2012

PRAMOD KUMAR

DEPARTMENT OF CS&IT

HITM, AGRA

EIT-505 Information Security



EIT-505 Information Security and Cyber Laws

UNIT-I

History of Information Systems and its Importance, basics, Changing Nature of Information Systems, Need of Distributed Information Systems, Role of Internet and Web Services, Information System Threats and attacks, Classification of Threats and Assessing Damages, Security in Mobile and Wireless Computing- Security Challenges in Mobile Devices, authentication Service Security, Security Implication for organizations, Laptops Security, Basic Principles of Information Security, Confidentiality, Integrity Availability and other terms in Information Security, Information Classification and their Roles.

UNIT-II

Security Threats to E Commerce, Virtual Organization, Business Transactions on Web, E-Governance and EDI, Concepts in Electronics payment systems, E Cash, Credit/Debit Cards. Physical Security- Needs, Disaster and Controls, Basic Tenets of Physical Security and Physical Entry Controls, Access Control- Biometrics, Factors in Biometrics Systems, Benefits, Criteria for selection of biometrics, Design Issues in Biometric Systems, Interoperability Issues, Economic and Social Aspects, Legal Challenges

UNIT-III

Model of Cryptographic Systems, Issues in Documents Security, System of Keys, Public Key Cryptography, Digital Signature, Requirement of Digital Signature System, Finger Prints, Firewalls, Design and Implementation Issues, Policies. Network Security- Basic Concepts, Dimensions, Perimeter for Network Protection, Network Attacks, Need of Intrusion Monitoring and Detection, Intrusion Detection. Virtual Private Networks- Need, Use of Tunneling with VPN, Authentication Mechanisms, Types of VPNs and their Usage, Security Concerns in VPN

UNIT-IV

Security metrics- Classification and their benefits. Information Security & Law, IPR, Patent Law, Copyright Law, Legal Issues in Data mining Security, Building Security into Software Life Cycle. Ethics- Ethical Issues, Issues in Data and Software Privacy. Cyber Crime Types & overview of Cyber Crimes

References:

1. Godbole, “Information Systems Security”, Wiley
2. Merkov, Breithaupt, “Information Security”, Pearson Education
3. Yadav, “Foundations of Information Technology”, New Age, Delhi
4. Schou, Shoemaker, “Information Assurance for the Enterprise”, Tata McGraw Hill
5. Sood, “Cyber Laws Simplified”, Mc Graw Hill
6. Furnell, “Computer Insecurity”, Springer
7. IT Act 2000

4

UNIT-I

Highlights

History of Information Systems and its Importance,

basics, Changing Nature of Information Systems,

Need of Distributed Information Systems,

Role of Internet and Web Services,

Information System Threats and attacks,

Classification of Threats and Assessing Damages

Security in Mobile and Wireless Computing- Security Challenges in Mobile Devices

authentication Service Security, Security Implication for organizations,

Laptops Security

Basic Principles of Information Security, Confidentiality, Integrity Availability and

Other terms in Information Security, Information Classification and their Roles.

References:

1. Godbole, “Information Systems Security”, Wiley
2. Principles of Information Security, 2nd Edition

HISTORY OF INFORMATION SYSTEMS

• The earliest “mainframe” computers could only process a single task by a single user

– 1946: ENIAC (Electronic Numerical Integrator and Calculator) was developed

– 1951: first computer installed by the U.S. Census Bureau

– 1954: first computer used by G.E.

• Over the last half century, hardware has seen many-fold increases in speed and capacity and dramatic size reductions

• Applications have also evolved from relatively simple accounting programs to systems designed to solve a wide variety of problems

Multitasking

IBM revolutionized the computer industry in the mid-1960s by introducing the IBM System/360 line of computers. These computers were the first to perform multiple processing tasks concurrently.

Smaller Computers

• The first small-scale systems, called minicomputers, were smaller and less powerful but could handle processing for small organizations more cheaply

• Even smaller microcomputers designed for individual use were later developed, first by Apple and Tandy Corp.

• In 1982, IBM introduced the first personal computer, or PC, which has since become the standard for individual computing

Moore's Law

• Coined in the 1960s by Gordon Moore, one of the founders of Intel

• States that the storage density (and therefore the processing power) of integrated circuits is doubling about every year

• By the 1970s the doubling rate had slowed to 18 months, a pace that has continued up to the present

Importance of Information Systems

In the world of globalization, an information system is one in which data are collected, classified and processed, and the results interpreted, in order to provide an integrated series of information for further communication and analysis. In an increasingly competitive global environment, the information system plays the role of ‘enabler and facilitator’, which provides strategic value to the organization and a considerable improvement in the quality of management. ‘An information system is a particular type of work system that uses information technology to capture, transmit, store, retrieve, manipulate or display information, thereby supporting one or more other work systems’. In addition to supporting decision making, co-ordination and control, information systems may also help managers and workers investigate problems, visualize complex subjects and generate new products or services.

Work systems and the information systems that support them typically undergo at least four phases:

a) Initiation, the process of defining the need to change an existing work system

b) Development, the process of acquiring and configuring/installing the necessary hardware, software and other resources

c) Implementation, the process of making the new system operational in the organization, and

d) Operation and maintenance, the process concerned with the operation of the system, correcting any problems that may arise and ensuring that the system is delivering the anticipated benefits.

The management of these processes can be achieved and controlled using a series of techniques and management tools which, collectively, tend to be known as Structured Methodologies.

Two important methodologies, PRINCE (Projects IN a Controlled Environment) and SSADM (Structured Systems Analysis and Design Methodology), both developed by the Central Computing and Telecommunications Agency (CCTA), are used widely in the UK public sector and in some developing countries, like Bangladesh, Pakistan, Nepal etc. Before commenting on the application of these methods in the developing countries, it would be pertinent to describe brief outlines of these methodologies.

PRINCE is a project management method, not a system development method; it covers the organisation, management and control of projects. Since its introduction in 1989, PRINCE has become widely used in both the public and private sectors and is now the UK’s de facto standard for project management. Although PRINCE was originally developed for the needs of IT projects, the method has also been used on many non-IT projects. PRINCE requires a dedicated team to be established to manage and carry out each project. It therefore aims to provide a supporting framework between the current state of affairs and the planned future state. PRINCE focuses attention on end-products rather than activities, ensuring that the organization actually gets what it wants out of the project. Quality is seen as a necessary and integral part of the project, and the focus on end-products enables the criteria by which quality is to be judged to be specified at the outset of the project. It requires the development of a viable “business case” for the project at its outset, and that the business case be periodically reviewed.

Basics of Information System

What Is an Information System?

An information system (IS) can be any organized combination of people, hardware, software, communications networks, data resources, and policies and procedures that stores, retrieves, transforms, and disseminates information in an organization. People rely on modern information systems to communicate with each other using a variety of physical devices (hardware), information processing instructions and procedures (software), communications channels (networks), and stored data (data resources). Consider some of the following examples of information systems:

• Smoke signals for communication were used as early as recorded history can account for the human discovery of fire. The pattern of smoke transmitted valuable information to others who were too far away to see or hear the sender.

• Card catalogs in a library are designed to store data about the books in an organized manner that allows for a particular book to be located by its title, author name, subject, or a variety of other approaches.

• Your book bag, day planner, notebooks, and file folders are all part of an information system designed to assist you in organizing the inputs provided to you via handouts, lectures, presentations, and discussions. They also help you process these inputs into useful outputs: homework and good exam grades.

• The cash register at your favorite fast-food restaurant is part of a large information system that tracks the products sold, the time of a sale, the inventory levels, the amount of money in the cash drawer, and contributes to analysis of product sales between any combination of locations anywhere in the world!

Information System Resources

Our basic IS model shows that an information system consists of five major resources: people, hardware, software, data, and networks.

People Resources

People are the essential ingredient for the successful operation of all information systems. These people resources include end users and IS specialists.

1. End users (also called users or clients) are people who use an information system or the information it produces. They can be customers, salespersons, engineers, clerks, accountants, or managers and are found at all levels of an organization.

2. IS specialists are people who develop and operate information systems. They include systems analysts, software developers, system operators, and other managerial, technical, and clerical IS personnel.

Hardware Resources

The concept of hardware resources includes all physical devices and materials used in information processing. Specifically, it includes not only machines, such as computers and other equipment, but also all data media, that is, tangible objects on which data are recorded, from sheets of paper to magnetic or optical disks. Examples of hardware in computer-based information systems are:

1. Computer systems, which consist of central processing units containing microprocessors, and a variety of interconnected peripheral devices such as printers, scanners, monitors, and so on. Examples are hand-held, laptop, tablet, or desktop microcomputer systems, midrange computer systems, and large mainframe computer systems.

2. Computer peripherals, which are devices such as a keyboard, electronic mouse, trackball, or stylus for input of data and commands, a video screen or printer for output of information, and magnetic or optical disk drives for storage of data resources.

Software Resources

The concept of software resources includes all sets of information processing instructions. This generic concept of software includes not only the sets of operating instructions called programs, which direct and control computer hardware, but also the sets of information processing instructions called procedures that people need. The following are examples of software resources:

1. System software, such as an operating system program, which controls and supports the operations of a computer system. Microsoft Windows® and Unix are but two examples of popular computer operating systems.

2. Application software, which are programs that direct processing for a particular use of computers by end users. Examples are a sales analysis program, a payroll program, and a word processing program.

3. Procedures, which are operating instructions for the people who will use an information system. Examples are instructions for filling out a paper form or using a software package.

Data Resources

Data are more than the raw material of information systems. The concept of data resources has been broadened by managers and information systems professionals. They realize that data constitute valuable organizational resources. Thus, you should view data the same as any organizational resource that must be managed effectively to benefit all stakeholders in an organization. The data resources of information systems are typically organized, stored, and accessed by a variety of data resource management technologies into:

1. Databases that hold processed and organized data.

2. Knowledge bases that hold knowledge in a variety of forms such as facts, rules, and case examples about successful business practices.

Network Resources

Telecommunications technologies and networks like the Internet, intranets, and extranets are essential to the successful electronic business and commerce operations of all types of organizations and their computer-based information systems. Telecommunications networks consist of computers, communications processors, and other devices interconnected by communications media and controlled by communications software. The concept of network resources emphasizes that communications technologies and networks are a fundamental resource component of all information systems. Network resources include:

1. Communications media. Examples include twisted-pair wire, coaxial and fiber optic cables, and microwave, cellular, and satellite wireless technologies.

2. Network infrastructure. This generic category emphasizes that many hardware, software, and data technologies are needed to support the operation and use of a communications network. Examples include communications processors such as modems and internetwork processors, and communications control software such as network operating systems and Internet browser packages.

Types of Information Systems

Information systems can be classified as either operations or management information systems. Figure illustrates this conceptual classification of information systems applications. Information systems are categorized this way to spotlight the major roles each plays in the operations and management of a business.

Operations Support Systems

Information systems have always been needed to process data generated by, and used in, business operations. Such operations support systems produce a variety of information products for internal and external use. However, they do not emphasize producing the specific information products that can best be used by managers.

• Transaction processing systems. Process data resulting from business transactions, update operational databases, and produce business documents. Examples: sales and inventory processing and accounting systems.

• Process control systems. Monitor and control industrial processes. Examples: petroleum refining, power generation, and steel production systems.

• Enterprise collaboration systems. Support team, workgroup, and enterprise communications and collaboration. Examples: e-mail, chat, and videoconferencing groupware systems.

Management Support Systems

When information system applications focus on providing information and support for effective decision making by managers, they are called management support systems. Providing information and support for decision making by all types of managers and business professionals is a complex task. Conceptually, several major types of information systems support a variety of decision-making responsibilities: (1) management information systems, (2) decision support systems, and (3) executive information systems.

• Management information systems. Provide information in the form of prespecified reports and displays to support business decision making. Examples: sales analysis, production performance, and cost trend reporting systems.

• Decision support systems. Provide interactive ad hoc support for the decision-making processes of managers and other business professionals. Examples: product pricing, profitability forecasting, and risk analysis systems.

• Executive information systems. Provide critical information from MIS, DSS, and other sources tailored to the information needs of executives. Examples: systems for easy access to analyses of business performance, actions of competitors, and economic developments to support strategic planning.

Threats

Threat: an object, person, or other entity that represents a constant danger to an asset

Management must be informed of the different threats facing the organization

By examining each threat category, management effectively protects information through policy, education, training, and technology controls

The 2004 Computer Security Institute (CSI)/Federal Bureau of Investigation (FBI) survey found:

79 percent of organizations reported cyber security breaches within the last 12 months

54 percent of those organizations reported financial losses totaling over $141 million

Acts of Human Error or Failure

This category includes the possibility of acts performed without intent or malicious purpose by an individual who is an employee of an organization. Inexperience, improper training, the making of incorrect assumptions, and other circumstances can cause problems.

Employees constitute one of the greatest threats to information security, as the individuals closest to the organizational data. Employee mistakes can easily lead to the following: revelation of classified data, entry of erroneous data, accidental deletion or modification of data, storage of data in unprotected areas, and failure to protect information.

Many threats can be prevented with controls, ranging from simple procedures, such as requiring the user to type a critical command twice, to more complex procedures, such as the verification of commands by a second party.


Deliberate Acts of Espionage or Trespass

This threat represents a well-known and broad category of electronic and human activities that breach the confidentiality of information. When an unauthorized individual gains access to the information an organization is trying to protect, that act is categorized as a deliberate act of espionage or trespass. When information gatherers employ techniques that cross the threshold of what is legal and/or ethical, they enter the world of industrial espionage.

Instances of shoulder surfing occur at computer terminals, desks, ATM machines, public phones, or other places where a person is accessing confidential information.

The threat of trespass can lead to unauthorized, real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter. Controls are sometimes implemented to mark the boundaries of an organization’s virtual territory. These boundaries give notice to trespassers that they are encroaching on the organization’s cyberspace.

The classic perpetrator of deliberate acts of espionage or trespass is the hacker. In the gritty world of reality, a hacker uses skill, guile, or fraud to attempt to bypass the controls placed around information that is the property of someone else. The hacker frequently spends long hours examining the types and structures of the targeted systems.

Deliberate Acts of Theft

Theft is the illegal taking of another’s property. Within an organization, that property can be physical, electronic, or intellectual. The value of information suffers when it is copied and taken away without the owner’s knowledge.

Physical theft can be controlled quite easily. A wide variety of measures can be used, from simple locked doors to trained security personnel and the installation of alarm systems. Electronic theft, however, is a more complex problem to manage and control. Organizations may not even know it has occurred.

Deliberate Software Attacks

Deliberate software attacks occur when an individual or group designs software to attack an unsuspecting system. Most of this software is referred to as malicious code or malicious software, or sometimes malware. These software components or programs are designed to damage, destroy, or deny service to the target systems. Some of the more common instances of malicious code are viruses and worms, Trojan horses, logic bombs, back doors, and denial-of-service attacks.

Computer viruses are segments of code that perform malicious actions. This code behaves very much like a virus pathogen attacking animals and plants, using the cell’s own replication machinery to propagate and attack. The code attaches itself to an existing program and takes control of that program’s access to the targeted computer. The virus-controlled target program then carries out the virus’s plan, by replicating itself into additional targeted systems.

The macro virus is embedded in the automatically executing macro code common in office productivity software like word processors, spreadsheets, and database applications. The boot virus infects the key operating system files located in a computer’s boot sector.

Worms - malicious programs that replicate themselves constantly without requiring another program to provide a safe environment for replication. Worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth.

Trojan horses - software programs that hide their true nature, and reveal their designed behavior only when activated. Trojan horses are frequently disguised as helpful, interesting or necessary pieces of software, such as readme.exe files often included with shareware or freeware packages.

Back door or Trap door - A virus or worm can have a payload that installs a back door or trap door component in a system. This allows the attacker to access the system at will with special privileges.

Polymorphism - A threat that changes its apparent shape over time, representing a new threat not detectable by techniques that are looking for a pre-configured signature. These threats actually evolve variations in size and appearance to elude detection by anti-virus software programs, making detection more of a challenge.

Virus and Worm Hoaxes - As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus hoaxes. Well-meaning people spread the viruses and worms when they send e-mails warning of fictitious or virus-laden threats.
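To make the polymorphism point concrete, here is an added Python example (not part of these notes and not the code of any anti-virus product) that compares an exact-hash signature with a wildcard byte-pattern signature. The two "malware" samples are constructed harmless byte strings standing in for an analysed file and a variant of it that differs in a single byte; the pattern syntax (hex bytes, with `??` matching any one byte) is assumed for the demonstration.

```python
import hashlib
import re

# Constructed, harmless byte strings standing in for a malicious file and a
# polymorphic variant of it; only the version byte at the end of the marker differs.
ORIGINAL = b"\x4d\x5a\x90\x00" + b"PAYLOAD-MARKER-v1" + b"\x00" * 8 + b"\xe8\x00\x00\x00\x00"
VARIANT = b"\x4d\x5a\x90\x00" + b"PAYLOAD-MARKER-v2" + b"\x00" * 8 + b"\xe8\x00\x00\x00\x00"
BENIGN = b"\x4d\x5a\x90\x00" + b"ordinary program text" + b"\x00" * 8


def hash_signature(sample: bytes) -> str:
    """Exact-match signature: the SHA-256 digest of the whole file."""
    return hashlib.sha256(sample).hexdigest()


# Signature database built from the one sample that was analysed.
HASH_SIGNATURES = {hash_signature(ORIGINAL)}


def detect_by_hash(sample: bytes) -> bool:
    """Flag a sample only if its digest is already in the database."""
    return hash_signature(sample) in HASH_SIGNATURES


# Wildcard byte pattern (assumed syntax: hex bytes, '??' matches any one byte).
# It pins the bytes that stay constant across variants and ignores the one that changes.
PATTERN = "4d 5a 90 00 50 41 59 4c 4f 41 44 2d 4d 41 52 4b 45 52 2d 76 ??"


def compile_pattern(pattern: str) -> "re.Pattern[bytes]":
    """Turn the hex/wildcard pattern into a bytes regular expression."""
    parts = []
    for token in pattern.split():
        parts.append(b"." if token == "??" else re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def detect_by_pattern(sample: bytes, pattern: str = PATTERN) -> bool:
    """Flag a sample if the wildcard pattern occurs anywhere in it."""
    return compile_pattern(pattern).search(sample) is not None


def scan(samples: dict) -> dict:
    """Run both detectors over named samples; returns name -> (hash_hit, pattern_hit)."""
    return {name: (detect_by_hash(data), detect_by_pattern(data)) for name, data in samples.items()}


if __name__ == "__main__":
    results = scan({"original": ORIGINAL, "variant": VARIANT, "benign": BENIGN})
    for name, (by_hash, by_pattern) in results.items():
        print(f"{name:9s} hash-signature={by_hash!s:5s} pattern-signature={by_pattern}")
```

The exact-hash signature catches only the file it was built from; changing one byte of the variant is enough to evade it, which is the whole idea behind polymorphic code. The pattern signature still fires on the variant because it matches the bytes that do not change, while leaving the benign file alone. Real scanners combine this kind of structural matching with heuristics and emulation, but the trade-off is the same: the more a signature is tied to exact bytes, the easier it is to evade.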

Forces of Nature

Forces of nature are among the most dangerous threats. They disrupt not only individual lives, but also the storage, transmission, and use of information. Organizations must implement controls to limit damage and prepare contingency plans for continued operations.

ATTACKS

An attack is the deliberate act that exploits vulnerability. It is accomplished by a threat agent to damage or steal an organization’s information or physical asset.

An exploit is a technique to compromise a system. Vulnerability is an identified weakness of a controlled system whose controls are not present or are no longer effective. An attack is then the use of an exploit to achieve the compromise of a controlled system.

Malicious Code

This kind of attack includes the execution of viruses, worms, Trojan horses, and active web scripts with the intent to destroy or steal information. The state of the art in attacking systems in 2002 is the multi-vector worm. These attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in commonly found information system devices.

Back Doors - Using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource.

Password Crack - Attempting to reverse calculate a password.

Brute Force - The application of computing and network resources to try every possible combination of options of a password.

Dictionary - The dictionary password attack narrows the field by selecting specific accounts to attack and uses a list of commonly used passwords (the dictionary) to guess with.

Denial-of-service (DoS) - the attacker sends a large number of connection or information requests to a target. So many requests are made that the target system cannot handle them successfully along with other, legitimate requests for service. This may result in a system crash, or merely an inability to perform ordinary functions.

Distributed Denial-of-service (DDoS) - an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
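The password-guessing and denial-of-service attacks defined above leave a recognisable trace in logs: many failed logins from one source against one account, or a flood of requests against one target, from a single source (DoS) or from many (DDoS). The following Python example, added here and not taken from the notes, runs sliding-window detection logic over a constructed sample log. The log line format (`<ISO timestamp> <event> src=<ip> [dst=<ip>] [user=<name>]`), the addresses and the thresholds are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (assumed format: "<ISO timestamp> <event> src=<ip> [dst=<ip>] [user=<name>]").
SAMPLE_LOG = [
    # five failed logins for one account from one source within 32 seconds: password guessing
    "2012-03-01T10:00:01 auth_fail src=203.0.113.5 user=alice",
    "2012-03-01T10:00:09 auth_fail src=203.0.113.5 user=alice",
    "2012-03-01T10:00:17 auth_fail src=203.0.113.5 user=alice",
    "2012-03-01T10:00:25 auth_fail src=203.0.113.5 user=alice",
    "2012-03-01T10:00:33 auth_fail src=203.0.113.5 user=alice",
    # two failures ten minutes apart, then success: a user mistyping, not an attack
    "2012-03-01T10:05:00 auth_fail src=198.51.100.7 user=bob",
    "2012-03-01T10:15:00 auth_fail src=198.51.100.7 user=bob",
    "2012-03-01T10:15:30 auth_ok src=198.51.100.7 user=bob",
] + [
    # ten requests to one target from six different sources inside ten seconds: DDoS pattern
    f"2012-03-01T10:20:{i:02d} request src=203.0.113.{10 + i % 6} dst=100.0.0.75" for i in range(10)
] + [
    # ten requests to another target from a single source: single-source DoS pattern
    f"2012-03-01T10:30:{i:02d} request src=198.51.100.99 dst=100.0.0.80" for i in range(10)
]

LINE_RE = re.compile(r"^(\S+) (\w+) src=(\S+)(?: dst=(\S+))?(?: user=(\S+))?$")


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, src, dst, user = m.groups()
    return {"ts": datetime.fromisoformat(ts).timestamp(), "event": event,
            "src": src, "dst": dst, "user": user}


def detect_attacks(lines, window=60, fail_threshold=5, request_threshold=10, distinct_sources=5):
    """Sliding-window counters over the log; returns a set of (alert_type, address) tuples.

    brute_force: >= fail_threshold failed logins from one source within `window` seconds
    dos / ddos:  >= request_threshold requests to one destination within `window` seconds,
                 reported as ddos when they come from >= distinct_sources different sources
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(deque)   # src -> timestamps of recent failed logins
    requests = defaultdict(deque)   # dst -> (timestamp, src) of recent requests
    alerts = set()
    for e in events:
        if e["event"] == "auth_fail":
            q = failures[e["src"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # drop entries that fell out of the window
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.add(("brute_force", e["src"]))
        elif e["event"] == "request" and e["dst"]:
            q = requests[e["dst"]]
            q.append((e["ts"], e["src"]))
            while q and e["ts"] - q[0][0] > window:
                q.popleft()
            if len(q) >= request_threshold:
                sources = {src for _, src in q}
                alerts.add(("ddos" if len(sources) >= distinct_sources else "dos", e["dst"]))
    return alerts


if __name__ == "__main__":
    for alert in sorted(detect_attacks(SAMPLE_LOG)):
        print(*alert)
```

A brute-force and a dictionary attack look the same from the log's point of view (the difference is only in which guesses are tried), so one rule covers both. The window keeps the rule from firing on an ordinary user who mistypes twice ten minutes apart, and the distinct-source count is what separates a single-source flood, which can be blocked at the source address, from a distributed one, which cannot.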

Spoofing - a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.

Man-in-the-Middle - In the man-in-the-middle or TCP hijacking attack, an attacker sniffs packets from the network, modifies them, and inserts them back into the network.

Spam - unsolicited commercial e-mail. While many consider spam a nuisance rather than an attack, it is emerging as a vector for some attacks.

FIGURE 2-10 IP Spoofing (figure reconstructed as text): the original IP packet from the hacker's system carries IP source 192.168.0.25 and IP destination 100.0.0.75. The hacker modifies the source address to spoof the firewall, producing a spoofed (modified) IP packet with IP source 100.0.0.80 and IP destination 100.0.0.75. The firewall allows the packet in, mistaking it for legitimate traffic, and the spoofed packet slips into the intranet to wreak havoc.
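The firewall in the figure is fooled because it trusts the source address written in the packet header, which is exactly what an anti-spoofing (ingress/egress) filter refuses to do. The Python example below is an added illustration, not from these notes nor from any firewall product, of such a filter. It assumes a constructed intranet of 100.0.0.0/24 behind the firewall, two interface names (`external` and `internal`), and a constructed outside host 100.2.0.9 for the legitimate case; it then runs the figure's two packets through the rules.

```python
import ipaddress

# Constructed topology: the intranet behind the firewall of Figure 2-10 is assumed to be 100.0.0.0/24.
INTERNAL_NETS = [ipaddress.ip_network("100.0.0.0/24")]


def is_internal(address: str) -> bool:
    """True if the address belongs to one of the protected internal networks."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(iface: str, src: str, dst: str) -> str:
    """Anti-spoofing decision for one packet; iface is 'external' or 'internal' (assumed names).

    Returns 'allow' or a string beginning with 'drop:' naming the rule that fired.
    """
    src_ip = ipaddress.ip_address(src)
    if iface == "external":
        # Ingress filtering: a packet from outside must not claim an inside address ...
        if is_internal(src):
            return "drop: internal source address arriving on the external interface (spoofed)"
        # ... nor a private, loopback, reserved or multicast source that cannot be routed back.
        if src_ip.is_private or src_ip.is_loopback or src_ip.is_reserved or src_ip.is_multicast:
            return "drop: unroutable source address arriving on the external interface"
        if not is_internal(dst):
            return "drop: destination is not inside the protected network"
        return "allow"
    if iface == "internal":
        # Egress filtering: traffic leaving the intranet must carry one of our own addresses,
        # so that compromised inside hosts cannot spoof someone else's address outward.
        if not is_internal(src):
            return "drop: non-internal source address leaving on the internal interface (egress filtering)"
        return "allow"
    return "drop: unknown interface"


def evaluate_figure_packets() -> dict:
    """The two packets of Figure 2-10 plus a legitimate packet from a constructed outside host."""
    return {
        "original (192.168.0.25 -> 100.0.0.75)": filter_packet("external", "192.168.0.25", "100.0.0.75"),
        "spoofed (100.0.0.80 -> 100.0.0.75)": filter_packet("external", "100.0.0.80", "100.0.0.75"),
        "legitimate (100.2.0.9 -> 100.0.0.75)": filter_packet("external", "100.2.0.9", "100.0.0.75"),
    }


if __name__ == "__main__":
    for packet, verdict in evaluate_figure_packets().items():
        print(f"{packet}: {verdict}")
```

The spoofed packet is dropped by the first ingress rule: a source address from the intranet has no business arriving on the outside interface. The figure's original packet is dropped as well, because 192.168.0.25 is a private address that cannot be routed from the Internet (Python's `ipaddress` module classifies it as private). Only the constructed outside host gets through. The egress rule is the mirror image and is what keeps an organisation's own hosts from being used to spoof other people's addresses.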

FIGURE 2-11 Man-in-the-Middle Attack (figure reconstructed as text):

1) Company A attempts to establish an encrypted session with Company B.

2) Hacker intercepts the transmission and poses as Company B. Hacker exchanges his own keys with Company A. Hacker then establishes a session with Company B, posing as Company A.

3) Company B sends all messages to the hacker, who receives, decrypts, copies, and forwards copies (possibly modified) to Company A.
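Step 2 of the figure succeeds because Company A accepts whatever key arrives without any way of checking that it came from Company B. The Python example below, added here and not taken from the notes, simulates the exchange with a toy Diffie-Hellman key agreement (a small prime, for illustration only) and shows the difference authentication makes: without it, the relaying party ends up holding both session keys; with an HMAC over each public value under a pre-shared secret, the substituted value is rejected. The party names, the prime, the generator and the pre-shared key are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Toy parameters for the demonstration only; a real deployment uses a standard group.
P = (1 << 127) - 1          # a Mersenne prime: small enough to read, adequate for a toy
G = 3
PSK = b"constructed pre-shared authentication secret between A and B"


def authenticate(public_value: int) -> bytes:
    """HMAC tag over a public value; only holders of PSK can produce or verify it."""
    return hmac.new(PSK, public_value.to_bytes(16, "big"), hashlib.sha256).digest()


class Party:
    """One end of the exchange; `authenticated` selects whether it tags and checks values."""

    def __init__(self, name: str, authenticated: bool):
        self.name = name
        self.authenticated = authenticated
        self.private = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.private, P)
        self.session_key = None

    def offer(self):
        """The message this party sends: its public value, with a tag if authenticating."""
        return self.public, (authenticate(self.public) if self.authenticated else None)

    def accept(self, peer_public: int, tag):
        """Check the peer's message (if authenticating) and derive the session key."""
        if self.authenticated:
            if tag is None or not hmac.compare_digest(tag, authenticate(peer_public)):
                raise ValueError(f"{self.name}: peer value failed authentication")
        shared = pow(peer_public, self.private, P)
        self.session_key = hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


def run_exchange(authenticated: bool, attacker_present: bool) -> str:
    """Simulate Figure 2-11; returns 'shared', 'compromised', 'rejected' or 'mismatch'."""
    a, b = Party("Company A", authenticated), Party("Company B", authenticated)
    a_msg, b_msg = a.offer(), b.offer()
    if attacker_present:
        # Step 2: the relaying party substitutes its own public value in both directions.
        # It does not know PSK, so the best it can do is reuse the tags it intercepted.
        m = Party("Hacker", False)
        a_msg = (m.public, a_msg[1])
        b_msg = (m.public, b_msg[1])
    try:
        b.accept(*a_msg)   # B processes what it believes came from A
        a.accept(*b_msg)   # A processes what it believes came from B
    except ValueError:
        return "rejected"
    if attacker_present:
        # Step 3: the relaying party derives A's key and B's key independently.
        m.accept(a.public, None)
        key_with_a = m.session_key
        m.accept(b.public, None)
        key_with_b = m.session_key
        if key_with_a == a.session_key and key_with_b == b.session_key:
            return "compromised"
    return "shared" if a.session_key == b.session_key else "mismatch"


if __name__ == "__main__":
    for auth, attacker in [(False, False), (False, True), (True, True), (True, False)]:
        print(f"authenticated={auth!s:5} attacker={attacker!s:5} -> {run_exchange(auth, attacker)}")
```

With authentication off, A and B each complete the exchange without error and believe the session is encrypted, but the keys they hold match the relaying party's, not each other's; that is the situation in step 3 of the figure. With authentication on, the tag computed over Company A's real value does not verify against the substituted one, so Company B rejects the message before any key is derived. Real protocols achieve the same check with certificates or signatures rather than a pre-shared key, but the principle is identical: key exchange without authentication of the exchanged values is exactly what a man-in-the-middle exploits.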

• Mail bombing: also a DoS; attacker routes large quantities of e-mail to target

• Sniffers: program or device that monitors data traveling over a network; can be used both for legitimate purposes and for stealing information from a network

• Social engineering: using social skills to convince people to reveal access credentials or other valuable information to the attacker

• Buffer overflow: application error occurring when more data is sent to a buffer than it can handle

• Timing attack: relatively new; works by exploring the contents of a Web browser’s cache to create a malicious cookie