What Is Information Security?

   

ABSTRACT:

Information security is an essentail concern in today's era. Threats to Information security is a major concern for many sectors of the society now a days and due to the excessive competition in the market it is mandatory to keep your data and information secure and constant upgradation in technology is also required.Therefore this paper demonstrates an introduction to the norms of information security to fulfil the requirements in various fields. 

                           Information Security/Cyber Security

INTRODUCTION:

Information security not only aim at securing the information from any unauthorized access,but also ensures the prevention of use,exposure,ruining,modification or remodeling,inspection or recording of data.Information can be physical or electrical one.A person’s details or his profile on social media, his data on any device like laptop, phone,his biometrics, etc are counted as information.Therefore information security covers many research areas like mobile computing, online social media, cryptography,cyber forensics,etc.

Information security programs are made by keeping in mind the following 3 main objectives or we can say that motives which are 

CONFIDENTIALITY,INTEGRITY,AVAILABILITY
(CIA).

1. CONFIDENTIALITY:- This term is related to privacy. According to this term data is not reavealed or leaked to illegitimate persons,instututions or organisations. For instance, a person is signing into his account on any social media and any other person take a glimpse of his password. In these cases, his privacy has been violated.

2. Integrity - This says that maintaining the accuracy and completeness of the data. This means that the data cannot be unauthorized. For example, when an employee leaves an organization, the employee's data in all departments such as accounts must be updated to reflect the status of the job left, so that the data is complete and accurate and only authorized personnel are allowed to edit employee data.

3. Availability - Information should be available when needed. For example, if a particular employee needs access, the cooperation of various organizational teams, such as network operations, development work, incident response and policy / change management, should be checked to see if the employee's leaf count has exceeded.

Denying a service attack is one of the factors that hinder access to information.

In addition, there is a principle governing information security programs. It is undeniable.

Representative refusal – tells us that one party does not refuse receiving the message or any transaction and the another party does not refuse the message or that transaction to another party. For example, in cryptography, the message matches the sender's digital signature, showing that the sender can send the message and no one else can change it in transit. Data integrity and authentication need to be rejected.

•  Authentication - means that the user verifies about their identity and that each input to the destination comes from a verified source. Following this agenda, a legal and original message is received from a verified source through a lawful transmission. For instance, in the above case, the sender sends the message with the hash value of the message and the digital signature generated by the private key. Now on the receiver side, this digital signature creates a hash value using the public key, and then hashes the message back to create the hash value. If the value of 2 matches is called a valid broadcast with authentication or we say the original message was received from the recipient.

• Capacity Responsibility - This means that the actions of a company must be found separately for that organization. For example, as we discussed in the Integrity section, do not allow all employees to make changes to other employee data. There is a special section in an organization where you receive a request to make such changes, they have to sign the letter to the highest authority, for example, the individual director may allow the college to make changes to check his bio matrix, so that the user timestamp (changes XX) records details. So if change is like this, then we can say that an entity can find functions separately.

The key to information security is information assurance, which says maintaining the CIA of information and certifying that information is not compromised when significant problems occur. These problems are not limited to natural calamities, computer / server crashes.

Thus, the field of information security has grown exponentially in last few years. It specializes in securing networks and related infrastructure, securing applications and databases, security testing, information systems auditing and business continuity planning.

                               

INFORMATION SECURITY AND ITS THREAT

Types of threat to information security:

 # Information extortion

 # Software attacks

 # Sabotage

 # Theft to intellectual property, equipment

 #Identity   theft

 Threat have negative impacts and cause harm to take opportunity of the vulnerability to rift security.

Software attacks :

Damaged cause due to trojan horses viruses and worms. Many  0f us  believe it as a fact that worms , malware , virus,  bots are of same category . But the truth according to the fact is  each of them are different ,the  only similar feature  is that each of them is a malicious software  which behaves  according to the provided situation .

Malware:

It  is a unique  combination of two words .First one is Malicious. The second one is   Software.  Malware is defined  as  malicious software which   is an intruding  program code  for  the purpose to execute malicious function  on  any kind of system.

