Background
Information Technology (IT) has been growing rapidly in Afghan higher education institutions.
The new technology allows the universities to connect to the international scientific community and take part in the global knowledge society. The Ministry of Higher Education (MoHE) has been actively promoting the implementation of IT centers and Computer Science study programs throughout the country. Since 2002 the Center of International and Intercultural Communication (ZiiK), directed by Dr. Nazir Peroz, of the Technical University Berlin (TU Berlin) has been a close partner in this field.
As IT spreads through Afghanistan, the need to secure these IT systems grows.
IT users within Afghan universities need to be aware not only of the benefits that IT brings, but also of the threats that accompany it. TU Berlin and the MoHE therefore organized a conference on IT security, held from 4 to 6 August 2009 in the Conference Hall of the MoHE in Kabul. The conference was part V of a series titled Information Technology of Higher Education in Afghanistan that has been organized since 2006 within the scope of the partnership between the MoHE and TU Berlin and has been funded by the German Academic Exchange Service (DAAD).
This fifth conference brought together the Afghan universities, represented by their presidents and IT advisors, the MoHE, and international and national lecturers to discuss IT security issues, with a special focus on threats and possible measures within Afghan higher education. The three days were organized as follows:
Day 1: Introduction to IT Security
Day 2: IT Security Workshops
Day 3: Outcome and Discussion
Day 1: Introduction to IT Security
In the first session the roles of security within society were presented, and the role of IT security in networks and in Afghan universities was discussed. The session was moderated by Prof. M. Osman Babury, Deputy Minister of Higher Education for Academic Affairs, and Dr. Nazir Peroz, Director of ZiiK at TU Berlin.
Opening and Welcome
The conference was opened by Dr. Azam Dadfar, Minister of Higher Education. In his welcome to all participants the minister expressed his pleasure at seeing so many IT specialists taking part in this fifth part of the conference series. The minister summarized the achievements made in the area of IT in recent years.
Currently many Computer Science lecturers of Afghan universities are receiving further qualification abroad. Among them are 25 lecturers from 6 universities who are participating in a Master program at TU Berlin with a scholarship granted by the World Bank, 11 lecturers studying at the Technical University of Bangkok, and further scholarship holders in India and other countries. The minister thanked the DAAD, the German embassy and TU Berlin, especially Dr. Peroz, for supporting this conference as well as many other IT projects in Afghanistan. He also thanked all chancellors, lecturers and participants for joining the conference and expressed his hope that the fruits of the conference will spread to universities throughout the country and be applied in the reconstruction process of Afghanistan.
The second welcoming speech was given by Mr. Amir Zai Sangin, Minister of Communication and Information Technology. After welcoming all participants, the minister stressed the important role that IT plays in the development of the economy, governance, business, and education.
An incident that happens today in Helmand province is reported around the world within seconds. IT in Afghanistan started from zero about six years ago. Today more than 10 million people in Afghanistan use mobile phones, and all six mobile companies in the country also provide mobile Internet access. It is currently estimated that 1 million people in Afghanistan use the Internet. Unfortunately, however, the progress of IT has not been as fast as was hoped at the beginning. Since Afghanistan is a landlocked country, all Internet connections currently go via satellite systems, which are far more expensive and offer lower bandwidth. In the future Afghanistan will be connected to the neighboring countries via fiber optic cable, which is presently being built. The purpose of the current conference is data security. The Ministry of Communication and Information Technology has drafted a law on IT security, which is currently being revised by the Ministry of Justice. The law contains rules for administrative staff and defines the roles of the Ministry of the Interior and the Supreme Court regarding IT security. In the future a team of IT experts should protect Afghanistan against cyber attacks and hackers. It is the responsibility of the government to protect official data from unauthorized access. The minister thanked TU Berlin, the DAAD, and the MoHE for conducting this successful series of conferences on IT.
Words of greeting were addressed by His Excellency Werner H. Lauk, Ambassador of Germany. He was glad to see so many participants directly benefiting from German-Afghan cooperation, as the conference is jointly organized by the ZiiK of TU Berlin and the MoHE with financial support from the DAAD. The ambassador further summarized the academic scholarships currently granted to Afghan lecturers at different German universities. He emphasized the long tradition of academic exchange between Germany and Afghanistan and promised long-term cooperation in the future, as Afghanistan currently needs capacity building and the improvement and modernization of its education system. Germany is cooperating in this regard in order to motivate lecturers and students towards a better and brighter future.
Keynote Speech: Aspects of Security and Measures
Dr. Nazir Peroz, director of the ZiiK of TU Berlin, thanked the ministers and the ambassador for their words of welcome. Dr. Peroz stressed the importance of securing IT in Afghanistan, as the use of this technology is growing rapidly. Concepts have to be developed in order to raise awareness of IT security issues. Governments, institutions, universities, schools, companies and private persons all have to be considered within a basic IT security concept. Before focusing on IT, there needs to be a common agreement on the notion of security in general and on the related terminology.
Dr. Peroz defined security as the state of being free of risk or endangerment. In this definition security refers both to single individuals and to collective bodies, to real objects and systems as well as to abstract subjects. He further noted that there is neither a technical nor an organisational possibility of absolute security. Security is always relative and depends on the assessment of the risk potential in each area. A general framework for security must contain the following elements:
juridical basis,
human resources,
task allocation,
inventory,
allocation of security level,
infrastructure, and
training for affiliates.
Dr. Peroz then gave a series of security threats and measures from different areas of life, among them occupational safety, traffic, the economy, politics, public buildings, and nature.
In traffic, for example, several technical measures are taken to minimize the risk of injury in an accident: brakes, seat belts, air bags, etc. In addition, organizational measures such as traffic rules are implemented, which are in turn supported by technical measures such as traffic lights. Only an understanding of the organizational measures together with functioning technical measures raises the level of security. Turning to IT security, Dr. Peroz defined three fundamental aspects to be considered:
Confidentiality,
Availability, and
Integrity.
He further identified four categories of risks to IT goods: forces of nature, organizational deficiencies, technical deficiencies, and intentional acts. Forces of nature cover threats such as lightning, fire, and water, whereas organizational deficiencies include a lack of regulations and guidelines, a lack of staff, or a lack of training. Technical deficiencies are threats created by the failure of the power supply, the failure of internal supply networks, or the breakdown and loss of databases. The last category of threats is of a criminal nature: examples include the manipulation or destruction of IT components or data, theft, vandalism, attacks, and computer viruses. All of these risks can be dealt with, however. Measures to secure the infrastructure include following rules and regulations, constructing safe buildings, and ensuring a stable power supply to the hardware. To cope with the threats that arise from human resources, the key element is the training of all staff. Further, the staff must be obliged to follow the rules. An IT advisor should be appointed to coordinate this process.
The management, on the other hand, should define an IT security policy for IT usage. The tasks within the policy must be allocated and duties separated among different members of staff. Guidelines should be developed to help the users. To deal with further requests for help, counseling and advice should be available to all users.
Dr. Peroz concluded his presentation by stating that Afghanistan needs an office that coordinates all IT security measures at the national level. The establishment of this Office for Security in Information Technology (ASIT) will be an important step toward a secure and sustainable IT infrastructure in Afghanistan.
Sustainable Network Security for Higher Education in Afghanistan
The talk on sustainable IT in higher education in Afghanistan by Mr. Chi-Thanh Christopher Nguyen, lecturer for Computer Networks and Security at the Department of Communication-Based Systems at TU Berlin, focused on the three main aspects of security: confidentiality, integrity and availability. Institutions of higher education handle sensitive data which needs to be protected. Examples include exams, personal data of students and staff, grades, diplomas and other data which must be retained and produced on request. It was emphasized that security is not a state but a process. While it is not difficult to design a network and declare it 'secure', it has to be continuously verified whether the underlying security assumptions are still valid. Mr. Nguyen proceeded to give an example of a network which was implemented in 2003 at an institution of higher education in Afghanistan: a satellite uplink is connected to a firewall/router, and behind the firewall there are a server and clients. The network plan was good: the router/firewall protects the internal network from external threats, and all traffic from and to hosts on the network must pass the firewall.
However, not long after this network was established, demands came up to give other institutions Internet access too. A second router was installed behind the firewall, giving provisional protection. When the router had no more free PCI slots (Peripheral Component Interconnect) for new network cards, new users were directly plugged into the switches.
This network concept was not sustainable. It worked as originally planned, but it had no provisions for growing the network beyond its original extent. When the network grew, the original security assumption (all traffic from and to the internal network must pass the firewall) was invalidated. Now the internal network is exposed to attacks from the 'new' parts of the network, over which there is no control. The next example that Mr. Nguyen discussed was wireless networks. Part of the 802.11 specification was the encryption method Wired Equivalent Privacy (WEP), introduced in 1997. It was regarded as secure until 2001, when the first practical attack against it was published; refined versions of that attack recover a WEP key within minutes. So all models which made assumptions about the security of WEP had to be re-evaluated in the light of the new results. He further discussed electronic 'high security' locks. Regarded as highly secure, many organisations worldwide rely on these and similar kinds of locks for perimeter security. Yet just two days before the conference a successful attack on them was demonstrated. Moreover, the locks contain auditing functionality, which has also been defeated. So not only could an intruder gain access to a facility, he could also place the blame on the person who last legitimately opened the lock. All security models which make assumptions about the security of these locks now need to be re-evaluated.
Mr. Nguyen concluded that sustainable network security requires a process that continually improves security and reacts appropriately to new developments. New developments are not necessarily newly discovered security vulnerabilities or threats; they can also be part of the development of the Internet as a whole. He pointed to the ubiquitous Internet Protocol version 4 (IPv4), which is used by almost all Internet users at this time. However, IPv4 addresses are almost exhausted. Within a few years it will no longer be possible to obtain new IPv4 addresses.
What is going to happen then? At first, people are going to use more Network Address Translation (NAT). NAT is used to let multiple computers share one public IP address, e.g. a network behind a dial-up Internet connection. A proposal for so-called 'carrier grade NAT' would extend this to entire groups of customers of an ISP. But NAT has severe disadvantages, such as not allowing two-way connectivity: a host behind NAT cannot be reached from outside unless a mapping is set up for it. Workarounds such as UPnP exist, but they are insecure, since any program on the internal network can open such mappings without authentication. NAT also suffers from scalability issues with Web 2.0 applications. For all these reasons NAT cannot be called sustainable. Governments and organizations worldwide are now pushing for IPv6 as the replacement for the aging IPv4 standard, with very limited success so far. Part of the reason is that many security assumptions one might make about an IPv4 network behind NAT (for example, that internal hosts are not directly reachable from the Internet) no longer hold when applied to an IPv6 network, where every host can have a globally routable address. So any sustainable security model should either not rely on assumptions about IPv4 or include provisions for IPv6.
After discussing what should be part of a security model, Mr. Nguyen pointed out that it is also important to consider what should not be part of it. Making a complete list of provisions which a security model should make is not feasible: it would take too much time and effort and result in a very complex model. Instead, security must be improved continuously. A related problem is that security models can be too complex, which means that the model protects against marginal threats or the staff are not sufficiently familiar with the measures. If the security model is too complex, the consequence can be that the staff are unable or unwilling to follow the necessary procedures properly. So each step of creating such a model must involve management and staff through training and by incorporating feedback.
The suggested steps from the German Federal Office for Information Security (BSI) are the following:
1. Initiation of the security process
◦ Acceptance of responsibility by the management
◦ Design and planning of the security process
◦ Creation of the policy for information security
◦ Establishment of a suitable organisational structure for information security management
◦ Provision of financial resources, personnel, and the necessary time
◦ Integration of all employees in the security process
2. Creation of a security concept
3. Implementation of the security concept
4. Maintenance of information security during live operations and implementation of a continuous improvement process
Mr. Nguyen concluded his presentation by emphasizing again that sustainable security requires the implementation of a proper security process, which must ensure that all important threats are defended against while not being too complex for the staff to handle. Procedures must be in place that check the security assumptions and react appropriately to new developments.
Current Situation of IT Security
Mr. Salim Saay, head of the IT Department at the MoHE and lecturer at Kabul University, gave an overview of the current status of IT security at Afghan universities. After a short introduction to security, which summarized the aspects of confidentiality, integrity, and availability, Mr. Saay described the current status of the Internet connection and of the network connections between the different institutions of higher education in Kabul. Kabul Education University, Kabul Medical University, Kabul Polytechnic University, Kabul University, the Ministry of Higher Education, and the Academy of Sciences are or will be connected to the same Internet connection provided by the NATO Silk Highway project. But currently only the computers inside Kabul University are behind a firewall, which leaves the remaining institutions that are already connected exposed. The IT department of the MoHE has so far drafted four security policy documents: a Physical Security Policy, a Network Security Policy, a Server Security Policy, and an Acceptable Use Policy.
Mr. Saay further identified the following problems and threats at Afghan higher education institutions. First, there are often several Internet Service Providers (ISPs) at one organization, which multiplies the cost of the Internet connection. Second, an environment not suitable for IT equipment is threatening the IT infrastructure; dust and temperatures far above the recommended 20 °C for running hardware are just two of many examples. Third, the power supply is not stable in most parts of the country. And fourth, there is a big gap between the current user awareness of IT security and the knowledge needed to provide a secure IT environment.
For each of these threats, Mr. Saay presented a suggested solution.
First, a National Research and Education Network (NREN) should be established.
Second, a person responsible for IT should be named for each IT center.
Third, voltage stabilizers and uninterruptible power supply (UPS) systems should be used for all computer hardware.
Fourth, all employees should participate in IT training. At the MoHE there is currently a capacity building project which trains the administrators to improve their technical skills. Once they have completed the training, the administrators will in turn train the end users.
Mr. Saay concluded his presentation with a request for feedback on the draft IT security policies from all IT advisors of the universities.
Day 2: IT Security Workshops
The second day of the conference focused on current threats to the IT infrastructure of Afghan universities and possible measures to counter them. The day was moderated by Mr. Salim Saay, IT Department of the MoHE, and Mr. René Herlitz, ZiiK at TU Berlin. In the workshop part of the conference, the participants were divided into two working groups. Each working group was opened with an introductory talk, by Mr. Herlitz and Mr. Nguyen respectively. Both working groups followed the same structure but focused on different aspects of IT security. In the first part of the workshop it was discussed which IT goods need to be protected in the Afghan higher education system and which threats these goods are exposed to. In the second part, working group 1 discussed which of these threats could be countered by policy measures, whereas group 2 discussed possible technical measures. In the third part of the workshop the results of the second part were discussed.
Introduction to Security Aspects I: Applications and Usage Regulations
Mr. René Herlitz gave an introductory presentation to the first working group topic. He presented three examples of threats that may be found at universities.
As the first example of a security threat, the following scenario was presented. A university student, Student A, has completed a basic computer training course. He is now granted access to the IT center of the university and has been given a username and password. Student B is a good friend of Student A. He has not yet done a training course, but would like to write an e-mail. To do him a favor, Student A gives Student B his password. As Student B has not been trained at the IT center, he does not know that he has to log out of the system after use. At this computer an attacker now has access to the personal data of Student A and to the internal network of the university. This scenario combines two threats: social engineering, the process of obtaining credentials from a person by exploiting social contact with that person (here, friendship), and a lack of physical access control to the IT center.
In the second example a common medium for the spread of viruses was presented, the USB flash drive. By itself the flash drive is not a threat, but it is a medium that may carry viruses or worms. Since Windows by default runs auto-start programs from newly inserted flash drives, malicious programs can spread even without a network connection. Combined with the fact that most users run Windows with an administrator account, this behavior makes the operating system highly vulnerable. Forbidding the use of flash drives is certainly not a solution, since they are needed for everyday office and academic work; disabling the auto-start function and working with non-administrator accounts are the practical countermeasures.
The third example was a small live demonstration of a so-called cross-site scripting (XSS) attack to steal a password from a user. The following scenario was chosen: a fictitious university named Foo University has a website with several functions, among them a forum on which users can post comments, and a grading system to which only lecturers have access and in which they store the grades of the students. The scenario showed that a badly written web application (the forum) can be a threat to a different application on the same domain (the grading system), because the browser treats everything on that domain as one origin. In the demonstration a student left a comment in the forum that contained not only text, but also a link to the login page of the grading system and some JavaScript code that is executed upon clicking the link. As the forum was badly programmed, it did not perform any checks on the user input, but completely trusted the user and output the complete post unchanged. Now anyone who clicked on the link in the forum was taken to the normal login page. The only difference was that upon clicking the link, the JavaScript code was executed and automatically read the password entered on the login page. In the demonstration the password was just shown in an alert box, but with a slight modification of the code it could have been sent anywhere on the Internet. Using this XSS attack, students would easily have been able to steal the usernames and passwords of their lecturers for the grading system.
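As an added illustration of the forum weakness described above (example code written for this report, not the demonstration given at the conference), the following Node.js snippet renders the same forum post once with the trusting renderer and once with a renderer that escapes the post at the point of output. The post text, the link target and the onclick handler are constructed for the illustration; the script actually used in the demo is not reproduced, and the check function is a heuristic for this example only, not a general XSS detector.

```javascript
// Added example: one forum post rendered by a vulnerable and by a hardened
// renderer. The post and the onclick handler are constructed for this
// illustration; the demo's real script is not reproduced.

// Escape the characters that can open or close a tag or end an attribute
// value. This is the minimum for text placed between tags or inside a
// double-quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: trusts the author's text and copies it into the page as HTML,
// exactly what the Foo University forum did.
function renderPostVulnerable(author, body) {
  return `<div class="post"><b>${author}</b>: ${body}</div>`;
}

// Hardened: every untrusted value is escaped where it enters the HTML; the
// page's own markup is unchanged. A browser shows the post as literal text.
function renderPostSafe(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Heuristic used only here: is there a real tag with an event handler, a
// script element, or a javascript: URL? Escaped text cannot match, because
// its '<' has become '&lt;' and so no tag is opened.
function containsActiveContent(html) {
  return /<[a-z][^>]*\bon[a-z]+\s*=|<script\b|<[a-z][^>]*\b(?:href|src)\s*=\s*["']?\s*javascript:/i
    .test(html);
}

// Constructed attacker post: a link to the grading-system login page that
// carries an event handler (placeholder body instead of a real payload).
const attackerPost =
  'Grades are online: <a href="/grades/login" onclick="/* attacker script */">login</a>';

// Render the same post both ways so the difference can be compared.
function renderBoth(post) {
  return {
    vulnerable: renderPostVulnerable('student', post),
    safe: renderPostSafe('student', post),
  };
}
```

The point is where the escaping happens: at the moment untrusted text is written into HTML, not when it is stored, because the same comment may later be shown in other contexts. Escaping alone does not separate the two applications: as long as the forum and the grading system share one origin, any other injection into the forum still reaches the grading system's pages, so hosting the two on separate origins is the complementary measure.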
At the end of his introduction Mr. Herlitz raised the question of how security policies can help to minimize the mentioned threats and what kind of additional measures are needed for a policy to be effective. These questions were discussed in working group 1.
Introduction to Security Aspects II: Technical Issues
Mr. Chi-Thanh Christopher Nguyen introduced technical aspects of IT security. Institutions of higher education have large amounts of data stored in a decentralized way, with very different security requirements. Mr. Nguyen first addressed the common need for availability. The standard way to increase availability is redundancy. In a given network, having a single network connection to a single server means that if either fails, the clients will no longer be able to access the data. So the first step can be to have two or more redundant network connections, preferably along different routes. However, not only the network needs redundancy, but also the data itself and the servers on which it is stored. Redundant data storage is achieved through backups. With servers, especially database servers, redundancy is further achieved through replication and clustering. The next part of the presentation addressed maintaining data integrity, by using access control to limit who has the privilege to modify the data, and by using cryptographic hashes and digital signatures to detect modifications. Similarly, confidentiality is maintained by access control and by using proper encryption schemes when transferring the data. The demonstration that Mr. Nguyen gave during his presentation showed the insecurity of unencrypted wireless networks: the audience was invited to connect to a specially prepared wireless network, and Mr. Nguyen could then monitor their activities with packet-capture software.
Working Group I: Applications and Usage Regulations
The working group on security policies was moderated by Mr. René Herlitz, TU Berlin, and Mr. Naweed Rahmani, lecturer at Balkh University. By bringing together people working on the administrative and management side of the universities with IT experts such as Computer Science lecturers and IT advisors, the workshop was very productive (see the results section below). In this setting it was possible to discuss security policies from the administrative as well as the technical side. Awareness of the security problems was raised among the participants.
Working Group II: Technical Issues
The second working group, on technical security measures, was moderated by Mr. Chi-Thanh Christopher Nguyen, TU Berlin, and Mr. Abdul Rahman Vakili, lecturer and IT administrator at Herat University. During the workshop the participants analyzed the IT security needs of an institution of higher education in Afghanistan, focusing on the technical side. The workshop combined lively and productive discussion with detailed technical explanation. The results of the three workshop sessions were presented on the third day.
Day 3: Outcome and Discussion
The aim of the final session of this year's conference on IT in higher education was to present the outcomes of the working groups and to discuss the results, leading to a conclusion on the next steps to take. The session was moderated by Prof. M. Osman Babury and Dr. Nazir Peroz.
Presentation of the Results of Working Group I: Applications and Usage Regulations
Mrs. Seema Azimi, Computer Science lecturer at Kabul Polytechnic University, presented the results of the first working group. The first task of the working group was to gather all kinds of IT goods that are valuable in a university. The participants listed:
Official University Data
Personal Data
Software, e.g. University Website
Hardware Equipment
Internet Bandwidth
CPU Time of University Servers
Software
Power Supply
These goods are each exposed to certain threats, which were grouped into three categories: equipment threats, network threats, and threats from insecure applications. In the first category all kinds of natural threats were found: high and low temperatures, humidity, dust, water, and fire. Unauthorized physical access (e.g. through insecure doors or lost keys) is a threat to the hardware equipment, as are power failures and intentional or unintentional improper use.
The software running on university hardware might also be a threat, if the standard software in use is not updated with the latest security patches or if university applications were programmed in a way that leaves security holes open (e.g. the forum of Foo University in the introductory presentation). Usernames and passwords can be obtained not only through insecure applications, but also through so-called social engineering, i.e. a person finds out another person's password by asking or by guessing names of relatives etc. Through any such software security hole, viruses or worms could be installed on the local computer. The sources are numerous: malware from fake websites, e-mail attachments or HTML mails, flash drives, and others were named. A virus might even make the computer part of a bot-net (a network of thousands of infected computers that are remotely controlled by an attacker) so that it attacks other computers without the knowledge of its user. One attack in which bot-nets are used is the distributed denial-of-service attack (DDoS), where thousands of computers access the same service at the same time and thereby cause the service to become unavailable. Mrs. Azimi went on to name the three categories into which working group 1 organized the possible measures against these threats:
1. Infrastructure
2. Training
3. Organization / Management
Possible measures to protect the infrastructure from natural threats are dust filter systems or smoke sensors. During the working group discussion it became clear that the threats are the same at all universities, but the measures to be taken may have to be adapted to the local surroundings. One university might require users to take off their shoes in the IT center to counter the dust problem; at another, a long corridor before the entrance of the IT center might suffice. To counter other threats to the equipment, cleaning guidelines, physical access restrictions for unauthorized users, and uninterruptible power supply (UPS) systems were mentioned. One of the workshop findings was that many security measures are not sufficient if the users are not trained on security issues. It was recommended that all university members who use IT should be trained on security, in order to be aware of the threats and to know the correct behavior to avoid them. Basic training should include Internet guidelines, the use of office applications, the choice of strong passwords, and other topics. One workshop participant suggested that the MoHE should provide basic IT training packages which could be taught at all universities. Further, there should be specific advanced training for users who are responsible for IT tasks that go beyond basic usage. These persons include IT administrators, technical staff, application developers, and web designers. Topics depend on the specific working area; they might include the choice of antivirus programs, software update plans, the use of firewalls, or good programming practices.
As an organizational measure it should be clearly specified who is taking the responsibility for which tasks within the security management. If the university is running a website on its own server, it should be clear, who is taking care of the hardware equipment, who is responsible for security updates of the operating system, the web server, and further software running on the server, who is responsible for the security of the web applications and web pages of the university, and finally who is responsible for the content of the website.
The results of working group I can be summarized as follows:
There is a need for an IT security policy at each university. A security policy framework and security guidelines should be provided by the MoHE, since the threats are the same at the different universities, even though different measures may be taken to counter them.
The Security Policy must incorporate plans for a secure infrastructure, security training, and security management.
Organizational security measures are always accompanied by technical security measures and vice versa.
The security policy must not be static; it is a continuous process in which the following steps are iterated:
1. Preparation of Policy
2. Awareness, Penetration, and Training
3. Evaluation of Outcomes
4. Improvement of Security Measures
The whole process will only work sustainably if there is a person within the university who is responsible for coordinating all security measures. There is a need for an IT security officer at each university.
Presentation of the Results of Working Group II: Technical Issues
The findings of the second working group were presented by Mr. M. Mussadiq Jalalzai, Computer Science lecturer at Kabul University.
The workshop began with the identification of which kinds of data are stored at such an Afghan higher education institution and which aspects of security need to be protected. Among the identified kinds of data with security needs are:
Data stored on a public web server (needs availability; A)
Evaluation and Grades (needs all three of availability, integrity and confidentiality)
Users' passwords (needs integrity and confidentiality; I and C)
Profiles and personal data (all)
Information about lecturers and staff, e.g. bank account, CV (all)
Administrative information:
◦ public information: (I, A)
◦ non-public information: (all)
Official documents, certificates, diplomas: (I, A)
Library data and information system
◦ Information about users: (all)
◦ Information about books and other publications: (I, A)
Research data
◦ Before publication: (all)
◦ After publication: (I, A)
The group then proceeded to discuss some of these issues, beginning with an example library information system consisting of a database server, a client, and a network connection between them. The server stores the data, and the client can read and modify the data on the server.
The confidentiality of the data which is transferred over the network link can be ensured by using encrypting protocols, such as SSL/TLS for the application data or WPA for encrypting all network traffic. These protocols also guarantee integrity.
For availability, we need to guard both against failure of the network and failure of the server. This means having two or more redundant network connections, preferably along different routes, so that if one of them fails, the client will still be able to communicate with the server. For the database, redundancy is achieved by setting up a cluster of servers, so that the failure of one server can be absorbed by the others without interruption of service. The next topic discussed was access control. One problem of access control is making sure that only authorized users can access the data. So users need to be authenticated, or, more precisely, first identified and then authenticated.
Common identification/authentication pairs are:

  Identification   Authentication
  User name        Password
  Smart card       PIN code
  Biometry         Biometry
  RfID             RfID
  Passport         Picture
  Name             Signature
We could for example consider biometry (e.g. a fingerprint sensor) for authentication. One problem with this is that it is also used for identification, and fingerprint sensors in particular often suffer from serious issues, such as:
Vulnerability to replay attacks (if the transmission between sensor and authentication server is not encrypted)
Replica fingers can be made so that the sensor is unable to distinguish them from a real finger
False positive/false negative rates are high with inexpensive sensors
But it has an advantage, namely that it is very easy and convenient to use. The user does not need to memorize a password or carry another type of authentication token with them.
The consequence of the drawbacks is that usually, the classic method of authentication with username and password is used.
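The two steps the workshop distinguishes, identification (which account is claimed) and authentication (proof of that claim), for the classic username/password method, as an added example that is not part of the conference report. The user names and passwords are constructed sample data, and the PBKDF2 work factor is an assumed value.

```python
# Added example, not from the conference report: a minimal user store
# that first identifies the claimed account and then authenticates it.
# Passwords are stored only as salted PBKDF2 hashes, so their
# confidentiality survives a read of the user database.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor; raise as hardware allows


def hash_password(password, salt=None):
    """Return (salt, derived_key); the password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


class UserStore:
    def __init__(self):
        self._users = {}  # username -> (salt, derived_key)

    def add_user(self, username, password):
        self._users[username] = hash_password(password)

    def login(self, username, password):
        # Step 1, identification: look up the claimed identity.
        record = self._users.get(username)
        if record is None:
            # Hash anyway, so an unknown user is not distinguishable from a
            # wrong password by the response time.
            hash_password(password)
            return False
        # Step 2, authentication: verify the proof (the password) against
        # the stored hash using a constant-time comparison.
        salt, stored_key = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(stored_key, candidate)


if __name__ == "__main__":
    store = UserStore()
    store.add_user("lecturer1", "correct horse battery")   # constructed sample
    print(store.login("lecturer1", "correct horse battery"))  # True
    print(store.login("lecturer1", "wrong password"))         # False
    print(store.login("nobody", "correct horse battery"))     # False
```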
The other examples that were discussed during the workshop are summarized in the table below:

  Problem                                        Security aspects   Solution
  Unauthorized listening to WLAN traffic         C                  Encryption
  Research data release                          C, A               Key escrow
  Library database accessibility                 A                  Redundant network and server cluster
  Unauthorized modification of data              I                  Checksums, authentication
  Releasing part of administrative information   C, A               Separation of servers and pushing of public data
  Safe disposal of storage media (hard disk,     C                  Policy (mandating encryption, or shredding/burning afterwards)
  flash memory, CDs, etc.)
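The table's row on unauthorized modification lists checksums together with authentication. The following added example (not from the conference report) shows why both are needed for a grade record: an unkeyed checksum only catches accidental corruption, while a keyed MAC also catches deliberate changes. The record contents and the server key are constructed sample values.

```python
# Added example, not from the conference report: integrity protection for
# a stored grade record, contrasting an unkeyed checksum with a keyed MAC.
import hashlib
import hmac

RECORD = b"student=1234;course=CS101;grade=C"  # constructed sample record


def checksum(record):
    """Unkeyed checksum: anyone who can edit the data can recompute it."""
    return hashlib.sha256(record).hexdigest()


def mac(record, key):
    """Keyed MAC: only a holder of the key can produce a valid tag."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()


def verify_checksum(record, tag):
    return hmac.compare_digest(checksum(record), tag)


def verify_mac(record, key, tag):
    return hmac.compare_digest(mac(record, key), tag)


def tamper_demo(key):
    """An attacker rewrites the grade and recomputes the stored checksum.
    Returns (checksum_detects, mac_detects)."""
    stored_sum = checksum(RECORD)
    stored_mac = mac(RECORD, key)
    forged = RECORD.replace(b"grade=C", b"grade=A")
    forged_sum = checksum(forged)            # attacker can do this...
    del stored_sum                           # ...so the old sum is replaced
    checksum_detects = not verify_checksum(forged, forged_sum)   # False
    mac_detects = not verify_mac(forged, key, stored_mac)        # True
    return checksum_detects, mac_detects


def corruption_demo(key):
    """Accidental corruption (one flipped bit, nothing recomputed) is
    caught by both mechanisms. Returns (checksum_detects, mac_detects)."""
    corrupted = bytes([RECORD[0] ^ 0x01]) + RECORD[1:]
    return (not verify_checksum(corrupted, checksum(RECORD)),
            not verify_mac(corrupted, key, mac(RECORD, key)))


if __name__ == "__main__":
    server_key = b"constructed-server-key"   # keep on the verifying server only
    print(tamper_demo(server_key))       # (False, True)
    print(corruption_demo(server_key))   # (True, True)
```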
Discussion
The first comment in the discussion, which was moderated by Prof. Babury and Dr. Peroz, came from Mr. Salim Saay, Head of the IT Department of the MoHE. Before implementing IT in Afghanistan, it was difficult to handle all the work, but today in the area of education, especially in the MoHE, most of the work is computerized. Infrastructure and networks are needed for the universities as well. Some of them have already taken this step, but the next step is to consider training staff and security. The heads of universities should use the ideas collected here in the conference and support the teachers who are going to teach and implement IT in universities. In terms of security we have to think about the students' data stored on the servers as well.
Dr. Hamidzay, Dean of Kabul Education University, noted that we should prevent the problems before we face damages. In the area of IT training and educating people, it is necessary to start on time. We have to use IT properly as well. Infrastructure and hardware are not sufficient; if the expertise and knowledge about the systems are not there, it will be impossible to improve the university's activities with the help of IT.
Dr. Shirshah, Dean of the Foreign Affairs Office in the MoHE, said that it is important to extend IT equally to all universities. Otherwise there will be a lack of good connection and coordination among them. This may go as far as losing scholarships for lack of good connectivity. Something needs to be done towards having a proper connection and co-operation between the MoHE and the universities.
Mr. Shafiq, director of IT at Kabul Medical University, said that at his institution there are many computers but not enough lecturers to teach. In his opinion, the most important problem is that we do not have IT personnel in our university and no salary is budgeted for them.
Prof. Rashid, Dean of Alberony University, mentioned that most of the time we are speaking about IT in public universities, but the private universities should be a part of this process as well.
Summary and Conclusion
Prof. M. Osman Babury started the summary and conclusion by expressing thanks for the valuable outcomes of the workshop. This conference has been the first conference within the Ministry of Higher Education dealing with the topic of IT security. He was glad that the importance of this topic was spread throughout all Afghan higher education institutions through the conference.
Prof. Babury further stated that he would be glad about any comments on the draft of the IT Security Framework prepared and distributed to the participants by the IT department of the MoHE. After its finalization the framework will be sent out to all universities where it can be adopted as a security policy according to the specific needs of the university.
Prof. Babury further stated that the implementation of policies needs resources and facilities, which have to be identified. On the human resources side, he emphasized the increase of qualified personnel at six Afghan universities after the return, in March 2010, of 25 lecturers currently participating in a Master program at TU Berlin. To further extend the qualification of university staff, Prof. Babury announced that talks about future scholarships have been and are being held with different foreign institutions, TU Berlin being one of them. On the infrastructural side, the universities of Kabul and Herat can count on well-equipped IT centers with qualified staff that will play a key role in raising security awareness and training students, lecturers, and employees on this issue. The third resource needed is financing. The MoHE will implement its promises and has set up a renewed financial plan for five years. Currently the MoHE is trying to coordinate and synchronize the efforts within the universities, as not all universities are showing the same progress in achieving the planned goals. He concluded his speech by thanking Dr. Peroz and his ZiiK team from TU Berlin, the DAAD, and the German Embassy for their support.
Dr. Nazir Peroz remarked that the responsibility for IT risks is not limited to the respective IT departments and their personnel, but is a task of the whole society, of common sense and human reasoning, of thoughtful organizational arrangements, and of responsible, well trained and well informed staff. Therefore the Afghan society needs, first, trained personnel, second, trained personnel, and third, trained personnel. These personnel will later independently adhere to security requirements in a disciplined and routine manner and will train the staff on the risks of the technologies at their workplaces.
Security is a basic need of human beings and therefore of society. The societal changes, the increasing number of IT systems, the increasing dependence on technology, the lack of personnel and technical resources, as well as the small financial budgets force Afghanistan to think about IT security. Otherwise Afghanistan will face massive damage through IT risks, which will limit the country's ability to develop, act, and manage.
Dr. Peroz continued with a short reflection following up on his presentation on the first conference day. IT security is an ongoing and never-ending process in which 100 % can never be reached; 100 % availability and 100 % integrity cannot always be achieved at the same time. IT threats are worldwide and Afghanistan is no exception in this regard. But plans need to be made for how attacks can be countered in the future, because currently Afghanistan's IT is like a glass house, and all neighbors can look inside. He further remarked that in the conference we have covered issues such as terms, law, training, management, and infrastructure. Although some laws regarding IT are already in place, there are still deficiencies in enforcing these laws. IT users need to be made aware and trained in order to use IT according to these laws, policies, and rules. This challenge will need to be met by the growing young generation of IT professionals in Afghanistan.
Regarding the drafting of IT policies and laws, Dr. Peroz further suggested that these activities should be done in cooperation and coordination with the Ministry of Communication and Information Technology, as this issue affects both sectors.
Dr. Peroz thanked Prof. Babury and Mr. Saay for their continuing efforts in the establishment of a stable IT supply at Afghan universities.
Acknowledgments
Conference Organization:
Salim Saay, MoHE, IT Department
Photos:
Haidar Zazaiy, MoHE, IT Department
Tareq, MoHE, IT Department
Jaweed, MoHE, Publication Department
Conference Translation:
Naweed Rahmani, Balkh University
Seema Azimi, Kabul Polytechnic University
Abdul Rahman Vakili, Herat University
Abdul Sattar Kakar, Kandahar University
Protocols:
Ogai Ahmadi, Kabul University
Fereshteh Forough, Herat University
M. Ismail Khatibi, Nangarhar University
Obaidullah Rashed, MoHE
Zoia Sahab, Kabul University
Ahmad Zia Sharifi, Nangarhar University
Haji-Ghul Wahaj, Nangarhar University