During April 22-23, 2003 the International Quality and Productivity Centre (IQPC) ran a conference in Sydney, Australia that was based on National Critical Information Infrastructure in Australia. (This review and associated web links are available from my website http://www.infowar.com.au)
Peter Coroneos, Chief Executive of the Internet Industry Association chaired Day One of the conference. He discussed how the issues are real and that we need to consider the Cyber dimension and the Internet. There is a need to determine criticality, and understand that many elements that are critical aren't necessarily obvious. Peter discussed the IIA's role in securing the Internet in Australia, the relationship with law enforcement agencies, and problems with prosecuting cyber crimes. He also detailed an Anti-SPAM campaign that the IIA has begun.
Mike Rothery, Senior Adviser National Information Infrastructure (NII), the
Australian Attorney-General's Department discussed Information
Infrastructure Assurance and the role the AGD has in NII protection. He
spoke of how infrastructure assurance is more than just IT security, and
that we must consider organisational and information risks. Need to realise
that previously discrete (disconnected) systems are now networked and
exchange data inside and outside an organisation. Now there is shared
infrastructure, an organisation's network infrastructure is extending,
incorporating all systems (IT, power, utilities, control, etc.) so a failure
could impact the whole organisation. Vulnerabilities are inherited from
strategic partnerships such as:
*Mergers and Acquisitions
Mike pointed out we need to consider security in relation to all decisions, that business decisions don't usually consider IT security. It must also be realised the NII exists in an international context, and that individual organisations have a dependence on the NII which may be affected by overseas events. Mike explained that often accidents can help us understand about dependencies (e.g. Longford) and show what impact the community may suffer from such an incident. Mike talked about protection and discussed an interesting case of an abattoir that uses dial-in access on an unencrypted channel, and no IT people in place!
In terms of NII ownership Mike highlighted the need for private sector partnership in securing elements, and that the Government has no intention or desire to regulate industry, particularly due to the rapidly changing nature of IT and the NII. Organisations must consider the strategic context in which they operate. Threats and vulnerabilities to their systems may be over and above their own internal security issues, and have national significance. Mike discussed the outcomes of the Business-Government Task Force, the recent formation of a Trusted Information Sharing Network and Critical Infrastructure Advisory Council and how these fit into the Government's priorities for Safeguarding Australia.
Mike Spring, Director, Information Systems Security, Government Communications Security Bureau (NZ), talked about New Zealand's approach to Critical Infrastructure Protection (CIP). He began with an outline of the structure of the GCSB and why it was involved with CIP. He talked about New Zealand's strategy for CIP, two key reports issued so far, and a Centre for CIP CCIP that was established. The GCSB is the single responsible authority for CIP, and the CCIP is an entity within this department and is publicly funded. The CCIP has been operational since November 2001, and has three functions: Watch and Warn, Investigation and Analysis, and Outreach. The CCIP has links with other international CIP bodies, FIRST, APEC-Tel, and other cyber-security forums.
Tim Burmeister, Senior Manager Infosec Policy, Defence Signals Directorate
talked about CIP from a national perspective. He spoke of how electronic
threats cross international borders and that security needs to be considered
in an international context. Tim spoke of how DSD has shifted its focus to
include threats to commerce and SME's. He highlighted concerns with credit
card fraud, electronic transactions, and a need to understand the real level
of the threat. Tim outlined DSD's history of involvement with CIP, the
Interdepartmental Committee Report on the NII, the links DSD has with ASIO
and the Australian Federal Police, and DSD's information security role. He
talked about the services DSD offers including the Australasian Information
Security Evaluation Program AISEP, the Evaluated Products List EPL, ISIDRAS
and the Computer Network Vulnerability Team. Tim spoke of common IT security
mistakes that include:
*Policies not utilised and also quickly become outdated
*The "hot" new security product will not solve all problems
*Poorly managed security
*Procedures not updated to reflect new risks
Tim explained how good security reduces the risk of loss of information or attack, creates a perception of trust, and encourages people to conduct online transactions. Advice can be given on the threats and vulnerabilities, but the decisions are made at the top level, and often with additional information that may not be known by the security advisers. In relation to incident reporting it can only work when incidents are detected or known. Referring to Cyber Warfare he pointed out most attacks are aimed at individual machines or systems. No major attack has occurred on infrastructure, but an IT attack on a control system could be a problem.
