Download to read offline
![Fundamentals of Information Security
¹Salahedin Ali Namroush ²Shauki Abdusalam Fatshul
Center Of Advanced Software Engineering (CASE)
City Campus
University Technology Malaysia
s.alnamroush@gmail.com s.fashtul@gmail.com
Prof .Dr. Abdul Hanan Bin Abdullah Dr. Norafida Bte Ithnin
Abstract:
The basic reasons we care about information systems security are that some of our information needs to
be protected against unauthorized disclosure for legal and competitive reasons; all of the information we store and
refer to must be protected against accidental or deliberate modification and must be available in a timely fashion.
We must also establish and maintain the authenticity of documents we create, send and receive. As recent events
have shown, information security is an essential part of any organization’s infrastructure and increasing
interconnectivity, and networks to fulfill the organizations’ needs. This paper defines information security, policy,
addresses the general goal of information security, provides an outline of implementation, and describes the tools
available to implement information security.
Introduction:
Information security refers to protection of
data, programs and information stored in any
storage media or networks and includes with itself
the issues of privacy. It is the progress that adds
value to an organization part of this process includes
developing and implementing a security policy.[1]
Security Policy:
The first step to implementing the
information security is not based on technology. It
involves developing a security policy a short
document that explain why you want to implement
security.
Security standards:
The security standard document accompanies
the security policy and describes what must be
secured to comply with the policy, it will identify
an organization assets, the risk to the organization if
those assets are not protected, and the threats that
must be protected against. An asset is anything an
organization requires to perform business operation
like:
• People: Expertise, corporate memory.
• Hardware: CPU, Drivers, UPS, Keyboards.
• Software: Os, Applications, Source code,
Diagnostic software.
• Data: Database, Customer data, Backups.
• Documentations: Licensing.
• Other: Utilities.
The security standards should explicitly identify
all assists critical to the business and the degree of
threat and risks that they must be protected against.
Requirements:
Beside the security companies systems
have many implicit requirements includes
performance, usability and robustness, a good
software development process enforce certain
standard of design strategy, testing configuration.
These standard cumulatively add to robustness a
system becomes more robust with each good
practice employed. Security differs in that it’s
principles are not universally known nor
understood, So there are no handy design standards
guaranteed to improve it.[2]
Proceedings of the Postgraduate Annual Research Seminar 2006 107](https://image.slidesharecdn.com/fundamentals-of-information-security-150807152915-lva1-app6891/75/Fundamentals-of-information-security-1-2048.jpg)
![Implementing of information Security:
Implementing the information security is a
complex process that must involve the whole
organization to ensure success.
• People: if all staff are not involved in
implementing the security policy, it will likely
fail. Education and training are crucial to
successful security implementation.
• Technology: several technology options are
available to help secure network, we can define
some of technologies to help implement part of
security like:
Filter: A router firewall normally
implements a filter asset of rules that tells
the device what to forward and what not
to.
Fire walls: A firewall connects to one or
more network and manages traffic between
them based on set of rules it is like a filter
but more intelligent.
Proxy device: it performs an action on
behalf of a requesting filter contents based
on policy.
Authentication: authorization, and
accounting control access to resource on a
network. Servers typically use features to
control access to server files, printers, and
databases.
Authorization: once the system has
verified you, what you allowed to do,
different users will be authorized to
perform different functions.
Accounting: The practice of tracking users
action on the network.
Intrusion Detection System (IDS): it is
dedicated device connected to a network
or piece of software on server that looks
for suspicious activity.
Encryption: this process alters data so that
it is un intelligible to unauthorized parties.
There are many way to encrypt data.
VPN: a virtual private network allows
communications between two devices over
a public (insecure) infrastructure.
DMZ: the demilitarized zone is part of a
network that allows controlled access from
the internet, it is administrated by private
entity.
Antivirus: it includes both host- based and
server-based protection. In addition to
detecting and limiting the harmful effects
of viruses.
Host/Server Security: the proper, secure
configuration of the operating system itself
can help protect information.
Goals of Information Security
Let’s start by investigating the purpose of
information security. We want to achieve three main
goals by practicing good information security. Other
goals, such as the safety of your children and the
privacy of your personal information, depend upon
these goals:
• Confidentiality: Information is available only to
those who rightfully have access to it.
• Integrity: Information should be modified only by
those who are authorized to do so.
• Availability: Information should be accessible to
those who need it when they need it.[4]
Information Security Strategies
Most homeowners take steps to protect
their homes by installing locks on their doors,
smoke detectors in the hallway, or even a security
system. Obviously, we do these things for several
reasons, but primarily to keep our families and our
possessions safe. It is the same with information
security. An unsecured computer is an invitation to
browse through your and your family’s life. To keep
this from happening and to achieve the above goals,
we use three strategies:
• Prevention: This strategy represents the need to
install the proper software and/or hardware and take
the proper precautions in order to stop an attack
before it occurs.
• Detection: This strategy represents the need to
keep your system up to date on the latest types of
attacks in order to understand when your PC has
been damage or is at a high risk.
