
2012

PRAMOD KUMAR DEPARTMENT OF CS&IT HITM, AGRA

EIT-505 Information Security and Cyber Laws

UNIT-I: History of Information Systems and its Importance, Basics, Changing Nature of Information Systems, Need of Distributed Information Systems, Role of Internet and Web Services, Information System Threats and Attacks, Classification of Threats and Assessing Damages. Security in Mobile and Wireless Computing: Security Challenges in Mobile Devices, Authentication Service Security, Security Implications for Organizations, Laptop Security. Basic Principles of Information Security: Confidentiality, Integrity, Availability and other terms in Information Security, Information Classification and their Roles.

UNIT-II: Security Threats to E-Commerce, Virtual Organization, Business Transactions on the Web, E-Governance and EDI, Concepts in Electronic Payment Systems, E-Cash, Credit/Debit Cards. Physical Security: Needs, Disaster and Controls, Basic Tenets of Physical Security and Physical Entry Controls. Access Control: Biometrics, Factors in Biometric Systems, Benefits, Criteria for Selection of Biometrics, Design Issues in Biometric Systems, Interoperability Issues, Economic and Social Aspects, Legal Challenges.

UNIT-III: Model of Cryptographic Systems, Issues in Document Security, System of Keys, Public Key Cryptography, Digital Signature, Requirements of a Digital Signature System, Fingerprints, Firewalls, Design and Implementation Issues, Policies. Network Security: Basic Concepts, Dimensions, Perimeter for Network Protection, Network Attacks, Need of Intrusion Monitoring and Detection, Intrusion Detection. Virtual Private Networks: Need, Use of Tunneling with VPN, Authentication Mechanisms, Types of VPNs and their Usage, Security Concerns in VPN.

UNIT-IV: Security Metrics: Classification and their Benefits. Information Security and Law, IPR, Patent Law, Copyright Law, Legal Issues in Data Mining Security, Building Security into the Software Life Cycle. Ethics: Ethical Issues, Issues in Data and Software Privacy. Cyber Crime: Types and Overview of Cyber Crimes.

References:
1. Godbole, Information Systems Security, Wiley
2. Merkov, Breithaupt, Information Security, Pearson Education
3. Yadav, Foundations of Information Technology, New Age, Delhi
4. Schou, Shoemaker, Information Assurance for the Enterprise, Tata McGraw Hill
5. Sood, Cyber Laws Simplified, McGraw Hill
6. Furnell, Computer Insecurity, Springer
7. IT Act 2000

UNIT-I
Highlights
History of Information Systems and its Importance, Basics, Changing Nature of Information Systems, Need of Distributed Information Systems, Role of Internet and Web Services, Information System Threats and Attacks, Classification of Threats and Assessing Damages. Security in Mobile and Wireless Computing: Security Challenges in Mobile Devices, Authentication Service Security, Security Implications for Organizations, Laptop Security. Basic Principles of Information Security: Confidentiality, Integrity, Availability and other terms in Information Security, Information Classification and their Roles.

References:
1. Godbole, Information Systems Security, Wiley
2. Principles of Information Security, 2nd Edition

HISTORY OF INFORMATION SYSTEMS

The earliest mainframe computers could only process a single task by a single user.
1946: ENIAC (Electronic Numerical Integrator and Calculator) was developed.
1951: first computer installed by the U.S. Census Bureau.
1954: first computer used by G.E.

Over the last half century, hardware has seen many-fold increases in speed and capacity and dramatic size reductions. Applications have also evolved from relatively simple accounting programs to systems designed to solve a wide variety of problems.

Multitasking
IBM revolutionized the computer industry in the mid-1960s by introducing the IBM System/360 line of computers. These computers were the first to perform multiple processing tasks concurrently.

Smaller Computers
The first small-scale systems, called minicomputers, were smaller and less powerful but could handle processing for small organizations more cheaply. Even smaller microcomputers designed for individual use were later developed, first by Apple and Tandy Corp. In 1982, IBM introduced the first personal computer, or PC, which has since become the standard for individual computing.

Moore's Law
Coined in the 1960s by Gordon Moore, one of the founders of Intel. It states that the storage density (and therefore the processing power) of integrated circuits doubles about every year. By the 1970s the doubling rate had slowed to 18 months, a pace that has continued up to the present.

Importance of Information Systems



In the world of globalization, an information system is one in which data are collected, classified and processed, and the results interpreted, in order to provide an integrated series of information for further communication and analysis. In an increasingly competitive global environment, an information system plays the role of enabler and facilitator, providing strategic value to the organization and a considerable improvement in the quality of management. An information system is a particular type of work system that uses information technology to capture, transmit, store, retrieve, manipulate or display information, thereby supporting one or more other work systems. In addition to supporting decision making, co-ordination and control, information systems may also help managers and workers investigate problems, visualize complex subjects and generate new products or services. Work systems and the information systems that support them typically undergo at least four phases:
a) Initiation, the process of defining the need to change an existing work system;
b) Development, the process of acquiring and configuring/installing the necessary hardware, software and other resources;
c) Implementation, the process of making the new system operational in the organization; and
d) Operation and maintenance, the process concerned with the operation of the system, correcting any problems that may arise and ensuring that the system is delivering the anticipated benefits.
The management of these processes can be achieved and controlled using a series of techniques and management tools which, collectively, tend to be known as Structured Methodologies.
Two important methodologies, PRINCE (Projects IN a Controlled Environment) and SSADM (Structured Systems Analysis and Design Methodology), both developed by the Central Computing and Telecommunications Agency (CCTA), are used widely in the UK public sector and in some developing countries, such as Bangladesh, Pakistan and Nepal. Before commenting on the application of these methods in developing countries, it is worth giving brief outlines of them.

PRINCE is a project management method, not a system development method; it covers the organisation, management and control of projects. Since its introduction in 1989, PRINCE has become widely used in both the public and private sectors and is now the UK's de facto standard for project management. Although PRINCE was originally developed for the needs of IT projects, the method has also been used on many non-IT projects. PRINCE requires a dedicated team to be established to manage and carry out each project. It therefore aims to provide a supporting framework between the current state of affairs and the planned future state. PRINCE focuses attention on end-products rather than activities, ensuring that the organization actually gets what it wants out of the project. Quality is seen as a necessary and integral part of the project, and the focus on end-products enables the criteria by which quality is to be judged to be specified at the outset of the project. It requires the development of a viable business case for the project at its outset, and that business case needs to be periodically reviewed.

Basics of Information System


What Is an Information System?
An information system (IS) can be any organized combination of people, hardware, software, communications networks, data resources, and policies and procedures that stores, retrieves, transforms, and disseminates information in an organization. People rely on modern information systems to communicate with each other using a variety of physical devices (hardware), information processing instructions and procedures (software), communications channels (networks), and stored data (data resources). Consider some of the following examples of information systems:
- Smoke signals for communication were used as early as recorded history can account for the human discovery of fire. The pattern of smoke transmitted valuable information to others who were too far away to see or hear the sender.
- Card catalogs in a library are designed to store data about the books in an organized manner that allows a particular book to be located by its title, author name, subject, or a variety of other approaches.
- Your book bag, day planner, notebooks, and file folders are all part of an information system designed to assist you in organizing the inputs provided to you via handouts, lectures, presentations, and discussions. They also help you process these inputs into useful outputs: homework and good exam grades.
- The cash register at your favorite fast-food restaurant is part of a large information system that tracks the products sold, the time of a sale, the inventory levels, and the amount of money in the cash drawer, and contributes to analysis of product sales between any combination of locations anywhere in the world.

Information System Resources


Our basic IS model shows that an information system consists of five major resources: people, hardware, software, data, and networks.

People Resources
People are the essential ingredient for the successful operation of all information systems. These people resources include end users and IS specialists.
1. End users (also called users or clients) are people who use an information system or the information it produces. They can be customers, salespersons, engineers, clerks, accountants, or managers and are found at all levels of an organization.
2. IS specialists are people who develop and operate information systems. They include systems analysts, software developers, system operators, and other managerial, technical, and clerical IS personnel.

Hardware Resources
The concept of hardware resources includes all physical devices and materials used in information processing. Specifically, it includes not only machines, such as computers and other equipment, but also all data media, that is, tangible objects on which data are recorded, from sheets of paper to magnetic or optical disks. Examples of hardware in computer-based information systems are:
1. Computer systems, which consist of central processing units containing microprocessors, and a variety of interconnected peripheral devices such as printers, scanners, monitors, and so on. Examples are hand-held, laptop, tablet, or desktop microcomputer systems, midrange computer systems, and large mainframe computer systems.
2. Computer peripherals, which are devices such as a keyboard, electronic mouse, trackball, or stylus for input of data and commands, a video screen or printer for output of information, and magnetic or optical disk drives for storage of data resources.

Software Resources
The concept of software resources includes all sets of information processing instructions. This generic concept of software includes not only the sets of operating instructions called programs, which direct and control computer hardware, but also the sets of information processing instructions called procedures that people need. The following are examples of software resources:
1. System software, such as an operating system program, which controls and supports the operations of a computer system. Microsoft Windows and Unix are but two examples of popular computer operating systems.
2. Application software, which are programs that direct processing for a particular use of computers by end users. Examples are a sales analysis program, a payroll program, and a word processing program.
3. Procedures, which are operating instructions for the people who will use an information system. Examples are instructions for filling out a paper form or using a software package.

Data Resources
Data are more than the raw material of information systems. The concept of data resources has been broadened by managers and information systems professionals. They realize that data constitute valuable organizational resources. Thus, you should view data the same as any organizational resource that must be managed effectively to benefit all stakeholders in an organization. The data resources of information systems are typically organized, stored, and accessed by a variety of data resource management technologies into:
1. Databases that hold processed and organized data.
2. Knowledge bases that hold knowledge in a variety of forms such as facts, rules, and case examples about successful business practices.

Network Resources
Telecommunications technologies and networks like the Internet, intranets, and extranets are essential to the successful electronic business and commerce operations of all types of organizations and their computer-based information systems. Telecommunications networks consist of computers, communications processors, and other devices interconnected by communications media and controlled by communications software. The concept of network resources emphasizes that communications technologies and networks are a fundamental resource component of all information systems. Network resources include:
1. Communications media. Examples include twisted-pair wire, coaxial and fiber optic cables, and microwave, cellular, and satellite wireless technologies.
2. Network infrastructure. This generic category emphasizes that many hardware, software, and data technologies are needed to support the operation and use of a communications network. Examples include communications processors such as modems and internetwork processors, and communications control software such as network operating systems and Internet browser packages.

Types of Information Systems


Information systems can be classified as either operations support systems or management support systems. The figure (not reproduced here) illustrates this conceptual classification of information systems applications. Information systems are categorized this way to spotlight the major roles each plays in the operations and management of a business.


Operations Support Systems
Information systems have always been needed to process data generated by, and used in, business operations. Such operations support systems produce a variety of information products for internal and external use. However, they do not emphasize producing the specific information products that can best be used by managers.
- Transaction processing systems. Process data resulting from business transactions, update operational databases, and produce business documents. Examples: sales and inventory processing and accounting systems.
- Process control systems. Monitor and control industrial processes. Examples: petroleum refining, power generation, and steel production systems.
- Enterprise collaboration systems. Support team, workgroup, and enterprise communications and collaboration. Examples: e-mail, chat, and videoconferencing groupware systems.

Management Support Systems
When information system applications focus on providing information and support for effective decision making by managers, they are called management support systems. Providing information and support for decision making by all types of managers and business professionals is a complex task. Conceptually, several major types of information systems support a variety of decision-making responsibilities: (1) management information systems, (2) decision support systems, and (3) executive information systems.
- Management information systems. Provide information in the form of prespecified reports and displays to support business decision making. Examples: sales analysis, production performance, and cost trend reporting systems.
- Decision support systems. Provide interactive ad hoc support for the decision-making processes of managers and other business professionals. Examples: product pricing, profitability forecasting, and risk analysis systems.
- Executive information systems. Provide critical information from MIS, DSS, and other sources tailored to the information needs of executives. Examples: systems for easy access to analyses of business performance, actions of competitors, and economic developments to support strategic planning.


Threats
Threat: an object, person, or other entity that represents a constant danger to an asset. Management must be informed of the different threats facing the organization. By examining each threat category, management effectively protects information through policy, education, training, and technology controls.

The 2004 Computer Security Institute (CSI)/Federal Bureau of Investigation (FBI) survey found that 79 percent of organizations reported cyber security breaches within the last 12 months, and 54 percent of those organizations reported financial losses totaling over $141 million.

Acts of Human Error or Failure

This category includes the possibility of acts performed without intent or malicious purpose by an individual who is an employee of an organization. Inexperience, improper training, the making of incorrect assumptions, and other circumstances can cause problems. Employees constitute one of the greatest threats to information security, as the individuals closest to the organizational data. Employee mistakes can easily lead to the following: revelation of classified data, entry of erroneous data, accidental deletion or modification of data, storage of data in unprotected areas, and failure to protect information. Many threats can be prevented with controls, ranging from simple procedures, such as requiring the user to type a critical command twice, to more complex procedures, such as the verification of commands by a second party.


Deliberate Acts of Espionage or Trespass
This threat represents a well-known and broad category of electronic and human activities that breach the confidentiality of information. When an unauthorized individual gains access to the information an organization is trying to protect, that act is categorized as a deliberate act of espionage or trespass. When information gatherers employ techniques that cross the threshold of what is legal and/or ethical, they enter the world of industrial espionage. Instances of shoulder surfing occur at computer terminals, desks, ATM machines, public phones, or other places where a person is accessing confidential information. The threat of trespass can lead to unauthorized, real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.

Controls are sometimes implemented to mark the boundaries of an organization's virtual territory. These boundaries give notice to trespassers that they are encroaching on the organization's cyberspace. The classic perpetrator of deliberate acts of espionage or trespass is the hacker. In the gritty world of reality, a hacker uses skill, guile, or fraud to attempt to bypass the controls placed around information that is the property of someone else. The hacker frequently spends long hours examining the types and structures of the targeted systems.

Deliberate Acts of Theft
Theft is the illegal taking of another's property. Within an organization, that property can be physical, electronic, or intellectual. The value of information suffers when it is copied and taken away without the owner's knowledge. Physical theft can be controlled quite easily. A wide variety of measures can be used, from simple locked doors, to trained security personnel, to the installation of alarm systems. Electronic theft, however, is a more complex problem to manage and control. Organizations may not even know it has occurred.

Deliberate Software Attacks
Deliberate software attacks occur when an individual or group designs software to attack an unsuspecting system. Most of this software is referred to as malicious code or malicious software, or sometimes malware. These software components or programs are designed to damage, destroy, or deny service to the target systems. Some of the more common instances of malicious code are viruses and worms, Trojan horses, logic bombs, back doors, and denial-of-service attacks.
- Computer viruses - segments of code that perform malicious actions. This code behaves very much like a virus pathogen attacking animals and plants, using the cell's own replication machinery to propagate and attack. The code attaches itself to an existing program and takes control of that program's access to the targeted computer. The virus-controlled target program then carries out the virus's plan by replicating itself into additional targeted systems. The macro virus is embedded in automatically executing macro code, common in office productivity software like word processors, spreadsheets, and database applications. The boot virus infects the key operating system files located in a computer's boot sector.
- Worms - malicious programs that replicate themselves constantly without requiring another program to provide a safe environment for replication. Worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth.
- Trojan horses - software programs that hide their true nature and reveal their designed behavior only when activated. Trojan horses are frequently disguised as helpful, interesting or necessary pieces of software, such as readme.exe files often included with shareware or freeware packages.
- Back door or trap door - a virus or worm can have a payload that installs a back door or trap door component in a system. This allows the attacker to access the system at will with special privileges.
- Polymorphism - a threat that changes its apparent shape over time, representing a new threat not detectable by techniques that look for a pre-configured signature. These threats actually evolve variations in size and appearance to elude detection by anti-virus software programs, making detection more of a challenge.
- Virus and worm hoaxes - as frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus hoaxes. Well-meaning people spread these hoaxes when they forward e-mails warning of fictitious or virus-laden threats.

Forces of Nature
Forces of nature are among the most dangerous threats. They disrupt not only individual lives, but also the storage, transmission, and use of information. Organizations must implement controls to limit damage and prepare contingency plans for continued operations.

ATTACKS
An attack is a deliberate act that exploits a vulnerability. It is accomplished by a threat agent to damage or steal an organization's information or physical asset. An exploit is a technique to compromise a system. A vulnerability is an identified weakness of a controlled system whose controls are not present or are no longer effective. An attack is then the use of an exploit to achieve the compromise of a controlled system.

Malicious Code

This kind of attack includes the execution of viruses, worms, Trojan horses, and active web scripts with the intent to destroy or steal information. The state of the art in attacking systems in 2002 is the multivector worm. These attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in commonly found information system devices.

Back Doors - using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource.

Password Crack - attempting to reverse calculate a password.
- Brute Force - the application of computing and network resources to try every possible combination of options of a password.
- Dictionary - the dictionary password attack narrows the field by selecting specific accounts to attack and uses a list of commonly used passwords (the dictionary) to guess with.

Denial-of-service (DoS) - the attacker sends a large number of connection or information requests to a target. So many requests are made that the target system cannot handle them successfully along with other, legitimate requests for service. This may result in a system crash, or merely an inability to perform ordinary functions.

Distributed Denial-of-service (DDoS) - an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
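The two definitions above translate directly into a detection rule. The following added example (not part of the lecture notes) runs it over constructed web-server access-log lines: a window in which one source exceeds a per-source limit is reported as DoS, and a window in which many sources each stay under that limit but together exceed an aggregate limit is reported as DDoS. The log lines, addresses and thresholds are all constructed for the example.

```python
# Added example, not from the lecture notes: flood detection over web-server
# access-log lines. One source exceeding the per-source limit inside a time
# window is reported as DoS; many sources that each stay under that limit but
# together exceed the aggregate limit are reported as DDoS. The log lines,
# addresses and thresholds are constructed for this example.
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Common Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source, timestamp, request, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None          # skip junk instead of crashing the detector
    src, ts, request, status, _size = m.groups()
    return src, datetime.strptime(ts, TIME_FMT), request, int(status)


def detect_floods(lines, window_s=10, per_source_limit=20,
                  aggregate_limit=50, min_sources=10):
    """Map each suspicious window start (HH:MM:SS, UTC) to ("DoS", [sources])
    or ("DDoS", number_of_sources)."""
    buckets = defaultdict(Counter)       # window start -> requests per source
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, when, _, _ = rec
        start = int(when.timestamp()) // window_s * window_s
        buckets[start][src] += 1

    alerts = {}
    for start, per_src in sorted(buckets.items()):
        label = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%H:%M:%S")
        heavy = sorted(s for s, n in per_src.items() if n > per_source_limit)
        total = sum(per_src.values())
        if heavy:
            alerts[label] = ("DoS", heavy)
        elif total > aggregate_limit and len(per_src) >= min_sources:
            alerts[label] = ("DDoS", len(per_src))
    return alerts


def make_line(src, second, path="/index.html"):
    """Constructed CLF line at 10/Oct/2012 13:55:<second> UTC."""
    return f'{src} - - [10/Oct/2012:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


def constructed_log():
    """Three 10-second windows: normal traffic, a single-source flood, a distributed one."""
    lines = [make_line(src, i) for i, src in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3"])]
    lines += [make_line("192.168.0.25", 10 + i % 10) for i in range(30)]   # 13:55:10-19
    lines += [make_line(f"203.0.113.{i}", 20 + i % 10)                     # 13:55:20-29
              for i in range(30) for _ in range(2)]
    lines.append("not a log line at all")                                   # malformed
    return lines


if __name__ == "__main__":
    for window, verdict in detect_floods(constructed_log()).items():
        print(window, verdict)
```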


Spoofing - a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.

Man-in-the-Middle - in the man-in-the-middle or TCP hijacking attack, an attacker sniffs packets from the network, modifies them, and inserts them back into the network.

Spam - unsolicited commercial e-mail. While many consider spam a nuisance rather than an attack, it is emerging as a vector for some attacks.

FIGURE 2-10 IP Spoofing (figure not reproduced; its labels are summarised here)
Original IP packet from the hacker's system: IP source 192.168.0.25, IP destination 100.0.0.75, data: payload.
Spoofed (modified) IP packet: IP source 100.0.0.80, IP destination 100.0.0.75, data: payload.
The hacker modifies the source address to spoof the firewall; the firewall allows the packet in, mistaking it for legitimate traffic; the spoofed packet slips into the intranet to wreak havoc.
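The figure's weakness is a firewall that trusts a packet because of its source address alone. The following added example (not code from the lecture notes) models that policy beside the standard mitigation, ingress filtering: a packet arriving on the outside interface that claims an internal source address is dropped as spoofed. The addresses follow Figure 2-10; the intranet range 100.0.0.0/24 and the interface names are assumptions made for this example.

```python
# Added example, not from the lecture notes: a toy packet filter that shows why
# a firewall trusting the source IP alone admits the spoofed packet of
# Figure 2-10, and how an ingress (anti-spoofing) rule closes that gap.
# Addresses follow the figure; the intranet range and interface names are
# assumptions made for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("100.0.0.0/24")   # assumed range of the protected intranet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str      # interface the packet arrived on: "outside" (Internet) or "inside"
    payload: str


def naive_filter(pkt: Packet) -> bool:
    """Trust-by-address policy from the figure: admit any packet whose
    source address belongs to the intranet, whatever interface it came in on."""
    return ip_address(pkt.src) in INTERNAL_NET


def ingress_filter(pkt: Packet) -> tuple:
    """Same policy plus an ingress rule: a packet arriving on the outside
    interface can never legitimately carry an internal source address, so it
    is dropped and reported as spoofed. Returns (admitted, reason)."""
    src = ip_address(pkt.src)
    internal = src in INTERNAL_NET
    if pkt.iface == "outside" and internal:
        return False, f"spoofed: internal source {src} arrived on outside interface"
    if not internal:
        return False, f"external source {src} not trusted"
    return True, f"internal source {src} on inside interface"


# Packets constructed to match Figure 2-10.
ORIGINAL = Packet("192.168.0.25", "100.0.0.75", "outside", "Payload")
SPOOFED = Packet("100.0.0.80", "100.0.0.75", "outside", "Payload")   # source rewritten
LEGIT = Packet("100.0.0.80", "100.0.0.75", "inside", "Payload")      # genuine intranet host


def compare_policies(packets=(ORIGINAL, SPOOFED, LEGIT)) -> dict:
    """Verdicts of both policies for each packet, keyed by source/interface."""
    return {
        f"{p.src}/{p.iface}": (naive_filter(p), ingress_filter(p)[0])
        for p in packets
    }


if __name__ == "__main__":
    for key, (naive, ingress) in compare_policies().items():
        print(f"{key:24} naive={naive!s:5} ingress={ingress}")
```

The middle row of the comparison is the figure's spoofed packet: the naive policy admits it, the ingress rule drops it, while a genuine intranet host on the inside interface passes both.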

FIGURE 2-11 Man-in-the-Middle Attack (figure not reproduced; its labels are given here in step order)
1) Company A attempts to establish an encrypted session with Company B.
2) Hacker intercepts the transmission and poses as Company B. Hacker exchanges his own keys with Company A. Hacker then establishes a session with Company B, posing as Company A.
3) Company B sends all messages to the hacker, who receives, decrypts, copies, and forwards copies (possibly modified) to Company B.

Mail bombing - also a DoS; the attacker routes large quantities of e-mail to the target.

Sniffers - a program or device that monitors data traveling over a network; can be used both for legitimate purposes and for stealing information from a network.

Social engineering - using social skills to convince people to reveal access credentials or other valuable information to the attacker.

Buffer overflow - an application error occurring when more data is sent to a buffer than it can handle.

Timing attack - relatively new; works by exploring the contents of a Web browser's cache to create a malicious cookie.
