Information Security and Privacy A vision for inter-disciplinary research in Information Security Andrew Martin (with Ashiyan Rahmani-Shirazi) Oxford University Computing Laboratory ISPP seminar series 17th January 2011


Page 1:

Information Security and Privacy

A vision for inter-disciplinary research in Information Security

Andrew Martin (with Ashiyan Rahmani-Shirazi)

Oxford University Computing Laboratory

ISPP seminar series

17th January 2011

Page 2:

The information age needs information security

almost everything of value has a digital existence today

– whether it solely exists in the digital domain or merely casts a shadow, or something in between

– whether that value is in monetary terms or something less tradable, such as privacy

that fact is plainly not lost on those with criminal intent

– of course, it is the value which attracts them

– and some items with value may be subject to collateral damage

Page 3:

Whose problem is this?

technologists? cryptographers? lawyers? educators? economists? politicians? regulators? business leaders? the military? social scientists? psychologists?

Page 4:

Example 1 (credit: Paul England, Microsoft)

Most of our computer operating systems are designed around an administrator

this person is given all power; ‘full control’

we assume that

– the administrator is wise

– the administrator is good

– the administrator is knowledgeable

http://www.boerner.net/jboerner/wp-content/uploads/2009/10/1955tradic.gif

Page 5:

Example 1

One of these is today’s administrator

this person is given all power; ‘full control’

we assume that

– the administrator is wise

– the administrator is good

– the administrator is knowledgeable

Page 6:

Example 1

One or more of these is today’s administrator

this person is given all power; ‘full control’

we assume that

– the administrator is wise

– the administrator is good

– the administrator is knowledgeable

Page 7:

Example 1

These violated assumptions can be remedied in many ways

– make the unwise liable

– explicitly tie liability to control

– education, education, education

– reducing the extent of their ‘full control’

None is completely satisfactory

Page 8:

Example 2

Page 9:

Example 3

Page 10:

Example 4

Interdisciplinary perspectives on IT Security

With particular reference to perspectives on International Relations & Human Rights

Ashiyan Rahmani-Shirazi

Page 11:

DDoS on Human Rights NGOs

'Distributed Denial of Service (DDoS) is an increasingly common Internet phenomenon capable of silencing Internet speech, usually for a brief interval but occasionally for longer. In this paper, we explore the specific phenomenon of DDoS attacks on independent media and human rights organizations, seeking to understand the nature and frequency of these attacks, their efficacy, and the responses available to sites under attack. Our report offers advice to independent media and human rights sites likely to be targeted by DDoS but comes to the uncomfortable conclusion that there is no easy solution to these attacks for many of these sites, particularly for attacks that exhaust network bandwidth.'

Berkman Center for Internet & Society report, "Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites" by Ethan Zuckerman et al., December 20th 2010.

Page 12:

IT Security & IR - sample attack

SQL injection attack carried out on the UN website homepage in August 2007

Page 13:

Social Media & Political Change

Twitter and Iran (Washington Post)

– The US State Department asked Twitter to delay scheduled maintenance in June to avoid disrupting communications among tech-savvy Iranian citizens

– Cyberactivism can also be harmful: there were many calls for Twitter users to participate in cyber-attacks on pro-government web sites in Iran.

Page 14:

China, Power & the Net

China and Google (www.arstechnica.com)

Facebook and Twitter are blocked for their ability to organize groups with anti-government intentions

Leading Chinese video sites Youku.com and Tudou.com actively monitor submissions and delete those that they consider inappropriate or in violation of Chinese law.

Chinese government attack on pro-Tibetan NGOs

Attack on NGO critical of Chinese policy in Darfur

Five DDoS attacks on Chinese human rights activist websites in January 2010

Page 15:

Threat Analysis

Insider attacks, including the recent Wikileaks disclosures affecting the US Government.

Organisational Facebook policy / Twitter policy?

‘Enemy’ governmental attacks, e.g. intrusion into human rights NGOs by states that abuse human rights.

‘Home’ governmental attacks, e.g. US government monitoring.

