Information Technology and Security

Question: Develop an effective research plan considering context, research questions, sources, timeline, and larger implications for writing a formal research report; Also to practice working with the Research Proposal as an academic genre and to provide an opportunity for working on stylistics and effective academic discourse. Answer: 1 Introduction The aim of this report is to present a research proposal on the topic of Information Technology and Security. Today we live in a technological era. Every event of our lives are connected to and affected by technologies, especially information technologies. With the technical advancement of digital technologies and communication technologies, now information technology has become more than computers and internets. So the span of security in information technology has also expanded its span. (Andress, 2014) In the next sections of this report, it will discuss different facets of security in the context of information technology. 2 Why to Study Information Technology Security? We need to study information technology security to grow the awareness about the topic among us and making our lives secure from information security attacks, hackers, theft of information, privacy breaches etc. If we focus on the statistics of cybercrime, we can check how those are increasing day by day. Over the online platforms, through the mobile devices and in many information systems we share our personal and professional details every day. There are important details like credit card number, banking details etc. that are shared through internet also. For example sharing of banking details over online banking platforms. But these data are at high risks. There are several examples of hacking and stealing of the information of individuals, defence of country etc. (Bidgoli, 2006) Study on security in information technology will help to understand these issues in details, it will help to take precautions before sharing data over the Internet. However, it wont make our data over the online platforms fully secure but we can understand the risks and that may reduce the risks to some extent. 3 Definitions Information security or InfoSec is a practice that helps to build defense against unauthorized access, disclosure, inspection, modification, capture, disruption, perusal and destruction of information. The form of data may be physical or digital. (Bishop, 2003) IT security is a part of information security that is mostly focused on computer security and network security. When information security is applied to the information technologies then that is termed as IT security. These information technologies are mostly related to computers and networks. Currently, smartphones and other smart gadgets are also considered in this class. There are IT security specialists who secures information from attacks, thefts and other kind of unauthorized access. (Ciampa, 2011) When data is under some attack already, then it is needed to be assured that the information is not lost due to the attack. This is called information assurance process. There may be different kinds of attack on information like natural calamities to hacker attack, physical damage of storage etc. As data is stored in servers and computers in most of the cases. So, this topic also comes under information security. The possible attacks and risks that can harm data are called threats to the data. There are different kind of threats in information security domain. Some of the threat are, Software based attacks by hackers. Theft of data and intellectual property. Theft of identity of some individual or system. Sabotage Extortion of information. Theft of software Under software based attacks, there are different kind of attacks. Those are, worms, virus, Trojans etc. Under the theft of data and intellectual property type of attack there are issues related to ownership on information. Identity theft issue is related to masquerading some other persons identity to get access to data in an unauthorized way. Sabotage is related to intentional destruction of information belonging to others. Extortion is modifying some information by stealing it and then sending the modified one to the receiver. Theft of software is physical theft of software. 3.1 Sources of Information An attacker can target any kind of information. But generally they tends to target defense, government, financial institutional, universities, businesses etc. as these organizations contains tons of information about individuals and in almost all cases information are collected and stored electronically, transmitted over networks and internet. (Symantec Corporation, 2014) Protection of such information are responsibility of the organization that collects and stores the same. For an individual, loss of any personal information or misuse of any, may become fatal. It is a breach of their privacy. Information security deals with these areas, protecting information and right to that information. It secures information technology infrastructure, databases, networks, etc. 4 Principles of information security The three core principles of information security are, confidentiality, integrity and availability of information. These three are collectively called CIA triad. There are other principles like non-repudiation, atomicity etc. but these three are the basic. Any information technology infrastructure will be called secure if and only if it conforms to these three principles. (Bidgoli, 2006) 4.1 Confidentiality Confidentiality ensures that the data will be kept confidential. No person without proper access privilege will be able to access the information. 4.2 Integrity Integrity ensures, data will be stored in correct format and form. There will be no unauthorized modification to the data. In the context of information security, integrity of data refers to the manitance of the data in a way that the consistency and accuracy of the data will be maintained. Data will not be modified by any kind of unauthorized access. (Bishop, 2003) 4.3 Availability Availability ensures data will be available to the right users always. There will be no interrupt in this case. At the same time data will not be available to the unauthorized or unintended users. Usually some information system or computer will process some kind of data and will store the same. The information security controls must be designed in a ways that those will be able to protect data from unauthorized access at the same time, will be able to differentiate authorized accesses and will make data available to the authorized users. (David Solomon, 2010) A system can be unavailable for various reasons. For example, there may be power failure like issues, also there may be security attacks like denial of services etc. 4.4 Non-repudiation It ensures that no communicating party will be able to deny the instance of communication in future. Cryptography based systems are used to ensure non-repudiation. 