Copyright, 1995-2006 1 Information Security Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce at Uni of Hong Kong, Computer Science at A.N.U. http://www.anu.edu.au/people/Roger.Clarke/ ... ... / EC/SecyMq-060914.ppt, IntroSecy.html LAW 868 – Electronic Commerce and the Law Macquarie University – 14 September 2006
Copyright,1995-2006
1
Information Security
Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor in Cyberspace Law & Policy at U.N.S.W., eCommerce at Uni of Hong Kong, Computer Science at A.N.U.
http://www.anu.edu.au/people/Roger.Clarke/ ...
... / EC/SecyMq-060914.ppt, IntroSecy.html
LAW 868 – Electronic Commerce and the Law
Macquarie University – 14 September 2006
Information Security: Agenda
1. What’s ‘Security’?
2. Dimensions of the Problem
3. Technical Elements of the Solution
4. Organisational Processes
5. The Legal Framework
The Notion of Security
• Security is used in at least two senses:
  • a condition in which harm does not arise, despite the occurrence of threatening events
  • a set of safeguards whose purpose is to achieve that condition
• Is computing secure?
• Is network-connection secure?
• Are networks secure?
• Is Internet infrastructure secure?
• Are Internet applications secure?
• Are eCommerce applications secure?
Content Transmission Key Risks
(1) Non-Receipt of a message by the intended recipient
(2) Access by an unintended person or organisation
(3) Change to the contents while in transit
(4) Receipt of a false message
(5) Wrongful denial
Content Transmission Security Key Requirements
(1) Message Content Security / ‘Confidentiality’
(2) Message Content Integrity
(3) Authentication of the Sender and Recipient
(4) ‘Non-Repudiation’ by the Sender and Recipient
Specific Threats - by Outsiders
• Physical Intrusion
• Masquerade
• Social Engineering
Weber R. ‘Information Systems and Control’ Prentice-Hall 1990, Chs 3-9 (Mgmt Ctls) and Chs 10-15 (Application Ctls)
Cryptography as Magic Bullet
• For Message Transmission Security
• For Data Storage Security
• For (Identity) Authentication
Clarke R. ‘Message Transmission Security (or 'Cryptography in Plain Text')’ Privacy Law & Policy Reporter 3, 2 (May 1996) 24-27 http://www.anu.edu.au/people/Roger.Clarke/II/CryptoSecy.html
Clarke R. ‘The Fundamental Inadequacies of Conventional Public Key Infrastructure’ Proc. Conf. ECIS'2001, Bled, Slovenia, 27-29 June 2001 http://www.anu.edu.au/people/Roger.Clarke/II/ECIS2001.html
Access Control
Identification: The process whereby data is associated with a particular Identity
Authentication: The process of testing an Assertion in order to establish a level of confidence in the Assertion’s reliability, incl. Authentication of Identity Assertions
Authorisation: The assignment of privileges to an Identity
Phases in Access Control (diagram; boxes as labelled on the slide):
• Pre-Authentication of Evidence of Identity or Attribute
• Register of Authenticators
• Authentication using the Issued Authenticator
• Permissions Store or Access Control List
• Authorisation
• Access Control
Tools Used for Identity Authentication
Tool | Requirements to be Effective
• The Writing of a Signature | Signature on file, procedures
• Knowledge, especially: | Information, processes
  • username/passwd pair | authorisation file
  • PIN | hash of the PIN
  • non-secure ‘PIN’ | the ‘PIN’ itself
• Tokens, including:
  • Dumb, e.g. ‘photo-id’ | Clear view of the person, ...
  • Digital Signature, incl. SSL/TLS, Dig. Cert. | Public key, much software, PKI, much law, much faith
  • Clever, e.g. chipcard | Hardware, software, ...
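The three access-control phases defined above (Identification, Authentication, Authorisation), together with the requirements the table attaches to a username/password pair (a stored hash of the secret, plus an authorisation file), worked through as an added example; this is illustrative code, not from the slides, and the register, ACL, user name and password are constructed for it.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; a constructed value for this example

def make_authenticator(password: str) -> dict:
    """Register step: store a random salt and the hash of the password, never the password."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}

# Constructed stand-ins for the slide's "Register of Authenticators" and
# "Permissions Store or Access Control List" (the 'authorisation file').
REGISTER = {"alice": make_authenticator("correct horse battery")}
ACL = {"alice": {"read:orders", "write:orders"}}

def identify(username: str):
    """Identification: associate the presented name with a known Identity, if any."""
    return username if username in REGISTER else None

def authenticate(identity: str, password: str) -> bool:
    """Authentication: test the assertion 'I am <identity>' against the stored hash."""
    rec = REGISTER[identity]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, rec["hash"])  # constant-time comparison

def authorise(identity: str, privilege: str) -> bool:
    """Authorisation: check the privileges the ACL assigns to this Identity."""
    return privilege in ACL.get(identity, set())

def access(username: str, password: str, privilege: str) -> tuple:
    """Run the three phases in order. The reason string is for the audit log;
    the answer shown to the requester should be only the boolean, so that
    failures do not reveal which usernames exist."""
    identity = identify(username)
    if identity is None:
        # Spend the same effort as a real check so response time does not leak existence.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return (False, "unknown identity")
    if not authenticate(identity, password):
        return (False, "authentication failed")
    if not authorise(identity, privilege):
        return (False, "not authorised")
    return (True, "granted")
```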
Firewalls
• A firewall is a device interposed between a network and the Internet, which determines:
  • which incoming traffic is permitted
  • which outgoing traffic is permitted
• Types of Firewall Processing:
  • Application Layer – Proxy-Server / Gateway
  • Network Layer – Packet-Filtering Router
  • Circuit-Level (Physical Layer) Gateway
The Layers of Internet Protocols (diagram of the devices and media at each layer): Physical Medium – Coax, Twisted-Pair, ADSL; Physical Layer – Repeater or Hub; Bridge or Switch; Gateway, Proxy-Server, Network Cache
Packet-Filtering Router
• Packets are forwarded according to filtering rules
• The rules are applied to the data available in the packet header, i.e.
  • Source IP address
  • Destination IP address
  • TCP/UDP source port
  • TCP/UDP destination port
  • ICMP message type
  • Encapsulated protocol information
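A packet-filtering router as described above, reduced to its essentials as an added example (not code from the slides): rules match only on the header fields the slide lists, the first matching rule decides, and a packet that matches no rule is dropped. The addresses, the internal range 192.0.2.0/24 and the policy itself are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """Constructed header fields: the data a filtering router can see."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: Optional[int] = None     # TCP/UDP source port
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None # ICMP message type

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"          # CIDR; the default matches every address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None     # None means "any port"
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))

def filter_packet(rules: list, p: Packet) -> str:
    """Rules are evaluated in order and the first match decides. A packet that
    matches nothing is dropped (default deny), so rule order is part of the policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Assumed policy for the Internet-facing interface of a site whose internal
# range is 192.0.2.0/24 and whose only published service is a web server.
INBOUND = [
    Rule("deny", src="192.0.2.0/24"),            # anti-spoofing: internal addresses never legitimately arrive from outside
    Rule("deny", proto="icmp", icmp_type=8),     # refuse echo requests
    Rule("permit", proto="tcp", dst="192.0.2.10/32", dport=80),
    Rule("permit", proto="tcp", dst="192.0.2.10/32", dport=443),
]                                                # everything else falls through to default deny
```

Reordering the list changes the policy: placing the permit rules before the anti-spoofing rule would let a packet with a forged internal source address through to the web server.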
• Safeguard: A measure to prevent, to enable detection or investigation of, or to mitigate Harm from, a Threatening Event
• Risk: “The likelihood of Harm arising from a Threat”; a measure of the likelihood and/or seriousness of Harm arising from a Threatening Event impinging on a Vulnerability and not being dealt with satisfactorily by the existing Safeguards
Security Risk Assessment Process (diagram; stages as labelled on the slide):
Scope Definition → Threat Assessment → Vulnerability Assessment → Risk Assessment → Risk Mngt Strategy and Security Plan → Security Plan Implement’n → Security Audit
Browne L. ‘Security Risk Management Overview’ February 2004 http://www.unsw.adfa.edu.au/~lpb/......seminars/auugsec04.html
• Executive time, for assessment, planning, control
• Consultancy time, for assessment, design
• Operational staff time for:
  • training, rehearsals, incident handling, backups
• Loss of service to clients during backup time
• Computer time for backups
• Storage costs for on-site and off-site (‘fire backup’) copies of software, data and log-files
• Redundant hardware and networks
• Contracted support from a 'hot-site' / 'warm-site'
5. The Legal Framework
• Specific Laws
  • Security
  • Privacy
• Laws with Incidental Effect
• Pseudo-Regulation (aka Self-Regulation), in particular mere ‘Industry Codes’
• Standards
• Professionalism
• Waters N. & Greenleaf G. ‘IPPs examined: The Security Principle’ Privacy Law and Policy Reporter [2004] 36 http://www.austlii.edu.au/au/journals/PLPR/2004/36.html
• Morison J. ‘Computer Security -- a survey of 137 Australian agencies’ Privacy Law and Policy Reporter [1996] 3 PLPR 67 http://www.austlii.edu.au//au/journals/PLPR/1996/41.html
• Lehtinen R. ‘Computer Security Basics’ O'Reilly 2006 http://safari.oreilly.com/0596006691?tocview=true
• Weber R. ‘Information Systems and Control’ Prentice-Hall 1990, Chs 3-9 (Mgmt Ctls) and Chs 10-15 (Application Ctls)
• Anderson R.J. ‘Security Engineering: A Guide to Building Dependable Distributed Systems’ Wiley 2001
• Mitnick K.D. & Simon W.L. ‘The Art of Deception: Controlling the Human Element of Security’ Wiley 2002
• Stamp M. ‘Information Security: Principles and Practice’ Wiley 2006
Official Sources – Australian Govt
• Aust Govt Online Security Mandates and Guidelines http://www.agimo.gov.au/infrastructure/government
• Aust Govt Protective Security Manual (PSM 2005) http://www.ag.gov.au/agd/WWW/protectivesecurityhome.nsf/Page/Protective_Security_Manual
• Aust Govt Information and Communications Technology Security Manual (ACSI 33) http://www.dsd.gov.au/library/infosec/acsi33.html
• Office of the Federal Privacy Commissioner (OFPC) Info Sheet 6 - 2001 ‘Security and Personal Information’ http://www.privacy.gov.au/publications/IS6_01.html
• SCAG ‘Model Criminal Code’, January 2001, Part 4.2 ‘Computer Offences’, pp. 87-199 http://www.ag.gov.au/agd/www/Agdhome.nsf/Page/RWPA93DBE7859B79635CA256BB20083B557?OpenDocument
Official Sources – Standards and Int’l
• Aust. Standards:
  • ‘IT - Code of practice for info security management’ AS 17799:2001
  • ‘Info Security Management Systems’ AS/NZS 7799.2:2000
  • ‘Risk Management’ AS4360 1999
  • ‘Handbook for Management of IT Evidence’ 10 Dec 2003
• NIST Computer Security http://csrc.nist.gov/publications/nistpubs/
• OECD Guidelines ‘The Security of Info Systems and Networks: Towards a Culture of Security’, 2002 http://www.oecd.org/dataoecd/16/22/15582260.pdf
• EU Commission ‘Network and Information Security: Proposal for a European Policy Approach’ 2002 http://europa.eu.int/information_society/eeurope/2002/news_library/documents/netsec/netsec_en.doc Also http://europa.eu/scadplus/leg/en/lvb/l24121.htm
• Council of Europe ‘Convention on Cybercrime’, 2001