Information System

Security
Information System Security
 Today most of the IS are connected to internet.

 Thus they are exposed to the outside world directly.

 Threats from the outside world must be addressed.

 Damage from a non-secure IS can result in

catastrophic consequences for the organization.

 Thus organizations must investigate and evaluate the

factors that could be a threat.
 What Is Information Security???

 Protection of information systems against unauthorized access

to or modification of information, whether in storage, processing
or transit, and against the denial of service to authorized users
or

 the provision of the service to unauthorized users, including

those measures necessary to detect, document, and counter
such threats.

 Information security means making sure to provide required

information for the correct people at the correct time.
Why Information Security???
 Use of IT across businesses
 Fast growth of Internet
 Commercialization of
Internet
 Web site defacement
 Theft of confidential data
 Financial Frauds
 Legal requirements
Why Information Security???
 Increased rate of cyber crime issues.

 Cyber crime is defined as criminal activity involving

the IT infrastructure, including illegal access, illegal
interception, data interference, misuse of devices, ID
theft and electronic fraud.
Cyber Crime Techniques
 Data Scavenging
 Shoulder Surfing
 Piggy Backing
 Man In the middle
 Social Engineering
Shoulder Surfing
 Buffer overruns
 SQL injections
 Ransomware

Piggy Backing
Why Information Security???
 Cookies
 Cross Site Scripting (XSS)
 SPAM
 Denial Of Service (DOS)/ DDOS
 Virus / Worms/ Trojans
 Spyware / Adware
 Phishing
 Spoofing … … … … … … … … . . Etc.
Elements of Information Security
Three basic elements of Information Security.

 Confidentiality

 Integrity

 Availability
Confidentiality

Confidentiality: Confidentiality specifies that only the sender and

receiver should be able to access the content of message.

Fig. Attack on Confidentiality

Integrity
• Integrity means that data is protected from unauthorized changes
to ensure that it is reliable and correct. assurance that the
message is unaltered
• Integrity involves maintaining the consistency, accuracy, and
trustworthiness of data over its entire life cycle.
Availability
• Available to authorized entities for 24/7.
• Availability guarantees that systems, applications
and data are available to users when they need
them.
The most common attack that impacts  availability 
• Denial-of-service (DoS)
• Distributed Denial Of Attack (DDoS)
Authentication
• Authentication mechanisms help establish proof of identities.
• The authentication process ensures that the origin of an
electronic message or document is correctly identified
Techniques or mechanisms used for Integrity are :
1. Login passwords
2. Authentication token
3. One time Password(OTP)
4. Digital Certificate based authentication
5. Biometric Authentication
6. Kerberos
7. Single sign on (SSO)
8. Message Authentication code (MAC)
9. HMAC( hash based MAC)
10. Digital signature
 Other Elements of InfoSec

 Identification – recognition of an entity by a system.

 Authentication-Process of verifying identity.

 Accountability –Tracing activities of individual on a system.

 Authorization- Granting access or other permissions.

 Privacy- Right of individual to control the sharing of information

about him.
How to achieve Information Security???

 Information Security does not mean only installing antivirus

and firewalls.

 Information security tends to protect hardware, software,

data, procedures, records, supplies and human resources.

 Information assets are those resources that store,

transport, create, use or are information.

 Information Security is the responsibility of everyone

who can affect the security of a system.
How to achieve Information Security???

 Administrative Controls- Policies, standards,

procedures, guidelines, employee screening,
change control, Security awareness trainings.

 Technical Controls- Access controls,

encryption, Firewalls, IDS, IPS,HTTPS

 Physical Controls- controlled physical access to

resources, monitoring, no USB or CDROM etc.
 Some Good Habits

 Always use official software.

 Keep all software uptodate with patches.
 If using free software always download from original developers
site.
 Do not disclose all your information on internet sites like
orkut/Facebook.
 Use Internet with control.
 Use email properly.
 Take care while discarding your waste material.
 Use small gadgets carefully as information storage.
 Information System Security

 Vulnerability
• It is the weakness within a system. It is the degree of
exposure in view of threat.

 Threat
• A threat is a possible event that can damage or harm an
Information System.

