WAYS OF IMPROVING COMPUTER SECURITY IN COMPUTER-BASED INFORMATION SYSTEMS
Introduction
Computer-Based Information Security System (CBIS) is a data processing system for high-quality information. It can be used as tools that support decision making, coordination, and control, as well as visualization and analysis. A CBIS uses computers to collect, process, store, analyze, and distribute for a specific purpose such as decision making and making a business objective. A CBIS is a type of information system in which the computer plays a significant role.
Types of CBIS
Management support system
Management support system comprises three generic types, including management information system, decision support system, executive support system. The management support system provides input to be used in the managerial decision process. It deals with supporting well-structured decision situations.
Expert support system
An expert support system is the highest form of management computing office automation, which allows the communication and manipulation of the documents. Expert support systems represent one of the most advanced facts of information technology. They help people in the most complex and least-understood human information handling tasks such as decision making, problem-solving, diagnosis, and learning. Most of these materials are supplied to the program at the time it is written.
Transaction processing system
The transaction support system captures, classifies, stores, maintains, updates, and retrieves transaction data for record-keeping, and input to other types of CBIS. A transaction is any event or activity that affects the whole organization. Placing an order, billing customers, hiring employees, and depositing cheques are some of the everyday transactions.
Accounting information system
The accounting information system that collects, stores, and processes financial and accounting data used by decision-makers. It is a computer-based method for tracking accounting activity in conjunction with information technology resources.
Information Security Systems.
This refers to the processes and methodologies involved with keeping information confidential, available, and assuring its integrity. It also refers to;
- Access controls, which prevent unauthorized personnel from entering or accessing a system.
- Protecting information, no matter where the data is.
- The detection and remediation of security breaches as well as documenting those events.
Information security does not just deal with computer information, but also protecting data and information in all of its forms. All information security measures try to address at least one of three goals.
- Confidentiality
Protecting data involves restricting access only to those who are allowed to see it; everyone else cannot learn anything about its contents. For example, the law requires that universities restrict access to private student information.
- Integrity is the assurance that the information under access is not altered and represents what it is intended. Just as a person with integrity means what he or she says and can be trusted to represent the truth consistently, information security means information truly represents its intended meaning. There can be malicious or unintentional loss of integrity.
- Availability implies that information can be accessed and modified by anyone authorized to do so in an appropriate time frame.
Tools for Information Security.
To ensure the confidentiality, integrity, and availability of information, organizations can choose from a variety of tools. Each of these tools can be part of the overall information security policy. These include; access control, authentication, encryption, backups, firewalls, and many more.
Threats to Information Security.
In information security threats can be many like software attacks, theft of intellectual property, identity theft, theft of equipment or information, sabotage, and information extortion. A threat can be anything that can take advantage of a vulnerability to breach security and negatively alter, erase, harm objects of interest. Software attacks mean an attack by viruses, worms, Trojan horses. Many users believe that malware, virus, worms, bots are all the same things.
Information Security Policies
Information security policy is a set of policies issued by an organization to ensure that all information technology users within the domain of the organization or its networks comply with rules and guidelines related to the security of the information stored digitally at any point in the system or within the organization’s boundaries of authority.
The Importance of an Information Security Policy
Creating an effective security policy and taking steps to ensure compliance is a critical step to prevent and mitigate security breaches. To make your security useful, update it in response to changes in the company, new threats, conclusions drawn from previous violations, and other changes to your security posture.
Make your information security policy practical and enforceable. It should have an exception system in place to accommodate requirements and urgencies that arise from different parts of the organization.
Elements of an Information Security Policy
A security policy can be as broad as you want it to be from everything related to IT security and the security of related physical assets, but enforceable in its full scope. The following list offers some essential considerations when developing an information security policy.
- Purpose
First state the use of the system which may be to:
- Create an overall approach to information security.
- Detect and pre-empt information security breaches such as misuse of networks, data, applications, and computer systems.
- Maintain the reputation of the organization and uphold ethical and legal responsibilities.
- Respect customer rights, including how to react to inquiries and complaints about non-compliance.