Warwick Watkins, Director General of the Department of Information
Technology and Management (NSW) began by examining emergency events that
have occurred, including:
*Victoria - Longford, Coode Island, Anthrax, and Ash Wednesday
*NSW - Nyngan floods, Thredbo, Sydney fires and hailstorms, Newcastle earthquake, and
*Waterfall rail disaster
He outlined how incidents such as these can be large and serious, require critical information from numerous agencies involved, can have long term effects, and affect many. Warwick looked at how information is required for emergency management to assist in responding, inform decision makers, inform the media, and advise and guide the public. He spoke of the common Spatial Data Infrastructure established by the US Congress for all government agencies to use in providing comprehensive, accurate and timely data sets that are essential for effective emergency service response (Australian SDI efforts). This includes basic information held (proprietary, road networks, elevation model, hydrography, etc) along with supplemental information (social, economic and environmental) and the need to combine these for event specific incidents. Warwick said we should not worry about a specific event, rather focus on building a robust and flexible capability that is effective, mobile, adaptive and timely in its response. He discussed a scenario that was run that considered the explosion of a bomb hidden in a rubbish bin, and how the data was mapped to the impact zone to determine the emergency response. Warwick finished by pointing out that organisations tend to focus on the response, but that it is important to be prepared and ready.
Georgina Crundell, Global Head of Information Security, ANZ Banking Group explained that ANZ are not just concerned with Australian domestic threats but also international issues. She outlined some of the major risks faced by the bank and discussed how they approach information security within ANZ, using a proactive, top-down model. ANZ has gone through a number of organisational changes to incorporate information security into their organisation. Large number of security initiatives are being developed and incorporated into the start of projects. Georgina identified the need to determine what it is you want to protect, and to identify information assets. An example for ANZ is the SWIFT system that must process over $250 billion by 4 PM daily. The issue of ROI also is important in effective information security, as are skills cost and training staff. Relationships between IT departments must be developed/maintained to ensure thorough understanding and awareness of security policies. Georgina finished by discussing various security processes within ANZ, and a number of cooperative strategies with other partners.
Carsten Larsen, General Manager of ACTEW-AGL discussed his organisation's role in the recent Canberra bushfire crisis. He showed a video of events, and how the infrastructure was affected during this crisis. Working through the crisis, he presented a case study of the events, and the measures and procedures taken by ACTEW, including setting up a crisis center, ensuring all units had mobile phone chargers, and keeping a management person in reserve to act as backup (to avoid burnout).
David Harris, National General Manager, Corporate Security, Telstra examined security issues, pointing out that the boundaries are gone. He questioned whether traditional security and business thinking address CIIP. A look at traditional security thinking (Security 101 as he referred to it!) covering confidentiality, integrity, and availability and how it applies to today's environment, requiring an all-hazards approach. He said a security framework must enable business to provide flexible, controlled access to services and information for customers, partners, and the whole value chain. Through an examination of perceived benefits, capability, and a threat/loss relationship he showed that without capability there is no threat, with capability there needs to be opportunity. Securing the infrastructure must support its functionality and efficiency; an emphasis must be on the ease of use, with adequate security. This must also be supplanted with effective operational management of your IT services, and be able to deal with evidentiary complexities for fraud and intrusion incidents. By considering the context of a possible emergency, you can have an efficient and useful disaster recovery plan.
Daniel Lai, National Security Director of the Australian Customs Service began with an outline of his organisation's role and function. Noting that organisations are spending more on security, he examined the ROI issue on IT security spending. He considered how no-one is measuring the benefits of spending (e.g. putting in a firewall), and that for critical/highly important elements the cost should not be an issue. By incorporating ROI into the project lifecycle, security is aligned with business objectives, and can be integrated into the total cost of ownership. Daniel indicated there is no need to sweat the small stuff, but we need to incorporate security into the organisation's culture.
