29,99 €
Mehr erfahren.
- Herausgeber: Packt Publishing
- Kategorie: Fachliteratur
- Sprache: Englisch
This book provides fundamental concepts of cybersecurity and cybercrime in an easy-to-understand, self-teaching format. It covers data security, threats, viruses, malicious software, firewalls, VPNs, security architecture, design, policies, cyberlaw, and cloud security.
The course starts with an introduction to information systems and cybersecurity application security. It progresses to developing secure information systems and understanding information security policies, standards, and cyberlaw. The final chapters address the security of emerging technologies, including cloud security, IoT, and AES.
Understanding these concepts is crucial for protecting data and systems against cyber threats. This book transitions readers from basic knowledge to advanced cybersecurity practices, combining theoretical insights with practical applications. It is an invaluable resource for mastering cybersecurity in today's digital age.
Das E-Book können Sie in Legimi-Apps oder einer beliebigen App lesen, die das folgende Format unterstützen:
Seitenzahl: 296
Veröffentlichungsjahr: 2024
Ähnliche
CYBERSECURITY
LICENSE, DISCLAIMER OF LIABILITY, AND LIMITED WARRANTY
By purchasing or using this book and its companion files (the “Work”), you agree that this license grants permission to use the contents contained herein, but does not give you the right of ownership to any of the textual content in the book or ownership to any of the information, files, or products contained in it. This license does not permit uploading of the Work onto the Internet or on a network (of any kind) without the written consent of the Publisher. Duplication or dissemination of any text, code, simulations, images, etc. contained herein is limited to and subject to licensing terms for the respective products, and permission must be obtained from the Publisher or the owner of the content, etc., in order to reproduce or network any portion of the textual material (in any media) that is contained in the Work.
MERCURY LEARNING AND INFORMATION (“MLI” or “the Publisher”) and anyone involved in the creation, writing, production, accompanying algorithms, code, or computer programs (“the software”), and any accompanying Web site or software of the Work, cannot and do not warrant the performance or results that might be obtained by using the contents of the Work. The author, developers, and the Publisher have used their best efforts to insure the accuracy and functionality of the textual material and/or programs contained in this package; we, however, make no warranty of any kind, express or implied, regarding the performance of these contents or programs. The Work is sold “as is” without warranty (except for defective materials used in manufacturing the book or due to faulty workmanship).
The author, developers, and the publisher of any accompanying content, and anyone involved in the composition, production, and manufacturing of this work will not be liable for damages of any kind arising out of the use of (or the inability to use) the algorithms, source code, computer programs, or textual material contained in this publication. This includes, but is not limited to, loss of revenue or profit, or other incidental, physical, or consequential damages arising out of the use of this Work.
The sole remedy in the event of a claim of any kind is expressly limited to replacement of the book and only at the discretion of the Publisher. The use of “implied warranty” and certain “exclusions” vary from state to state, and might not apply to the purchaser of this product.
CYBERSECURITY
A Self-Teaching Introduction
C. P. GUPTA, PHD
&
K. K. GOYAL, PHD
Copyright ©2020 by MERCURY LEARNINGAND INFORMATION LLC. All rights reserved.Reprinted and revised with permission.
Original title and copyright: Cyber Security.Copyright ©2019 by University Science Press (An imprint of Laxmi Publications Pvt. Ltd. All rights reserved.)
This publication, portions of it, or any accompanying software may not be reproduced in any way, stored in a retrieval system of any type, or transmitted by any means, media, electronic display or mechanical display, including, but not limited to, photocopy, recording, Internet postings, or scanning, without prior permission in writing from the publisher.
Publisher: David PallaiMERCURY LEARNING AND INFORMATION22841 Quicksilver DriveDulles, VA [email protected]
C.P. Gupta and K.K. Goyal. Cybersecurity: A Self-Teaching Introduction.ISBN: 978-1-68392-498-2
The publisher recognizes and respects all marks used by companies, manufacturers, and developers as a means to distinguish their products. All brand names and product names mentioned in this book are trademarks or service marks of their respective companies. Any omission or misuse (of any kind) of service marks or trademarks, etc. is not an attempt to infringe on the property of others.
