Web sites are unfortunately prone to security risks. And so are any networks to which web servers are connected. Setting aside risks created by employee use or misuse of network resources, your web server and the site it hosts present your most serious sources of security risk.
Web servers by design open a window between your network and the world. The care taken with server maintenance, web application updates and your web site coding will define the size of that window, limit the kind of information that can pass through it and thus establish the degree of web security you will have.
Information security (IS) is designed to protect the confidentiality, integrity and availability of computer system data from those with malicious intentions. Confidentiality, integrity and availability are sometimes referred to as the CIA Triad of information security.
The protection of data against unauthorized access, Programs and data can be secured by issuing passwords and digital certificates to authorized users. However, passwords only validate that a correct number has been entered, not that it is the actual person. Digital certificates and biometric techniques (fingerprints, eyes, voice, etc.) provide a more secure method (see authentication). After a user has been authenticated, sensitive data can be encrypted to prevent eavesdropping
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc.
Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The terms information security, computer security and information assurance are frequently used interchangeably.
These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.
In its most basic definition, information security means protecting information and information systems from unauthorized access, use, disruption, or destruction. The terms information security, computer security and information assurance are frequently used interchangeably.
Institutions of all sizes collect and store huge volumes of confidential information. The information may be about employees, customers, research, products or financial operations. Most of this information is collected, processed and stored on computers and transmitted across networks to other computers. If this information fell into the wrong hands, it could lead to lost business, law suits, identity theft or even bankruptcy of the business.
Information security has evolved significantly and grown even more important in recent years. From a career perspective, there are even more areas where a professional can work in the field. Some of the specialty areas within Information Security include network security, application and database security, security testing, information systems auditing, business continuity planning and digital forensics science, among others.
Information Security is simply the process of keeping information secure: protecting its availability, integrity, and privacy.
Information has been valuable since the dawn of mankind: e.g. where to find food, how to build shelter, etc. As access to computer stored data has increased, Information Security has become correspondingly important. In the past, most corporate assets were “hard” or physical: factories, buildings, land, raw materials, etc. Today far more assets are computer-stored information such as customer lists, proprietary formulas, marketing and sales information, and financial data. Some financial assets only exist as bits stored in various computers. Many businesses are solely based on information – the data IS the business.
Information Security is a Process:
Effective Information Security incorporates security products, technologies, policies and procedures. No collection of products alone can solve every Information Security issue faced by an organization.
More than just a set of technologies and reliance on proven industry practices is required, although both are important. Products, such as firewalls, intrusion detection systems, and vulnerability scanners alone are not sufficient to provide effective Information Security.
Information Security is a process. Information systems Security Policy is a well-defined and documented set of guidelines that describes how an organization manages, protects its information assets and makes future decisions about its information systems security infrastructure. Security Procedures document precisely how to accomplish a specific task. For example, a Policy may specify that antivirus software is updated on a daily basis, and a Procedure will state exactly how this is to be done – a list of steps.
Security is Everyone’s Responsibility:
Although some individuals may have “Security” in their title or may deal directly with security on a daily basis, security is everyone’s responsibility. A chain is only as strong as its weakest link. A workplace may have otherwise excellent security, but if a help desk worker readily gives out or resets lost passwords, or employees let others tailgate on their opening secure doors with their keycard, security can be horribly compromised.
Despite the robustness of a firewall, if a single user has hardware (e.g. a modem) or software (e.g. some file sharing software) that allows bypassing the firewall, a hacker may gain access with catastrophic results. There are examples where a single firewall misconfiguration of only a few minutes allowed a hacker to gain entrance with disastrous results. Security is an issue during an application’s entire lifecycle.
Applications must be designed to be secure, they must be developed with security issues in mind, and they must be deployed securely. Security cannot be an afterthought and be effective. System analysts, architects, and programmers must all understand the Information Security issues and techniques that are germane to their work.
End user awareness is critical, as hackers often directly target them. Users should be familiar with Security Policies and should know where the most recent copies can be obtained. Users must know what is expected and required of them. Typically this information should be imparted to users initially as part of the new hire process and refreshed as needed.
Information Security involves a Tradeoff between Security and Usability: There is no such thing as a totally secure system – except perhaps one that is entirely unusable by anyone! Corporate Information Security’s goal is to provide an appropriate level of security, based on the value of an organization’s information and its business needs. The more secure a system is, the more inconvenience legitimate users experience in accessing it.
Remember, IT - and Information Security are business support functions: Unless a company’s business is IT, IT is (one of many) business support functions.
Two major Aspects of information security are:
IT security: Sometimes referred to as computer security, Information Technology Security is information security applied to technology (most often some form of computer system). It is worthwhile to note that a computer does not necessarily mean a home desktop. A computer is any device with a processor and some memory (even a calculator). IT security specialists are almost always found in any major enterprise/establishment due to the nature and value of the data within larger businesses.
