INFORMATION SECURITY: THREATS AND SOLUTIONS.
AIM:
The aim of this paper is to focus on the security of the information.
ABSTRACT:
Information security has become very important in most organizations. There are many
different threats through which data can be stolen. This paper describes the threats to
information security in detail, along with the solutions that prevent these threats. It gives brief
information about information security.
KEYWORDS: Privacy, vulnerability, ransomware, spyware, computer program, cyber
attack.
1. INTRODUCTION:
Information Security (Info Sec) is the practice of preventing unauthorized access, use, disclosure,
disruption, modification, inspection, recording or destruction of information. The chief area of
concern for the field of information security is the balanced protection of Confidentiality,
Integrity and Availability of data, also known as the CIA triad. Threats to sensitive and private
information come in many different forms, such as malware, phishing attacks, eavesdropping,
Trojans, viruses and worms, DOS, vulnerabilities, computer crime, key loggers etc. Information
Security handles risk management. Sensitive information must be kept; it cannot be altered,
changed or transferred without permission.
Governments, military, financial institutions, hospitals, and private businesses amass a great deal
of confidential information about their employees, customers, products, research, and financial
status. Most of this information is now collected, processed and stored on electronic computers
and transmitted across networks to other computers. Should confidential information about a
business's customers, finances or new product line fall into the hands of a competitor, such a
breach of security could lead to lost business, lawsuits or even bankruptcy of the business.
Protecting confidential information is a business requirement, and in many cases also an ethical
and legal requirement. For the individual, information security has a significant effect on
Privacy, which is viewed very differently in different cultures.
The field of information security has grown and evolved significantly in recent years. As a career
choice there are many ways of gaining entry into the field. It offers many areas for specialization
including Information Systems Auditing, Business Continuity Planning and Digital Forensics
Science etc.
2. STUDY:
2.1 The threats in information security are as follows:
2.1.1 Eavesdropping: It is secretly listening to the private conversation of others without their
consent.
2.1.2 Malware: It is the term used to refer to a variety of forms of intrusive software including
computer viruses, worms, Trojan horses, ransomware, spyware and other malicious programs. It
can take the form of executable code, scripts, active content and other software.
Figure 1: Malware Categories
2.1.3 Trojans: Trojan horse or Trojan is any malicious computer program which misleads users
of its true intent.
2.1.4 Viruses: A computer virus is a type of malicious software program that when executed
replicates itself by modifying other computer programs and inserting its own code. It corrupts or
modifies files on the targeted computer.
Figure 2: The Mac Mag virus 'Universal Peace', as displayed on a Mac in March 1988
2.1.5 Worms: It is a standalone malware computer program that replicates itself in order to
spread to other computers. It causes some harm to network even if only by consuming
bandwidth.
2.1.6 Denial of Service (DOS): It is a cyber-attack that is accomplished by flooding the targeted
machine with requests in an attempt to overload systems.
2.1.6.1 Distributed DOS: It is an attack where the incoming traffic floods the victim’s
computer.
Figure 3: DDoS Stacheldraht attack diagram.
2.1.7 Vulnerability: It is a weakness which allows an attacker to reduce a system’s information
assurance.
2.1.8 Computer Crime: It is defined as offences that are committed against individuals with
a criminal motive to harm the reputation of the victim or cause mental harm or loss. It is also
called cyber crime.
2.1.9 Key Logging: It is the action of recording the keys struck on the keyboard so that the
person using keyboard is unaware that his actions are monitored. A key logger can be either
software or hardware. It is also known as keystroke logging or keyboard capturing.
2.1.10 Phishing: It is a threat that acquires sensitive information such as usernames, passwords
etc. It takes place through email spoofing or instant messaging.
Figure 4: Phishing Attack
2.2 Some Case studies have been included to elaborate on the threats against the information
security. [1]
Case 1: Phishing case study.
One Doctor from Gujarat had registered a crime stating that some persons have perpetrated
certain acts through misleading emails ostensibly emanating from ICICI Bank’s email ID. Such
acts have been perpetrated with intent to defraud the Customers. The investigation was carried
out with the help of the mail received by the customer, bank account IP details & domain IP
information, the place of offence at was searched for evidence.
Case 2: Online credit Cheating and Forgery Scam
In one of the noted cases of 2003, Amit Tiwari, a 21-year-old engineering student, had
many names, bank accounts and clients, with an ingenious plan to defraud a Mumbai
based credit card processing company, CC Avenue, of nearly Rs. 900,000.
2.3 The solutions to the information security are as follows:
2.3.1 Access Control: Access to the protected information must be restricted to people who are
authorized to access the information. This requires that mechanisms be in place to control
the access to protected information.
2.3.1.1 Identification: It is an assertion of who someone is or what something is.
2.3.1.2 Authentication: It is the act of verifying a claim of identity.
Figure 5: Authentication
2.3.1.3 Authorization: It is the function of specifying access rights to resources related to
information security.
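The three access control steps defined in 2.3.1.1 to 2.3.1.3, shown as an added example that is not part of the original paper. The user name, roles, permission strings and the choice of PBKDF2 for password storage are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical roles and permissions, constructed for this example.
ROLE_PERMISSIONS = {
    "clerk": {"records:read"},
    "admin": {"records:read", "records:write"},
}

def _derive(password, salt):
    # Salted, deliberately slow hash: a stolen user table does not expose passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(users, name, password, role):
    salt = os.urandom(16)
    users[name] = {"salt": salt, "hash": _derive(password, salt), "role": role}

def authenticate(users, claimed_name, password):
    """Authentication: verify the identity claim (claimed_name is the identification)."""
    record = users.get(claimed_name)
    # Unknown names still cost one hash, so response time does not reveal who exists.
    salt = record["salt"] if record else b"\x00" * 16
    expected = record["hash"] if record else b"\x00" * 32
    matches = hmac.compare_digest(_derive(password, salt), expected)
    return record is not None and matches

def authorize(users, name, permission):
    """Authorization: does this identity's role carry the requested access right?"""
    role = users.get(name, {}).get("role")
    return permission in ROLE_PERMISSIONS.get(role, set())

def access(users, claimed_name, password, permission):
    if not authenticate(users, claimed_name, password):
        return "denied: authentication failed"
    if not authorize(users, claimed_name, permission):
        return "denied: not authorized"
    return "granted"

if __name__ == "__main__":
    users = {}
    enroll(users, "asha", "correct horse battery", "clerk")  # constructed account
    print(access(users, "asha", "correct horse battery", "records:read"))
    print(access(users, "asha", "correct horse battery", "records:write"))
    print(access(users, "asha", "wrong password", "records:read"))
```

A correctly authenticated clerk is still refused `records:write`, which is the difference between proving who you are and being allowed to act.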
2.3.2 Cryptography: Information Security uses cryptography to transform usable information
into unusable information. This process is called encryption.
Figure 6: German Lorenz cipher machine, used in World War II to encrypt very-high-level
general staff messages
2.3.3 Firewall: It is a network security system that monitors and controls the incoming and
outgoing network traffic based on security rules.
Figure 7: Firewall
2.3.4 Intrusion Detection System (IDS): It is a software application that monitors a network or
systems for malicious activity or policy violations.
2.3.5 Intrusion Prevention System (IPS): It is a network security appliance that monitors
network or system activities for malicious activity. It is also known as Intrusion Detection and
Prevention System (IDPS).
2.3.6 Application Security: It encompasses measures taken to improve the security of an
application by finding, fixing and preventing security vulnerabilities.
2.3.7 Data-Centric Security: It is an approach to security that emphasizes the security of the
data itself rather than the security of networks, servers or applications.
3. ANALYSIS:
3.1 To prevent insider attacks on agency networks, access rights to files should be controlled and
access should be granted only as required for the performance of job duties.
3.2 Networks that serve different agencies or departments should be segregated, and access to
those segmented networks should be established as appropriate through the use of VLANs,
routers, firewalls, etc.
3.3 User activities on systems should be monitored.
3.4 To prevent unauthorized access of information all hosts that are potential targets of DoS
(Denial of Service) should be secured.
3.5 Authentic programs should be installed with Trojan scan Programs.
3.6 To protect against exploitation:
3.6.1 Periodic scanning for spyware, adware and bots (software robots) shall be conducted with
anti-spyware programs that detect these malicious pr
3.6.2 Denial of all inbound traffic by default through the perimeter defense.
3.6.3 Provision of security awareness training to personnel on an annual basis that, in part,
cautions against downloading software programs from the Internet without appropriate
agency approval.
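How the default-deny posture of item 3.6.2 works inside a rule-based firewall (2.3.3), as an added example that is not part of the original paper. The rule set, addresses (documentation and private ranges) and the first-match evaluation order are assumptions chosen for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str               # "allow" or "deny"
    src: str                  # source network in CIDR notation
    dst_port: Optional[int]   # None matches any destination port
    proto: str                # "tcp" or "udp"

# Constructed inbound rule set for a perimeter device.
INBOUND_RULES = [
    Rule("deny", "203.0.113.0/24", None, "tcp"),   # blocked range, checked first
    Rule("allow", "0.0.0.0/0", 443, "tcp"),        # public HTTPS service
    Rule("allow", "10.20.0.0/16", 22, "tcp"),      # SSH from the admin VLAN only
]

def evaluate(rules, src_ip, dst_port, proto):
    """Return (action, index of matching rule); first match wins."""
    src = ipaddress.ip_address(src_ip)
    for index, rule in enumerate(rules):
        if rule.proto != proto:
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        if src in ipaddress.ip_network(rule.src):
            return rule.action, index
    # Default deny: traffic that no rule explicitly allows is dropped.
    return "deny", None

if __name__ == "__main__":
    samples = [                      # constructed inbound connection attempts
        ("198.51.100.7", 443, "tcp"),
        ("203.0.113.9", 443, "tcp"),
        ("198.51.100.7", 22, "tcp"),
        ("10.20.3.4", 22, "tcp"),
        ("10.20.3.4", 53, "udp"),
    ]
    for src_ip, port, proto in samples:
        print(src_ip, port, proto, evaluate(INBOUND_RULES, src_ip, port, proto))
```

A result of `("deny", None)` means no rule matched at all, so new services stay unreachable until someone adds an explicit allow rule.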
4. FUTURE ENHANCEMENT:
Looking into 2017, the information security agenda for executives continues to evolve. The
complexities of what to protect and when, overlaid with requirements of regulation and
compliance, create the need for a new type of information security executive--one with business
savvy, sound risk fundamentals and holistic technical understanding. These skills, coupled with a
strong strategy, will be necessary for organizations to achieve their 2017 information security
goals.
The number one item on the 2017 information security agenda is data protection. The practice of
protecting the confidentiality, integrity and availability of data is not new--passwords, encryption
and data classification structures have been around for years. What has changed is the type of
data that's now considered valuable. From the external attacker perspective, intellectual property
and insider information was once the most sought-after data asset. Now, the data currency of
choice is identity--e-mail addresses, social security numbers and credit card information.
Corporate espionage is still a significant threat, but the new underground deals in volume, where
success is being measured in thousands and millions of identities.
5. CONCLUSION:
Information security is the ongoing process of exercising due care and due diligence to protect
information, and information systems, from unauthorized access, use, disclosure, destruction,
modification, or disruption or distribution. The never ending process of information security
involves ongoing training, assessment, protection, monitoring & detection, incident response and
repair, documentation, and review.
6. BIBLIOGRAPHY:
[1] Sunakshi Maghu, Siddharth Sehra and Avdesh Bhardawaj, “Inside of Cyber Crimes and
Information Security: Threats and Solutions”, International Journal of Information & Computation
Technology, Volume 4, Number 8 (2014), pp. 835-840.
[2] Mrs. Rakhee Kelaskar, Mrs. Vanshri Valecha, “Information Security Management”, Variorum
Multi-Disciplinary e-Research Journal, Vol.,-02, Issue-IV, May 2012.
[3] V. Suganya, “A Review on Phishing Attacks and Various Anti Phishing Techniques”,
International Journal of Computer Applications (0975 – 8887) Volume 139 – No.1, April 2016.
[4] Ammar Yassir and Smitha Nayak, “Cybercrime: A threat to Network Security”, IJCSNS
International Journal of Computer Science and Network Security, 84 VOL.12 No.2, February
2012.
WEB LINKS USED:
1. https://www.ripublication.com/irph/ijict_spl/ijictv4n8spl_09.pdf.
2. http://paper.ijcsns.org/07_book/201202/20120214.pdf.
3. http://www.ijcaonline.org/research/volume139/number1/suganya-2016-ijca-909084.pdf.
4. www.wikipedia.org.
5. www.google.com.
6. http://ijact.org/volume4issue3/IJ0430037.pdf.