Information Security and Privacy
A vision for inter-disciplinary research in Information Security
Andrew Martin (with Ashiyan Rahmani-Shirazi), Oxford University Computing Laboratory
ISPP seminar series, 17th January 2011
The information age needs information security
almost everything of value has a digital existence today
– whether it solely exists in the digital domain or merely casts a shadow, or something in between
– whether that value is in monetary terms or something less tradable, such as privacy
that fact is plainly not lost on those with criminal intent
– of course, it is the value which attracts them
– and some items with value may be subject to collateral damage
Whose problem is this?
technologists? cryptographers? lawyers? educators? economists? politicians? regulators? business leaders? the military? social scientists? psychologists?
Example 1 (credit: Paul England, Microsoft)
Most of our computer operating systems are designed around an administrator
this person is given all power; ‘full control’
we assume that
– the administrator is wise
– the administrator is good
– the administrator is knowledgeable
[image: http://www.boerner.net/jboerner/wp-content/uploads/2009/10/1955tradic.gif]
Example 1
One of these is today’s administrator
this person is given all power; ‘full control’
we assume that
– the administrator is wise
– the administrator is good
– the administrator is knowledgeable
Example 1
One or more of these is today’s administrator
this person is given all power; ‘full control’
we assume that
– the administrator is wise
– the administrator is good
– the administrator is knowledgeable
Example 1
These violated assumptions can be remedied in many ways
– make the unwise liable
– explicitly tie liability to control
– education, education, education
– reducing the extent of their ‘full control’
None is completely satisfactory
Example 2
Example 3
Example 4
Interdisciplinary perspectives on IT Security
With particular reference to perspectives on International Relations & Human Rights
Ashiyan Rahmani-Shirazi
DDOS on Human Rights NGOs
'Distributed Denial of Service (DDoS) is an increasingly common Internet phenomenon capable of silencing Internet speech, usually for a brief interval but occasionally for longer. In this paper, we explore the specific phenomenon of DDoS attacks on independent media and human rights organizations, seeking to understand the nature and frequency of these attacks, their efficacy, and the responses available to sites under attack. Our report offers advice to independent media and human rights sites likely to be targeted by DDoS but comes to the uncomfortable conclusion that there is no easy solution to these attacks for many of these sites, particularly for attacks that exhaust network bandwidth.'
Berkman Center for Internet & Society report, "Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites" by Ethan Zuckerman et al., December 20th 2010.
IT Security & IR - sample attack
SQL injection attack carried out on the UN website homepage in August 2007
Social Media & Political Change
Twitter and Iran (Washington Post)
– The US State Department asked Twitter to delay scheduled maintenance in June to avoid disrupting communications among tech-savvy Iranian citizens
– Cyberactivism can also be harmful: many calls for Twitter users to participate in cyber-attacks on pro-government Web sites in Iran.
China, Power & the Net.
China and Google (www.arstechnica.com)
Facebook and Twitter are blocked for their ability to organize groups with anti-government intentions
Leading Chinese video sites Youku.com and Tudou.com actively monitor submissions and delete those that they consider inappropriate or in violation of Chinese law.
Chinese government attack on pro-Tibetan NGOs
Attack on NGO critical of Chinese policy in Darfur
Five DDOS attacks on Chinese human rights activist websites in January 2010
Threat Analysis
Insider attacks - including recent Wikileaks attacks on US Government.
Organisational Facebook policy/Twitter policy?
'Enemy' governmental attacks, e.g. intrusion into human rights NGOs by human-rights-abusing states.
'Home' governmental attacks, e.g. US government monitoring.
Internal threats. Competing organisations. Hackers/profiteering/wackos.
Some existing IT security multidisciplinary research & NGOs
Electronic Frontier Foundation - www.eff.org
Tactical Technology Collective - www.tacticaltech.org
Frontline - www.frontlinedefenders.org
Harvard Berkman Centre - cyber.law.harvard.edu
MSc Thesis - 'A study of and best practices for IT security for the Baha'i International Community - United Nations Office'
Abstract
For many small organizations operating in a sensitive political, religious, or social context, information security is a critical concern. This dissertation reports upon a study of the current IT security framework of the offices of a non-governmental organization (NGO): the Baha'i International Community United Nations Office (BICUNO), based in New York and Geneva. The study makes use of questionnaires and interviews to determine the current practices and requirements of staff (IT and general), in terms of security related activities. An analysis of current practices, looking at strengths and weaknesses, is performed in the context of the current literature, including the ISO 27002 standard, on security practices. A number of recommendations are presented, in the form of "best security practices", for adoption in this and similar settings.
Thank You!
Ashiyan Rahmani-Shirazi MA, Kellogg College, Oxford
MSc (candidate) - Software Engineering
email: [email protected]
+ Wheat Atlas Intern, www.cimmyt.org
Business Development Manager (p/t), www.ascertica.com
The Story so Far
Issues in security (a.k.a. risk management) give rise to questions in
– cryptography, networking, systems engineering
– law, ethics, criminology, psychology, education
– business, management, economics, politics
All but the simplest questions cross boundaries among these
– Security economics is a well-established discipline
– Likewise usability in security, perhaps to a lesser extent, with work on psychological acceptability etc.
– Technologists sometimes talk to regulators; Trusted Computing is a good example
– Others study ICT policy in its own right
– ...
Security Ecosystem (representative examples; trademarks belong to their respective owners)
ISO27000
So
we have a multi-billion dollar security industry
– much of it geared towards yesterday’s threats
points of contact with academic research are numerous, but patchy
robust methodologies for tough questions are missing
“should staff be allowed to connect smartphones and tablets to my infrastructure?”
“should staff be allowed to store corporate data on their own smartphones and tablets?”
CSI Computer Crime and Security Survey, 2008
Disruptive Technology
smart metering
personalized medicine
electronic healthcare records
e-Government
social networking
smartphones and tablets
IPTV ‘connected home’
internet of things
multi-purpose sensor networks
road pricing
everything-as-a-service
Large scale; heterogeneous
Inherent complexity
Mostly rather unlike the ‘personal computer’ we have known until now
Immense value to society
Big investment by individuals
Unexpectedly becoming ‘critical infrastructure’
Almost total de-materialization of the ‘boundary’
Many interested parties; many administrators
Role of the University
joined-up thinking
– without an axe to grind, maybe
questions everyone wants answered
trusted third party
skill sets related to those found in business/government
– together with those that are not!
testbed – large, complex, dynamic network with great experimental subjects :)
technologists? cryptographers? lawyers? educators? economists? politicians? regulators? business leaders? the military? social scientists? psychologists?
Vision for an institute
permanent centre to study these ideas
needs lasting links to existing disciplines
where do CIOs go to school?
– where do they get their CPD?
where are the stimulating sources of ideas?
where do they go for non-partisan advice?
Menu of activities
Master’s in business and information security
‘Pure’ academic research at this nexus
Boundary-crossing research, and applied research (DTC, EngD)
Contract research
Open-ended research
Public understanding
Leadership
professional secondments
strengthening the University’s own security
Conclusion
1. the challenge of information security will continue to grow as our digital economy grows
2. no single discipline can meet that challenge alone
3. a university – in general, and this one in particular – is well-placed to make the right connections
COMPUTING LABORATORY
SOFTWARE ENGINEERING PROGRAMME / SOFTWARE AND SYSTEMS SECURITY
Andrew Martin, MA, DPhil, MBCS, CEng, CITP
Deputy Director, Software Engineering Programme
Wolfson Building, Parks Road, Oxford OX1 3QD, UK. +44 (0) 1865 283605
[email protected]/andrew.martin