Library of Congress Control Number: 2020930906
202122321 Printed on acid-free paper in the United States of America.
Our titles are available for adoption, license, or bulk purchase by institutions, corporations, etc. For additional information, please contact the Customer Service Dept. at 800-232-0223(toll free).
All of our titles are available in digital format at academiccourseware.com and other digital vendors. The sole obligation of MERCURY LEARNING AND INFORMATION to the purchaser is to replace the book, based on defective materials or faulty workmanship, but not based on the operation or functionality of the product.
This book is dedicated to
our families
and
our friends
for making everything possible.
CONTENTS
Preface
Chapter 1: Introduction to Information Systems
1.1Introduction to Information Systems
1.1.1What Is Information?
1.1.2What Is a System?
1.1.3What Is an Information System (IS)?
1.2Types of Information Systems
1.3Development of Information Systems
1.3.1Prototyping
1.4Changing the Nature of Information Systems
1.4.1Globalization of Business and Need of Distributed Information Systems
1.4.2Needs in Distributed Information Systems (DIS)
1.5Introduction to Information Security
1.5.1Key Concepts of Information Security
1.6Need for Information Security
1.7Threats to Information Systems
1.7.1Classification of Threats on the Basis of Damages
1.7.2Life Cycle of Threat
1.7.3Threats Related to Information Systems
1.8Information Assurance
1.9Cybersecurity and Security Risk Analysis
1.9.1Security Risk Analysis
Chapter 2: Cybersecurity Application Security
2.1Application Security
2.1.1Database
2.1.2Email
2.1.3Internet
2.2Data Security Considerations: Backups
2.3Archival
2.3.1Storage and Disposal of Data
2.3.2Secure Data Disposal Methods
2.4Security Technology
2.4.1Firewall
2.4.2Virtual Private Networks (VPNs)
2.5Intrusion Detection
2.5.1HIDS and NIDS
2.5.2Statistical Anomaly and Signature-Based IDSEs
2.6Denial-of-Service (DOS) Attack
2.7Security Threats
2.7.1Malicious Software
2.7.2Viruses
2.7.3Email Viruses
2.7.4Macro Viruses
2.7.5Worms
2.7.6Trojan Horse
2.7.7Logic Bombs
2.7.8Trapdoors
2.7.9Spoofs
2.8Security Threats to E-Commerce
2.9Electronic Payment Systems
2.9.1The Concept of Electronic Payment
2.9.2Conventional versus Electronic Payment Systems
2.9.3The Process of Electronic Payment Systems
2.9.4Types of Electronic Payment Systems
2.10Digital Signature
2.11Cryptography
Chapter 3: Developing Secure Information Systems
3.1Secure Information System Development
3.1.1Initiation
3.1.2Acquisition/Development
3.1.3Implementation
3.1.4Operations and Maintenance
3.1.5Disposition
3.2Application Development Security
3.2.1Initial Review
3.2.2Definition Phase: Threat Modeling
3.2.3Design Phase: Design Review
3.2.4Development Phase: Code Review
3.2.5Deployment Phase: Risk Assessment
3.2.6Risk Mitigation
3.2.7Benchmark
3.2.8Maintenance Phase: Maintain
3.3Information Security Governance and Risk Management
3.3.1Information Security Governance
3.3.2Risk Management
3.4Security Architecture and Design
3.4.1Computer System Architecture
3.4.2Systems Security Architecture
3.4.3Principles of Secure Design
3.4.4Principles of Software Security
3.4.5Security Product Evaluation Methods and Criteria
3.5Security Issues in Hardware, Data Storage, and Downloadable Devices
3.5.1Hardware
3.5.2Security Marking
3.5.3Security Data Backup
3.5.4Power Supply Backup
3.5.5Data Storage
3.6Physical Security of it Assets
3.6.1The Human Factor
3.6.2Natural Disasters
3.6.3Physical Access Control
