Copyright, 1995-2006
1
Information Security
Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce at Uni of Hong Kong, Computer Science at A.N.U.
http://www.anu.edu.au/people/Roger.Clarke/ ...
... / EC/SecyMq-060914.ppt, IntroSecy.html
LAW 868 – Electronic Commerce and the Law
Macquarie University – 14 September 2006
Information Security: Agenda
1. What's 'Security'?
2. Dimensions of the Problem
3. Technical Elements of the Solution
4. Organisational Processes
5. The Legal Framework
The Notion of Security
• Security is used in at least two senses:
  • a condition in which harm does not arise, despite the occurrence of threatening events
  • a set of safeguards whose purpose is to achieve that condition
• Key Concepts: Harm, Threatening Event, Safeguard
Security writ Broad
• Security of Service
  • Reliability
  • Robustness
  • Resilience
  • Accessibility
  • Usability
• Security of Investment
  • Business Survivability
Information Security
• Data Quality
• Data Accessibility
  • by those who should have it (availability)
  • and not by others (confidentiality)
• Data Usability
Data Life-Cycle
(diagram of the stages around a Corporate Database:)
• Provision
• Collection
• Capture
• Filtering
• Processing
• Storage
• Use
• Disclosure
• Access
2. Dimensions of the Problem
• Threatening Events
  • Natural, Accidental, Intentional
• Harm that results
• Situations in which Threats arise
• Countermeasures
• Counter-Countermeasures
Categories of Threatening Event
• Natural Threats, i.e. Acts of God or Nature
• Accidental Threats:
  • By Humans who are directly involved
  • By other Humans
  • By Machines and machine-designers
• Intentional Threats:
  • By Humans who are directly involved
  • By other Humans
Categories of Harm
• Personal Injury
• Property Damage
• Data Loss, Alteration, Access or Replication
• Asset Value Loss
• Reputation or Confidence Loss
• Financial Loss
• Opportunity Cost
Situations in Which Threats Arise
• Computing and Comms Facilities, incl. Data Storage, Software and Data Transmission, of:
  • The Organisation
  • Service Providers
  • Users
  • Others
• Physical Premises housing relevant facilities
• Supporting Infrastructure, incl. data cabling, telecomms infrastructure, electrical supplies, air-conditioning, fire protection systems
• Manual Processes, Content and Data Storage
Situations in Which Threats Arise
(diagram: Corp. Workstations and Corp. Servers connected through The Internet to Corporations, Government Agencies, Individuals, Bots, ...)
Layers of Questions
• Are your computer and its location secure?
• Is computing secure?
• Is network-connection secure?
• Are networks secure?
• Is Internet infrastructure secure?
• Are Internet applications secure?
• Are eCommerce applications secure?
Content Transmission: Key Risks
(1) Non-Receipt of a message by the intended recipient
(2) Access by an unintended person or organisation
(3) Change to the contents while in transit
(4) Receipt of a false message
(5) Wrongful denial
Content Transmission Security: Key Requirements
(1) Message Content Security / 'Confidentiality'
(2) Message Content Integrity
(3) Authentication of the Sender and Recipient
(4) 'Non-Repudiation' by the Sender and Recipient
Specific Threats – by Outsiders
• Physical Intrusion
• Masquerade
• Social Engineering
  • ...
  • Phishing
  • ...
• Electronic Intrusion
  • Interception
  • Cracking / 'Hacking'
  • Bugs, Trojans, Backdoors, Masquerade
  • Infiltration by Software with a Payload (expanded on the next slide)
  • ...
Both Host/Server-side and User/Client-side
Infiltration by Software with a Payload
Software (the 'Vector'):
• Pre-Installed
• User-Installed
• Virus
• Worm
• ...
Payload:
• Trojan:
  • Undocumented
  • Documented
• Spyware:
  • Software Monitor
  • Adware
  • Keystroke Logger
  • ...
Specific Threats – by Insiders
• Abuse of Privilege
  • Hardware
  • Software
  • Data
• Masquerade
• Social Engineering
• Physical Intrusion
• Electronic Intrusion
  • Interception
  • Cracking / 'Hacking'
  • Bugs, Trojans, Backdoors, Masquerade
  • Infiltration by Software with a Payload
Both Host/Server-side and User/Client-side
The Malware Menagerie
• Virus
• Worm
• Trojan Horse
• Spyware
• Backdoor / Trapdoor
• Zombie
• Exploit
• Phishing (strictly a social-engineering technique rather than malware, but a common delivery route for it)
3. Technical Elements of I.T. Security
• Physical Security:
  • Sites
  • Equipment
  • Data
  • Software
  • Documentation
• Logical Security:
  • Computer Processes
  • Data
  • Software
  • Documentation
• Network Security
• Defence-in-Depth
• Intrusion Detection
Technological and Organisational Measures
• Legal / Contractual Context
• Physical Access Restrictions
• Logical Access Restrictions
• Immediacy of Warning As To the Legality of the Action and Consequences
• Positive Acknowledgement
• Audit Trail of Accesses
• Analysis and Enforcement
http://www.anu.edu.au/people/Roger.Clarke/DV/PaperICAC.html
Weber R. 'Information Systems and Control' Prentice-Hall 1990, Chs 3-9 (Mgmt Ctls) and Chs 10-15 (Application Ctls)
Cryptography as Magic Bullet
• For Message Transmission Security
• For Data Storage Security
• For (Identity) Authentication
Clarke R. 'Message Transmission Security (or 'Cryptography in Plain Text')' Privacy Law & Policy Reporter 3, 2 (May 1996) 24-27 http://www.anu.edu.au/people/Roger.Clarke/II/CryptoSecy.html
Clarke R. 'The Fundamental Inadequacies of Conventional Public Key Infrastructure' Proc. Conf. ECIS'2001, Bled, Slovenia, 27-29 June 2001 http://www.anu.edu.au/people/Roger.Clarke/II/ECIS2001.html
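The risks and requirements on the two Content Transmission slides, and the 'magic bullet' caution on this one, can be made concrete with a shared-key message authentication code. The following is an added example in Python, not code from the original slides; the message format, the peer names and the sample traffic are constructed. It shows that an HMAC over the message satisfies requirement (2), integrity, and gives the recipient requirement (3), authentication of the sender, so that risks (3) and (4) are detected and a replayed genuine message is recognised. It also shows what the MAC cannot do: requirement (4), non-repudiation, fails because the recipient holds the same key and can fabricate a message that verifies exactly as the sender's would.

```python
"""Added worked example (not from the original slides): what a shared-key
MAC does and does not buy against the content-transmission risks listed
earlier.  Peer names, the wire format and the traffic are constructed."""
import hmac
import hashlib
import json
import secrets

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def protect(key: bytes, sender: str, seq: int, body: str) -> bytes:
    """Build a wire message: canonical JSON (header + body) followed by an
    HMAC-SHA256 tag over those bytes.  The sequence number sits inside the
    authenticated region, so a replayed message can be recognised."""
    payload = json.dumps({"from": sender, "seq": seq, "body": body},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


class Receiver:
    """Verifies messages from one peer under a shared key and rejects any
    sequence number it has already accepted."""

    def __init__(self, key: bytes, expected_sender: str):
        self.key = key
        self.expected_sender = expected_sender
        self.seen = set()

    def accept(self, wire: bytes):
        if len(wire) <= TAG_LEN:
            return None, "malformed"
        payload, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        # compare_digest avoids leaking the position of the first mismatch
        # through response timing.
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"      # risk (3) altered or (4) forged
        msg = json.loads(payload)
        if msg["from"] != self.expected_sender:
            return None, "wrong sender"
        if msg["seq"] in self.seen:
            return None, "replay"       # a re-sent genuine message
        self.seen.add(msg["seq"])
        return msg, "ok"


def demo():
    key = secrets.token_bytes(32)       # assumed to be shared out-of-band
    alice_out = protect(key, "alice", 1, "pay 100 to bob")
    bob = Receiver(key, "alice")
    results = {}
    results["genuine"] = bob.accept(alice_out)[1]
    # Risk (3): change in transit.  Flip one digit of the amount; the JSON
    # stays well-formed but the tag no longer matches.
    tampered = bytearray(alice_out)
    tampered[alice_out.index(b"100")] = ord("9")
    results["tampered"] = bob.accept(bytes(tampered))[1]
    # Risk (4): a false message from someone who does not hold the key.
    forged = protect(secrets.token_bytes(32), "alice", 2, "pay 900 to eve")
    results["forged"] = bob.accept(forged)[1]
    # Replay of the genuine message is caught by the sequence number.
    results["replay"] = bob.accept(alice_out)[1]
    # Risk (5): a shared key cannot prove WHO wrote a message.  Bob, holding
    # the same key, produces a message in Alice's name that any verifier
    # with that key accepts; Alice can therefore repudiate real messages
    # and Bob can fabricate them.
    bob_forgery = protect(key, "alice", 3, "pay 900 to bob")
    results["repudiable"] = Receiver(key, "alice").accept(bob_forgery)[1]
    return results
```

Requirement (1), confidentiality, is not addressed here at all; it needs encryption, in practice an authenticated-encryption mode rather than a MAC bolted on separately. Non-repudiation needs an asymmetric signature, which brings in the key-distribution and PKI problems the second paper above discusses; that is the sense in which cryptography is not a magic bullet.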
Access Control
• Identification: the process whereby data is associated with a particular Identity
• Authentication: the process of testing an Assertion in order to establish a level of confidence in the Assertion's reliability, incl. Authentication of Identity Assertions
• Authorisation: the assignment of privileges to an Identity
Phases in Access Control
(diagram; the boxes, in sequence:)
• Pre-Authentication of Evidence of Identity or Attribute, feeding a Register of Authenticators
• Authentication using the Issued Authenticator
• Authorisation against a Permissions Store or Access Control List
• Access Control
Tools Used for Identity Authentication
Tool | Requirements to be Effective
• The Writing of a Signature | Signature on file, procedures
• Knowledge, especially: | Information, processes
  • username/passwd pair | authorisation file
  • PIN | hash of the PIN
  • non-secure 'PIN' | the 'PIN' itself
• Tokens, including: |
  • Dumb, e.g. 'photo-id' | Clear view of the person, ...
  • Digital Signature, incl. SSL/TLS, Dig. Cert. | Public key, much software, PKI, much law, much faith
  • Clever, e.g. chipcard | Hardware, software, ...
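The three steps defined two slides earlier, together with the 'register of authenticators' and 'permissions store' of the phases diagram, in one small Python program. This is an added example, not code from the original slides; the user name, the PIN, the PBKDF2 work factor and the ACL contents are constructed for illustration. The 'hash of the PIN' requirement in the table above is met with a salted, stretched hash; because a PIN space is tiny, the example also locks the account after repeated failures, which is the control that actually makes a hashed PIN defensible.

```python
"""Added worked example (not from the original slides): identification,
authentication and authorisation with a register of authenticators and a
permissions store.  Names, PIN, work factor and ACL are constructed."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000   # assumed work factor; tune to the hardware
MAX_FAILURES = 5          # lock out on guessing: a 4-digit PIN has 10^4 values


class AccessControl:
    def __init__(self):
        self.register = {}  # identity -> salt, hash, failures (Register of Authenticators)
        self.acl = {}       # resource -> {identity: set(privileges)} (Permissions Store)

    # --- Pre-authentication / enrolment ---------------------------------
    def enrol(self, identity: str, secret: str):
        """Store only a salted, stretched hash of the secret, never the secret."""
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
        self.register[identity] = {"salt": salt, "hash": digest, "failures": 0}

    # --- Authentication of the identity assertion -----------------------
    def authenticate(self, identity: str, secret: str) -> bool:
        rec = self.register.get(identity)
        if rec is None:
            # Unknown identity: do the same amount of hashing so response
            # time does not reveal which user names exist.
            hashlib.pbkdf2_hmac("sha256", secret.encode(), b"\0" * 16, PBKDF2_ROUNDS)
            return False
        if rec["failures"] >= MAX_FAILURES:
            return False                    # locked out; do not even check
        candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), rec["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        return False

    # --- Authorisation: privileges assigned to an identity ----------------
    def grant(self, resource: str, identity: str, privilege: str):
        self.acl.setdefault(resource, {}).setdefault(identity, set()).add(privilege)

    def authorise(self, identity: str, resource: str, privilege: str) -> bool:
        """Default deny: a privilege is held only if the ACL lists it."""
        return privilege in self.acl.get(resource, {}).get(identity, set())

    def access(self, identity: str, secret: str, resource: str, privilege: str) -> str:
        """The whole sequence: test the identity assertion, then the privilege."""
        if not self.authenticate(identity, secret):
            return "denied: authentication failed"
        if not self.authorise(identity, resource, privilege):
            return "denied: not authorised"
        return "granted"


def demo():
    ac = AccessControl()
    ac.enrol("alice", "4917")                 # constructed sample PIN
    ac.grant("payroll", "alice", "read")
    out = {}
    out["read"] = ac.access("alice", "4917", "payroll", "read")
    out["write"] = ac.access("alice", "4917", "payroll", "write")
    out["wrong_pin"] = ac.access("alice", "0000", "payroll", "read")
    out["unknown"] = ac.access("mallory", "4917", "payroll", "read")
    # Four more wrong guesses (five in total) lock the account, so even the
    # correct PIN is now refused until an administrator resets it.
    for guess in ("0001", "0002", "0003", "0004"):
        ac.authenticate("alice", guess)
    out["after_lockout"] = ac.access("alice", "4917", "payroll", "read")
    return out
```

Authentication and authorisation fail separately and with different results internally, which is what an audit trail needs; what is shown to the end user should not distinguish an unknown identity from a wrong secret, and the unknown-user path deliberately costs the same hashing work as a real one for that reason.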
Firewalls
• A firewall is a device interposed between two networks, typically an organisation's network and the Internet, which determines:
  • which incoming traffic is permitted
  • which outgoing traffic is permitted
• Types of Firewall Processing:
  • Application Layer – Proxy-Server / Gateway
  • Network Layer – Packet-Filtering Router
  • Circuit-Level Gateway, which operates at the transport/session layer, relaying TCP connections without inspecting application content
The Layers of Internet Protocols
(diagram: Physical Medium – Coax, Twisted-Pair, ADSL; Physical Layer – Repeater or Hub; Bridge or Switch; and, at the upper layers, Gateway, Proxy-Server, Network Cache)
Packet-Filtering Router
• Packets are forwarded according to filtering rules
• The rules are applied to the data available in the packet header, i.e.:
  • Source IP address
  • Destination IP address
  • TCP/UDP source port
  • TCP/UDP destination port
  • ICMP message type
  • Encapsulated protocol information (TCP, UDP, ICMP or IP tunnel)
Commonly-Open Ports
• 20, 21 (ftp) or 115 (sftp; note that port 115 is the old Simple File Transfer Protocol, whereas SSH-based SFTP runs over the ssh port, 22)
• 23 (telnet) or 22 (ssh)
• 25 (smtp)
• 53 (dns)
• 80 (http), 443 (https) on the server side; the client side of an http connection uses a high-numbered ephemeral port
• 110 (pop)
• 123 (ntp)
• 161 (snmp)
• 427 (slp)
• 548 (afp)
• 631 (ipp)
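A packet-filtering router of the kind described on the previous slide, written as an added Python example (not from the original slides) that matches on the header fields listed there: addresses, protocol, ports, ICMP type, and the TCP flags a stateless filter uses to approximate 'established'. The rule set and the traffic are constructed; the addresses come from documentation and private ranges. The last case demonstrates the classic weakness of a stateless filter: to let replies reach a client's high-numbered port, the filter must admit any inbound segment with ACK set, so a probe with ACK set reaches port 23 inside the network.

```python
"""Added worked example (not from the original slides): a stateless packet
filter matching on the header fields the slide lists.  Rules and traffic
are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation
ranges standing in for Internet hosts."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

INSIDE = "192.168.1.0/24"         # assumed internal network
WEB_SERVER = "192.168.1.10/32"    # assumed public web server


@dataclass
class Packet:
    direction: str                # "in" (from the Internet) or "out"
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    flags: set = field(default_factory=set)   # TCP flags, e.g. {"SYN"}


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    require_ack: bool = False     # a stateless filter's crude 'established' test

    def matches(self, p: Packet) -> bool:
        if self.direction not in ("any", p.direction):
            return False
        if self.proto not in ("any", p.proto):
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.require_ack and "ACK" not in p.flags:
            return False
        return True


def decide(rules, p: Packet) -> str:
    """First matching rule wins; anything left unmatched is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed policy: web server reachable from outside, web browsing from
# inside, replies to inside clients only if ACK is set, everything else denied.
RULES = [
    Rule("allow", "in",  "tcp", dst=WEB_SERVER, dport=80),
    Rule("allow", "in",  "tcp", dst=WEB_SERVER, dport=443),
    Rule("allow", "out", "tcp", src=INSIDE, dport=443),
    Rule("allow", "out", "tcp", src=INSIDE, dport=80),
    Rule("allow", "in",  "tcp", dst=INSIDE, require_ack=True),
    Rule("deny"),   # explicit catch-all; decide() would default-deny anyway
]


def demo():
    cases = {
        "web_to_server":    Packet("in",  "tcp", "203.0.113.5", "192.168.1.10", 51515, 80, flags={"SYN"}),
        "telnet_to_server": Packet("in",  "tcp", "203.0.113.5", "192.168.1.10", 51516, 23, flags={"SYN"}),
        "client_out_https": Packet("out", "tcp", "192.168.1.20", "198.51.100.7", 49152, 443, flags={"SYN"}),
        "https_reply_in":   Packet("in",  "tcp", "198.51.100.7", "192.168.1.20", 443, 49152, flags={"ACK"}),
        "ping_in":          Packet("in",  "icmp", "203.0.113.5", "192.168.1.10", icmp_type=8),
        # The hole in a stateless 'established' rule: an inbound segment with
        # ACK set is admitted whether or not any connection exists, so a
        # probe from port 443 reaches telnet on an inside host.
        "ack_probe_in":     Packet("in",  "tcp", "203.0.113.5", "192.168.1.20", 443, 23, flags={"ACK"}),
    }
    return {name: decide(RULES, p) for name, p in cases.items()}
```

Rules are evaluated in order and the first match wins, so the order matters as much as the contents; the explicit final deny only makes the default visible. Closing the ACK hole requires remembering which connections the inside actually opened, which is what a stateful filter or a circuit-level gateway does and a pure packet filter cannot.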
4. Organisational Processes
• Users
• Technical Operations
• Supervisors and Managers
• Application Developers
Summary of Key Terms
• Threat: a circumstance that could result in Harm
• Vulnerability: a susceptibility to a Threat
• Threatening Event: an occurrence of a Threat
• Safeguard: a measure to prevent, to enable detection or investigation of, or to mitigate Harm from, a Threatening Event
• Risk: "the likelihood of Harm arising from a Threat"; more precisely, a measure of the likelihood and/or seriousness of Harm arising from a Threatening Event impinging on a Vulnerability and not being dealt with satisfactorily by the existing Safeguards
Security Risk Assessment Process
(diagram; the steps in sequence:)
1. Scope Definition
2. Threat Assessment
3. Vulnerability Assessment
4. Risk Assessment
5. Risk Management Strategy and Security Plan
6. Security Plan Implementation
7. Security Audit
Browne L. 'Security Risk Management Overview' February 2004 http://www.unsw.adfa.edu.au/~lpb/......seminars/auugsec04.html
Generic Risk Management Strategies
• Proactive Strategies
  • Avoidance
  • Deterrence
  • Prevention
• Reactive Strategies
  • Isolation
  • Recovery
  • Transference
  • Insurance
• Non-Reactive Strategies
  • Tolerance
  • Abandonment
  • Dignified Demise
  • Graceless Degradation
Costs of Risk Mitigation
• Executive time, for assessment, planning, control
• Consultancy time, for assessment, design
• Operational staff time for training, rehearsals, incident handling, backups
• Loss of service to clients during backup time
• Computer time for backups
• Storage costs for on-site and off-site ('fire backup') copies of software, data and log-files
• Redundant hardware and networks
• Contracted support from a 'hot-site' / 'warm-site'
5. The Legal Framework
• Specific Laws
  • Security
  • Privacy
• Laws with Incidental Effect
• Pseudo-Regulation (aka Self-Regulation), in particular mere 'Industry Codes'
• Standards
• Professionalism
Directly Relevant Laws – Security
• Computer Crimes, 'Cybercrimes': Crimes Legislation Amendment Act 1989; Cybercrime Act 2001; Criminal Code Act 1995 Part 10.7 — Computer offences http://www.austlii.edu.au/au/legis/cth/consol_act/cca1995115/sch1.html
  • unauthorised access, modification or impairment
  • possession of security software ??
  • use of data encryption ??
• Telecommunications Interception
• Listening Devices / Surveillance Devices
• Possible future mandatory reporting of data breaches (OFPC submission to ALRC Enquiry, August 2006)
Directly Relevant Laws – Privacy
http://www.privacy.org.au/Resources/PLawsClth.html
http://www.privacy.org.au/Resources/PLawsST.html
Privacy Act 1988 (Cth)
• For Fed'l Govt, IPP 4 in s.14 http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s14.html
• For Pte Sector, NPP 4 in Schedule 3 http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/sch3.html
Privacy / Data Protection in the States and Territories
• Vic, NSW, ACT, NT, Tas
• WA, SA, Qld
Incidentally Relevant Laws
• Agencies' Own Legislation
• Sectoral Legislation, e.g. Banking
• Corporations Law / Directors' Responsibilities
• ...
Australian Government Expectations
(figure; Source: Convergence e-Business Solutions, 2004)
Australian Government e-Authentication Framework (AGAF)
http://www.agimo.gov.au/infrastructure/authentication/agaf
• Decide what statements need to be authenticated
• Use risk assessment techniques in order to decide on the level of assurance needed
• From among the alternative e-authentication mechanisms, select an appropriate approach
• Assess the impact on public policy concerns such as privacy and social equity
• Implement
• Evaluate
A Mini-Case Study in Forensics: Offensive Content on an Employee's Workstation
• Relevant Sources of Insecurity include:
  • Workstation Hardware, OS and Apps
  • Internet-Connection
  • Physical Access
  • Inadequate Logical Protections
  • Software Action without User Knowledge
  • Malware (virus, worm, trojan)
  • 'Hacking' (script, backdoor, zombie)
• Examination and Evidence are Essential
http://www.anu.edu.au/people/Roger.Clarke/II/OffIm0511.html
References
Readings:
• Clarke R. (2001) 'Introduction to Information Security' http://www.anu.edu.au/people/Roger.Clarke/EC/IntroSecy.html
• AUSCERT (2001) 'Know Thy Attacker' http://www.auscert.org.au/download.html?f=7&it=2000&cid=
• Anderson R. (2003) ''Trusted' Computing Frequently Asked Questions' http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
Recommended Reading:
• NIST (2003) 'Guide to Selecting Information Technology Security Products' http://csrc.nist.gov/publications/nistpubs/800-36/NIST-SP800-36.pdf
• American Bar Association 'Digital Signatures Guidelines – Tutorial' http://www.abanet.org/scitech/ec/isc/dsg-tutorial.html
Additional References
• http://en.wikipedia.org/wiki/... : Security; Information_security (techo); Malware
• Waters N. & Greenleaf G. 'IPPs examined: The Security Principle' Privacy Law and Policy Reporter [2004] 36 http://www.austlii.edu.au/au/journals/PLPR/2004/36.html
• Morison J. 'Computer Security -- a survey of 137 Australian agencies' Privacy Law and Policy Reporter [1996] 3 PLPR 67 http://www.austlii.edu.au//au/journals/PLPR/1996/41.html
• Cybercrime / Computer Crime Legislation http://www.efa.org.au/Issues/Privacy/cybercrimeact.html
Additional References
• Lehtinen R. 'Computer Security Basics' O'Reilly 2006 http://safari.oreilly.com/0596006691?tocview=true
• Weber R. 'Information Systems and Control' Prentice-Hall 1990, Chs 3-9 (Mgmt Ctls) and Chs 10-15 (Application Ctls)
• Anderson R.J. 'Security Engineering: A Guide to Building Dependable Distributed Systems' Wiley 2001
• Mitnick K.D. & Simon W.L. 'The Art of Deception: Controlling the Human Element of Security' Wiley 2002
• Stamp M. 'Information Security: Principles and Practice' Wiley 2006
Official Sources – Australian Govt
• Aust Govt Online Security Mandates and Guidelines http://www.agimo.gov.au/infrastructure/government
• Aust Govt Protective Security Manual (PSM 2005) http://www.ag.gov.au/agd/WWW/protectivesecurityhome.nsf/Page/Protective_Security_Manual
• Aust Govt Information and Communications Technology Security Manual (ACSI 33) http://www.dsd.gov.au/library/infosec/acsi33.html
• Office of the Federal Privacy Commissioner (OFPC) Info Sheet 6 - 2001 'Security and Personal Information' http://www.privacy.gov.au/publications/IS6_01.html
• SCAG 'Model Criminal Code', January 2001, Part 4.2 'Computer Offences', pp. 87-199 http://www.ag.gov.au/agd/www/Agdhome.nsf/Page/RWPA93DBE7859B79635CA256BB20083B557?OpenDocument
Official Sources – Standards and Int'l
• Aust. Standards:
  • 'IT - Code of practice for info security management' AS 17799:2001
  • 'Info Security Management Systems' AS/NZS 7799.2:2000
  • 'Risk Management' AS4360 1999
  • 'Handbook for Management of IT Evidence' 10 Dec 2003
• NIST Computer Security http://csrc.nist.gov/publications/nistpubs/
• OECD Guidelines 'The Security of Info Systems and Networks: Towards a Culture of Security', 2002 http://www.oecd.org/dataoecd/16/22/15582260.pdf
• EU Commission 'Network and Information Security: Proposal for a European Policy Approach' 2002 http://europa.eu.int/information_society/eeurope/2002/news_library/documents/netsec/netsec_en.doc Also http://europa.eu/scadplus/leg/en/lvb/l24121.htm
• Council of Europe 'Convention on Cybercrime', 2001