©Dr. Respickius Casmir IT Security & Cybercrime IT & Communication Summit 2010 March 8, 2010 By Respickius Casmir, PhD. University of Dar es Salaam Computing Centre (UCC)


IT Security & Cybercrime

IT & Communication Summit 2010 March 8, 2010

By

Respickius Casmir, PhD.University of Dar es Salaam Computing Centre (UCC)


Outline

Introduction

A Conceptual IT System

IT Security in a Nutshell

IT Security Risks, Threats and Vulnerabilities

Why Worry about IT Security and Cybercrime

Conclusion and the Way Forward


Introduction

Every progressive organization is governed by a Corporate Strategy.

IT Governance is part and parcel of Corporate Strategy.

IT Security is an integral part of IT Governance.

Therefore, Corporate Strategy, IT Governance, and IT Security are inseparable elements.

Cybercrime is a form of crime where the Internet or computers are used as a medium to commit crime.


A Conceptual IT System

Macro View of a Conceptual IT System


A Conceptual IT System (2)

Generalised Model of an IT System


A Conceptual IT System (3)

Technology as part of an IT System


A Conceptual IT System (4)

A non exhaustive List of Data and Information


A Conceptual IT System (5)

People as Part of the IT System


A Conceptual IT System (5)

People include:

1. Insiders (e.g. staff, temporary staff, consultants)

2. Outsiders with access to the inside (e.g. partners, suppliers, customers)

3. Outsiders with some knowledge about the inside (e.g. ex-staff, ex-consultants)

4. Outsiders with a motive to launch attacks against your organisation (e.g. competitors, hackers, industrial spies, other attackers)


IT Security in a Nutshell

IT security is all about controlling access to information assets to ensure:

Confidentiality – ensuring that information is accessible only to those authorized to have access to it.

Integrity – safeguarding the accuracy and completeness of information and processing methods.

Availability – ensuring that authorized users have access to information and associated assets when required.


Security Goals

Integrity

Confidentiality

Availability


Security Attacks


Security Attacks

Interruption: This is an attack on availability

Interception: This is an attack on confidentiality

Modification: This is an attack on integrity

Fabrication: This is an attack on authenticity
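The four attack classes above are easiest to see against a single message in transit. The following is an added illustration, not code from the slides: a sender appends an HMAC-SHA256 tag to a message, each attack class is modelled as a function applied to the packet in transit, and the receiver reports what it can detect. The key, message and attacker functions are constructed for this example. It shows that a message authentication code catches modification (integrity) and fabrication (authenticity), but does nothing against interception (confidentiality) or interruption (availability); those need separate controls such as encryption and redundancy.

```python
"""Added example (not from the original slides): the four attack classes
(interruption, interception, modification, fabrication) applied to one
message in transit, with an HMAC as the only control in place."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed shared key and message for the example; not real credentials.
KEY = b"shared-secret-constructed-for-this-example"
MESSAGE = b"PAY alice 100"
TAG_LEN = 32  # SHA-256 digest length

# Whatever an eavesdropper manages to read is recorded here.
LEAKED: List[bytes] = []


def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: append an HMAC-SHA256 tag computed over the message."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def receive(key: bytes, packet: Optional[bytes]) -> Dict[str, object]:
    """Receiver side: verify the tag and report delivery and authenticity."""
    if packet is None:
        # Nothing arrived at all: the receiver can only observe absence.
        return {"delivered": False, "authentic": False, "message": None}
    if len(packet) < TAG_LEN:
        return {"delivered": True, "authentic": False, "message": None}
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    ok = hmac.compare_digest(tag, expected)
    return {"delivered": True, "authentic": ok, "message": message if ok else None}


# Each attack class from the slide, modelled as a function on the packet.
def interruption(packet: bytes) -> Optional[bytes]:
    """Attack on availability: the packet is dropped and never arrives."""
    return None


def interception(packet: bytes) -> bytes:
    """Attack on confidentiality: the attacker copies the packet but
    forwards it unchanged, so the receiver sees nothing wrong."""
    LEAKED.append(bytes(packet))
    return packet


def modification(packet: bytes) -> bytes:
    """Attack on integrity: one bit of the message body is flipped."""
    body = bytearray(packet)
    body[0] ^= 0x01
    return bytes(body)


def fabrication(_packet: bytes) -> bytes:
    """Attack on authenticity: the attacker injects a message of their own.
    Without the key they cannot compute a valid tag, so a random one is used."""
    forged = b"PAY attacker 1000"
    return forged + secrets.token_bytes(TAG_LEN)


def run_attack(attack: Callable[[bytes], Optional[bytes]]) -> Dict[str, object]:
    """Send MESSAGE through the given attack and return the receiver's verdict."""
    packet = protect(KEY, MESSAGE)
    return receive(KEY, attack(packet))


def hmac_detects(attack: Callable[[bytes], Optional[bytes]]) -> bool:
    """True when the receiver rejects what arrived, i.e. the MAC caught the attack."""
    verdict = run_attack(attack)
    return bool(verdict["delivered"]) and not bool(verdict["authentic"])


if __name__ == "__main__":
    for name, attack in [("interruption", interruption), ("interception", interception),
                         ("modification", modification), ("fabrication", fabrication)]:
        print(f"{name:13s} -> {run_attack(attack)}  detected by HMAC: {hmac_detects(attack)}")
```

Running the block prints one verdict per attack class: interruption is visible only as non-delivery, interception passes verification untouched while the attacker keeps a copy, and modification and fabrication both fail the tag check.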


Security Risks, Threats & Vulnerability


Budgeting for security precautions

Remember the old saying, "Do not place all of your eggs in one basket"?

This wisdom definitely applies to budgeting for your IT security. Do not spend all of your budget on one mode of protection.

For example, it does little good to invest $15,000 in firewalling technology if someone can simply walk through the front door and walk away with your corporate server.


Budgeting for security precautions (2)

The bottom line is to be creative. The further you can stretch your security budget, the more precautions you can take.

Security is a proactive expenditure, meaning that we invest money in security precautions now to avoid spending additional money later paying for recovery from a network disaster.

The more precautions that can be taken, the less likely disaster is to strike.


IT Security Challenges

IT security challenges include:

Increased global exposure of Information Assets via the Internet.

Ubiquitous security threats and vulnerabilities.

Increased dependence on IT Systems without proper strategies to deal with security issues.

Inadequacy of IT security awareness programs for end users.

Lack of National level/Institutional Strategy for handling IT Security and Cybercrime issues.


Conclusion and the Way Forward

We need to have a national/institutional strategy for handling IT security and cybercrime issues.

Such a strategy should include security training and awareness programmes to ensure that all users of IT systems have the basics of security.

Adopt international IT security best practices such as the ISO/IEC 27000 family of standards for Information Security Management Systems (ISMS), and

Adopt and customise BS 7799-3:2005 to come up with our own TZ 7799 standard for Information Security Management Systems, tailored to our own business context.


Conclusion and the Way Forward

It is imperative to note that a well-trained, well-informed workforce is one of the most powerful weapons in an information security manager’s arsenal.


Thank You!

Respickius Casmir, PhD.

[email protected]