3.6.4Visual Surveillance System: CCTV (Closed Circuit Television)
3.7Back-Up Security Measures
3.7.1Physical Security
3.7.2Client Security
3.7.3Server Security
3.7.4Network Security
3.7.5Employee Security
Chapter 4: Information Security Policies, Standards, and Cyber Law
4.1Security Policies
4.1.1Policies
4.1.2Why Policies Should be Developed
4.1.3WWW Policies
4.1.4Email Security Policies
4.2Policy Review Process
4.2.1Technical Review
4.2.2Non-Technical Review
4.2.3Corporate Policies
4.2.4Policy Framework, Legislation, and Responsibilities of Information Security
4.3Information Security Standards
4.3.1International Standards Organization (ISO)
4.4Cyber Laws in India
4.4.1Amendment of Act 2008
4.4.2IT Act of 2000 Provisions
4.5Intellectual Property Law
4.5.1History
4.5.2Industrial Design Rights
4.5.3Objectives of Intellectual Property Law
4.5.4Infringement, Misappropriation, and Enforcement
4.6Semiconductor Law
4.6.1Background
4.6.2Enactment of US and other National Legislation
4.6.3How the SCPA Operates
4.6.4Acquisition of Protection by Registration
4.6.5Mask Works
4.6.6Enforcement
4.6.7Functionality Unprotected
4.6.8Reverse Engineering Allowed
4.7Software Licenses
4.7.1Software Licenses and Copyright Law
4.7.2Ownership versus Licensing
4.7.3Proprietary Software Licenses
4.7.4Free and Open-Source Software Licenses
Chapter 5: Security of Emerging Technology
5.1Security of Big Data Analytics
5.1.1Big Data Analysis can Transform Security Analytics in the Following Ways
5.1.2Big Data Analytics for Security Issues and Privacy Challenges
5.2Security of Cloud Computing
5.2.1Cloud Deployment Models
5.2.2The Three Layers of Cloud Computing Services Model (Software, Platform or Infrastructure (SPI) Model)
5.2.3Security Concerns and Challenges of Cloud Computing
5.2.4Cloud Security as Consumers Service
5.3Security of Internet of Things (IoT)
5.3.1Evolution of IoT
5.3.2Building Blocks of the Internet of Things (IoT)
5.3.3Different Between IoT and Machine-to-Machine (M2M)
5.3.4IoT Layers Models
5.3.5Applications of IoT
5.3.6New Challenges Created by the IoT
5.3.7Security Requirements of IoT
5.3.8Three Primary Targets of Attack against IoT
5.3.9Hybrid Encryption Technique
5.3.10Hybrid Encryption Algorithm Based on DES and DSA
5.3.11Advance Encryption Standard (AES)
5.3.12Requirements for Lightweight Cryptography
5.3.13Lightweight Cryptography in the IoT
5.3.14Prevention of Attacks on IoT
5.4Security of Smart Grid
5.4.1Smart Grid Challenges
5.4.2Smart Grid Layers
5.4.3Information Security Risks and Demands of Smart Grid
5.4.4Smart Grid Security Objectives
5.4.5The Smart Grid System can be Divided in Three Major Systems
5.4.6Types of Security Attacks that can Compromise the Smart Grid Security
5.4.7Cybersecurity Attacks in a Smart Grid
5.5Security of Scada Control Systems
5.5.1Components of SCADA systems
5.5.2SCADA System Layers
5.5.3Requirements and Features for the Security of Control Systems
5.5.4Categories for Security Threats to Modern SCADA Systems
5.6Security of Wireless Sensor Networks (WSNs)
5.6.1WSN Layers
5.6.2Security Requirements in WSNs
5.6.3The Attacks Categories in WSNs
5.6.4Attacks and Defense in WSNs at Different Layers
5.6.5Security Protocols in WSNs
Index
PREFACE
Considering the risks involved with online freedom and global connectivity, the study of cybersecurity has become an essential component for every computer professional and undergraduate student of computer science. Thus, the prime objective behind publishing this book is to increase the awareness on cybersecurity.
