Information Security, Identity Theft and Identity Fraud - Assignment Example


Extract of sample "Information Security, Identity Theft and Identity Fraud"

Running Head: INFORMATION SECURITY
Student’s Name:
Course Code:
Lecturer’s Name:
Date of presentation:

Question 1

a. Definition of terms

Information security refers to the means of safeguarding information and information systems from unauthorized or unlawful access, disclosure, use, modification, disruption, perusal, inspection, destruction or recording. Information security qualities or attributes include confidentiality, authentication, availability, integrity, etc.

i. Confidentiality: Confidentiality refers to the deliberate attempt to keep unauthorized users from accessing, disclosing or using particular information. In this case the information is for the exclusive use of the “right people”, who in turn limit or prevent the “wrong people” from accessing it. This gives assurance that the information is shared only among and within the authorized individuals or organizations. A breach of confidentiality may arise when such information or data is handled in a manner that may lead to its disclosure to unauthorized people, whether by word of mouth, copying, emailing or producing other forms of the data such as printouts.

ii. Integrity: This refers to the trustworthiness, fidelity and honesty of information resources. It also involves the concept of “data integrity”, where data or information has not been changed or altered inappropriately, whether by deliberate malign activity or by accident. Another critical concept of data integrity is “source integrity”, i.e. that the data or information actually originated from an individual or entity you know, and not an imposter, and that the right information was recorded or entered, i.e. data validity.

iii. Availability: This refers to the assurance that the systems and means depended upon for delivering, transmitting and processing information are reachable when required by those in need of the particular information. This calls for the proper and efficient functioning of the computing and storage systems used in both storing and processing the information. Availability can be hindered by hardware failures, power outages and system upgrades.

iv. Non-Repudiation: This refers to the assurance that a particular sender is supplied with proof of delivery and that the respective recipient of the transaction is equally provided with proof of the identity of the sender, making it impossible for either of them to deny having processed the information. Non-repudiation therefore offers protection against anyone falsely denying taking part in some form of action. This gives the capability to ascertain whether a particular individual took some action, for instance creating, approving, sending or receiving some form of information. This helps in protecting individuals or entities against later litigation, or against claims of not having authored a given document, a sender not having sent a message, or a recipient not having obtained a message.

v. Authentication: This refers to the act of confirming the originality and truth of an attribute of an entity. This may involve confirming an individual or a software program, tracking the origin of a piece, and guaranteeing that a particular product is what its packaging and tagging claim it to be. Authentication in information science helps in curbing literary forgery and plagiarism.

b. Examples of security attributes

i. Confidentiality: Data is considered confidential when it is not accessed by unauthorized individuals. For instance, in a federal or state scenario, data and information covered by confidentiality agreements must be treated with the utmost security controls. In a university scenario, confidential data is accessible only to those individuals affiliated with the institution. This may include official student academic grades, financial status and aid to the institution, social security numbers, and health information of the students and staff. A medical practitioner is expected, under oath, to keep information about patients’ medical records confidential.

ii. Integrity: This refers to the timely access to the particular required data or information. For instance, data and information stored on a disk are expected to be stable and are not supposed to be altered randomly by problems and malfunctions arising from inherent disk controllers.

iii. Non-Repudiation: Ideally this refers to the capability to defeat a false attempt to reject a responsibility by means of indisputable evidence. In the Public Key Infrastructure (PKI) environment, digitized certificates can be efficiently generated and adopted as digital signatures. The resultant digital signature forms a non-repudiation token that offers evidence of both the origin and the delivery of a particular transaction. For instance, in the postal mail service, one is given a receipt containing an identification number particular to the registered letter sent. If the intended recipient fails to receive that letter and goes ahead to claim that the letter was never sent, then the receipt of delivery containing the identification number can offer irrefutable non-repudiation of submission.

iv. Availability: The availability of data stored on a disk can be breached by a disk crash or malware attacks. Any unexpected delay resulting from such an eventuality, leading to denied or delayed access, may also amount to a breach of availability.

v. Authentication: This shows the veracity and genuineness of a claim of authorship or origin of data or information. For instance, for electronic data or information, a digital signature could be used to verify claims of originality of a digital document. This can be verified using cryptography. It can equally be used to show document integrity as well.

c. Information assets protection

Regardless of where it is stored and handled (e.g. filing cabinets, computers, fax machines, etc.), information should be appropriately and suitably protected from access, modification or alteration by unauthorised personnel. In order to achieve this, immediately after it is created, whether in hardcopy or softcopy, information should be classified and categorized according to the end user. This categorization helps in evaluating its relative importance and the equivalent controls needed to preserve its value to the firm.

Physical protection of information assets involves storing files in a safe place away from access by unauthorised persons.
Technical protection involves maintaining the storage hardware devices to recommended servicing standards.
Human protection involves prohibiting unauthorised access to information assets.

d. Threats posed to information assets

i. Physical threats: this refers to material damage to information facilities, such as fires, earthquakes, floods, etc.
ii. Technical threats include the breakdown of storage devices such as computer programs.
iii. Human threats refer to malicious or accidental destruction of information, e.g. sabotage.

