AOS2: Cybersecurity

Goals and Objectives

Goals and Objectives FHS 🛝

• Goals are broad statements that help set an organisations culture and priorities

• Objectives are specific and measurable in service to the larger org goals

• Sub-organisations / Departments should also have Goals and Objectives that follow and support the larger goals

Legislation and Frameworks

Legislation 🛝,  Frameworks (incomplete) 🛝

• Privacy Act 1988 (Privacy Amendment Act 2012) (Federal)

  • APP Summary, Privacy Fact Sheet

  • Applies to all levels of Government, Contractors 

  • Organisations with >$3M turnover, medical info, or sell/distribute personal information

  • Consequences of breaking this law are fines (and loss of reputation, etc) 

    • nad prison for COVID data 2020 amendment

• Privacy and Data Protection Act 2014 (Vic)

  • IPP Summary, PDP FAQ

  • Applies to Vic Governments and Contractors

• Copyright Act 1968 (Federal)

  • Creative Commons

  • Choose a License, Opensource Licenses

  • Politics of GPL

• Essential Eight

• Information Security Manual

Ethics in Software Development

TODO 🛝

• ETHICAL != LEGAL

• Ineffective security practices

• Use of artificial intelligence during development

• intellectual property

• Copyright issues

Details

• Social Impact - displaces/changes jobs & can produce unhealthy work environments

• Inequitable access and training - could exaggerate social inequities (financial, racial, social, accessibility, etc...)

• Creates a reliance on technology - adds risk and requires ongoing maintenance and updates.

• Creates large amounts of data that can be exploited, lost, etc...

• Environmental impact - energy use and e-waste

Cybersecurity

SofDev Environment Vulnerabilities & Security Controls 🛝 (incomplete)

• Vulnerabilities

  • Use of application programming interfaces (APIs)

  • Malware

    • Need to know: virus, worm, trojan, spyware, adware, ransomware

  • Unpatched software

    • Zero-day exploits (not in study design)

  • Poor identity and access management practices

  • Man-in-the-middle attacks  (Computerphile video)

  • Insider threats

  • Cyber security incidents

  • Risks present from software acquired by third parties

  • Ineffective code review practices

  • Use of combined development, testing and production environments

  • Social Engineering (including spear-phishing) not in study design

Software Security Controls

• Version Control

• Identity and access management 

  • Password hashing and salting (is not encryption)
  • Extreme: write up, read down

• Encryption: Symmetric and Asymmetric; In transit and at rest

• Code Review

• Software Updates and Patches

• Separated Dev, Test and Prod environments

• Anti-Malware 

• Physical Security Controls (no longer in study design)

  • Barriers, Locks, Biometrics, Access Logs, Cameras, Guards/Receptionists

  • Security Appliances (Firewalls, VPNs, IPS)

  • Backups, Uninterruptable Power Supplies

Threat modelling principles

TODO 🛝

• Defining security requirements

• Identifying and mitigating threats

• Confirming threats have been mitigated

Criteria for evaluating the security of software development practices within an organisation

Examples

• See the strong privacy policy at code.org as they mainly deal with student data which is inherently more sensitive

• Analyse the privacy policy at repl.it to see how well it might meet the APPs

• See BitWarden for clearly written terms & privacy policy

• Explore Win10 updates - what types of security issues are fixed and how often are updates released?

• PayID data breach - 13 Australian banks 2019, 98000 details lost

  • The Conversation Article

  • AFR Article

• 22k records stolen in ADF Academy hack (SQLi)

• PTV SQLi vulnerability - teen white-hat hacker investigated [1, 2]