S&T report | Challenges and Opportunities in Information Security

Abstract

The biennial Infosec Challenges report provides information to the Defence Signals Directorate (DSD) on a range of current and emerging areas in information security. In our 2012 report, areas have been selected to reflect potential information security interests across a broad range of ICT scenarios in the Australian Government. In each of these areas, we consider the current state-of-the-art, in research and/or practice, and identify existing challenges and opportunities

Executive Summary

The biennial Infosec Challenges report provides information to the Defence Signals Directorate (DSD) on a range of current and emerging areas in information security. In our 2012 report, areas have been selected to reflect potential information security interests across a broad range of Information and Communications Technology (ICT) scenarios in the Australian Government.

In each area, we have considered the current state-of-the-art, in research and/or practice, and identified existing challenges and opportunities. These areas are:

• The application of Human Computer Interaction (HCI) techniques to computer security, particularly in the area of authentication, by using biometrics, cognitive fingerprints and other contextual interfaces to provide more usable security services.
• Approaches for resilient security that look beyond prevention and detection to incorporate remediation and recovery techniques, enabling ongoing operation in the presence of insecurity.
• Challenges to Service Oriented Architecture (SOA) Security, including the lack of an authorisation standard for SOAs, as well as vulnerabilities affecting SOA-based systems.
• The challenges in implementing and accrediting a Multi-Level Secure (MLS) SOA for Defence, including covert channels, inference and aggregation, and achieving the required levels of certification.
• The risks and challenges yet to be addressed in cloud computing security, including data security, identity and access management (IAM), as well as legal, contractual, governance and policy issues.
• Opportunities to improve data privacy and confidentiality for outsourced computation through expected developments in and application of fully/somewhat homomorphic encryption schemes in the near future.
• Issues that need to be resolved (through policy or research) before personally-owned smartphones and other mobile devices may be integrated into Government operations in a way that is secure, practical and sensitive to the (sometimes conflicting) needs of the various parties involved.
• Challenges to IPv6 transition, including IPv6 protocol vulnerabilities and flaws in the IPv4 to IPv6 transition mechanisms of dual stack, translation and tunnelling.
• Threats associated with untrusted hardware, the entry vectors and possible damage, as well as the potential for an arms race in attempting to find ways to counteract malicious circuitry.
• The modernisation of critical infrastructure by the introduction of "Smart Grid" systems and the security implications of turning well-controlled, contained systems into a massively distributed network.