SlideShare a Scribd company logo

Results of IT Security Analysis

Z
zohraz

IT Security Analysis Results

Technology
1 of 23
Download to read offline
+ Results of IT Security Analysis Prepared by: Zohra Zekeria Lecturer at Kabul Polytechnic University
+ Agenda ■ Introduction ■ New Challenges for the Country ■ Our Goal ■ Analysis of the current IT security situation in Afghanistan • Security Checklists • IT security situation in Ministry of Energy and Water • Implementation of Basic Security Safeguards in Ministries ■ Results ■ Outlook 2017-12-18 2
+ Introduction ■ Afghanistan has already traveled a considerable distance in the past 15 years. ■ Wide variety of work process are being handled using IT services: 2017-12-18 3 Ministries Institutions Banks Mobile communication public authorities Identification cards (Tazkira) medical facilities Election
+ New Challenges for the Country ■ Effective and secure operation of all these technologies and services greatly depends on: ■ Confidential information and data of the institutions today are exposed to a multitude of threats. 2017-12-18 4 • Effective management system • Reliable IT infrastructures • Secure IT systems • Smoothly operating • Qualified IT personnel • Targeted attacks • Malware (Spam, phishing, ..) • System failures • Technical malfunctions • Human errors • Etc
+ Our Goal ■ National IT Security Strategy Plan ■ A solid management structure (Office) ■ Mitigating risks for IT and cyberspace in Afghanistan ■ Protecting governmental and institutional networks ■ Maintaining a trustworthy operation of the IT supply of the country, the government and the institutions 2017-12-18 5
+ Analysis of the current IT security situation in Afghanistan ■ Before the IT security team starts planning the National IT Security Strategy Plan, an IT security check has been performed at certain institutions. 2017-12-18 6 Ministry of Energy and Water Ministry of Women Affairs Ministry of Counter Narcotics
+ Security Checklists 2017-12-19 7 Common Aspects Application Development Security
+ 2017-12-18 8 • Change management • Hardwareand software management • Handling security incidents • Authentication mechanisms • Protection against malware • Crypto-concept • Data protection Common aspects • Data backup policy • Personnel • Organization • Policy for information security
+ 2017-12-18 9 IT security situation in Ministry of Energy and Water
+ Common Aspects ■ There is no IT security policy, documentation or rules available. ■ There areno rules for Hardwareand software management in the organizations as well as no guidelines exists for access control. ■ No security objectives for the use of standard software exists. ■ No authentication mechanisms found. ■ IT security awareness and training doesn’t exist. ■ No policy for backup, removal or restore exists 2017-12-18 10
+ Infrastructure ■ Unreliable and stable power (UPS). ■ The buildings and overall IT rooms are not standard and reliable ■ None of the norms of IT security comply with the buildings. ■ Their IT systems are not safe against fire, overheating, water damages, surge, and power outage. ■ The electrical installation is not regularly inspected. ■ The ministry lacks stable and reliable Internet connectivity . ■ The physical network topology does exist which contain regulations for identifying the locations of the network subscribers. 2017-12-18 11
+ IT Systems ■ The server and client systems use the Microsoft Windows products with no valid licenses ■ No security configurations are set to the routers and switches ■ There is a Cyberoam firewall configured to control the usage of Internet. ■ The printers, copiers, and scanners areaccessible to all the employees and there is no security mechanism to protect them. ■ The ministry has no security policies or guidelines for using the IT systems 2017-12-18 12
+ Network ■ There is isolated network in different departments, which the IT department does not have control on them. ■ The firewall is in place to restrict the access to the network. Different rules are applied to the firewall. ■ The access to WLAN are restricted through MAC filtering ■ The network does not have any active directory.. ■ There is some unwritten pseudo-local policy but there is not any enforced policy by government to follow 2017-12-18 13
+ Application Security ■ Their websites (web applications) are hosted outside of the organization. ■ Their security depends on service provider and employees trust ■ They take back up of the database regularly in an external hard drive ■ They don’t have any security policy and guidelines regarding web application, data/information and databases that accepted by top management in documented form. 2017-12-18 14
+ Application Development Security ■ Some organizations in this ministry use standard coding using MVC frameworks like Laravel and some of them develop their systems using flat PHP without using any special framework or tools ■ Security of the systems developed via frameworks is higher than the other applications developed using normal PHP. ■ Controlling access to the files and data is done using Laravel components. ■ For cryptography practices there is no any defined policy, but they are used by the developers. ■ All the data stored without distinguishing between the sensitive and non-sensitive data 2017-12-18 15
+ Implementation of Basic Security Safeguards in Ministries
+ 2017-12-19 17 3 0 6 15 39 104 72 0 10 33 12 12 21 153 79 119 49 12 INFRASTRUCTURE COMMON ASPECTS IT SYSTEMS NETWORK APPLICATION SECURITY APPLICATION DEVELOPMENT SECURITY MoEW Survey Result Yes No Not Applicable
+ 2017-12-19 18 11 7 10 20 17 70 85 32 19 54 9 80 114 66 93 74 50 INFRASTRUCTURE COMMON ASPECTS IT SYSTEMS NETWORK APPLICATION APPLICATION DEVELOPMENT MoCN Survey Result Yes No Not Applicable
+ 2017-12-19 19 26 4 19 15 7 13 53 49 49 32 44 46 17 100 27 120 49 69 INFRASTRUCTURE COMMON ASPECTS IT SYSTEMS NETWORK APPLICATION APPLICATION DEVELOPMENT MoWA Survey Result Yes No Not Applicable
+ Results ■ IT security situation throughout Afghanistan is insufficient and inadequate, mainly due to the following aspects: ■ Insufficient organizational structures ■ Lack of qualified IT personnel ■ Absence of solid IT infrastructures ■ Vulnerabilities in IT systems (hardware and software) ■ Communication and networks ■ Emergency planning ■ Nation-wide IT security policy 2017-12-18 20
+ Outlook 2017-12-18 21 ■ Creation of an effective IT security management system ■ Development of a National IT Security Strategy Plan for Afghanistan is necessary for the establishment and maintenance of an appropriate IT security level. ■ The goals of the National IT security Strategy plan can be reached with the establishment of an authority for security in Information Technology in Afghanistan
+ Thank You 2017-12-18 22
+ References [1]. IT Security Team, ITCC Afghanistan, IT Security Strategic Plan for Afghanistan,Setting up an Authority for Security in Information Technology. Sep/30/2017. [2]. IT Security Team, ITCC Afghanistan, Ministry of Energy and Water Survey Report. July/30/2017. 2017-12-18 23

