1. The Palestinian eGovernment Academy
www.egovacademy.ps
Security Tutorial Session 1
PalGov 2011

2. About
This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps
Project Consortium:
- Birzeit University, Palestine
- University of Trento, Italy (Coordinator)
- Palestine Polytechnic University, Palestine
- Vrije Universiteit Brussel, Belgium
- Palestine Technical University, Palestine
- Université de Savoie, France
- Ministry of Telecom and IT, Palestine
- University of Namur, Belgium
- Ministry of Interior, Palestine
- TrueTrust, UK
- Ministry of Local Government, Palestine
Coordinator: Dr. Mustafa Jarrar, Birzeit University, P.O.Box 14, Birzeit, Palestine. Telfax: +972 2 2982935, [email protected]

3. Copyright Notes
Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website) and the author of that part. No part of this tutorial may be reproduced or modified in any form or by any means without prior written permission from the project, which holds the full copyright on the material.
Attribution-NonCommercial-ShareAlike (CC-BY-NC-SA): this license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.
4. Tutorial 5: Information Security
Session 1 Outline:
- Session 1 ILOs
- Introduction to E-governments and Security
- Introduction to Information Security and Threats (CIA)
- ISO 27000 Standards

5. Tutorial 5: Session 1 - ILOs
This session will contribute to the following ILOs:
A: Knowledge and Understanding
- a1: Define the different risks and threats from being connected to networks, the internet and web applications.
- a2: Define security standards and policies.
- a3: Recognize risk assessment and management.
- a4: Describe the Palestinian eGovernment infrastructure and understand its security requirements.
B: Intellectual Skills
- b1: Illustrate the different risks and threats from being connected.
- b2: Relate risk assessment and management to the e-government model.
- b3: Design end-to-end secure and available systems.
C: General and Transferable Skills
- d3: Analysis and identification skills.

6. Tutorial 5: Information Security
Session 1 Outline:
- Session 1 ILOs
- Introduction to E-governments and Security
- Introduction to Information Security and Threats (CIA)
- ISO 27000 Standards

7. Introduction to Palestinian E-governments and Security
- The Palestinian e-Government Architecture
- Security Framework
- Missing Knowledge and Skills
8. The Palestinian e-Government Architecture (1)
- The Palestinian e-government architecture was developed in cooperation with the Estonian government.
- The architecture connects all ministries together through a government service bus, called X-Road Palestine.
- This service bus follows a standard service-oriented architecture and provides secure services.
- Not yet implemented.

9. The Palestinian e-Government Architecture (2)

10. The Palestinian e-Government Architecture (3)
- Public services can be accessed by citizens or entrepreneurs through the portal component.
- It allows users first to log in and authenticate themselves through a smart card and/or password; the portal then provides the list of services that the authenticated user is allowed to access.
- The portal server then communicates with the server of the Ministry of Interior, the server of the Ministry of Health, and so on.

11. The Palestinian e-Government Architecture (4)
- Several frameworks should be established to enable these interoperations.
- Each organization develops and operates its own services and data. An organization can be a ministry, a governmental agency or a private firm.
- In Palestine there are 23 ministries, 55 governmental agencies, and many private firms that may all join the e-government at a certain stage.

12. The Palestinian e-Government Architecture (4)
Hence, five frameworks are needed to implement the aforementioned e-government architecture: (i) infrastructure framework, (ii) security framework, (iii) interoperability framework, (iv) legal framework, (v) policy framework.
13. Pal. E-gov Security Framework
After establishing the network between governmental institutions, this network needs to be secure: both point-to-point network security and end-to-end security services are required:
- Data Confidentiality
- Data Integrity
- Authenticity
- No surreptitious forwarding
- Non-repudiation
- Access Control
- Timeliness (to avoid replay attacks)
- Accounting and Logging
- Availability

14. Pal. E-gov Security Framework
To deal with these issues, the following mechanisms are needed:
- Authentication services
- Confidentiality services
- Data integrity and non-repudiation services
- Authorization services
- Intrusion detection and prevention
- Malicious software and virus protection
- Denial of service and distributed denial of service detection and prevention
- Firewall systems
- Risk assessment and management
- Policy making and enforcement
- Training and awareness building

15. Missing Knowledge and Skills
For all:
- Understand the types of risks and threats from being connected.
- Understand security standards and policies, including risk assessment and management.
- Be aware of the threats of connecting to the internet and using web applications and social networks.
- Ability to protect themselves and their applications from security threats.

16. Missing Knowledge and Skills
For IT professionals:
- Ability to design, implement and deploy user authentication services.
- Ability to design, implement and deploy end-to-end security systems.
- Ability to design, implement and deploy authorization services.
- Ability to design, implement and deploy confidentiality services.
- Ability to design and deploy security policies.
17. Tutorial 5: Information Security
Session 1 Outline:
- Session 1 ILOs
- Introduction to E-governments and Security
- Introduction to Information Security and Threats (CIA)
- ISO 27000 Standards

18. Introduction to Information Security and Threats
Overview:
- Basic Security Concepts
- Computer Security Issues
- Vulnerabilities / Attacks

19. Overview
Computer Security: "protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)." [1]
[1] Definition taken from Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Published by Pearson/Prentice Hall, 2008. ISBN: 0-13-600424-5.

20. Key Security Concepts

21. Understanding the Importance of Information Security
- Prevents data from being stolen
- Maintains productivity
- Prevents cyber-terrorism
- Prevents theft of identities
- Maintains competitive advantage
- Prevents modifying data, forging data, masquerading and impersonating users, etc.

22. Computer Security Issues / Challenges
1. Not simple
2. Must consider potential attacks
3. Procedures used are counter-intuitive
4. Involve algorithms and secret info
5. Battle of wits between attacker and admin
6. Not perceived as a benefit until things fail
7. Requires regular monitoring
8. Regarded as an impediment to using the system

23. Security Terminology
Lecture slides by Lawrie Brown

24. Secure Communication with an Untrusted Infrastructure
25. Secure Communication with an Untrusted Infrastructure
- Ali may send a message to Sara.
- A devil (an attacker) may capture Ali's credentials, claim to be Ali, and resend the message to Sara claiming to be Ali.

26. Secure Communication with an Untrusted Infrastructure
E-government usually involves communication between different parties over both secure and unsecure infrastructures.
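The Ali/Sara scenario above, together with the "timeliness (to avoid replay attacks)" requirement of the security framework, as an added example that is not part of the PalGov slides: every message carries a timestamp and a fresh nonce and is authenticated with an HMAC, so Sara's side rejects forged, tampered, stale and replayed copies. The shared key, the names and the message fields are constructed for illustration.

```python
# Added example (not from the PalGov slides). Assumption: Ali and Sara share a
# secret key. An HMAC under that key gives authenticity and integrity; note it
# does NOT give non-repudiation (either party could have produced the MAC), for
# which a digital signature would be needed instead.
import hashlib
import hmac
import json
import secrets
import time

KEY = b"constructed-shared-key-for-Ali-and-Sara"  # constructed sample key
FRESHNESS_WINDOW = 30  # seconds during which a message is still acceptable


def _mac(key, fields):
    # Canonical JSON so sender and receiver MAC exactly the same bytes.
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_message(key, sender, recipient, body, now=None):
    """Ali's side: bind sender, recipient, body, time and a fresh nonce under the MAC."""
    fields = {
        "from": sender, "to": recipient, "body": body,
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(8),
    }
    return {**fields, "mac": _mac(key, fields)}


class Receiver:
    """Sara's side: verifies the MAC, the timeliness and the nonce."""

    def __init__(self, key, name):
        self.key, self.name, self.seen_nonces = key, name, set()

    def accept(self, msg, now=None):
        now = now if now is not None else time.time()
        fields = {k: v for k, v in msg.items() if k != "mac"}
        # 1. Authenticity/integrity: anyone without the key (the "devil")
        #    cannot produce a valid MAC, and any edit to a field breaks it.
        if not hmac.compare_digest(_mac(self.key, fields), msg.get("mac", "")):
            return "rejected: bad MAC (forged or tampered)"
        if msg["to"] != self.name:
            return "rejected: not addressed to me"
        # 2. Timeliness: a message outside the window is stale (or the clocks differ).
        if abs(now - msg["ts"]) > FRESHNESS_WINDOW:
            return "rejected: stale timestamp"
        # 3. Replay: each nonce is accepted once. Because stale messages are
        #    already refused, seen nonces older than the window can be pruned.
        if msg["nonce"] in self.seen_nonces:
            return "rejected: replayed nonce"
        self.seen_nonces.add(msg["nonce"])
        return "accepted"
```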
27. CIA and AAA Concepts
CIA:
- Confidentiality
- Integrity
- Availability
AAA:
- Authentication (password)
- Authorization (Access Control)
- Auditing (Accounting and Logging)

28. Tutorial 5: Information Security
Session 1 Outline:
- Session 1 ILOs
- Introduction to E-governments and Security
- Introduction to Information Security and Threats (CIA)
- ISO 27000 Standards

29. ISO 17799
We will learn about:
- ISO 17799 (2000 and 2005), precursor of ISO 27002 (2007). Originally based on BS 7799 Part 1 (1995), Information Technology Code of Practice for Information Security Management.
- ISO 27001 (2007), originally BS 7799 Part 2, is a practical application of ISO 27002 and specifies requirements for establishing an Information Security Management System (ISMS), as a precursor to being certified by a certification body.

31. ISO 27002 (2007)
Includes:
- Communications and Operations
- Physical and Environmental
- Access Control
- Information Systems Acquisition, Development and Maintenance
- IS Incident Management
- Business Continuity Management (BCM)
- Compliance
32. Why is Information Security Important
- Information and its supporting processes are business assets to governments and organisations.
- Some businesses and organisations (e.g. banks and governments) deal with information.
- Information CIA / AAA are needed.

33. Information Security Requirements
These are determined by considering:
- Risk assessment of information loss to the organisation.
- Legal, statutory, regulatory and contractual requirements placed on the organisation.
- Information processing needs of the organisation to support its operations.

34. IS Controls (1)
Controls can be:
- Policies
- Practices
- Procedures
- Organisational Structures/Roles
- Software Functions
Controls are selected based upon their cost of implementation vs. the loss to the organisation of money, time, reputation and functionality.

35. IS Controls (2)
The following controls are ESSENTIAL from a legislative point of view:
- Data protection and privacy of personal information
- Protection of organisational records, e.g. financial data
- Protection of Intellectual Property Rights (including those of business partners)
The following controls are BEST practice:
- Information security policy document
- Allocation of information security responsibilities
- Education and training of staff in information security
- Reporting security incidents
- Business continuity management

36. Related IS Issues
- Security Policy
- Organisational Security
- Asset Classification and Control
- Personnel Security
- Physical and Environmental Security
- Communications and Operations Security
- Access Control
- System Development and Maintenance
- Business Continuity Management (BCM)
- Compliance

37. Security Policy
Objective: To provide management support and direction for information security in the organisation.
- Policy should have an owner, and should be regularly reviewed and enhanced.
- Do we have policies for Palestine??

38. Internal Organisational Security
Objective: to manage information security in the organisation.
- Appoint owners to every information asset and make them responsible for its security.
- Our organisations require:
  - an expert advisor (internal or external);
  - an authorisation process for all new systems;
  - an independent reviewer to assess compliance with the security policy.

39. Asset Classification and Control
Objective: to maintain protection of information assets.
- Assets include: hardware, software, electronic data and documentation.
- Very important to our e-gov project.

40. Personnel Security
Objective: to reduce risks of human errors, theft, fraud and misuse of Information Systems.
- Should be integrated with the Legal Tutorial of our project.

41. Physical and Environmental Security
Objectives: To prevent unauthorised access, loss, damage, and theft of IS resources.
- Equipment disposal: remove all confidential information or destroy the media.
- Protect/restrict physical access to equipment.

42. Communications and Operations Security
Related areas to be covered:
- Operational procedures and responsibilities
- System planning and acceptance
- Malicious software, e.g. viruses
- Housekeeping (backups, archives etc.)
- Network management
- Handling of media
- Exchange of information and software
43. Communications and Operations Security: Procedures
Objective: Ensure correct and secure operation of IS facilities.
- Document operating procedures for each system (and keep them up to date!).
- Separation of operational and development systems.

44. Communications and Operations Security: System Acceptance
Objective: to minimise risk of system failure.

45. Communications and Operations Security: Malicious software
Objective: To protect the integrity of software and information.
- Need to protect against viruses, worms, logic bombs, Trojan horses etc.
- Policy should require software to be licensed and authorised before use. WHAT ABOUT FREE LICENSING?
- Policy should require safe methods for import of files from media and networks.
- Anti-virus software should be regularly updated.
- Documented procedures for reporting and recovering from virus infections.
- Educate staff about viruses and protection methods (training).

46. Communications and Operations Security: Housekeeping
Objective: To maintain the availability of information and software.
- Use of RAID technology.
- Regular backups of data should be taken, kept securely, and tested for correct recovery.
- Operational staff should keep a log of their activities (e.g. times systems started, failed, recovered), and logs should be independently inspected for conformance to procedures.
- Support staff should log all user fault reports and their resolutions.

47. Communications and Operations Security: Network Management
Objective: To safeguard the network and the information on it.
- Protect from unauthorised access, e.g. use of firewalls.
- Protect against disclosure of confidential information, e.g. VPN.
- Ensure availability, e.g. by having backup networks/links.
- Prevent disclosure.

48. Communications and Operations Security: Media Handling
Objective: To prevent damage to media or loss of contents.

49. Communications and Operations Security: Information Exchange
Objective: To prevent loss of information exchanged between organisations.
- Must be consistent with legislation, e.g. data protection act.
- Public servers (e.g. Web) may need to comply with legislation in the recipient country; they also need controls to stop modifications.
- Exchanges should be based on an agreement comprising: standards for packaging, notification arrangements, responsibilities in case of loss, agreed labelling system, methods of transfer (e.g. tamper-resistant packaging, encryption).
- E-commerce: authentication and authorisation methods, settlement method, liability for fraudulent transactions.
- Policy for use of email: what (not) to send via email, what protection to use, use of inappropriate language.
- Policy for use of fax, phone, mail, video: confidentiality issues, storage issues, access issues.
- WHAT ABOUT E-GOV X-ROAD? WHAT ABOUT CLOUD COMPUTING!!!

50. Access Control
Objective: To control access to information.
- Access control policy should state rules and rights for each user and group of users.
- Rules should differentiate between mandatory and optional ones, and between administrator and automated approval.
- Good base: everything forbidden unless expressly permitted.
- Formal registration and de-registration process for users.
- Allocate unique IDs to users to allow auditing.
- Limit the use of system privileges.
- Record who is allocated which IDs and privileges and regularly review them, especially special privileges.
- Ensure unattended equipment has appropriate protection.
51. Access Control: Passwords
- Have a password management policy known by all users.
- Have users sign a statement to keep passwords confidential.
- Allocate a temporary password which users must change at first log-on.
- Force strong passwords: >8 characters, easy to remember but not linked to the user, preferably mixed characters and not dictionary words (upper/lower case, numbers, special characters).
- Make users change passwords at predefined intervals.
- Store password files encrypted and separately from application files.
- Don't display passwords during login.
52. Access Control: Networks
Objective: Protection of networked services.
- Network access policy: services allowed, user authorisation procedures, management controls.
- Have enforced paths that control the path from the user's device to networked services, e.g. dedicated telephone numbers, limited roaming, screening routers.
- Mandate user authentication before they gain access.
- Protect remote access to engineering diagnostic ports.
- Separate the internal network into security domains.
- Install application proxy firewalls.

53. Access Control: Operating systems
Objective: To prevent unauthorised computer access.
- Identify the user and optionally the calling location.
- Record successful and failed login attempts.
- Display a warning notice to users at login.
- Don't provide help for unsuccessful logins.
- Limit the number of failed logins (e.g. to 3) and have a time delay between each attempt.
- Limit the time for the login procedure.
- Display the following information after successful login: last time the user logged in and the number of failed attempts since.
- Time out inactive sessions; time-limit high-risk sessions.
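The operating-system login controls listed above, implemented as one small login controller; this is an added example, not code from the PalGov project. The user names, passwords, locations and the injected clock are constructed so the behaviour can be exercised offline; the stored verifier is a salted password hash (the slides' "store password files encrypted", approximated here by hashing).

```python
# Added example (not from the PalGov slides): a login controller applying the
# slide's controls. Thresholds are assumptions chosen to match the slide text.
import hashlib
import hmac
import os

MAX_FAILURES = 3        # limit failed logins (e.g. to 3)
ATTEMPT_DELAY = 5       # seconds that must pass between two attempts
LOGIN_TIME_LIMIT = 60   # seconds allowed for the whole login procedure
IDLE_TIMEOUT = 900      # seconds of inactivity before a session times out
WARNING_NOTICE = "Authorised users only. All login attempts are recorded."


def hash_password(pw, salt=None):
    """Salted PBKDF2 verifier so the password itself is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class LoginController:
    def __init__(self, users, clock):
        self.users = users    # user name -> (salt, verifier)
        self.clock = clock    # callable returning the current time in seconds
        self.audit = []       # (time, user, location, outcome): success AND failure
        self.state = {}       # per-user counters used by the controls

    def _st(self, user):
        return self.state.setdefault(
            user, {"fails": 0, "fails_since": 0, "last_try": None, "last_ok": None})

    def login(self, user, password, location, started_at):
        now = self.clock()
        st = self._st(user)
        outcome = "fail: bad credentials"
        if now - started_at > LOGIN_TIME_LIMIT:        # limit time for the procedure
            outcome = "fail: login procedure timed out"
        elif st["fails"] >= MAX_FAILURES:             # lock after too many failures
            outcome = "fail: account locked"
        elif st["last_try"] is not None and now - st["last_try"] < ATTEMPT_DELAY:
            outcome = "fail: retry too soon"          # enforced delay between attempts
        elif user in self.users:                      # identify the user
            salt, verifier = self.users[user]
            if hmac.compare_digest(hash_password(password, salt)[1], verifier):
                outcome = "ok"
        st["last_try"] = now
        self.audit.append((now, user, location, outcome))  # record every attempt
        if outcome != "ok":
            st["fails"] += 1
            st["fails_since"] += 1
            # No help for unsuccessful logins: one generic message for every cause.
            return {"ok": False, "message": "Login incorrect"}
        # After success: show last login time and failures since, then reset.
        notice = {"last_login": st["last_ok"], "failed_since": st["fails_since"]}
        st.update(fails=0, fails_since=0, last_ok=now)
        return {"ok": True, "warning": WARNING_NOTICE, "notice": notice,
                "session_expires": now + IDLE_TIMEOUT}
```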
54. Access Control: Monitoring
Objective: to detect unauthorised access.
- Audit logs record: user ID, location, date and time, attempted action, success/fail, plus alerts.
- Actions include: log on, log off, files accessed, records accessed, programs used, devices attached/detached.
- Intrusion Detection Systems analyse logs to look for anomalous behaviour and system misuse, and issue alerts when they detect them.
- Audit logs should be protected against modification (as well as deletion and forging).
- Accurate clock times are important for accurate logs.
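The monitoring controls above as an added example, not part of the PalGov slides: an audit log with the slide's fields whose entries are hash-chained, so that a modified, deleted or forged earlier record breaks the chain, and a simple detector of the kind an intrusion detection system would run over those entries. The events, users and locations are constructed sample data.

```python
# Added example (not from the PalGov slides). Each entry's hash covers its
# fields plus the previous entry's hash, so the chain is tamper-evident.
# Assumption: the latest hash is also stored off-host (e.g. sent to a central
# log server), otherwise truncating the tail of the log would go unnoticed.
import hashlib
import json
from collections import defaultdict

FIELDS = ("time", "user", "location", "action", "result")


class AuditLog:
    def __init__(self):
        self.entries = []  # each entry: the FIELDS plus "prev" and "hash"

    @staticmethod
    def _digest(entry):
        body = {k: entry[k] for k in FIELDS + ("prev",)}
        data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(data).hexdigest()

    def record(self, time, user, location, action, result):
        """Append one event (success or failure) linked to the previous one."""
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = dict(zip(FIELDS, (time, user, location, action, result)), prev=prev)
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first broken link, or None if the chain holds."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != self._digest(e):
                return i
            prev = e["hash"]
        return None


def detect(entries, max_failures=3, window=60):
    """Raise alerts on anomalous behaviour: bursts of failed logons, devices attached."""
    alerts = []
    failures = defaultdict(list)  # user -> times of recent failed logons
    for e in entries:
        if e["action"] == "logon" and e["result"] == "fail":
            recent = failures[e["user"]]
            recent.append(e["time"])
            recent[:] = [t for t in recent if e["time"] - t <= window]
            if len(recent) >= max_failures:
                alerts.append(f"{e['user']}: {len(recent)} failed logons within "
                              f"{window}s from {e['location']}")
        if e["action"] == "device_attached" and e["result"] == "ok":
            alerts.append(f"{e['user']}: device attached at {e['location']}")
    return alerts
```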
55. System Development and Maintenance
Objective: To ensure that security is built into Information Systems.
- Security requirements should be identified during the project's requirements phase and be related to the business value of the system.
- Data input validation: out-of-range values, invalid characters, missing fields, exceeding upper limits.
- Data processing validation: balancing controls, checksums, programs run in the correct order and at the correct time.
- Data output validation: plausibility checks, reconciliation counts.
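The three validation layers above, applied to a batch of constructed citizen-service records; this is an added example and not part of the PalGov slides. The field rules, the record layout and the batch format (declared count plus checksum) are assumptions made for the example.

```python
# Added example (not from the PalGov slides): input validation per field,
# processing validation over the batch, and an output plausibility check.
import hashlib
import json
import re

# field -> (required, max length, allowed pattern, numeric range). Assumed rules.
RULES = {
    "citizen_id": (True, 9, re.compile(r"^\d{9}$"), None),
    "name": (True, 60, re.compile(r"^[A-Za-z\u0600-\u06FF '\-]+$"), None),
    "age": (True, 3, re.compile(r"^\d+$"), (0, 130)),
    "service_code": (True, 8, re.compile(r"^[A-Z]{2}-\d{3}$"), None),
    "note": (False, 200, re.compile(r"^[^<>;]*$"), None),
}


def validate_record(rec):
    """Input validation: list of problems (empty list means the record is clean)."""
    problems = []
    for field, (required, max_len, pattern, rng) in RULES.items():
        value = rec.get(field)
        if value is None or value == "":
            if required:
                problems.append(f"{field}: missing")          # missing field
            continue
        value = str(value)
        if len(value) > max_len:
            problems.append(f"{field}: exceeds {max_len} characters")  # upper limit
        elif not pattern.match(value):
            problems.append(f"{field}: invalid characters")
        elif rng and not rng[0] <= int(value) <= rng[1]:
            problems.append(f"{field}: out of range {rng}")    # out-of-range value
    for field in rec:
        if field not in RULES:
            problems.append(f"{field}: unexpected field")
    return problems


def batch_checksum(records):
    data = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def process_batch(batch):
    """Processing and output validation of {"count", "checksum", "records"}."""
    records = batch["records"]
    # Processing validation: checksum (intact) and balancing control (complete).
    if batch["checksum"] != batch_checksum(records):
        return {"error": "checksum mismatch: batch altered or truncated"}
    if batch["count"] != len(records):
        return {"error": f"balancing control failed: declared {batch['count']}, "
                         f"received {len(records)}"}
    results = [(i, validate_record(r)) for i, r in enumerate(records)]
    rejected = [(i, p) for i, p in results if p]
    accepted = len(records) - len(rejected)
    # Output validation: reconciliation count and a plausibility check that
    # flags a batch in which most records failed for manual review.
    return {"accepted": accepted, "rejected": rejected,
            "reconciled": accepted + len(rejected) == batch["count"],
            "needs_review": len(rejected) > len(records) // 2}
```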
56. Business Continuity Management (1)
Objective: To counteract interruptions to business activity and to protect critical business processes from the effects of major failures.
- Failures can come from natural disasters, accidents, equipment failures and deliberate attacks.
- Perform a risk analysis, identifying causes, probabilities and impacts.
- Implement cost-effective risk-mitigating actions.

57. Business Continuity Management (2)
- Formulate a Business Continuity Plan (BCP).
- Implement and test the BCP.
- Continually review and update the BCP.
- Failure of equipment in a particular zone.
- VERY IMPORTANT FOR THE E-GOV, ESPECIALLY IN PALESTINE.

58. Compliance: legal
Objectives: Ensure compliance with legislation.
- Identify applicable laws: data protection, privacy, monitoring use of resources, computer misuse.
- Rules for admissibility and completeness of evidence.
- Ensure copyright and software licences are adhered to (implement controls and spot checks). Keep an asset register, proofs of purchase, master discs.
- Organisational records must be kept securely for a minimum statutory time period. Consider media degradation and technology change.
- Complemented by the Legal Issues tutorial.

59. Compliance: security policy
Objectives: Ensure compliance with security policy.
- Security of information systems should be regularly reviewed.
- Managers should ensure all procedures are carried out properly.

60. Summary
In this session we discussed the following:
- The Palestinian e-gov architecture.
- The security framework for the e-gov platforms.
- The required skills for people involved in the e-gov activities.
- Introduction to security and the CIA concept.
- Detailed information about the security management and risk assessment standards included in ISO 27002.

61. Bibliography
1. Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Published by Pearson/Prentice Hall, 2008. ISBN: 0-13-600424-5.
2. Lecture Notes by David Chadwick, 2011, TrueTrust Ltd.
3. Cryptography and Network Security, by Behrouz A. Forouzan. McGraw-Hill, 2008. ISBN: 978-007-126361-0.
4. Center for Interdisciplinary Studies in Information Security (ISIS), http://scgwww.epfl.ch/courses