
Subject Name: Cyber Security
Subject Code: AUC-002
Mukesh Kumar, Assistant Professor

UNIT-1
Introduction to information systems, Types of information systems, Development of information systems,
Introduction to information security, Need for information security, Threats to information systems, Information
assurance, Cyber security, and Security risk analysis.

Introduction to Information Systems:

Data: Raw facts and statistics collected together for reference or analysis are called data.

Information: Processed data that has some meaning is called information.

Information System: An information system (IS) can be any organized combination of people, hardware, software,
communications networks, data resources, and policies and procedures that stores, retrieves, transforms, and
disseminates information in an organization. People rely on information systems to communicate with one another
using a variety of physical devices (hardware), information processing instructions and procedures (software),
communications channels (networks), and stored data (data resources).

Thus an information system is defined as the software that helps organize and analyze data. The purpose of an
information system is to turn raw data into useful information that can be used for decision making in an
organization.

Components of Information Systems

While information systems may differ in how they are used within an organization, they typically contain the
following components:
People: Users of an IS may be end users or IS specialists.
Hardware: Computer-based information systems use computer hardware, such as processors, monitors, keyboards and
printers.
Software: These are the programs used to organize, process and analyze data.
Databases: Information systems work with data, organized into tables and files.
Network: Different elements need to be connected to each other, especially if many different people in an
organization use the same information system.
Procedures: These describe how specific data are processed and analyzed in order to get the answers for which the
information system is designed.

Types of Information Systems

I.T.S ENGINEERING COLLEGE, GREATER NOIDA



There are various types of information systems, for example: transaction processing systems, decision support
systems, knowledge management systems, learning management systems, database management systems, and
office information systems.

Pyramidal Model:

Transaction Processing Systems


1. It processes the business transactions of the organization. A transaction can be any activity of the
organization. For example, in a railway reservation system, booking, cancelling, etc. are all transactions.
2. Any query made to it is a transaction. It provides high-speed and accurate record keeping for basic operational
processes and includes calculation, storage and retrieval.
3. Transaction processing systems provide speed and accuracy, and can be programmed to follow routine functions
of the organization.

Management Information Systems

1. It assists lower management in problem solving and decision making. They use the results of transaction
processing and also some other information.
2. An important element of an MIS is the database. A database is a non-redundant collection of interrelated data
items that can be processed through application programs and made available to many users.

Decision Support Systems

1. These systems assist higher management in making long-term decisions. These types of systems handle
unstructured or semi-structured decisions. A decision is considered unstructured if there are no clear
procedures for making the decision and if not all the factors to be considered in the decision can be readily
identified in advance.
2. A decision support system must be very flexible.
3. The user should be able to produce customized reports by giving particular data and a format specific to
particular situations.

Executive Information System

1. It is a highly interactive system that provides flexible access to information for monitoring results and
general business conditions.
2. An Executive Information System is easy to navigate so that managers can recognize broad strategic
issues, and then discover the information to find the root causes of those issues.
3. Executive Information Systems are specifically tailored to executives' information needs.
4. Executive Information Systems are able to access data about specific issues and problems as well as
aggregate reports.
5. Executive Information Systems offer extensive on-line analysis tools including trend analysis, exception
reporting and "drill-down" capability.

Development of Information Systems

1. Business needs Analysis: A business needs analysis will help you to understand what the business goals are
and what the business already has in place to support those goals. This is the basis for identifying what the
business is really looking for and whether these are skills related. Answers to the following questions are
required:
a. What are the sustainability goals?
b. What do they already have in place?
c. What can I do to help them get there?
d. What needs to be done first?

2. Scope Definition: The scope statement defines what the project will and will not include. System boundaries
are clearly understood before the system size is estimated. The boundaries identify where the system to be sized
starts and ends.
3. Requirements analysis: Requirements analysis, also called requirements engineering, is the process of
determining user expectations for a new or modified product. These features, called requirements, must
be quantifiable, relevant and detailed. In software engineering, such requirements are often called
functional specifications.
4. Design:
5. Development:
6. Integration Test & Acceptance:
7. Implementation and Deployment:

Information Security

The Internet continues to grow exponentially. Personal, government, and business applications continue to
multiply on the Internet, with immediate benefits to end users. These network-based applications and services can
pose security risks to individuals and to the information resources of companies and governments.
Information is an asset that must be protected. Without adequate security, many individuals, businesses, and
governments risk losing that asset.

Information security is the process by which digital information assets are protected.

The goals of network security are as follows:

1. Protect confidentiality
2. Maintain integrity
3. Ensure availability

It is required that all networks and information be protected from threats and vulnerabilities for a business to
achieve its fullest potential.

Threat:
In information security, a threat refers to anything that has the potential to cause serious harm to a computer
system. A threat is something that may or may not happen, but has the potential to cause serious damage.
Threats can lead to attacks on computer systems, networks and more.
Threats are potentials for vulnerabilities to turn into attacks on computer systems, networks, and more.
Threats include viruses, Trojans, backdoors, attacks from hackers, etc.

Vulnerability:
Vulnerability refers to a flaw in a system that can leave it open to attack. Vulnerability is any type of weakness in a
computer system itself, in a set of procedures, or in anything that leaves information security exposed to a threat.

Threats are persistent because of vulnerabilities, which can arise from the following:
1. Misconfigured hardware or software
2. Poor network design
3. Inherent technology weaknesses
4. End-user carelessness
5. Intentional end-user acts (that is, disgruntled employees)

Attacks:

In computers and computer networks, an attack is any action or attempt to destroy, expose, alter, disable, steal or
gain unauthorized access to or make unauthorized use of an asset.

Types of Attack:
1. Passive attack: In this attack an adversary deploys a sniffer tool and waits for sensitive information to be
captured. This information can be used for other types of attacks. It includes packet sniffer tools, traffic
analysis software, filtering clear-text passwords from unencrypted traffic and seeking authentication
information from unprotected communication. Once an adversary finds any sensitive or authentication
information, he will use it without the knowledge of the user.
a. Traffic analysis
b. Release of message contents
2. Active attack: In this attack an adversary does not wait for any sensitive or authentication information. He
actively tries to break or bypass the secured systems. It includes viruses, worms, trojan horses, stealing login
information, inserting malicious code and penetrating the network backbone. Active attacks are the most
dangerous in nature. They result in the disclosure of sensitive information, modification of data or complete
data loss.
a. Masquerade
b. Replay
c. Modification of message contents
d. Denial of service

Information assurance: Information Assurance (IA) refers to the steps involved in protecting information systems,
such as computer systems and networks. There are commonly five terms associated with the definition of information
assurance:
1. Integrity
2. Availability
3. Authentication
4. Confidentiality
5. Non-repudiation

Information Assurance is protecting information systems by maintaining these five qualities of the system.

1. Integrity: Integrity involves making sure that an information system remains unscathed and that no one
has tampered with it. IA takes steps to maintain integrity, such as having anti-virus software in place so
that data will not be altered or destroyed, and having policies in place so that users know how to properly
utilize their systems to minimize malicious code entering them.
2. Availability: Availability is the facet of IA where information must be available for use by those that are
allowed to access it. Protecting availability can involve protecting against malicious code, hackers and
any other threat that could block access to the information system.
3. Authentication: Authentication involves ensuring that users are who they say they are. Methods used for
authentication are user names, passwords, biometrics, tokens and other devices. Authentication is also
used in other ways: not just for identifying users, but also for identifying devices and data messages.
4. Confidentiality: IA involves keeping information confidential. This means that only those authorized to view
information are allowed access to it.
5. Non-repudiation: This means that someone cannot deny having completed an action because there will
be proof that they did it.
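As an added illustration of the integrity and authentication qualities listed above (example code written for these notes, not from the original lecture material), the following Python block tags a data message with an HMAC so the receiver can detect tampering and a forged origin; the key and message are constructed sample values. It also shows why a shared-key tag gives no non-repudiation: the receiver holds the same key and could have produced the tag itself.

```python
import hashlib
import hmac

# Constructed demo secret shared by sender and receiver; a real deployment would
# obtain it from a key-management system rather than hard-coding it.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def tag_message(key: bytes, message: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag that binds the message to the holder of `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time so timing does not leak it."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Show which of the five IA qualities a shared-key tag does and does not give."""
    message = b"transfer 100 to account 42"  # constructed sample message
    tag = tag_message(SHARED_KEY, message)
    return {
        # Integrity and authentication: unchanged message, correct key -> accepted
        "genuine": verify_message(SHARED_KEY, message, tag),
        # Integrity: changing one digit invalidates the tag
        "tampered": verify_message(SHARED_KEY, b"transfer 900 to account 42", tag),
        # Authentication: a tag made under a different key is rejected
        "wrong_key": verify_message(SHARED_KEY, message, tag_message(b"other-key", message)),
        # Non-repudiation is NOT provided: the receiver holds the same key, so it can
        # produce an identical tag and cannot prove to a third party that the sender
        # made it. That needs a digital signature made with a private key.
        "receiver_can_forge": tag_message(SHARED_KEY, message) == tag,
    }
```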


Cyber Security: Cyber security refers to preventative methods used to protect information from being stolen,
compromised or attacked. It requires an understanding of potential information threats, such as viruses and other
malicious code. Cyber security strategies include identity management, risk management and incident
management.

Users can apply cyber security in the following ways:

1. Continuous antivirus software updates
2. Strong passwords
3. Never disclosing personal information

Risk analysis: Risk analysis is the process of defining and analyzing the dangers to individuals, businesses and
government agencies posed by potential natural and human-caused adverse events. In IT, a risk analysis report
can be used to align technology-related objectives with a company's business objectives. A risk analysis report can
be either quantitative or qualitative.

Quantitative risk analysis: In quantitative risk analysis, an attempt is made to numerically determine the
probabilities of various adverse events and the likely extent of the losses if a particular event takes place.

Qualitative risk analysis: Qualitative risk analysis, which is used more often, does not involve numerical
probabilities or predictions of loss. Instead, the qualitative method involves defining the various threats,
determining the extent of vulnerabilities and devising countermeasures should an attack occur.

Countermeasures identified through risk analysis can be categorized as technical or administrative, with the
following sub-categories of each type:

1. Preventive: This type of countermeasure is designed to prevent damage or impact from an action or event
from occurring.
2. Detective: These countermeasures provide some type of notification that something has gone wrong.
3. Corrective: Some countermeasures have the ability to correct identified problems, such as the loss of a
bit in a word.
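The quantitative and qualitative methods described above, together with the preventive and corrective countermeasure categories, worked through as an added Python example (not part of the original notes); every probability, loss figure and countermeasure effect is a constructed sample value.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    annual_probability: float  # chance the adverse event occurs in a year
    loss_if_occurs: float      # likely extent of the loss if it does, in currency units

    def expected_loss(self) -> float:
        # Quantitative analysis: probability of the event times the loss it causes
        return self.annual_probability * self.loss_if_occurs


@dataclass
class Countermeasure:
    name: str
    category: str                 # "Preventive", "Detective" or "Corrective"
    annual_cost: float
    probability_reduction: float  # share of the probability removed (preventive)
    loss_reduction: float         # share of the loss removed (detective/corrective)


def residual_expected_loss(t: Threat, c: Countermeasure) -> float:
    """Expected annual loss that remains once the countermeasure is in place."""
    probability = t.annual_probability * (1.0 - c.probability_reduction)
    loss = t.loss_if_occurs * (1.0 - c.loss_reduction)
    return probability * loss


def net_benefit(t: Threat, c: Countermeasure) -> float:
    """Loss avoided per year minus the countermeasure's cost; negative means not worth it."""
    return t.expected_loss() - residual_expected_loss(t, c) - c.annual_cost


def rank_threats(threats: list) -> list:
    """Threat names ordered by expected annual loss, largest first."""
    return [t.name for t in sorted(threats, key=Threat.expected_loss, reverse=True)]


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Qualitative analysis: ordinal levels on a likelihood/impact matrix, no numbers."""
    level = {"low": 1, "medium": 2, "high": 3}
    score = level[likelihood] * level[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


# Constructed sample figures; real ones come from incident history and asset valuation.
THREATS = [
    Threat("ransomware", 0.10, 500_000.0),
    Threat("misconfigured firewall exposes database", 0.25, 120_000.0),
    Threat("laptop theft", 0.50, 8_000.0),
]
BACKUPS = Countermeasure("offline backups", "Corrective", 12_000.0, 0.0, 0.8)
TRAINING = Countermeasure("user awareness training", "Preventive", 5_000.0, 0.5, 0.0)
```

Ranking THREATS puts ransomware first, and net_benefit shows the same backup control that pays for itself against ransomware is not worth its cost against laptop theft.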
