Security Issues on E-Government

Presented by Pranita Upadhyaya, PhD Student, KU


Presentation Overview

• E-Government & its applications
• Information Security
• Security concerns in E-government
• Nepal’s scenario
• M-government security

Traditional Government Structure: Characteristics

• TOP DOWN
• NO or LIMITED LATERAL CONNECTIVITY
• LIMITED COLLABORATION
• INFORMATION FLOW PREDOMINANTLY VERTICAL
• CUSTOMER HAS NO PLACE: WHY?
• RULES BOUND
• CULTURE: AUTHORITARIAN

Traditional Government Mandate

• ENACTING & IMPLEMENTING LAWS
• TAX COLLECTION
• SECURITY
• LAW AND ORDER MAINTENANCE
• NATIONAL DEFENCE

Present Day: Government Mandate

Besides those mentioned above…

• Poverty Eradication
• Social Development
• Enhancing balanced Economic Development
• Promote Transparency, Accountability and Democracy
• Better service to the public, efficient and cost effective

Definition: E-Government

The use of digital technologies to transform government operations in order to improve effectiveness, efficiency, and service delivery.

Understanding E-Government

e-Government is not about one-time service delivery but about a life-long association!

e-Government is not about isolated government but about partnering with citizens and business!

e-Government is not about government centricity but about stakeholder-centric government!

Advantages

• To increase internal efficiency
• To create new services
• Easy access to information
• To participate in global information networks
• Information sharing among institutions
• Online access to public services
• Individual efficiency
• High performance in teamwork
• Transparent

Examples of e-Services – G2C

• Birth Certificate
• Health Care

• School Admission
• Scholarships
• e-Learning
• Examination Results

• Employment Services
• Vehicle Registration
• Driver’s License
• Passport/Visa

• Agriculture
• Land Record
• Property Registration
• Marriage Certificates
• Taxes
• Utility Services
• Municipality Services

• Pensions
• Insurance
• Health Care
• Death Certificate

Examples of e-Services – G2B

[Diagram labels: Close, Expand, Operate, Start-up, Explore Opportunities]

• Approvals
• Permissions
• Registrations

• Returns
• Taxes
• Permits
• Compliance

• Approvals
• Permissions

• Project Profiles
• Infrastructure
• State Support

• Approvals
• Compliance

Disadvantages

• Difficult access for people with disabilities.
• Overloaded information.
• Ambiguity in the cases of confidentiality, copyrights and protection of public information.
• Gaps resulting from unequal availability of opportunities.

What is Information Security?

• Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Building blocks of secure system

1. Authentication: to prove one’s identity
2. Privacy/confidentiality: to ensure that no one can read the message except the intended receiver
3. Integrity: the message received by the receiver has not been altered
4. Non-repudiation: to prove that the sender has really sent the message
5. Availability: the system still functions efficiently after some security violations

No single measure can ensure complete security.

Various security measures taken so far…

Symmetric and public key cryptosystems

Symmetric-key cryptosystem
• same key is used for encryption and decryption

Public-key cryptosystem
• separate keys for encryption and decryption

Public-key encryption: confidentiality

• Alice wants to send message M to Bob
  – uses Bob’s public key to encrypt M
• Bob uses his private key to decrypt M
  – only Bob has key
  – no one else can decipher M
• Identification provided by public key encryption
• But … anyone can send message to Bob using his public key
  – how are we sure the message came from Alice?

Digital signatures

• Electronic equivalent of handwritten signatures
• Handwritten signatures are hard to forge
• Electronic information is easy to duplicate
• Digital signatures using public key encryption
  – Idea:
    • Bob uses his private key to “sign” a message
    • Alice verifies signature using Bob’s public key
• Data authentication provided by digital signatures

Signed challenges

• User authentication provided by signed challenges
  – Are Alice and Bob real, or frauds?
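
The signed-challenge authentication named above, built on the digital signatures of the previous slide, as an added Go example that is not part of the original presentation. It uses Ed25519 from the Go standard library; the names Verifier, Enroll and Respond and the tag string are assumptions made for the illustration, and Enroll stands in for certificate issuance by a certification authority.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

const tag = "login-challenge|" // assumed label: the signature is only valid as a login response

// Verifier is Bob's side: Alice's public key and the challenge awaiting an answer.
type Verifier struct {
	Pub     ed25519.PublicKey
	pending []byte
}

// Enroll stands in for certificate issuance: Alice keeps priv, Bob gets pub.
func Enroll() (*Verifier, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Verifier{Pub: pub}, priv
}

func (v *Verifier) Challenge() []byte {
	v.pending = make([]byte, 32) // fresh random nonce for every attempt
	if _, err := rand.Read(v.pending); err != nil {
		panic(err)
	}
	return v.pending
}

// Respond is Alice's side: sign the tagged challenge with her private key.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(tag), nonce...))
}

// Check consumes the nonce, so a captured response cannot be replayed.
func (v *Verifier) Check(sig []byte) bool {
	nonce := v.pending
	v.pending = nil
	return nonce != nil && ed25519.Verify(v.Pub, append([]byte(tag), nonce...), sig)
}

func main() {
	bob, alice := Enroll()
	sig := Respond(alice, bob.Challenge())
	fmt.Println("fresh:", bob.Check(sig), "replayed:", bob.Check(sig))
}
```

The first check succeeds and the second fails because the nonce has been consumed; a response signed with any other private key fails verification against Alice's public key.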

Certification authority

• A third party trusted by all users that creates, distributes, revokes, & manages certificates
• Certificates bind users to their public keys
• Integrity is provided by the certification authority

Problem still remains…

Problems of …

Attack on availability:
• disruption or denial of services

Solution

• One cannot get stuck with only fault avoidance
• Needs to move ahead … towards fault tolerance
• Shall cater for the dynamic behavior of the intrusion

Security Assessment & countermeasures

Proper planning, a security program and techniques are essential to cater for threats
– In this regard, one needs to:
  • Classify the type of service based on ISMM
  • Monitor continuously using Security Readiness assessment
  • Follow multiple screening mechanisms …

Screening Mechanisms

• Prevention
• Detection
• Mitigation
• Response

Prevention

• Establishment of policy and access control
  – who: identification, authentication, authorization
  – what: granted on “need-to-know” basis
• Implementation of hardware, software, and services
  – users cannot override, unalterable (attackers cannot defeat security mechanisms by changing them)
  – examples of preventative mechanisms
    • passwords - prevent unauthorized system access
    • firewalls - prevent unauthorized network access
    • encryption - prevents breaches of confidentiality
    • physical security devices - prevent theft
• Maintenance

Prevention is not enough!

Bruce Schneier, Counterpane Internet Security, Inc.

Prevention systems are never perfect.

No bank ever says: "Our safe is so good, we don't need an alarm system."

No museum ever says: "Our door and window locks are so good, we don't need night watchmen."

Detection and response are how we get security in the real world, and they're the only way we can possibly get security in the cyberspace world.

Detection

Determine that either an attack is underway or has occurred and report it

• Real-time monitoring
• Intrusion verification and notification
  – intrusion detection systems (IDS)
  – typical detection systems monitor various aspects of the system, looking for actions or information indicating an attack
    • example: denial of access to a system when user repeatedly enters incorrect password

Mitigation

• If detection is not possible, reduce the level of security risk
• Accomplished by decreasing the threat level

Best strategy is a combination of all three elements:
– decreasing threats by eliminating or intercepting the adversary before attack
– blocking opportunities through enhanced security and
– reducing consequences if an attack occurs

Response

• If all of the above are not possible
• Stop an attack / increase availability
  – must be timely!
    • incident response plan developed in advance
• Assess and repair any damage
• Resumption of correct operation
• Evidence collection and preservation
  – very important
    • identifies vulnerabilities
    • strengthens future security measures

Survey report on E-Government: Nepal’s Scenario

Major threat - DDoS attack
– Not only in Nepal but worldwide…
– Here, increasing system availability is the major concern

Defense Mechanisms

• What should be the optimal architecture for Nepal?

Follow a Security Architecture which consists of all the following building blocks
– Prevention
– Detection
– Mitigation
– Response (stop/increase availability)
– Increase cost effectiveness through WOG approach

Research focus…

• Development of WOG architecture and its analysis using the SHARPE tool
• Markov chain chosen to cater for the dynamic behavior of the intruder
• In WOG system - Security sub system architecture made highly available
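
An added example, not taken from the presentation and not SHARPE output: a Go program that computes steady-state availability for a small continuous-time Markov chain of the kind the research-focus slide refers to. The three states, the hourly rates and the function names are assumptions chosen for illustration, not the author's WOG model.

```go
package main

import "fmt"

// States of the assumed model: the service keeps running while an attack is
// being handled (fault tolerance) and is unavailable only in Down.
const (
	Healthy = iota
	UnderAttack
	Down
)

// SteadyState returns the long-run probability of each state of a
// continuous-time Markov chain; rate[i][j] is the i -> j rate, rate[i][i] = 0.
func SteadyState(rate [][]float64) []float64 {
	lambda := 0.0 // uniformisation constant: no state leaves faster than this
	for i := range rate {
		for _, r := range rate[i] {
			lambda += r
		}
	}
	pi := make([]float64, len(rate))
	pi[Healthy] = 1
	for step := 0; step < 100000; step++ { // pi <- pi * (I + Q/lambda)
		next := make([]float64, len(rate))
		for i := range rate {
			next[i] += pi[i]
			for j, r := range rate[i] {
				next[j] += pi[i] * r / lambda
				next[i] -= pi[i] * r / lambda
			}
		}
		pi = next
	}
	return pi
}

// Availability builds the three-state chain from hourly rates (assumed values).
func Availability(attack, mitigate, fail, repair float64) float64 {
	pi := SteadyState([][]float64{
		{0, attack, 0},
		{mitigate, 0, fail},
		{repair, 0, 0},
	})
	return pi[Healthy] + pi[UnderAttack]
}

func main() {
	fmt.Printf("with mitigation: %.4f, without: %.4f\n", Availability(0.5, 4, 1, 2), Availability(0.5, 0, 1, 2))
}
```

With these assumed rates, adding the mitigation transition raises long-run availability from 6/7 to 22/23, which is the kind of comparison an availability model makes between fault avoidance alone and fault tolerance.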

M-Government Security

• Similar modality could as well be implemented in M-government
• Further research in this regard is needed

Thank You for your attention