They are responsible for keeping all of the technology within the company secure from malicious cyber attacks that often attempt to breach into critical private information or gain control of the internal systems.
Information assurance: The act of ensuring that data is not lost when critical issues arise. These issues include but are not limited to: natural disasters, computer/server malfunction, physical theft, or any other instance where data has the potential of being lost. Since most information is stored on computers in our modern era, information assurance is typically dealt with by IT security specialists. One of the most common methods of providing information assurance is to have an off-site backup of the data in case one of the mentioned issues arise.
Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers.
Should confidential information about a business' customers or finances or new product line fall into the hands of a competitor or a black hat hacker, a business and its customers could suffer widespread, irreparable financial loss, not to mention damage to the company's reputation. Protecting confidential information is a business requirement and in many cases also an ethical and legal requirement.
For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures.
The field of information security has grown and evolved significantly in recent years. There are many ways of gaining entry into the field as a career. It offers many areas for specialization including securing network(s) and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning and digital forensics, etc.
Information Security Attributes: or qualities, i.e., Confidentiality, Integrity and Availability (CIA). Information Systems are composed in three main portions, hardware, software and communications with the purpose to help identify and apply information security industry standards, as mechanisms of protection and prevention, at three levels or layers: physical, personal and organizational. Essentially, procedures or policies are implemented to tell people (administrators, users and operators) how to use products to ensure information security within the organizations.
The CIA triad (confidentiality, integrity and availability) is one of the core principles of information security. (The members of the classic InfoSec triad -confidentiality, integrity and availability - are interchangeably referred to in the literature as security attributes, properties, security goals, fundamental aspects, information criteria, critical information characteristics and basic building blocks.)
There is continuous debate about extending this classic trio. citation needed] Other principles such as Accountability have sometimes been proposed for addition – it has been pointed out[citation needed that issues such as Non-Repudiation do not fit well within the three core concepts, and as regulation of computer systems has increased (particularly amongst the Western nations) Legality is becoming a key consideration for practical security installations.
Confidentiality refers to preventing the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network.
The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.
Confidentiality is necessary for maintaining the privacy of the people whose personal information is held in the system.
In information security, data integrity means maintaining and assuring the accuracy and consistency of data over its entire life-cycle. This means that data cannot be modified in an unauthorized or undetected manner. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of Consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality.
For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks, such as a flood of incoming messages to the target system essentially forcing it to shut down.
Authenticity In computing, e-Business, and information security, it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim to be. Some information security systems incorporate authentication features such as "digital signatures", which give evidence that the message data is genuine and was sent by someone possessing the proper signing key.
In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction.
It is important to note that while technology such as cryptographic systems can assist in non-repudiation efforts, the concept is at its core a legal concept transcending the realm of technology. It is not, for instance, sufficient to show that the message matches a digital signature signed with the sender's private key, and thus only the sender could have sent the message and nobody else could have altered it in transit.
The alleged sender could in return demonstrate that the digital signature algorithm is vulnerable or flawed, or allege or prove that his signing key has been compromised. The fault for these violations may or may not lie with the sender himself, and such assertions may or may not relieve the sender of liability, but the assertion would invalidate the claim that the signature necessarily proves authenticity and integrity and thus prevents repudiation.
Information security analysts
Information security analysts are information technology (IT) specialists who are accountable for safeguarding all data and communications that are stored and shared in network systems. In the financial industry, for example, information security analysts might continually upgrade firewalls that prohibit superfluous access to sensitive business data and might perform defencelessness tests to assess the effectiveness of security measures.
Electronic commerce uses technology such as digital signatures and public key encryption to establish authenticity and non-repudiation.
The Certified Information Systems Auditor (CISA) Review Manual 2006 provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."
Risk analysis and risk evaluation processes have their limitations since, when security incidents occur, they emerge in a context, and their rarity and even their uniqueness give rise to unpredictable threats. The analysis of these phenomena which are characterized by breakdowns, surprises and side-effects, requires a theoretical approach which is able to examine and interpret subjectively the detail of each incident
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (manmade or act of nature) that has the potential to cause harm.
It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called "residual risk".
The ISO/IEC 27002:2005 Code of practice for information security management recommends the following be examined during a risk assessment:
In broad terms, the risk management process consists of:
Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, and other), and supplies.
Conduct a threat assessment. Include: Acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.
Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control, technical security.
Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.
Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.
Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost effective protection without discernible loss of productivity.
Information security uses cryptography to transform usable information into a form that renders it unusable by anyone other than an authorized user; this process is called encryption. Information that has been encrypted (rendered unusable) can be transformed back into its original usable form by an authorized user, who possesses the cryptographic key, through the process of decryption.
Domain: Web & Information Security
Fig: Information Security