Information Security
23 September 2008, SecureComm 2008, Istanbul
Dr. Detlef Eckert, DG Information Society and Media, European Commission

The Good
• Of course, we security guys have done our best
• Despite security problems the Internet has been growing dramatically
A step back
• For a long time information security was mainly about “keeping a secret”
  • Today we speak of “confidentiality”
• It was all about making and breaking code
  • Today we speak of “cryptography”
• Information also needed to be accessible
  • Today we speak of “availability of service”
• Assurance that information was authentic (unchanged)
  • Today we speak of “integrity”
• Who was behind that information
  • In other words, the identity of someone or something is the information we want to authenticate
  • Today we speak of “identity” or “identity management”

How did we solve it?
• Paperless world
  • Use your imagination, or better not
• Paper world
  • Cryptography, signature, making copies, lockers
• Telegraph and telephone world
  • Physical access control, network integrity, telephone number, <voice recognition>, <cryptography>
• Radio communication world
  • Cryptography, telephone number, <voice recognition>, network integrity
• What about the digital world?

Security in the digital world is trickier
• Computer communication virtualises the real world
  • Crashing a computer can mean losing the information equivalent of a library, but you may have a copy
• Computers and the Internet are more complex than traditional communication means
  • The Internet is not a centrally managed network
  • Not designed with security in mind
  • Much responsibility is pushed to the edge
  • And at the edge there are millions of users, most of whom do not understand much about computers
• Nevertheless people want freedom (and they love to click on the “dancing pigs” link)
• => Security is becoming complex
• => This is why you guys have a job

What were our early headaches?
• The encryption debate
  • National security concerns
  • Export control
• Viruses and worms
  • A blow to Microsoft
• Hacking
  • Prominent targets
• Keeping pace with patches
  • Patches were of poor quality
• SPAM
  • Costly and dangerous

How did we tackle them?
• People deployed security technologies (FW, AV, ID, …)
• SSL added a security layer to the Web
  • Arguably the most widely deployed cryptographic solution
• Vendors wrote better code
• Export controls abandoned
• Changed user behaviour (somewhat)
  • Partly enforced through secure configuration
• Digital signatures (laws)
  • Have not really taken off yet
THE BAD
“… you cannot protect everything, so I will make my money”
Information security costs a lot of money (spent so that nothing happens)

Extrapolation of threats is not really useful
The picture is more complex (a collage of press headlines)
• “Phishing attacks soar in the UK”
• “Internet security: Code Red”
• “Big web flaw, and a solution on the way” (Grosse faille du web, et solution en chemin)
• “Cyberwar and real war collide in Georgia”
• “Revealed: 8 million victims in the world's biggest cyber heist”
• “The Evolution of Cyber Espionage”
• “Web giants spark privacy concerns”
• “YouTube case opens can of worms on online privacy”
• “Civil-society anger mounts against Edvige, the police personal-data file” (La colère associative monte contre Edvige, le fichier policier de données personnelles)
• “Cloud computing lets Feds read your email”
• “Phorm to use BT customers to test precision advertising system on net”
• “UK's Revenue and Customs loses 25 million customer records”
• “Big Brother spying on Americans' Internet data?”
• “Defenseless on the Net”
• “Big Brother tightens his grip on the web”
• “Six more data discs 'are missing'”
• “Lessons from SocGen: internal threats need to become a security priority”
• “Identity theft, pornography, corporate blackmail: in the web's underworld, business is booming”
• “Internet wiretapping: bugging the cloud”

Security, Privacy, Trust
• Number one threat is stolen or lost computer equipment (notably laptops)
• Slowly people begin to realise that protecting data will be the battleground

We can see some patterns
From the ‘walled fortress’:
• Closed doors, physical isolation
• Security as protection, perimeters
• Defending data and systems
• Avoid data use
To the ‘open metropolis’:
• Open, complex, interconnected
• Trust and accountability
• Sharing data: creativity and innovation
• Regulated data use (privacy, identity)

