With the growth of Internet access, information security has become one of the basic issues of the Internet. Does increased security provide comfort to people, or does it provide basic protections that we believe we do not need? At a time when the Internet provides essential communication between tens of millions of people and is increasingly used as a tool for commerce, security becomes a tremendously important issue to deal with.
In January 2008, 541.7 million computers were connected worldwide. The Internet is not a single networking resource; people all over the world are loosely connected through it and can reach each other without regard to geographical boundaries.
As millions of people are connected, risk comes along with convenience and easy access to information. Risk is the chance that valuable information will be lost, hacked, stolen, or otherwise compromised. On the Internet, information is stored electronically, so it carries more risk than information kept in paper files, and its reach is much wider.
1.2 Security
In general, security is "the quality or state of being secure-to be free from danger."[1] In other words, it is the protection of electronic data from those who would intentionally do it harm. The security of information depends on a multifaceted system. Information security, in the sense used here, is the protection of data or information transferred over the Internet from one user to another. An Internet user's information must be kept safe from unauthorized persons and hackers.
1.3. Characteristics of Information
The value of information comes from the characteristics it possesses. When a characteristic of information changes, the value of that information either increases, or more commonly, decreases. Some characteristics affect information's value to users more than others do. This can depend on circumstances; for example, timeliness of information can be a critical factor, because information loses much or all of its value when it is delivered too late. Though information security professionals and end users share an understanding of the characteristics of information, tensions can arise when the need to secure the information from threats conflicts with the end users' need for unhindered access to the information. For instance, end users may perceive a tenth-of-a-second delay in the computation of data to be an unnecessary annoyance. Information security professionals, however, may perceive that tenth-of-a-second as a minor delay that enables the accomplishment of an important task, like data encryption.
[Figure 1.1: Components of Information Security. Labels in the figure: Information security; Network security; Policy; Computer & data security; Management of information security.]
1.4. Components of Information Security
1.4.1. Information Security
contents of the stacks, they expect to find the information they need available in a usable format and familiar language, which in this case typically means bound in a book and written in English.
1.4.2. Accuracy
Information has accuracy when it is free from mistakes or errors and it has the value that the end user expects. If information has been intentionally or unintentionally modified, it is no longer accurate. Consider, for example, a checking account. You assume that the information contained in your checking account is an accurate representation of your finances. Incorrect information in your checking account can be caused by external or internal means. If a bank teller, for instance, mistakenly adds or subtracts too much from your account, the value of the information is changed. Also, as the user of your bank account, you may accidentally enter an incorrect amount into your account register. This also changes the value of the information. Either way, the inaccuracy of your bank account could cause you to make mistakes, such as bouncing a check.
1.4.3. Authenticity
Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is in the same state in which it was created, placed, stored, or transferred. Consider for a moment some common assumptions about e-mail. When you receive e-mail, you assume that a specific individual or group created and transmitted it; that is, you assume you know its origin. This is not always the case. E-mail spoofing, the process of sending an e-mail message with a modified header field, is a problem for many people today, because often the modified field is the address of the originator. Nothing in the mail protocols forces the From: header to match the account that actually sent the message, so spoofing the sender's address can fool the recipient into thinking that the message is legitimate traffic. In this way, the spoofer can induce readers to open e-mail they otherwise might not have opened. Spoofing can also be performed on data being transmitted across a network, as in the case of User Datagram Protocol (UDP) packet spoofing: UDP has no connection handshake, so a forged source address is not checked, and a spoofed packet can enable the attacker to gain access to data stored on computing systems.
Another variation on spoofing is phishing, which occurs when an attacker attempts to obtain personal or financial information using fraudulent means, most often by posing as another individual or organization. Pretending to be someone you are not is sometimes called pretexting when it is undertaken by law enforcement agents or private investigators. When used in a phishing attack, spoofing is used in an e-mail that lures victims to a Web server that does not represent the organization it purports to, in an attempt to steal their private data, such as account numbers and passwords. The most common variants include posing as a bank or brokerage company, an e-commerce organization, or an Internet service provider. Even when authorized, pretexting does not always lead to a satisfactory outcome.
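The spoofing problem described above, as an added example that is not part of the original text: the visible From: address is whatever the sender typed, so a receiver has to look at what its own mail server actually verified. The two messages, the domains, and the Authentication-Results header (the form a receiving server adds after SPF/DKIM checks) are all constructed for this demo; the code parses that header rather than re-verifying DKIM signatures, which would need the signer's public DNS keys.

```python
"""Added example (not from the original text): why the From: header alone
proves nothing about an e-mail's origin, and how a receiver can instead
check that the From: domain is backed by an authenticated DKIM signature.

Both messages below are constructed samples; the domains are placeholders.
The Authentication-Results header is the kind a receiving mail server adds
after verifying SPF/DKIM; we parse it rather than re-verifying signatures.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr

# Constructed sample: the attacker put the bank's address in From:. SPF and
# DKIM both "pass", but only for the attacker's own domain: SPF checks the
# envelope sender, which the attacker controls, so a pass is no evidence.
SPOOFED = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=evil.example; dkim=pass header.d=evil.example
From: "Example Bank" <alerts@bank.example>
To: victim@example.net
Subject: Please confirm your account

Click here to verify your account.
"""

# Constructed sample: a legitimate message whose DKIM-signing domain
# matches the From: domain (DMARC-style "alignment").
LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example
From: "Example Bank" <alerts@bank.example>
To: customer@example.net
Subject: Your monthly statement

Your statement is available in online banking.
"""

def parse(raw: str) -> Message:
    return email.message_from_string(raw)

def from_domain(msg: Message) -> str:
    """Domain of the visible From: address (what the user sees)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def dkim_pass_domains(msg: Message) -> set:
    """Domains for which the receiving server recorded dkim=pass."""
    domains = set()
    for hdr in msg.get_all("Authentication-Results", []):
        for d in re.findall(r"dkim=pass[^;]*?header\.d=([\w.-]+)", hdr):
            domains.add(d.lower())
    return domains

def dkim_aligned(msg: Message) -> bool:
    """True only if a dkim=pass domain equals (or is a parent of) the From: domain."""
    fd = from_domain(msg)
    return any(fd == d or fd.endswith("." + d) for d in dkim_pass_domains(msg))

def classify(raw: str) -> str:
    return "aligned" if dkim_aligned(parse(raw)) else "unaligned (possible spoof)"

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(f"{name}: From domain {from_domain(parse(raw))} -> {classify(raw)}")
```

The check only trusts an Authentication-Results header that the receiving server itself added; a sender can forge that header too, so real mail servers strip any copy that arrives from outside before adding their own.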
Confidentiality
Information has confidentiality when disclosure or exposure to unauthorized individuals or systems is prevented. Confidentiality ensures that only those with the rights and privileges to access information are able to do so. When unauthorized individuals or systems can view information, confidentiality is breached. To protect the confidentiality of information, you can use a number of measures, including the following:
• Information classification
• Secure document storage
• Application of general security policies
• Education of information custodians and end users
Confidentiality, like most of the characteristics of information, is interdependent with other characteristics, and is most closely related to the characteristic known as privacy.
In an organization, the value of confidentiality of information is especially high when it involves personal information about employees, customers, or patients. Individuals who deal with an organization expect that their personal information will remain confidential, whether the organization is a federal agency, such as the Internal Revenue Service, or a business. Problems arise when companies disclose sensitive information that was deemed confidential. Sometimes this disclosure is intentional, but there are times when disclosure of confidential information happens by mistake, for example when confidential information is mistakenly e-mailed to someone outside the organization rather than to someone inside the organization.
Integrity
Information has integrity when it is whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being stored or transmitted. Many computer viruses and worms are designed with the explicit purpose of corrupting data. One crude method for detecting a virus or worm is therefore to look for changes in file integrity as shown by the size of the file; this catches only changes that alter the size, and a modification that overwrites bytes in place goes unnoticed. A far stronger method of assuring information integrity is file hashing, in which a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value.
For a cryptographic hash function such as SHA-256 the hash value is unique in practice: many different bit strings map to each value, but it is computationally infeasible to find two files that share one, so a matching hash is strong evidence that the contents are unchanged. If the computer system performs the same hashing algorithm before trusting the contents of the file and returns a different number than the posted hash value for that file, the file has been altered and the integrity of the information is lost. The posted hash itself must come over a trusted channel or be signed; a hash that an attacker can replace along with the file proves nothing. Information integrity is the cornerstone of information systems, because information is of no value or use if users cannot verify its integrity. File corruption is not always a result of external forces, such as hackers. Noise in the transmission media, for instance, can also cause data to lose its integrity. Transmitting data on a circuit with a low voltage level can render the data inaccurate on the receiving end. Redundancy bits and check bits can compensate for internal and external threats to the integrity of information. During each transmission, algorithms, hash values, and error-correcting codes ensure the integrity of the information, and data whose integrity has been compromised is retransmitted. Note that check bits and error-correcting codes defend against random noise, not against a deliberate attacker who can recompute them; resisting that requires a keyed check such as a message authentication code, or a digital signature.
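The file-hashing check described above, as an added example that is not part of the original text: the "file" is a constructed byte string and the "posted" hash is computed here from the original bytes in place of one a publisher would distribute. The example also shows why the size check mentioned in the text is weak (a one-bit change keeps the size) and why "unique" depends on the hash being long enough, by finding a collision on a deliberately truncated hash.

```python
"""Added example (not from the original text): verifying a file against a
posted SHA-256 hash, why size alone is a poor integrity check, and why
hash uniqueness is a matter of output length (collision resistance).
All inputs are constructed for the demo.
"""
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    """The hash value: one large number, rendered as 64 hex digits."""
    return hashlib.sha256(data).hexdigest()

def verify(data: bytes, posted_hex: str) -> bool:
    """Recompute the hash and compare with the posted one.
    compare_digest avoids leaking where the comparison diverged via timing."""
    return hmac.compare_digest(sha256_hex(data), posted_hex)

def size_check(data: bytes, posted_size: int) -> bool:
    """The crude check the text mentions: file size only."""
    return len(data) == posted_size

def tamper_same_size(data: bytes, offset: int) -> bytes:
    """Flip the lowest bit of one byte: size unchanged, content changed."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)

ORIGINAL = b"PAY TO: alice  AMOUNT: 100.00 USD\n"   # constructed sample "file"
POSTED_HASH = sha256_hex(ORIGINAL)                  # what the publisher would post
POSTED_SIZE = len(ORIGINAL)

def demo() -> dict:
    # Flip one bit in the first '1' (0x31 -> 0x30): "100.00" becomes "000.00".
    tampered = tamper_same_size(ORIGINAL, ORIGINAL.index(b"1"))
    return {
        "original_hash_ok": verify(ORIGINAL, POSTED_HASH),   # True
        "tampered_hash_ok": verify(tampered, POSTED_HASH),   # False: hash catches it
        "tampered_size_ok": size_check(tampered, POSTED_SIZE),  # True: size misses it
        "tampered_text": tampered.decode(),
    }

def truncated_collision(nbytes: int = 1) -> tuple:
    """Birthday search on SHA-256 truncated to `nbytes`. With 1 byte a
    collision appears after a handful of tries; with the full 32 bytes the
    same search is infeasible, which is the only sense in which a hash
    value is 'unique'."""
    seen = {}
    i = 0
    while True:
        m = f"msg-{i}".encode()
        h = hashlib.sha256(m).digest()[:nbytes]
        if h in seen:
            return seen[h], m
        seen[h] = m
        i += 1

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
    a, b = truncated_collision(1)
    print(f"8-bit collision: {a!r} and {b!r} share prefix {sha256_hex(a)[:2]}")
```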
Utility
The utility of information is the quality or state of having value for some purpose or end.
Information has value when it can serve a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful. For example, to a private citizen U.S. Census data can quickly become overwhelming and difficult to interpret.
1.4. Components of an Information System
As shown in Figure 1-5, an Information System (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization. These six critical components enable information to be input, processed, output, and stored. Each of these IS components has its own strengths and weaknesses, its own characteristics and uses. More important, each component of the information system has its own security requirements.
1.4.1. Software
The software component of the IS comprises applications, operating systems, and assorted command utilities. Software is perhaps the most difficult IS component to secure. The exploitation of errors in software programming accounts for a substantial portion of the attacks on information. The news is filled with reports warning of holes, bugs, weaknesses, or other fundamental problems in software. Software programs are the vessels that carry the lifeblood of information through an organization. Unfortunately, software programs are often created under the constraints of project management, which limit time, cost, and manpower. Information security is all too often implemented as an afterthought, rather than developed as an integral component from the beginning. In this way, software programs become an easy target of accidental or intentional attacks.
1.4.2. Hardware
Hardware is the physical technology that houses and executes the software, stores and carries the data, and provides interfaces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of these physical assets from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system. Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible.
1.4.3. Data
Data stored, processed, and transmitted through a computer system must be protected. Data is often the most valuable asset possessed by an organization, and it is the main target of intentional attacks. Systems developed in recent years are likely to have been created to make use of database management systems. When done properly, this should improve the security of the data and the application. Unfortunately, many system development projects are not done in ways that make use of the database management system's security capabilities, and in some cases the database is implemented in ways that are less secure than traditional file systems.
1.4.4. People
Though often overlooked in computer security considerations, people have always been a threat to information security. Legend has it that around 200 B.C. a great army threatened the security and stability of the Chinese empire.[1]
1.4.5. Procedures
Another frequently overlooked component of an IS is procedures. Procedures are written instructions for accomplishing a specific task. When an unauthorized user obtains an organization's procedures, this poses a threat to the integrity of the information. For example, a consultant to a bank learned how to wire funds by using the computer center's procedures, which were readily available. By taking advantage of a security weakness (lack of authentication), this bank consultant ordered millions of dollars to be transferred by wire to his own account. Lax security procedures caused the loss of over ten million dollars before the situation was corrected. Most organizations distribute procedures to their legitimate employees so they can access the information system, but many of these companies fail to provide proper education on the protection of the procedures. Educating employees about safeguarding the procedures is as important as securing the information system. After all, procedures are information in their own right. Therefore, knowledge of procedures, as with all critical information, should be disseminated among members of the organization only on a need-to-know basis.
1.4.6. Networks
The IS component that created much of the need for increased computer and information security is networking. When information systems are connected to each other to form Local Area Networks (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge. The physical technology that enables network functions is becoming more and more accessible to organizations of every size. Applying the traditional tools of physical security, such as locks and keys, to restrict access to and interaction with the hardware components of an information system is still important; but when computer systems are networked, this approach is no longer enough. Steps to provide network security are essential, as is the implementation of alarm and intrusion detection systems to make system owners aware of ongoing compromises.
There are many aspects to security and many applications, ranging from secure commerce and payments to private communications and protecting passwords. One essential aspect for secure communications is that of cryptography and steganography.
1.5 Techniques to Secure Information
Two techniques are mainly used for securing information.
1.5.1 Cryptography
Cryptography is an important element of any strategy to address message transmission security requirements. It is the practical art of converting messages or data into a different form, such that no one can read them without access to the 'key'. Encryption by itself hides content but does not by itself prevent undetected modification; in practice the ciphertext is also authenticated, for example with a message authentication code, so that a recipient can tell tampered or forged data from genuine data.
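The key-based transformation described above, as an added example that is not part of the original text. It is an illustrative construction from standard-library primitives only: HMAC-SHA256 used as a keystream generator in counter mode for the encryption, then a second HMAC over the ciphertext as the authentication tag (encrypt-then-MAC). The key, nonce size and sample message are assumptions of the demo; a production system should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained library rather than this construction.

```python
"""Added example (not from the original text): encryption with a secret key
so the data is unreadable without it, plus an authentication tag so that
a wrong key or tampered ciphertext is rejected instead of yielding garbage.

Illustrative construction from stdlib primitives (HMAC-SHA256 keystream in
counter mode, encrypt-then-MAC). Use a vetted AEAD in real systems.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16   # assumed for the demo
TAG_LEN = 32     # SHA-256 output

def derive_keys(master: bytes) -> tuple:
    """Separate encryption and MAC keys from one master key (label-based)."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac

def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = HMAC(enc_key, nonce || i), concatenated."""
    out = bytearray()
    i = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        i += 1
    return bytes(out[:length])

def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. A fresh random nonce per message is
    essential: reusing one under the same key leaks the XOR of plaintexts."""
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(master: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time compare), only then decrypt."""
    enc_key, mac_key = derive_keys(master)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))

def roundtrip_demo() -> dict:
    key = os.urandom(32)
    msg = b"transfer 100.00 to account 12345"   # constructed sample
    blob = encrypt(key, msg)
    wrong_key_rejected = tamper_rejected = False
    try:
        decrypt(os.urandom(32), blob)            # wrong key: must be rejected
    except ValueError:
        wrong_key_rejected = True
    tampered = bytearray(blob)
    tampered[NONCE_LEN + 4] ^= 0x80              # flip a ciphertext bit
    try:
        decrypt(key, bytes(tampered))
    except ValueError:
        tamper_rejected = True
    return {
        "roundtrip": decrypt(key, blob) == msg,
        "ciphertext_differs": blob[NONCE_LEN:-TAG_LEN] != msg,
        "wrong_key_rejected": wrong_key_rejected,
        "tamper_rejected": tamper_rejected,
    }

if __name__ == "__main__":
    for k, v in roundtrip_demo().items():
        print(f"{k}: {v}")
```

Without the tag check, a flipped ciphertext bit would decrypt to a plaintext with the same bit flipped (for example a changed amount), which is exactly the undetected-modification problem that encryption alone does not solve.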
1.5.2. Steganography
Steganography is the security technique of hiding information inside media or within other information in such a way that an unauthorized user has no idea that hidden information is present. Most steganography work has been carried out on pictures, video clips, music, and sounds. Text steganography is the most difficult kind, because a text file has little redundant information, whereas a picture or a sound file contains a great deal of redundancy that can be used to carry hidden data [1].
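The redundancy argument above, as an added example that is not part of the original text: least-significant-bit (LSB) embedding over raw 8-bit pixel samples, the classic way image redundancy is used to hide a message. No image library is involved; the "cover image" is a constructed list of grayscale sample values, and the length-prefix framing is an assumption of the demo, not a standard format.

```python
"""Added example (not from the original text): LSB steganography over
constructed 8-bit grayscale samples. Each sample's lowest bit is replaced
by one payload bit (4-byte length prefix first, so the extractor knows
where to stop). A sample changes by at most 1 of 255 levels, which is
visually imperceptible, but it is still a modification that a hash of the
original image or a statistical test on the LSB plane can reveal.
"""

def _bits(data: bytes):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1

def embed(cover: list, payload: bytes) -> list:
    """Copy of `cover` whose LSBs carry len(payload) (4 bytes) + payload."""
    framed = len(payload).to_bytes(4, "big") + payload
    needed = len(framed) * 8
    if needed > len(cover):
        raise ValueError(f"cover too small: need {needed} samples, have {len(cover)}")
    stego = list(cover)
    for idx, bit in enumerate(_bits(framed)):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego

def extract(stego: list) -> bytes:
    """Read the LSBs back: the 4-byte length, then that many payload bytes."""
    def read_bytes(start: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            val = 0
            for i in range(8):
                val = (val << 1) | (stego[start + b * 8 + i] & 1)
            out.append(val)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("declared payload longer than carrier: no valid message")
    return read_bytes(32, length)

def max_abs_change(cover: list, stego: list) -> int:
    """Largest per-sample difference the embedding introduced (1 for LSB)."""
    return max(abs(a - b) for a, b in zip(cover, stego))

# Constructed cover: a smooth 16x16 grayscale gradient (256 samples).
COVER = [(x * 3 + y * 5) % 256 for y in range(16) for x in range(16)]
SECRET = b"meet at 9"   # 9 bytes + 4-byte length = 104 samples needed

def demo() -> dict:
    stego = embed(COVER, SECRET)
    return {
        "recovered": extract(stego),
        "max_change": max_abs_change(COVER, stego),
        "samples_changed": sum(a != b for a, b in zip(COVER, stego)),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The same trick does not transfer to plain text: a character has no "low bit" that can change without altering what a reader sees, which is the lack of redundancy the text refers to.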