How To Protect Your Information And System


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract: Information security in an organization requires dedicated professionals to defend against threats. This paper focuses specifically on methods of defending against threat attacks in the context of the organization. Several methods in the area of information security are discussed.

Keywords: Information security, Threat, Information security awareness

Introduction

Threats to information security are a present concern for organizations. Computer technology and the systems built on it are increasingly ubiquitous in most organizations. Because of that, an organization must have comprehensive management in place to prevent attacks. For example, an organization should have an Information Security Unit that is responsible for this field. Organizations today are required to secure their data against risks such as threats and problems, whether from internal clients or from outsiders.

Methodology

In completing this term paper, primary and secondary literature was used to enable an in-depth understanding of information security, threats, and the prevention of attacks. Most of the literature was collected from books, and some from journals.

What is Information Security and Threats?

Defining information security

The term information security is frequently used to describe the task of guarding information that is in a digital format. This digital information is typically manipulated by a microprocessor such as on a personal computer, stored on a magnetic or optical storage device like a hard drive or a DVD, and transmitted over a network such as the Internet (Ciampa, 2010). In other words, information security refers to the protection of information, and of the systems and hardware that use, store, and transmit that information (Whitman & Mattord, 2005).

Information security terminology

Table 1: Information security terms and examples

| Term | Example in information security |
|---|---|
| Asset | Employee database |
| Threat | Steal data |
| Threat agent | Attacker, virus, flood |
| Vulnerability | Software defect |
| Exploit | Send virus to unprotected email server |
| Risk | Information will be stolen |

Threats

According to the Merriam-Webster dictionary, a threat is an expression of intention to inflict evil, injury, or damage. Any threat must be viewed as a potential breach of security which, if successful, will have a certain impact. Various types of threats may affect a system and the organization. For example, illegal entry by a hacker may result in theft and fraud, loss of confidentiality, and loss of privacy for an organization.

The elements of security

The word security gives users few clues for understanding and modeling requirements for the protection and management of information resources. Ciampa (2010) states that the security profession has defined the basics of security as three elements:

Confidentiality: Confidentiality ensures that only authorized parties can view the information.

Integrity: Integrity ensures that the information is correct and that no unauthorized person or malicious software has altered that data.

Availability: Availability ensures that data is accessible to authorized users.

These three elements are known as CIA, the basis around which all security programs are developed.

The security professional’s view of information security

A broader view of what makes up the three elements of confidentiality, integrity, and availability (CIA) can be found by looking at the ten domains of information security that make up the Common Body of Knowledge (CBK) maintained by the International Information Systems Security Certification Consortium (ISC). The domains that make up the CBK further define the elements that make up CIA and help the business person and security professional understand the depth of the issues that guide the development of an effective information security program. Wylder (2004) describes the ten domains as follows:

Access control systems and methodology: These are the core application systems that people think of when discussing information security. This area addresses the use of information systems and how to manage and restrict access to a system or application.

Telecommunications and network security: This is similar to the first domain but addresses issues regarding transmission of information and the transport mechanisms regarding network and connectivity.

Security management practices: This domain addresses policies and management practices, including risk management.

Application and systems development security: This domain deals with the system development life cycle (SDLC) and data management from an information security perspective.

Cryptography: Covered in this domain are the principles and methods used to protect information through the use of codes and secrecy.

Security architecture and models: As the name indicates, this domain has to do with the design and architecture of computers and networks and how to protect them.

Operations security: This domain addresses the control involved in the operation of a data center, and the management issues resulting from applications as they are used in a business environment.

Business continuity planning (BCP) and disaster recovery planning (DRP): This domain covers the policies and procedures needed to ensure that a business protects its information resources from the effects of system failures and outages.

Laws, investigations, and ethics: This domain covers the legal and ethical issues for business.

Physical security: This domain covers the physical security measures that are involved in protecting the assets of the company.

Threats to Information Security

Most organizations use some kind of system in their daily activities and operations. The possibility of being affected by threats is high when there is no prevention in place to defend against them. The common threats that may affect an organization are errors and omissions, fraud and theft, malicious hackers, malicious code, and denial-of-service attacks.

One of the common threats is errors and omissions. This is the number one threat to systems, even though it does not get the headlines that international hackers and the latest worm propagating through the email system do. Peltier, et al. (2005) describe that because access cannot be denied to the whole user community, it becomes difficult to protect the systems from the people who need to use them day in, day out. Errors and omissions attack the integrity component of the CIA triad. To help fight these mistakes, two security concepts can be used: least privilege, and performing adequate and frequent backups of the information systems. Using least privilege can create additional overhead for the support staff members who are tasked with applying the access controls to the user community. The second concept relies on tape backup, which is one of the essential tools of the information security manager and can often be the only recourse against a successful attack.

Fraud and theft can also be a threat to information security. In the organization, employees are responsible for more successful intrusions than outsiders. Peltier, et al. (2005) also state that it becomes very difficult to find the source of internal attacks without alerting the attacker that he or she is suspected of wrongdoing. The best line of defense against fraud and theft by internal employees is to have well-defined policies. Policies can make it easier for the information security manager to collect data on the suspected wrongdoer to prove what bad acts the employee has performed. The information security manager can use forensic techniques to gather evidence that will help provide proof of who performed the attack. For example, computer forensics allows a trained person to recover evidence from a computer system. There are many places where evidence of the activity may be left. Places such as firewalls, server logs, and the client workstation should be investigated to determine whether any evidence remains.

Another common threat is malicious hackers. There are several groups of Internet users that will attack information systems. The three primary groups are hackers, crackers, and phreaks, although common nomenclature is to call all three groups hackers. A hacker is a user who penetrates a system just to look around and see what is possible. A hacker has etiquette and just wants security to be improved on all Internet systems. The next group, the crackers, is the group to really fear. A cracker has no etiquette about breaking into a system. Crackers will damage or destroy data if they are able to penetrate a system. The goal of crackers is to cause as much damage as possible to all systems on the Internet. The last group, phreaks, tries to break into an organization's phone system. The phreaks can then use the free phone access to disguise the phone number from which they are calling, and also stick the organization with the bill for long-distance phone charges. These three groups will harm the organization's activities. All staff must be aware of them in order to prevent attacks that occur in daily operation.

Another threat that may attack the organization is malicious code. This threat is defined as any code that is designed to make a system perform any operation without the knowledge of the system owner. One of the fastest ways to introduce malicious code into a target organization's protected network is by sending the malicious code via email. The common types of malicious code are the virus, worm, Trojan horse, and logic bomb. The most commonly thought of type of malicious code is the virus. A virus is a code fragment that can be injected into target files. A virus then waits, usually until the file is opened or accessed, to spread to another file, where the malicious code is then injected into that file. With a virus-infected system, one can often find in excess of 30 000 infected files (Peltier, et al., 2005).

The last common threat is the denial-of-service attack. This threat, also called a DoS attack, is designed to overwhelm either the target server's hardware resources or the target network's telecommunication lines. In these attacks, the hacker launches an attack from his system against the target server or network. There is a newer DoS attack called the distributed denial-of-service (DDoS) attack. Unlike DoS, which is a one-to-one attack, DDoS attacks use zombie hosts to create a many-to-many attack. These zombie hosts are devices that were compromised and had code uploaded onto them that allows a master machine to contact them and have them all release the DoS attack at the same time. The new DDoS attacks are very difficult to defend against. The mechanism that has curtailed most DDoS attacks is minimizing the number of zombie-infected hosts available. As soon as a new and better infection mechanism surfaces, another round of DDoS attacks is sure to spring up.
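The difference between the single-source DoS pattern and the many-source DDoS pattern described above can be seen from the defender's side in connection records. The following is an added example, not part of the original essay; the record format, the thresholds, and the function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed sample records (not real traffic): 'epoch_second source_ip target_ip'."""
    lines = []
    # Normal load on 10.0.0.5: three clients, a few requests each
    for i in range(9):
        lines.append(f"{1000 + i} 192.0.2.{1 + i % 3} 10.0.0.5")
    # Single-source flood on 10.0.0.6 (the one-to-one DoS pattern)
    for i in range(300):
        lines.append(f"{1000 + i % 10} 198.51.100.7 10.0.0.6")
    # Flood on 10.0.0.7 spread over 60 sources, 5 requests each (the DDoS pattern)
    for host in range(60):
        for i in range(5):
            lines.append(f"{1000 + i} 203.0.113.{host + 1} 10.0.0.7")
    return lines

def classify(lines, window=10, rate_limit=100, dominant_share=0.8):
    """Label each (time window, target) as normal, dos or ddos.
    rate_limit and dominant_share are assumed thresholds, to be tuned per site."""
    buckets = defaultdict(Counter)
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip malformed records instead of failing
        ts, src, dst = int(parts[0]), parts[1], parts[2]
        buckets[(ts // window, dst)][src] += 1
    verdicts = {}
    for (win, dst), per_source in buckets.items():
        total = sum(per_source.values())
        if total <= rate_limit:
            label = "normal"
        elif max(per_source.values()) / total >= dominant_share:
            label = "dos"    # one source accounts for almost all requests
        else:
            label = "ddos"   # volume is high but no single source dominates
        verdicts[(win, dst)] = (label, total, len(per_source))
    return verdicts

if __name__ == "__main__":
    for key, verdict in sorted(classify(build_sample()).items()):
        print(key, verdict)
```

Blocking the one dominant address stops the single-source case, while in the many-source case each host stays under any per-address limit, which is why the text calls DDoS very difficult to defend against.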

How to Protect the Organization

Protecting the organization involves all of the staff who are responsible for securing the system, network, and server. For example, there must be an Information Technology (IT) department in the organization. Three methods are discussed in this topic. The first is how to secure the system; the second is the implementation of an information security program.

How to secure the system

There are three basic methods to secure the system from online security attacks (Ateeq Ahmad, 2012).

Prevention: If you were to secure your house, prevention would be similar to placing dead bolt locks on your doors, locking your window, and perhaps installing a chain link fence around your yard. You are doing everything possible to keep the threat out.

Detection: You want to be sure you detect when such failures happen. Once again using the house analogy, this would be similar to putting a burglar alarm and motion sensors in the house. These alarms go off when someone breaks in. If prevention fails, you want to be alerted to that as soon as possible.

Reaction: Detecting the failure has little value if you do not have the ability to respond. What good does it do to be alerted to a burglar if nothing is done? If someone breaks into your house and triggers the burglar alarm, one hopes that the local police force can quickly respond. The same holds true for information security. Once you have detected a failure, you must execute an effective response to the incident.

Information security program

The responsibility for implementing an information security program lies with information security professionals. They must implement the perfect security program.

For security professionals, there are three key elements for any security program which are integrity, confidentiality, and availability (Peltier, 2002). Management is concerned that information reflects the real world and that it can have confidence in the information available to it so that management can make informed business decisions. One of the goals of an effective security program is to ensure that the information of an organization and its information processing resources are properly protected.

To be successful, the awareness program should take into account the needs and current levels of training and understanding of the employees and management. According to Peltier (2002), there are five keys to establishing an effective awareness program: assess the current level of computer usage, determine what the managers and employees want to learn, examine the level of receptiveness to the security program, map out how to gain acceptance, and identify possible allies.

An effective security awareness program could be the most cost-effective action management can take to protect its critical information assets. Implementing an effective security awareness program will help all employees understand why they need to take information security seriously, what they will gain from its implementation, and how it will assist them in completing their assigned tasks. The process should begin at new employee orientation and continue annually for all employees at all levels of the organization.

Conclusion

Information security management is becoming more challenging at this time. This is because the increasing amount of information held in digital storage in an organization potentially enables various invasions. Information security awareness does not require huge cash outlays. It does require time and proper project management.