• Recovery: This strategy represents the need to
form a plan of action in order to reverse; if possible,
damage done to your computer and/or personal
information after an attack has occurred.[1]
The Culture Of Security
People are becoming more dependent on
information systems, networks and related services,
all of which need to be reliable and secure. Only an
approach that takes due account of the interests of
all people, and the nature of the systems that people
work on them, as appropriate to their roles, should
Proceedings of the Postgraduate Annual Research Seminar 2006 108](https://image.slidesharecdn.com/fundamentals-of-information-security-150807152915-lva1-app6891/75/Fundamentals-of-information-security-2-2048.jpg)
![be aware of the relevant security risks and
preventive measures, assume responsibility and take
steps to enhance the security of information systems
and networks. Promotion of a culture of security
will require both leadership and extensive
participation and should result in a heightened
priority for security planning and management, as
well as an understanding of the need for security
among all participants. Security issues should be
topics of concern and responsibility at all levels of
government and business and for all participants.
This will enable participants to factor security into
the design and use of all information systems and
networks.[3]
Conclusion:
Information security is not a one time
implementation; it is a complex process one that
involves developing a security policy, which then
drives the development of security standards and
procedure. Developing the policy must involve
managerial and technical staff input to make it
feasible and enforceable. Implementing the policy
involves education employees and invoking
technology such as firewalls, IDS, encryption, and
authentication.
Information security mechanisms have failed, to
protect end users from privacy violations and fraud,
because the real driving forces behind security
system design usually have nothing to do with such
altruistic goals. They are much more likely to be the
desire to grab a monopoly, to charge deferent prices
to deferent users for essentially the same service,
and to dump risk. Often this is perfectly rational. In
an ideal world, the removal of perverse economic
incentives to create insecure systems would de-
politicize most issues. Security engineering would
then be a matter of rational risk management rather
than risk dumping. But as information security is
about power and money (about raising barriers to
trade, segmenting markets and differentiating
products) the evaluator should not restrict itself to
technical tools like cryptanalysis and information
flow, but also apply economic tools such as the
analysis of asymmetric information and moral
hazard. As fast as one perverse incentive can be
removed by regulators, businesses (and
governments) are likely to create two more. In other
words, the management of information security is a
much deeper and more political problem than is
usually realized; solutions are likely to be subtle and
partial, while many simplistic technical approaches
are bound to fail. The time has come for engineers,
economists, lawyers and policymakers to try to
forge common approach.
References:
[1] Information Security Fundamentals By Cliff
2002
[2]The Fundamentals of Information Security By
Shari Lawrence 1997
[3] OECD Guidelines for the Security of
Information Systems and Networks 2004
[4] Computer Security hand book By Arthur E Hutt,
S. Bosworth, and D. Hoyt 1995
Proceedings of the Postgraduate Annual Research Seminar 2006 109](https://image.slidesharecdn.com/fundamentals-of-information-security-150807152915-lva1-app6891/75/Fundamentals-of-information-security-3-2048.jpg)
More Related Content
Similar to Fundamentals of-information-security
Fundamentals of-information-security
- 1. Fundamentals of InformationSecurity ¹Salahedin Ali Namroush ²Shauki Abdusalam Fatshul Center Of Advanced Software Engineering (CASE) City Campus University Technology Malaysia s.alnamroush@gmail.com s.fashtul@gmail.com Prof .Dr. Abdul Hanan Bin Abdullah Dr. Norafida Bte Ithnin Abstract: The basic reasons we care about information systems security are that some of our information needs to be protected against unauthorized disclosure for legal and competitive reasons; all of the information we store and refer to must be protected against accidental or deliberate modification and must be available in a timely fashion. We must also establish and maintain the authenticity of documents we create, send and receive. As recent events have shown, information security is an essential part of any organization’s infrastructure and increasing interconnectivity, and networks to fulfill the organizations’ needs. This paper defines information security, policy, addresses the general goal of information security, provides an outline of implementation, and describes the tools available to implement information security. Introduction: Information security refers to protection of data, programs and information stored in any storage media or networks and includes with itself the issues of privacy. It is the progress that adds value to an organization part of this process includes developing and implementing a security policy.[1] Security Policy: The first step to implementing the information security is not based on technology. It involves developing a security policy a short document that explain why you want to implement security. Security standards: The security standard document accompanies the security policy and describes what must be secured to comply with the policy, it will identify an organization assets, the risk to the organization if those assets are not protected, and the threats that must be protected against. An asset is anything an organization requires to perform business operation like: • People: Expertise, corporate memory. • Hardware: CPU, Drivers, UPS, Keyboards. • Software: Os, Applications, Source code, Diagnostic software. • Data: Database, Customer data, Backups. • Documentations: Licensing. • Other: Utilities. The security standards should explicitly identify all assists critical to the business and the degree of threat and risks that they must be protected against. Requirements: Beside the security companies systems have many implicit requirements includes performance, usability and robustness, a good software development process enforce certain standard of design strategy, testing configuration. These standard cumulatively add to robustness a system becomes more robust with each good practice employed. Security differs in that it’s principles are not universally known nor understood, So there are no handy design standards guaranteed to improve it.[2] Proceedings of the Postgraduate Annual Research Seminar 2006 107
