Labels

Information Security


  • What is Information security?............................ 

             Security is all about protecting valuables. In this case, "valuables" are computer assets instead of money. Information can be anything!. Your details, data on your mobile phone, maybe your profile! Anything!. It can be physical or electronic!. Is  Securing information from unauthorized access is the only about Information Security?

        No, It is the practice of preventing unauthorized access, disruption, modification, inspection, recording or destruction of information!. Information Security spans many research areas right now, for example, mobile computing, Cyber Forensics, Online social media, .....  

                    There are 4 types of people involved when we are talking about Information Security.

  • Amateurs - Accidental access to unauthorized resources and execution of unauthorized operations (no harm to regular users)
  • Crackers - Active attempts to access sensitive resources and to discover system vulnerabilities (minor inconveniences to regular users)
  • Criminals - Active attempts to utilize weaknesses in protection a system in order to steal or destroy resources (serious problems to regular users)
  • Regular Users - Special requirements: authentication in open networks, authorization, message integrity, non-repudiation, special transactions
                  Information Security program includes 3 Objectives!. Commonly known as CIA - Confidentiality, Integrity, Available.

 




  • Confidentiality 
            Computer-related assets are only available to authorized parties. Only those that should have access to something will actually get that access. 
                            Let's take an example!. 
                                                           When you have a password for your Instagram and if someone saw when while you were doing login into the account. In that case, your password has been compromised and confidentiality has been breached!. 

  • Integrity  
           Integrity is maintaining the accuracy and completeness of data. Here data cannot be edited in an unauthorized way. There are three important aspects of providing computer related integrity.                                                  
                               - Authorized actions
                               - Separation and protection of resources.
                               - Error detection and correction.
This is hard to implement, usually done so through rigorous control of who or what can have access to  data and in what ways.

  • Available
            The information must be available when needed. Timely response, fair allocation, fault tolerance, usability, controlled concurrency are the requirements for availability.

                   

  • Protection Methods.................. 

       





  • Encryption

                The process of taking plain text, like text or message or email and scrambling it into an unreadable format. That format called "Cipher text". It helps to protect the confidentiality of data. The encoded information can only be accessed or decrypted by a user with the correct encryption key. Encryption is effective for users and messages authentication, access control.

        


  • Password Security



                     Using simple user ID / Password not considered a secure method of authentication. It turns out that single-factor authentication is extremely easy to compromise!. Good password policies must be put in place to order that the password cannot be compromised.

        - Using complex password ( A password should not be simple, or the word that used as a password should not be found in a dictionary. One of the first things a hacker will do is try to crack the password by testing every term in the dictionary!)

        - Changing password regularly (Users should change their password every sixty to ninety days to ensure that any password that might  have been stolen or guessed will not be able to be used against the company)

        - Training employees not to give away passwords (One of the primary methods that is used to steal password is to simply figure them out by asking the users or administrators).

  • Policies


            Organization need to implement security policies as a form of administrative control. It should be the starting point of developing an overall security plan. 

A good policy is "a  formal, brief and high -level statement or plan that embraces an organization 's general beliefs, goals, objectives, and acceptable procedures for specified subject area" Policies require compliance; failure to comply with a policy will result in disciplinary action.

 If you need to know more about policy, you can use Harvard University's "Computer Rules and Responsibilities" that mentioned here.

  • Physical Controls   




                Without implementing physical security, an organization's security cannot be completed. Physical Security is very important that much. Physical security is the protection of the actual hardware and networking components that store and transformation resources. To implement physical security, an Organization must identify all of the vulnerable resources and take measures to ensure that these resources cannot be physically tampered with or stolen. These measures are,

  • Locked doors: It may seem obvious, but all the security in the world is useless if an intruder can simply walk in and physically remove a computing device. High-value information assets should be secured in a location with limited access.
  • Physical intrusion detection: High- value information assets should be monitored through the use of security cameras and other means to detect unauthorized access to physical locations where they exist.
  • Secured Equipment: Devices should be locked down to prevent them from being stolen. One employee's hard drive could contain all of your customer information, so it is essential that it be secured.
  • Environmental Monitoring: An organization's servers and other high-value equipment should always be kept in a room that humidity, and airflow. is monitored for temperature, The risk of a server failure rises when these factors go out of specified range.
  • Employee Training: One of the most common ways theives steal corporate information is to steal employee laptops while employee are traveling.Employees should be trained to secure their equipment whenever thae are always from the office.


Summary

As computing and network resources have become a more and more integral part of business, they have also become a target of criminals. Organizations must be vigilant with the way they protect their resources. The same holds true for us personally: as digital devices become more and more intertwined with our lives, it becomes crucial for us to understand how to protect ourselves.


Labels:

Comments

Post a Comment

Popular Posts