Security of Information in Government Organisations - Essay Example

Running Head: SECURITY OF INFORMATION IN GOVERNMENT ORGANIZATIONS Student’s Name Subject Professor University/Institution Location Date Table of Contents Table of Contents 2 Security of information in Government Organizations 3 Introduction 3 Information Security 3 Information Security in Government Organizations 5 Human Information Asset 8 Physical Information Asset 8 Technical Information Asset 9 Information Asset Classification 9 Confidentiality 9 Availability 10 Intergrity 10 Risks In Information Security Of Government Organizations 10 Type of Risks 11 Implication Of Threat In Government Organizations. 15 Counter Measures For The Threats Of Information Security 15 Technical Counter Measures 16 Physical Counter Measures 16 Personnel Counter Measures 17 Conclusion 17 List of References 19 Security of information in Government Organizations Introduction The maintenance of assets and operations for the accomplishment of the goals and objectives in organizations has progressively become more and more a reliant on information systems and technology. Along with this dependency on information technology comes the need for organizations to realize that information has increasingly become one of the key strategic factors in the realization of organizational goals. The protection of information in organizations is a necessity in the modern world and calls for leaders to focus on effective information control and maintenance and therefore there is a need to integrate information security matters into the daily strategic procedures of organizations. Information Security In view of how important information in today’s organizations has become, information security has also become a major distress factor facing organization with an increasing array of threats and vicious threats in existence which has made the protection of information an intricate challenge (Bowen et al, 2007). There is a great need for government employees, researchers and practitioners to gain more knowledge of the significant concerns that lie beneath the issues of information security in order to fully recognize and be able to resolve the greatest issues that come with security of information. Information security is as old as computer security – that is the need to protect physical place where information is stored as well as “hardware and software” from external threats. Information security is therefore as old as the World War II when the very first mainframe computers were made to help in the calculation related to communication system infringements. Various stages of information security at this time were put in place to protect both the mainframe computers and keep data safe as well as secure information integrity. Any admission to sensitive places belonging to the armed forces was done by the use of badges or by means of recognition by personnel or even by means of keys. There was evident need for information to be protected and the need for national security saw the invention of much more complex and more technologically advanced means of preserving computer security (Peter, 1998). During those early years, information security was a clear-cut affair that mainly comprised of corporal safety procedures and uncomplicated cataloging of documents. The basic threats to security at that time were intelligence on organization products, theft of paraphernalia and incapacitation or sabotage. In the 1960s during the Cold War, many more mainframe computers were connected online to deal with more intricate and difficult assignments and it turn out to be essential that a way should be found to facilitate communication procedures of these mainframes to via a less burdensome process than mailing and that saw the invention of networking, a project that came to be known as ARPANET which is the origin of today’s “internet” and as the reputation and ease of access of networked computers grew, so did security of information grow and that is what brought us to where we are today (Robert, 2002). When the origin of security information is mentioned many times, the word MULTICS (Multiplexed Information and Computing Service) comes into the equation MULTICS being the very first computer that was created in the 1960s for the solitary goal of securing information. After MULTICS came UNIX. It is UNIX which brought about the current simple constituent of information safety – the password (Julekha, 2001). The first global connection of networked computers came in to existence in the 1990s and this is what gave birth to the internet which was first made accessible to the public having been in the sphere of governments, academic circles and fanatical engineering experts (Richard & Dennis, 1978). The internet brought with it easy linkage of practically all computers that could access a “phone line” or an Internet linked “Local Area Network (LAN)”. Afterwards the internet became commercial and the technology became all-encompassing reaching nearly every corner of the universe with a growing assortment of applications (Sandra, 1996). The initial users of the computers mainly used de facto standards which did not put into consideration the criticality of security of information but as the predecessor technologies grew into the 1990s, some sort of security measures were introduced. Today, millions of unprotected computer networks are brought together by the internet and the security of information stored in every computer is now dependent the stage of security of every other computer on that network (Bowen et al, 2007).