Global Internet Security - Essay Example

Global Internet Security Roll No: Teacher: 28th December 2008 Table of Contents Table of Contents 2 Global Internet Security 3 Introduction 3 Literature Review 4 Internet Security 4 Consequences of Loss of Security 5 Threats to Internet Security 6 Causes of Loss of Security 8 Environmental Threats 8 Logical Threats 9 Procedural threats 10 Layers of Security 10 Security policy Development 11 12 12 Key Controls 12 Minimum Requirement 13 An Approach to the Management of Risk 13 15 Internet Security Standards and Procedures 15 Virus Protection 16 Copyright Compliance 16 Data Protection 17 Risk Analysis 17 Access Control 17 Computer Misuse 17 Security Evaluation 18 Research Framework 18 Conclusion and implications 18 Bibliography 20 Global Internet Security Introduction Internet is employed in businesses, educational institutes, governmental institutes, social institutes, researching and many other places because it keeps the capability of allowing a communication path that is easier, wider, faster and user friendly. Internet plays a crucial role in the concept of globalization because it is because of internet that the world has become a globe where people can correspond with one another in a very less time. With every beneficial invention, there are also disadvantageous aspects. Because of internet, there are many global internet security concerns. Global internet security is a concern for all the world because due to internet, where people have gained many benefits, there are also many disadvantages such as internet fraud, loss of security and privacy, virus attacks, spamming, threat to data protection and computer misuse. All these threats are linked to global internet security. Internet that is accessed daily all over the world and is employed for multiple purposes is under threat. The companies, organizations, institutions and workplaces of the world that make use of internet are in need of internet security. Internet has minimized the gaps between people and their wanted works but it has also given us many disadvantages such as security threat. The computers that are kept and used in global settings are at threat in terms of security and if they are accessed illegally, there will be security threat and the private data of the companies or organizations that are working on international basis can get lost. In the lieu of internet security, there are a number of security measures that are taken such as anti-virus software, spyware, firewall and copyright authentication. There are many other security measures taken by various global organizations such as passwords for security purposes. The companies that are working online are at higher stake of lapsing of internet security. The online companies suffer from online monetary frauds that are quite problematic for the organizations. For all these purposes, further measures are required to be taken in order to safeguard the private and confidential data of internet companies. Global internet access is easier but global internet security is considered very important by all the users of internet operating globally. Literature Review Internet Security Internet is an essential resource for all working institutions whether they are educational or business oriented. The sharing of it can be a key to growth and success of the institution. Internet security can be linked to computer security because internet is dependent on computer. Computer security can be defined in terms of the availability, integrity and confidentiality of information (Bequai 2000). Its loss or improper use may have serious implications as to the continued success of an organization. Availability means that it should be ensured that information is available when you need it. Integrity means that the information should be protected from unauthorized modification and it must be ensured that information, such as price list, emailing details and other institutional information that is private can be relied upon as accurate and complete (Wojcik and Deborah 2003). Confidentiality means that the information should be protected from unauthorized disclosure, perhaps to a competitor or to the press. These can be breached in a number of ways, for example by theft or computer viruses. The result of a breach may be far greater than expected. Not only may the loss of critical information directly affect competitiveness and management but the reputation of the organization may also be damaged which could have a long-term detrimental effect (Bhimani 1996). A simple, structured approach to identifying and locating the threats which computer-based systems are likely to face is essential. Such an approach can present a view of computer security in terms of the causes and effects of loss of security, which, in turn, can be related to practical solutions (Fisk 2002). It should also allow related aspects to be considered a few at a time, resulting in a more complete, systematically derived, view. Information to be protected is that which is: Stored on computers Transmitted across networks Printed out or written on papers Sent by fax Stored on tapes or disks Spoken in conversation (including the telephone) Transmitted via e-mail Transmitted via internet Stored on databases Held on films and microfiche Included in any other methods used to convey knowledge and