ICACT - 2016 (Volume 4 - Issue 22)

Overview of Information Security and It’s Assurance

DOI : 10.17577/IJERTCONV4IS22033

Download Full-Text PDF Cite this Publication
Keerthana. S. R, Pooja. R, Rajath. K. S, R. Amutha, 2016, Overview of Information Security and It’s Assurance, INTERNATIONAL JOURNAL OF ENGINEERING RESEARCH & TECHNOLOGY (IJERT) ICACT – 2016 (Volume 4 – Issue 22),

Text Only Version

Overview of Information Security and It’s Assurance

Keerthana. S. R1, Pooja. R1, Rajath. K. S1

    1. (Information Science and Computer Science Engineering),

      AMC Engineering College, Bangalore.

      1. Amutha2

        Assistant Professor (Information Science and Engineering) AMC Engineering College, Bangalore.

        Abstract information has a vital force in society. it has a role in shaping events. information is not only affected by its environment but is itself a trouper affecting the elements in the environment. therefore, leading to preservation of confidentiality, integrity and availability of information, that is information security. this article focuses on how information assurance and security can be achieved, overcoming the possible attacks and risks with the help of suitable algorithms and assurance model.

        Keywords security, privacy ,attacks, assurance, assurance model.

        • Integrity: This term covers two related ideas:

          Data integrity: Assures that information and projects are changed just in a predetermined and approved way.

          System integrity: Assures that a system performs its expected capacity in a whole way, free from planned or incidental unauthorized control of the system.

        • Availability: Assures that systems work speedily and administration is not denied to authorize users.

        1. INTRODUCTION

Information security, is the act of safe-guarding information from unapproved access, use, divulgence, interruption, change, examination, review, recording or decimation.

Any gadget with a processor and some memory, extending from non-networked standalone gadgets like adding machines, to networked versatile registering gadgets, for example, cell phones and tablets. IT security experts are quite often found in any real undertakings, they are in charge of keeping the greater part of the innovation inside the organization secure from malignant digital assaults that frequently endeavor to rupture into basic private information or addition control of the inward systems.

A.Passive Attacks

Fig.1. CIA triad

  1. TYPES OF ATTACKS

    The insurance given to an information system so as to achieve the appropriate goals of protecting the integrity, vulnerability, confidentiality and accessibility of information system assets.

    We can group security assaults as far as passive attacks and active attacks. A passive attack endeavors to learn or make utilization of information from the system yet does not influence system assets. An active assault is like passive attack however changes system assets and influence their operations.

    II. REQUIREMENTS OF INFORMATION SECURITY

    We can expound the necessities of information security by utilizing the CIA triad that is Confidentiality, integrity and availability (fig. 1). [6]

    • Confidentiality: This term covers two related ideas: Information classification: Assures that private or secret information is most certainly not made accessible or unveiled to unauthorized individuals.

      Security: Assures that individuals control or impact the information identified with them might be gathered and put away and the parties to which that information might be unveiled.

      Passive attacks are in the way of listening stealthily on, or checking of, transmissions. The objective of the rival is to get information that is being transmitted. Two sorts of passive attacks are the arrival of message contents and traffic analysis.[3]

      The arrival of message content is effectively caught on. A telephone discussion, an electronic mail message, and an exchanged record may contain delicate or classified information. We might want to keep an adversary from taking in the substance of these transmissions.

      A second kind of passive attack, traffic analysis, is subtler. Assume that we had a method for masking the substance of messages or other information traffic so that rivals, regardless of the possibility that they caught the message, couldn't remove the information from the message. [2]

      The regular system for masking substance is encryption. In the event that we did have encryption protection set up, an adversary still may have the capacity to watch and observe the pattern of these messages. The adversary can find the area location and identity of conveying hosts furthermore, could watch the recurrence and length of messages being traded.

      This information may be valuable in speculating the way of the communication that was occurring. Passive attacks are extremely hard to recognize, in light of the fact that they don't include any change of the information.

