
Course: Information Security Management in eGovernance

Day 1

Session 2: Introduction to Information Security in e-Governance

Agenda
- Need for Information Systems Security Policy
- Elements of Information Security Policy
- Approach for development of Information Security Policy
- Information Security Organization and roles, responsibilities

What is Information?
BS ISO 27002:2005 defines information as:

'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.'

Slide 3

What is Information?
Information can be:
- Printed or written on paper
- Stored electronically
- Transmitted by post or using electronic means
- Shown on corporate videos
- Displayed / published on the web
- Verbal: spoken in conversations

Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected (BS ISO 27002:2005)

Slide 4

Information in Governments
- Governments are moving towards e-Governance to improve convenience, reduce time and improve transparency in delivering services to businesses and citizens.
- Businesses and citizens expect high standards of service, instant access to information, efficient transactions and support, whenever and wherever they need it, but in a secure fashion.
- The two major components of the approach are information delivery and service delivery.
- In the first component, Governments use various web-based information services of different granularity.
- In the second component, the citizen is given access to the Government's business-related IT systems to provide transaction services (e.g. tax payments, filing of forms, issuing certificates etc.).

Slide 5

Information in Governments
- These two types of components bring the issues of information and systems security, such as architecture, standards and technology, to the forefront.
- Another fundamental element of the problem is the unprecedented gap between the pace of technological change and the inevitably glacial pace of policy and law making.
- Any good system of governance should be resilient to fraud, inadvertent virus infections, a variety of motivated cyber crimes through unauthorised access, and even nation-sponsored cyber war, including in scenarios of disaster and warfare.
- In a networked society these kinds of threats have the potential to cripple a Government.

Slide 6

Information in Governments
Models of e-Governance

From the developmental perspective, e-Governance can be defined as the application of electronic means (in particular ICT) in:
(1) the interaction between Government and citizens and between Government and businesses, as well as in
(2) internal Government operations,
to simplify and improve the democratic, Government and business aspects of Governance.

Slide 7

Some of the kinds of information exchanged in Governments

Information types:
- Public Information
- Personalized Information
- Critical Information
- Business Information
- Comparative Data
- Feedback and Opinions

Based on these classes of information, their sources and the frequency of update and exchange, various models of e-Governance projects have evolved.

Slide 8

Information assets in Governments


Information can be found in various places such as:
- End user environment: systems, documents etc.
- Servers: application (web, in-house developed, mail etc.), database servers, backup servers, domain servers and many more
- Network: wireless networks, local area network, internet etc.
- Other devices such as laptops, pocket devices, smart cards, smart phones, tablet PCs etc.

Slide 9

Technology Base for e-Governance


- Communication Network: The Data and Voice Network owned by the Government or private players.
- e-Government System Interface: Point of admission to the Government System.
- Backend Systems: Database and Business layers of the Information Infrastructure.

Slide 10

Facets of Information assets


- End user level: Information available at the end user level, which could be trusted, un-trusted, third party etc. (Diagram labels: Partly Trusted, Untrusted, Third-Party Application, Internet)
- Service Layer: Information is available at the level of applications, databases etc. (Diagram labels: Web Tier, Databases, Application, Service Delivery Platform)
- Network Layer: Information resides at the network level, which encompasses the entire business functions of the Governments. Service Delivery platforms have a huge asset in terms of government data. (Diagram labels: Common Framework, Backbone Network)

Securing the information assets


- Security of information and information assets is becoming a major area of concern.
- With every new application, newer vulnerabilities crop up, posing immense challenges to those who are mandated to protect the IT assets.
- e-Government security requirements can be studied by examining the overall process, beginning with the citizen's end and ending with the e-Gov server.
- The assets that must be protected to ensure secure e-Gov include client computers, the messages traveling on the communication channel, and the Web and e-Gov servers, including any hardware attached to the servers.

Slide 12

Need for Information security in Governments


- In the current climate of elevated risk created by the vulnerabilities of and threats to the Nation's IT infrastructure, cyber security is not just a paperwork drill.
- Adversaries are capable of launching harmful attacks on IT systems, networks, and information assets.
- Enterprise concerns have been heightened by increasingly sophisticated hacker attacks and identity thefts, warnings of cyber terrorism, and the pervasiveness of IT uses.
- Many in the industry and critical infrastructure organizations have come to recognize that their continued ability to gain citizens' confidence will depend on improved software development, systems engineering practices and the adoption of strengthened security models and best practices.

Slide 13

Need for Information security in Governments (contd..)


- Governments amass a great deal of confidential information about their employees, customers, products, research, and financial status.
- Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers.
- A breach of security could lead to lost opportunities, defamation, loss of goodwill, repudiation loss, financial loss, transactional loss, loss of citizens' confidence and many others.

Slide 14

Need for Information security in Governments (contd..)


Examples include:
- A defacement / hacking of a public website can cause loss of repudiation
- Vital data, i.e. databases, can be lost if unauthorized entry is not checked properly
- An e-procurement website stops functioning all of a sudden
- A disaster strikes and the processes come to a standstill
- Repudiation loss: One party of a transaction denies having received a transaction nor can the other party deny having sent a transaction

Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement!

Slide 15

Understanding Security Measures

Data Center Security
- Use Firewalls

Web-site Security
- Anti-virus tools
- Anti-phishing tools

Physical Office Security
- Restricted Accessibility
- Regular checks & reviews

Secured Working Processes
- Planning long-term solutions
- Process-Cycle to be followed (PDCA Cycle: Plan, Do, Check & Assess Cycle)

Slide 16

Categorization of Information Systems


Categorize Information based on:
- Hardware
- Software
- Data
- Documentation
- Personnel
- Procedures
- Models etc.

Slide 17

Challenges & Issues - Security


- Data & Application security
- PPP models (service delivery model)
- Lack of internal technical capacities
- Loopholes in the applications and databases
- Knowledge transfer
- Exit management
- Complex e-Governance projects
- High performance & response time
- High security desired on operations but not a top priority to start with
- Multiple legacy environments
- Security framework
- Implementation of security standards
- Implementation of suitable access controls and authorization
- Preparation of RFPs which capture all the security requirements

Slide 18

Points of concern in Governments


- Letting vendors define good security
- Underestimating the required security expertise
- Assigning untrained people to maintain security
- Relying primarily on a firewall
- Thinking first of budget concerns, neglecting the value of their information and organizational reputations
- Authorizing reactive, short-term fixes so problems re-emerge rapidly

Slide 19

Top Security Myths


- Myth: Hackers cause most security breaches. In fact, 80% of data loss is caused by insiders.
- Myth: Encryption makes your data secure. In fact, encryption is only one approach to securing data. Security also requires access control, data integrity, system availability, and auditing.
- Myth: Firewalls make your data secure. In fact, 40% of Internet break-ins occur in spite of a firewall being in place!

Defining the risks , threats and vulnerabilities


Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset

Threat: Something that can potentially cause damage to the organization, IT Systems or network.

Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat

Slide 21

Threats
- External Parties
- Low awareness of security issues
- Employees
- Growth in networking and distributed computing
- Growth in complexity and effectiveness of hacking tools and viruses
- Natural Disasters, e.g. fire, flood, earthquake

Slide 22

Generic Threat Profile


Critical Information Assets are exposed to threats from:
- Inside, Accidental: Disclosure, Modification, Loss / Destruction, Interruption
- Inside, Deliberate: Disclosure, Modification, Loss / Destruction, Interruption
- Outside, Accidental: Disclosure, Modification, Loss / Destruction, Interruption
- Outside, Deliberate: Disclosure, Modification, Loss / Destruction, Interruption

Slide 23

Information Security Threats and Vulnerabilities


Client Threats: Until the introduction of executable Web content, Web pages were mainly static. Coded in Hyper Text Markup Language (HTML), static pages could do little more than display content and provide links to related pages with additional information. Widespread use of active content has changed this perception.

Active Content: Active content such as Java applets, ActiveX controls, JavaScript, and VBScript refers to programmes that are embedded transparently in Web pages and that cause action to occur. Embedding active content in Web pages involved in e-Governance introduces several security risks. Malicious active content delivered by means of cookies can reveal the content of client-side files or even destroy files stored on client computers.

Slide 24

Information Security Threats and Vulnerabilities


Malicious Codes: Computer viruses, worms and Trojan Horses are examples of malicious code. People are aware but may not be prepared to deal with such adversaries.

Server-side Masquerading: Masquerading lures a victim into believing that the entity with which it is communicating is a different entity. For example, if a user tries to log into a computer across the Internet but instead reaches another computer that claims to be the desired one, the user has been spoofed.

Communication Channel Threats: The Internet serves as the electronic chain linking a consumer (client) to the e-Gov server. Messages on the Internet travel randomly from a source node to a destination node. It is impossible to guarantee that every computer on the Internet through which messages pass is safe, secure, and non-hostile.

Slide 25

Information Security Threats and Vulnerabilities


Confidentiality Threats: Confidentiality is the prevention of unauthorised information disclosure. Use of the Internet definitely poses confidentiality threats to the messages sent.

Availability Threats: The purpose of availability threats, also known as delay or denial of service threats, is to disrupt normal computer processing or to deny processing entirely. Slowing any Internet service will deter citizens from using e-Gov services.

Server Threats: The server is the third link in the client-Internet-server trio embodying the e-Gov path between the citizens and the Government. Servers have vulnerabilities that can be exploited by anyone determined to cause destruction or to illegally acquire information.

Slide 26

Information Security Threats and Vulnerabilities


Web Server Threats: Web server software is not inherently high-risk; it has been designed with Web service and convenience as the main design goal. The more complex the software is, the higher the probability that it contains coding errors (bugs) and security holes.

e-Gov Server Threats: The e-Gov server, along with the Web server, responds to requests from Web browsers through the HTTP protocol and Common Gateway Interface (CGI) scripts. Several pieces of software comprise the e-Gov server software suite. Each of these pieces of software can have security holes and bugs.

Database Threats: Besides Government information, databases connected to the Web contain critical and private information that could irreparably damage an enterprise or citizen if it were disclosed or altered. Some databases store user name/password pairs in a non-secure way. If someone obtains user authentication information, then he or she can masquerade as a legitimate database user and reveal private and costly information.

Slide 27

Information Security Threats and Vulnerabilities


Common Gateway Interface Threats: A Common Gateway Interface (CGI) implements the transfer of information from a Web server to another programme, such as a database programme. Because CGIs are programmes, they present a security threat if misused.

Password Hacking: The simplest attack against a password-based system is to guess passwords. Guessing passwords requires that access to the complement, the complementation functions, and the authentication functions be obtained. If none of these have changed by the time the password is guessed, then the attacker can use the password to access the system.
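The Database Threats and Password Hacking points above can be made concrete with an added example (not part of the original slides) that stores the same constructed accounts once as plain user name/password pairs and once as a per-user salt plus scrypt output, then compares what a leaked copy of each table reveals. The function names, account names and scrypt parameters are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# scrypt cost parameters (assumed values for this example; tune to your hardware).
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def store_insecure(table, user, password):
    """The 'non-secure way': the table holds the password itself."""
    table[user] = password


def store_hardened(table, user, password):
    """Store only a random per-user salt and the scrypt output (the complement)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    table[user] = (salt, digest)


def verify_hardened(table, user, attempt):
    """Authentication function: recompute the complement, compare in constant time."""
    record = table.get(user)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.scrypt(attempt.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)


def exposed_passwords(table):
    """What a reader of a leaked table learns directly, without any guessing."""
    return {user: value for user, value in table.items() if isinstance(value, str)}


def build_demo():
    # Constructed sample accounts; the two users deliberately share a password.
    accounts = [("clerk01", "Monsoon#2011"), ("clerk02", "Monsoon#2011")]
    weak, strong = {}, {}
    for user, password in accounts:
        store_insecure(weak, user, password)
        store_hardened(strong, user, password)
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_demo()
    print("leaked insecure table exposes:", exposed_passwords(weak))
    print("leaked hardened table exposes:", exposed_passwords(strong))
    print("shared password gives same stored value:",
          strong["clerk01"][1] == strong["clerk02"][1])
    print("correct login accepted:", verify_hardened(strong, "clerk01", "Monsoon#2011"))
    print("wrong guess accepted:  ", verify_hardened(strong, "clerk01", "monsoon2011"))
```

With the hardened table, each guess costs one full scrypt computation per user, and the per-user salt means a guess that works for one account has to be recomputed for every other account.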

Slide 28

Threat Sources
Source: External Hackers, Internal Hackers
Motivation: Challenge, Ego, Game Playing, Deadline, Financial problems

Source: External Agents
Motivation: Revenge, Political

Source: Poorly trained employees
Motivation: Unintentional errors, Programming errors, Data entry errors

Threat: System hacking, Backdoors, Fraud, Poor documentation, System attacks, Letter bombs, Viruses, Denial of service, Corruption of data, Malicious code introduction, System bugs, Unauthorized access

Slide 29

Threat Sources
Categories of Threat, with examples:
- Human errors or failures: Accidents, employee mistakes
- Compromise to intellectual property: Piracy, copyright infringements
- Deliberate acts of espionage or trespass: Unauthorized access and/or data collection
- Deliberate acts of information extortion: Blackmail of information exposure / disclosure
- Deliberate acts of sabotage / vandalism: Destruction of systems / information
- Deliberate acts of theft: Illegal confiscation of equipment or information
- Deliberate software attacks: Viruses, worms, macros, denial of service
- Deviations in quality of service from service provider: Power and WAN issues
- Forces of nature: Fire, flood, earthquake, lightning
- Technical hardware failures or errors: Equipment failures / errors
- Technical software failures or errors: Bugs, code problems, unknown loopholes
- Technological obsolescence: Antiquated or outdated technologies

Slide 30

Threat Sources

High User Knowledge of IT Systems

Theft, Sabotage, Misuse

Virus Attacks

Systems & Network Failure

Lack Of Documentation

Lack of security

Natural Calamities & Fire

Slide 31

Relationships between assets , risks, threats , vulnerabilities


- Threat Agents give rise to a Threat
- A Threat exploits a Vulnerability
- A Vulnerability leads to Risks
- Risks can damage an Asset and cause an Exposure
- An Exposure can be countered by a Safeguard

Slide 32

Information Security
- Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.
- Information security enables an organization to meet its business objectives by implementing business systems with due consideration of information technology (IT)-related risks to the organization, business and trading partners, technology service providers, and most importantly CITIZENS.
- The terms information security, computer security and information assurance are frequently and incorrectly used interchangeably.
- These fields are often interrelated and share the common goals of protecting the confidentiality, integrity, availability, accountability and assurance of information.

Slide 33

IT Security
- IT Security means eliminating the disruption of business operations and reducing the exposure to various attacks.
- IT Security deals with several different trust aspects of information.
- Information security involves an architecture in which an integrated combination of appliances, systems and solutions, software, surveillance, and vulnerability scans work together.
- IT Security is not just confined to computer systems; it applies to all aspects of protecting information or data, in whatever form, i.e. Physical, People etc.
- Security is achieved using several strategies simultaneously or in combination with one another.

Slide 34

Security objectives
Organizations meet this goal by striving to accomplish the following objectives:

- Availability: The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information or systems.
- Integrity of Data or Systems: System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.
- Confidentiality of Data or Systems: Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.

Security objectives (contd..)


- Accountability: Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, security monitoring, recovery, and legal admissibility of records.
- Assurance: Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended.

Slide 36

Information security focus


- Protection of information assets
- Protection of Computer systems
- Protection of Data networks
- Protection of Databases & Applications
- Protection of end user environments
- Protection of Physical and environmental
- Security measures in Third Party Outsourcing
- Logical access control
- Disaster recovery Planning
- Security Audit
- Public Key Infrastructure
- Legal Frameworks and various initiatives by GoI

Elements of Information Security


- People: Organization staff
- Process: Our business process
- Technology: Technology which our business uses

Slide 38

Elements of Security.. People & Processes


People who use or interact with the Information:
- Management
- Employees
- Business Partners
- Service providers
- Contractors
- Citizens
- Regulators etc.

The processes refer to "work practices" or workflow:
- Helpdesk / Service management
- Incident Reporting and Management
- Change Requests process
- Request fulfillment
- Access management
- Identity management
- Service Level / Third-party Services Management
- IT procurement process etc.

Slide 39

Technology what we use to improve what we do


Network Infrastructure
- Cabling, Data/Voice Networks and equipment
- Telecommunications services (PABX), including VoIP services, ISDN, Video Conferencing
- Server computers and associated storage devices
- Operating software for server computers
- Communications equipment and related hardware
- Intranet and Internet connections
- VPNs and Virtual environments
- Remote access services
- Wireless connectivity

Application software
- Finance and assets systems, including Accounting packages, Inventory management, HR systems, Assessment and reporting systems
- Software as a service, instead of software as a packaged or custom-made product

Slide 40

Technology what we use to improve what we do


Physical Security components
- CCTV Cameras
- Clock-in systems / Biometrics
- Environmental management systems: Humidity Control, Ventilation, Air Conditioning, Fire Control systems
- Electricity / Power backup

Access devices
- Desktop computers
- Laptops, ultra-mobile laptops and PDAs
- Thin client computing
- Printers, Scanners, Photocopiers etc.

Slide 41

Information Security Management

Information Security: Confidentiality, Integrity, Availability, Authenticity, Assurance

People, Process, Technology:
- Security Policy
- Regulatory Compliance
- User Awareness Program
- Access Control
- Security Audit
- Incident Response
- Encryption, PKI
- Firewall, IPS/IDS
- Antivirus

Slide 42

A Structured Approach to Security Design


- For security to be effective it must be designed as a whole and applied consistently across an organization and its IT infrastructure.
- The steps to design the security of a system are to model the system, identify the security properties to be preserved, model the adversary, and then ensure that the security properties are preserved under attacks.
- Detailed modeling of the system and identification of the required security properties are possible.
- But it is almost impossible to accurately model the adversaries and the vulnerabilities of the system exploited by those adversaries.
- The result is that there is no such thing as absolute security.

Security Engineering Life Cycle


Security requirement

Security Policy

Security Infrastructure Specification

Security Infrastructure Implementation

Security Testing

Requirement Validation

Slide 44

Security Engineering Life Cycle


Security Requirement Specification and Risk Analysis: The first phase in the Security Engineering Life Cycle collects information regarding the assets of the organisation that need to be protected, the threat perception on those assets, associated access control policies, existing operational infrastructure, connectivity aspects, the services required to access the asset and the access control mechanism for the services.

Security Policy Specification: This phase takes the Security Requirement Specification and Risk Analysis Report as input and generates a set of e-Gov security policies. The policy statements are high-level, rule-based and generic in nature and therefore do not provide any insight into system implementation or equipment configuration.

Slide 45

Security Engineering Life Cycle


Security Infrastructure Specification: This phase analyses the Security Requirement Specification and the Security Policy Specification to generate a list of security tools that are needed to protect the assets. It also provides views on the location and purpose of the security tools.

Security Infrastructure Implementation: The organisation, in this phase, procures, deploys, and configures the selected security infrastructure at the system level.

Slide 46

Security Engineering Life Cycle


Security Testing: In this phase, several tests are carried out to test the effectiveness of the security infrastructure, functionality of the access control mechanism, specified operational context, existence of known vulnerabilities in the infrastructure etc.

Requirement Validation: This phase analyses the extent of fulfillment of the security requirements for implementing e-Governance organization by the corresponding security policy and the implemented security infrastructure. Change in the service goal, operational environment, and technological advancement may lead to a fresh set of security requirements, thereby triggering a new cycle of the Security Engineering Life Cycle.

Slide 47

e-Governance Security Assurance Framework (eSAFE)


- Categorization of Information Systems
- Baseline Control Selection
- Risk assessment
- Refinement of controls
- Implementation of controls
- Monitoring Effectiveness of Controls

Slide 48

Baseline Control Selection


Master Catalog of Security Controls: Complete set of security controls and control enhancements, from which the Low, Medium and High Baseline Controls are drawn.

- Low Baseline: Selection of a subset of security controls from the master catalog consisting of basic level controls
- Medium Baseline: Builds on Low Baseline with additional controls, and control enhancements selected from the master catalog
- High Baseline: Builds on Medium Baseline with additional controls, and control enhancements selected from the master catalog

Slide 49

Risk Assessment
Identify risks based on:
- Asset value
- Impacts
- Threats
- Vulnerabilities
- Asset loss exposure

Slide 50

Refinement & implementation of controls


- Determine desirable and mandatory controls
- Evaluate existing and mandatory controls
- Determine the refinements needed in the controls
- Implement controls
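The eSAFE steps from Baseline Control Selection through Refinement of controls can be traced in a short added example, which is not part of the original slides or of the eSAFE framework itself. The control identifiers, descriptions, sample system and the rule that a system takes the highest of its confidentiality, integrity and availability impact levels are all assumptions made for this illustration.

```python
LEVELS = ["low", "medium", "high"]

# Master catalog: control id -> (description, lowest baseline that includes it).
# Ids, descriptions and level assignments are constructed for this example.
MASTER_CATALOG = {
    "AC-01": ("Unique user IDs and passwords", "low"),
    "AV-01": ("Anti-virus on servers and clients", "low"),
    "NW-01": ("Perimeter firewall", "low"),
    "AU-01": ("Central audit logging", "medium"),
    "NW-02": ("IDS/IPS in front of the web tier", "medium"),
    "CR-01": ("Encryption of data in transit", "medium"),
    "AC-02": ("PKI-based login for operators", "high"),
    "DR-01": ("Tested disaster recovery site", "high"),
}


def baseline(level):
    """Cumulative baseline: every control tagged at this level or below."""
    rank = LEVELS.index(level)
    return {cid for cid, (_, lvl) in MASTER_CATALOG.items()
            if LEVELS.index(lvl) <= rank}


def categorize(impact):
    """Assumed rule: the system's category is its highest C/I/A impact."""
    return max(impact.values(), key=LEVELS.index)


def refine(impact, existing, risk_additions=()):
    """Return (category, required, missing, not_required) for one system.

    required     = baseline for the category plus controls the risk
                   assessment added on top of it
    missing      = refinements still to implement
    not_required = controls in place that the required set does not demand
    """
    existing = set(existing)
    additions = set(risk_additions)
    unknown = (existing | additions) - set(MASTER_CATALOG)
    if unknown:
        raise ValueError(f"not in master catalog: {sorted(unknown)}")
    category = categorize(impact)
    required = baseline(category) | additions
    return category, required, required - existing, existing - required


def demo():
    # Constructed system: a citizen information portal.
    impact = {"confidentiality": "low", "integrity": "medium",
              "availability": "medium"}
    existing = {"AC-01", "NW-01", "AC-02"}
    # Constructed risk-assessment finding: data centre in a flood-prone area.
    return refine(impact, existing, risk_additions={"DR-01"})


if __name__ == "__main__":
    category, required, missing, extra = demo()
    print("category:    ", category)
    print("required:    ", sorted(required))
    print("to implement:", sorted(missing))
    print("not required:", sorted(extra))
```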

Slide 51

Monitoring Effectiveness of Controls


- Monitor the controls in place
- Encourage testing
- Have a security audit
- Move towards complying with information security standards

Slide 52

References
- www.mit.gov.in
- www.egovonline.net

Slide 53
