information in security part 3 the action plan

8/3/2019 Information In Security Part 3 the Action Plan

1/44

E. GelbsteinA. Kamal Information InsecurityPart III: The Action Plan

Next slide: PgDn or ClickPrevious slide: PgUpTo quit the presentation: Esc

1 of 44

Information Insecurity

Part III: The Action Plan


2/44



2 of 44

Cyberspace as a frontierlandUncharted territory unclear boundaries

Legislation developing slowly

Unclear or undefined ownership

Many adventurers

NavigatorsExplorersTradersQuacksCrooksCriminals


3/44



3 of 44

Cartografia Pietragialla

Land of the Have-Nots

Population ~ 6 billion

Digital Divide

CYBERSPACE

World Wide Web

Terra

Incognita

Non-IP

Explorers

Navigators

Criminals and

Terrorists

Deep web


4/44



4 of 44

Survivors guideBetter charts to the cyberspace frontier are beingproduced. In the meantime

Best practices(keep it simple, do not reinvent the wheel)

Standards(formalized compatibilities and best practices)

Legislation(rules of what is not permitted)

Compliance(with each of the above)


5/44



5 of 44

Sources of Best Practices

Enthusiasts and volunteers

Professional associations

Government departments

Consultants and commercial providers

Happyhacker

ISSA, CASPR

UKs CCTA

GartnerGIGAIBMKPMGetc

Examples of some websites follow


6/44



6 of 44

www.happyhacker.org


7/44



7 of 44

www.issa.org


8/44



8 of 44

www.sans.org


9/44



9 of 44

www.itsmf.com


10/44



10 of 44

www.itil-itsm-world.com/security.htm


11/44



www.gigaweb.com


12/44



12 of 44


13/44



13 of 44


14/44



14 of 44

StandardsFormalized definitions that ensure compatibility

De-jure

From Organizations whosemandate is to define standards

De-facto

Usually from vendorsUseful and ubiquitous


15/44



15 of 44

De-jure standards(examples)

International Standards Organization (ISO)

ISO 17799 Code of Practice for the management of Information Security

International Telecommunications Union (ITU)

Recommendations X.273, Open systems network layer securityRecommendations X.509, Authentication framework

Internet Engineering Task Force (IETF)

TCP/IP, Html, POP, STMP, FTP, SSL and many other


16/44



16 of 44

Sources of de-facto standardsProfessional associations e.g. the IEEEInstitution of Electrical and Electronic Engineers

Vendor associations e.g. ECMAEuropean Computer Manufacturers Association

Vendors e.g Microsoft, Netscape, Adobe

Examples follow


17/44



17 of 44


18/44



18 of 44

European Computer Manufacturers Association


19/44



19 of 44

Institution of Electrical and Electronic Engineers


20/44



20 of 44


21/44



21 of 44

Legislation: a little historyEarly difficulties

Data and software are incorporeal object old laws aredesigned to deal with tangible objects

Legal regime of intangibles needs to cater for the ownerit also needs to cater for persons concerned by thecontent (privacy)

The property status of information was/is unclear

Issue 1: the law and the correctness and integrity of dataIssue 2: protecting data owners for exclusive use

Some of these remain unresolved in many countries


22/44



22 of 44

Legislation: a little history2

More early difficulties

Theft, larceny, embezzlement

Older definitions require the offender to take an item ofanother persons property

Fraud

Under some legislation, it requires deception of a person (doesNOT apply to a computer)


23/44



23 of 44

Scope of cyber-legislation(1)

Computer misuse

Data protection

Telecommunications interception

Software copyrights and patents

Search and seizure, criminal evidence

Contractual obligations for suppliers

National security and anti-terrorism


24/44



24 of 44


Human rights: right to privacy, right to access

Consumer protection

Censorship

Electronic contracts, taxation of e-commerce

Obscene publications

Protection of minors


25/44



25 of 44


Organized crime in cyberspace

On-line banking and money laundering

Gambling in cyberspace

Electronic signatures and certificats

Defamation and libel in cyberspace

National security and anti-terrorism

and much, much more


26/44



26 of 44

First issued in 1994Updated in 1997


27/44



27 of 44

Professor David Post and otherswww.cli.org


28/44



28 of 44

International LegislationOECD: 1983-1985 - Criminalization of computer abuse

Council of Europe (COE): 1985 - Work begins towards a

convention on cyber-crime

United Nations Congress on the Prevention of Crime

In November 2001, formal signature by 33 countries of theCOE Convention on Cybercrime


29/44



29 of 44

The COE Convention

Unauthorized computer intrusion, malicious code, the use

of computers to commit acts which are already a crime

Procedures to capture and retrieve on-line and otherinformation by issuing Retention Orders

Cooperation between signatory states to share e-evidence

Additional protocols are being developed

Three primary groups of provisions


30/44



30 of 44

Reactions to the Convention33 States (29 Council Members) plus Canada, Japan, SouthAfrica and the United States of America signed it.

It will enter into force once ratified by 5 States (planned mid 2003)

Misgivings

Possible conflicts with existing national legislation

Non-signatory States where cybercriminals may act with impunity

Inidividual rights to privacy vs. extended surveillance powersgranted to signatory countries

Possilibity of personal data being transferred outside Europe tocountries with less protective legislation

Issuance of warrants seeking evidence and extradition

Increased cost of e-business and place restrictions


31/44



31 of 44

Compliance and certificationGeneral ICT audits, with focus on security(COBIT guidelines)

Compliance audits against ISO 17799 or similar

Security certification services

The selected auditors must bedeeply trusted


32/44



32 of 44

www.isaca.org


33/44



33 of 44

Do-it-yourself kit for ISO 17799 compliance auditwww.securityauditor.net


34/44



34 of 44

www.giac.org


35/44



35 of 44

www.isc2.org


36/44



36 of 44

www.htcn.org


37/44



37 of 44

Other interested partiesand other civil liberties groups


38/44



38 of 44

www.cfenet.com


39/44



39 of 44

www1.ifccfbi.gov/index.asp


40/44



40 of 44

www.merchantfraudsquad.com


41/44



41 of 44

International Chamber of Commercewww.iccwbo.org


42/44



42 of 44

Beyond insecurity and crimeCyber-terrorism and Cyber-war call for

a new way of looking at our world

and for further action by the International Community


43/44



43 of 44

Moving forward

Recommendations for immediate action

purpose: help those not yet ready

Work to be donepurpose: avoid procrastination and develop

a Law of Cyberspace before it is too late


44/44



44 of 44

Recommendations1. Become aware of the Information Insecurity problem

2. Devise an information security strategy

3. Implement remedial procedures immediately4. Seek professional help without delay

5. Identify the gaps in your countrys legislation

6. Encourage the United Nations to embark urgently on

a Law of Cyberspace

information in security part 3 the action plan

Documents