ideas Any breakdown in the IT function can have disastrous results. Consequences of Loss of Security There are three possible consequences of a failure of computer security; the loss of availability-the system will not be operational when required. The destruction of the computer centre represents an extreme and possibly permanent form of loss of availability; the loss of integrity-the date which the system holds and produces will not be accurate; loss of confidentiality-control of access to the system will not be maintained (for example, unauthorized access to data is possible) (Wojcik and Deborah 2003). The effect of such losses, either individually or in combination, can have serious consequences both for the computing system and for the organization as a whole (Fisk 2002). Threats in any event or activity, which could result in a loss of security, must be considered in a corporate context. IT department is an integral part of the operation of an organization, so the activities and occurrences, which directly affect it, will influence the organization, possibly to the extent of threatening its security (Bequai 2000). For example, a change in the management policy towards staff can lead to discontent amongst the IT staff, and, due to the increases probability of errors or negligence, pose a very real threat to the security of computing. If one of these errors led to the loss of commercially valuable information, or resulted in a serious delay, would cause problems for the organization (Bhimani 1996). The general identification and assessment of the relevant factors, which contribute to the loss of system security, is made difficult by the diversity of organizations and their computing needs. What is considered sufficient or adequate in a system will obviously vary from organization to organization and from time to time as circumstances change. The vulnerability and sensitivity of a system and its data, and the feasibility and costs of safeguards, must be taken into account (Sherwood 2000). Threats to Internet Security a. Virus b. Fraud c. Theft d. Trojan e. Loss of data f. Hacking All the threats such as virus, fraud, theft, Trojan and loss of data are because of internet usage. For all these threats, precautionary measures are taken so that the computers that contain confidential and important data cannot be accessed with negative motives. The virus attack is destructing for the data that is stored on computer systems. With usage of internet on daily basis, the computers have the threat of virus attack (Symantec 2004). This threat can be minimized by the use of anti-virus software and through online scanning for viruses on weekly basis. Firewall can also be employed as a means of precautionary measures. With these precautionary measures, the data and information stored on computer systems will not be lost or destructed (Sherwood 2000). Moreover, the companies that are operative all over the world should make sure to keep more than one copy to data so that there is no threat to the loss of data. Fraud is such a great threat that is very common for the companies operative online. The customers that access the internet and get online products can become a source of fraud and can get products by the help of fake payment information to the company. On the other hand, the customers can be defrauded by paying for something which, they do not get (Bequai 2000). The credit card and ATM card fraud is very common in terms of internet usage and customers and companies in the whole globe become a target of these frauds. Because of internet, such frauds are very easy and people can suffer through a great monetary loss on the basis of their personal information disclosure (Sherwood 2000). Computer theft is another threat to internet security. The personal information of a company or organization or an internet user is attained by means of theft due to which, he/she has to suffer financial or reputation loss (Bhimani 1996). The payment information is also attained through negative means such as hacking or fraud after which, it is employed for get access to customer's account and his personal data that can be injurious for the customer. Trojan attack is somewhat similar to virus attack as due to Trojans also, the security of internet is lost and the data or information stored on a computer system gets affected negatively. There are antivirus and anti-Trojan software that can be employed for the removal of Trojans and also firewall can be employed for stopping irrelevant entries from the internet (Caelli, et. al 1989). Loss of data can be there because of theft, fraud, and hacking or virus attack. For all these threats, there are effective strategies that can be employed by global consumers of internet. The companies that are operative online face a greater threat to loss of data and information because they are more vulnerable as they are linked to the globe by means of internet (Wojcik and Deborah 2003). When the users of a site are many, the threats can also be many. For companies and organizations and even for individual users of internet, internet security is must because they keep important data and information on their computers, which can be accessed because of lack of internet security measures taken by the user. Hacking is also a means of breaking the internet security. Through hacking, the