      Commonly, the message traffic is sent and received in a clearly typical manner, and neither the sender nor the recipient knows that an outsider has perused the messages or watched the traffic design. Be that as it may, it is doable to keep the achievement of these attacks, as a rule by method for encryption. In this manner, the accentuation in managing passive attacks is on aversion as opposed to identification.

        1. ctive Attacks

          Active attacks include some alteration of the information stream or the creation of a false stream and can be subdivided into four classes: masquerade, replay, modification of messages, and denial of service.

          A masquerade happens when one item pretends to be a different item. A masquerade attack more often than includes one of the other types of active attack. For instance, verification arrangements can be captured and replayed after a authentication has occurred.

          Modification of messages essentially implies that some part of a proper message is modified, or that messages are postponed or reordered, to create an unauthorized effect the denial of service averts or hinders the typical utilization or management of communication features. This attack may have a particular focus; for instance, a substance may stifle all messages coordinated to a specific destination (e.g., the security audit service). Another structure of denial is the interruption of a whole networkeither by disabling the network or by over-burdening it with messages in order to bring down execution performance.

          Active attacks exhibit the inverse qualities of passive attacks. While passive attacks are hard to recognize, measures are available to make sure they fail but it is entirely hard to prevent a form active attacks completely due to the wide variation of potential physical, programming, and network vulnerabilities. Rather, the objective is to identify active attacks and to recuperate from any disruption or postponements brought on by them. On the off chance that the discovery has a hindering effect, it also may add to prevention.

  2. INFORMATION ASSURANCE (IA)

    It is the act of assuring information and overseeing dangers identified with the utilization, handling, storing, and transmission of information or data and the systems and procedures utilized for those reasons.[13] Information assurance incorporates insurance of the respectability, accessibility, credibility, non-disavowal and secrecy of user information. It utilizes physical, specialized and regulatory controls to achieve these tasks. While concentrated predominantly on information in computerized form, the full scope of IA includes advanced as well as physical forms.

      1. ROCESS OF ASSURANCE

        The information assurance procedure usually starts with the specification and grouping of the information resources or assets to be secured. [7]Next, the IA professional will perform a danger asessment for those benefits. Vulnerabilities in the information resources are resolved so as to list the dangers fit for misusing these assets. The assessment then considers both the likelihood and effect of a threat misusing a weakness in an asset, with effect normally measured in terms of expense to the assets stakeholders. The aggregate of the results of the dangers' effect and the likelihood of their happening is the aggregate danger to the information resource.

        With the danger evaluation finished, the IA specialist then builds up a risk control plan. This arrangement proposes countermeasures that include mitigating, disposing of, tolerating, or transmitting the risks, and considers avoidance, identification, and reaction to dangers. A structure distributed by a benchmarks association, for example like, Risk IT, CobiT, PCI DSS or ISO/IEC 27002, may guide advancement. Countermeasures may incorporate specialized instruments, for example like, firewalls and anti-virus programming, strategies and methods requiring such controls as customary reinforcements and configuration hardening, representative preparing in security mindfulness, or sorting out work force into devoted computer crisis reaction group (CERT) or computer security occurrence reaction group (CSIRT). In this manner, the IA expert does not try to kill all dangers, were that conceivable, yet to oversee them in the most practical way.

        After the danger risk management plan is executed, it is tried and assessed, regularly by method for formal reviews. The IA procedure is an iterative one, in that the danger evaluation and danger administration arrangement are intended to be occasionally updated and enhanced taking into account information assembled about their completeness and adequacy.

  3. ASSURANCE MODEL

        1. Reference Model of Information Assurance and Security (RMIAS)[1]

    The RMIAS gives an optional way to deal with assurance and security. [17]Essentially it is a pictorial representation of how information is being secured and gives us a representation in the form of a diagram about information assurance.

    Its laid an developed by having a thought regarding segments like security and assurance and it's likewise assembled taking into account already existing segments and different models[5] identified with security and assurance.

        • Role of Reference Model in IAS model

          At some points the knowledge we put into secure the information might not be right which causes absurdities to the framework. [We can beat this issue by utilizing a reference model (RM)[4]. The RM includes all the imperative substances and their relationships which would

          not prompt wrong choices in future and gives us a clear representation of the model or objective to be accomplished.

