Communications-Electronics Security Group

Post on 23-Jan-2016


Communications-Electronics Security Group

Excellence in Infosec

John Doody

Head of Infosec

Customer Services Group

David Hodges, Technical Manager, UK IT Security Evaluation & Certification Scheme

National Technical Infosec Authority

Presentation to The First International Common Criteria Conference, Baltimore

23 May 2000

UK Evaluation and Certification Services

Agenda

• Introduction
• The UK Evaluation and Certification Services
• Summary

The increasing need for information security

Increasing Threats – from viruses, hackers, fraud, espionage

Increasing Exposure – greater dependence on IT, increasing connectivity

Increasing Expectations – from customers, partners, auditors, regulators

Information Security Breaches Survey 2000 (sponsored by DTI)

• UK e-commerce transactions in 1999 were valued at c. £2.8bn

• This sum is projected to grow ten-fold over the next 3 years

• 1 in 3 businesses in the UK currently buys or sells over the Internet - or is intending to in the near future

• The cost of a single serious security breach can be in excess of £100,000

• Over 60% of organisations sampled had suffered a security breach in the last 2 years

• 1 in 5 organisations still does not take any form of security into account before buying and selling over the Internet

Waiting for the electronic Nemesis?

Worse to follow?

“By 2003, losses due to Internet security vulnerabilities will exceed those incurred by non-Internet credit card fraud”

GartnerGroup - May 1999

The longer term?

“The 21st Century will be dominated by information wars and increased economic and financial espionage”

Alvin Toffler

Growing proliferation of hacking tools and know-how

[Chart, 1980–1995: Sophistication of Tools (Low to High) plotted against Knowledge Required. Source: US General Accounting Office, May 1996]

Tools and techniques shown on the chart:

password guessing

password cracking

exploiting known vulnerabilities

backdoors

sniffers

stealth diagnostics

packet spoofing

The world of information warfare

Espionage Sabotage

Deception

Eavesdropping

Network sniffing

Agent recruitment

Computer hacking

Password cracking

Open source intelligence

“Denial-of-service” attacks

Computer viruses, worms, logic bombs

Electronic weapons

Information blockades

Trojan horse programs

Perception management

Data modification

Network or email address spoofing

Hoax emails

Social engineering

How do we ensure that these risks are minimised?

• UK ITSEC
• Common Criteria
• Mutual Recognition

Certification Experience

• A decade of Evaluation & Certification
• Founding sponsor of Common Criteria
• Over 230 Product & System Evaluations

– ITSEC, TCSEC & Common Criteria

• Five commercial ITSEFs (CLEFs)

Certification Experience

• Wide range of products
– Operating systems & databases
– Firewalls, Smartcards & Public Key Infrastructures

• Wide range of customers
– 70% Multinational
– Government and Commerce

• Wide range of assurance
– Smartcard certified to ITSEC E6
– Firewalls & Operating System to E3/EAL4

The Result of that Experience

• Providing the assurance required
– understanding vulnerabilities
– procedures & documentation
– feedback & review

• Meeting the customer’s requirements for
– shorter timescales
– reduced risk
– increased efficiency

Where the Future Lies

• Tailored evaluations
– assurance & functionality components
– Mutual Recognition an option

• Re-use
– certificate maintenance
– integrating certified products

The Certification Body

• Supports both ITSEC & Common Criteria
• Promoting migration to Common Criteria
• Accredited to EN45011
• Operates cost recovery

The CLEFs

The Developer’s Perspective

• Preparation
– what do you need?
– the ITSEF & the Certification Body

• Evaluation
– deliverables
– problem reports

• Certification
– the certification report
– certificate maintenance

Protecting the Infrastructure

National Infrastructure Security Co-ordination Centre (NISCC)

Cabinet Office

Security Service

MOD

Home Office

Met Police

ACPO

NISCC Role

• Initial point of contact on electronic attack issues

• Develop effective working relations with and between CNI organisations

• Assess vulnerabilities, promote protection

• Monitor threat, provide assessments

• Ensure suitable handling of incidents

Key Principles

Partnership

Trust

Confidentiality

Availability

Integrity

The world of information security

Encryption

Platform security

Personnel security

Monitoring & intrusion detection

Password management

Physical security

Infrastructure security management

Business continuity management

Fallback planning

Virus prevention & detection

Certificate registration & management

Penetration testing

Authentication & access control

Incident response & crisis management

Risk management

Firewall & connectivity management

Security architecture

Confidentiality

Summary

• Real threats
• Real risks
• Need for evaluated products and systems
• UK has excellent track record in evaluation and certification services

Want to know more?

• Visit CESG stand
• Contact jsdoody@cesg.gov.uk
• Email us at info@itsec.gov.uk
• Visit our website at www.itsec.gov.uk
• Telephone us on +44 1242 238 739
• Fax us on +44 1242 235 233

Communications-Electronics Security Group