personal information of a company, organization or an individual user can be leaked out and can be employed for illegal or fraudulent purposes due to which, the owner can be negatively impacted (Bhimani 1996). There are also anti-hacking software that can be installed for safeguarding the computer from being hacked. Causes of Loss of Security The IT operation is subject to a number of threats, which may bring about losses of availability, integrity and confidentiality. The threats may be classified in a number of ways. Environmental threats are those caused by occurrences outside the IT equipment (Wojcik and Deborah 2003). Often they are due to natural causes, such as fire or flood, or the failure of essential services (power or telecommunication). Logical threats cause data to be disclosed or altered in error without the equipment being affected. Procedural threats are introduced by the failure or non-existence of adequate procedures, uncontrollable access to the IT equipment would constitute a procedural threat (Fisk 2002). Deliberate or accidental threats are those threats, which are normally accidental or on any occasion can be introduced deliberately, for example, fire can be caused by arson, and software failures can be caused by the intentional introduction of a virus (Coyne and Leeson 2004). Whether the threat is accidental or deliberate, the human element usually plays a part, either in introducing the threat initially or by increasing the risk through a failure to take sufficient precautions (Caelli, et. al 1989). Threats may arise from internal or external sources. The majority of threats are usually internal. Quite understandably, deliberate threats, and threats due to acts of God, tend to attract greater attention than accidental threats. However, one should not be led to believe that deliberate threats, or those from natural causes, are the ones that occur most frequently (Bequai 2000). Statistics show that accidental threats, such as errors and omissions, occur far more often than all other types of threats put together. No Kinds of Threats Kinds of destruction 1 Environmental Fire, Flood, Failure of services, Computer failure 2 Logical Hacking, Tapping, Virus attack, Trojan attack, software and hardware failure 3 Procedural Unauthorized access Environmental Threats These are examples of environmental threats: Fire is the most common cause of disaster. The most common cause of fire is arson. Flood is frequently caused by leaks within the building. Building collapse is rare. Apart from structural failure, it can be caused by crashing aircraft or road traffic. Even the threat of collapse is enough to close the building and to put the IT within it out of use (Hoo 2000). Essential services may include power supply, air conditioning, telecommunications and water supply. If these fail, the IT system may become inoperable. Computer failure, if prolonged, may have as bad an effect on the users as a disaster like a fire. The location of the computer centre may interfere with its running. Staff may be prevented from entering due to circumstances in the neighbourhood. Such circumstances can include political demonstrations or industrial disputes at nearby premises (Coyne and Leeson 2004). Logical Threats Hacking and tapping occur when someone sets out without authority to examine computer-held data. Hacking means breaking into a network while tapping means actually connecting into a cable (Computer Science and Telecommunications Board, National Research Council 1991). These activities cause a loss of confidentiality of data. They are usually done to prove the technical skill of the hacker but may destroy the integrity and availability of the data as well as the confidentiality (Microsoft Solutions for Security and Compliance 2006). In the UK, the Law Commission and Scottish Law Commission have recommended that hacking should constitute an offence. Another form of logical threat is the Time Bomb. This is a piece of code inserted into a program, which will operate at some future date to corrupt files or software. Typically, a programmer might insert code to delete a file if his name is removed from it (Caelli, et. al 1989). Viruses are software routines deliberately circulated among computer users with the intention of spreading into other software and affecting it. The effect can be harmless, for example, a screen message, or it can be serious corrupting both data and the software (Wojcik and Deborah 2003). New viruses are constantly being produced and the effects can be most alarming. Other logical threats include fraud, espionage, theft and accidental error. Procedural threats Procedural threats cause the correct procedures to be passed by. For example, unauthorized persons may obtain access to computer equipment or media if there are inadequate checking procedures (Computer Science and Telecommunications Board, National Research Council 1991). If there are insufficient logical access procedures then data may be read or updated by people with no authority. Control over the development of new systems and the amendment of existing ones will prevent incorrect programs being put into live use (Fisk 2002). All systems are at risk through unreliable personnel. The personnel routines should ensure that only reputable staffs are employed in positions of trust. Exit procedures should ensure