
Information Security Threats - INFORMATION SECURITY: EVOLUTION TO PROMINENCE, MEASURING, NON-TECHNICAL TYPES OF


Rana Tassabehji
University of Bradford, UK

INFORMATION SECURITY: EVOLUTION TO PROMINENCE

Information security is an old concept: people, businesses, politicians, military leaders, and others have long tried to protect “sensitive” information from unauthorised or accidental loss, destruction, disclosure, modification, misuse, or access. Since antiquity, information security has been a decisive factor in a large number of military and other campaigns (Wolfram, 2002)—one of the most notable being the breaking of the German Enigma code in the Second World War.

With the invention of computers, information has moved from a physical, paper-based format to an electronic, bit-based format. In the early days, mainframe infrastructures were based on the single sequential execution of programmes, with no sharing of resources such as databases, and information could be secured relatively easily with a password and locked doors (Solms, 1998). The development and widespread implementation of multi-processor personal computers and networks to store and transmit information, and the advent of the Internet, have moved us into an information age in which the source of wealth creation is changing from atoms (physical goods) to bits (digital goods and services) (Negroponte, 1995). Information is now a valuable asset, and consequently information security is increasingly under threat as vulnerabilities in systems are exploited for economic and other gain. The CERT Co-ordination Center at Carnegie Mellon University has charted the increase in the sophistication of attacks as the knowledge required to launch them decreases, because technical attack tools are readily and indiscriminately available (Figure 1). Even novices can launch the most sophisticated attacks at the click of a mouse button (Anthes, 2003).

MEASURING INFORMATION SECURITY THREATS

It is impossible to get accurate figures for the number and cost of information security breaches, mainly because organisations are either not aware that the breach has occurred, or are reluctant to publicise it, for fear of ruining their reputation or destroying the trust of their stakeholders. However, in one instance the impact of malicious software in the form of worm/virus attacks on the Internet was estimated to have caused $32.8 billion in economic damages for August 2003 (Berghel 2003).

Information security threats come from a number of sources, which can be broadly divided into two main categories, the technical and the non-technical; these are examined in more detail in the next section.

NON-TECHNICAL TYPES OF INFORMATION SECURITY THREATS

In the past, much information security research and attention focussed largely on technical issues. However, in recent years, it has become widely acknowledged that human factors play a part in many security failures (Weirich & Sasse, 2002; Whitman, 2004). While technical threats are usually more high profile and given much media and financial attention, non-technical human and physical threats are sometimes more effective and damaging to information security. Non-technical threats include:

  • “Acts of God”: such as fire, flood, and explosion—both paper and bit-based information could be permanently destroyed and impossible to recover or recreate.
  • Physical infrastructure attacks: such as theft or damage of hardware, software, or other devices on or over which information is stored or transmitted. This could lead to permanent loss or unauthorised access to critical information.
  • Acts of human error or failure: where operators make genuine mistakes or fail to follow policy (Loch, Carr, et al., 1992).
  • Social engineering: uses human interaction to break security procedures. This might involve gaining the confidence of employees with access to secure information; tricking them into thinking there is a legitimate request to access secure information; physical observation; and eavesdropping on people at work. Social engineering preys on the fact that people are unable to keep up with the rapid advance of technology and have little awareness of the value of the information to which they have access. Kevin Mitnick (Mitnick & Simon, 2003), one of the most high-profile “hackers”, underlined the importance of social engineering in obtaining access to systems:

When I would try to get into these systems, the first line of attack would be what I call a social engineering attack, which really means trying to manipulate somebody over the phone through deception. I was so successful in that line of attack that I rarely had to go towards a technical attack. The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.

US Senate Testimony (Mitnick 2000)

Bruce Schneier, one of the world’s leading security experts, similarly underlines the importance of social engineering: “amateurs hack systems, professionals hack people” (Christopher 2003).

A DISCUSSION OF INFORMATION SECURITY THREATS

None of the threats mentioned are mutually exclusive, and they could occur in any combination. All threaten information and the systems that contain and use it.

Although there can be no agreement on the actual figures and percentages, empirical evidence from a number of security surveys over the past years (CompTIA, 2003; CompTIA, 2004; PricewaterhouseCoopers, 2002; PricewaterhouseCoopers, 2004; Richardson, 2003) shows similar trends and patterns of security breaches. Information security breaches are increasing year on year. The most common type of attack is from viruses and malware, followed by hacking or unauthorised access to networks resulting in vandalism of Web sites, and theft of equipment (mainly laptops). Denial-of-service attacks are less frequent relative to viruses, with financial fraud and theft of information being the least frequently experienced kinds of security breach. However, it should be noted that the latter two breaches would be hard to detect in the short term, and that the impact of the preceding attacks would have an indirect effect on the information stored. It is commonly believed that information security is most at risk from insiders, followed by ex-employees, hackers, and, to a lesser extent, terrorists (PricewaterhouseCoopers, 2002; PricewaterhouseCoopers, 2004).

