information security: threats and solutions

Post on 23-Jan-2018

Page 1: INFORMATION SECURITY: THREATS AND SOLUTIONS

INFORMATION SECURITY: THREATS AND SOLUTIONS

AIM:

The aim of this paper is to focus on the security of the information.

ABSTRACT:

Information security has become very important in most organizations. There are many different threats that can steal data. This paper describes the threats to information security in detail, along with the solutions that prevent them. It also gives brief information about information security itself.

KEYWORDS: Privacy, vulnerability, ransomware, spyware, computer program, cyber attack.

1. INTRODUCTION:

Information Security (Info Sec) is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. The chief area of concern for the field of information security is the balanced protection of the Confidentiality, Integrity and Availability of data, also known as the CIA triad. Threats to sensitive and private information come in many different forms, such as malware, phishing attacks, eavesdropping, Trojans, viruses and worms, DoS, vulnerabilities, computer crime, key loggers etc. Information Security handles risk management. Sensitive information must be kept safe: it must not be altered, changed or transferred without permission.

Governments, military, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a business's customers, finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement. For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures.

The field of information security has grown and evolved significantly in recent years. As a career choice there are many ways of gaining entry into the field. It offers many areas for specialization, including Information Systems Auditing, Business Continuity Planning and Digital Forensics Science etc.

2. STUDY:

2.1 The threats in information security are as follows:

2.1.1 Eavesdropping: It is secretly listening to the private conversations of others without their consent.

2.1.2 Malware: It is the term used to refer to a variety of forms of intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware and other malicious programs. It can take the form of executable code, scripts, active content and other software.

Figure 1: Malware Categories

2.1.3 Trojans: A Trojan horse, or Trojan, is any malicious computer program which misleads users about its true intent.

2.1.4 Viruses: A computer virus is a type of malicious software program that, when executed, replicates itself by modifying other computer programs and inserting its own code. It corrupts or modifies files on the targeted computer.

Figure 2: The Mac Mag virus 'Universal Peace', as displayed on a Mac in March 1988

2.1.5 Worms: A worm is a standalone malware computer program that replicates itself in order to spread to other computers. It causes some harm to the network, even if only by consuming bandwidth.

2.1.6 Denial of Service (DoS): It is a cyber-attack that is accomplished by flooding the targeted machine with requests in an attempt to overload systems.

2.1.6.1 Distributed DoS: It is an attack where the incoming traffic floods the victim’s computer.

Figure 3: DDoS Stacheldraht attack diagram.

2.1.7 Vulnerability: It is a weakness which allows an attacker to reduce a system’s information assurance.

2.1.8 Computer Crime: It is defined as offences that are committed against individuals with a criminal motive to harm the reputation of the victim or cause mental harm or loss. It is also called cyber crime.

2.1.9 Key Logging: It is the action of recording the keys struck on a keyboard in such a way that the person using the keyboard is unaware that his actions are being monitored. A key logger can be either software or hardware. Key logging is also known as keystroke logging or keyboard capturing.

2.1.10 Phishing: It is a threat that acquires sensitive information such as usernames, passwords etc. It takes place through email spoofing or instant messaging.

Figure 4: Phishing Attack
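An added example (not part of the original paper) of how the email spoofing mentioned in 2.1.10 can be spotted from message headers. The sample message, every address, domain and IP in it, and the helper names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; all addresses, domains and IPs are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [198.51.100.23])
 by mx.victim.example; Mon, 01 Jan 2018 10:00:00 +0000
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Example Bank Support" <support@examplebank.example>
Reply-To: verify@examp1ebank-secure.example
Subject: Urgent: confirm your account

Please confirm your details.
"""

def _domain(value):
    """Return the lower-cased domain of the address in a header value."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower()

def phishing_indicators(raw):
    """List header inconsistencies that commonly accompany spoofed mail."""
    msg = message_from_string(raw)
    from_dom = _domain(msg["From"])
    findings = []
    # The visible From address is easy to forge; compare it with the
    # envelope sender and with where replies would actually go.
    for header in ("Return-Path", "Reply-To"):
        dom = _domain(msg[header])
        if dom and dom != from_dom:
            findings.append(
                f"{header} domain {dom} differs from From domain {from_dom}")
    # Results recorded by the receiving mail server, if present.
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print(finding)
```

These are indicators rather than verdicts: legitimate bulk mail often uses a different Return-Path domain, so findings should feed a review or scoring step.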

2.2 Some case studies have been included to elaborate on the threats against information security. [1]

Case 1: Phishing case study.

A doctor from Gujarat registered a crime stating that some persons had perpetrated certain acts through misleading emails ostensibly emanating from ICICI Bank’s email ID. Such acts were perpetrated with intent to defraud the customers. The investigation was carried out with the help of the mail received by the customer, bank account IP details & domain IP information, the place of offence at was searched for evidence.

Case 2: Online Credit Cheating and Forgery Scam.

In one of the noted cases of 2003, Amit Tiwari, a 21-year-old engineering student, had many names, bank accounts and clients, with an ingenious plan to defraud a Mumbai-based credit card processing company, CC Avenue, of nearly Rs. 900,000.

2.3 The solutions to the information security are as follows:

2.3.1 Access Control: Access to protected information must be restricted to people who are authorized to access the information. This requires mechanisms to be in place to control access to protected information.

2.3.1.1 Identification: It is an assertion of who someone is or what something is.

2.3.1.2 Authentication: It is the act of verifying a claim of identity.

Figure 5: Authentication

2.3.1.3 Authorization: It is the function of specifying access rights to resources related to information security.
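The three steps of 2.3.1 (identification, authentication, authorization) as an added example, not code from the original paper. User names, passwords, the resource name and all function names are constructed for illustration, and PBKDF2 is one possible choice of password hash.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str, rights: dict) -> dict:
    # Only a salted hash is stored, never the password itself.
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt),
            "rights": rights}

# Constructed sample accounts and access rights.
USERS = {
    "asha": make_user("correct horse battery", {"payroll.xlsx": {"read"}}),
    "ravi": make_user("staple-42-tree", {"payroll.xlsx": {"read", "write"}}),
}
# Dummy record so unknown users cost the same hashing work as known ones.
_DUMMY = make_user("unused", {})

def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the identity claim made by `username`."""
    record = USERS.get(username, _DUMMY)
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    ok = hmac.compare_digest(candidate, record["hash"])
    return ok and username in USERS

def authorize(username: str, resource: str, action: str) -> bool:
    """Authorization: default deny, only explicitly listed rights pass."""
    rights = USERS.get(username, {}).get("rights", {})
    return action in rights.get(resource, set())

def access(username: str, password: str, resource: str, action: str) -> str:
    # Identification is only the claim `username`; it is not trusted
    # until authentication succeeds.
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, resource, action):
        return "denied: not authorized"
    return "granted"

if __name__ == "__main__":
    print(access("asha", "correct horse battery", "payroll.xlsx", "write"))
```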

2.3.2 Cryptography: Information Security uses cryptography to transform usable information into unusable information. This process is called encryption.

Figure 6: German Lorenz cipher machine, used in World War II to encrypt very-high-level general staff messages

2.3.3 Firewall: It is a network security system that monitors and controls the incoming and outgoing network traffic based on security rules.

Figure 7: Firewall

2.3.4 Intrusion Detection System (IDS): It is a software application that monitors a network or systems for malicious activity or policy violations.

2.3.5 Intrusion Prevention System (IPS): It is a network security appliance that monitors network or system activities for malicious activity. It is also known as Intrusion Detection and Prevention System (IDPS).

2.3.6 Application Security: It encompasses measures taken to improve the security of an application by finding, fixing and preventing security vulnerabilities.

2.3.7 Data-Centric Security: It is an approach to security that emphasizes the security of the data itself rather than the security of networks, servers or applications.

3. ANALYSIS:

3.1 To prevent insider attacks on agency networks, access rights to files should be controlled and access should be granted only as required for the performance of job duties.

3.2 Networks that serve different agencies or departments should be segregated, and access to those segmented networks should be established as appropriate through the use of VLANs, routers, firewalls, etc.

3.3 User activities on systems should be monitored.

3.4 To prevent unauthorized access to information, all hosts that are potential targets of DoS (Denial of Service) should be secured.

3.5 Authentic programs should be installed, together with Trojan scan programs.

3.6 To protect against exploitation:

3.6.1 Periodic scanning for spyware, adware and bots (software robots) shall be conducted with

anti-spyware programs that detect these malicious pr

3.6.2 Denial of all inbound traffic by default through the perimeter defense.

3.6.3 Provision of security awareness training to personnel on an annual basis that, in part, cautions against downloading software programs from the Internet without appropriate agency approval.
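An added example (not part of the original paper) of the default-deny policy in 3.6.2 combined with the segmented-network access of 3.2, written as a first-match rule evaluator. All networks, ports and segment roles are constructed, and `decide` and `overly_broad` are hypothetical helper names.

```python
import ipaddress

# Constructed rule set: (source net, destination net, protocol, port, action).
# A port of None and a protocol of "any" act as wildcards.
RULES = [
    ("0.0.0.0/0",    "203.0.113.10/32", "tcp", 443,  "allow"),  # public HTTPS
    ("10.10.0.0/24", "10.20.0.5/32",    "tcp", 5432, "allow"),  # HR app to HR db
    ("10.30.0.0/24", "10.20.0.0/24",    "any", None, "deny"),   # finance to HR
]
DEFAULT_ACTION = "deny"  # anything not explicitly allowed is dropped

def _match(rule, src, dst, proto, port):
    r_src, r_dst, r_proto, r_port, _action = rule
    return (ipaddress.ip_address(src) in ipaddress.ip_network(r_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(r_dst)
            and r_proto in ("any", proto)
            and r_port in (None, port))

def decide(src, dst, proto, port, rules=RULES):
    """First matching rule wins; no match falls through to default deny."""
    for rule in rules:
        if _match(rule, src, dst, proto, port):
            return rule[4]
    return DEFAULT_ACTION

def overly_broad(rules=RULES):
    """Audit check: allow rules from any source to any port undo default deny."""
    return [r for r in rules
            if r[4] == "allow"
            and ipaddress.ip_network(r[0]).prefixlen == 0
            and r[3] is None]

if __name__ == "__main__":
    # Inbound SSH to the public web host matches no rule, so it is denied.
    print(decide("198.51.100.7", "203.0.113.10", "tcp", 22))
    print(overly_broad())
```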

4. FUTURE ENHANCEMENT:

Looking into 2017, the information security agenda for executives continues to evolve. The complexities of what to protect and when, overlaid with requirements of regulation and compliance, create the need for a new type of information security executive--one with business savvy, sound risk fundamentals and holistic technical understanding. These skills, coupled with a strong strategy, will be necessary for organizations to achieve their 2017 information security goals.

The number one item on the 2017 information security agenda is data protection. The practice of protecting the confidentiality, integrity and availability of data is not new--passwords, encryption and data classification structures have been around for years. What has changed is the type of data that's now considered valuable. From the external attacker perspective, intellectual property and insider information were once the most sought-after data assets. Now, the data currency of choice is identity--e-mail addresses, social security numbers and credit card information. Corporate espionage is still a significant threat, but the new underground deals in volume, where success is being measured in thousands and millions of identities.

5. CONCLUSION:

Information security is the ongoing process of exercising due care and due diligence to protect information, and information systems, from unauthorized access, use, disclosure, destruction, modification, disruption or distribution. The never-ending process of information security involves ongoing training, assessment, protection, monitoring & detection, incident response and repair, documentation, and review.

6. BIBLIOGRAPHY:

[1] Sunakshi Maghu, Siddharth Sehra and Avdesh Bhardawaj, “Inside of Cyber Crimes and Information Security: Threats and Solutions”, International Journal of Information & Computation Technology, Volume 4, Number 8 (2014), pp. 835-840.

[2] Mrs. Rakhee Kelaskar, Mrs. Vanshri Valecha, “Information Security Management”, Variorum Multi-Disciplinary e-Research Journal, Vol. 02, Issue IV, May 2012.

[3] V. Suganya, “A Review on Phishing Attacks and Various Anti Phishing Techniques”, International Journal of Computer Applications (0975 – 8887), Volume 139 – No. 1, April 2016.

[4] Ammar Yassir and Smitha Nayak, “Cybercrime: A threat to Network Security”, IJCSNS International Journal of Computer Science and Network Security, 84 VOL.12 No.2, February 2012.

WEB LINKS USED:

1. https://www.ripublication.com/irph/ijict_spl/ijictv4n8spl_09.pdf
2. http://paper.ijcsns.org/07_book/201202/20120214.pdf
3. http://www.ijcaonline.org/research/volume139/number1/suganya-2016-ijca-909084.pdf
4. www.wikipedia.org
5. www.google.com
6. http://ijact.org/volume4issue3/IJ0430037.pdf