        • RMIAS overview

          • Information System Security life cycle: It indicates us about the improvement of information security.

          • Information Taxonomy Dimension: It portrays the way of the information being put under procedure

          • Security Goals Dimensions: It condenses pertinent list of security objectives

          • Security Counter Measured measurement: It classifies, measures and counter measures accessible for information assurance.

    Fig .2. Reference model of information assurance and secruirty

    The RMIAS adjusts to one of its measurements called IAS octave-An arrangement of 8 security objectives and they are confidentiality, integrity, availability, accountability, non- reproduction, authenticity, trustworthiness and privacy. This IAS octave is exceptionally successful and replaces the CIA triad and gives complete reference on the arrangement of security objectives (fig 2).

  4. ALGORITMIC SOLUTIONS

  1. Triple DES

    Triple DES was intended to supplant the first Data Encryption Standard (DES) algorithm, which programmers in the end figured out how to crush without any difficulty.[10] At one time, Triple DES was the prescribed standard and the most broadly utilized symmetric algorithm as a part of the business.

    Triple DES utilizes three individual keys with 56 bits each. The aggregate key length indicates 168 bits, yet specialists would contend that 112-bits in key quality is more similar to it. Despite gradually being eliminated, Triple DES still figures out how to manage a trustworthy encryption answer for money related administrations and different other ventures.

  2. RSA

    RSA is an open key encryption algorithm and the standard for encoding information sent over the web. It likewise happens to be one of the techniques utilized as a part of our PGP and GPG programs. [11]

    Unlike Triple DES, RSA is viewed as a deviated algorithm because of its utilization of a couple of keys. You have your open key, which is the thing that we use to encode our message, and a private key to decode it. The aftereffect of RSA encryption is an immense group of ballyhoo that takes attackers a considerable amount of time and handling energy to break.

  3. Blowfish

    Blowfish is yet another algorithm intended to supplant DES. This symmetric figure parts messages into groups of 64 bits and encodes them exclusively. [10]

    Blowfish is known for both its enormous pace and general viability the same number of case that it has never been vanquished. In the interim, merchants have exploited its free accessibility in people in people domain.

    Blowfish can be found in programming classifications extending from e-trade stages for securing instalments to password handling tools, where it used to secure passwords. It's unquestionably one of the more adaptable encryption techniques accessible.

  4. Twofish

    Computer security master Bruce Schneier is the genius behind Blowfish and its successor Twofish. Keys utilized as a part of this algorithm might be up to 256 bits long and as a symmetric method, one and only key is required.

    Twofish is viewed as one of the quickest of its kind, and perfect for use in both equipment and programming situations. Like Blowfish, Twofish is openly accessible to any individual who needs to utilize it. Accordingly, you'll see it packaged in encryption projects, for example, PhotoEncrypt, GPG, and the well known open source programming TrueCrypt.

  5. AES

    The Advanced Encryption Standard (AES) is the algorithm trusted as the standard by the U.S. Government and various associations.[9]

    Despite the fact that it is greatly productive in 128-piece structure, AES additionally utilizes keys of 192 and 256 bits for substantial obligation encryption purposes. AES is to a great extent considered impenetrable to all attacks, except for savage power, which endeavors to unravel messages utilizing every single conceivable blend as a part of the 128, 192, or 256-piece figure. Still, security specialists trust that AES will in the end be hailed the true standard for encrypting information in the private division.

    1. INFORMATION SECURITY FRAMEWORK An information security framework is a series of

      documented processes that are used to define policies and procedures around the implementations and ongoing management of information security (Info Sec) controls in an enterprise environment. These are blue prints for building an

      info sec program to manage risk and reduce vulnerabilities. Info sec pros can utilize these frameworks to define and prioritize the task required to build security into an organization.

      Frameworks are often customized to solve specific information security problems just like building blue prints. Blue prints are customized to meet their required specifications and use. Some frameworks were developed for specific industries as well as different regulatory compliances goals. They also come in varying degrees of complexity and scale. However you will find that there is a large amount of overlap in general security concepts.

