
Copyright, 1995-2006 1 Information Security Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce.


Slide 1: Information Security
Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce at Uni of Hong Kong, Computer Science at A.N.U.
http://www.anu.edu.au/people/Roger.Clarke/...... / EC/SecyMq-060914.ppt, IntroSecy.html
LAW 868 – Electronic Commerce and the Law
Macquarie University – 14 September 2006

Slide 2: Information Security – Agenda
1. What's Security?
2. Dimensions of the Problem
3. Technical Elements of the Solution
4. Organisational Processes
5. The Legal Framework

Slide 3: The Notion of Security
Security is used in at least two senses:
  a condition in which harm does not arise, despite the occurrence of threatening events
  a set of safeguards whose purpose is to achieve that condition
Key Concepts: Harm, Threatening Event, Safeguard

Slide 4: Security writ Broad
Security of Service:
  Reliability
  Robustness
  Resilience
  Accessibility
  Usability
Security of Investment
Business Survivability

Slide 5: Information Security
Data Quality
Data Accessibility:
  by those who should
  by others
Data Usability

Slide 6: Data Life-Cycle

Slide 7: 2. Dimensions of the Problem
Threatening Events: Natural, Accidental, Intentional
Harm that results
Situations in which Threats arise
Countermeasures
Counter-Countermeasures

Slide 8: Categories of Threatening Event
Natural Threats, i.e. Acts of God or Nature
Accidental Threats:
  By Humans who are directly involved
  By other Humans
  By Machines and machine-designers
Intentional Threats:
  By Humans who are directly involved
  By other Humans

Slide 9: Categories of Harm
Personal Injury
Property Damage
Data Loss, Alteration, Access or Replication
Asset Value Loss
Reputation or Confidence Loss
Financial Loss
Opportunity Cost

Slide 10: Situations in Which Threats Arise
Computing and Comms Facilities, incl.:
  Data Storage
  Software
  Data
  Transmission
of:
  The Organisation
  Service Providers
  Users
  Others
Physical Premises housing relevant facilities
Supporting Infrastructure, incl. data cabling, telecomms infrastructure, electrical supplies, air-conditioning, fire protection systems
Manual Processes, Content and Data Storage

Slide 11: Situations in Which Threats Arise

Slide 12: Layers of Questions
Are your computer and its location secure?
Is computing secure?
Is network-connection secure?
Are networks secure?
Is Internet infrastructure secure?
Are Internet applications secure?
Are eCommerce applications secure?

Slide 13: Content Transmission – Key Risks
(1) Non-Receipt of a message by the intended recipient
(2) Access by an unintended person or organisation
(3) Change to the contents while in transit
(4) Receipt of a false message
(5) Wrongful denial

Slide 14: Content Transmission Security – Key Requirements
(1) Message Content Security / Confidentiality
(2) Message Content Integrity
(3) Authentication of the Sender and Recipient
(4) Non-Repudiation by the Sender and Recipient
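As an added example (not part of the original deck), the risk-to-requirement mapping of slides 13 and 14 worked through in Python with a keyed hash (HMAC). The shared key, the order message and the tags are constructed assumptions; the block shows which of the four requirements a shared-key scheme meets and which it cannot.

```python
import hashlib
import hmac

# Constructed sample key (assumption): agreed in advance by sender and recipient.
SHARED_KEY = b"constructed-demo-key"


def seal(message: bytes, key: bytes) -> str:
    """Sender side: compute an HMAC-SHA256 tag over the message content.
    The tag travels alongside the message.  The content itself is still sent
    in clear, so requirement (1), confidentiality, is not met without
    encryption on top."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(message: bytes, tag: str, key: bytes) -> bool:
    """Recipient side: recompute the tag and compare in constant time.
    A mismatch means the content changed in transit (risk 3) or the tag was
    produced without the key, i.e. a false message (risk 4)."""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def run_scenarios() -> dict:
    """Walk the deck's risks through with a constructed order message."""
    msg = b"ORDER 1000 units; pay AUD 50000 to account 12-345"
    tag = seal(msg, SHARED_KEY)
    tampered = msg.replace(b"12-345", b"99-999")         # altered in transit
    outsider_tag = seal(msg, b"some-other-key")          # made without the key
    forged = b"ORDER 2000 units"
    forged_tag = seal(forged, SHARED_KEY)                # recipient holds the key too
    return {
        "genuine_accepted": verify(msg, tag, SHARED_KEY),
        "tampering_detected": not verify(tampered, tag, SHARED_KEY),
        "false_message_detected": not verify(msg, outsider_tag, SHARED_KEY),
        # Requirement (4), non-repudiation, is NOT met by a shared key: the
        # recipient can seal any message exactly as the sender would, so a
        # valid tag cannot prove to a third party which party produced it.
        # That is the gap digital signatures (slide 21) are meant to close.
        "recipient_forgery_accepted": verify(forged, forged_tag, SHARED_KEY),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```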

Slide 15: Specific Threats – by Outsiders
Physical Intrusion
  Masquerade
  Social Engineering...
  Phishing...
Electronic Intrusion
  Interception
  Cracking / Hacking
  Bugs, Trojans, Backdoors, Masquerade
  Infiltration by Software with a Payload...
==>> Host/Server-side and User/Client-side

Slide 16: Infiltration by Software with a Payload
Software (the Vector):
  Pre-Installed
  User-Installed
  Virus
  Worm...
Payload:
  Trojan: Undocumented, Documented
  Spyware: Software Monitor, Adware, Keystroke Logger...

Slide 17: Specific Threats – by Insiders
Abuse of Privilege: Hardware, Software, Data
Masquerade
Social Engineering
Physical Intrusion
Electronic Intrusion
  Interception
  Cracking / Hacking
  Bugs, Trojans, Backdoors, Masquerade
  Infiltration by Software with a Payload
Host/Server-side and User/Client-side

Slide 18: The Malware Menagerie
Virus
Worm
Trojan Horse
Spyware
Backdoor / Trapdoor
Zombie
Exploit
Phishing

Slide 19: 3. Technical Elements of I.T. Security
Physical Security: Sites, Equipment, Data, Software, Documentation
Logical Security: Computer Processes, Data, Software, Documentation
Network Security
Defence-in-Depth
Intrusion Detection

Slide 20: Technological and Organisational Measures
Legal / Contractual Context
Physical Access Restrictions
Logical Access Restrictions
Immediacy of Warning As To the Legality of the Action and Consequences
Positive Acknowledgement
Audit Trail of Accesses
Analysis and Enforcement
http://www.anu.edu.au/people/Roger.Clarke/DV/PaperICAC.html
Weber R. Information Systems and Control, Prentice-Hall 1990, Chs 3-9 (Mgmt Ctls) and Chs 10-15 (Application Ctls)

Slide 21: Cryptography as Magic Bullet
For Message Transmission Security
For Data Storage Security
For (Identity) Authentication
Clarke R. Message Transmission Security (or 'Cryptography in Plain Text'), Privacy Law & Policy Reporter 3, 2 (May 1996) 24-27, http://www.anu.edu.au/people/Roger.Clarke/II/CryptoSecy.html
Clarke R. The Fundamental Inadequacies of Conventional Public Key Infrastructure, Proc. Conf. ECIS'2001, Bled, Slovenia, 27-29 June 2001, http://www.anu.edu.au/people/Roger.Clarke/II/ECIS2001.html

Slide 22: Access Control
Identification: The process whereby data is associated with a particular Identity
Authentication: The Process of Testing an Assertion in order to establish a level of confidence in the Assertion's reliability, incl. Authentication of Identity Assertions
Authorisation: The assignment of privileges to an Identity

Slide 23: Phases in Access Control

Slide 24: Tools Used for Identity Authentication
Tool: The Writing of a Signature
  Requirements to be Effective: Signature on file, procedures
Tool: Knowledge, especially:
  Requirements to be Effective: Information, processes
  username/passwd pair: authorisation file
  PIN: hash of the PIN
  non-secure PIN: the PIN itself
Tool: Tokens, including:
  Dumb, e.g. photo-id: Clear view of the person, ...
  Digital Signature, incl. SSL/TLS, Dig. Cert.: Public key, much software, PKI, much law, much faith
  Clever, e.g. chipcard: Hardware, software, ...
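The "hash of the PIN" versus "the PIN itself" rows of slide 24, worked through as an added example (not the deck's own code). ITERATIONS, the constructed sample PINs and the lockout threshold are assumptions; PBKDF2 with a per-user salt is the hashing scheme chosen here, the deck does not prescribe one.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumption: raise it for production use


def enrol(pin: str) -> dict:
    """Build the authorisation-file record for a PIN.  Only a per-user salt and
    an iterated hash are stored, so the record alone does not disclose the PIN
    (the 'hash of the PIN' requirement on slide 24)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def enrol_insecurely(pin: str) -> dict:
    """The 'non-secure PIN' row of slide 24: the PIN itself is on file, so
    anyone who can read the file can authenticate as the user."""
    return {"pin": pin}


def authenticate(record: dict, pin: str) -> bool:
    """Test the assertion 'I know the PIN' against a stored record."""
    if "pin" in record:                       # insecure record: direct comparison
        return hmac.compare_digest(record["pin"], pin)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate.hex(), record["hash"])


class Authenticator:
    """Hashing only slows an offline guesser; a 4-digit PIN has 10,000 values,
    so an online lockout after a few failures is the safeguard that matters."""

    def __init__(self, record: dict, max_failures: int = 3) -> None:
        self.record, self.max_failures, self.failures = record, max_failures, 0

    def attempt(self, pin: str) -> str:
        if self.failures >= self.max_failures:
            return "locked"
        if authenticate(self.record, pin):
            self.failures = 0
            return "accepted"
        self.failures += 1
        return "locked" if self.failures >= self.max_failures else "rejected"
```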

Slide 25: Firewalls
A firewall is a device interposed between a network and the Internet, which determines:
  which incoming traffic is permitted
  which outgoing traffic is permitted
Types of Firewall Processing:
  Application Layer – Proxy-Server / Gateway
  Network Layer – Packet-Filtering Router
  Circuit-Level (Physical Layer) Gateway

Slide 26: The Layers of Internet Protocols

Slide 27: Packet-Filtering Router
Packets are forwarded according to filtering rules
The rules are applied to the data available in the packet header, i.e.
  Source IP address
  Destination IP address
  TCP/UDP source port
  TCP/UDP destination port
  ICMP message type
  Encapsulated protocol information (TCP, UDP, ICMP or IP tunnel)

Slide 28: Commonly-Open Ports
20, 21 (ftp) or 115 (sftp)
23 (telnet) or 22 (ssh)
25 (smtp)
53 (dns)
S: 80 (http), 443 (https)
C: a big number (http)
110 (pop)
123 (ntp)
161 (snmp)
427 (slp)
548 (afp)
631 (ipp)
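An added example (not from the deck) that applies the header-field rules of slide 27 to a rule set built from the ports on slide 28, with first-match semantics and default deny. The addresses, the rule set and the packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:                       # the header fields a packet filter sees (slide 27)
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: Optional[int] = None     # ephemeral on the client side ("a big number")
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # any source unless narrowed to a network
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None means "any"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and self.proto in (None, p.proto)
            and self.dport in (None, p.dport)
            and self.icmp_type in (None, p.icmp_type)
        )

def filter_packet(rules: list, p: Packet) -> str:
    """First matching rule wins; a packet matching no rule is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"

# Constructed rule set (assumption): 203.0.113.0/24 is the organisation's network and
# 203.0.113.10 its public web server.  Inbound http/https to that server is permitted,
# telnet is denied everywhere, and outbound ssh, smtp and dns from inside are permitted.
RULES = [
    Rule("deny", dport=23),
    Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("permit", src="203.0.113.0/24", proto="tcp", dport=22),
    Rule("permit", src="203.0.113.0/24", proto="tcp", dport=25),
    Rule("permit", src="203.0.113.0/24", proto="udp", dport=53),
    Rule("permit", proto="icmp", icmp_type=8),    # echo request only
]
```

A stateless filter like this judges each packet on its own header, so it cannot tell a reply belonging to a permitted outbound connection from unsolicited inbound traffic; that is why slide 28 lists the client side of http as "a big number", an ephemeral port that a stateless rule can only permit as a range.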

Slide 29: 4. Organisational Processes
Users
Technical Operations
Supervisors and Managers
Application Developers

Slide 30: Summary of Key Terms
Threat: A circumstance that could result in Harm
Vulnerability: A susceptibility to a Threat
Threatening Event: An occurrence of a Threat
Safeguard: A measure to prevent, to enable detection or investigation of, or to mitigate Harm from, a Threatening Event
Risk:
  The likelihood of Harm arising from a Threat
  A measure of the likelihood and/or seriousness of Harm arising from a Threatening Event impinging on a Vulnerability and not being dealt with satisfactorily by the existing Safeguards

Slide 31: Security Risk Assessment Process
Browne L. Security Risk Management Overview, February 2004, http://www.unsw.adfa.edu.au/~lpb/......seminars/auugsec04.html

Slide 32: Generic Risk Management Strategies
Proactive Strategies: Avoidance, Deterrence, Prevention
Reactive Strategies: Isolation, Recovery, Transference, Insurance
Non-Reactive Strategies: Tolerance, Abandonment, Dignified Demise, Graceless Degradation

Slide 33: Costs of Risk Mitigation
Executive time, for assessment, planning, control
Consultancy time, for assessment, design
Operational staff time for: training, rehearsals, incident handling, backups
Loss of service to clients during backup time
Computer time for backups
Storage costs for on-site and off-site (fire backup) copies of software, data and log-files
Redundant hardware and networks
Contracted support from a 'hot-site' / 'warm-site'

Slide 34: 5. The Legal Framework
Specific Laws: Security, Privacy
Laws with Incidental Effect
Pseudo-Regulation (aka Self-Regulation), in particular mere Industry Codes
Standards
Professionalism

Slide 35: Directly Relevant Laws – Security
Computer Crimes, Cybercrimes
  Crimes Legislation Amendment Act 1989, Cybercrime Act 2001
  Criminal Code Act 1995 Part 10.7 Computer offences, http://www.austlii.edu.au/au/legis/cth/consol_act/cca1995115/sch1.html
    unauthorised access, modification or impairment
    possession of security software ??
    use of data encryption ??
Telecommunications Interception
Listening Devices / Surveillance Devices
Possible future mandatory reporting of data breaches (OFPC submission to ALRC Enquiry, August 2006)

Slide 36: Directly Relevant Laws – Privacy
http://www.privacy.org.au/Resources/PLawsClth.html
http://www.privacy.org.au/Resources/PLawsST.html
Privacy Act 1988 (Cth)
  For Fedl Govt, IPP 4 in s.14, http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s14.html
  For Pte Sector, NPP 4 in Schedule 3, http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/sch3.html
Privacy / Data Protection in the States and Territories
  Vic, NSW, ACT, NT, Tas
  WA, SA, Qld

Slide 37: Incidentally Relevant Laws
Agencies' Own Legislation
Sectoral Legislation, e.g. Banking
Corporations Law / Directors' Responsibilities...

Slide 38: Australian Government Expectations
Source: Convergence e-Business Solutions, 2004

Slide 39: Australian Government e-Authentication Framework (AGAF)
http://www.agimo.gov.au/infrastructure/authentication/agaf
Decide what statements need to be authenticated
Use risk assessment techniques in order to decide on the level of assurance needed
From among the alternative e-authentication mechanisms, select an appropriate approach
Assess the impact on public policy concerns such as privacy and social equity
Implement
Evaluate

Slide 40: A Mini-Case Study in Forensics
Offensive Content on an Employee's Workstation
Relevant Sources of Insecurity include:
  Workstation Hardware, OS and Apps
  Internet-Connection
  Physical Access
  Inadequate Logical Protections
  Software Action w/- User Knowledge
  Malware (virus, worm, trojan)
  Hacking (script, backdoor, zombie)
Examination and Evidence are Essential
http://www.anu.edu.au/people/Roger.Clarke/II/OffIm0511.html


Slide 43: References
Readings:
  Clarke R. (2001) Introduction to Information Security, http://www.anu.edu.au/people/Roger.Clarke/EC/IntroSecy.html
  AUSCERT (2001) Know Thy Attacker, http://www.auscert.org.au/download.html?f=7&it=2000&cid=
  Anderson R. (2003) Trusted Computing Frequently Asked Questions, http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
Recommended Reading:
  NIST (2003) Guide to Selecting Information Technology Security Products, http://csrc.nist.gov/publications/nistpubs/800-36/NIST-SP800-36.pdf
  American Bar Association, Digital Signatures Guidelines – Tutorial, http://www.abanet.org/scitech/ec/isc/dsg-tutorial.html

Slide 44: Additional References
http://en.wikipedia.org/wiki/... : Security; Information_security (techo); Malware
Waters N. & Greenleaf G. IPPs examined: The Security Principle, Privacy Law and Policy Reporter [2004] 36, http://www.austlii.edu.au/au/journals/PLPR/2004/36.html
Morison J. Computer Security -- a survey of 137 Australian agencies, Privacy Law and Policy Reporter [1996] 3 PLPR 67, http://www.austlii.edu.au//au/journals/PLPR/1996/41.html
Cybercrime / Computer Crime Legislation, http://www.efa.org.au/Issues/Privacy/cybercrimeact.html

Slide 45: Additional References
Lehtinen R. Computer Security Basics, O'Reilly 2006, http://safari.oreilly.com/0596006691?tocview=true
Weber R. Information Systems and Control, Prentice-Hall 1990, Chs 3-9 (Mgmt Ctls) and Chs 10-15 (Application Ctls)
Anderson R.J. Security Engineering: A Guide to Building Dependable Distributed Systems, Wiley 2001
Mitnick K.D. & Simon W.L. The Art of Deception: Controlling the Human Element of Security, Wiley 2002
Stamp M. Information Security: Principles and Practice, Wiley 2006

Slide 46: Official Sources – Australian Govt
Aust Govt Online Security Mandates and Guidelines, http://www.agimo.gov.au/infrastructure/government
Aust Govt Protective Security Manual (PSM 2005), http://www.ag.gov.au/agd/WWW/protectivesecurityhome.nsf/Page/Protective_Security_Manual
Aust Govt Information and Communications Technology Security Manual (ACSI 33), http://www.dsd.gov.au/library/infosec/acsi33.html
Office of the Federal Privacy Commissioner (OFPC) Info Sheet 6 - 2001, Security and Personal Information, http://www.privacy.gov.au/publications/IS6_01.html
SCAG Model Criminal Code, January 2001, Part 4.2 Computer Offences, pp. 87-199, http://www.ag.gov.au/agd/www/Agdhome.nsf/Page/RWPA93DBE7859B79635CA256BB20083B557?OpenDocument

Slide 47: Official Sources – Standards and Intl
Aust. Standards:
  IT - Code of practice for info security management, AS 17799:2001
  Info Security Management Systems, AS/NZS 7799.2:2000
  Risk Management, AS4360 1999
  Handbook for Management of IT Evidence, 10 Dec 2003
NIST Computer Security, http://csrc.nist.gov/publications/nistpubs/
OECD Guidelines: The Security of Info Systems and Networks: Towards a Culture of Security, 2002, http://www.oecd.org/dataoecd/16/22/15582260.pdf
EU Commission, Network and Information Security: Proposal for a European Policy Approach, 2002, http://europa.eu.int/information_society/eeurope/2002/news_library/documents/netsec/netsec_en.doc
Also http://europa.eu/scadplus/leg/en/lvb/l24121.htm
Council of Europe Convention on Cybercrime, 2001


