
Information security

INTRODUCTION:
Information security is the practice of keeping data safe from access by unauthorized people or programs. It is not enough to keep data out of sight: it must be disclosed only to those who are authorized to see it. Information security can also be defined as safeguarding both the information and the information system that handles it, covering input, processing, output and feedback from the environment. Integrity is one of the most important properties to consider when any system is implemented: information systems must be reliable so that staff can depend on them and use them with confidence. Information held in a system may exist in many forms (readable text, audio, print, and increasingly electronic records), and every form needs protection. The goal is that information is not accessible to anyone who is not authorized, while confidentiality is maintained across the information systems and their security controls. Information security is of particular interest to businesses, since most organizations want to keep their information and data from being copied or used by competitors. People today are becoming more aware of this, and some are adopting information security as a career, which benefits both them and the organizations they work for. From a functional perspective, information security deals with uncertainty: something bad may or may not happen, so tools and methods have been developed to assess and manage that risk.

DEFINITION OF INFORMATION SECURITY:


In its most basic definition, information security means protecting information and information systems from unauthorized access, use, disruption, or destruction. The terms information security, computer security and information assurance are frequently used interchangeably. Digital signatures support this by providing authenticity and integrity: a signed message or certificate can be verified as coming from the claimed party and as unchanged, which underpins requiring individuals to prove their identity before they are granted access to computer data.

Definition - What does Information Systems Security (INFOSEC) mean?


Information systems security, more commonly referred to as INFOSEC, refers to the processes and methodologies involved in keeping information confidential and available and in assuring its integrity.

It also refers to:

- Access controls, which prevent unauthorized personnel from entering or accessing a system.
- Protecting information wherever it is, i.e. in transit (such as in an e-mail) or in storage.
- The detection and remediation of security breaches, as well as documenting those events.

Techopedia explains Information Systems Security (INFOSEC):


Information systems security does not deal only with computer information; it also covers protecting data and information in all of its forms, such as telephone conversations. A standard definition of information systems security (INFOSEC) is: the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.

Risk assessments must be performed to determine which information carries the biggest risk. For example, one system may hold the most important information and therefore needs stronger security measures. Business continuity planning and disaster recovery planning are other facets of an information systems security professional's work: planning for what could happen if a major business disruption occurs, so that business can continue as close to normal as possible.

The term is often used in the context of the U.S. Navy, which defines INFOSEC as:

COMPUSEC + COMSEC + TEMPEST = INFOSEC

where COMPUSEC is computer systems security, COMSEC is communications security, and TEMPEST refers to compromising emanations (unintended signals leaked by equipment that can reveal the data being processed).

Nowadays, with the widespread use of computers, institutions of all sizes collect and store huge volumes of confidential information. The information may concern employees, customers, research, products or financial operations. Most of it is collected, processed and stored on computers and transmitted across networks to other computers. If this information fell into the wrong hands, it could lead to lost business, lawsuits, identity theft or even bankruptcy of the business.

Data security is the protection of data against unauthorized access. Programs and data can be secured by issuing passwords and digital certificates to authorized users. However, a password only validates that the correct secret was entered, not that the person entering it is the legitimate user. Digital certificates and biometric techniques (fingerprints, eyes, voice, etc.), particularly when combined with something the user knows, provide a stronger method. Information is an asset like other important business assets. Its security is achieved by implementing an appropriate set of controls: policies, processes, procedures, organizational structures and supporting tools.

Every business has to protect its assets. If you're a logistics company, your planes and trucks are among your most important assets. To exercise "due care", you have to take the required measures to protect them; if you lose them, you lose business. Information is now no different. The world is increasingly interconnected, which exposes information to a wider audience and thus increases the variety of threats and vulnerabilities. Proper protection for information is therefore needed, because it has become one of your core assets.

As stated above, we create policies, standards and guidelines and use tools to protect information. These tools are hardware or software, so we can call them "technology". Locked drawers, turnstile gates, card readers, surveillance cameras, encryption software, firewalls, network IDSes: these are all tools, all "technology".

Technology does not by itself drive information security; it also creates new exposure windows and threats to information. So although the two are loosely coupled, they are closely related in nature. The main question is: how do you prevent unauthorized computer access? The six areas below help secure your computer and prevent unauthorized access by other people or by software programs, and so help keep your information safe:

(1) Operating system and software patches and updates
(2) Passwords
(3) Get a hardware or software firewall
(4) Trojans, viruses, spyware, and other malware
(5) Know how to handle e-mails
(6) Run system scans to check for vulnerabilities

The details of the above points are given below.

(1)Operating system and software patches and updates:


There is no such thing as perfect software. A program may have several issues and could have security vulnerabilities that leave your computer open to attacks that compromise the computer and your data. Software patches, updates and drivers are made available, usually for free, to keep programs and operating systems running properly and securely. If a program does not check for updates on its own, it is up to you to verify that it is up to date, typically by visiting the web site of the developer who created it. Apply patches promptly: once a fix is published, the vulnerability it closes is public too, so an update that has been released but not installed offers no protection.

(2)Passwords:
Make sure a password has been set on the computer. Default passwords such as password, root, admin, or no password at all, allow easy access to your computer or your Internet account.

1. Use a long, unique password for each account, and change a password whenever you suspect it has been exposed. The traditional advice to rotate every few months matters less than never reusing a password across accounts.
2. Create a BIOS password so that the boot order cannot be changed (for example to boot from a USB stick) without it.
3. When creating a password, add numbers or other characters to make it harder to guess, but do not simply decorate a dictionary word: 1mypassword23! is still the word "mypassword" with predictable padding, which password-cracking wordlist rules try first.
4. Do not write passwords on sticky notes around your computer. Use a password manager instead.
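As an added example (not part of the original page), the following Python policy check applies the rules above to candidate passwords: minimum length, a wordlist lookup, a check for the "dictionary word plus digits and symbols" pattern that makes 1mypassword23! weak, and a crude entropy estimate. The wordlist, the 12-character minimum and the sequence list are constructed for the demo; a real deployment would use a large breach corpus.

```python
import math
import re

# Constructed mini wordlist for the demo. A real check would consult a large
# breach corpus (a downloaded list of leaked passwords) instead of this set.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "admin", "root", "letmein",
    "welcome", "mypassword", "iloveyou", "football",
}
MIN_LENGTH = 12  # assumed policy minimum for this example


def _strip_decoration(pw: str) -> str:
    """Drop leading/trailing digits and symbols: '1mypassword23!' -> 'mypassword'."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw)


def estimate_entropy_bits(pw: str) -> float:
    """Upper bound on guessing entropy, assuming every character is drawn uniformly
    from the character classes present. Real passwords are far more predictable,
    so treat the number as optimistic."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"\d", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    core = _strip_decoration(lowered)
    if core != lowered and core in COMMON_PASSWORDS:
        # This rule is what catches the page's own example, 1mypassword23!
        problems.append(f"common password '{core}' padded with digits/symbols")
    if len(pw) > 1 and re.fullmatch(r"(.)\1+", pw):
        problems.append("single repeated character")
    if re.search(r"0123|1234|2345|3456|4567|5678|6789|abcd|qwer|asdf", lowered):
        problems.append("contains a keyboard or numeric sequence")
    return problems
```

The entropy figure is only a ceiling; the wordlist and padding checks are what actually reject passwords a cracker would guess early, which is why a long multi-word passphrase passes while the padded dictionary word does not.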

(3)Get a hardware or software firewall:


We highly recommend that all computer users have a firewall. There are two kinds:

1. Hardware firewall: a device connected to your network. Many home users with a home network use their network router as the firewall.
2. Software firewall: a program installed on the computer that filters unauthorized incoming and outgoing connections on that computer. Every mainstream operating system now ships with one; make sure it is switched on.

Note: A software firewall only protects the computer it is installed on. A hardware firewall at the network edge protects every device behind it from the Internet, but not the devices from each other.

Many antivirus products released today also include their own firewall. If your antivirus product has a firewall, you do not need to obtain a separate third-party firewall program.

(4)Trojans, viruses, spyware, and other malware:


Trojans, viruses, spyware and other malware can not only damage or destroy your data but can also monitor your computer to learn about your browsing habits, or log every keystroke to capture sensitive data such as passwords and credit card numbers. To protect your computer from these threats, install an antivirus program that also detects spyware, and keep its definitions up to date.

(5)Know how to handle e-mails:


Today, e-mail is one of the most popular services on the Internet. Being able to identify threats sent through e-mail helps keep your computer and your personal information safe. Below are some of the most common threats you may encounter while using e-mail.

- Attachments: Do not open or run unexpected e-mail attachments. Viruses, spyware and other malware are commonly distributed through e-mails with attachments. For example, an e-mail may invite you to open an attachment of a funny video when it is actually malware. Be especially wary of executable types (.exe, .scr, .js) and of double extensions such as video.mp4.exe.
- Phishing: A phishing e-mail appears to come from an official company (such as your bank) and tells you that you need to log on to the site to check your account settings. The link actually leads to a site set up to steal confidential information such as your passwords, credit card information or social security number. Tell-tale signs are a sender address whose domain does not match the company, a Reply-To address that differs from the sender, and links whose visible text shows one address while the target is another.
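As an added example (not from the original page), the Python below checks a message for the phishing and attachment indicators just described: a sender domain that does not match the brand, a Reply-To pointing elsewhere, links whose visible text disagrees with their target or that point at a bare IP address, and executable or double-extension attachments. Both sample messages are constructed for the demo; the domains, addresses, IP and the assumed trusted brand examplebank.com are made up.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "examplebank.com"  # the brand the message claims to come from (assumption)
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso")

# Constructed sample messages; addresses, domains and the IP are made up for the demo.
PHISH_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-support.net>
Reply-To: verify@mail-examplebank.ru
To: customer@example.org
Subject: Urgent: confirm your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer, your account will be locked. Verify now:</p>
<a href="http://198.51.100.7/login">https://www.examplebank.com/secure</a>
<p>Your statement is attached.</p></body></html>
--BOUND
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUND--
"""

LEGIT_EMAIL = """\
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available in online banking.</p>
<a href="https://www.examplebank.com/secure">Sign in</a></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host: str) -> str:
    """Crude 'last two labels' domain; enough for the demo, not a public-suffix lookup."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def phishing_indicators(raw: str, trusted_domain: str = TRUSTED_DOMAIN) -> list:
    """Return human-readable indicators found in the message; empty means none found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender address versus the brand it claims to be
    _name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    if from_domain and _registrable(from_domain) != trusted_domain:
        findings.append(f"sender domain {from_domain} is not {trusted_domain}")

    # 2. Reply-To pointing somewhere other than the sender
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.rpartition("@")[2] != from_domain:
        findings.append(f"Reply-To goes to a different domain: {reply_addr}")

    # 3. Links whose visible text disagrees with the real target, or that use a raw IP
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link points at a bare IP address: {href}")
        shown = urlparse(text).hostname if "://" in text else None
        if shown and _registrable(shown) != _registrable(host):
            findings.append(f"link text shows {shown} but target is {host}")

    # 4. Executable or double-extension attachments
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
    return findings
```

The checks are deliberately simple heuristics; a mail gateway would add SPF/DKIM/DMARC results and URL reputation, but the mismatch between what a link shows and where it goes remains the single most useful thing to teach users to look at.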

(6)Run system scans to check for vulnerabilities


There are several sites on the Internet that let users check their computer or network for exposed services and other issues that could allow unauthorized access. Two sites recommended here: Gibson Research Corporation (GRC) is a good place to learn about network security as well as to test your computer or network for vulnerabilities (its ShieldsUP service reports which ports on your Internet address are reachable from outside); Hacker Wacker is another site with computer security information, help, and programs to test your computer and network. Such external scans only see what is exposed to the Internet; missing patches on the host itself need a local vulnerability scanner or the operating system's update tool.

DATA SECURITY TECHNOLOGY:

(1) Hardware-based mechanisms for protecting data: Software-based security solutions encrypt data to prevent it from being stolen. However, a malicious program or an attacker may corrupt the data to make it unrecoverable or unusable, and an encrypted operating system can likewise be corrupted, making the system unusable. Hardware-based security can block read and write access to data below the operating system and so offers strong protection against tampering and unauthorized access; it is an alternative to, or a complement of, software-only security. Security tokens (typically accessed through a standard interface such as PKCS#11) can be more secure because physical access to the token is required to compromise it: access is enabled only when the token is connected and the correct PIN is entered (see two-factor authentication). However, a dongle can be used by anyone who gains physical possession of it, which is why the PIN, and a limit on PIN attempts, matter. Newer hardware-based technologies aim to address this problem, although no mechanism is fool proof.

How hardware-based security works: a hardware device lets a user log in, log out and set different privilege levels through manual actions, and uses biometrics to prevent malicious users from doing so. The current state of the user is read by controllers in peripheral devices such as hard disks, so an illegal access attempt by a malicious user or program is blocked by the disk or DVD controller according to that state. Hardware-based access control is harder to subvert than protection provided by the operating system alone, because an operating system is vulnerable to malware and attackers, and data on disk can be corrupted once malicious access is obtained. With hardware-based protection, software cannot manipulate the user privilege levels, so a hacker or malicious program cannot gain access to hardware-protected data or perform unauthorized privileged operations simply by compromising the operating system; the hardware also protects the operating system image and file system privileges from tampering. Combined with sound system administration policies, this gives a far more secure system, though "completely secure" overstates it: firmware bugs, physical attacks and misconfiguration remain in scope.
(2)Backups:

Backups are used to ensure that data which is lost or destroyed, whether through hardware failure, accident, ransomware or other malicious action, can be recovered. A backup is only useful if it is kept separate from the system it protects (so the same incident cannot take both) and if restores are tested regularly.


(3) Data masking: Data masking of structured data is the process of obscuring (masking) specific data within a database table or cell to ensure that data security is maintained and sensitive information is not exposed to unauthorized personnel. This may include masking the data from users (for example so that banking customer representatives can see only the last 4 digits of a customer's national identity number), from developers (who need realistic production-like data to test new software releases but should not be able to see sensitive financial data), from outsourcing vendors, etc. When the masked copy must keep relationships between tables, identifiers are replaced consistently (the same real value always maps to the same substitute) rather than simply blanked.

(4) Data erasure: Data erasure is a method of software-based overwriting that destroys all electronic data residing on a hard drive or other digital media, to ensure that no sensitive data leaks when an asset is retired or reused. Deleting a file or formatting a drive does not achieve this, since the underlying blocks remain readable until overwritten.
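As an added example for the data masking passage (not from the original page), the Python below produces the two masked views it describes: a call-centre view that keeps only the last four digits, and a developer copy in which names are replaced and identifiers are tokenised with a keyed HMAC so that the customer and transaction tables still join. The sample rows, identifiers and key are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed sample tables; names and identifiers are made up for the demo.
CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "national_id": "123-45-6789", "balance": 2500.00},
    {"customer_id": 1002, "name": "Bob Sample", "national_id": "987-65-4321", "balance": 17300.50},
]
TRANSACTIONS = [
    {"txn": 1, "national_id": "123-45-6789", "amount": -40.00},
    {"txn": 2, "national_id": "987-65-4321", "amount": 1200.00},
]


def mask_last4(value: str) -> str:
    """Partial mask for a call-centre view: keep only the last four digits and
    the original separators, so '123-45-6789' becomes '***-**-6789'."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= 4:
        return "*" * len(value)  # too short to reveal anything safely
    masked_digits = "*" * (len(digits) - 4) + digits[-4:]
    out, i = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(masked_digits[i])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def pseudonymize(value: str, key: bytes) -> str:
    """Deterministic keyed token (HMAC-SHA256, truncated to 16 hex characters).
    The same input always maps to the same token, so joins between tables still
    work in the masked copy, but the token cannot be reversed or recomputed
    without the key. Keep the key out of the development environment."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def agent_view(rows: list) -> list:
    """What a customer-service representative sees: partial IDs, everything else intact."""
    return [{**r, "national_id": mask_last4(r["national_id"])} for r in rows]


def developer_copy(customers: list, transactions: list, key: bytes):
    """Test-data copy for developers: real names replaced, IDs tokenised consistently
    across both tables, balances coarsened so individual positions are not exposed."""
    masked_customers = [
        {
            **c,
            "name": f"Customer {c['customer_id']}",
            "national_id": pseudonymize(c["national_id"], key),
            "balance": round(c["balance"], -2),
        }
        for c in customers
    ]
    masked_transactions = [
        {**t, "national_id": pseudonymize(t["national_id"], key)} for t in transactions
    ]
    return masked_customers, masked_transactions
```

An unkeyed hash would not do for the developer copy: national identifiers have little entropy, so anyone with the masked data could recompute SHA-256 over the whole identifier space and reverse it. The HMAC key is what turns the token into something that cannot be brute-forced without it.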

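As an added example for the data erasure passage (not from the original page), the Python below overwrites a file in place, first with random bytes and then with zeros, forces each pass to disk, reads the file back to confirm the final pass landed, and only then unlinks it. The sample file content is constructed for the demo, and the caveat in the docstring about SSDs and copy-on-write filesystems is the editor's, not the page's.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16


def overwrite_and_delete(path: str, passes: int = 2) -> int:
    """Overwrite a file in place (random data, then zeros), fsync every pass, read the
    file back to confirm the final pass landed, then unlink it. Returns the number of
    bytes overwritten per pass.

    Caveat (general storage behaviour, not a claim from the page): on SSDs, on
    copy-on-write or journaling filesystems and on cloud block storage, the physical
    blocks that held the old data may never be rewritten, so in-place overwriting is
    not a substitute for ATA/NVMe secure erase, crypto-erase (destroying the volume
    key) or destroying the media.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                # random data for every pass but the last, zeros for the final one
                f.write(secrets.token_bytes(n) if p < passes - 1 else b"\x00" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
        # verification: the whole file must now read back as zeros
        f.seek(0)
        while True:
            buf = f.read(CHUNK)
            if not buf:
                break
            if any(buf):
                raise RuntimeError("verification failed: non-zero bytes after final pass")
    os.remove(path)
    return size


def demo() -> dict:
    """Create a temporary file holding constructed sample data, erase it, report results."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as f:
        f.write(b"customer export: 123-45-6789\n" * 5000)  # constructed content
    existed = os.path.exists(path)
    wiped = overwrite_and_delete(path)
    return {"existed_before": existed, "bytes_overwritten": wiped, "exists_after": os.path.exists(path)}
```

The read-back step matters more than the number of passes: a single overwrite that is verified is worth more than several that silently went to a cache, and on any media where overwriting cannot be trusted the answer is encryption with key destruction rather than more passes.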
International Laws and Standards


(5)International Laws:

In the UK, the Data Protection Act ensures that personal data is accessible to the individuals it concerns and provides redress to individuals if there are inaccuracies. This is particularly important for ensuring that individuals are treated fairly, for example in credit checking. The Act states that only individuals and companies with a legitimate and lawful reason may process personal information, and that it may not be shared without such a basis. Data Privacy Day is an international observance started by the Council of Europe that takes place every January 28.
(6)International Standards:

The international standard ISO/IEC 17799 (since renumbered ISO/IEC 27002) covers data security under the topic of information security, and one of its cardinal principles is that all stored information, i.e. data, should have an owner, so that it is clear whose responsibility it is to protect it and control access to it. The Trusted Computing Group is an industry organization that standardizes computing security technologies such as the Trusted Platform Module (TPM).