Internal threats

Competing organisations

Hackers / profiteering / wackos

Page 16:

Some existing IT security multidisciplinary research & NGOs

Electronic Frontier Foundation - www.eff.org

Tactical Technology Collective - www.tacticaltech.org

Frontline - www.frontlinedefenders.org

Harvard Berkman Centre - cyber.law.harvard.edu

Page 17:

MSc Thesis - ‘A study of and best practices for IT security for the Baha'i International Community - United Nations Office’

Abstract

For many small organizations operating in a sensitive political, religious, or social context, information security is a critical concern. This dissertation reports upon a study of the current IT security framework of the offices of a non-governmental organization (NGO): the Baha'i International Community United Nations Office (BICUNO), based in New York and Geneva. The study makes use of questionnaires and interviews to determine the current practices and requirements of staff (IT and general), in terms of security related activities. An analysis of current practices, looking at strengths and weaknesses, is performed in the context of the current literature, including the ISO 27002 standard, on security practices. A number of recommendations are presented, in the form of "best security practices", for adoption in this and similar settings.

Page 18:

Thank You!

Ashiyan Rahmani-Shirazi, MA, Kellogg College, Oxford

MSc (candidate) - Software Engineering

email: [email protected]

Wheat Atlas Intern, www.cimmyt.org

Business Development Manager (p/t), www.ascertica.com

Page 19:

The Story so Far

Issues in security (a.k.a. risk management) give rise to questions in

– cryptography, networking, systems engineering

– law, ethics, criminology, psychology, education

– business, management, economics, politics

All but the simplest questions cross boundaries among these

– Security economics is a well-established discipline

– Likewise usability in security, perhaps to a lesser extent, with work on psychological acceptability etc.

– Technologists sometimes talk to regulators; Trusted Computing is a good example

– Others study ICT policy in its own right

– ...

Page 20:

Security Ecosystem

Representative examples; trademarks belong to their respective owners

ISO27000

Page 21:

So

we have a multi-billion dollar security industry

– much of it geared towards yesterday’s threats

points of contact with academic research are numerous, but patchy

robust methodologies for tough questions are missing

– “should staff be allowed to connect smartphones and tablets to my infrastructure?”

– “should staff be allowed to store corporate data on their own smartphones and tablets?”

Page 22:

CSI Computer Crime and Security Survey, 2008

Page 23:

Disruptive Technology

smart metering

personalized medicine

electronic healthcare records

e-Government

social networking

smartphones and tablets

IPTV, ‘connected home’

internet of things

multi-purpose sensor networks

road pricing

everything-as-a-service

Large scale; heterogeneous

Inherent complexity

Mostly rather unlike the ‘personal computer’ we have known until now

Immense value to society

Big investment by individuals

Unexpectedly becoming ‘critical infrastructure’

Almost total de-materialization of the ‘boundary’

Many interested parties; many administrators

Page 24:

Role of the University

joined-up thinking

– without an axe to grind, maybe

questions everyone wants answered

trusted third party

skill sets related to those found in business/government

– together with those that are not!

testbed – large, complex, dynamic network with great experimental subjects :)

technologists? cryptographers? lawyers? educators? economists? politicians? regulators? business leaders? the military? social scientists? psychologists?

Page 25:

Vision for an institute

permanent centre to study these ideas

needs lasting links to existing disciplines

where do CIOs go to school?

– where do they get their CPD?

where are the stimulating sources of ideas?

where do they go for non-partisan advice?

Page 26:

Menu of activities

Master’s in business and information security

‘Pure’ academic research at this nexus

Boundary-crossing research, and applied research (DTC, EngD)

Contract research

Open-ended research

Public understanding

Leadership

professional secondments

strengthening the University’s own security

Page 27:

Conclusion

1. the challenge of information security will continue to grow as our digital economy grows

2. no single discipline can meet that challenge alone

3. a university – in general, and this one in particular – is well-placed to make the right connections

Page 28:

COMPUTING LABORATORY

SOFTWARE ENGINEERING PROGRAMME

SOFTWARE AND SYSTEMS SECURITY

Andrew Martin, MA, DPhil, MBCS, CEng, CITP

Deputy Director, Software Engineering Programme

Wolfson Building, Parks Road, Oxford OX1 3QD, UK.

+44 (0) 1865 283605

[email protected]/andrew.martin