Status of Information Security in Uganda - PowerPoint PPT Presentation
1
Status of Information Security in Uganda
  • by Constantine Bitwayiki
  • Director, Research, Innovations, Monitoring and Evaluation
  • Chairperson, National ICT/e-Government Planning Team
  • National Planning Authority
  • Presented at the EAC Regional Consultative Meeting on Information Security
  • 27-28 April 2006, Grand Imperial Hotel, Kampala, Uganda

2
Agenda
  • Two-part presentation
  • Security on the Internet
  • Risk Management

3
Systems Security
  • Refers to the protection of all of the firm's information resources from threats by unauthorised parties
  • Identify vulnerabilities and implement the required countermeasures and safeguards

4
Why Internet?
  • Real-time information sharing with partners
  • More responsive and less expensive customer
    support facilities
  • New sales and advertising channels
  • Improved communications and information sharing
    within an organisation

5
Internet Security Concerns
  • Authentication
  • Confidentiality
  • Data integrity
  • Availability
  • Authorised use
  • Non-repudiation

6
Security Areas
  • Communications security
  • Computer security
  • Physical security
  • Personnel security
  • Media security e.g. papers, magnetic media
  • Email control security
  • Networks security
  • Data security
  • Incident handling
  • Business continuity

7
Specific Examples
  • System penetration, i.e. hacking into a system and modifying its settings
  • Spoofing/masquerading
  • Unauthorised disclosure
  • Unauthorised action, e.g. altering a web site
  • Eavesdropping
  • Data alteration

8
Specific Examples
  • Loss of funds
  • Password cracking/brute force
  • Learning secrets from the computer trash bin (dumpster diving)
  • Virus
  • Trojan horse
  • Denial of service

9
Approach to security
  • A holistic approach to security is required, covering technology, people and processes
  • Security is only as strong as its weakest link
  • Security should support business objectives

10
Good Security Infrastructure (1)
  • A strong commitment from management
  • A staff dedicated to security tasks
  • A well-defined security mission statement

11
Good Security Infrastructure (2)
  • A well-developed security awareness training programme
  • Clearly defined, implemented and documented security policies and procedures, supplied to everyone within your organisation

12
Good Security Infrastructure (3)
  • A strong flow of information to and from the appropriate groups
  • A security incident response team
  • External and internal security perimeter controls (e.g. firewalls)
  • A suite of host- and network-based security auditing and improvement tools
  • Buy secure software (e.g. operating system, web servers, firewall, payment/banking) and adhere to its security configuration guidelines

13
Information Security Tools
  • Physical protection for computers
  • Network systems management
  • Digital certificate
  • Strong authentication
  • Access control
  • Audit and tracing software
  • Backup and disaster recovery
  • Biometric software
  • Wireless communications security

14
Information Security Tools
  • Clearing of trash bins
  • Anti-Virus Tools
  • Firewalls
  • Encryption
  • PKI
  • Virtual Private Networks
  • Intrusion Detection Systems

15
Specific Security Tools
  • Host-based auditing tools: COPS, NCARP, crack, Tiger, Tripwire, logcheck, tklogger, safesuite, Netsonar
  • Network traffic analysis and intrusion detection tools: tcpdump, synsniff, NetRanger, NOCOL, NFR, RealSecure, Shadow
  • Security management and improvement tools: crack, localmail, smrsh, logdaemon, npasswd, op, passwd, S4-kit, sfingerd, sudo, swatch, watcher, wuftpd, LPRng

16
Specific Security Tools
  • Firewall, proxy and filtering tools: fwtk, ipfilter, ipfirewall, portmap v3, SOCKS, tcp_wrappers, smapd
  • Network-based auditing tools: Nmap, Nessus, SATAN, safesuite
  • Encryption and integrity tools: MD5, md5check, PGP, rpem, UFC-crypt

17
Specific Security Tools (cont.)
  • One-time password tools: OPIE, S/Key
  • Secure remote access and authorisation tools: RADIUS, TACACS, SSL, SSH, Kerberos
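S/Key and OPIE defeat the password-sniffing and replay threats on slides 7 and 8 with a hash chain: the client computes s[0] = H(seed || passphrase) and s[i] = H(s[i-1]); the server stores only s[n] and a counter, and each login submits the previous element, which the server verifies with one hash and then keeps as the next verifier. The code below is an added example of that scheme written for this page, not code from S/Key, OPIE or the presentation. It deliberately simplifies the real protocols: SHA-256 replaces the folded MD4/MD5 of RFC 1760, raw bytes replace the six-word encoding, and the passphrases, seed length and chain length are constructed for the example.

```python
import hashlib
import hmac
import os


def h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for S/Key's 64-bit folded MD4/MD5.
    return hashlib.sha256(data).digest()


def otp_chain(seed: bytes, secret: bytes, n: int) -> list:
    """s[0] = H(seed || secret), s[i] = H(s[i-1]); s[n] is handed to the server at enrolment."""
    chain = [h(seed + secret)]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class OTPClient:
    """Holds only the passphrase; every one-time password is recomputed from it on demand."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, seed: bytes, k: int) -> bytes:
        return otp_chain(seed, self.secret, k)[k]


class OTPServer:
    """Stores (seed, counter, verifier); the verifier is H of the next acceptable password."""

    def __init__(self, seed: bytes, n: int, verifier: bytes):
        self.seed, self.n, self.verifier = seed, n, verifier

    def challenge(self) -> tuple:
        # Analogous to S/Key's challenge "otp-md5 98 ke1234": index and seed are public.
        return self.n - 1, self.seed

    def verify(self, candidate: bytes) -> bool:
        if self.n < 1:
            return False  # chain exhausted: re-enrol with a fresh seed
        if not hmac.compare_digest(h(candidate), self.verifier):
            return False  # wrong passphrase, or a replay of an already consumed element
        self.verifier, self.n = candidate, self.n - 1  # step one link down the chain
        return True


def enrol(client: OTPClient, n: int = 100) -> OTPServer:
    """Enrolment happens over a trusted channel; the server never learns the passphrase."""
    seed = os.urandom(8)
    return OTPServer(seed, n, otp_chain(seed, client.secret, n)[n])


def demo() -> dict:
    """Constructed session: three logins, one replay, one wrong passphrase, then exhaustion."""
    alice = OTPClient(b"correct horse battery staple")
    mallory = OTPClient(b"guessed passphrase")
    server = enrol(alice, n=3)

    k, seed = server.challenge()
    first = alice.respond(seed, k)
    login1 = server.verify(first)                         # accepted, counter 3 -> 2
    replay = server.verify(first)                         # sniffed and replayed: rejected
    k, seed = server.challenge()
    wrong_secret = server.verify(mallory.respond(seed, k))  # different chain: rejected
    login2 = server.verify(alice.respond(seed, k))        # accepted, counter -> 1
    k, seed = server.challenge()
    login3 = server.verify(alice.respond(seed, k))        # accepted, counter -> 0
    k, seed = server.challenge()
    exhausted = server.verify(alice.respond(seed, max(k, 0)))  # nothing left to accept
    return {"login1": login1, "replay": replay, "wrong_secret": wrong_secret,
            "login2": login2, "login3": login3, "exhausted": exhausted}


if __name__ == "__main__":
    print(demo())
```

The security property to notice is that a sniffer who captures s[k] cannot derive s[k-1], the next password, because that would mean inverting H; and because the server replaces its verifier after each success, the captured value is useless for replay. The scheme does not protect the session after login, which is why the deck pairs it with SSH and SSL on the same slide.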

18
Part 2: Risk Assessment
19
Key Definitions
  • Threat: something that can potentially cause damage to the network or computer system
  • Risk: the possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset
  • Vulnerability: a weakness in the organisation, computer system or network that can be exploited by a threat

20
Relationship between Risk, Threats and Vulnerabilities
[Diagram of the ISO/IEC TR 13335 (GMITS) model; only its labels survived extraction. Recoverable relationships: threats exploit vulnerabilities; vulnerabilities expose the information asset; threats and vulnerabilities increase risk; controls protect against threats. Edge labels present without their endpoints: "increase", "indicate", "have", "met by".]
Source: ISO/IEC TR 13335 (GMITS)
21
Procedure of Risk Analysis
  • Risk analysis: assessment of the threats to and vulnerabilities of information assets
  • Risk assessment: the overall process of risk analysis and risk evaluation
  • Risk management: the process of identifying, controlling and minimising or eliminating security risks that may affect information systems
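The GMITS model on slide 20 and the three definitions above describe a procedure: for each asset, pair threats with vulnerabilities, score the risk, apply controls and compare the residual risk with what the organisation will accept. The following is an added example of a small risk register that carries that procedure through in code; it is written for this page and is not taken from ISO/IEC TR 13335 or the presentation. The 1 to 5 qualitative scales, the likelihood/impact reductions assigned to each control, the risk appetite and the register entries are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumption: how much each control lowers likelihood or impact on a 1..5 scale.
# Illustrative values only; a real register would justify each from evidence.
CONTROL_EFFECT = {
    "firewall": {"likelihood": 2},
    "one-time passwords": {"likelihood": 2},
    "offsite backups": {"impact": 2},
    "integrity checker": {"impact": 1},
}


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                 # chance the threat exploits the vulnerability (1 rare .. 5 expected)
    impact: int                     # loss to the asset if it does (1 negligible .. 5 severe)
    controls: list = field(default_factory=list)


def inherent_risk(item: RiskItem) -> int:
    """Risk before controls: threat likelihood times impact on the asset."""
    return item.likelihood * item.impact


def residual_risk(item: RiskItem) -> int:
    """Risk after controls; neither scale is allowed to drop below 1, since no control removes a risk entirely."""
    likelihood, impact = item.likelihood, item.impact
    for name in item.controls:
        effect = CONTROL_EFFECT.get(name, {})
        likelihood -= effect.get("likelihood", 0)
        impact -= effect.get("impact", 0)
    return max(1, likelihood) * max(1, impact)


def risk_assessment(register: list, appetite: int) -> list:
    """Risk analysis (score every item) followed by risk evaluation (compare with appetite),
    ranked so the treatment plan starts with the largest residual risk."""
    rows = []
    for item in register:
        residual = residual_risk(item)
        rows.append({
            "asset": item.asset,
            "threat": item.threat,
            "inherent": inherent_risk(item),
            "residual": residual,
            "decision": "accept" if residual <= appetite else "treat",
        })
    return sorted(rows, key=lambda r: (-r["residual"], r["asset"]))


# Constructed register using threats from slides 7 and 8 and controls from slides 13 to 17.
REGISTER = [
    RiskItem("payment server", "password brute force", "telnet login with reusable passwords",
             likelihood=5, impact=5, controls=["one-time passwords"]),
    RiskItem("web site", "unauthorised alteration", "unpatched web server",
             likelihood=4, impact=3, controls=["firewall", "integrity checker"]),
    RiskItem("customer records", "virus", "no offline backup",
             likelihood=3, impact=4, controls=[]),
]


if __name__ == "__main__":
    for row in risk_assessment(REGISTER, appetite=8):
        print(f"{row['asset']:18} {row['threat']:24} inherent={row['inherent']:2} "
              f"residual={row['residual']:2} -> {row['decision']}")
```

The ranking shows why the model separates analysis from evaluation: the payment server keeps the highest residual risk even after one-time passwords, because the impact side is untouched, so the treatment plan for it should add a control that limits impact rather than another one that only lowers likelihood.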

22
Common Best Practice Controls: ISO/IEC 17799, 10 Control Areas
23
PDCA of Security Policies
Once the security policy is established, it must be introduced and revised periodically, following the Plan, Do, Check, Act (PDCA) cycle:
  • PLAN: 1. Establish security policy; 2. Conduct risk analysis
  • DO: 3. Implement security controls; 4. User training
  • CHECK: 5. Security audit
  • ACT: 6. Improve
24
Areas for Government Intervention
  • Mandate an institution to regulate information
    security issues
  • Comprehensive information security strategy
  • Undertake government-wide risk assessment on
    information systems
  • Legal and regulatory environment

25
Areas for Government Intervention (2)
  • Develop/adopt suitable standards, guidelines and
    procedures
  • Cross-border collaboration
  • Promote consumer rights bodies
  • Create public awareness on information security

26
References (1)
  • International Organization for Standardization (ISO) information security guidelines
  • ISO/IEC 17799, Code of Practice for Information Security Management
  • ISO/IEC TR 13335, Guidelines for the Management of IT Security (GMITS)
  • ISO/IEC 15408, Evaluation Criteria for IT Security (Common Criteria, CC)
  • ISO/IEC 21827, Systems Security Engineering Capability Maturity Model (SSE-CMM)

27
References (2)
  • Organisation for Economic Co-operation and Development (OECD) information security guidelines
  • OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (2002)
  • OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

28
References (3)
  • Internet Engineering Task Force (IETF) information security guidelines
  • RFC 1281, Guidelines for the Secure Operation of the Internet
  • RFC 2196, Site Security Handbook
  • Books, journals, the internet, etc.

29
Thank You
juliustorach_at_yahoo.com 256-77-2333695