information system security
DESCRIPTION
Information System Security. History of IS. Role of IS. Support Competitive Advantage. Support Business Decision Making. Support of Business Processes and Operations. Importance of IS. Basics of IS. IS Framework. Components of IS. Attribute of Information Quality. - PowerPoint PPT PresentationTRANSCRIPT
Information System Security
History of IS
Role of IS
Support CompetitiveAdvantage
Support Business
Decision Making
Support of Business Processes and Operations
Importance of IS
Basics of IS
IS Framework
Components of IS
Attribute of Information Quality
Business Area wise Information
Changing Nature of IS
From mainframe to client server to web based IS.
Alvin Toffler’s “Third wave” – Agricultural, Industrial and Information waves.
4th wave can be assumed as mobile technology
Powerful worldwide changes that have altered business environment are- Globalization Rise of information economy Transformation of business enterprise Emergence of digital firms
Modern business systems are decentralized, autonomous and heterogeneous.
Today IS are distributed and component based.
Mainframe based IS
Client Server Based IS
Architecture of Web Based I.S.
Need of Distributed Information System
A computer service that runs at a single central location is more likely to become unavailable than a service distributed to many sites.
There are two ways in which a service can be made to run at many sites: replication of the service, and distribution of the service.
Distributed services i.e. services that have distinct components, at many different sites, that collaborate to ensure the quality of service
3 mantras of success in digital economy Liberalization Privatization Globalization
Businesses now have no geographical boundaries.
With the rise of M-Commerce we are in the era of anywhere, anytime computing.
Protecting the data and information is crucial as business make knowledge based decision.
Prior to e-business days not only suppliers and consumers remain separated, but the knowledge producers and workers and business personnel also remained unconnected.
Connectivity is a great boon of Internet. Connectivity built a bridge between the
thinkers, business people, governments, common people, academicians and so on.
We need to consider the modern day IS in this global context.
Scope of IS 1950s : Technical changes 1960-70 : Managerial Controls 1980-90 : Institutional Core activities Today : Digital Information webs
extending beyond enterprises
Wider scope of I.S.
Today’s firms are digital in terms of their rapid operations.
IS links the buyers and sellers to exchange information, products, services and payments via e-business and e-commerce.
Thus today the era is extended enterprise
To serve the needs of such organization, I.S. is no more confined to a single location.
Role of Internet and Web Services
The Internet
Web is designed to exchange unstructured information.
While people can read web pages and understand their meaning, computers can not.
If corporations want to do business over the web, humans have to involve unless there is a way for computers to communicate on their own.
This is where web services comes in.
Web services are self contained modular applications that can be described, published, located and invoked over a network, generally over www. – IBM
Web services perform functions ranging from simple request to complex business process.
Once a web service is developed, other applications and web services can discover and invoke the deployed service through universal description, discovery and integration.
Web services make it easier to build service based architecture without the applications being locked-in to a particular software vendor’s products.
Web services have been prone to give a strong return on investment (ROI) and make computer based I.S. more adaptable.
They also help bring productivity, flexibility and low maintenance cost in the development of IS by integrating components from various third party vendors.
Information System Threats and Attacks
Threat is a possible event that can harm an information system.
Vulnerability is the degree of exposure in view of threat.
Countermeasure is a set of actions implemented to prevent threats.
Information level / based Threat Threats that involve the purposeful
dissemination of information in such a way that organizations, their operations and their reputations may be affected.
Dissemination may be active via sending e-mails or passive via setting up a web site.
Network based Threats To become effective and potential
attackers require network access to corporate computer systems or to networks used by corporate computer systems.
Examples are – hacking of computer systems and launching DoS attacks as well as spreading malicious code such as viruses.
Other issues related with network based threats are – confidentiality, authentication, integrity and non repudiation.
Sources of Threats Human Error Computer abuse or crime Natural and political disasters Failure of hardware / software
Computer crime and abuse Computer crime is defined as any illegal act in
which computer is used as a primary tool. Computer abuse is unethical use of computers. Security threats related to computer crime /
abuse are – Impersonation
Identification and authentication control defeated Trojan horse method
Hiding of an authorized program a set of instructions that will cause unauthorized actions.
Logic bombs Unauthorized instructions which stay inactive until a
specific event occurs or until a specific time comes at which time they bring into effect an unauthorized act.
