eConsumer Insecurity


Why Isn't Security Easier for SMEs and Consumers?
Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor in Computer Science, ANU, and in Cyberspace Law & Policy, UNSW
CyberSecurity Law, Sydney, 13 November 2013
http://www.rogerclarke.com/EC/SSACS-13 {.html, .ppt}
Copyright 2013

Agenda
- The SecIllits Among Us
- Security Market Failure
- Simple Baseline Security for Organisations
- Security for Consumers is Even Harder
- How to Make Security Much Easier
- How to Make It Happen

The SecIllits Among Us
[Figure: pyramid of the Australian population by category; labelled bands as on the slide: LBEs 6,000, GAs 6,000, MBEs 25,000, SMEs 50,000, Es 10,000, with further unlabelled bands of 50,000, 100,000, 250,000, 700,000 and 1,000,000, and People 18,000,000 at the base]
Sources:
http://www.abs.gov.au/ausstats/[email protected]/Lookup/2071.0main+features952012-2013
http://www.rogerclarke.com/II/iGen.html
http://www.rogerclarke.com/II/DRC.html

Conventional Security Wisdom
- Threatening events impinge on vulnerabilities, resulting in harm to assets
- Safeguards protect against threatening events, vulnerabilities and harm
- Security is a condition in which harm is in part prevented and in part mitigated, because threats and vulnerabilities are countered by safeguards
- Avoid, prevent, minimise or cope with harm, by balancing safeguards' predictable financial costs and other disbenefits against security incidents' less predictable financial costs and other disbenefits and contingent risks

The Challenges
- Security is Not Designed In to devices, systems software or network infrastructure; it's always an add-on / retro-fit
- Diverse Technical Contexts, at hardware and OS levels, overlaid by multiple apps
- Closed Technical Contexts
- Categories of Threats are legion, and change continually
- Categories of Vulnerabilities are legion, and proliferate
- Diverse Contexts of Use
- High value is placed on Convenience (which is experienced continually) and low value is placed on security (experienced rarely)
- Hedonism undermines considered, reflective and responsible attitudes
- Security Features involve Intrusiveness into work and play, and require understanding and concentration

Market Failure
- Those Challenges are costly to address
- Business enterprises only invest if: it's a cost of being in the game; or it makes money
- SecLits assess risk dispassionately; but SecIllits judge risk spontaneously
- SecIllit Customers don't value security, and certainly not enough to pay for it
- Market mechanisms won't solve the problem
- The Security Gap won't be addressed without Market Intervention

A Possible Intervention
- IPP 4 (1989-2014), NPP 4 (2001-2014), APP 11 (2014-)
- Obligations exist to take such steps as are reasonable in the circumstances to protect [personal data] from: misuse, interference, loss; unauthorised access, modification, disclosure
- In April 2013, OAIC updated its 2001 'Guide to Info Security'. Did it:
  - Declare a minimum set of safeguards?
  - Express them in an updateable Appendix?
  - Permit alternatives, based on an accessible risk assessment report?

But No Intervention At All
- Nope. OAIC spurned the opportunity
- The document features: 32 x 'appropriate'; 80 x 'reasonable'; some 'steps and strategies which may be reasonable to take'; no minimum requirements
- http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/guide-to-information-security

Absolute-Minimum InfoSec Safeguards
1. Physical Safeguards
2. Access Control
3. Malware Detection and Eradication
4. Patching Procedures
5. Firewalls
6. Incident Management Processes
7. Logging
8. Backup and Recovery
9. Training
10. Responsibility
http://www.xamax.com.au/EC/ISInfo.pdf

Absolute-Minimum InfoSec Safeguards (detail)
2. ACCESS CONTROL, including:
  - user-accounts allocated to individuals for their, and only their, personal use
  - privileges limited to only the software, functions and data that are required for that person's work
  - tight control over super-user accounts, to reduce the opportunity for abuse of access privileges
3. MALWARE DETECTION AND ERADICATION (Malware is used here as a generic, encompassing viruses, worms, spyware, bots, rootkits, etc.; see http://rogerclarke.com/II/RCMal.html):
  - on all inbound traffic; and
  - periodically on all storage devices
4. PATCHING PROCEDURES, to ensure the frequent application of all security-relevant updates and patches to all systems software and application software

Absolute-Minimum InfoSec Safeguards (beyond the desktop)
- That set relates to the era of IT Departments and desktops
- For the Mobile / Wireless / Untethered Age?
  - BYOD Policies?
  - Mobile Device Management / Mobile Application Management (MDM/MAM) Tools?
  - ?

