Information Security

Issues in Informing Science and Information Technology, Volume 4, 2007

Framing the Corporate Security Problem: The Ecology of Security

Robert Joseph Skovira, Robert Morris University, Moon Twp, PA, USA

Abstract

Security and information systems are intertwined. The costs of secure systems are in the billions of dollars. In the digital world, security vulnerabilities and threats work contrary to the security goals of confidentiality, integrity, and availability of information systems. The essay describes a view of organizations and their policies, network systems, operating systems, software applications, information, and people joined interactively and dependently in an environment. The paper presents an ecological conception of security.

Keywords: Security, Information security, Secure programming, Secure computing, Ecology

Introduction

Security and information systems are intertwined. The complex interactions and interconnections among people, software applications, networks, operating systems, and organizational policies create myriads of exploitable points. Daily newspapers present accounts of intrusions, stolen laptops, and other security breakdowns. The global implications of a security meltdown of apocalyptic proportions have been the guise of a novel (Brown, 1998). Intrusions and attempts at intruding are happening continuously at every moment of an information system's life. According to Consumer Reports (2006), in any given 24-hour period there are approximately 60 million intrusion attempts. The estimated cost of security defenses in the face of attacks is approximately $7.8 billion for 2004-2006; the costs of spamming and viruses are approximately $5.2 billion; the costs of spyware intrusions are approximately $2.6 billion. Phishing intrusions amount to approximately $630 million (Consumer Reports, 2006). There are other estimates (Bodin, Gordon & Loeb, 2005; Kros, Foltz & Metcalf, 2004-2005). What the cost is now or will be in a year's time is anyone's guess. In the Information Age, where interconnectivity and information access and availability are paramount, malware and malicious exploitation of information system vulnerabilities have become epidemic (Seshadri, Luk, Perrig, Van Doorn, & Khosla, 2006; Whitman, 2003). Security and security awareness are necessary elements of a secure environment, even as people have access to required information and information resources. "Information security involves making information accessible to those who need the information, while maintaining integrity and confidentiality" (Carstens, McCauley-Bell, Malone, & DeMara, 2004, p. 68).

Security Vulnerabilities

In the digital world, where an individual's desktop computer is networked not only within the organization but also to the world via the WWW, it is safe to say that everything: the computer and its operating system, the network and web site, the information on it or in corporate databases, the software used to conduct business and query the databases, and the person, is vulnerable and subject to some kind of malicious attack. "A vulnerability is a weakness...that might be exploited to cause loss or harm" (Pfleeger, 1997, p. 3). Hardware is vulnerable to interruptions (also called "denial of service") and interceptions (by stealing) (Pfleeger, 1997; Graff & van Wyk, 2003). The accessibility and visibility of computers (laptops are stolen), printers, even cables, and equipment (hard drives are recycled) of all kinds make them vulnerable to security breakdowns (Pfleeger, 1997; Whitman, 2003; Volonino & Robinson, 2004).

Software is open to interruptive (being deleted) threats. Software, at least in part, and its functionality can be captured and used without appropriate permissions. Software can be changed in unpermitted ways by unauthorized persons (Pfleeger, 1997; Whitman, 2003).

Information can be subject to unauthorized capture and use. Use of information can be disrupted. Unauthorized access to an information system can lead to information being inappropriately changed, even made up, or appropriated contrary to privacy laws (Pfleeger, 1997; Whitman, 2003; Volonino & Robinson, 2004).

People are especially prime points of exploitation for unpermitted access to and use of information and its system. People become opened gates for incursions into applications, operating systems, and networks (Carstens et al., 2004; Bailes & Templeton, 2006; Campbell, 2006). Information systems become vulnerable when key personnel are unavailable and are not reliable. This happens in many possible ways, but the chief manner is framed by and works through people's mental models of trust. There is also a problem with usability designs of systems. For the user, security ought to be transparent. People will try to bypass system security whenever confronted with an accessibility choice allowed by an easy security routine as opposed to a difficult security check (Pfleeger, 1997; Howard, LeBlanc, & Viega, 2005; Mercuri, 2006).

Security Threats

Information systems and their components are threatened in at least four different ways. An information system suffers an "interruption" when a breakdown of functionality and use happens because of an unauthorized intrusion into the information system (Pfleeger, 1997; Volonino & Robinson, 2004). An "interception" occurs as the "hijacking" or "piracy" of an information system or one of its components in order to gain unauthorized rights to and use of available software applications or stored information (Pfleeger, 1997; Volonino & Robinson, 2004). A "modification" is the changing of informational content or software code without the correct permissions as a consequence of intrusions (Pfleeger, 1997; Schneier, 2000). A "fabrication" is the unpermitted change of software code or stored information as a result of an exploitative intrusion. The changes may be additive or subtractive (Pfleeger, 1997; Volonino & Robinson, 2004).

Security Goals

There are three goals which security plans and practices attempt to meet: confidentiality in the system, the system's integrity, and the system's continual ability to make information and other system resources available to users. Users ought to be confident about the proper use of the information system. This means that only the proper personnel are allowed to use the information system and its resources in the proper manner, namely information system access with permission (Hartman, Flinn, Beznosov, & Kawamoto, 2003). "Confidentiality" refers to the availability of system resources only to people permitted to access them. Having permission to use an information system's resources means that the user must be authenticated—checked to see if the user is "legal"—in order to be authorized to use the system. Only authorized persons have permissions to

Publication notice: Material published as part of this publication, either on-line or in print, is copyrighted by the Informing Science Institute. Permission to make digital or paper copy of part or all of these works for personal or classroom use is granted without fee provided that the copies are not made or distributed for profit or commercial advantage AND that copies 1) bear this notice in full and 2) give the full citation on the first page. It is permissible to abstract these works so long as credit is given. To copy in all other cases or to republish or to post on a server or to redistribute to lists requires specific permission and payment of a fee. Contact Publisher@InformingScience.org to request redistribution permission.
