Sebastien Bombal (EPITA 04), Security Manager at Areva, directs the major “Systems, Networks and Security” (SRS) at EPITA.
How do you explain the recent dramatic increase in piracy of data stored in information systems under top surveillance: wikileaks case, Bercy piracy etc.?
There is often an exploitation of technical and human vulnerability. It seems that in the case of Bercy, it was a PDF with an embedded Trojan horse received by mail, in the case of “Stuxnet” the virus spread mainly by a USB drive, in the case of the Pentagon (in 2010) a USB stick containing a Trojan horse. And the examples are many…
The common denominator that makes these attacks successful is human intervention! A click on a PDF, inserting a USB stick … It should be recognized that zero risk does not exist on information systems of this magnitude: Bercy is a fleet of 170 000 computers to manage where 150 computers were compromised in this attack (less than 0.01 %…).
The fact that these problems are more publicized in the media comes from the reality that everyone today, in both professional and private spheres, faces the issue of data protection.
How can we ensure that information systems are better protected against these intrusions?
To answer the question, the only way is to control one’s information assets and manage risk via the implementation of organizational, contractual and technological measures.
Today, a major concern in the protection of information systems is related to the location of data. With cloud computing, we no longer know where they are located because everything is virtualized. Another issue is compliance. The bonds are not treatable in the same way in every country, some information systems extend to an international scale. The job is complex, but very exciting!
How do you recommend we take into account these developments in training future engineers of security systems?
We seek to make students aware that the issues raised by information systems are not confined to technical knowledge. Contract management, risk analysis, compliance with privacy and cyber-surveillance to list a few aspects underline that the problems are numerous and intertwined.
It is especially important to teach students to have good reflexes and logic to address these issues correctly and consistently. Novelty will be further increased in their academic curriculum: it will include more emphasis in the future on knowledge of critical infrastructures, security of data centers, and regulatory policies.