Security Tutorial Session 1
The Palestinian eGovernment Academy, www.egovacademy.ps
PalGov © 2011

Upload: mustafa-jarrar

Post on 05-Dec-2014

TRANSCRIPT
  • 1. The Palestinian eGovernment Academy, www.egovacademy.ps
    Security Tutorial Session 1
    PalGov 2011 1
  • 2. About
    This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps
    Project Consortium:
    - Birzeit University, Palestine (Coordinator)
    - Palestine Polytechnic University, Palestine
    - Palestine Technical University, Palestine
    - Ministry of Telecom and IT, Palestine
    - Ministry of Interior, Palestine
    - Ministry of Local Government, Palestine
    - University of Trento, Italy
    - Vrije Universiteit Brussel, Belgium
    - Université de Savoie, France
    - University of Namur, Belgium
    - TrueTrust, UK
    Coordinator: Dr. Mustafa Jarrar, Birzeit University, P.O.Box 14, Birzeit, Palestine. Telfax: +972 2 2982935, [email protected]
  • 3. Copyright Notes
    Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website) and the author of that part.
    No part of this tutorial may be reproduced or modified in any form or by any means without prior written permission from the project, which holds the full copyright on the material.
    Attribution-NonCommercial-ShareAlike CC-BY-NC-SA: this license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.
  • 4. Tutorial 5: Information Security, Session 1
    Outline:
    - Session 1 ILOs
    - Introduction: E-governments and Security
    - Introduction to Information Security and Threats (CIA)
    - ISO 27000 Standards
  • 5. Tutorial 5: Session 1 - ILOs
    This session will contribute to the following ILOs:
    A: Knowledge and Understanding
    - a1: Define the different risks and threats from being connected to networks, the internet and web applications.
    - a2: Define security standards and policies.
    - a3: Recognize risk assessment and management.
    - a4: Describe the Palestinian eGovernment infrastructure and understand its security requirements.
    B: Intellectual Skills
    - b1: Illustrate the different risks and threats from being connected.
    - b2: Relate risk assessment and management to the e-government model.
    - b3: Design end-to-end secure and available systems.
    C: General and Transferable Skills
    - d3: Analysis and identification skills.
  • 6. Tutorial 5: Information Security, Session 1
    Outline:
    - Session 1 ILOs
    - Introduction to E-governments and Security
    - Introduction to Information Security and Threats (CIA)
    - ISO 27000 Standards
  • 7. Introduction to Palestinian E-governments and Security
    - The Palestinian e-Government Architecture
    - Security Framework
    - Missing Knowledge and Skills
  • 8. The Palestinian e-Government Architecture (1)
    - The Palestinian e-government architecture was developed in cooperation with the Estonian government.
    - The architecture connects all ministries together through a government service bus, called X-Road Palestine.
    - This service bus represents a standard service-oriented architecture and the provision of secure services.
    - Not yet implemented.
  • 9. The Palestinian e-Government Architecture (2)
  • 10. The Palestinian e-Government Architecture (3)
    - Public services can be accessed by citizens or entrepreneurs through the portal component.
    - It allows users first to log in and authenticate themselves through a smart card and/or passwords.
    - The portal then provides the list of services that the authenticated user is allowed to access.
    - The server then communicates with the server of the Ministry of Interior, the server of the Ministry of Health, and so on.
  • 11. The Palestinian e-Government Architecture (4)
    - Several frameworks should be established to enable these interoperations.
    - Each organization develops and operates its own services and data.
    - An organization can be a ministry, a governmental agency or a private firm.
    - In Palestine, there are 23 ministries, 55 governmental agencies, and many private firms that may all join the e-government at a certain stage.
  • 12. The Palestinian e-Government Architecture (4)
    Hence, five frameworks are needed to implement the aforementioned e-government architecture: (i) infrastructure framework, (ii) security framework, (iii) interoperability framework, (iv) legal framework, (v) policy framework.
  • 13. Pal. E-gov Security Framework
    After establishing the network between governmental institutions, this network needs to be secure: both point-to-point network security and end-to-end security services are required:
    - Data confidentiality
    - Data integrity
    - Authenticity
    - No surreptitious forwarding
    - Non-repudiation
    - Access control
    - Timeliness (to avoid replay attacks)
    - Accounting and logging
    - Availability
  • 14. Pal. E-gov Security Framework
    To deal with these issues, the following mechanisms are needed:
    - Authentication services
    - Confidentiality services
    - Data integrity and non-repudiation services
    - Authorization services
    - Intrusion detection and prevention
    - Malicious software and virus protection
    - Denial of service and distributed denial of service detection and prevention
    - Firewall systems
    - Risk assessment and management
    - Policy making and enforcement
    - Training and awareness building
  • 15. Missing Knowledge and Skills
    For all:
    - Understand the types of risks and threats from being connected.
    - Understand security standards and policies, including risk assessment and management.
    - Be aware of the threats of connecting to the internet and using web applications and social networks.
    - Ability to protect themselves and their applications from security threats.
  • 16. Missing Knowledge and Skills
    For IT professionals:
    - Ability to design, implement and deploy user authentication services.
    - Ability to design, implement and deploy end-to-end security systems.
    - Ability to design, implement and deploy authorization services.
    - Ability to design, implement and deploy confidentiality services.
    - Ability to design and deploy security policies.
  • 17. Tutorial 5: Information Security, Session 1
    Outline:
    - Session 1 ILOs
    - Introduction: E-governments and Security
    - Introduction to Information Security and Threats (CIA)
    - ISO 27000 Standards
  • 18. Introduction to Information Security and Threats
    - Overview
    - Basic Security Concepts
    - Computer Security Issues
    - Vulnerabilities / Attacks
  • 19. Overview
    Computer Security: the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications) [1].
    [1] Definition taken from Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Pearson/Prentice Hall, 2008. ISBN 0-13-600424-5.
  • 20. Key Security Concepts
  • 21. Understanding the Importance of Information Security
    - Prevents data from being stolen
    - Maintains productivity
    - Prevents cyber-terrorism
    - Prevents theft of identities
    - Maintains competitive advantage
    - Prevents modifying data, forging data, masquerading and impersonating users, etc.
  • 22. Computer Security Issues / Challenges
    1. Not simple
    2. Must consider potential attacks
    3. The procedures used are counter-intuitive
    4. Involve algorithms and secret information
    5. A battle of wits between attacker and administrator
    6. Not perceived as a benefit until things fail
    7. Requires regular monitoring
    8. Regarded as an impediment to using the system
  • 23. Security Terminology
    Lecture slides by Lawrie Brown
  • 24. Secure Communication with an Untrusted Infrastructure
  • 25. Secure Communication with an Untrusted Infrastructure
    - Ali may send a message to Sara.
    - A devil (attacker) may take Ali's credentials, claim to be Ali, and resend a message to Sara claiming he is Ali.
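The following example, added here and not part of the tutorial's own material, puts slide 13's end-to-end requirements (integrity, authenticity, no surreptitious forwarding, timeliness against replay) together with the Ali/Sara scenario of slide 25. Ali attaches a nonce, a timestamp and an HMAC to each message; Sara rejects anything modified, forged without the key, addressed to someone else, replayed, or stale. The shared key, the clock values and the message texts are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared secret for Ali and Sara; a real deployment would obtain a
# per-pair key from the security framework's key management, not a literal.
SHARED_KEY = b"constructed-example-key-ali-sara"
MAX_AGE_SECONDS = 30  # timeliness window: older messages are treated as stale


def _mac(key, sender, recipient, nonce, timestamp, body):
    # Every field is bound into the MAC, so changing any one of them (including
    # the recipient, which blocks surreptitious forwarding) invalidates it.
    material = json.dumps([sender, recipient, nonce, timestamp, body],
                          separators=(",", ":")).encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def send(key, sender, recipient, body, now):
    """Ali's side: attach a fresh nonce, a timestamp and an HMAC to the message."""
    nonce = secrets.token_hex(16)
    return {"from": sender, "to": recipient, "nonce": nonce, "ts": now, "body": body,
            "mac": _mac(key, sender, recipient, nonce, now, body)}


class Receiver:
    """Sara's side: check authenticity/integrity, addressing, timeliness and replay."""

    def __init__(self, key, name):
        self.key = key
        self.name = name
        self.seen = {}  # nonce -> timestamp of acceptance, kept for MAX_AGE_SECONDS

    def receive(self, msg, now):
        expected = _mac(self.key, msg["from"], msg["to"], msg["nonce"], msg["ts"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: bad MAC (forged or modified)"
        if msg["to"] != self.name:
            return "rejected: not addressed to me"
        if abs(now - msg["ts"]) > MAX_AGE_SECONDS:
            return "rejected: stale"
        # Forget nonces that could no longer pass the timeliness check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_AGE_SECONDS}
        if msg["nonce"] in self.seen:
            return "rejected: replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted: " + msg["body"]


def demo():
    """Walk through the cases from the slides; returns Sara's verdict for each."""
    now = 1_000_000.0  # constructed clock value
    sara = Receiver(SHARED_KEY, "Sara")
    genuine = send(SHARED_KEY, "Ali", "Sara", "Issue permit 42", now)
    return {
        "genuine": sara.receive(genuine, now + 1),
        "replayed": sara.receive(genuine, now + 2),  # the same message arrives again
        "modified": sara.receive(dict(genuine, body="Issue permit 43"), now + 3),
        "forged": sara.receive(send(b"not-the-key", "Ali", "Sara", "Issue permit 44", now), now + 4),
        "forwarded": sara.receive(send(SHARED_KEY, "Ali", "Omar", "Issue permit 45", now), now + 5),
        "stale": sara.receive(send(SHARED_KEY, "Ali", "Sara", "Issue permit 46", now), now + 120),
    }
```

Because Ali and Sara share the key, this gives integrity and authenticity but not the non-repudiation that slide 13 also lists: Sara could have produced the same MAC herself. Non-repudiation needs a digital signature under a key only Ali holds, which is what the framework's smart-card authentication (slide 10) can provide.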
  • 26. Secure Communication with an Untrusted Infrastructure
    E-government usually involves communication between different parties over secure and unsecured infrastructures.
  • 27. CIA and AAA Concepts
    CIA:
    - Confidentiality
    - Integrity
    - Availability
    AAA:
    - Authentication (password)
    - Authorization (access control)
    - Auditing (accounting and logging)
  • 28. Tutorial 5: Information Security, Session 1
    Outline:
    - Session 1 ILOs
    - Introduction: E-governments and Security
    - Intro to Information Security and Threats (CIA)
    - ISO 27000 Standards
  • 29. ISO 17799
    We will learn about:
    - ISO 17799 (2000 and 2005), the precursor of ISO 27002 (2007). Originally based on BS 7799 Part 1 (1995): Information Technology - Code of Practice for Information Security Management.
    - ISO 27001 (2007), originally BS 7799 Part 2, is a practical application of ISO 27002 and specifies requirements for establishing an Information Security Management System (ISMS), as a precursor to being certified by a certification body.
  • 30. ISO 27002 (2007)
    Includes:
    - Risk Assessment & Treatment
    - Security Policies
    - Organization
    - Asset Management
    - HR
  • 31. ISO 27002 (2007)
    Includes:
    - Communications and Operations
    - Physical and Environmental
    - Access Control
    - Information Systems Acquisition, Development and Maintenance
    - IS Incident Management
    - Business Continuity Management (BCM)
    - Compliance
  • 32. Why is Information Security Important?
    - Information and its supporting processes are business assets to governments and organisations.
    - Some businesses and organisations (e.g. banks and governments) deal with information.
    - Information CIA/AAA are needed.
  • 33. Information Security Requirements
    These are determined by considering:
    - Risk assessment of information loss to the organisation.
    - Legal, statutory, regulatory and contractual requirements placed on the organisation.
    - Information processing needs of the organisation to support its operations.
  • 34. IS Controls (1)
    Controls can be:
    - Policies
    - Practices
    - Procedures
    - Organisational structures/roles
    - Software functions
    Controls are selected based upon their cost of implementation vs. the loss to the organisation of money, time, reputation and functionality.
  • 35. IS Controls (2)
    The following controls are ESSENTIAL from a legislative point of view:
    - Data protection and privacy of personal information
    - Protection of organisational records, e.g. financial data
    - Protection of intellectual property rights (including those of business partners)
    The following controls are BEST practice:
    - Information security policy document
    - Allocation of information security responsibilities
    - Education and training of staff in information security
    - Reporting security incidents
    - Business continuity management
  • 36. Related IS Issues
    - Security Policy
    - Organisational Security
    - Asset Classification and Control
    - Personnel Security
    - Physical and Environmental Security
    - Communications and Operations Security
    - Access Control
    - System Development and Maintenance
    - Business Continuity Management (BCM)
    - Compliance
  • 37. Security Policy
    Objective: to provide management support and direction for information security in the organisation.
    - The policy should have an owner, and should be regularly reviewed and enhanced.
    - Do we have policies for Palestine??
  • 38. Internal Organisational Security
    Objective: to manage information security in the organisation.
    - Appoint owners to every information asset and make them responsible for its security.
    Our organisations require:
    - An expert advisor (internal or external)
    - An authorisation process for all new systems
    - An independent reviewer to assess compliance with the security policy
  • 39. Asset Classification and Control
    Objective: to maintain protection of information assets.
    - Assets include: hardware, software, electronic data and documentation.
    - Very important to our e-gov project.
  • 40. Personnel Security
    Objective: to reduce the risks of human error, theft, fraud and misuse of information systems.
    - Should be integrated with the Legal Tutorial of our project.
  • 41. Physical and Environmental Security
    Objectives: to prevent unauthorised access, loss, damage, and theft of IS resources.
    - Equipment disposal: remove all confidential information or destroy the media.
    - Protect/restrict physical access to equipment.
  • 42. Communications and Operations Security
    Related areas to be covered:
    - Operational procedures and responsibilities
    - System planning and acceptance
    - Malicious software, e.g. viruses
    - Housekeeping (backups, archives, etc.)
    - Network management
    - Handling of media
    - Exchange of information and software
  • 43. Communications and Operations Security: Procedures
    Objective: ensure correct and secure operation of IS facilities.
    - Document operating procedures for each system (and keep them up to date!)
    - Separation of operational and development systems
  • 44. Communications and Operations Security: System Acceptance
    Objective: to minimise the risk of system failure.
  • 45. Communications and Operations Security: Malicious Software
    Objective: to protect the integrity of software and information.
    - Need to protect against viruses, worms, logic bombs, Trojan horses, etc.
    - Policy should require software to be licensed and authorised before use. WHAT ABOUT FREE LICENSING?
    - Policy should require safe methods for importing files from media and networks.
    - Anti-virus software should be regularly updated.
    - Documented procedures for reporting and recovering from virus infections.
    - Educate staff about viruses and protection methods (training).
  • 46. Communications and Operations Security: Housekeeping
    Objective: to maintain the availability of information and software.
    - Use of RAID technology.
    - Regular backups of data should be taken, kept securely, and tested for correct recovery.
    - Operational staff should keep a log of their activities, e.g. times systems started, failed and recovered, and logs should be independently inspected for conformance to procedures.
    - Support staff should log all user fault reports and their resolutions.
  • 47. Communications and Operations Security: Network Management
    Objective: to safeguard the network and the information on it.
    - Protect from unauthorised access, e.g. use of firewalls.
    - Protect against disclosure of confidential information, e.g. VPN.
    - Ensure availability, e.g. by having backup networks/links.
    - Prevent disclosure.
  • 48. Communications and Operations Security: Media Handling
    Objective: to prevent damage to media or loss of contents.
  • 49. Communications and Operations Security: Information Exchange
    Objective: to prevent loss of information exchanged between organisations.
    - Must be consistent with legislation, e.g. a data protection act.
    - Public servers, e.g. web servers, may need to comply with legislation in the recipient country; controls are also needed to stop modifications.
    - Exchanges should be based on an agreement comprising: standards for packaging, notification arrangements, responsibilities in case of loss, an agreed labelling system, and methods of transfer (e.g. tamper-resistant packaging, encryption).
    - E-commerce: authentication and authorisation methods, settlement method, liability for fraudulent transactions.
    - Policy for use of email: what (not) to send via email, what protection to use, use of inappropriate language.
    - Policy for use of fax, phone, mail, video: confidentiality issues, storage issues, access issues.
    WHAT ABOUT E-GOV X-ROAD? WHAT ABOUT CLOUD COMPUTING!!!
  • 50. Access Control
    Objective: to control access to information.
    - The access control policy should state rules and rights for each user and group of users.
    - Rules should differentiate between mandatory and optional ones, and between administrator and automated approval.
    - Good base: everything is forbidden unless expressly permitted.
    - Formal registration and de-registration process for users.
    - Allocate unique IDs to users to allow auditing.
    - Limit the use of system privileges.
    - Record who is allocated which IDs and privileges, and regularly review them, especially special privileges.
    - Ensure unattended equipment has appropriate protection.
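An added example (not from the tutorial) of the access control rules on slide 50 in code: rules per user and per group, a default-deny decision ("everything is forbidden unless expressly permitted"), formal registration with unique IDs, de-registration that removes rights with the account, and a record of special privileges for periodic review. The ministry roles, user names and resources are constructed for the example.

```python
from collections import defaultdict


class AccessPolicy:
    """Default-deny authorisation: a request succeeds only when a rule for the
    user or for one of the user's groups expressly permits (resource, action)."""

    def __init__(self):
        self.users = {}                   # user id -> set of groups; one id per person
        self.rules = defaultdict(set)     # principal (user id or group) -> {(resource, action)}
        self.privileges = {}              # user id -> (special privilege, who approved it)

    def register(self, user_id, groups=()):
        """Formal registration: refuse duplicate IDs so every audit record names one person."""
        if user_id in self.users:
            raise ValueError(f"user id already allocated: {user_id}")
        self.users[user_id] = set(groups)

    def deregister(self, user_id):
        """Formal de-registration: rules and privileges go with the account."""
        self.users.pop(user_id, None)
        self.rules.pop(user_id, None)
        self.privileges.pop(user_id, None)

    def permit(self, principal, resource, action):
        self.rules[principal].add((resource, action))

    def grant_privilege(self, user_id, privilege, approved_by):
        if user_id not in self.users:
            raise ValueError("cannot grant a privilege to an unregistered id")
        self.privileges[user_id] = (privilege, approved_by)

    def is_permitted(self, user_id, resource, action):
        if user_id not in self.users:
            return False                  # unknown or de-registered: nothing is permitted
        principals = {user_id, *self.users[user_id]}
        return any((resource, action) in self.rules[p] for p in principals)

    def privilege_review(self):
        """Listing for the regular review of who holds special privileges and who approved them."""
        return sorted((u, p, by) for u, (p, by) in self.privileges.items())


def demo_policy():
    """Constructed ministry example: clerks may read citizen records, only
    registrars may update them, and one administrator privilege is on record."""
    policy = AccessPolicy()
    policy.register("ali", groups={"clerks"})
    policy.register("sara", groups={"clerks", "registrars"})
    policy.permit("clerks", "citizen-record", "read")
    policy.permit("registrars", "citizen-record", "update")
    policy.grant_privilege("sara", "system-admin", approved_by="security-officer")
    return policy
```

Note that nothing in the policy ever says "deny": absence of a matching rule is the denial, which is what makes a forgotten rule fail safe rather than open.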
  • 51. Access Control: Passwords
    - Have a password management policy known by all users.
    - Have users sign a statement to keep passwords confidential.
    - Allocate a temporary password which users must change at first log-on.
    - Force strong passwords: more than 8 characters, easy to remember but not linked to the user, preferably mixed characters (upper/lower case, numbers, special characters) and not dictionary words.
    - Make users change passwords at predefined intervals.
    - Store password files encrypted and separately from application files.
    - Don't display passwords during login.
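The password rules on slide 51, implemented as an added example that is not part of the tutorial: a strength check (length, character classes, not linked to the user name, not a dictionary word), a temporary password that must be changed at first log-on, a forced change interval, and storage that holds only salted PBKDF2 hashes in a record separate from application data. The dictionary, the 90-day interval and the work factor are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 9                  # the slide asks for more than 8 characters
MAX_AGE_SECONDS = 90 * 86400    # constructed change interval (90 days)
ITERATIONS = 200_000            # PBKDF2 work factor; raise to current guidance in production
# Constructed list of forbidden dictionary words; a real policy uses a full word list.
DICTIONARY = {"password", "welcome", "letmein", "government", "qwerty"}


def check_strength(password, username):
    """Return the list of policy rules the candidate password breaks (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than 9 characters")
    classes = (re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"[0-9]", password), re.search(r"[^A-Za-z0-9]", password))
    if sum(1 for c in classes if c) < 3:
        problems.append("needs at least three of: upper case, lower case, digits, special characters")
    lowered = password.lower()
    if username.lower() in lowered:
        problems.append("linked to the user name")
    if any(word in lowered for word in DICTIONARY):
        problems.append("based on a dictionary word")
    return problems


def hash_password(password):
    """Salted, iterated hash: the stored record never contains the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])  # constant-time comparison


class PasswordStore:
    """Password records kept apart from application data, with the flags the
    policy needs: temporary password must be changed, and periodic change."""

    def __init__(self):
        self._records = {}

    def create_user(self, username, temporary_password, now):
        self._records[username] = {**hash_password(temporary_password),
                                   "must_change": True, "changed_at": now}

    def change_password(self, username, old, new, now):
        rec = self._records[username]
        if not verify_password(old, rec):
            return ["current password incorrect"]
        problems = check_strength(new, username)
        if problems:
            return problems
        self._records[username] = {**hash_password(new), "must_change": False, "changed_at": now}
        return []

    def login(self, username, password, now):
        """Returns 'denied', 'change required' or 'ok'; the password is never echoed back."""
        rec = self._records.get(username)
        if rec is None or not verify_password(password, rec):
            return "denied"
        if rec["must_change"] or now - rec["changed_at"] > MAX_AGE_SECONDS:
            return "change required"
        return "ok"
```

The same "denied" answer is returned for an unknown user and for a wrong password, which matches slide 53's advice not to give help for unsuccessful logins.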
  • 52. Access Control: Networks
    Objective: protection of networked services.
    - Network access policy: services allowed, user authorisation procedures, management controls.
    - Have enforced paths that control the path from the user's device to networked services, e.g. dedicated telephone numbers, limited roaming, screening routers.
    - Mandate user authentication before users gain access.
    - Protect remote access to engineering diagnostic ports.
    - Separate the internal network into security domains.
    - Install application proxy firewalls.
  • 53. Access Control: Operating Systems
    Objective: to prevent unauthorised computer access.
    - Identify the user and optionally the calling location.
    - Record successful and failed login attempts.
    - Display a warning notice to users at login.
    - Don't provide help for unsuccessful logins.
    - Limit the number of failed logins (e.g. to 3) and have a time delay between each attempt.
    - Limit the time for the login procedure.
    - Display the following information after successful login: the last time the user logged in, and the number of failed attempts since.
    - Time out inactive sessions; time-limit high-risk sessions.
  • 54. Access Control: Monitoring
    Objective: to detect unauthorised access.
    - Audit logs record: user ID, location, date and time, attempted action, success/fail, plus alerts.
    - Actions include: log on, log off, files accessed, records accessed, programs used, devices attached/detached.
    - Intrusion Detection Systems analyse logs to look for anomalous behaviour and system misuse, and issue alerts when they detect them.
    - Audit logs should be protected against modification (as well as deletion and forging).
    - Accurate clock times are important for accurate logs.
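An added example, not from the tutorial, covering slides 53 and 54 together: audit records with the fields slide 54 lists, chained with an HMAC so that modifying or deleting an entry is detectable; two simple detection rules of the kind an intrusion detection system runs over such logs (repeated failed logins, and a login from a location not seen before for that user); and the "last login time and failed attempts since" summary slide 53 asks to display. The log key, the user names, locations and timestamps are constructed sample data.

```python
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed key for the log integrity chain; in practice it belongs to the
# log server, so hosts that write entries cannot also rewrite history.
LOG_KEY = b"constructed-audit-log-key"
FAILED_LIMIT = 3                # slide 53: limit failed logins, e.g. to 3
WINDOW = timedelta(minutes=10)  # constructed detection window


def append_entry(log, user, location, when, action, success):
    """Append one record (user ID, location, date/time, action, success/fail),
    chained to the previous record's MAC so deletions and edits are detectable."""
    entry = {"user": user, "location": location, "time": when.isoformat(),
             "action": action, "success": success, "prev": log[-1]["mac"] if log else ""}
    entry["mac"] = hmac.new(LOG_KEY, json.dumps(entry, sort_keys=True).encode(),
                            hashlib.sha256).hexdigest()
    log.append(entry)


def verify_chain(log):
    """Index of the first entry whose MAC or chain link is wrong, or -1 if the log is intact."""
    prev = ""
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(LOG_KEY, json.dumps(body, sort_keys=True).encode(),
                            hashlib.sha256).hexdigest()
        if body["prev"] != prev or not hmac.compare_digest(expected, entry["mac"]):
            return i
        prev = entry["mac"]
    return -1


def detect(log):
    """Two detection rules over login records: repeated failures within the
    window, and a successful login from a location not seen for that user before."""
    alerts, failures, locations = [], defaultdict(list), defaultdict(set)
    for e in log:
        if e["action"] != "login":
            continue
        t = datetime.fromisoformat(e["time"])
        if not e["success"]:
            failures[e["user"]] = [x for x in failures[e["user"]] if t - x <= WINDOW] + [t]
            if len(failures[e["user"]]) >= FAILED_LIMIT:
                alerts.append(f"{e['user']}: {len(failures[e['user']])} failed logins within {WINDOW}")
        else:
            if locations[e["user"]] and e["location"] not in locations[e["user"]]:
                alerts.append(f"{e['user']}: login from new location {e['location']}")
            locations[e["user"]].add(e["location"])
    return alerts


def last_login_summary(log, user):
    """What to show after a successful login (slide 53): the previous successful
    login time and the number of failed attempts between it and this login."""
    logins = [(i, e) for i, e in enumerate(log) if e["user"] == user and e["action"] == "login"]
    successes = [i for i, e in logins if e["success"]]
    if len(successes) < 2:
        return None
    previous, latest = successes[-2], successes[-1]
    failed_since = sum(1 for i, e in logins if previous < i < latest and not e["success"])
    return log[previous]["time"], failed_since


def build_sample_log():
    """Constructed sample activity for the example, not real data."""
    log, t0 = [], datetime(2011, 10, 3, 9, 0)
    append_entry(log, "ali", "office-lan", t0, "login", True)
    append_entry(log, "ali", "office-lan", t0 + timedelta(minutes=1), "file-access", True)
    for i in range(3):
        append_entry(log, "sara", "unknown-host", t0 + timedelta(minutes=2 + i), "login", False)
    append_entry(log, "ali", "office-lan", t0 + timedelta(minutes=6), "logout", True)
    append_entry(log, "ali", "remote-dialup", t0 + timedelta(minutes=19), "login", False)
    append_entry(log, "ali", "remote-dialup", t0 + timedelta(minutes=20), "login", True)
    return log
```

The chain only detects tampering; it does not prevent it, and an attacker holding the log key could rebuild the chain. That is why slide 54's rule is to keep logs (and here the key) on a system the monitored hosts cannot write to, and why accurate, synchronised clocks matter: the detection window is computed from the recorded timestamps.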
  • 55. System Development and Maintenance
    Objective: to ensure that security is built into information systems.
    - Security requirements should be identified during the project's requirements phase and be related to the business value of the system.
    - Data input validation: out-of-range values, invalid characters, missing fields, exceeding upper limits.
    - Data processing validation: balancing controls, checksums, programs run in the correct order and at the correct time.
    - Data output validation: plausibility checks, reconciliation counts.
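The three validation layers on slide 55, shown as an added example that is not part of the tutorial: input validation of a request record (missing fields, invalid characters, out-of-range values, exceeded upper limits, plus unexpected fields), a processing stage with a balancing control and a checksum, and output validation that reconciles the counts and applies a plausibility check. The record format, its field rules and the sample batch are assumptions constructed for the example, not the e-government project's real schema.

```python
import re

# Constructed record format for a citizen service request. The field rules are
# assumptions made for this example, not the e-government project's real schema.
SCHEMA = {
    "citizen_id": {"required": True, "type": str, "pattern": r"[0-9]{9}"},
    "service":    {"required": True, "type": str, "choices": {"birth_certificate", "id_renewal"}},
    "copies":     {"required": True, "type": int, "min": 1, "max": 5},
    "notes":      {"required": False, "type": str, "max_len": 200, "pattern": r"[\w .,-]*"},
}


def validate_input(record):
    """Input validation: missing fields, invalid characters, out-of-range values
    and exceeded upper limits; fields the schema does not know are rejected too."""
    errors = []
    for field, rule in SCHEMA.items():
        if field not in record:
            if rule["required"]:
                errors.append(f"{field}: missing")
            continue
        value = record[field]
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append(f"{field}: wrong type")
            continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"{field}: invalid characters")
        if "choices" in rule and value not in rule["choices"]:
            errors.append(f"{field}: not an allowed value")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{field}: below minimum")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{field}: exceeds upper limit")
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{field}: too long")
    for field in sorted(set(record) - set(SCHEMA)):
        errors.append(f"{field}: unexpected field")
    return errors


def process_batch(records):
    """Processing validation: a balancing control (received = accepted + rejected)
    and a checksum over the accepted records that the output stage reconciles."""
    accepted, rejected = [], []
    for r in records:
        (rejected if validate_input(r) else accepted).append(r)
    summary = {"received": len(records), "accepted": len(accepted),
               "rejected": len(rejected), "copies_total": sum(r["copies"] for r in accepted)}
    return accepted, rejected, summary


def validate_output(accepted, rejected, summary):
    """Output validation: reconciliation counts and a plausibility check."""
    problems = []
    if summary["accepted"] + summary["rejected"] != summary["received"]:
        problems.append("record counts do not balance")
    if len(accepted) != summary["accepted"] or len(rejected) != summary["rejected"]:
        problems.append("summary disagrees with batch contents")
    if sum(r["copies"] for r in accepted) != summary["copies_total"]:
        problems.append("copies checksum mismatch")
    if summary["copies_total"] > SCHEMA["copies"]["max"] * summary["accepted"]:
        problems.append("copies total implausible for the number of accepted requests")
    return problems


SAMPLE_BATCH = [  # constructed input: one valid request, two invalid ones
    {"citizen_id": "123456789", "service": "id_renewal", "copies": 2},
    {"citizen_id": "12345678A", "service": "passport", "copies": 9, "notes": "<script>"},
    {"service": "birth_certificate", "copies": 0, "priority": "high"},
]
```

The input check is an allow-list: each field must match a pattern or a set of permitted values, rather than being screened for known-bad characters. That is what keeps the "invalid characters" rule from silently letting through whatever the block-list did not anticipate.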
  • 56. Business Continuity Management (1)
    Objective: to counteract interruptions to business activity and to protect critical business processes from the effects of major failures.
    - Failures can come from natural disasters, accidents, equipment failures and deliberate attacks.
    - Perform a risk analysis, identifying causes, probabilities and impacts.
    - Implement cost-effective risk-mitigating actions.
  • 57. Business Continuity Management (2)
    - Formulate a Business Continuity Plan (BCP).
    - Implement and test the BCP.
    - Continually review and update the BCP.
    - Failure of equipment in a particular zone.
    VERY IMPORTANT FOR THE E-GOV, ESPECIALLY IN PALESTINE.
  • 58. Compliance: Legal
    Objectives: ensure compliance with legislation.
    - Identify applicable laws: data protection, privacy, monitoring use of resources, computer misuse.
    - Rules for admissibility and completeness of evidence.
    - Ensure copyright and software licences are adhered to (implement controls and spot checks).
    - Keep an asset register, proofs of purchase, master discs.
    - Organisational records must be kept securely for a minimum statutory time period.
    - Consider media degradation and technology change.
    Complemented by the Legal Issues tutorial.
  • 59. Compliance: Security Policy
    Objectives: ensure compliance with the security policy.
    - Security of information systems should be regularly reviewed.
    - Managers should ensure all procedures are carried out properly.
  • 60. Summary
    In this session we discussed the following:
    - The Palestinian e-gov architecture.
    - The security framework for the e-gov platforms.
    - The required skills for people involved in e-gov activities.
    - Introduction to security and the CIA concept.
    - Detailed information about the security management and risk assessment standards included in ISO 27002.
  • 61. Bibliography
    1. Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Pearson/Prentice Hall, 2008. ISBN 0-13-600424-5.
    2. Lecture Notes by David Chadwick, 2011, TrueTrust Ltd.
    3. Cryptography and Network Security, by Behrouz A. Forouzan. McGraw-Hill, 2008. ISBN 978-007-126361-0.
    4. Center for Interdisciplinary Studies in Information Security (ISIS), http://scgwww.epfl.ch/courses
  • 62. Thanks
    Radwan Tahboub