Presentation on theme: "Information Security and Privacy A vision for inter-disciplinary research in Information Security Andrew Martin (with Ashiyan Rahmani-Shirazi) Oxford University."— Presentation transcript:
Information Security and Privacy A vision for inter-disciplinary research in Information Security Andrew Martin (with Ashiyan Rahmani-Shirazi) Oxford University Computing Laboratory ISPP seminar series 17th January 2011
The information age needs information security almost everything of value has a digital existence today – whether it solely exists in the digital domain or merely casts a shadow, or something in between – whether that value is in monetary terms or something less tradable, such as privacy that fact is plainly not lost on those with criminal intent – of course, it is the value which attracts them – and some items with value may be subject to collateral damage
Whose problem is this? technologists? cryptographers? lawyers? educators? economists? politicians? regulators? business leaders? the military? social scientists? psychologists?
Example 1 credit: Paul England, Microsoft Most of our computer operating systems are designed around an administrator this person is given all power; full control we assume that – the administrator is wise – the administrator is good – the administrator is knowledgeable http://www.boerner.net/jboerner/wp-content/uploads/2009/10/1955tradic.gif
Example 1 One of these is todays administrator this person is given all power; full control we assume that – the administrator is wise – the administrator is good – the administrator is knowledgeable
Example 1 One or more of these is todays administrator this person is given all power; full control we assume that – the administrator is wise – the administrator is good – the administrator is knowledgeable
Example 1 These violated assumptions can be remedied in many ways – make the unwise liable – explicitly tie liability to control – education, education, education – reducing the extent of their full control None is completely satisfactory
Example 4 Interdisciplinary perspectives on IT Security With particular reference to perspectives on International Relations & Human Rights Ashiyan Rahmani-Shirazi
DDOS on Human Rights NGOs 'Distributed Denial of Service (DDoS) is an increasingly common Internet phenomenon capable of silencing Internet speech, usually for a brief interval but occasionally for longer. In this paper, we explore the specific phenomenon of DDoS attacks on independent media and human rights organizations, seeking to understand the nature and frequency of these attacks, their efficacy, and the responses available to sites under attack. Our report offers advice to independent media and human rights sites likely to be targeted by DDoS but comes to the uncomfortable conclusion that there is no easy solution to these attacks for many of these sites, particularly for attacks that exhaust network bandwidth.' Berkman Center for Internet & Society report, "Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites" by Ethan Zuckerman et al., December 20th 2010.
IT Security & IR - sample attack SQL injection attack carried out on the UN website homepage in August 2007
Social Media & Political Change Twitter and Iran (WashingtonPost) – The US State Department asked Twitter to delay scheduled maintenance in June to avoid disrupting communications among tech-savvy Iranian citizens – Cyberactivism also harmful - a lot of calls for Twitter users to participate in cyber-attacks on pro-government Web sites in Iran.
China, Power & the Net. China and Google (www.arstechnica.com) Facebook and Twitter are blocked for their ability to organize groups with anti-government intentions Leading Chinese video sites Youku.com and Tudou.com actively monitor submissions and delete those that they consider inappropriate or in violation of Chinese law. Chinese government attack on pro-Tibetan NGO's Attack on NGO critical of Chinese policy in Darfur Five DDOS attacks on Chinese human rights activist websites in January 2010
Threat Analysis Insider attacks - including recent Wikileaks attacks on US Government. Organisational Facebook policy/Twitter policy? 'Enemy' Governmental attacks e.g. Human rights NGO's intrusion by Human Rights abuser states. 'Home' Governmental attacks e.g. US government monitoring. Internal threats Competing organisations. Hackers/Profiteering/Wackos.