- Audience
Define the audience to whom the information security policy applies. Also, specify which audiences are out of the scope of the system (for example, staff in another business unit that manages security separately may not be in the range of the policy).
- Information security objectives
Guide your management team to agree on well-defined goals for strategy and security.
- Authority and access control policy
A senior manager may have the authority to decide what data can be shared and with whom. The security policy may have different terms for a senior manager vs. a junior employee. The plan should outline the level of authority over data and IT systems for each organizational role.
- Network security policy—users are only able to access company networks and servers via unique logins that demand authentication, including passwords, biometrics, ID cards, or tokens. You should monitor all systems and record all login attempts.
- Data classification
The policy should classify data into top-secret, secret, confidential, and public. The objective of classifying data is:
- To ensure that individuals with lower clearance levels cannot access sensitive data.
- To protect essential data and avoid needless security measures for unimportant data.
- Data support and operations
- Data protection regulations-systems that store personal data, or other sensitive data, must be protected according to organizational standards, best practices, industry compliance standards, and relevant regulations. Most security standards require, at a minimum, encryption, a firewall, and anti-malware protection.
- Data backup-encrypt data backup according to industry best practices. Securely store backup media, or move back up to secure cloud storage.
- Movement of data-only transfer data via secure protocols. Encrypt any information copied to portable devices or transmitted across a public network.
- Security awareness and behavior
Share IT security policies with your staff. Conduct training sessions to inform employees of your security procedures and mechanisms, including data protection measures, access protection measures, and sensitive data classification.
- Social engineering- emphasizes the dangers of social engineering attacks (such as phishing emails). Make employees responsible for noticing, preventing, and reporting such attacks.
- Clean desk policy-secure laptops with a cable lock. Shred documents that are no longer needed. Keep printer areas clean, so records do not fall into the wrong hands.
- Acceptable Internet usage policy-define how the Internet should be restricted. Do you allow YouTube, social media websites, etc.? Block unwanted websites using a proxy.
- Responsibilities, rights, and duties of personnel
Appoint staff to carry out user access reviews, education, change management, incident management, implementation, and periodic updates of the security policy. Responsibilities should be clearly defined as part of the security policy.
Examples of security requirements for different applications
Security requirements vary for various applications.
Therefore, organizations using a computer-based information system must have an in-depth understanding of their applications and analyze the appropriate choices to establish the proper level of security. For example, an automated teller system is designed to keep personal identification details confidential both in the host system and during transactions. The system protects the integrity of the account records and transactions for every individual.
Contrary, a telephone switching system is not designed with high-security measures for integrity on individual transactions because the system will not incur permanent damage by occasionally losing a call or a billing record. However, there are increased security requirements for the control programs and the configuration records, which is critical. A breach in the control programs and configuration records would lead to a crash in the switching system, thereby compromising availability, which is the essence of the system. Besides, a telephone switching system must maintain the confidentiality of individual calls, thus preventing one caller from listening to the conversations of another caller.
The security needs of a system depend on the use. For instance, a typesetting system must assure confidentiality mainly if used for publishing corporate proprietary material. Furthermore, integrity is essential if the system is used for posting laws. A typesetting system used to publish daily papers must always be available for use.
Defense mechanisms for computer-based information systems
There are four defense mechanisms for computer-based information systems
- Technical Defense
Technical defense involves defenses that are used in computers and networks technically, which can be encryption, firewall, antimalware, and intrusion detection. Encryption provides confidentiality for information exchange. Encryption is transferring the plain text into ciphertext to hide the information from an unauthorized person. There are two types of encryption; Symmetric encryption and Asymmetric encryption. Symmetric encryption involves using one key between the communicating parties. It relies on the secrecy of the key. Asymmetric encryption consists of two different keys, one is a public key, and the other one is a private key. However, firewalls are necessary for securing computer information systems against internal and external attacks. Contrary, antimalware protects operation systems against malicious software and includes antivirus or antispyware. Besides, intrusion detection warns for a computer information system by monitoring and analyzing the system to detect any attempt to access the system.
