Roger Clarke's Web-Site © Xamax Consultancy Pty Ltd, 1995-2024
Version of 6 April 2016
© Xamax Consultancy Pty Ltd, 2013-16
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/II/NIS2410.html
This 6-hour segment builds on the foundation lectures. It comprises two segments:
See also the following:
The examinable materials comprise the following:
The Further Reading is not examinable. It's provided in order to enable you to 'drill down' on topics you're particularly interested in.
Week 5 - Tue 15 March, 15:00-16:00 - Phys T
Slides in PDF for viewing, and PDF-4up for printing
This lecture reviews each of the elements that enable networked information systems to be delivered.
During the three decades 1980-2010, networked information systems primarily involved large devices on people's desks interacting with other large devices over physical connections (i.e. wires or cables).
By about 2010, however, wireless networks were delivering sufficient transmission capacity at affordable prices; and handheld devices had become sufficiently powerful to support a wide range of needs. As a result, a significant proportion of activity in networked information systems has migrated to small devices. To date, these are primarily handheld smartphones and tablets; but that may change.
SUB-TOPICS AND REQUIRED READINGS
Categories of Network
Wired
Wireless
Mobile
The NBN
Categories of Network-Connected Device
Network Infrastructure Services
Storage (Permanent, Temporary)
Intermediary Nodes (Local and Backbone Routers, Proxies, Reverse-Proxies)
Uses and Abuses
Services
Spider-Web
Bitcoin and Blockchains
FURTHER READING
Categories of Network
Wired
Wireless
Mobile
The NBN
Categories of Network-Connected Device
Network Infrastructure Services
Storage
Intermediary Nodes
Uses and Abuses
Services
Spider-Web
Blockchains
Bitcoin
Week 5 - Thu 17 March, 14:00-15:00 - HAT
Slides in PDF for viewing, and PDF-4up for printing
Networked information systems involve processes running on two or more devices in a coordinated manner. There are several ways in which devices may interact, ranging from complete dominance of one over the other, to a collaboration among equals. This lecture explains each of the alternatives, and provides examples of their use. It also introduces the emergent 'Internet of Things'.
SUB-TOPICS AND REQUIRED READINGS
Master-Slave
Client-Server
Cloud Computing
Mesh Networking
Peer-to-Peer (P2P)
Telemetry, SCADA, Tags, and the Internet of Things (IoT)
FURTHER READING
Cloud Computing
Mesh Networking
Peer-to-Peer (P2P)
Telemetry, SCADA, Tags, and the Internet of Things (IoT)
Week 5 - Thu 17 March, 15:00-16:00 - HAT
Slides in PDF for viewing, and PDF-4up for printing
All IT is inherently insecure. Networked information systems are even more insecure. Mobile computing is more insecure again.
But what does 'insecure' mean? And what can you do about it? This session presents the conventional security model, and introduces the processes of security risk assessment and risk management. It then identifies a range of security safeguards, and examines the important example of backup and recovery.
SUB-TOPICS AND REQUIRED READINGS
General Reference
The Notion of Security
The Conventional Security Model
Risk Assessment and Risk Management
Safeguards Generally
Backup and Recovery
FURTHER READING
The Notion of Security
The Conventional Security Model
Risk Assessment and Risk Management
Safeguards
Backup and Recovery
Week 6 - Tue 22 Mar, 15:00-16:00 - Phys T
Slides in PDF for viewing, and PDF-4up for printing
An Attack is an Intentional Threat against Information or IT. Malware, such as Viruses, is widely used by Attackers. Phishing is an example of 'social engineering' applied by Attackers. This session examines the diverse forms of malware and outlines relevant safeguards.
SUB-TOPICS AND REQUIRED READINGS
General Reference
Malcontent, Malbehaviour, Malware
Safeguards Against Malware
Other Attacks and Safeguards
FURTHER READING
Malcontent, Malbehaviour, Malware
Safeguards Against Malware
Other Attacks and Safeguards
Week 6 - Thu 24 March, 14:00-15:00 - HAT
Slides in PDF for viewing, and PDF-4up for printing
Because so much data is so important to society and the economy, organisations have legal obligations to protect it. Some of these data protection obligations relate specifically to personal data, so the second part of the lecture discusses privacy. Other obligations exist, however, in relation to other kinds of data. For example, highly-sensitive payments data passes over the networks that support ATMs, EFTPOS, interbank payments within Australia (the HVCS, BECS and CECS networks), and interbank payments internationally (SWIFT).
SUB-TOPICS AND REQUIRED READINGS
Data Protection Obligations
Data Security Safeguards
Privacy
Privacy-Enhancing Technologies
Privacy and Social Media
FURTHER READING
Data Protection Obligations
Privacy
Privacy-Enhancing Technologies
Privacy and Social Media
Week 6 - Thu 25 March, 15:00-16:00 - HAT
Slides in PDF for viewing, and PDF-4up for printing
There are vast numbers of threats and vulnerabilities, and large numbers of safeguards. In principle, risk assessment is necessary in order to work out which safeguards to apply. In practice, people look for short-cuts.
The first segment of this lecture identifies a minimum set of safeguards that every small business (and person!?) should implement. The second segment extends the backup and recovery topic introduced in lecture 3, and examines three additional and vital safeguards - incident management, access control and assertion authentication.
