Organizations gain tremendous advantage by using various types of IS
applications like ERP, SCM, CRM etc. For this they need to extend their
networks to share information with each other. While doing so
they tend to expose their networks to hackers & face security risks.
Applications using the internet face the maximum security risk as it is an
open network. Customers are very reluctant to part with their credit
card information or bank account numbers on the internet as they fear
that it would be misused. This is a major deterrent to e-commerce
activity & e-banking. Hence there is a need to understand & implement
Information Security Management.

The different types of security attacks include password based attack,
exploitation of trusted access, IP spoofing, session hijacking & packet
sniffing.

There are six aspects of Information security which need to be dealt
with:

a) Confidentiality
b) Authentication
c) Integrity
d) Non-repudiation
e) Denial of service
f) Unauthorized access

Public key cryptography (PKI) along with the digital signature act
sufficiently deal with the first 4 aspects.

Usually Authentication & Unauthorized access aspects of Information
security are more emphasized.

This attack caused the breakdown
of major sites like Yahoo, Amazon & eBay in the recent past. The
attacker overwhelms the target website with requests, so that
its performance slows down or the website even crashes.
The goal of a DoS attack is not to gain unauthorized access
to machines or data but to prevent legitimate users of a service
from using it. Attackers either flood the target site with repeated
requests for huge volumes of data, causing the available
bandwidth to choke, or deliberately consume scarce resources like
pending network connections. This attack can be prevented by
use of Firewalls.
  Trojan Horses, Viruses & worms
Trojan Horses & Viruses are usually hidden in legitimate programs
& files that attackers have altered to do the damage whenever
the unsuspecting user executes that program or opens that file.
Worms are self-replicating programs that spread without human
intervention after they have started. Viruses are also self-
replicating programs but require some action on the part of the
user to spread to other programs, files or directories. Antivirus
software with regular updates can help prevent such attacks.

Keeping the data-sensitive
computers in restricted areas with appropriate access controls
like biometrics etc. Further, a good password must be used so as
to prevent unauthorized users from accessing the sensitive data. Failed
login attempts should be logged and followed up appropriately.
User accounts are locked out after a predefined number of attempts.
Passwords must be changed periodically.

Short software scripts can easily be written
which can capture the sign-in sessions. A hacker can use a diskette
to install a keystroke logging program on to a PC / workstation.
Once this Trojan horse is installed, it works in the background &
captures every sign-in session based on trigger keywords. The
hacker can read the captured keystrokes from a remote location
& can gain access to the system. To prevent such an occurrence, the
security administrator should see that the host file system &
individual users' workstations are periodically scanned for Trojan
horses that could include keystroke logging programs. Further,
privileged user accounts must have one-time passwords.

The internet offers a wide range of network
monitoring tools, including network analyzers & packet sniffers.
These tools work by capturing packets of data as they are
transmitted along a communication segment. Once a hacker gains
physical access to a PC or connects his laptop to a spare switch
port connected to a LAN & loads this software, he can monitor the
data as it is transferred between locations. E.g. tcpdump is a
software tool which can be used by a hacker to do this job & capture
the packets containing the sign-in sessions. To prevent this from
happening, data transmitted during sign-in sessions
should be encrypted using software tools such as Kerberos. Further,
privileged user accounts must have one-time passwords.

In a typical network a host allows access from other trusted hosts
without requiring authentication. Hosts are identified as trusted
by configuring files such as /etc/hosts.equiv. IP spoofing
allows a hacker to change his IP address to that of a trusted
network / host to gain access to a local network. To prevent such
access through IP spoofing, use Firewalls & Routers and configure
them to reject IP spoofing attacks & also have appropriate
permissions set on the /etc/hosts.equiv file.
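
A defensive check for the trusted-hosts file mentioned above, as an added example that is not part of the original page. It flags loose ownership and permissions and any "+" wildcard entry; the helper names, the `expected_uid` parameter and the sample host names are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_hosts_equiv(path="/etc/hosts.equiv", expected_uid=0):
    """Return a list of findings for a trusted-hosts file (empty = clean)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return []                       # no file: no host-based trust configured
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"mode {stat.S_IMODE(st.st_mode):o} is group/world writable")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            fields = raw.split()
            if not fields or fields[0].startswith("#"):
                continue                # blank line or comment
            if fields[0] == "+":
                findings.append(f"line {lineno}: '+' trusts every host")
            elif len(fields) > 1 and fields[1] == "+":
                findings.append(f"line {lineno}: '+' trusts every user on {fields[0]}")
    return findings


def make_sample(text, mode):
    """Write a constructed sample file and return its path (demo helper)."""
    fd, path = tempfile.mkstemp(prefix="hosts.equiv.")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed sample content, not taken from any real system.
    weak = make_sample("# trusted hosts\nbuild01.example.internal\n+\n"
                       "backup01.example.internal +\n", 0o666)
    for finding in audit_hosts_equiv(weak, expected_uid=os.getuid()):
        print(finding)
    os.unlink(weak)
```

Run against the real file with the default arguments; an empty result means the file is absent or is owned by root, not group/world writable and free of wildcard entries.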

During lunch breaks or short breaks
terminals are normally left unattended and pose a security
threat. To avoid hacking during these periods, user sessions
should be automatically timed out after a pre-defined period of
inactivity, for example by using a sleep function. Further, use password
protected screen savers, which get invoked by the operating
system when configured in any workstation.

As discussed above, Information security technology provides solutions
for each of the above threats but organizations need to also have an
Information security policy & program in place to safeguard themselves
against these attacks.

Any company planning to do e-commerce should have a security policy
in place. They should decide who should access what: the type of
information they can access, how they can be monitored and also the
time period of access. A company should decide how financial
transactions over the internet will take place, what data business
partners can access, and remote access for employees working from home
or for the field staff. Security hazards can be reduced by having a goal
to educate all employees about information security aspects. All vital
servers and databases should be physically secured with strict access
control procedures. After reviewing & updating the security policy, the
same is to be enforced properly, which is a very difficult task.

A security policy should be based on the common principles of:

a) Authentication
b) Authorization
c) Confidentiality
d) Integrity
e) Non-repudiation

Once the Information security policy & program based on the above
common principles are formulated, it needs to be effectively
implemented & managed.

Virus attacks have an impact on the operational level & not on the
finance & reputation of organization facing the attack.

Types of breach - Different types & level:

a) Viruses - 78% of organizations experience this kind of breach.
b) Employee access abuse - 52%
c) Unauthorized access by outsiders - 23%
d) Theft / destruction of computing resources - 23%
e) Leak of proprietary information - 18%


BS 7799.

India IT act 2001 passed in parliament provides a legal framework for
conducting business transactions over the internet or electronic media.

A Firewall is a system that enforces a security policy framed
by an organization. It is generally placed between an organization's
intranet (trusted network) & the Internet (un-trusted network).
A Firewall is a combination of hardware & software. It deploys the
company policy to protect corporate networks from outsiders'
unauthorized access over the internet. It works by ensuring that all
inbound & outbound traffic necessarily passes through the
firewall so that a particular security policy of the company can be
enforced.

involves encryption & decryption together with a set of
keys that parameterize the transformation. Encryption & decryption of
data are carried out by using sophisticated computer algorithms that
rearrange the original data bits while transmitting using a key or set of
keys & put it back in its original form at the time of receiving the data
by using the keys.

Encrypted data is known as Cipher.

There are 2 types of cryptosystems.

1) This requires only one key for encrypting & the same
key is required while decrypting.
Popular algorithm used is known as DES (Digital encryption
standards developed by IBM).
Advantages: Simple & comparatively more efficient.
Limitations:
a) Useful only where the parties are known to each other.
b) Difficulties in sharing the keys, especially in large networks.
c) Does not adhere to digital signature as per IT act 2000.

2) Here 2 sets of keys
(complementary pair) called private key & public key are involved.
One key (generally the private key) is used for encoding the data
while the complementary key (generally the public key) is used for
decoding the data. Each key does a one-way transformation of data,
i.e. what one key does to rearrange the original data, only the
other complementary key of the pair can undo to arrange the data in
its original form. They are actually a pair of mathematically related
keys. The owners make their public keys available to others, while
the corresponding private keys are kept secret. While sending a
message the sender encrypts / scrambles the data using first the
public key of the person he is sending data to and next he further
encrypts the message using his own private key. The receiver of
the scrambled message can see who has sent him the message
and decode / unscramble the message by first using the public key
of the sender which is available in his directory and next with his
own private key which is kept safely in his smartcard.

a) Ensures total integrity & confidentiality of the message sent.
b) No need to exchange the secret or private keys between the
parties. Hence no risk is involved unlike symmetric
cryptosystems.

The Public key infrastructure enables
users of an un-trusted public network like the internet to carry out
transactions like payments through credit card/debit cards in
e-commerce or typing account numbers in e-banking etc. securely
using the asymmetric cryptosystem described above. In this
system the public & private keys are obtained & shared through a
trusted third party called Certificate Authority (CA). Further, the
PKI provides for a digital certificate that can identify an individual
or an organization and directory services that can store and
whenever necessary revoke the digital certificates and publish the
same on its secured server. The PKI consists of the following main
components:

a) The public key (asymmetric) cryptosystems software
described above. The private key is allotted to users and
kept secret within the system, whereas the public keys
associated with the private keys are published and known to
the public.
b) A Certifying Authority (CA) structure & digital certification
procedures. The CA creates and issues digital certificates to
each user, which is also considered as a legal verification.
Verisign is one of the leading global CA. Satyam infoway has
partnered with CA to provide PKI based digital certification
to corporate & individuals in India.
c) A Registration authority (RA) which acts as the verifier for
the CA before a digital certificate is issued to the requestor.
d) Certificate directories where the certificates (with their
public keys) are stored and which provide a single access
point for administration & distribution.
   
 
 
Digital signature is based on public key cryptosystems
technology. An algorithm called SHA (secure hash algorithm) is
applied on the message to be sent to get the digital signature
or fingerprint / hash result, which has a standard length of 160
bits and is adopted as a government standard. The digital
signature is then encrypted with the sender's private key,
attached to the message and transmitted along with the
encrypted message. The digital signature can be verified by the
receiver by computing a new hash result of the original
message (after decoding with the sender's public key and the receiver's
private key) using the same SHA used to create the digital
signature. Then, using the sender's public key, the received
signature is decoded and compared with the above computed
hash result. If they both are the same then the receiver can be sure
that the sender has used his private key to digitally sign the
message and also that the message received was unaltered.
Digital signatures provide non-repudiation, i.e. the signer cannot
deny having sent the message.
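
The hash-then-sign and verify steps described above, as an added example that is not part of the original page. It uses SHA-1 to match the 160-bit hash the text mentions and textbook RSA without padding on a constructed demo key; the key values, function names and sample messages are assumptions, and production systems use a vetted library with a padded signature scheme and a current hash function.

```python
import hashlib

# Constructed demo key (assumption, not from the page): two known Mersenne
# primes, so the modulus (about 234 bits) is larger than a 160-bit digest.
# Textbook RSA with no padding: for illustration only, never for real use.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)


def digest_int(message: bytes) -> int:
    """160-bit SHA-1 fingerprint of the message, as an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sender: hash the message, then transform the hash with the private key."""
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: decode the signature with the sender's public key and
    compare it with a freshly computed hash of the received message."""
    if not 0 <= signature < n:
        return False                    # out-of-range value cannot be valid
    return pow(signature, e, n) == digest_int(message)


if __name__ == "__main__":
    msg = b"Pay 500 to account 12345"   # constructed sample message
    sig = sign(msg)
    print("genuine message  :", verify(msg, sig))
    print("altered message  :", verify(b"Pay 900 to account 12345", sig))
    print("altered signature:", verify(msg, sig ^ 1))
```

A changed message or a changed signature makes the two hash values differ, which is how the receiver detects alteration.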



SET protocols use a
system of locks & keys along with certified account IDs for both
consumers & merchants. Then, through a unique process of encrypting
or scrambling the information exchanged between the shopper & the
on-line store, SET ensures a payment process that is convenient, private
& most of all secure.



S-HTTP & SSL are 2 examples of SET protocols designed
to enable secure communications across the internet. The S-HTTP
enables the encryption of individual web messages between clients and
servers across the internet. The SSL protocol was developed by
Netscape Communications in 1994 to provide secure communications
over the internet. The SSL protocol is able to negotiate encryption keys
as well as authenticate the server and the client before exchanging the
data. Thus it maintains the security & integrity of the transmission
channel by using encryption, authentication and message
authentication codes.
