1. +
Results of IT Security Analysis
Prepared by: Zohra Zekeria
Lecturer at Kabul Polytechnic University
2. +
Agenda
■ Introduction
■ New Challenges for the Country
■ Our Goal
■ Analysis of the current IT security situation in Afghanistan
• Security Checklists
• IT security situation in Ministry of Energy and Water
• Implementation of Basic Security Safeguards in Ministries
■ Results
■ Outlook
2017-12-18
2
3. +
Introduction
■ Afghanistan has already traveled a considerable distance in
the past 15 years.
■ A wide variety of work processes are being handled using IT
services:
• Ministries
• Institutions
• Banks
• Mobile communication
• Public authorities
• Identification cards (Tazkira)
• Medical facilities
• Election
4. +
New Challenges for the Country
■ Effective and secure operation of all these technologies and
services greatly depends on:
• Effective management system
• Reliable IT infrastructures
• Secure IT systems
• Smoothly operating
• Qualified IT personnel
■ Confidential information and data of the institutions today are
exposed to a multitude of threats:
• Targeted attacks
• Malware (Spam, phishing, ..)
• System failures
• Technical malfunctions
• Human errors
• Etc.
5. +
Our Goal
■ National IT Security Strategy Plan
■ A solid management structure (Office)
■ Mitigating risks for IT and cyberspace in Afghanistan
■ Protecting governmental and institutional networks
■ Maintaining a trustworthy operation of the IT supply of the country,
the government and the institutions
6. +
Analysis of the current IT security situation in Afghanistan
■ Before the IT security team started planning the National IT
Security Strategy Plan, an IT security check was performed at
certain institutions:
• Ministry of Energy and Water
• Ministry of Women Affairs
• Ministry of Counter Narcotics
10. +
Common Aspects
■ There is no IT security policy, documentation or rules available.
■ There are no rules for hardware and software management in the
organizations, and no guidelines exist for access control.
■ No security objectives for the use of standard software exist.
■ No authentication mechanisms were found.
■ IT security awareness and training do not exist.
■ No policy for backup, removal or restore exists.
11. +
Infrastructure
■ Unreliable and unstable power (UPS).
■ The buildings and the IT rooms overall are neither standard nor reliable.
■ The buildings comply with none of the IT security norms.
■ Their IT systems are not safe against fire, overheating, water
damage, surges, and power outages.
■ The electrical installation is not regularly inspected.
■ The ministry lacks stable and reliable Internet connectivity.
■ A physical network topology does exist, which contains regulations
for identifying the locations of the network subscribers.
12. +
IT Systems
■ The server and client systems use Microsoft Windows products
without valid licenses.
■ No security configurations are set on the routers and switches.
■ There is a Cyberoam firewall configured to control the usage of
the Internet.
■ The printers, copiers, and scanners are accessible to all
employees, and there is no security mechanism to protect them.
■ The ministry has no security policies or guidelines for using the IT
systems.
13. +
Network
■ There are isolated networks in different departments, over which the
IT department has no control.
■ A firewall is in place to restrict access to the network. Different
rules are applied to the firewall.
■ Access to the WLAN is restricted through MAC filtering.
■ The network does not have any Active Directory.
■ There is some unwritten pseudo-local policy, but there is no
government-enforced policy to follow.
14. +
Application Security
■ Their websites (web applications) are hosted outside of the
organization.
■ Their security depends on the service provider and on employee
trust.
■ They regularly back up the database to an external
hard drive.
■ They have no documented security policy or guidelines for
web applications, data/information and databases that have been
accepted by top management.
15. +
Application Development Security
■ Some organizations in this ministry follow standard coding practice with
MVC frameworks like Laravel, while others develop their systems
in flat PHP without any special framework or tools.
■ The security of the systems developed with frameworks is higher than
that of the applications developed in flat PHP.
■ Access to files and data is controlled using Laravel
components.
■ There is no defined policy for cryptography practices, but the
developers do use them.
■ All data is stored without distinguishing between sensitive and
non-sensitive data.
20. +
Results
■ The IT security situation throughout Afghanistan is insufficient and
inadequate, mainly due to the following aspects:
• Insufficient organizational structures
• Lack of qualified IT personnel
• Absence of solid IT infrastructures
• Vulnerabilities in IT systems (hardware and software)
• Communication and networks
• Emergency planning
• Nation-wide IT security policy
21. +
Outlook
■ Creation of an effective IT security management system
■ Development of a National IT Security Strategy Plan for
Afghanistan is necessary for the establishment and maintenance of
an appropriate IT security level.
■ The goals of the National IT Security Strategy Plan can be reached
with the establishment of an authority for security in Information
Technology in Afghanistan.