Copyright,
Information Security
Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce at Uni of Hong Kong, Computer Science at A.N.U.
/ EC/SecyMq ppt, IntroSecy.html
LAW 868 – Electronic Commerce and the Law
Macquarie University – 14 September 2006

Information Security Agenda
  1. What's Security?
  2. Dimensions of the Problem
  3. Technical Elements of the Solution
  4. Organisational Processes
  5. The Legal Framework

The Notion of Security
  Security is used in at least two senses:
  - a condition in which harm does not arise, despite the occurrence of threatening events
  - a set of safeguards whose purpose is to achieve that condition
  Key Concepts: Harm, Threatening Event, Safeguard

Security writ Broad
  - Security of Service
  - Reliability
  - Robustness
  - Resilience
  - Accessibility
  - Usability
  - Security of Investment
  - Business Survivability

Information Security
  - Data Quality
  - Data Accessibility
    - by those who should
    - by others
  - Data Usability

Data Life-Cycle

Dimensions of the Problem
  - Threatening Events: Natural, Accidental, Intentional
  - Harm that results
  - Situations in which Threats arise
  - Countermeasures
  - Counter-Countermeasures

Categories of Threatening Event
  - Natural Threats, i.e. Acts of God or Nature
  - Accidental Threats:
    - By Humans who are directly involved
    - By other Humans
    - By Machines and machine-designers
  - Intentional Threats:
    - By Humans who are directly involved
    - By other Humans

Categories of Harm
  - Personal Injury
  - Property Damage
  - Data Loss, Alteration, Access or Replication
  - Asset Value Loss
  - Reputation or Confidence Loss
  - Financial Loss
  - Opportunity Cost

Situations in Which Threats Arise
  - Computing and Comms Facilities, incl. Data Storage, Software, Data Transmission, of:
    - The Organisation
    - Service Providers
    - Users
    - Others
  - Physical Premises housing relevant facilities
  - Supporting Infrastructure, incl. data cabling, telecomms infrastructure, electrical supplies, air-conditioning, fire protection systems
  - Manual Processes, Content and Data Storage

Situations in Which Threats Arise

Layers of Questions
  - Are your computer and its location secure?
  - Is computing secure?
  - Is network-connection secure?
  - Are networks secure?
  - Is Internet infrastructure secure?
  - Are Internet applications secure?
  - Are eCommerce applications secure?

Content Transmission Key Risks
  (1) Non-Receipt of a message by the intended recipient
  (2) Access by an unintended person or organisation
  (3) Change to the contents while in transit
  (4) Receipt of a false message
  (5) Wrongful denial

Content Transmission Security Key Requirements
  (1) Message Content Security / Confidentiality
  (2) Message Content Integrity
  (3) Authentication of the Sender and Recipient
  (4) Non-Repudiation by the Sender and Recipient

Specific Threats - by Outsiders
  - Physical Intrusion
  - Masquerade
  - Social Engineering...
  - Phishing...
  - Electronic Intrusion
  - Interception
  - Cracking / Hacking
  - Bugs, Trojans, Backdoors, Masquerade
  - Infiltration by Software with a Payload...
  ==>> Host/Server-side and User/Client-side

Infiltration by Software with a Payload
  - Software (the Vector)
    - Pre-Installed
    - User-Installed
    - Virus
    - Worm...
  - Payload
    - Trojan: Undocumented, Documented
    - Spyware: Software Monitor, Adware, Keystroke Logger...

Specific Threats - by Insiders
  - Abuse of Privilege: Hardware, Software, Data
  - Masquerade
  - Social Engineering
  - Physical Intrusion
  - Electronic Intrusion
  - Interception
  - Cracking / Hacking
  - Bugs, Trojans, Backdoors, Masquerade
  - Infiltration by Software with a Payload
  Host/Server-side and User/Client-side

The Malware Menagerie
  - Virus
  - Worm
  - Trojan Horse
  - Spyware
  - Backdoor / Trapdoor
  - Zombie
  - Exploit
  - Phishing

Technical Elements of I.T. Security
  - Physical Security: Sites, Equipment, Data, Software, Documentation
  - Logical Security: Computer Processes, Data, Software, Documentation
  - Network Security
  - Defence-in-Depth
  - Intrusion Detection

Technological and Organisational Measures
  - Legal / Contractual Context
  - Physical Access Restrictions
  - Logical Access Restrictions
  - Immediacy of Warning As To the Legality of the Action and Consequences
  - Positive Acknowledgement
  - Audit Trail of Accesses
  - Analysis and Enforcement
  Weber R. Information Systems and Control Prentice-Hall 1990 Chs 3-9 (Mgmt Ctls) and Chs (Application Ctls)

Cryptography as Magic Bullet
  - For Message Transmission Security
  - For Data Storage Security
  - For (Identity) Authentication
  Clarke R. Message Transmission Security (or 'Cryptography in Plain Text') Privacy Law & Policy Reporter 3, 2 (May 1996)
  Clarke R. The Fundamental Inadequacies of Conventional Public Key Infrastructure Proc. Conf. ECIS'2001, Bled, Slovenia, June

Access Control
  - Identification: The process whereby data is associated with a particular Identity
  - Authentication: The Process of Testing an Assertion in order to establish a level of confidence in the Assertion's reliability, incl. Authentication of Identity Assertions
  - Authorisation: The assignment of privileges to an Identity

Phases in Access Control

Tools Used for Identity Authentication
  Tool | Requirements to be Effective
  The Writing of a Signature | Signature on file, procedures
  Knowledge, especially: | Information, processes
    username/passwd pair | authorisation file
    PIN | hash of the PIN
    non-secure PIN | the PIN itself
  Tokens, including: |
    Dumb, e.g. photo-id | Clear view of the person,...
    Digital Signature, incl. SSL/TLS, Dig. Cert. | Public key, much software, PKI, much law, much faith
    Clever, e.g. chipcard | Hardware, software,...

Firewalls
  A firewall is a device interposed between a network and the Internet, which determines:
  - which incoming traffic is permitted
  - which outgoing traffic is permitted
  Types of Firewall Processing:
  - Application Layer – Proxy-Server / Gateway
  - Network Layer – Packet-Filtering Router
  - Circuit-Level (Physical Layer) Gateway

The Layers of Internet Protocols

Packet-Filtering Router
  Packets are forwarded according to filtering rules
  The rules are applied to the data available in the packet header, i.e.
  - Source IP address
  - Destination IP address
  - TCP/UDP source port
  - TCP/UDP destination port
  - ICMP message type
  - Encapsulated protocol information (TCP, UDP, ICMP or IP tunnel)

Commonly-Open Ports
  - 20, 21 (ftp) or 115 (sftp)
  - 23 (telnet) or 22 (ssh)
  - 25 (smtp)
  - 53 (dns)
  - S: 80 (http), 443 (https)
  - C: a big number (http)
  - 110 (pop)
  - 123 (ntp)
  - 161 (snmp)
  - 427 (slp)
  - 548 (afp)
  - 631 (ipp)

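Added example (not part of the original slides): a first-match packet filter in Python that applies rules to the header fields listed under Packet-Filtering Router, with ports taken from the Commonly-Open Ports list. The addresses, the rule set, the client port range of 1024 and above, and the default-deny policy are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)
CLIENT_PORTS = (1024, 65535)   # assumed range for the client-side "big number"

@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # encapsulated protocol: "tcp", "udp", "icmp", "any"
    src: str = "0.0.0.0/0"     # source network (CIDR)
    dst: str = "0.0.0.0/0"     # destination network (CIDR)
    sport: tuple = ANY_PORT    # inclusive TCP/UDP source port range
    dport: tuple = ANY_PORT    # inclusive TCP/UDP destination port range
    icmp_type: int = None      # None matches any ICMP message type

def matches(rule, pkt):
    """True when every header field of pkt satisfies the rule."""
    if rule.proto not in ("any", pkt["proto"]):
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst):
        return False
    if pkt["proto"] in ("tcp", "udp"):
        return (rule.sport[0] <= pkt["sport"] <= rule.sport[1]
                and rule.dport[0] <= pkt["dport"] <= rule.dport[1])
    if pkt["proto"] == "icmp" and rule.icmp_type is not None:
        return pkt["icmp_type"] == rule.icmp_type
    return True

def filter_packet(rules, pkt):
    """First matching rule decides; anything unmatched is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed rule set; 192.0.2.0/24 stands in for the protected network.
RULES = [
    Rule("deny", "tcp", dport=(23, 23)),                              # telnet
    Rule("permit", "tcp", dst="192.0.2.10/32", sport=CLIENT_PORTS, dport=(80, 80)),
    Rule("permit", "tcp", dst="192.0.2.10/32", sport=CLIENT_PORTS, dport=(443, 443)),
    Rule("permit", "tcp", src="198.51.100.0/24", dst="192.0.2.0/24", dport=(22, 22)),
    Rule("permit", "udp", dst="192.0.2.53/32", dport=(53, 53)),       # dns
    Rule("permit", "icmp", icmp_type=8),                              # echo request
]

def tcp(src, sport, dst, dport):
    """Build a constructed TCP header record for the filter."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}
```

Rule order matters: the telnet deny sits first so that no later permit can re-open port 23, and a packet that claims a low source port toward the web server falls through to the default deny.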
Organisational Processes
  - Users
  - Technical Operations
  - Supervisors and Managers
  - Application Developers

Summary of Key Terms
  - Threat: A circumstance that could result in Harm
  - Vulnerability: A susceptibility to a Threat
  - Threatening Event: An occurrence of a Threat
  - Safeguard: A measure to prevent, to enable detection or investigation of, or to mitigate Harm from, a Threatening Event
  - Risk: The likelihood of Harm arising from a Threat
    A measure of the likelihood and/or seriousness of Harm arising from a Threatening Event impinging on a Vulnerability and not being dealt with satisfactorily by the existing Safeguards

Security Risk Assessment Process
  Browne L. Security Risk Management Overview February

Generic Risk Management Strategies
  - Proactive Strategies: Avoidance, Deterrence, Prevention
  - Reactive Strategies: Isolation, Recovery, Transference, Insurance
  - Non-Reactive Strategies: Tolerance, Abandonment, Dignified Demise, Graceless Degradation

Costs of Risk Mitigation
  - Executive time, for assessment, planning, control
  - Consultancy time, for assessment, design
  - Operational staff time for: training, rehearsals, incident handling, backups
  - Loss of service to clients during backup time
  - Computer time for backups
  - Storage costs for on-site and off-site (fire backup) copies of software, data and log-files
  - Redundant hardware and networks
  - Contracted support from a 'hot-site' / 'warm-site'

The Legal Framework
  - Specific Laws: Security, Privacy
  - Laws with Incidental Effect
  - Pseudo-Regulation (aka Self-Regulation), in particular mere Industry Codes
  - Standards
  - Professionalism

Directly Relevant Laws – Security
  - Computer Crimes, Cybercrimes
    - Crimes Legislation Amendment Act 1989, Cybercrime Act 2001
    - Criminal Code Act 1995 Part 10.7 Computer offences
    - unauthorised access, modification or impairment
    - possession of security software ??
    - use of data encryption ??
  - Telecommunications Interception
  - Listening Devices / Surveillance Devices
  - Possible future mandatory reporting of data breaches (OFPC submission to ALRC Enquiry, August 2006)

Directly Relevant Laws – Privacy
  - Privacy Act 1988 (Cth)
    - For Fedl Govt, IPP 4 in s.14
    - For Pte Sector, NPP 4 in Schedule 3
  - Privacy / Data Protection in the States and Territories
    - Vic, NSW, ACT, NT, Tas
    - WA, SA, Qld

Incidentally Relevant Laws
  - Agencies' Own Legislation
  - Sectoral Legislation, e.g. Banking
  - Corporations Law / Directors' Responsibilities
  - ...

Australian Government Expectations
  Source: Convergence e-Business Solutions, 2004

Australian Government e-Authentication Framework (AGAF)
  - Decide what statements need to be authenticated
  - Use risk assessment techniques in order to decide on the level of assurance needed
  - From among the alternative e-authentication mechanisms, select an appropriate approach
  - Assess the impact on public policy concerns such as privacy and social equity
  - Implement
  - Evaluate

A Mini-Case Study in Forensics
  Offensive Content on an Employee's Workstation
  Relevant Sources of Insecurity include:
  - Workstation Hardware, OS and Apps
  - Internet-Connection
  - Physical Access
  - Inadequate Logical Protections
  - Software Action w/- User Knowledge
  - Malware (virus, worm, trojan)
  - Hacking (script, backdoor, zombie)
  Examination and Evidence are Essential

References
  Readings:
  - Clarke R. (2001) Introduction to Information Security
  - AUSCERT (2001) Know Thy Attacker
  - Anderson R. (2003) Trusted Computing Frequently Asked Questions
  Recommended Reading:
  - NIST (2003) Guide to Selecting Information Technology Security Products 36.pdf
  - American Bar Association Digital Signatures Guidelines – Tutorial

Additional References
  - Security
  - Information_security (techo)
  - Malware
  - Waters N. & Greenleaf G. IPPs examined: The Security Principle Privacy Law and Policy Reporter [2004] 36
  - Morison J. Computer Security -- a survey of 137 Australian agencies Privacy Law and Policy Reporter [1996] 3 PLPR 67
  - Cybercrime / Computer Crime Legislation

Additional References
  - Lehtinen R. Computer Security Basics O'Reilly
  - Weber R. Information Systems and Control Prentice-Hall 1990 Chs 3-9 (Mgmt Ctls) and Chs (Application Ctls)
  - Anderson R.J. Security Engineering: A Guide to Building Dependable Distributed Systems Wiley 2001
  - Mitnick K.D. & Simon W.L. The Art of Deception: Controlling the Human Element of Security Wiley 2002
  - Stamp M. Information Security : Principles and Practice Wiley 2006

Official Sources – Australian Govt
  - Aust Govt Online Security Mandates and Guidelines
  - Aust Govt Protective Security Manual (PSM 2005) ive_Security_Manual
  - Aust Govt Information and Communications Technology Security Manual (ACSI 33)
  - Office of the Federal Privacy Commissioner (OFPC) Info Sheet Security and Personal Information
  - SCAG Model Criminal Code, January 2001, Part 4.2 Computer Offences, pp CA256BB20083B557?OpenDocument

Official Sources – Standards and Intl
  - Aust. Standards:
    - IT - Code of practice for info security management AS 17799:2001
    - Info Security Management Systems AS/NZS :2000
    - Risk Management AS
    - Handbook for Management of IT Evidence 10 Dec 2003
  - NIST Computer Security
  - OECD Guidelines The Security of Info Systems and Networks: Towards a Culture of Security,
  - EU Commission Network and Information Security: Proposal for a European Policy Approach ments/netsec/netsec_en.doc
  - Also Council of Europe Convention on Cybercrime, 2001