­ Information Security in Government Organizations As society becomes increasingly dependent on information and telecommunication networks, and as the dependence on information technology (IT) growingly becomes important in the social and economic lives of people in every society, it has become very important for government organizations to move to ensure that the access of information is made safe and secure in the best way possible and to deal with information security issues. Many countries have put laws in place to ensure the security of information and especially “advanced information and telecommunications networks”. Government organizations are also finding it very crucial to give surety to security and steadfastness for the protection of personal information and also to carry out other evaluations that are required for the utilization of advanced information and telecommunications by their peoples with a feeling of safety. Various efforts have been made by the government of Australia for instance to ensure the security of information in government organizations through the department of Security and defense (DSD). According to Australian Government Department of Defense Intelligence and Security (2010), organizations that install public systems are free to decide upon their own safety procedures depending on their risk appetite and the level of security risks that is likely to affect their security systems. The Department of Defense Intelligence and Security however urges such public organizations to adhere to the standards set by the department and use them as a guideline whenever they are in the process of deciding assessment measures for their security systems. The need for a basic effort of reinforcing information security is one that has come to be acknowledged widely recently because of the emergence of various social issues regarding information security alongside broad band services for “information and tellecommunications infrastructure”as well as the dissemination of e-commerce (Knapp & Boulton, 2006). Social issues mainly include the spread of computer bugs at an international level, the rise in cybercrime, failure of information systems with regard to infrustructure that is crucial to the lives of the people both in the social and economic sector, the global threat of terrorism as well as the leakages of large quantities of classified information belonging to government organizations and individuals, etc. Government organizations have a responsibility to ensure the full protection of these types of data and at the same time improve intelligibility and user-friendliness. All this at the backdrop of increasing cyber-threats (Pipkin, 2000). Information security challenges affect all organizations but government organizations are more affected than any other types of organizations because they have got to confine, stock up and convey enormous numbers of personal, fiscal, armed forces, law implementation and other kinds of susceptible information (SANS Institute, 2001). Secondly, they also have to sustain the reliance of the populations that they serve which hold them in high esteem and who hold the organizations in high in high regard when it comes to transparency and easiness of use when it comes to accessing such information. A third factor and one of great importance is that government organizations have to act in response high demand in response to ever increasing expectations always placed on them with respect to transparency and ease of access of government information (Wall Street Journal, 2005). In the mean time, cyber threats are on the rise. For instance About 98% of organizations went through one malware intrusion in the year 2010 62% of organizations go through 50 malware on average every month About 43% of organizations reported an increase in malware attacks (Lumension Security Inc., 2011). Governments are therefore responding to cyber crimes in different and varied ways the main being passing tough laws against such malpractices. The government of US in particular proposed a review of its Federal Information Security management Act of 2002 in the year 2011 by placing the Department of Homeland security in charge of all the government computers and networks that are not relate to the millitary (Lumension Security Inc., 2011). Below are some basic characteristics or assets in information security Human Information Asset The human asset is oftenly forgotten in matters of information security but people have ealways been a major treat to information security. Peple can be a weak link in an organization’s information security system. The only things that can prevent people from unintentionally or deliberately causing a breach of information security are guidelines, creating alertness, edification, teaching and technological know-how. Otherwise they remain the most fragile link in information systems because human errors and the tendency of people to “cut corners” when it come to information can be used to influence people into compromising security systems. Physical Information Asset Harware is the physical technology that bears and carries the technical informationcomponents of information systems, stores up and transmits data and make available crossing points for the transmission of information. Policies related to information security are mainly aimed at protecting these assets from harm or theft by means of conventional security systems such as restricting right of entry into