Practical Cryptographic Applications

1
Practical Cryptographic Applications for
e-Governments and Private Industry Professor
Jaime Perez City University of Seattle, Bellevue,
WA USA jmperez_at_cityu.edu www.cityu.edu
IT-Cyber INFOSECESI Center Bulgaria
(www.esicenter.bg) Recent Developments in
Cryptography and Information Security August
29-31, 2007
National Institute of Education, Oriahovitza,
Bulgaria
2
Computer Visionaries Biggest Blunders
I think there is a world market for about five
computers.
Source Thomas J. Watson, Chairman of IBM, 1943
3
Computer Visionaries Biggest Blunders
There is no reason for any individual to have a
computer in their home.
Source Ken Olsen, President of Digital
Equipment Corporation, 1977
4
Computer Visionaries Biggest Blunders
In the early 80s, IBM Corp. gave up MS-DOS to
Bill Gates because the company thought the PC
market share would be rather small compared to
that of the mainframe market and they did not
want to tinker with small OSs.
5
Computer Visionaries Biggest Blunders
In the early 80s, the Dallas, Texas Billionaire
Ross Perot, who owned EDS at the time, turned
down Bill Gates private offer request to invest
eight million U.S. dollars in Microsoft.
6
Security Threat R(e)volution
Target and Scope of Damage
Miliseconds
GlobalInfrastructureImpact RegionalNetworks Mul
tipleNetworks IndividualNetworks IndividualComp
uter

• Next Gen
• Infrastructure hacking
• Flash threats
• Massive worm driven
• DDoS
• Damaging payload viruses and worms

Minutes/ Seconds

• 3rd Gen
• Network DoS
• Blended threat (worm virus trojan)
• Turbo worms
• Widespread system hacking

Days
Weeks

• 2nd Gen
• Macro viruses
• Email
• DoS
• Limited hacking

• 1st Gen
• Boot viruses

1980s
1990s
Today
Future
7
Worldwide Damage from Digital Attacks
This chart shows estimates of the average annual
worldwide damage from hacking, malware, and spam
since 1999. These data are based on figures from
mi2G and the authors.
8
The Culprits who will do anything to gain access!
9
A Holistic Approach to INFOSEC
Neighbors Network
Misconfigured Access Point
A laptop in your network connecting to a
neighboring Wi-Fi network exposing your corporate
data.
Cracker attacking your network through an
unofficial connection with a misconfigured AP.
Unofficial Access Point
Rogue Access Point
Cracker attacking your network through an
internal laptop acting as an unofficial software
access point.
Cracker attacking your network through an
unofficial access point connected to the network.
10
The Models of Security Classification

• Two types of classification models
• Used in public sector
• Top secret, secret, confidential, unclassified
• Used in the private sector
• Sensitive, confidential, public
• IMPORTANT Classification level combined with
  need-to-know basis should define actual access
  level.

11
Building Trust in E-commerce from Trust Models
12
Stages of e-Government Services
13
Entities of E-government Security
14
Information Security Standards, Benchmarks and
Guidelines
15
Information Security Standards, Benchmarks and
Guidelines(Continued)
16
Information Security Standards, Benchmarks and
Guidelines (Continued)
17

• TRUST AND SECURITY
• In a number of studies, there has been a link
  
• between trust and perceived security rather
  than
• security itself (Riedl 2004 Akhtar et al.
  2005,2006 ).
• In an EU study, Benchmarking Security and Trust
  in
• the EU and US, individual concerns about lack
  of
• trust and confidence in services provided
• electronically was found to be a significant
  barrier to
• the development of e-government and
  e-commerce.

18
TRUST AND SECURITY (Cont) The e-Europe 2005
Action Plan stresses the importance of on-line
security and trust for IS developments without
good performance indicators (for security)
firms, security suppliers and consumers will be
unable to make informed decisions about current
or desired level of security and privacy.
19
THE BOTTOM LINE

• Marchionini et al. 2003 Grant 2004 Lauer 2004
  Vriens and Achterbergh 2004 all postulated that
  the perception of the security implemented within
  egovernment needs to be disseminated to its
  citizenry (organisations as well as individuals)
  in order to build trust and,
• There needs to be transparency in the
  e-government process that engenders trust and
  confidence in the services being provided, as
  well as assurances of the citizens privacy.

20
IGNORANCE IS THE PROBLEM!

• Ignorance is no Excuse! Two distinct prevalent
  daily occurrences defined as (1) the lack of
  awareness and (2) the lack of awareness about
  the lack of awareness exhibited by users when it
  comes to information security policies.
• Not only do most employees not know, but they are
  totally unaware that they do not know, which
  increases the overall risks to the organization.

21
IT and Cyber Infrastructure Security Major
Providers
22
CISO APPOINTMENT

• A WIN-WIN Strategy
• In the face of the growing complexity of
  information systems in the modern digital age,
  every medium to large organization should appoint
  a CHIEF INFORMATION SECURITY OFFICER!