Information Security System

University Degree Mathematical and Computer Sciences

Table of contents:

Introduction
Existing threats and risks
What a virus is and how to protect a computer
General controls
Application controls
Summary conclusion

Introduction

Information has no value in itself. Nowadays any company stores its information on its computers. Information is now considered so important that it is regarded as a factor of production, labour, enterprise and capital. Whether it is a revenue company or any other organisation it is necessary to keep a record of events in the company in order to maintain its operational activities.

The main aim of this assignment is to increase the awareness of users in the area of information security in order to be able to secure our personal data better then before.

In this assignment I’ll try to investigate and analise the main objectives such as:

Why computerised systems are particularly important
The major risks and threats to computer security
How to deal with computer misuse, such as hacking and viruses
How to protect your computer from harmful program
How back up can be put in place for essential computer facilities

Many organisations today are highly dependent on their Information Systems and must be mindful that all IT resources are not immediately replaceable in the event of damage or destruction. Replacing a mainframe computer, for example, could involve a lead time of several months. It would be crap for any commercial company who does its business on internet or in event loosing of valuable government information. The consequences of a security failure may be very serious. It is important that our computer system is protected at all times. This is so in order to keep data secure and reliable. A breach of security in a computer can lead to a great loss which can not be quantified in any manner.

So far we have known some types of risks and threats to computer systems in organisations.

They are being:

Accidental error
Deliberate damage
Fraud

To these categories I would also add a Physical threat, Unauthorised access and Malicious misuse. Let’s have a look on each of them.

Accidental error

This is an important security issue which computer security experts should always put into consideration when designing security measures for a system. Accidental errors could occur at any time in a computer system but if we do have proper checks in place then it could not be the major concern. Accidental error includes corruption of data caused by programming error, user or operator error.

Physical threat

A threat to a computer system could be as a result of loss of the whole computer system, damage of hardware, damage to the computer software, theft of the computer system, vandalism, natural disaster such as flood, fire, war, earthquakes etc. Acts of terrorism such as the attack on the world trade centre is also one of the major threats to computer which can be classified as physical threat.

Another good example of a physical threat to computer system is the flooding of the city of New Orleans (Hurricane Katrina) during which valuable information was lost and billions of computer data were destroyed.

Unauthorised access

Dada stored on the computer system has to be accessed for it to be translated into useful information. This also poses a great security threats to the computer system due to unauthorised person's having access to the system. Not only this, information can be accessed via a remote system in the process of being transmitted from one point to the other via network media which includes wired and wireless media. Considering an example of an organisation in which a member of staff at a particular level of hierarchy within the establishment is only allowed access to specific area according to the policy of the organisation. If these employees by other means not set in the organisation policy gain access to the restricted data area on the computer, this can be termed an unauthorised access.

Taking the banking sector as an example, imagine what could happen if an unauthorised personnel is allowed to break into the bank system and access all customers details. This could lead to an unquantifiable fraud in the bank which could lead to loss of billions of euros and at the same time makes the bank vulnerable to legal issues which could collapse the whole organisation.

Malicious misuse

Any form of tampering of the computer system which includes penetration, Trojan horses’ viruses and any form of illegal alteration of the computer system which also includes the generation of illegal codes to alter the standard codes within the system can be termed as malicious misuse. This could also lead to a great financial loss and should be prevented in all cases. What worse is when a malicious programmer can take an advantage of an insecure system to send malicious software (viruses) from one particular system to millions of computer in a matter of minutes, military information could be extracted and used to cause conflicts within nations for instance.

E-mail spam

Because "spam" – junk e-mail is so cheap and easy to create, fraudsters increasingly use it to find investors for investment schemes or to spread false information about a company. Using a bulk e-mail program, spammers can send personalised messages to thousands and even millions of Internet users at a time. One of the fraud examples may be The "Risk-Free" Fraud which can involve you into “Exciting, low-Risk Investment Opportunities”. It may sounds like exotic investments, such as prime bank securities or a wireless cable projects for instance. And sometimes the investment products do not even exist they ...

