Title: Status of Information Security in Uganda

Slide 1: Status of Information Security in Uganda
- by Constantine Bitwayiki
- Director, Research, Innovations, Monitoring and Evaluation
- Chairperson, National ICT/e-Government Planning Team, National Planning Authority
- Presented at the EAC Regional Consultative Meeting on Information Security, 27-28 April 2006, Grand Imperial Hotel, Kampala, Uganda
Slide 2: Agenda
- Two-part presentation
- Part 1: Security on the Internet
- Part 2: Risk Management
Slide 3: Systems Security
- Refers to the protection of all of the firm's information resources from threats by authorized parties
- Identify vulnerabilities and implement the required countermeasures and safeguards
Slide 4: Why Internet?
- Real-time information sharing with partners
- More responsive and less expensive customer support facilities
- New sales and advertising channels
- Improved communications and information sharing within an organisation
Slide 5: Internet Security Concerns
- Authentication
- Confidentiality
- Data integrity
- Availability
- Authorised use
- Non-repudiation
Slide 6: Security Areas
- Communications security
- Computer security
- Physical security
- Personnel security
- Media security e.g. papers, magnetic media
- Email control security
- Networks security
- Data security
- Incident handling
- Business continuity
Slide 7: Specific Examples
- System penetration, i.e. hacking and modifying system settings
- Spoofing/masquerading
- Unauthorised disclosure
- Unauthorised action, e.g. altering a web site
- Eavesdropping
- Data alteration
Slide 8: Specific Examples (cont)
- Loss of funds
- Password cracking/brute force
- Learning secrets from the computer trash bin
- Virus
- Trojan horse
- Denial of service
Slide 9: Approach to Security
- A holistic approach to security is required, i.e. technology, people, and processes
- Security is only as strong as your weakest link
- Security should support business objectives
Slide 10: Good Security Infrastructure (1)
- A strong commitment from management
- A staff dedicated to security tasks
- A well-defined security mission statement
Slide 11: Good Security Infrastructure (2)
- A well-developed security awareness training programme
- Clearly defined, implemented and documented security policies and procedures which are supplied to everyone within your organisation
Slide 12: Good Security Infrastructure (3)
- A strong flow of information to and from the appropriate groups
- A security incident response team
- External and internal security perimeter controls (e.g. firewalls)
- A suite of host- and network-based security auditing and improvement tools
- Buy secure software (e.g. operating system, web servers, firewall, payment/banking) and adhere to security configuration guidelines
Slide 13: Information Security Tools
- Physical protection for computers
- Network systems management
- Digital certificate
- Strong authentication
- Access control
- Audit and tracing software
- Backup and disaster recovery
- Biometric software
- Wireless communications security
Slide 14: Information Security Tools (cont)
- Clearing of trash bins
- Anti-Virus Tools
- Firewalls
- Encryption
- PKI
- Virtual Private Networks
- Intrusion Detection Systems
Slide 15: Specific Security Tools
- Host-based auditing tools
  - COPS, NCARP, Crack, Tiger, Tripwire, logcheck, tklogger, SAFEsuite, NetSonar
- Network traffic analysis and intrusion detection tools
  - tcpdump, synsniff, NetRanger, NOCOL, NFR, RealSecure, Shadow
- Security management and improvement tools
  - Crack, localmail, smrsh, logdaemon, npasswd, op, passwd, S4-kit, sfingerd, sudo, swatch, watcher, wuftpd, LPRng
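The host-based auditing tools listed above (Tripwire in particular) work by recording a baseline of file digests and attributes and later reporting what was added, removed or changed. The following is an added illustration in Python, not code from the presentation or from Tripwire itself: it baselines a small constructed directory tree in a temporary folder, simulates three kinds of tampering, and reports the differences. The file names, contents and the `demo()` scenario are all constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits (including setuid/setgid)
    for every regular file below root, keyed by its relative POSIX path."""
    root = Path(root)
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": file_digest(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def compare_baseline(old, new):
    """Tripwire-style report: files added, removed, or whose record changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"\x7fELF-constructed-binary")

        baseline = build_baseline(root)  # taken while the system is known-good

        # Simulated tampering: an extra uid-0 account appended to passwd,
        # a configuration file deleted, and an unexpected file dropped in bin/.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n"
        )
        (root / "etc" / "hosts").unlink()
        (root / "bin" / ".hidden").write_text("unexpected")

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline must be stored where an intruder cannot rewrite it (read-only media or a separate host), since a checker that trusts a writable baseline is easily blinded.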
Slide 16: Specific Security Tools (cont)
- Firewall, proxy and filtering tools
  - fwtk, ipfilter, ipfirewall, portmap v3, SOCKS, tcp_wrappers, smapd
- Network-based auditing tools
  - Nmap, Nessus, SATAN, SAFEsuite
- Encryption tools
  - md5, md5check, PGP, rpem, UFC-crypt
Slide 17: Specific Security Tools (cont)
- One-time password tools
  - OPIE, S/Key
- Secure remote access and authorisation tools
  - RADIUS, TACACS, SSL, SSH, Kerberos
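S/Key and OPIE defeat the eavesdropping and password-replay threats named earlier by using a hash chain: the server stores only H^n(seed), and each login presents the previous link H^(n-1), which the server can verify with one hash but which nobody can derive from the values that went over the wire. The code below is an added example of that mechanism, not the S/Key or OPIE implementation: it substitutes SHA-256 for the original hash functions and a random seed for the passphrase-derived secret, and the `OtpServer`/`OtpClient` names and the `demo()` exchange are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def otp_chain(seed, n):
    """Return [H^0(seed), H^1(seed), ..., H^n(seed)] using SHA-256 (simplified)."""
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class OtpServer:
    """Keeps only the last accepted link and a counter; never stores the seed."""

    def __init__(self, seed, n):
        self.counter = n
        self.last = otp_chain(seed, n)[-1]  # H^n(seed)

    def challenge(self):
        """Sequence number the client must answer with: H^(counter-1)(seed)."""
        return self.counter - 1

    def verify(self, candidate):
        if self.counter <= 0:
            return False  # chain exhausted: re-initialise with a fresh seed
        # Accept only if hashing the candidate once reproduces the stored link.
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), self.last):
            self.last = candidate      # move one link down the chain
            self.counter -= 1
            return True
        return False


class OtpClient:
    """Holds the secret seed and recomputes the requested link on demand."""

    def __init__(self, seed):
        self.seed = seed

    def respond(self, sequence):
        return otp_chain(self.seed, sequence)[-1]  # H^sequence(seed)


def demo():
    """Constructed exchange: three logins, one replay attempt, then exhaustion."""
    seed = secrets.token_bytes(16)  # constructed; S/Key derives this from a passphrase
    server = OtpServer(seed, n=3)
    client = OtpClient(seed)
    results = []
    first = client.respond(server.challenge())        # H^2
    results.append(server.verify(first))              # True: H(H^2) == H^3
    results.append(server.verify(first))              # False: replay of a used password
    results.append(server.verify(client.respond(server.challenge())))  # True: H^1
    results.append(server.verify(client.respond(server.challenge())))  # True: H^0 = seed
    results.append(server.verify(seed))               # False: chain exhausted
    return results


if __name__ == "__main__":
    print(demo())
```

The replay in `demo()` fails because the server moved to expecting the next link down; an observer who recorded H^2 would need to invert SHA-256 to produce H^1, which is what makes these passwords safe to type over an unencrypted session.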
Slide 18: Part 2 - Risk Assessment
Slide 19: Key Definitions
- Threat: something that can potentially cause damage to the network or computer system
- Risk: the possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset
- Vulnerability: a weakness in the organisation, computer system, or network that can be exploited by a threat
Slide 20: Relationship between Risk, Threats and Vulnerabilities
[Diagram: threats exploit vulnerabilities; vulnerabilities expose the information asset; threats, vulnerabilities and the asset's value increase risk; risk indicates what must be met by controls; controls protect against threats. Source: ISO/IEC TR 13335 (GMITS)]
Slide 21: Procedure of Risk Analysis
- Risk analysis: assessment of the threats to and vulnerabilities of information assets
- Risk assessment: the overall process of risk analysis and risk evaluation
- Risk management: the process of identifying, controlling and minimising or eliminating security risks that may affect information systems
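The definitions on slides 19 to 21 and the ISO/IEC TR 13335 relationship diagram describe a procedure that is easier to see worked through: list the threat/vulnerability/asset combinations, score each one, compare the scores against a tolerance, and choose controls until the residual risk is acceptable. The following is an added example in Python, not code from the presentation or from any ISO standard: it uses a simple 1-5 likelihood times 1-5 asset-value scale, a greedy choice of controls, and a constructed set of scenarios drawn from the threats listed on slides 7, 8 and 14. The scale, the `SCENARIOS`, `CONTROLS` and `TOLERANCE` values are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # 1..5: damage to the organisation if the asset is lost or altered


@dataclass(frozen=True)
class Scenario:
    """One risk: a threat that could exploit a vulnerability in an asset."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int  # 1..5, estimated before any control is applied


@dataclass(frozen=True)
class Control:
    name: str
    vulnerability: str  # the weakness this control mitigates
    reduction: int      # likelihood levels it removes for that weakness


def residual_likelihood(scenario, controls):
    reduction = sum(c.reduction for c in controls if c.vulnerability == scenario.vulnerability)
    return max(1, scenario.likelihood - reduction)


def risk_score(scenario, controls=()):
    """Risk = residual likelihood that the threat exploits the vulnerability x asset value."""
    return residual_likelihood(scenario, controls) * scenario.asset.value


def risk_analysis(scenarios, controls=()):
    """Risk analysis: score every scenario, highest risk first."""
    rows = [(risk_score(s, controls), s.asset.name, s.threat, s.vulnerability) for s in scenarios]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def risk_evaluation(scenarios, tolerance, controls=()):
    """Risk evaluation: the scenarios whose score still exceeds the tolerance."""
    return [r for r in risk_analysis(scenarios, controls) if r[0] > tolerance]


def risk_management(scenarios, candidates, tolerance):
    """Risk management (greedy): add the control that cuts total risk most,
    until every scenario is within tolerance or no control helps any more."""
    chosen, remaining = [], list(candidates)

    def total(ctrls):
        return sum(risk_score(s, ctrls) for s in scenarios)

    while risk_evaluation(scenarios, tolerance, chosen) and remaining:
        best = max(remaining, key=lambda c: total(chosen) - total(chosen + [c]))
        if total(chosen) - total(chosen + [best]) <= 0:
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen, risk_evaluation(scenarios, tolerance, chosen)


# Constructed register for the example (values are assumptions, not survey data).
PAYMENTS = Asset("payment server", 5)
WEBSITE = Asset("public web site", 3)
ARCHIVE = Asset("archived records", 2)
EMAIL = Asset("email service", 3)

SCENARIOS = [
    Scenario(PAYMENTS, "password cracking/brute force", "weak passwords", 4),
    Scenario(WEBSITE, "unauthorised action (web site altered)", "unpatched web server", 4),
    Scenario(ARCHIVE, "unauthorised disclosure", "secrets in trash bin", 3),
    Scenario(EMAIL, "denial of service", "no rate limiting", 2),
]

CONTROLS = [
    Control("strong authentication (one-time passwords)", "weak passwords", 3),
    Control("patch management and firewall", "unpatched web server", 2),
    Control("clearing of trash bins / shredding", "secrets in trash bin", 2),
]

TOLERANCE = 8  # constructed: scores above this must be treated


if __name__ == "__main__":
    for row in risk_analysis(SCENARIOS):
        print("before:", row)
    selected, residual = risk_management(SCENARIOS, CONTROLS, TOLERANCE)
    print("controls:", [c.name for c in selected])
    print("still above tolerance:", residual)
```

Note how the greedy selection treats the payment server first (score 20) even though the web site defacement is the more likely event; weighting by asset value is what keeps the procedure aligned with business objectives rather than with whichever threat is most visible.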
Slide 22: Common Best Practice Controls - ISO/IEC 17799 10 Control Areas
Slide 23: PDCA of Security Policies
Once the security policy is established, the policy must be introduced and revised periodically, following the Plan, Do, Check, Act (PDCA) cycle:
- PLAN: 1. Establish security policy; 2. Conduct risk analysis
- DO: 3. Implement security controls; 4. User training
- CHECK: 5. Security audit
- ACT: 6. Improve
Slide 24: Areas for Government Intervention
- Mandate an institution to regulate information security issues
- Comprehensive information security strategy
- Undertake a government-wide risk assessment of information systems
- Legal and regulatory environment
Slide 25: Areas for Government Intervention (2)
- Develop/adopt suitable standards, guidelines and procedures
- Cross-border collaboration
- Promote consumer rights bodies
- Create public awareness of information security
Slide 26: References (1)
- International Organization for Standardization information security guidelines
  - ISO/IEC 17799, Code of Practice for Information Security Management
  - ISO/TR 13335, Guidelines for the Management of IT Security (GMITS)
  - ISO/IEC 15408, Evaluation Criteria for IT Security (CC, Common Criteria)
  - ISO/IEC 21827, The Systems Security Engineering Capability Maturity Model (SSE-CMM)
Slide 27: References (2)
- Organisation for Economic Co-operation and Development (OECD) information security guidelines
  - OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, 2002
  - OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Slide 28: References (3)
- Internet Engineering Task Force (IETF) information security guidelines
  - RFC 1281, Guidelines for the Secure Operation of the Internet
  - RFC 2196, Site Security Handbook
- Books, journals, internet, etc.
Slide 29: Thank You
Contact: juliustorach_at_yahoo.com, 256-77-2333695