- Operational Defense
It includes two approaches: First, formulating security policies for the computer information system. Security policy comprises documents that do not provide technical and implementation details. The second approach is personal training for the employees.
- Managerial Defense involves setting standards for hiring workers. For example, extensive background checks and security background check.
- Physical Defense
Physical defense protects the computer information system against natural disasters, technical faults, and destruction caused by humans. Physical protection is essential for reasons such as physical equipment are very expensive, and any damage to the machine may cause data loss.
Ways of preventing breaches of information security
- Protect Information: Sensitive information must be protected wherever it is stored sent or used. Do not reveal personal information inadvertently.
- Reduce the transfer of data: The organization should ban shifting data from one device to another external device. Losing removable media will put the data on the disk under risk.
- Restrict download: Any media that may serve as an allegiance to the hackers should be restricted to download. This could reduce the risk of transferring the downloadable media to an external source.
- Shred files: The organization should shred all the data and folder before disposal since some applications can retrieve information after formatting.
- Ban unencrypted device: The institution should have a ban on the device that are unencrypted. Laptops and other portable devices that are unencrypted are prone to attack.
- Secure transfer: The use of reliable courier services and tamper-proof packaging while transporting bulk data will help in preventing a breach.
- A right password: The password for any access must be unpredictable and hard to crack. Change of password from time to time
- Automate security: Automating systems that regularly check the password settings, server, and firewall configuration might bring about the reduction of risk in sensitive information.
- Identify threats: The security team should be able to identify suspicious network activity and should be prepared if there is an attack from the network.
- Monitor data leakage: Periodically checking security controls will allow the security team to have control of the system. Regular check on internet contents to locate if any private data is available for public viewing is also an excellent measure to monitor data.
- Track data: Tracking the motion of data within the organizational network will prevent any unintentional use of sensitive information.
- Define accessibility: Defining accessibility to those who are working on the company’s sensitive data will bring down the risk of malicious users.
- Security training: Providing privacy and security training to all employees, clients, and others related to data-related activities will bring about awareness of the data breach.
- Stop incursion: Shutting down the avenues to the company’s warehouse will prevent incursions by the hacker. Management, production, and security solutions must be combined to avoid targeted attacks.
- Breach response: Having a breach response plan will help in triggering a quick response to data breaches and help in the reduction of harm. The idea could contain steps involving notification of the concerned staff or the agency who could contain the breach.
Responding to breaches of information security
Preparation
Conduct a careful analysis during simulated incident tests to allows the organization to create a carefully constructed Incident Response timeline with all responsibilities allocated to the most appropriate stakeholder. An Incident Response plan should also include an analysis of the IR resources a company has at its disposal, such as port lists, protocol analyzers, and network diagrams. This analysis should conclude in the preparation of an IR Tool Kit, ready to use in the event of a breach.
Identification
An organization should make sure the relative defenses are in place to ensure that indicators of compromise are identified. Such identifiers include unusual outbound network traffic, new admin users created, anomalies in privileged user account activity (first logon to a system), geographical irregularities (non-standard login attempts), increased database read volume (database dump), large numbers of request for the same file, suspicious registry or system file changes, unexpected patching, and signs of DDOS activity.
Containment
Once an organization is confident that an incident can/will be identified, the focus then turns to containing that incident. An organization should allocate defined courses of action based on the potential impact of various events. Also, IT needs to examine if it has control of aspects such as the blocking of unauthorized access, blocking of dangerous IP and email addresses, or even the isolation of systems on the network. This exercise ensures the IT function has complete control and visibility of such actions.
Eradication
Eliminate the cause of the incident – this stage may overlap with the containment stage. The aim here is to eradicate the reason, the actual event, and the compromise itself. Once this is done, it’s imperative that the eradication is verified by monitoring traffic and reviewing critical logs.