The chapters are organized incrementally by subject. Chapter One is a brief introduction to basic concepts of systems, information systems, threats, and risk. It also gives a general overview of the terms that are going to be used. Chapter Two presents the overview of application layer security per the OSI model of computer networks. It also discusses several secondary data-storage media and their mechanisms, archival, and retrieval systems. Concerns about intrusion detection systems, virtual private networks, electronic transactions, and cryptography are also covered. Chapter Three introduces the implementation of security during each and every phase of the system development life cycle. In this chapter we also discuss the concept of physical security on IT assets. Chapter Four deals with laws related to the cyber world. It emphasizes intellectual property rights, semi-conductor law, and other important acts. The chapter also provides the do’s and don’ts in IT.
In the end, our hope is that you will be in a better position to make informed decisions about anything of consequence that might be affected by the growing potential for cyber-attacks. This book should appeal to a wide audience as an effective self-study guide. Nothing is possible without expert guidance and improvement, so please send us feedback.
Dr. C.P. Gupta
Dr. K.K. Goyal
February 2020
CHAPTER 1
INTRODUCTION TO INFORMATION SYSTEMS
1.1INTRODUCTION TO INFORMATION SYSTEMS
1.1.1What Is Information?
Data versus Information
Data is a stream of raw facts representing events such as business transactions. Once this data is processed, it can more easily be turned into information.
Data that has been put into a meaningful and useful context, usually called information, helps to make a decision. Applied formation is a cluster of facts that is meaningful and useful to human beings and help in the process of making decisions.
“Information Is Power”
The goal is to put the right information, in the right hands, at right time, in the right format.
Good information is useful to the decision maker, and it must meet certain criteria. Some of the characteristics of good information are confidentiality, integrity, availability, possession, utility, and accuracy.
Information Classification
Information can be classified in terms of usefulness, age, and value according to the requirements for protection. Information is always updated and if new information is found, then usefulness defines the level of importance. The importance of information also depends on time and how long the information is valid if time (i.e., age is passed then importance of information is zero). The value of information is very important for private areas.
Users According to Information Classification
According to information classification, information is an asset. Users of information have the responsibility to protect the data. Those users and their roles and responsibilities are defined as follows:
An owner is an individual who is responsible for establishing the policy and makes final decisions. He keeps the information secret to protect from corresponding levels of classification. The owner also manages the custodian and user. A custodian is an individual responsible for maintaining the information by taking backups. He keeps the middle level of information that is sensitive and secret. There are end users or operators who collect raw data for information and follow operating procedures.
1.1.2What Is a System?
A system is a set of activities that have been arranged systematically to achieve a certain objective. A system is a set of related components that can process an input to produce a certain output. Every system requires a form of data input, like an ATM machine accepts data when we enter PIN number and a washing machine accepts data when we select start buttons. They process inputs and produce respective outputs.
1.1.3What Is an Information System (IS)?
An information system (IS) is a combination of information technology, people, and activities that support the operations of management and decision making. In other words, an information system is not simply about computer—it’s about how businesses can make the best use of computer technology to provide the information needed to achieve the goals.
An information system is used to provide the interface between people, processes, data and technology, which can support business operations to increase productivity and help managers in making decisions.
IS is a combination of information technology plus a set of activities to serve as a support for decision making.
An Information System Contains Five Major Components
1.Hardware: Hardware is a part of a system or information system that can be touched and seen (i.e., it is physically available and helps in obtaining desired output). Information systems’ hardware refer to all type and are used for inputting, processing, managing, solving, and distributing the information being used in an organization, such as physical computers, networks, communication equipment, scanners, digital drives, and so on.
2.Software: Software is the part of computer system we cannot see and feel. It does not have physical existence—we cannot touch it—but it is logically available: Its presence can be felt in performance of certain tasks.
Software can be broadly classified into two categories:
•System software
•Application software
System software is a special type of software that controls the device driver that can communicate with specific hardware whenever required. Application software contains the programs that can help users and enable companies to perform business functions. Users can increase productivity with the presence of application software such as Microsoft Word, Tally, Paint, Adobe Photoshop, and so on.
3.Data: Data refers to raw facts and figures on any subject or entities such as student names, courses, and marks. Raw data can be processed to become more useful information.
Information is an organized, meaningful, and useful interpretation of data such as a company’s performance or a student’s academic performance. Information systems change data into information, which gives a certain meaning to its users.