Computer viruses Execute itself by inserting its malicious
code in the execution path of another application And
Self replicate by replacing existing files with copies of files containing the viral code.
Worms are independent programs that make and transmit copies of themselves through telecommunication networks.
Dos Rendering the system unusable by legitimate users.
Dial diddling (cheating) Changing data before or during input often to change the
content of database Salami techniques
Diverting small amount (not noticed) of money from large numbers of accounts maintained by the system.
Spoofing Configuring a computer system to masquerade (pretend to be)
as another system over the network in order to gain unauthorized access.
Super zapping Using a system’s programs that can bypass regular system
control to perform unauthorized act.
Scavenging Unauthorized access to information by
searching through the residue after a job has been run on a computer.
Data leakage Wiretapping Theft of mobile devices
Damage Assessment
Security Issues in Mobile Computing
The three distinguishing features of emerging mobile computing environments are- mobility of users mobility of network elements (i.e.
portable computing devices) wireless networking
Mobility of Users Global Authentication
A mechanism for flexible global authentication is essential to support user mobility.
Authentication often forms the basis of other security services such as authorization.
Privacy The need to ensure privacy of users becomes more
pronounced. In static environments, the location of a user or network
element is unlikely to be secret information. Users and network elements are stationary. However, in a mobile computing environment, it may
be necessary to protect information about the locations and activities of users.
Contd…….. Eavesdropping
Eavesdropping is the act of secretly listening to the private conversation of others without their consent.
Assumptions about physical security of the network no longer hold true when inter-domain interactions enter the picture.
Even if the foreign domain claims its network to be physically secure, a visiting user may not be willing to accept this assurance.
Thus, some sort of cryptographic protection becomes unavoidable.
An issue that is common to the mobility of users and network elements is the availability of resources.
Mobility of Network Elements Mobile users may carry portable computing
devices. Portability introduces the following issues- Risks to data
Due to the higher risks of physical damage, loss, or theft, mobility of devices implies that there is a higher risk of loss for the data stored on them.
Asymmetry in resources Portable devices have comparatively fewer resources
available to them. Technological advancements will improve the quantity
and quality of the available resources.
Wireless Networking Wireless networking is necessary to
support continuous user and device mobility.
This introduces additional issues of concern-
Eavesdropping The convenience of wireless networks has a
cost: it is more convenient for an eavesdropper to listen in on the traffic.
It is often asserted that the primary security concern with wireless networks is that communication is susceptible to eavesdropping and tampering.
While it is true that in wireless networks, links have no physical security at all, the situation is not much better with wired but open networks. Thus cryptographic protection is necessary in both wireless and fixed networks
Hando Another issue that arises when dealing
with multiple domains is that of hando . In a wireless network with mobile users,
a user might wander into neighbouring cells while a session is active.
Security systems must provide convenient and fast means for the session to be transferred (“handed to") from a cell in one domain to a cell in a different domain.
Bandwidth/Error rate Wireless networks typically have lower
bandwidth and suffer from higher error rates compared to wire line networks.
Consequently, traffic over wireless networks is expensive.
Security protocols meant to be used over wireless networks should therefore pay special attention to minimizing the number of messages, message sizes and frequencies of exchange
Frequent Disconnections In contrast to wire line networks,
disconnections will be frequent in wireless networks.
Many researchers are working on finding ways to design robust protocols and applications that can withstand such disconnections.
There are security implications as well.
Credit Card Frauds in mobile and wireless computing era
Credit Card Transaction Environment
An Australian Company “Alarcity” introduce a system known as CLEW (closed loop environment for wireless).
Steps of CLEW A merchant send transaction to bank. The bank transmits to card holder
authorization request. Cardholder approves / rejects
(password protected) The bank/merchant is notified. The credit card transaction is
completed.
Limitation of Wireless Wireless processing equipment is
expensive. Wireless processing comes with extra fee. Wireless credit card machines are subject
to cellular coverage blackouts. Wireless credit card processing uses a business
cellular network called Motient or Mobitex network.
Not sufficient security or encryption to process wireless transactions.
Cryptographic security
LDAP Security for Hand held devices
LDAP Directory Structure
RAS Security for Mobile Devices
Media Player Control Security
Organizational Measures of Mobile devices
Encrypting Database Include mobile devices in security
strategy Enterprise can do the followings-
Use of RFID in M-Commerce