Restoration
A detailed recovery plan should be prepared and reviewed to determine that all recovery processes are carried out to ensure the restoration of the system as soon as possible, such as: restoring the system from back-up logs, notifying the relevant stakeholders, and addressing similar identified vulnerabilities on the network. The restore phase must also consider validating that systems fully operational and protected. Additionally, the IR plan should consider including elements such as an external penetration test to assess that the restored fixes are sufficient. Consideration should also be given to the level of detail.
Risks and vulnerability of information security.
Vulnerabilities
Vulnerabilities simply refer to weaknesses in a system. They make threat outcomes possible and potentially even more dangerous. A system could be exploited through a single vulnerability; for example, a single SQL Injection attack could give an attacker full control over sensitive data. An attacker could also chain several exploits together, taking advantage of more than one vulnerability to gain more control.
Examples of common vulnerabilities are SQL injection, Cross-site Scripting, server misconfigurations, sensitive data transmitted in plain text, and more.
Risks
Risks are usually confused with threats. However, there is a subtle difference between the two. A cybersecurity risk refers to a combination of a threat probability and loss or impact. Essentially, this translates to the following:
risk = threat probability * potential loss
Therefore, a risk is a scenario that should be avoided combined with the likely losses to result from that scenario. The following is a hypothetical example of how risks can be constructed:
SQL Injection is a vulnerability. Therefore, sensitive data theft is one of the biggest threats that SQL Injection enables. Moreover, financially motivated attackers are one of the threat actors. The impact of sensitive data getting stolen will bear a significant financial cost (financial and reputation loss) to the business. Consequently, the probability of such an attack is high, given that SQL Injection is an easy-access, widely exploited vulnerability, and the site is externally facing. Therefore, the SQL Injection vulnerability in this scenario should be treated as a high-risk vulnerability.
Conclusions
A security system of a computer-based information system is multidimensional. Therefore, the emphasis is put on three major components, which include confidentiality, integrity, and availability, which depend on each other. Privacy is necessary for the protection of passwords. Passwords consequentially promote the integrity of the system through control of access and ensuring the accountability of every individual. The systems that control integrity must be protected from all sorts of interference. in case of tampering, there must be a possibility of correcting the threat- which ensures the availability of the system despite challenges.
A system is a collection of components that depends on other elements such as a local network provider system depends on other systems. The systems involve physical structures such as computers and software. Physical protection for the systems includes environmental controls such as security guards, locked doors, and fences. The systems also require protection from natural hazards such as fire and floods. Moreover, a system should reflect classical management control separation of duty for maximum security. Extra strength may be acquired for a system by isolating authentication functions and auditing.
References
Alshammari, M., & Bach, C. (2013). Defense mechanisms for computer-based information systems.
Andress, J. (2014). The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Syngress.
Bartolini, N., Nikoletseas, S., Sinha, P., Cardellini, V., & Mahanti, A. (Eds.). (2009). Quality of Service in Heterogeneous Networks: 6th International ICST Conference on Heterogeneous Networking for Quality, Reliability, Security, and Robustness, QShine 2009 and 3rd International Workshop on Advanced Architectures and Algorithms for Internet Delivery and Applications, AAA-IDEA 2009 (Vol. 22). Springer.
Flodén, J. (2013). Essentials of information systems.
Information Resources Management Association. (2018). Cybersecurity and threats: concepts, methodologies, tools, and applications. IGI Global.
Jha, D. G. (2013). Computer concepts and management information systems. PHI Learning Pvt. Ltd.
Kim, D., & Solomon, M. G. (2016). Fundamentals of information systems security. Jones & Bartlett Learning.
Lane, V. P. (1985). Security of computer-based information systems. Macmillan International Higher Education.
Li, C., Peters, G. F., Richardson, V. J., & Watson, M. W. (2012). The consequences of information technology control weaknesses on management information systems: The case of Sarbanes-Oxley internal control reports. Mis Quarterly, 179-203.
Raggad, B. G. (2010). Information security management: concepts and practice. CRC Press.
Stair, R., & Reynolds, G. (2015). Fundamentals of information systems. Cengage Learning.
Stair, R., & Reynolds, G. (2015). Principles of information systems. Cengage Learning.