Definition And Concepts Of Information Security


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract: Information security matters to most organizations as a way of protecting their information assets, which may contain secret information that is valuable to the organization. With today's rapid technological advances, information has become vulnerable and insecure. It may be attacked by hackers and script kiddies, and the greatest threat is the cracker. Malicious web sites that carry worms, Trojans and viruses can also harm the host computer. To protect information and other assets it is important to have proper access control policies and procedures. To safeguard information security it is also crucial to protect its most important components, "Confidentiality, Integrity and Availability", from unauthorized persons. Authentication, authorization and accountability should also be highlighted when securing information. Individuals, employees and everyone else in the organization must be alert to the issues, problems and incidents related to information security, so that a contingency plan or solution can be made to protect the information.

Keywords: information security, vulnerable, confidentiality, integrity, availability.

1.0 Introduction

Nowadays it is easy to access information using advanced technology. This is more convenient, but it also brings risks to the system: valuable information may be lost, stolen, changed or misused. An attacker may exploit a vulnerability in an information system to disrupt the confidentiality, integrity or availability of information. Information security is therefore the process by which digital information assets are protected. A crucial element of that protection covers the systems and hardware used for storing and transmitting information.

The history of information security began immediately after the first mainframes were developed. In the 1960s the Advanced Research Procurement Agency (ARPA) began to examine the feasibility of redundant network communication. In the 1970s and 80s ARPANET was implemented. A fundamental problem with ARPANET security was identified: there was no user identification or authorization to the system. In the late 1970s the microprocessor expanded computing capabilities, and with them security threats. The Internet came into early use in 1990. In early Internet deployments, security was treated as a low priority.

Information security can be defined as the practice of protecting information systems against attacks. It typically concerns technical means to avoid or eliminate security vulnerabilities in the design of information systems. Information security is also a broad term that covers protection from accidental or intentional misuse by persons inside or outside an organization.

Information security performs an important function for an organization. It protects the organization's ability to function and also enables the safe operation of applications. It also safeguards the organization's technology assets and keeps its data secure.

Although technology gives us numerous benefits, there are still challenges we face, and a number of information security issues arise. Examples of these issues include malware and acts of human error or failure. According to the website www.utc.edu, examples of malware are viruses, worms, Trojans, etc. All of these threats attack computers and cause damage that results in lost productivity. Human error or failure is also part of the current issues in information security. Employees are the people closest to organizational data, and they can be one of the greatest threats to information security. Some of them are inexperienced or have not been properly trained in handling information. Employee mistakes can cause data to be stored in the wrong place or in unprotected areas, accidental deletion or alteration of data, and finally failure to protect the information. Other issues related to information security mostly concern trespassers. They can be expert hackers, script kiddies or crackers. A hacker uses skill and fraud to steal someone else's information property. "Script kiddie" refers to a person who hacks with limited skill; they do not usually fully understand the system they hack. The cracker is the greatest threat: one who cracks or removes protection designed to prevent unauthorized duplication.

In addition, other information security issues concern vulnerabilities and the policies and procedures used in an organization. According to Gupta and Hammond (2003), small businesses are typically more vulnerable to attacks such as viruses and Trojans because they lack the financial resources and expertise to develop a comprehensive information security system. They may also lack policies and procedures. Attacks may come from insiders who have direct access to the company's computer systems.

2.0 Methodology

In order to explore what information security is and how it came to mean what it does today, I surveyed information related to information security by browsing websites to examine the definition, current issues, concepts and challenges of information security for the required literature. This information was gathered based solely on an inspection of the websites in order to understand several aspects of information security. Besides that, in completing this term paper, a literature review was used to enable an in-depth understanding of the topic. The literature included in this term paper resulted from searches made in the electronic database Emerald. For example, Gupta and Hammond (2003) report on information security issues and decisions for small businesses. It provides evidence of the issues in small firms in both manufacturing and services. The search terms (keywords and subject terms) used were "Information systems" and "Data security". All the literature retrieved from the searches was minutely examined for any information related to the topic in hand.

3.0 Definition and concepts of Information Security

There are various definitions of information security. According to Pieters and Consoli, etymologically, information security means the practice that focuses on protecting information systems from attackers. According to the website http://www.isy.vcu.edu, Spears describes information security as the preservation of three attributes, "confidentiality", "integrity" and "availability" (ISO/IEC 7799, 2000). According to Wikipedia, information security can be defined as the practice of protecting information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. The Business Dictionary defines information security as ensuring the availability, confidentiality and integrity of organizational data by safeguarding an organization's data from unauthorized access or modification. It can be concluded that most definitions of information security are, briefly, about the CIA triad of information, which is very important to information security. These are the three elements that everyone in the organization is trying to protect.

To understand information security, I must first know its concepts. From the survey of the website www.mhprofessional.com it can be said that the dominant information security concept is the CIA triad, which stands for confidentiality, integrity and availability. Let us touch on each of these briefly. Firstly, confidentiality deals with keeping secret information, which may be the company's intellectual property, from unauthorized persons. Access to information is often restricted to those authorized to access it because of its nature: its content may include legal or financial information, or cause embarrassment to one party or another. To restrict access to information, the main mechanisms for protecting confidentiality are cryptography and access control. Typical attacks on confidentiality are malware and intruders. Insecure networks and poorly administered systems are further examples of threats to confidentiality.

Next, integrity means the property of safeguarding the trustworthiness, origin, completeness and correctness of information assets. Integrity is a critical part of ensuring that the origin of information cannot be altered or modified by unauthorized persons. For the protection of integrity there are two kinds of mechanism: preventive mechanisms and detective mechanisms. A preventive mechanism is access control that hinders unauthorized alteration of the information, while a detective mechanism is concerned with detecting unauthorized alteration when the preventive mechanism has failed.
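The detective mechanism described above, as an added example that is not part of the original essay: a keyed HMAC tag is stored with each record, so that an alteration made without the key (that is, after access control has failed) is detected when the record is read. The key value and the record contents are constructed for the example.

```python
"""Detective integrity mechanism: an HMAC over a record reveals unauthorized
alteration after the preventive control (access control) has failed.
Constructed example; the key below is a placeholder, not a real secret."""
import hashlib
import hmac
import json

# Assumed: only the component allowed to write records holds this key.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    # Deterministic serialisation: the same content always gives the same bytes,
    # so key order or whitespace differences never cause false alarms.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag computed over the record's content."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Detective check: recompute the tag and compare it in constant time.
    Any change to the data, or to the tag itself, makes this return False."""
    expected = hmac.new(key, canonical(sealed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


if __name__ == "__main__":
    sealed = seal({"account": "ACC-001", "balance": 1500})   # constructed record
    print(verify(sealed))                 # True: record is as written
    sealed["data"]["balance"] = 15000     # alteration made without the key
    print(verify(sealed))                 # False: alteration detected
```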

Availability is also a crucial component alongside confidentiality and integrity. According to the website http://www.sinclair.edu, availability means that authorized users can easily use the information assets available to them when and where they need them. Attacks against availability are those that make it so that the victim cannot use the resource in question. The most famous example of this sort of attack is the Denial of Service (DoS) attack. Natural and man-made disasters can also be threats to availability, whereas human errors are frequent but usually not as severe as natural disasters. According to the same website, availability is the principle that information assets should be accessible only by authorized users when and where they need them, and be available and usable by them.

Other concepts that can be compiled together in this term paper include identification, authentication, authorization and, lastly, accountability. According to the website www.mhprofessional.com, identification is the means by which a user claims their identity to the system, using an ID, when access to information or information processing resources is required. For information security purposes the unique name used should be both locally and globally unique, to ensure that access control can be enforced and accountability established.

Next is authentication. Authentication ensures that the identity of a subject or resource is the one claimed. The most common examples of authentication entities are passwords, keys used to lock and unlock doors, cars and drawers, and biometric authentication entities. Passwords are commonly used for routine access control; identification is necessary for authentication and authorization. A biometric is a process of identification and verification in which a physiological or behavioural characteristic of a human being is used to distinguish one person from another. Biometric authentication methods include iris and retina recognition, fingerprint, voice and signature recognition.

Once a user's identification and authentication are established, authorization is the process of checking the authentication of an individual or resource to establish and confirm their authorized use of, or access to, information or other assets. Authorizations are also referred to as rights, privileges or permissions, and define what a user is allowed to do on the system. These authorizations are typically defined by the system's security policy and are set by the security or system administrator.

Accountability is another important part of the concept of information security. Accountability means responsibility for actions and processes within the system. Whenever an action is carried out, the individual should take responsibility and be accountable for that action. To safeguard a system or information it should provide accountability, because without this element a system may not be considered secure.
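The four concepts just described (identification, authentication, authorization, accountability) chained together in one small model, as an added example that is not from the essay or any product it cites. The job roles, their permissions and the sample users are assumptions made for the example.

```python
"""Identification, authentication, authorization and accountability chained
together. Constructed example; the roles and permissions are assumed."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Authorization: standard access profiles for common job roles (assumed).
ROLE_PERMISSIONS = {
    "clerk": {"read"},
    "auditor": {"read", "audit"},
    "admin": {"read", "write", "audit"},
}

USERS = {}      # identifier -> {"salt", "hash", "role"}; no clear-text passwords
AUDIT_LOG = []  # accountability: every access decision is recorded here


def _derive(password: str, salt: bytes) -> bytes:
    # Slow salted hash so a stolen USERS table does not reveal passwords cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(user_id: str, password: str, role: str) -> None:
    """Identification: the identifier must be unique, or accountability breaks."""
    if user_id in USERS:
        raise ValueError(f"identifier {user_id!r} is not unique")
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    salt = os.urandom(16)
    USERS[user_id] = {"salt": salt, "hash": _derive(password, salt), "role": role}


def authenticate(user_id: str, password: str) -> bool:
    """Authentication: prove the claimed identity with the password."""
    record = USERS.get(user_id)
    if record is None:
        _derive(password, b"\x00" * 16)  # same cost whether or not the id exists
        return False
    return hmac.compare_digest(record["hash"], _derive(password, record["salt"]))


def access(user_id: str, password: str, action: str, asset: str) -> bool:
    """Identify, authenticate, authorize, then log the decision (accountability)."""
    authenticated = authenticate(user_id, password)
    allowed = authenticated and action in ROLE_PERMISSIONS[USERS[user_id]["role"]]
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user_id, "action": action, "asset": asset,
        "authenticated": authenticated, "allowed": allowed,
    })
    return allowed


if __name__ == "__main__":
    register("alice", "correct horse battery", "clerk")
    register("bob", "s3cure-p@ss-phrase", "admin")
    print(access("alice", "correct horse battery", "read", "ledger"))   # True
    print(access("alice", "correct horse battery", "write", "ledger"))  # False: not authorized
    print(access("bob", "wrong", "write", "ledger"))                   # False: not authenticated
    print(access("mallory", "x", "read", "ledger"))                    # False: unknown identity
    for entry in AUDIT_LOG:
        print(entry)
```

Every decision, including the failed ones, lands in AUDIT_LOG, which is what lets an action be traced back to an individual.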

4.0 Information Security Conceptual Theory

5.0 Challenges/Threats of Information Security

Information security is one of the most commonly faced challenges these days, and it is critical to the success of a company's or organization's business. Several challenges or threats are examined here in relation to protecting the CIA triad of information security. With the rapid adoption of Information Technology (IT) today, information assets are completely exposed to attackers who access information wrongfully.

A collection of information about these challenges or threats from the website http://isseg-training.web.cern.ch/ISSeG-training/ shows that there are several threats to information security, for example password compromise, data interception techniques (sniffing/man-in-the-middle attacks), fraudulent connections, software alteration (time bombs, worms, Trojans, viruses, etc.) and lack of security awareness or job training.

Threat: Password compromise

What might happen: Password confidentiality is broken. More individuals know the valid password than was intended.

Examples: Weak passwords, such as too few characters, the same as the user's account name, or blank.

Lack of an effective password policy.

Unlimited ability to try multiple values or guesses in order to work out the password.

A password has been intercepted or sniffed on the network.

A password has been intercepted in e-mail.

A password has been altered on the host computer.

A virus, worm or other malware has attacked the host computer.

A keyboard logger has been used, without the user's permission, to record the password.

No control is possible when using an Internet cafe.

Inappropriate physical access to critical servers.

Threat: Data interception techniques (e.g. sniffing / man-in-the-middle attacks)

What might happen: An attacker sniffs confidential information or hijacks the identity of peer machines.

Examples: A user's IP and MAC address on the local network has been hijacked by an attacker.

The local network has been accessed by malicious users.

A virus, Trojan or spyware has infected a local host on the network.

Inadequate malware protection.

A malicious web site tricks a valid user.

SPAM e-mail containing a link to a malicious web site tricks the user into using it.

Threat: Fraudulent or intrigue connection

What might happen: An unauthorized service has been accessed by an attacker.

Examples: Valid credentials used after theft or by unauthorized persons.

Compromised passwords.

Lack of access control (allowing simple passwords).

Inappropriately secured servers caused by lack of user awareness.

Allowing simple passwords may result from insufficient access controls.

Threat: Software alteration (time bomb, worm, Trojan, virus)

What might happen: The system may be corrupted by malicious software.

Examples: An attacker attacks the site by exploiting a software vulnerability.

No antivirus protection on PCs.

Botnet attack on the site.

Compromised software distribution.

Software installation kits were not sufficiently checked prior to use.

Threat: Lack of security awareness or job training

What might happen: Relevant staff lack security training.

Examples: No current security training for system managers.

Relevant staff have insufficient security training.

Security is managed by non-security experts.

6.0 Recommendations to address the challenges in Information Security

Below are several recommendations for each threat or challenge faced by an organization.

Threat: Password compromise

Recommendation: Enforce good practice in the selection and use of passwords.

Why: Password compromise can give an advantage to unauthorized access and cause theft of information. The result represents a serious security breach.

How: To overcome password compromise, users should be advised to:

Avoid using the same password for business and non-business purposes.

Change the password if it is compromised.

Avoid sharing individual user passwords.

Use a different password when accessing application services that carry high security risks: for example, services that use plain HTTP during authentication rather than a secure (challenge-based) protocol, public web sites or portals, or any case where the password is sent across the network in clear text.

In addition, users who need to access multiple services and systems and are required to maintain multiple separate passwords are advised to use a single, quality password. All these recommendations are intended to assure protection in information security. A quality password should have a sufficient minimum length. It must be easy to remember, and it should not be easy to guess, so person-related information such as birth dates, telephone numbers and names should not be used. A good quality password should also be free of consecutive identical characters.
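The password quality rules listed above (minimum length, not blank, not the account name, no consecutive identical characters, no person-related information), plus a guess limiter for the "unlimited guesses" weakness listed under the password compromise threat, as an added example that is not part of the original essay. The minimum length of 12, the lockout threshold and the sample user data are assumptions for the example.

```python
"""Password quality check and guess limiter for the password compromise threat.
Constructed example; MIN_LENGTH and the lockout threshold are assumed values."""
import re
from collections import defaultdict

MIN_LENGTH = 12  # assumed; the text only requires a "sufficient minimum length"


def check_password_quality(password: str, user_id: str, personal_info: list) -> list:
    """Return the list of violated rules (an empty list means acceptable).
    personal_info holds person-related strings: names, birth dates, phone numbers."""
    problems = []
    if not password:
        return ["blank password"]
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if password.lower() == user_id.lower():
        problems.append("same as the account name")
    if re.search(r"(.)\1", password):
        problems.append("consecutive identical characters")
    password_digits = re.sub(r"\D", "", password)
    for item in personal_info:
        item_digits = re.sub(r"\D", "", item)
        if len(item) >= 3 and item.lower() in password.lower():
            problems.append(f"contains person-related information: {item!r}")
        elif len(item_digits) >= 4 and item_digits in password_digits:
            # Catches a birth date or phone number typed without its separators.
            problems.append(f"contains person-related number: {item!r}")
    return problems


class GuessLimiter:
    """Bound the number of failed attempts per account, so a password cannot be
    worked out by trying values without limit."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def attempt(self, user_id: str, password: str, verify) -> str:
        """Return 'locked', 'ok' or 'rejected'. verify(user_id, password) -> bool
        is assumed to be the system's real password check."""
        if self.failures[user_id] >= self.max_failures:
            return "locked"   # refused before the password is even checked
        if verify(user_id, password):
            self.failures[user_id] = 0
            return "ok"
        self.failures[user_id] += 1
        return "rejected"


if __name__ == "__main__":
    info = ["Alice", "1985-03-27", "+44 7700 900123"]   # constructed sample data
    print(check_password_quality("alice", "Alice", info))
    print(check_password_quality("BornOn1985-03-27", "alice", info))
    print(check_password_quality("Kestrel-Marmalade-42", "alice", info))   # []
```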

Threat: Data interception techniques (e.g. sniffing / man-in-the-middle attacks)

Recommendation: Establish training and guidelines for secure programming.

To secure programming there should be application controls as a preventive tool to detect corruption of information, to prevent unauthorized alteration of information, and also to prevent processing errors and loss.

How: To overcome the threat, automatic examination and validation of input data should be considered in order to hinder standard attacks. This recommendation reduces loss of integrity. Various specific areas are considered, such as using appropriate programs to recover from failures and ensuring correct processing of data. There should be procedures to prevent programs running in the wrong order or running after failure of prior processing. Logs of the activities involved in the processing are created. Programs should also be designed to reduce the privileges required for their execution.

Threat: Fraudulent or intrigue connection

Recommendation: Access control policies and procedures on security requirements are established.

Procedures in information security should be established, reviewed and documented based on the organization's requirements. There should also be clear access control and rights for each user or group of users.

How: The access control policy must contain:

Security requirements for applications, and identification of related information.

Requirements for formal authorization of access requests.

Removal of access rights.

Standard user access profiles for common job roles in the organization.

Consistency between the access control and information classification policies of different systems and networks.

Threat: Software alteration (time bomb, worm, Trojan, virus)

Recommendation: Allocation of information security responsibilities.

How: To overcome software alteration or modification, all information security responsibilities must be clearly defined. To protect individual assets, local responsibilities and the carrying out of specific security processes must be clearly defined. Allocating information security responsibilities is important so that the organization's assets are protected and security processes are carried out. Authorization levels must therefore be clearly defined and documented. Those responsible may also need to delegate tasks to others; however, each staff member should understand their own security roles and responsibilities.

Threat: Lack of security awareness or job training

Recommendation: Encourage information security awareness, education and training.

How: All employees of the organization and related parties, including contractors and third-party users, must be exposed to appropriate awareness training and kept updated on the organizational policies and procedures relevant to their job function. These recommendations create awareness among them so that they can identify information security problems and incidents and respond according to the needs of their work role. Ongoing training includes formal classes, but also easy access to security-related information. Updating information and informing people of changes are also necessary. Examples of training that should be considered for the relevant persons in information security include:

Enforcement, sanctions, and disciplinary actions for security violations.

Physical security requirements.

Policies and procedures for working with third parties.

How to properly access sensitive information or work in areas where sensitive information is accessible.

Termination policies and procedures relative to security.

7.0 Conclusion

In summary, information security should be considered a balance between protection and availability against any harm that can affect information. Understanding information security concepts makes us aware of the protection of information. Expert persons are needed to handle the information security problems or incidents faced by an organization. To overcome threats to information security, awareness must be created among staff by giving them job training and education so that they gain new knowledge about the challenges in information security. The recommendations for overcoming these problems should be applied and used to retain good-quality information security. To minimize risks in information security, it is crucial to safeguard the trustworthiness, origin and correctness of information assets from unauthorized persons or attackers. Regular revision of policies and procedures is also needed.
