
AN INTRODUCTION TO INFORMATION SECURITY


INFORMATION SECURITY

 

Introduction

Organisations need to protect their databases, because if anyone can access them, the company's competitors gain an undue advantage. Consequently, the field of information security arose so that organisations could protect this valuable information. There are various methods and approaches that can be used to solve this problem, and technology forms one of the backbones. The effectiveness of this approach and of the others will be examined in detail in the essay below. [1]

 

Definition of information security

Information security may be defined as the process of protecting one's data. It ensures that an individual's or group's privacy is protected. In addition, it protects the availability and integrity of the information. [2]

 

There are numerous businesses today that place most of their information in computer systems. Hospitals, the military, the government and many small enterprises use them. This information could be detrimental to the company if it were accessed by the public, hence the need for information security. It is quite common to find that businesses keep the names of their employees, their salaries and their bank account details in their computer systems. On top of this, other firms place their client details, sales information and marketing information in their databases. If some of this information is lost, destroyed or compromised in any way, the company is hampered from going about its daily operations. [3]

 

Information security comes in a variety of forms. Some of the ways in which it can be achieved are through

  • policies
  • technologies
  • security products
  • security procedures
  • etc. [4]

 

It should be noted that software protection through virus protection or through the imposition of firewalls alone cannot be enough to solve the information security problem. There should be set procedures and systems within any given organisation that facilitate efficient data protection. [5]

 

Information systems comprise three main parts: software, hardware and communications. This implies that any information security system must be applied in all three realms. It must also be built in such a way that it cuts across the physical, the organisational and the personal. The procedures and policies normally used for these systems are those that apply to computer operators, users and administrators. It should be noted that information security applies to all types of data, whether electronic, printed or in other forms. Because of its breadth, information security has now become a career field in its own right. Some of the professions that fall under this vast topic include Information Systems Auditing, Digital Forensic Science and Business Continuity Planning. All these professions are associated with the protection of a company's business information. [6]

 

Why information security is a problem

In a world of technological development, much needs to be done to ensure that personal information is protected. This is because there are hackers: individuals who specialise in breaking into other people's computer networks. They are usually able to achieve this through the use of appropriate hardware. When hacking occurs, a company faces the danger of losing all its information. This normally occurs when the hacker has placed a virus in the company's computer system. Alternatively, hackers can gain access to a company's computer network and give away its confidential information. This is quite an alarming issue today because it takes only a matter of seconds before something like that can be achieved. Indeed, the moment a firm shuts down its security system for just one minute, hackers may gain access and obtain a great deal. [7]

 

Information security is also a big issue these days because breaches may be caused by dishonest employees within the company. Some workers may connive with outsiders to get into their company's computer systems. They may achieve this by changing passwords without informing the rest of the company why they did so. Sometimes, help desk workers may not be fully aware of the importance of securing company information. This causes them to become relaxed about it, or it may cause them to give out confidential information without realising that they are doing something wrong. Therefore, it is a company's duty to ensure that all its employees understand the importance of information security. [8]

 

Information security is also a problem because these days there are risks that make individuals more vulnerable to hacking. This is because some individuals have the ability to figure out passwords. Therefore, it is advisable to conform to some of the simple rules of data protection. These include using passwords that contain both numbers and words, and resetting passwords every now and then. One should also make sure not to store passwords in places where hackers or unauthorised personnel can easily access them. [9]

 

It should however be noted that no matter how sophisticated a company's information security system is, there will never be such a thing as one hundred percent security. Hackers and other computer experts are always on top of their game and will look for new ways of penetrating databases. [10]

 

Role of technology in this context

Technology is crucial in the process of managing information security because it is the basis upon which the process can be achieved; that is, it plays a crucial standard-setting role. There are numerous technological standards available in the market today. These include ISO 17799 and BS7799-2. These specifications are important in the process of building security management systems: the first is a code of practice, while the second gives details about security management systems. The specification is meant to act as an important reference point for information security systems applied in industry and commerce. ISO 17799 lists ten areas that need control during implementation, and these are: [11]

(1) Compliance

(2) Maintenance and systems development

(3) Access control

(4) Operations management and communications

(5) Environmental and physical security

(6) Personnel security

(7) Asset classification and control

(8) Organizational security infrastructure

(9) Business continuity management

(10) Establishing organizational security policy

There are various technological processes and tools used in the business world today. Technology can become a problem or a solution depending on how it is handled. Technology allows organisations to accumulate large amounts of data, a function that is difficult to achieve with other forms of information security. Technology also allows companies to restrict access to information that should not be made available to other parties. However, for organisations to achieve these functions, they need to design appropriate procedures and protection mechanisms. This will go a long way towards ensuring an even balance between privacy and security. [12]

 

Besides that, technology can also allow variable degrees of accessibility between the sender and the recipient. These days, there are gradations in the availability of information. For example, a sender can decide whether they would like to be completely anonymous or to fully identify themselves, and there are numerous levels in between. This is because certain transactions need to occur with only minimal levels of personal information. This normally applies to government organisations, especially when they are trying to access certain information about suspected offenders. Parties that request information from such organisations may be granted only the information they need and nothing more. Full disclosure could result in detrimental effects. Consequently, technologies allow only controlled interactions between persons, such that only relevant information is exchanged. [13]

 

There are three main issues that need to be dealt with when trying to implement technologies for use in an organisation. The first is that the organisation should examine, as far as possible, all the standards that are available, because not all standards are suitable for the environment in which a particular organisation operates. The second issue is the implementation of the technology. Lastly, companies need to ascertain that only authorised personnel gain access to information and that all others are denied. [14]

 

The importance of technology in information security lies in the fact that one does not need to protect huge amounts of data all at once. Instead, one can protect a single aspect of the security tool and thereby protect all the other information. For example, cryptography does not permit access to information even when an individual knows all about the technique. This is because the attacker still needs one aspect of the technology (the key, in the case of cryptography) to penetrate the information, and cannot proceed without it. [15]

 

Technology is important in solving information security problems for the following reasons:

- authentication

- non-repudiation

- integrity [16]

 

Authentication in this case means the prevention of impersonation, where one person pretends to be someone else. Technology also provides integrity, in that a company or individual can confirm that their data has not been modified or changed in any way. Lastly, technology plays a crucial role in providing non-repudiation. The latter term means that a person cannot deny that they sent certain data or that they read certain information.

 

Technological solutions may have some part to play in the protection of data; however, their more crucial role is in demonstrating that data has not been modified or altered in any way. They are also able to combine all three functions listed above, which is something that individuals on their own cannot achieve. [17]

 

Types of technology available today

Cryptography may be defined as the process by which data is transformed into a form that cannot be used by anyone except the authorised user. This is usually achieved through data encryption. Normally, the authorised user holds a cryptographic key, which gives them the ability to change the encrypted information back into a readable form through a process called decryption. The process applies to different scenarios. For example, the information under consideration may be in transit, that is, moving from one individual to another. Cryptography may also apply to data held in a company's database, that is, data in storage. Some of the applications that cryptography provides the user include:

  • digital signatures
  • message digests
  • better authentication methods
  • encrypted network communications
  • non-repudiation [18]

 

In the past, cryptography was achieved through less efficient applications like ftp and telnet. These days, there are better technologies used in the process. One of them is ssh, which uses encrypted network communications. There are also other protocols that can be applied to wireless communication, an example being WPA. Data files and email are usually encrypted through the PGP and GnuPG protocols. [19]

 

Cryptography comes in two main forms: symmetric technologies and asymmetric technologies. In symmetric algorithms, the encryption and decryption keys are the same. Consequently, before the algorithm can work, recipients and senders need to agree on the encryption key to be used. The advantage of symmetric algorithms is that it is quite easy to access and send information. Alternatively, companies can use asymmetric algorithms. In this approach, the encryption key differs from the decryption key, which implies that only the decryption keys need to be kept hidden. The latter form is more efficient than the former. However, the asymmetric approach is less easy to use than symmetric algorithms. [20]

 

Another method in use today is host-based firewalls. In this case, there is a virtual 'wall' through which only useful information is allowed into the organisation's computer network. Firewalls are normally used to protect the system against worms and spam. Firewalls are advisable for almost all types of computer networks, because spam and worms do not choose which networks are more interesting. However, firewalls themselves carry their own risks. For example, some may be porous and allow certain types of unauthorised information to enter a computer system. In that case, the firewall needs to be repaired.

 

Another method available in the market is snapshot technology. This is a method that allows organisations to record the status of a certain piece of information at any one time. The approach is quite useful for deterring individuals from trying to access a computer system, because it creates accountability: the organisation can determine whether information was altered. It can also reduce the rate of exposure to loss, consequently protecting the information. [21]
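As an added illustration (not code from the original essay) of the snapshot idea above and of the integrity role of technology described earlier, the following Python records a digest of each item at a point in time, seals the manifest so the snapshot itself cannot be quietly edited, and later reports what was altered, added or removed. The record contents and the key are constructed sample data.

```python
"""Snapshot-and-compare integrity check (added example, constructed data)."""
import hashlib
import hmac
import json


def take_snapshot(records: dict, key: bytes) -> dict:
    """Record a SHA-256 digest per item, then seal the manifest with an HMAC.

    The seal means an attacker who alters a record cannot also silently
    rewrite the snapshot to match it without knowing the key.
    """
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in records.items()}
    manifest = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "seal": hmac.new(key, manifest, "sha256").hexdigest()}


def snapshot_is_sealed(snapshot: dict, key: bytes) -> bool:
    """Verify the manifest seal in constant time."""
    manifest = json.dumps(snapshot["digests"], sort_keys=True).encode()
    expected = hmac.new(key, manifest, "sha256").hexdigest()
    return hmac.compare_digest(expected, snapshot["seal"])


def compare(snapshot: dict, records: dict, key: bytes) -> dict:
    """Report which items were altered, added or removed since the snapshot."""
    if not snapshot_is_sealed(snapshot, key):
        raise ValueError("snapshot manifest has been tampered with")
    old = snapshot["digests"]
    now = {name: hashlib.sha256(data).hexdigest() for name, data in records.items()}
    return {
        "altered": sorted(n for n in old if n in now and old[n] != now[n]),
        "added": sorted(n for n in now if n not in old),
        "removed": sorted(n for n in old if n not in now),
    }


if __name__ == "__main__":
    # Constructed sample records; the key would normally live in a key store.
    key = b"constructed-snapshot-key"
    before = {"salaries.csv": b"alice,50000\n", "clients.csv": b"acme\n"}
    snap = take_snapshot(before, key)
    after = {"salaries.csv": b"alice,90000\n", "marketing.txt": b"plan\n"}
    print(compare(snap, after, key))
```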

 

Another form of technology in use today in the world of information security is biometric solutions. In this approach, individuals are identified on the basis of some of their biological characteristics. It comes in various forms such as speaker recognition, hand geometry, facial recognition, fingerprint recognition, signature recognition, iris and retina recognition and many others. Biometric technologies have gained a lot of popularity as a method of information security because they are unique to particular individuals. Gone are the days when identification relied solely on what individuals know; rather, it was discovered that it is more efficient to protect information through biological techniques. [22]

 

Limitations to technology

The use of cryptography as a solution to information security problems places a number of restrictions on an organisation. Companies should be very careful when applying this approach. They should ensure that the cryptographic solutions they use have been peer reviewed by independent experts, because solutions implemented without prior examination can become a security threat themselves. This can be a huge liability for any company.

 

Companies should also be careful about certain elements of the encryption solution adopted. For example, they should check the strength and length of the key chosen. Encryption keys that are too short may end up not being very effective. Besides that, companies should make sure that the strength of the encryption key corresponds to the type of information to be protected. For example, information that is very confidential in nature may need a stronger key than less confidential information. All these requirements need to be met before the cryptographic solution becomes effective. We can therefore conclude that the requirements act as a limitation on the implementation of this form of technological solution. [23]

 

Another limitation that can arise from using cryptographic techniques is the issue of availability. The encryption key is itself a very sensitive tool, because it may be destroyed or disclosed to unauthorised personnel. If the encryption key is known, then anyone can use it to access confidential information.

 

Sometimes organisations lose their keys. This can be very detrimental to the organisation because it means that the data is inaccessible and cannot be reached no matter what they try. Consequently, companies can lose valuable information in this way. Even though companies may try to recover lost keys, it may be an exercise in futility. Cases of lost keys are usually detrimental when dealing with stored data. With transmitted data, however, all an organisation needs to do is send the information again. [24]

 

Besides this, organisations need to make sure that the key is available when necessary. It may be difficult to reconcile all these aspects, which brings about a lot of limitations on the use of this solution. Certain management techniques have been introduced to deal with this issue, for example PKI solutions.

 

However, not all organisations have the ability to implement cryptographic solutions and then key management solutions on top of that. These key management solutions can also pose an even bigger security threat than the unprotected data itself. Normally, companies try to create back-up systems for their keys or for their data. However, the back-up systems are not as carefully guarded as the data itself. Consequently, key back-ups have provided huge loopholes for security breaches, thus defeating the whole purpose of using the system in the first place. [25]

 

Biometric solutions also have their own disadvantages. For example, there may be a system malfunction where a valid member of the organisation is not identified by the system, yet that person may have an urgent need to access information. Sometimes it may not be possible to store every single person's biological information. Some people may be very important to the organisation and may have permission to access the company's information, yet it may be very difficult for the company to accommodate all of them in the biometrics database. Consequently, this impairs the effectiveness of this information security solution. [26]

 

When organisations use firewalls to protect their information systems, it may not always be very effective, because hackers are always coming up with ways of penetrating information systems. This means that it will always be an endless effort for the company to replace its firewall. As if that were not enough, certain firewalls are simply flawed by nature. This means that no matter what the company does to keep its firewall in good condition, it will always let certain worms or unauthorised information through. Therefore, organisations must invest a lot in determining which host-based firewalls are most appropriate and what they can do about them.

 

Whether technology alone can solve all the problems

Technology cannot be the only method used in solving information security problems, because of the nature of the threats received. It should be noted that the approaches used by individuals trying to gain access to a company's information system are quite complicated. These individuals may use public information to get an idea of a company's details. They may access its website and use certain details to deduce unknown information. Websites are a vast source of information about organisations. Here are just some of the things that can be found in those sources:

  • business partners
  • product names
  • idioms
  • corporate culture
  • contact information
  • mergers
  • acquisitions [27]

 

All these aspects are useful in gathering information that could lead to a break-in of the target company's website. Besides that, hackers usually try to scan all the available list servers. This acts as a guide to the type of network adopted by the target company. Normally, a company's system administrator may have a query about an element in their security system and will post it to a list server. A hacker interested in the company's network information could thereby find out more about the software and hardware used by that company. Since personal intervention is involved, it becomes very difficult for organisations to protect their information through technologies alone. [28]

 

With the numerous search engines on the internet today, it is quite easy to access information about employees within certain organisations. Google provides a huge database of this type of information. There are also the 'whois' records that list contact information and names of employees within various organisations. After hackers have gathered all this background information, they exploit it through a process called social engineering. In this process, they try to figure out things such as passwords and user names using the background information obtained. [29]

 

Social engineering is something that technology cannot eliminate easily. In this process, hackers manipulate an employee's propensity to trust. Normally, what such people do is use tricks to learn passwords. For example, one may pose as an angry and impatient boss who needs a password as soon as possible, which may tempt the employee to give out the information without hesitation. Others may act as system administrators who request passwords from certain employees. Social engineering may also come in the form of an employee who seeks password information from administrators remotely. Alternatively, hackers may pose as clients of information providers and gain access to crucial information. It is quite clear that such tactics are difficult to prevent through technological techniques alone. [30]

 

Sometimes, there are other, simpler methods of determining password information. For example, one might decide to visit a company's parking lot, where they will see staff members' vanity tags. Since certain individuals use their vanity tags as passwords, hackers could try them and may sometimes succeed in penetrating the target company's computer network. On top of this, there is the method of war dialling. This can be defined as checking telephone lines and network applications for loopholes. Hackers are aware that if a certain telephone extension or number behaves in certain ways, then its ports may be unprotected. They therefore use this to their advantage because they can know which modems are vulnerable. Similarly, hackers have the ability to determine how vulnerable wireless and infrared networks are, and they can use these inadequacies to gain access to the target's computer network. [31]

 

Security is not something that can be solved by technology alone, because it is a people problem. No amount of technology would be adequate to deal with the wits and tricks of hackers. Once organisations understand this, they can use other policy, legal and market measures to solve the problem. [32]

 

Since organisations are continuously collecting and storing information about individuals, hackers will also try their best to evolve their access techniques. They will always look for new and better ways of social engineering, war dialling and other methods to penetrate target companies' networks. [33]

 

How the problem can be solved

This can be achieved through a number of techniques. Organisations should try their best to adopt a hybrid model of governance. This can be done by incorporating security into all realms of their business operations. This means that information security should not be considered a separate entity or department within the organisation; it should be a concern for all staff members. At first, it may be difficult to make security part of many organisations' core business processes, because they are still trying to acclimatise to computer networks and systems. It may take a substantial amount of time before information security is taken seriously by all organisations, but they could start moving in that direction. Organisations that are ready for this change should integrate three aspects:

  • process
  • technology
  • people [34]

 

The first thing an organisation needs to do is perform a risk assessment. A risk is anything that could possibly compromise or affect information within the organisation. A risk assessment is the examination of all the vulnerabilities within an organisation and the decision whether or not to do something about those vulnerabilities. It should be noted that risk assessments are done over time. This must be a consistent practice within an organisation, because every day new threats are cropping up, and what may have been considered safe in the past may become quite dangerous in the future. Risk assessment also involves taking countermeasures. It should be noted that these measures must fit the given organisation, because the management or administration must consider the costs, the productivity and the value of the information to be protected. [35]

 

After performing a risk assessment, organisations should mitigate the risk. This can be done administratively. Administrative controls normally involve the use of standards, procedures and policies to act as guidelines for information security. Regulations and laws also fall under this form of control. Administrative controls tell staff members and other parties how the business is run on a daily basis. This differs from industry to industry. For example, in the banking sector, administrative controls come in the form of the data security standards applied to payment systems when using MasterCard and Visa cards. Other administrative controls that have worked in other companies include disciplinary policies, hiring policies, password policy and corporate security policy. [36]

 

 

Administrative controls are realised through logical controls. Logical controls are normally referred to as technical controls. They use various software applications within computer systems in order to mitigate risks. This can be through any of the following methods: logical controls, data encryption, access control lists, network intrusion detectors and host-based firewalls. All these techniques are founded upon the principle of least privilege. This implies that people who access information should get only what is necessary to complete the task at hand. There are certain common instances when this principle is violated, and they can become information security risks. For example, when a person has moved to another department within the organisation, there is a need to ensure that that person does not use previously acquired access to reach information they are no longer authorised for. [37]

 

Organisations also realise administrative controls through physical controls. These are all the physical actions taken by the organisation. This normally involves assessing the physical environment and ensuring that there are no information leaks. An organisation can achieve this through security cameras, with which it can monitor unauthorised personnel accessing its information. It can also put in place cable locks, barricades and fire suppression systems, and systems that detect when persons enter the organisation's premises and try to penetrate its computer networks. Sometimes, companies may decide to partition the workplace and their database so that unauthorised personnel are easily detected. [38]

 

On top of this, companies can implement physical controls by ensuring that the different functions within the organisation are performed by different individuals. This will go a long way towards ensuring that people do not exploit their positions to give away crucial information about the organisation. For example, one person should be given the duty of server administrator, another the duty of database administrator, and a completely different person the task of application programmer. Consequently, duties are divided and there is less room for infringement of the company's privacy policies. This is called the principle of separation of duties, and it is the foundation of the physical control methods. [39]
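An added example (not from the original essay) that puts the two preceding principles into code: a department transfer replaces a user's roles rather than accumulating them (least privilege), and the essay's three administrative roles are declared mutually exclusive so one person cannot hold two of them (separation of duties). Role names, permissions and users are constructed for illustration.

```python
"""Least privilege and separation of duties in a small role-based model.

Added example with constructed roles and permissions; not the essay's code.
"""
from dataclasses import dataclass, field

# Constructed role -> permission map; a role grants exactly these rights.
ROLE_PERMISSIONS = {
    "server_admin": {"server:restart", "server:read_logs"},
    "db_admin": {"db:read", "db:write", "db:backup"},
    "app_programmer": {"repo:read", "repo:write"},
    "sales": {"crm:read"},
}

# Separation of duties: the essay's three administrative roles must each be
# held by a different person, so every pair of them is declared conflicting.
CONFLICTING_ROLES = {
    frozenset({"server_admin", "db_admin"}),
    frozenset({"server_admin", "app_programmer"}),
    frozenset({"db_admin", "app_programmer"}),
}


class SeparationOfDutiesError(Exception):
    """Raised when a role grant would give one person two conflicting roles."""


@dataclass
class User:
    name: str
    department: str
    roles: set = field(default_factory=set)


def would_conflict(user: User, role: str) -> bool:
    """True if granting `role` pairs it with a conflicting role already held."""
    return any(frozenset({held, role}) in CONFLICTING_ROLES for held in user.roles)


def assign_role(user: User, role: str) -> None:
    """Grant a role, refusing grants that violate separation of duties."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    if would_conflict(user, role):
        raise SeparationOfDutiesError(f"{user.name} may not hold {role} with {user.roles}")
    user.roles.add(role)


def transfer(user: User, new_department: str, new_roles: set) -> None:
    """Least privilege on transfer: revoke every old role before granting new ones.

    Simply adding the new roles would leave the moved employee with the
    access of their previous post, which is the violation the essay describes.
    """
    user.roles = set()
    user.department = new_department
    for role in new_roles:
        assign_role(user, role)


def permissions(user: User) -> set:
    """Effective permissions: the union of the user's current roles."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def can(user: User, permission: str) -> bool:
    return permission in permissions(user)


if __name__ == "__main__":
    alice = User("alice", "it")
    assign_role(alice, "db_admin")
    print("db:write before transfer:", can(alice, "db:write"))
    transfer(alice, "sales", {"sales"})
    print("db:write after transfer:", can(alice, "db:write"))
```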

 

Afterwards, the company should make sure it classifies its information. This ought to be done in order of importance: not all information needs the same level of protection, so priority should be given to the most important. The classification process begins by identifying the owner of the information among members of senior management. Thereafter, the company should draw up policies regarding the classification of information, and all members of the firm should be informed of them. In line with this, companies need to follow regulations and laws when classifying information. [40]

 

Some of the elements an organisation could consider when classifying its information include how old the information is, which could indicate how obsolete it is, and how valuable the information is. Thereafter, organisations should label their information: for example, some information may be 'confidential', and other information 'private', 'sensitive' or 'public'. Once members of the organisation understand these rules of classification, they will be well on their way to achieving the best security controls within the company. [41]

 

After completing the classification process, the company must then control access. This begins with identification, where a person who makes a claim about their identity must back it up with proof. This is followed by authentication, where the system verifies whether the person entering the computer system is authorised. This can be done through a number of methods, including usernames and passwords. But gone are the days when this alone sufficed. These days, companies need to include other advanced methods such as magnetic swipe cards and biometrics like retina scans, voice prints, fingerprints and palm prints. All the above methods are available for ascertaining that the person making a claim is telling the truth. [42]

 

Authorisation must then be granted after the system has authenticated the claim. Normally, authorisation should also be controlled so that only the necessary information is displayed, depending on the nature or function of the person trying to gain access to the network. Some technological methods that can be used to achieve this include the control mechanisms of:

 - UNIX operating systems

 - Windows operating systems

 - firewalls

 - routers [43]
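The following added example (not part of the original essay) walks the identification, authentication and authorisation steps described above in Python, using the classification labels from the earlier section to decide which records a caller may see. The users, passwords and records are constructed, and the ordering of the four labels (public below sensitive below private below confidential) is an assumption, since the essay names the labels without ranking them.

```python
"""Identification -> authentication -> authorisation with classification labels.

Added example with constructed users and records; the label ordering is assumed.
"""
import hashlib
import hmac
import os

# Assumed ranking of the essay's labels, least to most restricted.
LABELS = ["public", "sensitive", "private", "confidential"]
LEVEL = {name: rank for rank, name in enumerate(LABELS)}
ITERATIONS = 100_000  # PBKDF2 work factor for the stored password hashes


def make_credential(password: str) -> dict:
    """Store a salted PBKDF2-HMAC-SHA256 hash rather than the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


# Constructed directory: identity -> (credential, clearance label).
USERS = {
    "bob": (make_credential("correct horse"), "private"),
    "carol": (make_credential("s3cret"), "public"),
}

# A credential for nobody, used so that unknown usernames take the same time
# to reject as wrong passwords (no username-enumeration timing difference).
_DUMMY = make_credential(os.urandom(8).hex())

# Constructed records, each labelled per the essay's classification step.
RECORDS = [
    {"id": 1, "label": "public", "body": "press release"},
    {"id": 2, "label": "sensitive", "body": "internal memo"},
    {"id": 3, "label": "private", "body": "salary list"},
    {"id": 4, "label": "confidential", "body": "merger plan"},
]


def authenticate(username: str, password: str) -> bool:
    """Identification is the claimed username; authentication is the password proof."""
    entry = USERS.get(username)
    cred = entry[0] if entry is not None else _DUMMY
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], ITERATIONS)
    matched = hmac.compare_digest(digest, cred["digest"])
    return matched and entry is not None


def authorise(username: str) -> list:
    """Return only the records at or below the caller's clearance."""
    _, clearance = USERS[username]
    return [r for r in RECORDS if LEVEL[r["label"]] <= LEVEL[clearance]]


def fetch(username: str, password: str) -> list:
    """Full pipeline: nothing is released unless authentication succeeds."""
    if not authenticate(username, password):
        return []
    return authorise(username)


if __name__ == "__main__":
    print([r["id"] for r in fetch("bob", "correct horse")])
    print(fetch("bob", "wrong password"))
```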

 

Alternative solutions

In order to improve information security, companies could allocate a substantial part of their budget to it. These funds could be used to educate members of the organisation. They could also be used for outsourcing, since experts in the field are better prepared and more informed about the fundamental aspects of information security. An internet service provider can also be involved in the information security process, because it can incorporate protection into the network connection and prevent many problems that could otherwise arise from inadequacies in the network. A few internet service providers offer anti-spam, anti-phishing and anti-malware protection to their clients. [44]

 

Organisations and stakeholders should take up liability for breaches in information security. This could go a long way in ensuring that all stakeholders in the information security system play their part. For example, software vendors need to accept liability when they sell software that exposes a given organisation's information. Organisations themselves need to be made liable when they expose personal details about their clients, partners or other parties that interact with them. Liability in this case will mean tangible economic losses directed at the parties that have made mistakes. This will act as a sort of incentive to all parties involved in the management of information. Consequently, such groups will try their level best to stay on their toes. They will know that there is a price to pay for negligence and will be more careful in the future. [45]

 

However, there is no such thing as 100 percent security. There is an obsession that people have with technology; they seem to think that it can solve everything, yet this is not the case. Actually, no approach or combination of approaches can boast of providing total security. This is because information security is a problem that has been brought about by people. As long as people exist, there will always be threats to an individual's or company's information networks. There will always be a chase between the attacker and the defender in information systems. Companies can only make the most of the available options; they cannot fully eradicate the problem. [46]

 

Conclusion

Technology provides the foundation for solving problems in information security. However, it cannot solve the issue alone, because people cause those problems and they must be involved. Consequently, the most comprehensive method of handling information security is through the integration of process, organisation and people. [47]

 

References:

Anderson, R. (2004): Liability and Computer Security: Nine Principles; Lecture Notes in Computer Science, pp. 231-245

Chaum, D. (2002): Achieving Personal Privacy; Scientific American, pp. 96-101

Finney, H. (2003): Detecting Double Spending; Routledge Publishers

Granger, S. (2008): Social Engineering Fundamentals: Part I: Hacker Tactics; retrieved from www.securityfocus.com/infocus/1527, accessed on 30 March 2008

Sullivan, B. (2005): Database Giant Gives Access to Fake Firms; MSNBC News, February 14, retrieved from www.msnbc.com/id/6969799, accessed on 30 March 2008

Saunders, M. & McPhee, M. (2007): Stones Rock the Internet; Boston Sunday Globe, 20 November 1994, p. 1, p. 34

Konrad, R. (2005): At Least 700 Have Identities Stolen; Associated Press, February 19, 2005, retrieved from http://story.news.yahoo.com/news?tmpl=story2&u=/ap/20050219/ap_on_bi_ge/choicepoint_identity_theft, accessed on 30 March 2008

Leyden, W. (2002): Crackers Favor War Dialing and Weak Passwords; The Register, April 26, 2002

Leyden, W. (2002): Financial Privacy: The Gramm-Leach-Bliley Act; retrieved from www.ftc.gov/privacy/glbact/, accessed on 30 March 2008

Parlin, T. (2003): The Text of the Law; retrieved from http://aspe.hhs.gov/admnsimp/pl104191.htm, accessed on 30 March 2008

Foley, M. (2006): Microsoft Readies Usage-Based Pricing Model; a report for PC Week, 1 August 1994, p. 3

Adras, J. (2003): Final Security Rule; retrieved from http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2003_register&docid=fr20fe03-4.pdf, accessed on 30 March 2008

Schwartz, J. (2004): The ISO's Product Description and Ordering; retrieved from www.iso.ch/iso/en/prods-services/popstds/informationsecurity.html, accessed on 30 March 2008

FAQ (2006): International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management: Frequently Asked Questions; retrieved from http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf, accessed on 30 March 2008

Allen, T. (2006): The NIST Computer Security Resource Center; ret

