Securing E-Government Services 2016 Abdullah Hamidi Herat University


Page 1: Securing E-Government Services

Securing E-Government Services

2016

Abdullah Hamidi, Herat University

Page 2: Securing E-Government Services

Contents

• E-Government
• Importance of Security in E-Government
• Types of incidents
• Vulnerabilities and Attacks on E-Services
• Threats in E-Government Services
• Attack Targets
• Attack Techniques
• Recommendations

Page 3: Securing E-Government Services

E-Government

• E-Government is defined as the use of the Internet and the world-wide-web for delivering government information and services to citizens (Sharma & Gupta, 2003).
• Some E-Government Services
  – Passport Registration
  – Driver License
  – Employee Registration
  – Insurance
  – Tax Payment

Page 4: Securing E-Government Services

Types of Security Incidents

• Natural Disaster
• Malicious Attack (External Source)
• Internal Attack
• Malfunction and Unintentional Human Error

Page 5: Securing E-Government Services

Importance of Security in E-Government

(No. – Country – Year – Target: Impacts)

1 – USA – 2006 – Department of Veterans Affairs: Names, social security numbers and dates of birth for 26.5 million veterans, active-duty military personnel and spouses were taken. Loss of half a billion dollars.

2 – Singapore – 2014 – Infocomm Development Authority: SingPass credentials of 1560 users were stolen. (SingPass is an alphanumeric password that lets Singapore residents access 64 agencies online and more than 340 e-services.)

3 – USA – 2014 – Going Postal: Names, Social Security numbers, birth dates and other personally identifiable information on about 800,000 workers and 2.9 million customers. The attack happened between Jan and Feb but was finally shut down in Nov.

Page 6: Securing E-Government Services

Importance of Security in E-Government (continued)

(No. – Country – Year – Target: Impacts)

4 – USA – 2016 – Election in US: Results of the election were unbelievable for most of the countries in the world.

5 – USA – 2008 – Heartland Payment Systems: 134 million credit cards exposed through SQL injection, used to install spyware on Heartland's data systems.

6 – Estonia – 2007 – Government: Estonian government officials were not able to log onto their e-mail. Many websites were attacked, and all parties' sites were eventually targeted. This was the beginning of a three-week cyber attack on the country, reaching 4 million pings per second.

Page 7: Securing E-Government Services

Vulnerabilities and Attacks on E-Services

• Web Applications
• HTTP / HTTPS
• Scripting Languages
  – Client-Side: JavaScript
  – Server-Side: PHP, Perl, .NET

[Figure: Customer → INTERNET → WWW server → Backend → Employee (Company side)]

Page 8: Securing E-Government Services

Threats in E-Government Services

• Packet Sniffers

To Prevent: Authentication and encryption methods (cryptography) should be used so that captured traffic cannot be read or replayed.

Page 9: Securing E-Government Services

Threats in E-Government Services

• DoS Attacks

To Prevent:
• Use a special switch to analyze traffic (applying an HTTP Inspect Policy on the outside interface), detect DoS or DDoS attacks and prevent them from interrupting the services.
• Ex: Oring Thunder Switches

Page 10: Securing E-Government Services

Threats in E-Government Services

• Injections

[Figure: Client → Company WWW server → Database. Normal input: Name: <Name> → "Search for user <Name>; Check the password;". Injected input: Name: "Smith; SET password=X" → "Search for user Smith; SET password=X; Check the password;"]

To Prevent:
• Input validation with defined rules
• Providing least privileges for the users
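The login lookup from the figure above, written both ways, as an added example that is not from the original slides: the first function pastes the name into the SQL text, so a quote in the input becomes SQL; the second applies the slide's two fixes (a defined validation rule and bound parameters). The user table and rule are constructed for the demo.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Smith', 'correct-horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """'Search for user <Name>; check the password' with the name spliced
    into the SQL string: attacker-controlled text is executed as SQL."""
    query = (f"SELECT 1 FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


# Defined rule for a user name: letters, spaces and hyphens only (assumed policy).
NAME_RULE = re.compile(r"^[A-Za-z][A-Za-z -]{0,63}$")


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Same lookup with input validation against a defined rule and a
    parameterised query, so the name can never change the SQL statement.
    (A real system would compare a password hash, not the clear text.)"""
    if not NAME_RULE.match(name):
        return False  # reject out-of-policy input instead of trying to clean it
    row = conn.execute("SELECT password FROM users WHERE name = ?",
                       (name,)).fetchone()
    return row is not None and row[0] == password
```

Least privilege, the slide's second fix, is applied outside this code: the database account used by the web tier should only be able to read and update the columns the application needs.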

Page 11: Securing E-Government Services

Threats in E-Government Services

• Broken Authentication and Session Management

[Figure: Client → Company WWW server: Log-in, Browse Catalog, Order]

Web applications need a means to combine single HTTP requests that follow each other into "sessions".

Many mistakes are commonly made when implementing sessions:
  – Transmission of unencrypted passwords
  – Session IDs unprotected (e.g. in the URL, in unprotected cookies)
  – Sessions not terminated after usage
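A server-side session store that avoids the three mistakes listed above, as an added example rather than code from the slides: the ID comes from a CSPRNG, it travels only in a cookie with the Secure/HttpOnly/SameSite attributes, and sessions end on logout or after an idle or absolute timeout. The timeout values and the injectable clock are assumptions for the demo.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60         # assumed policy: 15 minutes without a request
ABSOLUTE_LIFETIME = 8 * 3600   # assumed policy: hard cap of 8 hours


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Sessions live on the server; the client only holds an unguessable ID."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                      # injectable for testing
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        now = self._clock()
        sid = secrets.token_urlsafe(32)          # 256 random bits, not a counter
        self._sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user for a valid session, terminating expired ones."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            self.terminate(sid)
            return None
        s.last_seen = now
        return s.user

    def terminate(self, sid: str) -> None:
        """Called on logout: the ID is useless afterwards even if it leaked."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value: Secure (HTTPS only, so no clear-text transmission),
    HttpOnly (no script access), SameSite=Strict (not sent cross-site)."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```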

Page 12: Securing E-Government Services

Threats in E-Government Services

• Insecure Direct Object References

[Figure: Client → Company WWW server → Database. Input www.example.com/invoice?id=4711 → "Find and display invoice 4711"; the client then tries www.example.com/invoice?id=4712, www.example.com/invoice?id=4713, www.example.com/invoice?id=4714]

Prevention
• Eliminate Direct Object References
• Validate Direct Object References on each request
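Both prevention options for the invoice lookup above, as an added example that is not part of the slides: a per-request ownership check that keeps the numeric id, and a per-session indirect reference map that replaces ids with random tokens. The invoice table and user names are constructed for the demo.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample data (not from the slides): invoice id -> (owner, amount)
INVOICES: Dict[int, Tuple[str, float]] = {
    4711: ("alice", 120.0),
    4712: ("bob", 80.0),
    4713: ("alice", 42.5),
}


def get_invoice_validated(user: str, invoice_id: int) -> Optional[Tuple[str, float]]:
    """Option 2: keep ?id=4711 in the URL but check on EVERY request that the
    object belongs to the logged-in user. Missing and foreign invoices give the
    same answer (None -> 404), so the id space cannot be mapped by error type."""
    rec = INVOICES.get(invoice_id)
    if rec is None or rec[0] != user:
        return None
    return rec


class IndirectReferenceMap:
    """Option 1: per-session map from random tokens to real ids. A token is
    only meaningful inside the session that issued it, so there is no
    sequential id to walk through."""

    def __init__(self) -> None:
        self._to_id: Dict[str, int] = {}
        self._to_token: Dict[int, str] = {}

    def token_for(self, invoice_id: int) -> str:
        if invoice_id not in self._to_token:
            tok = secrets.token_urlsafe(16)
            self._to_token[invoice_id] = tok
            self._to_id[tok] = invoice_id
        return self._to_token[invoice_id]

    def resolve(self, token: str) -> Optional[int]:
        return self._to_id.get(token)


def get_invoice_indirect(user: str, token: str,
                         refmap: IndirectReferenceMap) -> Optional[Tuple[str, float]]:
    """Resolve the session token, then still apply the ownership check
    (defence in depth: the map and the check together)."""
    invoice_id = refmap.resolve(token)
    if invoice_id is None:
        return None
    return get_invoice_validated(user, invoice_id)
```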

Page 15: Securing E-Government Services

Threats in E-Government Services

• Probe
• Cross-Site Scripting
• Malware
• Internet Infrastructure Attacks
• Remote2Local (R2L) Attacks
• User2Root (U2R) Attacks
• Sensitive Data Exposures
• etc.

Page 16: Securing E-Government Services

Attack Targets

[Figure: Distribution of Targets, from http://www.hackmageddon.com/2015/06/08/may-2015-cyber-attacks-statistics/]

Page 17: Securing E-Government Services

Recommendations

• To secure governmental organizations we have to establish and implement an ISMS
  – Security policy
  – Guidelines
  – Assigning Security Roles and Responsibilities
  – Technical Security Tools and applications
• Cryptography
• Firewall
• Analysis Tools: e.g. Wikto, Acunetix scanner, CGI and NStalker
• Monitoring Tools

Page 18: Securing E-Government Services

Thanks for your attention!

Page 19: Securing E-Government Services

Any Questions?

Page 20: Securing E-Government Services

References

• Kosutic, Dejan. 9 Steps to Cybersecurity: The Manager's Information Security Strategy Manual, 2012
• ISO 27000 - 27001
• http://www.out-law.com/en/articles/2014/june/singapore-government-data-security-breach-raises-question-of-whether-government-should-be-exempt-from-new-data-protection-rules/
• http://www.informationweek.com/government/cybersecurity/4-worst-government-data-breaches-of-2014/d/d-id/1318061
• http://www.valuewalk.com/2015/06/cyber-attacks-security-and-terrorism-case-studies/?all=1
• http://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-30/dos-attacks.html
• https://www.owasp.org/
• Ndou, V. (2004). E-government for developing countries: opportunities and challenges. The Electronic Journal of Information Systems in Developing Countries, 18.