Information Security Concept Map - Term Paper Example

Summary
This term paper, "Information Security Concept Map", discusses information security, which ensures that the integrity, availability, and privacy of data are protected. Every organization has a role in ensuring that proper risk management strategies are put in place for data security…

Extract of sample "Information Security Concept Map"

Assignment title: Information Security Assignment 01
The title of your topic: Information Security Concept Map

TABLE OF CONTENTS

  • INTRODUCTION
  • CONFIDENTIALITY
  • INTEGRITY
  • AVAILABILITY
  • COUNTERMEASURE
  • INFORMATION THREATS AND ATTACKS
  • CONCEPT MAP
  • RECOMMENDATION
  • CONCLUSION
  • References

INTRODUCTION

Information security ensures that the integrity, availability and privacy of data are protected. Every organization has a role in ensuring that proper risk management strategies are put in place for data security. The primary function of information security is to prevent unauthorized access, disclosure or modification of information in order to maintain reliable and timely access and use. Development in the telecommunication sector, with the rise of mobile technologies such as tablets, laptops, iPads and netbooks that have recording and internet connectivity features, brings new challenges to cyberspace security (Libicki, 2012). The emergence of cloud computing and information storage in the cloud brings flexibility and scalability, but it makes information access and control complex. This is further complicated by increasing cybercrime sophistication and the complexity of the information ecology (Ruan, et al., 2011).

The cyberspace security team strives to protect the cyber infrastructure against external attack and aggression. The threats target not only the cyber infrastructure but also people and their resources (Kitiyadisai, 2005). The main areas to be looked into are confidentiality, integrity and availability (CIA).

[Figure: CIA triad components (Stallings and Brown, 2008)]

This chapter will introduce the concept of information and computer security.
It will strive to highlight information security and to look into the need to plan for possible threats and to define security policies in order to limit the vulnerabilities existing in organizational information and computer systems. The chapter will also look at the establishment of information and computer security measures that are good for the organization. The paper is meant to help information security managers in organizations understand the concept of information security with reference to its importance, responsibilities, the threats involved, control measures, and how to plan and implement security policies. The paper will finally provide a detailed concept map that clearly designates the broad concept of information security and management. All these are meant to sustain effective and efficient business operations, communication and transactions.

CONFIDENTIALITY

According to Stallings and Brown (2008), confidentiality is the CIA component that ensures authorized restrictions on access to and disclosure of information, together with the means of protecting personal privacy. McKnight (2002) also pointed out that confidentiality ensures information is accessible only to the intended individuals who are duly authorized for access and use. This therefore prevents access to information by unauthorized persons.

To ensure information confidentiality is achieved, countermeasures are used such as authentication, passwords, protection against malicious software, and restricting user access to organizational data through privileges and user rights. Confidentiality therefore guarantees that only authorized data users have the right to access organizational data.

INTEGRITY

Stallings and Brown (2008) highlighted that integrity is the CIA triad component that strives to ensure the trustworthiness of information, with information and programs changed only in an appropriate or specified manner.
McKnight (2002) pointed out that information integrity ensures information reaches its destination as it was sent. This means that organizational data and computer programs should carry a high level of confidence, with no alteration or distortion whatsoever. According to Tallinn (2014), the inhibitor of cyberspace needs to be well defined to ensure information is disseminated to the right group. Communication and file sharing across the network are advancing, while unethical behaviors such as cyber spoofing and hacking continue to be complex and dynamic.

Data integrity guarantees that only authorized persons have the right to modify sensitive organizational information and that there is a mechanism to detect whether such data has been altered in transmission. This also guarantees that data remains authentic.

AVAILABILITY

According to Stallings and Brown (2008), availability is the CIA triad component that ensures reliable and timely access to and use of information. McKnight (2002) also observed that the information needed by the user should be available at the place the user needs it, at the right time and in the right format. Availability refers, unsurprisingly, to the availability of information resources. According to McKnight (2002), information that is not available at the time it is needed is as bad as none at all, or even worse. Threats to the availability component could be system malfunction, denial of service, virus attack, network failure, natural phenomena, or human causes such as accidental or intentional error. System and data availability guarantees uninterrupted access to and use of information resources by users whenever they are needed.

