Information Security and Privacy
A vision for inter-disciplinary research in Information Security
Andrew Martin (with Ashiyan Rahmani-Shirazi)
Oxford University Computing Laboratory
ISPP seminar series, 17th January 2011
The information age needs information security
almost everything of value has a digital existence today
– whether it solely exists in the digital domain or merely casts a shadow, or something in between
– whether that value is in monetary terms or something less tradable, such as privacy
that fact is plainly not lost on those with criminal intent
– of course, it is the value which attracts them
– and some items with value may be subject to collateral damage
Whose problem is this?
technologists? cryptographers? lawyers? educators? economists? politicians? regulators? business leaders? the military? social scientists? psychologists?
Example 1 (credit: Paul England, Microsoft)
Most of our computer operating systems are designed around an administrator
this person is given all power; ‘full control’
we assume that
– the administrator is wise
– the administrator is good
– the administrator is knowledgeable
image source: http://www.boerner.net/jboerner/wp-content/uploads/2009/10/1955tradic.gif
Example 1
One of these is today’s administrator
this person is given all power; ‘full control’
we assume that
– the administrator is wise
– the administrator is good
– the administrator is knowledgeable
Example 1
One or more of these is today’s administrator
this person is given all power; ‘full control’
we assume that
– the administrator is wise
– the administrator is good
– the administrator is knowledgeable
Example 1
These violated assumptions can be remedied in many ways
– make the unwise liable
– explicitly tie liability to control
– education, education, education
– reducing the extent of their ‘full control’
None is completely satisfactory
Example 2
Example 3
![Page 10: Information Security and Privacy A vision for inter-disciplinary research in Information Security Andrew Martin (with Ashiyan Rahmani-Shirazi) Oxford University.](https://reader038.fdocuments.us/reader038/viewer/2022102900/55189aca550346991f8b460a/html5/thumbnails/10.jpg)
Example 4
Interdisciplinary perspectives on IT Security
With particular reference to perspectives on International Relations & Human Rights
Ashiyan Rahmani-Shirazi
DDOS on Human Rights NGOs
'Distributed Denial of Service (DDoS) is an increasingly common Internet phenomenon capable of silencing Internet speech, usually for a brief interval but occasionally for longer. In this paper, we explore the specific phenomenon of DDoS attacks on independent media and human rights organizations, seeking to understand the nature and frequency of these attacks, their efficacy, and the responses available to sites under attack. Our report offers advice to independent media and human rights sites likely to be targeted by DDoS but comes to the uncomfortable conclusion that there is no easy solution to these attacks for many of these sites, particularly for attacks that exhaust network bandwidth.'
Berkman Center for Internet & Society report, "Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites" by Ethan Zuckerman et al., December 20th 2010.
IT Security & IR - sample attack
SQL injection attack carried out on the UN website homepage in August 2007
Social Media & Political Change
Twitter and Iran (WashingtonPost)
– The US State Department asked Twitter to delay scheduled maintenance in June to avoid disrupting communications among tech-savvy Iranian citizens
– Cyberactivism can also be harmful: many calls for Twitter users to participate in cyber-attacks on pro-government Web sites in Iran.
China, Power & the Net.
China and Google (www.arstechnica.com)
Facebook and Twitter are blocked for their ability to organize groups with anti-government intentions
Leading Chinese video sites Youku.com and Tudou.com actively monitor submissions and delete those that they consider inappropriate or in violation of Chinese law.
Chinese government attack on pro-Tibetan NGOs
Attack on NGO critical of Chinese policy in Darfur
Five DDOS attacks on Chinese human rights activist websites in January 2010
Threat Analysis
Insider attacks - including recent Wikileaks attacks on US Government.
Organisational Facebook policy/Twitter policy?
'Enemy' governmental attacks, e.g. intrusion into human rights NGOs by human-rights-abusing states.
'Home' governmental attacks, e.g. US government monitoring.
