Information System Security

Information System Security (INT407)
Information system
• An Information System (IS) is a group of components that interact to produce information.
• An Information System is an integrated and cooperating set of software-directed information technologies supporting individual, group, organizational, or societal goals.
• It is the study of the complementary networks that people and organizations use to collect, filter, process, create and distribute data.
Importance of Information System
Functions of Information System
Types of Information
Internal Information
• The information which is collected from sources internal to the organization is called Internal Information.
• This information is generated from the operations of the organization at various functional levels.
• This information always pertains to the various operational units of the organization.
• This information is generally required by middle or supervisory level management.
• Production figures, sales forecasts, budgets, stock levels, employee data and accounting reports are examples of internal information.
External Information
• The information which is collected from sources external to the organization is called External Information.
• This information is generated in the external environment of the organization.
• This information is considered to affect the organizational performance in the external environment.
• This information is generally required by top level management.
• This information is used in the planning process of management to give shape to its future.
• Government policies, economic trends, market information, competitive information, etc. are examples of external information.
IS and its role in management
• IS helps managers in effective decision-making.
• Based on IS, an organization gains an edge in the competitive environment.
• IS helps in taking the right decision at the right time.
• Knowledge gathered through IS is useful in unusual situations.
• IS can be integrated to formulate a strategy of action.
• IS ensures pervasiveness of decision making.
• IS makes the organization transparent.
• IS helps managerial learning about the organization.
Business-area wise organization of information
Changing nature of Information Systems
• Mainframe-based IS
• Client/server-based IS
• Web-based IS
Information system security and threats
• Misuse of IS leads to:
  • Loss of productivity
  • Loss of revenue
  • Legal liabilities
  • Workplace issues
Three Pillars of Information Security
• Confidentiality
• Availability
• Integrity
Confidentiality
This concept is used to prevent the intentional or unintentional unauthorized disclosure of message content.
Loss of confidentiality can occur in many ways, such as through the intentional release of private company information or through a misapplication of network rights.
Confidentiality is concerned with preventing the unauthorized disclosure of sensitive information.
For example, a bank never gives a client's information to another person.
Example 1: Suppose there is a computer on which some important data is saved. Confidentiality means there should be trust that the data will be accessed only by you or a dedicated user. Access to that data will be only through an authorized person.
Example 2: Suppose you have created a Facebook account. Whenever you log in, you are asked to type a user name and password.
Integrity
No one can modify or alter the contents of information other than the owner.
1. Prevention of the modification of information by unauthorized users.
For example, suppose User 1 sends a message ‘Hi’ to User 2:

User 1 ---- ‘Hi’ ----> User 2

The message contents shouldn’t be modified in between (e.g. ‘Hi’ must not arrive as ‘Xyz’).
2. Preservation of the internal and external consistency.
3. Internal consistency ensures that data is consistent.
For example, only the authorized user can change his Facebook password.
Internally, data should be maintained.
For example, no one can do transactions from my bank account other than me.
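The User 1 to User 2 exchange above with an integrity check attached, as an added example that is not from the slides: the sender computes an HMAC-SHA256 tag under a shared key, and the receiver's verification fails once ‘Hi’ has been changed to ‘Xyz’ in transit. The key value is constructed; note that a shared-key tag proves integrity but not non-repudiation, since either party could have produced it.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed shared secret between User 1 and User 2 (example value, not from the slides).
SHARED_KEY = b"example-shared-secret-do-not-reuse"


def make_tag(key: bytes, message: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag that binds the message to the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(key: bytes, message: bytes) -> Tuple[bytes, bytes]:
    """User 1's side: transmit the message together with its tag."""
    return message, make_tag(key, message)


def receive(key: bytes, message: bytes, tag: bytes) -> bool:
    """User 2's side: recompute the tag over what arrived and compare it in
    constant time. True means the message was not modified in between."""
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> Tuple[bool, bool]:
    """Run the slide's scenario: 'Hi' delivered intact, then 'Hi' replaced by 'Xyz'."""
    message, tag = send(SHARED_KEY, b"Hi")
    intact = receive(SHARED_KEY, message, tag)      # True
    tampered = receive(SHARED_KEY, b"Xyz", tag)     # False: the tag no longer matches
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```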
Availability
Availability assures that a system’s authorized users have timely and uninterrupted access to the information in the system and to the network.
For example, suppose you want to use your Facebook account at midnight; then the server should be available to serve you.
Other important terms
1. Identification - It indicates the means by which users claim their identities to a system. It is most commonly used for access control, and is necessary for authentication and authorization. For example, a logon ID or the identity card of employees in an organization.
2. Authentication - This is the testing or reconciliation of evidence of a user’s ID. It establishes the user’s ID and ensures that users are who they say they are. Authentication is a security measure designed to establish the validity of a transmission, message or originator, or a means of verifying an individual’s eligibility to receive specific categories of information.
For example, suppose an intruder is trying to illegally access someone’s account; then an alert message should be generated.
3. Accountability - A system’s ability to determine the actions and behaviour of a single individual within a system and to identify that particular individual. Audit trails and logs support accountability.
4. Authorization - The rights and permissions granted to an individual (or process), which enable access to a computer resource. Once a user’s ID and authentication are established, authorization levels determine the extent of system rights that an operator can hold. Thus, authorization is the access rights granted to a user, program or process.
The privileges allocated to an individual (or process) that enable access to a computer resource.
Famous attacks
1. Myths, rumors and hoaxes - Hoaxes are false emails (sometimes it is impossible to check where that email originated from). These result in reducing traffic to a website.
2. Online attack
Information level threats and network level threats
There are three terms:
a. Threat
b. Vulnerability
c. Countermeasures
Information level threats
1. Spreading wrong information, e.g. hoaxes
2. Involves purposeful dissemination of information
3. Sending fake inquiries
4. Setting up revenge websites
5. Falsified job advertisements
Network based threats
1. Hacking of computer systems
2. Denial of Service (DoS)
Flooding accounts with a large number of emails is a network based attack, as it is the size and the quantity of the email that matters and not the content of the email.
Before the rise of the Internet, attacks were physical, but nowadays attacks are carried out through networks.
Principal Sources of Security threats
1. Human Error - When an employee discloses confidential information, it comes under human error.
2. Computer abuse or crime - When a person intends to be malicious, e.g. fake rumours like “you have won a lottery”.
“Illegal act performed by a computer”
3. Natural Disasters - This can happen in the form of natural calamities, wars and riots.
4. Failure of hardware and software - Server malfunctioning and software errors.
Security threats related to computer abuse or crime
1. Impersonation - The impersonator enjoys the privileges of a legitimate user by gaining access to a system by identifying oneself as another person after having defeated the identification and authentication controls employed by the system.
2. Trojan Horse - Concealing within an authorized program a set of instructions that will cause unauthorized actions.
3. Logic Bombs - Unauthorized actions, often introduced with the Trojan horse technique, which stay dormant until a specific time comes, as the instructions may keep checking the system’s internal clock.
4. Computer Virus - A segment of code that is able to perform malicious acts and insert copies of itself into other programs in the system. Because of this replication, a virus will progressively infect healthy programs and systems.
5. DoS - Rendering the system unusable by legitimate users.
6. Data diddling - Changing data before or during input, often to change the contents of a database.
7. Salami technique - Diverting small amounts of money from a large number of accounts maintained by the system. These small amounts will not be noticed.
8. Spoofing - Configuring a system to masquerade as another system on the network in order to gain unauthorized access.
9. Super-Zapping - Using a system program that can bypass regular system controls to perform unauthorized acts.
10. Scavenging - Unauthorized access to information by searching through the residue after a job has been run on a computer, e.g. a printer.
11. Data leakage -
12. Wire tapping - Tapping computer telecommunication lines to obtain information.
13. Theft of mobile devices.
Security related basic terms and definitions
1. Non-repudiation - Assurance that someone cannot deny the validity of something.
2. Electronic or digital signature - A digital code generated by public key encryption.
3. Steganography
• The art of hiding the existence of a message.
• Ensures confidentiality and integrity of data.
• Example: In a digital image, the least significant bit of each word can be used to carry a message without causing any significant change in the image.
4. Encryption
5. Cipher
6. Cryptography
7. DoS attacks
8. Interception
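The least-significant-bit example under item 3 (Steganography), worked through as added code that is not part of the original slides: the message bits replace the least significant bit of each pixel value in a constructed 8-bit grayscale array, so no pixel changes by more than 1, and the extractor reads the message back. Anyone who knows the scheme can run the extractor, which is why steganography alone hides the existence of a message but does not keep its content confidential; the payload should be encrypted before embedding. The 4-byte length header, the cover array and the message are my assumptions.

```python
from typing import List


def embed_lsb(pixels: List[int], message: bytes) -> List[int]:
    """Hide `message` in the least significant bit of each pixel value.
    A 4-byte big-endian length header is embedded first (an assumption of this
    example) so the extractor knows how many bytes to read back."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for this message")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # clear the LSB, then set it to the message bit
    return out


def extract_lsb(pixels: List[int]) -> bytes:
    """Recover the hidden message by reading the LSB of each pixel, MSB-first per byte."""
    def read_bytes(start: int, count: int) -> bytes:
        value = bytearray()
        for b in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[start + b * 8 + i] & 1)
            value.append(byte)
        return bytes(value)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)   # message bits start after the 32 header bits


def max_pixel_change(original: List[int], modified: List[int]) -> int:
    """Largest per-pixel difference; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(original, modified))


# Constructed 8-bit grayscale "image": 128 pixel values, not a real image file.
COVER = [(37 * i) % 256 for i in range(128)]
STEGO = embed_lsb(COVER, b"hidden")

if __name__ == "__main__":
    print(extract_lsb(STEGO), max_pixel_change(COVER, STEGO))  # b'hidden' 1
```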
Characteristics of digital signature
1. Authentication
2. Non-repudiation
3. Non-reusability
Categories of logical and physical assets
WHY WE NEED INFORMATION CLASSIFICATION?
• Not all information has the same level of importance or the same level of criticality.
• Prevents unauthorized disclosure and the resultant failure of confidentiality.
• Helps the organization to apply security policies and security procedures.
INFORMATION CLASSIFICATION
• Unclassified
• Sensitive but unclassified
• Confidential
• Secret
• Top secret
CRITERIA FOR INFORMATION CLASSIFICATION
• Value
• Age
• Useful life
• Personal association
Data Integrity and Availability issues in CRM
• System management issues
• Duplication of effort in inputting data
• Data integrity issues: the same information entered differently by different individuals.
• No data synergy
• More time searching for information, less time acting on it.
How do organizations ‘classify’ data and information?