COUNTERMEASURE

According to Dhillon (2007), information in organizations is regarded as a very important asset.
There are threats facing organizational data as malicious and unauthorized individuals try to access the information. This interferes with the organization's smooth business operation. There is therefore a need for both corrective and preventive measures. A countermeasure is a protection that mitigates a potential threat. This is achieved either by eliminating a vulnerability or by reducing the magnitude of risk occurrence. Countermeasures involve cost and optimal resource allocation. It is very hard for information security administrators to put in place security countermeasures that restrict users and control attacks, because resources and time are limited (Dhillon, 2007). Warwick, F. (1994) pointed out that users restricted from accessing information are also disgruntled, complaining that work becomes very difficult when so many control measures are put in place.

Since resources are limited, there is a need for optimal allocation of resources when rolling out information security measures. The cost of an information security countermeasure will therefore depend heavily on the cost of the asset under threat. Information needs to be classified in order to determine which data is most worth securing and which may not need much security. Information classification sorts data into categories based on their confidentiality, integrity and availability requirements. Unclassified data is data that has few or no confidentiality, integrity or availability requirements and hence needs less effort to secure. Restricted data is data that should not be open to access by unauthorized persons; its disclosure will negatively affect the organization. The data therefore has a high confidentiality requirement and needs more effort and resources to secure.
Confidential data is data that must comply with the requirement of confidentiality. The same applies to secret data, which needs significant effort to secure since its leakage does great damage to the image of the organization (Warwick, 1994).

Information security has two orientations: the prevention aspect and the detection aspect. These two aspects depend on the available security technologies and on the underlying circumstances. Prevention methods include controls such as passwords and other authentication mechanisms, while detection mechanisms include the use of an audit trail to trace intrusions. All this is to ensure confidentiality, availability and information integrity.

INFORMATION THREATS AND ATTACKS

The paper will also look into the security risks, together with the tools and techniques used by hackers to exploit system vulnerabilities in order to intrude on or maliciously interfere with information security. Threats compromise information security. A security threat has been defined as any circumstance that has the potential to adversely affect the operations, assets, image and even data of an organization. The threat has the potential to exploit a vulnerability in the organization's systems.

According to Cubby & McNeilage (2012), there are web offenders who use cyberspace for their own dubious schemes, especially targeting unsuspecting individuals, banks, companies or even government and military agencies. Examples are cyber terrorism, web site hacking and cracking; some use mobile telecommunication devices to coordinate public disorder, terror or gang activities. Kitiyadisai (2005) pointed out that cyber threats and attacks may target resources such as information and communication technology equipment, data banks and even classified government information. There are also threats like denial of service, where major websites are attacked and users are denied access, or the website's normal performance or people's ability to connect is prevented (Cohen, 1995). There are also cases where cyber attacks disrupt physical computer devices through a virus or worms.

Information security therefore strives to address security threats; such threats include malicious attacks, natural disasters, system malfunctions, and internal attacks, among others. McGuire (2012) observed that most cyber crimes are executed by some form of organized activity. Students now not only hack sites to access unauthorized information; they also download unauthorized video, software, games and music.

Threats

  • Natural disaster: floods, fire, earthquake and storm; tsunami and hurricane
  • Malicious: virus, worms and Trojan horse; shareware and cyber attack; password cracking; denial-of-service attacks; packet modification; intrusion attacks; network spoofing; eavesdropping
  • Adversaries: terrorists, criminals and hackers; corporate competitors; disgruntled employees; government agencies
  • Internal attack: fraudulent mails; lost equipment and data; access to unauthorized information
  • Malfunctions: power failure; network and device failure; overwritten data and software crash

