Communications-Electronics Security Group
Excellence in Infosec
John Doody
Head of Infosec
Customer Services Group
David Hodges
Technical Manager, UK IT Security Evaluation & Certification Scheme
National Technical Infosec Authority
Presentation to The First International Common Criteria Conference, Baltimore
23 May 2000
UK Evaluation and Certification Services
Agenda
• Introduction
• The UK Evaluation and Certification Services
• Summary
The increasing need for information security
Increasing Threats
from viruses, hackers, fraud, espionage
Increasing Exposure
greater dependence on IT, increasing connectivity
Increasing Expectations
from customers, partners, auditors, regulators
Information Security Breaches Survey 2000 (sponsored by DTI)
• UK e-commerce transactions in 1999 were valued at c. £2.8bn
• This sum is projected to grow ten-fold over the next 3 years
• 1 in 3 businesses in the UK currently buys or sells over the Internet - or is intending to in the near future
• The cost of a single serious security breach can be in excess of £100,000
• Over 60% of organisations sampled had suffered a security breach in the last 2 years
• 1 in 5 organisations still does not take any form of security into account before buying and selling over the Internet
Waiting for the electronic Nemesis?
Worse to follow?
“By 2003, losses due to Internet security vulnerabilities will exceed those incurred by non-Internet credit card fraud”
GartnerGroup - May 1999
The longer term?
“The 21st Century will be dominated by information wars and increased economic and financial espionage”
Alvin Toffler
Growing proliferation of hacking tools and know-how
[Chart: Sophistication of Tools (High/Low) against Knowledge Required, 1980-1995. Source: US General Accounting Office, May 1996]
Tools and techniques plotted, from least to most sophisticated:
• password guessing
• password cracking
• exploiting known vulnerabilities
• backdoors
• sniffers
• stealth diagnostics
• packet spoofing
The world of information warfare
Espionage, Sabotage, Deception
• Eavesdropping
• Network sniffing
• Agent recruitment
• Computer hacking
• Password cracking
• Open source intelligence
• “Denial-of-service” attacks
• Computer viruses, worms, logic bombs
• Electronic weapons
• Information blockades
• Trojan horse programs
• Perception management
• Data modification
• Network or email address spoofing
• Hoax emails
• Social engineering
How do we ensure that these risks are minimised?
• UK ITSEC
• Common Criteria
• Mutual Recognition
Certification Experience
• A decade of Evaluation & Certification
• Founding sponsor of Common Criteria
• Over 230 Product & System Evaluations
– ITSEC, TCSEC & Common Criteria
• Five commercial ITSEFs (CLEFs)
Certification Experience
• Wide range of products
– Operating systems & databases
– Firewalls, Smartcards & Public Key Infrastructures
• Wide range of customers
– 70% Multinational
– Government and Commerce
• Wide range of assurance
– Smartcard certified to ITSEC E6
– Firewalls & Operating System to E3/EAL4
The Result of that Experience
• Providing the assurance required
– understanding vulnerabilities
– procedures & documentation
– feedback & review
• Meeting the customer’s requirements for
– shorter timescales
– reduced risk
– increased efficiency
Where the Future Lies
• Tailored evaluations
– assurance & functionality components
– Mutual Recognition an option
• Re-use
– certificate maintenance
– integrating certified products
The Certification Body
• Supports both ITSEC & Common Criteria
• Promoting migration to Common Criteria
• Accredited to EN45011
• Operates cost recovery
The CLEFs
The Developer’s Perspective
• Preparation
– what do you need?
– the ITSEF & the Certification Body
• Evaluation
– deliverables
– problem reports
• Certification
– the certification report
– certificate maintenance
Protecting the Infrastructure
National Infrastructure Security Co-ordination Centre
Cabinet Office
Security Service
MOD
Home Office
Met Police
ACPO
NISCC Role
• Initial point of contact (PoC) on electronic attack issues
• Develop effective working relations with and between CNI organisations
• Assess vulnerabilities, promote protection
• Monitor threat, provide assessments
• Ensure suitable handling of incidents
Key Principles
Partnership
Trust
Confidentiality
Availability
Integrity
The world of information security
Encryption
Platform security
Personnel security
Monitoring & intrusion detection
Password management
Physical security
Infrastructure security management
Business continuity management
Fallback planning
Virus prevention & detection
Certificate registration & management
Penetration testing
Authentication & access control
Incident response & crisis management
Risk management
Firewall & connectivity management
Security architecture
Confidentiality
Summary
• Real threats
• Real risks
• Need for evaluated products and systems
• UK has excellent track record in evaluation and certification services
Want to know more?
• Visit CESG stand
• Contact [email protected]
• Email us at [email protected]
• Visit our website at www.itsec.gov.uk
• Telephone us on +44 1242 238 739
• Fax us on +44 1242 235 233