This is a preview of the whole essay

E-mail spam

The Sophos Security Threat Report reveals that more malware is hosted on U.S. Web sites and more spam is relayed from American computers, than any other country. As evidence of this, when an American Internet company, accused of collaborating with spammers and hackers, was disconnected from the Net in November, there was a staggering 75 percent drop in spam.

Fraud

As we know that the Internet serves as an excellent tool for anyone who wants to invest its money into any new business opportunities. The internet makes the researching easier and inexpensively. But the Internet is also an excellent tool for fraudsters. That's why people should always think twice before they invest their money in any opportunity they find through the Internet.

Fraud is a serious risk to computer security. In a broad strokes definition, fraud is a deliberate misrepresentation which causes another person to suffer damages, usually monetary losses. Someone may lie about his name, place of birth and family, but as long as he remains truthful about the product he sells, he will not be found guilty of fraud. Many fraud cases involve complicated financial transactions.

Most of the well-known frauds on internet take top tenth internet scams. They are summarised as follow:

Fake Check Scams. Where consumers paid with checks for work or items sold, instructed to wire money back.
General Merchandise and Action. Where goods are sold (not or through auctions) but never delivered or misrepresented.
Nigerian Money Offers. False promises of riches if consumers pay to transfer money to their bank accounts.
Lotteries. Request for payment to claim lottery winnings or get help to win, often foreign lotteries.
Advance Fee Loans. False promises of business or personal loans, even if credit is bad.
Prizes. Request for payment to claim prizes that never materialise.
Phishing. Emails pretending to be from a well-known source, asking to confirm personal information.
Friendship. Getting an online relationship convinces victim to send money.
Internet Access Service. Cost of Internet access and other services misrepresented or services never provided.

Below I would like to mention about other and may more destroyable computer’s risk. “Let me introduce you the viruses”. I would put a smile icon in, but it is a serious matter to discuss. So what actually a virus is and what is the biggest fears about being infected? Firstly a computer virus is a . And one of the biggest fears among new computer users is being infected by a computer virus or programs designed to destroy their personal data. Viruses are malicious software programs that have been designed by other computer users to cause destruction and havoc on a computer and spread themselves to other computers where they can repeat the process.

Once the virus is made, it is often distributed through shareware, e-mail, P2P programs, or other programs where users share data. It may happen to your computer, so you have to be aware of it.

But before seeking any solution, newest antivirus software, for instance, which you may think will prevent your computer from any viruses. We have to know how viruses may affect to be able to protect our computer and whereby all our data stored in it.

How viruses may affect files is a main issue. Let’s get through it in more details.

Viruses have the capability of infecting any file, but will generally infect executable files or data files, such as word or excel documents that are opened frequently and allow the virus to try infecting other files more often. Viruses can affect any files however, usually attack .com, .exe, .sys, .bin or any data files.
It may increase the files size. Nobody can avoid it unfortunately, so did I. Once I did a copy to my USB device from other computer and having opened it I discovered eighty-five pages in the file instead of twenty-sixth of my original work.
Because most files are loaded into memory, once the program gets in it the virus can delete the file used to execute the virus. It can delete files as the file is run. It also can delete or corrupt files. If you download a file onto a disk don not think that you do not have to worry about a viruses. Once you have placed a file on a disk or moved a file from a disk to your hard drive, your computer may be infected. Virus is capable of loading itself into memory.
It can convert .exe files to .com files. Viruses may use a separate file to run the program and rename the original file to another extension so the .exe is run before the com. Viruses also may be distributed through e-mail, also files can be attached with e-mail and if it executed can infect the computer. Today this is one of the most common ways computer viruses spread around the world.
It can reboot the computer when executed. Numerous computer viruses have been designed to cause a computer to reboot, freeze, or perform other tasks not normally exhibited by the computer. Even in the case where you don not download anything off of the Internet, many people create a site or a file to download with the intention of spreading a virus. In addition can be executed from just viewing a web page.

So once we will remember that a virus is a harmful program which runs on a computer may alter the information, files and damage data stored in it and how really a computer gets infected from virus, we can protect our computer from it by using an antivirus computer’s program. But having latest released antivirus software installed on your computer, it still does not mean that your computer is well protected.

