Status of Information Security in Uganda

1
Status of Information Security in Uganda

• by
• Constantine Bitwayiki
• Director/Research, Innovations, Monitoring
  Evaluation
• Chairperson National ICT/e-Government Planning
  Team
• National Planning Authority
• Presented at the
• EAC Regional Consultative meeting on Information
  Security
• 27-28 April 2006, GRAND IMPERIAL HOTEL, KAMPALA,
  UGANDA

2
Agenda

• Two-part presentation
• Security on the Internet
• Risk Management

3
Systems Security

• Refers to protection of all of the firms
  information resources from threats by authorized
  parties
• Identify vulnerabilities and implement the
  required counter measures and safeguards

4
Why Internet?

• Real-time information sharing with partners
• More responsive and less expensive customer
  support facilities
• New sales and advertising channels
• Improved communications and information sharing
  within an organisation

5
Internet Security Concerns

• Authentication
• Confidentiality
• Data integrity
• Availability
• Authorised use
• Non-repudiation

6
Security Areas

• Communications security
• Computer security
• Physical security
• Personnel security
• Media security e.g. papers, magnetic media
• Email control security
• Networks security
• Data security
• Incident handling
• Business continuity

7
Specific Examples

• System penetration i.e. hacking and modifying
  system settings
• Spoofing/masquerading
• Unauthorised disclosure
• Unathorised action e.g. altering of web site
• Eavesdropping
• Data alteration

8
Specific Examples

• Loss of funds
• Password cracking/brute force
• Learning secrets from computer thrash bin
• Virus
• Trojan horse
• Denial of service

9
Approach to security

• A holistic approach to security required i.e.
  technology, people, and processes
• Security is as strong as your weakest link
• Security should support business objectives

10
Good Security Infrastructure (1)

• A strong commitment from management
• A staff dedicated to security tasks
• A well-defined security mission statement

11
Good Security Infrastructure (2)

• A well developed security awareness training
  programme
• Clearly defined, implemented and documented
  security policies and procedures which are
  supplied to everyone within your organisation

12
Good Security Infrastructure (3)

• A strong flow of information to and from the
  appropriate groups
• A security incident response team
• External and internal security parameter controls
  (e.g. firewalls)
• A suite of host and network based security
  auditing and improvement tools
• Buy secure software e.g. operating system, web
  servers, firewall, payment/banking, and adhere to
  security configuration guidelines

13
Information Security Tools

• Physical protection for computers
• Network systems management
• Digital certificate
• Strong authentication
• Access control
• Audit and tracing software
• Backup and disaster recovery
• Biometric software
• Wireless communications security

14
Information Security Tools

• Clearing of thrash bins
• Anti-Virus Tools
• Firewalls
• Encryption
• PKI
• Virtual Private Networks
• Intrusion Detection Systems

15
Specific Security Tools

• Host-based auditing tools
• COPS, NCARP, crack, Tiger, Tripwire, logcheck,
  tklogger, safesuite, Netsonar
• Network traffic analysis intrusion detection
  tools
• Tcpdump, synsniff, NetRanger, NOCOL, NFR,
  RealSecure, Shadow
• Security Management and improvement tools
• Crack, localmail, smrsh, logdaemon, npasswd, op,
  passwd, S4-kit, sfingerd, sudo, swatch, watcher,
  wuftpd, LPRng

16
Specific Security Tools

• Firewall, proxy and filtering tools
• Fwtk, ipfilter, ipfirewall, portmap v3, SOCKS,
  tcp_wrappers, smapd
• Network-based auditing tools
• Nmap, nessus, SATAN, safesuite
• Encryption tools
• Md5, md5check, PGP, rpem, UFC-crypt

17
Specific Security Tools (cont)

• One-Time Passwords Tools
• OPIE, S/Key
• Secure Remote Access and Authorisation Tools
• RADIUS, TACACS, SSL, SSH, Kerberos

18
Pt 2Risk Assessment
19
Key Definitions

• Threat Something that can potentially cause
  damage to the network or computer system
• Risk A possibility that a threat exploits a
  vulnerability in an asset and causes damage or
  loss to the asset
• Vulnerability A weakness in the organisation,
  computer system, or network that can be exploited
  by a threat

20
Relationship between Risk, Threats and
Vulnerabilities
exploit
Threats
Vulnerabilities
expose
increase
protect against
increase
Information Asset
Risk
Controls
indicate
have
Met by
increase
Threats
Threats
Source ISO/IEC TR 13335 (GMITS)
21
Procedure of Risk Analysis

• Risk Analysis Assessment of threats and
  vulnerabilities of information assets
• Risk Assessment Overall process of risk analysis
  and risk evaluation
• Risk Management Process of identifying,
  controlling and minimising or eliminating
  security risks that may affect information systems

22
COMMON BEST PRACTICE CONTROLS ISO/IEC 17799 10
CONTROL AREAS
23
PDCA of Security Policies
Once the security policy is established, the
policy must be introduced and revised
periodically, following the Plan, Do, Check, Act
(PDCA) cycle
PLAN 1. Establish Security Policy 2. Conduct
Risk Analysis
DO 3. Implement Security Controls 4. User
Training
ACT 6. Improve
CHECK 5. Security Audit
24
Areas for Government Intervention

• Mandate an institution to regulate information
  security issues
• Comprehensive information security strategy
• Undertake government-wide risk assessment on
  information systems
• Legal and regulatory environment

25
Areas for Government Intervention (2)

• Develop/adopt suitable standards, guidelines and
  procedures
• Cross-border collaboration
• Promote consumer rights bodies
• Create public awareness on information security

26
References (1)

• International Organization for Standardization
  information security guidelines
• ISO/IEC 17799 Code of Practice for Information
  Security Management
• ISO/TR13335 Guidelines for the Management of IT
  Security (GMITS)
• ISO/IEC15408 Evaluation Criteria for IT Security
  (CC Common Criteria)
• ISO/IEC 21827 The Systems Security Engineering
  Capability Maturity Model (SSE-CMM)

27
References (2)

• Organization for Economic Cooperation and
  Development (OECD) information security
  guidelines
• OECD Guidelines for the Security of Information
  Systems and Networks Towards a culture of
  Security 2002
• OECD Guidelines on the Protection of Privacy and
  Transborder Flows of Personal Data

28
References (3)

• Internet Engineering Task Force (IETF)
  information security guidelines
• RFC1281 Guidelines for the Secure Operation of
  the Internet
• RFC2196 Site Security Handbook
• Books, journals, internet, etc

29
Thank You
juliustorach_at_yahoo.com 256-77-2333695