Some existing IT security multidisciplinary research & NGOs Electronic Frontier Foundation - www.eff.orgwww.eff.org Tactical Technology Collective - www.tacticaltech.orgwww.tacticaltech.org Frontline - www.frontlinedefenders.orgwww.frontlinedefenders.org Harvard Berkman Centre - cyber.law.harvard.edu
MSC Thesis - 'A study of and best practices for IT security for the Baha'i International Community - United Nations Office' Abstract For many small organizations operating in a sensitive political, religious, or social context, information security is a critical concern. This dissertation reports upon a study of the current IT security framework of the offices of a non-governmental organization (NGO): the Baha'i International Community United Nations Office (BICUNO), based in New York and Geneva. The study makes use of questionnaires and interviews to determine the current practices and requirements of staff (IT and general), in terms of security related activities. An analysis of current practices, looking at strengths and weaknesses, is performed in the context of the current literature, including the ISO 27002 standard, on security practices. A number of recommendations are presented, in the form of "best security practices", for adoption in this and similar settings.
Thank You! Ashiyan Rahmani-Shirazi MA Kellogg College, Oxford MSC (candidate) - Software Engineering email: firstname.lastname@example.org + Wheat Atlas Intern, www.cimmyt.org Business Development Manager (p/t), www.ascertica.com
The Story so Far Issues in security (a.k.a. risk management) give rise to questions in – cryptography, networking, systems engineering, – law, ethics, criminology, psychology, education – business, management, economics, politics All but the simplest questions cross boundaries among these – Security economics is a well-established discipline – Likewise usability in security, perhaps to a lesser extent with work on psychological acceptability etc. – Technologists sometimes talk to regulators Trusted Computing is a good example – Others study ICT policy in its own right –...
Security Ecosystem Representative examples; Trademarks belong to their respective owners ISO27000
So we have a multi-billion dollar security industry – much of it geared towards yesterdays threats points of contact with academic research are numerous, but patchy robust methodologies for tough questions are missing should staff be allowed to connect smartphones and tablets to my infrastructure? should staff be allowed to store corporate data on their own smartphones and tablets? should staff be allowed to connect smartphones and tablets to my infrastructure? should staff be allowed to store corporate data on their own smartphones and tablets?
Disruptive Technology smart metering personalized medicine electronic healthcare records e- Government social networking smartphones and tablets IPTV connected home internet of things multi-purpose sensor networks road pricing everything- as-a-service Large scale; heterogeneous Inherent complexity Mostly rather unlike the personal computer we have known until now Immense value to society Big investment by individuals Unexpectedly becoming critical infrastructure Almost total de- materialization of the boundary Many interested parties; many administrators
Role of the University joined-up thinking – without an axe to grind, maybe questions everyone wants answered trusted third party skill sets related to those found in business/government – together with those that are not! testbed – large, complex, dynamic network with great experimental subjects :) technologists? cryptographers? lawyers? educators? economists? politicians? regulators? business leaders? the military? social scientists? psychologists?
Vision for an institute permanent centre to study these ideas needs lasting links to existing disciplines where do CIOs go to school? – where do they get their CPD? where are the stimulating sources of ideas? where do they go for non-partisan advice?
Menu of activities Masters in business and information security Pure academic research at this nexus Boundary-crossing research, and applied research (DTC, EngD) Contract research Open-ended research Public understanding Leadership professional secondments strengthening the Universitys own security
Conclusion 1. the challenge of information security will continue to grow as our digital economy grows 2. no single discipline can meet that challenge alone 3. a university – in general, and this one in particular – is well-placed to make the right connections
COMPUTING LABORATORY SOFTWARE ENGINEERING PROGRAMME SOFTWARE AND SYSTEMS SECURITY Andrew Martin, MA, DPhil, MBCS, CEng, CITP Deputy Director, Software Engineering Programme Wolfson Building, Parks Road, Oxford OX1 3QD, UK. +44 (0) 1865 283605 Andrew.Martin@comlab.ox.ac.uk www.softeng.ox.ac.uk/andrew.martin COMPUTING LABORATORY SOFTWARE ENGINEERING PROGRAMME SOFTWARE AND SYSTEMS SECURITY Andrew Martin, MA, DPhil, MBCS, CEng, CITP Deputy Director, Software Engineering Programme Wolfson Building, Parks Road, Oxford OX1 3QD, UK. +44 (0) 1865 283605 Andrew.Martin@comlab.ox.ac.uk www.softeng.ox.ac.uk/andrew.martin 28