Information Security: Goals, Components, Cryptography, PKI, Backups, Risk Management, APT Attack Model, PII, Ethics

The Goals of Information Security

1: The CIA triad, Confidentiality, Integrity and Availability, is the classic model of information security. It gives an organisation three goals against which its security controls can be evaluated.


Confidentiality means that only authorised persons can read data; unauthorised access and disclosure are prevented. The goal is to protect sensitive information against misuse. Organisations enforce confidentiality with authentication (user IDs and passwords), policy-based access control, access control lists (ACLs) and encryption of data at rest and in transit. Integrity means that information, and the systems that process it, can be trusted: only authorised persons may alter data, and improper modification or destruction is prevented or detected. Integrity is divided into data integrity and system integrity. Organisations ensure integrity with cryptographic hashes, message authentication codes and digital signatures, which detect tampering. Encryption on its own protects confidentiality rather than integrity: an attacker who cannot read a ciphertext can still flip bits in it, so encrypted data needs an integrity check as well. Availability means that data and services are accessible to authorised users whenever required. Organisations ensure availability through software patching and upgrading, hardware maintenance, redundancy and backups, and network capacity planning together with protection against denial of service.

Components of Operational Model of Information Security

2: The four key components of the operational model of information security are (1) the information security manager, (2) the business risk manager, (3) senior executives and (4) the individuals responsible for designing, implementing, monitoring and improving the controls.

An organisation is a complex system that delivers value. An operational model breaks that system down into simpler components that show how it works, which helps leaders identify where under-performance originates. Seen from the organisational hierarchy, the same model is broken down into executives, senior managers, middle managers and workers. It describes the way the organisation works today and can also communicate the vision of how it will work in the future (the "to be" state).

Types of Cryptography

3: The three types of cryptography discussed here are public key cryptography, the one-time pad and steganography. In public key (asymmetric) cryptography one key encrypts and a different, mathematically matching key decrypts; together they form a key pair. One key is the private (secret) key, kept secret by its owner, and the other is the public key, shared with everyone. The public key can be pictured as the slot of a public drop box, which anyone can put things into, and the private key as the key that opens the box to take things out.



The second type is the one-time pad, a symmetric cipher. The same pad, a random key at least as long as the message, is given to both sender and receiver and has to be delivered over a secure channel in advance. Each pad is used exactly once and then destroyed; used this way the cipher is provably unbreakable, which is why it is reserved for the highest-security situations. The burden of generating, distributing and protecting that much key material, and the complete loss of security if a pad is ever reused, keep it out of everyday use.

Steganography hides the existence of information rather than its content: data is concealed inside an innocuous carrier so that someone snooping does not notice there is a message at all. For example, image files contain a lot of redundant bits (such as the least significant bit of every pixel) that can be used to hide a message. Strictly speaking this is not cryptography, because an observer who knows the method can read the message; in practice the hidden data is encrypted first, and steganography is best used to explain the difference between hiding information and scrambling it.
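As an added worked example (not part of the original essay), the following Python code, using only the standard library, implements both ideas from the two paragraphs above: a one-time pad over bytes, including the leak that occurs when a pad is used twice, and least-significant-bit steganography in a constructed greyscale image. The image, the messages and all function names are assumptions made for the example.

```python
import secrets


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """XOR every message byte with the corresponding pad byte.

    Decryption is the same operation. Security depends on the pad being
    uniformly random, at least as long as the message, and never reused.
    """
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, pad))


def new_pad(length: int) -> bytes:
    """Fresh pad from the OS CSPRNG; a PRNG seeded from a short secret would not do."""
    return secrets.token_bytes(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def two_time_pad_leak(ct1: bytes, ct2: bytes, known_plaintext1: bytes) -> bytes:
    """What an eavesdropper learns when the same pad encrypts two messages.

    ct1 XOR ct2 cancels the pad and equals m1 XOR m2; with m1 known (or
    guessed), m2 falls out directly. This is why a pad is destroyed after use.
    """
    return xor_bytes(xor_bytes(ct1, ct2), known_plaintext1)


def lsb_embed(cover: bytes, message: bytes) -> bytes:
    """Hide `message` in the least significant bit of successive cover bytes.

    The first 16 bits carry the message length so the extractor knows when to
    stop. Each cover byte changes by at most 1, invisible to the eye but easy
    to detect statistically: this is hiding, not encryption.
    """
    if len(message) > 0xFFFF:
        raise ValueError("message too long for the 16-bit length prefix")
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for the payload")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def lsb_extract(stego: bytes) -> bytes:
    """Reassemble the hidden bytes (MSB first) from the LSBs of the stego object."""
    def read(n_bytes: int, bit_offset: int) -> bytes:
        result = bytearray()
        for b in range(n_bytes):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[bit_offset + b * 8 + i] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read(2, 0), "big")
    return read(length, 16)


# Constructed stand-in for a 64x64 8-bit greyscale image: a smooth gradient.
COVER_IMAGE = bytes((x + y) % 256 for y in range(64) for x in range(64))


def demo() -> dict:
    m1 = b"transfer 1000 to acct 42"
    m2 = b"transfer 9999 to acct 13"
    pad = new_pad(len(m1))
    ct1 = otp_encrypt(m1, pad)
    ct2 = otp_encrypt(m2, pad)          # the mistake: pad reused for a second message
    stego = lsb_embed(COVER_IMAGE, ct1)  # hide the (encrypted) message in the image
    return {
        "ciphertext": ct1,
        "roundtrip": otp_encrypt(ct1, pad),
        "recovered_m2_from_reuse": two_time_pad_leak(ct1, ct2, m1),
        "extracted_from_image": lsb_extract(stego),
        "max_pixel_change": max(abs(a - b) for a, b in zip(COVER_IMAGE, stego)),
    }


if __name__ == "__main__":
    print(demo())
```

Encrypting first and then hiding is the usual combination: the stego layer keeps the message unnoticed, and the cipher keeps it unreadable if the hiding is detected.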

Roles of Certificate Authority and Registration Authority in PKI

4: The role of the certificate authority (CA) is to validate that an applicant controls a domain (and, for higher-assurance certificates, that the applicant organisation exists) and then to issue a certificate binding the applicant's public key to that identity. The CA may use business registration records and similar sources to vet an applying organisation. Within the public key infrastructure (PKI), the CA's signature on a certificate is what prevents an attacker from presenting a fake digital certificate for a name they do not control, because browsers and other relying parties trust only certificates that chain to a CA they already trust. The CA verifies the applicant's identity before issuing the certificate, and publishes a Certification Practice Statement (CPS) that sets out its policies and practices for issuing and maintaining digital certificates in the PKI.

The registration authority (RA) is the front office of the PKI: it receives certificate requests from users and organisations, verifies that each requester is who they claim to be and is entitled to the certificate, and then instructs the CA to issue it. The RA is therefore the part of the PKI that lets users and companies exchange information and payments safely and securely. The certificate that results contains the subject's public key; relying parties use that public key to verify digital signatures made with the subject's private key and to encrypt data that only the private key holder can decrypt. The private key itself never appears in the certificate. The checks performed depend on the class of certificate being requested:

Class 1: Issued to individuals, verified through e-mail, and used to digitally sign e-mail messages. The verification collects the applicant's e-mail address, physical address and full name.

Class 2: Issued to software publishers, so that users of the software can verify the authenticity of the vendor.

Class 3: Issued, after stronger identity vetting, to companies that wish to set up their own certificate authority.

Use of Symmetric and Asymmetric Cryptography in SSL/TLS

5: Symmetric cryptography on its own cannot establish a secret between two machines that have never communicated before, because they have no way to agree on the key in secret. Asymmetric cryptography solves that key-agreement problem, but it operates on small inputs and is far slower than a symmetric cipher on large blocks of data. As a result, SSL/TLS uses both: an asymmetric handshake, authenticated by the server's certificate, establishes short-lived symmetric keys, and a symmetric cipher then encrypts and authenticates the bulk of the session data.

The quality of communication and information systems, and of the data transmitted and stored on them, depends on software and hardware tools together with sound organisational, managerial and operational procedures; symmetric and asymmetric cryptography are among those tools. Cryptography began as a way to keep messages confidential and has become far more sophisticated: modern methods also provide integrity protection, authentication, non-repudiation and detection of unauthorised copying. One limitation of public key encryption on its own is that anyone can encrypt a message to a public key, so the recipient learns nothing about who sent it. The digital signature is the reverse of public key encryption: the sender applies the private-key operation to (a hash of) the message, using the sender's private key instead of the receiver's public key, and the receiver checks the signature with the sender's public key. Because only the holder of the private key could have produced a signature that verifies, this confirms the identity of the sender and that the message has not been altered.


6: The four types of backup considered here are full, incremental, differential and virtual full backups. A full backup copies every file. Full backups consume a large amount of space even when the files are compressed, shorten disk life through heavy access to the backup disks, and consume network bandwidth. Their main advantage is ease of restoration: only the file name, date and location are needed to restore lost data, and a restore depends on a single backup set. An incremental backup saves space by storing only the files that have been changed or created since the last backup of any type. Its main advantage is that the data backed up in each iteration is much smaller, saving space and network bandwidth; the cost is that a restore needs the last full backup plus every incremental taken since it, applied in order, and a missing or corrupt set breaks the chain. A differential backup is similar, except that it stores all files changed since the last full backup was performed, so each differential grows until the next full backup. It requires more network bandwidth and space than incremental backups, but a restore needs only the full backup and the latest differential. A virtual full backup uses a database to track and manage the backed-up data. This avoids the disadvantages of the other methods: a copy of each file is taken only once and need not be taken again as long as the file on the storage medium is unchanged, while the database presents the collection as a complete, restorable full backup. It saves both space and network bandwidth.
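An added example, not from the original essay, that simulates the first three backup types in Python over a small constructed file history (paths, contents and modification days are invented for the illustration) and restores from each, including what happens when one incremental set in the chain is missing. The virtual full backup is not simulated because its behaviour depends on the product's catalogue database.

```python
def changed_since(fs, day):
    """Files whose modification day is later than `day`. fs: path -> (mtime day, content)."""
    return {path: entry for path, entry in fs.items() if entry[0] > day}


def full_backup(fs, day):
    return {"kind": "full", "day": day, "files": dict(fs)}


def incremental_backup(fs, day, last_backup_day):
    """Everything changed since the previous backup of any kind."""
    return {"kind": "incremental", "day": day, "files": changed_since(fs, last_backup_day)}


def differential_backup(fs, day, last_full_day):
    """Everything changed since the last FULL backup, so each set grows."""
    return {"kind": "differential", "day": day, "files": changed_since(fs, last_full_day)}


def restore_incremental_chain(full, incrementals):
    """Full set plus every incremental since it, oldest first.

    A missing or corrupt set silently leaves later state out, as the
    'broken chain' case in simulate() shows.
    """
    state = dict(full["files"])
    for snap in sorted(incrementals, key=lambda s: s["day"]):
        state.update(snap["files"])
    return state


def restore_differential(full, latest_differential):
    """Full set plus only the newest differential; earlier differentials are not needed."""
    state = dict(full["files"])
    state.update(latest_differential["files"])
    return state


def backup_size(snapshot):
    return sum(len(content) for _, content in snapshot["files"].values())


def fs_on_day(day):
    """Constructed history: a.txt changes on days 1 and 3, b.txt on day 2, d.txt appears on day 2."""
    fs = {"a.txt": (0, b"a-v0"), "b.txt": (0, b"b-v0"), "c.txt": (0, b"c-v0")}
    if day >= 1:
        fs["a.txt"] = (1, b"a-v1")
    if day >= 2:
        fs["b.txt"] = (2, b"b-v2")
        fs["d.txt"] = (2, b"d-new")
    if day >= 3:
        fs["a.txt"] = (3, b"a-v3")
    return fs


def simulate():
    full = full_backup(fs_on_day(0), 0)
    incrementals, differentials = [], []
    last_backup_day = 0
    for day in (1, 2, 3):
        fs = fs_on_day(day)
        incrementals.append(incremental_backup(fs, day, last_backup_day))
        differentials.append(differential_backup(fs, day, full["day"]))
        last_backup_day = day
    return {
        "incremental_files": [sorted(s["files"]) for s in incrementals],
        "differential_files": [sorted(s["files"]) for s in differentials],
        "incremental_total_bytes": sum(map(backup_size, incrementals)),
        "differential_total_bytes": sum(map(backup_size, differentials)),
        "restored_via_incrementals": restore_incremental_chain(full, incrementals),
        "restored_via_differential": restore_differential(full, differentials[-1]),
        # day-2 incremental lost: b.txt stays at v0 and d.txt never comes back
        "restored_with_broken_chain": restore_incremental_chain(full, incrementals[:1] + incrementals[2:]),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

Note that none of the three sets records deletions: a file removed on day 2 would reappear after any of these restores unless the backup format keeps a deletion record.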

7: Software patches should be tested before they are deployed, to prevent errors in the production environment. A patch fixes a software vulnerability and so protects the system from the malware that exploits it, but an untested patch can itself break functionality or introduce new weaknesses. Testing the patch first lets the organisation gain the security benefit of the update without worrying that it will disrupt production, and it keeps production software environments simpler to manage because only known-good changes reach them.

If a patch is not tested before it is released to the production environment, it might be incompatible with that environment, and the software might fail or remain vulnerable to attack. The steps performed for testing are to create a test environment that mirrors production, apply the patch there, and then roll it out to a limited set of production devices before deploying it everywhere. Testing the patch in this way ensures that the fix works and does not introduce new problems.

8: The five steps that are taken in any risk management process are:

  1. Identifying the risks: recognise the risks that could affect the project and its outcomes. A number of techniques is used to identify them. A risk register is created at the start of the project, and every identified risk is documented in it.
  2. Analysing the risks: once the risks are identified, the consequences of each one are analysed. The nature of the risk is understood along with its potential effects on project goals and objectives, and the analysis is recorded in the risk register.
  3. Ranking the risks: identified risks are ranked according to the intensity of their effect on project goals. The effect of a risk is its risk magnitude, defined as the combination of consequence and likelihood. Risks whose magnitude is acceptable need no action; those that are not acceptable are prioritised in the risk register for treatment.
  4. Treating the risks: risks with a high magnitude are treated. The project manager finds ways to mitigate, transfer, avoid or accept each one and assigns an owner for the action.
  5. Reviewing and monitoring the risks: the risk register is reviewed regularly and used to track the risks and the progress of their treatment, since likelihood and consequence change over time.

9: An advanced persistent threat (APT) is a targeted, prolonged cyber attack in which the attacker gains access to a network and remains undetected for an extended period. The intention is to monitor network activity and steal data rather than to damage the organisation's network. Manufacturing, the financial industry and national defence are typically targeted, because companies in these sectors hold intellectual property, valuable business information, military plans and other data from enterprises and governments. The APT attack model consists of a series of steps: target selection, information gathering, point of entry, planting malware on the compromised machine, privilege escalation, command and control (C2) communication, lateral movement, asset discovery and persistence, data exfiltration and covering tracks. APT attacks are thoroughly studied and planned by the attackers, and combine an internal blueprint of the IT infrastructure, social engineering, malware engineering and data extraction that goes undetected (Da Veiga and Martins 2015). The first stage is target selection, followed by gathering information about the organisation. Once sufficient information has been collected, the attackers gain entry and plant malware on compromised machines. From then on the malware communicates with the attackers' command and control servers, typically through small, regular "beacon" requests that blend into normal traffic, and receives further commands over that channel.
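One place the command and control stage leaves a footprint is the regularity of the beacon traffic. The following is an added example, not part of the original essay or of any APT report it cites: a small Python detector run over constructed proxy log lines (the log format, hosts and addresses are invented; 203.0.113.9 is an RFC 5737 documentation address standing in for a C2 server). It groups requests by source and destination and flags pairs whose inter-request gaps show very little relative variation.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

C2_HOST = "203.0.113.9"   # documentation address standing in for the C2 server
VICTIM = "10.0.0.5"


def build_sample_log():
    """Constructed proxy log: '<ISO timestamp> <src ip> <dst host> <method> <status> <bytes>'.

    The implant checks in roughly every 60 s with a little jitter; the same
    host also browses a normal site at human, bursty intervals.
    """
    start = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    t = start
    lines.append(f"{t.isoformat()} {VICTIM} {C2_HOST} POST 200 312")
    for gap in (60, 61, 59, 60, 62, 58, 60, 60, 61, 59, 60):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} {VICTIM} {C2_HOST} POST 200 312")
    t = start
    lines.append(f"{t.isoformat()} {VICTIM} www.example.com GET 200 8812")
    for gap in (5, 130, 17, 402, 3, 66, 250, 9, 44):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} {VICTIM} www.example.com GET 200 {1000 + gap}")
    return sorted(lines)


def parse_line(line):
    timestamp, src, dst, _method, _status, _size = line.split()
    return datetime.fromisoformat(timestamp), src, dst


def find_beacons(lines, min_events=8, max_cv=0.15):
    """Flag (src, dst) pairs whose inter-request gaps are nearly constant.

    cv = population stdev / mean of the gaps. Human browsing is bursty (cv
    around 1 or more); an implant sleeping a fixed interval plus small jitter
    is very regular (cv near 0). min_events stops a handful of hits from firing.
    """
    stamps_by_pair = defaultdict(list)
    for line in lines:
        stamp, src, dst = parse_line(line)
        stamps_by_pair[(src, dst)].append(stamp)
    flagged = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        if cv <= max_cv:
            flagged[pair] = {"events": len(stamps), "mean_gap_s": round(mean_gap, 1), "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for pair, stats in find_beacons(build_sample_log()).items():
        print(f"possible beacon {pair[0]} -> {pair[1]}: {stats}")
```

In practice this check is combined with others before an analyst is paged: constant request size, a user agent that never changes, little data returned, and a destination with no business relationship all raise confidence, and implants that randomise their sleep widely will need a longer window or a different feature.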


10: Slack space is the storage left over when a file does not fill the last allocation unit (cluster) assigned to it on a hard disk drive. The logical size of a file is its actual size in bytes; the physical size is determined by the number of sectors or clusters allocated to it, and slack space is the difference between the two. When a file is deleted, its contents are not erased from the disk: the operating system only removes the directory entry and marks the space as available for reallocation, so the data remains until something else overwrites it.

If an employee is suspected of conducting illegal activities on a company computer, the slack space and the free (unallocated) space should always be examined, not only the live files, because deleted or hidden data often survives there. That residual data is destroyed by ordinary use, since new files overwrite the old clusters, so the disk should be imaged with a write blocker before any analysis. Important data lost or stolen by the employee might cause a huge loss to the organisation, and what is recovered from slack and free space is frequently the evidence of what was taken.
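The following is an added worked example, not part of the original essay, of slack space and data remanence on a simulated FAT-like volume written in Python (the cluster size, file names, file contents and class and function names are assumptions for the illustration). It shows the slack calculation, that deleting a file leaves its contents carvable from the raw image, and that even after a new file reuses the cluster, the tail of the old file survives in the new file's slack.

```python
CLUSTER_SIZE = 4096   # bytes per allocation unit on the simulated volume


def physical_size(logical_size, cluster_size=CLUSTER_SIZE):
    """Space actually allocated: whole clusters, rounded up."""
    return -(-logical_size // cluster_size) * cluster_size


def slack_size(logical_size, cluster_size=CLUSTER_SIZE):
    """Bytes in the last cluster that the file does not use."""
    return physical_size(logical_size, cluster_size) - logical_size


class SimDisk:
    """A tiny FAT-like volume: a raw image plus an allocation table.

    As on a real file system, a write touches only the bytes of the file and a
    delete only releases the clusters; nothing is zeroed.
    """

    def __init__(self, clusters):
        self.n_clusters = clusters
        self.image = bytearray(clusters * CLUSTER_SIZE)
        self.table = {}   # file name -> (logical size, list of cluster numbers)

    def _free_clusters(self):
        used = {c for _, clusters in self.table.values() for c in clusters}
        return [c for c in range(self.n_clusters) if c not in used]

    def write_file(self, name, data):
        needed = physical_size(len(data)) // CLUSTER_SIZE
        free = self._free_clusters()
        if len(free) < needed:
            raise OSError("volume full")
        allocated = free[:needed]
        for i, cluster in enumerate(allocated):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = cluster * CLUSTER_SIZE
            self.image[start:start + len(chunk)] = chunk   # rest of the cluster is untouched
        self.table[name] = (len(data), allocated)

    def delete_file(self, name):
        del self.table[name]   # bytes stay on disk until the clusters are reused

    def read_file(self, name):
        size, clusters = self.table[name]
        raw = b"".join(bytes(self.image[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]) for c in clusters)
        return raw[:size]

    def file_slack(self, name):
        """Bytes between the logical end of the file and the end of its last cluster."""
        size, clusters = self.table[name]
        used_in_last = size % CLUSTER_SIZE
        if used_in_last == 0:
            return b""
        start = clusters[-1] * CLUSTER_SIZE
        return bytes(self.image[start + used_in_last:start + CLUSTER_SIZE])


def carve(image, marker):
    """Offsets of every occurrence of `marker` in the raw image, allocated or not."""
    hits, pos = [], image.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = image.find(marker, pos + 1)
    return hits


PAYROLL = b"CONFIDENTIAL payroll export row " * 160   # constructed 5120-byte file, 160 markers


def demo():
    disk = SimDisk(clusters=8)
    disk.write_file("payroll.csv", PAYROLL)          # occupies clusters 0 and 1
    disk.delete_file("payroll.csv")                  # the suspect "removes" the file
    hits_after_delete = len(carve(disk.image, b"CONFIDENTIAL"))
    disk.write_file("memo.txt", b"lunch at noon")     # reuses cluster 0, overwrites 13 bytes
    return {
        "slack_of_5000_byte_file": slack_size(5000),
        "hits_after_delete": hits_after_delete,
        "memo_readable": disk.read_file("memo.txt"),
        "memo_slack_holds_old_data": b"CONFIDENTIAL" in disk.file_slack("memo.txt"),
        "hits_after_reuse": len(carve(disk.image, b"CONFIDENTIAL")),
    }


if __name__ == "__main__":
    print(demo())
```

Carving works on the raw image rather than through the file system API, which is why the analyst images the whole device first: the live system's own tools only show allocated files.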

11: Every organisation should identify the Personally Identifiable Information (PII) and Protected Health Information (PHI) it holds and handle it securely. PII is any data that can be used to identify, locate or contact an individual, either on its own or combined with other sources. It includes information linked to an individual through medical, financial, employment and educational records. Data elements that identify an individual include biometric data, telephone number, social security number and name. Federal agencies have the responsibility of safeguarding sensitive information and other PII (Yang and Jia 2014). Protecting PII has become one of the most important obligations of any organisation today. Several laws relate to PII: the Privacy Act, GLBA, HIPAA, COPPA, FERPA and FCRA.

These laws serve an important purpose: they restrict organisations from sharing personal information with other parties without a lawful basis, and they require the information to be protected. Personal identification numbers such as a driver's licence number, patient identification number and passport number are further examples of PII.
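As an added example, not part of the original essay, the following Python code scans free text for three of the PII elements named above (social security numbers, telephone numbers and e-mail addresses) and redacts them before the text is logged or shared. The regular expressions, the sample ticket text and the function names are assumptions for the illustration; the structural SSN rules applied (no 000, 666 or 900-999 area number, no 00 group, no 0000 serial) are the published SSA rules and cut down false positives on other 3-2-4 digit strings.

```python
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def is_valid_ssn(area, group, serial):
    """Structural rules: area never 000, 666 or 900-999; group never 00; serial never 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan_pii(text):
    """Return (type, value, offset) findings for SSNs, phone numbers and e-mail addresses."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            findings.append(("ssn", m.group(0), m.start()))
    for m in PHONE_RE.finditer(text):
        findings.append(("phone", m.group(0), m.start()))
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", m.group(0), m.start()))
    return sorted(findings, key=lambda f: f[2])


def redact(text):
    """Mask the same matches; SSNs first so the phone pattern never sees them."""
    text = SSN_RE.sub(lambda m: "[SSN]" if is_valid_ssn(*m.groups()) else m.group(0), text)
    text = PHONE_RE.sub("[PHONE]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return text


SAMPLE = (  # constructed support-ticket text
    "Patient John Doe (SSN 123-45-6789) called from (555) 010-2233 and asked that "
    "results go to john.doe@example.org. Test record 666-12-3456 is a placeholder; "
    "ticket 987-65-43210 is unrelated."
)


def demo():
    return {"findings": scan_pii(SAMPLE), "redacted": redact(SAMPLE)}


if __name__ == "__main__":
    for item in demo()["findings"]:
        print(item)
    print(demo()["redacted"])
```

Pattern matching of this kind is a coarse first pass: it finds structured identifiers but not names, addresses or free-text health details, so it supports a data inventory rather than replacing one.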

12: Ethics is important in information security because it underpins security and privacy awareness. Ethics involves responsibility, duty and personal character. The main ethical theories are utilitarianism, hedonism and egoism.

Utilitarianism, also referred to as the greatest happiness principle, holds that the right action is the one that brings more good than harm to all persons affected. Hedonism elaborates on what counts as good and bad in utilitarian theory, in terms of pleasure and pain. Hedonists are not necessarily utilitarians, but utilitarians are hedonists. Egoism is focused on what is good and bad for the individual. These theories are elaborated in codes of ethics, and it is important that every organisation follows a code of ethics. Whenever an organisation faces a dilemma in decision making, its administrators can fall back on ethical theory, and many difficult situations in information security are resolved in this way.


References:

Ahn, S.H., Kim, N.U. and Chung, T.M., 2014, February. Big data analysis system concept for detecting unknown attacks. In Advanced communication technology (ICACT), 2014 16th International Conference on (pp. 269-272). IEEE.

Chen, P., Desmet, L. and Huygens, C., 2014, September. A study on advanced persistent threats. In IFIP International Conference on Communications and Multimedia Security (pp. 63-72). Springer, Berlin, Heidelberg.

Cherdantseva, Y. and Hilton, J., 2013, September. A reference model of information assurance & security. In 2013 International Conference on Availability, Reliability and Security (pp. 546-555). IEEE.

Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R., 2013. Future directions for behavioral information security research. Computers & Security, 32, pp.90-101.

Da Veiga, A. and Martins, N., 2015. Information security culture and information protection culture: A validated assessment instrument. Computer Law & Security Review, 31(2), pp.243-256.

Fabian, B., Ermakova, T. and Junghanns, P., 2015. Collaborative and secure sharing of healthcare data in multi-clouds. Information Systems, 48, pp.132-150.

Ghafir, I. and Prenosil, V., 2014. Advanced persistent threat attack detection: an overview. Int J Adv Comput Netw Secur, 4(4), pp.50-54.

Kaur, J. and Mustafa, N., 2013, November. Examining the effects of knowledge, attitude and behaviour on information security awareness: A case on SME. In Research and Innovation in Information Systems (ICRIIS), 2013 International Conference on (pp. 286-290). IEEE.

Khan, A.N., Kiah, M.M., Khan, S.U. and Madani, S.A., 2013. Towards secure mobile cloud computing: A survey. Future Generation Computer Systems, 29(5), pp.1278-1299.

Laudon, K.C. and Laudon, J.P., 2016. Management information system. Pearson Education India.

Mason, R.O., 2017. Four ethical issues of the information age. In Computer Ethics (pp. 41-48). Routledge.

Singh, G., 2013. A study of encryption algorithms (RSA, DES, 3DES and AES) for information security. International Journal of Computer Applications, 67(19).

Sorokin, P., 2017. Social and cultural dynamics: A study of change in major systems of art, truth, ethics, law and social relationships. Routledge.

Tamjidyamcholo, A., Baba, M.S.B., Shuib, N.L.M. and Rohani, V.A., 2014. Evaluation model for knowledge sharing in information security professional virtual community. Computers & Security, 43, pp.19-34.

Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. Computers & Security, 38, pp.97-102.

Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & Security, 44, pp.1-15.

Yang, K. and Jia, X., 2014. Expressive, efficient, and revocable data access control for multi-authority cloud storage. IEEE transactions on parallel and distributed systems, 25(7), pp.1735-1744.

Yang, K., Jia, X., Ren, K., Zhang, B. and Xie, R., 2013. DAC-MACS: Effective data access control for multiauthority cloud storage systems. IEEE Transactions on Information Forensics and Security, 8(11), pp.1790-1801.

Zafar, H., 2013. Human resource information systems: Information security concerns for organizations. Human Resource Management Review, 23(1), pp.105-113.
