Zero To Mastery In Cybersecurity- Become Zero To Hero In Cybersecurity, This Cybersecurity Book Covers A-Z Cybersecurity Concepts, 2022 Latest Edition
Ebook, 434 pages, 4 hours

About this ebook

  • This Cybersecurity Book Covers Each And Every Topic Of The Cybersecurity.
  • With The Help Of This Cybersecurity Book, You Can Learn Cybersecurity Very Easily, You Don't Need To Learn Cybersecurity The Hard Way.
  • This Is One Of The Best Cybersecurity Book For Beginners To Advanced Beca
Language: English
Release date: May 28, 2022
ISBN: 9789394962071
    Book preview

    Zero To Mastery In Cybersecurity- Become Zero To Hero In Cybersecurity, This Cybersecurity Book Covers A-Z Cybersecurity Concepts, 2022 Latest Edition - RAJIV JAIN

    Zero to Mastery in CYBER SECURITY


    Chapter-1

    INFORMATION SYSTEM

    In this age of information, almost all fields of endeavor such as education, manufacturing, research, games, entertainment, and business treat information systems as a need. Indeed, every activity in our daily life today requires people to get involved in the use of information systems.

    First, to understand the system, we need to understand the following concepts.

    1. Data.

    2. Process.

    3. Information.

    4. System.

    Data

    Data is raw material. Data refers to the raw facts about any thing or entity, such as student names, courses and marks. Raw data that has not yet been processed can be processed to become more useful information.

    For example:

    • To add two numbers, we need more than one piece of data, such as a (a=2) and b (b=4).

    • In a class, student name, roll number, age and their marks are the data.

    Process

    Process or procedure explains the activities performed by users. Process is a guide consisting of orderly steps, which need to be implemented in order to get a certain decision on a certain matter.

    Information

    The data after processing is called information.

    Fig. 1.1

    Information is an organized, meaningful and useful interpretation of data, such as a company's performance or a student's academic performance. Information systems turn data, after performing some process on it, into information that is useful and capable of giving a certain meaning to its users.

    For example: In the addition of two numbers, the data (raw material) is a (a=2) and b (b=4), and after adding these data the result is c (c=6). The information c (c=6) is obtained after processing the data.

    In a class, the student names, roll numbers, ages and marks are the data. By performing some process on them, such as a mathematical calculation (the average formula), we get information about the class, such as the class's performance.

    Hardware

    Hardware is the physical component of the computer, which can be touched and felt by the user.

    These components include the following:

    1. Input Devices.

    2. Output Devices

    3. Storage Devices.

    Software

    Computer software, or just software, is a collection of computer programs and related data that provides the instructions for telling a computer what to do and how to do it.

    A program is a sequence of instructions designed to accomplish a particular task. A collection of programs designed for a specific purpose is called software.

    System

    A system is simply a group of activities and elements and all activities are executed in a manner to achieve the specific task or purpose.

    Information System

    An information system is a collection of hardware and software designed to achieve a specific task. Information systems help people make business decisions.

    In the current era of globalization, the success of a business depends on the information system.

    Many organizations today use information systems to offer services with greater satisfaction to customers, to access a wider range of information, to handle business changes at a greater speed, and to increase the productivity of workers. Based on a number of studies, an effective information system should be able to exceed customer expectations and fulfill business needs.

    Types of Information System

    Fig. 1.2

    Transaction Processing System (TPS)

    - TPS can access information about all transactions related to the organization.

    - Transactions occur whenever there exist activities involving sales order processing, accounts receivable, accounts payable, inventory and ordering as well as payroll.

    - These transactions involve credit and debit in the company ledger account.

    - The output from this transaction is the account statement, which is used to generate financial reports.

    - TPS now uses the latest technology which uses the E-commerce concept. This is a new challenge in the field of transaction processing which begins to shift to the on-line transaction processing system.

    Management Information System (MIS)

    - This system will take the information that has been extracted from TPS and generate reports which are required by the management for planning and controlling a company's business.

    - This system is capable of fulfilling the needs of management in acquiring the information that:

    (a) is brief and useful.

    (b) can be obtained and processed at the right time to make a decision.

    Executive Information System (EIS)

    - A decision support system specifically used by the executive management in making strategic decisions.

    - It is a tool that provides online access directly to the relevant information, in the format that is useful and can be browsed.

    - Relevant information is timely, precise and useful in business aspects, according to the interest of certain managers.

    - A useful format that can be browsed easily means that the system has been specially built for the use of individuals who have little time to spare, are less skilful in using the keyboard and are less experienced with computers.

    - This system can be surfed easily so that managers can identify strategic issues and can then explore information for getting the sources about those issues.

    - It is also an information system that combines the features of information reporting system and decision support system. It focuses on fulfilling the strategic information needs of the top management.

    Decision Support System (DSS)

    - The main focus of this information system is for the effectiveness of the manager in analyzing the information and making a decision.

    - It is used for handling decisions that are not structured, i.e. decisions which are made when an emergency happens.

    - This system uses a database management system, query language, financial modeling, electronic spreadsheet, statistical analysis program, report generator or graphic software for supplying the information needed.

    Office Information System (OIS)

    - Office automation is wider than word processing and form processing.

    - This information system covers activities in the office, which can improve work flow and communication among workers, whether inside or outside the office.

    - The focus of this system is on the collection of information for whoever needs it.

    - The functions of this system are word processing, e-mails, work group programming, work group scheduling, facsimile processing, e-document, imaging and management of work flow.

    Expert System (ES)

    - It is a program that produces a decision which is almost similar to decisions made by an expert in a certain discipline.

    - This information system can imitate the way humans think and consider in making a decision.

    - An expert system will combine the use of knowledge, facts and techniques to make a decision.

    - An expert can always give a certain decision which is accurate as well as ensuring maximum benefit to all the people concerned. Unfortunately, the sources for expert services are limited.

    - Realizing the high value of knowledge and the expertise owned by the expert, researchers have tried to transfer and save in the computers the knowledge and expertise owned by the experts.

    - Through this work, the expert system is made.

    Information System Participants / Individuals in IS

    Fig. 1.3

    System Owner

    The systems owner bears the cost of system development and maintenance. He has the right over the system, determines the interest over the system and determines the policies over its use. The system owner is also responsible for system justification and system acceptance. In certain situations, the system owner is also a system user.

    System owners always think of the return value, which can be obtained by developing the information system. This return is valued from various aspects such as:

    - What are the benefits of the system?

    - What are the mission and objectives?

    - What is the cost of developing the system?

    - What is the cost of operating the system?

    - Can the investment pay back the capital?

    System Designer

    Systems designers are experts in the technical field who would design a system for fulfilling the needs of users. They are responsible for manipulating the needs of business users and the constraints in technical solutions. They design computer files, databases, input, output, screen, networks, and programs that can fulfill the needs of system users. They are also responsible for integrating the technical solutions into the daily business environment.

    Systems designers understand the technological environment better when compared to systems owners and systems users. They always provide alternatives and design systems based on technological constraints at that time. Now, systems designers give more attention to technical experts such as:

    - Database designers who provide focus on the data.

    - Programmers and software engineers who provide focus on the process.

    - Systems integrators who provide focus on the system interfaces.

    - Telecommunication and network experts who provide focus on the geographic locations.

    System Developer

    Systems developers are the experts in the technical field who would develop, test and produce a system, which can operate successfully. They build the system components based on the design specifications of the system designers. In many situations, system designers are the system developers.

    They use technology to develop information systems.

    Among the individuals who get involved directly in information system development, you may ask what the role of the systems analyst is. In actual fact, systems analysts act as facilitators for information systems development. The systems analyst has the expertise that is owned by all the above individuals. They should feel comfortable with the views of all the individuals mentioned above. For the systems owners and users, the systems analyst should develop and update their views.

    The duty of the systems analyst is to ensure that the technical knowledge of systems designers and developers is consistent with the current business needs.

    System User

    The system user is an individual who uses the system for producing something, or uses the system to help him in his daily jobs. Directly, users are the ones who get the benefits from the system that has been developed. Besides being the initiators for the new information system request, users also determine:

    - The problems to be solved.

    - Opportunities to be exploited.

    - The needs to be fulfilled.

    - Business constraints to be overcome by the system.

    - Whether the information system that has been developed is easy or difficult to use.

    Internal User

    Employees who work in the company to develop the information system. Internal users constitute the highest percentage among those who use the said system. They include the support and administrative staff, the technical and professional staff, supervisors, the management and the executives.

    External User

    The information system can now connect to other individuals as users of the system.

    Due to global competition, businesses are redesigned to enable connectivity with other organizations, partners, suppliers, customers and end users.

    As an example, you need not fill up any form to apply for entry into OUM. With the information system provided by OUM, you just need to go to the OUM website, fill up the application form online, and send the form online. Now, the facility is provided, but in future it may be necessary to change our way of life.

    Development of Information System

    An information system is developed in phases, and the phases are executed in a defined order.

    Each phase produces deliverables required by the next phase in the life cycle of the information system.

    The following are the phases in the development of the information system.

    1. Requirement gathering and analysis: Business requirements are gathered in this phase. The main focus in this phase is on requirements like:

    Who is going to use the system?

    How will they use the system?

    What data should be input into the system?

    What data should be output by the system?

    These are the general questions that get answered during the requirement gathering phase. A requirement specification document is created, which serves as a guideline for the next phase of the development of the information system.

    2. Design: In this phase the system design is prepared from the requirement specifications which were studied in the first phase. System design helps in specifying hardware and system requirements and also helps in defining the overall architecture. The system design specifications serve as input for the next phase of the information system.

    3. Implementation / coding: On receiving the system design documents, the work is divided into modules/units and actual coding is started. This is the longest phase of the development of the information system.

    4. Testing: After the code is developed it is tested against the requirements to make sure that the product actually solves the needs addressed and gathered during the requirement phase. Testing is the activity performed to check the quality of the information system against defects. In the testing phase the system is tested with the intent of finding errors.

    5. Deployment: After successful testing the product is delivered / deployed to the customer for their use.

    6. Maintenance: Once customers start using the developed system, actual problems come up and need to be solved from time to time. This process, in which care is taken of the developed product, is known as maintenance.

    Questions

    Q.1. What is an information system? Give the components of an information system.

    Q.2. Define information system. What are the types of information system?

    Q.3. Write short notes on the following:

    (i) Management Information System

    (ii) Executive Information System

    (iii) Decision Support System

    (iv) Expert System

    Q.4. Explain in detail the information system participants.

    Q.5. Explain in detail the development of an information system.

    Q.6. What is an information system? How do information systems relate to businesses and help them?

    Chapter 2

    INFORMATION SECURITY

    According to the UK Government, Information security is: The practice of ensuring information is only read, heard, changed, broadcast and otherwise used by people who have the right to do so. (Source: UK Online for Business)

    Information systems need to be secure if they are to be reliable. Since many businesses are critically reliant on their information systems for key business processes (e.g. websites, production scheduling, transaction processing), security can be seen to be a very important area for management to get right.

    Need for Information Security

    Computer security is the process of preventing and detecting unauthorized use of your computer.

    Prevention measures help you to stop unauthorized users from accessing any part of your computer system. Detection helps you to determine whether or not someone attempted to break into your system, if they were successful, and what they may have done.

    Security Requirements

    Needs for information systems security and trust can be formulated in terms of several major requirements:

    - Data confidentiality - controlling who gets to read information in order to keep sensitive information from being disclosed to unauthorized recipients - e.g., preventing the disclosure of classified information to an adversary.

    - Data integrity - assuring that information and programs are changed, altered, or modified only in a specified and authorized manner - e.g., preventing an adversary from modifying orders given to combat units so as to shape battlefield events to his advantage.

    - System availability - assuring that authorized users have continued and timely access to information and resources - e.g., preventing an adversary from flooding a network with bogus traffic that delays legitimate traffic such as that containing new orders from being transmitted.

    - System configuration - assuring that the configuration of a system or a network is changed only in accordance with established security guidelines and only by authorized users.

    - Authentication - ascertaining that the identity claimed by a party is indeed the identity of that party. Authentication is generally based on what a party knows (e.g., a password), what a party has (e.g., hardware computer-readable token), or what a party is (e.g., a fingerprint).

    - Authorization - granting of permission to a party to perform a given action (or set of actions).

    - Auditing - recording each operation that is invoked along with the identity of the subject performing it and the object acted upon (as well as later examining these records).

    - Non-repudiation - the use of a digital signature procedure affirming both the integrity of a given message and the identity of its creator to protect against a subsequent attempt to deny authenticity.

    Information System threats / attacks

    There are mainly two types of threats in Information System.

    Fig. 2.1

    Passive Threats

    Passive threats take the form of monitoring transmissions of many types. The goal of the hacker carrying out this attack is to obtain the information being transmitted in the message in order to gain an edge over the other party.

    Passive attacks are very hard to detect because they do not damage or change the information.

    So the victims cannot tell they have been attacked.

    Types of Passive Threats

    There are two main types of passive attack.

    1. Release of message content: This is easy to grasp from its name alone, and what it does is easy to figure out as well. In this type of passive attack, a mail message, a phone call or any other transferred message containing sensitive information is intercepted.

    2. Traffic analysis: Traffic analysis is a little more complicated; it is very subtle and hard to detect. It would be as if we had a way to hide the information in a message and the hacker still viewed the information.

    Active threats

    Active threats attempt to change the system they are attacking. Active threats always involve a modification of the data stream. There are four main categories of attacks:

    - Masquerade: This is the term used when an attacking device impersonates a valid device. It is the ideal approach if an attacker wants to remain undetected. If the device can successfully fool the target network into validating it as an authorized device, the attacker gets all the access rights that the authorized device established during logon.

    - Replay: A replay attack captures information sent by an unwary client and later attempts to reuse (replay) that information in order to gain access to protected data.

    - Modification: This changes the information included in messages being processed between two or more entities.

    - Denial of Service: In a DoS attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, websites, online accounts or other services that rely on the affected computer.
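
    How a receiver can detect three of the active attacks listed above (masquerade, replay and modification) is shown in the following added example, which is not taken from the book. The message fields, the `Receiver` class, the sender id `pump-7`, the keys and the 30-second freshness window are assumptions made for illustration.

```python
import hashlib
import hmac
import json

MAX_AGE_SECONDS = 30  # assumed freshness window for this example


def _tag(key: bytes, msg: dict) -> str:
    """HMAC-SHA256 over every field, so changing any of them breaks the tag."""
    fields = {k: msg[k] for k in ("sender", "nonce", "sent_at", "body")}
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def seal(key: bytes, sender: str, nonce: str, sent_at: int, body: str) -> dict:
    """Sender side: build the message and attach its tag."""
    msg = {"sender": sender, "nonce": nonce, "sent_at": sent_at, "body": body}
    msg["tag"] = _tag(key, msg)
    return msg


class Receiver:
    def __init__(self, keys: dict):
        self.keys = keys   # sender id -> shared secret key
        self.seen = set()  # (sender, nonce) pairs already accepted

    def check(self, msg: dict, now: int) -> str:
        sender = msg.get("sender")
        key = self.keys.get(sender) if isinstance(sender, str) else None
        if key is None:
            return "reject: unknown sender"
        if not (isinstance(msg.get("nonce"), str)
                and isinstance(msg.get("sent_at"), int)
                and isinstance(msg.get("body"), str)
                and isinstance(msg.get("tag"), str)):
            return "reject: malformed"
        # Modification and masquerade both show up as a tag that does not
        # verify under the claimed sender's key. Compare in constant time.
        expected = _tag(key, msg).encode()
        if not hmac.compare_digest(expected, msg["tag"].encode("utf-8", "replace")):
            return "reject: bad tag"
        # A valid message captured long ago is refused on age alone.
        if abs(now - msg["sent_at"]) > MAX_AGE_SECONDS:
            return "reject: stale"
        # A valid, fresh message is accepted once; a second copy is a replay.
        ident = (sender, msg["nonce"])
        if ident in self.seen:
            return "reject: replay"
        self.seen.add(ident)
        return "accept"


def demo() -> list:
    """Run constructed sample messages through the receiver."""
    key = b"constructed-demo-key"
    rx = Receiver({"pump-7": key})
    good = seal(key, "pump-7", "n-001", 1000, "open valve 3")
    tampered = dict(good, body="open valve 9")            # modification
    forged = seal(b"not-the-real-key", "pump-7", "n-002", 1000, "open valve 3")
    late = seal(key, "pump-7", "n-003", 1000, "open valve 3")
    return [
        rx.check(good, now=1005),
        rx.check(good, now=1010),      # same message sent again
        rx.check(tampered, now=1005),
        rx.check(forged, now=1005),    # masquerade without the key
        rx.check(late, now=2000),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

    Denial of service is not covered by this check; it is an availability problem that message authentication does not address.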

    Information Assurance

    Information Assurance assures that authorized users have access to authorized information at the authorized time. It does not matter whether the information is in storage or processing. The session provides an introduction to Information Assurance as well as details that will help storage personnel better understand its applicability in their own environments.

    Measures that protect and defend information and information system by ensuring their availability, integrity, authentication, confidentialit

    Information Assurance defines and applies a collection of policies, standards, methodologies, services and mechanisms to maintain mission integrity with respect to people, process, technology, information and supporting infrastructure.

    Information Assurance provides for confidentiality, integrity, availability, utility, authenticity, non-repudiation, authorized use and privacy of information in all forms.

    Information Security Principles

    Confidentiality

    Confidentiality ensures that information can be accessed only by authorized users.

    Integrity

    Integrity ensures that information remains in its original form.

    Availability

    Availability ensures that the information resource is ready for use within stated operational parameters.

    Possession

    Possession ensures that the resource remains in the custody of authorized personnel.

    Authenticity

    Authenticity ensures that information conforms to reality; it is not misrepresented as something it is not.

    Privacy

    Privacy ensures the protection of personal information from observation or intrusion, as well as adherence to relevant privacy compliance requirements.

    Questions

    Q.1. What are the needs of information security? Explain.

    Q.2. What are information system threats/attacks, and what are the types of information system threats?

    Q.3. Write a
