Upload
austen-harrington
View
221
Download
0
Tags:
Embed Size (px)
Citation preview
Security Issues on E-Government
Security Issues on E-Government
Presented by,
Pranita Upadhyaya
PhD Student, KU
Presented by,
Pranita Upadhyaya
PhD Student, KU
Presentation OverviewPresentation Overview
• E-Government & its applications
• Information Security
• Security concerns in E-government
• Nepal’s scenario
• M-government security
Traditional Government Structure :Characteristic
Traditional Government Structure :Characteristic
TOP DOWNNO or LIMITED LATERAL CONNECTIVITYLIMITED COLLABORATIONINFORMATION FLOW PREDOMINANTLY
VERTICLECUSTOMER HAS NO PLACE: WHY?RULES BOUNDCULTURE: AUTHORITARIAN
Traditional Government MandateTraditional Government Mandate
• ENACTING & IMPLEMENTING LAWS• TAX COLLECTION• SECURITY• LAW AND ORDER MAINTENANCE• NATIONAL DEFENCE
Present Day: Government Mandate
Present Day: Government Mandate
Besides mentioned above………
• Poverty Eradication
• Social Development
• Enhancing balanced Economic Development
• Promote Transparency, Accountability and
Democracy
• Better Service to public, efficient and cost effective
The use of digital technologies to transform government operations in order to improve effectiveness, efficiency, and service delivery
Definition : E-Government
Understanding E-GovernmentUnderstanding E-Government
e-Government is not about one-time service delivery
but about a life-long association!
e-Government is not about isolated government
but about partnering with citizens and business!
e-Government is not about government centricity
but about stakeholder-centric government!
AdvantagesAdvantages
• To increase internal efficiency• To create new services• Easy access to information• To participate global information networks• Information sharing among Institution• Online access to public services• Individual efficiency• High Performance in teamwork• Transparent
Examples of e-Services – G2C Examples of e-Services – G2C
• Birth Certificate• Health Care
• School Admission• Scholarships• e-Learning• Examination Results
• Employment Services• Vehicle Registration• Driver’s License• Passport/Visa
• Agriculture • Land Record• Property Registration • Marriage Certificates• Taxes • Utility Services• Municipality Services
• Pensions• Insurance• Health Care • Death Certificate
Examples of e-Services – G2BExamples of e-Services – G2B
Close
Expand
Operate
Start-up Explore Opportunities
•Approvals•Permissions•Registrations
•Returns•Taxes•Permits•Compliance
•Approvals•Permissions
•Project Profiles•Infrastructure•State Support
•Approvals•Compliance
DisadvantagesDisadvantages
• Difficult access for disabilities.• Overloaded information.• Ambiguity in the cases of confidentiality.
copyrights and protection of public information.
• Gaps result from unequal avaibility opportunities.
What is Information Security?What is Information Security?
• Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction
Building blocks of secure system
Building blocks of secure system
1. Authentication- to prove one’s identity
2. Privacy/confidentiality- to ensure that no one can read except the intended receiver
3. Integrity- The message received by receiver is not altered
4. Non repudiation- to prove that sender has really sent the message
5. Availability- system still functions efficiently after some security violations
No single measure can ensure complete security
Various security measures taken so far……
Symmetric and public key cryptosystems
Symmetric and public key cryptosystems
Symmetric-key cryptosystem • same key is used for
encryption and decryption
Public-key cryptosystem• separate keys for encryption
and decryption
Public-key encryption: confidentiality
Public-key encryption: confidentiality
• Alice wants to send message M to Bob– uses Bob’s public
key to encrypt M• Bob uses his private
key to decrypt M– only Bob has key– no one else can
decipher M• Identification provided by public key encryption• But … anyone can send message to Bob using his
public key– how are we sure the message came from Alice?
Digital signaturesDigital signatures
• Electronic equivalent of handwritten signatures
• Handwritten signaturesare hard to forge
• Electronic information iseasy to duplicate
• Digital signatures usingpublic key encryption– Idea:
• Bob uses his private key to “sign” a message• Alice verifies signature using Bob’s public key
• Data authentication provided by digital signatures
Signed challenges Signed challenges
• User authentication provided by signed challenges
– Alice and Bob are real or fraud ?
Certification authorityCertification authority
• A third party trusted by all users that creates, distributes, revokes, & manages certificates
• Certificates bind users to their public keys
• Integrity is provided by the certification authority
Problem still remains…….Problem still remains…….
Problems of ….
attack on availability: • disruption or denial of services
SolutionSolution
• One cannot get stuck with only fault avoidance
• Needs to move ahead ….towards fault tolerance
• Shall cater dynamic behavior of the intrusion
Security Assessment & countermeasures
Security Assessment & countermeasures
Proper planning & security program & techniques are essential to cater threats– Regarding it, one needs to perform
• Classify the type of service based on ISMM• Continuous monitoring using Security Readiness
assessment & • Follow multiple screening mechanisms ………
Screening MechanismsScreening Mechanisms
• Prevention
• Detection
• Mitigation
• Response
PreventionPrevention
• Establishment of policy and access control– who: identification, authentication, authorization– what: granted on “need-to-know” basis
• Implementation of hardware, software, and services– users cannot override, unalterable (attackers cannot
defeat security mechanisms by changing them)– examples of preventative mechanisms
• passwords - prevent unauthorized system access• firewalls - prevent unauthorized network access• encryption - prevents breaches of confidentiality• physical security devices - prevent theft
• Maintenance
Prevention is not enough!Prevention is not enough!
Bruce Schneier,Counterpane Internet Security, Inc.
Prevention systems are never perfect.
No bank ever says: "Our safe is so good, we don't need an alarm system."
No museum ever says: "Our door and window locks are so good, we don't need night watchmen.“
Detection and response are how we get security in the real world, and they're the only way we can possibly
get security in the cyberspace world.
DetectionDetection
Determine that either an attack is underway or has occurred and report it
• Real-time monitoring
• Intrusion verification and notification– intrusion detection systems (IDS)– typical detection systems monitor various aspects of the
system, looking for actions or information indicating an attack
• example: denial of access to a system when user repeatedly enters incorrect password
MitigationMitigation
• If detection is not possible ,reduce the level of security risk
• Accomplished by decreasing the threat level
best strategy is a combination of all three elements,– decreasing threats by eliminating or intercepting the adversary
before attack – blocking opportunities through enhanced security and
– reducing consequences if attack occur
ResponseResponse
• If all of the above are not possible• Stop/increase availability of an attack
– must be timely!• incident response plan developed in advance
• Assess and repair any damage • Resumption of correct operation• Evidence collection and preservation
– very important • identifies vulnerabilities• strengthens future security measures
Survey report on E-GovernmentNepal’s Scenario
Survey report on E-GovernmentNepal’s Scenario
Major threat - DDoS attack– Not only in Nepal but worldwide….– Here, Increasing system availability major
concern
Defense MechanismsDefense Mechanisms
• What should be the optimal architecture for Nepal?
Follow a Security Architecture which consists of all the following building blocks– Prevention
– Detection
– Mitigation
– Response(stop/increase availability)
– Increase cost effectiveness through WOG approach
Research focus….Research focus….
• Development of WOG architecture and analyze using SHARPE tool
• Markov chain chosen to cater dynamic behavior of the intruder
• In WOG system - Security sub system architecture made highly available
M-Government SecurityM-Government Security
• Similar modality could as well be implemented in M-government
• Further research in this regard is needed
Thank You for your attention
Thank You for your attention