
Copyright, 2012 1 Security, for Society A View from the End of the World Roger Clarke Xamax Consultancy Pty Ltd, Canberra Visiting Professor in Computer.


Slide 1: Security, for Society: A View from the End of the World
Roger Clarke, Xamax Consultancy Pty Ltd, Canberra
Visiting Professor in Computer Science, ANU, Canberra
Visiting Professor in Cyberspace Law & Policy, UNSW, Sydney
http://www.rogerclarke.com/EC/SforS-120625 {.html,.ppt}
Copenhagen, 25 June 2012
The Danish Council for Greater IT-Security
Danish Society of Engineers (IDA), Subgroup on IT (IDA-IT)
In Association with CBIT, Roskilde University
Copyright 2012

Slide 2: http://www.odt.org/southupmaps.htm

Slide 3: Security, for Society: A View from the End of the World. Aims
- Provide an Australian perspective on some current themes in data and IT security
- Consider some broader aspects of security
- Note tensions within and between perspectives
- Present a security analysis of Danish society

Slide 4: The Notion of Security
Security is used in at least two senses:
- a Condition in which harm does not arise, despite the occurrence of threatening events
- a Set of Safeguards whose purpose is to achieve that Condition

Slide 5: The Scope of Security (diagram)

Slide 6: The Conventional IT Security Model
Threats impinge on Vulnerabilities, resulting in Harm

Slide 7: The Organisational Scope of Security (diagram)

Slide 8: Important IT Security Considerations
- Data Security: environmental, second-party and third-party threats to content, both in remote storage and in transit
- Authentication and Authorisation: how to provide clients with convenient access to data and processes in the cloud, while denying access to imposters?
- Service Security: environmental, second-party and third-party threats to any aspect of reliability or integrity
- Susceptibility to DDoS: multiple, separate servers help, but choke-points will exist

Slide 9: Maladjustment
- Malcontent: spam, email attachments, downloads
- Malware: malcontent in the form of software. Uses a Vector, to deliver a Payload, which is Invoked, and results in Harm
- Malbehaviour: flaming, incitement, social engineering
- Hacking / Cracking / Break-In: defacing, accessing, changing, destroying
- Denial of Service

Slide 10: Basic Architecture for IT Security Safeguards
External Security, Perimeter Security, Internal Security

Slide 11: Key IT Security Safeguard Categories
- External Security
  - Content transmission security ('Confidentiality'), e.g. SSL/TLS
  - Authentication of sender, recipient, content, e.g. digital signatures, SSL/TLS, tunnelling, VPNs
  - 'White Hat Hacking'
  - Network-based Intrusion Detection (ID) ...
- Perimeter Security
  - Inspection and filtering of traffic, i.e. 'Firewalls'
  - Malcontent, malware
- Internal Security
  - Access control
  - Vulnerability inspection
  - Intrusion (threat) detection
  - Safeguard testing
  - Backup, recovery, 'Business Continuity Assurance', incl. 'warm-site', 'hot-site'

Slides 12-14: Recent Australian IT Security Experience (built up over three slides; final form)
- Seen as a contingency, not business-as-usual
- Strong tendency to suppress bad news
- Investment and ongoing expense hard to justify
- Like all IT, subject to outsourcing, and hence mostly out of sight, out of mind: "we have people to do that kind of thing for us"
- Sporadic explosions of fervour, unsustained
- Security companies have promised much, but have never flourished as they were expected to

Slide 15: Organisational Perspective on Security
1. Operational Qualities
- Fit: to users' needs, and customisability
- Reliability: continuity of operation
  - Availability: hosts/server/db readiness/reachability
  - Accessibility: network readiness
  - Usability: response-time, and consistency
  - Robustness: frequency of un/planned unavailability
  - Resilience: speed of resumption after outages
  - Recoverability: service readiness after resumption
- Integrity: sustained correctness of the service, and the data
- Maintainability: fit, reliability, integrity after bug-fixes & mods
Source: http://www.rogerclarke.com/II/CCBR.html, incl. enhancements to Avizienis et al. (2004)

Slide 16: Further Issues: Cloud Computing Perspective
2. Contingent Risks
- Major Service Interruptions
- Service Survival: supplier collapse or withdrawal. Safeguards include software escrow; escrow inspection; proven recovery procedures; rights that are proof against actions by receivers
- Data Survival: data backup/mirroring/synch, accessibility
- Data Accessibility: blockage by opponents or a foreign power
- Compatibility: software, versions, protocols, data formats
  - Flexibility
  - Customisation
  - Forward-Compatibility, to migrate to new levels
  - Backward-Compatibility, to protect legacy systems
  - Lateral Compatibility, to enable dual-sourcing and escape

Slide 17: Further Issues: Cloud Computing Perspective
3. Commercial Disbenefits and Risks
- Acquisition: lack of information; non-negotiability of terms and SLA
- Ongoing: loss of corporate expertise re apps, IT services, costs to deliver; inherent lock-in effect from high switching costs, formats, protocols; high-volume data transfers from large datasets, replication/synchronisation; service levels to the organisation's customers

Slide 18: Further Issues: Cloud Computing Perspective
4. Compliance Disbenefits and Risks
- General: statutory & common law obligations; evidence discovery law; financial regulations; company directors' obligations re asset protection, due diligence, business continuity, risk management
- Security: treaty obligations
- Confidentiality, incl. against foreign governments: strategic, commercial, governmental
- Privacy, particularly unauthorised use and disclosure: second-party (service-provider abuse), third-party ('data breach', 'unauthorised disclosure'), storage in data havens (India, Arkansas)

Slide 19: Attacks: By Whom? Why?
- Principals: opportunists, hacktivists, vigilantes, organised crime, corporations, nation-states
- Agents: mercenaries, private military corporations
- Politics: protest against action, retaliation / revenge, espionage
- Economics: financial gain, financial harm
- Social/cultural factors: challenge, dispute, celebration

Slide 20: Recent Australian Experience
- Sporadic emphasis on, but limited understanding of: risk assessment, risk management, governance
- Ambivalence about cloud computing: data leakage, supplier reliability, service provision, data availability, jurisdictional location of data

Slide 21: A Broader Scope for Security
Competition; Collaboration, esp. re IT infrastructure

Slide 22: A Yet Broader Scope for Security
IT infrastructure for economic development; Critical IT infrastructure

Slides 23-25: Recent Australian Experience (built up over three slides; final form)
- Malware detection and eradication: corporate devices, consumer devices
- Botnets: zombie detection and eradication
- Internet-connected SCADA
- Moral minority desires re censorship
- IP-dependent corporation desires
- Nation-state desires: ITU vs. TCP/IP

Slide 26: Links
http://idealab.talkingpointsmemo.com/2012/06/un-proposals-to-regulate-internet-are-troubling-leaked-documents-reveal.php
http://www.internetgovernance.org/2012/06/21/threat-analysis-of-the-wcit-4-cybersecurity/

Slides 27-28: Tensions Between Organisational Objectives (built up over two slides; final form)
- Certain costs vs. contingent costs
- Financial cost vs. non-quantifiables
- Business-as-usual vs. invisibles
- Between alternative scopes:
  - A bot doesn't harm the host, so there's no incentive to fix it (an externality)
  - Copyright material on P2P networks
  - Organisational, sectoral, national and supra-national agency interests

Slide 29: A Mostly-Forgotten Scope for Security (diagram)

Slide 30: Current Australian Issues in Consumer and Citizen Security
- Data breaches: notification; civil and criminal liability
- ePayments: mobile / smartphones; Visa PayWave, MCard PayPass
- Social media: its anti-social business model; unconscionable terms of service; actual abuse of consumer data; the coming Google-Acxiom merger
- Smart meters
- The Internet of Things

Slide 31: The Many Scopes of Security (diagram)

Slide 32: What about Humanity? The Biosphere?

Slide 33: And where is National Security?

Slide 34: Is this National Security?
"The protection of a nation from attack or other danger by holding adequate armed forces and guarding state secrets. Encompasses economic security, monetary security, energy security, environmental security, military security, political security and security of energy and natural resources."
Source: http://definitions.uslegal.com/n/national-security/

Slide 35: Or is this National Security?
- Public safety: mayhem in marketplaces, bombs in aircraft; major events, e.g. Olympics, Euro 2012
- Prominent person safety: Bush and Blair; Rushdie and Kurt Westergaard; Gx, APEC, CHOGM, ...
- Critical infrastructure security: bombs in ports, ships, railways, energy, ...; anthrax in the water supply, ...

Slide 36: Social Control Measures Justified by National Security
- Data consolidation
- Identity consolidation: nymity denial; identity management
- Surveillance: physical, communications, data, location and tracking, content experience and behaviour, body experience and behaviour

Slide 37: Why is National Security Exempt from Key Evaluation Principles?
Justification, Relevance, Effectiveness, Proportionality, Transparency, Accountability

Slide 38: Elements of Social Control Architecture
- A national ID scheme
- Imposed singular identities for all purposes
- Imposed singular eIdentities and 'portals'
- Biometric id and/or authentication
- Physical location and tracking: checkpoints, video surveillance, ANPR
- Network-traffic surveillance
- Public-private partnerships

Slide 39: Denmark's Central Person Register (CPR) and Civil Registration System (CRS)
- Is obligatory and universal
- Includes birthdate and gender in the ID No.
- Consolidates all basic personal data and makes it widely available across all government agencies and across increasingly large segments of the private sector
- Is proposed for expansion, in terms of: users, uses, data-items
Source: http://www.cpr.dk (Id=4327, 27/09/2001)

Slide 40: The Elements of a National Identity Scheme
1. A Database
2. A Unique Signifier for Every Individual
   1. A 'Unique Identifier'
   2. A Biometric Entifier
3. An (Id)entification Token (such as an ID Card)
4. Quality Assurance Mechanisms
   1. Mechanisms for (Id)entity Authentication
   2. Mechanisms for (Id)entification
5. Widespread Use
   1. Widespread Data Flows Containing the Identifier
   2. Widespread Use of the (Id)entifier
   3. Widespread Use of the Database
6. Obligations
   1. Obligations Imposed on Every Individual
   2. Obligations Imposed on Many Organisations
7. Sanctions for Non-Compliance
Source: http://rogerclarke.com/DV/NatIDSchemeElms.html

Slide 41: E-BOKS / e-Posthuset
- Is integrated with, or at least dependent on, the CPR/CRS and Personal Identification No.
- Is designed as the primary channel for all government communications to citizens
- Is imposed on all government employees
- Offers itself as a repository for id documents

Slides 42-43: Digital Signatures / NemID (built up over two slides; final form)
- Is designed to force all activities into a single identity per person, consolidating all personas, and thereby creating a honeypot for agencies, for corporations and for intruders
- Enables the service provider to commit masquerade
- Imposes trojan client-software that has access to all resources on the consumer/citizen's devices
- NemID = Nemesis. In Danish, Nemesis: 'divine retribution against those who succumb to arrogance before the gods'

Slide 44: Abuse of Social Control Architecture
- By an unelected government: an invader; a military putsch
- By an elected government: that acts outside the law; that arranges the law as it wishes; that reflects temporary public hysteria

Slide 45: A New Digital Security Model
- In a highly-interconnected world, Perimeter Security / The Walled Fortress doesn't work any more
- The new core principle: when-not-if unauthorised access happens, make sure that the data is valueless to anyone other than the user-organisation

Slide 46: A New Digital Security Model: Some Implementation Techniques
- Obscure the content and identities (only the user-organisation has the decryption key)
- Use pseudo-identifiers, not identifiers (only the user-organisation has the cross-index)
- Split the content into 'small enough' morsels (only the user-organisation has the whole picture)
- Authenticate attributes rather than identities
Source: NITTA (2011) 'New Digital Security Models', National IT and Telecom Agency, Copenhagen, February 2011, http://digitaliser.dk/resource/896495
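The four techniques on slide 46 fit together into one custody model, which the following added example sketches in Python. It is not code from the presentation or from NITTA. The architecture is assumed: a hosted CloudStore that holds only random morsel ids and ciphertext, and a UserOrganisation that alone holds the content key and the cross-index and can issue an attribute assertion under a fresh pseudo-identifier. The stream cipher is a SHA-256 keystream stand-in for a real AEAD such as AES-GCM; what the example demonstrates is who holds the key and the index, not the cipher.

```python
"""Custody model: the cloud holds nothing that is usable without the organisation.

Added illustration; not the presentation's or NITTA's code. CloudStore,
UserOrganisation and the assertion format are assumed for this example.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || nonce || counter) blocks.
    Toy stand-in for a real cipher; symmetric, so it also decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class CloudStore:
    """Hosted side: a flat bag of random morsel id -> ciphertext, nothing else."""

    def __init__(self) -> None:
        self.morsels = {}

    def put(self, morsel_id: str, ciphertext: bytes) -> None:
        self.morsels[morsel_id] = ciphertext

    def get(self, morsel_id: str) -> bytes:
        return self.morsels[morsel_id]

    def contains_plaintext(self, needle: bytes) -> bool:
        """What an intruder holding a full copy of the store could find by searching it."""
        return any(needle in blob for blob in self.morsels.values())


class UserOrganisation:
    """Only this party holds the decryption key and the cross-index."""

    def __init__(self, cloud: CloudStore) -> None:
        self.cloud = cloud
        self.content_key = secrets.token_bytes(32)    # never leaves the organisation
        self.assertion_key = secrets.token_bytes(32)  # assumed shared with relying parties
        self.cross_index = {}                         # real id -> {field: morsel id}

    def store_record(self, real_id: str, record: dict) -> dict:
        """One encrypted morsel per field, each under its own random id, so the
        cloud cannot tell which morsels belong to the same person."""
        index = {}
        for field, value in record.items():
            morsel_id = secrets.token_hex(16)
            nonce = secrets.token_bytes(16)
            plaintext = json.dumps(value).encode()
            self.cloud.put(morsel_id, nonce + _keystream_xor(self.content_key, nonce, plaintext))
            index[field] = morsel_id
        self.cross_index[real_id] = index
        return index

    def load_record(self, real_id: str) -> dict:
        """Reassembly needs both the cross-index and the key: only the organisation has them."""
        record = {}
        for field, morsel_id in self.cross_index[real_id].items():
            blob = self.cloud.get(morsel_id)
            nonce, ciphertext = blob[:16], blob[16:]
            record[field] = json.loads(_keystream_xor(self.content_key, nonce, ciphertext))
        return record

    def assert_attribute(self, real_id: str, attribute: str, predicate) -> dict:
        """Attribute authentication: vouch for one fact about a person under a
        fresh, unlinkable pseudo-identifier; the identity itself is never disclosed."""
        value = bool(predicate(self.load_record(real_id)))
        payload = json.dumps(
            {"pseudo_id": secrets.token_hex(8), "attribute": attribute, "value": value},
            sort_keys=True,
        )
        mac = hmac.new(self.assertion_key, payload.encode(), "sha256").hexdigest()
        return {"payload": payload, "mac": mac}


def verify_assertion(token: dict, assertion_key: bytes) -> Optional[dict]:
    """Relying-party check: the claim is returned only if its MAC is genuine."""
    expected = hmac.new(assertion_key, token["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return None
    return json.loads(token["payload"])


def demo() -> dict:
    # Constructed sample record and identifier; not real data.
    cloud, person = CloudStore(), "person-0001"
    org = UserOrganisation(cloud)
    org.store_record(person, {"name": "Anne Example", "birth_year": 1970, "city": "Roskilde"})
    token = org.assert_attribute(person, "age_over_18", lambda r: 2012 - r["birth_year"] >= 18)
    return {
        "cloud_has_name": cloud.contains_plaintext(b"Anne Example"),
        "cloud_has_real_id": cloud.contains_plaintext(person.encode()),
        "reassembled": org.load_record(person),
        "claim": verify_assertion(token, org.assertion_key),
        "claim_names_person": "Anne" in token["payload"] or person in token["payload"],
    }
```

Run demo(): the cloud copy contains neither the name nor the real identifier, the organisation reassembles the full record, and the relying party learns only "some person is over 18" under a one-time pseudo-id. The assertion key shared with relying parties is the one assumption a real deployment would replace with a signature scheme, so the organisation does not have to trust each relying party with a symmetric key.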

Slide 47: http://en.itst.dk/

Slide 48: Denmark is a World Leader
- GDP per capita (7th)
- Export value per capita (9th)
- Corruption Index (2nd)
- Highly flexible labour market
- High minimum wage (1st)
- No-fee tertiary education
- Human Development Index (16th)
- Happiness Index (1st)

Slide 49: Security Analysis of Danish Society – 1
- 75% of GDP and export is industrial product, incl. consumer products, Lego, hifi, wind turbines, greentech, ..., also architecture
- Labour cost is very high
- Agility is critical to sustained success
- Stability, creativity and adaptability of the workforce are critical, to ensure agility
- Social control, surveillance and a climate of suspicion are incompatible with agility

Slide 50: Security Analysis of Danish Society – 2
- World's largest public sector (30% of workforce)
- World's highest taxes
- World's most privacy-intrusive government
- Recent substantial centralisation of a previously highly distributed public sector
- LOTS to lose (see previous slide)
- So there is scope for nervousness and discontent

Slide 51: Security Analysis of Danish Society – 3
- The population is highly homogeneous (90% Danish)
- People like it like that
- The Muslim population has reached 3%
- This has resulted in anti-immigration sentiment and very tough immigration laws
- That encourages reprisals by activist Muslims
- So there is scope for repressive measures

Slide 52: Security Analysis of Danish Society – 4
- The pre-conditions for despotism are largely fulfilled already: CPR/CRS, NemID, ...
- So there is scope for rapid introduction of repressive measures
- That would create a vicious spiral of discontent, more repressive measures, more active expressions of discontent, etc.

Slide 53: Security, for Society: A View from the End of the World. Recapitulation
- Security, even when limited to data and IT, can be approached with varying scope
- There are tensions within each perspective, and tensions between perspectives
- As a society, we're not doing it very well
- Most countries have let national security extremists flout basic security principles
- Denmark is in a precarious position

Slide 54: closing slide, repeating the title slide (slide 1). Slide 55 is blank. Slides 56 onwards are supplementary material.

Slide 56: Why Privacy is Important
- Philosophically: for 'human dignity' and integrity, and individual autonomy and self-determination
- Psychologically: in public spaces as well as private
- Sociologically: people need to be free to behave, and to associate with others, subject to broad social mores, but without the continual threat of being observed
- Economically: innovators are 'deviant' from the norms of the time. The chilling effect of surveillance stifles innovation. People in countries with high labour-costs need to be free to innovate
- Politically: freedom to think, argue, and act underpins democracy. Surveillance chills behaviour and speech, and undermines democracy

Slide 57: Counterveillance Tenets
- Terrorism is not new, and not unusual
- The 'power to weight ratio' of a single strike has increased (because fewer terrorists can deliver a bigger payload), but this has only limited implications for public policy
- Reactionary extremism must not be accepted at face value
- National security and law enforcement interests must not be granted carte blanche to do whatever they wish
- Secrecy is not a necessary pre-condition of security
- It is illegitimate to treat what are really 'public safety' issues as though they were 'national security' matters
- Counter-terrorism is not dependent on everyone being limited to a single State-managed identity

Slide 58: Counterveillance Principles
1. Independent Evaluation of Technology
2. A Moratorium on Technology Deployments
3. Open Information Flows
4. Justification for Proposed Measures
5. Consultation and Participation
6. Evaluation
7. Design Principles
   1. Proportionality
   2. Independent Controls
   3. Nymity and Multiple Identity
8. Rollback

Slide 59: Design Precepts
- Every human entity has lots to hide
- It's in society's interests to enable people to hide information, in order to support freedoms to express, invent, innovate
- Every human entity has multiple identities, and needs them
- Identity management has to encompass nymity, accepting anonymity, and facilitating pseudonymity
- Pseudonymity balances social, economic and political freedoms, on the one hand, and accountability, on the other
- We need credible 'strong pseudonymity', that is proof against breaches by powerful governments and corporations

Slides 60-61: Names, Codes, Roles; Identity and Identifier; Model World vs. Domain or Subject World (diagram, built up over two slides)

Slide 62: The Entity/ies underlying an Identity (diagram)

Slide 63: Entity and Entifier (diagram)

Slide 64: Nymity (diagram)

Slide 65: Identity Authentication and Authorisation: Its Application to Access Control (diagram)

Slide 66: Uses of Biometrics
1. For (Id)entification: a process to find 1-among-many, in order to answer the question 'Who is it?'
2. For (Id)entity Authentication: a process to test 1-to-1, in order to help answer the question 'Is this the person who you think it is?'
3. For Attribute Authentication w/- (Id)entity: a process to help answer the question 'Does this person (whoever they are) have the attribute they purport to have?'

Slide 67: The Huge Quality Problems with Biometric Applications
- Dimensions of quality: reference-measure association; test-measure comparison; result-computation
- Other aspects of quality: vulnerabilities; quality measures; counter-measures; spiralling complexity

Slide 68: 7. Digital Signatures and ...
- Digital Signature: a string of characters that the Sender adds to a message. The theory: only the entity that has access to the relevant Private Key can possibly have sent the message ...
- Public Key Infrastructure (PKI): a substantial set of equipment, software, procedures and organisations necessary to generate and protect key-pairs, generate signatures, publish public keys and revocations, pre-authenticate signors, authenticate signatures, assure quality, insure participants, prosecute the guilty

Slide 69: What a Digital Signature Actually Means
A Digital Signature attests only that the message was signed by a device that had access to the private key that matches the public key
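The point of slide 69 is easy to see when the arithmetic is laid bare, so here is an added example in Python; it is not code from the presentation. It uses textbook RSA with tiny constructed parameters (modulus 3233, no padding), which is fine for watching the mechanism but is not a usable signature scheme. Two signing devices hold the same private key: verification succeeds for both, the two signatures are byte-for-byte identical, and the verifier has no way to learn which device, let alone which human, produced the signature.

```python
"""What verifying a digital signature does and does not tell you.

Added illustration; not the presentation's code. The key pair below is a
constructed textbook example: p = 61, q = 53, n = 3233, e = 17, d = 2753
(17 * 2753 = 46801 = 15 * 3120 + 1, so e*d = 1 mod (p-1)(q-1)).
"""
import hashlib

N = 61 * 53
E = 17
D = 2753
PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def _digest(message: bytes) -> int:
    """Hash the message and reduce into the signing group Z_n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    d, n = private_key
    return pow(_digest(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    e, n = public_key
    return pow(signature, e, n) == _digest(message)


class SigningDevice:
    """Any device holding the private key bytes. The signature it produces
    carries no trace of the device's label or of who was operating it."""

    def __init__(self, label: str, private_key) -> None:
        self.label = label
        self._key = private_key

    def sign(self, message: bytes) -> int:
        return sign(message, self._key)


def what_verification_attests(message: bytes, signature: int, public_key=PUBLIC_KEY) -> str:
    """The strongest statement a verifier is entitled to make."""
    if verify(message, signature, public_key):
        return "signed by a device that had access to the private key matching this public key"
    return "not signed with the private key matching this public key"


def demo() -> dict:
    message = b"transfer 1000 DKK to account X"  # constructed sample message
    owner = SigningDevice("citizen's own laptop", PRIVATE_KEY)
    other = SigningDevice("any other device that ended up with the same key", PRIVATE_KEY)
    sig_owner = owner.sign(message)
    sig_other = other.sign(message)
    return {
        "owner_verifies": verify(message, sig_owner),
        "other_verifies": verify(message, sig_other),
        "signatures_identical": sig_owner == sig_other,
        "tampered_verifies": verify(message, (sig_owner + 1) % N),
        "attests": what_verification_attests(message, sig_other),
    }
```

The tampered-signature check fails deterministically because the RSA map is a bijection on Z_n, while the two genuine signatures are indistinguishable: a verifier who treats a valid signature as proof of which person acted is adding an assumption (sole custody of the key) that the mathematics does not supply. That assumption is exactly what slides 42-43 question for client software with access to every resource on the device.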

Slides 70-71: 18 Myths relating to (Id)Entity
1 - An identity exists in an organisation's database
2 - You only have one identity
3 - Each identity is used by only one person
4 - A biometric is a human identifier
5 - Organisations create and manage identities
6 - Identity Management Products actually work
7 - It's generally necessary to authenticate identity
...
9 - Only cheats/crims/terrorists have something to hide
10 - Cheats etc. can be deterred, prevented and caught, without creating a society worse than one that contains cheats etc.
11 - Nyms are for cheats
12 - Privacy-Enhancing Technologies (PETs) don't pay
13 - Data silos are bad
14 - Identity silos are bad
15 - Biometric schemes actually work
16 - Biometric schemes combat terrorism
17 - Imposed biometric schemes will work
18 - An id scheme is just another business system
Source: Clarke R. (2008) '(Id)Entities (Mis)Management: The Mythologies underlying the Business Failures', Invited Keynote at 'Managing Identity in New Zealand', Wellington NZ, 29-30 April 2008, at http://www.rogerclarke.com/EC/IdMngt-0804.html

Slide 72: The Paradox of Security
Security measures threaten security

Slide 73: Another Myth: "You can't have privacy if you want security"
- Yes, of course privacy protections are used by people for anti-social and criminal ends
- But the privacy advocacy argument is not extremist like the national security agenda
- Privacy protections are about: Justification, not blithe assumptions; Proportionality, not simplistic notions like "zero-tolerance" and "we need to do anything that might help us wage the war on terrorism"

Slide 74: Basic Requirements of a SmartCard (Id)entity Authenticator (1 of 2)
- Restrict identified transaction trails to circumstances in which they are justified (because of the impossibility of alternatives)
- Sustain anonymity except where it is demonstrably inadequate
- Make far greater use of pseudonymity, using protected indexes
- Make far greater use of attribute authentication
- Implement and authenticate role-ids rather than person-ids
- Use (id)entity authentication only where it is essential
- Sustain multiple specific-purpose ids, avoid multi-purpose ids
- Ensure secure separation between applications

Slide 75: Basic Requirements of a SmartCard (Id)entity Authenticator (2 of 2)
- Ownership of each card by the individual, not the State
- Design of chip-based ID schemes transparent and certified
- Issue and configuration of cards undertaken by multiple organisations, including competing private sector corporations, within contexts set by standards bodies, in consultation with government and (critically) public interest representatives
- No central storage of private keys
- No central storage of biometrics
- Two-way device authentication, i.e. every personal chip must verify the authenticity of devices that seek to transact with it, and must not merely respond to challenges by devices
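Two of the requirements on slides 74 and 75, secure separation between applications and two-way device authentication, can be shown together in one exchange. The following is an added Python example, not code from the presentation and not any real card standard. The design is assumed: each application on the card has its own key, shared only with readers issued for that application; both sides prove possession with HMAC-SHA256 over a nonce the other side chose; and the chip challenges the reader first, refusing to answer at all until the reader has proved itself.

```python
"""Mutual challenge-response between a personal chip and a reader, one key per application.

Added illustration; not the presentation's code. The message layout
(nonce, proof) and the per-application key table are assumptions of this example.
"""
import hmac
import secrets


def _proof(key: bytes, *parts: bytes) -> bytes:
    """HMAC over a role tag and both nonces; the tag stops a proof being replayed
    in the other direction."""
    return hmac.new(key, b"|".join(parts), "sha256").digest()


class Reader:
    def __init__(self, application: str, key: bytes) -> None:
        self.application = application
        self.key = key
        self.nonce = b""

    def prove(self, card_nonce: bytes) -> tuple:
        """Reader answers the card's challenge and issues its own fresh nonce."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce, _proof(self.key, b"reader", card_nonce, self.nonce)

    def check_card(self, card_nonce: bytes, card_proof: bytes) -> bool:
        expected = _proof(self.key, b"card", self.nonce, card_nonce)
        return hmac.compare_digest(expected, card_proof)


class PersonalChip:
    def __init__(self, app_keys: dict) -> None:
        self.app_keys = app_keys  # separation: one key per application, none shared
        self.log = []             # what the chip would record (constructed for the demo)

    def transact(self, reader: Reader) -> bool:
        """Full exchange; True only if BOTH sides authenticated."""
        key = self.app_keys.get(reader.application)
        if key is None:
            self.log.append(f"refused: unknown application {reader.application}")
            return False
        card_nonce = secrets.token_bytes(16)            # chip challenges the reader first
        reader_nonce, reader_proof = reader.prove(card_nonce)
        expected = _proof(key, b"reader", card_nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            self.log.append(f"refused: reader failed to prove key for {reader.application}")
            return False                                # an unproven reader gets no response
        card_proof = _proof(key, b"card", reader_nonce, card_nonce)
        ok = reader.check_card(card_nonce, card_proof)
        self.log.append(f"{'ok' if ok else 'reader rejected card'}: {reader.application}")
        return ok


def demo() -> dict:
    transit_key = secrets.token_bytes(32)   # constructed per-application keys
    library_key = secrets.token_bytes(32)
    chip = PersonalChip({"transit": transit_key, "library": library_key})
    genuine = Reader("transit", transit_key)
    wrong_key = Reader("transit", secrets.token_bytes(32))  # reader without the real key
    cross_app = Reader("library", transit_key)              # transit key offered to the library app
    unknown = Reader("parking", transit_key)                # application the chip does not carry
    return {
        "genuine": chip.transact(genuine),
        "wrong_key": chip.transact(wrong_key),
        "cross_app": chip.transact(cross_app),
        "unknown": chip.transact(unknown),
        "log": chip.log,
    }
```

Only the genuine reader completes the exchange; a reader with the wrong key, a reader reusing one application's key against another, and a reader for an application the chip does not carry are all turned away before the chip emits any proof of its own. The role tags inside the MAC matter: without them a reader could reflect the chip's own proof back as its answer.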

Slide 76: 'Natural' Extensions
- Biometrics
- Location and tracking: physical space; network space

Slide 77: Concepts of Location and Tracking
- Location: knowing the whereabouts of something, in relation to known reference points. Physical space, network space, intellectual space, ... Precision, accuracy, reliability, timeliness, ...
- Tracking: knowing the sequence of locations of something over a period of time. Real-time tracking; retrospective tracking; predictive tracking

Slide 78: Terrorists, Organised Crime, Illegal Immigrants: Benefits Are Illusory
- Mere assertions of benefits, no explanation: "it's obvious", "it's intuitive", "of course it will work", all of which are partners to simplistic notions like "zero-tolerance" and "we need to do anything that might help us wage the war on terrorism"
- Lack of detail on systems design
- Continual drift in features
- Analyses undermine the assertions
- Proponents avoid discussing the analyses

Slide 79: Miscreants (Benefits Recipients, Fine-Avoiders, ...): Benefits May Arise, But Are Seriously Exaggerated
- Lack of detail on systems design
- Continual drift in features
- Double-counting of benefits from the ID scheme and the many existing programs
- Analyses undermine the assertions
- Proponents avoid discussing the analyses

Slide 80: Conclusion
- PETs can address some PITs, but a nightmare-free Australia Card is not feasible
- Any intellectual, and any regulator, who accommodates a national identification scheme, is selling-out liberty, and derogating their duties as human beings
- We must not be cowed by either of the twin terrors of Islamic Fundamentalism and National Security Fundamentalism

