8/3/2019 Information In Security Part 3 the Action Plan
E. Gelbstein, A. Kamal. Information Insecurity, Part III: The Action Plan
Information Insecurity
Part III: The Action Plan
Cyberspace as a frontierland
Uncharted territory, unclear boundaries
Legislation developing slowly
Unclear or undefined ownership
Many adventurers: navigators, explorers, traders, quacks, crooks, criminals
[Map slide, "Cartografia Pietragialla": CYBERSPACE / World Wide Web; Terra Incognita / Non-IP; Deep web; Land of the Have-Nots (population ~ 6 billion) separated by the Digital Divide; inhabitants marked as Explorers, Navigators, Criminals and Terrorists]
Survivor's guide
Better charts to the cyberspace frontier are being produced. In the meantime:
Best practices (keep it simple, do not reinvent the wheel)
Standards (formalized compatibilities and best practices)
Legislation (rules of what is not permitted)
Compliance (with each of the above)
Sources of Best Practices
Enthusiasts and volunteers: Happyhacker
Professional associations: ISSA, CASPR
Government departments: UK's CCTA
Consultants and commercial providers: Gartner, GIGA, IBM, KPMG, etc.
Examples of some websites follow
www.happyhacker.org
www.issa.org
www.sans.org
www.itsmf.com
www.itil-itsm-world.com/security.htm
www.gigaweb.com
Standards
Formalized definitions that ensure compatibility
De-jure: from organizations whose mandate is to define standards
De-facto: usually from vendors; useful and ubiquitous
De-jure standards (examples)
International Standards Organization (ISO)
ISO 17799 Code of Practice for the management of Information Security
International Telecommunications Union (ITU)
Recommendation X.273, Open systems network layer security
Recommendation X.509, Authentication framework
Internet Engineering Task Force (IETF)
TCP/IP, HTML, POP, SMTP, FTP, SSL and many others
Sources of de-facto standards
Professional associations, e.g. the IEEE (Institution of Electrical and Electronic Engineers)
Vendor associations, e.g. ECMA (European Computer Manufacturers Association)
Vendors, e.g. Microsoft, Netscape, Adobe
Examples follow
European Computer Manufacturers Association
Institution of Electrical and Electronic Engineers
Legislation: a little history
Early difficulties
Data and software are incorporeal objects; old laws are designed to deal with tangible objects
The legal regime of intangibles needs to cater for the owner; it also needs to cater for persons concerned by the content (privacy)
The property status of information was/is unclear
Issue 1: the law and the correctness and integrity of data
Issue 2: protecting data owners for exclusive use
Some of these remain unresolved in many countries
Legislation: a little history (2)
More early difficulties
Theft, larceny, embezzlement
Older definitions require the offender to take an item of another person's property
Fraud
Under some legislation, it requires deception of a person (does NOT apply to a computer)
Scope of cyber-legislation (1)
Computer misuse
Data protection
Telecommunications interception
Software copyrights and patents
Search and seizure, criminal evidence
Contractual obligations for suppliers
National security and anti-terrorism
Scope of cyber-legislation (2)
Human rights: right to privacy, right to access
Consumer protection
Censorship
Electronic contracts, taxation of e-commerce
Obscene publications
Protection of minors
Scope of cyber-legislation (3)
Organized crime in cyberspace
On-line banking and money laundering
Gambling in cyberspace
Electronic signatures and certificates
Defamation and libel in cyberspace
National security and anti-terrorism
and much, much more
First issued in 1994, updated in 1997
Professor David Post and others, www.cli.org
International Legislation
OECD: 1983-1985, criminalization of computer abuse
Council of Europe (COE): 1985, work begins towards a convention on cyber-crime
United Nations Congress on the Prevention of Crime
In November 2001, formal signature by 33 countries of the COE Convention on Cybercrime
The COE Convention
Three primary groups of provisions:
Unauthorized computer intrusion, malicious code, the use of computers to commit acts which are already a crime
Procedures to capture and retrieve on-line and other information by issuing Retention Orders
Cooperation between signatory states to share e-evidence
Additional protocols are being developed
Reactions to the Convention
33 States (29 Council Members) plus Canada, Japan, South Africa and the United States of America signed it.
It will enter into force once ratified by 5 States (planned mid 2003)
Misgivings
Possible conflicts with existing national legislation
Non-signatory States where cybercriminals may act with impunity
Individual rights to privacy vs. extended surveillance powers granted to signatory countries
Possibility of personal data being transferred outside Europe to countries with less protective legislation
Issuance of warrants seeking evidence and extradition
Increased cost of e-business and place restrictions
Compliance and certification
General ICT audits, with focus on security (COBIT guidelines)
Compliance audits against ISO 17799 or similar
Security certification services
The selected auditors must be deeply trusted
www.isaca.org
Do-it-yourself kit for ISO 17799 compliance audit: www.securityauditor.net
www.giac.org
www.isc2.org
www.htcn.org
Other interested parties
...and other civil liberties groups
www.cfenet.com
www1.ifccfbi.gov/index.asp
www.merchantfraudsquad.com
International Chamber of Commerce, www.iccwbo.org
Beyond insecurity and crime
Cyber-terrorism and cyber-war call for a new way of looking at our world and for further action by the International Community
Moving forward
Recommendations for immediate action (purpose: help those not yet ready)
Work to be done (purpose: avoid procrastination and develop a Law of Cyberspace before it is too late)
Recommendations
1. Become aware of the Information Insecurity problem
2. Devise an information security strategy
3. Implement remedial procedures immediately
4. Seek professional help without delay
5. Identify the gaps in your country's legislation
6. Encourage the United Nations to embark urgently on a Law of Cyberspace