Question 2

a. Social Engineering: refers to the art of manipulating people into performing certain actions or giving out classified and confidential information. It is regarded as deception or trickery aimed at obtaining information, committing fraud, or accessing some computer system.

b. Forms of social engineering

i. Pretexting: this refers to creating and using an invented scenario (pretext) to engage a targeted victim in a way that boosts the chance of the sought information eventually leaking out. For instance, making companies reveal information concerning their customers.
ii. Diversion theft: this form of social engineering refers to a swindle practiced by professional thieves, mainly against transport operators.
iii. Phishing: the act of obtaining private information, such as through the internet.
iv. Baiting: use of computer viruses and malware on computer programs.
v. Tailgating: entry to unauthorized sites.

c. Difference between identity theft and identity fraud

Identity theft refers to the act of accessing someone’s personal information, such as credit card information or a social security number, for the purpose of committing a theft. Identity fraud refers to the act of creating a “person” together with the respective personal information. This involves conjuring up the identity of a non-existent person.

d. Examples of ‘Identity Theft’ and ‘Identity Fraud’

Identity thieves who happen to access one’s personal names, address and social security details can open a credit card and use it to get loans and other credit favors. This may go undetected until bill collectors start chasing up the particular individual. Identity fraud uses the fictitious person’s information to seek funds from credit lenders, utility firms, etc. The victims of theft in this case are the merchants and credit lenders and not the fictitious person.

Question 3

a. Key components of an effective Security Education Training and Awareness programme

a) A well-designed security policy that reflects the organization’s needs
b) Informing staff and customers of their expected security responsibilities
c) Establishing clear and realistic markers for reviewing, monitoring and updating the program

b. Designing and implementing a Security Awareness programme

a) Formulation of a security awareness policy that describes the appropriate procedures for safeguarding security
b) The willingness of the Executive Management of an organization to offer support and backing to the formulated program policy
c) Adopting a common “security-positive” behavioural criterion for evaluating the employees
d) Security training and awareness should not be a one-off event but rather a continuous process in the organization
e) Training must not end within the company premises but should be extended to visitors, external staff and other business partners
f) There should be a well-calibrated yardstick for evaluating the progress achieved

c. Processes that are often used to measure the effectiveness of a Security Awareness programme

a) Evaluation of feedback: These responses are crucial in analyzing the effectiveness of training and awareness. The evaluation gives a good sense of the program and offers room for continuous improvement.
b) Monitoring compliance: This refers to the tracking of compliance involved in assessing the status of a training program as stated in the training manual and mapping it to the established standards of the organization.
c) Conducting interviews at different levels of the employee cadre
d) Carrying out a general survey on knowledge of fundamental security principles
e) Management of change: this involves ensuring that the structured training is continuously updated to be in line with new technology, new skills and capabilities.
f) Performing periodic system checks
g) Organizing face-to-face meetings with members of all departments

Question 4

a. Intellectual Property

This refers to the juridical concept of creations of the mind, under which exclusive innovative rights are identified. This grants the owners specified exclusive rights to a number of intangible skills such as literary work, music, inventions and discoveries, slogans, phrases and words, designs, trademarks and patents.

b. Ethics refers to a set of unwritten principles and concepts that guide us in determining the set of behaviors that may hurt or help our security well-being. These ethics are molded through interaction, values and beliefs. Given that ethics refers to the way people should act on issues concerning the goodness and value of situations and things, Information Security Ethics is “the analysis of the impact and nature of information technology and the relating formulation and implementation of policies for the ethical use of such technology” (Moor, 1995, p.7).

c. Effective strategies for confronting ethical and legal information security dilemmas

a) Enhancing customer information while promoting privacy
b) Purchasing genuine computer programs and software
c) Setting standards to protect individual and societal safety
d) Offering standard, safe and reliable data and information storage media
e) Centralizing data and information storage
f) Enriching the employees with an appropriate code of ethics

d. Relationships between ethics and information security

Basically, enhanced computer and information ethics definitely boost information ethics. Ethics in information security describes the philosophical guidelines for knowing right from wrong in relation to information security, for instance prohibiting unauthorized access to other people’s personal information. With the advent of the internet, information security hackers and crackers are on the prowl everywhere, looking for security loopholes to exploit for their own criminal gain. This calls for new and potent tools to be adopted by organizations looking for foolproof information security. There is a need to institute ethical information security principles that bring in the issue of trust by binding the concerned employees and clients to a set of ethical rules, together with education that goes towards boosting ethical awareness and action.

Question 5

a. ‘Disaster Recovery’ in terms of information security: Disaster recovery refers to policies and procedures aimed at salvaging an organization’s data and information assets after a natural or human-induced adversity. Disaster recovery aims at offering technological systems that shore up business functions.

Three stages used in contingency plans

a) Preventive measures: controls that seek to stop an event from happening
b) Detective measures: measures and parameters used in discovering unexpected events
c) Corrective measures: controls aimed at restoring and correcting an information system after a disaster

b. The Information Lifecycle: refers to an extensive set of strategies aimed at overseeing storage systems and computing devices.

Threats to information resources

i. Insider threats: this remains the most prescient threat in today’s business. This may be due to a disgruntled employee with access to vital company information. Organized groupings aiming to gain access may seek entry disguised as temporary employees or, in severe cases, as system administrators.
ii. Industrial espionage
iii. Competitor companies and intelligence groups may look for ways to attack company confidentiality in trying to get undercover information or seeking patented details.
iv. Structured and unstructured computer hackers: their daily job is to probe and scan targeted or random company systems. This means the company should keep itself updated on potential vulnerabilities in its systems.
v. Terrorist organizations: these mainly target state security agencies.

c. ‘Information Risk Assessment’: Refers to the process of maintaining and implementing appropriate management parameters, including procedures and practices, aimed at minimizing the effects of potential list to optimum acceptable levels.

References

Moor, J.M.: 1995, “What is Computer Ethics?” in D.G. Johnson and H. Nissenbaum (eds.), Computer Ethics & Social Values (Upper Saddle River, NJ)