidentiality, Integrity, Availability
+ Policy, Education, Technology
+ Storage, Processing, Transmission

The McCumber Cube in Figure 1-5 shows three dimensions; each axis has three elements, so together they form a 3x3x3 cube with 27 cells representing areas that must be addressed to secure today's information systems. Each of the 27 areas must be properly addressed during the security process. For example, the intersection between technology, integrity, and storage requires a control or safeguard that addresses the need to use technology to protect the integrity of information while in storage. One such control might be a host intrusion detection system that protects the integrity of information by alerting the security administrators to the potential modification of critical files.

[Figure 1-5 NSTISSC Security Model: the same cube, axes Confidentiality / Integrity / Availability and Storage / Processing / Transmission]

What is commonly left out of such a model is the need for guidelines and policies that provide direction for the practices and implementations of technologies.

5. Components of an Information System
+ Software
+ Hardware
+ Data
+ People
+ Procedures
+ Networks

Software
The software components of an Information System (IS) comprise applications, operating systems, and assorted command utilities. Software programs are the vessels that carry the lifeblood of information through an organization. These are often created under the demanding constraints of project management, which limit time, cost, and workforce.

Hardware
Hardware is the physical technology that executes the software, stores and carries the data, and provides interfaces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of these physical assets from harm or theft.
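The host intrusion detection control named for the (technology, integrity, storage) cell of the cube amounts to a file integrity check. The Python below is an added example, not from these notes: it baselines SHA-256 digests of constructed sample files in a temporary directory and then reports files that were modified or removed, using the payroll-edit integrity breach from the characteristics section as the tampering scenario.

```python
"""File integrity check for the (technology, integrity, storage) cube cell.

Added example, not from the lecture notes: a host-based control that
alerts administrators when critical files change. File names and their
contents below are constructed sample data.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record {path: digest} for the critical files.  In practice the baseline
    itself must be stored where the monitored host cannot rewrite it
    (read-only media or a separate server); otherwise whoever can alter
    the files can also alter the baseline and hide the change."""
    return {str(Path(p)): file_digest(p) for p in paths}


def check_integrity(baseline):
    """Compare the current state of every baselined file to its recorded digest.

    Returns a list of (path, status) with status 'modified' or 'missing';
    unchanged files are not reported.  Plain != is fine here: digests are not
    secrets, so a timing-safe comparison is not needed."""
    findings = []
    for path, recorded in baseline.items():
        if not Path(path).is_file():
            findings.append((path, "missing"))
        elif file_digest(path) != recorded:
            findings.append((path, "modified"))
    return findings


def demo():
    """Constructed scenario: baseline two files, then tamper with one and
    delete the other.  Returns [(file name, status), ...]."""
    with tempfile.TemporaryDirectory() as d:
        conf = Path(d) / "app.conf"
        payroll = Path(d) / "payroll.csv"
        conf.write_text("debug=false\n")
        payroll.write_text("alice,5000\nbob,5200\n")
        baseline = build_baseline([conf, payroll])

        # An employee edits his own salary and the config file is removed.
        payroll.write_text("alice,5000\nbob,9999\n")
        conf.unlink()

        return [(Path(p).name, status) for p, status in check_integrity(baseline)]


if __name__ == "__main__":
    for name, status in demo():
        print(f"ALERT: {name} {status}")
```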
Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of any information system. Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible.

Data
Data stored, processed, and transmitted through a computer system must be protected. Data is often the most valuable asset possessed by an organization and is the main target of intentional attacks.
+ Data: the raw, unorganized, isolated, potentially useful facts and figures that are later processed and manipulated to produce information.

People
There are many roles for people in information systems; common ones include:
+ System Analyst
+ Programmer
+ Technician
+ Engineer
+ Network Manager
+ MIS (Manager of Information Systems)
+ Data Entry Operator

Procedures
A procedure is a series of documented actions taken to achieve something. A procedure is more than a single simple task. A procedure can be quite complex and involved, such as performing a backup, shutting down a system, or patching software.

Networks
+ When information systems are connected to form Local Area Networks (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge.
+ Steps to provide network security are essential, as is the implementation of alarm and intrusion systems to make system owners aware of ongoing compromises.

Components of an Information System
An information system is a combination of hardware, software and telecommunication networks that people build to collect, create and distribute useful data, typically in an organization. It defines the flow of information within the system.
The objective of an information system is to provide appropriate information to the user: to gather the data, process the data and communicate information to the user of the system.

[Figure: resources of an Information System: Computer Hardware, Computer Software, Computer Networks, Database, Human Resources]

1. Computer Hardware: Physical equipment used for input, output and processing. The hardware structure depends upon the type and size of the organization. It consists of input and output devices, operating system, processor, and media devices. This also includes computer peripheral devices.
2. Computer Software: The programs/application programs used to control and coordinate the hardware components. It is used for analysing and processing the data. These programs include a set of instructions used for processing information. Software is further classified into three types: (1) System Software, (2) Application Software, (3) Procedures.
3. Databases: Data are the raw, unorganized facts and figures that are later processed to generate information. Software is used for organizing and serving data to the user and for managing physical storage media and virtual resources. Just as hardware cannot work without software, software needs data for processing. Data are managed using a Database Management System. Database software is used for efficient access to required data, and to manage knowledge bases.
4. Networks: refer to telecommunication networks like the intranet, extranet and the Internet.
+ These resources facilitate the flow of information in the organization.
+ Networks consist of both physical devices such as network cards, routers, hubs and cables, and software such as operating systems, web servers, data servers and application servers.
+ Telecommunications networks consist of computers, communications processors, and other devices interconnected by communications media and controlled by software.
+ Networks include communication media and network support.
5. Human Resources: Associated with the manpower required to run and manage the system. People are the end users of the information system; end users use the information produced for their own purposes, and the main purpose of the information system is to benefit the end user. End users can be accountants, engineers, salespersons, customers, clerks, managers, etc. People are also responsible for developing and operating information systems. They include systems analysts, computer operators, programmers, other clerical IS personnel, and managerial staff.

Balancing Information Security and Access
+ Information security cannot be absolute: it is a process, not a goal.
+ Must provide the security while also keeping it feasible to access the information for its application.
+ Should balance protection and availability.

Approaches to Information Security Implementation
+ Bottom-up approach
+ Top-down approach: it has a higher probability of success.
  + The project is initiated by upper-level managers who issue policy, procedures and processes.
  + They dictate the goals and expected outcomes of the project.
  + They determine who is suitable for each of the required actions.

Principle of Information System Security
Information System Security, or INFOSEC, refers to the process of providing protection to computers, networks and the associated data. With the advent of technology, the more information is stored over wide networks, the more crucial it becomes to protect it from unauthorized parties who might misuse it. Every organisation has data sets that contain confidential information about its activities. The major reason for providing security to information systems is not one fold but three fold:
1. Confidentiality
2. Integrity
3. Availability
Together, these tiers form the CIA triangle, which has come to be known as the foremost necessity of securing an information system. These three levels justify the principle of information system security. Let us go through them one by one:

1. Confidentiality: The main essence of this feature lies in the fact that only authorized personnel should be allowed access to the data and system. Unauthorised individuals must be kept away from the information. This is ensured by checking the authorisation of every individual who tries to access the database. For example, an organisation's administration must not be allowed to access the private information of the employees.
2. Integrity: Integrity is ensured when the presented data is untouched or, rather, is not altered by any unauthorized party. The information can then be relied upon with eyes closed. The integrity of information can be altered in either unintentional or intentional ways. Intentionally, information can be tampered with through malicious content introduced by any individual; unintentionally, an authorized individual might himself damage the information, for example by deleting a specific important part of it.
3. Availability: This feature means that the information can be accessed and modified by authorized personnel within a given time frame. The point to be noted is that the accessibility of the information is limited. The time frame within which it can be accessed is different for every organisation.

Balancing Information Security and Access:
It is the sole purpose of the organisation to protect the interests of the users and to provide them with the appropriate amount of information whenever necessary. At the same time, it is necessary to provide adequate security to the information so that not just anyone can access it. The need for maintaining the perfect balance between information security and accessibility arises from the fact that information security can never be absolute. It would be harmful to provide free access to a piece of information, and it would be hard to restrict all access. So, one needs to make sure that the exact required balance is maintained so that both the users and the security professionals are happy.

Tools of Information Security:
There are various tools which are, or can be, used by organisations to ensure maximum information system security. These tools, however, do not guarantee absolute security but, as stated above, help in forming the crucial balance between information access and security.
1. Authentication: This is the foremost tool that needs to be kept in mind before starting the crucial process of ensuring security. Authentication is the process by which the system identifies someone using one or more factors. These factors must be unique to each user; for example, ID and password combinations, face recognition, thumb impressions, etc. These factors cannot always be trusted, as one could lose them or they might be obtained by an outsider. For these circumstances, one can use multi-factor authentication, which combines any two or more of the above factors.
2. Access Control: After ensuring that the right individual gets access, one has to make sure that only the appropriate information reaches him or her. Using access control, the system decides which user is able to read, write or modify a certain piece of information. For this it generally maintains a list of all the users. One could find two types of lists:
+ Access Control List (ACL): This is just the list of individuals who are eligible to access the information.
+ Role-Based Access Control (RBAC) list: This list comprises the names of authorized personnel and the respective actions they are authorized to perform on the information.
3. Encryption: Sometimes the information is transmitted over the Internet, so the risk of anyone accessing it increases, and the tools have to be strong to prevent that.
In this scenario, the information can be easily accessed and modified by anyone. To avoid this, a new tool is put to work: encryption. Using encryption, one can turn the confidential information into unreadable characters that are difficult to decrypt, so that only the authorised receivers of the information can read it easily.

SDLC (Waterfall methodology)
SDLC is a methodology for the design and implementation of an information system in an organization.
+ A methodology is a formal approach to solving a problem based on a structured sequence of procedures. (Retrieved from Whitman & Mattord, 2010, p. )
SDLC consists of 6 phases:
1. Investigation
2. Analysis
3. Logical Design
4. Physical Design
5. Implementation
6. Maintenance

Principle of Information System Security: Security System Development Life Cycle

INTRODUCTION:
The Security System Development Life Cycle (SSDLC) is a framework used to manage the development, maintenance, and retirement of an organization's information security systems. The SSDLC is a cyclical process that includes the following phases:
1. Planning: During this phase, the organization identifies its information security needs and develops a plan to meet those needs. This may include identifying potential security risks and vulnerabilities, and determining the appropriate controls to mitigate those risks.
2. Analysis: During this phase, the organization analyzes its information security needs in more detail and develops a detailed security requirements specification.
3. Design: During this phase, the organization designs the security system to meet the requirements developed in the previous phase. This may include selecting and configuring security controls, such as firewalls, intrusion detection systems, and encryption.
4. Implementation: During this phase, the organization develops, tests, and deploys the security system.
5. Maintenance: After the security system has been deployed, it enters the maintenance phase, where it is updated, maintained, and tweaked to meet the changing needs of the organization.
6. Retirement: Eventually, the security system will reach the end of its useful life and will need to be retired. During this phase, the organization will plan for the replacement of the system and ensure that data stored in it is properly preserved.

The SSDLC is a useful framework for managing the development, maintenance, and retirement of an organization's information security systems. It helps to ensure that security systems meet the needs of the organization and are developed in a structured and controlled manner. This can help organizations protect their sensitive information, maintain compliance with relevant regulations, and keep their data and systems safe from cyber threats.

The Security System Development Life Cycle (SecSDLC) is defined as the set of procedures that are executed in sequence within the software development life cycle (SDLC). It is designed so that it can help developers create software and applications in a way that significantly reduces security risks at later stages, starting from the very beginning. The SecSDLC is similar to the Software Development Life Cycle (SDLC), but they differ in terms of the activities carried out in each phase of the cycle. SecSDLC eliminates security vulnerabilities: its process involves identification of threats and the risks they impose on a system, as well as the implementation of the security controls needed to counter, remove and manage the risks involved. In the SDLC process, by contrast, the focus is mainly on the design and implementation of an information system.

Phases involved in SecSDLC are:
+ System Investigation: This process is started by the officials/directives working at the top level of management in the organization.
The objectives and goals of the project are considered beforehand in order to execute this process. An Information Security Policy is defined which contains descriptions of the security applications and programs installed, along with their implementations in the organization's system.
+ System Analysis: In this phase, detailed analysis of the documents from the System Investigation phase is done. Already existing security policies, applications and software are analyzed in order to check for flaws and vulnerabilities in the system. Upcoming threat possibilities are also analyzed. Risk management comes under this phase.
+ Logical Design: The Logical Design phase deals with the development of the tools and blueprints that are involved in the various information security policies, their applications and software. Backup and recovery policies are also drafted in order to prevent future losses. The steps the business takes in case of a disaster are also planned. The decision whether to outsource the company project is made in this phase: it is analyzed whether the project can be completed within the company itself or needs to be sent to another company for the specific task.
+ Physical Design: The technical teams acquire the tools and blueprints needed for the implementation of the software and application of the system security. During this phase, different solutions are investigated for any unforeseen issues which may be encountered in the future. They are analyzed and written down in order to cover most of the vulnerabilities that were missed during the analysis phase.
+ Implementation: The solution decided in earlier phases is made final, whether the project is in-house or outsourced. Proper documentation of the product is provided in order to meet the requirements specified for the project.
The implementation and integration process of the project is carried out with the help of various teams aggressively testing whether the product meets the system requirements specified in the system documentation.
+ Maintenance: After the implementation of the security program, it must be ensured that it is functioning properly and is managed accordingly. The security program must be kept up to date in order to counter new threats that may have been left unseen at the time of design.
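The two kinds of access control list described under Tools of Information Security (ACL and RBAC), as an added example in Python that is not part of these notes. Users, resources, roles and actions are constructed sample data; both checks deny by default, and the RBAC rules are set so that an ordinary employee cannot write to the payroll database, the integrity breach used earlier in the notes.

```python
"""ACL versus role-based access control (RBAC), both deny-by-default.

Added example, not from the lecture notes.  All users, resources, roles
and actions below are constructed sample data.
"""

# Access Control List: for each resource, the set of users eligible to
# access it.  An ACL says who may touch a resource, not what they may do.
ACL = {
    "payroll.db": {"alice", "hr_service"},
    "website/index.html": {"alice", "bob", "carol"},
}


def acl_allows(acl, user, resource):
    """True only if the user is listed for that resource.
    A resource with no entry has an empty list, so it is denied to everyone."""
    return user in acl.get(resource, set())


# RBAC: permissions are attached to roles, and users are assigned roles.
# Each permission is a (resource, action) pair the role may perform.
ROLE_PERMISSIONS = {
    "payroll_admin": {("payroll.db", "read"), ("payroll.db", "write")},
    "employee": {("payroll.db", "read_own")},
    "web_editor": {("website/index.html", "read"), ("website/index.html", "write")},
    "viewer": {("website/index.html", "read")},
}
USER_ROLES = {
    "alice": {"payroll_admin", "viewer"},
    "bob": {"employee", "web_editor"},
    "carol": {"viewer"},
}


def rbac_allows(user, resource, action,
                user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """True if any role held by the user grants (resource, action).
    Unknown users, unknown roles and unknown actions all fall through to deny."""
    return any((resource, action) in role_permissions.get(role, set())
               for role in user_roles.get(user, set()))


def who_can(resource, action,
            user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Audit helper: sorted list of users permitted to perform the action.
    Reviewing this list for sensitive actions is how over-broad roles are found."""
    return sorted(u for u in user_roles
                  if rbac_allows(u, resource, action, user_roles, role_permissions))


if __name__ == "__main__":
    # bob is on the website ACL, but the ACL alone cannot say whether he may
    # edit it; RBAC answers that, and also blocks him from writing payroll.
    print("bob on website ACL:", acl_allows(ACL, "bob", "website/index.html"))
    print("bob may write website:", rbac_allows("bob", "website/index.html", "write"))
    print("bob may write payroll:", rbac_allows("bob", "payroll.db", "write"))
    print("who may write payroll:", who_can("payroll.db", "write"))
```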