THE UGLY
“Maybe, but all I want is to stay ahead of you”
We do not really know what is ahead of us
Three major prerequisites for trust: looking for scalable and usable solutions
• Data protection and control
  • Remember? The old problem of secrecy
  • Today data flow in all directions
  • Privacy enforcement
• Identity layer for the Internet
  • How to scale authentication methods, e.g. PKI?
• Security fabricated into systems, service architectures, and networks
  • Less a matter of security products, more part of the architecture
  • Attention to the weakest link (today less the OS than the application), end-to-end security
  • Reduce the role of the user, but sound security policies to be implemented by professionals

Where are we?
• The market will decide about technologies and business models
  • Security is not absolute and costs money
• No central decision making, distributed solutions
  • Pre-competitive industry co-operation
  • Ex: Liberty Alliance, AntiPhishingWG, …
• Regulation and policy
  • Privacy law
  • Fighting cyber crime
  • Network security provisions
• We also need research

FP6: Towards a global dependability & security framework (2003-2006)
Research focus:
• Security and dependability challenges arising from complexity, ubiquity and autonomy
• Resilience, self-healing, mobility, dynamic content and volatile environments
• Multi-modal and secure application of biometrics
• Identification, authentication, privacy, Trusted Computing, digital asset management
• Trust in the net: malware, viruses, cyber crime
Budget ~ 145 M€
[Diagram: ICT Work Programme 2007-08, 33 new FP7 projects in Security & Trust, 110 M€. Areas shown: Network infrastructures (4 projects, 11 m€); Dynamic, reconfigurable service architectures (4 projects, 18 m€); Identity management, privacy, trust policies; Critical Infrastructure Protection; Enabling technologies for trustworthy infrastructures: biometrics, trusted computing, cryptography, secure SW (6 projects, 22 m€); Coordination Actions: research roadmaps, metrics and benchmarks, international cooperation, coordination activities. Further per-area figures in the diagram: 1 project 9.4 m€; 4 projects 3.3 m€; 4 projects 22.5 m€; 3 projects 9.8 m€; 9 projects 20 m€.]
Security in network infrastructures: 4 projects, 11 m€ EC funding
Main R&D project priorities
• An integrated security framework and tools for the security and resilience of heterogeneous networks (INTERSECTION)
• A networking protocol stack for security and resilience across ad-hoc PANs & WSNs (Awissenet)
• A message-oriented MW platform for increasing resilience of information systems (GEMOM)
• Data gathering and analysis for understanding and preventing cyber threats (WOMBAT)

Security in service infrastructures: 4 projects, 18 m€ EC funding
Main R&D project priorities
• Assuring the security level and regulatory compliance of SOAs handling business processes (IPMASTER)
• Platform for formal specification and automated validation of trust and security of SOAs (AVANTSSAR)
• Data-centric information protection framework based on data-sharing agreements (Consequence)
• Crypto techniques for computing optimised multi-party supply chains without revealing individual confidential private data to the other parties (SECURE-SCM)

Security enabling technologies: 6 projects, 22 m€ EC funding
Main R&D project priorities
• Trusted Computing
  • IP TECOM: trusted embedded systems, HW platforms with integrated trust components
• Cryptography
  • NoE eCrypt II
• Multi-modal biometrics
  • Multi-biometric authentication (based on face and voice) for mobile devices (MOBIO)
  • Activity-related and soft biometrics technologies for supporting continuous authentication and monitoring of users in ambient environments (ACTIBIO)
• Secure SW implementation
  • Providing SW developers with the means to prevent occurrences of known vulnerabilities when building software (SHIELDS)
  • A toolbox for cryptographic software engineering (CACE)

Timetable for Work Programme 09-10
• 25-27 Nov: presentation at the ICT Conference in Lyon (FR)
• ~ Apr 09: closure of Call 4
• ~ Oct 09: closure of Call 5 (Trustworthy ICT)
• ~ Feb 10: closure of Call 6
Becoming an expert?
https://cordis.europa.eu/emmfp7/
http://cordis.europa.eu/fp7/ict/security/home_en.html

Security, Privacy, Trust in the Information Society
[Diagram: three axes around the question “Trustworthy Information Society?”: Technology & Innovation, End-Users & the Society, Policy & Regulation. Items shown:]
• Complexity, ease of use
• Role of end-users
• Society-protecting business models
• Global ICT - national “frontiers”
• “Economics of security”
• Policies for privacy-respecting T&I?
• Protection of human values
• Transparency, accountability
• Auditing and law enforcement