School of Computer and Information Science
Secure and High Integrity System (INFT 3002)
Workshop 1
Tutor: William Yeoh, gingsun.yeoh@UniSA.edu.au

Workshop 1: Outline
• Group project details
• Harvard referencing
• Hints on Q1 & Q2
• Group discussion
Group project details
• Form a group of 3 by Wednesday (18 Sept)
• Report due on 7 November, 5pm (Friday)
• You must pass this assessment to pass the course
• 3000-5000 words
• You may decide the company's name, location (not necessarily Australia), etc.
Harvard referencing (author-date system)
Book
• Watt, J., Mizuno, B., & Lee, H., 1999, Data on the web: from relations to semistructured data and XML, Prentice Hall, San Francisco.
• Networking essentials plus, 2000, 3rd edn, Wiley Press, Washington.
Journal
• Middleton, A., 2002, 'Who needs a killer application', Journal of research in IT, vol. 41, no. 12, pp. 28-29.

Harvard referencing (author-date system)
Websites
• Alcohol and Drug Studies, 1998, viewed 15 Sept. 2003, <http://www.mindef.org/reports/drug.pdf>
• COA (Commonwealth of Australia), 1994, Creative Nation: Commonwealth Cultural Policy, October 1994, viewed 15 Jan. 2003, <http://www.nla.gov.au/creative.nation/preamble.html>
• Thomas, S., 1997, 'Guide to personal efficiency', Adelaide University, viewed 14 Nov. 2002, <http://library.unisa.edu.au/~sthomas/papers.html>

Harvard referencing (author-date system)
Conference paper
• Hills, J., 2000, 'Relative timing of deformation', in Proceedings of the 14th Australian Universities Earth Sciences Conference, Geological Society of Australia, Melbourne, pp. 38-42.
Government periodical
• ABS (Australian Bureau of Statistics), 2001, Catalogue of publications and products, ABS, Canberra.
In-text referencing
• Poor quality information can have significant social and business impacts (Strong, Lee & Wang 1997). There is strong evidence that data quality problems are becoming increasingly prevalent in practice (Ali & Redman 2004; Cameron 1996).
• Dianne (Tan 2001, p. 71) stated that most organisations have experienced the adverse effects of decisions based on information of inferior quality.
• Most organisations have experienced the adverse effects of decisions based on information of inferior quality (Dianne cited by Tan 2001, p. 71).
Task: Your group is a small, newly formed IT Security Consultancy and has recently been employed on your first case
• Abraham is a health administrator (MD), but he has no modern technical understanding of IT security issues.
• Abraham had no problems with IT security until very recently, when the Hospital's network was subject to a series of attacks. In the period of 3 days, the Hospital's website was defaced, a serious virus infected the Hospital's e-mail, and large quantities of data were corrupted.
• Abraham wonders why this is happening and questions whether there is a link to his company's partnership with a large Health Insurance Company. He is also concerned to find out who might be attacking his network and why.
• He is very anxious to grow his business and knows that he needs to quickly implement some security measures so as to pass an external audit (he has had nothing more than some proprietary and outdated anti-virus software until now).
The issues Abraham is asking for advice on are:
1. What risks do you think he is facing as he gears up his business, and how can he manage these risks?
2. How can he develop a suitable security policy (given the company structure above)? Supply a security policy as Appendix 1 (you may use all the resources in the Resources for Module 2 and adapt these as necessary).
3. Does he need to implement some cryptographic protection of data? How?
4. What is a "trusted" system, why might he need one anyway, and can he implement this within his Windows NT network?

The issues Abraham is asking for advice on are (continued):
5. How can he protect his network? Currently it is a simple LAN, some databases, a mail server and a web server, but he wants to add some e-commerce functionality very soon. What will happen when his staff use wireless-enabled PDAs for the collection of patient data?
6. Why might hackers be attacking his network; why would they be interested in his company?
7. Is there any legislation to help him if his network is hacked into again?
8. What kind of legal or ethical issues will he himself face if the data in his databases or files is lost or damaged?
Today's task
1. What risks do you think he is facing as he gears up his business, and how can he manage these risks?
2. How can he develop a suitable security policy (given the company structure above)? Supply a security policy as Appendix 1 (you may use all the resources in the Resources for Module 2 and adapt these as necessary).
Hints for Q1: What risks do you think he is facing as he gears up his business, and how can he manage these risks?
Risk identification, analysis & management
1. Hardware
• Assets: database server, mail server, web server, staff PCs/laptops
• Risks: overloaded, theft, failure to function
• Controls: housekeeping should be done on all servers, backup, monitoring
2. Software
• Assets: web pages, internal hospital system, firewall, commercial off-the-shelf security software
• Risks: unauthorised copying, no authentication, no trace log, anti-virus not updated
• Controls: encryption, update anti-virus, trace log, passwords

Hints for Q1 (continued)
3. Data
• Assets: customer personal data, staff data, etc.
• Risks: inference problem, no transaction security
• Controls: VPN, encryption
4. People
• Assets: system administrators, operators and end-users
• Risks: ex-staff's IDs still active, system administrator fails to define new sensitive data, system operator neglects physical security, end-users' lack of PC knowledge
• Controls: staff training, change passwords periodically, create sensitive data definitions
5. Documentation
• Assets: sensitive documents, e.g. invoices
• Risks: how sensitive documents are disposed of, exposure to third parties
• Controls: proper report handling procedures
Hints for Q2: How can he develop a suitable security policy (given the company structure above)?
• Organisational domain / stakeholders - who are they?
• Corporate hierarchy - multilevel vs multilateral
• Methodologies of protection - all related issues

Hints for Q2 (continued): policy areas to cover
• Information security policy
• Personnel security policy
• Database security
• Physical & environmental security
• Computer & network security
• System development & maintenance
• Etc.