Running head: Principles of Information Security 1

weepingwaterpick, Security

23 Feb 2014


Principles of Information Security

Vishal Vijay Bedre

Ferris State University









Organizational Information Security

What is Security?

The general definition of security is the "quality or state of being secure, to be free from danger". Security matters for every living and non-living thing. In order to protect such things, people do many things, such as building homes and offices, appointing security guards, installing burglar alarms, carrying weapons, and many more.



What is Organizational Information Security?

Information security is basically safeguarding an organization's data from unauthorized access or modification to ensure its availability, confidentiality, and integrity. In order to protect organizational information, the organization must adopt several methods and advanced techniques.


Why information security is necessary:

Data is the backbone of an organization. Every organization holds sensitive information such as employee records, salary information, financial results, and business plans for the year ahead. Some organizations may also hold trade secrets, research, and other information that gives them a competitive edge. Such confidential information, used for performing major operations and processes at the organizational level, should be protected and cared for so that it does not get stolen. On the other hand, individuals usually hold sensitive personal information on their home computers and typically perform online functions such as banking, shopping, and social networking, sharing their sensitive information with others over the internet.

As the volume of information grows and the use of electronic transactions by organizations increases, it has become a big challenge to protect personal information. The risk of unauthorised access increases, and we are presented with growing challenges of how best to protect it.

Characteristics of Information Security:

In order to protect information, its core characteristics should be preserved. The core principles of information security are listed as follows:

Confidentiality: Confidentiality of information ensures that only those with sufficient privileges may access certain information.

Integrity: Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is compromised when it is exposed to corruption, damage, destruction, or other disruption of its authentic state.

Availability: Availability is making information accessible to users without interference or obstruction, in the required format. "Availability means availability to authorized users."

Privacy: The information that is collected, used, and stored by an organization is intended only for the purposes stated by the data owner at the time it was collected. Privacy means that information is used only for purposes known to the data owner.

Identification: An information system possesses the characteristic of identification when it is able to recognize individual users. Identification is the first step in gaining access to protected information, and it serves as the foundation for subsequent authentication and authorization.

Authentication: Authentication occurs when a control provides proof that a user possesses the identity that he or she claims.

Authorization: Once the user has been authenticated, the next process is called authorization. Authorization provides assurance that the user has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset.

Accountability: Accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process.

Areas of information security at an organization:

Physical security, operations security, communications security, and network security are the specialized areas of security.

Physical security: It includes strategies to protect people, physical assets, and the workplace from various threats.

Operations security: It concentrates on securing the organization's ability to carry out its operational activities without interruption or compromise.

Communications security: It focuses on the protection of an organization's communication media, technology, and content, and its ability to use these tools to achieve the organization's objectives.

Network security: It addresses the protection of an organization's data networking devices, connections, and contents, and the ability to use that network to accomplish the organization's data communication functions.

Who is responsible:

Several managers, officers, technicians, administrators, consultants, and communities work for the organization in order to protect information. Their responsibilities and functions are listed below:

Chief Information Security Officer (CISO): The top information security position in the organization, not usually an executive, and frequently reports to the Chief Information Officer (CIO). The functions of the CISO are as follows:

1. The CISO is responsible for managing the overall InfoSec program, and drafts or approves the information security policies for the organization.

2. The CISO works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans.

3. The CISO develops InfoSec budgets based on funding and sets priorities for InfoSec projects and technology.

4. The CISO makes decisions in recruiting, hiring, and firing of security staff, and acts as the spokesperson for the security team.

Security Manager: Security managers are accountable for the day-to-day operation of the information security program. They resolve issues identified by the technicians and accomplish objectives identified by the CISO. Security managers are regularly assigned specific managerial duties such as policy development, risk assessment, contingency planning, and operational and tactical planning for the security function. They regularly work with other department managers in order to take major decisions inside the organization.



Security Technician: Security technicians are technically qualified individuals responsible for configuring security hardware and software such as firewalls and IDPS, implementing security software, diagnosing and troubleshooting problems, and coordinating with system and network administrators to ensure that security technology is properly implemented.

Security Administrator: Security administrators perform the tasks of both a security technician and a security manager. They are also responsible for managing the day-to-day operations of security technology, and they assist in the development and conduct of training programs as well as policy.

Security officers: Security officers are responsible for guarding the organizational assets and data, logically as well as physically.

Security Consultant: A security consultant is an independent expert in some aspect of information security. He or she is usually brought in when the organization makes the decision to outsource one or more aspects of its security program. Consultants are usually highly proficient in the managerial aspects of security; they usually enter the field after working as experts in the discipline and often have experience as a security manager or CISO.



Other position titles:

1. Information security community: This community is responsible for protecting information assets from threats. Several posts in the organization work for this community: InfoSec department manager, InfoSec engineer, and internal InfoSec consultant.

2. IT community: This community is responsible for supporting business objectives by supplying appropriate information technology. Several posts in the organization work for this community: CIO, computer operator, help desk associate, telecommunication manager, system programmer, and database administrator.

3. General business community: This community is responsible for articulating and communicating policy and allocating resources. Several posts in the organization work for this community: physical security department manager, physical assets protection specialist, building and facilities guard, and office maintenance worker.

How one can protect the organization's information:

In order to protect information, the organization must focus on and adopt the following techniques and methods:

People: People are the weakest link in an organization when it comes to protecting information. If an organization wants to secure its information, it needs to give security education and training to each and every employee. Each employee should know the concepts of dumpster diving and social engineering, and the drawbacks of social networking sites.

Implementing a strong security policy: The policy is a written document that states how a company plans to protect the company's physical and information technology (IT) assets.

Biometric authentication method: The biometric authentication method is an electronic identification technique that identifies an individual on the basis of his or her unique biological or physiological characteristics, such as fingerprint, hand and palm print, voice signature, iris or retinal patterns, and facial geometry.



Installing firewalls: A firewall is a device that prevents a specific type of information from moving between the untrusted network and the trusted network. It may be a separate system, a service running on an existing router or server, or a separate network containing a number of supporting devices.

http://www.linuxtopia.org/LinuxSecurity/LinuxSecurity_Firewall_WhatIs.html



Packet filtering firewalls: Packet filtering firewalls are network devices that filter packets by examining every incoming and outgoing packet header. One can configure a packet filtering firewall to filter based on IP address, type of packet, port request, and other elements present in the packet.

Application-level firewalls: An application firewall is typically built to monitor one or more specific applications or services, such as web or database services.

Stateful inspection firewalls: This is the third generation of firewall and consists of enhanced features. It monitors each network connection established between internal and external systems using state tables. State tables track the state and context of each exchanged packet by recording which station sent which packet and when.

Screened subnet or host firewall system: This firewall consists of a packet filtering router with a separate, dedicated firewall such as an application proxy server. This approach allows the router to screen packets to minimize the network traffic and load on the internal proxy.
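As an added example (not part of the original paper), the following Python sketch shows the difference between the packet filtering and stateful inspection firewalls described above: a stateless rule table keyed on direction, protocol and port, and a state table that records which station opened each connection and when, so that replies are allowed only for flows the trusted side initiated and stale entries expire. The trusted network, rule table and packet sequence are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed packet model: the header fields a filter examines (addresses,
# protocol or "type of packet", ports), plus a SYN flag and an arrival time.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # True only for the packet that opens a TCP connection
    ts: float = 0.0     # arrival time in seconds

# Hypothetical trusted network and rule table (assumptions, not from the essay).
# Rule = (direction, proto, destination port, action); "out" means trusted -> untrusted.
TRUSTED = ip_network("10.0.0.0/8")
RULES = [
    ("out", "tcp", 443, "allow"),    # internal hosts may open HTTPS sessions
    ("in", "tcp", 25, "allow"),      # inbound mail delivery is permitted
    ("in", "tcp", 3389, "deny"),     # remote desktop is never reachable from outside
]

class StatefulFirewall:
    def __init__(self, idle_timeout=60.0):
        self.state = {}              # state table: flow key -> (initiator, last seen)
        self.idle_timeout = idle_timeout

    @staticmethod
    def packet_filter(pkt):
        """Stateless packet filtering: first rule matching direction/proto/port wins."""
        direction = "out" if ip_address(pkt.src) in TRUSTED else "in"
        for rdir, proto, dport, action in RULES:
            if direction == rdir and pkt.proto == proto and pkt.dport == dport:
                return action
        return "deny"                # default deny when no rule matches

    def filter(self, pkt):
        """Stateful inspection: consult the state table before the rule table."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        for k in (key, reverse):     # does the packet belong to a recorded flow?
            if k in self.state:
                initiator, last_seen = self.state[k]
                if pkt.ts - last_seen <= self.idle_timeout:
                    self.state[k] = (initiator, pkt.ts)   # refresh the "when"
                    return "allow"
                del self.state[k]    # stale entry: treat the packet as a new flow
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"            # unsolicited mid-stream packet with no state
        action = self.packet_filter(pkt)
        if action == "allow":
            self.state[key] = (pkt.src, pkt.ts)   # record who opened the flow and when
        return action

def run_demo():
    # Constructed packet sequence; returns the firewall's decision for each packet.
    fw = StatefulFirewall()
    return [
        fw.filter(Packet("10.0.0.5", "203.0.113.9", "tcp", 51000, 443, syn=True, ts=1.0)),
        fw.filter(Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 51000, ts=1.2)),
        fw.filter(Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 51001, ts=1.3)),
        fw.filter(Packet("198.51.100.7", "10.0.0.5", "tcp", 40000, 3389, syn=True, ts=2.0)),
        fw.filter(Packet("198.51.100.7", "10.1.1.25", "tcp", 40001, 25, syn=True, ts=2.5)),
    ]
```

The second packet is allowed only because the first one created state; the third, which differs by a single port number, has no matching state and is dropped.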



Intrusion detection and prevention system: An IDPS works like a burglar alarm. The alarm can take different forms, such as audible, via email, or numerical or text paging, depending on how the IDPS is configured. It can be configured like a burglar alarm in order to notify an external organization. There are different types of intrusion detection and prevention systems; some of them are listed below:


http://www.cs.bham.ac.uk/~mdr/teaching/modules03/security/students/SS1/handout/handout.html



Host-based: A host-based IDPS works by configuring and classifying various categories of system and data files. This IDPS is mostly configured on a host and monitors only activities on that host. It looks for changes in file attributes such as create, modify, and delete.

Network-based: A network-based IDPS monitors network traffic. It looks for patterns of network traffic, such as large collections of related traffic that can indicate a denial of service attack, or a series of related packets that could indicate a port scan in progress.

Signature-based: It works like antivirus software. It examines data traffic for something that matches the signatures, which comprise preconfigured, predetermined attack patterns.

Statistical anomaly-based IDPS: It collects data from normal traffic and establishes a baseline. It then periodically samples network activity, using statistical methods, and compares the sample to the baseline. When activity falls outside the baseline parameters, the IDPS notifies the administrator.
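The signature-based and statistical anomaly-based approaches above, as an added Python example that is not from the original paper: one function matches payloads against preconfigured attack patterns, and a small detector learns a baseline of distinct destination ports per source from normal traffic and flags a sample that falls far outside it (the port-scan shape the network-based item mentions). All traffic, signatures and threshold values are constructed.

```python
import re
from statistics import mean, pstdev

# Constructed sample of network events (source IP, destination port, payload
# fragment) standing in for captured traffic; not real data.
SAMPLE_TRAFFIC = [
    ("10.0.0.8", 80, "GET /index.html HTTP/1.1"),
    ("10.0.0.8", 80, "GET /about.html HTTP/1.1"),
    ("10.0.0.9", 443, ""),
    ("198.51.100.4", 80, "GET /login.php?user=' OR '1'='1 HTTP/1.1"),
] + [("203.0.113.7", p, "") for p in range(20, 45)]   # one host touching 25 ports

# Signature-based detection: preconfigured attack patterns, as in antivirus software.
SIGNATURES = {
    "sql-injection-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

def signature_matches(traffic):
    """Return (source, signature name) for every payload matching a known pattern."""
    hits = []
    for src, _port, payload in traffic:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                hits.append((src, name))
    return hits

# Statistical anomaly detection: learn a baseline of distinct ports per source from
# normal traffic, then flag sources whose sample lies far outside that baseline.
def distinct_ports_per_source(traffic):
    ports = {}
    for src, port, _payload in traffic:
        ports.setdefault(src, set()).add(port)
    return {src: len(p) for src, p in ports.items()}

class AnomalyDetector:
    def __init__(self, normal_traffic, threshold_sigmas=3.0):
        counts = list(distinct_ports_per_source(normal_traffic).values())
        self.mean = mean(counts)
        self.sigma = pstdev(counts) or 1.0   # avoid a zero-width baseline
        self.threshold = threshold_sigmas

    def anomalies(self, sampled_traffic):
        """Sources whose distinct-port count exceeds mean + k*sigma."""
        flagged = []
        for src, count in distinct_ports_per_source(sampled_traffic).items():
            if (count - self.mean) / self.sigma > self.threshold:
                flagged.append((src, count))
        return flagged

# Constructed baseline: ordinary hosts each use one or two destination ports.
NORMAL_TRAFFIC = [("10.0.0.%d" % i, 80, "") for i in range(1, 11)] + \
                 [("10.0.0.%d" % i, 443, "") for i in range(1, 6)]

def run_demo():
    detector = AnomalyDetector(NORMAL_TRAFFIC)
    return signature_matches(SAMPLE_TRAFFIC), detector.anomalies(SAMPLE_TRAFFIC)
```

With this baseline (mean 1.5 ports, standard deviation 0.5) a source needs more than three distinct ports to be flagged, so the ordinary web clients pass and only the host sweeping ports 20 to 44 is reported.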



Access control model: Access control enables the organization to restrict access to information, information assets, and other tangible assets to those with a bona fide business need. It is another way of defending information from unauthorized users. Example: giving appropriate access privileges to data for each department, such as read, write, and execute permissions.
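An added Python example (not from the original paper) that walks one access request through the identification, authentication, authorization and accountability steps listed under the characteristics above, with authorization driven by the per-department read/write/execute privileges this access control item describes. The user directory, department ACL and passwords are constructed assumptions, and the in-memory audit list stands in for a real log.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed user directory: identification recognizes a user name; the stored
# salted hash supports authentication without keeping the password itself.
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(name, department, password):
    salt = os.urandom(16)
    return {"name": name, "department": department, "salt": salt,
            "hash": _hash_password(password, salt)}

USERS = {
    "alice": make_user("alice", "finance", "correct horse battery staple"),
    "bob": make_user("bob", "engineering", "hunter2-but-longer"),
}

# Per-department privileges on each asset: the essay's read/write/execute example.
ACL = {
    "salary-data": {"finance": {"read", "write"}, "engineering": set()},
    "build-scripts": {"engineering": {"read", "write", "execute"}, "finance": {"read"}},
}

AUDIT_LOG = []   # accountability: every decision attributed to a named principal

def _record(user, asset, action, outcome):
    AUDIT_LOG.append({"when": datetime.now(timezone.utc).isoformat(),
                      "who": user, "asset": asset, "action": action, "outcome": outcome})
    return outcome

def request_access(username, password, asset, action):
    """Walk the four steps the essay lists and return the outcome as a string."""
    # 1. Identification: is this a user the system recognizes?
    user = USERS.get(username)
    if user is None:
        return _record(username, asset, action, "unknown-user")
    # 2. Authentication: does the presented secret prove the claimed identity?
    presented = _hash_password(password, user["salt"])
    if not hmac.compare_digest(presented, user["hash"]):   # constant-time compare
        return _record(username, asset, action, "authentication-failed")
    # 3. Authorization: has this department been explicitly granted the action?
    granted = ACL.get(asset, {}).get(user["department"], set())
    if action not in granted:
        return _record(username, asset, action, "denied")
    # 4. Accountability: the audit entry ties the permitted action to the person.
    return _record(username, asset, action, "allowed")
```

Note that a failed step still produces an audit entry, so denied and unauthenticated attempts are attributable too.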



Cryptography: The word cryptography is a combination of the Greek words kryptos, meaning "hidden," and graphein, meaning "to write". This method is used for securing information from unauthorized users. It includes different types of encryption and decryption operations; some of them are listed below:

http://www.garykessler.net/library/crypto.html



Common ciphers: Commonly used encryption algorithms include three functions: substitution, transposition, and XOR.

Substitution: In this function, plaintext is substituted with other text (ciphertext).

Transposition: This type of ciphering technique simply rearranges the values within a block to create ciphertext.

XOR: In this type of ciphering technique, the plaintext is XORed with a key stream.

Symmetric encryption: In this type of encryption, the encryption and decryption of data are done using the same algorithm and key.

Asymmetric encryption: In this type of encryption, the encryption and decryption of data are done using different keys (a public key and a private key).
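The three cipher functions and the symmetric round trip above, as an added Python example not from the original paper: a shift-based substitution, a keyed block transposition, and an XOR key stream, chained so that the same key material both encrypts and decrypts. The shift, permutation and key stream values are constructed, and these classical functions illustrate the operations only; they are not a modern cipher.

```python
import string

ALPHABET = string.ascii_uppercase

# Substitution: each plaintext letter is replaced by the letter `shift` places
# further along the alphabet; decryption shifts back.
def substitute(text, shift, decrypt=False):
    k = -shift if decrypt else shift
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)   # non-letters pass through unchanged
    return "".join(out)

# Transposition: rearrange the values within each block; `key` is a permutation
# giving, for each output position, which input position to take.
def transpose(text, key, decrypt=False):
    n = len(key)
    if len(text) % n:
        raise ValueError("text length must be a multiple of the block size")
    inverse = [key.index(i) for i in range(n)]   # undoes the permutation
    perm = inverse if decrypt else key
    blocks = (text[i:i + n] for i in range(0, len(text), n))
    return "".join("".join(block[p] for p in perm) for block in blocks)

# XOR: combine plaintext bytes with a repeating key stream. Applying it twice
# restores the input, so one function serves for both directions.
def xor_stream(data, keystream):
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data))

# Symmetric use: the same (shift, perm, keystream) key material is needed on
# both sides, and decryption applies the inverse operations in reverse order.
def symmetric_encrypt(plaintext, shift, perm, keystream):
    return xor_stream(transpose(substitute(plaintext, shift), perm).encode(), keystream)

def symmetric_decrypt(ciphertext, shift, perm, keystream):
    text = xor_stream(ciphertext, keystream).decode()
    return substitute(transpose(text, perm, decrypt=True), shift, decrypt=True)
```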




Virtual Private Network (VPN): It is another way of securing organizational data. VPN stands for Virtual Private Network. It is a network technology that creates a secure network connection over a public network such as the Internet, or over a private network owned by a service provider. This technology is popular in large corporations, educational institutions, and government agencies. It enables remote users to securely connect to a private network. A VPN can connect multiple sites over a large distance, just like a Wide Area Network. VPNs are often used to extend intranets worldwide to disseminate information and news to a wide user base. Organizations use VPNs to connect different branches that can be distributed across the country or around the world.

http://www.digitalworldtokyo.com/index.php/digital_tokyo/articles/remote_workers_rejoice_as_vpn_gets_speed_bump/

Some of the following advantages of VPNs drive organizations to adopt the technology: it is an inexpensive and effective way of building a private network; it gives enhanced security; it provides flexibility; it provides remote control; it provides online anonymity and better performance; it reduces costs; one can share files; one can unblock websites and bypass filters; and there is no need to change IP address when an organizational individual needs an IP address from another country.



Wireless networking protection: Wireless network protection is mandatory for an organization. Nowadays, several organizations are using wireless technology as a major communication medium. In order to protect the wireless network, the organization must adopt several techniques such as Wired Equivalent Privacy, Wi-Fi Protected Access, and WiMAX.




Scanning and analysis tools: Scanning and analysis tools are used to find vulnerabilities in systems, holes in security components, and other unsecured points in the network.

Port scanner: These utilities are used to identify computers that are active on a network, the active ports and services on those computers, the functions and roles fulfilled by the machines, and other useful information.

Vulnerability scanners: These are variants of port scanners and are used to scan the network for very detailed information. They identify exposed user names and groups, show open network shares, and expose configuration problems and other server vulnerabilities.

Packet sniffers: This tool collects and analyzes copies of packets from the network. It can provide a network administrator with valuable information to help diagnose and resolve networking issues.

Content filters: The tool that protects the organizational system from misuse and unintentional denial of service conditions is the content filter. It is a software program or hardware/software application that allows the administrator to restrict content that comes into the network.

Trap and trace: This technique is used to identify individuals who are illegally perusing the internal areas of the network.

Replicating data at different sites: This method is an effective way of securing information. If one site's data is corrupted or no longer usable, then one can use the other site's data in order to continue business operations.

http://www.openminds.co.uk/windows-solutions/data-replication/data-replicationmore-information.html



Conclusion:

Securing information is an ongoing and critical process at the organizational level. One needs to think about all aspects of information security. In order to provide a good information security system, a manager should perform a key role. He or she can provide information security by adopting different methods and advanced techniques, and also by deploying a good information security policy in the organization.






References

Michael Whitman & Herbert Mattord. (2010). Management of Information Security, 3rd Edition.

Andrew Brown, Tim Cocks, & Kumutha Swampillai. (2004). Spyware and Trojan Horses. Retrieved October 8, 2010, from: http://www.cs.bham.ac.uk/~mdr/teaching/modules03/security/students/SS1/handout/handout.html

Mark Stamp. (2006). Information Security: Principles and Practice. Retrieved October 1, 2010, from: http://books.google.com/books?id=Bh45pU0_E_4C&printsec=frontcover&dq=information+security+books&hl=en&ei=CLi7TPzTMI6gnweBq7TKDQ&sa=X&oi=book_result&ct=book-thumbnail&resnum=2&ved=0CD4Q6wEwAQ#v=onepage&q=information%20security%20books&f=false

Scott Granneman. (n.d.). Information Security Management. Retrieved October 5, 2010, from: http://www.granneman.com/downloads/infosec1intro.pdf

Rutgers State University. (March 23, 2006). Wireless Security Recommendations for Rutgers. Retrieved October 5, 2010, from: http://techdir.rutgers.edu/wireless.html

Kimberly Kiefer & others. (2004). Information Security: A Legal, Business, and Technical Handbook. Retrieved October 1, 2010, from: http://books.google.com/books?id=ahzxwsxZqiMC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false


Academic Integrity Statement

"This assignment is my/our own work. Any assistance I/we received in its preparation is acknowledged within the assignment in accordance with academic practice. If I/we used data, ideas, words, diagrams, pictures, or other information from any source, I have cited the source(s). I understand that copying text word for word from other sources without placing it in quotation marks is considered plagiarism and not acceptable even if I/we cite the source where the material was copied from. I certify that this assignment was prepared specifically for this class and has not been submitted, in whole or in part, to any other class at Ferris State University or elsewhere.

Signature ___VISHAL. V. BEDRE___________"