Info Security S2 2023 Week 2 Slides

Uploaded by Giezel Madurar


BISM3205: Business Information Security

Week 02:
Part 1: The Need for Security (Ch. 2)
Part 2: Legal, Ethical, Professional Issues (Ch. 3)

Semester 2, 2023
It all starts with an email...

[Entity Name]

Cyberattacks: Phishing as the entry point | 04.10.2021


[Entity Name]

“Somehow in this jumble, millions of e-mails, and then I got one… And I only thought, »what is that?« and somehow before I really thought about it I had already clicked on it. I think I have just said, »No!« and then shut down or whatever. Then it took half a day until they had cleaned my computer again and since then I am in alert and it is now also present.”
(female, 48 years, business unit)

Cyberattacks: Phishing as the entry point | 04.10.2021


Part 1: The Need for Security (Ch. 2)
Week 2 – Part 1 Learning Objectives:
• Demonstrate that organizations have a business need for information security
• Identify the threats posed to information security and the more common attacks
associated with those threats, and differentiate threats to the information within systems from
attacks against the information within systems

When security needs and business needs collide, business wins

Information security performs four important functions for an organization:

1. Protects ability to function
2. Enables safe operation of applications implemented on its IT systems
3. Protects data (stored and transmitted) that the organization collects and uses
4. Safeguards technology assets in use

Protecting the functionality of an organization

Decision makers in organizations must set policy and operate their organizations in compliance with the complex, shifting legislation that controls the use of technology.

We need information security when we store, process, or transmit information

Some definitions – we encountered these in week 1:

• Threat
• Attack
• Exploit
• Vulnerability
• Risk

Threat: a potential risk to an asset, a loss of value, usually targeting a weakness/vulnerability in an asset

Attack: an intentional or unintentional act that can damage or otherwise compromise information and/or the systems that support it

Exploit: a technique used to compromise a system
A zero-day exploit is a cyber attack targeting a software vulnerability which is unknown to the software vendor or to antivirus vendors.

Vulnerability: a (potential) weakness in an asset or its defensive control system(s)

Management must know about the threats so the risks can be evaluated

So let's look at some threats now...

The 12 Categories of Threats – a classification
What top-level patterns do we detect within this data?
• Threat: an object, person, or other entity that represents an on-going danger to an asset
• Internal/external origin; malicious/accidental origin

Category of Threat                    | Attack Examples
Compromises to intellectual property  | Piracy, copyright infringement
Deviations in quality of service      | Internet service provider (ISP), power, or WAN service problems
Espionage or trespass                 | Unauthorized access and/or data collection
Forces of nature                      | Fire, floods, earthquakes, lightning
Human error or failure                | Accidents, employee mistakes
Information extortion                 | Blackmail, information disclosure
Sabotage or vandalism                 | Destruction of systems or information
Software attacks                      | Viruses, worms, macros, denial of service
Technical hardware failures or errors | Equipment failure
Technical software failures or errors | Bugs, code problems, unknown loopholes
Technological obsolescence            | Antiquated or outdated technologies
Theft                                 | Illegal confiscation of equipment or information

Threat #1: Compromises to Intellectual Property
• Intellectual property (IP): “ownership of ideas and control over the tangible or virtual
representation of those ideas”
• The most common IP breaches involve software piracy
- unlawful use or duplication of software‐based intellectual property
• Two watchdog organizations investigate software abuse:
- Software & Information Industry Association (SIIA)
- Business Software Alliance (BSA)
• Enforcement of copyright law has been attempted with technical security mechanisms
(digital watermarks, bad sectors on software media, license agreement window, online
registration)

Threat #2: Deviations in Quality of Service
• Includes situations where products or services are not delivered as expected.
• Internet service, communications, and power irregularities dramatically affect availability of information
and systems.
• Internet service issues
– Internet service provider (ISP) failures can considerably undermine availability of information
– Outsourced Web hosting provider assumes responsibility for all Internet services as well as
hardware and Web site operating system software
• Communications and other service provider issues
– Other utility services affect organizations: telephone, water, wastewater, trash pickup, etc.
• Power irregularities
– Commonplace; organizations with inadequately conditioned power are susceptible. Controls can be applied to manage power quality and fluctuations (short or prolonged)

Threat #3: Espionage or Trespass
• Access of protected information by unauthorized individuals
• Competitive intelligence (legal) vs. industrial espionage
(illegal)
• Shoulder surfing can occur anywhere a person accesses confidential
information
• Controls let trespassers know they are encroaching on
organization’s cyberspace
• Hackers use skill, guile, or fraud to bypass controls protecting others’
information
[Image: Shoulder surfing]
Image source: Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved.

Threat #4: Forces of Nature
• Forces of nature are among the most dangerous threats
• Disrupt not only individual lives, but also storage, transmission, and use of information
• Organizations must implement controls to limit damage and prepare contingency
plans for continued operations

Threat #5: Human Error or Failure
• Includes acts performed without malicious intent
• Causes include:
– Inexperience
– Improper training
– Incorrect assumptions
• Employees are among the greatest threats to an organization’s data
• Again, we need to consider the appropriate controls

Human Error or Failure (cont’d.) – Social Engineering
“People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything.” —Kevin Mitnick

• Social engineering: using social skills to convince people to reveal access credentials or other valuable information to an attacker.
• Phishing: attempt to gain personal/confidential information; apparent legitimate communication hides embedded code that redirects user to third-party site
• Other types:
- Business e-mail compromise
- Advance-fee fraud

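The phishing definition above rests on one trick: a message that looks legitimate while its link quietly sends the reader somewhere else. The Python script below is an added example (not code from the slides or their set text) of one cheap check for that pattern. It parses the HTML body of an email and flags every link whose visible text names one domain while the href actually resolves to another. The message in SAMPLE_EMAIL is constructed for the demo using reserved .example/.test names, and the helper names (find_link_mismatches, domain_of, registrable_domain) are this example's own.

```python
"""Phishing check: flag links whose visible text names a different domain
from the one the href really points to. Added example; sample is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email). The first link shows
# the bank's address as text but actually goes to an unrelated host.
SAMPLE_EMAIL = """<p>Your account has been limited.</p>
<p>Please <a href="http://mybank.example.login-verify.test/x">www.mybank.example/login</a>
to restore access, or <a href="https://www.mybank.example/help">visit our help centre</a>.</p>"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(value):
    """Host named by a URL or a bare 'domain/path' string; None if there is none
    (ordinary link text such as 'click here' yields None)."""
    candidate = value.strip()
    if not candidate or any(ch.isspace() for ch in candidate):
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    return host if host and "." in host else None


def registrable_domain(host):
    """Last two labels of a host (mybank.example for www.mybank.example). This is
    an approximation for the demo; real code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_link_mismatches(html_body):
    """Return [(visible_text, href)] for links whose displayed domain differs
    from the domain the href actually goes to."""
    collector = _LinkCollector()
    collector.feed(html_body)
    mismatches = []
    for href, text in collector.links:
        shown, real = domain_of(text), domain_of(href)
        if shown and real and registrable_domain(shown) != registrable_domain(real):
            mismatches.append((text, href))
    return mismatches


if __name__ == "__main__":
    for text, href in find_link_mismatches(SAMPLE_EMAIL):
        print(f"suspicious link: text shows {text!r} but href goes to {href!r}")
```

The two-label approximation in registrable_domain is wrong for suffixes such as .com.au, so a production check would consult the public suffix list; it also catches only one phishing pattern and belongs alongside sender authentication (SPF/DKIM/DMARC) and user training, not in place of them.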
Phishing Example
• Cybercrime up 600% due to Covid-19 pandemic
• Increased security risk from remote working
• 18 million COVID-related daily phishing emails

https://purplesec.us/resources/cyber-security-statistics/
Information Security Statistics & Phishing
• By the end of 2023, cybercrime is expected to cost the world $8 trillion.
• The global information security market is projected to grow from $172.32 billion in 2023 to $424.97 billion in 2030.
• The average annual cost of a phishing scam in 2021 was $14.8 million for a 9,600-employee organization.

Note: BEC = Business Email Compromise

Impact on People and Society

• Disturbances in public transportation
• Threat to a hospital’s ability to provide patient care
• Potential manipulation of federal elections

...And many more. How do you think phishing impacts you?

Threat #6: Denial of Service
• Denial-of-service (DoS): attacker sends large number of connection or information requests to a target
- Target system cannot handle successfully along with other, legitimate service requests
- May result in system crash or inability to perform ordinary functions
• Distributed denial-of-service (DDoS): coordinated stream of requests is launched against target from many locations (zombies or bots – compromised machines) simultaneously

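The DoS/DDoS distinction above is easiest to see from the defender's side, in the server's own connection log. The Python below is an added example, not part of the slides: it buckets requests into 10-second windows and labels a window "dos" when a single source alone exceeds a per-source limit, and "ddos" when the total exceeds a limit but the load is spread over many sources that each stay under the per-source threshold (the zombie/bot pattern). The log lines produced by make_sample_log() are constructed, using the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24, and the thresholds are illustrative assumptions.

```python
"""Flood detection over a connection log: single-source DoS versus distributed
DDoS. Added example with a constructed log; thresholds are illustrative."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def make_sample_log():
    """Constructed log lines ('<timestamp> <source-ip> <method> <path>') covering
    three 10-second windows: normal traffic, one source flooding, many sources
    flooding. Addresses come from the documentation ranges 203.0.113.0/24 and
    198.51.100.0/24, so nothing here points at a real host."""
    base = datetime(2023, 8, 1, 10, 0, 0)
    lines = []
    for i in range(30):  # window 0: 5 clients, 6 requests each
        t = base + timedelta(seconds=i % 10)
        lines.append(f"{t:{TS_FORMAT}} 203.0.113.{i % 5 + 1} GET /index.html")
    for i in range(120):  # window 1: one source sends 120 requests
        t = base + timedelta(seconds=10 + i % 10)
        lines.append(f"{t:{TS_FORMAT}} 198.51.100.7 GET /search?q=x")
    for i in range(300):  # window 2: 60 sources, 5 requests each
        t = base + timedelta(seconds=20 + i % 10)
        lines.append(f"{t:{TS_FORMAT}} 198.51.100.{i % 60 + 10} GET /index.html")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, source address)."""
    ts, src, _method, _path = line.split(maxsplit=3)
    return datetime.strptime(ts, TS_FORMAT), src


def classify_windows(lines, window_seconds=10, per_source_limit=50,
                     total_limit=200, min_sources=20):
    """Bucket requests into fixed windows (window_seconds must divide 60) and
    label each window:
      'dos'    one source alone exceeds per_source_limit
      'ddos'   total exceeds total_limit but is spread over >= min_sources
               sources, none of which trips the per-source limit
      'normal' otherwise"""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, src = parse_line(line)
        start = ts.replace(second=ts.second - ts.second % window_seconds, microsecond=0)
        buckets[start][src] += 1

    results = []
    for start in sorted(buckets):
        counts = buckets[start]
        total = sum(counts.values())
        top_src, top_n = counts.most_common(1)[0]
        if top_n > per_source_limit:
            verdict = "dos"
        elif total > total_limit and len(counts) >= min_sources:
            verdict = "ddos"
        else:
            verdict = "normal"
        results.append({"window": start, "verdict": verdict, "total": total,
                        "sources": len(counts), "top": (top_src, top_n)})
    return results


if __name__ == "__main__":
    for r in classify_windows(make_sample_log()):
        print(f"{r['window']:{TS_FORMAT}} {r['verdict']:6} total={r['total']:3} "
              f"sources={r['sources']:2} top={r['top']}")
```

The point of the two verdicts is that a per-source rate limit (the natural control for the "dos" case) does nothing against the "ddos" window, where every bot is individually polite; that case needs aggregate controls such as upstream filtering or capacity, which is why the slide treats DDoS separately.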
Threat #7: Deliberate Software Attacks
• Malicious software (malware) designed to damage, destroy, or deny service to target
systems
• Includes the following malware attack vectors:
- Viruses
- Worms
- Trojan horses & backdoors
- Logic bombs
- Polymorphic threats
- Worm hoaxes

Malware Control Strategy (Generic)
1. Malware written and released (currently very easy to do)
2. Security vendors isolate the virus and extract a small sample (we call this the virus signature)
3. Security vendors add this virus signature to their existing database
4. Virus checking software checks files coming to your computer against this database – if a match is found – isolation of file

[Diagram: incoming file → virus checking software]

• This is essentially ‘pattern matching’ – there are obvious conclusions!
• If a virus comprises NEW CODE, it cannot be ‘caught’ in the above model until it has been included in the SIGNATURE DATABASE
• If the SIGNATURE DATABASE is not kept up to date, the control strategy quickly degrades.

Malware Control Strategy (more specific)

• We shall look later in the course at ‘Intrusion Detection Systems’ or IDS
• There is one type of IDS that can monitor file systems – especially ‘critically important’ files within those systems
• Any changes in those critical files – the IDS reports the ‘anomaly’ and this should then be investigated.
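The generic strategy (extract a signature, add it to a database, pattern-match incoming files) and the file-monitoring IDS on this slide are easy to put side by side in code. The Python below is an added example, not vendor code or anything from the set text: scan_file() performs the signature match of step 4 and shows why a sample made of new code passes until its signature is added, while build_baseline() and check_integrity() do the critical-file monitoring, hashing each file with SHA-256 and reporting anything modified, missing or added. SIGNATURE_DB and its byte patterns are made up for the demo, and the "file system" is an in-memory dict so the script runs without touching disk.

```python
"""Signature-based scanning next to file-integrity monitoring. Added example;
signatures, file names and contents are all constructed for the demo."""
import hashlib

# Constructed signature database: name -> byte pattern a vendor extracted from
# a sample (steps 2 and 3 on the slide). These are not real malware signatures.
SIGNATURE_DB = {
    "Demo.Dropper.A": b"DEMO-DROPPER-PAYLOAD-v1",
}


def scan_file(content, signatures=SIGNATURE_DB):
    """Step 4: pattern-match incoming file content against every signature.
    Returns the names of matching signatures; [] means the file passed."""
    return [name for name, pattern in signatures.items() if pattern in content]


def sha256(data):
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """File-integrity IDS, phase 1: record a hash of each critical file.
    `files` maps path -> bytes, an in-memory stand-in for a file system."""
    return {path: sha256(data) for path, data in files.items()}


def check_integrity(files, baseline):
    """Phase 2: compare the current state against the baseline and report each
    anomaly as (path, status) with status 'modified', 'missing' or 'added'."""
    anomalies = []
    for path, digest in baseline.items():
        if path not in files:
            anomalies.append((path, "missing"))
        elif sha256(files[path]) != digest:
            anomalies.append((path, "modified"))
    for path in files:
        if path not in baseline:
            anomalies.append((path, "added"))
    return sorted(anomalies)


if __name__ == "__main__":
    known = b"header DEMO-DROPPER-PAYLOAD-v1 trailer"
    variant = b"header DEMO-DROPPER-PAYLOAD-v2 trailer"   # "new code": no signature yet
    print("known sample :", scan_file(known))             # ['Demo.Dropper.A']
    print("new variant  :", scan_file(variant))           # []  (passes the scanner)
    updated = dict(SIGNATURE_DB, **{"Demo.Dropper.B": b"DEMO-DROPPER-PAYLOAD-v2"})
    print("after update :", scan_file(variant, updated))  # ['Demo.Dropper.B']

    # The integrity monitor does not need to know the variant at all: it only
    # needs the critical file to differ from its recorded hash.
    files = {"/bin/login": b"login v1", "/etc/hosts": b"127.0.0.1 localhost"}
    baseline = build_baseline(files)
    files["/bin/login"] = b"login v1 + implant"
    print("integrity    :", check_integrity(files, baseline))  # [('/bin/login', 'modified')]
```

The two halves answer the slide's "obvious conclusions" directly: the scanner's blind spot is anything not yet in SIGNATURE_DB, whereas the integrity check flags the modified file without knowing what changed it. Its own blind spot is the baseline, which must be taken from a known-good state and stored where the monitored host cannot rewrite it.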
Threat #8: IP Spoofing
Technique used to gain unauthorized access by replacing real IP address with a trusted IP address

Also caller ID spoofing: https://en.wikipedia.org/wiki/Caller_ID_spoofing

GPS position can also be spoofed. Tesla GPS hack: https://www.gpsworld.com/two-years-since-the-tesla-gps-hack/

GPS position spoofing
Scenario 1. Exiting the highway at the wrong location
Scenario 2. Enforcing an incorrect speed limit
Scenario 3. Turning into incoming traffic

Tesla GPS hack: https://www.gpsworld.com/two-years-since-the-tesla-gps-hack/

Threat #9: Man-in-the-middle
Attacker monitors network packets, modifies them, and inserts them back into network
Example: Apple’s SSL Bug: Another Man-in-the-Middle Attack (February 22, 2014)

https://www.keyfactor.com/blog/apples-ssl-flaw-another-man-middle-attack/

Threat #10: Spam
Unsolicited commercial e-mail; more a nuisance than an attack, though it is emerging as a vector for some attacks

Threat #11: Sniffer
Program or device that monitors data packets traveling over a network; can be used both for legitimate diagnostic purposes and for stealing information from a network

Download Network Sniffer Wireshark from here: https://www.wireshark.org/download.html

Tutorial at: https://www.guru99.com/wireshark-passwords-sniffer.html


Global reports (1): 2022 SANS Cyber Threat Intelligence (CTI) survey
From Executive Summary of report – key takeaways:
• More organizations are beginning to develop their CTI capabilities
- Increasing number of respondents report that they are early on their CTI journey
- Still going through the same growing pains that many robust CTI programs previously faced
• Several promising trends from past years (collaboration between CTI teams) in decline
- Mostly due to shift to remote work in response to the COVID-19 pandemic
• Lack of measurements for whether their CTI program is useful/valuable to the organization
- Call for action to find better and easier ways to measure CTI success
• Threat intelligence platforms still not the main tool used by CTI teams
- “spreadsheets/emails” still in the lead
- But encouraging trends towards automation/integration

SANS = System Administration, Networking and Security Institute

Global reports (1): 2022 SANS Cyber Threat Intelligence (CTI) survey
From page 3 of report: the survey participants [figure]

Global reports (1): 2022 SANS Cyber Threat Intelligence (CTI) survey (cont’d)
From the report: some questions [figures]

Global reports (2): Check Point 2022 Cyber Security Report
(Check Point is an American-Israeli multinational provider of software and combined hardware and software products for IT security.)

• Cloud services under attack (p. 21)
• Ransomware-as-a-Service (RaaS) (p. 28)
• Healthcare sector under attack (p. 19)

Summary (Part 1)
• Information security performs four important functions to ensure information assets remain safe and
useful
• Management must be informed about threats to its people, applications, data, and information
systems, and the attacks they face.
- Threats: any events or circumstances that have the potential to adversely affect operations and
assets.
- Attack: an intentional or unintentional act that can damage or otherwise compromise information and
the systems that support it.
- Vulnerability: a potential weakness in an asset or its defensive controls.
• Threats can fall into 12 categories (Note: we did not cover all of them today, see also set text)
- Important to remember: internal/external origin; malicious/accidental origin

Part 2: Legal, Ethical, Professional Issues
(Ch. 3)
Week 2 – Part 2 Learning Objectives
• Differentiate between laws and ethics. Understand the scope of an organization’s legal and ethical
responsibilities.
• Note the major national laws that relate to the practice of information security. This is important
‘terrain’ or ‘environment’ for the IS security professional. We do not strongly focus on the details of the
laws.
• Focus on privacy needs and practical issues

• To minimize liabilities/reduce risks, the information security practitioner must:
- Understand current legal environment
- Stay current with laws and regulations
- Watch for new issues that emerge
• Organization increases liability if it refuses to take measures known as due care (this issue has been amplified by the Internet!)

Ethics

The branch of philosophy that involves systematizing, defending, and recommending concepts of right and wrong conduct.

http://en.wikipedia.org/wiki/Ethics

Ethics – Not just “Good vs. Evil”

What is their relationship?

[Diagram: Moral, Legal, Ethical – ?]

Navigate to this URL in your browser please to submit your answer: apps.elearning.uq.edu.au/poll/50335

What is the difference between: Ethical, moral and legal?

Different words for the same thing
Ethical & moral are the same, legal is different
Ethical and legal are the same, moral is different
Legal & moral are the same, ethical is different
They are all different things

Moral vs. Ethical
Morals define personal character, while ethics stress a social system in which those morals are applied.

In other words, ethics point to standards or codes of behaviour expected by the group to which the individual belongs (national ethics, social ethics, company ethics, professional ethics, family ethics). So while a person’s moral code is usually unchanging, the ethics he or she practices can be other-dependent.

Legal vs. Ethical
Legality is a society's application of ethics to the structure of society.

An act is legal if it complies with governing laws and regulations, whereas an act is ethical if it complies with the ethical policies of an organisation, and it is moral if it is correct in your opinion.

Example

Abortion is legal* and therefore medically ethical, while many people find it personally immoral.

* If necessary to preserve the woman from a serious danger to her life or health - different state laws apply in Australia (http://en.wikipedia.org/wiki/Abortion_in_Australia).

Solution: ?

[Diagram: Moral, Legal, Ethical – ?]

Solution: Nested levels
Legal - Society
Ethical - Organisation
Moral - Person

Why do we talk about “Ethics”?
Most of us, day to day, have a firm ethical compass

So why talk about ethics at all?

Essentially, it’s not always clear, particularly in technology work, what is ‘right’ or ‘wrong’ in a particular situation

Professional ethics provides frameworks to support ethical decisions in uncertain scenarios

Ethics and Standards Bodies
Professional Societies providing ethical standards documents:

• The Australian Computer Society (ACS) has a Code of Ethics
• Engineers Australia (EA) has a Code of Ethics
• Australian Institute of Computer Ethics (AICE) runs conferences and discussion groups on ethical topics
• The Australian Institute of Project Management (AIPM) has a Code of Ethics and Professional Conduct
• APES 110 Code of Ethics for Professional Accountants†

† https://www.cpaaustralia.com.au/professional-resources/accounting-professional-and-ethical-standards/apes-110-code-of-ethics-for-professional-accountants

The Australian Computer Society (ACS) †

“The ACS was established in 1966 as a result of the merger of then existing State based computer societies. It has become the recognised association for IT professionals, attracting a large and active membership from all levels of the IT industry, and providing a wide range of services and opportunities for networking and career enhancement.
It is the public voice of the IT professional; the guardian of professional ethics and standards in IT; with a commitment to the wider community to ensure the beneficial use of IT.”

† https://www.acs.org.au/

ACS and Ethics
The Australian Computer Society Code of Ethics

The code is part of the Society's Regulations

The Society requires its members to subscribe to a set of values and ideals which uphold and advance the honor, dignity and effectiveness of the profession of information technology

https://www.acs.org.au/content/dam/acs/rules-and-regulations/Code-of-Ethics.pdf
ACS Code of Ethics
• It is a standard of behaviour

• Not exhaustive

• Is meant to be illustrative

• Written in terms of specific behaviour

• May conflict with standards from other sources

• The delineation between ethical and unethical has some element of subjectivity

• Members are expected to take into consideration the spirit of the code in
resolving contentious issues

Policy, Law and Ethics in Information Security
• Policies: Most organizations develop and formalize a body of management views/expectations called policy. Policies serve as organizational laws – the view of management.

• To be enforceable, policy must be distributed, readily available, easily understood, and acknowledged by employees – and assessed from a legal viewpoint.

• The Code of Ethics provides a framework for ethical decision-making, while policies provide specific guidance on how to implement that framework in practice.

Privacy
• One of the hottest topics in information security
• Privacy is a “state of being free from unsanctioned intrusion”
• Ability to aggregate data from multiple sources allows creation of information databases previously unheard of
• Many types of privacy issues: spamming, fraud, government intrusion.
• Information Privacy: “the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated to others”. (Alan Westin – Columbia University 1967)

iPhone Privacy Ad (On Blackboard)

Australian IT/Privacy Law
• Telecommunications Act 1997:
- Prohibits breaches of privacy in telecoms traffic. Exemptions made for police – with judicial approval – obligations on internet service
providers (ISPs)
• Cybercrime Act 2001:
- Unauthorised access, modification or impairment with intent to commit a serious offence (Section 477), Possession or control of data with
intent to commit a computer offence (Section 478), Producing, supplying or obtaining data with intent to commit a computer offence (Section
478)
• Spam Act 2003:
- three steps (Consent, Identity, Unsubscription)
• Privacy Act 1988:
- 10 principles: Collection, Use and disclosure, Data quality, Data Security, Openness, Access and correction, Identifiers, Anonymity,
Transborder data flows, Sensitive information.
- Targets public sector. Private sector coverage introduced in 2001.
• Privacy Amendment (Notifiable Data Breaches) Act 2017:
- established the NDB scheme in Australia - applies to all agencies and organizations with existing personal information security obligations
under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.
• TOLA (Access and Assistance) Bill 2018
- “Going dark” – see next slides
• Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021
- Extends TOLA bill – “Unprecedented powers for online surveillance, data interception and altering data”
(Slide annotation beside these items: “the decryption laws”)

“Going Dark” #1
• Traditional ‘person-to-person’ communications – who could access the communicated ‘information’?
• Traditionally, these communications (telephone and ‘snail mail’) have allowed police/law enforcement to ‘listen in’ (subject to judicial approval)

“Going Dark” #2
• Modern unsecured ‘person-to-person’ communications – who can access the communicated ‘information’?
• Email – can be copied at work or in private (with judicial approval). Work calls can be monitored (at work) and can be monitored in private (with judicial approval)

“Going Dark” #3
• Modern secured ‘person-to-person’ communications – who can access the communicated ‘information’?
• Secure email, secure digital apps (e.g. WhatsApp) cannot (in theory) be copied at any intermediate point (‘end-to-end’ communication). This is quite different to routine ‘secured’ digital communications (e.g. between me and my bank – this is explained later in the course in some detail)

“Going Dark” #4
• Modern secured ‘person-to-person’ communications – who can access the communicated ‘information’?
• Secure telephony cannot (in theory) be copied at any intermediate point (‘end-to-end’ communication)

‘Going dark’ – a term first introduced by the FBI (US)
• Short paper: ‘Going dark’: the unprecedented government measures to access encrypted data – Arthur Kopsias – Feb, 2019 (On course Blackboard site)

“The greatest benefit of encryption also creates the biggest problem. Secure, encrypted communications are being used by terrorist groups and organised criminals to avoid detection, and the inability of law enforcement agencies to read or even partially understand encrypted communications has presented real challenges for these agencies worldwide.”

• The trust created by secure communications is essential for digital business.
• ‘End-to-end’ encryption – incorporated into email two decades ago
• ‘End-to-end’ encryption – since approximately 2015 incorporated into mobile telephony services and various apps. This has been developed into a very powerful marketing concept by corporate communication companies (see video from Apple on next slide)
• Over 90 percent of telecommunications information being lawfully intercepted by the Australian Federal Police now uses some form of encryption.
• End-to-end security (i.e. digital privacy) is now a very significant marketing discourse for the corporate telcos

‘Going dark’ – Australian government response
The Telecommunications and Other Legislation Amendment Act 2018 (TOLA Act)
• Also known as the Assistance and Access Act 2018
• Became law on 8 December 2018 – first law of its type! (but not the last!)

• TOLA is an attempt to counter the ‘going dark’ problem faced by Australian law enforcement agencies

• TOLA creates a new operational framework for Australian law agencies seeking access to data
and content held by designated communications providers within or outside the Australian
jurisdiction.

• TOLA has implications for the operation of the US CLOUD Act 2018. This US law enables US federal law enforcement to compel US-
based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are
stored in the U.S. or on foreign soil.

TOLA Act – overview – it is designed to be ‘cooperative’
• Schedule 1 of the TOLA Act inserts a new ‘Industry Assistance’ section into the Telecommunications Act 1997.
- A new operational protocol by which Carriers/Carriage Service Providers (‘CSPs’) will provide assistance to law enforcement and security agencies.

• This ‘Industry Assistance’ framework contains three distinct new powers which allow an agency head to issue:
- ‘technical assistance request’ (TAR) for voluntary assistance from the CSP
- ‘technical assistance notice’ (TAN) for compulsory assistance from the CSP – this power is used in cases where the CSP is already capable of providing the assistance.
- ‘technical capability notice’ (TCN) for new capabilities. This notice can only be used by the Australian Attorney-General and requires a CSP to create a specific capability where the CSP is not currently able to assist.

TOLA Act – overview – carriers/carriage service providers
• The term ‘Carriers/Carriage service providers (CSPs)’ is broadly defined in the Act so that it includes the wide range of entities integral to the 21st century Australian communications operational environment. The main descriptors are as follows:
− CSPs that are based in Australia, and those providers based offshore who operate or supply communications services, devices or products for use within Australia.
− Anyone who facilitates the services of CSPs.
− Electronic service providers (with at least one end-user in Australia) and anyone who facilitates the services of electronic service providers, e.g. Facebook, Google, and Amazon Web Services; and
− Manufacturers of electronic equipment and anyone who facilitates the manufacture of electronic equipment used in Australia, e.g. Samsung, Apple.

TOLA Act – overview – what kind of assistance?
• Section 317E sets out, in some detail, the types of assistance that may be specified. These types include (but are not limited to):
- Providing technical information.
- Facilitating access to services and equipment.
- Removing one or more forms of electronic protection.
- Modifying technology.
- Concealing that the company has done any of the above.
• Example: The assistance may require the issue (to a specific criminal suspect) of a notice to update messaging software – when in fact the ‘update’ will then allow access to the messages of that suspect.
• No introduction of systemic weaknesses and vulnerabilities (also known as ‘backdoors’ for encryption mechanisms)
• Civil immunity is available for CSPs acting in good faith to ensure that they are protected from any legal risk.

TOLA Act – overview – other relevant details
• Organisations: The use of the powers has been restricted to the Australian Federal Police, the Australian Criminal Intelligence Commission, the Australian Security Intelligence Organisation, the Australian Secret Intelligence Service, the Australian Signals Directorate, and State and Territory Police forces.
• Responsible officer: A TAR or a TAN may be issued by the head (or delegate) of each agency above. A TCN may only be issued by the Attorney-General.
• Suspected offence: The use of the powers is connected to the safeguarding of national security or (for State/Territory/Commonwealth Police) the enforcing of criminal law so far as it relates to serious Australian or foreign offences (defined as punishable by a maximum term of 3 years imprisonment, or more, or for life).
• Enforcement: The framework is not intended to be adversarial – it intends to engender a spirit of cooperation. However, the civil penalty for contravention is $10 million for corporate entities and $50,000 for private individuals.
• Oversight and reporting: The Commonwealth Ombudsman or Inspector-General of Intelligence and Security. The use of industry assistance powers is subject to annual reports to the Home Affairs Minister.

TOLA Act – overview – other relevant details (cont’d)
• The TOLA Bill was introduced to the Australian Parliament on 20 September 2018.
• The Bill created significant interest (here and abroad) – the main concerns were:
- Perceived privacy implications
- Withdrawal of international corporate investment in Australia
- Loss of public confidence in Internet trust levels
• The Bill was subsequently referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for inquiry and report.
• The PJCIS then received a very large number of submissions expressing concerns with the Bill (from the Law Society of NSW, the Law Council of Australia, carrier industry providers, law enforcement/security agencies, and a large number of other commercial and private legal institutions).
• The Bill became law on 8 December 2018. The reason given for the rapid passage of these complex reforms: a heightened risk of terrorist incidents over the Christmas and New Year period (2018)

Fast forward to 2021 – Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021
• Updates Surveillance Devices Act 2004 and Telecommunications Act 1979/1997
Three new powers:
1. “data disruption warrants”: allow authorities to “disrupt data” by copying, deleting or modifying data as they see fit
2. “network activity warrants”: permit the collection of intelligence from devices or networks that are used, or likely to be used, by the subject of the warrant
3. “account takeover warrants”: let agencies take control of an online account (such as a social media account) to gather information for an investigation.
What’s different to previous laws?
• Telecommunications Act 1997: only permits interception of, or access to, communications and data under certain circumstances.
• Identify and Disrupt Bill 2021: unprecedented interception or “hacking” powers (access can be gained to encrypted data, which could be copied, deleted, modified, and analysed even before its relevance can be determined).

What are the privacy concerns? What are the security issues and impact?
Privacy concerns & security issues
• The bill may impact third parties who are not suspected in the investigation of criminal activities.
- The bill can authorize access to third party computers, communication and data.
• Broad powers can potentially compel any individual with relevant knowledge of the targeted computer
or network to conduct hacking activities.

• Law enforcement could modify potential evidence in criminal proceedings (Integrity of data)
• In lawful hacking, authorities also depend on zero-day exploits.
- Ethical issues? Think how you’d feel if your government put its citizens at risk by not reporting
software vulnerabilities to software manufacturers so that they can be patched.
- Security issues? In 2016, CIA’s secret stash of hacking tools itself was stolen and published
(https://www.washingtonpost.com/national-security/elite-cia-unit-that-developed-hacking-tools-failed-to-secure-its-own-systems-allowing-massive-leak-an-internal-report-found/2020/06/15/502e3456-ae9d-11ea-8f56-63f38c990077_story.html)
73
Codes of Ethics & Professional Organizations
(next 5 slides – important for professionals – briefly discussed here)
• ACM established in 1947 as “the world's first educational and scientific computing society”.
Membership approx. 100000. Web: www.acm.org
• IEEE established in 1963 to advance theory and application and facilitate innovation in
engineering, computer science and electronics. Currently publishes nearly one third of all
research literature in those disciplines. Membership approx. 420000. Web: www.ieee.org
• Both promote a code of ethics that contains references to protecting information confidentiality,
causing no harm, protecting others’ privacy, and respecting others’ intellectual property
• Sources of information: www.ieee.org and www.acm.org
74
International Information System Security Certification Consortium (ISC2)
• Non‐profit organization focusing on development and implementation of information security
certifications and credentials (CISSP – Certified Information Systems Security Professional)
• Membership approx. 140000. Web: www.isc2.org
• Code primarily designed for information security professionals who have certification
from (ISC)2
• Code of ethics focuses on four mandatory canons:
– Protect society and infrastructure; act honorably/honestly/justly/responsibly/legally;
provide diligent and competent service to principals; advance and protect the profession.
75
System Administration, Networking and Security Institute (SANS)
• SANS is a founding organization of the Center for Internet Security
• Professional organization with a large membership dedicated to protection of
information and systems
• SANS offers set of certifications called Global Information Assurance Certification (GIAC)
• Website: www.sans.org
76
Information Systems Audit and Control Association (ISACA)
• Professional association with focus on auditing, control, and security (i.e. a focus on IT
governance). Formed in 1967.
• Current membership: 140000.
• Concentrates on providing IT control practices and standards (COBIT) – Control Objectives
for Information and Related Technologies – a framework for IT management governance.
• ISACA has code of ethics for its professionals
77
Australian Computer Society (ACS)
• Founded 1966.
• Membership: 45,000.
• Focus: computer and information processing technology
• As the Professional Association and peak body representing Australia’s ICT sector, ACS’
mission is to deliver authoritative independent knowledge and insight into technology, build
relevant technology capacity and capability in Australia and to be a catalyst for innovative
creation and adoption of technology for the benefit of commerce, governments and society.
• Web: www.acs.org.au
78
Australian Cyber Security Centre
• The Australian Cyber Security Centre (ACSC) is the Australian Government lead agency for cybersecurity.
• The ACSC was established in 2014 replacing the Cyber Security Operations Centre.
The role of the Australian Cyber Security Centre is to:
• lead the Australian Government’s operational response to cyber security incidents
• organize national cyber security operations and resources
• encourage and receive reporting of cyber security incidents
• raise awareness of the level of cyber threats to Australia
• study and investigate cyber threats.
The ACSC integrates cyber security capabilities across the Australian Signals Directorate, the Digital
Transformation Agency, the Defence Intelligence Organisation, the Computer Emergency Response Team,
the Cyber Security Policy Division of the Department of Home Affairs, Australian Security Intelligence
Organisation cyber and telecommunications specialists, Australian Federal Police cyber crime investigators,
and Australian Criminal Intelligence Commission cyber crime threat intelligence specialists. The Centre is also a
hub for collaboration and information sharing with the private sector and critical infrastructure providers.
79
AusCERT
• AusCERT is a leading Cyber Emergency Response Team (CERT) for Australia and provides
information security advice to its members, including the higher education sector. It is a single point of
contact for dealing with cyber security incidents affecting or involving member networks.
• AusCERT provides members with proactive and reactive advice and solutions to current threats and
vulnerabilities. We’ll help you prevent, detect, respond to and mitigate cyber‐based attacks.
• AusCERT monitors and evaluates global cyber network threats and vulnerabilities, and remains
on‐call for members after hours. AusCERT publishes the Security Bulletin Service, drawing on
material from a variety of sources, with recommended prevention and mitigation strategies.
• AusCERT's Incident Management Service can be an effective way to halt an ongoing cyber attack or
provide practical advice to assist in responding to and recovering from an attack.
• Web site: www.auscert.org.au
80
Thank you
Dr Lennart Jaeger | Lecturer
School of Business
[email protected]
CRICOS code 00025B