that staffs leaving the organization do not retain their identification or means of access (Caelli, et. al 1989). Layers of Security Threats are counteracted by security measures. These are logical security, physical security and organizational security. These layers of security are as three fences surrounding the IT system (Computer Science and Telecommunications Board, National Research Council 1991). These fences will never be intact, but the nearer to completeness they are, the better the security will be. Security at organizational level covers staff control and discipline, adequate procedures, properly supervised and awareness of security requirements throughout the organization (Wojcik and Deborah 2003). Staff functions and procedures need to be well defined and supervised as that any departure from the normal routines causes comment and subsequent investigation. Examples are job separation, standard documentation and monitoring controls. However, sometimes mistakes occur, the correct protocols are ignored or intruders gain access to the premises. For these instances, physical security is required. This covers protection against environmental threats and physical protection against unauthorized access (Computer Science and Telecommunications Board, National Research Council 1991). Examples are building access restriction, internal restricted areas and fire detection and control. Sometimes, even authorized people will attempt, by accident or design, to misuse the equipment. To prevent this, logical security is required. This limits data and software based on the need of each individual to know the item concerned. It is most effective if applied on an individual basis and if each apparent misuse is investigated (Bhimani 1996). Examples are identification by password, control records and authentication of data. Security policy Development There are five steps, which should be taken in formulating a security programme for any organization. Appreciation for the need for security: Unless senior management understands the need for security, the programme is unlikely to succeed. Classification of information: This is not essential but it provides a useful yardstick whereby the threats to data and the actions necessary to protect the data may be measured (Bequai 2000). All the information should be classified, including that held only in paper form. Risk Management: This will cover the assessment of risks and identify suitable countermeasures. Policy preparation: An IT security should be prepared and circulated. This demonstrates management's commitment to security and ensures that everyone in the organization is aware of the importance of security (Symantec 2004). Implementation: The policy will be implemented by the setting up of standards and procedures, and by the correct use of any countermeasures introduced (Hoo 2000). The whole process is iterative. As time goes by the risk management process, the policy and the implementation will be refined (Computer Science and Telecommunications Board, National Research Council 1991). Security should never stand still as the threats and countermeasures available are always changing. The policy and its implementation should continually be reviewed and updated as necessary. Technology development 0 Threats to Organizational Security With technology development and with internet boosting, the threats to organizational security all over the world are increased (Hoo 2000). Now, the companies are working online due to which, not only their business has spread globally but they also have the threat globally. With restricted setups, the threats were also minimized and with global setups, the threats are also globalized. Threats to Security because of Internet Key Controls The code of practice for information security management was published in 1995 as a British standard, BS 7799. It contains many controls and identifies ten that are considered key controls (Computer Science and Telecommunications Board, National Research Council 1991). These can be considered as a baseline for providing information security. 1. Information security policy document 2. Allocation of information security responsibilities 3. Information security education and training 4. Reporting of security incidents 5. Virus controls 6. Business continuity planning process 7. Control of proprietary software copying 8. Safeguarding of organizational records 9. Data protection 10. Compliance with security policy Minimum Requirement At a minimum, the security policy should include guidance on the following areas: The importance of information security to the business processes A statement from top management supporting the goals and principles of information security (Hoo 2000). Specific statements indicating minimum standards and compliance requirements for legal, regulatory and contractual obligations; security awareness and educational requirements; virus prevention and detection and business continuity planning (Coyne and Leeson 2004). Definition of responsibilities and accountabilities for information security Details of the process for reporting suspected security incidents. Develop, implement and periodically review the company security policy and procedures. An Approach to the Management of Risk A record should be kept of each identified risk, with the key factor to be