Eric Faccer, Research Scientist, DSTC Security Group began with the perception of threat, recounting the October 30, 1938 transmission of War of the Worlds and the ensuing panic it caused. He showed that this was caused due to centralisation (single point of failure), a trusted source (the radio), and lack of failover/redundancy. Next he looked at how computers have been around for around 50 years whilst infrastructure has only been around for about 10 years. Noting that CIIP policy will not always be congruent with private sector IT security procedures, he examined functionality versus real security and the inverse relationship it has. Following this he showed how perceived security builds a false level of trust. Since security is a non-trivial exercise, there may be side-effects that are not considered that may in turn cause new security problems. He noted how many organisations have developed their own cryptographic ciphers which have been broken, such as WEP. Eric also pointed out inconsistencies with technology and law, such as the Tennessee law that states it is "illegal for a woman to drive a car unless there is a man either running or walking in front of it waving a red flag to warn approaching motorists and pedestrians"
A panel was then convened that examined the issue of regulation to invest in Critical Information Infrastructure Protection (CIIP). The overall consensus was that whilst regulation may make it easier, no-one is particularly keen for it. Commonwealth Government policy is that market forces provide the drivers for CIIP, and that there is a need for shared responsibility. It would be more effective to educate rather than regulate, also that regulation would have trouble in keeping up with rapidly changing IT. In some cases regulation may be appropriate or even necessary, but legislation won't necessarily ensure the reliability or stability of CII. Business continuity planning and disaster recovery are key issues that are required in CIIP, organisations must get involved.
Leif Gamertsfelder, Senior Associate of Deacons finished Day One off with a look at company directors' duties and liability in relation to CIIP. He discussed how CIIP talks about national goods and services and their national security requirement, and how this is different to corporate security and requirements. He explained how company directors must exercise business judgement in relation to information assurance and network security, and that if a security incident occurs, do you have a valid defence? Leif examined the security management cycle and liability issues, including delegation and business "judgements". He stressed that the driver in the Corporations Act is shareholder value, and that it has no relation to CIIP. He also considered the ASX Listing Rule 3.1 and the problem with determining when you should disclose information, and how this could affect share prices. As a possible solution to encourage security spending, based on national interests, Leif suggested that national security could be a driver for security in individual organisations, through incentives such as tax concessions for security spending and research and development.
The first half of the second day of the conference was chaired by Mark Gardner, Chief Strategist of Securenet whilst the second half was chaired by Ajoy Ghosh, Chairman, Standards Australia Workgroup on Computer Forensic Standards
Geoffrey Ross, Managing Director of Securenet began the first presentation with the view that security must be taken seriously. He talked about rising and constant threats, and how they can mutate and become more complex. He reviewed the impact of the recent Slammer worm and how the Securenet center in Canberra dealt with it. Geoffrey talked how risks are shared and this must be recognised and addressed, looking both inwards and outwards of our organisations. He examined issues both inside the enterprise IT and outside, and questioned whether organisations are getting the message, and if directors and officers are identifying their responsibilities. Recognising that security has traditionally been defensive, but also an enabler, he said we need to focus on the enablement aspect of security.
Nick Tate, Director of AusCERT discussed the background and history of AusCERT and its related activities. He showed the general rise in incident reporting and discussed key findings of the AusCERT 2002 Computer Crime and Security Survey. Nick talked about various research and education networks, and how many universities have high speed, wide bandwidth networks which allow for greater activity. He stressed the need to incorporate these large capacity university networks into the NII. Nick also discussed recent information sharing and reporting initiatives, AusCERT's links with global partners, a new National Alert Scheme, and education and training schemes, including the ISSPCS security certification scheme.
Ashley Wearne Managing Director, of Network Associates talked about proactive threat protection and security issues in a business context. He discussed how the threats to global business are getting worse, and asked what is your level of awareness of security of your organisation? He outlined how viruses have peaked in terms of speed of infection, whereas response times to deploy counter measures have grown, creating a window of vulnerability. He said we should not focus on the technology, trying to fit the pieces, rather consider the business impact, how to manage the situation and get things working. He applied the 7 Habits of Highly Effective People and how this would apply to security management, using SPAM as an example. He discussed how new legislation will affect organisations and the personal liability that directors and officers will have for external and internal attacks. Ashley said we need to revise architectural thinking towards defence, and outlined the approach that Network Associates provides.
Ajoy Ghosh, Chairman of Standards Australia Workgroup on Computer Forensic Standards, discussed the development of the Guidelines for the Management of IT Evidence. He detailed the difference between a Standard and a Handbook, the requirements for IT Evidence, and the purpose of the Handbook. Ajoy outlined the characteristics of IT evidence and the general principles of evidence collection. He explained the evidence lifecycle and how it can determine the design and operation of your IT system to allow for correct procedures to be carried out if/when required. A draft copy of the Handbook was provided to delegates.
