Class4 Security
  • Bouygues Télécom: its IT outage of 17/11/2004 cost it 16 million euros. SNCF: 1000 terminals paralysed in July 2004. According to Microsoft, 2.4 billion working hours in companies, which in France is equivalent to €20 per hour × 15 million people = 1.8 billion euros in losses.

Class4 Security Presentation Transcript

  • Introduction to Information Systems, SUPdeCO - PCM - English Track, October 2008. Computer-Based Information Systems Security. Prof. Diana Mangalagiu, Management and Strategy Department
  • Concept of security: « The security of an information system is its non-vulnerability to accidents or deliberate attacks, that is, the impossibility that those attacks have any serious impact on the state and the operation of the system » (J. P. Magnier)
  • Why security is a hot topic
    • Security threats have increased sharply in the last 10 years, with virtually no aspect of life left untouched, leaving opportunities to impersonate, modify, delete, or simply make mistakes and wreak havoc:
      • Financial transactions e.g. credit card details
      • Sensitive information e.g. exam papers
      • Downloaded programs, including applets
  • General definitions. Disaster (un sinistre): causes of vulnerability lead to an attack or a natural disaster, which has immediate and long-term effects. Source: P. Reix
  • General definitions: security guidelines. To handle security, it should be assessed using indicators including:
    • 1 – Availability of information and functionalities
    • 2 – Truthfulness of information
    • 3 – Confidentiality of information
    • 4 – Non-repudiation of communications
    • 5 – Traceability of operations
    Potential causes of disaster make it essential to keep watch over the vulnerability of the system and thus over the risks it runs.
  • Causes of disasters
    • Category 1 – ACCIDENTS:
      • Material risks
      • Breakdowns and failures of core hardware and software
    • Category 2 – ERRORS:
      • Errors of information input, transmission and use
      • Operating errors
      • Errors of software design and development
    • Category 3 – ABUSES:
      • Theft, material abuse
      • Fraud, immaterial abuse
      • Misappropriation of goods
      • Fraudulent statements
      • Software hacking
    • Category 4 – MISCELLANEOUS RISKS:
      • Strike
      • Departure of specialized staff
  • Security planning: policies for security
    • 1 – Material resource security
    • 2 – Software security
    • 3 – Application security
    • 4 – General security steps
    • 5 – Insurance
    The idea that security is entirely handled by hardware- and software-related procedures is a dangerous utopia; it must come with organizational thinking as well as awareness and training of individuals.
  • Four cornerstones of security & trust: authentication, integrity & non-repudiation, confidentiality, authorisation
  • Authentication
    • The identities of all parties involved in an operation should be verified (including code sources)
  • Integrity
    • Ensure that information has not been tampered with
  • Non-repudiation
    • Cannot deny that one is the sender of the info and/or that it has been received
  • Confidentiality
    • Only the intended recipient can make sense of a message or stored information
  • Authorisation
    • Is the user allowed to perform these operations?
  • Security tradeoffs
    • With unlimited resources, most forms of security can be broken
    • Cost of breaking should outweigh reward
    • Need to consider end-to-end security
    • A system is only as secure as its weakest part
      • E.g. encryption with a private key is usually good, but the weakness is often the storage of the private key
  • Common web scenarios and their security aspects
  • Scenario 1: online banking
    • Authentication: is this a valid user?
    • Authorisation: does this user have permission to access account information?
    • Confidentiality: is account information secure from attack?
    • … but must still be easy to use
  • Scenario 2: Downloading code
    • Authentication: does the code come from a trusted source?
    • Integrity: has the code been tampered with before or during downloading?
    • Authorisation: does the code have permission to carry out certain operations?
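As an added example (not part of the original slides), the first two Scenario 2 questions in Python: a plain digest answers the integrity question, while a keyed tag over that digest answers the authentication question, and the download is trusted only when both pass. The publisher key, the code bytes and the manifests are constructed here, and an HMAC stands in for the publisher's signature so the example needs only the standard library.

```python
import hashlib
import hmac

# Constructed sample values (not from the slides). A shared-secret HMAC stands
# in for the publisher's signature so the example runs with the standard library.
PUBLISHER_KEY = b"hypothetical-publisher-key"
ORIGINAL = b"print('hello from the publisher')\n"
TAMPERED = b"print('hello from someone else')\n"


def make_manifest(code: bytes, key: bytes) -> dict:
    """Publisher side: publish the code digest plus a keyed tag over that digest."""
    digest = hashlib.sha256(code).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "tag": tag}


def unsigned_manifest(code: bytes) -> dict:
    """A manifest rewritten without the publisher key: correct digest, no valid tag."""
    return {"sha256": hashlib.sha256(code).hexdigest(), "tag": "00" * 32}


def check_integrity(code: bytes, manifest: dict) -> bool:
    """Integrity question: does the download match the digest in the manifest?
    Alone this catches corruption, but not a manifest rewritten alongside the code."""
    return hmac.compare_digest(hashlib.sha256(code).hexdigest(), manifest["sha256"])


def check_authenticity(manifest: dict, key: bytes) -> bool:
    """Authentication question: was the manifest produced by the key holder?"""
    expected = hmac.new(key, manifest["sha256"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def safe_to_run(code: bytes, manifest: dict, key: bytes) -> bool:
    """Both properties must hold before the downloaded code is trusted."""
    return check_authenticity(manifest, key) and check_integrity(code, manifest)


GENUINE = make_manifest(ORIGINAL, PUBLISHER_KEY)
UNSIGNED = unsigned_manifest(TAMPERED)

if __name__ == "__main__":
    print("original + genuine manifest:", safe_to_run(ORIGINAL, GENUINE, PUBLISHER_KEY))
    print("tampered + genuine manifest:", safe_to_run(TAMPERED, GENUINE, PUBLISHER_KEY))
    print("tampered + unsigned manifest: integrity", check_integrity(TAMPERED, UNSIGNED),
          "authenticity", check_authenticity(UNSIGNED, PUBLISHER_KEY))
```

The third case is the point of the slide: the digest matches, so an integrity-only check would accept the code, and only the authentication check rejects it.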
  • Scenario 3: online credit card transactions
    • Authentication: does the credit card belong to the customer? Is the merchant valid? Is the merchant bank valid?
    • Integrity: have any details been altered en route?
    • Non-repudiation: can any of the parties deny that any aspects of the transaction took place?
    • Confidentiality: should the merchant have access to credit card details? Should the bank have access to purchase details?