4.5 Authenticity It ensures the authorization process. When entered in a system, it checks whether the data is from authentic source of not. This is mostly related to ecommerce and ebusiness platforms. Where confirmation of the transactions and sharing of data are needed to be authenticated about their genuineness. There are technologies and methods like digital signatures to ensure authenticity. 5 Defenses Information security defenses can be of the following types. 5.1 Access controls Setting and implementing access controls ensures security from unauthorized access to some degree. A risk assessment should be done before implementing access control on data. The access controls help in implementation of access to protect sensitive information. There are typically three stages in the access control implantation method. Those are, identification, authentication and authorization. (Benantar, 2006) In the first step, identification helps in ascertaining that who the person who want access to the information is. A typical example is asking about the userid during login process. Then, in the second step authentication process helps to verify the claim in the identification step. For example, if someone has provided his identification as John to the system, the system will check whether the person is john or not. For that purpose, it may ask for password that is supposed to be known by John only. There are other authentication mechanisms like biometrics etc. however, no process is beyond risks and attacks. In the final and third step, the system will authenticate whether the information collected from previous two steps are authentic or not and then it will give permission for access to the information. For example, if the person John has only READ access right to a piece of data , and John has asked permission for WRITE access then the system will reject the request even if the userid and password are correctly supplied. There are different kind of access control mechanisms like mandatory, discretionary etc. 5.2 Cryptography Cryptography is a very useful defense mechanism in information security. Cryptography helps in changing the form of information so that the original information is hidden. The scrambled information will be understandable to the intended user only. So if anyone else receive the information who is not intended user, then the information will not be readable to them. The process of changing a piece of information based on some key is called encryption. The reverse is called decryption. The changed form of information is called cipher text. (William, 2008) Cryptography has a wide range of security algorithms. Information systems can implement those algorithms to implement security features like authentication, non-repudiation etc. 5.3 Software like Antivirus, Firewall There are wide range of antivirus software for dealing with virus issues in computers. These also ensures information security by protecting data from potential damages by viruses. There are systems and software like firewall, IDS etc. that helps in detecting unauthorized access from network to a system. (David Solomon, 2010) 5.4 Awareness and Best practices Implementation of security controls is not enough to ensure information security if the users are not aware of the risks and the consequences. So, the first thing is to increase awareness among the users. Then making them aware of the best practices to avoid risks of security attacks to some degree. 6 Future Research IT security and information security is a vast topic. There are number of sub topics to work on in future. There are enough case studies to uncover reasons behind security attacks over time, also there are scopes to implement new protocols or standards for ensuring security. In future, based on literature and case studies, the IT security will be explored in details. Data for the research on IT security will be collected from different case studies, literatures papers, journals, surveys, statistics etc. available from Internet. 7 Conclusion In the research proposal on IT security, it has described the term from the broader perspective of information security. It will help to understand the role and significance of IT security in the span of information security. In the proposal, it has discussed about basic security principles for information security, different kind of attacks, different kind of defenses, future scope of research etc. References Andress, J. (2014). The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice. Syngress. Beachboard, J., Cole, A., Mellor, M., Hernandez, S., Aytes, K. (2008). Improving Information Security Risk Analysis Practices for Small- and Medium-Sized Enterprises: A Research Agenda. Florida. Benantar, M. (2006). Access Control Systems: Security, Identity Management and Trust Models. Springer. Bidgoli, H. (2006). Handbook of Information Security, Key Concepts, Infrastructure, Standards, and Protocols . John Wiley and Sons. Bishop, M. (2003). Computer Security: Art and Science. Addison-Wesley Professional. Bosworth, S., Kabay, M. E. (2002). Computer Security Handbook. John Wiley Sons. Ciampa, M. (2011). Security+ Guide to Network Security Fundamentals. Cengage Learning.K., Solomon, M. (2010). Fundamentals of Information Systems Security. Jones Bartlett Learning. Symantec Corporation. (2014). Internet Security Threat Report 2014. Symantec Corporation. Vacca, J. R. (2012). Computer and Information Security Handbook. Newnes. Whitman, M., Mattord, H. (2011). Principles of Information Security. Cengage Learning. William, S. (2008). Computer Security: Principles and Practice. Pearson . Xiao, Y., Li, F. H., Chen, H. (2011). Handbook of Security and Networks. World Scientific.