Computers 7.3.15 COM 323 E Information Systems Security (Coursework Sample)

7.3.15COM 323E INFORMATION SYSTEMS SECURITY
OBJECTIVES
At the end of the course, the student should be able to:
* Explain the Protocol layers and security protocols of Networks.
* Explain the principles of electronic commerce.
* Identify basic problems related to security protocols.
COURSE OUTLINE
Protocol layers and security protocols. Intranets and extranets. Mobile computing. Electronic commerce. Security architectures in open-network environments. Cryptographic security protocols. Threats, attacks, and vulnerabilities. Security services: confidentiality; authentication; integrity; access control; non-repudiation; and availability. Security mechanisms: encryption; data-integrity mechanisms; digital signatures; keyed hashes; access-control mechanisms; challenge-response authentication; traffic padding; routing control; and notarization. Key-management principles. Distributed and embedded firewalls. Security zones.
Topics
1 Introduction to computer security
2 Security in the application level
3 Security in operating system
4 Physical security
5 Personnel issues
6 Network security
7 Environmental exposures and controls
8 Computer ethics
Information systems security
Chapter One
Introduction to computer security
A security system is a set of mechanisms and techniques that protect a computer system, specifically the assets. They are protected against loss or harm including unauthorised access, unauthorised disclosure and interference of information.
Assets can be categorised into:
* Resources – all instances of hardware, software, communication channels, operating environment, documentation and people
* Data – files, databases, messages in transit, etc.
A security attack is the act or attempt to exploit vulnerability in a system. Security controls are the mechanisms used to control an attack. Attacks can be classified into active and passive attacks.
* Passive attacks – attacker observes information without interfering with information or flow of information. He/she does not interfere with operation. Message content and message traffic is what is observed.
* Active attacks – involves more than message or information observation. There is interference of traffic or message flow and may involve modification, deletion or destruction. This may be done through the attacker masquerading or impersonating as another user. There is denial or repudiation where someone does something and denies later. This is a threat against authentication and to some extent integrity.
Security goals
* Confidentiality- is the term used to prevent the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.
* Integrity-In information security, integrity means that data cannot be modified undetectably. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of Consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality.
* Availability-For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.
* Authenticity-In computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim they are.
* Non-repudiation-In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction.
* Privacy -Ensuring that individuals maintain the right to control what information is collected about them, how it is used, who has used it, who maintains it, and what purpose it is used for.
Information security is protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
There are two major aspects of information system security:
* Security of the information technology used - securing the system from malicious cyber-attacks that tend to break into the system and to access critical private information or gain control of the internal systems.
* Security of data - ensuring the integrity of data when critical issues arise such as natural disasters, computer/server malfunction, physical theft etc. Generally an off-site backup of data is kept for such problems.
Effective information security has the following key aspects:
* Preventing the unauthorized individuals or systems from accessing the information.
* Maintaining and assuring the accuracy and consistency of data over its entire life-cycle.
* Ensuring that the computing systems, the security controls used to protect it and the communication channels used to access it, functioning correctly all the time, thus making information available in all situations.
* Ensuring that the data, transactions, communications or documents are genuine.
* Ensuring the integrity of a transaction by validating that both parties involved are genuine, by incorporating authentication features such as "digital signatures".
* Ensuring that once a transaction takes place, none of the parties can deny it, either having received a transaction, or having sent a transaction. This is called 'non-repudiation'.
* Safeguarding data and communications stored and shared in network systems.
Hazards (exposures) to information security
An exposure is a form of possible loss or harm. Examples of exposures include:
* Unauthorised access resulting in a loss of computing time
* Unauthorised disclosure – information revealed without authorisation
* Destruction, especially with respect to hardware and software
* Theft
* Interference with system operation.
Threats to information security
These are circumstances that have potential to cause loss or harm i.e. circumstances that have a potential to bring about exposures.
* Human error
* Disgruntled employees
* Dishonest employees
* Greedy employees who sell information for financial gain
* Outsider access – hackers, crackers, criminals, terrorists, consultants, ex-consultants, ex-employees, competitors, government agencies, spies (industrial, military etc), disgruntled customers
* Acts of God/natural disasters – earthquakes, floods, hurricanes
* Foreign intelligence
* Accidents, fires, explosion
* Equipment failure
* Utility outage
* Water leaks, toxic spills
* Viruses – these are programmed threats
Vulnerability
Vulnerability is a weakness within the system that can potentially lead to loss or harm. The threat of natural disasters has instances that can make the system vulnerable. If a system has programmes that have threats (erroneous programmes) then the system is vulnerable.
Security controls
These include:
* Administrative controls – they include
¯ Policies – a policy can be seen as a mechanism for controlling security
¯ Administrative procedures – may be put in place by an organization to ensure that users only do that which they have been authorised to do
¯ Legal provisions – serve as security controls and discourage some form of physical threats
¯ Ethics
* Logical security controls – measures incorporated within the system to provide protection from adversaries who have already gained physical access
* Physical controls – any mechanism that has a physical form e.g. lockups
* Environmental controls
Administering security
1 Risk analysis
It involves the evaluation of system assets and their vulnerabilities to threats. Risk analysis estimates potential losses that may result from threats
Reasons to perform a risk analysis
* Improve awareness
* Helps identify assets, vulnerabilities and controls
* Improve basis for control decisions
* Justify expenditure for security
Steps undertaken in risk analysis
* Identifying assets of the computing system, which can then be categorized as hardware, software, data, people, documentation and supplies.
* Identify vulnerabilities of assets. This step requires imagination in order to predict what damage might occur to the asset and from what source, bearing in mind that the three basic goals of computer security are ensuring secrecy, integrity a...