
1

Information Security
What it Means to Us
Why talk about this at all?
How does it affect me?
What can I do about it?
Information Security What it Means to Us
2
Scope
Information Security Overview
Cyber Security Safe Practices
Network Security A Primer
Cryptography & PKI A Primer
3
Information Security
Overview
Information Technology, while improving efficiency and
speed and seemingly solving all our problems like the
proverbial silver bullet, comes at a price. It increases
vulnerability: the more the use of IT, the more the
vulnerability. In an age where information is power,
vulnerability in this domain could be catastrophic.
4
Information Security
Classical Definitions
Availability (of service/ data): Network Security
Confidentiality (of data): Ciphers (Block & Stream)
Integrity (of data): Hash Functions
Authenticity (Identification of Entity, Message & Key): Digital Signature, PKI
Non-Repudiation (of Entity): Digital Signature, PKI
Controls (to infrastructure & data): Physical, Administrative, Logical
The Problem is not Technology, but Acceptability,
Awareness & Implementation (Change Management)
5
Information Assurance
Classical Definitions
Information Security (Technical)
Information Assurance (Managerial)
Legal (fraud, accounting, forensics, )
Organisational (HR risk & profiling)
Education & Certification
Risk Assessment & Audit
Business Continuity
Archiving & Disaster Recovery

6
Information Security
Technical Implications
Open Systems Interconnect Model (1974)
APPLICATION: Communication between Applications. Unit: DATA
PRESENTATION: Presents data in an acceptable form. Adds Presentation Header: DATA PH
SESSION: Establishes a connection. Adds Session Header: DATA PH SH
TRANSPORT: Controls Data Flow (ACK & Re-transmit). Adds Transport Header: DATA PH SH TH
NETWORK: Adds network address. Adds Network Header: DATA PH SH TH NH
DATA LINK: Adds MAC address. Adds Data Link Header: DATA PH SH TH NH DLH
PHYSICAL: Transmits the data on the medium. Unit: Bits
Security controls shown against the layers: BEU; Firewall/ IDS/ IPS/ IPSec; VPN/ SSL; App Crypto/ Anti Virus
Standard Protocols
7
Information Security
International Organisation for Standardisation (ISO)
ISO-15443 (IT Security Techniques Framework for Info Assurance)
ISO-17799 (IT Security Techniques Info Sec Management Practice)
ISO-20000 (IT Service Management)
ISO-27001 (IT Security Techniques Info Sec Management Systems)
FIPS (from NIST)
Internet Standards
IETF (Internet Engineering Task Force)
IAB (Internet Architecture Board)
Information Security Forum Standard of Good Practice
SEI (Carnegie Mellon University) Governing for Enterprise
Security (GES)
Standards
8
What Can (And Does!) Go Wrong
Organisations must remember not to expend all their energies on repelling the 'wily
hacker', at the expense of ignoring all those people who every day log on to your
systems. All evidence suggests that the insider remains the real threat
ROBERT TEMPLE (HEAD OF IT SECURITY, BRITISH TELECOM)
9
Information Security Imperatives
Cryptology
Computationally secure algorithms Role, Survivability, Secrecy,
Availability, Interoperability
Cryptanalysis
Key Design & Management
Standards, Common Criteria
Identification, Authentication & Access Control
Network protection
Firewalls & Intrusion Detection/ Prevention
Network Vulnerability & Penetration Testing Tools
LAN security & configuration monitoring systems
10
Information Security Imperatives
Technology
Hardware Network Components, Storage etc
Software Operating Systems, System Software & Firmware
Embedded systems
Protocols, APIs
Open Source Software
Digital Rights Management
Viruses, Spyware & Malware
Information Infrastructure
Public Key Infrastructure (PKI)
Disaster Management
11
Information Security Imperatives
Vulnerability & Susceptibility (Side Channel Attacks)
Human Engineering
Power Analysis
Electrical Probing
Electromagnetic Probing
Interoperability & Standards
Legal Issues The Big Brother syndrome
12
Information Security
Physical Security
Cyber Security
Network Security
Cryptography & Public Key Infrastructure
Areas of Concern
13
Cyber Security
Safe Practices
14
Information Security Awareness
Importance of Cyber Security
Computer Ethics
Safe Practices
Mobile Security
Data Security
Physical Security
Scope
15
Needs to be addressed at all levels
Individual (all ages)
Organisations
Government
Nation
Various facets
Cyber Security (Internet)
Mobile Security
Data Security
Physical Security
Information Security
16
Users (Individuals)
Identity Theft
Sensitive Data
Organisations
Financial Information
Sensitive & Critical Data
Denial of Service
What needs to be tackled
Administrative Practices
Software vulnerabilities
Information Assurance & Security
Cyber Security
17
Set of moral principles
Acceptable behaviour of computer users
Usage of computers
Copyright & IPR (legal right of owner)
Ethical Rules
Do not harm others
Do not steal information or access information
without permission
Respect Copyright laws
Respect privacy of individuals and organisations
Complain about illegal activities
Computer Ethics
18
Operating System Security
Password Policies
Internet Browser Security
E-Mail Security
Viruses & Spyware
Identity Theft
Downloading Guidelines
Safe Practices
19
What is an Operating System?
Complex
Vulnerable
For Individual Users
Screen saver password (+ CMOS & OS password)
File Sharing
Firewall
Delete software & OS features not used
Disable Guest Account
Update latest patches (esp. Linux)
Backup (regularly get paranoid!) Win Utils
USE LINUX
Safe Practices
Operating System Security
20
For Organisations
Check all software (incl. patches) on a stand alone
system before installing on network
User to be provided with the least privileges (that allow
her to work)
User Accounts should set passwords according to
Security Policy (Win & Linux)
Services and Security Policy should be reviewed daily
For Windows use NTFS (rather than FAT32) Safer
Set all client machines to NOT display the previously
logged in user.
USE LINUX
Safe Practices
Operating System Security
21
Importance of a password
Identity
Authorization
Good Passwords (difficult to guess)
Minimum 8 characters (letters, numbers &
symbols)
Non-dictionary
Not linked to personal information
Easy to remember (should not be written down)
Not used earlier
Safe Practices
Password Policies
22
DOs & DON'Ts
Ensure you use a STRONG password.
Take care that no one can see you enter the
password.
Never tell any one (not even the system
administrator).
Never write a password down. Remember it.
Change the password regularly.
Store passwords on the computer encrypted.
Th!5iS@g0odP4s5wD (This is a good
password)
Jamres123 is a bad password
Safe Practices
Password Policies
23
Browsers (Internet Explorer or Mozilla Firefox)
are the primary interface with the internet.
Block Pop-ups
Trusted & Untrusted Web Sites
Privacy settings
Cookies (files that store user related information used
by web sites to load faster)
Files
History
Content
Java Script Control (active controls)
Safe Practices
Internet Browser Security
24
Update OS and Browser (latest patches/ version)
Anti Virus & Anti Spyware
Display file extensions
Only trusted sites
No personal information to be given (https://)
Firewall ON always
Disconnect/ switch off modem when not in use.
Safe Practices
Internet Browser Security Guidelines
25
Phishing
Tricks you into clicking on a link that redirects you to a
malicious site or injects malware
Do not click on a link that comes in an e-mail. Go directly to the
site by typing the address
Hoaxes
Spreading of rumours or falsehoods
Information on internet is NOT all TRUE or CORRECT
Trojans
Malicious code that is hidden along with other files
Collects passwords, keyboard strokes, Credit Card info and
sends it out on the net
Safe Practices
Internet Browser Security Guidelines
26
All mail is scanned. (NSA Echelon)
All mail is backed up (even after you delete it!)
There is NO Privacy unless encrypted and even then

Mail goes through a number of servers at each of
which there is a possibility of hacking
Spam (unsolicited mail from strangers who have
obtained e-mail id surreptitiously)
Divulging e-mail id in malls (surveys, discounts)
Safe Practices
E-Mail Security Threats
27
Encrypt using PGP
Filter out Spam. DELETE
Do not open mail from strangers. DELETE
Scan all attachments for virus
Do not send messages with attachments that contain
executable code. Use Rich Text Format instead of the
standard .DOC format.
Avoid sending personal information/ filling forms.
Do not click on links in the e-mail.
Do not open e-mails that offer FREE gifts or money
No Chain Mails
Safe Practices
E-Mail Security Guidelines
28
Virus (started with DOS)
Captures an interrupt & Terminate but Stay Resident (TSR)
Self Replicating
Malicious - Causes Damage
Keep Anti Virus up-to-date
Anti-Virus Configuration
Macro protection enabled
Disable option for code to execute directly on Mail Clients
Scan
All files coming in
Your computer everyday
Use Genuine Anti-Virus AVG, QH, Bit-Def, NAV, Kasp,
McAfee etc
Safe Practices
Viruses
29
Spyware
Captures an interrupt & Terminate but Stay Resident (TSR)
Self Replicating
Malicious
Observes behaviour,
Takes control (changes search engine, new tool bars)
Re-directs and sends out data
Number of Pop-ups
Reduces surfing speed
Anti-Spyware
Works in real-time
Prevents spyware from being installed (scans IP packets)
Safe Practices
Spyware
30
Precautions
Do NOT click anywhere inside pop-up windows (these could
contain spyware that will infect the system) Block Pop-ups
Downloads from untrusted sites could contain Spyware
Do NOT follow the links that offer free anti-Spyware
Use Genuine Anti-Spyware (normally bundled with Anti-
Virus packages) AVG, QH, Bit-Def, NAV, Kasp, McAfee
etc
Safe Practices
Spyware
31
Stealing of Personal information
Credit Card Numbers, PINs, Passwords
Preventive Measures
Shred trash (Dumpster Diving)
Use Virtual Keyboard for entering passwords
Do not allow anyone to see you entering PIN/ password
Never give personal information on phone/ e-mail
Cancel credit cards not in use for a long time
Ensure secure site (https://) from known provider
Monitor accounts
Photographs on cards with signature
Never leave cards out of your sight
Safe Practices
Identity Theft
32
Do not get software from P2P sites/ e-mail
attachments
Only freeware or software for which you are
licensed/ registered
Only trusted web sites Check validity of the
certificate and issuer of certificate for a site from
which software is downloaded
Always scan downloads before installation
Read license agreement carefully
Cracks are dangerous

Safe Practices
Downloading Guidelines
33
Legal Problems (MMS, SMS)
Trackable
Accountable
Malicious programs (Trojans, Spyware, Worms,)
Steal personal information
Inflate bills (toll-free numbers offers)
Get access to mobile/ laptop
IMEI
International Mobile Equipment Identifier
15 (or 17) digit number
Unique for each and every mobile device
Dial * # 0 6 # for IMEI number
Can be used to disable phone if lost
Mobile Device Security
34
Securing Mobile Devices (Phones, Laptops etc.)
Same as E-Mail precautions + Backup
Bluetooth major vulnerability (Video)
Use PIN, Security Settings, Infrared Settings, Call
Barring & Restriction services
Do NOT store personal data on mobile (Credit Card
details, passwords etc)
Mobile Device Security
35
Confidentiality Encryption
Authenticity & Integrity PKI/ Digital signature
Access
Authenticated SSL (https://)
Public Key Encryption (Secure Shell instead of telnet)
VPN
Backup REGULARLY (Complete & Incremental)
Electronically shred files (not undelete-able)
Single Pass
DoD 5520.22-M
Guttmann
Data Security
36
Criticality, Location & Budget Specific
Locks
BIOS Security
Passwords (boot and set up)
Access to battery
Side Channel attacks
Power analysis
Electrical & Electromagnetic Probing
Human Engineering
Static
Power Supply & Environment
Physical Security
37
Network Security
A Primer
38
Need for Network Security
The philosophy of exchange of information over the
network that can be attacked (Vulnerability)
hardware and software especially vulnerable
extent of the vulnerability is not always readily apparent
The security only as strong as the weakest link
Safeguards available for workstations, especially PCs are
significantly weaker than was the case with classic
mainframes
Distributed computer systems
Cannot be protected by organisational measures alone
Technical mechanisms are also necessary
39
What are we trying to Protect?
Data
Secrecy
Integrity
Availability
Resources
Hard-disk space
Processor
Memory
Bandwidth
Reputation
Identities Theft
Websites Defacement
Data Loss
Loss of Trust
40
Security Threat Perception
Intrusion Gaining unauthorised access by guessing
passwords, social engineering, planting malicious code,
exploiting vulnerabilities to gain root access, etc
Denial of Service Impossible to avoid DOS attacks.
Relatively easier to carry out.
Information Theft Get data without having to directly
use the computer. Generally use internet services that are
designed to give information.
Active: Port Scanning, Exploit OS vulnerabilities, Session Hijacking
Passive: Sniffing data, passwords in network traffic
41
Approaches to Security
Reactive
Worry about problems that are apparent
currently.
Concentrate on Fire-fighting

Proactive
Plan for protection from attacks that are
theoretically possible
42
Why be Proactive?
Limits on what is difficult change rapidly in
computing
Problems rarely come in isolation. One attack that's
too difficult may help someone find an easier one
Eventually, attackers always turn to more difficult
attacks
Attacks move instantly from never attempted to
widely used
43
Security Models
Security through Obscurity Assume that no one
knows about the existence of the system. The
model does not work for long.
Host Security Enforce security on each host
machine separately. Does not scale up to a large
number of machines.
Network Security Control network access to
various hosts and services
44
Network Security Approaches
Firewalls
Intrusion Detection Systems
Strong Authentication Methods
Encryption of sensitive data

45
Computer Security Principles
No single security model can solve all problems
No security model can take care of management
problems
Security must be built into the network design
No Network is completely secure and no model
provides complete protection
Though security may not prevent every single
incident, it can keep an incident from damaging or
shutting down operations

46
What is a Firewall?
System or group of systems that enforces an access
control policy between two networks
Blocks unauthorised or malicious data traffic
Permits authorised and truthful data traffic
Limits the amount of damage when used within an
organization
Enforces security policies and practices
Characterized by a Default Permit or a Default Deny Policy
Is most often installed at a point where a protected internal
network connects to an un-trusted external network
47
What is a Firewall?
Classical Firewall Positioning
[Figure: the FIREWALL sits between the INTERNAL NETWORK and the EXTERNAL NETWORK]
48
What a Firewall can do
Can prevent certain users or machines from accessing certain
Servers / Services (Enforces a security policy)
Can prevent unauthenticated interactive logins
Can prevent network-borne attacks
Can limit the exposure of an internal network
Can provide a choke point and thus is a focus for security
decisions
Can monitor & record communication between the internal
and external network
Can encrypt data traffic between two firewalls (IPSEC)
49
What a Firewall cannot do
A Firewall is an excellent security solution but not a
complete one. Certain threats are outside the control
of the firewall.
Cannot protect against attacks that do not go through the
firewall
Cannot protect against malicious insiders
Cannot work without a consistent Network Security Policy
Cannot protect against configuration errors and it cannot set
itself up correctly
Cannot protect if administrators are vulnerable to Social
Engineering
Cannot protect against completely new threats
50
Cryptography & PKI
A Primer
51
Introduction
The Art of Cryptology
[Figure: classification tree with the following nodes]
CRYPTOLOGY
CRYPTOGRAPHY (Scrambling): The study of mathematical techniques for scrambling data: confidentiality, integrity, authentication, ...
CRYPTANALYSIS (Cracking): The study of mathematical techniques for defeating cryptographic techniques
STEGANOGRAPHY (Hiding)
TRANSPOSITION (changing position keeping data same)
SUBSTITUTION (replacing keeping position same)
CODE (replacing words)
CIPHER (combination of substitution & transposition of letters)
Key
52
Introduction
Cryptographic Schemes
SYMMETRIC KEY SYSTEMS
STREAM CIPHERS: LFSR, ADDITIVE GENERATORS, ALGo M
Applications: Telephony, Link Encrypt, Secure Fax
BLOCK CIPHERS: DES/3DES, IDEA, TWOFISH, RIJNDAEL (AES)
Applications: Messaging, Archiving, Disk Encrypt
ASYMMETRIC (PUBLIC) KEY SYSTEMS: RSA, MERKLE-HELLMAN KNAPSACK, EL GAMAL, RABIN
Applications: Authentication, Digital Certification, Non-Repudiation
UNKEYED SYSTEMS: SHA, MD2, MD4, MD5 (Hash Functions); RNGs, PRNGs
Applications: Integrity, Key Generation
53
Non-Repudiation & Key Exchange
(Key Management & Distribution)
Confidentiality
Symmetric (Private) Key
Systems
Asymmetric (Public) Key Systems
Hybrid Systems
Integrity & Authentication
(Hashing & Digital Signatures)
Introduction
Cryptographic Services
54
Basic Concepts
Symmetric-key Cryptography
Block Ciphers
Stream Ciphers
Public-key Cryptography
Confidentiality
Authentication
Integrity & Authentication
Hash Functions
Digital Signatures
Non-Repudiation & Key Distribution/ Exchange
55
Symmetric-Key Cryptography
Basic Model
[Figure: Sender A encrypts Plain Text X with the Encryption Algorithm under Private Key K to give Cipher Text Y; Receiver B recovers Plain Text X with the Decryption Algorithm under the same Private Key K. The Key Source delivers K over a Secure channel. A Cryptanalyst who sees the Cipher Text and knows the Algorithm works towards a Plain Text Approximation and a Private Key Approximation.]
X: Plain Text
Y: Cipher Text
K: Encryption/ Decryption Key
The Decryption Algorithm is the inverse of the Encryption Algorithm
56
Shared secret key between sender & receiver
Authenticity implicit
Security depends upon secrecy of key
Good performance for bulk encryption of data
Used for High Security, Mission Critical Applications
Two types of Conventional Ciphers
Block Ciphers
Stream Ciphers
Symmetric-Key Cryptography
Features
57
Substitution and Transposition individually DO NOT
provide high security
Combining the basic transformations yields strong
ciphers
A suitable combination (composition) of S and T is called
a round
Having multiple rounds enhances security
Therefore most block ciphers are Product Ciphers using
multiple rounds
Symmetric-Key Cryptography
Block Ciphers
58
They encrypt individual characters (usually binary digits)
Generally faster than block-ciphers in hardware
Most appropriate in applications where buffering is a
problem, eg., In telecommunications
Few fully specified algorithms in open literature though
enormous theoretical knowledge exists
Have significant advantages and therefore, their use is
likely to grow
Symmetric-Key Cryptography
Stream Ciphers
59
Public-Key Cryptography
Confidentiality
[Figure: Sender A takes the Public Key of B (KUb) from its Public Key Ring and encrypts Plain Text X to Cipher Text Y with the Encryption Algorithm; Receiver B recovers Plain Text X with the Decryption Algorithm and the Private Key of B (KRb), which comes from B's Key pair Source. A Cryptanalyst who sees the Cipher Text and knows the Algorithm and the Public Key of B works towards the Plain Text and the Private Key of B (to decrypt messages to B).]
60
Public-Key Cryptography
Authentication
[Figure: Sender A encrypts Plain Text X to Cipher Text Y with the Encryption Algorithm and the Private Key of A (KRa), which comes from A's Key pair Source; Receiver B takes the Public Key of A (KUa) from its Public Key Ring and recovers Plain Text X with the Decryption Algorithm. A Cryptanalyst who sees the Cipher Text and knows the Algorithm and the Public Key of A works towards the Plain Text and the Private Key of A (to spoof identity of A).]
61
Mathematically related key pair
Private key - known only to user; kept secret
Public key - made available publicly
Encryption/Decryption very slow (time-consuming)
Used for
Confidentiality (only for small data sizes)
Authentication (Digital Signature)
Non-Repudiation (Key Management & Distribution)
Key Exchange
Public-Key Cryptography
Features
62
Myth - 1: Public-key Encryption is more secure from
cryptanalysis than is conventional encryption. In actual fact, the
security of any encryption scheme depends on the length of the key &
the computational work involved in breaking a cipher
Myth - 2: Public-key Encryption has made conventional
encryption obsolete. In actual fact even today Private key
Cryptography is used for encryption and Public-key Cryptography is
restricted to key management & signature applications
Myth - 3: Key distribution is trivial when using Public-key
Encryption, compared to the rather cumbersome handshaking
involved with key distribution centres for conventional
encryption. In actual fact, the procedures involved for Public-key
Cryptography are no simpler nor any more efficient than those required
for conventional encryption
Public-Key Cryptography
Myths
63
Integrity & Authentication
Hash Functions
[Figure: Plain Text x passes through the Hash Function h to give the fixed-size Message Digest h(x), To be Transmitted with the message]
One-way function
Input is a message of any length
Output is fixed
Cannot be generated from another message
Is different from the result of any other message
Not reversible - Impossible to recover message from hash
Uniquely identifies message and verifies integrity
Commonly used hash algorithms
Secure Hash Algorithm (SHA)
Message Digest algorithm (MD2, MD4, MD5)
Length is typically 128 or 160 bits
64
Enables verification of sender, date & time of signature
Trusted Time & Date Stamping
Authenticates information content at time of signature
Depends on content of information (Hash)
Should be unique to sender (Private Key)
Verifiable by third party for arbitration
Easy to produce, recognise, verify & store
Computationally infeasible to forge
Integrity & Authentication
Digital Signatures
65
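Integrity & Authentication
Digital Signature Implementation - 1
Signature tied to cryptogram
[Figure: Sender A encrypts the Message M with the Secret Key K (EC) to give the Cryptogram $E_K[M]$, hashes the Cryptogram (H) to a Message Digest, and encrypts the digest with the Private Key of A, $KR_a$ (EP), to give the Digital Signature $E_{KR_a}[H(E_K[M])]$. The Signed Cryptogram is Cryptogram || Digital Signature. Receiver B hashes the received Cryptogram (H) to a Message Digest, decrypts the Digital Signature with the Public Key of A, $KU_a$ (DP), to a Message Digest, and Compares the two; the Cryptogram is decrypted with the Secret Key K (DC) to recover the Message M.]
EC: Private Key Algorithm
H: Hash Function Algorithm
EP: Public Key Algorithm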
66
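Integrity & Authentication
Digital Signature Implementation - 2
Signature tied to plain text
[Figure: Sender A hashes the Message M (H) to a Message Digest and encrypts the digest with the Private Key of A, $KR_a$ (EP), to give the Digital Signature $E_{KR_a}[H(M)]$. The Signed Message M || Digital Signature is encrypted with the Secret Key K (EC) to give the Cryptogram $E_K[M \| E_{KR_a}[H(M)]]$. Receiver B decrypts the Cryptogram with the Secret Key K (DC) to recover the Signed Message, hashes the Message M (H) to a Message Digest, decrypts the Digital Signature with the Public Key of A, $KU_a$ (DP), to a Message Digest, and Compares the two.]
EC: Private Key Algorithm
H: Hash Function Algorithm
EP: Public Key Algorithm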
67
Non Repudiation & Key
Exchange
(Key Management & Distribution)
68
Public Announcement of Keys
Uncontrolled Public Key Distribution
[Figure: A announces its public key KUa and B announces its public key KUb to all other parties]
69
Public Key Publication
Publicly Available (Access Controlled) Directory
[Figure: A places KUa and B places KUb in the Public Key Directory]
70
Public Key Authority
Central Authority Maintaining Dynamic Directory of Centrally Generated Keys
[Figure: message flow between the Public Key Authority, Initiator A and Responder B]
(1) Request for Public Key of B: $\text{Request} \| \text{Time}_1$
(2) Issue of Public Key of B: $E_{KR_{auth}}[KU_b \| \text{Request} \| \text{Time}_1]$
(3) $E_{KU_b}[ID_A \| N_a]$
(4) Request for Public Key of A: $\text{Request} \| \text{Time}_2$
(5) Issue of Public Key of A: $E_{KR_{auth}}[KU_a \| \text{Request} \| \text{Time}_2]$
(6) $E_{KU_a}[N_a \| N_b]$
(7) $E_{KU_b}[N_b]$
Messages (3), (6) and (7) between A and B: Authenticated Exchange of Public Keys
Steps 1 to 7 have to be carried out for every transaction. This is tedious and is
overcome using certification.
71
Public Key Certificates
Exchange of Public Key Certificates
[Figure: message flow between the Certificate Authority, A and B]
Registration: A registers KUa and B registers KUb with the Certificate Authority
Issue of Certificate to A: $C_A = E_{KR_{auth}}[\text{Time}_1 \| ID_A \| KU_a]$
Issue of Certificate to B: $C_B = E_{KR_{auth}}[\text{Time}_2 \| ID_B \| KU_b]$
Exchange of Certificates: (1) $C_A$, (2) $C_B$
$ID_A$: Identifier of A
$KR_{auth}$: Private Key of Authority
$\text{Time}_1$ & $\text{Time}_2$ refer to the Period of Validity
A Certificate can be used for any number of transactions for the period of its validity
72
Public-Private Key Pair Generated Individually by User
Uncontrolled (Public Announcement) of Public Keys
Public Key Publication in a Publicly available (access controlled)
directory
Cannot achieve Non Repudiation
No central control & Trust
Easy & Cheap to implement
Public-Private Key Pair Generated Centrally
Public Key Authority
Certificate Authority (could be generated individually by user)
Non Repudiation achieved
Central Control & Trust
Complex & Expensive Infrastructure
Non Repudiation Achieved by
Suitable Key Distribution
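The two digital signature implementations (signature tied to the cryptogram, signature tied to the plain text) and the certificate C_A = E_KRauth[Time || ID_A || KUa] from the slides above, worked through end to end as an added example that is not part of the original deck. It assumes textbook RSA over fixed Mersenne primes and a SHA-256 keystream as toy stand-ins for the EP/DP, EC/DC and H boxes; every function name and sample value is constructed for illustration and none of it is production cryptography.

```python
import hashlib
import json
from typing import NamedTuple, Optional

class KeyPair(NamedTuple):
    n: int  # modulus (public)
    e: int  # public exponent: the slides' KU
    d: int  # private exponent: the slides' KR

def toy_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Textbook RSA from fixed primes. Unpadded RSA is NOT secure; toy only."""
    return KeyPair(p * q, e, pow(e, -1, (p - 1) * (q - 1)))

def width(n: int) -> int:
    return (n.bit_length() + 7) // 8  # signature length in bytes for modulus n

def H(data: bytes) -> int:
    """Hash box H: SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def EP(data: bytes, kp: KeyPair) -> bytes:
    """E_KR[H(data)]: the digest transformed with the signer's private key."""
    return pow(H(data), kp.d, kp.n).to_bytes(width(kp.n), "big")

def DP_ok(data: bytes, sig: bytes, n: int, e: int) -> bool:
    """Recover the digest with the public key and compare with a fresh H(data)."""
    s = int.from_bytes(sig, "big")
    return len(sig) == width(n) and s < n and pow(s, e, n) == H(data)

def EC(k: bytes, data: bytes) -> bytes:
    """Toy symmetric box: XOR with a SHA-256 counter keystream, so DC is EC.
    K must be fresh for every message, otherwise the keystream repeats."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(k + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(x ^ y for x, y in zip(data, stream))

def send_impl1(m: bytes, k: bytes, a: KeyPair) -> bytes:
    """Implementation 1: E_K[M] || E_KRa[H(E_K[M])]."""
    c = EC(k, m)
    return c + EP(c, a)

def recv_impl1(wire: bytes, k: bytes, n: int, e: int) -> Optional[bytes]:
    """The signature covers the cryptogram, so it is checked before decrypting."""
    w = width(n)
    c, sig = wire[:-w], wire[-w:]
    return EC(k, c) if DP_ok(c, sig, n, e) else None

def send_impl2(m: bytes, k: bytes, a: KeyPair) -> bytes:
    """Implementation 2: E_K[M || E_KRa[H(M)]]."""
    return EC(k, m + EP(m, a))

def recv_impl2(wire: bytes, k: bytes, n: int, e: int) -> Optional[bytes]:
    """The signature covers the plain text, so K is needed before it can be checked."""
    w = width(n)
    plain = EC(k, wire)
    m, sig = plain[:-w], plain[-w:]
    return m if DP_ok(m, sig, n, e) else None

def issue_cert(auth: KeyPair, valid_until: int, ident: str, subject: KeyPair) -> bytes:
    """C = E_KRauth[Time || ID || KU]: the authority signs validity, identity, key."""
    body = json.dumps({"valid_until": valid_until, "id": ident,
                       "n": subject.n, "e": subject.e}, sort_keys=True).encode()
    return body + EP(body, auth)

def check_cert(cert: bytes, auth_n: int, auth_e: int, now: int) -> Optional[dict]:
    """Return the certified fields only if the authority's signature verifies
    and the certificate is still inside its period of validity."""
    w = width(auth_n)
    body, sig = cert[:-w], cert[-w:]
    if not DP_ok(body, sig, auth_n, auth_e):
        return None
    fields = json.loads(body)
    return fields if now <= fields["valid_until"] else None

def demo() -> dict:
    # Constructed sample values; Mersenne primes keep the toy keys deterministic.
    a = toy_keypair(2**607 - 1, 2**89 - 1)       # A's key pair (KUa, KRa)
    auth = toy_keypair(2**521 - 1, 2**127 - 1)   # authority's key pair
    k, m = b"constructed-session-key", b"pay 100 to B"
    cert = issue_cert(auth, valid_until=2000, ident="A", subject=a)
    ku_a = check_cert(cert, auth.n, auth.e, now=1500)  # B learns KUa from C_A
    wire1, wire2 = send_impl1(m, k, a), send_impl2(m, k, a)
    tampered = bytes([wire1[0] ^ 1]) + wire1[1:]
    return {
        "impl1": recv_impl1(wire1, k, ku_a["n"], ku_a["e"]),
        "impl2": recv_impl2(wire2, k, ku_a["n"], ku_a["e"]),
        "impl1_tampered": recv_impl1(tampered, k, ku_a["n"], ku_a["e"]),
        "expired_cert": check_cert(cert, auth.n, auth.e, now=2500),
    }

if __name__ == "__main__":
    print(demo())
```

With implementation 1 a third party can check the signature on the cryptogram without holding K; with implementation 2 the signature is only reachable after decryption, and it binds A to the plain text itself.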
73
Non-Repudiation & Key Exchange
(Key Management & Distribution)
Confidentiality
Symmetric (Private) Key
Systems
Asymmetric (Public) Key Systems
Hybrid Systems
Integrity & Authentication
(Hashing & Digital Signatures)
Introduction
Cryptographic Services
74
Issues 1
Cryptology
Computationally secure algorithms Role, Survivability, Secrecy,
Availability
Cryptanalysis (Linguistics, Maths, Int. etc) & Algorithm Analysis
Key Design
Key Management & Administration (Distribution)
Public Key Infrastructure (PKI)
Technology
Hardware obsolescence
Software key storage
Protocols
Open Source Software authenticity, need to analyse
75
Issues 2
Vulnerability & Susceptibility (Side Channel Attacks)
System (Hardware & Software) Vulnerabilities
Social Engineering
Interoperability & Standards
Data Transfer between networks with different security classification
Policy (Integrated, Institutionalised)
Expertise (Long Term gains)
Maths, Physics, Computing, Language
Design, Development, Production, Life Cycle Support
Gradation/ Certification & Audit Accountability & Trust
Key Escrow Insurance
Utilisation of Indigenous Academia & Industry
Control, Funding, Authority
76
Some Final Thoughts

The IT infrastructure is a complex technological system. All such
complex systems exhibit interactive complexity (sub-systems interact
in unexpected ways) and tight coupling (sub-systems have rapid
impact on each other). These characteristics make the system accident-
prone. Such systems have serious accidents as a consequence of the
inherent complexities irrespective of the intent or skill of the designers
or operators. The best systems operated by the best men will fail and
fail regularly.
Normal Accidents: Living with High-Risk Technologies by Charles Perrow
How much should we computerise?
How much should we trust such systems?
Have we catered for Normal Accidents?
What are WE doing about Information Security?