Absolute-Minimum InfoSec Safeguards: A Less Ad Hoc Approach
- Stratify into Market Segments
- For each Market Segment:
  - Conduct a generic Risk Assessment
  - Establish a generic Risk Management Strategy
  - Articulate the Strategy into a Management Plan
- ? Segment by sector and segment
- ? 'Exposed' / 'Normal Business' / 'Carefree'

Consumers: Some Extra Problems
- Risks are very difficult to understand
- Safeguards are very difficult to understand, to find, to install, to configure, to maintain, to trust
- Consumer Devices are designed to be insecure
- To avoid designed-in vulnerabilities, consumers have to forego some of 'the Internet experience'
- Some basic transactions, even payments, rely on consumer devices being insecure
- SME solutions need to be scaled for Consumers

Server Control of Consumer Devices
- Java Applets
- ActiveX 'Controls'
- 'Asynchronous JavaScript and XML' (AJAX)
- Drive-by Downloads
- HTML5
- Mobile Apps

HTML5
Support for:
- multi-media streaming
- open channels as well as sessions
- geolocation
- A way to subvert sandboxing
- A way to subvert user control, by inverting the Web from pull to push
- A way to access local data and devices (e.g. cameras, microphones), giving rise to "A Pandora's box of tracking in the Internet"
http://www.sophos.com/en-us/medialibrary/PDFs/other/sophosHTML5andsecurity.pdf

The Primary Geolocation Technologies
[Figure: the primary geolocation technologies]
http://www.rogerclarke.com/DV/LTMD.html

Mobile Apps
- Will Google and Apple really protect eConsumers against other parties?
- And who will protect eConsumers against Google and Apple?
- Retrofitting of Mobile OS to the Desktop: Mac OSX / iOS; Android / bluetracks

Do we really know NOTHING??
- ASD (2013) 'Information Security Manual' ('the ISM'), Defence / Australian Signals Directorate, August 2013, at http://www.dsd.gov.au/infosec/ism/index.htm
- ASD (2013) 'Strategies to Mitigate Targeted Cyber Intrusions', Defence / Australian Signals Directorate, April 2013, at http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
- DBCDE (2013a) 'Stay Smart Online Business', Dept of Broadband, Communications and the Digital Economy, 2013, at http://www.staysmartonline.gov.au/business
- DBCDE (2013b) 'Stay Smart Online Home Users', Dept of Broadband, Communications and the Digital Economy, 2013, at http://www.staysmartonline.gov.au/home_users
- RACGP (2013) 'Computer and Information Security Standards', Royal Australian College of General Practitioners, 2nd Edition, June 2013, at http://www.racgp.org.au/your-practice/standards/ciss/

Possible Security Profiles
- Low Security / High Convenience: 'Carefree social media' ... social ephemera, trivia
- Medium Security / Medium Convenience: 'Careful social media'; Enterprise purposes; Privacy and/or security concerns
- High Security / Low Convenience: Undercover operatives, corporate takeover analysts, researchers handling delicate data, diplomats, ...; Persons-at-Risk (protected witness, whistleblower)

Baseline: Low Security / High Convenience
User Accounts: Authentication required for:
- payment transactions above a low minimum threshold
- transactions that involve the disclosure of payment-related data
- communications that contain particular keywords
Backup: Auto-backup / mirroring of:
- configuration settings
- address-books

Storage Controls
L (Low):
- Vulnerability detection and notification software, installed, configured, auto-updated, and run cyclically on all stored executables
- Auto-update of selected system software and applications
- Logging of all changes to settings
M (Medium), in addition:
- Logging of all changes to software
- Protection of logs
H (High), in addition:
- Logging of all changes to user data
- Encrypted data storage
- Prohibition on, or at least controls over, publicly-shared files
- Frequent, automated date-time synchronisation

Solutions Driven from the Supply-Side?
- Desktop Virtualisation, e.g. Citrix: service not application, high dependence on server, complete network dependence, network latency
- Native Solutions from equipment / OS providers: high dependence on supplier, supplier-specific, not platform-independent
- Container Solutions: a virtual machine or other segmented area, data sandboxing, access denied to the full set of facilities available on and from the device
http://www.itnews.com.au/Resource/358142,the-true-cost-of-byod.aspx

Formal and 'Soft' Regulatory Options
- Formal Regulation: Merchantable Goods, Product Liability applied to software as well as hardware?
- Co-Regulation: PC'er Industry Code power has failed; DBCDE not prepared to be a regulator
- Industry Self-Regulation: Standards Associations? ECMA? CCIA? AIIA?? ACM? IEEE? SAGE? ISSA? SANS? IFIP? ACS?? ISOC-AU?? SAGE-AU?? AISA??
