E gov security_tut_session_1


Published in: Education, Technology

  1. ‫أﻛﺎدﯾﻣﯾﺔ اﻟﺣﻛوﻣﺔ اﻹﻟﻛﺗروﻧﯾﺔ اﻟﻔﻠﺳطﯾﻧﯾﺔ‬ The Palestinian eGovernment Academy, www.egovacademy.ps
     Security Tutorial, Session 1
     PalGov © 2011
  2. About
     This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps
     Project Consortium:
     • Birzeit University, Palestine (Coordinator)
     • University of Trento, Italy
     • Palestine Polytechnic University, Palestine
     • Vrije Universiteit Brussel, Belgium
     • Palestine Technical University, Palestine
     • Université de Savoie, France
     • Ministry of Telecom and IT, Palestine
     • University of Namur, Belgium
     • Ministry of Interior, Palestine
     • TrueTrust, UK
     • Ministry of Local Government, Palestine
     Coordinator: Dr. Mustafa Jarrar, Birzeit University, P.O.Box 14- Birzeit, Palestine. Telfax: +972 2 2982935, mjarrar@birzeit.edu
  3. © Copyright Notes
     Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website), and the author of that part.
     No part of this tutorial may be reproduced or modified in any form or by any means, without prior written permission from the project, who have the full copyrights on the material.
     Attribution-NonCommercial-ShareAlike (CC-BY-NC-SA): This license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.
  4. Tutorial 5: Information Security
     Session 1 Outline:
     • Session 1 ILOs.
     • Introduction to E-governments and Security
     • Introduction to Information Security and Threats (CIA)
     • ISO 27000 Standards.
  5. Tutorial 5: Session 1 - ILOs
     This session will contribute to the following ILOs:
     • A: Knowledge and Understanding
       – a1: Define the different risks and threats from being connected to networks, internet and web applications.
       – a2: Define security standards and policies.
       – a3: Recognize risk assessment and management.
       – a4: Describe the Palestinian eGovernment infrastructure and understand its security requirements.
     • B: Intellectual Skills
       – b1: Illustrate the different risks and threats from being connected.
       – b2: Relate risk assessment and management to the e-government model.
       – b3: Design end-to-end secure and available systems.
     • C: General and Transferable Skills
       – d3: Analysis and identification skills.
  6. Tutorial 5: Information Security
     Session 1 Outline:
     • Session 1 ILOs.
     • Introduction to E-governments and Security
     • Introduction to Information Security and Threats (CIA)
     • ISO 27000 Standards.
  7. Introduction to Palestinian E-governments and Security
     • The Palestinian e-Government Architecture
     • Security Framework
     • Missing Knowledge and Skills
  8. The Palestinian e-Government Architecture (1)
     • The Palestinian e-government architecture was developed in cooperation with the Estonian government.
     • The architecture connects all ministries together through a government service bus, called “x-road Palestine”.
     • This service bus represents a standard service-oriented architecture.
     • Provision of secure services.
     • Not yet implemented.
  9. The Palestinian e-Government Architecture (2)
  10. The Palestinian e-Government Architecture (3)
     • Public services can be accessed by citizens or entrepreneurs through the portal component.
     • It allows users first to log in and authenticate themselves through smart-card and/or passwords.
     • The portal then provides the list of services that the authenticated user is allowed to access.
     • Then, the server communicates with the server of the ministry of interior or the server of the ministry of health and so on.
  11. The Palestinian e-Government Architecture (4)
     • Several frameworks should be established to enable these interoperations.
     • Each organization develops and operates its services and data.
     • An organization can be a ministry, a governmental agency or a private firm.
     • In Palestine, there are 23 ministries, 55 governmental agencies, and many private firms that may all join the e-government at a certain stage.
  12. The Palestinian e-Government Architecture (4)
     • Hence, five frameworks are needed to implement the aforementioned e-government architecture:
       – (i) infrastructure framework,
       – (ii) security framework,
       – (iii) interoperability framework,
       – (iv) legal framework,
       – (v) policy framework.
  13. Pal. E-gov Security Framework
     After establishing the network between governmental institutions, this network needs to be secure. Both point-to-point network security and end-to-end security services are required:
       – Data Confidentiality, Data Integrity, Authenticity
       – No surreptitious forwarding
       – Non-repudiation
       – Access Control
       – Timeliness (to avoid replay attacks)
       – Accounting and Logging
       – Availability
  14. Pal. E-gov Security Framework
     • To deal with these issues, the following mechanisms are needed:
       – Authentication services
       – Confidentiality services
       – Data integrity and non-repudiation services
       – Authorization services
       – Intrusion detection and prevention
       – Malicious software and virus protection
       – Denial of service and distributed denial of service detection and prevention
       – Firewall systems
       – Risk assessment and management
       – Policy making and enforcement
       – Training and awareness building
  15. Missing Knowledge and Skills
     • For all:
       – Understand the types of risks and threats from being connected.
       – Understand security standards and policies, including risk assessment and management.
       – Be aware of the threats of connecting to the internet and using web applications and social networks.
       – Ability to protect themselves and applications from security threats.
  16. Missing Knowledge and Skills
     • For IT professionals:
       – Ability to design, implement and deploy user authentication services.
       – Ability to design, implement and deploy end-to-end security systems.
       – Ability to design, implement and deploy authorization services.
       – Ability to design, implement and deploy confidentiality services.
       – Ability to design and deploy security policies.
  17. Tutorial 5: Information Security
     Session 1 Outline:
     • Session 1 ILOs.
     • Introduction to E-governments and Security
     • Introduction to Information Security and Threats (CIA)
     • ISO 27000 Standards.
  18. Introduction to Information Security and Threats
     • Overview
     • Basic Security Concepts
     • Computer Security Issues
     • Vulnerabilities / Attacks
  19. Overview
     Computer Security: “protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).” [1]
     [1] Definition taken from Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Published by Pearson/Prentice Hall, © 2008. ISBN: 0-13-600424-5.
  20. Key Security Concepts
  21. Understanding the Importance of Information Security
     • Prevents data from being stolen
     • Maintains productivity
     • Prevents cyber-terrorism
     • Prevents theft of identities
     • Maintains competitive advantage
     • Prevents modifying data, forging data, masquerading and impersonating users, etc.
  22. Computer Security Issues / Challenges
     1. Not simple
     2. Must consider potential attacks
     3. Procedures used are counter-intuitive
     4. Involves algorithms and secret info
     5. Battle of wits between attacker / admin
     6. Not perceived as a benefit until things fail…
     7. Requires regular monitoring
     8. Regarded as an impediment to using the system
  23. Security Terminology
     Lecture slides by Lawrie Brown
  24. Secure Communication with an Untrusted Infrastructure
  25. Secure Communication with an Untrusted Infrastructure
     • Ali may send a message to Sara…
     • A devil may take Ali's credentials, claim to be Ali, and resend a message to Sara.
  26. Secure Communication with an Untrusted Infrastructure
     • E-government usually involves communication between different parties over secure and insecure infrastructures.
  27. CIA and AAA Concepts
     • CIA
       – Confidentiality
       – Integrity
       – Availability
     • AAA
       – Authentication (password)
       – Authorization (Access Control)
       – Auditing (Accounting and Logging)
  28. Tutorial 5: Information Security
     Session 1 Outline:
     • Session 1 ILOs.
     • Introduction to E-governments and Security
     • Intro to Information Security and Threats (CIA)
     • ISO 27000 Standards.
  29. ISO 17799
     • We will learn about:
       – ISO 17799 (2000 and 2005), precursor of ISO 27002 (2007)
       – Originally based on BS 7799 Part 1 (1995)
       – “Information Technology – Code of Practice for Information Security Management”
       – ISO 27001 (2007), originally BS 7799 Part 2, is a practical application of ISO 27002 and specifies requirements for establishing an Information Security Management System (ISMS), as a precursor to being certified by a certification body
  30. ISO 27002 (2007)
     • Includes:
       – Risk Assessment & Treatment
       – Security Policies
       – Organization
       – Asset Management
       – HR
  31. ISO 27002 (2007)
     • Includes:
       – Communications and Operations
       – Physical and Environmental
       – Access Control Information
       – Systems Acquisition, Development and Maintenance
       – IS Incident Management
       – Business Continuity Model (BCM)
       – Compliance
  32. Why is Information Security Important
     • Information and its supporting processes are business assets to governments and orgs.
     • Some businesses and orgs (e.g. banks and governments) deal with information.
     • Information CIA/AAA are needed.
  33. Information Security Requirements
     • These are determined by considering:
       – Risk assessment of information loss to the organisation.
       – Legal, statutory, regulatory and contractual requirements placed on the organisation.
       – Information processing needs of the organisation to support its operations.
  34. IS Controls (1)
     • Controls can be:
       – Policies
       – Practices
       – Procedures
       – Organisational Structures/Roles
       – Software Functions
     • Controls are selected based upon their cost of implementation vs. loss to the organisation of money, time, reputation and functionality.
  35. IS Controls (2)
     • The following controls are ESSENTIAL from a legislative point of view:
       – Data protection and privacy of personal information
       – Protection of organisational records, e.g. financial data
       – Protection of Intellectual Property Rights (including those of business partners)
     • The following controls are BEST practice:
       – Information security policy document
       – Allocation of information security responsibilities
       – Education and training of staff in information security
       – Reporting security incidents
       – Business continuity management
  36. Related IS Issues
     • Security Policy
     • Organisational Security
     • Asset Classification and Control
     • Personnel Security
     • Physical and Environmental Security
     • Communications and Operations Security
     • Access Control
     • System Development and Maintenance
     • Business Continuity Management (BCM)
     • Compliance
  37. Security Policy
     • Objective: To provide management support and direction for information security in the organisation.
     • Policy should have an owner, and should be regularly reviewed and enhanced.
     • Do we have policies for Palestine?
  38. Internal Organisational Security
     • Objective:
       – To manage information security in the organisation
       – Appoint owners to every information asset and make them responsible for its security
     • Our orgs need to:
       – Have an expert advisor (internal or external)
       – Have an authorisation process for all new systems
       – Have an independent reviewer to assess compliance with security policy
  39. Asset Classification and Control
     • Objective: To maintain protection of information assets.
       – Assets include: hardware, software, electronic data and documentation.
       – Very important to our e-gov project.
  40. Personnel Security
     • Objective: To reduce risks of human errors, theft, fraud, and misuse of Information Systems
       – Should be integrated with the Legal Tutorial of our project
  41. Physical and Environmental Security
     • Objectives: To prevent unauthorised access, loss, damage, and theft of IS resources
       – Equipment disposal: remove all confidential information or destroy the media
       – Protect/restrict physical access to equipment
  42. Communications and Operations Security
     • Related areas to be covered:
       – Operational procedures and responsibilities
       – System planning and acceptance
       – Malicious software, e.g. viruses
       – Housekeeping (backups, archives etc.)
       – Network management
       – Handling of media
       – Exchange of information and software
  43. Communications and Operations Security – Procedures
     • Objective: Ensure correct and secure operation of IS facilities
       – Document operating procedures for each system (and keep them up to date!)
       – Separation of operational and development systems
  44. Communications and Operations Security – System Acceptance
     • Objective: To minimise risk of system failure
  45. Communications and Operations Security – Malicious software
     • Objective: To protect the integrity of software and information
       – Need to protect against viruses, worms, logic bombs, Trojan horses etc.
       – Policy should require software to be licensed and authorised before use
       – WHAT ABOUT FREE LICENSING?
       – Policy should require safe methods for import of files from media and networks
       – Anti-virus software should be regularly updated
       – Documented procedures for reporting and recovering from virus infections
       – Educate staff about viruses and protection methods (training)
  46. Communications and Operations Security – Housekeeping
     • Objective: To maintain the availability of information and software
       – Use of RAID technology
       – Regular backups of data should be taken, kept securely, and tested for correct recovery
       – Operational staff should keep a log of their activities, e.g. times systems started, failed, recovered; logs should be independently inspected for conformance to procedures
       – Support staff should log all user fault reports and their resolutions
  47. Communications and Operations Security – Network Management
     • Objective: To safeguard the network and information on it
       – Protect from unauthorised access, e.g. use of firewalls
       – Protect against disclosure of confidential information, e.g. VPN
       – Ensure availability, e.g. by having backup networks/links
       – Prevent disclosure
  48. Communications and Operations Security – Media Handling
     • Objective: To prevent damage to media or loss of contents
  49. Communications and Operations Security – Information Exchange
     • Objective: To prevent loss of information exchanged between organisations
       – Must be consistent with legislation, e.g. data protection act
       – Public servers, e.g. Web – may need to comply with legislation in recipient country, also need controls to stop modifications
       – Exchanges should be based on an agreement comprising:
         • Standards for packaging, notification arrangements, responsibilities in case of loss, agreed labelling system, methods of transfer (e.g. tamper resistant packaging, encryption)
         • E-commerce: authentication and authorisation methods, settlement method, liability if fraudulent transactions
       – Policy for use of email: what (not) to send via email, what protection to use, use of inappropriate language
       – Policy for use of fax, phone, mail, video: confidentiality issues, storage issues, access issues
       – WHAT ABOUT E-GOV X-ROAD?
       – WHAT ABOUT CLOUD COMPUTING?
  50. Access Control
     • Objective: To control access to information
       – Access control policy should state rules and rights for each user and group of users
       – Rules should differentiate between mandatory and optional ones, administrator or automated approval.
         • Good base: “Everything forbidden unless expressly permitted”
       – Formal registration and de-registration process for users
       – Allocate unique IDs to users to allow auditing
       – Limit the use of system privileges
       – Record who is allocated which IDs and privileges and regularly review them, esp. special privileges
       – Ensure unattended equipment has appropriate protection
  51. Access Control – Passwords
     • Have a password management policy known by all users
     • Have users sign a statement to keep passwords confidential
     • Allocate a temporary password which users must change at first log on
     • Force strong passwords: >8 characters, easy to remember but not linked to user, preferably mixed characters and not dictionary words (upper/lower case/numbers/special)
     • Make users change passwords at predefined intervals
     • Store password files encrypted and separately from application files
     • Don’t display passwords during login
  52. Access Control – Networks
     • Objective: Protection of networked services
       – Network access policy: services allowed, user authorisation procedures, management controls
       – Have Enforced Paths that control the path from user’s device to networked services, e.g. dedicated telephone numbers, limited roaming, screening routers
       – Mandate user authentication before they gain access
       – Protect remote access to engineering diagnostic ports
       – Separate internal network into security domains
       – Install application proxy firewalls
  53. Access Control – Operating systems
     • Objective: To prevent unauthorised computer access
       – Identify the user and optionally the calling location
       – Record successful and failed login attempts
       – Display a warning notice to users at login
       – Don’t provide help for unsuccessful logins
       – Limit number of failed logins (e.g. to 3) and have a time delay between each attempt
       – Limit the time for the login procedure
       – Display the following information after successful login:
         • Last time user logged in & number of failed attempts since
       – Time out inactive sessions, time limit high risk sessions
  54. Access Control – Monitoring
     • Objective: To detect unauthorised access
       – Audit logs record: user ID, location, date and time, attempted action, success/fail, plus alerts
       – Actions include: log on, log off, files accessed, records accessed, programs used, devices attached/detached
       – Intrusion Detection Systems analyse logs to look for anomalous behaviour and system misuse, and issue alerts when they detect them
       – Accurate clock times are important for accurate logs
       – Audit logs should be protected against modification (as well as deletion and forging)
  55. System Development and Maintenance
     • Objective: To ensure that security is built into Information Systems
       – Security requirements should be identified during the project’s requirements phase and be related to the business value of the system
       – Data input validation: out of range values, invalid characters, missing fields, exceeding upper limits
       – Data processing validation: balancing controls, checksums, programs run in correct order and at correct time
       – Data output validation: plausibility checks, reconciliation counts
  56. Business Continuity Management (1)
     • Objective: To counteract interruptions to business activity and to protect critical business processes from the effects of major failures
       – Failures can come from natural disasters, accidents, equipment failures and deliberate attacks
       – Perform a risk analysis, identifying causes, probabilities and impacts
       – Implement cost effective risk mitigating actions
  57. Business Continuity Management (2)
       – Formulate Business Continuity Plan
       – Implement and test the BCP
       – Continually review and update the BCP
       – Failure of equipment in a particular zone
       – VERY IMPORTANT FOR THE E-GOV, ESPECIALLY IN PALESTINE
  58. Compliance – legal
     • Objectives: Ensure compliance with legislation
       – Identify applicable laws: data protection, privacy, monitoring use of resources, computer misuse
       – Rules for admissibility and completeness of evidence
       – Ensure copyright and software licences are adhered to (implement controls and spot checks)
       – Keep asset register, proofs of purchase, master discs
       – Organisational records must be kept securely for a minimum statutory time period
       – Consider media degradation and technology change
       – Complemented by the Legal Issues tutorial.
  59. Compliance – security policy
     • Objectives: Ensure compliance with security policy
       – Security of information systems should be regularly reviewed
       – Managers should ensure all procedures are carried out properly
  60. Summary
     • In this session we discussed the following:
       – The Palestinian e-gov architecture.
       – The security framework for the e-gov platforms.
       – The required skills for people involved in the e-gov activities.
       – Introduction to security and the CIA concept.
       – Detailed information about the security management and risk assessment standards included in the ISO 27002.
  61. Bibliography
     1. Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Published by Pearson/Prentice Hall, © 2008. ISBN: 0-13-600424-5.
     2. Lecture Notes by David Chadwick, 2011, TrueTrust Ltd.
     3. Cryptography and Network Security, by Behrouz A. Forouzan. McGraw-Hill, © 2008. ISBN: 978-007-126361-0.
     4. Center for Interdisciplinary Studies in Information Security (ISIS), http://scgwww.epfl.ch/courses
  62. Thanks
     Radwan Tahboub
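
The audit-log points on slide 54 (record user ID, location, date and time, attempted action and success/fail; protect the log against modification, deletion and forging), as an added Python example that is not part of the original slides. The HMAC chain, the `anchor` value saved away from the logged host, the demo key and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                   # chain start value
DEMO_KEY = b"constructed-demo-key"   # assumption: the real key is kept off the logged host

def entry_mac(key, prev_mac, record):
    """HMAC-SHA256 over the previous entry's MAC plus this record as canonical JSON."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, str(prev_mac).encode() + body, hashlib.sha256).hexdigest()

def append_entry(log, key, user_id, location, time_utc, action, success):
    """Append one audit record and return its MAC, the new chain head."""
    record = {"seq": len(log), "user_id": user_id, "location": location,
              "time": time_utc, "action": action, "success": success}
    prev_mac = log[-1]["mac"] if log else GENESIS
    log.append({"record": record, "mac": entry_mac(key, prev_mac, record)})
    return log[-1]["mac"]

def same(a, b):
    """Constant-time comparison that tolerates malformed stored values."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())

def verify_log(log, key, anchor=None):
    """Return a list of findings; an empty list means the log verifies.
    anchor is the chain head saved elsewhere; without it, removal of the
    newest entries goes unnoticed."""
    findings = []
    prev_mac, prev_seq = GENESIS, -1
    for pos, entry in enumerate(log):
        record = entry["record"]
        seq = record.get("seq")
        if seq != prev_seq + 1:
            findings.append(f"position {pos}: sequence gap before seq {seq}")
        if not same(entry_mac(key, prev_mac, record), entry["mac"]):
            findings.append(f"position {pos}: MAC mismatch")
        # Continue from the stored MAC so one altered record yields one finding.
        prev_mac = entry["mac"]
        prev_seq = seq if isinstance(seq, int) else prev_seq + 1
    if anchor is not None and not same(prev_mac, anchor):
        findings.append("chain head differs from anchor")
    return findings

def build_sample_log(key=DEMO_KEY):
    """Constructed sample records carrying the fields slide 54 lists."""
    rows = [
        ("u1001", "10.0.0.5", "2011-05-02T08:00:01Z", "log on", True),
        ("u1001", "10.0.0.5", "2011-05-02T08:03:10Z", "file accessed", True),
        ("u2002", "10.0.0.9", "2011-05-02T08:04:55Z", "log on", False),
        ("u1001", "10.0.0.5", "2011-05-02T08:30:00Z", "log off", True),
    ]
    log, anchor = [], GENESIS
    for row in rows:
        anchor = append_entry(log, key, *row)
    return log, anchor

if __name__ == "__main__":
    log, anchor = build_sample_log()
    print("intact:", verify_log(log, DEMO_KEY, anchor))
    log[2]["record"]["success"] = True     # failed log on rewritten as successful
    print("modified:", verify_log(log, DEMO_KEY, anchor))
    log, anchor = build_sample_log()
    del log[1]                             # one record removed from the middle
    print("deleted:", verify_log(log, DEMO_KEY, anchor))
```

The timestamps are only as trustworthy as the clock that wrote them, which is why the slide lists accurate clock times alongside log protection.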