4.Process: Process or procedure explains the activities carried out by users, managers, and staff. Process is important for supporting certain business models in written documents or as reference material online. It is a guide consisting of orderly steps to be followed and implemented in order to get a certain decision on a certain matter.
5.People (humans): The main objective of an information system is to provide valuable information to managers, users, and others, whether inside or outside of the company. This includes not only users, but those who operate and service the computer, those who maintain the data, and those who support the network of computers. Users can be broken up into three categories:
–End users
–Internal users
–External users
History of Information System (IS)/Information Is Power
YearMain ActivitiesSkill Required1970s–Mainframe computers were used
–Systems were tied to a few business functions: payroll, inventory, billing
Programming in COBOL–Main focus was to automate existing process
–PC and LAN were installed
–Departments set up their own computer
1980s–End-user computed with word processor
–Main focus was to automate existing process
PC support and basic networking1990s–Commercialization
–WWW (World Wide Web) becomes corporate standard
–System and data integration
–No-more standalone system
–WWW extended by Internet
N/W support system integration DBA2000s–Data sharing
–Main focus on efficiency of system (e.g., speed, manufacturing, distribution)
N/W support DBA system integrationDimensions of Information Systems
An information system represents the combination of management, organization, and technology. Using information systems effectively requires an understanding of the organization, management, and information technology dimensions of the system. These dimensions can be explained as follows:
Organization dimension: An information system plays a vital role for managing an organization. This dimension involves the hierarchy of authority, procedures, policies, and operations. Today, with the development of Internet, technology and telecommunications information systems are involved in every phase of organizations such as production, manufacturing, human resources, finance, sales, and marketing.
Management dimension: Organizations set goals, strategies, and plans, and they are handled by different individuals according to their managerial level (top-level management, middle-level management, and low-level management).
Information systems provide different tools and information needed by managers to allocate, coordinate, and monitor their work, make decisions, and create new products and reports.
Technology dimension: Technology acts as a tool for information systems; it provides IT infrastructure a platform. It consists of computer hardware and software, data management technology, and networking and telecommunications technology (networks, Internet, intranets, and extranets). Managers use technology to carry out their work and make decisions.
Characteristics of Information Systems (IS)
Characteristics of good quality information systems (IS) are as follows:
•Consistent information
•No redundancy in information
•Updated information
•Complete information
•Appropriate information
•Valid information
•Reliable information
•Consistent information: Information should be correct and unambiguous. It should not contain any logical contradiction. Management must be able to rely on the results generated by information systems. Only then can they make good decisions; if information systems produce unreliable information, it could affect the reputation and business of the organization.
•No redundancy in information: Information systems ensure no redundancy of data. Redundancy refers to unnecessary, surplus, duplicate information. It can be controlled by removing duplicate data from databases or by taking backup. Redundancy in information systems is simply the result of poor planning.
•Updated information: Information is an asset and has its own importance and value over a period of time. The latest updated information plays a crucial role in decision making and planning. Information should be timely updated and communicated so that appropriate action can be taken. The latest events should be updated in information systems as early as possible.
•Complete information: Accuracy of information is just not enough. It should also be complete, which means facts and figures should not be missing or concealed. Telling the truth but not wholly is of no use.
•Appropriate information: Information should be understandable to the users. It should be communicated according to the structure, format, and details that are relevant to the user. Managers need detailed, summarized reports for appropriate understanding the status of work at a glance.
•Valid information: Completeness of information is just not enough. It should be accurate based of facts and figures generated by the amount of research done. It depends on the qualification and experience of the person communicating the information.
•Reliable information: Information should be fair and free from bias. It should always yield the same result. To increase the reliability of information, it should be taken directly in writing rather than taken indirectly so that the source and reliability of information can be trace out.
1.2TYPES OF INFORMATION SYSTEMS
Information systems can be broadly classified in to two categories:
•Management support system
•Operational support system
1.Transaction processing systems (TPS): TPS were introduced during 1950–1960. TPS is a computerized system that performs and records daily routine transactions necessary to conduct business. TPS process data from business transactions, for example, payroll systems and production instruction.