them through passwords, the use of locks and keys as well as securing the contact point where they come into contact with other similar components of an information system (Dempsey et al, 2011). The securing of the corporeal position of computers and the computers themselves is very crucial for organizations because any breach of physical security could lead to loss of information. Technical Information Asset The technical information asset is one of the components that are hardest to secure when it come s to information security. It is the lifeline of the of informations systems I organizations and it comprises generally of constituent parts such as applications, the operation system and an assortment of other command usefulness (Stamp, 2006). It is also one of the most utilized components when it comes to information security that is highly used by cyber criminals to launch their threat on information due to its likelihood of harbouring virus’ flaws and other basic problems. Information Asset Classification The importance of information comes from the distinctiveness that it holds which is why it needs protection. Below are some of the characteristics of information: Confidentiality Information possesses the characteristic of being confidential but only until a leak or a revelation occurs. Confidentiality is a characteristic that make certain that only those who are entitled to have access to certain information do so. It is also referred to as privacy especially in legal circles Availability This is the characteristic of information that allows certified users of information (persons and computer systems) the right of entry it without intrusion or hindrance and to obtain it in the obligatory structure. Its is a characteristic that often requires the proof of access for purposes of information security. Intergrity Information can only have intergrity if its intact, entire and unaffected. Intergrity of information can be threatened if the information is exposed to fraud, spoiling, obliteration or any other factors that are unsettling to its validity. Risks In Information Security Of Government Organizations All organizations have to face with cyber risks but government organizations deal with more serious and unique challenges with the numbers of occurrence s of the quantities of threats that they have to deal with rising significantly (GAO, 2009). For instance in the US alone, these threats rose by a whoping 40% in 2010 from thirty thousand cases to 42 thousand cases ((ISC)2, 2010). Malware was the mosts widespread assault which accounted for about one third of all reported attacks with most of them being “zero-day threats” which basically means malware that has not yet been accounted for as well as “social engineering” or in other worsd the process of deceiving users to visit a compromised website or download malevolent software. Exposure to “zero day” was particularly uncompromisingly utilized by criminal groups as well as other players to take advantage of the weaknesses in appliances and products , a factor that placed government organizations as well as other organizations at high risk (Stamp, 2006). Type of Risks Below is a list of some of the risks that have been reported in recent years Zeus: In the eyar 2007, a Trojan horse named Zeus made use of “keystroke logging” for purposes of stealing information frm the US department of Transportation. Zeua later resurfaced in the year 2009 when it supposedly compromised a in various organizations and in the year 2010, it allegedly hacked computers in the US and stole about 70 million dollars Stuxnet: Stuxnet worm is reprted to have infested close to 100, 000 computers in a solitary month in mid 2010. Stuxnet was deliberately aimed at attacking engineering softwares and was in the beginning broadcast through USB drives. According to experts, those behind the creation of Stuxnet were a group of vastly skilled squad supported by significant ammounts of funds. The worm concurrently subjugated “zero day”weaknesses in microsoft windows which included a “rootkit that allows continuing licensed accesibility while concealing its existence. Iranian uranium – fortification infrastructure were the supposed target but the worm spead to computers in the US and other countries. Wikileaks: Wikileaks has so far been considered by some as one of the biggest security breac in history. In mid 2010, the wikileaks organization started to leak classified information of videod carrying documentation of a US air strike, a department 32 page report from the department of defense, 260,000 diplomatic cables as well as other sensitive information. The suspected source of the information was a 22 year oold army private who allegedly copied the information into a CD. Lockheed Martin assault: Lockheed Martin identified a considerable and rather obstinate assault on its computer networks in May 2011 which had been carried out through an infringement of its electronic security after the electronic security codes were breached. No sensitive data was lost during this attack but it took the security staff at Lockheed Martin about a week to fix the systems back to their normalcy (Lumension Security Inc., 2011) Gmail Spear – Phishing Incident : In the month of Jne 2011, Google reported that it had unearthed an attempt to make away with hundreds of passwords belonging to Gmaifor purposes of keep an eye on the accounts of senior government representatives. The alleged attack was apparently perpetrated through spear phising which is a means through