Recommended

Cybersecurity for Real Estate & Construction
Cybersecurity for Real Estate & ConstructionCybersecurity for Real Estate & Construction
Cybersecurity for Real Estate & Construction
Aronson LLC
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
Zefren Edior
 
Maloney Slides
Maloney SlidesMaloney Slides
Maloney Slides
ecommerce
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
MLG College of Learning, Inc
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information Policy
MLG College of Learning, Inc
 
Khas bank isms 3 s
Khas bank isms 3 sKhas bank isms 3 s
Khas bank isms 3 s
Khaltar Togtuun
 
How to Comply with NIST 800-171
How to Comply with NIST 800-171How to Comply with NIST 800-171
How to Comply with NIST 800-171
Corserva
 
Lesson 4
Lesson 4Lesson 4
Lesson 4
MLG College of Learning, Inc
 

Recommended

Cybersecurity for Real Estate & Construction
Cybersecurity for Real Estate & ConstructionCybersecurity for Real Estate & Construction
Cybersecurity for Real Estate & Construction
Aronson LLC
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
Zefren Edior
 
Maloney Slides
Maloney SlidesMaloney Slides
Maloney Slides
ecommerce
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
MLG College of Learning, Inc
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information Policy
MLG College of Learning, Inc
 
Khas bank isms 3 s
Khas bank isms 3 sKhas bank isms 3 s
Khas bank isms 3 s
Khaltar Togtuun
 
