Information in Security Part 3 The Action Plan

Next slide: PgDn or Click Previous slide: PgUp To quit the presentation: Esc
Information Insecurity
Part III: The Action Plan
E. Gelbstein A. Kamal
Information Insecurity Part III: The Action Plan
1 of 44
Cyberspace as a frontierland
Uncharted territory unclear boundaries Unclear or undefined ownership Legislation developing slowly
Navigators Explorers Traders Quacks Crooks Criminals 2 of 44
Many adventurers
CYBERSPACE
Criminals and Terrorists Terra Incognita
Land of the Have-Nots Population ~ 6 billion

Non-IP World Wide Web
Deep web
Digital Divide
Cartografia Pietragialla
Explorers Navigators
3 of 44
Survivors guide
Better charts to the cyberspace frontier are being produced. In the meantime Best practices
(keep it simple, do not reinvent the wheel)
Standards
(formalized compatibilities and best practices)
Legislation
(rules of what is not permitted)
Compliance
(with each of the above)
4 of 44
Sources of Best Practices

Enthusiasts and volunteers Professional associations Government departments
Happyhacker ISSA, CASPR UKs CCTA Gartner GIGA IBM KPMG etc
5 of 44
Consultants and commercial providers

Examples of some websites follow
www.happyhacker.org
6 of 44
www.issa.org
7 of 44
www.sans.org
8 of 44
www.itsmf.com
9 of 44
www.itil-itsm-world.com/security.htm
10 of 44
www.gigaweb.com
12 of 44
13 of 44
Standards
Formalized definitions that ensure compatibility
De-jure
From Organizations whose mandate is to define standards
De-facto
Usually from vendors Useful and ubiquitous
14 of 44
De-jure standards (examples)

Internet Engineering Task Force (IETF)
TCP/IP, Html, POP, STMP, FTP, SSL and many other
International Telecommunications Union (ITU)

Recommendations X.273, Open systems network layer security Recommendations X.509, Authentication framework
International Standards Organization (ISO)

ISO 17799 Code of Practice for the management of Information Security
15 of 44
Sources of de-facto standards

Professional associations e.g. the IEEE Institution of Electrical and Electronic Engineers Vendor associations e.g. ECMA European Computer Manufacturers Association Vendors e.g Microsoft, Netscape, Adobe
Examples follow
16 of 44
17 of 44
European Computer Manufacturers Association
18 of 44
Institution of Electrical and Electronic Engineers
19 of 44
20 of 44
Legislation: a little history

Early difficulties
Data and software are incorporeal object old laws are designed to deal with tangible objects Legal regime of intangibles needs to cater for the owner it also needs to cater for persons concerned by the content (privacy) The property status of information was/is unclear Issue 1: the law and the correctness and integrity of data Issue 2: protecting data owners for exclusive use
Some of these remain unresolved in many countries
21 of 44
Legislation: a little history

More early difficulties
Theft, larceny, embezzlement
Older definitions require the offender to take an item of another persons property Fraud Under some legislation, it requires deception of a person (does NOT apply to a computer)
22 of 44
Scope of cyber-legislation
Computer misuse Data protection Telecommunications interception National security and anti-terrorism Software copyrights and patents Search and seizure, criminal evidence Contractual obligations for suppliers
(1)
23 of 44
Human rights: right to privacy, right to access Electronic contracts, taxation of e-commerce Censorship Obscene publications Protection of minors Consumer protection
(2)
24 of 44
Organized crime in cyberspace On-line banking and money laundering Gambling in cyberspace Electronic signatures and certificats Defamation and libel in cyberspace National security and anti-terrorism
and much, much more Information Insecurity Part III: The Action Plan
(3)
25 of 44
First issued in 1994 Updated in 1997
26 of 44
Professor David Post and others www.cli.org
27 of 44
International Legislation
OECD: 1983-1985 - Criminalization of computer abuse Council of Europe (COE): 1985 - Work begins towards a convention on cyber-crime United Nations Congress on the Prevention of Crime In November 2001, formal signature by 33 countries of the COE Convention on Cybercrime
28 of 44
The COE Convention