which perpetrators send malevolent messages which seem to be genuine or rather to be from a genuine source. The assault allegedly started off in China. Botnet: a network of computers assaulted by a trojan horse or a worm which lets them to be accessed remotely. Botnets escalation is mainly enabled by the existence of broadband and a dissident system of cyber criminals. They are usually used for spam. Clickjacking: this is a method through which web users are tricked into revealing personal information exposing their computers to be accessed. Normally it involves a user clicking on an ostensibly harmless link and see-through layers over the link redirecting the user to a different malevolent web page. Fake Antivirus: these account for about 15% of malware ((ISC)2, 2010). Web users are tricked through pop up menus instructing deceing them of a malware in the computer and misleading them to click a link: an action that sets up a Trojan horse in the computer and causes the computer to shut down until a software for removing it is purchased. Others include: Polymorphic Malware which propagates while maintaining the original algorithm, Spearpishing which is usually comes in the form of an email with enough convincing personal data with a link that leads the user to a malevolent site that downloads a code into the endpoint of the unsuspecting user and lastly but not least SQL injection which is a method that utilizes weaknesses in a layer of a database in an application to convey confidential information. SQL injections accounted for 38% of malware assaults in 2010. They are particularly a threat to government organizations because they store up sensitive data and interrelate with the people they serve via online means ((ISC)2, 2010). Amidst all these threats are some which are greater than others. For instance incidences of Malware have been reported to be on the rise day in day out with over 2 million samples of new and unique malware being reported every month with some getting through information systems. According to Lumension Security Inc. (2011), of all security breaches, 39% are malware related and 94% of all information security breaches can be traced to malware. Malware has also been reported to propagate taking new varying shapes every time. In addition to the above, social media sites are increasingly becoming channels for such attacks. For instance: About 95% of organizations have installations of applications for socisl networks About 66% of applications have acknowledged weaknesses through which attacks can be launched About 78% of web 2.0 applications on which social media sites are hosted allow file transmission About 28% of these applications proliferate malware The activities of cyber criminals have also escalated and in the recent past, assaults have greatly involved vandalism and conceited civil liberties among hackers. Defacing seems to have decreased as cyber criminals are now motivated by monetary achievements as they recognize that they can make a lot of cash from stealing information and capturing computer information (Verizon, 2010). Much greater threats for government organizations are now increasingly coming from rogue states and criinal groups who are after stockpiling know-how, mounting unrelenting threats and building up harmonized attacks. The US has for example been losing “terabytes” of data to cyber assaults and according to the division of policy in the department of defense, the level of losses is quite astounding and this includes the loss of sensitive and unspecified information (Verizon, 2010). For purposes of mitigating malware threats, employees of government organizations have risen up to the challenge by making it one of their biggest goals. Government organizations are increasingly empowered with laptops, smartphones USB devices and tablets. The makers of devices are estimated to ship about four million products with USB features by this year and most of these are estimated to make an entry into the networks of governmental organizations. This also means that the more the devices, the more their entry points and consequently the bigger the risks. According to a report by the computer Security institute, the number of “things” using IP addresses is expected to rise significantly and therefore, a better visibility is needed in networks, web applications and endpoimts and especially seeing that those endpoints rae becoming increasingly mobile (Research and Markets, 2010). Implication Of Threat In Government Organizations. Assaults to sensitive information belonging to government organizations such as nuclear institutions, power networks, telecommunications and fiscal amenities could harshly upset national defence and socio-economic services. It could also lead to terrorist attacks hence putting the state involved at high risk and subsequent loss of trust from its citizens. Cyber attacks in the global economy could also lead to political, fiscal and millitary reasons which can be dangerous to the socio-economic welfare and safety of a nation. If rogue states gain access to units of government information systems, they could use it to wage information warfares against other state which can be highly anonymous and which could cause a lot of damage. Counter Measures For The Threats Of Information Security Anti virus (AV) is failing in keeping up with the increasing threats which are further worsened by mobile users an cyber criminals. AV has been said to only detect 19% of all new assaults. In general, AV misses about 10% of all