How to Comply with NIST 800-171
How to Comply with NIST 800-171How to Comply with NIST 800-171
How to Comply with NIST 800-171
Corserva
 
Lesson 4
Lesson 4Lesson 4
Lesson 4
MLG College of Learning, Inc
 
Full Cybersecurity Regulations Overview for DoD Prime and Subcontractors
Full Cybersecurity Regulations Overview for DoD Prime and SubcontractorsFull Cybersecurity Regulations Overview for DoD Prime and Subcontractors
Full Cybersecurity Regulations Overview for DoD Prime and Subcontractors
Ignyte Assurance Platform
 
Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4
MLG College of Learning, Inc
 
KSC_FIPS_FISMA101
KSC_FIPS_FISMA101KSC_FIPS_FISMA101
KSC_FIPS_FISMA101
Kenneth Silsbee, MS
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
MLG College of Learning, Inc
 
Security Analysis Findings and Recommendations for the Department of Veterans...
Security Analysis Findings and Recommendations for the Department of Veterans...Security Analysis Findings and Recommendations for the Department of Veterans...
Security Analysis Findings and Recommendations for the Department of Veterans...
David Bustin
 
Rothke rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryptionRothke rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryption
Ben Rothke
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
MLG College of Learning, Inc
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_banglore
IPPAI
 
S nandakumar
S nandakumarS nandakumar
S nandakumar
IPPAI
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset Valuation
MLG College of Learning, Inc
 
Cyber Security Strategies and Approaches
Cyber Security Strategies and ApproachesCyber Security Strategies and Approaches
Cyber Security Strategies and Approaches
vngundi
 
E5 rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryptionE5 rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryption
Ben Rothke
 
Information Security : Is it an Art or a Science
Information Security : Is it an Art or a ScienceInformation Security : Is it an Art or a Science
Information Security : Is it an Art or a Science
Pankaj Rane
 
General Data Protection Regulation and Compliance - GDPR: Sharique M Rizvi
General Data Protection Regulation and Compliance - GDPR: Sharique M RizviGeneral Data Protection Regulation and Compliance - GDPR: Sharique M Rizvi
General Data Protection Regulation and Compliance - GDPR: Sharique M Rizvi
Sharique Rizvi
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to compliance
IT Governance Ltd
 
Lesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSLesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPS
MLG College of Learning, Inc
 
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric VanderburgInformation Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Eric Vanderburg
 
102 Information security standards and specifications
102 Information security standards and specifications102 Information security standards and specifications
102 Information security standards and specifications
SsendiSamuel
 
Lesson 1 - Introduction
Lesson 1 - Introduction Lesson 1 - Introduction
Lesson 1 - Introduction
MLG College of Learning, Inc
 
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in EuropeIndustrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
Positive Hack Days
 
NACFAM-CFAM-20170907-v5.pptx
NACFAM-CFAM-20170907-v5.pptxNACFAM-CFAM-20170907-v5.pptx
NACFAM-CFAM-20170907-v5.pptx
A2KAROGANHD
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber security
IT Governance Ltd
 

More Related Content

What's hot

Full Cybersecurity Regulations Overview for DoD Prime and Subcontractors
Full Cybersecurity Regulations Overview for DoD Prime and SubcontractorsFull Cybersecurity Regulations Overview for DoD Prime and Subcontractors
Full Cybersecurity Regulations Overview for DoD Prime and Subcontractors
Ignyte Assurance Platform
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_banglore
IPPAI
 
S nandakumar
S nandakumarS nandakumar
S nandakumar
IPPAI
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to compliance
IT Governance Ltd
 
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in EuropeIndustrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
Positive Hack Days
 

What's hot (20)

Full Cybersecurity Regulations Overview for DoD Prime and Subcontractors
Full Cybersecurity Regulations Overview for DoD Prime and SubcontractorsFull Cybersecurity Regulations Overview for DoD Prime and Subcontractors
Full Cybersecurity Regulations Overview for DoD Prime and Subcontractors
 
Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4
 
KSC_FIPS_FISMA101
KSC_FIPS_FISMA101KSC_FIPS_FISMA101
KSC_FIPS_FISMA101
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
 
Security Analysis Findings and Recommendations for the Department of Veterans...
Security Analysis Findings and Recommendations for the Department of Veterans...Security Analysis Findings and Recommendations for the Department of Veterans...
Security Analysis Findings and Recommendations for the Department of Veterans...
 