There are five stages of TPS:
(i.)Data entry
(ii.)Processing
(iii.)Database maintenance
(iii.)Inquiry processing
(iv.)Document and report generation
2.Management information systems (MIS): MIS were introduced during 1960–1970. Management information systems provide information for managing an organization. They extract summarized data from TPS. An MIS allows managers to monitor and direct the organization’s processes and activities. It provides accurate feedback and pre-specified reports on a scheduled basis. The output is often of the kind that you need routinely each term (quarterly, monthly, yearly) to evaluate how to proceed.
3.Decision support systems (DSS): DSS were introduced during 1970–1980. A decision support system is an interactive information system that provides information, models, and data manipulation tools to help in making decisions in semi-structured and unstructured situations. It supports analytical work, simulation and optimization. Simulation models calculate the simulated outcome of tentative decisions and assumptions. Optimization models determine optimal decisions based on criteria supplied by the user, mathematical search techniques, and constraints. For example, online analytical processing (OLAP) provides the use of data analysis tools to explore large databases of transactional data. Data mining provides the use of analysis tools to find patterns in large transactional databases.
4.Executive information systems (EIS): EIS was introduced during 1980–1990. It is a highly interactive information system that provides flexible access to information for monitoring results and general business conditions and uses both internal and competitive information. It is also known as an executive support system (ESS).
5.Expert systems (ES): ES were introduced during 1990–2000. Expert systems support professionals faced with complex situations requiring expert knowledge in a well-defined area. They represent human expertise, also called knowledge-based Systems that typically use if-then rules. They are used as interactive advisors or as automated tools.
6.Office automation systems (OAS): Office automation systems help people in performing personal record keeping, writing, and calculations efficiently. Main types of tools include:
•spread sheet programs
•text- and image-processing systems, and
•personal databases and note-taking systems.
1.3DEVELOPMENT OF INFORMATION SYSTEMS
Information system development involves various activities performed together. The stages involved in the IS development life cycle are as follows:
1.Recognition of need: Recognition of need is the first stage of the information system development life cycle. This gives a clear picture of what the existing system actually is. The preliminary investigation must define the scope of project and the perceived problems, opportunities, and directives that triggered the project. The preliminary investigation includes the following tasks:
(i.)Lists problems, opportunities, and directives
(ii.)Negotiates project worth
(iii.)Accesses project worth
(iv.)Plans the project
(v.)Presents the project and plan
2.Feasibility study: The statement, “Do not try to fix it unless you understand it” applies and completely describes the feasibility study stage of system analysis. The goal of feasibility studies is to evaluate alternative systems and to propose the most feasible and desirable system for development. It consists of a statement of the problem, a summary of the findings, details of the findings, and recommendations and conclusions. There are five types of feasibility studies:
•Technical feasibility
•Economical feasibility
•Motivational feasibility
•Schedule feasibility
•Operational feasibility
3.Analysis: Analysis is not a preliminary study. It is an in-depth study of end-user information needs that produces functional requirements that are used as the basis for the design of a new information system. IS analysis involves detailed study of the following:
•The information needs of the organization and end user
•The activities, resources, and product of any present information system
•The information system capabilities required to meet the information needs
4.Design: System design can be viewed as the design of user interface, data, process, and system specifications. Information system design can be viewed as the following:
•User interface design
•Data design
•System specification design
•Process design
5.Implementation: Implementation is the stage where theory is converted into what’s practical. The implementation is a vital step in ensuring the success of new systems. Even a well-designed system can fail if it is not properly implemented. Information system implementation involves the following:
•Acquisition of H/W, S/W, and services
•Software development and modification
•End-user training
•System documentation
6.Post implementation and maintenance: Once a system is fully implemented and being operated by an end user, the maintenance function begins. System maintenance is the monitoring, evaluating, and modifying of operational information systems to make desirable or necessary improvements.
1.3.1Prototyping
Prototyping is a part of the analysis phase of the IS development life cycle. It is the process of building a model system (i.e., simulation). Information system prototypes are employed to help system designers build an information system that is intuitive and easy to manipulate by end users. Prototyping is an iterative process.
