1 / 30

Communications-Electronics Security Group

Communications-Electronics Security Group. Communications-Electronics Security Group. Excellence in Infosec. John Doody. Head of Infosec Customer Services Group David Hodges Technical Manager, UK IT Security, Evaluation & Certification Scheme. National Technical Infosec Authority.

mya
Download Presentation

Communications-Electronics Security Group

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Communications-Electronics Security Group

  2. Communications-Electronics Security Group Excellence in Infosec

  3. John Doody Head of Infosec Customer Services Group David Hodges Technical Manager, UK IT Security, Evaluation & Certification Scheme

  4. National Technical InfosecAuthority

  5. Presentation to The First International CommonCriteria Conference, Baltimore23 May 2000

  6. UK Evaluation andCertification Services

  7. Agenda • Introduction • The UK Evaluation and Certification Services • Summary

  8. Increasing Threats Increasing Exposure Increasing Expectations from viruses, hackers, fraud, espionage greater dependence on IT, increasing connectivity from customers, partners, auditors, regulators The increasing need forinformation security

  9. Information Security Breaches Survey 2000 (sponsored by DTI) • UK e-commerce transactions in 1999 were valued at c. £2.8bn • This sum is projected to grow ten-fold over the next 3 years • 1 in 3 business in the UK currently buys or sells over the Internet - or is intending to in the near future

  10. Waiting for the electronic Nemesis? • The cost of a single serious security breach can be in excess of £100,000 • Over 60% of organisations sampled, had suffered a security breach in the last 2 years • 1 in 5 organisations still does not take any form of security into account before buying and selling over the Internet

  11. Worse to follow? “By 2003, losses due to Internet security vulnerabilities will exceed those incurred by non-Internet credit card fraud” GartnerGroup - May 1999

  12. The longer term? “The 21st Century will be dominated by information wars and increased economic and financial espionage” Alvin Toffler

  13. High Sophistication of Tools packet spoofing stealth diagnostics sniffers backdoors exploiting known vulnerabilities password cracking Knowledge Required password guessing 1980 1985 1990 1995 Low Source: US General Accounting Office, May 1996 Growing proliferation of hacking tools and know-how

  14. Network sniffing “Denial-of-service” attacks Computer hacking Eavesdropping Computer viruses, worms, logic bombs Password cracking Espionage Sabotage Electronic weapons Open source intelligence Information blockades Agent recruitment Deception Trojan horse programs Perception management Network or email address spoofing Data modification Hoax emails Social engineering The world of information warfare

  15. How do we ensure that these risks are minimised? • UK ITSec • Common Criteria • Mutual Recognition

  16. Certification Experience • A decade of Evaluation & Certification • Founding sponsor of Common Criteria • Over 230 Product & System Evaluations • ITSEC, TCSEC & Common Criteria • Five commercial ITSEFs (CLEFs)

  17. Certification Experience • Wide range of products • Operating systems & databases • Firewalls, Smartcards & Public Key Infrastructures • Wide range of customers • 70% Multinational • Government and Commerce • Wide range of assurance • Smartcard certified to ITSEC E6 • Firewalls & Operating System to E3/EAL4

  18. The Result of that Experience • Providing the assurance required • understanding vulnerabilities • procedures & documentation • feedback & review • Meeting the customer’s requirements for • shorter timescales • reduced risk • increased efficiency

  19. Where the Future Lies • Tailored evaluations • assurance & functionality components • Mutual Recognition an Option • Re-use • certificate maintenance • integrating certified products

  20. The Certification Body • Supports both ITSEC & Common Criteria • Promoting migration to Common Criteria • Accredited to EN45011 • Operates cost recovery

  21. The CLEFs

  22. The Developer’s Perspective • Preparation • what do you need? • the ITSEF & the Certification Body • Evaluation • deliverables • problems reports • Certification • the certification report • certificate maintenance

  23. National Infrastructure Security Co-ordination Centre Protecting the Infrastructure

  24. Cabinet Office Security Service ACPO MOD Home Office Met Police

  25. NISCC Role • Initial poc on electronic attack issues • Develop effective working relations with and between CNI organisations • Assess vulnerabilities, promote protection • Monitor threat, provide assessments • Ensure suitable handling of incidents

  26. Key Principles Partnership Trust Confidentiality

  27. The world of information security Platform security Physical security Risk management Firewall & connectivity management Fallback planning Business continuity management Encryption Password management Incident response & crisis management Authentication & access control Monitoring & intrusion detection Certificate registration& management Virus prevention & detection Personnel security Penetration testing Security architecture Infrastructure security management Confidentiality Availability Integrity

  28. Summary • Real threats • Real risks • Need for evaluated products and systems • UK has excellent track record in evaluation and certification services

  29. Want to know more? • Visit CESG stand • Contact jsdoody@cesg.gov.uk • Email us at info@itsec.gov.uk • Visit our website at www.itsec.gov.uk • Telephone us on +44 1242 238 739 • Fax us on +44 1242 235 233

  30. Communications-Electronics Security Group

More Related