addressed. Many possible methods, techniques or software tools will assist in the management of risk. Although the management of risk is a cyclic process, it can be considered to have two main parts, risk analysis (the gathering of information about risks and preparation of alternatives) and risk management (decision-making, taking action and watching what happens). Risk analysis phase can be divided into three steps (Wojcik and Deborah 2003). They are risk identification, risk estimation and risk evaluation. Risk management phase can be divided into four steps. They are planning, resourcing, controlling and monitoring (Fisk 2002). Risk management represents a systematic approach to the problem posed by threats. It should ensure that countermeasures are applied where they will be most effective and where the need is greatest (Bequai 2000). There are five parts to the practice of risk management: 1. Identification of assets: Defining the resources, including hardware, systems and people, which require protection (Caelli, et. al 1989). 2. Identification of threats: Finding the vulnerabilities and assessing the threats, which will exploit those vulnerabilities. 3. Assessment of consequences: The amount of damage that may be caused if any threat is realized and the likelihood of this happening should be assessed. These two factors are used to calculate the risk (Coyne, et. al 2004). 4. Selection of countermeasures: The most cost effective countermeasures should be selected so as to reduce the risk to an acceptable level (Caelli, et. al 1989). When the countermeasures are in place, the risks should be recalculated to ensure that the measures have been effective. 5. Preparation of contingency plans: Contingency plans are required to assist recovery from an unexpected disaster, which the countermeasures failed to prevent (Coyne, et. al 2004). The whole process is subject to continuous review and update as necessary. Internet Security Standards and Procedures No Standards and Procedures Businesses Having Policies and Procedures 1 Virus Protection 95 percent 2 Copyright Compliance 60 percent 3 Data Protection 75 percent 4 Risk Analysis 36 percent 5 Access Control More than 75 percent 6 Computer Misuse 46 percent 7 Software Evaluation 20 percent Virus Protection Viruses having received considerable publicity in recent years, so it is no surprise to discover that 95 % of organizations have some policies and procedures for preventing virus attacks (United States Department of Health & Human Services 2003). Prohibition of unauthorized software is the most common policy and loading of unauthorized software is still the most common cause of virus infection. However, there were a number of cases reported where viruses entered the organization via authorized software updates and in one case on a new PC, direct from the suppliers (Bhimani 1996). Over 80 % of organizations have either virus detection or change detection software on all systems or a central disk checking facility (Bequai 2000). User awareness programmes were also in place in over half of organizations. A number of respondents who had experienced virus incidents mentioned that the incident was used to raise user awareness (Caelli, et. al 1989). Copyright Compliance Sixteen per cent of organizations reported infringements of software licence conditions. Comparisons with the 1994 survey suggest that organizations have tightened up procedures in this area (Caelli, et. al 1989). The proportion citing a formal policy has increased from 55 % to 72 %, monitoring to ensure compliance has increased from 32 % to 61 % and guidelines or training for users has increased from 29 % in the 1994 survey to 55 % in 1996 (Fisk 2002). Data Protection Almost three quarters of organizations have a designated employee who can advise users on data protection issues. Many of them also have a user awareness programme. There was a strong correlation between industry sector and the emphasis on data protection issues (Stallings 1997). In the government sector, 95 % have an individual with responsibility for advising users on data protection and 66 % have a user awareness programme. Other leading sectors were education (91 % and 70 %), health (81 % and 76 %) and finance (86 % and 60 %) (Bhimani 1996). Risk Analysis Just over one third of organizations (36 %) said that they carry out detailed risk analysis of IT applications. This is more likely to be used for mainframe or network based applications than for standalone applications (Symantec 2004). Risk analysis at the design stage was most common for mainframe or network based applications. Access Control Access control procedures exist in most organizations. Password protection for network access and password protection for specific applications were much more common than password protection for individual PCs (Symantec 2004). A number of those who indicated that they have password protection for individual PCs pointed out that this was for specific PCs or portable PCs only. Over three quarters of the respondents had implemented formal corporate standards relating to password security and procedures for controlling and changing passwords (Coyne and Leeson 2004). Computer Misuse Nearly half (46 %) of the respondents said that they provide a clear definition and notification of those parts of the system to which each user has