Tuesday, August 31, 2010

Information Security in the Digitized World

In today’s world, information is one of the most important assets of an organization, probably second only to human capital. Information has become important both as input and as output. Hence information security is of great concern to any company that does business over the internet.

The Internet, which has become a primary medium for conducting business, is by design an open, non-secure medium. As it has evolved from email and non-commercial purposes to transaction processing, it has become imperative that secure transaction processing is available, so that people have trust and assurance in doing business on the internet.

Surveys show that lack of transaction security is one of the key reasons why consumers are hesitant about shopping online. Internet-based fraud and complaints of theft have been growing at double-digit rates year on year.

In 1991 the NSF lifted the restriction on commercial use of the Internet, and that marked the beginning of the age of electronic commerce. The initial growth was turbocharged by the development of the World Wide Web and GUI-based browsers shortly after. Since then online business and e-commerce have been growing at a phenomenal rate. Despite this extraordinary growth, surveys show that consumers are reluctant to make purchases online because of security concerns, and for the same reason a significant number of businesses are hesitant to move their operations online. These security concerns stem from a number of factors. The original purpose of the Internet was to move files among computers and to enable easy remote access to computers.

Security, for both the Internet and the Web, is essentially an afterthought. In addition to the Internet being an open forum, the rapid proliferation of new software and communication systems leaves users oblivious to many vulnerabilities that can lead to inadvertent security breaches; business users, who typically know least about these vulnerabilities, are the ones most easily exploited. In contrast to the simple open design of the Internet, the present economy has evolved into a primarily knowledge-based economy in which information security is of paramount importance. At first glance, it appears we have a situation that presents a tremendous opportunity for global commerce and B2B transactions: a global communication infrastructure that is very conducive to low-cost transmission of information, and a global economy that is increasingly information-based. However, this global electronic commerce scenario cannot be realized without a reliable supporting information security framework. Protecting online assets and network resources is extremely important; it ought to be a mission-critical concern of any e-business.


Online security can be analyzed as consisting of multiple properties, some of which are discussed below:


1. Confidentiality and privacy

2. Integrity

3. Availability

4. Legitimate use



Confidentiality and privacy

Privacy or confidentiality involves making information accessible only to authorized parties, i.e. restricting access by unauthorized parties. Privacy concerns did not originate with the Internet; however, conducting business over the Internet has brought a lot of focus to them.

e.g. a person purchasing an iPod on eBay, a person transferring money from his bank account for business purposes, or something as simple as a person accessing his email or Facebook profile.

There has always been concern about confidentiality and privacy, especially with the onset of the whole gamut of social networking sites springing up on the internet. Most social networking sites have some integrated security system, but the number of profile thefts and false identity profiles has kept increasing. Facebook, which accounts for around 39% of social networking site usage, still reports scams.

In the last year, 57% of users report they have been spammed via social networking sites, an increase of 70.6% compared to the previous year. Furthermore, 36% of users say they have been sent malware via social networking sites, a rise of 69.8% from the previous year. On the other hand, CEOs of companies are concerned that their employees’ usage of social networks poses a security risk to their companies. Recently the leakage of emails


Integrity

The need for correct information at the correct moment in an information- and knowledge-driven society is tremendous. Typically, information is either stored at a given location or being passed from one point to another. Either way, the primary concern for information integrity is that the information is not altered or modified illegally and illegitimately: nothing should be added to or removed from the data that was not intended or authorized. The extreme cases of loss of integrity are when a whole database is lost or replaced with something else.
Intermediate to these extreme cases are situations where data is corrupted minimally or altered partially, such that major repairs have to be done to make it usable again. This costs a lot of time and money for both small and large companies. Instances of this have been common at educational institutions and call centers, where a lot of confidential customer data is stored, provoking angry reactions from the stakeholders.
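As an added example (not code from the original post), the following Python shows the difference between a plain checksum, which catches accidental corruption, and a keyed message authentication code (HMAC), which also catches deliberate modification by someone who can rewrite the stored record. The record, the key and the corruption are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record for this example; not real customer data.
RECORD = {"customer_id": 1042, "name": "A. Example", "balance": 250.00}


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so equal records always give equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_checksum(data: bytes) -> str:
    """Unkeyed SHA-256. Anyone can recompute it, so it only catches accidents."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256. Without the key nobody can produce a valid tag for new data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_plain(data: bytes, checksum: str) -> bool:
    return hmac.compare_digest(plain_checksum(data), checksum)


def verify_keyed(data: bytes, tag: str, key: bytes) -> bool:
    # compare_digest avoids leaking how many leading characters matched via timing.
    return hmac.compare_digest(keyed_tag(data, key), tag)


def flip_one_bit(data: bytes) -> bytes:
    """Simulate corruption on a faulty link or disk: flip the low bit of one byte."""
    buf = bytearray(data)
    buf[len(buf) // 2] ^= 0x01
    return bytes(buf)


def demo(key: bytes) -> dict:
    """Run both integrity checks against accidental corruption and deliberate forgery."""
    original = canonical(RECORD)
    stored_checksum = plain_checksum(original)
    stored_tag = keyed_tag(original, key)

    # Case 1: accidental corruption in transit or at rest.
    damaged = flip_one_bit(original)

    # Case 2: an attacker with write access to the store changes the balance and,
    # because the checksum needs no secret, recomputes it so it still matches.
    forged = canonical(dict(RECORD, balance=999999.0))
    forged_checksum = plain_checksum(forged)
    # The attacker does not hold the HMAC key, so the best available moves are to
    # keep the old tag or to compute one under a guessed key.
    guessed_tag = keyed_tag(forged, b"guess")

    return {
        "plain_detects_corruption": not verify_plain(damaged, stored_checksum),
        "keyed_detects_corruption": not verify_keyed(damaged, stored_tag, key),
        "plain_detects_forgery": not verify_plain(forged, forged_checksum),
        "keyed_detects_forgery": not verify_keyed(forged, stored_tag, key),
        "keyed_detects_guessed_key": not verify_keyed(forged, guessed_tag, key),
    }


if __name__ == "__main__":
    # The key must stay out of the attacker's reach (e.g. an HSM or a secrets store).
    for check, result in demo(secrets.token_bytes(32)).items():
        print(f"{check:28s} {result}")
```

The practical point is the third result: a stored hash that the attacker can recompute gives no protection against an attacker who can write to the data store, whereas the HMAC forces them to obtain the key as well.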

Attacks by trojans and other malware that alter, modify or delete data have been rampant on the internet for a long time.

[Chart: Kaspersky Lab statistics showing the country-wise percentage of malware attacks worldwide]

Availability

System availability is one of the fundamental requirements of doing online business. Availability means that systems, data, and other resources are usable when needed despite subsystem outages and environmental disruptions. Lack of availability is essentially loss of use.

The best-known cause of availability problems is Denial of Service (DoS) attacks.

Wikipedia defines Denial of Service (DoS) as
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an internet site or service from functioning efficiently or at all, temporarily or indefinitely.


DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. The term is generally used with regard to computer networks but is not limited to that field. Closely related to availability are reliability and responsiveness. Reliability implies that a system performs functionally as expected. Responsiveness is a measure of how quickly service can be restored after a system failure; in other words, it is a measure of system survivability. This does not necessarily mean that the failed system is revived, just that service is restored or not lost at all (for instance by failing over to a redundant system).
Even very robust services have not been immune to availability incidents and attacks. People have complained that even very popular search sites have been down (though for a very short time).


Legitimate use

This is one of the key issues for online security (and for computer security generally). Legitimate use has three components: identification, authentication and authorization. Identification is the process by which a user (human or machine) presents an identity to the host (server) it wishes to transact with; the most common form is a username. Authentication is the host's response to that claim: it verifies that the presenter really is who it claims to be, most commonly by means of a password. Without authentication, the system can be accessed by an impersonator. Authentication needs to work both ways: users must authenticate the server they are contacting (otherwise they may hand their credentials to a look-alike site), and servers must authenticate their clients. Authentication usually requires the entity that presents its identity to confirm it with something it knows (e.g. a password, PIN or secondary password), something it has (e.g. a smart card, a hardware token such as an RSA SecurID key, or an identity card) or something it is (biometrics: fingerprint or retinal scan). Combining factors from two different categories (two-factor authentication) means that a stolen password alone is not enough to get in. Authorization then decides what the authenticated identity is allowed to do.
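To make the three components concrete, here is an added example in Python (not code from the original post) that walks one login through identification (username lookup), two-factor authentication (a salted PBKDF2 password hash plus a time-based one-time code as defined in RFC 4226/6238) and authorization (a role-to-permission lookup). The user directory, the password and the roles are constructed for the example; the OTP secret is the RFC 6238 test-vector key so the codes are reproducible.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 100_000   # slow enough to frustrate offline guessing
OTP_STEP_SECONDS = 30


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Salted, iterated password hash. Store this record, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_password(password: str, stored: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), stored["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored["digest"])  # constant-time compare


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, int(unix_time // OTP_STEP_SECONDS), digits)


def verify_totp(secret: bytes, code: str, unix_time: float, window: int = 1) -> bool:
    """Accept the codes for the current step and +/- `window` steps (clock skew)."""
    base = int(unix_time // OTP_STEP_SECONDS)
    ok = False
    for k in range(-window, window + 1):
        # Check every candidate (no early exit) and compare in constant time.
        ok |= hmac.compare_digest(hotp(secret, base + k).encode(), code.encode())
    return ok


# Constructed user directory for this example: identity -> credentials and role.
# The OTP secret is the RFC 6238 test-vector key, so the codes are reproducible.
USERS = {
    "alice": {
        "password": hash_password("correct horse battery staple"),
        "otp_secret": b"12345678901234567890",
        "role": "clerk",
    },
}
ROLE_PERMISSIONS = {
    "clerk": {"view_balance"},
    "manager": {"view_balance", "approve_transfer"},
}
# Checked against for unknown usernames so they cost the same time as real ones
# (otherwise response time would reveal which usernames exist).
_DUMMY_PASSWORD = hash_password("dummy")


def login(username: str, password: str, otp_code: str, unix_time: float) -> dict:
    """Identification -> authentication (two factors) -> authorization data."""
    user = USERS.get(username)                       # identification: who do you claim to be?
    stored = user["password"] if user else _DUMMY_PASSWORD
    pw_ok = verify_password(password, stored)        # something you know
    otp_ok = bool(user) and verify_totp(user["otp_secret"], otp_code, unix_time)  # something you have
    if not (user and pw_ok and otp_ok):
        # One generic failure: don't reveal whether the username, password or code was wrong.
        return {"authenticated": False, "permissions": set()}
    return {"authenticated": True, "permissions": set(ROLE_PERMISSIONS[user["role"]])}


def authorize(session: dict, action: str) -> bool:
    """Authorization: may this authenticated identity perform the action?"""
    return session["authenticated"] and action in session["permissions"]
```

With the test-vector secret, `totp(secret, 59)` yields 287082 (the RFC 6238 value 94287082 truncated to six digits), so `login("alice", "correct horse battery staple", "287082", 59)` succeeds and is allowed `view_balance` but not `approve_transfer`; the same code presented two time steps later is rejected. Unknown usernames still pay the full PBKDF2 cost, and the caller is never told which factor failed.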

Another approach to authentication is the use of digital certificates. A digital certificate binds identifying information about its subject (a user, server or organization) to that subject's public key; the matching private key never leaves the subject and is not part of the certificate. To prove its identity the subject signs a challenge or a message: a hash of the data is computed and that hash is signed with the private key, and anyone holding the certificate can check the signature with the public key. The authenticity of the certificate itself is attested by a trusted third party known as a Certificate Authority (CA), which signs it. Certificates, CAs, the keys and the procedures for issuing and revoking them together constitute a Public Key Infrastructure (PKI).

VeriSign, Thawte, Comodo, RSA and GeoTrust are very well-known names in the Certificate Authority world. Other protective measures include sandboxing, a technique that several vendors have started incorporating or have put on their development road maps. Check Point and Symantec have each brought to market extra safeguards around browser downloads. McAfee has extended SiteAdvisor and its SECURE trust mark to appear within search engine results, helping protect consumers against some of the newer techniques criminals use to infect machines and steal personal data. To add further protection against password-stealing key-loggers, most banking, credit card and secure transaction processing sites have introduced a virtual keyboard feature so that consumers mouse-click their passwords into login fields; note that this defeats only simple keystroke loggers, not malware that captures the screen or the browser's form data, so it supplements rather than replaces a second authentication factor.

I would not scare people by saying “do not go on the internet”; you could face hacking, phishing, spamming, malware, spyware, adware, viruses, identity theft and so on, but I would still say it is a great tool that also has its threats. ‘Tread carefully and safely’.


Redefine your Strategy to access the internet for your own benefit
