Information Security Concept Map - Coursework Example

Information security concept map Name: Course: Tutor: Date: Contents Information security concept map 0 Name: 0 Course: 0 Tutor: 0 Date: 0 Contents 1 Introduction 2 Aims of information security 2 Possible attacks and counter measures 4 Data manipulation and modification 4 Data theft 4 Flooding 4 Spoofing 5 Jamming 5 Mole/Sabotage 5 Packet sniffer 5 Social engineering 6 Virus attack 6 Concept map 7 Reference 7 Introduction Information is a very valuable asset to any organization. Each organization has the responsibility of ensuring that the integrity, validity and availability of information is maintained at all times. Due to the need to ensure the achievement of the mentioned attributes, there has been need for identification of possible attacks that any information system is prone to experience. Some of the attacks and risks associated with it can be caused directly by human negligence or indirectly. This paper discusses the aims or purposes of information security. I go ahead to discuss the possible attacks on information systems. A concept map has been provided at the end of the discussion showing the idea flow of the discussions given in the paper Aims of information security Information security is a field that concerns with the protection of information and data from unauthorized access or any activity that would otherwise be harmful to the information owner (Anderson, 2001). It is about preventing loss or managing the same. Some of the losses that information security seeks to prevent include loss of reputation, loss of financial assets and valuables, loss of customer goodwill and desire for engagement among other (Bishop, 2003). In general, its purpose is to protect the information resources of any particular organization from unauthorized access or damage. Some of the major points that can be pointed out here as the main aims of practicing information security include the following: a. Availability of information resource at all times. One of the aims of information security is to ensure that the same information is available at all times when needed. Unavailability of information can be caused by damage or corruption in the same or loss due to theft. Some of the resources that aid in the information processing and transfer need also to be well secured (Denning, 1982). b. Integrity of information: Integrity of information is an important aspect that each organization aims to achieve in its data stores (Ross, Janssen, & John, 2004). Protection of information and data is done in order to ensure that the integrity of the same is kept at all times. Viruses and other malware can corrupt information and for that reason, causes them lose its integrity. Unauthorized manipulation of information or data can also cause the same to lose integrity (Gollmann, 1999) c. Information confidentiality: Information is secured from unauthorized access in order to prevent confidential information from leaking out. Exposing client confidential information can cause a lot of problems to the company and for that reason, might attract a lot of law suits which can prove very costly to the company(Kenigsberg, 2004) Possible attacks and counter measures Data manipulation and modification Modification of data without authorization could lead to denial of information when required. False information can be generated from one’s own data files, which may lead to making poor or wrong decisions based on the retrieved data (Russell, 1991). This problem can be solved by use of intrusion access control backup or by training the users on right means of data security and management. (Lambo, 2006) Data theft This is a situation where information is stolen from a computer without the knowledge of the owner. The bad side of theft is that a competitor or a criminal might get access to the information (Schneier, 2000). This problem can however be controlled by training the users, use of backup as well as use of intrusion detection access control mechanism (Anderson K. , 2006). Flooding Users who bombard systems with a lot of information such that the systems are not able to handle all of them cause flooding (Aceituno, 2005). The risk associated with this problem is that the system might not process all the information coming or going out leading to some information to be left out (Dhillon, 2007). Another problem caused by the same problem is denial of service to users. It can be solved by use of firewalls and application of redundant systems in the machines/systems. Spoofing Spoofing can also be referred to as imitation. In this case, a pretender or imitator hijacks a valid session and pretends to be a valid user. The same can also be done by stealing authentication information like User Name and Password (Allen, 2001).  This attack is very bad because it is difficult to identify a valid user form a hijacker. Solving the problem can be done by use of stricter access control mechanism, encryption and user training (Krutz & Russell, 2003). Jamming Jamming can be caused by Electromagnetic waves, which disrupt transmission signals. Jamming can cause incorrect signals to be received or on the other hand the signal is received but cannot be understood by the users (Layton, 2007). This problem can be solved by use of redundant systems or disconnection of the networks once the problem is experienced. Mole/Sabotage A trusted person can expose organizational information to a competitor, criminal or to the public. Such people might be driven by a motive to revenge. Though it is hard to identify a mole in an organization or within close relations circles, measure to prevent the same from happening need however to be applied. This includes training of users and use of stronger access control mechanisms. Packet sniffer Packet sniffers are software tools that are used by attackers to collect valuable information in a network or a system. Such information that can be stolen by an attacker would include userID, Passwords, E-mails or credit card numbers. Encryption is the most effective way and common way to solve the problem (McNab, 2004). Social engineering Social engineering is one of the most common ways in which an attack can be perpetrated (White, 2003). In this case an attacker gains user trusts then tricks her/him into revealing his or her secrets like passwords, username and other important information (Dhillon G. , 2007). The only way to prevent such problem is by making users aware of such people and some of the techniques they use in the process. Virus attack A virus is a malicious program that attaches itself in to a computer program. The malicious program can destroy valid programs or information not forgetting that it can cause the systems computational time to be very low (Peltier, 2001).  The best way to prevent such attacks is by use of antivirus software like MacAfee, Kaspesky among others. Use of redundant systems, backups and user training are also some of the ways of solving this attack (Peltier, 2002). Concept map Reference Aceituno, V. (2005). On Information Security Paradigms. ISSA Journal . Allen, J. (2001). The CERT Guide to System and Network Security Practices. Boston, MA: Addison-Wesley. . Anderson, K. (2006, October 12). IT Security Professionals Must Evolve for Changing Market. SC magazine . Anderson, R. (2001). Security Engineering: A Guide to Building Dependable Distributed Systems. New Jersey: John Wiley and Sons, Inc. Bishop, M. (2003). Computer Security: Art and Science. London: Pearson Education, Inc. Denning, D. (1982). Cryptography and Data Security. New York: Addison-Wesley. Dhillon, G. (2007). Principles of Information Systems Security: text and cases. NY: ohn Wiley & Sons. Dhillon, G. (2007). Principles of Information Systems Security: text and cases. New York: John Wiley & Sons. Gollmann, D. (1999). Computer Security. New Jersey: John Wiley and Sons,Inc. Kenigsberg, N. (2004). A Framework for HIPAA IT Security Compliance: Leveraging for Security . Boston : EDUCAUSE Center for Applied Research Bulletin. Krutz, R., & Russell, D. V. (2003). The CISSP Prep Guide . Indianapolis, IN: Wiley. Lambo, T. (2006). ISO/IEC 27001: The future of infosec certification. ISSA Journal . Layton, T. P. (2007). Information Security: Design, Implementation, Measurement, and Compliance. . Boca Raton, FL: Auerbach publications. McNab, C. (2004). Network Security Assessment. Sebastopol, CA: O'Reilly. Neumann, P. (1995). Computer-Related Risks. . New Jersey: Addison-Wesley. Peltier, T. (2002). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Boca Raton, FL: Auerbach publications. Peltier, T. (2001). Information Security Risk Analysis. Boca Raton, FL: Auerbach publications. Ross, T., Janssen, & John, J. (2004). Leveraging IT Infrastructure for HIPAA Training EDUCAUSE Center for Applied Research Bulletin. Boston: EDUCAUSE Center for Applied Research Bulletin. Russell, D. a. (1991). Computer Security Basics. Sebastopol CA: O'Reilly and Associates. Schneier, B. (2000). Secrets and Lies: Digital Security in a Networked World. . New Jersey: John Wiley and Sons. Inc. White, G. (2003). All-in-one Security+ Certification Exam Guide. Emeryville, CA: McGraw- Hill/Osborne. Read More