310 likes | 427 Views
Communications-Electronics Security Group. Communications-Electronics Security Group. Excellence in Infosec. John Doody. Head of Infosec Customer Services Group David Hodges Technical Manager, UK IT Security, Evaluation & Certification Scheme. National Technical Infosec Authority.
E N D
Communications-Electronics Security Group Excellence in Infosec
John Doody Head of Infosec Customer Services Group David Hodges Technical Manager, UK IT Security, Evaluation & Certification Scheme
Presentation to The First International CommonCriteria Conference, Baltimore23 May 2000
Agenda • Introduction • The UK Evaluation and Certification Services • Summary
Increasing Threats Increasing Exposure Increasing Expectations from viruses, hackers, fraud, espionage greater dependence on IT, increasing connectivity from customers, partners, auditors, regulators The increasing need forinformation security
Information Security Breaches Survey 2000 (sponsored by DTI) • UK e-commerce transactions in 1999 were valued at c. £2.8bn • This sum is projected to grow ten-fold over the next 3 years • 1 in 3 business in the UK currently buys or sells over the Internet - or is intending to in the near future
Waiting for the electronic Nemesis? • The cost of a single serious security breach can be in excess of £100,000 • Over 60% of organisations sampled, had suffered a security breach in the last 2 years • 1 in 5 organisations still does not take any form of security into account before buying and selling over the Internet
Worse to follow? “By 2003, losses due to Internet security vulnerabilities will exceed those incurred by non-Internet credit card fraud” GartnerGroup - May 1999
The longer term? “The 21st Century will be dominated by information wars and increased economic and financial espionage” Alvin Toffler
High Sophistication of Tools packet spoofing stealth diagnostics sniffers backdoors exploiting known vulnerabilities password cracking Knowledge Required password guessing 1980 1985 1990 1995 Low Source: US General Accounting Office, May 1996 Growing proliferation of hacking tools and know-how
Network sniffing “Denial-of-service” attacks Computer hacking Eavesdropping Computer viruses, worms, logic bombs Password cracking Espionage Sabotage Electronic weapons Open source intelligence Information blockades Agent recruitment Deception Trojan horse programs Perception management Network or email address spoofing Data modification Hoax emails Social engineering The world of information warfare
How do we ensure that these risks are minimised? • UK ITSec • Common Criteria • Mutual Recognition
Certification Experience • A decade of Evaluation & Certification • Founding sponsor of Common Criteria • Over 230 Product & System Evaluations • ITSEC, TCSEC & Common Criteria • Five commercial ITSEFs (CLEFs)
Certification Experience • Wide range of products • Operating systems & databases • Firewalls, Smartcards & Public Key Infrastructures • Wide range of customers • 70% Multinational • Government and Commerce • Wide range of assurance • Smartcard certified to ITSEC E6 • Firewalls & Operating System to E3/EAL4
The Result of that Experience • Providing the assurance required • understanding vulnerabilities • procedures & documentation • feedback & review • Meeting the customer’s requirements for • shorter timescales • reduced risk • increased efficiency
Where the Future Lies • Tailored evaluations • assurance & functionality components • Mutual Recognition an Option • Re-use • certificate maintenance • integrating certified products
The Certification Body • Supports both ITSEC & Common Criteria • Promoting migration to Common Criteria • Accredited to EN45011 • Operates cost recovery
The Developer’s Perspective • Preparation • what do you need? • the ITSEF & the Certification Body • Evaluation • deliverables • problems reports • Certification • the certification report • certificate maintenance
National Infrastructure Security Co-ordination Centre Protecting the Infrastructure
Cabinet Office Security Service ACPO MOD Home Office Met Police
NISCC Role • Initial poc on electronic attack issues • Develop effective working relations with and between CNI organisations • Assess vulnerabilities, promote protection • Monitor threat, provide assessments • Ensure suitable handling of incidents
Key Principles Partnership Trust Confidentiality
The world of information security Platform security Physical security Risk management Firewall & connectivity management Fallback planning Business continuity management Encryption Password management Incident response & crisis management Authentication & access control Monitoring & intrusion detection Certificate registration& management Virus prevention & detection Personnel security Penetration testing Security architecture Infrastructure security management Confidentiality Availability Integrity
Summary • Real threats • Real risks • Need for evaluated products and systems • UK has excellent track record in evaluation and certification services
Want to know more? • Visit CESG stand • Contact jsdoody@cesg.gov.uk • Email us at info@itsec.gov.uk • Visit our website at www.itsec.gov.uk • Telephone us on +44 1242 238 739 • Fax us on +44 1242 235 233