Internal threats
Competing organisations
Hackers/profiteering/wackos
Some existing IT security multidisciplinary research & NGOs
Electronic Frontier Foundation - www.eff.org
Tactical Technology Collective - www.tacticaltech.org
Frontline - www.frontlinedefenders.org
Harvard Berkman Centre - cyber.law.harvard.edu
MSc Thesis - 'A study of and best practices for IT security for the Baha'i International Community - United Nations Office'
Abstract
For many small organizations operating in a sensitive political, religious, or social context, information security is a critical concern. This dissertation reports upon a study of the current IT security framework of the offices of a non-governmental organization (NGO): the Baha'i International Community United Nations Office (BICUNO), based in New York and Geneva. The study makes use of questionnaires and interviews to determine the current practices and requirements of staff (IT and general), in terms of security related activities. An analysis of current practices, looking at strengths and weaknesses, is performed in the context of the current literature, including the ISO 27002 standard, on security practices. A number of recommendations are presented, in the form of "best security practices", for adoption in this and similar settings.
Thank You!
Ashiyan Rahmani-Shirazi MA, Kellogg College, Oxford
MSc (candidate) - Software Engineering
email: [email protected]
Wheat Atlas Intern, www.cimmyt.org
Business Development Manager (p/t), www.ascertica.com
The Story so Far
Issues in security (a.k.a. risk management) give rise to questions in
– cryptography, networking, systems engineering
– law, ethics, criminology, psychology, education
– business, management, economics, politics
All but the simplest questions cross boundaries among these
– Security economics is a well-established discipline
– Likewise usability in security, perhaps to a lesser extent, with work on psychological acceptability etc.
– Technologists sometimes talk to regulators; Trusted Computing is a good example
– Others study ICT policy in its own right
– ...
Security Ecosystem
Representative examples; trademarks belong to their respective owners
ISO27000
So
we have a multi-billion dollar security industry
– much of it geared towards yesterday’s threats
points of contact with academic research are numerous, but patchy
robust methodologies for tough questions are missing
“should staff be allowed to connect smartphones and tablets to my infrastructure?”
“should staff be allowed to store corporate data on their own smartphones and tablets?”
CSI Computer Crime and Security Survey, 2008
Disruptive Technology
smart metering; personalized medicine; electronic healthcare records; e-Government; social networking; smartphones and tablets; IPTV ‘connected home’; internet of things; multi-purpose sensor networks; road pricing; everything-as-a-service
Large scale; heterogeneous
Inherent complexity
Mostly rather unlike the ‘personal computer’ we have known until now
Immense value to society
Big investment by individuals
Unexpectedly becoming ‘critical infrastructure’
Almost total de-materialization of the ‘boundary’
Many interested parties; many administrators
Role of the University
joined-up thinking
– without an axe to grind, maybe
questions everyone wants answered
trusted third party
skill sets related to those found in business/government
– together with those that are not!
testbed – large, complex, dynamic network with great experimental subjects :)
technologists? cryptographers? lawyers? educators? economists? politicians? regulators? business leaders? the military? social scientists? psychologists?
Vision for an institute
permanent centre to study these ideas
needs lasting links to existing disciplines
where do CIOs go to school?
– where do they get their CPD?
where are the stimulating sources of ideas?
where do they go for non-partisan advice?
Menu of activities
Master’s in business and information security
‘Pure’ academic research at this nexus
Boundary-crossing research, and applied research (DTC, EngD)
Contract research
Open-ended research
Public understanding
Leadership
professional secondments
strengthening the University’s own security
Conclusion
1. the challenge of information security will continue to grow as our digital economy grows
2. no single discipline can meet that challenge alone
3. a university – in general, and this one in particular – is well-placed to make the right connections
COMPUTING LABORATORY
SOFTWARE ENGINEERING PROGRAMME
SOFTWARE AND SYSTEMS SECURITY
Andrew Martin, MA, DPhil, MBCS, CEng, CITP
Deputy Director, Software Engineering Programme
Wolfson Building, Parks Road, Oxford OX1 3QD, UK.
+44 (0) 1865 283605
[email protected]/andrew.martin