Information Security
Roger Clarke, Xamax Consultancy, Canberra. Copyright 1995-2006.
(Presentation transcript)

Slide 1: Information Security
Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce at Uni of Hong Kong, Computer Science at A.N.U.
/ EC/SecyMq ppt, IntroSecy.html
LAW 868 – Electronic Commerce and the Law, Macquarie University – 14 September 2006

Slide 2: Agenda
1. What's Security?
2. Dimensions of the Problem
3. Technical Elements of the Solution
4. Organisational Processes
5. The Legal Framework

Slide 3: The Notion of Security
Security is used in at least two senses:
- a condition in which harm does not arise, despite the occurrence of threatening events
- a set of safeguards whose purpose is to achieve that condition
Key Concepts: Harm, Threatening Event, Safeguard

Slide 4: Security writ Broad
- Security of Service: Reliability, Robustness, Resilience, Accessibility, Usability
- Security of Investment
- Business Survivability

Slide 5: Information Security
- Data Quality
- Data Accessibility: by those who should; by others
- Data Usability

Slide 6: Data Life-Cycle (diagram only; no text in the transcript)

Slide 7: Dimensions of the Problem
- Threatening Events: Natural, Accidental, Intentional
- Harm that results
- Situations in which Threats arise
- Countermeasures
- Counter-Countermeasures

Slide 8: Categories of Threatening Event
- Natural Threats, i.e. Acts of God or Nature
- Accidental Threats:
  - By Humans who are directly involved
  - By other Humans
  - By Machines and machine-designers
- Intentional Threats:
  - By Humans who are directly involved
  - By other Humans

Slide 9: Categories of Harm
- Personal Injury
- Property Damage
- Data Loss, Alteration, Access or Replication
- Asset Value Loss
- Reputation or Confidence Loss
- Financial Loss
- Opportunity Cost

Slide 10: Situations in Which Threats Arise
- Computing and Comms Facilities, incl. Data Storage, Software and Data Transmission, of: The Organisation; Service Providers; Users; Others
- Physical Premises housing relevant facilities
- Supporting Infrastructure, incl. data cabling, telecomms infrastructure, electrical supplies, air-conditioning, fire protection systems
- Manual Processes, Content and Data Storage

Slide 11: Situations in Which Threats Arise (diagram only; no text in the transcript)

Slide 12: Layers of Questions
- Are your computer and its location secure?
- Is computing secure?
- Is network-connection secure?
- Are networks secure?
- Is Internet infrastructure secure?
- Are Internet applications secure?
- Are eCommerce applications secure?

Slide 13: Content Transmission Key Risks
(1) Non-Receipt of a message by the intended recipient
(2) Access by an unintended person or organisation
(3) Change to the contents while in transit
(4) Receipt of a false message
(5) Wrongful denial

Slide 14: Content Transmission Security Key Requirements
(1) Message Content Security / Confidentiality
(2) Message Content Integrity
(3) Authentication of the Sender and Recipient
(4) Non-Repudiation by the Sender and Recipient
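Requirements (2) and (3) above can be met with a shared-key message authentication code, and risk (4) of slide 13 (receipt of a false message, including a replayed one) with a sequence number covered by that code. The Python below is an added illustration, not part of Clarke's slides: the key, the frame format, the Receiver class and the sample messages are all constructed for the demo. Note what this mechanism does not provide: confidentiality (the payload travels in clear) and non-repudiation, because both ends hold the same key and either could have produced the tag; that gap is what the digital signatures and PKI referenced on slide 21 address.

```python
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32   # HMAC-SHA256 output length in bytes
SEQ_LEN = 8    # sequence number width in bytes

# Constructed demo key shared by sender and recipient; a real deployment
# would use a fresh random key per pair, e.g. from a key exchange.
DEMO_KEY = bytes(range(32))


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build a frame: seq || payload || HMAC-SHA256(key, seq || payload).

    The tag covers the sequence number as well as the payload, so neither
    can be altered in transit or fabricated by a party without the key
    without the recipient noticing.
    """
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Recipient state: the shared key and the highest sequence number seen."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes) -> Optional[bytes]:
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None  # malformed or truncated frame
        header = frame[:SEQ_LEN]
        payload = frame[SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak, via timing, how
        # many leading bytes of a guessed tag were correct.
        if not hmac.compare_digest(expected, tag):
            return None  # altered in transit or forged without the key
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:
            return None  # replayed or out-of-order frame
        self.last_seq = seq
        return payload


def demo() -> dict:
    """The cases a practitioner wants to see: good, tampered, replayed, forged."""
    rx = Receiver(DEMO_KEY)
    good = protect(DEMO_KEY, 1, b"transfer 100 to account 42")

    tampered = bytearray(good)
    tampered[SEQ_LEN + 9] ^= 0x01  # flip one bit of the amount in the payload
    forged = protect(b"wrong key", 2, b"transfer 900 to account 42")

    return {
        "good": rx.accept(good),
        "tampered": rx.accept(bytes(tampered)),
        "replayed": rx.accept(good),  # the same frame delivered a second time
        "forged": rx.accept(forged),
        "next": rx.accept(protect(DEMO_KEY, 2, b"ok")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9s} -> {result!r}")
```

Only the first and last cases yield a payload; the tampered, replayed and forged frames are all rejected before any application code sees them.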

Slide 15: Specific Threats - by Outsiders
- Physical Intrusion
- Masquerade
- Social Engineering...
- Phishing...
- Electronic Intrusion
- Interception
- Cracking / Hacking
- Bugs, Trojans, Backdoors, Masquerade
- Infiltration by Software with a Payload...
==>> Host/Server-side and User/Client-side

Slide 16: Infiltration by Software with a Payload
- Software (the Vector): Pre-Installed; User-Installed; Virus; Worm...
- Payload:
  - Trojan: Undocumented; Documented
  - Spyware: Software Monitor; Adware; Keystroke Logger...

Slide 17: Specific Threats - by Insiders
- Abuse of Privilege: Hardware; Software; Data
- Masquerade
- Social Engineering
- Physical Intrusion
- Electronic Intrusion
- Interception
- Cracking / Hacking
- Bugs, Trojans, Backdoors, Masquerade
- Infiltration by Software with a Payload
- Host/Server-side and User/Client-side

Slide 18: The Malware Menagerie
Virus, Worm, Trojan Horse, Spyware, Backdoor / Trapdoor, Zombie, Exploit, Phishing

Slide 19: Technical Elements of I.T. Security
- Physical Security: Sites, Equipment, Data, Software, Documentation
- Logical Security: Computer Processes, Data, Software, Documentation
- Network Security
- Defence-in-Depth
- Intrusion Detection

Slide 20: Technological and Organisational Measures
- Legal / Contractual Context
- Physical Access Restrictions
- Logical Access Restrictions
- Immediacy of Warning as to the Legality of the Action and Consequences
- Positive Acknowledgement
- Audit Trail of Accesses
- Analysis and Enforcement
Source: Weber R. Information Systems and Control, Prentice-Hall 1990, Chs 3-9 (Mgmt Ctls) and Chs (Application Ctls)

Slide 21: Cryptography as Magic Bullet
- For Message Transmission Security
- For Data Storage Security
- For (Identity) Authentication
References:
- Clarke R. Message Transmission Security (or 'Cryptography in Plain Text'), Privacy Law & Policy Reporter 3, 2 (May 1996)
- Clarke R. The Fundamental Inadequacies of Conventional Public Key Infrastructure, Proc. Conf. ECIS'2001, Bled, Slovenia, June 2001

Slide 22: Access Control
- Identification: the process whereby data is associated with a particular Identity
- Authentication: the process of testing an Assertion in order to establish a level of confidence in the Assertion's reliability, incl. Authentication of Identity Assertions
- Authorisation: the assignment of privileges to an Identity

Slide 23: Phases in Access Control (diagram only; no text in the transcript)

Slide 24: Tools Used for Identity Authentication
Tool | Requirements to be Effective
- The Writing of a Signature | Signature on file, procedures
- Knowledge, especially: | Information, processes
  - username/passwd pair | authorisation file
  - PIN | hash of the PIN
  - non-secure PIN | the PIN itself
- Tokens, including:
  - Dumb, e.g. photo-id | Clear view of the person, ...
  - Digital Signature, incl. SSL/TLS, Dig. Cert. | Public key, much software, PKI, much law, much faith
  - Clever, e.g. chipcard | Hardware, software, ...
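Slides 22 and 24 together describe the three phases of access control and note that a knowledge-based authenticator should be stored as a hash rather than as the secret itself. The Python below is an added example, not code from the slides: it enrols a constructed demo account, stores a salted PBKDF2 hash of the password (the "authorisation file"), runs identification, authentication and authorisation in order for each request, and writes every outcome to an audit trail of the kind listed on slide 20. The function names, the store layout and the audit-line format are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# PBKDF2 work factor, kept low so the demo runs quickly; production
# systems use a much higher count or a memory-hard KDF.
ITERATIONS = 50_000
SALT_LEN = 16

UserStore = Dict[str, dict]  # username -> {"salt", "hash", "privileges"}


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enrol(store: UserStore, username: str, password: str, privileges) -> None:
    """Record a salted hash of the password, never the password itself,
    together with the privileges assigned to this identity."""
    salt = secrets.token_bytes(SALT_LEN)
    store[username] = {
        "salt": salt,
        "hash": _derive(password, salt),
        "privileges": frozenset(privileges),
    }


def authenticate(store: UserStore, username: str, password: str) -> bool:
    """Test the assertion 'I am <username>', using the password as evidence."""
    record = store.get(username)
    if record is None:
        # Do the same amount of work for an unknown name, so that response
        # time does not reveal which usernames exist.
        _derive(password, bytes(SALT_LEN))
        return False
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


def authorise(store: UserStore, username: str, privilege: str) -> bool:
    """Check whether the (already authenticated) identity holds the privilege."""
    record = store.get(username)
    return record is not None and privilege in record["privileges"]


def request_access(store: UserStore, audit: List[str],
                   username: str, password: str, privilege: str) -> bool:
    """Run the three phases in order and log each outcome to the audit trail."""
    # 1. Identification: the request names an identity.
    audit.append(f"identify user={username}")
    # 2. Authentication: test that identity assertion.
    if not authenticate(store, username, password):
        audit.append(f"authenticate user={username} result=FAIL")
        return False
    audit.append(f"authenticate user={username} result=OK")
    # 3. Authorisation: consult the privileges assigned to the identity.
    allowed = authorise(store, username, privilege)
    audit.append(f"authorise user={username} privilege={privilege} "
                 f"result={'OK' if allowed else 'DENY'}")
    return allowed


if __name__ == "__main__":
    users: UserStore = {}
    trail: List[str] = []
    # Constructed demo account with a single privilege.
    enrol(users, "alice", "correct horse battery staple", ["read"])
    print(request_access(users, trail, "alice", "correct horse battery staple", "read"))
    print(request_access(users, trail, "alice", "wrong password", "read"))
    print(request_access(users, trail, "alice", "correct horse battery staple", "write"))
    print("\n".join(trail))
```

The audit trail records a failed authentication and a denied authorisation as distinct events, which is what the analysis-and-enforcement step on slide 20 needs in order to tell a guessed password from a legitimate user exceeding their privileges.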

Slide 25: Firewalls
A firewall is a device interposed between a network and the Internet, which determines:
- which incoming traffic is permitted
- which outgoing traffic is permitted
Types of Firewall Processing:
- Application Layer – Proxy-Server / Gateway
- Network Layer – Packet-Filtering Router
- Circuit-Level (Physical Layer) Gateway

Slide 26: The Layers of Internet Protocols (diagram only; no text in the transcript)

Slide 27: Packet-Filtering Router
- Packets are forwarded according to filtering rules
- The rules are applied to the data available in the packet header, i.e.:
  - Source IP address
  - Destination IP address
  - TCP/UDP source port
  - TCP/UDP destination port
  - ICMP message type
  - Encapsulated protocol information (TCP, UDP, ICMP or IP tunnel)

Slide 28: Commonly-Open Ports
- 20, 21 (ftp) or 115 (sftp)
- 23 (telnet) or 22 (ssh)
- 25 (smtp)
- 53 (dns)
- S (server): 80 (http), 443 (https); C (client): a big number (http)
- 110 (pop)
- 123 (ntp)
- 161 (snmp)
- 427 (slp)
- 548 (afp)
- 631 (ipp)
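Slides 27 and 28 describe a packet-filtering router as a first-match rule set over header fields, using well-known port numbers. The Python below is an added example, not from the slides: it models exactly those header fields, evaluates an ordered rule list with a default-deny fall-through, and applies a constructed policy for a hypothetical internal network 192.0.2.0/24 with a web server at 192.0.2.10 (documentation address ranges, not real hosts). The Packet and Rule classes and the policy are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter can see (slide 27)."""
    proto: str                       # "tcp", "udp" or "icmp"
    src: str                         # source IP address
    dst: str                         # destination IP address
    sport: Optional[int] = None      # TCP/UDP source port
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMP message type


@dataclass(frozen=True)
class Rule:
    """One filtering rule; None means 'any' for that field."""
    action: str                      # "permit" or "deny"
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Optional[FrozenSet[int]] = None
    icmp_types: Optional[FrozenSet[int]] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.icmp_types is not None and p.icmp_type not in self.icmp_types:
            return False
        return True


def filter_packet(rules: List[Rule], packet: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default (deny)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Constructed policy (hypothetical network, documentation addresses).
INTERNAL = "192.0.2.0/24"
WEB_SERVER = "192.0.2.10/32"

RULES = [
    # Anyone may reach the web server on http/https.
    Rule("permit", "tcp", dst=WEB_SERVER, dports=frozenset({80, 443})),
    # Telnet is refused everywhere, including from inside; ssh replaces it.
    Rule("deny", "tcp", dports=frozenset({23})),
    # Internal hosts may administer the web server over ssh ...
    Rule("permit", "tcp", src=INTERNAL, dst=WEB_SERVER, dports=frozenset({22})),
    # ... and query external dns.
    Rule("permit", "udp", src=INTERNAL, dports=frozenset({53})),
    # Internal hosts may send ICMP echo requests (type 8) outwards.
    Rule("permit", "icmp", src=INTERNAL, icmp_types=frozenset({8})),
]


def decide(packet: Packet) -> str:
    return filter_packet(RULES, packet)


if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.7", "192.0.2.10", 51000, 443),
        Packet("tcp", "198.51.100.7", "192.0.2.10", 51000, 23),
        Packet("tcp", "198.51.100.7", "192.0.2.10", 51000, 22),
        Packet("udp", "192.0.2.5", "198.51.100.53", 51000, 53),
        Packet("icmp", "198.51.100.1", "192.0.2.5", icmp_type=8),
    ]
    for p in samples:
        print(f"{decide(p):6s} {p}")
```

Because the filter is stateless, it cannot tell a reply to an internal client's request from an unsolicited inbound packet; that is why the client's "big number" ephemeral port on slide 28 is awkward to handle with header-only rules and why stateful filtering and the proxy gateways of slide 25 exist.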

Slide 29: Organisational Processes
- Users
- Technical Operations
- Supervisors and Managers
- Application Developers

Slide 30: Summary of Key Terms
- Threat: a circumstance that could result in Harm
- Vulnerability: a susceptibility to a Threat
- Threatening Event: an occurrence of a Threat
- Safeguard: a measure to prevent, to enable detection or investigation of, or to mitigate Harm from, a Threatening Event
- Risk: the likelihood of Harm arising from a Threat; a measure of the likelihood and/or seriousness of Harm arising from a Threatening Event impinging on a Vulnerability and not being dealt with satisfactorily by the existing Safeguards

Slide 31: Security Risk Assessment Process (diagram only; no text in the transcript)
Source: Browne L. Security Risk Management Overview, February 2004

Slide 32: Generic Risk Management Strategies
- Proactive Strategies: Avoidance, Deterrence, Prevention
- Reactive Strategies: Isolation, Recovery, Transference, Insurance
- Non-Reactive Strategies: Tolerance, Abandonment, Dignified Demise, Graceless Degradation

Slide 33: Costs of Risk Mitigation
- Executive time, for assessment, planning, control
- Consultancy time, for assessment, design
- Operational staff time for: training, rehearsals, incident handling, backups
- Loss of service to clients during backup time
- Computer time for backups
- Storage costs for on-site and off-site (fire backup) copies of software, data and log-files
- Redundant hardware and networks
- Contracted support from a 'hot-site' / 'warm-site'

Slide 34: The Legal Framework
- Specific Laws: Security; Privacy
- Laws with Incidental Effect
- Pseudo-Regulation (aka Self-Regulation), in particular mere Industry Codes
- Standards
- Professionalism

Slide 35: Directly Relevant Laws – Security
- Computer Crimes, Cybercrimes:
  - Crimes Legislation Amendment Act 1989, Cybercrime Act 2001
  - Criminal Code Act 1995 Part 10.7 Computer offences: unauthorised access, modification or impairment
  - possession of security software ??
  - use of data encryption ??
- Telecommunications Interception
- Listening Devices / Surveillance Devices
- Possible future mandatory reporting of data breaches (OFPC submission to ALRC Enquiry, August 2006)

Slide 36: Directly Relevant Laws – Privacy
- Privacy Act 1988 (Cth): for Fedl Govt, IPP 4 in s.14; for Pte Sector, NPP 4 in Schedule 3
- Privacy / Data Protection in the States and Territories: Vic, NSW, ACT, NT, Tas; WA, SA, Qld

Slide 37: Incidentally Relevant Laws
- Agencies' Own Legislation
- Sectoral Legislation, e.g. Banking
- Corporations Law / Directors' Responsibilities...

Slide 38: Australian Government Expectations (diagram only; no text in the transcript)
Source: Convergence e-Business Solutions, 2004

Slide 39: Australian Government e-Authentication Framework (AGAF)
- Decide what statements need to be authenticated
- Use risk assessment techniques in order to decide on the level of assurance needed
- From among the alternative e-authentication mechanisms, select an appropriate approach
- Assess the impact on public policy concerns such as privacy and social equity
- Implement
- Evaluate

Slide 40: A Mini-Case Study in Forensics
Offensive Content on an Employee's Workstation
Relevant Sources of Insecurity include:
- Workstation Hardware, OS and Apps
- Internet-Connection
- Physical Access
- Inadequate Logical Protections
- Software Action without User Knowledge
- Malware (virus, worm, trojan)
- Hacking (script, backdoor, zombie)
Examination and Evidence are Essential


Slide 43: References
Readings:
- Clarke R. (2001) Introduction to Information Security
- AUSCERT (2001) Know Thy Attacker
- Anderson R. (2003) Trusted Computing Frequently Asked Questions
Recommended Reading:
- NIST (2003) Guide to Selecting Information Technology Security Products 36.pdf
- American Bar Association Digital Signatures Guidelines – Tutorial

Slide 44: Additional References
- Security
- Information_security (techo)
- Malware
- Waters N. & Greenleaf G. IPPs examined: The Security Principle, Privacy Law and Policy Reporter [2004] 36
- Morison J. Computer Security -- a survey of 137 Australian agencies, Privacy Law and Policy Reporter [1996] 3 PLPR 67
- Cybercrime / Computer Crime Legislation

Slide 45: Additional References
- Lehtinen R. Computer Security Basics, O'Reilly
- Weber R. Information Systems and Control, Prentice-Hall 1990, Chs 3-9 (Mgmt Ctls) and Chs (Application Ctls)
- Anderson R.J. Security Engineering: A Guide to Building Dependable Distributed Systems, Wiley 2001
- Mitnick K.D. & Simon W.L. The Art of Deception: Controlling the Human Element of Security, Wiley 2002
- Stamp M. Information Security: Principles and Practice, Wiley 2006

Slide 46: Official Sources – Australian Govt
- Aust Govt Online Security Mandates and Guidelines
- Aust Govt Protective Security Manual (PSM 2005) ive_Security_Manual
- Aust Govt Information and Communications Technology Security Manual (ACSI 33)
- Office of the Federal Privacy Commissioner (OFPC) Info Sheet: Security and Personal Information
- SCAG Model Criminal Code, January 2001, Part 4.2 Computer Offences, pp CA256BB20083B557?OpenDocument

Slide 47: Official Sources – Standards and Intl
- Aust. Standards:
  - IT - Code of practice for info security management, AS 17799:2001
  - Info Security Management Systems, AS/NZS :2000
  - Risk Management AS
  - Handbook for Management of IT Evidence, 10 Dec 2003
- NIST Computer Security
- OECD Guidelines: The Security of Info Systems and Networks: Towards a Culture of Security
- EU Commission: Network and Information Security: Proposal for a European Policy Approach ments/netsec/netsec_en.doc
- Also Council of Europe Convention on Cybercrime, 2001

Slide 48: Information Security (closing slide; repeats the title, affiliation, file and course details of Slide 1)