authorized access. A warning about computer misuse is displayed on or near all terminals in 17 % organizations and 44 % give staff a written warning about the disciplinary consequences of computer misuse (Bhimani 1996). Security Evaluation There are standardized European criteria for the security of IT systems and products, known as ITSEC. In the UK, third party assessment against these criteria is certified by the ITSEC scheme. Just fewer than 20 % of the respondents were already aware of the ITSEC scheme, although the proportion was much higher in the larger organizations (41 % of those employing over 1000 staff) and the finance sector (also 41 %). Of those who were aware of the scheme, almost one third gave preference to certified products (Coyne and Leeson 2004). Thirty-one per cent of respondents had had the security of some systems assessed by a third party but three quarters of these were not aware if this assessment was carried out to a recognized standard (Bhimani 1996). Research Framework For obtainment of data related to global internet security, a detailed literature review is done. Literature review plays a crucial role in any kind of research because it reports about the background studies and work done in the same area or an area that is somehow related to the particular area of research. The literature review is not a summary of the articles, books and other resources accessed but those that are evaluated in terms of their relevancy for a specific research. For researching the topic of global internet security, the works written by writers concerning security and internet usage are accessed and employed in research as to get relevant details regarding the research. Conclusion and implications Due to internet, a revolution of technology and information has come. Internet has facilitated us with many advantages but along with its advantages, there are also disadvantages due to which, the businesses working online and with the help of internet are threatened because of security lapses. Internet security is considered a very crucial subject all over the globe because at one hand, internet connects the world like a globe and has generated the concept the globalization and on the other hand, due to usage of internet, there are security problems for the international companies and customers. Internet security is very significant for the companies working with internet technology all over the world. The world is facing the challenge of internet security on global basis. There are threats of virus attack, Trojans attack, fraud, theft, hacking and loss of crucial data. Data protection is very important for the businesses because of the significance of data. There should be precautionary measures in terms of internet security. Internet is required to be employed by commercial as well as household usage on global terms but the users should keep in mind the notion of internet security. They should not reveal their personal information without making sure that their information is going to be in safe hands. There should be anti-virus and anti-Trojan software that can minimize or stop the damage to data stored in a computer. There should be authenticated passwords for the users. There should be some ways through which the accuracy of credit cards and ATM cards can be assessed. Moreover, only registered companies should be provided with personal data in case of need and other companies should not be trusted. For hacking, there should be anti-hacking software that can stop the entrance of irrelevant entrants. For internet security, global measures are required to be taken because internet connects not through pone place or one location but to the whole globe due to which, there is a greater threat to security which should be considered and dealt likewise. Bibliography Bequai, A. America's Internet Commerce and the Threat of Fraud. Computers and Security 19 (8) (2000): 688-691. Bhimani, A. Securing the Commercial Internet. Communications of the ACM 39 (6) (1996): 29-35. Caelli, W., Longley, D. and Shain, M. Information Security for Managers, Stockton Press. Ernst and Young (1999) 6th Annual Information Security Survey, 1989: 56-82. Computer Science and Telecommunications Board, National Research Council. Computers at Risk: Safe Computing In the Information Age. Washington D.C.: National Academy Press, 1991: 56-87. Coyne, Christopher and Leeson, P. Who Protects Cyberspace' Global Prosperity Initiative Working Paper 37, Mercatus Center: George Mason University, 2004: 44-73. Fisk, Mike. Causes & Remedies for Social Acceptance of Network Insecurity, contribution to the "Workshop on Economics and Information Security", Berkeley: University of California, 2002: 106-127. Hoo, Kevin J. Soo. How Much is Enough' A Risk Management Approach to Computer Security. Working Paper, Center for International and Security Studies: Stanford University, 2000: 138-152. Sherwood, J. Opening up the Enterprise, Computers and Security 19 (8) (2000): 710-719. Symantec. Symantec Internet Security Threat Report: Trends for July 1, 2003, (2004): 112-134. United States Department of Health & Human Services. Information Security Program, Risk Assessment Guide, 2003: 107-123. Wojcik, Caryn and Deborah, Gouin. "Managing Electronic Records in the 21st Century." Information Management Journal.' 37 (11) (2003): 44-50. Read More