Security Issues on E-Government
Presented by Pranita Upadhyaya, PhD Student, KU



Presentation Overview
E-Government & its applications
Information Security
Security concerns in E-government
Nepal’s scenario
M-government security

Traditional Government Structure: Characteristics
TOP DOWN
NO or LIMITED LATERAL CONNECTIVITY
LIMITED COLLABORATION
INFORMATION FLOW PREDOMINANTLY VERTICAL
CUSTOMER HAS NO PLACE: WHY?
RULES BOUND
CULTURE: AUTHORITARIAN

Traditional Government Mandate ENACTING & IMPLEMENTING LAWS TAX COLLECTION SECURITY LAW AND ORDER MAINTENANCE NATIONAL DEFENCE

Present Day: Government Mandate
Besides those mentioned above…
Poverty Eradication
Social Development
Enhancing balanced Economic Development
Promote Transparency, Accountability and Democracy
Better Service to public, efficient and cost effective

Definition: E-Government
The use of digital technologies to transform government operations in order to improve effectiveness, efficiency, and service delivery.

Understanding E-Government
e-Government is not about one-time service delivery but about a life-long association!
e-Government is not about isolated government but about partnering with citizens and business!
e-Government is not about government centricity but about stakeholder-centric government!

Advantages
To increase internal efficiency
To create new services
Easy access to information
To participate in global information networks
Information sharing among institutions
Online access to public services
Individual efficiency
High performance in teamwork
Transparent

Examples of e-Services – G2C Birth Certificate Health Care School Admission Scholarships e-Learning Examination Results Employment Services Vehicle Registration Driver’s License Passport/Visa Agriculture Land Record Property Registration Marriage Certificates Taxes Utility Services Municipality Services Pensions Insurance Health Care Death Certificate

Examples of e-Services – G2B Close Expand Operate Start-up Explore Opportunities Approvals Permissions Registrations Returns Taxes Permits Compliance Approvals Permissions Project Profiles Infrastructure State Support Approvals Compliance

Disadvantages
Difficult access for people with disabilities.
Overloaded information.
Ambiguity in the cases of confidentiality, copyrights and protection of public information.
Gaps result from unequal availability opportunities.

What is Information Security?
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Building blocks of secure system
1. Authentication - to prove one’s identity
2. Privacy/confidentiality - to ensure that no one can read except the intended receiver
3. Integrity - the message received by receiver is not altered
4. Non repudiation - to prove that sender has really sent the message
5. Availability - system still functions efficiently after some security violations
No single measure can ensure complete security

Various security measures taken so far……

Symmetric and public key cryptosystems
Symmetric-key cryptosystem: same key is used for encryption and decryption
Public-key cryptosystem: separate keys for encryption and decryption

Public-key encryption: confidentiality
Alice wants to send message M to Bob
–uses Bob’s public key to encrypt M
Bob uses his private key to decrypt M
–only Bob has key
–no one else can decipher M
Identification provided by public key encryption
But … anyone can send message to Bob using his public key
–how are we sure the message came from Alice?

Digital signatures
Electronic equivalent of handwritten signatures
Handwritten signatures are hard to forge
Electronic information is easy to duplicate
Digital signatures using public key encryption
–Idea: Bob uses his private key to “sign” a message
–Alice verifies signature using Bob’s public key
Data authentication provided by digital signatures

Signed challenges
User authentication provided by signed challenges
–Alice and Bob are real or fraud?
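The signature and signed-challenge slides above, as an added example that is not part of the original presentation: Alice sends Bob a fresh random challenge, Bob signs it, and Alice verifies with Bob's public key and refuses any challenge she has already accepted. Textbook RSA on a toy key stands in for a real signature scheme; the key, the `CONTEXT` prefix and all function names are assumptions made for the illustration.

```python
import hashlib
import secrets

# Toy RSA key built from two Mersenne primes so the example needs only the
# standard library. Constructed for illustration: textbook RSA without padding,
# on a modulus that is trivial to factor. Real systems use a vetted library.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537                      # Bob's public key
D = pow(E, -1, (P - 1) * (Q - 1))        # Bob's private exponent

CONTEXT = b"auth-challenge:"             # separates login proofs from other signed data

def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_exponent: int = D) -> int:
    """Bob: sign the SHA-256 digest of the message with the private key."""
    return pow(_digest(message), private_exponent, N)

def verify(message: bytes, signature: int) -> bool:
    """Anyone: check the signature using only Bob's public key (N, E)."""
    return pow(signature, E, N) == _digest(message)

class Challenger:
    """Alice: issues fresh random challenges and accepts each one only once."""

    def __init__(self):
        self._outstanding = set()

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def accept(self, nonce: bytes, signature: int) -> bool:
        if nonce not in self._outstanding:
            return False                 # unknown or already used: a replay
        self._outstanding.discard(nonce)
        return verify(CONTEXT + nonce, signature)

def respond(nonce: bytes, private_exponent: int = D) -> int:
    """Bob (or an impostor holding a different key): sign the challenge."""
    return sign(CONTEXT + nonce, private_exponent)

if __name__ == "__main__":
    alice = Challenger()
    nonce = alice.new_challenge()
    print("genuine Bob accepted:", alice.accept(nonce, respond(nonce)))
```

The freshness of the challenge is what turns a signature into user authentication: a recorded response is useless against the next challenge.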

Certification authority
A third party trusted by all users that creates, distributes, revokes, & manages certificates
Certificates bind users to their public keys
Integrity is provided by the certification authority

Problem still remains…
Problems of attack on availability: disruption or denial of services

Solution
One cannot get stuck with only fault avoidance
Needs to move ahead … towards fault tolerance
Shall cater to the dynamic behavior of the intrusion

Security Assessment & countermeasures
Proper planning, a security program & techniques are essential to cater to threats
–Regarding it, one needs to
  Classify the type of service based on ISMM
  Monitor continuously using Security Readiness assessment
  Follow multiple screening mechanisms

Screening Mechanisms
Prevention
Detection
Mitigation
Response

Prevention
Establishment of policy and access control
–who: identification, authentication, authorization
–what: granted on “need-to-know” basis
Implementation of hardware, software, and services
–users cannot override, unalterable (attackers cannot defeat security mechanisms by changing them)
–examples of preventative mechanisms
  passwords - prevent unauthorized system access
  firewalls - prevent unauthorized network access
  encryption - prevents breaches of confidentiality
  physical security devices - prevent theft
Maintenance

Prevention is not enough!
Bruce Schneier, Counterpane Internet Security, Inc.
Prevention systems are never perfect. No bank ever says: "Our safe is so good, we don't need an alarm system." No museum ever says: "Our door and window locks are so good, we don't need night watchmen." Detection and response are how we get security in the real world, and they're the only way we can possibly get security in the cyberspace world.

Detection
Determine that either an attack is underway or has occurred and report it
Real-time monitoring
Intrusion verification and notification
–intrusion detection systems (IDS)
–typical detection systems monitor various aspects of the system, looking for actions or information indicating an attack
  example: denial of access to a system when user repeatedly enters incorrect password
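The lockout example from the Detection slide, as added example code that is not part of the original presentation: failed logins are counted per user in a sliding window, the account is locked when a threshold is reached, and every later attempt during the lockout is reported. The log format, threshold, window and lockout duration are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, user, outcome (format is an assumption).
SAMPLE_LOG = """\
2024-05-01T10:00:00 alice FAIL
2024-05-01T10:00:20 alice FAIL
2024-05-01T10:00:25 bob FAIL
2024-05-01T10:00:40 alice FAIL
2024-05-01T10:00:50 alice OK
2024-05-01T10:01:10 bob OK
2024-05-01T10:30:00 bob FAIL
2024-05-01T10:30:05 bob FAIL
"""

def detect_lockouts(log, threshold=3, window=timedelta(minutes=5),
                    lock_for=timedelta(minutes=15)):
    """Return (timestamp, user, event) alerts for lockouts and denied attempts."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}               # user -> time at which the lock expires
    alerts = []
    for line in log.splitlines():
        ts_text, user, outcome = line.split()
        ts = datetime.fromisoformat(ts_text)
        # While locked, even a correct password is refused and reported.
        if user in locked_until and ts < locked_until[user]:
            alerts.append((ts_text, user, "DENIED_WHILE_LOCKED"))
            continue
        recent = failures[user]
        if outcome == "OK":
            recent.clear()          # a successful login resets the counter
            continue
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()        # forget failures older than the window
        if len(recent) >= threshold:
            locked_until[user] = ts + lock_for
            alerts.append((ts_text, user, "LOCKED"))
            recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_lockouts(SAMPLE_LOG):
        print(*alert)
```

The lock itself can be used against availability, the concern the later slides raise: anyone who knows a username can keep that account locked, so the alerts need to reach a person or a rate limiter rather than only the log.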

Mitigation
If detection is not possible, reduce the level of security risk
Accomplished by decreasing the threat level
Best strategy is a combination of all three elements,
–decreasing threats by eliminating or intercepting the adversary before attack
–blocking opportunities through enhanced security and
–reducing consequences if an attack occurs

Response
If all of the above are not possible
Stop/increase availability of an attack
–must be timely!
  incident response plan developed in advance
Assess and repair any damage
Resumption of correct operation
Evidence collection and preservation
–very important
  identifies vulnerabilities
  strengthens future security measures

Survey report on E-Government: Nepal’s Scenario
Major threat - DDoS attack
–Not only in Nepal but worldwide…
–Here, increasing system availability is the major concern

Defense Mechanisms
What should be the optimal architecture for Nepal?
Follow a Security Architecture which consists of all the following building blocks
–Prevention
–Detection
–Mitigation
–Response (stop/increase availability)
–Increase cost effectiveness through WOG approach

Research focus…
Development of WOG architecture and its analysis using the SHARPE tool
Markov chain chosen to cater to the dynamic behavior of the intruder
In WOG system - Security sub system architecture made highly available
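What a Markov-chain availability analysis computes, as an added example that is not part of the original presentation and is not the author's WOG model, whose states and rates the slides do not give. The three states and all rates (per hour) are hypothetical; the code finds the steady-state probabilities of a continuous-time Markov chain and reports the fraction of time the service is up.

```python
def steady_state(Q):
    """Solve pi * Q = 0 with sum(pi) = 1 for a CTMC generator matrix Q."""
    n = len(Q)
    # One balance equation per state (columns of Q), right-hand side appended.
    A = [[Q[j][i] for j in range(n)] + [0.0] for i in range(n)]
    A[-1] = [1.0] * n + [1.0]        # replace a redundant equation by sum(pi) = 1
    for col in range(n):             # Gauss-Jordan elimination, partial pivoting
        pivot = max(range(col, n), key=lambda r: abs(A[r][col]))
        A[col], A[pivot] = A[pivot], A[col]
        for r in range(n):
            if r != col:
                factor = A[r][col] / A[col][col]
                A[r] = [x - factor * y for x, y in zip(A[r], A[col])]
    return [A[i][n] / A[i][i] for i in range(n)]

def availability(attack, mitigate, fail, repair):
    """Long-run fraction of time the service is up in a hypothetical model.

    States: 0 = Good, 1 = Under attack but still serving, 2 = Down.
    attack:   Good -> Under attack   (attacks arriving)
    mitigate: Under attack -> Good   (detection and mitigation succeed)
    fail:     Under attack -> Down   (mitigation fails)
    repair:   Down -> Good           (response restores service)
    """
    Q = [
        [-attack, attack, 0.0],
        [mitigate, -(mitigate + fail), fail],
        [repair, 0.0, -repair],
    ]
    pi = steady_state(Q)
    return pi[0] + pi[1]

if __name__ == "__main__":
    # Constructed rates: same attack pressure, slower vs. faster mitigation.
    print(f"baseline:          {availability(0.1, 2.0, 0.5, 0.25):.4f}")
    print(f"faster mitigation: {availability(0.1, 8.0, 0.5, 0.25):.4f}")
```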

M-Government Security
Similar modality could as well be implemented in M-government
Further research in this regard is needed

Thank You for your attention