Cyber security refers to the protection of Internet-connected systems, including hardware, software
and data, from cyber attacks. Cyber security focuses on protecting computers, networks, programs
and data from unintended or unauthorized access, change or destruction.
(i) Availability
(ii) Integrity, which may include authenticity and non-repudiation
(iii) Confidentiality
We are living in a digital era. Whether it is booking a hotel room, a seat in a restaurant, or
even a cab, we are using the Internet and constantly generating data. This data is generally saved
in the cloud, that is, on huge data servers or data centers that you can access online. So with tons
of data to exploit, hackers are having their golden time. This exposure raises the need for security
that can strengthen these systems.
Information System
Information systems and technologies have become a vital component for successful business
organization.
1. Users
2. Hardware
3. Software
4. Database
5. Set of Methods
A transaction processing system is an information system for business transactions involving the
collection, modification and retrieval of all transaction data. E.g. airline reservation system,
electronic transfer of funds, bank account processing.
Transaction - Transactions are the basic business operations such as customer orders, purchase
orders, receipts, time cards, invoices, and payroll checks in an organization.
Types of TPS
What-if analysis refers to changing assumptions or data in the model to see the impacts of the
changes on the outcome.
The main difference between a management information system (MIS) and a decision support system
(DSS) is that MIS supports structured decision making while DSS provides support for unstructured or
semi-structured decisions. MIS provides reports such as daily, weekly, and quarterly reports of
employee working hours, whereas DSS supports unstructured and semi-structured decisions such as
whether to make, buy or outsource products, or what new products to develop and introduce into
existing markets.
MIS provides information to support lower and middle layer managerial decisions or operations.
DSS provides information to support specific situations.
MIS uses a large volume of data as the input and gives out a summarized report. DSS uses a low
volume of data and the output is decision analysis.
Expert System
An expert system is an information system that emulates the decision-making ability of a human
expert. Expert systems are designed to solve complex problems by reasoning through bodies of
knowledge, represented mainly as if–then rules rather than through conventional procedural code.
These systems use Artificial Intelligence to solve problems that require human expertise.
1. The Inference Engine- It applies the rules to the known facts to deduce new facts.
2. The Knowledge Base- Represents Facts and Rules. Eg. If-then
Example-
MYCIN is an expert system which provides expert guidance to individuals for medical diagnosis.
MYCIN uses artificial intelligence to identify bacteria causing infections, and to recommend
antibiotics.
The Systems Development Life Cycle (SDLC) is the traditional systems development method used
by most organizations today. The SDLC is a structured framework that consists of sequential
processes by which information systems are developed. The SDLC includes the following steps:
1. System investigation
2. Systems analysis
3. Systems design
4. Development
5. Testing and Integration
6. Implementation
7. Operation and maintenance
1. System Investigation
It is the first stage of the information system development cycle. The purpose of this phase is to
find out the scope of the problem and determine solutions. Resources, time, cost and benefits are
considered in this step.
The preliminary investigation includes the following tasks:
a. List problems, opportunities and directives.
b. Negotiate preliminary scope.
c. Assess project worth.
d. Plan the project.
e. Present the project and plan.
Types of feasibility-
1. Technical feasibility
Technical feasibility determines if the hardware, software, and communications components can be
developed and/or acquired to solve the business problem. Technical feasibility also determines if
the organization’s existing technology can be used to achieve the project’s performance objectives.
2. Economic feasibility
Economic feasibility determines if the project is an acceptable financial risk and if the organization
can afford the expense and time needed to complete the project.
3. Behavioral feasibility.
Behavioral feasibility addresses the human issues of the project. All systems development projects
introduce change into the organization, and people generally fear change. In fact, employees may
overtly or covertly resist a new system.
2. System Analysis
It is an in-depth study of end user information needs that produces functional requirements that are
used as the basis for the design of a new information system. This stage defines the business
problem, identifies its causes, specifies the solution, and identifies the information requirements that
the solution must satisfy.
The systems analysis stage produces the following information:
• Strengths and weaknesses of the existing system
• Functions that the new system must have to solve the business problem
• User information requirements for the new system
The output of system analysis is the set of functional requirements.
3. System Design
Systems analysis describes what a system must do to solve the business problem, and systems
design describes how the system will accomplish this task. The deliverable of the systems
design phase is the technical design that specifies the following:-
• System outputs, inputs, and user interfaces
• Hardware, software, databases, telecommunications, personnel, and procedures
• How these components are integrated
System design can be viewed as the design of the user interface, data, process and system
specification. The output of system design is the set of system specifications.
For example, the logical telecommunications design may call for a wide area network connecting
the company’s plants. The physical telecommunications design will specify the types of
communications hardware (e.g., computers and routers), software (e.g., the network operating
system), media (e.g., fiber optics and satellite), and bandwidth (e.g., 100 Mbps).
4. Development
Systems developers utilize the system specifications to acquire the software needed for the system
to meet its functional objectives and solve the business problem. Organizations may buy the
software or construct it in-house. Although many organizations tend to purchase packaged software,
many other firms continue to develop custom software in-house.
For example, Wal-Mart builds practically all its software in-house. The chief benefit of
custom-developed software is that the systems are better suited than packaged applications to an
organization’s new and existing business process needs. For many organizations, custom software
is more expensive than packaged applications. But if a packaged application does not closely fit the
company's needs, the savings are often diluted when programmers have to extend the functionality
of the purchased packages.
5. Testing and Integration
In this phase, all the subsystems are integrated and then tested with a predefined input set. The
output of the newly developed system is compared with the expected output. If the two outputs match,
the product is sent to the next phase; otherwise the developers work on the application again until
the desired results are produced. Testing and development proceed side by side. Throughout the
development stage, testing is done from time to time as and when required.
6. Implementation
When the output of the developed system meets the desired output, then the product is ready for the
implementation phase. In this phase, the newly developed application is transitioned to the
production environment where it is intended to be used by its end users. After the application
implementation is completed, a full documentation of the design and functionality of the application
is done for future references.
Information security: a “well defined sense of assurance that the information risks and controls are
in balance.”-- James Anderson.
Three basic security elements important to information security are confidentiality, integrity, and
availability. Elements relating to the people who use that information are authentication,
authorization, and non-repudiation.
Confidentiality
Confidentiality is the assurance that information is shared only among authorized persons or
organizations.
Measures undertaken to ensure confidentiality are designed to prevent sensitive information from
reaching the wrong people, while making sure that the right people can in fact get it. When
information is read or copied by someone not authorized to do so, the result is known as loss of
confidentiality. For some types of information, confidentiality is a very important attribute.
Examples include research data, medical and insurance records, new product specifications, and
corporate investment strategies.
Measures taken to ensure confidentiality are encryption of the data and limiting the places where it
might appear.
Integrity
Integrity means assurance that the information is authentic and complete. Data integrity means
maintaining and assuring the accuracy and consistency of data over its entire life-cycle.
Information can be corrupted when it is available on an insecure network. When information is
modified in unexpected ways, the result is known as loss of integrity. This means that unauthorized
changes are made to information, whether by human error or intentional tampering. Integrity is
particularly important for critical safety and financial data used for activities such as electronic
funds transfers, air traffic control, and financial accounting.
Measures taken to ensure integrity are message authentication and integrity codes.
Availability
Availability is the assurance that the systems responsible for delivering, storing and processing
information are accessible when needed, by those who need them. Availability of information refers
to ensuring that authorized parties are able to access the information when needed.
Information can be erased or become inaccessible, resulting in loss of availability. This means that
people who are authorized to get information cannot get what they need. Availability is often the
most important attribute in service-oriented businesses that depend on information (for example,
airline schedules and online inventory systems). Availability of the network itself is important to
anyone whose business or education relies on a network connection. When users cannot access the
network or specific services provided on the network, they experience a denial of service.
Measures taken to ensure availability include backing up information into a new system.
Threats Classification
5. Forces of Nature
Natural disasters are among the most dangerous threats because they are unexpected and come
with no warning. They disrupt not only individual lives, but also storage, transmission, and use
of information.
6. Management Failures
These failures happen when management deviates from delivering quality of service. Example-
Situations where products or services are not delivered as expected.
7. Technical Failure
Technical Failures are classified into two types:
Technical Hardware Failure- It occurs when manufacturer distributes equipment with flaws that
may be known or unknown to the manufacturer.
Technical Software Failure- It occurs when there is some problem in source code of the software.
Example- Bugs, Unknown Loopholes, Zero day exploit.
These can cause the system to perform in an undesirable or unexpected way. Some of these are
unrecoverable while some occur periodically.
Cyber Security
Cyber Security focuses on preventing and defending against cyber attacks that seek to damage
digital devices and their networks. The main work in cyber security is that of risk assessment and
management. Potential threats to computer networks are analyzed and evaluated to determine the
level of threat they pose. Preventing cyber attacks is an important part of a cyber security expert's
work.
Information Assurance
This field of work has been around a lot longer than cyber security. That's why it has a broader
focus. Information assurance deals with the protection of both digital and non-digital
information. This includes not just the data stored in a computer but also hard copy records. The
main job of an information assurance manager is to make sure that the information framework
within a particular organization performs according to expectations so that the information is
kept secure from non-authorized personnel.
Information assurance encompasses higher-level concepts such as strategy, law, policy, risk
management, training, and other disciplines that transcend a particular medium or domain. Cyber
security is a subset of information security, which itself is a sub-discipline of information
assurance.
Vulnerabilities are introduced into the information system at three points, namely the development,
design and distribution phases. The major stages involved in developing a vulnerability-free
information system are:-
(i) Test the entity
(ii) Supervise the installation
(iii) Manage customer driven changes
Types
• Non-Intrusive
1. Security Audit
2. Risk Assessment
3. Risk Analysis
• Intrusive
1. Vulnerability Scan
2. Penetration Testing / Ethical Hacking
1. Non-Intrusive Security assessment -
Compliance is fulfilling a set of standards. In the information security domain, the International
Standard Organization has issued various standards providing important guidelines.
(i) Security Audit- Audit identifies non-compliances with accepted practice and identifies new
risks. If new risks are detected, audit notifies the parties responsible for restoring conformity.
An audit is the verification of conformity with a particular strategy, plan, standard, regulation,
or guidelines.
Degree of Conformance
(ii) Risk Assessment - Risk assessment has two procedures namely risk identification and risk
estimation.
Risk identification is done by comparing the current operation with the requirements of ideal
practice. Analysis of the risk identifies the gaps between the best practices specified by the
model and the current operations.
Risk estimation determines the probability and impact of the threats found during risk
identification. The impact or severity of a threat is expressed in quantitative terms of
money and time lost. Risk estimation must state the probability of occurrence and the known
cause-and-effect relationship to each resource. If the rate of occurrence is high, then even if the
harm is minor, a countermeasure might make good business sense. A catastrophic threat is not
necessarily dangerous if it happens only once in several years. If the expense is greater than
any possible harm, then the countermeasure is not included in the security response.
In order to estimate the risk involved, the Annualized Loss Expectancy (ALE) is calculated.
ALE is defined as the monetary loss that can be expected for an asset due to a risk over
a one-year period.
The formula for determining annualized loss expectancy is
ALE is useful in prioritizing or comparing separate risk issues which often have different
frequencies and per-event impacts.
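The prioritization described above, as an added example that is not part of the original notes: it uses the standard definition ALE = SLE × ARO (single loss expectancy times annualized rate of occurrence) and drops any countermeasure whose yearly cost exceeds the yearly loss it avoids. The `Risk` class, the function names and every figure in the register are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    name: str
    sle: float                              # single loss expectancy: cost of one event
    aro: float                              # annualized rate of occurrence: events/year
    safeguard_cost: Optional[float] = None  # yearly cost of the proposed countermeasure
    aro_after: Optional[float] = None       # expected ARO with the countermeasure

    def __post_init__(self) -> None:
        if self.sle < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: SLE and ARO must be non-negative")

    @property
    def ale(self) -> float:
        """Annualized loss expectancy with no countermeasure."""
        return self.sle * self.aro

    def net_benefit(self) -> Optional[float]:
        """Yearly loss avoided minus yearly safeguard cost (None: nothing proposed)."""
        if self.safeguard_cost is None or self.aro_after is None:
            return None
        return (self.ale - self.sle * self.aro_after) - self.safeguard_cost


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Highest expected yearly loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def worthwhile_countermeasures(risks: List[Risk]) -> List[str]:
    """Keep only safeguards that cost less per year than the loss they avoid."""
    return [r.name for r in rank_by_ale(risks)
            if (nb := r.net_benefit()) is not None and nb > 0]


# Constructed sample register; every figure is illustrative.
REGISTER = [
    Risk("data-centre flood", sle=400_000, aro=0.125,   # about once in eight years
         safeguard_cost=60_000, aro_after=0.0625),
    Risk("phishing reimage", sle=2_000, aro=30,         # frequent, minor per event
         safeguard_cost=15_000, aro_after=10),
    Risk("lost laptop", sle=8_000, aro=2,
         safeguard_cost=3_000, aro_after=0.25),
]

if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.name:<20} ALE={r.ale:>9,.0f}  net benefit={r.net_benefit():>9,.0f}")
    print("fund:", worthwhile_countermeasures(REGISTER))
```

The frequent, low-impact risk ranks above the rare catastrophic one, and the flood safeguard is rejected because it costs more per year than the loss it avoids.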
(iii) Risk Analysis - Risk analysis provides a cost/benefit comparison, which compares the
annualized cost of safeguards to the potential cost of loss. First the team must carry out the
project sizing to understand what assets and threats should be evaluated. Assessment is focussed
on physical security, technical security and personal security.
It is very difficult to quantify the values of intangible assets, which may change over time. If a
company finds out that the total or residual risk is too high, it may decide to buy insurance. And
if the risk is too low, it may decide to avoid the issue. Many companies go through risk
mitigation to decrease the level of risk to some acceptable level. For example, firewalls, training
and intrusion detection systems are types of risk mitigation. Risk Analysis can be
categorized into two types-:
Risk Response
Planning
1. Vulnerability Scan - Scan the network using automated tools to identify security holes in the
network. These security holes could be internal or external to the system. Vulnerability
assessments are performed by using an off-the-shelf software package, such as Nessus or OpenVAS,
to scan an IP address or range of IP addresses for known vulnerabilities.
Nessus can also report the OS type of a remote system. For example, the software has signatures for
the Heartbleed bug or missing Apache web server patches and will scan the network and alert if
they are found. The Heartbleed bug allows anyone on the Internet to read the memory of the systems
protected by the vulnerable versions of the OpenSSL software. OpenSSL is a toolkit for the TLS and
SSL protocols that implements basic cryptographic functions using a general-purpose cryptography
library. The bug compromises the secret keys used to identify the service providers. This allows
attackers to eavesdrop on communications, steal data directly from the services and users and to
impersonate services and users. The software then produces a report that lists the
vulnerabilities found and (depending on the software and options selected) gives an indication of
the severity of each vulnerability and basic remediation steps. Scans can be scheduled daily, weekly,
monthly or yearly. It’s important to keep in mind that these scanners use a list of known
vulnerabilities, meaning they are already known to the security community, hackers and the software
vendors. There are vulnerabilities that are unknown to the public at large, and these scanners will
not find them.
2. Penetration Scan
Penetration testing (Pen-Testing) is done to exploit the bug and discover the depth of the problem
and find out exactly what type of information could be revealed if it was exploited. Penetration
testing is designed to assess your security before an attacker does. Penetration testing tools
simulate real-world attack scenarios to discover and exploit security gaps that could lead to
stolen records, compromised credentials.
Process
A penetration test starts with the security professional enumerating the target network to
find vulnerable systems and/or accounts. This means scanning each system on the network
for open ports that have services running on them. It is extremely rare that an entire network
has every service configured correctly, properly password protected, and fully patched.
Once the penetration tester has a good understanding of the network and the vulnerabilities
that are present, he/she will use a penetration testing tool to exploit a vulnerability in order to
gain unwelcomed access. However, security professionals do not just target systems. Often,
a pen tester targets users on a network through phishing emails, pretext calling, or onsite
social engineering.