Financial Daily from THE HINDU group of publications
Friday, Jul 08, 2005

Info-Tech - Security


CIA is password to a security policy

Vinson Kurian

Thiruvananthapuram, July 7

THE acronym CIA might conjure up images of an operative gathering information on the sly, but it also doubles up as the password to security of stored data for the networked world.

Confidentiality, Integrity and Availability (CIA) are the cornerstones on which an ideal information security policy should rest, says Ms Neha Saran, Technical Consultant-Information Security at MIEL e-Security.

In a presentation organised here by the Kerala State Centre of the Institution of Engineers, she said `confidentiality' ensures that information is accessible only to those authorised to have access. `Integrity' is all about safeguarding the accuracy and completeness of information and processing methods.

`Availability' restricts access to information and associated assets, when required, to the authorised person. According to ISO/IEC 17799:2000, a recognised international standard, information is an asset, which like other important business assets, has value to an organisation and consequently needs to be suitably protected.

Classified information may pertain to a range of subjects such as intellectual property, business plans, customer details, financial records and confidential information.

E-mail fraud, auction site fraud and credit card fraud pose the main threats to information security these days. "For instance, in e-mail fraud, we have to contend with what are known as `phishing' and `pharming.' Phishing is the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise to scam the user into surrendering private information that will be used for illegitimate purposes.

Pharming exploits the vulnerability in the DNS server software, which is forced to translate the domain name to an IP address. Hackers are able to redirect traffic to a Web site to another illegitimate site."

In auction site fraud, the sites offer high value items to attract customers. Prospective buyers send money for the wares' features, but never receive them or, if at all they do, they have to settle for something far less valuable.

In credit card fraud, hackers resort to `skimming' in which magnetic stripe encoding is electronically copied from one card to another. This is used to clone the card for illegitimate purchases. Also, a skimmer device is installed at ATMs to read the stripe and key-logger. Even a spy camera is used to capture the PIN details from cards.

Then there are `phantom withdrawals' wherein the card is not stolen and the PIN is not shared, but unauthorised withdrawals continue to happen. These instances need to be immediately reported.

Security is not just a technology; it is a mindset, Ms Saran said. "Information security is a 24/7 battle. It needs to constantly evolve to face new threats. However, there is nothing such as 100 per cent security. Security is only as strong as its weakest link."

Striking a note of caution, she said e-mails are not reliable since they are mostly not encrypted. So much so that even the content, including the names of the sender and receiver, can be manipulated in transit. E-mail attachments can carry dangerous viruses/Trojans.

"Do not automatically trust every e-mail that you receive. Do not automatically click on the attachments. Use an official email ID for personal purposes because there is a chance you could be tracked. Include a scanned signature," Ms Saran said.

Automated hacking tools are constantly scanning the Internet for unprotected servers.


Copyright © 2005, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line