Information Systems Security and Control
When a computer connects to a network and engages in communication with other computers, it is essentially taking a risk. Internet security involves the protection of a computer’s Internet account and files from intrusion by unknown users, and it has become an alarming issue for anyone connected to the net. This research paper argues the need for security over corporate intranets, which have to deal with the lack of security within the Internet and the numerous attacks and malware threats that hackers use to breach security measures.
A corporation uses a private computer network that uses Internet Protocol technologies to securely share any part of an organization’s information or network operating system within that organization. This network is known as the intranet: a network within an organization, in contrast to the Internet, which is a network between organizations. The intranet, a network belonging to an organization or a corporation, is accessible only by members and employees with the proper authorization.
The main purpose of an intranet is to share computing resources among employees, such as network usage data, or to share company information such as company policies, job postings, company events, product literature, and so on. This paper also discusses the countermeasures that a corporation can take in order to reduce the impact of a potential attack against the information network it has established for its specific group of users, who communicate and share data amongst each other. Although an intranet is a closed private network within a corporation or an organization, that does not mean it is immune to the malware lurking on the Internet.
The Internet is an unsecured network that connects people across the globe and is one of the major means that businesses use to generate revenue, whether by selling services, products or ideas. There is a wide span of activity taking place on the Internet nowadays, and businesses engage in online transactions and offer their goods and services through it. The most common practice for all businesses is to have a web page that is easily accessible by the public.
Web pages are the electronic representations of businesses and one of the gateways that connect the intranet of a business with the Internet. Another gateway that has been created within businesses by their use of the Internet is employees surfing the web, sending and receiving emails, exchanging instant messages, using social networks (such as Facebook) or even streaming online video (such as YouTube). Employees are unaware of the threats attached to the usage of these services and their effects on the computer systems and intranet of a corporation or organization, which is where more than half of malware attacks begin.
In some cases the hacker will analyze the infrastructure of the company’s network and its systems and, with the use of sophisticated tools, search for a loophole that leaves valuable information vulnerable to exploitation. A hacker could potentially gain access to the company’s network from outside, or the exploitation may begin from inside the company’s network if a malware program has gained access to a system.
Corporate networks are in danger from every kind of malware threat, virus, malicious network traffic and anything else that could potentially slow down or damage the company’s systems, as well as from any kind of information leakage, which will cost the organization money and reputational loss. Surveys have shown that from year to year the threats are growing and evolving, and as time passes attackers are finding ways to adapt their programs while creating new ones that will remain undetectable and outsmart the best security systems (Cisco and IronPort, 2008: 4).
More specifically, according to a survey, by the end of 2006 many companies found that 90 per cent of their inbound email was spam. Image spam made its debut in 2005; after a while companies found a way to protect their systems, and spammers found another way to deliver it. In 2007 statistics showed that spam was found in Zip files, all types of Microsoft Office documents, all image file types, videos and text files (Cisco and IronPort, 2008: 5).
The technique that spammers are employing is based on the usage of attachments of any file type, sent out to numerous inboxes in order to see what will infiltrate and pass through email security systems. Among the most popular attachment types are Excel and MP3 files, which every Internet user will come across and use. As new types of files come out and are used widely, spammers find new ways to deliver their spam; this is the case with PDF files, which replaced images in the arsenal of every spammer. Finally, the worst case of spamming is links that, when clicked on, redirect the user to a temporary web page that will infect the user’s computer system with a malware Trojan (Cisco and IronPort, 2008: 5-6). However, emails are not the only threat that an organization can come across; surfing the Internet can hide many dangers, and one of the most serious is malware.

“Malware is a term used to describe specific threats that are downloaded from WebPages without a user’s knowledge. While similar to viruses (in that malware can infect a user’s computer and cause system damage or loss of sensitive information), malware is a unique threat – which, at times, cannot be detected by traditional anti-virus scanners” (Cisco and IronPort, 2008: 21). Hackers gain unauthorized access to web pages and change their code in order to infect, with malicious code, any user that visits the page. In fact, a study conducted by Google showed that 1 in 10 web pages indexed by Google is infected with malicious code and 70 per cent of those are legitimate websites with a good reputation (Cisco and IronPort, 2008: 22).
Once malware infects a computer system it will try to steal valuable information. In those cases even the most sophisticated security systems cannot stop it from extracting data out of the network. Most of the time firewalls do not have the ability to monitor outgoing traffic that has been generated from within the organization, especially if the malware disguises the data as normal user activity (Cisco and IronPort, 2008: 27).
As a global security survey pointed out, organizations are “haunted” by threats, which raises concerns and demonstrates how vulnerable they are to attacks. 48 per cent of organizations consider themselves exposed to loss of data (information leakage) and 46 per cent to phishing and pharming, and this pairs with the finding that the weakest link in an organization’s security system, the one that causes failure, is humans (such as employees and customers), cited by 86 per cent (Deloitte, 2009: 29-30).
Therefore, based on the information provided by these surveys, corporate intranets are the main target of Internet attacks that try to exploit system assets in order to damage or steal information, and it is clear that there is a need for security within intranets and an even greater need for constant maintenance and upgrading of security measures. The most effective countermeasure an organization can take is implementing an effective information security program. “Information security is the protection of information commensurate with its value and its associated risk of loss, unauthorized disclosure, or unauthorized use. This means making investments to prevent unauthorized activities and reduce risk” (Onsett International Corporation, 2001: 2). The goals of an information security program are to reduce risks such as unauthorized disclosure, tampering, fraud, and damage to systems and IT infrastructure (viruses, worms). In order to build a comprehensive program, an organization has to have the following elements, prioritize them, and give more emphasis to each according to the needs and state of the business.
Governance (defining and overseeing the program): security policy, standards and guidelines; organizational roles and responsibilities; assessment of risk and security plans to control it; metrics and processes to determine how well the company is adhering to information security policies, processes, procedures and guidelines; personnel controls for who has access to sensitive systems and data; programs to increase awareness of critical information security issues and responsibilities.

Operations (administering and enforcing): information security processes and access controls; controls for physical access to information systems and information assets; processes and procedures to minimize the likelihood of disruptions, recover from disasters and respond to security incidents.

Architecture (designing and implementing): a development methodology for secure information systems; systems and controls that limit the risk of unauthorized access to business assets (Onsett International Corporation, 2001: 4-6).
Throughout an enterprise there should be numerous layers of protection to deal effectively and successfully with risks. Each level of security must reinforce the next in order to minimize potential security problems as well as the exposure the company encounters when incidents do occur.

Prevention: protecting information through effective use of technology, processes, and organizational responsibilities to limit the potential of a threat being realized.

Detection: manual and automated mechanisms to identify and isolate security problems. This includes active and passive monitors and analytical procedures.

Verification: manual and automated mechanisms to ensure that required security measures are in place. This can take forms including audit functions and monitoring tools.

Response: when prevention measures fail, companies need a rapid, pragmatic response capability. This requires planning for containment, triage, and direct response. Pre-planning for a set of probable incidents, and regular testing, is key to rapid and effective response (Onsett International Corporation, 2001: 4-6).
Information security is not only a technology problem, and there is no “silver bullet” that makes a dramatic enhancement in the security posture of a company. That posture relies upon building comprehensive information security programs that implement, enforce and maintain safe computing on the coordinated fronts of tools, processes, and roles.

Tools: protecting information through effective use of technology (e.g. firewalls and authentication tokens) that results in reusable solutions to business problems.

Processes: establishing repeatable solutions or compensating controls for business risks, ensuring that they are measured regularly, and periodically aligning business and information security goals.

Roles: creating the roles that ensure clear responsibilities and accountability in business units, the information security organization, outsource suppliers and business partners, eliminating gaps and reducing overlaps to ensure that requirements are met (Onsett International Corporation, 2001: 4-6).

“Security control techniques exist to help organizations protect their information systems” (Security Management in Intranet Systems, 2003: 2). In the implementation phase the general technological approaches include the following.

Authentication: authentication means that a person using the system is required to prove his or her identity. The forms of authentication include passwords, a personal identification number, a membership ID, or a cryptographic key.

Authorization: authorization means that only certain individuals or groups, or users filling certain roles, may have access to specific resources.
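The two controls just described are easy to confuse, so the following added example (written for this edit, not code from the essay or from any of its cited sources) shows them as two separate checks over a constructed intranet user directory: authentication verifies a salted PBKDF2 password hash in constant time, and authorization then consults a role-to-resource policy that denies by default. The user names, passwords, roles, resource paths and the iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# PBKDF2 work factor; a constructed choice for this example, not a value from the essay.
ITERATIONS = 200_000

# Constructed access policy: which roles may read which intranet resource.
# Resources not listed here are denied to everyone (default deny).
POLICY: Dict[str, Set[str]] = {
    "/policies/handbook.pdf": {"staff", "hr"},
    "/hr/salaries.xlsx": {"hr"},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; plaintext passwords are never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare in constant time to avoid timing leaks."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def build_directory() -> Dict[str, dict]:
    """Constructed user directory: username -> salt, digest and assigned roles."""
    directory = {}
    for name, password, roles in [
        ("alice", "correct-horse-battery", {"hr", "staff"}),
        ("bob", "bob-pass-1", {"staff"}),
    ]:
        salt, digest = hash_password(password)
        directory[name] = {"salt": salt, "digest": digest, "roles": roles}
    return directory


def authenticate(directory: Dict[str, dict], username: str, password: str) -> bool:
    """Authentication: the user proves identity by presenting the right password."""
    record = directory.get(username)
    if record is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    return verify_password(password, record["salt"], record["digest"])


def authorize(directory: Dict[str, dict], username: str, resource: str) -> bool:
    """Authorization: an authenticated user may access only resources their roles allow."""
    record = directory.get(username)
    if record is None:
        return False
    allowed = POLICY.get(resource, set())
    return bool(record["roles"] & allowed)


def access(directory: Dict[str, dict], username: str, password: str, resource: str) -> str:
    """Authenticate first, then authorize; returns a decision string."""
    if not authenticate(directory, username, password):
        return "denied: authentication failed"
    if not authorize(directory, username, resource):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    users = build_directory()
    for who, pw, res in [
        ("alice", "correct-horse-battery", "/hr/salaries.xlsx"),
        ("bob", "bob-pass-1", "/hr/salaries.xlsx"),
        ("bob", "wrong", "/policies/handbook.pdf"),
    ]:
        print(who, res, "->", access(users, who, pw, res))
```

Note that the decision string deliberately does not distinguish an unknown user from a wrong password, and the two checks are kept in separate functions so that a valid login never implies access to a resource: bob authenticates successfully but is still refused the HR spreadsheet.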
Encryption: encryption converts the sender’s message into ciphertext, which an interceptor will not be able to read. At the receiving end, the receiver decrypts the ciphertext back to the sender’s original message. Various encryption protocols have been created to ensure Internet security. Secure Sockets Layer (SSL), developed by Netscape Communications, is a popular encryption protocol that makes data passing through the Internet indecipherable to interceptors. It has become a de facto standard for Internet e-commerce security.

Digital certification: digital certification is another way to assure security. Using digital certification, a sender adds to each message a digital certificate, which is created by a certificate authority. There are three levels of digital certificates: Class 1, 2 and 3. To obtain a Class 1 certificate, a person needs to provide their name, address, and an e-mail address to a certificate authority. Once the e-mail address is verified, the person will receive a Class 1 certificate. MasterCard, VISA, Microsoft, and most other companies have agreed to the use of Secure Electronic Transaction (SET).
When using SET, a digital envelope of certificates specifies the payment details for each transaction, which is then encrypted for transmission.

Firewall systems: a firewall is a system designed to prevent unauthorized access to or from a private network. You can implement a firewall in either hardware or software form, or a combination of both. Firewalls prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet (i.e. the local network to which you are connected) must pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. Several types of firewall techniques exist.

Packet filtering: the system examines each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing, since a filter that trusts a source address has no way of verifying that the address is genuine.

Circuit-level gateway: this process applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

Proxy server: a proxy server is a type of gateway that hides the true network address of the computer(s) connecting through it. A proxy server connects to the Internet, makes the requests for pages, connections to servers, etc., and receives the data on behalf of the computer(s) behind it. Its firewall capabilities lie in the fact that a proxy can be configured to allow only certain types of traffic (e.g. HTTP files, or web pages) through.
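To make the packet-filtering description above concrete, here is an added example (written for this edit; it is not code from the essay or from the sources it cites) of a minimal stateless rule evaluator: first matching rule wins, anything unmatched is dropped. It evaluates the same constructed sample packets against a weak rule set, which trusts any packet carrying an intranet source address, and against a hardened one that adds an anti-spoofing rule rejecting intranet source addresses that arrive on the Internet-facing interface. The interface names, the 10.0.0.0/8 intranet range, the rules and the sample packets are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed intranet address space for this example.
INTRANET = "10.0.0.0/8"


@dataclass(frozen=True)
class Packet:
    """The header fields a stateless packet filter looks at (constructed, simplified)."""
    iface: str   # interface the packet arrived on: "ext" (Internet) or "int" (intranet)
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    """A user-defined rule; a field left as None matches anything."""
    action: str                  # "accept" or "drop"
    iface: Optional[str] = None
    src: Optional[str] = None    # CIDR network
    dst: Optional[str] = None    # CIDR network
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "drop"


# Weak rule set: trusts any packet whose source address looks internal, wherever it arrived.
NAIVE_RULES = [
    Rule("accept", src=INTRANET),
    Rule("accept", iface="ext", proto="tcp", dport=80),   # public web server
]

# Hardened rule set: an internal source address arriving on the Internet interface
# cannot be genuine, so it is dropped before the trusting rule is consulted.
HARDENED_RULES = [Rule("drop", iface="ext", src=INTRANET)] + NAIVE_RULES

# Constructed sample packets.
WEB_REQUEST = Packet(iface="ext", src="203.0.113.7", dst="10.0.0.80", proto="tcp", dport=80)
INTERNAL_SHARE = Packet(iface="int", src="10.1.2.3", dst="10.0.0.5", proto="tcp", dport=445)
SPOOFED = Packet(iface="ext", src="10.1.2.3", dst="10.0.0.5", proto="tcp", dport=445)
UNSOLICITED = Packet(iface="ext", src="203.0.113.7", dst="10.0.0.5", proto="udp", dport=161)


def decisions(rules: List[Rule]) -> dict:
    """Evaluate the sample packets against a rule set so the two sets can be compared."""
    return {
        "web": filter_packet(rules, WEB_REQUEST),
        "internal": filter_packet(rules, INTERNAL_SHARE),
        "spoofed": filter_packet(rules, SPOOFED),
        "unsolicited": filter_packet(rules, UNSOLICITED),
    }


if __name__ == "__main__":
    print("naive:   ", decisions(NAIVE_RULES))
    print("hardened:", decisions(HARDENED_RULES))
```

The filter only ever sees header fields it cannot verify, which is exactly the IP spoofing weakness the text mentions; the hardened set does not fix that limitation but removes the rule that made it exploitable, by refusing to believe an "internal" source on the outside interface. Rule order matters here: the anti-spoofing drop must precede the trusting accept, because the first match wins.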
A proxy server has the potential drawback of slowing network performance, since it has to actively analyze and manipulate traffic passing through it (Security Management in Intranet Systems, 2003: 2-3).

In conclusion, every year the need for security is increasing, and organizations must manage and maintain their security systems while keeping them up to date and constantly upgrading them. A good security system always starts with an analysis phase in which the organization’s computers and network systems are examined so that any threats that may be encountered in the future can be identified.
On occasion even the most advanced security system will eventually be affected by malware or encounter security issues, but it is the organization’s obligation and responsibility to ensure that key assets are not affected and valuable information and data are not stolen; and in the event that the organization suffers a security breach, it has to attempt to recover from such a misfortune as quickly as possible.