Malware is of two types :

#malware actions

#infection methods

Malware with respect to Infection Method  are listed below

Virus :

With the property to create replica of themselves on the user program code  like videos, pictures  and songs by hooking themselves to the program or interrupting   function  calls  and further travelling and spreading  throughout the  Internet.  ARPANET was the first to identify  the creeper virus . Examples follows stealth Virus, Macro Virus,  file Virus,  boot sector virus etc.

Worms :

With self replicating property and   apart from that they hardly hook itself  to the user code  on the  computer. The factor that distinguish between   two, first the virus and the second one is the worm,  is that worms avail  network aware property with the advantage of travelling from one computer to the other with the condition that  the  network must be  available and  without causing much harm on the targeted computer ,  example consuming hard disk space causing computer to slow down.

Trojan :

The theory facts and the basic idea  of Trojan is unique as compared to the worms.

The Trojan  word taken from the great  ‘Trojan Horse’ tale in the  Greek mythology, which  narrates the great ideology of Greeks as how they entered the city of the troy by using big wooden horse and hiding themselves in it .  the horse was presented as a gift and  The Trojans appreciated horses and had faith in the  present given to them. During  night hours  the soldiers came out together and captured  the  entire city  by attacking from the horse.

Their main motive is to  hide themselves inside any kind of  software that seems appropriate  and during the time the  software is run they perform the task that they are designed for or steal any kind of information  as per their programming.

Due to the presence of backdoor  gateway the  malevolent users  enter the computer and is successful in stealing away the  valuable data without the permission. Examples are  FTP Trojans,  remote access trojans ,Proxy Trojans etc.

Bots :

  Latest version of the worms. They are  designed in automatic mode  processes which helps them to interact without human interactions all over the internet  . They can be both either causing advantage or  disadvantage . Malicious bot is very capable to  cause harm to a  host and after infecting one it furthers  create network  all over  the central server which will help in  facilitating    infected hosts with the commands that is attached to botnet that is a network .

Malware with respect to actions :

Adware :

 It  is not a kind of  malicious but it  does  rift the  privacy of the host . they show themselves by showing adds on the screen while using net or the software  . which results in   main source of income  for these kind of developers. They keep checks on  the interests  of the users and display appropriate ads. 

Attacker can encrypt  the software with the  malicious code   and adware can monitor the  activities of the system and can  also compromise with the  machine.

Spyware :

 Spyware is  a software or  a program that  helps to monitors the  activities of the host  on machine or system and specially designed in such a way to reveal  information collected in the process  to the required  party. Spyware are normally installed  itself  with the help of viruses, Trojans,  worms. They are programmed in such a way that once they are installed they can be at the system without being detected.


 Keylogger the most common available spyware .  keylogger basically perform  recording the  host  keystrokes with help of timestamp and further  capturing  information of interest  like  username,card details,passwords,etc.

Ransomware :

 Ransomware is a kind  of malware that will do the job of  hiding the host  files or will shut down the  computer which will be hardly accessible by the user . Then computer screen will display  the message that will ask for  money that will be  ransom for the accessibility of the machine.

Scareware :

It disguise itself  as helping  tool to  fix the host  computer  but when  scareware is  taken into action it will generally  infect the  machine  or will cause complete destruction  . The software is designed in such a way to make you afraid by displaying text which will leave you with no other option than to pay them with ransom.

Rootkits :

are designed in such a way  to gain full  access or  to have administrative privileges in the host  system. When it is able to  gain  root access, the hacker can be able to  steal  private  information  to private files.

Zombies :

 As  similar as  Spyware.  The common point is the process to Infect the  mechanism of the system  but  rather than spying or stealing the information they do wait for instructions from the exploiter.

·        Theft of intellectual property:

 means violating the right of  intellectual property  like patent ,copyrights, etc.

Identity theft:

 means to disguise oneself  in order to have access on  someone ‘s  private  and vital  information they do the following job by having themselves login into that person’ s social media login credentials.

Theft of equipment and information:

Here in this category increment can be seen because of the very reason that   there is increment in information storage because of the   mobile nature of machines .