      ACOBIT

      Control objectives for information and related technology is a framework created in the mid 90's however ISACA and autonomous associations of IT and IT administration experts the ISACA[16] as of now offers the world well known certified information framework inspector CISA and certified information security director CISM certifications this framework began principally centered around decreasing technical dangers in associations yet has advanced as of late with COBIT 5 and to likewise incorporate arrangement of IT with business-vital objectives it is the most normally utilized framework to achieve consistence with SARBANES_OXLEY rules.

      B.ISO 27000 series

      The ISO 27000 arrangement was created by the global standard association and it gives an exceptionally expansive information security framework that can be connected to numerous kinds and sizes of organisations.it can be considered as information security equal ISO 9000 quality standards for assembling and even incorporates a comparable certification process it is separated into various sub standers in light of sub substance for instance ISO 27000 comprises of outline and vocabulary while ISO 27001 prerequisites for the system ISO 27002 which was advanced from the British standard BS7799 ,characterize the operational steps fundamental in an information security program.

      There are numerous more practices and standards reported in the ISO 27000 arrangement, ISO 27799

      For instance characterizes information security in medicinal services which could be helpful for those organizations requiring HIPAA compliance. New ISO 27000 standards are in progress to offer particular guidance on distributed computing and storage security and digital proof gathering.

      ISO 27000 is wide and can be utilized for any industry however the certification fits cloud suppliers hoping to show a dynamic security program.

      C.NIST SP 800 SERIES

      The U.S National Institute of standards and innovation has been collecting data on information security standards and best practices documentation. The NIST special

      Production 800 arrangement was initially distributed in 1990 and has developed to give advice on pretty much every part of information security. In spite of the fact that not being a specific information security framework NIST SP 800/53 is a model that different frameworks have developed from U.S government offices use NIST SP800/53 to consent to the

      elected information handling standards otherwise called FIPS. 200 prerequisites despite the fact that it is particular to government offices the NIST framework could be connected in any other industry and ought not be neglected by organizations hoping to fabricate an information security program .

    2. SECURITY AWARENESS

      One of the greatest danger to an association's information security is normally not a shortcoming in the tech control environment.[12] Its frequently spilled by the activity or inaction of the employees and the work force that can prompt security incident. For instance, revelation of information , not reporting strange activities etc. so, its constantly better if an association has a security awareness program .keeping in mind the end goal to guarantee that employees know about significance of ensuring sensitive information and dangers of misusing information.[15]

      Best practices in organizations security awareness [8]

      1. Assemble the security awareness group

        This group is in charge of improvement, convey and support of security awareness program.

      2. Determine roles of security awareness

      This allocates suitable level to the employees taking into account their occupation capacity. The objective is to construct a reference list of different sorts and depths.

      • Identifying levels of responsibilities

        This is done by grouping people as per their role levels. The beneath outline demonstrates simplified concept of various levels of responsibility.

        Fig.3.Security Awareness roles of Organizations

      • Establishing minimum security awareness

One of the most fundamental attributes of an associations ought to be foundation of minimum security awareness. Its conveyed from various perspectives like formal training, PC based training and so on.

The accompanying graph demonstrates the depth of awareness that expansions levels of danger connected with various roles (fig 4).

Fig .4. Depth of security Awareness Training

The principle point of security awareness is to convey pertinent material to the suitable group of people in convenient and productive way with no trace of dangers.

  1. LITERATURE OF SURVEY

    Today's associations are exceedingly reliant on information administration and procedures. Information security is one of the top issues for researchers and others any normal user. In literature, there is an agreement that representatives are the weakest connection in IS security. An assortment of scientists talk about plans for workers' security related mindfulness and conduct. This paper exhibits a hypothesis based writing survey of the surviving methodologies utilized inside representatives' information security mindfulness and the research conducted over the previous decade. Altogether, 113 distributions were distinguished and analyzed. The information security research group covers 54 unique speculations. Concentrating on the four fundamental behavioral hypothesis, a best in class outline of representatives' security mindfulness and the research done over the previous decade is given.

