E gov security_tut_session_1
- 1. The Palestinian eGovernment Academy
www.egovacademy.ps
Security Tutorial
Session 1
PalGov © 2011 1
- 2. About
This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the
Commission of the European Communities, grant agreement 511159-TEMPUS-1-
2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps
Project Consortium:
Birzeit University, Palestine (Coordinator)
University of Trento, Italy
Palestine Polytechnic University, Palestine
Vrije Universiteit Brussel, Belgium
Palestine Technical University, Palestine
Université de Savoie, France
Ministry of Telecom and IT, Palestine
University of Namur, Belgium
Ministry of Interior, Palestine
TrueTrust, UK
Ministry of Local Government, Palestine
Coordinator:
Dr. Mustafa Jarrar
Birzeit University, P.O. Box 14, Birzeit, Palestine
Telfax: +972 2 2982935 mjarrar@birzeit.edu
- 3. © Copyright Notes
Everyone is encouraged to use this material, or part of it, but should properly
cite the project (logo and website), and the author of that part.
No part of this tutorial may be reproduced or modified in any form or by any
means, without prior written permission from the project, who have the full
copyrights on the material.
Attribution-NonCommercial-ShareAlike
CC-BY-NC-SA
This license lets others remix, tweak, and build upon your work non-
commercially, as long as they credit you and license their new creations
under the identical terms.
- 4. Tutorial 5:
Information Security
Session 1 Outline:
• Session 1 ILO’s.
• Introduction to E-governments and
Security
• Introduction to Information Security
and Threats (CIA)
• ISO 27000 Standards.
- 5. Tutorial 5: Session 1 - ILO’s
This session will contribute to the following
ILOs:
• A: Knowledge and Understanding
• a1: Define the different risks and threats from being connected
to networks, internet and web applications.
• a2: Define security standards and policies.
• a3: Recognize risk assessment and management
• a4: Describe the Palestinian eGovernment infrastructure and
understand its security requirements.
• B: Intellectual Skills
• b1: Illustrate the different risks and threats from being
connected.
• b2: Relate risk assessment and management to the e-government model.
• b3: Design end-to-end secure and available systems.
• C: General and Transferable Skills
• d3: Analysis and identification skills.
- 7. Introduction to Palestinian E-
governments and Security
• The Palestinian e-Government
Architecture
• Security Framework
• Missing Knowledge and Skills:
- 8. The Palestinian e-Government
Architecture (1)
• The Palestinian e-government architecture
was developed in cooperation with the Estonian
government.
• The architecture connects all ministries
together through a government service bus,
called “x-road Palestine”.
• This service bus represents a standard
service-oriented architecture.
• Provision of secure services.
• Not yet implemented.
- 10. The Palestinian e-Government
Architecture (3)
• Public services can be accessed by citizens or
entrepreneurs through the portal component.
• It allows users first to login and authenticate
themselves through smart-card and/or
passwords;
• The portal then provides the list of services that
the authenticated user is allowed to access.
• Then, the server communicates with the server
of the ministry of interior or the server of the
ministry of health and so on.
- 11. The Palestinian e-Government
Architecture (4)
• Several frameworks should be
established to enable these
interoperations,
• Each organization develops and
operates its services and data.
• An organization can be a ministry, a
governmental agency or a private firm.
• In Palestine, there are 23 ministries,
55 governmental agencies, and many
private firms that may all join the e-
government at a certain stage.
- 12. The Palestinian e-Government
Architecture (4)
• Hence, five frameworks are
needed to implement the
aforementioned e-government
architecture:
– (i) infrastructure framework,
– (ii) security framework,
– (iii) interoperability framework,
– (iv) legal framework,
– (v) policy framework.
- 13. Pal. E-gov Security Framework
After establishing the network between
governmental institutions, this network
needs to be secure: both point to point
network security and end-to-end security
service are required:
– Data Confidentiality, Data Integrity,
Authenticity.
– No surreptitious forwarding
– Non-repudiation
– Access Control
– Timeliness (to avoid replay attacks)
– Accounting and Logging
– Availability.
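The timeliness requirement in the list above, as an added example that is not part of the original slides: a receiver that accepts an authenticated message only once and only while it is fresh. The message layout, the shared-key HMAC and the 120-second window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 120  # seconds a message stays acceptable (assumed window)
SIGNED_FIELDS = ("sender", "body", "ts", "nonce")


def _tag(key, msg):
    """HMAC-SHA256 over the signed fields in a canonical JSON encoding."""
    signed = json.dumps({f: msg[f] for f in SIGNED_FIELDS}, sort_keys=True)
    return hmac.new(key, signed.encode(), hashlib.sha256).hexdigest()


def seal(key, sender, body, now=None):
    """Sender side: add a timestamp and a random nonce, then authenticate."""
    msg = {
        "sender": sender,
        "body": body,
        "ts": int(time.time() if now is None else now),
        "nonce": os.urandom(16).hex(),
    }
    msg["tag"] = _tag(key, msg)
    return msg


class Receiver:
    """Accepts each authentic message once, and only while it is fresh."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp, kept only inside the window

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        try:
            expected = _tag(self.key, msg)
            tag = str(msg["tag"])
        except (KeyError, TypeError):
            return "malformed"
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-tag"          # altered in transit or wrong key
        if abs(now - msg["ts"]) > MAX_SKEW:
            return "stale"            # outside the timeliness window
        # Nonces older than the window can be dropped: a message carrying
        # one would already be rejected as stale.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= MAX_SKEW}
        if msg["nonce"] in self.seen:
            return "replay"           # same message presented twice
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"


if __name__ == "__main__":
    key = os.urandom(32)              # shared key, constructed for the demo
    r = Receiver(key)
    m = seal(key, "Ali", "request #1 to Sara")
    print(r.accept(m), r.accept(m))   # second delivery is a resend
```

The timestamp bounds how long nonces must be remembered; the nonce catches a resend that arrives inside that window.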
- 14. Pal. E-gov Security Framework
• To deal with these issues, the following
mechanisms are needed:
– Authentication services
– Confidentiality services
– Data integrity and non-repudiation services
– Authorization services
– Intrusion detection and prevention.
– Malicious software and virus protection.
– Denial of service and distributed denial of service
detection and prevention.
– Firewall systems.
– Risk assessment and management.
– Policy making and enforcement.
– Training and awareness building.
- 15. Missing Knowledge and Skills:
• Missing Knowledge and Skills:
– For all:
• Understand the types of risks and threats from
being connected.
• Understand security standards and policies
including risk assessment and management
• Be aware of the threats of connecting to the
internet and using web applications and social
networks
• Ability to protect themselves and applications
from security threats
- 16. Missing Knowledge and Skills:
• Missing Knowledge and Skills:
– For IT professionals:
• Ability to design, implement and deploy user
authentication services.
• Ability to design, implement and deploy end-
to-end security systems.
• Ability to design, implement and deploy
authorization services.
• Ability to design, implement, and deploy
confidentiality services.
• Ability to design and deploy security policies
- 18. Introduction to Information Security
and Threats
• Overview
• Basic Security Concepts
• Computer Security Issues
• Vulnerabilities / Attacks
- 19. Overview
Computer Security:
“protection afforded to an automated
information system in order to attain the
applicable objectives of preserving the
integrity, availability and confidentiality of
information system resources (includes
hardware, software, firmware,
information/data, and telecommunications).”
[1] Definition taken from Computer Security: Principles and Practice, by William Stallings and
Lawrie Brown. Published by Pearson/Prentice Hall, © 2008. ISBN: 0-13-600424-5.
- 21. Understanding the Importance of
Information Security
• Prevents data from being stolen
• Maintains productivity
• Prevents cyber-terrorism
• Prevents theft of identities
• Maintains competitive advantage
• Prevents modifying data, forging
data, masquerading and
impersonating users, etc.
- 22. Computer Security Issues / Challenges
1. Not simple
2. Must consider potential attacks
3. Procedures used counter-intuitive
4. Involve algorithms and secret info
5. Battle of wits between attacker / admin
6. Not perceived as benefit until things fail…
7. Requires regular monitoring
8. Regarded as impediment to using system
- 25. Secure Communication with an
Untrusted Infrastructure
• Ali may send a message to Sara…
• A devil may take Ali's credentials,
claim to be Ali, and resend a
message to Sara in Ali's name.
- 26. Secure Communication with an
Untrusted Infrastructure
• E-government usually involves
communication between
different parties over secure
and insecure infrastructures.
- 27. CIA and AAA Concepts
•CIA
•Confidentiality.
•Integrity.
•Availability
•AAA
•Authentication (password).
•Authorization (Access Control).
•Auditing (Accounting and
Logging).
- 29. ISO 17799
• We will learn about:
– ISO 17799 (2000 and 2005), precursor of ISO 27002
(2007)
– Originally based on BS 7799 Part 1 (1995)
– “Information Technology – Code of Practice for
Information Security Management”
– ISO 27001 (2007), originally BS 7799 Part 2, is a
practical application of ISO 27002 and specifies
requirements for establishing an Information
Security Management System (ISMS), as a
precursor to being certified by a certification body
- 30. ISO 27002 (2007)
• Includes:
–Risk Assessment & Treatment
–Security Policies
–Organization
–Asset Management
–HR
- 31. ISO 27002 (2007)
• Includes:
– Communications and Operations
– Physical and Environmental
– Access Control
– Information Systems Acquisition, Development and
Maintenance
– IS Incident Management
– Business Continuity Model BCM
– Compliance
- 32. Why is Information Security Important
• Information and its supporting
processes are business assets to
governments and orgs.
• Some businesses and orgs (e.g.
banks and governments) deal with
information.
• Information CIA/AAA are needed.
- 33. Information Security Requirements
• These are determined by considering
– Risk assessment of information loss to
organisation.
– Legal, statutory, regulatory and
contractual requirements placed on the
organisation.
– Information processing needs of the
organisation to support its operations.
- 34. IS Controls (1)
• Controls can be:
– Policies
– Practices
– Procedures
– Organisational Structures/Roles
– Software Functions
• Controls are selected based upon their
cost of implementation vs. loss to
organisation of money, time, reputation
and functionality.
- 35. IS Controls (2)
• The following controls are ESSENTIAL from a
legislative point of view
– Data protection and privacy of personal information
– Protection of Organisational records e.g. financial
data.
– Protection of Intellectual Property Rights (including
those of business partners)
• The following controls are BEST practice
– Information security policy document
– Allocation of information security responsibilities
– Education and Training of staff in Information Security
– Reporting security incidents
– Business continuity management
- 36. Related IS Issues
• Security Policy
• Organisational Security
• Asset Classification and Control
• Personnel Security
• Physical and Environmental Security
• Communications and Operations Security
• Access Control
• System Development and Maintenance
• Business Continuity Management (BCM)
• Compliance
- 37. Security Policy
• Objective: To provide management
support and direction for information
security in the organisation.
• Policy should have an owner, and
should be regularly reviewed and
enhanced.
• Do we have policies for Palestine?
- 38. Internal Organisational Security
• Objective:
– to manage information security in the organisation
– Appoint owners to every information asset and
make them responsible for its security
• Our organisations are required to:
– Have an expert advisor (internal or external)
– Have an authorisation process for all new systems
– Have an independent reviewer to assess
compliance with security policy
- 39. Asset Classification and Control
• Objective: to maintain protection of
information assets.
–Assets include: hardware, software,
electronic data and documentation.
–Very Important to our e-gov project.
- 40. Personnel Security
• Objective: to reduce risks of human errors,
theft, fraud, misuse of Information Systems
– Should be integrated with the Legal Tutorial of our
project
- 41. Physical and Environmental Security
• Objectives: To prevent unauthorised
access, loss, damage, and theft of IS
resources
– Equipment Disposal. Remove all
confidential information or destroy the
media
– Protect/restrict physical access to
equipment
- 42. Communications and Operations Security
• Related areas to be covered:
– Operational procedures and
responsibilities
– System planning and acceptance
– Malicious software e.g. viruses
– Housekeeping (backups, archives etc)
– Network management
– Handling of media
– Exchange of information and software
- 43. Communications and Operations Security –
Procedures
• Objective: Ensure correct and secure
operation of IS facilities
– Document operating procedures for each
system (and keep them up to date!)
– Separation of operational and development
systems
- 45. Communications and Operations Security –
Malicious software
• Objective: To protect the integrity of software and
information
– Need to protect against viruses, worms, logic bombs, Trojan
horses etc.
– Policy should require software to be licensed and authorised
before use
– WHAT ABOUT FREE LICENSING.
– Policy should require safe methods for import of files from media
and networks
– Anti-virus software should be regularly updated
– Documented procedures for reporting and recovering from virus
infections
– Educate staff about viruses and protection methods (training)
- 46. Communications and Operations Security –
Housekeeping
• Objective: To maintain the availability of
information and software
– Use of RAID technology
– Regular backups of data should be taken, kept
securely, and tested for correct recovery
– Operational staff should keep a log of their
activities e.g. times systems started, failed,
recovered, and logs should be independently
inspected for conformance to procedures
– Support staff should log all user fault reports and
their resolutions
- 47. Communications and Operations Security –
Network Management
• Objective: To safeguard the network
and information on it
– Protect from unauthorised access e.g. use
of firewalls
– Protect against disclosure of confidential
information e.g. VPN
– Ensure availability e.g. by having backup
networks/links
– Prevent Disclosure
- 49. Communications and Operations Security –
Information Exchange
• Objective: To prevent loss of information exchanged between
organisations
– Must be consistent with legislation e.g. data protection act
– Public servers e.g. Web – may need to comply with legislation in
recipient country, also need controls to stop modifications
– Exchanges should be based on an agreement comprising:
• Standards for packaging, notification arrangements, responsibilities in case of loss,
agreed labelling system, methods of transfer (e.g. tamper resistant packaging,
encryption)
• E-commerce: authentication and authorisation methods, settlement method, liability if
fraudulent transactions
– Policy for use of email: what (not) to send via email, what protection to
use, use of inappropriate language
– Policy for use of fax, phone, mail, video: confidentiality issues, storage
issues, access issues
– WHAT ABOUT E-GOV X-ROAD.
– WHAT ABOUT CLOUD COMPUTING !!!
- 50. Access Control
• Objective: To control access to information
– Access control policy should state rules and rights for each
user and group of users
– Rules should differentiate between mandatory and optional
ones, administrator or automated approval.
• Good base “Everything forbidden unless expressly permitted”
– Formal registration and de-registration process for users
– Allocate unique IDs to users to allow auditing
– Limit the use of system privileges
– Record who is allocated which IDs and privileges and
regularly review them esp. special privileges
– Ensure unattended equipment has appropriate protection
- 51. Access Control – Passwords
• Have a password management policy known by all users
• Have users sign a statement to keep passwords
confidential
• Allocate a temporary password which users must change
at first log on
• Force strong passwords >8 characters, easy to remember
but not linked to user, preferably mixed characters and not
dictionary words (upper/lower case/numbers/special)
• Make users change passwords at predefined intervals
• Store password files encrypted and separately from
application files
• Don’t display passwords during login
- 52. Access Control – Networks
• Objective: Protection of networked services
– Network access policy – services allowed, user
authorisation procedures, management controls
– Have Enforced Paths that control the path from
user’s device to networked services e.g. dedicated
telephone numbers, limited roaming, screening
routers
– Mandate user authentication before they gain
access
– Protect remote access to engineering diagnostic
ports
– Separate internal network into security domains
– Install application proxy firewalls
- 53. Access Control – Operating systems
• Objective: To prevent unauthorised computer access
– Identify the user and optionally the calling location
– Record successful and failed login attempts
– Display a warning notice to users at login
– Don’t provide help for unsuccessful logins
– Limit number of failed logins (e.g. to 3) and have a time
delay between each attempt
– Limit the time for the login procedure
– Display the following information after successful login
• Last time user logged in & number of failed attempts
since
– Time out inactive sessions, time limit high risk sessions
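Several of the login controls listed above, combined in one added example (not part of the original slides): attempts are recorded with user and location, every refusal returns the same message, failures are capped at 3 with a delay between tries, and a successful login reports the last login time and the failures since. The class name, the 5-second delay and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3       # the slide's example limit
RETRY_DELAY = 5        # seconds to wait after a failed attempt (assumed)
GENERIC_ERROR = "Login failed."   # same text for every refusal: no help


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    def __init__(self):
        self.users = {}    # user -> (salt, password hash)
        self.state = {}    # user -> failures, next allowed try, last login
        self.log = []      # (time, user, location, outcome), all attempts

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))
        self.reset(user)

    def reset(self, user):
        """Administrator action: clear a lockout, keep the last login time."""
        last = self.state.get(user, {}).get("last_login")
        self.state[user] = {"failures": 0, "next_try": 0, "last_login": last}

    def login(self, user, password, location, now):
        """Return (True, banner) or (False, GENERIC_ERROR)."""
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        # Hash even for unknown users so timing does not reveal which exist.
        matches = hmac.compare_digest(_hash(password, salt), stored)
        st = self.state.get(user)
        if st is None:
            return self._refuse(now, user, location, "unknown-user")
        if st["failures"] >= MAX_FAILURES:
            return self._refuse(now, user, location, "locked")
        if now < st["next_try"]:
            return self._refuse(now, user, location, "too-soon")
        if not matches:
            st["failures"] += 1
            st["next_try"] = now + RETRY_DELAY
            return self._refuse(now, user, location, "bad-password")
        banner = {"last_login": st["last_login"],
                  "failed_since": st["failures"]}
        st.update(failures=0, next_try=0, last_login=now)
        self.log.append((now, user, location, "success"))
        return True, banner

    def _refuse(self, now, user, location, reason):
        self.log.append((now, user, location, reason))  # logged, never shown
        return False, GENERIC_ERROR
```

The reason for a refusal goes only to the log, so the person at the prompt cannot tell a wrong password from a locked or unknown account.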
- 54. Access Control – Monitoring
• Objective: to detect unauthorised access
– Audit logs record: user ID, location, date and time, attempted
action, success/fail, plus alerts
– Actions include: log on, log off, files accessed, records
accessed, programs used, devices attached/detached
– Intrusion Detection Systems analyse logs to look for
anomalous behaviour and system misuse. Issue alerts when
they detect them
– Accurate clock times are important for accurate logs
– Audit logs should be protected against modification (as well
as deletion and forging)
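One way to make an audit log tamper-evident, as an added example that is not part of the original slides: each record carries the fields listed above and an HMAC that also covers the previous entry's HMAC, so a change to any entry shows up on verification. The function names and the choice of an HMAC chain are assumptions; the key is assumed to be held away from the host that writes the log.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # chain value before the first entry


def _mac(key, prev_mac, record):
    data = prev_mac + json.dumps(record, sort_keys=True)
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


def append(log, key, user_id, location, timestamp, action, success):
    """Add one audit record carrying the fields listed on the slide."""
    record = {"seq": len(log), "user_id": user_id, "location": location,
              "timestamp": timestamp, "action": action, "success": success}
    prev_mac = log[-1]["mac"] if log else GENESIS
    log.append({"record": record, "mac": _mac(key, prev_mac, record)})
    return log[-1]["mac"]   # new head; keep a copy away from the log host


def verify(log, key, expected_head=None):
    """Return None if the log is intact, else the index where it breaks.

    Edits, forged entries, reordering and deletions inside the log break
    the chain at that index. Cutting entries off the end leaves a valid
    shorter chain, so that case is only caught when expected_head (the
    last MAC, stored elsewhere) is supplied; it is reported as len(log).
    """
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        record = entry.get("record", {})
        good = _mac(key, prev_mac, record)
        if record.get("seq") != i or not hmac.compare_digest(
                good.encode(), str(entry.get("mac", "")).encode()):
            return i
        prev_mac = entry["mac"]
    if expected_head is not None and prev_mac != expected_head:
        return len(log)
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"    # sample key, constructed for the demo
    log = []
    # Constructed sample records.
    append(log, key, "u1017", "10.1.4.22", "2011-11-02T08:15:00Z",
           "log on", True)
    head = append(log, key, "u1017", "10.1.4.22", "2011-11-02T08:16:10Z",
                  "read record 5521", False)
    log[1]["record"]["success"] = True   # someone rewrites a failure
    print(verify(log, key, head))        # index of the altered entry
```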
- 55. System Development and Maintenance
• Objective: To ensure that security is built into
Information Systems
– Security requirements should be identified during
project’s requirements phase and be related to the
business value of the system
– Data input validation: out of range values, invalid
characters, missing fields, exceeding upper limits
– Data processing validation: balancing controls,
checksums, programs run in correct order and at
correct time
– Data output validation: plausibility checks,
reconciliation counts
- 56. Business Continuity Management (1)
• Objective: To counteract interruptions to business
activity and to protect critical business processes from
the effects of major failures
– Failures can come from natural disasters,
accidents, equipment failures and deliberate
attacks
– Perform a risk analysis, identifying causes,
probabilities and impacts
– Implement cost effective risk mitigating
actions
- 57. Business Continuity Management (2)
–Formulate Business Continuity Plan
–Implement and test the BCP
–Continually review and update the BCP
–Failure of equipment in a particular zone
–VERY IMPORTANT FOR THE E-GOV
ESPECIALLY IN PALESTINE
- 58. Compliance – legal
• Objectives: Ensure compliance with legislation
– Identify applicable laws – data protection, privacy,
monitoring use of resources, computer misuse
– Rules for admissibility and completeness of evidence
– Ensure copyright and software licences are adhered
to (implement controls and spot checks)
– Keep asset register, proofs of purchase, master discs
– Organisational records must be kept securely for a
minimum statutory time period
– Consider media degradation and technology change
– Complemented by the Legal Issues tutorial.
- 59. Compliance – security policy
• Objectives: Ensure compliance with security
policy
– Security of information systems should be regularly
reviewed
– Managers should ensure all procedures are carried
out properly
- 60. Summary
• In this session we discussed the following:
– The Palestinian e-gov architecture.
– The security framework for the e-gov platforms
– The required skills for people involved in the e-
gov activities.
– Introduction to security and the CIA concept.
– Detailed information about the security
management and risk assessment standards
included in the ISO 27002.
- 61. Bibliography
1. Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Published by Pearson/Prentice Hall, © 2008. ISBN: 0-13-600424-5.
2. Lecture Notes by David Chadwick, 2011, TrueTrust Ltd.
3. Cryptography and Network Security, by Behrouz A. Forouzan. McGraw-Hill, © 2008. ISBN: 978-007-126361-0.
4. Center for Interdisciplinary Studies in Information Security (ISIS), http://scgwww.epfl.ch/courses
- 62. Thanks
Radwan Tahboub