·        Sabotage:

Causing destruction in company’ s system and machine in order to cause distrust in customers.

·        Information extortion :

 means threat to the  company’s information  or property in order to  receive ransom . For example ransomware normally make victims file inaccessible  by locking them thus forcing them for the ransom in exchange. In order to unlock the file payment is necessity .

regardless the  old generation  method to attack   it keeps on continue in  present days as well these days with advancement in the software. The one mentioned above we have more threats that are listed down below.

·        Technology with weak security :

With changing time we can notice advancement and change in technology which is used in new gadgets with updated software and to provide users with latest features. But the numbers that abide by the principles of information security are  very few .  due to the fact that the availability of these products is every where so competition can be noticed  in the markets so due to this very reason seller often compromise with the security to have the products advanced .thus leading to theft and exploitation.

·        Social media attacks :

In this type of attack  cyber criminals checks on the most visited site of one specific organization in order to steal required private data .

·        Mobile Malware :

·        It’s a here say that if danger has to be avoided in the security there should not be internet access.   Same theory applies to Mobile phones in which gaming applications with the main motive to drag users is designed to download the apps of the  game and without any  intention they are bound to  install  virus and malware  in the  system or device .

·        Outdated Security Software :

With  advancement in technology  new threats  can also be noticed hence there is constant requirement of updating security software to have defended system.

·        Corporate data on personal devices :

 every organization is bound to  follows a rule of  BYOD. BYOD full form is  Bring your own device like Laptops,  mobile phone Tablets to the working areas. Clearly BYOD creates  a serious danger  to security of information  but because of the fact of market products  issues  companies  are fighting  to accept this.

·        Social Engineering :

is the technique to trick people  in order to get access on personal information    like password  bank account details,  etc. These criminals can manipulate you and can gain trust with your passwords and further installing malware and virus in your system  .

Implementing Salting:

To validate the authenticity   we  principally use hacking. In order to make hashing safe salting is used. In hashing Salting is considered as an additional step taken towards security . If  such  situation arise that two costumers  have the possibility  of the  exactly same password ,it is probable to have same password for hashes . A salt,  defines as sequence of character which are random ,  which is an extra feature to the input of the password before the process of  hashing. Thus  making an other way round has for the two different passwords in hash . salting is an additional feature to hash making things difficult for look up tables and hence creating hindrance  in hacking  . the process of processing large amount of hash ups per second  tables of look ups is used  .

 Practical application  of Salting:

•  dimension of  function ‘s output of hash should tally with  salt  ‘size .

 during any  web application hash should br present on a server.

• user’s password salt should be different from the rest.

 A Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) is the  one of the best options available  to get  salt.  Further giving completely different numbers indeed highly safe to use.

In  storing  a password:

 Salt is supplied with the help of CSPRNG

• Addition of  salt to the very beginning of that unique  password.that has to be created

 •  then do the processing of Hashing   with SHA-256.

•  then do Save  hash and resulting in saving  the salt as well.

 To have eligible password:

 • then  Recovering hash and salt from the very database.

• then Addition of  salt to that very  password and doing  hashing.

 • then  Comparing  the hash of the supplied  password to the stored  one in  the database.

•  it will display inaccurate with password does not match  with the hashes.

Key stretching can  be accommodated  securely  against the attack. Hence  preventing hardware with high ends  which  further helps in computing   millions of hashes per   second with effectiveness.

Network Safeguarding

Network devices:

 Data as information and services requires transport communication . The main purpose of these device are to keep checks on the  targeted  cyber criminals.

Protection measure for different kind of network devices :

Routers:

this  communicate with every single person  to have recognition of the best  ideal way in order  to  persuade them with traffic to different  networks. In order to have  routing choice Routers  usually use the most efficient way that is routing protocols . Routers are capable of making  different services as one whole unit . such operations  methods usually results in making  routers as the  prime targets. The main  threat to  routers are  remote access and hacking, generally  fight against  protocols dealing with routing . in order to have safe protocol  few strategies with advance software and configuration helps to  ensures router.