Rothke rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryptionRothke rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryption
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
S nandakumar_banglore
S nandakumar_bangloreS nandakumar_banglore
S nandakumar_banglore
 
S nandakumar
S nandakumarS nandakumar
S nandakumar
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset Valuation
 
Cyber Security Strategies and Approaches
Cyber Security Strategies and ApproachesCyber Security Strategies and Approaches
Cyber Security Strategies and Approaches
 
E5 rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryptionE5 rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryption
 
Information Security : Is it an Art or a Science
Information Security : Is it an Art or a ScienceInformation Security : Is it an Art or a Science
Information Security : Is it an Art or a Science
 
General Data Protection Regulation and Compliance - GDPR: Sharique M Rizvi
General Data Protection Regulation and Compliance - GDPR: Sharique M RizviGeneral Data Protection Regulation and Compliance - GDPR: Sharique M Rizvi
General Data Protection Regulation and Compliance - GDPR: Sharique M Rizvi
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to compliance
 
Lesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSLesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPS
 
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric VanderburgInformation Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
 
102 Information security standards and specifications
102 Information security standards and specifications102 Information security standards and specifications
102 Information security standards and specifications
 
Lesson 1 - Introduction
Lesson 1 - Introduction Lesson 1 - Introduction
Lesson 1 - Introduction
 
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in EuropeIndustrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
 

Similar to Results of IT Security Analysis

Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...
Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...
Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...
SolarWinds
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...
IT Governance Ltd
 
Découvrez comment mettre en place un programme de protection des données effi...
Découvrez comment mettre en place un programme de protection des données effi...Découvrez comment mettre en place un programme de protection des données effi...
Découvrez comment mettre en place un programme de protection des données effi...
Benoît H. Dicaire
 
Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...
Malaysia University of Science and Technology (MUST)
 
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
PECB
 

Similar to Results of IT Security Analysis (20)

NACFAM-CFAM-20170907-v5.pptx
NACFAM-CFAM-20170907-v5.pptxNACFAM-CFAM-20170907-v5.pptx
NACFAM-CFAM-20170907-v5.pptx
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber security
 
Office 365 Security: How to Safeguard Your Data
Office 365 Security: How to Safeguard Your DataOffice 365 Security: How to Safeguard Your Data
Office 365 Security: How to Safeguard Your Data
 
Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...
Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...
Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...
 
ISMS implementation challenges-KASYS
ISMS implementation challenges-KASYSISMS implementation challenges-KASYS
ISMS implementation challenges-KASYS
 
Securing Your Digital Transformation: Cybersecurity and You
Securing Your Digital Transformation: Cybersecurity and YouSecuring Your Digital Transformation: Cybersecurity and You
Securing Your Digital Transformation: Cybersecurity and You
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...
 
2016 FS-ISAC Annual Summit (Miami) - Developing Effective Encryption Strategies
2016 FS-ISAC Annual Summit (Miami) - Developing Effective Encryption Strategies2016 FS-ISAC Annual Summit (Miami) - Developing Effective Encryption Strategies
2016 FS-ISAC Annual Summit (Miami) - Developing Effective Encryption Strategies
 
Bitglass Webinar - A Primer on CASBs and Cloud Security
Bitglass Webinar - A Primer on CASBs and Cloud SecurityBitglass Webinar - A Primer on CASBs and Cloud Security
Bitglass Webinar - A Primer on CASBs and Cloud Security
 
NetSecOps: Everything Network Managers Must Know About Collaborating with Sec...
NetSecOps: Everything Network Managers Must Know About Collaborating with Sec...NetSecOps: Everything Network Managers Must Know About Collaborating with Sec...
NetSecOps: Everything Network Managers Must Know About Collaborating with Sec...
 
