

Fundamentals of Information Security

¹Salahedin Ali Namroush ²Shauki Abdusalam Fatshul

Center Of Advanced Software Engineering (CASE) City Campus

University Technology Malaysia [email protected] [email protected]

Prof. Dr. Abdul Hanan Bin Abdullah, Dr. Norafida Bte Ithnin

Abstract:

The basic reasons we care about information systems security are that some of our information needs to be protected against unauthorized disclosure for legal and competitive reasons; all of the information we store and refer to must be protected against accidental or deliberate modification and must be available in a timely fashion. We must also establish and maintain the authenticity of documents we create, send and receive. As recent events have shown, information security is an essential part of any organization’s infrastructure, as organizations rely on ever greater interconnectivity and on networks to fulfil their needs. This paper defines information security and security policy, addresses the general goals of information security, provides an outline of implementation, and describes the tools available to implement it.

Introduction:

Information security refers to the protection of data, programs and information stored in any storage media or on networks, and includes the issues of privacy. It is a process that adds value to an organization; part of this process is developing and implementing a security policy.[1]

Security Policy:

The first step in implementing information security is not based on technology. It involves developing a security policy: a short document that explains why you want to implement security.

Security standards:

The security standards document accompanies the security policy and describes what must be secured to comply with the policy. It identifies the organization’s assets, the risk to the organization if those assets are not protected, and the threats that must be protected against. An asset is anything an organization requires to perform business operations, for example:

• People: Expertise, corporate memory.

• Hardware: CPU, Drivers, UPS, Keyboards.

• Software: OS, Applications, Source code, Diagnostic software.

• Data: Database, Customer data, Backups.

• Documentation: Licensing.

• Other: Utilities.

The security standards should explicitly identify all assets critical to the business and the degree of threat and risk that they must be protected against.

Requirements:
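The standards document described above is essentially an asset register with a threat and a risk attached to each asset. The following script is an added example, not part of the paper, of how such a register can be modelled so that the "degree of threat and risk" is computed rather than guessed: each threat gets a likelihood and an impact on an assumed 1..5 scale, an asset's risk is its worst threat, and the result is ranked to decide which assets need the most protection. The asset names, threats and scores are constructed for illustration.

```python
"""Added example (not from the paper): a minimal asset/risk register.

Models the content of a security standards document as data: assets in
the paper's categories, the threats against each, and a likelihood x
impact score that ranks them.  Scales, asset names and threats are
constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int       # 1 (negligible) .. 5 (severe), assumed scale

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Asset:
    name: str
    category: str             # people, hardware, software, data, documentation, other
    threats: list = field(default_factory=list)

    def risk(self) -> int:
        """An asset's risk is driven by its worst threat."""
        return max((t.score() for t in self.threats), default=0)


def validate(asset: Asset) -> None:
    """Reject scores outside the assumed 1..5 scale so bad input cannot hide."""
    for t in asset.threats:
        if not (1 <= t.likelihood <= 5 and 1 <= t.impact <= 5):
            raise ValueError(f"{asset.name}/{t.name}: scores must be 1..5")


def protection_level(score: int) -> str:
    """Map a risk score (1..25) to the degree of protection the standard requires."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank_assets(assets: list) -> list:
    """Return (asset name, risk score, protection level), highest risk first."""
    for a in assets:
        validate(a)
    ranked = sorted(assets, key=lambda a: (-a.risk(), a.name))
    return [(a.name, a.risk(), protection_level(a.risk())) for a in ranked]


# Constructed sample register (illustrative values only)
SAMPLE_REGISTER = [
    Asset("customer database", "data", [
        Threat("unauthorized disclosure", likelihood=3, impact=5),
        Threat("ransomware / loss of availability", likelihood=2, impact=5),
    ]),
    Asset("source code", "software", [
        Threat("theft by insider", likelihood=2, impact=4),
    ]),
    Asset("UPS", "hardware", [
        Threat("power failure outlasts battery", likelihood=3, impact=2),
    ]),
    Asset("software licences", "documentation", [
        Threat("loss of licence records", likelihood=1, impact=2),
    ]),
]

if __name__ == "__main__":
    for name, score, level in rank_assets(SAMPLE_REGISTER):
        print(f"{name:22s} risk={score:2d} protection={level}")
```

The thresholds in `protection_level` are the part an organization would tune; the point of the exercise is that the standard then states, per asset, a protection level that can be traced back to an explicit threat rather than to intuition.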

Besides security, companies’ systems have many implicit requirements, including performance, usability and robustness. A good software development process enforces certain standards of design strategy, testing and configuration. These standards cumulatively add to robustness: a system becomes more robust with each good practice employed. Security differs in that its principles are not universally known nor understood, so there are no handy design standards guaranteed to improve it.[2]

Proceedings of the Postgraduate Annual Research Seminar 2006 107


Implementing Information Security:

Implementing information security is a complex process that must involve the whole organization to ensure success.

• People: if all staff are not involved in implementing the security policy, it will likely fail. Education and training are crucial to successful security implementation.

• Technology: several technology options are available to help secure a network. Some of the technologies that help implement part of the security policy are:

Filter: A router or firewall normally implements a filter: a set of rules that tells the device what to forward and what not to.

Firewalls: A firewall connects to one or more networks and manages traffic between them based on a set of rules; it is like a filter but more intelligent.

Proxy device: it performs an action on behalf of a requester and filters content based on policy.

Authentication: together with authorization and accounting, authentication controls access to resources on a network. Servers typically use these features to control access to server files, printers and databases.

Authorization: once the system has verified who you are, authorization determines what you are allowed to do; different users will be authorized to perform different functions.

Accounting: The practice of tracking users’ actions on the network.

Intrusion Detection System (IDS): a dedicated device connected to a network, or a piece of software on a server, that looks for suspicious activity.

Encryption: this process alters data so that it is unintelligible to unauthorized parties. There are many ways to encrypt data.

VPN: a virtual private network allows communication between two devices over a public (insecure) infrastructure.

DMZ: the demilitarized zone is the part of a network that allows controlled access from the Internet; it is administered by a private entity.

Antivirus: includes both host-based and server-based protection, in addition to detecting and limiting the harmful effects of viruses.

Host/Server Security: the proper, secure configuration of the operating system itself can help protect information.
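The authentication, authorization and accounting entries above describe three separate decisions that a server makes on every request. The script below is an added example, not code from the paper, that wires the three together for a small file server using only the Python standard library: authentication verifies a password against a salted PBKDF2 hash with a constant-time comparison, authorization checks the user's role against a permission table, and accounting appends every decision (allowed or denied, and why) to an audit trail. The users, passwords, roles, resources and the PBKDF2 work factor are constructed assumptions.

```python
"""Added example (not from the paper): authentication, authorization and
accounting (AAA) for a small file server, standard library only.

- authentication: verify a password against a salted PBKDF2-HMAC hash
- authorization: check the user's role against a permission table
- accounting:    append a record of every access decision to an audit trail
Users, passwords, roles and resources are constructed for illustration.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumed work factor; raise in production


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, hash). A random per-user salt defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def _make_user(password: str, role: str) -> tuple:
    salt, digest = hash_password(password)
    return (salt, digest, role)


# Constructed user store: username -> (salt, hash, role); only hashes are kept
USERS = {
    "alice": _make_user("correct horse battery staple", "admin"),
    "bob":   _make_user("bob-password-1", "staff"),
}

# Authorization table: role -> set of (resource, action) the role may perform
PERMISSIONS = {
    "admin": {("payroll.db", "read"), ("payroll.db", "write"), ("printer", "print")},
    "staff": {("printer", "print")},
}

AUDIT_LOG = []  # accounting: one record per decision, denials included


def _account(user: str, resource: str, action: str, outcome: str) -> None:
    AUDIT_LOG.append({"ts": time.time(), "user": user, "resource": resource,
                      "action": action, "outcome": outcome})


def authenticate(user: str, password: str) -> bool:
    """Verify the password; constant-time compare so timing reveals nothing."""
    record = USERS.get(user)
    if record is None:
        # Hash anyway so unknown and known usernames take the same time.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored, _ = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


def authorize(user: str, resource: str, action: str) -> bool:
    """Decide what an already-authenticated user may do, by role."""
    role = USERS[user][2]
    return (resource, action) in PERMISSIONS.get(role, set())


def access(user: str, password: str, resource: str, action: str) -> str:
    """Full AAA flow: returns 'allowed', 'denied:auth' or 'denied:authz' and records it."""
    if not authenticate(user, password):
        _account(user, resource, action, "denied:auth")
        return "denied:auth"
    if not authorize(user, resource, action):
        _account(user, resource, action, "denied:authz")
        return "denied:authz"
    _account(user, resource, action, "allowed")
    return "allowed"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "payroll.db", "write"))
    print(access("bob", "bob-password-1", "payroll.db", "read"))
    print(access("bob", "wrong", "printer", "print"))
    for rec in AUDIT_LOG:
        print(rec)
```

Note that the audit trail records denials as well as successes: the accounting step is what later lets an IDS or an administrator notice a pattern of failed attempts, so a design that only logs successful access has lost most of its detection value.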

Goals of Information Security

Let’s start by investigating the purpose of information security. We want to achieve three main goals by practicing good information security. Other goals, such as the safety of your children and the privacy of your personal information, depend upon these goals:

• Confidentiality: Information is available only to those who rightfully have access to it.

• Integrity: Information should be modified only by those who are authorized to do so.

• Availability: Information should be accessible to those who need it when they need it.[4]

Information Security Strategies

Most homeowners take steps to protect their homes by installing locks on their doors, smoke detectors in the hallway, or even a security system. Obviously, we do these things for several reasons, but primarily to keep our families and our possessions safe. It is the same with information security. An unsecured computer is an invitation to browse through your and your family’s life. To keep this from happening and to achieve the above goals, we use three strategies:

• Prevention: This strategy represents the need to install the proper software and/or hardware and take the proper precautions in order to stop an attack before it occurs.

• Detection: This strategy represents the need to keep your system up to date on the latest types of attacks in order to understand when your PC has been damaged or is at a high risk.

• Recovery: This strategy represents the need to form a plan of action in order to reverse, if possible, damage done to your computer and/or personal information after an attack has occurred.[1]

The Culture Of Security

People are becoming more dependent on information systems, networks and related services, all of which need to be reliable and secure. Any approach must take due account of the interests of all participants and of the nature of the systems they work on. Participants, as appropriate to their roles, should be aware of the relevant security risks and preventive measures, assume responsibility and take steps to enhance the security of information systems and networks. Promotion of a culture of security will require both leadership and extensive participation and should result in a heightened priority for security planning and management, as well as an understanding of the need for security among all participants. Security issues should be topics of concern and responsibility at all levels of government and business and for all participants. This will enable participants to factor security into the design and use of all information systems and networks.[3]

Conclusion:

Information security is not a one-time implementation; it is a complex process, one that involves developing a security policy, which then drives the development of security standards and procedures. Developing the policy must involve managerial and technical staff input to make it feasible and enforceable. Implementing the policy involves educating employees and invoking technology such as firewalls, IDS, encryption, and authentication.

Information security mechanisms have failed to protect end users from privacy violations and fraud, because the real driving forces behind security system design usually have nothing to do with such altruistic goals. They are much more likely to be the desire to grab a monopoly, to charge different prices to different users for essentially the same service, and to dump risk. Often this is perfectly rational. In an ideal world, the removal of perverse economic incentives to create insecure systems would de-politicize most issues. Security engineering would then be a matter of rational risk management rather than risk dumping. But as information security is about power and money (about raising barriers to trade, segmenting markets and differentiating products), the evaluator should not restrict themselves to technical tools like cryptanalysis and information flow, but should also apply economic tools such as the analysis of asymmetric information and moral hazard. As fast as one perverse incentive can be removed by regulators, businesses (and governments) are likely to create two more. In other words, the management of information security is a much deeper and more political problem than is usually realized; solutions are likely to be subtle and partial, while many simplistic technical approaches are bound to fail. The time has come for engineers, economists, lawyers and policymakers to try to forge a common approach.

References:

[1] Cliff. Information Security Fundamentals. 2002.

[2] Shari Lawrence. The Fundamentals of Information Security. 1997.

[3] OECD. Guidelines for the Security of Information Systems and Networks. 2004.

[4] Arthur E. Hutt, S. Bosworth, and D. Hoyt. Computer Security Handbook. 1995.
