1. Fundamentals of Information Security
¹Salahedin Ali Namroush ²Shauki Abdusalam Fatshul
Center Of Advanced Software Engineering (CASE)
City Campus
University Technology Malaysia
s.alnamroush@gmail.com s.fashtul@gmail.com
Prof .Dr. Abdul Hanan Bin Abdullah Dr. Norafida Bte Ithnin
Abstract:
The basic reasons we care about information systems security are that some of our information needs to
be protected against unauthorized disclosure for legal and competitive reasons; all of the information we store and
refer to must be protected against accidental or deliberate modification and must be available in a timely fashion.
We must also establish and maintain the authenticity of documents we create, send and receive. As recent events
have shown, information security is an essential part of any organization’s infrastructure and increasing
interconnectivity, and networks to fulfill the organizations’ needs. This paper defines information security, policy,
addresses the general goal of information security, provides an outline of implementation, and describes the tools
available to implement information security.
Introduction:
Information security refers to protection of
data, programs and information stored in any
storage media or networks and includes with itself
the issues of privacy. It is the progress that adds
value to an organization part of this process includes
developing and implementing a security policy.[1]
Security Policy:
The first step to implementing the
information security is not based on technology. It
involves developing a security policy a short
document that explain why you want to implement
security.
Security standards:
The security standard document accompanies
the security policy and describes what must be
secured to comply with the policy, it will identify
an organization assets, the risk to the organization if
those assets are not protected, and the threats that
must be protected against. An asset is anything an
organization requires to perform business operation
like:
• People: Expertise, corporate memory.
• Hardware: CPU, Drivers, UPS, Keyboards.
• Software: Os, Applications, Source code,
Diagnostic software.
• Data: Database, Customer data, Backups.
• Documentations: Licensing.
• Other: Utilities.
The security standards should explicitly identify
all assists critical to the business and the degree of
threat and risks that they must be protected against.
Requirements:
Beside the security companies systems
have many implicit requirements includes
performance, usability and robustness, a good
software development process enforce certain
standard of design strategy, testing configuration.
These standard cumulatively add to robustness a
system becomes more robust with each good
practice employed. Security differs in that it’s
principles are not universally known nor
understood, So there are no handy design standards
guaranteed to improve it.[2]
Proceedings of the Postgraduate Annual Research Seminar 2006 107
2. Implementing of information Security:
Implementing the information security is a
complex process that must involve the whole
organization to ensure success.
• People: if all staff are not involved in
implementing the security policy, it will likely
fail. Education and training are crucial to
successful security implementation.
• Technology: several technology options are
available to help secure network, we can define
some of technologies to help implement part of
security like:
Filter: A router firewall normally
implements a filter asset of rules that tells
the device what to forward and what not
to.
Fire walls: A firewall connects to one or
more network and manages traffic between
them based on set of rules it is like a filter
but more intelligent.
Proxy device: it performs an action on
behalf of a requesting filter contents based
on policy.
Authentication: authorization, and
accounting control access to resource on a
network. Servers typically use features to
control access to server files, printers, and
databases.
Authorization: once the system has
verified you, what you allowed to do,
different users will be authorized to
perform different functions.
Accounting: The practice of tracking users
action on the network.
Intrusion Detection System (IDS): it is
dedicated device connected to a network
or piece of software on server that looks
for suspicious activity.
Encryption: this process alters data so that
it is un intelligible to unauthorized parties.
There are many way to encrypt data.
VPN: a virtual private network allows
communications between two devices over
a public (insecure) infrastructure.
DMZ: the demilitarized zone is part of a
network that allows controlled access from
the internet, it is administrated by private
entity.
Antivirus: it includes both host- based and
server-based protection. In addition to
detecting and limiting the harmful effects
of viruses.
Host/Server Security: the proper, secure
configuration of the operating system itself
can help protect information.
Goals of Information Security
Let’s start by investigating the purpose of
information security. We want to achieve three main
goals by practicing good information security. Other
goals, such as the safety of your children and the
privacy of your personal information, depend upon
these goals:
• Confidentiality: Information is available only to
those who rightfully have access to it.
• Integrity: Information should be modified only by
those who are authorized to do so.
• Availability: Information should be accessible to
those who need it when they need it.[4]
Information Security Strategies
Most homeowners take steps to protect
their homes by installing locks on their doors,
smoke detectors in the hallway, or even a security
system. Obviously, we do these things for several
reasons, but primarily to keep our families and our
possessions safe. It is the same with information
security. An unsecured computer is an invitation to
browse through your and your family’s life. To keep
this from happening and to achieve the above goals,
we use three strategies:
• Prevention: This strategy represents the need to
install the proper software and/or hardware and take
the proper precautions in order to stop an attack
before it occurs.
• Detection: This strategy represents the need to
keep your system up to date on the latest types of
attacks in order to understand when your PC has
been damage or is at a high risk.
• Recovery: This strategy represents the need to
form a plan of action in order to reverse; if possible,
damage done to your computer and/or personal
information after an attack has occurred.[1]
The Culture Of Security
People are becoming more dependent on
information systems, networks and related services,
all of which need to be reliable and secure. Only an
approach that takes due account of the interests of
all people, and the nature of the systems that people
work on them, as appropriate to their roles, should
Proceedings of the Postgraduate Annual Research Seminar 2006 108
3. be aware of the relevant security risks and
preventive measures, assume responsibility and take
steps to enhance the security of information systems
and networks. Promotion of a culture of security
will require both leadership and extensive
participation and should result in a heightened
priority for security planning and management, as
well as an understanding of the need for security
among all participants. Security issues should be
topics of concern and responsibility at all levels of
government and business and for all participants.
This will enable participants to factor security into
the design and use of all information systems and
networks.[3]
Conclusion:
Information security is not a one time
implementation; it is a complex process one that
involves developing a security policy, which then
drives the development of security standards and
procedure. Developing the policy must involve
managerial and technical staff input to make it
feasible and enforceable. Implementing the policy
involves education employees and invoking
technology such as firewalls, IDS, encryption, and
authentication.
Information security mechanisms have failed, to
protect end users from privacy violations and fraud,
because the real driving forces behind security
system design usually have nothing to do with such
altruistic goals. They are much more likely to be the
desire to grab a monopoly, to charge deferent prices
to deferent users for essentially the same service,
and to dump risk. Often this is perfectly rational. In
an ideal world, the removal of perverse economic
incentives to create insecure systems would de-
politicize most issues. Security engineering would
then be a matter of rational risk management rather
than risk dumping. But as information security is
about power and money (about raising barriers to
trade, segmenting markets and differentiating
products) the evaluator should not restrict itself to
technical tools like cryptanalysis and information
flow, but also apply economic tools such as the
analysis of asymmetric information and moral
hazard. As fast as one perverse incentive can be
removed by regulators, businesses (and
governments) are likely to create two more. In other
words, the management of information security is a
much deeper and more political problem than is
usually realized; solutions are likely to be subtle and
partial, while many simplistic technical approaches
are bound to fail. The time has come for engineers,
economists, lawyers and policymakers to try to
forge common approach.
References:
[1] Information Security Fundamentals By Cliff
2002
[2]The Fundamentals of Information Security By
Shari Lawrence 1997
[3] OECD Guidelines for the Security of
Information Systems and Networks 2004
[4] Computer Security hand book By Arthur E Hutt,
S. Bosworth, and D. Hoyt 1995
Proceedings of the Postgraduate Annual Research Seminar 2006 109