INTRODUCTION TO INFORMATION SYSTEMS
SUPdeCO - PCM - English Track, October 2008
Computer-Based Information Systems Security
PROF. DIANA MANGALAGIU, MANAGEMENT AND STRATEGY DEPARTMENT
Concept of security
« The security of an information system is its non-vulnerability to accidents or deliberate attacks, that is the impossibility that those attacks have any serious impacts on the state and the operation of the system »
J. P. Magnier
Why security is a hot topic
Security threats have increased sharply in the last 10 years, with virtually no aspect of life left untouched, leaving opportunities to impersonate, modify, delete, or simply make mistakes and wreak havoc:
- Financial transactions, e.g. credit card details
- Sensitive information, e.g. exam papers
- Downloaded programs, including applets
General definitions
(Figure: a disaster (French: un sinistre) arises when an attack or a natural disaster acts on the causes of vulnerability, and has immediate and long-term effects. Source: P. Reix)
Security guidelines:
To handle security, it should be assessed using indicators including:
1 –Availability of information and functionalities
2 –Truthfulness of information
3 – Confidentiality of information
4 – Non-repudiation of communications
5 – Traceability of operations
Potential causes of the disaster make it essential to keep watch over the vulnerability of the system and thus over the risks it runs.
General definitions
Causes of disasters
Category 1 – ACCIDENTS:
- Material risks
- Breakdowns and failures of core hardware and software
Category 2 – ERRORS:
- Errors of information input, transmission and use
- Operating errors
- Errors of software design and development
Category 3 – ABUSES:
- Theft, material abuse
- Fraud, immaterial abuse (misappropriation of goods, fraudulent statements)
- Software hacking
Category 4 – MISCELLANEOUS RISKS:
- Strike
- Departure of specialized staff
Security planning
Policies for security
1 – Material resource security
2 – Software security
3 – Application security
4 – General security steps
5 – Insurance
The idea that security is entirely handled by hardware- and software-related procedures is a dangerous utopia: it must come with organizational thinking as well as awareness and training of individuals.
Four cornerstones of security & trust
(Figure: authentication, integrity & non-repudiation, confidentiality, authorisation)
Authentication
The identities of all parties involved in an operation should be verified (including code sources).
Integrity
Ensure that information has not been tampered with.
Non-repudiation
A party cannot deny that it is the sender of the information and/or that the information has been received.
Confidentiality
Only the intended recipient can make sense of a message or of stored information.
Authorisation
Is the user allowed to perform these operations?
Security tradeoffs
With unlimited resources, most forms of security can be broken.
The cost of breaking should outweigh the reward.
Need to consider end-to-end security.
A system is only as secure as its weakest part, e.g. encryption with a private key is usually good, but the weakness is often the storage of the private key.
Common web scenarios and their security aspects
Scenario 1: online banking
Authentication: is this a valid user?
Authorisation: does this user have permission to access
account information?
Confidentiality: is account information secure from attack?
… but must still be easy to use
Scenario 2: Downloading code
Authentication: does the code come from a trusted source?
Integrity: has the code been tampered with before or during downloading?
Authorisation: does the code have permission to carry out certain operations?
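The cornerstones above (authentication, integrity, non-repudiation) and the "downloading code" scenario can be made concrete with a small check that a recipient runs before executing a downloaded program. This is an added example, not part of the lecture slides: it verifies integrity by comparing a SHA-256 digest with the one the publisher announced, and verifies the source with an HMAC tag computed under a key shared with the publisher. The artifact bytes, the digest, the tag and the key are all constructed here for illustration; the function names are the author's own.

```python
import hashlib
import hmac

# Constructed sample: a tiny "downloaded program" plus the values a publisher
# would ship alongside it (a digest on a web page, and an HMAC tag computed
# with a key agreed out-of-band). None of these values come from the slides.
PUBLISHED_ARTIFACT = b"print('hello from the vendor')\n"
SHARED_KEY = b"example-shared-key-agreed-out-of-band"  # hypothetical key


def sha256_hex(data: bytes) -> str:
    """Integrity: the digest changes if any byte of the artifact changes."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(data: bytes, key: bytes) -> str:
    """Source authentication: only a holder of `key` can produce this tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_integrity(data: bytes, published_digest: str) -> bool:
    """Does the downloaded artifact match the digest the publisher announced?"""
    # compare_digest is constant-time, so the comparison itself leaks nothing
    # about how many leading characters matched.
    return hmac.compare_digest(sha256_hex(data), published_digest)


def verify_source(data: bytes, tag: str, key: bytes) -> bool:
    """Was the tag produced by someone holding the shared key?"""
    return hmac.compare_digest(hmac_tag(data, key), tag)


def check_download(data: bytes, published_digest: str, tag: str, key: bytes) -> dict:
    """Run both checks before the code is allowed to execute (Scenario 2)."""
    integrity_ok = verify_integrity(data, published_digest)
    source_ok = verify_source(data, tag, key)
    return {
        "integrity": integrity_ok,
        "authenticated_source": source_ok,
        "safe_to_run": integrity_ok and source_ok,
    }


if __name__ == "__main__":
    digest = sha256_hex(PUBLISHED_ARTIFACT)
    tag = hmac_tag(PUBLISHED_ARTIFACT, SHARED_KEY)
    print("genuine :", check_download(PUBLISHED_ARTIFACT, digest, tag, SHARED_KEY))
    # A copy altered in transit fails both checks.
    tampered = PUBLISHED_ARTIFACT.replace(b"hello", b"changed")
    print("tampered:", check_download(tampered, digest, tag, SHARED_KEY))
```

Two caveats tie this back to the slides. A digest published on the same page as the download only gives integrity against accidental corruption: whoever can replace the file can usually replace the digest too, so the digest must come from a channel the downloader already trusts. And an HMAC gives authentication and integrity but not non-repudiation, because the verifier holds the same key and could have produced the tag itself; non-repudiation needs a digital signature, where only the signer holds the private key, which is exactly why the storage of that key becomes the weakest part.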
Scenario 3: online credit card transactions
Authentication: does the credit card belong to the customer? Is the merchant valid? Is the merchant bank valid?
Integrity: have any details been altered en route?
Non-repudiation: can any of the parties deny that any aspects of the transaction took place?
Confidentiality: should the merchant have access to credit card details? Should the bank have access to purchase details?