Schultz (2002) argues that there are many myths and misconceptions about insider attacks and develops a framework for predicting and detecting them in order to prevent them. Although this framework has not yet been validated by empirical evidence, the metrics identified are drawn from a range of studies in information security by a number of academics. Some of the measures identified are personality traits; verbal behaviour; consistent computer usage patterns; deliberate markers; meaningful errors; and preparatory behaviour (Schultz, 2002). In academic terms, the field of information security is still young and this is one area in which more research can be conducted.

FUTURE TRENDS

It is always difficult to predict the future, but the past and present allow us some insight into future trends. Over the last few years, information security has changed and matured, moving out of the shadow of government, the military, and academia into a fully fledged commercial field of its own (Mixter, 2002) as the commercial importance and economic value of information has multiplied.

Information is reliant on the systems that manage and process it. The future trend for information systems technology is more intelligent information processing (in the form of artificially intelligent bots and agents) and increased integration and interoperability between systems, languages, and infrastructures. This means a growing reliance on information in society and the economy, and a consequent rise in the importance of information security.

In the short term, nobody predicts an end to information security threats. There will be an escalation of blended, combined threats with more destructive payloads—for instance, the development of malware that disables anti-virus software, firewalls, and anti-Trojan horse monitoring programmes (Levenhagen, 2004). Although the measures taken to protect information will continue to be a cocktail of procedures in the short term, there are two views of how the threat to information security will develop in the longer term.

On the one hand, there are those who feel information security will improve incrementally as vulnerabilities are tackled by researchers and businesses. A study of the history of worms (Kienzle & Elder, 2003) identified the process of creating worms as evolutionary and found that best security practices do work against this threat. Mixter (2002) and others (Garfinkel, 2004; Kienzle & Elder, 2003) acknowledge that there is still much work to be done, but identify the need for information security to define clear rules and guidelines for software developers while also improving user intelligence and control. The main areas for potential research not yet fully explored are the development of new approaches to information security education and policies, trust and authentication infrastructures, intelligence, and evaluation to quantify risk in information systems. None of these are easy.

On the other hand, there is the “digital Pearl Harbour” view, which posits that information security will only improve as a result of an event of catastrophic and profoundly disturbing proportions (Berinato, 2003; Schultz, 2003) that will lead to the mobilisation of governments, business, and people. The consequences of the “digital Pearl Harbour” would be a cycle of recrimination in which the first response would be litigation against those held liable. Regulation would follow, with the rapid introduction of legislation to counter or prevent the catastrophe and the introduction of standards for software development covering software configuration, vulnerability reporting, and common procedures for responding to virus and other attacks. Finally, reformation would change attitudes to information security, and there would be a cultural shift towards a better and more pro-active approach with zero tolerance for software that threatens information and system security (Berinato, 2003). Alternatively, the reaction to the “digital Pearl Harbour” would be to remove the integration between systems, enforcing security restrictions that do not allow information sharing or transmission. Some (Garfinkel, 2004) predict that if the issue of information security is not resolved, the use of new technology for sharing information (such as e-mail) will become a mere footnote in communications history, similar to the CB radio.

CONCLUSION

Information is now the lifeblood of organisations and businesses—some even argue the economy. In order to grow and thrive, information must be secured. The three most common features of information security that are threatened by both technical and non-technical means are ensuring:

  • Confidentiality: That information is accessible only to those authorised to access it.
  • Integrity: That information is unchanged and in its original format whether it is stored or transmitted, and being able to detect whether information has been tampered with, forged or altered in any way (whether accidentally or intentionally).
  • Authentication: That the source of the information (whether individuals, hardware, or software) can be authenticated as being who they claim to be.

But there must also be accountability and authorisation, where security protocols and procedures are clearly defined and can be traced and audited. The information security threats described are just a sample of the kinds of attack that can occur. They all underline the fact that information security in the digital and interconnected age is heavily reliant on technology. However, the technology being developed to share and transmit information has not been able to keep up with the types of threats that have emerged. This lack of progress stems from a combination of different factors.

  • Security has not been a design consideration but an afterthought, as “patches” are bolted on after vulnerabilities have been exploited.
  • Legislation against those who breach security, and the development of common technical standards, have still to be developed.
  • Education and awareness-raising for users, to improve “computing” and information security practices, has lagged behind the rapid and widespread implementation and use of the new digital infrastructure.

Information security is not solely a technology issue. The vulnerabilities that exist in people’s working practices, hardware, software, and the infrastructure of the Internet and other systems as a whole are many, so information security is the responsibility of all stakeholders, and any measures to combat information security threats should combine the technical and the non-technical.