- 2. Implementing of informationSecurity: Implementing the information security is a complex process that must involve the whole organization to ensure success. • People: if all staff are not involved in implementing the security policy, it will likely fail. Education and training are crucial to successful security implementation. • Technology: several technology options are available to help secure network, we can define some of technologies to help implement part of security like: Filter: A router firewall normally implements a filter asset of rules that tells the device what to forward and what not to. Fire walls: A firewall connects to one or more network and manages traffic between them based on set of rules it is like a filter but more intelligent. Proxy device: it performs an action on behalf of a requesting filter contents based on policy. Authentication: authorization, and accounting control access to resource on a network. Servers typically use features to control access to server files, printers, and databases. Authorization: once the system has verified you, what you allowed to do, different users will be authorized to perform different functions. Accounting: The practice of tracking users action on the network. Intrusion Detection System (IDS): it is dedicated device connected to a network or piece of software on server that looks for suspicious activity. Encryption: this process alters data so that it is un intelligible to unauthorized parties. There are many way to encrypt data. VPN: a virtual private network allows communications between two devices over a public (insecure) infrastructure. DMZ: the demilitarized zone is part of a network that allows controlled access from the internet, it is administrated by private entity. Antivirus: it includes both host- based and server-based protection. In addition to detecting and limiting the harmful effects of viruses. Host/Server Security: the proper, secure configuration of the operating system itself can help protect information. Goals of Information Security Let’s start by investigating the purpose of information security. We want to achieve three main goals by practicing good information security. Other goals, such as the safety of your children and the privacy of your personal information, depend upon these goals: • Confidentiality: Information is available only to those who rightfully have access to it. • Integrity: Information should be modified only by those who are authorized to do so. • Availability: Information should be accessible to those who need it when they need it.[4] Information Security Strategies Most homeowners take steps to protect their homes by installing locks on their doors, smoke detectors in the hallway, or even a security system. Obviously, we do these things for several reasons, but primarily to keep our families and our possessions safe. It is the same with information security. An unsecured computer is an invitation to browse through your and your family’s life. To keep this from happening and to achieve the above goals, we use three strategies: • Prevention: This strategy represents the need to install the proper software and/or hardware and take the proper precautions in order to stop an attack before it occurs. • Detection: This strategy represents the need to keep your system up to date on the latest types of attacks in order to understand when your PC has been damage or is at a high risk. • Recovery: This strategy represents the need to form a plan of action in order to reverse; if possible, damage done to your computer and/or personal information after an attack has occurred.[1] The Culture Of Security People are becoming more dependent on information systems, networks and related services, all of which need to be reliable and secure. Only an approach that takes due account of the interests of all people, and the nature of the systems that people work on them, as appropriate to their roles, should Proceedings of the Postgraduate Annual Research Seminar 2006 108
- 3. be aware ofthe relevant security risks and preventive measures, assume responsibility and take steps to enhance the security of information systems and networks. Promotion of a culture of security will require both leadership and extensive participation and should result in a heightened priority for security planning and management, as well as an understanding of the need for security among all participants. Security issues should be topics of concern and responsibility at all levels of government and business and for all participants. This will enable participants to factor security into the design and use of all information systems and networks.[3] Conclusion: Information security is not a one time implementation; it is a complex process one that involves developing a security policy, which then drives the development of security standards and procedure. Developing the policy must involve managerial and technical staff input to make it feasible and enforceable. Implementing the policy involves education employees and invoking technology such as firewalls, IDS, encryption, and authentication. Information security mechanisms have failed, to protect end users from privacy violations and fraud, because the real driving forces behind security system design usually have nothing to do with such altruistic goals. They are much more likely to be the desire to grab a monopoly, to charge deferent prices to deferent users for essentially the same service, and to dump risk. Often this is perfectly rational. In an ideal world, the removal of perverse economic incentives to create insecure systems would de- politicize most issues. Security engineering would then be a matter of rational risk management rather than risk dumping. But as information security is about power and money (about raising barriers to trade, segmenting markets and differentiating products) the evaluator should not restrict itself to technical tools like cryptanalysis and information flow, but also apply economic tools such as the analysis of asymmetric information and moral hazard. As fast as one perverse incentive can be removed by regulators, businesses (and governments) are likely to create two more. In other words, the management of information security is a much deeper and more political problem than is usually realized; solutions are likely to be subtle and partial, while many simplistic technical approaches are bound to fail. The time has come for engineers, economists, lawyers and policymakers to try to forge common approach. References: [1] Information Security Fundamentals By Cliff 2002 [2]The Fundamentals of Information Security By Shari Lawrence 1997 [3] OECD Guidelines for the Security of Information Systems and Networks 2004 [4] Computer Security hand book By Arthur E Hutt, S. Bosworth, and D. Hoyt 1995 Proceedings of the Postgraduate Annual Research Seminar 2006 109