malware assaults. But there are ways out as outlined below. Technical Counter Measures Practical technical solutions apart from the use of AV involves three key factors namely: Patch Management – A thorough working system and intermediary application patching which reduces weaknesses. Intelligent application whitelisting – This is an sophisticated application security locks which lock the entry of any unfamiliar supplies and threats and even “zero day threats”. Complete Defence in depth – This is an allround approach which combines “AV, patch management, application security lock and device cotrol” to convey a strong information security system (Zwinky et al, 2000). Physical Counter Measures All the above systems can only work if they are supported by a strong physical system in the form of four steps namely: Assessment – identifiable platforms,operating systems, applications, network services and other assets. Exterior sources must always be checked to ensure they are safe through regular scanning (Kaufman et al, 2002). Prioritization – This involves maintenance of inventory of assets and a databse of “remediation information” with regard to threat, conformity, inspection and organizational assessment. Remediation – This is the modelling, staging and testing of remediation prior to setting it up. There is also a need to tutor administrators and users on best practices of managing weaknesses. Repetition – the last remediation should be examined to authenticate its success and the report be submitted for inspection and conformity. The above process should be an ongoing one Personnel Counter Measures Employing well-informed security experts in government organizations which as is the first step towards mitigating the threat to information security. It is also very important that organizations should as a necessity train their employees from time to time about safe use of the organization’s systems and data (Stamp, 2006). Conclusion Persistent weaknesses in information systems and applications persist in intimidating the privacy, reliability and accessibility of important information as well as the systems that are used to uphold the maneuvers, assets and personnel of most government organizations. Sensitive data continues to be at the mercy of threats of larceny, loss and even inappropriate leakages. This expose government organizations and the people they serve to loss of confidentiality and “identity theft”. There is a need for government organization to put proper measurements in place an din operation in order to protect their information reserves. List of References (ISC)2. (2010). Security Transcends Technology: The 2010 State of Cybersecurity from Federal CISO's perspective - An (ISC)2 Report. Retrieved August 15, 2012, from https://www.isc2.org/ Australian Government Department of Defense Intelligence and Security. (2011). Australian Government Information Security Manual. Canberra: Commonwealth of Australia. Bowen, P., Chew, E., & Hash, J. (2007). Security Guide for Government Executives. Gaithersburg, MD: National institute of Standards and Technology: Technology Administration, US Department of Commerce. Dempsey, K., Chawla, N., & Johnson, A. (2011). Information Security. Washington DC: National institutes of Standards and Technology US Department of Commerce. GAO. (2009). Information Security: Agencies Continue to Report Progress, but Need to Mitigate Persistent Weaknesses. Washington DC: GAO. Julekha, D. (2001). ACLU Knocks Eli Lilly for Divulging E-Mail Addresses. Computerworld Vol. 35. No.28 , 6. Kaufman, C., Perlman, R., & Speciner, M. (2002). Network Security (2nd ed.). New York: Prentice Hall. Knapp, K., & Boulton, R. (2006). Cyber-warfare threatens corporations: Expansion into commercial environments. Information Systems Management vOL 23. No. 2 , 76-87. Lumension Security Inc. (2011). Information Security for Government Agencies: Checks, Balances and a More Secure Endpoint. Scottsdale: Lumension Security Inc. Peter, S. (1998, November 19). Net Insecurity: Then and Now. Retrieved August 15, 2012, from Sane 98 Online: www.nluug.nl/events/sane98/aftermath/salus.html. Pipkin, D. (2000). Information Security: Protecting the Global enterprise. New Jersey: Prentice Hall PTR. Research and Markets. (2010, December). USB 2010 Semi-Annual Update. Retrieved August 15, 2012, from Research and Markets: http://www.researchandmarkets.com/reports/1478133/usb_2010_semi_annual_update.pdf Richard, B., & Dennis, H. (1978). Protection Analysis: Final Report ISI/SR-78-13. Marina Del Ray: USC/Information Sciences Institute. Robert, L. (2002). Program Plan for the ARPANET. Retrieved August 15, 2012, from Ziplink: www.ziplink.net/~lroberts/SIGCOMM99_files/frame.htm. Sandra, D. (1996). Systems Analysis and Design and the Transition to Objects. New York: McGraw Hill Publishers. SANS Institute. (2001). Information Assurance Foundations. Security Essentials Vol. 2 (1) , 1-8. Stamp, M. (2006). Information Security: Principles and Practice. Hoboken New Jersey: JohnWiley & Sons, Inc. Verizon. (2010, July 28). 2010 Data Breach Report From Verizon Business, U.S. Secret Service Offers New Cybercrime Insights. Retrieved August 15, 2012, from verizon.com: http://newscenter.verizon.com/press-releases/verizon/2010/2010-data-breach-report-from.html Wall Street Journal. (2005, February 22). ChoicePoint Data Theft Affected Thousands. Wall Street Journal Eastern Edition , p. 1. Zwinky, E., Cooper, S., & Brent, C. (2000). Building Internet Firewalls (2nd Ed.). Sebastopol: O'Relly. Read More