Advantages of Prototyping
•Prototype reduces the development time.
•It reduces the development cost.
•It requires user involvement.
•Its results provide higher user satisfaction.
•Prototyping is an active, not passive model that end users can see, touch, and feel.
•Prototyping can increase creativity because it allows for quicker user feedback, which can lead to better solutions.
Disadvantages of Prototyping
•Prototyping often leads to premature commitment to a design.
•Prototyping can reduce creativity in designs.
•Not suitable for larger applications.
•Structure of the system can be damaged since many changes can be made.
•The developer can misunderstand users’ objectives.
1.4CHANGING THE NATURE OF INFORMATION SYSTEMS
Information system changes should be timely and done periodically. It is because of globalization, transformation of information in digital world. Each information system is defined and characterized by their purpose and goal. Today, systems are not residing in a single location but are distributed geographically and based on component. Today information systems are flexible, structured, global, and integrated. They are also very fast and accurate. Business environments have been changed or altered by four powerful changes:
–Globalization
–Risk in information economy
–Transformation of business enterprise
–Emerging digital firms
Main frame–based information system changes to client server–based information system. This system improves usability, flexibility, interoperability, and scalability compared to centralized main frame time-sharing computing.
1.4.1Globalization of Business and Need of Distributed Information Systems
Today, businesses have no geographical boundaries as globalization has become the mantra of success in the digital economy, led by rise of electronic business (e-business). “Extended enterprises” are completely new ways of doing business, e-commerce, or e-business. Information systems (IS) are handling business in all forms, not just the text-based data of 1970s that typically comes in flat files but also the rich text, image, graphics, and voice. There are digital markets where an IS links buyers and sellers to exchange information products, services, and payments worldwide.
Role of Internet and Web Servers in Globalization of IS
The Web is huge collection of multimedia information located on Web servers attached to Internet. Web servers have proved to give a strong return on investment (ROI) and make computer-based IS more reliable. They also bring productivity, flexibility, and low maintenance costs in the development of IS by integrating components from various third-party venders. Linking information is very easy; it can be shared all around the world.
1.4.2Needs in Distributed Information Systems (DIS)
The distributed development of information systems (also named global software development) increased with the globalization of companies and their businesses with new information and communication technologies. In distributed information systems, the information is available on several computers (i.e., information is distributed over multiple sites, which are connected and share information with a communication network). In distributed information systems, many computers connect to each other and share their information with each other. It increases enterprise productivity, reducing IS development cost and extending enterprise strategy to the global market. Certain common characteristics needed in distributed information systems are the following:
1.Transparency: A distributed system needs to hide the fact that its processes and resources are physically distributed across multiple computers. Transparency is of various forms, as follows:
TransparencyDescriptionAccessHide differences in data representation and how a resource is accessedLocationHide where a resource is locatedMigrationHide that a resource may move to another locationRelocationHide that a resource may be moved to another location while in useReplicationHide that a resource is replicatedConcurrencyHide that a resource may be shared by several competitive usersFailureHide the failure and recovery of a resource2.Easier expansion: Distributed information systems (DIS) allow many users to access common data. DIS share the workload over available machines and enhance sharing and processing of information. DIS are always open to add new resources and sharing services. They remain effective when there is significant sharing of resource and users.
3.Reflects original system and local autonomy: This system enables information to be accessed without knowing their location. Data can be placed at different sites users normally use. In this way, users have local control of the data, and they can establish and enforce local policies regarding the use of this data.
4.Protection of valuable data: Distributed information systems are responsible for protecting valuable data even if any fault or failure occurs. It can be achieved by the recovery and redundancy of information or valuable data.
5.Economic: It creates network of small computers with the power of single large computer at less cost. A collection of computers offers better price/performance than a single mainframe computer. It’s the cost-effective way to increase computing power.
6.Modularity: Systems can adapt new features and can be deleted easily, which does not affect the other system. Computing power can be added in small increments. This leads to modular expandability.
