Information Security Group, DSD & E-Security: DSD and E-Security, Tim Burmeister, Information...


Upload: katrina-terry

Post on 25-Dec-2015


Page 1: DSD and E-Security

Information Security Group, DSD & E-Security

Tim Burmeister

Information Security Policy

Defence Signals Directorate

Tim.Burmeister@dsd.gov.au

Page 2: E-security in Government Today

• Risk Management

• Greater prevalence of mixed environments

• Service delivery vs. secure operating environments

Page 3: The Future …

Page 4: The Information Security Business

• DSD has been doing it for over 50 years

• But we no longer have a monopoly

• Government used to provide its own solutions

• Now everyone seems to be in on the act

Page 5: Costs

• Melissa: $80 million damage

• I Love You: $10 billion damage

• Software piracy: $7.5 billion

Page 6: Diverse Sources of ‘Attack’

• Chernobyl: June 1998, Taiwan

• Melissa: March 1999, US

• I Love You: May 2000, The Philippines

• Kournikova: Feb 2001, The Netherlands

Page 7: Infrastructure Attacks

• 1996 - 911 Services, Florida

• 1997 - regional airport disruption, US

• 1999 - threat to power supplies, Belgium

Page 8: Computer Hacker Caused Sewage Overflows, Police Say

An alleged computer hacker caused raw sewage to overflow on Queensland's Sunshine Coast by using radio transmissions to alter council sewage pump stations, police said today. The charges include stealing, computer hacking and using radio communications equipment without authority. Police will allege the man caused the overflows of sewage into Maroochy Shire waterways late last year and early this year using radio transmissions to alter council sewage pump stations.

(Australian Associated Press, 23/5/2000)

Page 9: More Coordinated Attacks

The so-called Israeli/Palestinian Cyberwar

Page 10: Infrastructure Attacks

But what don’t we know about?

Page 11: ‘We’re in Trouble…’

[Chart: Compromised Australian Government Computers. Y-axis: Number of Compromises (0 to 35); x-axis: Quarter, Jan 99 - Mar 99 through Jan 01 - Mar 01; series: Fed Govt, State Govt, Total.]

Sources: attrition, alldas

Page 12: ‘Or maybe not…’

[Chart: Compromised Australian Government Computers. Y-axis: Number of Compromises (0 to 35); x-axis: Quarter, Jan 99 - Mar 99 through Apr 01 - Jun 01; series: Fed Govt, State Govt, Total.]

Sources: attrition, alldas

Page 13: DSD’s Functions

From the 1986 government directive:

— Provide material, advice and assistance to Commonwealth Government Departments and authorities and the Defence Force on matters relevant to the security and integrity of official information, and or loss or compromise of which could adversely affect National Security; and

— Provide advice on request to Commonwealth Government Departments and authorities in relation to other sensitive official information unrelated to National Security.

Page 14: Functions of DSD

7 …

(c) to provide material, advice and other assistance to Commonwealth and State authorities on matters relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means; and

(d) to provide assistance to Commonwealth and State authorities in relation to cryptography and communications technologies.

Intelligence Services Bill, 2001

Page 15: DSD and E-Security

• The Australasian Information Security Evaluation Program (AISEP)

• Advice and Assistance

• Computer Network Vulnerability Team

• Protection of the National Information Infrastructure

Page 16: AISEP Evaluation

• Evaluation is the thorough examination of a product’s security claims using defined criteria.

• Australia uses two evaluation criteria

— Common Criteria

— ITSEC

• Common Criteria is the more recent evaluation criteria

— Broad scope of mutual recognition internationally

Page 17: Concept of Assurance

• Assurance is:

— The degree of confidence in the claimed security features of a product or system.

— Defined by a Security Target.

Page 18: The EPL

• DSD lists products that have completed evaluation on the EPL (certified)

— Certification Reports available

— Use in conjunction with the published Security Target

• Products that are ‘In-Evaluation’ are also listed on the EPL

— Buyer beware

— Cannot provide the same level of assurance

Page 19: And this is good because …

• there are products available which are known to perform appropriately

• not just for government use

— use in the private sector can help to promote a more secure IT environment

Page 20: Advice and Assistance

• establishing IT security policy guidance on setting up IT networks

• providing assistance to departments in securing their IT systems

• performing internet gateway certifications for government

• whole of Government infrastructure

— Gatekeeper (a public key infrastructure)

— Fedlink (secure network connecting all departments)

Page 21: Computer Network Vulnerability Team

• keep abreast of known vulnerabilities in software and equipment

• research, test software and equipment for potential new problems

• perform security audits on clients' systems and networks

• incident response capability

Page 22: National Information Infrastructure

• two broad roles

— intelligence (threat and vulnerability assessments, other products)

— incident response, together with ASIO and the AFP

• incident reporting scheme for Commonwealth government agencies

— ISIDRAS currently

— Onsecure Website, in concert with NOIE

Page 23: Conclusion

• Known threats and unknown threats

• DSD helps government prepare itself for both