  2. RESULT

    As the number of inhabitants in computers expanded the field of InfoSec increased more popularity. Back then, anyone with the knowledge of computer could have a go at getting to sensitive data, which is the point at which the requirement for InfoSec came into existence .People attempted to hack others computers for multiple purpose

    ,which lead to the advancement of things like OTP, multiple layers of security precautionary measures were added. Third party associations getting to personal data gave more significance to awareness of dangers of hacking. This prompted the advent of Encryption or data scrambling. Some of the new models address the numerous issues of InfoSec. Since the issue is not totally resolved, and threats persists we must work collectively and put our best efforts to avoid being doomed by the past.

  3. CONCLUSION

After observing the different dangers and vulnerabilities connected with information security and taking in the techniques for information security and awareness program, we can infer that in spite of the fact that information security remains a worry, innovation has made tremendous jumps in levels of protecting the information and the future of information security is on the right path.

REFERENCES

  1. J. McCumber, "Information Systems Security: A Comprehensive Model," in: Proceeding of the 14th National Computer Security Conference, NIST, Baltimore, MD, 1991.

  2. P. Neumann, Computer-Related Risks, ACM Press, 1995

  3. A. Ekelhart, S. Fenz, M. Klemen, and E. Weippl, "Security Ontology: Simulating Threats to Corporate Assets," in: Bagchi and

    V. Atluri, (eds.) Information Systems Security, v. 4332. Springer, pp. 249-259, 2006.

  4. P. Fettke, and P. Loos, Perspectives on Reference Modeling, in: P. Fettke, and P. Loos (eds.) Reference Modelingfor Business Systems Analysis, Idea Group, pp. 1-20, 2007.

  5. Danijel Milicevic, Matthias Goeken,"Application of models in information security management" Research Challenges in Information Science (RCIS), 2011 Fifth International Conference,october,2011

  6. Garima Ojha, Punit Arora, "SECURITY @ Information Technology", International Journal of Engineering Research & Technology,Vol.1 ,Issue 7,September 2012

  7. Y. Cherdantseva, and J. Hilto, Information Security and Information Assurance. The Discussion about the Meaning, Scope and Goals, in: F. Almeida, and I. Portela (eds.),Organizational, Legal, and Technological Dimensions of IS Administrator. IGI Global Publishing, September, 2013

  8. Banerjee C., Arpita Banerjee, Murarka P.D., An Improvised Software Security Awareness Model, International Journal of Information, Communication and Computing Technology, Jagan Institute of Management Studies, New Delhi, Vol I, Issue II,July-

    Dec2013

  9. Rishabh Jain, Rahul Jejurkar, AES Algorithm Using 512 Bit Key Implementation for Secure Communication International Journal of Innovative Research in Computer and Communication Engineering Vol. 2, Issue 3, March 2014

  10. Gurpreet Singh,Supriya, "A Study of Encryption Algorithms (RSA, DES, 3DES and AES) for Information Security",International Journal of Computer Applications (0975 8887)

    ,Volume 67 No.19, April 2010

  11. Dr. Prerna Mahajan & Abhishek Sachdeva , "A Study of Encryption Algorithms AES, DES and RSA for Security " Global Journal of Computer Science and Technology Network, Web & Security

    ,Volume 13 ,Issue 15 ,Version 1.0, Year 2013

  12. S. Bharathi, Dr. J. Suguna, "A Conceptual Model To Understand Information Security Awareness", International Journal of Engineering Research & Technology, Vol. 3Issue 8, August 2014

  13. https://en.wikipedia.org/wiki/Information_assurance

  14. http://searchsecurity.techtarget.com/tip/IT-security-frameworks-and- standards-Choosing-the-right-on

  15. .http://searchsecurity.techtarget.com/definition/security-awareness- training

  16. .ISACA. (20 1 2) ISACA [Online]. HYPERLINK ''http://www . i saca.org/K no w I edge-Center/co bit/Pages/Overv iew. Asp

Leave a Reply