7.Reliable transaction: Due to replication of data and secure channels with reliable networks, we can manage large and complex transactions very easily. If any machine crashes the system can still survive. It ensures availability and improves reliability. As data may be replicated so that it exists at more than one site, it makes data available, even the failure of a node or a communication link.
Characteristics of Distributed Information Systems (DIS)
•Communication: The computers in a distributed system communicate with one another through various communication media, such as high-speed networks or telephone lines. They do not share main memory or disks.
•Distributed data: Data sets can be split into fragments and can be distributed across different nodes within a network. Individual data fragments can be replicated and allocated across different nodes.
•Performance: Each site is capable of independently processing user requests that require access to local data or file systems and is also capable of performing and processing on remote machines in the network.
•Distributed operations: Distributed systems operate in parallel; different algorithms ensure the correctness, especially operation during failures of part of the system, and recovery from failures.
Disadvantages of Distributed Information Systems (DIS)
•Complex: The added complexity required to ensure proper coordination among the sites is the major disadvantage. This increased complexity takes various forms like cost, bugs, and processing overheads.
•Security: There may be security problems due to the sharing nature of distributed systems.
•Difficulty to maintain integrity: It is very difficult to maintain the integrity because some messages can be lost in the network system.
•Additional hardware and software required: Additional hardware and software are required to manage bandwidth and overloading problems and to increase performance and network operations.
1.5INTRODUCTION TO INFORMATION SECURITY
A modern society is heavily dependent on information and communication technologies. We trust computers, but they are often not safe or secure and therefore have many risks. “The major goal of information security is to define ways to reduce these risks.” Said an other way, the objective is to protect against those who do harm intentionally or un-intentionally. Security is the quality or state of being secure to be free from danger. Fear of anything that can go wrong is threat and the possibility of anything going wrong is called risk. Action for doing anything wrong is called attack. We need to secure form threats. Multilevels of security were implemented by “onion skin” or “defense in depth” approach:
Security Layers
Information security protects information assets. Assets may be physical or logical assets. Physical assets are tangible like hardware, people, and computer systems and logical assets are intangible like data, information, and websites. Assets can be further classified into information, software, hardware, people, and systems.
There are three things that may help to protect information systems:
•Education: Education of what could happen if lost or in the wrong hands
•Awareness: Awareness of what information you have. How important it is? How secure it is?
•Technology: Technological precautions to secure information systems
1.5.1Key Concepts of Information Security
Information security has some key concepts to secure or protect valuable assets:
•Access: Authorized users have legal access to the system, whereas hackers have illegal access to the system. Access control regulates this.
•Asset: Assets can be physical or tangible like the organizational resource that is being protected. Assets may be logical such as websites or may be any information/data that needs to be protected to identify the value.
•Attack: An intentional or unintentional act that can cause damage or otherwise compromise information or the systems. Attacks can be active or passive, intentional, or unintentional and direct or indirect.
•Vulnerability: A weakness or fault in the system that can be exposed to cause loss or harm. A human who exploits vulnerability is responsible for the attack on the system.
•Threat: Set of circumstances that causes loss, harm, or danger to an asset. A weakness or fault in a system or protection mechanism that opens it to attack or damage.
•Control or safeguard: An action, device, procedure, or technique that eliminates or reduces vulnerability. Also called a countermeasure.
|| Threats are blocked by controlling vulnerability. ||
1.6NEED FOR INFORMATION SECURITY
The value of information comes from the characteristics it possesses. When a characteristic of information changes, the value of that information either increases or decreases. Some characteristics affect information’s value to users more than others do, called essential characteristics of the information.
The need for information security thus arises to maintain confidentiality, integrity, and availability—three essential characteristics of information. This is defined as the CIA triangle, CIA triad, or security triad of information security.
Confidentiality: Confidentiality is the “prevention of disclosure of information from unauthorized user.” Information has confidentiality when it is protected from disclosure or exposure to unauthorized individuals or systems. Confidentiality ensures that only those with the rights and privileges to access the information are able to do so. When unauthorized individuals or systems can view information, confidentiality is breached. To protect the confidentiality of information, we can use a number of measures, including the following:
•Information classification
•Secure document storage
•Application of general security policies
•Education of end users
Integrity:
