32 (1).docx
ISM-relevant laws: cybercrime laws; digital investigation laws; online safety laws; information security laws; data protection and privacy laws; freedom of information laws.

Entity vs identity: a many-to-many relationship
- An entity can have multiple identities.
- An identity can be claimed / used by multiple entities.

Identity management (IdM) is used to manage (create, maintain, expire) identities, including their mappings to entities.
- NIST: identity management systems are responsible for the creation, use, and termination of electronic identities.
- ISO: "processes and policies involved in managing the lifecycle and value, type and optional metadata of attributes in identities known in a particular domain".
- ITU-T: "A set of functions and capabilities (e.g., administration, management and maintenance, discovery, communication exchanges, correlation and binding, policy enforcement, authentication and assertions) used for:
  - assurance of identity information (e.g., identifiers, credentials, attributes);
  - assurance of the identity of an entity (e.g., users/subscribers, groups, user devices, organizations, network and service providers, network elements and objects, and virtual objects); and
  - supporting business and security applications".
IdM is used for authentication, accountability, and authorization and access control.
- Authentication: establishes which entities are being authenticated.
- Authorization: decides which entities are allowed access, and defines the access control policies.

Local and remote identity management
- IdM systems on local computing devices. Examples: the user management system on a local computer (e.g., a Windows PC using local accounts rather than a domain), the user management system in a local video game.
- IdM systems on remote servers. Examples: Active Directory Domain Services (Windows domain controllers), user management on remote servers / email servers / websites / any other online service.
- There is no clear cut between the two; where to draw the line is an ISM decision.

Attributes are "information bound to an entity that specifies a characteristic of the entity". An identifier is a special attribute of an entity. An attribute may be self-claimed by an entity, but may also be assigned by attribute authorities (AAs).
IdM is about verifying attribute assertions: an entity claims to hold one or more specific attributes (the identifier and others), and the system checks that claim.

Credentials are used to support the authentication of entities (one or both parties to an information exchange or transaction), or to store identifiers and/or attributes and support the authentication of identities. Examples: digital certificates, government-issued credentials, SIM cards, automatic teller machine (ATM) cards.

Federated identity management (FIM)
Problem: many people use more than one system (and device) at the same time, so managing a separate identity on each is complicated and error-prone for both users and managers. Many systems only need to authenticate one or more attributes of a user rather than the whole identity (e.g., that the account belongs to a student).
Solution: a federation that manages access control (authentication and authorization) across multiple systems, with single sign-on (SSO), where a user can access resources at many different systems by logging in just once.
FIM separates authentication from authorization:
- Authentication: between users and identity providers (IdPs).
- Authorisation: between users and service providers (SPs).
- Users and SPs trust IdPs; IdPs and SPs do not trust users.

Access control
- The access requester is a subject / principal, which can be a user or a non-user entity.
- The reference monitor enforces the access policies: it mediates every access request against them.

Accountability
Definition: the property that ensures that the actions of an entity may be traced uniquely to that entity.
Need for accountability: legal aspects; contractual obligations; business needs (quality assurance, performance monitoring, staff training, ...); ethical requirements; social goods; personal needs or wishes.
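Added example (not from the lecture notes): the FIM/SSO split above, written out in Go with a hypothetical IdP (the "alice" account and its password are constructed) and a hypothetical SP named "portal.example". The IdP authenticates and signs an assertion of attributes; the SP verifies that assertion with the IdP's public key, never seeing the password, and then its own reference monitor applies the access policy. The audience and expiry fields are there because without them an assertion issued for one SP can be replayed at another, or used indefinitely.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is the signed statement an IdP hands a user after authenticating her. The SP
// never sees the password: authentication is user<->IdP, authorisation is user<->SP.
type Assertion struct {
	Subject    string            `json:"sub"`   // the identifier, a special attribute
	Attributes map[string]string `json:"attrs"` // attributes the IdP asserts as attribute authority
	Audience   string            `json:"aud"`   // which SP this is for; blocks replay at another SP
	Expires    int64             `json:"exp"`   // unix seconds; assertions expire like any managed identity
}

// IdP holds a constructed (hypothetical) user directory and the signing key SPs trust.
type IdP struct {
	priv  ed25519.PrivateKey
	Pub   ed25519.PublicKey
	pw    map[string][32]byte // username -> sha256(password); a real IdP uses argon2id or bcrypt
	attrs map[string]map[string]string
}

func NewIdP() *IdP {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &IdP{priv: priv, Pub: pub,
		pw:    map[string][32]byte{"alice": sha256.Sum256([]byte("correct horse battery"))},
		attrs: map[string]map[string]string{"alice": {"role": "student"}}}
}

// Authenticate checks the password and returns a 5-minute assertion for one SP as
// (payload, detached signature). The constant-time compare runs even for unknown
// users, so response timing does not reveal which usernames exist.
func (i *IdP) Authenticate(user, password, audience string, now time.Time) ([]byte, []byte, error) {
	stored, known := i.pw[user]
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], stored[:]) != 1 || !known {
		return nil, nil, errors.New("authentication failed")
	}
	payload, err := json.Marshal(Assertion{user, i.attrs[user], audience, now.Add(5 * time.Minute).Unix()})
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(i.priv, payload), nil
}

// SP trusts the IdP's key for who the user is; its own policy (the reference monitor)
// decides what she may do. Resources absent from the policy are denied by default.
type SP struct {
	Name   string
	idpPub ed25519.PublicKey
	policy map[string]map[string]bool // resource -> roles allowed
}

func NewSP(name string, idpPub ed25519.PublicKey) *SP {
	return &SP{name, idpPub, map[string]map[string]bool{
		"/library": {"student": true, "staff": true},
		"/grades":  {"staff": true},
	}}
}

// Authorize checks signature, audience and expiry, then applies policy. It returns the
// verified subject even on denial, so the decision can be logged against a named entity.
func (s *SP) Authorize(payload, sig []byte, resource string, now time.Time) (string, error) {
	if !ed25519.Verify(s.idpPub, payload, sig) {
		return "", errors.New("assertion not signed by the trusted IdP")
	}
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return "", err
	}
	if a.Audience != s.Name || now.Unix() > a.Expires {
		return "", fmt.Errorf("assertion for %q rejected at %q: wrong audience or expired", a.Audience, s.Name)
	}
	if !s.policy[resource][a.Attributes["role"]] { // lookup in a nil map is simply false
		return a.Subject, fmt.Errorf("%s (role %q) denied %s", a.Subject, a.Attributes["role"], resource)
	}
	return a.Subject, nil
}

func main() {
	now, idp := time.Now(), NewIdP()
	sp := NewSP("portal.example", idp.Pub) // hypothetical SP name
	payload, sig, err := idp.Authenticate("alice", "correct horse battery", "portal.example", now)
	if err != nil {
		panic(err)
	}
	for _, r := range []string{"/library", "/grades"} {
		sub, err := sp.Authorize(payload, sig, r, now)
		fmt.Println(sub, r, "allowed:", err == nil, err)
	}
}
```

Note that the SP returns the subject even when it denies access: a denied request is still an event that must be traceable to the entity that made it, which is the accountability point the notes make next.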
Auditing
- Audit service: "a security service that records information needed to establish accountability for system events and for the actions of system entities that cause them".
- Security audit: "an independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures."
- Audit trails are examples of control measurements that are recorded as part of system operations.
- Related terms: "archive", "attack sensing, warning, and response", "identification protocol", "intrusion detection", "key management", "login", "policy", "time stamp".

Audit policies can define: the evidence to be collected; who can access it; who manages what; which investigations are to be triggered; post-incident actions; how staff training and communications should be organised.

Event logging. Events could be: policy changes; database changes; configuration changes; login events; authorization events; resource access events; ...
Who can do logging?
- Hardware: routers, firewalls, devices.
- Software: OS, applications, cloud services.
- Organisations: law enforcement agencies, ISPs.
- People: managers, admins, IT staff, security staff.
Logs can be stored on external memory (hard disk, portable media), in main memory, in cloud storage, in a database, at a remote service, or on special devices (e.g., mobile devices).

SIEM = Security Information and Event Management. Event logs are often managed as part of a SIEM system to facilitate data collection, storage, analysis and exchange. Much other data is also collected, e.g., data from IDSs/IPSs (intrusion detection/prevention systems), various software and hardware sensors, and external sources.
CTI = Cyber Threat Intelligence: useful data about cyber threats from different sources, e.g., Common Vulnerabilities and Exposures (CVE), online social media and the darknet.
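Added example (not from the lecture notes): an audit trail of the event types listed above, in Go, with one property the notes do not spell out and one SIEM-style rule. Each record is linked to the previous one by a hash chain, so an insider who edits or deletes an older record breaks every later link and an auditor can find the first bad entry. FailedLoginBursts is a simple correlation rule of the kind a SIEM runs over collected login events. All usernames, addresses and timestamps in SampleLog are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Event is one audit record: who did what, to what, when, from where, with what
// outcome. That is the minimum needed to trace an action back to one entity.
type Event struct {
	Time    int64  `json:"t"`   // unix seconds
	Subject string `json:"sub"` // authenticated entity, or the name attempted on a failed login
	Action  string `json:"act"` // login, authz, policy_change, config_change, db_change, ...
	Object  string `json:"obj"` // resource, setting or table touched
	Outcome string `json:"out"` // success | failure
	Source  string `json:"src"` // constructed sample address
}

// Entry is an Event plus its place in a hash chain: each hash commits to the previous
// one, so editing, deleting or reordering an older record breaks every later hash.
// An attacker with write access could still rewrite the whole chain, so the newest
// hash should be shipped off-box (e.g. to the SIEM) as an anchor.
type Entry struct {
	Event
	Prev string `json:"prev"`
	Hash string `json:"hash"`
}

func hashEntry(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // field order is fixed by the struct, so this is deterministic
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

type AuditLog struct{ Entries []Entry }

func (l *AuditLog) Append(e Event) {
	ent := Entry{Event: e}
	if n := len(l.Entries); n > 0 {
		ent.Prev = l.Entries[n-1].Hash
	}
	ent.Hash = hashEntry(ent)
	l.Entries = append(l.Entries, ent)
}

// Verify walks the chain and returns the index of the first entry whose link or
// hash does not check out, or -1 if the trail is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, ent := range l.Entries {
		if ent.Prev != prev || hashEntry(ent) != ent.Hash {
			return i
		}
		prev = ent.Hash
	}
	return -1
}

// Alert is what a SIEM correlation rule emits.
type Alert struct {
	Subject string
	Count   int
}

// FailedLoginBursts is one such rule: threshold or more failed logins for the same
// subject inside a sliding window. Entries are expected in chronological order.
func FailedLoginBursts(entries []Entry, threshold int, window time.Duration) []Alert {
	byUser := map[string][]int64{}
	for _, e := range entries {
		if e.Action == "login" && e.Outcome == "failure" {
			byUser[e.Subject] = append(byUser[e.Subject], e.Time)
		}
	}
	var alerts []Alert
	for sub, times := range byUser {
		for start, end := 0, 0; end < len(times); end++ {
			for times[end]-times[start] > int64(window/time.Second) {
				start++
			}
			if end-start+1 >= threshold {
				alerts = append(alerts, Alert{sub, end - start + 1})
				break
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Subject < alerts[j].Subject })
	return alerts
}

// SampleLog builds a constructed trail: one good login, a burst of failures for
// "mallory", two far-apart failures for "bob", and a policy change by "admin".
func SampleLog() *AuditLog {
	base, l := int64(1_700_000_000), &AuditLog{}
	l.Append(Event{base, "alice", "login", "sso", "success", "10.0.0.5"})
	for i := int64(0); i < 4; i++ {
		l.Append(Event{base + 10*i, "mallory", "login", "sso", "failure", "203.0.113.9"})
	}
	l.Append(Event{base + 100, "bob", "login", "sso", "failure", "10.0.0.7"})
	l.Append(Event{base + 120, "admin", "policy_change", "acl:/grades", "success", "10.0.0.2"})
	l.Append(Event{base + 1000, "bob", "login", "sso", "failure", "10.0.0.7"})
	return l
}

func main() {
	l := SampleLog()
	fmt.Println("intact:", l.Verify() == -1, "alerts:", FailedLoginBursts(l.Entries, 3, time.Minute))
	l.Entries[1].Outcome = "success" // an insider "cleans up" a failed-login record
	fmt.Println("first bad entry after tampering:", l.Verify())
}
```

The chain only makes tampering detectable, not impossible: the integrity of the trail ultimately rests on the head hash (or a signature over it) being held somewhere the person being audited cannot write, which is one reason logs are shipped to a separate SIEM rather than kept only on the host that produced them.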
CTI can be made part of the SIEM system or be managed separately. SIEM and CTI help provide the data and intelligence needed to support logging, auditing, accountability, etc.

Authentication techniques: accountability for users
Authentication without auditing is dangerous, because we need to know who is accountable for each action.
- Possession-based authentication: can be used to identify the hardware devices involved.
- Inherence-based authentication: can be used to identify the people involved.
- Context-based authentication: can be used to identify the contextual factors involved (e.g., geo-locations).
- Risk-based authentication: can be used to identify audit trails that require more attention.
- Continuous authentication: can be used to create a continuous audit trail of each user throughout a session, not only at login.

Authorisation: accountability for the authoriser
Authorisation without auditing is dangerous, as the authoriser should be responsible for all authorisation decisions. The grantor (authoriser) needs to know what the authorisee has been doing (accountability of the authoriser). The access control policy makers should be responsible for any policy decisions made (accountability of the policy makers). Delegation without auditing is dangerous too (accountability of the delegator and the delegate).

Non-repudiation
Non-repudiation means an entity cannot later deny an action, e.g., proof of origin (who sent a message) or proof of receipt; it gives a reliable record of who did what.
Techniques: digital signatures, since only the holder of the private key can produce a valid signature. MACs (message authentication codes) on their own do not give non-repudiation: the key is shared, so the verifier could have produced the tag as easily as the sender.
Trusted third parties:
- Certificate Authorities issue and verify digital certificates (binding a signing key to an identity).
- Identity Providers manage and verify digital identities.
- Credential issuers issue verifiable credentials (VCs), and credential verifiers verify them.
- Governments issue passports.
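Added example (not from the lecture notes): the non-repudiation point above played out in Go. A recipient who shares an HMAC key with the sender fabricates an order and "proves" it with a tag; an arbiter holding the shared key accepts it, because nothing distinguishes a tag made by the sender from one made by the recipient. The same recipient cannot fabricate an Ed25519 signature under the sender's public key. The two messages are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Evidence is a message plus whatever was attached to authenticate it: an HMAC tag
// (shared key) or an Ed25519 signature (private key held by the sender only).
type Evidence struct {
	Msg  []byte
	Auth []byte
}

func MakeMAC(sharedKey, msg []byte) Evidence {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return Evidence{msg, m.Sum(nil)}
}

// VerifyMAC is all an arbiter can do with the shared key: confirm the tag matches.
// It cannot say which key holder produced it, because both hold the same key.
func VerifyMAC(sharedKey []byte, ev Evidence) bool {
	return hmac.Equal(MakeMAC(sharedKey, ev.Msg).Auth, ev.Auth)
}

func MakeSig(priv ed25519.PrivateKey, msg []byte) Evidence {
	return Evidence{msg, ed25519.Sign(priv, msg)}
}

// VerifySig needs only the sender's public key, so anyone (recipient, auditor,
// court) can check it, and only the private-key holder could have produced it.
func VerifySig(senderPub ed25519.PublicKey, ev Evidence) bool {
	return ed25519.Verify(senderPub, ev.Msg, ev.Auth)
}

// Dispute plays the scenario: the recipient fabricates an order and tries to pin it
// on the sender. It reports whether an arbiter would accept the fabricated evidence
// under each technique, and whether the sender's genuine signature still verifies.
func Dispute() (macForgeryAccepted, sigForgeryAccepted, genuineSigOK bool) {
	sharedKey := make([]byte, 32)
	if _, err := rand.Read(sharedKey); err != nil {
		panic(err)
	}
	senderPub, senderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, recipientPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := []byte("pay 10 to bob")       // constructed: what the sender really sent
	fabricated := []byte("pay 10000 to bob") // constructed: never sent by the sender

	// The recipient holds the shared MAC key, so its forged tag is indistinguishable
	// from one the sender would have made.
	macForgeryAccepted = VerifyMAC(sharedKey, MakeMAC(sharedKey, fabricated))
	// The recipient does not hold the sender's private key; the best it can do is
	// sign with its own key, which fails against the sender's public key.
	sigForgeryAccepted = VerifySig(senderPub, MakeSig(recipientPriv, fabricated))
	genuineSigOK = VerifySig(senderPub, MakeSig(senderPriv, genuine))
	return
}

func main() {
	m, s, g := Dispute()
	fmt.Println("MAC forgery accepted:", m, "| signature forgery accepted:", s, "| genuine signature verifies:", g)
}
```

A signature is only as non-repudiable as the binding behind it: some trusted party (a CA, an IdP, a credential issuer, as listed above) has to have tied the public key to the entity, and the private key has to have stayed exclusively with that entity. A stolen or shared signing key turns "I never signed that" back into a plausible claim, which is why key management appears in the audit-related terms earlier.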
Insider threat detection
More than 50% of organisations have insider threats against them.
- Malicious insiders (e.g., employees who steal / sell trade secrets).
- Negligent insiders (e.g., employees who did not follow policies).
- Unintentional insiders (e.g., employees who mis-communicate).
- Infiltrators: external parties who have gained access to internal systems and therefore temporarily become an "insider".
Detection involves monitoring and logging of all systems, internal and external.

Digital forensics & eDiscovery are used for establishing accountability.
- Digital forensics / digital investigation: the scientific tasks, techniques and practices used in the investigation of stored or transmitted binary information or data for legal purposes.
- eDiscovery: discovery that includes the identification, preservation, collection, processing, review, analysis, or production of electronically stored information (ESI).

SOCs (Security Operations Centres) are key in enabling accountability in an organisation.
Definition: a centralized function within an organization employing people, processes, and technology to continuously monitor and improve an organization's security posture while preventing, detecting, analysing, and responding to cybersecurity incidents.
Activities: integration, management and review of traffic feeds; protective monitoring; initial triage and analysis; vulnerability management; alerting and response; incident management; root cause analysis; patching & remediation; correlation management; SIEM tuning; continuous improvement; key management.

CSIRTs, a.k.a. CERT / CIRT = Cyber/Computer Security Incident Response Team.
CSIRT vs SOC: a CSIRT has a narrower scope (incident response) than a SOC. By definition a SOC serves a single organisation, whereas a CSIRT often goes beyond an organisation and serves a whole sector, a nation or a larger region. They work together and share resources, and in practice there is no clear dividing line between them. CSIRTs may not be in charge of accountability.

Cyber incident management consists of:
- Prepare: policies, operational capabilities (people, tools).
- Handle: communicate, analyse, mitigate.
- Follow up: return to normal operations; identify and implement lessons learned.

ISACs = Information Sharing and Analysis Centres. They help enhance the effectiveness and efficiency of a whole sector's / nation's / region's ISM and cyber incident response capabilities (example given: NCSC). CSIRTs and ISACs work together and often have overlapping constituencies; cross-CSIRT organisations act as ISACs between CSIRTs.

Historical context of the EU and Brexit
- The European Single Market: free movement of goods, capital, services and persons for EU and some non-EU nations (now excluding the UK).
- The Europe 2020 strategy had the main aims of smart (youth and digital), sustainable and inclusive growth (jobs), to overcome weaknesses in Europe's economy and improve competitiveness and productivity. Many of these targets are completed, and this strategy sets the historical context for many important cyber-related pieces of legislation.
- EU Digital Single Market, part of the EU's agenda. Stands for: access to online products and services; conditions for digital networks and services to grow; growth of the EU's digital economy. To meet these objectives it needs to cover e-commerce, copyright, cybersecurity and crime, the data economy, privacy, digital skills and research, which require legal frameworks, plus one more freedom: the free movement of non-personal data.

Terms
- Regulations: immediately enforceable as law in all EU member states simultaneously. No national legislation is required, although EU member states can still pass some (e.g., for additional rules).
- Directives: legally binding, but must be implemented by each EU member state in its own way (normally in the form of national legislation).
- Decisions: legally binding, but only on those they are addressed to (e.g., a member state, a company or an individual).
- Recommendations: legally non-binding.
- Opinions: legally non-binding.
UK: Acts of Parliament; Acts of the Scottish Parliament, and the equivalent for Wales; statutory instruments (secondary / delegated legislation). After Brexit many EU laws were embedded into UK law; some are taking longer to be replaced, and some may never be replaced.

Cybercrime laws
- Cyber-dependent crime (≈ the computer as a target).
- Cyber-enabled crime (≈ the computer as a tool).
UK Computer Misuse Act 1990: all about authorisation.
1. Unauthorised access to computer material.
2. Unauthorised access to computer material with intent to commit or facilitate commission of further offences.
3. Unauthorised acts with intent to impair the operation of a computer, etc.
3A. Making, supplying or obtaining articles for use in offences under sections 1 or 3.
3ZA. Unauthorised acts causing, or creating a significant risk of, serious damage.
UK Serious Crime Act 2015: created the new offence (section 3ZA above) of unauthorised acts in relation to a computer that result, directly or indirectly, in serious damage. Maximum sentence: life for causing loss of life, serious illness or injury, or damage to national security; 14 years for creating a risk of serious economic or environmental damage or social disruption.
EU cybercrime laws: the EU Cybercrime Directive (attacks against information systems: cyber-dependent crime across the EU) and the EU Directive on Child Sexual Abuse (including the use of technology).
UK RIPA = Regulation of Investigatory Powers Act (2000). Regulates public bodies' powers of surveillance and investigation. It:
- enables certain public bodies to demand that an ISP provide access to a customer's communications in secret;
- enables mass surveillance of communications in transit;
- enables certain public bodies to demand that ISPs fit equipment to facilitate surveillance;
- enables certain public bodies to demand that someone hand over keys to protected information;
- allows certain public bodies to monitor people's Internet activities;
- prevents the existence of interception warrants, and any data collected with them, from being revealed in court.

UK Investigatory Powers Act (2016). Regulates the electronic surveillance powers of UK intelligence agencies and police:
- new powers for targeted and bulk interception of communications and collection of communications data;
- requiring CSPs/ISPs to retain Internet connection records for one year;
- allowing many authorities to see Internet connection records without a warrant;
- permitting targeted equipment interference (i.e., "hacking");
- a legal obligation on CSPs to cooperate;
- maintaining the existing requirement for CSPs to remove encryption (where it was applied by the CSP);
- new criminal offences related to access to Internet data.
UK IPA in action: British ISPs collaborating on a government initiative for the collection of Internet Connection Records.

UK Online Safety Act: to make the UK "the safest place in the world to be online" while defending free expression. Aims: "prevent the spread of illegal content and activity such as images of child abuse, terrorist material and hate crimes, including racist abuse; protect children from harmful material; protect adults from legal but harmful content". Penalties: fines of up to £18 m (or 10% of qualifying worldwide revenue, whichever is greater).

EU NIS Directive. Main goal: boost the overall level of cyber security across the whole EU, ensured by preparedness + cooperation + a security culture across sectors. It requires EU member states to be appropriately equipped, e.g., via a national CSIRT and a competent national NIS authority.
UK NIS Regulations: part of the National Cyber Security Strategy. Competent authorities:
- Digital service providers: Information Commissioner's Office (ICO). The ICO is also in charge of data protection and freedom of information laws.
- Digital infrastructure: Office of Communications (Ofcom).
- Other sectors: drinking water supply and distribution, energy (electricity, gas, oil), health, transport (air, maritime, road, rail). The NIS authorities are often different for the four countries of the UK.

EU eIDAS Regulation (eIDAS = electronic IDentification, Authentication and trust Services). The aim is "to improve trust in EU-wide electronic transactions and to increase the effectiveness of ... online services and e-commerce", regulating electronic identification (eID) schemes and trust service providers, with a voluntary EU trust mark for qualified trust services.

In the future... Self-sovereign identity (SSI) = giving control back to users!
- Claim issuers issue identities (claims) to users.
- Each user controls her/his own identities.
- A user presents (part of) her/his identity to a verifier, so that the latter can verify the presented identity (i.e., the relevant attribute(s)).
- Such user-controlled identities can be represented in the form of verifiable credentials.
- Can be based on decentralised identifiers (DIDs) or on more traditional (centralised) identities.
Verifiable credentials (VCs): electronic credentials that individual users can hold and get verified by others when needed, in the context of SSI. Uses: age verification, parking permits, COVID immunity passports.

Convention on Cybercrime (Council of Europe, "Budapest Convention"): deals with infringement of copyright, computer-related fraud, child pornography and violations of network security.
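Added example (not from the lecture notes, and not any standard's format): the SSI / verifiable-credential flow above in Go, showing how a user can present only part of her identity. The issuer never signs the attribute values; it signs a list of salted hashes of them, so the holder can later reveal any subset (claim plus salt) and the verifier checks each revealed claim against the signed list without learning the rest. The issuer name "did:example:university", its key pair, and Alice's attributes are all constructed; Setup stands in for a DID-document or trust-registry lookup that is assumed rather than shown. The approach mirrors the salted-digest idea used by selective-disclosure credential formats, simplified for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Claim is one attribute of the holder. The 16-byte random salt stops a verifier from
// guessing low-entropy values such as "over18":"true" by hashing candidates.
type Claim struct {
	Name  string `json:"name"`
	Value string `json:"value"`
	Salt  string `json:"salt"`
}

func digest(c Claim) string {
	b, _ := json.Marshal(c)
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// signedBody is what the issuer signs: its name and the sorted digests, never the values.
func signedBody(issuer string, digests []string) []byte {
	b, _ := json.Marshal([]interface{}{issuer, digests})
	return b
}

// Credential as held in the wallet carries every Claim. A presentation is the same
// structure with Claims cut down to what the holder chooses to reveal.
type Credential struct {
	Issuer  string
	Digests []string // sorted, so position reveals nothing about which claim is which
	Sig     []byte   // issuer signature over signedBody(Issuer, Digests)
	Claims  []Claim
}

// Setup makes a hypothetical issuer key pair and the verifier's trust list for it,
// standing in for a DID document or trust-registry lookup (assumed, not shown).
func Setup(issuer string) (ed25519.PrivateKey, map[string]ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, map[string]ed25519.PublicKey{issuer: pub}
}

// Issue salts and hashes every attribute, then signs the sorted digest list.
func Issue(issuerPriv ed25519.PrivateKey, issuer string, attrs map[string]string) (Credential, error) {
	cred := Credential{Issuer: issuer}
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, err
		}
		c := Claim{name, value, hex.EncodeToString(salt)}
		cred.Claims = append(cred.Claims, c)
		cred.Digests = append(cred.Digests, digest(c))
	}
	sort.Strings(cred.Digests)
	cred.Sig = ed25519.Sign(issuerPriv, signedBody(issuer, cred.Digests))
	return cred, nil
}

// Present keeps only the named claims (salts included); the holder decides, not the issuer.
func (c Credential) Present(names ...string) Credential {
	p := Credential{Issuer: c.Issuer, Digests: c.Digests, Sig: c.Sig}
	for _, cl := range c.Claims {
		for _, n := range names {
			if cl.Name == n {
				p.Claims = append(p.Claims, cl)
			}
		}
	}
	return p
}

// Verify checks the issuer signature over the digest list, then that each revealed claim
// hashes to a digest in that list. A reordered list would fail the signature check, so a
// verified Digests slice is known to be sorted and binary search is safe.
func Verify(trusted map[string]ed25519.PublicKey, p Credential) (map[string]string, error) {
	pub, ok := trusted[p.Issuer]
	if !ok {
		return nil, errors.New("unknown issuer")
	}
	if !ed25519.Verify(pub, signedBody(p.Issuer, p.Digests), p.Sig) {
		return nil, errors.New("issuer signature invalid")
	}
	out := map[string]string{}
	for _, cl := range p.Claims {
		d := digest(cl)
		if i := sort.SearchStrings(p.Digests, d); i == len(p.Digests) || p.Digests[i] != d {
			return nil, fmt.Errorf("claim %q not covered by issuer signature", cl.Name)
		}
		out[cl.Name] = cl.Value
	}
	return out, nil
}

func main() {
	priv, trusted := Setup("did:example:university") // hypothetical issuer
	cred, _ := Issue(priv, "did:example:university", map[string]string{"name": "Alice", "student": "true", "over18": "true"})
	fmt.Println(Verify(trusted, cred.Present("over18"))) // the verifier learns over18 only
	p := cred.Present("student")
	p.Claims[0].Value = "false" // edited claim: its digest is no longer in the signed list
	fmt.Println(Verify(trusted, p))
}
```

What this deliberately leaves out is holder binding: nothing here stops someone who copies Alice's presentation from replaying it, so a real scheme also has the holder prove possession of a key that the issuer bound into the credential, and verifiers check revocation against the issuer. The verifier also learns how many claims the credential holds (the length of Digests), which is a known leakage of this simple construction.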
Its aim is to pursue a common criminal policy aimed at protecting society against cybercrime, and it reaches beyond CoE states (USA, Canada, Japan, etc.).
EU Data Retention Directive: invalidated by the Court of Justice of the EU (2014) for violating the right to privacy. Key rules: member states had to store citizens' telecommunications data for 6 to 24 months; police and security agencies would be able to request access to such data (with permission from a court).

Identity vs identifier (ID): identities are normally identified via a unique identifier, to avoid ambiguity in the authentication process.
- Real vs virtual. Example: a person's real name vs a person's pen name.
- Physical vs electronic. Example: a person's real name vs a person's email address.