Copyright, 1995-2006 1 Information Security Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce at Uni of Hong Kong, Computer Science at A.N.U. http://www.anu.edu.au/people/Roger.Clarke/ ... ... / EC/SecyMq-060914.ppt, IntroSecy.html LAW 868 – Electronic Commerce and the Law Macquarie University 14 September 2006

Page 1: Information Security

Copyright, 1995-2006

Information Security

Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce at Uni of Hong Kong, Computer Science at A.N.U.
http://www.anu.edu.au/people/Roger.Clarke/ ... / EC/SecyMq-060914.ppt, IntroSecy.html
LAW 868 – Electronic Commerce and the Law
Macquarie University – 14 September 2006

Page 2: Information Security – Agenda

1. What’s ‘Security’?
2. Dimensions of the Problem
3. Technical Elements of the Solution
4. Organisational Processes
5. The Legal Framework

Page 3: The Notion of Security

• Security is used in at least two senses:
  • a condition in which harm does not arise, despite the occurrence of threatening events
  • a set of safeguards whose purpose is to achieve that condition
• Key Concepts: Harm, Threatening Event, Safeguard

Page 4: Security writ Broad

• Security of Service
  • Reliability
  • Robustness
  • Resilience
  • Accessibility
  • Usability
• Security of Investment
  • Business Survivability

Page 5: Information Security

• Data Quality
• Data Accessibility
  • by those who should
  • by others
• Data Usability

Page 6: Data Life-Cycle

[Diagram: stages around the Corp. Database – Provision, Collection, Capture, Filtering, Processing, Storage, Use, Disclosure, Access]

Page 7: 2. Dimensions of the Problem

• Threatening Events
  • Natural, Accidental, Intentional
• Harm that results
• Situations in which Threats arise
• Countermeasures
• Counter-Countermeasures

Page 8: Categories of Threatening Event

• Natural Threats, i.e. Acts of God or Nature
• Accidental Threats:
  • By Humans who are directly involved
  • By other Humans
  • By Machines and machine-designers
• Intentional Threats:
  • By Humans who are directly involved
  • By other Humans

Page 9: Categories of Harm

• Personal Injury
• Property Damage
• Data Loss, Alteration, Access or Replication
• Asset Value Loss
• Reputation or Confidence Loss
• Financial Loss
• Opportunity Cost

Page 10: Situations in Which Threats Arise

• Computing and Comms Facilities, incl.
  • Data Storage
  • Software
  • Data Transmission
  of:
  • The Organisation
  • Service Providers
  • Users
  • Others
• Physical Premises housing relevant facilities
• Supporting Infrastructure, incl. data cabling, telecomms infrastructure, electrical supplies, air-conditioning, fire protection systems
• Manual Processes, Content and Data Storage

Page 11: Situations in Which Threats Arise

[Diagram: Corp. Wkstns and Corp. Servers connected via The Internet to Corporations, Government Agencies, Individuals, Bots, . . .]

Page 12: Layers of Questions

• Are your computer and its location secure?
• Is computing secure?
• Is network-connection secure?
• Are networks secure?
• Is Internet infrastructure secure?
• Are Internet applications secure?
• Are eCommerce applications secure?

Page 13: Content Transmission Key Risks

(1) Non-Receipt of a message by the intended recipient
(2) Access by an unintended person or organisation
(3) Change to the contents while in transit
(4) Receipt of a false message
(5) Wrongful denial

Page 14: Content Transmission Security Key Requirements

(1) Message Content Security / ‘Confidentiality’
(2) Message Content Integrity
(3) Authentication of the Sender and Recipient
(4) ‘Non-Repudiation’ by the Sender and Recipient
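The following is an added example, not part of the slides, showing how one mechanism, a keyed message authentication code (HMAC-SHA256 from the Python standard library), addresses requirements (2) and (3) against risks (3) and (4): the recipient detects both a message altered in transit and a false message produced without the shared key. The message text and the shared key are constructed sample values.

```python
"""Message content integrity and sender authentication with an HMAC.

Added example, not from the slides. Uses only the Python standard library.
"""
import hashlib
import hmac

# Constructed sample key, agreed by sender and recipient in advance (hypothetical value).
SHARED_KEY = b"constructed-demo-key-0001"


def protect(message: bytes, key: bytes) -> tuple:
    """Sender side: attach an HMAC-SHA256 tag computed over the whole message."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message, tag


def verify(message: bytes, tag: bytes, key: bytes) -> bool:
    """Recipient side: recompute the tag and compare it in constant time.

    A mismatch means either the content changed in transit (requirement (2),
    integrity) or the tag was made by someone without the key (requirement (3),
    authentication of the sender).
    """
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """The three cases a recipient must distinguish, keyed by case name."""
    results = {}
    msg, tag = protect(b"Transfer 100 to account 42", SHARED_KEY)
    results["genuine"] = verify(msg, tag, SHARED_KEY)

    # Risk (3): content changed in transit while the tag is left untouched.
    altered = msg.replace(b"100", b"900")
    results["altered"] = verify(altered, tag, SHARED_KEY)

    # Risk (4): a false message from a party who does not hold the shared key.
    forged_msg, forged_tag = protect(b"Transfer 100 to account 99", b"some-other-key")
    results["forged"] = verify(forged_msg, forged_tag, SHARED_KEY)
    return results


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'altered': False, 'forged': False}
```

Note what the tag does not cover: the message still travels in clear, so requirement (1), confidentiality, needs encryption; risk (1), non-receipt, needs an acknowledgement from the recipient; and because both parties hold the same key, either of them could have produced the tag, so requirement (4), non-repudiation, is not met by a shared-key MAC and needs a digital signature under a key only the sender holds.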

Page 15: Specific Threats - by Outsiders

• Physical Intrusion
• Masquerade
• Social Engineering
  • ...
  • Phishing
  • ...
• Electronic Intrusion
  • Interception
  • Cracking / ‘Hacking’
  • Bugs, Trojans, Backdoors, Masquerade
  • Infiltration by Software with a Payload
  • ... ==>>

Host/Server-side and User/Client-side

Page 16: Infiltration by Software with a Payload

Software (the ‘Vector’)
• Pre-Installed
• User-Installed
• Virus
• Worm
• ...

Payload
• Trojan:
  • Undocumented
  • Documented
• Spyware:
  • Software Monitor
  • Adware
  • Keystroke Logger
  • ...

Page 17: Specific Threats - by Insiders

• Abuse of Privilege
  • Hardware
  • Software
  • Data
• Masquerade
• Social Engineering
• Physical Intrusion
• Electronic Intrusion
  • Interception
  • Cracking / ‘Hacking’
  • Bugs, Trojans, Backdoors, Masquerade
  • Infiltration by Software with a Payload

Host/Server-side and User/Client-side

Page 18: The Malware Menagerie

• Virus
• Worm
• Trojan Horse
• Spyware
• Backdoor / Trapdoor
• Zombie
• Exploit
• Phishing

Page 19: 3. Technical Elements of I.T. Security

• Physical Security:
  • Sites
  • Equipment
  • Data
  • Software
  • Documentation
• Logical Security:
  • Computer Processes
  • Data
  • Software
  • Documentation
• Network Security
• Defence-in-Depth
• Intrusion Detection

Page 20: Technological and Organisational Measures

• Legal / Contractual Context
• Physical Access Restrictions
• Logical Access Restrictions
• Immediacy of Warning As To the Legality of the Action and Consequences
• Positive Acknowledgement
• Audit Trail of Accesses
• Analysis and Enforcement

http://www.anu.edu.au/people/Roger.Clarke/DV/PaperICAC.html

Weber R. ‘Information Systems and Control’ Prentice-Hall 1990, Chs 3-9 (Mgmt Ctls) and Chs 10-15 (Application Ctls)

Page 21: Cryptography as Magic Bullet

• For Message Transmission Security
• For Data Storage Security
• For (Identity) Authentication

Clarke R. ‘Message Transmission Security (or 'Cryptography in Plain Text')’ Privacy Law & Policy Reporter 3, 2 (May 1996) 24-27, http://www.anu.edu.au/people/Roger.Clarke/II/CryptoSecy.html

Clarke R. ‘The Fundamental Inadequacies of Conventional Public Key Infrastructure’ Proc. Conf. ECIS'2001, Bled, Slovenia, 27-29 June 2001, http://www.anu.edu.au/people/Roger.Clarke/II/ECIS2001.html

Page 22: Access Control

Identification
The process whereby data is associated with a particular Identity

Authentication
The Process of Testing an Assertion in order to establish a level of confidence in the Assertion’s reliability, incl. Authentication of Identity Assertions

Authorisation
The assignment of privileges to an Identity

Page 23: Phases in Access Control

[Diagram elements: Pre-Authentication of Evidence of Identity or Attribute; Register of Authenticators; Authentication using the Issued Authenticator; Permissions Store or Access Control List; Authorisation; Access Control]

Page 24: Tools Used for Identity Authentication

Tool                                             | Requirements to be Effective
• The Writing of a Signature                     | Signature on file, procedures
• Knowledge, especially:                         | Information, processes
    • username/passwd pair                       | authorisation file
    • PIN                                        | hash of the PIN
    • non-secure ‘PIN’                           | the ‘PIN’ itself
• Tokens, including:                             |
    • Dumb, e.g. ‘photo-id’                      | Clear view of the person, ...
    • Digital Signature, incl. SSL/TLS, Dig. Cert. | Public key, much software, PKI, much law, much faith
    • Clever, e.g. chipcard                      | Hardware, software, ...
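The following is an added example, not part of the slides, that puts the phases of Pages 22-24 and the audit-trail measure of Page 20 into one small access-control component: a Register of Authenticators that holds a salted hash of the PIN (never the PIN itself), authentication as a test of the identity assertion, authorisation against a Permissions Store, and an Audit Trail entry for every decision so that analysis and enforcement have something to work from. Identities, PINs and privileges are constructed; the PBKDF2 work factor is an assumption.

```python
"""Phases of access control on one host: issue an authenticator, authenticate an
identity assertion, authorise against a permissions store, keep an audit trail.

Added example, not part of the slides. Identities, PINs and privileges are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000   # assumed work factor for the PIN hash


@dataclass
class AccessControl:
    # Register of Authenticators: identity -> (salt, hash of the PIN). The PIN itself is never stored.
    authenticators: dict = field(default_factory=dict)
    # Permissions Store / Access Control List: identity -> set of permitted actions.
    acl: dict = field(default_factory=dict)
    # Audit Trail of Accesses: (identity, action, outcome) for every decision, permitted or not.
    audit_trail: list = field(default_factory=list)

    def register(self, identity: str, pin: str, privileges: set) -> None:
        """Called once pre-authentication of the evidence of identity has been done out of
        band: issue the authenticator (store a salted hash) and assign privileges."""
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        self.authenticators[identity] = (salt, digest)
        self.acl[identity] = set(privileges)

    def authenticate(self, identity: str, pin: str) -> bool:
        """Test the assertion 'I am <identity>' against the issued authenticator."""
        record = self.authenticators.get(identity)
        if record is None:
            return False          # unknown identity: nothing to test the assertion against
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, stored)

    def authorise(self, identity: str, action: str) -> bool:
        """Does the permissions store assign this privilege to this identity?"""
        return action in self.acl.get(identity, set())

    def access(self, identity: str, pin: str, action: str) -> bool:
        """Identification (the claimed identity), then authentication, then authorisation;
        every outcome is written to the audit trail."""
        if not self.authenticate(identity, pin):
            outcome = "denied: authentication failed"
        elif not self.authorise(identity, action):
            outcome = "denied: not authorised"
        else:
            outcome = "permitted"
        self.audit_trail.append((identity, action, outcome))
        return outcome == "permitted"


def demo() -> tuple:
    """Returns (decisions, audit trail) for four constructed access attempts."""
    ac = AccessControl()
    ac.register("alice", "4821", {"read"})
    ac.register("bob", "9034", {"read", "write"})
    decisions = [
        ac.access("alice", "4821", "read"),   # permitted
        ac.access("alice", "4821", "write"),  # denied: alice holds no write privilege
        ac.access("bob", "0000", "write"),    # denied: wrong PIN
        ac.access("carol", "1234", "read"),   # denied: no authenticator registered for carol
    ]
    return decisions, ac.audit_trail


if __name__ == "__main__":
    decisions, trail = demo()
    for entry in trail:
        print(entry)
```

The trail records failed attempts as well as successes, which is what makes the later analysis step on Page 20 possible: a run of "authentication failed" entries against one identity is the kind of pattern that review should pick up.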

Page 25: Firewalls

• A firewall is a device interposed between a network and the Internet, which determines:
  • which incoming traffic is permitted
  • which outgoing traffic is permitted
• Types of Firewall Processing:
  • Application Layer – Proxy-Server / Gateway
  • Network Layer – Packet-Filtering Router
  • Circuit-Level (Physical Layer) Gateway

Page 26: The Layers of Internet Protocols

[Diagram elements: Repeater or Hub; Bridge or Switch; Physical Layer; Physical Medium – Coax, Twisted-Pair, ADSL; Gateway, Proxy-Server, Network Cache]

Page 27: Packet-Filtering Router

• Packets are forwarded according to filtering rules
• The rules are applied to the data available in the packet header, i.e.
  • Source IP address
  • Destination IP address
  • TCP/UDP source port
  • TCP/UDP destination port
  • ICMP message type
  • Encapsulated protocol information (TCP, UDP, ICMP or IP tunnel)

Page 28: Commonly-Open Ports

• 20, 21 (ftp) or 115 (sftp)
• 23 (telnet) or 22 (ssh)
• 25 (smtp)
• 53 (dns)
• S (server-side): 80 (http), 443 (https)
• C (client-side): a big number (http)
• 110 (pop)
• 123 (ntp)
• 161 (snmp)
• 427 (slp)
• 548 (afp)
• 631 (ipp)
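The following is an added example, not part of the slides, of the packet-filtering router described on Page 27 applied to a few of the ports listed on Page 28. Rules look only at the header fields the slide names (source and destination address, protocol, destination port, ICMP message type), the first matching rule wins, and anything no rule matches is dropped. The addresses (from the RFC 5737 documentation ranges), the rule set and the sample packets are constructed.

```python
"""Packet-filtering rules evaluated against packet-header fields only.

Added example, not part of the slides. Addresses, rules and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter can see; the payload is never inspected."""
    src: str
    dst: str
    protocol: str                    # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None   # TCP/UDP only
    dst_port: Optional[int] = None   # TCP/UDP only
    icmp_type: Optional[int] = None  # ICMP only


@dataclass(frozen=True)
class Rule:
    """One filtering rule; a field left as None matches anything."""
    action: str                      # "permit" or "deny"
    protocol: Optional[str] = None
    src: Optional[str] = None        # CIDR, e.g. "198.51.100.0/24"
    dst: Optional[str] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def filter_packet(rules, p: Packet) -> str:
    """First matching rule decides; a packet no rule matches is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed inbound rule set for the network 192.0.2.0/24, whose public web server
# is 192.0.2.10. Order matters: the block on 198.51.100.0/24 precedes the permits.
INBOUND_RULES = [
    Rule("deny", src="198.51.100.0/24"),                       # a source network that is blocked
    Rule("permit", "tcp", dst="192.0.2.10/32", dst_port=80),    # S: 80 (http) on the server only
    Rule("permit", "tcp", dst="192.0.2.10/32", dst_port=443),   # S: 443 (https) on the server only
    Rule("permit", "icmp", dst="192.0.2.0/24", icmp_type=8),    # echo request to any host
]


def demo() -> list:
    """Apply the rule set to constructed packets; returns the decisions in order."""
    packets = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 51234, 443),    # permit: https to the web server
        Packet("203.0.113.5", "192.0.2.10", "tcp", 51235, 23),     # deny: telnet is not opened inbound
        Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 80),    # deny: blocked source precedes the http permit
        Packet("203.0.113.9", "192.0.2.20", "icmp", icmp_type=8),  # permit: echo request
        Packet("203.0.113.9", "192.0.2.10", "udp", 5000, 161),     # deny: snmp is not opened from outside
    ]
    return [filter_packet(INBOUND_RULES, p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Because only headers are examined, a permitted port says nothing about what is carried over it; that is the limit the Application Layer proxy on Page 25 exists to address.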

Page 29: 4. Organisational Processes

• Users
• Technical Operations
• Supervisors and Managers
• Application Developers

Page 30: Summary of Key Terms

• Threat – A circumstance that could result in Harm
• Vulnerability – A susceptibility to a Threat
• Threatening Event – An occurrence of a Threat
• Safeguard – A measure to prevent, to enable detection or investigation of, or to mitigate Harm from, a Threatening Event
• Risk – “The likelihood of Harm arising from a Threat”; a measure of the likelihood and/or seriousness of Harm arising from a Threatening Event impinging on a Vulnerability and not being dealt with satisfactorily by the existing Safeguards

Page 31: Security Risk Assessment Process

[Diagram: stages in sequence – Scope Definition, Threat Assessment, Vulnerability Assessment, Risk Assessment, Risk Mngt Strategy and Security Plan, Security Plan Implement’n, Security Audit]

Browne L. ‘Security Risk Management Overview’ February 2004, http://www.unsw.adfa.edu.au/~lpb/......seminars/auugsec04.html
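The following is an added example, not part of the slides, that turns the Page 30 definition of Risk into a small risk register for the Risk Assessment stage of Page 31: each item pairs a Threat with the Vulnerability it would impinge on, scores likelihood and seriousness of the resulting Harm, and discounts by how far the existing Safeguard deals with the event satisfactorily. The 1-5 scales, the effectiveness factor, the tolerance value and the register entries are all constructed.

```python
"""Risk assessment in the slides' vocabulary: Threat, Vulnerability, Threatening Event,
Safeguard and Risk.

Added example, not part of the slides. Scales, effectiveness factors and the sample
register are constructed.
"""
from dataclasses import dataclass


@dataclass
class RiskItem:
    threat: str               # a circumstance that could result in Harm
    vulnerability: str        # the susceptibility the Threatening Event would impinge on
    likelihood: int           # 1 (rare) .. 5 (almost certain) that the Threatening Event occurs
    seriousness: int          # 1 (negligible) .. 5 (severe) Harm if it does
    safeguard: str            # the existing measure, if any
    safeguard_effect: float   # 0.0 (no effect) .. 1.0 (deals with the event fully)

    def inherent_risk(self) -> int:
        """Likelihood and seriousness of Harm with no safeguard in place."""
        return self.likelihood * self.seriousness

    def residual_risk(self) -> float:
        """The share of the inherent risk the existing safeguard does not deal with."""
        return round(self.inherent_risk() * (1.0 - self.safeguard_effect), 1)


def assess(register: list, tolerance: float) -> list:
    """Risk Assessment stage: rank the register by residual risk and flag each item that
    still exceeds the tolerance fixed at Scope Definition, so the Risk Mngt Strategy
    can concentrate on those. Returns (threat, residual risk, above tolerance) tuples."""
    ranked = sorted(register, key=lambda item: item.residual_risk(), reverse=True)
    return [(item.threat, item.residual_risk(), item.residual_risk() > tolerance) for item in ranked]


# Constructed sample register; the values are illustrative, not measured.
SAMPLE_REGISTER = [
    RiskItem("Malware via e-mail attachment", "users open attachments", 4, 4, "mail filtering and anti-virus", 0.6),
    RiskItem("Power failure", "single electrical supply", 3, 3, "UPS", 0.8),
    RiskItem("Insider abuse of privilege", "shared administrator account", 2, 5, "none", 0.0),
    RiskItem("Fire", "single site for data and backups", 1, 5, "off-site backup copies", 0.7),
]


def demo() -> list:
    """A tolerance of 5.0 is a constructed Scope Definition decision."""
    return assess(SAMPLE_REGISTER, tolerance=5.0)


if __name__ == "__main__":
    for threat, residual, above in demo():
        print(f"{residual:5.1f}  {'act' if above else 'accept'}  {threat}")
```

The ranking is what changes once safeguards are counted: the power failure has a larger inherent score than the insider case, but the UPS leaves little residual, while the unsafeguarded shared account keeps its full score and heads the list.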

Page 32: Generic Risk Management Strategies

• Proactive Strategies
  • Avoidance
  • Deterrence
  • Prevention
• Reactive Strategies
  • Isolation
  • Recovery
  • Transference
  • Insurance
• Non-Reactive Strategies
  • Tolerance
  • Abandonment
  • Dignified Demise
  • Graceless Degradation

Page 33: Costs of Risk Mitigation

• Executive time, for assessment, planning, control
• Consultancy time, for assessment, design
• Operational staff time for:
  • training, rehearsals, incident handling, backups
• Loss of service to clients during backup time
• Computer time for backups
• Storage costs for on-site and off-site (‘fire backup’) copies of software, data and log-files
• Redundant hardware and networks
• Contracted support from a 'hot-site' / 'warm-site'

Page 34: 5. The Legal Framework

• Specific Laws
  • Security
  • Privacy
• Laws with Incidental Effect
• Pseudo-Regulation (aka Self-Regulation), in particular mere ‘Industry Codes’
• Standards
• Professionalism

Page 35: Directly Relevant Laws – Security

• Computer Crimes, ‘Cybercrimes’
  Crimes Legislation Amendment Act 1989, Cybercrime Act 2001
  Criminal Code Act 1995 Part 10.7 — Computer offences
  http://www.austlii.edu.au/au/legis/cth/consol_act/cca1995115/sch1.html
  • unauthorised access, modification or impairment
  • possession of security software ??
  • use of data encryption ??
• Telecommunications Interception
• Listening Devices / Surveillance Devices
• Possible future mandatory reporting of data breaches (OFPC submission to ALRC Enquiry, August 2006)

Page 36: Directly Relevant Laws – Privacy

http://www.privacy.org.au/Resources/PLawsClth.html
http://www.privacy.org.au/Resources/PLawsST.html

Privacy Act 1988 (Cth)
• For Fed’l Govt, IPP 4 in s.14
  http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s14.html
• For Pte Sector, NPP 4 in Schedule 3
  http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/sch3.html

Privacy / Data Protection in the States and Territories
• Vic, NSW, ACT, NT, Tas
• WA, SA, Qld

Page 37: Incidentally Relevant Laws

• Agencies’ Own Legislation
• Sectoral Legislation, e.g. Banking
• Corporations Law / Directors’ Responsibilities
• ...

Page 38: Australian Government Expectations

Source: Convergence e-Business Solutions, 2004

Page 39: Australian Government e-Authentication Framework (AGAF)

http://www.agimo.gov.au/infrastructure/authentication/agaf

• Decide what statements need to be authenticated
• Use risk assessment techniques in order to decide on the level of assurance needed
• From among the alternative e-authentication mechanisms, select an appropriate approach
• Assess the impact on public policy concerns such as privacy and social equity
• Implement
• Evaluate

Page 40: A Mini-Case Study in Forensics – Offensive Content on an Employee’s Workstation

• Relevant Sources of Insecurity include:
  • Workstation Hardware, OS and Apps
  • Internet-Connection
  • Physical Access
  • Inadequate Logical Protections
  • Software Action w/- User Knowledge
  • Malware (virus, worm, trojan)
  • ‘Hacking’ (script, backdoor, zombie)
• Examination and Evidence are Essential

http://www.anu.edu.au/people/Roger.Clarke/II/OffIm0511.html


Page 43: References

Readings:
• Clarke R. (2001) ‘Introduction to Information Security’ http://www.anu.edu.au/people/Roger.Clarke/EC/IntroSecy.html
• AUSCERT (2001) ‘Know Thy Attacker’ http://www.auscert.org.au/download.html?f=7&it=2000&cid=
• Anderson R. (2003) ‘‘Trusted’ Computing Frequently Asked Questions’ http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

Recommended Reading:
• NIST (2003) ‘Guide to Selecting Information Technology Security Products’ http://csrc.nist.gov/publications/nistpubs/800-36/NIST-SP800-36.pdf
• American Bar Association ‘Digital Signatures Guidelines – Tutorial’ http://www.abanet.org/scitech/ec/isc/dsg-tutorial.html

Page 44: Additional References

• http://en.wikipedia.org/wiki/...
  • Security
  • Information_security (techo)
  • Malware
• Waters N. & Greenleaf G. ‘IPPs examined: The Security Principle’ Privacy Law and Policy Reporter [2004] 36 http://www.austlii.edu.au/au/journals/PLPR/2004/36.html
• Morison J. ‘Computer Security -- a survey of 137 Australian agencies’ Privacy Law and Policy Reporter [1996] 3 PLPR 67 http://www.austlii.edu.au//au/journals/PLPR/1996/41.html
• Cybercrime / Computer Crime Legislation http://www.efa.org.au/Issues/Privacy/cybercrimeact.html

Page 45: Additional References

• Lehtinen R. ‘Computer Security Basics’ O'Reilly 2006 http://safari.oreilly.com/0596006691?tocview=true
• Weber R. ‘Information Systems and Control’ Prentice-Hall 1990, Chs 3-9 (Mgmt Ctls) and Chs 10-15 (Application Ctls)
• Anderson R.J. ‘Security Engineering: A Guide to Building Dependable Distributed Systems’ Wiley 2001
• Mitnick K.D. & Simon W.L. ‘The Art of Deception: Controlling the Human Element of Security’ Wiley 2002
• Stamp M. ‘Information Security: Principles and Practice’ Wiley 2006

Page 46: Official Sources – Australian Govt

• Aust Govt Online Security Mandates and Guidelines http://www.agimo.gov.au/infrastructure/government
• Aust Govt Protective Security Manual (PSM 2005) http://www.ag.gov.au/agd/WWW/protectivesecurityhome.nsf/Page/Protective_Security_Manual
• Aust Govt Information and Communications Technology Security Manual (ACSI 33) http://www.dsd.gov.au/library/infosec/acsi33.html
• Office of the Federal Privacy Commissioner (OFPC) Info Sheet 6 - 2001 ‘Security and Personal Information’ http://www.privacy.gov.au/publications/IS6_01.html
• SCAG ‘Model Criminal Code’, January 2001, Part 4.2 ‘Computer Offences’, pp. 87-199 http://www.ag.gov.au/agd/www/Agdhome.nsf/Page/RWPA93DBE7859B79635CA256BB20083B557?OpenDocument

Page 47: Official Sources – Standards and Int’l

• Aust. Standards:
  • ‘IT - Code of practice for info security management’ AS 17799:2001
  • ‘Info Security Management Systems’ AS/NZS 7799.2:2000
  • ‘Risk Management’ AS4360 1999
  • ‘Handbook for Management of IT Evidence’ 10 Dec 2003
• NIST Computer Security http://csrc.nist.gov/publications/nistpubs/
• OECD Guidelines ‘The Security of Info Systems and Networks: Towards a Culture of Security’, 2002 http://www.oecd.org/dataoecd/16/22/15582260.pdf
• EU Commission ‘Network and Information Security: Proposal for a European Policy Approach’ 2002 http://europa.eu.int/information_society/eeurope/2002/news_library/documents/netsec/netsec_en.doc Also http://europa.eu/scadplus/leg/en/lvb/l24121.htm
• Council of Europe ‘Convention on Cybercrime’, 2001

Page 48: Information Security

Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce at Uni of Hong Kong, Computer Science at A.N.U.
http://www.anu.edu.au/people/Roger.Clarke/ ... / EC/SecyMq-060914.ppt, IntroSecy.html
LAW 868 – Electronic Commerce and the Law
Macquarie University – 14 September 2006