Countermeasures
• It is a set of actions implemented to prevent threats.
 Information System Security

 Network Level Threats

 Attacker requires network access to organization systems
or networks.
 Hacking Computers, Implementing Spywares

 Information Level Threats

 Attack on the information.
 Sending fake queries to sales department
 Submitting false information.
 Creating revenge web sites.
Information System Security
 Major Security Threats to an
IS

 Computer Crimes / Abuse

 Human Error

 Failure of Hardware or Software

 Natural Disasters

 Political Disasters
Information System Security
 Computer Crime / Abuse
 Computer Viruses
 A code that performs malicious act.
 Can insert itself into other programs in a system.
 Worm is a virus that can replicate itself to other systems
using network.
 Biggest threat to personal computing.
 Trojan Horse
 A program that performs malicious or unauthorized acts.
 Distributed as a good program.
 May be hidden within a good program.
Information System Security
 Denial of Service (DoS)
 Making system unavailable to legitimate users.
 Impersonation
 Assuming someone else’s identity and enjoying his
privileges.
 Salami Technique
 Diverting small amount of money from a large number of
accounts maintained by the system.
 Small amounts go unnoticed.
 Spoofing
 Configuring a computer to assume some other computers
identity.
Information System Security
 Scavenging
 Unauthorized access to information by searching through
the remains after a job is finished.
 Dumpster diving
 Data Leakage
 Various techniques are used to obtain stored data
 SQL injection
 Error Outputs
 Wiretapping
 Tapping computer transmission lines to obtain data.
 Theft of Mobile Devices
Information System Security
 Myths, rumors and hoaxes
 Created by sending false emails to as many people as
possible.
 These may have significant impact on companies, their
reputation and business.

 Web Site Attacks

 Web site defacement
 Adding wrong information

 Increase in cyber crime rates

 Organized cyber criminals
Information System Security
 Employee Issues
 Disgruntle Employees
 Availability of hacking tools

 Social Engineering Attacks

 Sharing Passwords
 Sharing Official Systems
 Not following clean desk policy

 Rise in Mobile workers

 Use mobile devices
 Wireless access
 Lots of organization data
exposed
Classification of Threats
 Basic of the effective Security Management.

 Organization require to know the damage caused when

security incident or an attack happens.

 This helps management to decide the budget for security

related expenditures.

 Organizations can not secure everything.

 Organizations can not spend too much on security.

Classification of Threats
 Four things to be considered while evaluating
threat

 Asset
 Something of value to the organization
 Actor / Attacker
 Who or what may violate the security requirement
 Motive
 Deliberate or accidental
 Access
 How the attacker will access the asset.
Classification of Threats
 Types of
assets

 Hardware

 Software

 Information

 Systems

 People
Classification of Threats
 Classify Assets

 Tag Assets based on their value to the

organization.

 Find various threats to important assets.

 Tag threats for an asset.

 Find the threats which have maximum risk.

 Calculate the loss due to these threats.

Classification of Threats
 Cost of a threat can be calculated considering
following factors
 Productivity
 No. of employees affected
 No. of hours wasted
 Cost per hour / per employee
 Revenue
 Direct financial loss
 Future business loss
 Financial Performance
 Credit rating and stock price
 Other Expenses
 Hidden Costs
Classification of Threats
 Cost of a threat can be calculated considering
following factors
 Other Expenses
 Overtime Costs
 Travel Expenses
 Third Party costs
 Equipment Rental Costs

 Hidden Costs
 Difficult to calculate
 Cost of damaged reputation
 Loss of faith by customers, bankers or vendors
Information System Security
 The aim of the information system security is to protect
organization assets.

 If not fully protected at least limit damage to them.

 Limit access to information to authorized users only.

 Information systems controls play a crucial role to

ensure secure operations of IS.

 They safeguard the assets and the data within them.

 Information System Security

 The organization needs to develop a set of security policies,

procedures and technological measures.
 Information System Controls-
 Preventive Controls
 Prevent an error or attack

 Detective Controls
 Detect a security breach or incident

 Corrective Controls
 These control detect any error or incident and correct it.