The internet is not a single network, but a worldwide collection of loosely connected networks that are accessible by individual computer hosts, in a variety of ways, to anyone with a computer and a network connection.

However, along with the convenience and easy access to information come risks. Among them are the risks that valuable information will be lost, stolen, changed, or misused. If information is recorded electronically and is available on networked computers, it is more vulnerable than if the same information is printed on paper and locked in a file cabinet. Intruders do not need to enter an office or home; they may not even be in the same country. They can steal or tamper with information without touching a piece of paper or a photocopier. They can also create new electronic files, run their own programs, and hide evidence of their unauthorized activity.

Basic Security Concepts

Three basic security concepts important to information on the internet are confidentiality, integrity, and availability. Concepts relating to the people who use that information are authentication, authorization, and nonrepudiation.
When information is read or copied by someone not authorized to do so, the result is known as “loss of confidentiality”. In some settings (banks, hospitals, loan companies…), there may be a legal obligation to protect the privacy of individuals.

Information can be corrupted when it is available on an insecure network. When information is modified in unexpected ways, the result is known as “loss of integrity”: integrity is particularly important for critical safety and financial data used for activities such as electronic funds transfers, air traffic control, and financial

Information can be erased or become inaccessible, resulting in “loss of availability”: this means that people who are authorized to get information cannot get what they need.

Availability of the network itself is important to anyone whose business or education relies on a network connection. When users cannot access the network or specific services provided on the network, they experience a “denial of service”.

To make information available to those who need it and who can be trusted with it, organizations use authentication and authorization. Authentication is proving that a user is the person he or she claims to be. That proof may involve something the user knows (such as a password), something the user has (such as a “smartcard”), or something about the user that proves the person’s identity (such as a fingerprint). Authorization is the act of determining whether a particular user (or computer system) has the right to carry out a certain activity, such as reading a file or running a program.
Security is strong when the means of authentication cannot later be refuted; that is, the user cannot later deny having performed the activity. This is known as nonrepudiation.
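The three concepts above (authentication, authorization, nonrepudiation) can be separated cleanly in code. The following is an added example, not part of the original article: a password check with a per-user salt, a default-deny access-control list, and a contrast between a keyed hash (HMAC) and a digital signature to show why only the latter gives nonrepudiation. The user store, the ACL, the message and the RSA primes are all constructed for the example; the RSA is textbook and deliberately tiny, so it illustrates the idea and nothing more.

```python
"""Added example (not from the original article): authentication,
authorization and nonrepudiation checks using only the standard library.
The user names, ACL entries, message and key material are constructed here."""
import hashlib
import hmac
import os

# --- Authentication: "something the user knows" ----------------------------
# Passwords are never stored in the clear: keep a random per-user salt and a
# PBKDF2-HMAC-SHA256 hash, so a stolen user store cannot simply be replayed.
PBKDF2_ITERATIONS = 200_000


def register_user(store: dict, username: str, password: str) -> None:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    store[username] = (salt, digest)


def authenticate(store: dict, username: str, password: str) -> bool:
    """True only if the caller knows the password registered for `username`."""
    record = store.get(username)
    if record is None:
        # Do the same work for unknown users so timing does not reveal which names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


# --- Authorization: may this already-authenticated user do this? -------------
# ACL maps (user, action) -> set of resources; anything not listed is denied.
def authorize(acl: dict, username: str, action: str, resource: str) -> bool:
    return resource in acl.get((username, action), set())


# --- Nonrepudiation ----------------------------------------------------------
# An HMAC proves a message came from *someone holding the shared key*. Both the
# sender and the verifier hold it, so the verifier could have produced the tag
# and the sender can deny it: integrity and authentication, but no nonrepudiation.
def hmac_tag(shared_key: bytes, message: bytes) -> bytes:
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def hmac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(shared_key, message), tag)


# Textbook RSA over two fixed Mersenne primes. INSECURE, illustration only: the
# point is that a valid signature can only come from the holder of the private
# exponent RSA_D, while anyone holding (RSA_N, RSA_E) can check it.
_P = (1 << 127) - 1  # M127, a known prime
_Q = (1 << 89) - 1   # M89, a known prime
RSA_N = _P * _Q      # public modulus (~216 bits)
RSA_E = 65537        # public exponent; gcd(RSA_E, (P-1)(Q-1)) == 1
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))  # private exponent (Python 3.8+)


def _msg_int(message: bytes) -> int:
    # Truncate SHA-256 to 24 bytes so the value is below the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest()[:24], "big")


def sign(private_d: int, message: bytes) -> int:
    return pow(_msg_int(message), private_d, RSA_N)


def verify(message: bytes, signature: int) -> bool:
    return pow(signature, RSA_E, RSA_N) == _msg_int(message)


def demo() -> dict:
    """Runs each check on constructed data and returns the outcomes."""
    users, acl = {}, {}
    register_user(users, "alice", "correct horse battery staple")
    acl[("alice", "read")] = {"/reports/q1.pdf"}
    msg = b"transfer 100 to bob"
    forged = b"transfer 999 to bob"
    shared = os.urandom(32)  # key shared by alice and the verifier bob
    return {
        "auth_ok": authenticate(users, "alice", "correct horse battery staple"),
        "auth_bad_password": authenticate(users, "alice", "password1"),
        "auth_unknown_user": authenticate(users, "mallory", "anything"),
        "authz_read": authorize(acl, "alice", "read", "/reports/q1.pdf"),
        "authz_write": authorize(acl, "alice", "write", "/reports/q1.pdf"),
        # bob, holding the shared key, can mint a tag for a message alice never sent
        "hmac_bob_can_forge": hmac_verify(shared, forged, hmac_tag(shared, forged)),
        "sig_ok": verify(msg, sign(RSA_D, msg)),
        "sig_tampered": verify(forged, sign(RSA_D, msg)),
        # bob holds only the public exponent, so his best effort does not verify
        "sig_bob_cannot_forge": verify(forged, pow(_msg_int(forged), RSA_E, RSA_N)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical takeaway is the last three results: a keyed hash lets the verifier forge, a signature does not, so a system that needs to hold users to their actions must bind them with a key only the user holds (a real deployment would use a vetted library and key sizes, not the toy parameters above).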

These concepts of information security also apply to the term information assurance; that is, internet users want to be assured that:
• they can trust the information they use
• the information they are responsible for will be shared only in the manner that they
• the information will be available when they need it
• the systems they use will process information in a timely and trustworthy manner
In addition, information assurance extends to systems of all kinds, including large-scale distributed systems, control systems, and embedded systems, and it encompasses systems with hardware, software, and human components. The technologies of information assurance address system intrusions and compromises to information.

What can happen

It is remarkably easy to gain unauthorized access to information in an insecure networked environment, and it is hard to catch the intruders. Even if users have nothing stored on their computer that they consider important, that computer can be a “weak link,” allowing unauthorized access to the organization’s systems and information.
Seemingly innocuous information can expose a computer system to compromise. Information that intruders find useful includes which hardware and software are being used, system configuration, type of network connections, phone numbers, and access and authentication procedures. Security-related information can enable unauthorized individuals to access important files and programs, thus compromising the security of the system.

No one on the internet is immune. Those affected include banks and financial companies, insurance companies, brokerage houses, consultants, government contractors, government agencies, hospitals and medical laboratories, network service providers, utility companies, the textile business, universities, and wholesale and retail trades.




Linda Pesante
Copyright 2008 Carnegie Mellon University