auc9.docx

Upload: raj-kumar-yadav

Post on 23-Feb-2018


  • 7/24/2019 AUC9.docx

    1/8

    AUC-002: CYBER SECURITY

    UNIT-1

    Introduction to information systems, Types of information systems, Development of information systems, Introduction to information security, Need for information security, Threats to information systems, Information assurance, Cyber security, and Security risk analysis.

    INTRODUCTION TO INFORMATION SYSTEMS

    An information system (IS) is any combination of information technology and people's activities using that technology to support operations, management, and decision-making. In a very broad sense, the term information system is frequently used to refer to the interaction between people, algorithmic processes, data and technology. In this sense, the term refers not only to the information and communication technology (ICT) an organization uses, but also to the way in which people interact with this technology in support of business processes.

    An information system is a work system whose activities are devoted to processing (capturing, transmitting, storing, retrieving, manipulating and displaying) information. An information system is a mediating construct between actions and technology.

    An information system is a system used for organizing and processing information, generally computer-based. It is also a useful system within a business because it manages the development and operation of the business's information. The importance of information systems is growing, as data is now moving towards a digital form instead of a purely paper-based one. The benefit is that the data becomes readily available and more secure, because the system prevents unauthorized access to it. In hospitals, for example, information systems are very helpful: your data is stored in computers, and wherever you are in the hospital your details are available at a few keystrokes.

    Some Applications of Information Technologies:

    1. Multimedia Applications: Multimedia is the term used to denote the combination of multiple media. Multimedia includes the combination of text, video, audio, graphics, animation etc. We define a multimedia system as a computer-controlled environment which is used to process individual images, sound, and text.

    2. Office Application and Desktop Publishing: Computers are also finding applications in day-to-day office problems. An electronic office uses computers for procurement of files, office communication, assisting in decision making and administrative work. There are office tools like MS Word, Excel, PowerPoint etc.


    3. Education and Research: Information technology has proved to be extremely useful for education and research. A lot of time is wasted in finding the relevant information source. With the popularity of the World Wide Web and easy accessibility to the internet, it now takes a few seconds to find any desired information.

    4. Banking and Financial Institutions: Information technology has helped banking and financial institutions to automate their business processes and minimize transactional delays. With the application of computers, it has become possible to clear recurring dues like payment for electricity, telephone bills, shopping bills etc.

    INFORMATION SYSTEM THREATS:

    A threat is anything (man-made or an act of nature) that has the potential to cause harm.

    A threat is also defined as a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.

    Threat modeling is a procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. In this context, a threat is a potential or actual adverse event that may be malicious (such as a denial-of-service attack) or incidental (such as the failure of a storage device), and that can compromise the assets of an enterprise.

    CLASSIFICATION OF SECURITY THREATS:

    In order to produce a secure system, it is important to classify threats. Threats can be classified as:

    1. Physical threats, 2. Accidental error,

    3. Unauthorized access, 4. Malicious misuse.

    1. PHYSICAL THREAT:

    A physical threat to a computer system could result from loss of the whole computer system, damage to hardware, damage to the computer software, theft of the computer system, vandalism, or a natural disaster such as flood, fire, war, earthquake etc. Acts of terrorism, such as the attack on the World Trade Centre, are also among the major threats to computers and can be classified as physical threats.

    Another good example of a physical threat to computer systems is the flooding of the city of New Orleans (Hurricane Katrina), during which valuable information was lost and billions of computer data were destroyed.

    2. ACCIDENTAL ERROR:

    This is also an important security issue which computer security experts should always take into consideration when designing security measures for a system. Accidental errors could occur at any time in a computer system, but having proper checks in place should be the major concern of the designer. Accidental error includes corruption of data caused by programming errors, user errors or operator errors.
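    The "proper checks" the section calls for can be shown concretely. The following is an added example, not code from the original notes: a toy record store (the store, its record fields and the corrupt_for_demo() helper are all constructed for this illustration) that validates records before writing them, so a programming error that builds a malformed record is rejected, and keeps a SHA-256 checksum beside every record, so data corrupted by a faulty write or an operator slip is detected when it is read back rather than silently used.

```python
import hashlib
import json


class CorruptRecordError(Exception):
    """Raised when a stored record no longer matches its recorded checksum."""


def digest(data: bytes) -> str:
    # SHA-256 over the raw bytes; any accidental change to the bytes changes this value.
    return hashlib.sha256(data).hexdigest()


class CheckedStore:
    """Toy record store (constructed for this example) that keeps a checksum
    beside every record so accidental corruption is detected on read."""

    def __init__(self):
        self._records = {}    # key -> bytes (stands in for the disk)
        self._checksums = {}  # key -> sha256 hex digest recorded at write time

    def put(self, key: str, record: dict) -> None:
        # Validate before writing: a programming error that produces a record
        # without the required fields is rejected instead of silently stored.
        for field in ("id", "amount"):
            if field not in record:
                raise ValueError(f"record missing required field {field!r}")
        if not isinstance(record["amount"], int) or record["amount"] < 0:
            raise ValueError("amount must be a non-negative integer")
        data = json.dumps(record, sort_keys=True).encode()
        self._records[key] = data
        self._checksums[key] = digest(data)

    def get(self, key: str) -> dict:
        data = self._records[key]
        # Integrity check first: never hand corrupted bytes to the application.
        if digest(data) != self._checksums[key]:
            raise CorruptRecordError(f"record {key!r} failed integrity check")
        return json.loads(data)

    def corrupt_for_demo(self, key: str) -> None:
        # Simulates an accidental error (e.g. a faulty write path flipping one
        # byte) that bypasses put(); constructed purely for the demonstration.
        data = bytearray(self._records[key])
        data[0] ^= 0x01
        self._records[key] = bytes(data)

    def verify_all(self) -> list:
        """Periodic audit: return the keys whose bytes no longer match their checksum."""
        return [k for k, d in self._records.items()
                if digest(d) != self._checksums[k]]


def demo() -> tuple:
    store = CheckedStore()
    store.put("inv-1", {"id": 1, "amount": 250})
    store.put("inv-2", {"id": 2, "amount": 75})
    ok_before = store.verify_all()            # nothing corrupted yet -> []
    store.corrupt_for_demo("inv-2")
    bad_after = store.verify_all()            # the audit names the damaged record
    try:
        store.get("inv-2")
        detected = False
    except CorruptRecordError:
        detected = True                       # read path refuses corrupted data
    try:
        store.put("inv-3", {"id": 3})         # programming error: amount missing
        rejected = False
    except ValueError:
        rejected = True                       # caught at write time
    return ok_before, bad_after, detected, rejected


if __name__ == "__main__":
    print(demo())
```

    A checksum detects accidental corruption but does not prevent deliberate tampering, since whoever can alter the record can usually recompute its hash; that is why a keyed MAC or signature is used once the threat is malicious rather than accidental.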

    3. UNAUTHORIZED ACCESS:

    Data stored on the computer system has to be accessed for it to be translated into useful information. This also poses a great security threat to the computer system, because unauthorized persons may gain access to the system. Not only this, information can also be accessed via a remote system while it is being transmitted from one point to the other over network media, which include wired and wireless media. Consider an organization in which a member of staff at a particular level of hierarchy within the establishment is only allowed access to a specific area, according to the policy of the organization. If such employees, by means not set out in the organization's policy, gain access to the restricted data area on the computer, this can be termed unauthorized access.
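    The staff-hierarchy scenario above maps directly onto a policy check with an audit trail. The following is an added example, not code from the original notes; the organization policy (the AREA_MIN_LEVEL table), the staff names and the hierarchy levels are all constructed assumptions. It enforces the rule that a staff member may only read areas at or below their level, fails closed for areas the policy does not mention, and records every denied attempt so that someone reaching for restricted areas "by other means" shows up in the audit summary.

```python
from dataclasses import dataclass

# Constructed organization policy: each data area has a minimum hierarchy level
# (higher number = more senior). These areas and numbers are assumptions for the example.
AREA_MIN_LEVEL = {
    "public-notices": 1,
    "department-files": 2,
    "payroll": 3,
    "board-minutes": 4,
}


@dataclass(frozen=True)
class Staff:
    name: str
    level: int


class AccessDenied(Exception):
    pass


def is_permitted(staff: Staff, area: str) -> bool:
    """Policy check: the member's level must meet the area's minimum.
    Unknown areas are denied (fail closed) rather than allowed by accident."""
    required = AREA_MIN_LEVEL.get(area)
    return required is not None and staff.level >= required


def access(staff: Staff, area: str, audit: list) -> str:
    """Enforce the policy and record every attempt in the audit trail.
    Denied attempts are recorded, not silently dropped: a cluster of them is
    how the organization notices someone probing restricted areas."""
    decision = "ALLOW" if is_permitted(staff, area) else "DENY"
    audit.append((staff.name, staff.level, area, decision))
    if decision == "DENY":
        raise AccessDenied(f"{staff.name} (level {staff.level}) -> {area}")
    return f"contents of {area}"  # stands in for the real data area


def denied_attempts(audit: list, threshold: int = 2) -> dict:
    """Summarise the audit trail: names with at least `threshold` denials."""
    counts = {}
    for name, _level, _area, decision in audit:
        if decision == "DENY":
            counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c >= threshold}


def demo() -> tuple:
    audit = []
    clerk = Staff("asha", 2)      # constructed staff member, level 2
    manager = Staff("ravi", 3)    # constructed staff member, level 3
    results = []
    attempts = [
        (clerk, "department-files"),  # at the clerk's own level -> allowed
        (manager, "payroll"),         # manager meets payroll's minimum -> allowed
        (clerk, "payroll"),           # below the required level -> denied
        (clerk, "board-minutes"),     # denied
        (clerk, "archive-x"),         # area not in policy -> denied (fail closed)
    ]
    for who, area in attempts:
        try:
            access(who, area, audit)
            results.append("ALLOW")
        except AccessDenied:
            results.append("DENY")
    return results, denied_attempts(audit)


if __name__ == "__main__":
    print(demo())
```

    The check is deliberately placed in one function (access) that every caller must go through; access that bypasses that function is exactly the "other means" the text describes, which is why the audit trail, not the check alone, is what makes such access visible.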

    4. MALICIOUS MISUSE:

    Any form of tampering with the computer system, which includes penetration, Trojan horses, viruses and any form of illegal alteration of the computer system, including the generation of illegal code to alter the standard code within the system, can be termed malicious misuse. This could also lead to great financial loss and should be prevented in all cases.


    The six major types of information systems, corresponding to each organizational level, are:

    1. Executive Support System ("ESS")

    2. Management Information System ("MIS")

    3. Decision-Support Systems ("DSS")

    4. Knowledge Management Systems ("KMS")

    5. Transaction Processing Systems ("TPS")

    6. Office Automation Systems (OAS)

    An Executive Support System ("ESS") is designed to help senior management make strategic decisions. It gathers, analyzes and summarizes the key internal and external information used in the business. A good way to think about an ESS is to imagine the senior management team in an aircraft cockpit, with the instrument panel showing them the status of all the key business activities. ESS typically involves a lot of data analysis and modeling tools, such as "what-if" analysis, to help strategic decision-making.


    A Management Information System ("MIS") is mainly concerned with internal sources of information. An MIS usually takes data from the transaction processing systems and summarizes it into a series of management reports. MIS reports tend to be used by middle management and operational supervisors.

    Decision-Support Systems ("DSS") are specifically designed to help management make decisions in situations where there is uncertainty about the possible outcomes of those decisions. A DSS comprises tools and techniques to help gather relevant information and analyze the options and alternatives. DSS often involve the use of complex spreadsheets and databases to create "what-if" models.

    Knowledge Management Systems ("KMS") exist to help businesses create and share information. These are typically used in a business where employees create new knowledge and expertise, which can then be shared by other people in the organization to create further commercial opportunities.


    INFORMATION SECURITY:

    Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is the process of protecting the information. It protects its availability, privacy and integrity. More companies store business and individual information on computers than ever before. Much of the information stored is highly confidential and not for public viewing.

    Many businesses are based solely on information stored in computers. Personal staff details, client lists, salaries, bank account details, marketing and sales information may all be stored on a database. Without this information, it would often be very hard for a business to operate. Information security systems need to be implemented to protect this information.

    Effective information security systems incorporate a range of policies, security products, technologies and procedures. Software applications which provide firewall information security and virus scanners are not enough on their own to protect information.

    The basic principles of information security are:

    1. Confidentiality,

    2. Integrity and

    3. Availability


    1. CONFIDENTIALITY:

    Confidentiality is the term used for preventing the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.

    Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.

    2. INTEGRITY:
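    Of the three measures named above (encrypt in transit, limit where the card number appears, restrict access to where it is stored), the second is the one most often neglected, because a card number leaks into log files and receipts through ordinary formatting code. The following is an added example, not code from the original notes: a masking function that keeps only the last four digits (the form printed on receipts), a redaction routine that uses the Luhn check so that other long numbers such as order ids are left alone, and a logging.Filter that scrubs card numbers before a record is written. The card number "4111 1111 1111 1111" is a well-known test value and the order id is constructed for the example.

```python
import logging
import re

# Shape of a payment card number (PAN): 13-19 digits, optionally separated by
# spaces or dashes. The Luhn check below rejects look-alikes such as order ids.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(number: str) -> bool:
    """Luhn check, so ordinary long numbers (order ids, timestamps) are not redacted."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as on a printed receipt."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid card number in free text with its masked form."""
    def _sub(m):
        return mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0)
    return PAN_RE.sub(_sub, text)


class PanRedactingFilter(logging.Filter):
    """Scrubs card numbers from a log record before any handler writes it,
    so the PAN never reaches the log file (one of the 'places it might appear')."""

    def filter(self, record):
        # Render the message with its args first, then replace the formatted text.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory (constructed for the example)."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def demo() -> list:
    logger = logging.getLogger("payments-demo")   # constructed logger name
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = ListHandler()
    handler.addFilter(PanRedactingFilter())       # filter runs before emit()
    logger.addHandler(handler)
    # Typical careless log line: the full card number is passed as an argument.
    logger.info("payment ok card=%s order=%s", "4111 1111 1111 1111", "1234567890123")
    return handler.lines


if __name__ == "__main__":
    print(demo())
```

    Masking is applied at the logging layer rather than at each call site because call sites are where the mistake is made; the same redact() routine can be run over receipt templates and backup exports, the other places the text lists.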


    both physical and electronic forms as well as data at rest in various types of physical and electronic storage facilities.

    Information assurance is the process of adding business benefit through the use of Information Risk Management, which increases the utility of information to authorized users and reduces the utility of information to those unauthorized. It is strongly related to the field of information security, and also to business continuity. IA relates more to the business level and strategic risk management of information and related systems, rather than the creation and application of security controls. Therefore, in addition to defending against malicious hackers and code (e.g., viruses), IA practitioners consider corporate governance issues such as privacy, regulatory and standards compliance, auditing, business, and disaster recovery as they relate to information systems. Further, while information security draws primarily from computer science, IA is an interdisciplinary field requiring expertise in business, accounting, user experience, fraud examination, forensic science, management science, systems engineering, security engineering, and criminology, in addition to computer science. Therefore, IA is best thought of as a superset of information security (i.e. an umbrella term), and as the business outcome of Information Risk Management.

    http://en.wikipedia.org/wiki/Hacker_(computer_security)