The Major Categories of Information Security Controls

Business Information Systems

Part A

Q1. Define security, threat, exposure and vulnerability in relation to information systems security. Identify which components of a computer-based information system must be protected by information system security.

Information system security is the combination of hardware and software measures, firewalls among them, that limit a computer system's exposure to attackers (Atul & Rex 2005, p.275). Most systems sit on a local area network (LAN) that is in turn connected to the Internet, and that connection is where most of the exposure comes from. Security, in relation to an information system, is the system's capability to protect the confidentiality, integrity and availability of its information. A threat is any possible source of harm to the system or its data. Within an organization, computer systems face threats such as errors and omissions, theft and fraud, employee sabotage, industrial espionage, malicious hackers and malicious code (Talal & Husam 2008, p.45). Exposure is a state in which a system allows attackers to gather information about it and, often, to hide their activities on it (Louise, Patrik & Péter 2006, p.788); it is usually caused by system errors or misconfiguration that leave the whole system open to attack. A vulnerability is a weakness in the operating system or in another software component that an attacker can exploit (Atul & Rex 2005, p.303). The growth of the Internet has multiplied vulnerabilities by exposing most organizations' systems to remote attackers, and widely deployed products such as Microsoft's have been frequent targets.

Q2. Explain malware and the three major categories of software attacks. Include definitions of a logic bomb, back door, denial-of-service attack and distributed denial-of-service attack.
Malware is short for malicious software: a program designed to infiltrate or damage a computer without the consent of its users (Vasileios & Diomidis 2007, p.297). It is an umbrella term that covers worms, viruses, spyware, Trojans and rootkits. The three major categories of software attack are passive, active and distributed attacks. A logic bomb is code intentionally inserted into a software system that triggers a malicious function when specified conditions are met (Helen, Sarandis & Christos 2011, p.285). Logic bombs are usually planted by insiders who already have authorized access, so they evade perimeter controls; they are a strong argument for code review and for tested backups. A back door is code that an attacker adds to an information system in order to retain unauthorized access over a long period (Talal & Husam 2008, p.46); users may install one inadvertently by running a Trojan horse. In short, it is a means of gaining illegitimate access to the information system. A denial-of-service (DoS) attack is an attack on a networked system, such as a server, that aims to make it unusable for its legitimate users (Talal & Husam 2008, p.50). It usually does not damage the system itself; it exhausts the system's resources by exploiting weaknesses in network protocols and their implementations. A distributed denial-of-service (DDoS) attack uses many compromised hosts at once to overwhelm a server and take its website offline (Talal & Husam 2008, p.50). Attackers use it against large, popular websites to disable them for as long as the attack can be sustained.

Q3. Define and discuss the major categories of information security controls. Provide two examples of each.
Computer security controls fall into three major categories: physical, technical and administrative controls (Tran K & Tran T 2013, p.15). Together they define how security is implemented. Physical controls are the measures that deter unauthorized physical access to the information system (Tran K & Tran T 2013, p.16); examples include closed-circuit surveillance cameras, picture IDs, security guards, motion or thermal alarm systems, and biometrics such as voice, face, iris, handwriting and fingerprint recognition. Technical controls use technology to control access to, and use of, sensitive data within physical structures and across the network (Tran K & Tran T 2013, p.16). They exist at different scopes and rely on technologies such as encryption, smart cards, network authentication, access control lists (ACLs) and file integrity auditing software (Stefanos 2004, p.260). Administrative controls address the human factor: they apply to personnel at every level of the organization and determine which users may access which information and resources (Tran K & Tran T 2013, p.16). Examples include training and awareness programmes, disaster preparedness and recovery plans, separation of duties, and registration and accountability of personnel. Across the three categories, individual controls serve deterrent, corrective or recovery purposes.

Q4. Define a business continuity plan, contrasting a cold, warm and hot site.

A business continuity plan (BCP) is the document that holds all the critical information a business needs in order to remain operational after an adverse event (Joan 2004, p.63). It can also serve as the organization's emergency plan.
An organization needs an effective business continuity plan that clearly identifies its vital business processes. The document contains information such as an employee contact list, key supplier and vendor information, key contacts, recovery locations, the company's inventory, communication venue lists and the disaster response plan. A cold site is a backup facility to which the business relocates when its primary site has been destroyed, damaged or made inoperable (Tran K & Tran T 2013, p.7). It offers space, power and connectivity but little or no installed equipment and no current data, so it is the cheapest option to maintain and the slowest to bring into operation, typically taking days or weeks. A hot site, by contrast, is a location where the organization can resume operations during a disaster because it already holds all the vital equipment the business needs, including backups, computer systems and telephone jacks (Dennis, Olivia & Brandon 2012, p.180). Hot sites are the most expensive to install, can be operational within a few hours, and suit businesses that depend heavily on internal networking and the Internet; they are usually operated by a third-party provider rather than by the company that contracts for them. Finally, a warm site is a recovery facility that is partially equipped with the necessary hardware and software, power supply and communication equipment (Arthur & Quey 2006, p.348), and so sits between the other two in both cost and recovery time.

Part B

Claim
Facebook fails to protect users' privacy.

Data/Evidence
Approximately 45,000 user credentials were stolen by the Ramnit malware, according to the security researchers who were called in to examine the security of the Facebook site. The case study also states that 800,000 machines were infected by the virus in the short period between late September and early December 2011. A further statistic is Symantec's report attributing 17.3% of malware infections to worms related to Ramnit. In Toulmin's model of argument, the evidence supplies the grounds for the claim.
The grounds state the basis of the claim and show where the argument comes from. Using the model, it is possible to assess the validity of the evidence supporting the argument that Facebook has failed to safeguard users' privacy. All the evidence in this case study holds up, since it is backed by authenticated statistical figures and percentages.

Warrant
With respect to the subject, 45,000 stolen credentials are enough to make the situation serious: the social network has failed to protect its customers, and a large number of their machines have been affected. A warrant is an assumption about the situation on the ground. If 800,000 machines have been infected, there is a high probability that the virus will spread further, because people use those machines to connect to other sites and so carry Ramnit to them; the result is damage to other organizations and businesses. Facebook's management, for its part, asserted that most of the stolen user information was out of date, which only increases users' exposure to Ramnit. It is therefore appropriate to apply causal argument to this case: Facebook users should not need to be told by management to keep their information current, since taking precautions is their own choice. Conversely, Facebook cannot use this claim as a defence, because its management designed a website that does not protect its users and is vulnerable to information system threats.

Backing
The virus steals user passwords while hiding its activity, and malware that operates covertly is difficult to identify. This is confirmed by the information security professionals who were called in to deal with the Ramnit outbreak.
This is sufficient backing for the claim that Facebook has failed to protect its users, since it is substantial evidence of the problem. The technical expert team raised a further concern: the virus is spread by highly skilled attackers, although the organization claims to be devising ways of dealing with the problem. In other words, Ramnit does not spread by itself but through people who exploit the system's inability to protect users' confidential information. In short, the organization built a system that was vulnerable to cyber threats.

Rebuttal
The rebuttal arising from the case study is that Facebook tries to shift the blame away from itself by claiming that the issue has only just come to its attention, that is, that it is only now detecting the violation of its users. Given the well-known threats on the Internet, the company could have devised ways of dealing with uncertainties such as attacks by hackers and other Internet criminals. Another classic rebuttal is the advice against clicking unusual links: the corporation is trying to advise users which links to click and which to avoid, but users find it difficult to tell bad links from good ones, so management must instead find the system mechanisms that best protect users from hackers. In Toulmin's model, these rebuttals represent the exceptions to the argument. An idea is put forward to shift attention from the main subject, so that Facebook distances itself from the claim that it is responsible for the violation of users' privacy and ultimately opposes the claim.

Qualifier
A good qualifier for this argument is the researchers' finding that shows clearly how hackers use Ramnit to gain unauthorised access to user accounts.
Once inside an account, the attackers recommend infected links to the account owner's friends, which spreads Ramnit further. The research is therefore a strong qualifier for the claim that Facebook has failed to protect users' privacy: if hackers can access the information of many users, the service is evidently incapable of protecting their privacy. Toulmin, however, defines the qualifier as the component of the argument that expresses the degree of force or confidence with which the claim is asserted.

Your Opinion
This argument confirms that Facebook did not anticipate that security issues would arise from hacking of its system, because it did not put in place a security system to protect users' confidential information such as private and personal data. The system's design left it vulnerable to attacks such as malware. All of the elements of the argument above point to the inadequacy of Facebook's information security in protecting private accounts: people have used Ramnit to hack into many accounts, while the corporation professes ignorance by stating that the issue has only just come to its attention. Facebook has therefore failed to protect users' privacy, given the large number of infected computers and the large number of hacked accounts.

References
Arthur, J. C. & Quey, Y. 2006, 'On security preparations against possible IS threats across industries', Information Management & Computer Security, vol. 14, no. 4, pp. 343–360.
Atul, G. & Rex, H. 2005, 'Information systems security issues and decisions for small businesses: an empirical examination', Information Management & Computer Security, vol. 13, no. 4, pp. 297–310.
Dennis, C. G., Olivia, F. L. & Brandon, P. M. 2012, 'Outsourcing and replication considerations in disaster recovery planning', Disaster Prevention and Management, vol. 21, no. 2, pp. 172–183.
Helen, K., Sarandis, M. & Christos, D. 2011, 'An advanced web attack detection and prevention tool', Information Management & Computer Security, vol. 19, no. 5, pp. 280–299.
Joan, L. L. 2004, 'Business continuity plans: an overview', Journal of Investment Compliance, vol. 5, no. 2, pp. 62–64.
Louise, W., Patrik, B. & Péter, R. 2006, 'Information security: an application of a systems approach', Kybernetes, vol. 35, no. 6, pp. 786–796.
Stefanos, G. 2004, 'Enhancing Web privacy and anonymity in the digital era', Information Management & Computer Security, vol. 12, no. 3, pp. 255–287.
Talal, H. H. & Husam, A. A. K. 2008, 'Investigating perceived security threats of computerized accounting information systems: an empirical research applied on Jordanian banking sector', Journal of Economic and Administrative Sciences, vol. 24, no. 1, pp. 41–67.
Tran, K. D. & Tran, T. 2013, 'A survey on security visualization techniques for web information systems', International Journal of Web Information Systems, vol. 9, no. 1, pp. 6–31.
Vasileios, V. & Diomidis, S. 2007, 'A PRoactive malware identification system based on the computer hygiene principles', Information Management & Computer Security, vol. 15, no. 4, pp. 295–312.
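Q2 describes denial-of-service and distributed denial-of-service attacks as attempts to overwhelm a server from one host or from many. As an added example, not taken from the essay or its sources, the Python script below runs the detection logic a defender would apply over web-server access logs in Common Log Format: it buckets requests into fixed time windows, flags any single source that exceeds a per-window request threshold (the single-host pattern), and separately flags a window whose total request count is spread across many distinct sources, where no one source stands out (the distributed pattern). The IP addresses, thresholds and log lines are constructed sample data.

```python
"""Flag single-source and distributed request floods in Common Log Format access logs."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# e.g. 203.0.113.7 - - [10/Jan/2012:12:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"src": m["src"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def detect_floods(lines, window_s=10, per_source_max=50, total_max=200, min_sources=20):
    """Bucket requests into fixed windows of window_s seconds and raise two kinds of alert.

    'dos'  : a single source alone sent more than per_source_max requests in a window.
    'ddos' : the window holds more than total_max requests from at least min_sources
             distinct sources, so no per-source rule would have caught it.
    Thresholds here are illustrative; tune them against the site's normal traffic.
    """
    buckets = defaultdict(Counter)  # window start (epoch seconds) -> Counter(src -> requests)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, never allowed to abort the scan
        epoch = int(rec["ts"].timestamp())
        buckets[epoch - epoch % window_s][rec["src"]] += 1

    alerts = []
    for start in sorted(buckets):
        counts = buckets[start]
        when = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
        for src, n in counts.most_common():
            if n <= per_source_max:
                break  # most_common() is descending, nothing further can exceed the limit
            alerts.append({"kind": "dos", "window": when, "src": src, "requests": n})
        total = sum(counts.values())
        if total > total_max and len(counts) >= min_sources:
            alerts.append({"kind": "ddos", "window": when,
                           "sources": len(counts), "requests": total})
    return alerts


def build_sample_log():
    """Constructed log: normal traffic, then a single-source flood, then a distributed flood."""
    t0 = datetime(2012, 1, 10, 12, 0, 0, tzinfo=timezone.utc)

    def line(src, t, path="/"):
        return f'{src} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for s in range(30):                      # 0-29 s: five clients, one request per second each
        for i in range(5):
            lines.append(line(f"192.0.2.{i + 1}", t0 + timedelta(seconds=s)))
    for k in range(120):                     # 30-39 s: one host sends 120 requests
        lines.append(line("203.0.113.7", t0 + timedelta(seconds=30 + k % 10), "/login"))
    for b in range(60):                      # 40-49 s: 60 hosts send 5 requests each (300 total)
        for k in range(5):
            lines.append(line(f"198.51.100.{b + 1}", t0 + timedelta(seconds=40 + 2 * k), "/search"))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

The second rule exists because the first is exactly what a distributed attack is designed to defeat: with 60 sources sending 5 requests each, no single source looks abnormal, and only the aggregate does. Fixed buckets are deliberately simple; a burst straddling a window boundary can be halved and missed, so production detectors use sliding windows or rate estimators, and a single source address behind carrier NAT may represent many legitimate users.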