Article | REF: H5130 V1

Security audits - Methodology, tools and feedback

Author: Laurent BUTTI

Publication date: April 10, 2013




AUTHOR

  • Laurent BUTTI: Orange security expert

INTRODUCTION

Information systems security (ISS) is "the set of technical, organizational, legal and human resources required and put in place to maintain, restore and guarantee the security of an information system" (source: Wikipedia).

The three essential primitives of information systems security are:

  • integrity: the data must be as originally declared, and must not be altered either accidentally or deliberately;

  • confidentiality: the property that information is neither available nor disclosed to unauthorized persons, entities or processes;

  • availability: the system must operate without failure during the planned periods of use, guaranteeing access to installed services and resources with the expected response time.

The security of information systems has always been a key factor in a company's survival. But it's only in the last few years that awareness of this issue has grown, probably as a result of major media events impacting the activities of a number of multinationals and governments.

  • 2011 was a particularly eventful year.

    Examples

    For example, Sony was unable to prevent the compromise of millions of customer accounts, and the loss of its PlayStation Network service for several months.

    The public details of these attacks unfortunately testified to major errors on Sony's part with regard to its operational security procedures. This, combined with a high degree of arrogance (or recklessness), led to the wrecking of some of its services, with losses estimated in the tens of millions of dollars.

    Companies whose business is IT security are not spared either, as demonstrated by the compromise of RSA's internal networks, where, unfortunately, the attackers only used conventional techniques and tools (which can be found on the Internet and can therefore be used by anyone, without the need for advanced skills) (see the "To find out more" section).

    States are not to be outdone, with one of many examples being the compromise of the network of the French Ministry of Finance and Industry, discovered in early 2011.

    In the same way, state agencies that have been engaged in offensive cyber operations for many years no longer hesitate to admit it publicly, as was the case with the US Administration's development of cyber weapons (cf. the Stuxnet, Duqu and Flame worms, which are probably just the tip of the iceberg).

  • In June 2012, almost 6 million user accounts...
