Roger Clarke's Web-Site

 

© Xamax Consultancy Pty Ltd,  1995-2017


Roger Clarke's 'Networked Info Systems'

ANU COMP2410 / COMP6340 - Networked Information Systems
Topic Outline

Roger Clarke **

Version of 6 April 2016

© Xamax Consultancy Pty Ltd, 2013-16

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at http://www.rogerclarke.com/II/NIS2410.html


Introduction

This 6-hour segment develops on the foundation lectures. It comprises two segments:

  1. Network Infrastructure and Architecture:
    1. Lecture 1 - Network Infrastructure
    2. Lecture 2 - The Architectures of Networked Applications
  2. Information Assurance and Security:
    1. Lecture 3 - Security of Information and IT
    2. Lecture 4 - Malware and Other Attacks
    3. Lecture 5 - Data Protection and Privacy
    4. Lecture 6 - Key Security Safeguards

See also the following:


The Examinable Materials

The examinable materials comprise the following:

The Further Reading is not examinable. It's provided in order to enable you to 'drill down' on topics you're particularly interested in.


Lecture Outlines
Lecture 1: Network Infrastructure

Week 5 - Tue 15 March, 15:00-16:00 - Phys T
Slides in PDF for viewing, and PDF-4up for printing

This lecture reviews each of the elements that enable networked information systems to be delivered.

During the three decades 1980-2010, networked information systems primarily involved large devices on people's desks interacting with other large devices over physical connections (i.e. wires or cables).

By about 2010, however, wireless networks were delivering sufficient transmission capacity at affordable prices; and handheld devices had become sufficiently powerful to support a wide range of needs. As a result, a significant proportion of activity in networked information systems has migrated to small devices. To date, these are primarily handheld smartphones and tablets; but that may change.

SUB-TOPICS AND REQUIRED READINGS

Categories of Network

Wired

Wireless

Mobile

The NBN

Categories of Network-Connected Device

Network Infrastructure Services

Storage (Permanent, Temporary)

Intermediary Nodes (Local and Backbone Routers, Proxies, Reverse-Proxies)

Uses and Abuses

Services

Spider-Web

Bitcoin and Blockchains

FURTHER READING

Categories of Network

Wired

Wireless

Mobile

The NBN

Categories of Network-Connected Device

Network Infrastructure Services

Storage

Intermediary Nodes

Uses and Abuses

Services

Spider-Web

Blockchains

Bitcoin


Lecture 2: The Architectures of Networked Applications

Week 5 - Thu 17 March, 14:00-15:00 - HAT
Slides in PDF for viewing, and PDF-4up for printing

Networked information systems involve processes running on two or more devices in a coordinated manner. There are several ways in which devices may interact, ranging from complete dominance of one over the other, to a collaboration among equals. This lecture explains each of the alternatives, and provides examples of their use. It also introduces the emergent 'Internet of Things'.

SUB-TOPICS AND REQUIRED READINGS

Master-Slave

Client-Server

Cloud Computing

Mesh Networking

Peer-to-Peer (P2P)

Telemetry, SCADA, Tags, and the Internet of Things (IoT)

FURTHER READING

Cloud Computing

Mesh Networking

Peer-to-Peer (P2P)

Telemetry, SCADA, Tags, and the Internet of Things (IoT)


Lecture 3: Security of Information and IT

Week 5 - Thu 17 March, 15:00-16:00 - HAT
Slides in PDF for viewing, and PDF-4up for printing

All IT is inherently insecure. Networked information systems are even more insecure. Mobile computing is more insecure again.

But what does 'insecure' mean? And what can you do about it? This session presents the conventional security model, and introduces the processes of security risk assessment and risk management. It then identifies a range of security safeguards, and examines the important example of backup and recovery.

SUB-TOPICS AND REQUIRED READINGS

General Reference

The Notion of Security

The Conventional Security Model

Risk Assessment and Risk Management

Safeguards Generally

Backup and Recovery

FURTHER READING

The Notion of Security

The Conventional Security Model

Risk Assessment and Risk Management

Safeguards

Backup and Recovery


Lecture 4: Malware and Other Attacks

Week 6 - Tue 22 Mar, 15:00-16:00 - Phys T
Slides in PDF for viewing, and PDF-4up for printing

An Attack is an Intentional Threat against Information or IT. Malware, such as Viruses, is widely used by Attackers. Phishing is an example of 'social engineering' applied by Attackers. This session examines the diverse forms of malware and outlines relevant safeguards.

