230 likes | 369 Views
DSD and E-Security. Tim Burmeister Information Security Policy Defence Signals Directorate Tim.Burmeister@dsd.gov.au. E-security in Government Today. Risk Management Greater prevalence of mixed environments Service delivery vs. secure operating environments. The Future ….
E N D
DSD and E-Security Tim Burmeister Information Security Policy Defence Signals Directorate Tim.Burmeister@dsd.gov.au
E-security in Government Today • Risk Management • Greater prevalence of mixed environments • Service delivery vs. secure operating environments
The Information Security Business • DSD has been doing it for over 50 years • But we no longer have a monopoly • Government used to provide its own solutions • Now everyone seems to be in on the act
Costs • Melissa: $80 million damage • I Love You: $10 billion damage • Software piracy: $ 7.5 billion
Diverse Sources of ‘Attack’ • Chernobyl: June 1998, Taiwan • Melissa: March 1999, US • I love You: May 2000, The Philippines • Kournikova: Feb 2001, The Netherlands
Infrastructure Attacks • 1996 - 911 Services, Florida • 1997 - regional airport disruption, US • 1999 - threat to power supplies, Belgium
Computer Hacker Caused Sewage Overflows, Police Say An alleged computer hacker caused raw sewage to overflow on Queensland's Sunshine Coast by using radio transmissions to alter council sewage pump stations, police said today. The charges include stealing, computer hacking and using radio communications equipment without authority. Police will allege the man caused the overflows of sewage into Maroochy Shire waterways late last year and early this year using radio transmissions to alter council sewage pump stations. (Australian Associated Press, 23/5/2000)
More Coordinated Attacks The so-called Israeli/Palestinian Cyberwar
Infrastructure Attacks But what don’t we know about?
‘We’re in Trouble…’ Sources: attrition, alldas
‘Or maybe not…’ Sources: attrition, alldas
DSD’s Functions From the 1986 government directive: • Provide material, advice and assistance to Commonwealth Government Departments and authorities and the Defence Force on matters relevant to the security and integrity of official information, and or loss or compromise of which could adversely affect National Security; and • Provide advice on request to Commonwealth Government Departments and authorities in relation to other sensitive official information unrelated to National Security.
Functions of DSD 7 … (c) to provide material, advice and other assistance to Commonwealth and State authorities on matters relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means; and (d) to provide assistance to Commonwealth and State authorities in relation to cryptography and communications technologies. Intelligence Services Bill, 2001
DSD and E-Security • The Australasian Information Security Evaluation Program (AISEP) • Advice and Assistance • Computer Network Vulnerability Team • Protection of the National Information Infrastructure
AISEP Evaluation • Evaluation is the thorough examination of a product’s security claims using a defined criteria. • Australia uses two evaluation criteria • Common Criteria • ITSEC • Common Criteria is the more recent evaluation criteria • Broad scope of mutual recognition internationally
Concept of Assurance • Assurance is: • The degree of confidence in the claimed security features of a product or system. • Defined by a Security Target.
The EPL • DSD lists products that have completed evaluation on the EPL (certified) • Certification Reports available • Use in conjunction with the published Security Target • Products that are ‘In-Evaluation’ are also listed on the EPL • Buyer beware • Can not provide the same level of assurance
And this is good because … • there are products available which are known to perform appropriately • not just for government use • use in the private sector can help to promote a more secure IT environment
establishing IT security policy guidance on setting up IT networks providing assistance to departments in securing their IT systems performing internet gateway certifications for government whole of Government infrastructure Gatekeeper (a public key infrastructure) Fedlink (secure network connecting all departments) Advice and Assistance
keep abreast of known vulnerabilities in software and equipment research, test software and equipment for potential new problems perform security audits on client's systems and networks incident response capability Computer Network Vulnerability Team
two broad roles intelligence (threat and vulnerability assessments, other products) incident response, together with ASIO and the AFP incident reporting scheme for commonwealth government agencies ISIDRAS currently Onsecure Website, in concert with NOIE National Information Infrastructure
Known threats and unknown threats DSD helps government prepare itself for both Conclusion