Network Based Security Information System For Shell Petroleum Company


Abstract

The purpose of this study is to provide a network-based security information system (NBSIS) and interactive package that will accurately and efficiently record all data and information about business operation and management. This study covers Shell Petroleum Company and the operations and activities it carries out in terms of information sharing, data sharing, and business operations. A new, functionally content-rich software architecture model of an NBSIS is developed, presented, implemented and discussed. The software functions appear to be working according to specification, and behavioural and performance requirements appear to have been met; the system is also intended to prevent several kinds of attacks and to protect against the mentioned types of vulnerabilities, threats and attacks on the network.

Chapter One

1.0 Introduction

In today's climate of information security threats, the main tool businesses use to protect their internal networks is the firewall. A firewall is a hardware and software system that allows only external users with specific characteristics to access a protected network. While firewalls are indispensable for keeping people out of the network, today's focus on e-business applications is more about letting the right people inside your network. Network security can be defined as the protection of networks and their services from unauthorized modification, destruction, or discovery, together with the guarantee that the network performs in critical situations and has no harmful effects for either users or employees. The International Telecommunication Union (ITU), the International Information Processing (IFIP) and the World background Organization (WCO) are all working to develop standards related to electronic commerce. DES was the result of a research project set up by International Business Machines (IBM) Corporation in the late 1960s, which resulted in a cipher known as LUCIFER.

In the early 1970s it was decided to commercialise LUCIFER, and a number of important changes were introduced. Encryption technology for network security implements information encryption and transmission on the network by using the DES algorithm. Information security strategies deal with two issues: protecting the integrity of the business network and its internal systems. In the field of Information Technology (IT) security, information technologies represent merely a component of information systems. A security setting can be defined as an organized framework consisting of concepts, beliefs, principles, policies, procedures, techniques, and measures that are required in order to protect the individual system property, as well as the system as a whole, against any intentional or unplanned threat.

1.1 Background of Study

An information system occupies a vital and unique position in any organization by virtue of the data and information it contains. Security of information is of great importance to any given organization; it makes the information reliable, since stored information can be referenced whenever necessary without access by unauthorized persons.

This project analyses the activities and importance of securing information in any organization, and seeks to ensure that the information is accurately maintained to help management in decision making and control of the diverse activities of the organization.

The Shell Petroleum Company is one of the Nigerian petroleum supplying companies and, as a result, keeps records of vital information given to it by clients so as to enable it to make supplies and sales.

Therefore, for effective administration and management, the provision of network based security information system for every source of data is certainly inevitable, since it will take care of all the problems and inadequacies of the manual system.

Security plays a very important role in information. Most security initiatives are defensive strategies aimed at protecting the network base and the collection of information and data, including the exchange of data (such as electronic data interchange and e-mail), access to data (shared databases, electronic bulletin boards), and automatic data capture (bar codes). Since an information and network data security system has five interrelated and interacting components (people, software, hardware, procedures and data), one comes to the conclusion that security systems are (and should be looked upon as) information systems, comprising a technological communications and an organizational framework, rather than pure technological infrastructure.

Security harms of TCP/IP: TCP/IP, which is the main protocol used by the Internet, has good interconnection behaviour, is independent of the underlying network technology, supports many other application protocols, and so on.

Based on the result of the risk analysis, a security policy is created. It consists of two parts:

1) General security policy: the description of its processes and organization, security policy objectives, security infrastructure, identification of assets, confidential data and general threats, description of present status, description of security measures, and contingency plans.

2) System security policy: it defines the implementation of the security policy in a specific system of a company.

With security mechanisms based on the security policy in place, it is important to monitor their actual functionality.

Internet security methods:

1) Physical Internet security.

2) Encryption techniques: information that is being transported or stored on the network can be encrypted in order to prevent theft by a third party. Encryption is the most common method of ensuring confidentiality.

3) Virtual private network (VPN) technology: VPN technology uses the variable public network as the transmission medium for information and, through additional security tunnels, user authentication and access control technology, achieves security similar to that of a private network.

4) Data encryption technology: data encryption re-encodes the information in order to hide its content, so that unauthorized users cannot obtain it. It is an important security measure in e-commerce.

5) Firewall techniques: firewall technology is a secure access control technology. The basic types are mainly application gateways, circuit-level gateways, firewalls based on packet filtering, and firewalls based on stateful inspection (all-state checking). Firewall technology is used in an insecure public network environment to accomplish local network security. Firewalls should be a small part of the business security infrastructure.

6) Strengthening the prevention and treatment of viruses: viruses are the most visible threat to client systems. Set up client-level protection, web access protection, e-mail server-level protection, and file and application server-level protection. Setting all system files and executable files to read-only is useful for protecting important files. Restricting the use of floppy disks from uncertain sources, as well as pirated software, is significant for cutting the spread path of viruses. The e-mails should be kept unread, and the same applies to their attachments. The multiple privilege access schemes present in Unix, VMS and other multi-user operating systems prevent a virus from damaging the entire system; it will only damage a specific user's files. Some concern should also be given to the insecurity of the system itself, which needs updating from the realty-explorer regularly. If the system is found to be infected during checking, corresponding methods should be carried out to clear the viruses from the network.
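The difference between the packet-filtering and stateful-inspection firewall types named under "Firewall techniques" above can be seen in a small simulation. This is an added example, not code from the original study; the address ranges, the single-port policy and all class and function names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/24")   # constructed internal range (assumption)
ALLOWED_PORT = 443                   # constructed policy: outbound HTTPS only

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags: "S" SYN, "SA" SYN+ACK, "A" ACK, "FA" FIN+ACK

def inside(addr: str) -> bool:
    return ip_address(addr) in INSIDE

def packet_filter(p: Packet) -> bool:
    """Stateless filtering: each packet is judged on its own header fields."""
    if inside(p.src) and not inside(p.dst):
        return p.dport == ALLOWED_PORT
    # Inbound: the usual stateless approximation of "reply traffic" is
    # "comes from the allowed port and has the ACK flag set".
    return inside(p.dst) and p.sport == ALLOWED_PORT and "A" in p.flags

class StatefulFirewall:
    """Stateful inspection: inbound packets must match a tracked connection."""
    def __init__(self):
        self.connections = set()   # (inside ip, inside port, outside ip, outside port)

    def allow(self, p: Packet) -> bool:
        if inside(p.src) and not inside(p.dst):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.dport != ALLOWED_PORT:
                return False
            if p.flags == "S":                  # new outbound connection
                self.connections.add(key)
                return True
            known = key in self.connections
            if "F" in p.flags or "R" in p.flags:
                self.connections.discard(key)   # connection torn down
            return known
        key = (p.dst, p.dport, p.src, p.sport)
        return inside(p.dst) and key in self.connections

# Constructed sample traffic (192.0.2.0/24 is a documentation range).
SESSION = [
    Packet("10.0.0.5", 50000, "192.0.2.10", 443, "S"),
    Packet("192.0.2.10", 443, "10.0.0.5", 50000, "SA"),
    Packet("10.0.0.5", 50000, "192.0.2.10", 443, "A"),
]
UNSOLICITED = Packet("192.0.2.99", 443, "10.0.0.7", 51000, "A")

def compare():
    """Return (packet, stateless verdict, stateful verdict) for each packet."""
    fw = StatefulFirewall()
    return [(p, packet_filter(p), fw.allow(p)) for p in SESSION + [UNSOLICITED]]

if __name__ == "__main__":
    for p, stateless, stateful in compare():
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] "
              f"packet filter={stateless} stateful={stateful}")
```

The legitimate session passes both firewalls, while the unsolicited inbound packet is accepted by the stateless filter and dropped by the stateful one because no internal host opened that connection.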

1.2 Statement of the Problem

In spite of the level of computerization of various organizations, the particular organization under discussion is still at the grass-roots level. It requires a certain degree of protection, especially of vital equipment, properties and information, and this cannot be realized through the current system of operation, which is the manual system.

1.3 Purpose of the Study

The purpose of this study is to provide a network based, security information system and interactive package that will accurately and efficiently record all data and information about business operation and management.

It will also eradicate the numerous problems associated with the manual technique of securing information, in order to facilitate the transfer and retrieval of information between the various departments of the organization.

1.4 Aims and Objectives

Having studied the activities of the police station, some benefits could be derived from the computerization of the information system. These include:

Higher session of communication channels, to encompass formal and informal components.

To provide storage security efficiency of information

Quicker access to individual data

Faster treatment of information security oriented cases.

Provision of output information in a readily comprehensible form to those persons involved in the activities of the organization. Provide facilities for data not immediately required or that may be required to be used more than once.

 

1.5 The Scope of the Study

This study will cover Shell Petroleum Company and the operations and activities it carries out in terms of information sharing and data. The scope is also centered on eradicating the numerous problems associated with the manual technique of securing information, in order to facilitate the retrieval of information.

1.6 Limitations

A lot of militating constraints were encountered during the course of this write-up. They are:

Inaccessibility of some documents, which arose due to the security imposed on some of the organization's documents by the management. It was also not possible to make an in-depth study of these documents, which would have helped in the development of the project work.

Time was a major limitation to this write-up; there wasn't enough time to study the details of the various fields of the information department of the organization. Textbooks needed for this write-up were not available in the institution library.

1.7 Assumptions

For easy implementation of this study, some assumptions were made.

It is assumed that the software to be designed for the study will help Shell Petroleum in effective service delivery.

Finally, it is also assumed that by computerizing this organization, information security has been implemented to handle their day to day cases in a better and more organized manner.

1.8 Definition of Terms

QBasic

The programming language used in designing the project program.

Modules

This is the act of partitioning software logically into elements that perform specific functions and sub-functions.

On-line Processing

This is a method of processing that provides direct access to information files used by users and so enables updating.

Operations

The action carried out on an activity or process.

Crime Record Sheet

This contains pertinent information on staff and services as input to the computer system via the standard input device, the keyboard.

Data Entry

This is the standard input device through which the system gets most of the instructions and commands.

Old File

This contains previous information on the staff and crime record and is updated each time an operation is carried out.

Display Unit

An output device where the system displays most outputs on request.

New File

This is an update of the old file and is stored on line in the system hard disk or a floppy diskette.

Storage Unit

This is where files are stored and retrieved when needed; it could be the hard disk, floppy disk, drums, etc.

Processing Unit

This is where all data are processed and commands from the user carried out.

Password

This is employed to restrict unauthorized access to information contained in the system; in other words, it is a security check technique.

Witness

This is a person who was actually present at an event and should for this reason be able to describe it.

Accused

This is a person who has done wrong by breaking the law.

Information or Informers

This is a person who detects offenders and informs the authorities of their offences.

Suspect

This is when one has a feeling that someone is guilty.

Search Warrant

This is an official authority given to policemen when it is necessary to enter and search a building for any stolen property.

Exhibit

This is a document produced in a law court and referred to in evidence.

Conviction

This is the act of convicting a person for crime.

Authentication

The process of confirming the correctness of the claimed identity.

Authenticity

The validity and conformance of the original information.

Computer Network

A collection of host computers together with the sub-network or inter-network through which they can exchange data.

Confidentiality

The need to ensure that information is disclosed only to those who are authorized to view it.

Cost Benefit Analysis

A comparison of the cost of implementing countermeasures with the value of the reduced risk.

Cryptography

The process of garbling a message in such a way that anyone who intercepts the message cannot understand it.

Data Custodian

The entity currently using or manipulating the data, and therefore, temporarily taking responsibility for the data.

Data Owner

The entity having responsibility and authority for the data.

Defense In-Depth

The approach of using multiple layers of security to guard against failure of a single security component.

Denial of Service

The prevention of authorized access to a system resource or the delaying of system operations and functions.

Dictionary Attack

An attack that tries all of the phrases or words in a dictionary, trying to crack a password or key. A dictionary attack uses a predefined list of words compared to a brute force attack that tries all possible combinations.

Digital Signature

A hash of a message that uniquely identifies the sender of the message and proves the message has not changed since transmission.

Domain

1) A sphere of knowledge, or a collection of facts about some program entities, or 2) a number of network points or addresses, identified by a name. On the Internet, a domain consists of a set of network addresses. In the Internet's domain name system, a domain is a name with which name server records are associated that describe subdomains or hosts. In Windows NT and Windows 2000, a domain is a collection of computers on a network that share a common user database and security policy. A domain is administered as a unit with common rules and procedures by the domain administrator. The user need only log in to the domain to gain access to the resources, which may be located on a number of different servers in the network.

Domain Name

A domain name locates an organization or other entity on the Internet. For example, the domain name “www.sans.org” locates an Internet address for “sans.org” at Internet point 199.0.0.2 and a particular host server named “www”. The “org” part of the domain name reflects the purpose of the organization or entity (in this example, “organization”) and is called the top-level domain name. The “sans” part of the domain name defines the organization or entity and together with the top-level is called the second-level domain name.

Domain Name System (DNS)

The way that Internet domain names are located and translated into Internet Protocol addresses. A domain name is a meaningful and easy-to-remember “handle” for an Internet address.

Due Diligence

The requirement that organizations must develop and deploy a protection plan to prevent fraud and abuse, and additionally deploy a means to detect them if they occur.

Encryption

Cryptographic transformation of data (called “plaintext”) into a form (called “cipher text”) that conceals the data’s original meaning to prevent it from being known or used.

Firewall

A network security device that ensures that all communications attempting to cross it meet an organization’s security policy. Firewalls track and control communications, deciding whether to allow, reject or encrypt communications.

Hardening

The process of identifying and fixing vulnerabilities on a computer system.

Hijack Attack

A form of active wiretapping in which the attacker seizes control of a previously established communication association.

Honey Pot

Programs that simulate one or more network services that you designate on your computer’s ports. A honey pot can be used to log access attempts to those ports including the attacker’s keystrokes. This could give you advanced warning of a more concerted attack.

Incident

An adverse network event in an information system or network, or the threat of the occurrence of such an event.

Incident Handling

An action plan for dealing with intrusions, cyber-theft, denial of service, fire, floods, and other security-related events. It is comprised of a six-step process: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

Integrity

The need to ensure that information has not been changed accidentally or deliberately, and that it is accurate and complete.

Intrusion Detection System (IDS)

A security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).

Least Privilege

The principle of allowing users or applications the least amount of permissions necessary to perform their intended function.

Network Address Translation (NAT)

The translation of an Internet Protocol address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside.

Penetration

Gaining unauthorized logical access to sensitive data by circumventing a system’s protections.

Port

The endpoint of a communication stream, identified by a number. Only one process per machine can listen on the same port number.

Proxy

A server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service.

Security Policy

A set of rules and practices that specify or regulate how and why a system or organization provides security services to protect sensitive and critical system resources.

Vulnerability

A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.

Chapter Two
