security of information systems
1. A PRESENTATION ON SECURITY
OF INFORMATION SYSTEMS
PRESENTED BY:
SUKLA PAUL
IIEST, SHIBPUR
2. WHAT DOES INFORMATION SYSTEMS SECURITY MEAN?
• More commonly referred to as INFOSEC, information security refers to the processes and
methodologies involved in keeping information confidential and available and in assuring its integrity.
• It also refers to:
Access controls, which prevent unauthorized personnel from entering or accessing a system.
Protecting information no matter where that information is, i.e. in transit (such as in an email) or in a
storage area.
The detection and remediation of security breaches, as well as documenting those events.
3. WHAT DOES INFORMATION SYSTEMS SECURITY MEAN? (CONTD.)
• Risk assessments must be performed to determine which information assets carry the greatest risk.
• The term is often used in the context of the U.S. Navy, which defines INFOSEC as:
COMPUSEC + COMSEC + TEMPEST = INFOSEC
where COMPUSEC denotes computer systems security, COMSEC is communications security, and
TEMPEST is protection against compromising emanations (information leaking through unintended
electromagnetic or acoustic signals from equipment).
4. SECURITY OF AN INFORMATION SYSTEM
• Information system security refers to the way the system is defended against unauthorized
access, use, disclosure, disruption, modification, perusal, inspection, recording or
destruction.
• There are two major aspects of information system security:
Security of the information technology used - defending the system against malicious cyber-
attacks that attempt to break in, access critical private information, or gain control of internal
systems.
Security of data - preserving the data (its integrity and its availability) when critical events arise,
such as natural disasters, computer/server malfunction, or physical theft. An off-site backup of the
data is generally kept for such problems.
5. SECURITY OF AN INFORMATION SYSTEM (CONTD.)
• Guaranteeing effective information security has the following key aspects:
Preventing unauthorized individuals or systems from accessing the information.
Maintaining and assuring the accuracy and consistency of data over its entire life-cycle.
Ensuring that the data, transactions, communications or documents are genuine.
Ensuring the integrity of a transaction by validating that both parties involved are genuine, using
authentication features such as "digital signatures".
Ensuring that once a transaction takes place, none of the parties can deny it, either having
received a transaction, or having sent a transaction. This is called 'non-repudiation'.
Safeguarding data and communications stored and shared in network systems.
6. SECURITY REQUIREMENTS
• Needs for information systems security and trust can be formulated in terms of several major
requirements:
Data confidentiality
Data Integrity
System Availability
System Configuration
7. SECURITY REQUIREMENTS (CONTD.)
• Satisfying these security requirements requires a range of security services, including:
Authentication
Authorization
Auditing
Non-repudiation
8. ROLE OF CRYPTOGRAPHY IN INFORMATION SECURITY
• It is important to understand what role the tool of cryptography plays in information system
security, and which aspects of security cryptography does not provide (it cannot, for instance, keep a
system available, or stop an authorized user from misusing data they are allowed to read). Cryptography
provides a number of useful capabilities:
Confidentiality
Authentication
Integrity check
Digital signature
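The authentication, integrity and non-repudiation points of slides 5 to 8 are easiest to see with a keyed hash. The block below is an added example, not code from the presentation: it uses HMAC-SHA256 from Python's standard library to show what a shared-key mechanism does give (integrity and sender authentication) and what it does not (non-repudiation and confidentiality). The shared key and the order messages are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Added example, not from the presentation. A keyed hash (HMAC-SHA256) gives
# integrity and sender authentication, but not non-repudiation: anyone who can
# verify the tag holds the same key and can therefore also forge one.


def make_tag(key: bytes, message: bytes) -> bytes:
    """Authentication tag over the message under a shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> dict:
    # Constructed scenario: a client and a server share `shared_key`
    # (assumed to have been provisioned out of band, never sent over the wire).
    shared_key = secrets.token_bytes(32)
    order = b"transfer 100 to account 42"
    tag = make_tag(shared_key, order)

    results = {}
    # Integrity + authentication: the genuine message under the right key verifies.
    results["genuine"] = verify_tag(shared_key, order, tag)
    # Integrity: changing a single character of the message invalidates the tag.
    results["tampered"] = verify_tag(shared_key, b"transfer 900 to account 42", tag)
    # Authentication: a party without the key cannot produce a valid tag.
    results["wrong_key"] = verify_tag(secrets.token_bytes(32), order, tag)
    # No non-repudiation: the receiver holds the same key, so it can forge an
    # order whose tag verifies; a third party cannot tell which side produced it.
    forged = b"transfer 999 to account 99"
    results["receiver_forgery"] = verify_tag(shared_key, forged, make_tag(shared_key, forged))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>18}: {'verifies' if ok else 'rejected'}")
```

The last result is the caveat: because both parties can compute the tag, a MAC cannot settle a dispute about who sent a message. Non-repudiation needs a digital signature, where only the signer holds the private key and verifiers hold only the public key; the Python standard library has no signature primitive, so that part is left to a library such as `cryptography`.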
9. INFORMATION SYSTEMS AND ETHICS
• Information systems bring about immense social change, threatening the existing distribution of
power, money, rights, and obligations. They also give rise to new kinds of crime, such as cyber-crime.
• Following organizations promote ethical issues:
The Association of Information Technology Professionals (AITP)
The Association of Computing Machinery (ACM)
The Institute of Electrical and Electronics Engineers (IEEE)
Computer Professionals for Social Responsibility (CPSR)
10. THE ACM CODE OF ETHICS AND PROFESSIONAL CONDUCT
• Give comprehensive and thorough evaluations of computer systems and their impacts,
including analysis and possible risks.
• Honor contracts, agreements, and assigned responsibilities.
• Improve public understanding of computing and its consequences.
• Access computing and communication resources only when authorized to do so.
12. THE IEEE CODE OF ETHICS AND PROFESSIONAL CONDUCT
• The IEEE code of ethics requires that every professional commit to the highest ethical and
professional conduct and agree:
To accept responsibility in making decisions consistent with the safety, health and welfare of
the public, and to disclose promptly factors that might endanger the public or the
environment;
To avoid real or perceived conflicts of interest whenever possible, and to disclose them to
affected parties when they do exist;
To be honest and realistic in stating claims or estimates based on available data;
To reject bribery in all its forms;
13. THE IEEE CODE OF ETHICS AND PROFESSIONAL CONDUCT
To improve the understanding of technology, its appropriate application, and potential
consequences;
To maintain and improve our technical competence and to undertake technological tasks for
others only if qualified by training or experience, or after full disclosure of pertinent limitations;
To seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors,
and to credit properly the contributions of others;
To treat fairly all persons regardless of such factors as race, religion, gender, disability, age, or
national origin;
To avoid injuring others, their property, reputation, or employment by false or malicious action;
To assist colleagues and co-workers in their professional development and to support them in
following this code of ethics.
14. APPLICATIONS OF INFORMATION SECURITY SYSTEMS
• Antivirus Software: Antivirus or anti-virus software (often abbreviated as AV), sometimes known
as anti-malware software, is computer software used to prevent, detect and remove malicious
software.
• Antivirus software was originally developed to detect and remove computer viruses. However, with the
proliferation of other kinds of malware, antivirus software started to provide protection from other
computer threats.
• In particular, modern antivirus software can protect from: malicious browser helper
objects (BHOs), browser hijackers, ransomware, keyloggers, backdoors, rootkits, trojan
horses, worms, dialers, fraud tools, adware and spyware. Some products also include protection from
other computer threats, such as infected and malicious URLs, spam, scam and phishing attacks, online
identity (privacy), online banking attacks, social engineering techniques, advanced persistent
threat (APT) and botnet DDoS attacks.
15. APPLICATIONS OF INFORMATION SECURITY SYSTEMS (CONTD.)
• Firewall : A firewall is a network security system that monitors and controls the incoming and outgoing
network traffic based on predetermined security rules.
• A firewall typically establishes a barrier between a trusted, secure internal network and another outside
network, such as the Internet, that is assumed not to be secure or trusted.
• They are often categorized as either network firewalls or host-based firewalls.
• Network firewalls filter traffic between two or more networks; they are either software
appliances running on general-purpose hardware, or hardware-based firewall appliances.
• Host-based firewalls provide a layer of software on one host that controls network traffic in and out of
that single machine. Firewall appliances may also offer other functionality to the internal network they
protect, such as acting as a DHCP or VPN server for that network.
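What "controls traffic based on predetermined security rules" means in practice is an ordered rule list evaluated first-match-first, with an implicit deny when nothing matches, plus connection tracking so that replies to connections the inside opened are not dropped by the inbound deny rule. The block below is an added example, not code from the presentation or from any firewall product: a small stateful packet filter in Python. The internal address range, the rule set and the packets are constructed for the demonstration, and `shadowed_rules` is an added check for rules that can never fire because an earlier rule already covers them, the usual symptom of a mis-ordered policy.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Added example, not from the presentation: a minimal stateful packet filter that
# applies an ordered rule list (first match wins) with an implicit final deny.
# Addresses and the rule set below are constructed for illustration.


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arriving from the outside, "out" = leaving the inside
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"  # CIDR; the default matches every source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` would match is already matched by this rule."""
        return (self.direction in ("any", other.direction)
                and self.proto in ("any", other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and (self.dport is None or self.dport == other.dport))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them;
    a non-empty result usually means the rule order is wrong."""
    return [j for j in range(len(rules)) if any(rules[i].covers(rules[j]) for i in range(j))]


Flow = Tuple[str, str, Optional[int], str, Optional[int]]   # proto, src, sport, dst, dport


class StatefulFilter:
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default
        self.flows: Set[Flow] = set()   # flows an allow rule has already admitted

    def process(self, p: Packet) -> str:
        # A reply to an admitted flow passes without consulting the rules; without
        # this, the inbound deny rule would drop the answers to our own connections.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow":
                    self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r.action
        return self.default   # nothing matched: deny by default


INTERNAL = "10.0.0.0/8"     # assumed internal address space
RULES = [
    Rule("allow", "in", "tcp", dst="10.0.1.10/32", dport=443),              # public web server
    Rule("deny", "in", dst=INTERNAL),                                       # every other inbound request
    Rule("allow", "out", "tcp", src=INTERNAL, dport=443),                   # outbound HTTPS
    Rule("allow", "out", "udp", src=INTERNAL, dst="9.9.9.9/32", dport=53),  # one assumed external resolver
]

if __name__ == "__main__":
    fw = StatefulFilter(RULES)
    print(fw.process(Packet("in", "tcp", "203.0.113.5", 40000, "10.0.1.10", 443)))   # allow
    print(fw.process(Packet("in", "tcp", "203.0.113.5", 40001, "10.0.1.10", 22)))    # deny
    print(fw.process(Packet("out", "tcp", "10.0.5.7", 51000, "198.51.100.8", 443)))  # allow
    print(fw.process(Packet("in", "tcp", "198.51.100.8", 443, "10.0.5.7", 51000)))   # allow (reply)
    print(shadowed_rules([RULES[1], RULES[0]]))                                      # [1]
```

Two things to check in any real rule set follow directly from the model: a packet that matches no rule must fall to a deny (a default of "allow" turns the firewall into a logging device), and swapping the first two rules silently disables the web server because the broad deny now shadows the narrow allow.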
16. APPLICATIONS OF INFORMATION SECURITY SYSTEMS (CONTD.)
• Mobile Secure Gateway : Mobile secure gateway or MSG is an industry term for the software or
hardware appliance that provides secure communication between a mobile application and its respective
backend resources, typically within a corporate network. It addresses challenges in the field of mobile
security.
• MSG is typically composed of two components - a client library and a gateway.
• The client is a library that is linked with the mobile application. It establishes secure connectivity to
the gateway using a cryptographic protocol, typically TLS (the successor of SSL). This represents a secured
channel used for communication between the mobile application and the backend hosts.
• The gateway separates the internal IT infrastructure from the Internet, allowing only authorized client
requests to reach a specific set of hosts inside the restricted network.
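The channel between the client library and the gateway is only as secure as the client's verification of the gateway's certificate: TLS with verification switched off still encrypts, but to whoever answers on the path. The block below is an added example, not code from the presentation or from any MSG product, showing the weak client configuration beside the corrected one using Python's `ssl` module, plus a small audit of the settings. The gateway hostname `msg.example.com`, the CA file and the client certificate paths are assumptions for illustration.

```python
import socket
import ssl

# Added example, not from the presentation: the client side of an MSG-style
# channel. The gateway name and certificate paths are assumptions for illustration.

GATEWAY_HOST = "msg.example.com"   # assumed gateway name; its certificate must carry this name
GATEWAY_PORT = 443


def insecure_context() -> ssl.SSLContext:
    """The weak setting: TLS is negotiated, but the gateway's identity is never
    checked, so any on-path host that presents some certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def gateway_context(ca_file: str = None, client_cert: str = None, client_key: str = None) -> ssl.SSLContext:
    """Corrected setting: when ca_file is given, trust only the corporate CA that
    issued the gateway's certificate (otherwise the system trust store), check the
    name, require TLS 1.2 or newer, and optionally present a client certificate so
    the gateway can in turn authenticate the application."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the settings that would let an attacker sit between app and gateway."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 accepted")
    return findings


def connect_to_gateway(ctx: ssl.SSLContext, host: str = GATEWAY_HOST, port: int = GATEWAY_PORT) -> ssl.SSLSocket:
    """Open the secured channel; server_hostname drives SNI and the name check.
    (Not exercised here: it needs a reachable gateway.)"""
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("weak    :", audit_context(insecure_context()))
    print("hardened:", audit_context(gateway_context()))
```

Passing the corporate CA file rather than relying on the device's system trust store is what keeps a certificate from any other public CA from being accepted for the gateway; the client certificate is how the gateway enforces "only authorized client requests" at the transport layer before any application request is parsed.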