Information system security insurance

Alexandru TATU*, Mircea COSMA**

* National Defense University "Carol I", Bucharest, 68-72, Panduri Street, Sector 5, 050662, Bucharest, Phone/Fax: +40 21 3194880, E-mail: afrimconstantin@yahoo.com
** Alma Mater University, Sibiu, 57 Someşului Street, 550003 Sibiu, Phone/Fax +40 260 250008, E-mail: mircea.cosma@yahoo.com

Abstract

Through this paper we intend to show that the technological developments of recent decades have created a strong dependence of society on the means of communication and information technology. This is increasingly recognized by ordinary people, but also by military and political leaders. Growing global dependence on sophisticated information systems, and the interconnection of these systems, can produce significant opportunities but also greater information vulnerabilities. Technological developments in electronics, communications and computer science also offer new ways of achieving national security goals, while the risk factors for unprotected information structures grow exponentially.

Keywords: information system security, information security, information system, information flow, security management, control information, information.

Abstract (Romanian version, translated)

Through this paper we intend to show that the technological developments of recent decades have created a strong dependence of society on the means of communication and information technology, a fact increasingly recognized by ordinary people, but also by military and political leaders. The growth of global dependence on sophisticated information systems and the interconnection between them can produce significant opportunities and ever greater information vulnerabilities. Technological achievements in the fields of electronics, communications and informatics also offer new ways of reaching national security goals, together with an exponential growth of the risk factors for unprotected information structures.
Keywords (Romanian version, translated): information systems security, information security, information system, information flows, information management, information control, information protection, information.

Technological developments in recent decades have created a strong dependence of society on the means of communication and information technology, a fact increasingly recognized by ordinary people, but also by military and political leaders. Growing global dependence on sophisticated information systems, and their interconnection, can produce significant opportunities and greater informational vulnerabilities. Technological developments in consumer electronics, communications and computer science also offer new ways of achieving national security goals, but also cause an exponential growth of the risk factors for unprotected information structures.

Military as well as civil domains currently depend on information systems of various sizes. We could even say that the whole world has become a large-scale information system in which communications systems are interconnected. Simply unplugging systems from the global information network is no longer sufficient; we now need to adopt specific measures for the security of information systems, in accordance with new needs for information, and to face new threats to the security of information systems. At this point it is not enough to implement information management systems, because once created these information systems must be protected and secured against all vulnerabilities, both internal and external, in order to fulfil the purpose for which they were designed.
Information system security - theoretical boundaries

The issue of information system security is of high interest and is acquiring new meanings, which requires a new unitary concept, correlated with responses to destruction or penetration, but also under the constant pressure of the danger of scientific, technological and cognitive obsolescence. Information security is determined by the diversity and specificity of fields, issues and profiles of activity, by the particular informational environment, by the continuous improvement and diversification of the means, techniques and technologies for obtaining, analyzing, processing and transmitting operational data, information and information products, and by the danger of theft, illegal access and use of information by unauthorized persons. To meet these requirements, information systems must be provided with protective measures at all stages of the life of information, from generation, collection and processing to its use.

Security of information systems is an ongoing process that includes many activities, such as: defining the areas of uncertainty, identifying the threats specific to these systems, developing a security strategy, evaluating the security of information systems, and resuming operation in certain specific situations.

In our opinion, the following definition meets the requirements listed. Security of information systems is a complex of legal, scientific, economic, organizational and technical measures and countermeasures capable of ensuring the confidentiality and the physical and semantic integrity of the information in a system, and the dynamics of its changes, against crime, exceptions, errors or mistakes of intentional or accidental nature, within an assumed risk and with a consumption of forces (human and material) derived from a cost assigned to the completion of the mission.

Security is recognized as a multidimensional concept, so that all fields (political, diplomatic, economic, defense, cultural, scientific, etc.) establish measures to ensure the promotion of their specific interests. At this time there is a new approach to the information security sector, with direct implications for military organizations as well. Romania, as a member of NATO and the EU, must take account of these global concerns about new concepts in information security, concerns embodied in concepts such as "cybersecurity" and others.

Ensuring the security of information systems - theoretical and functional aspects

Currently, dependence on information is greater and more dangerous, creating special facilities but also risks resulting from the vulnerabilities of information systems to internal and external threats. There are states fully dependent on the information provided by national cyberspace components. Their breakdown for several hours can lead to chaos in the respective country, affecting to a large extent not only national security but also the security of the global information system. Information systems security has become a priority for public institutions, private companies and military organizations alike, given that their information flow is managed electronically and the volume of information has increased dramatically in recent years.

The beginning of this millennium is dominated by mankind's concern to use and develop information technologies effectively, together with the adoption of effective measures to counter illegal access to databases, an activity perceived as a new threat to international peace and security, to which even the electronic information systems of the most technologically advanced countries are vulnerable. Information systems security is the area that provides the functionality and efficiency of information systems (confidentiality, integrity, availability and non-repudiation of data and information) and the defense of the structures of national security, of specific activities and of staff, particularly decision makers, against possible espionage, terrorism, sabotage,
unauthorized disclosure, disruption and any destructive actions aimed at information and communication systems. In this respect, there are modern applications worth pointing out: cryptographic protection of communications channels and computer networks, public key systems, antiviral cryptography, cryptographic fault-tolerant systems with single and random keys to protect databases, error-correcting codes, cryptographic protocols and cryptographic handling of unauthorized access to information.

Now, at the beginning of the third millennium, we can say that the plans of operations for the protection and security of information, and the techniques and environments, have advanced and improved greatly. Even the traditional system based on a central computer has become obsolete, opening to the world through the Internet or an intranet after the inclusion in its structure of personal computers and various generations of mobile networks, and with the emergence of the concept of a network of networks, which gives new dimensions to cyberspace.

The purpose of information security is to ensure the confidentiality and the physical and semantic integrity of information, in order to withstand a wide range of crimes or mistakes of deliberate or accidental character, within an assumed risk posed by the consumption of human and material forces for protection. Information systems go beyond national barriers, and the ways of providing information and services at a relatively low cost, including for the military and national security, have prompted an explosion in new facilities, expanded services, increased efficiency, reduced costs, and online communication that allows quick decisions and expanding procurement markets. At the strategic level, this explosive growth of information and communication channels brings concern for the protection of their data, but also the desire to exploit the new advantages and facilities.
Studies by analysts and specialists conclude that information systems security is constantly subject to specific threats, such as:
- Unauthorized access to the databases of decision and control systems for mining, data entry, distortion, alteration or falsification of information;
- Collection of information through the capture and analysis of information-carrying signals or electromagnetic radiation;
- Deliberate introduction of software to penetrate or bypass the protection system and cause computation and communication systems (weapons systems) to work differently than programmed (viruses, logic bombs, Trojan horses, malicious software, etc.);
- Psychological actions to mislead service staff;
- Electronic attack measures, such as non-lethal weapons (particle accelerators, non-nuclear electromagnetic pulse, laser radiation, etc.), sending false information (disinformation), jamming or destruction of communication channels, etc.

The analysis of the role of information systems security stresses its complexity, a feature that is emphasized by the presentation of its specific functions. Information systems security is a major concern not only for specialists in the field of information security and intelligence but also for the whole of society.

Role and functions

The new global culture of electronic information exchange in networks increases the risk of fraud, data theft and interception for government, private companies and individuals alike. To this end, the role of information systems security is to ensure the safety requirements and the trust in the information that flows through these channels. This goal is achieved by:
- Access to information and data by authorized staff;
- Confidentiality, which effectively prohibits unauthorized access to information;
- Ensuring integrity, which involves transmission without modification (accidental or intentional);
- Availability, which means ensuring access to information for use by authorized personnel;
- Protection of structures, activities and decision makers against specific destructive actions.

To reduce the threats, vulnerabilities and risks faced by the information in information systems, information systems security has certain functions.

Confidentiality, as a specific function, involves protecting an information channel and the information itself against unauthorized access and disclosure. Through confidentiality, users can access only the information specified in their security certificate. Authorized and official access to information for institution staff materializes in a security certificate and in the need to know, as per the job description. Through confidentiality services, the data and information in computer and communication networks will be accessed by, and available to, authorized users only, whether these data are stored on servers or workstations or are in transit through the network.

The second function, ensuring integrity, involves preserving the information from threats of any kind, whether from human, technical or natural factors. The integrity of an information system requires the permanent preservation of the information stored, processed or transmitted, unaltered by threatening factors. Integrity is ensured through the use of security mechanisms and specific products such as encryption, digital signatures and intrusion detection mechanisms. In communication networks, integrity is addressed in a specific form called authenticity, which provides verification of the data origin, determination of the workstation and user, and recording of the moment when the operation was executed.

Ensuring availability is the function that requires guaranteeing access to information and services, and their use, by authorized personnel only.
Lack of availability may consist of denial of service or loss of data processing as a result of natural disasters (earthquakes, floods, etc.), accidents (fire or flooding) or destructive human actions.

To ensure availability, four types of measures are important: physical, technical, administrative and personnel. Physical measures involve access control, fire and humidity detection systems, and data restoration facilities separate from the data processing facilities. Technical measures include fault tolerance mechanisms, electronic switching for automatic data saving, and applications for access control to prevent unauthorized interruption of services. Administrative measures address the problems related to access control policies and operating procedures, contingency plans for emergencies, and user training. Adequate training of operators, developers and security personnel constitutes a special measure for avoiding situations that damage availability.

Non-repudiation, as a distinct function, involves removing any uncertainty about the source or destination of a transmission, using reliable records that can be checked independently to determine the origin or destination of the information.

Without being a specific function, audit is the creation and protection of the evidence needed for the investigation of the facts that generate security events. Evidence can consist of activity logs that record data series such as user name, time points and associated actions.

Very important in the operation of information systems, restoration is the function by which information systems can be recovered if their availability was affected. Restoration is perhaps the most important function if one or more functions have not been successfully met.

To achieve competitive security, any real threats to and vulnerabilities of the information system must be anticipated (wrong operation, external attacks, accidental or intentional interference or interconnection, spurious emissions delivering useful information, etc.) and appropriate security measures must be taken. This can be achieved through a complex of legal, organizational, economic, physical, technological and informational measures, able to prevent and limit the destructive action of disasters, ensuring the safe and stable functionality of a system and resuming working conditions in a short time. Information systems security functions become critical when addressing national security, since a breach of any of them leads to compromised data and mission failure, resulting in loss of life, property damage, and re-planning or performing additional missions.

Means of achievement

The mutations of recent years, the movement of conflicts of interest from the military field to the economic one, and the development of the information society and the liberalization of information exchange have produced profound changes in the approach to the security of information systems. As such, information systems security has acquired new dimensions, as confirmed by some arguments proved by the informational confrontations of recent years, as follows:
- The generalization of electronic and informational confrontation;
- The favorable influence of information processing on the effectiveness of modern weapons, and the harmful influence of computer viruses on smart weapons;
- The moral pressure of misinformation and the ease of destroying important forces left without effective management;
- The effectiveness of smart weapons: robot planes, cruise missiles, self-directed missiles, laser-guided bombs and missile systems.

With the development of computer science, although organizational, administrative and technical measures have been taken to limit unauthorized access to information, there is an alarming increase in the cases, forms and methods of stealing information. Management strategies to prevent, manage and overcome crises require priority military information security measures, both to prevent aggression and to ensure the normal and safe movement of information. The complexity of these measures, their effectiveness, which is sometimes difficult to appreciate, the dynamics of the situation and time pressure confer specificity and multidimensionality on information protection.
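As an added illustration of the audit and integrity functions described above (example code written for this edition, not part of the paper): a tamper-evident activity log in Python that records the user name, time point and action the paper names as audit evidence, links each record to the previous one with a keyed hash, and shows how a later alteration or deletion of a record is detected when the evidence is checked. The field names, the sample events and the checker key are constructed assumptions.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample audit records with the fields the paper names
# (user name, time point, associated action). Field names are assumed.
SAMPLE_EVENTS = [
    {"user": "operator1", "time": "2024-01-15T08:02:11Z", "action": "login"},
    {"user": "operator1", "time": "2024-01-15T08:05:40Z", "action": "open_db:personnel"},
    {"user": "admin2", "time": "2024-01-15T08:07:03Z", "action": "change_acl:personnel"},
]

# Hypothetical secret held only by the log-integrity checker, never by log writers.
CHECKER_KEY = b"constructed-demo-key-not-for-production"
GENESIS_TAG = "0" * 64


def _canonical(event):
    """Serialize deterministically so an identical record always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag, event):
    """Keyed hash over (previous tag || record): the link that chains entries."""
    msg = prev_tag.encode() + _canonical(event)
    return hmac.new(CHECKER_KEY, msg, hashlib.sha256).hexdigest()


def append_entry(chain, event):
    """Append one audit record, linked to the tag of the entry before it."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    chain.append({"event": event, "tag": _tag(prev_tag, event)})
    return chain


def build_chain(events):
    chain = []
    for ev in events:
        append_entry(chain, ev)
    return chain


def verify_chain(chain):
    """Return (ok, index): index is the first entry whose link fails, or None."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(_tag(prev_tag, entry["event"]), entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def tampered_copy(chain, index, **changes):
    """Simulate an after-the-fact edit of one record, e.g. rewriting the user name."""
    altered = copy.deepcopy(chain)
    altered[index]["event"].update(changes)
    return altered
```

Removing only the most recent entries leaves the remaining chain self-consistent, so in practice the latest tag must also be anchored outside the log (for example on a separate, write-once store) for truncation to be detectable.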
The issue of information systems security is complex and derives from the fact that information that is secret by its nature is not always properly and completely defined, and this is further complicated when information becomes classified by extension and cannot be controlled except, in cases of conflict, by military censorship. To ensure trust in information systems, it is necessary to understand the risks and to adopt effective ways to reduce them. This goal can be achieved only by providing funds for investment in information protection, both for the purchase and implementation of security equipment and products and for specialist training and organizational protection measures.

It can be said that the security of information systems is a profession and a business: a profession because protective measures require a high degree of professionalism, and a business because it cannot be achieved within a reasonable and affordable cost. Like any business, the management of information systems security involves decisions under risk, predicting what should be protected within the limits of the probability of loss compared with the cost of protection. Communication and computer networks have many facilities for obtaining, processing and storing information, but they are also the most vulnerable. Therefore, when designing a security system for such networks, a relationship has to be established between the cost of building the network and the cost of ensuring its protection, under conditions of maximum efficiency with minimum investment.

We can say that future conflicts will revolve around the future handling of information and misinformation, and around changing human behavior through the proper operation and routing of information.
New threats will not be likely to generate violent actions; the focus will move across the information spectrum to activities designed to induce certain desirable behaviors in different activities and areas. The information systems security sector will experience accentuated growth in the coming years, determined by the evolution of the Internet and social networks and by the increase of the globalization phenomenon.