unit1 (iscl)- new

Information Systems

UNIT - 1

By Shanu Gaharana

Upload: malvika-kishor

Post on 10-Mar-2015

LECTURE NO.-1

Definitions

Data

Raw facts such as an employee’s name and number of hours worked in a week, inventory part numbers or sales orders.

Information

A collection of facts organized in such a way that they have additional value beyond the value of the facts themselves.

Figure: Data → Data Processing → Information

Data: $35,000; 12 Units; $12,000; J. Jones; Western Region; $100,000; 100 Units; 35 Units

Information (after data processing): Salesperson: J. Jones; Sales Territory: Western Region; Current Sales: 147 Units = $147,000

Information Systems

An information system (IS) is typically considered to be a set of interrelated elements or components that collect (input), manipulate (process), and disseminate (output) data and information and provide a feedback mechanism to meet an objective.

Open System

Closed System

HISTORY OF INFORMATION SYSTEMS

IS has always played a crucial role in civilization.

1. IS over 500 years ago

2. IS in the mid-eighteenth century

3. IS in the 20th century

IMPORTANCE OF INFORMATION SYSTEMS

CHANGING NATURE OF IS

The 4 powerful changes that have altered the business environment are :-

Globalization

Rise of the Information Economy

Transformation of the Business Enterprise

Emergence of the digital firm

Mainframe-based information system

Client Server Based System

Architecture of Web Services based Systems

LECTURE NO.-2

Need of Distributed IS

Distributed systems (DS) have the following 2 properties :-

1. There are several autonomous computational entities, each of which has its own local memory.

2. The entities communicate with each other by message passing.

Distributed System

- An integration of system services, presenting a transparent view of a multiple computer system with distributed resources and control

- A collection of independent computers that appear to the users of the system as a single computer

Examples

– Personal workstations + a pool of processors + single file system

– Robots on the assembly line + Robots in the parts department

– A large bank with hundreds of branch offices all over the world

Message Passing in Distributed Systems

Need of Distributed IS

The widening scope of IS can be summarized as :-

In 1950s : technical changes

1960s -1970s : managerial controls

1980s – 1990s : institutional core activities

Today : digital information webs extending beyond the enterprise.

ROLE OF INTERNET & WEB SERVICES

Statistics from the IITF Report "The Emerging Digital Economy" *

To get a market of 50 million people participating:

- Radio took 38 years

- TV took 13 years

- Once it was open to the general public, the Internet made it to the 50 million person audience mark in just 4 years!

http://www.ecommerce.gov/emerging.htm – Released on April 15, 1998

* Delivered to the President and the U.S. Public on April 15, 1998 by Bill Daley, Secretary of Commerce and Chairman of the Information Infrastructure Task Force

IS THREATS & ATTACKS

Basically 2 types of Threats :-

1. Information level

2. Network Level

Security threats have the following principal sources :-

1. Human Error

2. Computer abuse or crime

3. Natural & political disasters

4. Failure of hardware or software.

LECTURE NO.-3

Security threats related to computer crime or abuse include :-

1. Impersonation

2. Trojan Horse Method

3. Logic Bomb

4. Computer viruses

5. DoS

6. Data Diddling

7. Salami Technique

8. Spoofing

9. Superzapping

10. Scavenging

11. Data Leakage

12. Wiretapping

13. Theft of mobile devices

Block Diagram of Spoofing

Classification of Threats & Assessing Damages

A threat is an indication of a potential undesirable event.

A threat consists of 4 properties :-

1. Asset

2. Actor

3. Motive (optional)

4. Access (optional)

The major categories of damages are :-

• Destruction of information and/or other resources

• Corruption or modification of information

• Theft, removal or loss of information and/or other resources

• Disclosure of information

• Interruption of access to important information

There are 5 categories of Logical & Physical assets :-

1. Information

2. Hardware

3. Software

4. People

5. Systems

Another way of grouping the threats is :-

1. Human actors using network access

2. Human actors using physical access

3. System problems

4. Other problems

GENERIC THREAT PROFILE :-

Represented by tree structures.

This structure shows Assets, Access, Actors, Motives, and the possible outcomes.

An organization should have a suitable method for ‘asset classification’ so that it knows which of its assets are critical.

LECTURE NO.-4

Security Considerations in Mobile & Wireless Computing

Today belongs to Mobile Computing.

As the mobility of workers increases, security issues also increase in number, because working with technology outside the office brings many challenges.

Proliferation of Mobile & Wireless Devices :-

Wireless Networks, and the use of mobile devices, are bringing the world a new means of communication and day-to-day business activities.

> As the mobility of workers increases, security issues also increase in number, because working with technology outside the office brings many challenges.

> The implementation of these new Wireless devices also brings about new security threats to Information assets.

Trends in Mobility :-

• Types of Mobility :-

1. User Mobility :- refers to a wireless service that lets you be completely mobile, such as in a car, train, etc.

2. Device Mobility :- makes it possible to determine whether the IP phone is at its home location or at a roaming location. Uses smaller, battery-driven devices.

3. Session Mobility :- issues in data distribution.

4. Service Mobility (Code Mobility) :- managing security is a big issue.

Key Findings for Mobile Computing Security Scenario :-

With usage experience, awareness of mobile users gets enhanced.

People continue to remain the weakest link for laptop security.

Wireless connectivity does little to increase burden of managing laptops

Laptop experience changes the view of starting a smart handheld pilot

There is naivety and/ or neglect in smart handheld security

Rules rather than technology keep smart handhelds’ usage in check

Security Challenges Posed by Mobile Devices

Basically 2 challenges are presented :

1. Micro Challenges :- device level

2. Macro Challenges :- organizational level

Some well-known technical challenges in mobile security are :-

1. Managing the registry settings & configurations

2. Authentication service security

3. Cryptography security for mobile devices

LDAP (Lightweight Directory Access Protocol) :- is an application protocol for reading and editing directories over an IP network. A directory in this sense is an organized set of records: for example, a telephone directory is an alphabetical list of persons and organizations with an address and phone number in each "record".

RAS Security :- an important consideration for protecting the business-sensitive data that may reside on the employees’ mobile devices.

Media Player Control Security

Networking API Security

LECTURE NO. -5

Authentication Service Security

Secure network access involves mutual authentication between the device and the base stations or web servers.

Authentication service security is important given the typical attacks on mobile devices through wireless networks :

Denial of Service attacks

Traffic analysis

Eavesdropping

Man in the middle attacks

Session hijacking.

Mobile Devices : Security Implications for Organizations

Managing diversity and proliferation of handheld devices

Threats through lost and stolen devices

Protecting data on lost devices

Educating the laptop users

LAPTOP SECURITY

Basic security measures are as follows :-

1. Choose a secure operating system and lock it down.

2. Enable a strong BIOS password.

3. Asset tag or engrave the laptop.

4. Register the laptop with the manufacturer.

Physical Security :-

1. Use a cable or hard-wired lock.

2. Use a docking station.

3. Use a personal firewall for your laptop.

4. Lock up all the ports and PCMCIA cards.

5. Use laptop safes.

6. Use motion sensors & alarms.

Protecting Sensitive data :-

- Use the NTFS file system.

- Disable the guest account.

- Prevent the last logged-in user name from being displayed.

- Enable EFS (Encrypting File System).

- Backup your data before you leave.
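
The checklist above can be audited on a Windows laptop without changing any setting. The script below is an added example, not part of the original slides; it assumes Windows PowerShell 5.1 or later, and the choice of the Documents folder as the location of sensitive data is an assumption.

```powershell
# Added example: read-only audit of the "Protecting Sensitive data" checklist.
# Assumes Windows PowerShell 5.1+; nothing on the system is modified.

$checks = [ordered]@{}

# Use NTFS: the system volume must be NTFS for file ACLs and EFS to apply.
$letter = $env:SystemDrive.Substring(0, 1)
$checks['System volume uses NTFS'] = (Get-Volume -DriveLetter $letter).FileSystem -eq 'NTFS'

# Disable the guest account: the built-in Guest always has RID 501,
# so match on the SID in case the account was renamed.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -match '-501$' }
$checks['Guest account disabled'] = -not $guest.Enabled

# Hide the last logged-in user name: policy value DontDisplayLastUserName = 1.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key -Name 'DontDisplayLastUserName' -ErrorAction SilentlyContinue
$checks['Last user name hidden at logon'] = $policy.DontDisplayLastUserName -eq 1

# Enable EFS: EFS is applied per file or folder, so test the Encrypted
# attribute on the folder that holds sensitive data (assumed: Documents).
$folder = [Environment]::GetFolderPath('MyDocuments')
$attrs = (Get-Item -LiteralPath $folder).Attributes
$checks["EFS enabled on $folder"] = [bool]($attrs -band [IO.FileAttributes]::Encrypted)

# Report each item; backups are a process step and are not checked here.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
} | Format-Table -AutoSize
```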

Lecture No. - 6

INFORMATION CLASSIFICATION

It is a demonstration of an organization's commitment to security protections.

Helps to identify which information is most sensitive or vital.

Identify which protections apply to which information.

TERMS FOR INFORMATION CLASSIFICATION

1. Unclassified :- neither sensitive nor classified. Public release of this information does not violate confidentiality.

2. Sensitive but unclassified :- a minor secret, but may not create serious damage if disclosed. Information that may be classified with these labels ranges from personally identifying information such as passport and Social Security numbers.

3. Confidential:- this information would cause "damage" or be to national security if publicly available

4. Secret:- this information would cause serious damage to national security if publicly available

5. Top Secret :- this information would cause exceptionally serious damage to national security if publicly available

INFORMATION CLASSIFICATION in PRIVATE ORGANIZATIONS

1. Public

2. Sensitive

3. Private

Information Systems Development

LECTURE NO. – 7

BASIC PRINCIPLES OF IS

IS plays a crucial role in the modern digital economy.

There are basically 3 pillars of Infosec:

- Confidentiality

- Integrity

- Availability

Security Related Basic Terms

Electronic Security

Non-repudiation :- Regarding digital security, the cryptological meaning and application of non-repudiation is:

- A service that provides proof of the integrity and origin of data.

- An authentication that with high assurance can be asserted to be genuine.

Electronic Signature :- An electronic signature is any electronic means that indicates that a person adopts the contents of an electronic message. The U.S. Code defines an electronic signature for the purpose of US law as "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."

Encryption

Cipher

Cryptanalysis :- is the study of methods for obtaining the meaning of encrypted information, without access to the secret information that is normally required to do so. Typically, this involves knowing how the system works and finding a secret key. In non-technical language, this is the practice of codebreaking or cracking the code.

Cryptography

DoS Attacks

Tempest :- is a codename referring to investigations and studies of compromising emanations (CE). Compromising Emanations (CE) are defined as unintentional intelligence-bearing signals which, if intercepted and analyzed, may disclose the information transmitted, received, handled, or otherwise processed by any information-processing equipment. TEMPEST is a codename only and is not an acronym.

Spoofing

Steganography:- Art of hiding the existence of a message.

INFORMATION INTEGRITY

Assurance that the data being accessed or read has neither been tampered with, nor been altered or damaged through a system error, since the time of the last authorized access.

OTHER TERMS IN IS

Identification

Authentication

Accountability

Authorization

Privacy