Countermeasures

  • Policy control: determine acceptable risk; risk assessment and mitigation; determine security requirements; design security solutions; implement security policies; measure and evaluate status; review regulations; training and awareness
  • Technical controls: firewalls and password policy; intrusion prevention systems (IPS); virtual private network (VPN); biometric authentication devices; routers with ACLs; Secure Sockets Layer (SSL); proxy server (restrict port access); anti-virus software, authentication and encryption
  • Physical controls: fences, guards and locks; intruder detection systems; uninterruptible power supplies; fire-detection systems; security-awareness training

Table: Information security threats and control measures (Denning, 1990).
CONCEPT MAP

[Figure: concept map]

RECOMMENDATION

These policies should be balanced with individual privacy so that, as management looks into ways to combat cyber threats, fundamental individual privacy rights are not compromised. However, where national security and individual privacy contend, national security must take precedence. According to Broadhurst, et al. (2014), the dynamic nature of attacks and threats needs a wide and complex approach to combat the menace. Management should find a way of defining information security policies and a regulatory framework in order to ensure its workers are not adversely affected by cyber attacks.

CONCLUSION

The current development in information and communication technology is amazing. The widespread availability of computers and other complex ICT resources, with faster Internet connections, has brought more opportunities and equal challenges as far as information security management is concerned. People now use the internet as a beneficial tool; however, some cyber offenders exploit it for malicious, terrorist or criminal purposes. Malicious attackers use a diverse range of techniques and tools to exploit vulnerabilities in security policies just to achieve their own evil goals.

This paper has identified several threats to information as an asset. These threats include natural disasters, human acts, internal attacks and malicious attacks. The paper has also identified some of the countermeasures that can be used to mitigate the risk caused by an attack. These measures include password authentication, network control, policy formulation, physical control and even technical control. If these measures are implemented well, information will be secure, with confidentiality, integrity and availability of information ensured for authorized users whenever it is needed and in the right format.

References

  • Amoroso, Edward G. (1994). Fundamentals of Computer Security Technology. Englewood Cliffs, NJ: PTR Prentice-Hall.
  • Broadhurst, et al. (2014). Organizations and Cyber crime: An Analysis of the Nature of Groups engaged in Cyber Crime. International Journal of Cyber Criminology, Australian National University, Australia. Retrieved from http://www.cybercrimejournal.com/broadhurstetalijcc2014vol8issue1.pdf
  • Brown, Carol E. and Alan Sangster. Electronic Sabotage. http://accounting.rutgers.edu/raw/aies/www.bus.orst.edu/faculty/brownc/lectures/virus/virus.htm
  • Cohen, Frederick B. (1995). Protection and Security on the Information Superhighway. New York: John Wiley & Sons, Inc.
  • Denning, Peter J., Editor (1990). Computers Under Attack: Intruders, Worms, and Viruses. New York: ACM Press; and Reading, MA: Addison-Wesley Publishing Company.
  • Dhillon, Gurpreet (2007). Principles of Information Systems Security: text and cases. NY: John Wiley & Sons.
  • Ford, Warwick (1994). Computer Communications Security. Upper Saddle River, NY: Prentice Hall.
  • Kitiyadisai, K. (2005). Privacy rights and protection: Foreign values in modern Thai context. Ethics and Information Technology, 7(1), 27-36.
  • Libicki, M. (2012). Panel on Response to Cyberattacks: The Attribution Problem. The McCain Conference, U.S. Naval Academy, Annapolis. Retrieved from http://www.youtube.com/watch?v=bI7TLqTt0H0
  • McKnight, W. L., Dr. (2002). What is information assurance? CrossTalk: The Journal of Defense Software Engineering. Retrieved July 13, 2008 from: http://www.stsc.hill.af.mil/crosstalk/2002/0/mcknight.html
  • Stallings, W., and Brown, L. (2008). Chapter 1: Overview. Computer Security Principles and Practice. Upper Saddle River, NJ: Pearson Education Inc.
  • Tallinn (2014). 1st Workshop on Ethics of Cyber Conflict Proceedings. Retrieved from https://www.ccdcoe.org/publications/ethics-workshop-proceedings.pdf