SUB-TOPICS AND REQUIRED READINGS

General Reference

Malcontent, Malbehaviour, Malware

Safeguards Against Malware

Other Attacks and Safeguards

FURTHER READING

Malcontent, Malbehaviour, Malware

Safeguards Against Malware

Other Attacks and Safeguards


Lecture 5: Data Protection and Privacy

Week 6 - Thu 24 March, 14:00-15:00 - HAT
Slides in PDF for viewing, and PDF-4up for printing

Because so much data is so important to society and the economy, organisations have legal obligations to protect it. Some of these data protection obligations relate specifically to personal data, so the second part of the lecture discussses privacy. Other obligations exist, however, in relation to other kinds of data. For example, highly-sensitive payments data passes over the networks that support ATMs, EFTPOS, interbank payments within Australia (the HVCS, BECS and CECS networks), and interbank payments internationally (SWIFT).

SUB-TOPICS AND REQUIRED READINGS

Data Protection Obligations

Data Security Safeguards

Privacy

Privacy-Enhancing Technologies

Privacy and Social Media

FURTHER READING

Data Protection Obligations

Privacy

Privacy-Enhancing Technologies

Privacy and Social Media


Lecture 6: Key Security Safeguards

Week 6 - Thu 25 March, 15:00-16:00 - HAT
Slides in PDF for viewing, and PDF-4up for printing

They're are vast numbers of threats and vulnerabilities, and large numbers of safeguards. In principle, risk assessment is necessary in order to work out which safeguards to apply. In practice, people look for short-cuts.

The first segment of this lecture identifies a minimum set of safeguards that every small business (and person!?) should implement. The second segment extends the backup and recovery topic introduced in lecture 3, and examines three additional and vital safeguards - incident management, access control and assertion authentication.

SUB-TOPICS AND REQUIRED READINGS

Minimum Safeguards

Service Continuity and Recovery

Incident Management

Access Control

Authentication of Assertions Generally

Authentication of (Id)Entity

FURTHER READING

Minimum Safeguards

Service Continuity and Recovery

Incident Management

Access Control

Authentication of (Id)Entity


Lab Session 3 - Wk 8, from Mon 18 April (immediately after the Mid-Semester Break)

[ ADVANCED DRAFT of 29 March 2016 ]

The aim of this laboratory session is to apply the ideas you met during the four-lecture series on security topics.

Part I is a discussion session.

Part II presents you with some challenges to address. You are then to discuss the results with your colleagues.

Part I: DISCUSSION - FIRST 45 MINUTES ONLY

Discuss at least the questions in sections A-C, plus whichever of the topics in sections D-F you can fit into the time and find most interesting.

A. Device Seizure

Your mobile phone or tablet has been impounded by the university, under the suspicion that it contains:

What challenges do the investigators have to overcome in order to establish a case against you?

B. Your Defences Against Accusations

The investigators have found some material, and have accused you of committing criminal acts by having inappropriate content on your device.

Assume that you are innocent of the accusations that they've made ...

  1. How could that material have got onto your device?
  2. What can you do to defend ourself against the accusations?

C. Your Security Safeguards

On your own mobile device(s):

  1. What perimeter safeguards do you have?
  2. What internal safeguards do you have?
  3. Are further safeguards available that you're not using? Why not?
  4. Your lecturer for this topic does not run anti-malware software on any of his devices. Why not?
  5. Are there additional safeguards that you'd like to have, but that aren't available to you?

D. Auto-Updating

Your software providers offer to update your operating system, virus-protection and apps automatically. This is done by pushing patches to your device over the network, and using auto-invocation settings to install them on your device, and to activate them.

  1. Which is better:
  2. Does your answer apply to everyone, or only to some categories of people?

E. Social Media

  1. Do you have any concerns about the provider of the social media services that you use?
  2. Are their Terms of Service and Privacy Policy Statements fair?
  3. Do the privacy features and settings that are available fill your needs, and are they reliable?
  4. Are you happy for the service-provider to collect, retain, use and disclose your content, and all of the data about your behaviour?

F. Internet of Things

  1. Identify examples of malperformance of applications of the IoT idea.
  2. Why are these problems happening?

Part II. CHALLENGES, FOLLOWED BY DISCUSSION - 50 MINUTES

You are to first address five challenges, then discuss them within your group.

CHALLENGES (25 MINUTES):

Choose one (or more) device-types and OS that you have some familiarity with and that you have access to during the Laboratory session. Possibilities include the Laboratory desktops running Linux, your own laptop running whatever OS/es you have installed (Windows, OSX, Linux), and smartphones and tablets (iOS, Android, etc.).