Now we are familiar with how the viruses can affect on a computer. But how a computer gets infected from virus? There are some samples:

From:

Infected Floppy Disk
infected files downloaded from website
infected files from a infected CD
infected E-mail attachment
running an unknown program or code on your computer.

What measures we can take then to prevent virus from entering into our computer?

1. We should only use floppies that are from known source and are properly scanned from an anti-virus.

2. We can install a good firewall on our computer.

3. We can install good anti-spyware on our computer.

4. Never open an E-mail from an unknown person or unknown source.

5. Install a good Anti-Virus on your computer.

6. In the Internet Explorer go to Tools icon then go to the Internet Options, then click the security tab and select highest security option on the slider. Then click apply and Ok. This step will help you from restricting harmful viruses and Trojans from entering into your computer.

The above instructions will help you reducing the risks of saving your computer from any Virus attack.

What if it is too late what we should do then when a virus attacks our computer? There are some recommendations:

1. First of all we should try to back-up our data that is most important to us.

2. If our computer is on network, just disconnect it from the network so that the virus should not spread in to the other computers.

3. Now run a good Anti Virus on the computer to scan for the viruses.

4. After the viruses are found by the anti-virus try to remove them with it.

5. Some times the viruses are internet Trojan horses or spyware, in that case you should use good anti-spyware to remove them.

General Controls

Information security belongs to one of the most important matters in the present personal or business environment. Any users want to protect their data. However, the problem is how to protect data best. There are many ways to protect or personal or business data. Some of preventions we have already mentioned above.

But if we want to minimise errors, disaster, computer crime, and breaches of security, special policies and procedures must be incorporated into the design and implementation of information systems.

The combinations of manual and automated measures can safe information systems.

The specific policies, technology and manual procedures for protecting computing resources and ensuring accuracy and reliability of information systems are called controls. (Informational System Security, chapter 18)

Computer systems are controlled by a combination of general controls and application controls.

General controls are those that control the design, security, and use of computer programs and the security of data files in general throughout the organisation. On the whole, general controls apply to all computerised applications and consist of a combination of system software and manual procedures that create an overall control environment.

General controls include the following:

• Physical hardware controls

• Computer operations controls

• Data security controls

• Administrative controls

Physical Controls

These controls include an environmental Protection against Physical hazard.

These hazards consist fire, water, temperature, dust, humidity or any environmental factor that might cause or damage computer or files. The large computer room the elaborate environmental control systems the room has. You have to make copies of important files in case of the fire. As recommendation you may need to keep the regular preventative maintenance of the hardware by qualified engineers. Magnetic tapes or disks should be kept in protective covers. Organisations that are critically dependent on their computers must also make provisions for emergency backup in case of power failure.

Make sure that computer hardware is physically secure and check for equipment malfunction. Computer hardware should be physically secured so that it can be accessed only by authorised individuals. Access to rooms where computers operate should be restricted to computer operations personnel.

Computer operation or organisational controls

Basically they are procedures to ensure that programmed procedures are consistently and correctly applied to data storage and processing.

They include controls over the setup of computer processing jobs, operations software and computer operations, and backup and recovery. Instructions for running computer jobs should be fully documented, reviewed, and approved by a responsible official person. Controls over operations software include manual procedures designed to both prevent and detect error.

Therefore your staff should be proper recruitmented and trained to ensure that all I.T. personnel have required knowledge and skills to perform their work.

For example, a human-operator error at a computer system at the Shell Pipeline Corporation caused the firm to ship 93,000 barrels of crude oil to the wrong trader. This one error cost Shell $2 million. Such error could have been avoided if the company had incorporated tighter operational safeguards.

Data Security Controls

Data security controls ensure that valuable business data files are not subject to unauthorised access, change, or destruction. Such controls are required for data files when they are in use and when they are being held for storage. It is easier to control data files in your systems, since access is limited to operators who run the batch jobs. However, on-line and real-time systems are vulnerable at several points. They can be accessed through terminals as well as by operators during production runs. For instance, one of yours dissatisfied employee may steal the business information for consideration. He or she can sell this type of information to inform different competitors about your company’s customers or business plans, etc.

