Sunday, 17 April 2016

Introduction to Information Security - Part 1


Introduction to Security:
In general, security is "the quality or state of being secure, that is, to be free from danger." In other words, protection against an enemy, against those who would do harm, intentionally or otherwise, is the overall objective of security.
A successful organization should have the following multiple layers of security in place to protect its operations:
  • Physical security: To protect physical items, objects, or areas from unauthorized access and misuse
  • Personnel security: To protect the individual or group of individuals who are authorized to access the organization and its operations
  • Operations security: To protect the details of a particular operation or series of activities
  • Communications security: To protect communications media, technology, and content
  • Network security: To protect networking components, connections, and contents
  • Information security: To protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology
Information Security
Information security protects information (and the facilities and systems that store, use and transmit it) from a wide range of threats, in order to preserve its value to an organization.
There are two important characteristics of information that determine its value to an organization:
  • The scarcity of the information outside the organization.
  • The shareability of the information within the organization, or some part of it.
Key Information Security Concepts
  • Access: A subject or object’s ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, whereas hackers have illegal access to a system. Access controls regulate this ability.
  • Asset: The organizational resource that is being protected. An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object.
  • Attack: An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect.
  • Control, safeguard, or Countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
  • Exploit: A technique used to compromise a system. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. Or, an exploit can be a documented process to take advantage of a vulnerability or exposure, usually in software, that is either inherent in the software or is created by the attacker.
  • Exposure: A condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present.
  • Loss: A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure. When an organization’s information is stolen, it has suffered a loss.
  • Protection Profile or Security Posture: The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements (or fails to implement) to protect the asset
  • Risk: The probability that something unwanted will happen. Organizations must minimize risk to match their risk appetite, the quantity and nature of risk the organization is willing to accept.
  • Subjects and Objects: A computer can be either the subject of an attack—an agent entity used to conduct the attack—or the object of an attack—the target entity.
  • Threat: A category of objects, persons, or other entities that presents a danger to an asset. Threats are always present and can be purposeful or undirected.
  • Threat Agent: The specific instance or a component of a threat.
  • Vulnerability: A weakness or fault in a system or protection mechanism that opens it to attack or damage. Some examples of vulnerabilities are a flaw in a software package, an unprotected system port, and an unlocked door.
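To make the Access, Subjects and Objects, and Control concepts above concrete, here is a small added example (not from the original post) of a subject/object access-control check with an audit trail. The assets, subjects and permissions in it are constructed for illustration; the point is that an access control both regulates who may do what to an asset and records the denied attempts a defender would review.

```python
"""Added example: minimal subject/object access control with an audit log.

Subjects (users or processes) request operations on objects (assets).
An access-control list (ACL) is the control that regulates that access;
the audit log turns denied requests into something a defender can detect.
All names and permissions below are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed ACL: object -> {subject: set of permitted operations}
ACL = {
    "payroll.db": {"hr_admin": {"read", "write"}, "auditor": {"read"}},
    "website": {"webmaster": {"read", "write"}, "auditor": {"read"}},
}


@dataclass
class AuditLog:
    """Every access decision, allowed or denied, is recorded here."""
    entries: list = field(default_factory=list)


def check_access(subject, operation, obj, acl=ACL, log=None):
    """Return True if `subject` may perform `operation` on `obj`.

    Default-deny: an unknown object, an unknown subject, or an operation
    not explicitly granted all result in a denial.
    """
    allowed = operation in acl.get(obj, {}).get(subject, set())
    if log is not None:
        log.entries.append((subject, operation, obj, "ALLOW" if allowed else "DENY"))
    return allowed


def denied_attempts(log):
    """The denied decisions are the events worth reviewing."""
    return [e for e in log.entries if e[3] == "DENY"]


def repeat_offenders(log, threshold=2):
    """Subjects denied at least `threshold` times: a simple detection rule."""
    counts = Counter(e[0] for e in denied_attempts(log))
    return sorted(s for s, n in counts.items() if n >= threshold)


def demo():
    """Run a constructed sequence of requests and return the audit log."""
    log = AuditLog()
    check_access("auditor", "read", "payroll.db", log=log)     # authorized
    check_access("auditor", "write", "payroll.db", log=log)    # beyond grant
    check_access("intruder", "read", "payroll.db", log=log)    # unknown subject
    check_access("intruder", "read", "website", log=log)       # unknown subject
    check_access("webmaster", "write", "website", log=log)     # authorized
    check_access("webmaster", "read", "secrets.txt", log=log)  # unknown object
    return log


if __name__ == "__main__":
    audit = demo()
    for entry in audit.entries:
        print(entry)
    print("repeat offenders:", repeat_offenders(audit))
```

The decision is default-deny: anything not explicitly granted is refused, which is the "least privilege" posture the Protection Profile entry above is about. The `repeat_offenders` rule is deliberately crude; in practice the audit entries would be shipped to a log pipeline where rules like this run continuously.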
Components of an Information System
1. Software:
The software component of the IS comprises applications, operating systems, and assorted command utilities. Software is perhaps the most difficult IS component to secure. The exploitation of errors in software programming accounts for a substantial portion of the attacks on information. The information technology industry is rife with reports warning of holes, bugs, weaknesses, or other fundamental problems in software. In fact, many facets of daily life are affected by buggy software, from smartphones that crash to flawed automotive control computers that lead to recalls.
2. Hardware:
Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of physical assets from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system. Unfortunately, most information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible.
3.  Data:
Data stored, processed, and transmitted by a computer system must be protected. Data is often the most valuable asset possessed by an organization and it is the main target of intentional attacks. Systems developed in recent years are likely to make use of database management systems. When done properly, this should improve the security of the data and the application. Unfortunately, many system development projects do not make full use of the database management system’s security capabilities, and in some cases the database is implemented in ways that are less secure than traditional file systems.
4.  People:
Though often overlooked in computer security considerations, people have always been a threat to information security. And unless policy, education and training, awareness, and technology are properly employed to prevent people from accidentally or intentionally damaging or losing information, they will remain the weakest link. Social engineering can prey on the tendency to cut corners and the commonplace nature of human error.
5.  Procedures:
Another frequently overlooked component of an IS is procedures. Procedures are written instructions for accomplishing a specific task. When an unauthorized user obtains an organization’s procedures, this poses a threat to the integrity of the information.
6.  Networks:
The IS component that created much of the need for increased computer and information security is networking. When information systems are connected to each other to form local area networks (LANs), and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge. The physical technology that enables network functions is becoming more and more accessible to organizations of every size.