Switches:

The   threat to the   switches in network are   attacks against protocol ,theft, hacking.  In order to safeguard the network  practical  applicability   of port security is must.  The  number of mac addresses which are only allowed on the port are restricted  with the help of  Port security . The switch helps to allow the  access to devices or machines  with legitimate   MAC (Media Access Control) addresses and declining the others in the process . MAC address is  indeed a subtle  identifier given as a blessing to the   interface controller in networking areas.

·        Firewalls:

the  firewall unauthorizes the  capable risky traffic by not allowing the entry of  the network. Firewall  helps in providing basic traffic allowance by  filtering  there  abilities with the help of  access control lists (ACL). Administrators use ACLs is used by administrators  to block  traffic  on the systems. ACL can be seen as proceeding  list of allowed or blocked  statements. The main purpose of hackers is to block   Firewalls and defeat there protection . The  access control list attacking is the   main threat  .  in order to Secure the authentication ,  remote access ,and appropriate system  there is the need of  updating software  so that firewall can be protected .

CONCLUSION:

Information security is the continuous process  which keeps on updating with time and is exercised with  due care and carefulness in order to protect and safe guard the  information with the systems as well from illegitimate access, revealing, devastation,distribution,modification,  disruption. There is endless process and steps to information security which involves continuous training, guarding it ,assessment,monitoring & identifying,incident response & documentation ,repairing, and review. It’s the necessity for any device and machine that is used for good purposes . it safeguards individual privacy and protects from threat and cyber crime.Continuous updating is required with advanced technology which plays key role in information secutrity.  

References: 

 

[1] Earl, Michael. Knowledge management strategies: Toward a taxonomy. Journal of management information systems 18.1 (2001) 215-233

[2] Anand, Vikas, Charles C. Manz, and William H. Glick. An organizational memory approach to information management. Academy of management review 23.4 (1998) 796-809

 [3] Schwenk, Charles H. Information, cognitive biases, and commitment to a course of action. Academy of Management Review 11.2 (1986) 298-310

 [4] Buhalis, Dimitrios, and Rob Law. Progress in information technology and tourism management: 20 years on and 10 years after the Internet - The state of eTourism research. Tourism management 29.4 (2008) 609-623

 [5] Benbya, Hind, Giuseppina Passiante, and Nassim Aissa Belbaly. Corporate portal: a tool for knowledge management synchronization. International Journal of Information Management 24.3 (2004): 201-220

 [6] Wang, Richard Y. et al. Manage your information as a product. MIT Sloan Management Review 39.4 (1998) 95

 [7] Hersey, Paul, and Kenneth H. Blanchard. Management of organizational behavior: Utilizing human resources. (1969) 526-526

 [8] Tushman, Michael L. and David A. Nadler. Information processing as an integrating concept in organizational design. Academy of management review 3.3 (1978) 613-624

[9]Brereton, Pearl, et al. Lessons from applying the systematic literature review process within the software engineering domain. Journal of systems and software 80.4 (2007) 571-583

 [10] Georgakopoulos, Diimitrios, Mark Hornick, and Amit Sheth. An overview of workflow management: From process modeling to workflow automation infrastructure. Distributed and parallel Databases 3.2 (1995): 119-153

 [11] Wright, Patrick M., and Scott A. Snell. Toward a unifying framework for exploring fit and flexibility in strategic human resource management. Academy of management review 23.4 (1998) 756-772

 [12] Alavi, Maryam, and Dorothy E. Leidner. Knowledge management systems: issues, challenges, and benefits. Communications of the AIS 1.2es (1999) 

 [13] Hicks, Ben J. Lean information management: Understanding and eliminating waste." International journal of information management 27.4 (2007) 233-249

 [14] Edmunds, Angela, and Anne Morris. The problem of information overload in business organisations: a review of the literature. International journal of information management 20.1 (2000) 17-28

[15] Teo, Thompson SH, and Bee Lian Too. Information systems orientation and business use of the Internet: An empirical study. International Journal of Electronic Commerce 4.4 (2000) 105-130