Communications-Electronics Security Group
Transcript of Communications-Electronics Security Group
Communications-Electronics Security Group
Communications-Electronics Security Group
Excellence in Infosec
John Doody
Head of Infosec
Customer Services Group
David Hodges
Technical Manager, UK IT Security Evaluation & Certification Scheme
National Technical Infosec Authority
Presentation to the First International Common Criteria Conference, Baltimore
23 May 2000
UK Evaluation and Certification Services
Agenda
• Introduction
• The UK Evaluation and Certification Services
• Summary
The increasing need for information security
• Increasing Threats – from viruses, hackers, fraud, espionage
• Increasing Exposure – greater dependence on IT, increasing connectivity
• Increasing Expectations – from customers, partners, auditors, regulators
Information Security Breaches Survey 2000 (sponsored by DTI)
• UK e-commerce transactions in 1999 were valued at c. £2.8bn
• This sum is projected to grow ten-fold over the next 3 years
• 1 in 3 businesses in the UK currently buys or sells over the Internet, or intends to in the near future
• The cost of a single serious security breach can be in excess of £100,000
• Over 60% of organisations sampled had suffered a security breach in the last 2 years
• 1 in 5 organisations still does not take any form of security into account before buying and selling over the Internet
Waiting for the electronic Nemesis?
Worse to follow?
“By 2003, losses due to Internet security vulnerabilities will exceed those incurred by non-Internet credit card fraud”
GartnerGroup, May 1999
The longer term?
“The 21st Century will be dominated by information wars and increased economic and financial espionage”
Alvin Toffler
Growing proliferation of hacking tools and know-how
Chart (axes: Sophistication of Tools and Knowledge Required, Low to High; timeline 1980 to 1995). Tools shown in order along the timeline: password guessing, password cracking, exploiting known vulnerabilities, backdoors, sniffers, stealth diagnostics, packet spoofing.
Source: US General Accounting Office, May 1996
The world of information warfare
Espionage, Sabotage, Deception, Perception management
• Eavesdropping
• Network sniffing
• Agent recruitment
• Computer hacking
• Password cracking
• Open source intelligence
• “Denial-of-service” attacks
• Computer viruses, worms, logic bombs
• Electronic weapons
• Information blockades
• Trojan horse programs
• Data modification
• Network or email address spoofing
• Hoax emails
• Social engineering
How do we ensure that these risks are minimised?
• UK ITSec
• Common Criteria
• Mutual Recognition
Certification Experience
• A decade of Evaluation & Certification
• Founding sponsor of Common Criteria
• Over 230 Product & System Evaluations
– ITSEC, TCSEC & Common Criteria
• Five commercial ITSEFs (CLEFs)
Certification Experience
• Wide range of products
– Operating systems & databases
– Firewalls, Smartcards & Public Key Infrastructures
• Wide range of customers
– 70% Multinational
– Government and Commerce
• Wide range of assurance
– Smartcard certified to ITSEC E6
– Firewalls & Operating System to E3/EAL4
The Result of that Experience
• Providing the assurance required
– understanding vulnerabilities
– procedures & documentation
– feedback & review
• Meeting the customer’s requirements for
– shorter timescales
– reduced risk
– increased efficiency
Where the Future Lies
• Tailored evaluations
– assurance & functionality components
– Mutual Recognition an option
• Re-use
– certificate maintenance
– integrating certified products
The Certification Body
• Supports both ITSEC & Common Criteria
• Promoting migration to Common Criteria
• Accredited to EN45011
• Operates cost recovery
The CLEFs
The Developer’s Perspective
• Preparation
– what do you need?
– the ITSEF & the Certification Body
• Evaluation
– deliverables
– problem reports
• Certification
– the certification report
– certificate maintenance
Protecting the Infrastructure
National Infrastructure Security Co-ordination Centre
Cabinet Office
Security Service
MOD
Home Office
Met Police
ACPO
NISCC Role
• Initial point of contact (poc) on electronic attack issues
• Develop effective working relations with and between CNI organisations
• Assess vulnerabilities, promote protection
• Monitor threat, provide assessments
• Ensure suitable handling of incidents
Key Principles
Partnership
Trust
Confidentiality
The world of information security
Confidentiality, Integrity, Availability
• Encryption
• Platform security
• Personnel security
• Monitoring & intrusion detection
• Password management
• Physical security
• Infrastructure security management
• Business continuity management
• Fallback planning
• Virus prevention & detection
• Certificate registration & management
• Penetration testing
• Authentication & access control
• Incident response & crisis management
• Risk management
• Firewall & connectivity management
• Security architecture
Summary
• Real threats
• Real risks
• Need for evaluated products and systems
• UK has excellent track record in evaluation and certification services
Want to know more?
• Visit CESG stand
• Contact [email protected]
• Email us at [email protected]
• Visit our website at www.itsec.gov.uk
• Telephone us on +44 1242 238 739
• Fax us on +44 1242 235 233