Information can be divided into three parts: data, knowledge, and action. Data refers to
information that can be stored, such as personal data, customer information, and
accounting information. Knowledge refers to the aspects of information that are brought
in by experienced employees and cannot be stored in a tangible form. Lastly, there is
the action of sending information to someone or something through an information
system.
An information system encompasses not only data but also users and methods and is
therefore a more comprehensive concept. An information system can be defined as a
system, whether automated or manual, that comprises people, machines, and/or
methods organized to collect, process, transmit, and disseminate data that represent
user information.
There are four big changes that have happened in the world of information systems that have
affected how businesses operate: globalization, the growth of the information-based economy,
changes to the way businesses are structured, and the rise of digital companies.
Nowadays, many companies use computer systems and structured procedures that can be
easily incorporated into the global operations of the company, allowing for greater flexibility and
better alignment with the overall business objectives.
With globalization, businesses now have to deal with the challenge of protecting their
vital corporate information in the era of mobile computing. Data and information need to
be protected as businesses rely heavily on knowledge-based decisions. The internet is
a universal platform that allows any computer in the world to communicate with any
other computer. However, the web is designed to exchange unstructured information,
making it challenging for computers to understand its meaning.
Web services play an important role in the modern dynamic business world by allowing
companies to conduct business through their computer systems using the internet
infrastructure. They perform a wide range of functions, from simple requests to
complicated business processes. Web services have proven to be cost-effective and
make computer-based information systems more adaptable, productive, and flexible by
integrating components from various third-party vendors. This approach brings
efficiency, reduces maintenance costs, and increases productivity. Additionally, web
services make information available from computer systems to other applications using
well-defined standards. Overall, web services are a complementary and dominant way
to build global information systems that cater to today's business needs.
Web services provide a range of benefits for developing information systems that are of
a global nature. Some of the benefits include:
Flexibility: Web services can be used to perform simple requests as well as complex
business processes, making them highly adaptable to different business needs.
Improved productivity: Web services provide a more efficient and automated way of
performing tasks, which can increase productivity.
Easy maintenance: Web services are designed to be modular and reusable, making it
easy to maintain and update the system as business needs evolve.
Standardization: Web services use well-defined standards, which make them easy to
integrate with other applications and systems, allowing for better collaboration and
communication across the business.
When we talk about threats to an information system, we mean events that could harm
it in some way. Vulnerability is the level of risk an information system faces when it
comes to these threats. To protect against threats, we use countermeasures, which are
a set of actions implemented to prevent harm.
The following are various unethical actions that can harm an information system:
Logic bomb: Malicious instructions that stay idle until a specific event occurs.
Data diddling: Data is changed during input, often to change a database's contents.
Salami technique: Small amounts of money are diverted from many accounts.
Theft of mobile devices: Mobile devices containing sensitive information are stolen.
Computer virus:-
One of the key characteristics of computer viruses is their insidious nature. They can
often infect other programs without the user's knowledge, and may not exhibit any
obvious signs of infection until they are activated to perform their intended malicious
actions. There are two primary types of computer viruses: boot infectors and
program infectors. Boot infectors replace the contents of the first sector of the diskette
or hard disk, while program infectors copy themselves into executable files stored on
the hard disk.
To protect against computer viruses, it is important to use anti-virus software and keep it
up-to-date with regular updates. Additionally, users should practice safe browsing
habits, such as avoiding suspicious websites and not downloading files from untrusted
sources. Finally, maintaining regular backups of important data can help to mitigate the
damage caused by viruses and other types of malware.
Detective controls: These controls are designed to detect and report when errors,
omissions, and unauthorized use or entry occur. Examples of detective controls include
intrusion detection systems, audit trails, and security event monitoring.
Corrective controls: These controls are designed to correct errors, omissions, and
unauthorized users and intrusions once they are detected. Examples of corrective
controls include backups, data recovery mechanisms, and incident response plans.
Advisory policies are not mandatory but are strongly recommended. They provide
guidance and best practices for information security, and the consequences of not
following them are usually defined.
Informative policies exist to inform the reader about information security issues,
practices, and procedures. They may provide background information or explanations of
complex concepts and are not mandatory or prescriptive.
SECURITY POLICIES
The security policy should address the specific security needs and requirements of
the organization, including industry-specific regulations, as well as applicable
local, state, and federal laws.
It should outline the types of threats that the organization may face, and the
measures that are in place to protect against those threats. The security policy
should be regularly reviewed and updated to ensure that it remains relevant and
effective.
Goals of Security Engineering
The policy on passwords can be used to define attributes with which the
password must comply. It can enforce the following conditions:
In the financial sector, the Reserve Bank of India (RBI) has created a
comprehensive document that lays down a number of security-related guidelines and
strategies for banks to follow in order to offer Internet Banking.
The guidelines broadly talk about the types of risks associated with Internet banking, the
technology and security standards, legal issues involved and regulatory and supervisory
concerns.
Any bank that wants to offer Internet banking must follow these guidelines and adhere
to them as a legal necessity. The banking and finance sector companies, most serious
about security, are the major investors in security solutions, and regularly revise their
security policies following periodic audits.
security still is far behind that of European countries and the United
States
to laws, standards
The ideal approach to security is the 'onion skin' approach, in which the failure of any
security control will not leave an asset completely unprotected; this is the concept of
'defense-in-depth'. It is depicted in the following figure of security layers.
Confidentiality, Integrity, and Availability (CIA) are the three main concepts of
information security. Here's what they mean in brief:
Integrity: This is about ensuring that data is accurate, complete, and unaltered. It's
important to prevent unauthorized changes to data by making sure that only authorized
personnel can modify it. For example, if you store financial data in a database, you want
to make sure that only authorized personnel can make changes to that data.
Availability: This is about ensuring that information and systems are available when
needed. It's important to ensure that systems are running smoothly and that authorized
personnel have access to the information they need, when they need it. For example, if
you use an online service to manage your finances, you expect that it will be available
whenever you need to use it.
Non-repudiation: A method that provides proof of delivery for senders and assurance
of the sender's identity for recipients to prevent either party from denying processing
data.
Technical penetration: It is a type of security breach that occurs when a person gains
unauthorized access to a secure area or system through technical means, such as
hacking or using specialized equipment to bypass security measures.
Age: Information can lose its value over time, particularly if it becomes outdated or
irrelevant. As a result, the classification of information may be lowered if its value
decreases over time. For example, a report on market trends from several years ago
may no longer be classified as confidential if more recent information is available.
Useful life: Information can become obsolete for a variety of reasons, such as changes
in the company, new technologies, or other factors. If the information is no longer useful
or relevant, it can often be declassified.
DATA OBFUSCATION:-
Data obfuscation: Data obfuscation is a technique that is used to make data difficult to
understand or interpret, often by masking or obscuring certain parts of the data. It is not
considered a form of serious encryption, as it can be easily deciphered given enough
data. However, it can still be effective in preventing casual or opportunistic attackers
from accessing sensitive information.
Data sanitization: Data sanitization is the process of removing or masking sensitive
information from databases, documents, or other sources. The goal is to ensure that the
information cannot be accessed or used by unauthorized parties. One common method
of data sanitization is to overwrite sensitive information with false data of a similar type,
which preserves the look and feel of the data while making it more secure.
Usability: Data sanitization aims to protect sensitive information while still preserving
the usability of the database or document. This means that the data can still be
accessed and used by authorized parties, but sensitive information is protected from
unauthorized access.
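As an added example (not part of the original notes), the script below shows the sanitization method described above: sensitive fields are overwritten with false data of the same type and layout, while non-sensitive fields such as the balance stay intact so the copy remains usable. The sample records, the field names and the `MASK_KEY` secret are all constructed for the demonstration; the keyed-HMAC substitution is one way to make the fake values consistent across rows (the same customer maps to the same pseudonym) without being reversible by anyone who only sees the sanitized copy.

```python
import hashlib
import hmac
import re

# Constructed sample records for the demonstration; not real customer data.
SAMPLE_RECORDS = [
    {"name": "Alice Fernandes", "email": "alice.fernandes@example.com",
     "card": "4111-1111-1111-1111", "balance": 1520.75},
    {"name": "Bob Rao", "email": "bob.rao@example.org",
     "card": "5500 0000 0000 0004", "balance": 80.00},
    {"name": "Alice Fernandes", "email": "alice.fernandes@example.com",
     "card": "4111-1111-1111-1111", "balance": 42.10},
]

# Assumed: a secret held only by the team that runs the sanitization job.
# Keying the substitution keeps it consistent (same input -> same fake value)
# without letting anyone who sees the masked data regenerate or reverse it.
MASK_KEY = b"constructed-demo-key-change-me"

# Fields that must never reach the sanitized copy unchanged.
SENSITIVE_FIELDS = ("name", "email", "card")


def _token_digits(value: str, n: int, key: bytes = MASK_KEY) -> str:
    """Derive n decimal digits from HMAC-SHA256(key, value)."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return "".join(str(b % 10) for b in mac[:n])


def mask_card(card: str, key: bytes = MASK_KEY) -> str:
    """Replace a card number with fake digits of the same length and layout.

    The last four digits are kept (as printed receipts do) so the masked value
    still looks like a card number; separators stay where they were.
    """
    digits = re.sub(r"\D", "", card)
    if len(digits) < 8:
        raise ValueError("value does not look like a card number")
    fake = _token_digits(card, len(digits) - 4, key) + digits[-4:]
    out, i = [], 0
    for ch in card:
        if ch.isdigit():
            out.append(fake[i])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_email(email: str, key: bytes = MASK_KEY) -> str:
    """Keep the domain (useful for reporting) and replace the local part."""
    local, _, domain = email.partition("@")
    return f"user{_token_digits(local, 6, key)}@{domain}"


def mask_name(name: str, key: bytes = MASK_KEY) -> str:
    """Replace a personal name with a stable pseudonym."""
    return f"Customer {_token_digits(name, 6, key)}"


def sanitize_record(record: dict, key: bytes = MASK_KEY) -> dict:
    """Return a copy with sensitive fields replaced; other fields are kept usable."""
    out = dict(record)
    out["name"] = mask_name(record["name"], key)
    out["email"] = mask_email(record["email"], key)
    out["card"] = mask_card(record["card"], key)
    return out


def sanitize_records(records: list, key: bytes = MASK_KEY) -> list:
    return [sanitize_record(r, key) for r in records]


def verify_sanitized(original: list, sanitized: list) -> bool:
    """Check that no sensitive value survived and non-sensitive values are intact."""
    for before, after in zip(original, sanitized):
        for field in SENSITIVE_FIELDS:
            if before[field] == after[field]:
                return False
        if before["balance"] != after["balance"]:
            return False
    return True


if __name__ == "__main__":
    masked = sanitize_records(SAMPLE_RECORDS)
    for row in masked:
        print(row)
    print("clean:", verify_sanitized(SAMPLE_RECORDS, masked))
```

The `verify_sanitized` check is the step most often skipped in practice: a sanitization job should prove, over the whole output, that every sensitive field actually changed, rather than trusting that each masking function ran. Note that this is masking, not encryption: the goal is a copy that can be handed to testers or analysts, not data that anyone intends to recover.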
Crisis: A crisis is an abnormal situation that presents some extraordinary high risks to a
business and that will develop into a 'disaster' unless carefully managed. Examples of
crises include unexpected financial losses, major system failures, or other situations
that require quick and effective action to prevent the situation from escalating.
Threat: Any potential event that could cause harm or damage to the organization,
whether initiated by humans or nature.
Safeguard: A control or countermeasure put in place to reduce the risk associated with
a specific threat or group of threats.
Exposure-related terms:
Exposure factor (EF): The percentage loss that a realized threat event would have on
a specific asset.
Single Loss Expectancy (SLE): A monetary figure assigned to a single threat event.
SLE is calculated as the asset value (in monetary terms) multiplied by the EF.
Annual Loss Expectancy (ALE): A monetary value derived from the SLE and ARO,
which represents the expected loss from a specific threat in a year.
RISK ANALYSIS AND RISK MANAGEMENT:-
Risk management: Risk management is the ongoing process of identifying risks and
implementing plans to address them. This includes identifying and assessing risks,
implementing controls to reduce the likelihood or impact of those risks, and monitoring
the effectiveness of those controls over time. The goal of risk management is to
manage risk in the best possible manner for the interests of the organization.
Risk formula: Risk can be calculated as the product of threat, vulnerability, and asset
value. This formula is often used to assess the potential impact of a given risk and to
prioritize risks for mitigation efforts.
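The following is an added worked example (not from the original notes) that carries the exposure-related terms above (EF, SLE, ALE) and the risk formula (threat x vulnerability x asset value) through on a few constructed scenarios and ranks them for mitigation. ARO is taken in its standard meaning of annualized rate of occurrence, since the notes use the acronym without defining it. The 0..1 scales for threat level and vulnerability, the scenario figures, and the `safeguard_value` cost-benefit check (ALE before minus ALE after minus yearly cost of the control, a common extension used when selecting safeguards) are assumptions of this example, not content of the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, with the inputs the quantitative method needs."""
    asset: str
    threat: str
    asset_value: float      # AV: value of the asset in monetary terms
    exposure_factor: float  # EF: fraction of AV lost if the threat is realized, 0..1
    aro: float              # annualized rate of occurrence: expected events per year
    threat_level: float     # assumed 0..1 scale for the threat x vulnerability x AV score
    vulnerability: float    # assumed 0..1 scale: how likely the threat is to succeed here

    def __post_init__(self):
        for name in ("exposure_factor", "threat_level", "vulnerability"):
            v = getattr(self, name)
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1, got {v}")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset_value and aro must be non-negative")


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = asset value x exposure factor."""
    return s.asset_value * s.exposure_factor


def annual_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO."""
    return single_loss_expectancy(s) * s.aro


def risk_score(s: Scenario) -> float:
    """Risk = threat x vulnerability x asset value (the notes' risk formula)."""
    return s.threat_level * s.vulnerability * s.asset_value


def rank_by_ale(scenarios):
    """Highest expected annual loss first: the order in which to consider safeguards."""
    return sorted(scenarios, key=annual_loss_expectancy, reverse=True)


def safeguard_value(s: Scenario, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a safeguard: ALE before - ALE after - yearly cost.

    A negative result means the control costs more than the loss it prevents.
    """
    return annual_loss_expectancy(s) - ale_after - annual_cost


# Constructed scenarios with made-up figures, only to show the arithmetic.
SAMPLE_SCENARIOS = [
    Scenario("customer database", "ransomware", 500_000, 0.60, 0.1, 0.7, 0.5),
    Scenario("public web server", "denial of service", 200_000, 0.25, 2.0, 0.9, 0.6),
    Scenario("laptop fleet", "theft of mobile device", 60_000, 0.30, 3.0, 0.8, 0.7),
]


if __name__ == "__main__":
    for s in rank_by_ale(SAMPLE_SCENARIOS):
        print(f"{s.threat:<24} SLE={single_loss_expectancy(s):>10,.0f} "
              f"ALE={annual_loss_expectancy(s):>10,.0f} "
              f"score={risk_score(s):>10,.0f}")
    # Assumed: a DDoS mitigation service at 30,000 per year that cuts the ALE to 20,000.
    dos = SAMPLE_SCENARIOS[1]
    print("net annual value of DDoS mitigation:", safeguard_value(dos, 20_000, 30_000))
```

The constructed figures are chosen to show why ALE, not SLE, drives the ranking: the ransomware scenario has the largest single loss (SLE 300,000) but, at one event in ten years, the smallest expected annual loss, while the frequent, cheaper denial-of-service events come out on top.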
Overall, risk analysis and management are critical components of information security,
and organizations should have robust processes in place to identify, assess, and
manage risks to their information security.
STAGED METHODOLOGY FOR RISK ANALYSIS:-
The three main stages in risk analysis are asset evaluation, analysis of threats and
vulnerabilities, and selection of safeguards.
Asset Evaluation: During the asset evaluation stage, an organization identifies and
classifies its assets and determines their importance and value to the organization. This
helps the organization to identify which assets are most critical to protect and prioritize
its risk management efforts accordingly.
Overall, the risk analysis process helps organizations to better understand and manage
their information security risks, and to implement effective controls and safeguards to
protect their assets and ensure business continuity.
Information security risk analysis:
Information Security Risk Analysis involves various steps and approaches to ensure the
security of information systems. The main components of information security risk
analysis include:
Quantitative Risk Analysis: This approach assigns numeric values to the components
of the risk assessment and determines the potential losses in monetary terms. The
steps involved in quantitative risk analysis include:
Qualitative Risk Analysis: This approach ranks the seriousness of threats and the
relative sensitivity of assets, usually by using a scenario approach and creating an
exposure rating scale. The steps involved in qualitative risk analysis include:
Sanity checking the scenario through a review by senior managers of the business
units.
Mobile security has become important due to the rising importance of mobile handheld
devices, wireless computing, wireless networks, and mobile computing.
Smartphones combine the best aspects of mobile and wireless technologies and blend
them into a useful business tool.
The larger and more diverse community of mobile users and their devices increases the
demands on the IT function to secure the device, data, and connection to the network.
The proliferation of mobile and wireless devices has had a significant impact on
information security. With the increasing use of smartphones, tablets, laptops, and other
mobile devices in the workplace, there are more entry points for cyber-attacks and data
breaches.
One of the main challenges of securing mobile and wireless devices is the lack of
control that organizations have over the devices. Employees often use their personal
devices for work purposes, and these devices may not be fully secure or may have
outdated software that is vulnerable to attack. In addition, employees may use
unsecured public Wi-Fi networks to access company data, which can also pose a
security risk.
In summary, the proliferation of mobile and wireless devices has created new
challenges for information security, but with the right policies, procedures, and tools in
place, organizations can mitigate the risks and ensure the security of their data.
Registry settings are important for maintaining the security of mobile devices due to the
ease with which various applications allow a free flow of information.
In the context of mobile devices, registry settings refer to the configuration of the
registry that affects the security and privacy of the device. For example, the registry
settings may determine which apps have access to the device's location or other
sensitive data. They may also control whether the device can be remotely accessed or
managed by a third party, such as an IT administrator or mobile device management
(MDM) system.
Some registry settings may be set by default, while others may be configurable by the
user or by an administrator. Configuring the registry settings to properly secure the
device can help prevent unauthorized access, data breaches, or other security and
privacy issues.
In summary, registry settings are an important aspect of mobile device security, and
establishing trusted groups through appropriate settings can help maintain a secure
system. Windows group policy can be used to manage the registry settings on mobile
devices, and it is important to ensure that the baseline security is configured properly to
avoid security issues.
Mobile devices present unique security challenges that can be categorized into two
levels: micro challenges at the device level and macro challenges at the organizational
level. Some of the technical challenges in mobile security are:
Managing registry settings and configurations: Registry settings are important for
managing the mobile devices, applications, and user permissions. Failure to manage
registry settings can lead to security breaches.
Lightweight Directory Access Protocol (LDAP) security: LDAP is a protocol used for
accessing and maintaining distributed directory information. Mobile devices need to be
secured to ensure that only authenticated users can access the directory information.
The security of an RAS system can be broken down into three areas: the security of the
RAS server, the security of the RAS client, and the security of data transmission.
Port scanning is a threat for mobile devices, and a personal firewall on the mobile
device can be an effective protective screen against this form of attack for users
connecting through a direct Internet or RAS connection.
Deploying secure access methods that implement strong authentication keys can
provide additional protection.
Media player control security: Mobile devices often have built-in media players that
can play video and audio files. These media players need to be secured to prevent
unauthorized access to sensitive data.
Corrupt files posing as normal media files could allow an attacker to gain control.
The registry stores information used to configure the system for applications and hardware devices.
In the registry, some keys control the behavior of the Windows Media Player control.
The use of web services in mobile computing has made API security a crucial
consideration. Many security developments are focused on securing embedded and
consumer products running operating systems like Linux, Symbian, Microsoft Windows
CE, and Microsoft Windows Mobile.
1. Security of devices: Some prominent kinds of attacks to which mobile devices are
subjected are push attacks, pull attacks, and crash attacks.
Traffic analysis: Refers to attacks in which an attacker intercepts and analyzes the
traffic between two devices, allowing them to obtain sensitive information.