Hilton Chan PhD, Vice-chairman Information Security and ... · Extending the traditional CIA Model...

Page 1:

Hilton Chan PhD, Vice-chairman Information Security and Forensics Society

(email: [email protected])

© copyright by Hilton Chan, May 2000

Page 2:

Corporate Information Protection

• Firewall
• Intrusion Detection
• Anti-virus
• Audit Trail
• Access Control
• Password / PIN
• Virtual Private Network
• Penetration Test
• System/Data Backup
• Business Contingency Planning
• IT Crisis Management
• Encryption / Public Key Infrastructure
• User Awareness Training
• Incident Investigation
• Data Recovery
• Computer Forensics

Page 3:

Corporate Information Protection? What about IT Security, computer security, and data security?

Page 4:

Data (Yesterday)

• Numbers
• Words
• Records

Page 5:

[Diagram: Information vs. Technology. Labels recovered from the slide: Data, Information, Knowledge; Computer (calculator), Data Processing Systems, Information Systems, Networking Systems, Cyber Products, Cyber Services; Multi-media systems (TV), Decision support systems, AI / Expert systems, etc.; Telecommunication system (Telephone), LAN, WAN, distributed network, INTERNET; Cyber World (Virtual Reality).]

Page 6:

Knowledge Economy (Personal, Social and Commercial Activities)

E-mail, Voice mail, Video phone, E-cash, Digitized video (movie)/audio (music), Encryption keys, Digital signatures, Search engines, News group, Business web sites, IRC/ICQ, Cyber advertisement, Chat groups, Internet Content/carrier service providers, E-auction, Cyber-entertainment, Cyber-medical services, Video conference, E-business, etc., Internet Shopping, Virtual Reality

Data → Intellectual Products/Services

Page 7:

Data Security

• CIA or AIC Model (Confidentiality, Integrity and Availability)
• DDUM (Destruction, Disclosure, Use and Modification)

Page 8:

Computer/IT Security

• Data Security
• Technology Dimension (Computers, Telecommunication Networks, Software)

Page 9:

Information Security

• Data Security
• Computer/IT Security
• Business dimension (legal/social/ethical)

Page 10:

Extending the traditional CIA Model

• Confidentiality and Possession - Secrecy and Control
• Integrity and Authenticity - Completeness and Validity
• Availability and Utility - Usability and Usefulness

Source: Donn Parker 1998

Page 11:

Four Phase model – DIER (Discovery, Investigation, Escalation and Revelation)

Page 12:

Discovery
- Deterrence (User Awareness Program)
- Prevention (Firewall, Anti-virus, Penetration Test)
- Warnings (Intrusion Detection, Audit Trail Analysis)

Investigation
- Computer Forensics/Evidence Gathering (Tracing, Logs Analysis)
- System Restoration (Disaster Recovery, IT Crisis Management, Business Contingency)
- Problem-solving

Page 13:

Escalation
- Internal
- External (PR Strategy – Business Partners, Public, Law Enforcement, Stakeholders)

Revelation
- Post-restoration (Policy Review, BPR, Organization restructuring, Strategic repositioning)
- Legal Action (Computer Forensics & Digital Evidence)


Page 15:

Business Contract
• Eye-witnesses, paper, ink, signature, company seal, watermark, fingerprint, DNA (saliva), etc.
• Process and procedures (laws in the physical science)

e-Contract
• PKI (keys), digital signature, time stamp, digital watermark, anti-virus software, intelligent agent, etc.
• Process and procedures (virtual reality)

Additional considerations:
- key management (key escrow, key deposit, key recovery, etc.)


Page 17:

• People
• Data/Information
• Technology
• Environment
• Process

Page 18:

Corporate Information Security Model

[Diagram; labels recovered from the slide: Crime Investigation, People, Data/Information, Environment, Technology, Process, Computer Security.]

Page 19:

Incident
• Intentional (Crime)
• Careless/Reckless
• Omission
• Accidental

• Motive (greed, anger, revenge, jealousy, etc.)
• Knowledge/Professionalism
• Foresight
• Experience
• Creativity

Page 20:

© copyright by Hilton Chan, November 2000

Page 21:

Information Protection

Use of Data/Information
• Control (view, amend, add, delete, ……)
• Ownership (proprietary, co-owned, shared, ……)
• User (individual, team, group, corporate, all, ……)

Page 22:

Information Protection

Content of Data/Information
• Validity
• Completeness
• Relevancy
• Timeliness

* assessment/grading by human or AI

Page 23:

Information Protection

Source of Data/Information
• Reliability
• Single vs. Multiple
• Open vs. Covert

* assessment/grading by human or AI

Page 24:

Information Protection - Multidisciplinary Approach

• Law – Criminal Justice System
• Accounting – IT Audit
• IT Security
• Computer Forensics
• Standards – Technical and Management Practice
• International Cooperation
• Public Awareness and Education

Page 25:

What should Corporate Information Protection achieve?

• Business Enabler (Competitive Advantage)
• IT Enabler (Operational Efficacy)
• Simple (Transparent to the users)
• Customer-centric (Privacy and Trustworthy)