SUB-TOPICS AND REQUIRED READINGS
Minimum Safeguards
Service Continuity and Recovery
Incident Management
Access Control
Authentication of Assertions Generally
Authentication of (Id)Entity
FURTHER READING
Minimum Safeguards
Service Continuity and Recovery
Incident Management
Access Control
Authentication of (Id)Entity
[ ADVANCED DRAFT of 29 March 2016 ]
The aim of this laboratory session is to apply the ideas you met during the four-lecture series on security topics.
Part I is a discussion session.
Part II presents you with some challenges to address. You are then to discuss the results with your colleagues.
Discuss at least the questions in sections A-C, plus whichever of the topics in sections D-F you can fit into the time and find most interesting.
A. Device Seizure
Your mobile phone or tablet has been impounded by the university, under the suspicion that it contains:
What challenges do the investigators have to overcome in order to establish a case against you?
B. Your Defences Against Accusations
The investigators have found some material, and have accused you of committing criminal acts by having inappropriate content on your device.
Assume that you are innocent of the accusations that they've made ...
C. Your Security Safeguards
On your own mobile device(s):
D. Auto-Updating
Your software providers offer to update your operating system, virus-protection and apps automatically. This is done by pushing patches to your device over the network, and using auto-invocation settings to install them on your device, and to activate them.
E. Social Media
F. Internet of Things
You are to first address five challenges, then discuss them within your group.
CHALLENGES (25 MINUTES):
Choose one (or more) device-types and OS that you have some familiarity with and that you have access to during the Laboratory session. Possibilities include the Laboratory desktops running Linux, your own laptop running whatever OS/es you have installed (Windows, OSX, Linux), and smartphones and tablets (iOS, Android, etc.).
Conduct research in order to answer the following questions. You may use any resources you like to assist you. You may work with one or more other people if you wish - this is a learning exercise, not an exam. Of course, you need to keep notes of what resources provided you with which information.
DISCUSSION (25 MINUTES):
You are to spend the remaining available time on the following:
Advance Notice Only - Revision of 30 March 2016
This forms part of Assignment 2, due 16 May 2016
You are to undertake this Assignment in a team of 2 people.
This can be the same team as you used for Assignment 1.
You are to work as a team. You may divide up the work so that some tasks are performed by one team-member, and other tasks by another team-member. However, each of you must share what you've learnt with the other team-member, and your submission must be a single, integrated and cohesive team-answer. Marks will be deducted if it isn't.
1. Apply the risk assessment process to your use of your bank accounts. [30% of the marks]
Relevant sources include Slides 12 and 21 of Lecture 3. As a short guide, use the first 5 steps ('Analysis') in this table in the Required Readings.
Your statements on each point may be reasonably brief, but they need to cover all aspects in the Process. Remember that the primary stakeholder interests that you are to consider are your own, as consumers, not the bank's.
2. You need to do some preparation - explained in (a) and (b). Then you can answer the questions in (c) and (d).
(a) Identify two (2) banks, building societies or credit unions.
You may choose any such organisations, whether you currently use their services or not.
(b) Identify two (2) other organisations that deliver important services over the Internet.
Examples include insurance companies, superannuation funds,
stock exchange brokers, Apple/Microsoft/Amazon/Google, eBay/Gumtree,
Centrelink, the ATO, universities, the Universities Admission Centre (UAC).
Again, you may choose any such organisations, whether you currently use
their services or not.
(c) Describe the access control processes used by each of the four (4) organisations. [30% of the marks]
Relevant sources include Slides 7-11, 16-18 and 25-31 of Lecture 6 and the Required Readings on Access Control.
(d) To what extent do the access control processes used by the four (4) organisations address the risks that you identified in step 1? [25% of the marks]
TEXT?
3. Provide a brief, joint report on your team dynamics during the project. [15% of the marks]
In reflecting on how your team worked, you may find it helpful to consider two models that are used in business:
Include mention in your report of any within-team security issues that you encountered.
If you think it's necessary (and only in those circumstances), you may provide a personal report in addition to the joint report.
_________
a. Gathering Information
The various services that you choose to investigate may be readily accessible to you, and there may even be official documentation and/or community resources to help you answer the questions.
On the other hand, some services might not be readily accessible and/or documentation might not be available.
If you simply cannot find out how the organisation's access control system works, abandon that organisation and choose another one.
If you only find enough information to prepare an incomplete answer, explain what additional information you needed, and why.
b. Sources
In preparing your answers, you may use any published source of information (including, for example, postings on discussion fora).
But of course you must attribute your sources by citing them in the appropriate places, and including them in your reference list.
If you suspect that the best available source of information on any aspect is unreliable or out-of-date, you may use it, but you must communicate your concerns about the information quality.
c. Marking
The primary criterion used in marking your report will be: 'How well does it address the questions?'.
Challenges that you run into in gathering quality information will be taken into account; but you need to explain what those challenges were and what you did about tackling them.
Clear communication is important, and structure and brevity matter.
The length of your report, on the other hand, is a secondary consideration. It should be as long as it needs to be to answer the questions convincingly, and no longer.
However, an indicative length is +/- 2500 words, plus the reference list and attachments as appropriate.
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Research School of Computer Science at the Australian National University, and in the Cyberspace Law & Policy Centre at the University of N.S.W.
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax. From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021. Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer.
Xamax Consultancy Pty Ltd, ACN: 002 360 456, 78 Sidaway St, Chapman ACT 2611, AUSTRALIA, Tel: +61 2 6288 6916
Created: 26 February 2013 - Last Amended: 6 April 2016 by Roger Clarke - Site Last Verified: 15 February 2009