Three primary groups of provisions
Unauthorized computer intrusion, malicious code, the use of computers to commit acts which are already a crime Procedures to capture and retrieve on-line and other information by issuing Retention Orders Cooperation between signatory states to share e-evidence
Additional protocols are being developed
29 of 44
Reactions to the Convention

33 States (29 Council Members) plus Canada, Japan, South Africa and the United States of America signed it. It will enter into force once ratified by 5 States (planned mid 2003)
Possible conflicts with existing national legislation Non-signatory States where cybercriminals may act with impunity
Misgivings
Inidividual rights to privacy vs. extended surveillance powers granted to signatory countries Possilibity of personal data being transferred outside Europe to countries with less protective legislation Issuance of warrants seeking evidence and extradition Increased cost of e-business and place restrictions
30 of 44
Compliance and certification

General ICT audits, with focus on security
(COBIT guidelines)
Compliance audits against ISO 17799 or similar Security certification services
The selected auditors must be deeply trusted
31 of 44
www.isaca.org Information Insecurity Part III: The Action Plan
32 of 44
Do-it-yourself kit for ISO 17799 compliance audit www.securityauditor.net

33 of 44
www.giac.org
34 of 44
www.isc2.org
35 of 44
www.htcn.org
36 of 44
Other interested parties

and other civil liberties groups
37 of 44
www.cfenet.com
38 of 44
www1.ifccfbi.gov/index.asp
39 of 44
www.merchantfraudsquad.com
40 of 44
International Chamber of Commerce www.iccwbo.org
41 of 44
Beyond insecurity and crime

Cyber-terrorism and Cyber-war call for a new way of looking at our world
and for further action by the International Community

42 of 44
Moving forward
Recommendations for immediate action purpose: help those not yet ready Work to be done purpose: avoid procrastination and develop a Law of Cyberspace before it is too late
43 of 44
Recommendations
1. Become aware of the Information Insecurity problem 2. Devise an information security strategy 3. Implement remedial procedures immediately 4. Seek professional help without delay 5. Identify the gaps in your countrys legislation 6. Encourage the United Nations to embark urgently on a Law of Cyberspace
44 of 44

Information in Security Part 3 The Action Plan

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Information in Security Part 3 The Action Plan

Загружено:

Авторское право:

Доступные форматы

Next slide: PgDn or Click Previous slide: PgUp To quit the presentation: Esc

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Land of the Have-Nots Population ~ 6 billion

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Sources of Best Practices

Consultants and commercial providers

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

De-jure standards (examples)

International Telecommunications Union (ITU)

International Standards Organization (ISO)

Information Insecurity Part III: The Action Plan

Sources of de-facto standards

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

European Computer Manufacturers Association

Information Insecurity Part III: The Action Plan

Institution of Electrical and Electronic Engineers

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Legislation: a little history

Information Insecurity Part III: The Action Plan

Legislation: a little history

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

First issued in 1994 Updated in 1997

Information Insecurity Part III: The Action Plan

Professor David Post and others www.cli.org

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

The COE Convention

Information Insecurity Part III: The Action Plan

Reactions to the Convention

Information Insecurity Part III: The Action Plan

Compliance and certification

Compliance audits against ISO 17799 or similar Security certification services

The selected auditors must be deeply trusted

Information Insecurity Part III: The Action Plan

www.isaca.org Information Insecurity Part III: The Action Plan

Do-it-yourself kit for ISO 17799 compliance audit www.securityauditor.net

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Other interested parties

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

Information Insecurity Part III: The Action Plan

International Chamber of Commerce www.iccwbo.org

Information Insecurity Part III: The Action Plan

Beyond insecurity and crime