Ben McDevitt, General Manager, Counter Terrorism, Australian Federal Police discussed the terrorist threat and the need for business cooperation in defending the CII. He talked of the changing nature of crime, the transnational nature of cybercrime, and the growing nature of electronic crime. He examined the use and application of technology in crimes, how terrorists had embraced this technology, and the vulnerability of society on infrastructure. He talked of the private ownership of much of the CII, how businesses will need to overcome rivalries and share information, and how efforts such as the Trusted Information Sharing Network can help. He said that businesses need to protect their own infrastructures from a whole range of disaster scenarios, and cyber-security should be taken seriously. Ben also detailed the formation of the Australian High Tech Crime Centre and how it will be the electronic front line against computer-generated crime.
The session before lunch was a panel that examined national security versus
privacy protection. A number of interesting issues were raised during this
*National Privacy Principles that outline broad requirements for privacy, should be built into policy from the start
*Security and privacy often overlap, but where they part is in individual use of systems and communications
*Consider the privacy impact in your organisation
*Electronic transactions are reducing the level of anonymity through mechanisms such as authentication
*What are you able to monitor and what type of monitoring can you do?
*In general there are sufficient laws in place to deal with issues such as digital signatures
*However, the laws are somewhat fuzzy in relation to digital information
*Organisations policies must be enforceable, and often many legal cases are thrown out because of poor policies
*Problems establishing identity controls for anonymity issues
*Review of current Gatekeeper implementation, driven partially by high number of fraud cases
*Information Security Interest Group is looking at security certification, and NOIE is examining the role the government would have with this.
Andy Norton, Manager, Intrusion Prevention Vulnerability Management,
Symantec Corporation gave a presentation on enterprise vulnerability
management. He discussed how reactive security costs more than proactive
security, but that security tends to be reactive. He outlined three common
causes of reactive deployment of vulnerability management:
*Security is dealt with as an IT issue
*No integration of people or processes
*High ownership of cost
He suggested that IT should get help from Human Resources who have experience and mandate to get policy out to the organisation. By applying the SANS methodology Symantec have developed a tool for the vulnerability management process. This will assist with tracking user awareness, integrating technical compliance, and identifying vulnerabilities. Andy talked about the scope and breadth of vulnerability data, and the level and depth you have to go to, and the need to prioritise. He said that security is not just technology but people and processes.
Brent Clark, ePayment Security Consultant, examined the history of Internet payments and compared payments in the real world to payments in the online world. He detailed how online payments are made today and how credit cards are still the de-facto standard. He examined identity theft and online fraud, and cited the case of the Sydney Opera House fraud. Next he moved onto authentication and some of the online solutions, such as Verified by Visa and Mastercard Securecode. Brent said how ANZ was the first bank to introduce online authentication and how the other banks are implementing similar measures now. He talked about the Maestro Online Debit system and how it was an alternative to using a credit card, also P2P payment systems such as PayPal. Looking towards the future of online payments Brent talked of the rise and fall of PKI, the belief that strong password authentication will dominate, and that card companies will drive payment infrastructure. He also suggested the Internet may form a substitute infrastructure for EFTPOS by 2020. Referring to B2B payment, he predicted card companies will also dominate B2B systems and will extend their epayment product range for this market.
Mark Dolan, International eCommerce Manager, P&O Ports began by considering the real risk of sea freight: Crew, cargo, vessel, and containers. He discussed various shipping compliance measures, including the US 24 hour rule. He then discussed how security has not traditionally been part of the supply chain management (SCM) process. He said that security is seen as impacting upon the SCM process although some consider it beneficial. Mark then outlined a Safe and Secure Tradeline Process Flow model that was developed in 2002 that integrates security into the SCM process. It was tested across the Asia Pacific by various vendors and operators. The trial ran over two months with 200 containers carried over secure channels providing online container management, status and audit trails, as well as complying with security requirements. Mark explained that this system shifted expenditure from a compliance cost to an investment cost, helped automate the SCM process, and facilitated delivery of containers.
Keith Inman, Director, Electronic Enforcement Unit, Australian Securities and Investment Commission began with an overview of ASIC's role and regulatory functions. He said ASIC's role in CIIP was based on legislative charter and operational risks. He discussed how ecommerce has boosted issues of financial performance, economy, and customer confidence. Considering the operational risks he detailed how electronic footprints may be left by an intruder and how many of the systems used may be publicly owned. This requires an integrity of public registers, reliance on others to keep records, and access to technical expertise. Keith told of how the government sees it would be counter-productive to regulate and restrict the information economy, and that there are synergistic opportunities for government and industry to work together. He discussed a number of such partnerships with ASIC that include auDa, IIA, and Standards Australia.