When data can be input online through a terminal, entry of unauthorised input must be prevented. For example, a credit note could be altered to match a sales invoice on file. In such cases security can be developed as follow:

System software can include the use of passwords assigned only to authorised individuals. No one can log on to the system without a valid password. Additional sets of passwords and security restrictions can be developed for specific systems and applications. For example, data security software can limit access to specific files, such as the files for the accounts receivable system. Someone of your employee may have this type of profile and be able to update the system but can neither read nor update sensitive fields such as salary, medical history, or earnings data.

Another profile applies to a divisional manager, who cannot update the system but can read all employee data fields for his or her division, including medical history and salary. These profiles would be established and maintained by a data security system. A multilayered data security system is essential for ensuring that this information can he accessed only by authorised persons.

All these procedures are difficult to run within your company without any administrative control, in other words a procedural control.

Procedural controls

They are specified methods of performing tasks or activities. The idea is to have standards methods for common activities, so that results will be obtained in terms of quality, timeliness and security. Written policies and procedures establish formal standards can help you to control your information system operations. Procedures must be formalised in writing and authorised by the appropriate level of management. Accountabilities and responsibilities must be clearly specified.

Supervision of personnel involved in control procedures ensures that the controls for an information system are performing as intended. With supervision, weaknesses can be spotted, errors corrected, and deviations from standard procedures identified.

Application controls

Application controls are specific controls within each separate computer application, such as payroll or order processing. They include both automated and manual procedures that ensure that only authorised data are completely and accurately processed by that application.

The controls for each application should take account of the whole sequence of processing, manual and computer, from the first steps taken to prepare transactions to the production and use of final output.

Application controls focus on the following objectives:

1. Completeness of input and update. All current transactions must reach the computer and be recorded on computer files.

2. Accuracy of input and update. Data must be accurately captured by the computer and correctly recorded on computer files.

3. Validity. Data must be authorised or otherwise checked with regard to the appropriateness of the transaction. (In other words, the transaction must reflect the right event in the external world. The validity of an address change, for example, refers to whether a transaction actually captured the right address for a specific individual.)

4. Maintenance. Data on computer files must continue to remain correct and current.

Application controls can be classified as (1) input controls, (2) processing controls, and (3)

output controls.

Input controls check data for accuracy and completeness when they enter the system.

There are specific input controls for input authorisation, data conversion, data editing, and error handling. Input must be properly authorised, recorded, and monitored as source documents flow to the computer. For example, formal procedures can be set up to authorise only selected members of the sales department to prepare sales transactions for an order entry system. So the batches may require authorisation signatures before they can be entered into the computer.

Processing controls establish that data are complete and accurate during updating. The major processing controls are run control totals, computer matching, and programmed edit

checks.

Output control

It ensures that the results of computer processing are accurate, complete, and properly distributed. Typical output controls include the following:

• Balancing output totals with input and processing totals

• Reviews of the computer processing logs to determine that all of the correct computer jobs were executed properly for processing

• Audits of output reports to make sure that totals, formats, and critical details are correct and reconcilable with input

• Formal procedures and documentation specifying authorized recipients of output reports, checks, or other critical documents.

Summary conclusion

Today, we don't even know when we are being attacked. But if you know the answers on some simple questions as:

How the information is used
Who the information is shared with
How users can access and correct information
And finally how to protect all data stored on your computer

It might ensure all your computing resources of your company and protect their continued availability and usefulness.

To decide which controls to use, information system builders must examine various control techniques in your company in relation to each other and to their relative cost effectiveness.

Using all recommendations received through the assignment is essential for your computer to be protected from a variety of risks and threats.

A control weakness at one point may be neutralised by a strong control at another. Therefore it may not be cost effective to build strong controls at every point in the processing cycle if compensating controls exist elsewhere. The combination of all the controls that we discussed above and developed for a particular application will determine its overall control structure.

Bibliography:

http://www.computerhope.com/vlist.htm

http://www.infosectoday.com/Articles/Security_Threat_2009.htm