Indian perspective of cyber security
Indian perspective of cyber securityIndian perspective of cyber security
Indian perspective of cyber security
 
Securing and Modernizing Technology in the Commonwealth: Better Together
Securing and Modernizing Technology in the Commonwealth: Better TogetherSecuring and Modernizing Technology in the Commonwealth: Better Together
Securing and Modernizing Technology in the Commonwealth: Better Together
 
Découvrez comment mettre en place un programme de protection des données effi...
Découvrez comment mettre en place un programme de protection des données effi...Découvrez comment mettre en place un programme de protection des données effi...
Découvrez comment mettre en place un programme de protection des données effi...
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and Controls
 
Isaca atlanta ulf mattsson - do you have a roadmap for eu gdpr
Isaca atlanta ulf mattsson - do you have a roadmap for eu gdprIsaca atlanta ulf mattsson - do you have a roadmap for eu gdpr
Isaca atlanta ulf mattsson - do you have a roadmap for eu gdpr
 
Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...
 
Webinar - Bitglass and CyberEdge - Hidden Security Threats
Webinar - Bitglass and CyberEdge - Hidden Security ThreatsWebinar - Bitglass and CyberEdge - Hidden Security Threats
Webinar - Bitglass and CyberEdge - Hidden Security Threats
 
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
 
AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 

Results of IT Security Analysis

  • 1. + Results of IT Security Analysis Prepared by: Zohra Zekeria Lecturer at Kabul Polytechnic University
  • 2. + Agenda ■ Introduction ■ New Challenges for the Country ■ Our Goal ■ Analysis of the current IT security situation in Afghanistan • Security Checklists • IT security situation in Ministry of Energy and Water • Implementation of Basic Security Safeguards in Ministries ■ Results ■ Outlook 2017-12-18 2
  • 3. + Introduction ■ Afghanistan has already traveled a considerable distance in the past 15 years. ■ Wide variety of work process are being handled using IT services: 2017-12-18 3 Ministries Institutions Banks Mobile communication public authorities Identification cards (Tazkira) medical facilities Election
  • 4. + New Challenges for the Country ■ Effective and secure operation of all these technologies and services greatly depends on: ■ Confidential information and data of the institutions today are exposed to a multitude of threats. 2017-12-18 4 • Effective management system • Reliable IT infrastructures • Secure IT systems • Smoothly operating • Qualified IT personnel • Targeted attacks • Malware (Spam, phishing, ..) • System failures • Technical malfunctions • Human errors • Etc
  • 5. + Our Goal ■ National IT Security Strategy Plan ■ A solid management structure (Office) ■ Mitigating risks for IT and cyberspace in Afghanistan ■ Protecting governmental and institutional networks ■ Maintaining a trustworthy operation of the IT supply of the country, the government and the institutions 2017-12-18 5
  • 6. + Analysis of the current IT security situation in Afghanistan ■ Before the IT security team starts planning the National IT Security Strategy Plan, an IT security check has been performed at certain institutions. 2017-12-18 6 Ministry of Energy and Water Ministry of Women Affairs Ministry of Counter Narcotics
  • 8. + 2017-12-18 8 • Change management • Hardwareand software management • Handling security incidents • Authentication mechanisms • Protection against malware • Crypto-concept • Data protection Common aspects • Data backup policy • Personnel • Organization • Policy for information security
  • 10. + Common Aspects ■ There is no IT security policy, documentation or rules available. ■ There areno rules for Hardwareand software management in the organizations as well as no guidelines exists for access control. ■ No security objectives for the use of standard software exists. ■ No authentication mechanisms found. ■ IT security awareness and training doesn’t exist. ■ No policy for backup, removal or restore exists 2017-12-18 10