Conduct research in order to answer the following questions. You may use any resources you like to assist you. You may work with one or more other people if you wish - this is a learning exercise, not an exam. Of course, you need to keep notes of what resources provided you with which information.

  1. What are the most recently announced malware threats for that particular device-type and OS?
  2. Explain briefly how each threat achieves its designer's objectives.
    Use the three-part structure provided in the lectures (vector, payload, invocation).
  3. What do you think may have been designers' motivation in deploying these malware items?
    What categories of people and organisations can you think of who might have that motivation?
  4. What impact might these particular malware items have on your device?
    On you?
    On other people's devices and interests?
  5. What recommendations are available about how to address these particular malware threats?

DISCUSSION (25 MINUTES):

You are to spend the remaining available time on the following:

  1. Swap your findings with your colleagues.
  2. Are your findings similar, or diverse?
  3. Tell your colleagues what sources you found useful in answering these questions, how you found them, and how you evaluated their reliability and usefulness.

The Assignment: Access Control

Advance Notice Only - Revision of 30 March 2016
This forms part of Assignment 2,
due 16 May 2016

Preparation

You are to undertake this Assignment in a team of 2 people.
This can be the same team as you used for Assignment 1.

You are to work as a team. You may divide up the work so that some tasks are performed by one team-member, and other tasks by another team-member. However, each of you must share what you've learnt with the other team-member, and your submission must be a single, integrated and cohesive team-answer. Marks will be deducted if it isn't.

The Assignment

1. Apply the risk assessment process to your use of your bank accounts.
[30% of the marks]

Relevant sources include Slides 12 and 21 of Lecture 3.
As a short guide, use the first 5 steps ('Analysis') in this table in the Required Readings.
Your statements on each point may be reasonably brief, but they need to cover all aspects in the Process.
Remember that the primary stakeholder interests that you are to consider are your own, as consumers, not the bank's.

2. You need to do some preparation - explained in (a) and (b). Then you can answer the questions in (c) and (d).

(a) Identify two (2) banks, building societies or credit unions.

You may choose any such organisations, whether you currently use their services or not.

(b) Identify two (2) other organisations that deliver important services over the Internet.

Examples include insurance companies, superannuation funds, stock exchange brokers, Apple/Microsoft/Amazon/Google, eBay/Gumtree, Centrelink, the ATO, universities, the Universities Admission Centre (UAC).
Again, you may choose any such organisations, whether you currently use their services or not.

(c) Describe the access control processes used by each of the four (4) organisations.
[30% of the marks]

Relevant sources include Slides 7-11, 16-18 and 25-31 of Lecture 6 and the Required Readings on Access Control.

(d) To what extent do the access control processes used by the four (4) organisations address the risks that you identified in step 1.
[25% of the marks]

TEXT?

3. Provide a brief, joint report on your team dynamics during the project.
[15% of the marks]

In reflecting on how your team worked, you may find it helpful to consider two models that are used in business:

Include mention in your report of any within-team security issues that you encountered.

If you think it's necessary (and only in those circumstances), you may provide a personal report in addition to the joint report.

_________

Notes

a. Gathering Information

The various services that you choose to investigate may be readily accessible to you, and there may even be official documentation and/or community resources to help you answer the questions.

On the other hand, some services might not be readily accessible and/or documentation might not be available.

If you simply cannot find out how the organisation's access control system works, abandon that organisation and choose another one.

If you only find enough information to prepare an incomplete answer, explain what additional information you needed, and why.

b. Sources

In preparing your answers, you may use any published source of information (including, for example, postings on discussion fora).

But of course you must attribute your sources by citing them in the appropriate places, and including them in your reference list.

If you suspect that the best available source of information on any aspect is unreliable or out-of-date, you may use it, but you must communicate your concerns about the information quality.

c. Marking

The primary criterion used in marking your report will be:

'How well does it address the questions?'.

Challenges that you run into in gathering quality information will be taken into account; but you need to explain what those challenges were and what you did about tackling them.

Clear communication is important, and structure and brevity matter.

The length of your report, on the other hand, is a secondary consideration.
It should be as long as it needs to be to answer the questions convincingly, and no longer.

However, an indicative length is +/- 2500 words, plus the reference list and attachments as appropriate.


Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Research School of Computer Science at the Australian National University,, and in the Cyberspace Law & Policy Centre at the University of N.S.W.



xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 26 February 2013 - Last Amended: 6 April 2016 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/II/NIS2410.html
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2017   -    Privacy Policy