As Internet use is developing, more and more companies are opening their information system to their partners and suppliers. Therefore, it is essential to know which of the company's resources need protecting and to control system access and the user rights of the information system. The same is true when opening company access on the Internet.

Moreover, because of today's increasingly nomadic lifestyle, which allows employees to connect to information systems from virtually anywhere, employees are required to carry a part of the information system outside of the company's secure infrastructure.

Introduction to Security

Risk in terms of security is generally characterised by the following equation:

risk = (threat * vulnerability) / countermeasure

The threat represents the type of action that is likely to be of harm, whereas vulnerability (sometimes called flaws or breaches) represents the level of exposure to threats in a particular context. Finally, the countermeasure is all of the actions implemented to prevent the threat.

The countermeasures to be implemented are not only technical solutions but also include user training and awareness as well as clearly defined rules.

In order to secure a system, the potential threats must be identified so as to identify and anticipate the enemy's course of action. Therefore, the goal of this report is to provide an overview of possible hacker motivations, categorise them and give an idea of how they work in order to better know how to limit the risk of intrusion.

Goals of IT Security

Information systems are generally defined by all of a company's data and the material and software resources that allow a company to store and circulate this data. Information systems are essential to companies and must be protected.

IT security generally consists in ensuring that an organisation's material and software resources are used only for their intended purposes.

IT security generally is comprised of five main goals:

  • Integrity: guaranteeing that the data are those that they are believed to be
  • Confidentiality: ensuring that only authorised individuals have access to the resources being exchanged
  • Availability: guaranteeing the information system's proper operation
  • Non-repudiation: guaranteeing that an operation cannot be denied
  • Authentication: ensuring that only authorised individuals have access to the resources

Confidentiality

Confidentiality consists in making information unintelligible to individuals other than those involved in the operation.

Integrity

Verifying data integrity consists in determining whether the data were changed during transmission (accidentally or intentionally).
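The accidental/intentional distinction matters for the mechanism chosen: an unkeyed digest catches transmission errors, but anyone who can rewrite the message can also recompute the digest, so only a keyed tag detects deliberate tampering. The following example, added here and not part of the original article, shows both cases; the message, the shared key and the tamperer's guessed key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample message and shared key (assumptions of this example only).
MESSAGE = b"transfer 100 EUR to account 1234"
SHARED_KEY = b"example-shared-key-not-for-production"


def digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest: detects accidental changes (bit flips, truncation)."""
    return hashlib.sha256(data).hexdigest()


def mac(data: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256: detects changes made by anyone who does not hold the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def integrity_ok_unkeyed(data: bytes, received_digest: str) -> bool:
    return hmac.compare_digest(digest(data), received_digest)


def integrity_ok_keyed(data: bytes, received_mac: str, key: bytes) -> bool:
    return hmac.compare_digest(mac(data, key), received_mac)


def accidental_corruption(data: bytes) -> bytes:
    """Simulate a transmission error: flip one bit of the payload."""
    corrupted = bytearray(data)
    corrupted[0] ^= 0x01
    return bytes(corrupted)


def deliberate_tampering(data: bytes, tag_func):
    """Simulate a tamperer who rewrites the message and recomputes the tag shipped with it."""
    forged = data.replace(b"1234", b"9999")
    return forged, tag_func(forged)


def run_checks() -> dict:
    """Return, per scheme, whether the integrity check catches each kind of change."""
    results = {}
    corrupted = accidental_corruption(MESSAGE)
    results["unkeyed_catches_accident"] = not integrity_ok_unkeyed(corrupted, digest(MESSAGE))
    results["keyed_catches_accident"] = not integrity_ok_keyed(corrupted, mac(MESSAGE, SHARED_KEY), SHARED_KEY)
    # Tamperer recomputes the unkeyed digest over the forged message: the check passes, change undetected.
    forged, forged_digest = deliberate_tampering(MESSAGE, digest)
    results["unkeyed_catches_tampering"] = not integrity_ok_unkeyed(forged, forged_digest)
    # Without the shared key the tamperer can only tag under a guessed key: the keyed check fails as it should.
    forged, forged_mac = deliberate_tampering(MESSAGE, lambda d: mac(d, b"attacker-guessed-key"))
    results["keyed_catches_tampering"] = not integrity_ok_keyed(forged, forged_mac, SHARED_KEY)
    return results
```

Run `run_checks()`: only the keyed scheme reports the deliberate change, which is why an integrity guarantee against intentional modification needs a secret the tamperer does not have.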

Availability

The goal of availability is to guarantee access to a service or resources.

Non-repudiation

The non-repudiation of information is the guarantee that none of the parties involved can deny an operation at a later date.

Authentication

Authentication consists in confirming a user's identity, i.e. guaranteeing for each party that their partners are truly who they think they are. An access control (e.g. an encrypted password) grants access to resources only to authorised individuals.

Need for a Global Approach

Information system security is often the subject of metaphors. It is often compared to a chain, in the sense that a system's security level is only as strong as the security level of its weakest link. Likewise, a reinforced door is useless in protecting a building if its windows are left wide open.

All this goes to show that the issue of security must be tackled at a global level and must comprise the following elements:

  • Making users aware of security problems
  • Logical security, i.e. security at the data level, notably company data, applications and even operating systems
  • Telecommunications security: network technologies, company servers, access networks, etc.
  • Physical security, or the security of material infrastructures: secure rooms, places open to the public, company common areas, employee workstations, etc.

Implementing a Security Policy

IT system security is generally limited to guaranteeing the right to access a system's data and resources by setting up authentication and control mechanisms that ensure that the users of these resources only have the rights that were granted to them.

And yet security mechanisms can create difficulties for users. Instructions and rules often become increasingly complicated as networks grow. Thus, IT security must be studied in such a way that it does not prevent users from developing uses that they need and so that they can use information systems securely.

This is why one of the first steps a company must take is to define a security policy, which is implemented with the four following stages:

  • Identify the security needs and the IT risks that the company faces and their possible consequences
  • Outline the rules and procedures that must be implemented for the identified risks in the organisation's different departments
  • Monitor and detect the information system's vulnerabilities and keep informed of the flaws in the applications and materials being used
  • Define the actions to be taken and the individuals to contact in case a threat is detected

The security policy is all of the security rules that an organisation (in the general sense of the word) follows. Therefore, it must be defined by the management of the organisation in question because it affects all the system's users.

In this respect, it is not the job of the IT administrators to define user access rights but rather that of their superiors. An IT administrator's role is to ensure that IT resources and the access rights to these resources are in line with the security policy defined by the organisation.

Moreover, given that he or she is the only person who fully understands the system, he or she must give security information to the management, advise the decision makers on the strategies to be implemented, and be the entry point for communications intended for users about problems and security recommendations.

A company's IT security depends on employees (users) learning the rules through training and awareness-building sessions. However, security must go beyond employee knowledge and cover the following areas:

  • A physical and logical security mechanism that is adapted to the needs of the company and to employee use
  • A procedure for managing updates
  • A properly planned backup strategy
  • A post-incident recovery plan
  • An up-to-date documented system

The Causes of Insecurity

Insecurities are generally broken down into two categories:

  • An active state of insecurity, i.e. user ignorance of the system's functionalities, some of which can be harmful to the system (e.g. not deactivating network services that are not needed by users)
  • A passive state of insecurity, i.e. lack of knowledge of the security measures in place (e.g. when the administrator or user of a system does not know what security devices he or she has)


Last update on Thursday October 16, 2008 02:43:14 PM. This document entitled « Introduction to IT Security » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy and modify copies of this page, under the conditions stipulated by the licence, as long as this note appears clearly.