  • 11. + Infrastructure ■ Unreliable and stable power (UPS). ■ The buildings and overall IT rooms are not standard and reliable ■ None of the norms of IT security comply with the buildings. ■ Their IT systems are not safe against fire, overheating, water damages, surge, and power outage. ■ The electrical installation is not regularly inspected. ■ The ministry lacks stable and reliable Internet connectivity . ■ The physical network topology does exist which contain regulations for identifying the locations of the network subscribers. 2017-12-18 11
  • 12. + IT Systems ■ The server and client systems use the Microsoft Windows products with no valid licenses ■ No security configurations are set to the routers and switches ■ There is a Cyberoam firewall configured to control the usage of Internet. ■ The printers, copiers, and scanners areaccessible to all the employees and there is no security mechanism to protect them. ■ The ministry has no security policies or guidelines for using the IT systems 2017-12-18 12
  • 13. + Network ■ There is isolated network in different departments, which the IT department does not have control on them. ■ The firewall is in place to restrict the access to the network. Different rules are applied to the firewall. ■ The access to WLAN are restricted through MAC filtering ■ The network does not have any active directory.. ■ There is some unwritten pseudo-local policy but there is not any enforced policy by government to follow 2017-12-18 13
  • 14. + Application Security ■ Their websites (web applications) are hosted outside of the organization. ■ Their security depends on service provider and employees trust ■ They take back up of the database regularly in an external hard drive ■ They don’t have any security policy and guidelines regarding web application, data/information and databases that accepted by top management in documented form. 2017-12-18 14
  • 15. + Application Development Security ■ Some organizations in this ministry use standard coding using MVC frameworks like Laravel and some of them develop their systems using flat PHP without using any special framework or tools ■ Security of the systems developed via frameworks is higher than the other applications developed using normal PHP. ■ Controlling access to the files and data is done using Laravel components. ■ For cryptography practices there is no any defined policy, but they are used by the developers. ■ All the data stored without distinguishing between the sensitive and non-sensitive data 2017-12-18 15
  • 16. + Implementation of Basic Security Safeguards in Ministries
  • 17. + 2017-12-19 17 3 0 6 15 39 104 72 0 10 33 12 12 21 153 79 119 49 12 INFRASTRUCTURE COMMON ASPECTS IT SYSTEMS NETWORK APPLICATION SECURITY APPLICATION DEVELOPMENT SECURITY MoEW Survey Result Yes No Not Applicable
  • 18. + 2017-12-19 18 11 7 10 20 17 70 85 32 19 54 9 80 114 66 93 74 50 INFRASTRUCTURE COMMON ASPECTS IT SYSTEMS NETWORK APPLICATION APPLICATION DEVELOPMENT MoCN Survey Result Yes No Not Applicable
  • 19. + 2017-12-19 19 26 4 19 15 7 13 53 49 49 32 44 46 17 100 27 120 49 69 INFRASTRUCTURE COMMON ASPECTS IT SYSTEMS NETWORK APPLICATION APPLICATION DEVELOPMENT MoWA Survey Result Yes No Not Applicable
  • 20. + Results ■ IT security situation throughout Afghanistan is insufficient and inadequate, mainly due to the following aspects: ■ Insufficient organizational structures ■ Lack of qualified IT personnel ■ Absence of solid IT infrastructures ■ Vulnerabilities in IT systems (hardware and software) ■ Communication and networks ■ Emergency planning ■ Nation-wide IT security policy 2017-12-18 20
  • 21. + Outlook 2017-12-18 21 ■ Creation of an effective IT security management system ■ Development of a National IT Security Strategy Plan for Afghanistan is necessary for the establishment and maintenance of an appropriate IT security level. ■ The goals of the National IT security Strategy plan can be reached with the establishment of an authority for security in Information Technology in Afghanistan
  • 23. + References [1]. IT Security Team, ITCC Afghanistan, IT Security Strategic Plan for Afghanistan,Setting up an Authority for Security in Information Technology. Sep/30/2017. [2]. IT Security Team, ITCC Afghanistan, Ministry of Energy and Water Survey Report. July/30/2017. 2017-12-18 23