INTRODUCTION TO INFORMATION SYSTEMS
SUPdeCO - PCM - English Track, October 2008
Computer-Based Information Systems Security
Prof. Diana Mangalagiu, Management and Strategy Department

Concept of security
« The security of an information system is its non-vulnerability to accidents or deliberate attacks, that is the impossibility that those attacks have any serious impacts on the state and the operation of the system » (J. P. Magnier)
Why security is a hot topic
Security threats have increased sharply in the last 10 years, with virtually no aspect of life left untouched, leaving opportunities to impersonate, modify, delete, or simply make mistakes and wreak havoc, for example in:
- Financial transactions, e.g. credit card details
- Sensitive information, e.g. exam papers
- Downloaded programs, including applets
General definitions
Diagram: causes of vulnerability; disaster (French: un sinistre), i.e. an attack or a natural disaster; immediate and long-term effects. Source: P. Reix

Security guidelines: to handle security, it should be assessed using indicators including:
1 – Availability of information and functionalities
2 – Truthfulness of information
3 – Confidentiality of information
4 – Non-repudiation of communications
5 – Traceability of operations
Potential causes of the disaster make it essential to keep watch over the vulnerability of the system and thus over the risks it runs.
Causes of disasters
Category 1 – ACCIDENTS:
- Breakdowns and failures of core hardware and software
Category 2 – ERRORS:
- Errors of information input, transmission and use
- Errors of software design and development
Category 3 – ABUSES:
- Theft, material abuse
- Fraud, immaterial abuse
- Misappropriation of goods
- Software hacking
Category 4 – MISCELLANEOUS RISKS:
- Departure of specialized staff
Security planning
Policies for security:
1 – Material resource security
2 – Software security
3 – Application security
4 – General security steps
5 – Insurance
The idea that security is entirely handled by hardware- and software-related procedures is a dangerous utopia: these must be accompanied by organizational thinking as well as awareness and training of individuals.
Four cornerstones of security & trust: authentication, integrity & non-repudiation, confidentiality, authorisation
Authentication: the identities of all parties involved in an operation should be verified (including code sources)
Integrity: ensure that information has not been tampered with
Non-repudiation: one cannot deny being the sender of the information and/or that it has been received
Confidentiality: only the intended recipient can make sense of a message or of stored information
Authorisation: is the user allowed to perform these operations?
With unlimited resources, most forms of security can be broken
Cost of breaking should outweigh reward
Need to consider end-to-end security
A system is only as secure as its weakest part
E.g. encryption with a private key is usually good, but the weakness is often the storage of the private key
Common web scenarios and their security aspects
Scenario 1: online banking
Authentication: is this a valid user?
Authorisation: does this user have permission to access account information?
Confidentiality: is account information secure from attack?
… but must still be easy to use
Scenario 2: Downloading code
Authentication: does the code come from a trusted source?
Integrity: has the code been tampered with before or during downloading?
Authorisation: does the code have permission to carry out certain operations?
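The first two questions of Scenario 2, checked by a downloader, as an added Python example that is not part of the original slides. It assumes a constructed package format (code, SHA-256 digest, HMAC tag) and a key the publisher shares with its downloaders; both are invented for the example.

```python
import hashlib
import hmac

# Constructed sample data for this example: a small "downloaded program" and the
# key the publisher shares with its downloaders (invented, not a real secret).
PUBLISHER_KEY = b"constructed-publisher-key"
ORIGINAL_CODE = b"print('hello from the publisher')\n"

def publish(code: bytes, key: bytes) -> dict:
    """Publisher side: ship the code with a SHA-256 digest (integrity check)
    and an HMAC tag over the code (authentication of the source)."""
    return {
        "code": code,
        "sha256": hashlib.sha256(code).hexdigest(),
        "tag": hmac.new(key, code, hashlib.sha256).hexdigest(),
    }

def verify_download(pkg: dict, key: bytes) -> dict:
    """Downloader side: evaluate the two cornerstones separately, so a failure
    is attributed to the right question (tampered? untrusted source?)."""
    code = pkg["code"]
    digest = hashlib.sha256(code).hexdigest()
    tag = hmac.new(key, code, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking, through timing, how many bytes matched.
    return {
        "integrity": hmac.compare_digest(digest, pkg["sha256"]),
        "authentication": hmac.compare_digest(tag, pkg["tag"]),
    }

def modified_in_transit(pkg: dict, new_code: bytes, fix_digest: bool) -> dict:
    """Simulate a package altered during download. The digest is public, so
    whoever altered the code can recompute it; the tag needs the key they lack."""
    out = dict(pkg)
    out["code"] = new_code
    if fix_digest:
        out["sha256"] = hashlib.sha256(new_code).hexdigest()
    return out

def demo() -> dict:
    """The three cases the slide's two questions distinguish."""
    pkg = publish(ORIGINAL_CODE, PUBLISHER_KEY)
    altered = b"print('changed on the way down')\n"
    return {
        "genuine": verify_download(pkg, PUBLISHER_KEY),
        "altered": verify_download(modified_in_transit(pkg, altered, False), PUBLISHER_KEY),
        "altered_digest_fixed": verify_download(modified_in_transit(pkg, altered, True), PUBLISHER_KEY),
    }
```

A shared-key tag like this cannot give non-repudiation, since the downloader holds the same key and could have produced the tag itself; that needs an asymmetric digital signature, whose private key then becomes the component to protect, as the weakest-part point above warns.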
Scenario 3: online credit card transactions
Authentication: does the credit card belong to the customer? Is the merchant valid? Is the merchant bank valid?
Integrity: have any details been altered en route?
Non-repudiation: can any of the parties deny that any aspects of the transaction took place?
Confidentiality: should the merchant have access to credit card details? Should the bank have access to purchase details?