Dr. Detlef Eckert
DG Information Society and Media
European Commission
Information Security
23 September 2008
SecureComm 2008, Istanbul
Despite security problems the Internet has been growing dramatically
Of course, we security guys have done our best
A step back
For a long time information security was mainly about “keeping a secret”
– Today we speak of “confidentiality”
It was all about making and breaking code
– Today we speak of “cryptography”
Information also needed to be accessible
– Today we speak of “availability of service”
Assurance that information was authentic (unchanged)
– Today we speak of “integrity”
Who was behind that information
– In other words, the identity of someone or something is the information we want to authenticate
– Today we speak of “identity” or “identity management”
How did we solve it?
Paperless world
– Use your imagination, or better not
Paper world
– Cryptography, signature, making copies, lockers
Telegraph and telephone world
– Physical access control, network integrity, telephone number, <voice recognition>, <cryptography>
Radio communication world
– Cryptography, telephone number, <voice recognition>, network integrity
What about the digital world?
Security in the digital world is trickier
Computer communication virtualises the real world
– Crashing a computer can mean losing the information equivalent of a library, but you may have a copy
Computers and the Internet are more complex than traditional communication means
The Internet is not a centrally managed network
– Not designed with security in mind
– Much responsibility is pushed to the edge
– And at the edge there are millions of users, most of whom do not understand much about computers
– Nevertheless people want freedom (and they love to click on the “dancing pigs” link)
=> Security is becoming complex
=> This is why you guys have a job
What were our early headaches?
The encryption debate
– National security concerns
– Export control
Viruses and worms
– A blow to Microsoft
Hacking
– Prominent targets
Keeping pace with patches
– Patches were of poor quality
SPAM
– Costly and dangerous
How did we tackle them?
People deployed security technologies (FW, AV, ID, …)
SSL added a security layer to the Web
– Arguably the most widely deployed cryptographic solution
Vendors wrote better code
Export controls abandoned
Changed user behaviour (somewhat)
– Partly enforced through secure configuration
Digital signatures (laws)
– Have not really taken off yet
Information security costs a lot of money (spent so that nothing happens)
“… you cannot protect everything, so I will make my money”
Extrapolation of threats not really useful
The picture is more complex
Cloud computing lets Feds read your email
Phorm to use BT customers to test precision advertising system on net
Associations' anger mounts against Edvige, the police file of personal data
Web giants spark privacy concerns
Big Brother tightens his grip on the web
YouTube case opens can of worms on online privacy
Major web flaw, and a solution on the way
Revealed: 8 million victims in the world's biggest cyber heist
Phishing attacks soar in the UK
Cyberwar and real war collide in Georgia
Internet security: Code red
The Evolution of Cyber Espionage
Lessons from SocGen: Internal threats need to become a security priority
Six more data discs 'are missing'
Big Brother Spying on Americans' Internet Data?
UK's Revenue and Customs loses 25 million customer records
Identity theft, pornography, corporate blackmail in the web's underworld, business is booming
Defenseless on the Net
Internet wiretapping: Bugging the cloud
Privacy
Trust
Security
Number one threat is stolen or lost computer equipment (notably laptops)
Slowly people begin to realise that protecting data will be the battleground
We can see some patterns
From the ‘walled fortress’:
– Closed doors, physical isolation
– Security as protection, perimeters
– Defending data and systems
– Avoid data use
To the ‘open metropolis’:
– Open, complex, interconnected
– Trust and accountability
– Sharing data: creativity and innovation
– Regulated data use (privacy, identity)
We do not really know what is ahead of us
“Maybe, but all I want is to stay ahead of you”
Three major prerequisites for trust: looking for scalable and usable solutions
Data protection and control
– Remember? The old problem of secrecy
– Today data flow in all directions
– Privacy enforcement
Identity layer for the Internet
– How to scale authentication methods, e.g. PKI?
Security fabricated in systems, service architectures, and networks
– Less a matter of security products, more part of the architecture
– Attention to the weakest link (today less the OS than the application), end-to-end security
– Reduce the role of the user, but sound security policies to be implemented by professionals
Where are we?
The market will decide about technologies and business models
– Security is not absolute and costs money
– No central decision making, distributed solutions
Pre-competitive industry co-operation
– Ex: Liberty Alliance, AntiPhishingWG, …
Regulation and policy
– Privacy law
– Fighting cyber crime
– Network security provisions
We also need research
Research focus:
– Security and dependability challenges arising from complexity, ubiquity and autonomy: resilience, self-healing, mobility, dynamic content and volatile environments
– Multi-modal and secure application of biometrics
– Identification, authentication, privacy, Trusted Computing, digital asset management
– Trust in the net: malware, viruses, cyber crime
Budget ~ 145 M€
FP6: Towards a global dependability & security framework (2003-2006)
– Coordination Actions (research roadmaps, metrics and benchmarks, international cooperation, coordination activities): 4 projects, 3.3 m€
– Network infrastructures: 4 projects, 11 m€
– Dynamic, reconfigurable service architectures: 4 projects, 18 m€
– Identity management, privacy, trust policies: 4 projects, 22.5 m€
– Enabling technologies for trustworthy infrastructures (biometrics, trusted computing, cryptography, secure SW): 6 projects, 22 m€
– 3 projects, 9.8 m€
– 1 project, 9.4 m€
– Critical Infrastructure Protection: 9 projects, 20 m€
Total: 110 M€
ICT Work Programme 2007-08: 33 new FP7 projects in Security & Trust
Security in network infrastructures: 4 projects, 11 m€ EC funding
Main R&D project priorities
– An integrated security framework and tools for the security and resilience of heterogeneous networks (INTERSECTION)
– A networking protocol stack for security and resilience across ad-hoc PANs & WSNs (Awissenet)
– A message-oriented MW platform for increasing resilience of information systems (GEMOM)
– Data gathering and analysis for understanding and preventing cyber threats (WOMBAT)
Security in service infrastructures: 4 projects, 18 m€ EC funding
Main R&D project priorities
– Assuring the security level and regulatory compliance of SOAs handling business processes (IP MASTER)
– Platform for formal specification and automated validation of trust and security of SOAs (AVANTSSAR)
– Data-centric information protection framework based on data-sharing agreements (Consequence)
– Crypto techniques for computing optimised multi-party supply chains without revealing individual confidential private data to the other parties (SECURE-SCM)
Personalised Services
Security enabling technologies: 6 projects, 22 m€ EC funding
Main R&D project priorities
Trusted Computing
– IP TECOM: trusted embedded systems, HW platforms with integrated trust components
Cryptography
– NoE eCrypt II
Multi-modal biometrics
– Multi-biometric authentication (based on face and voice) for mobile devices (MOBIO)
– Activity-related and soft biometrics technologies for supporting continuous authentication and monitoring of users in ambient environments (ACTIBIO)
Secure SW implementation
– Providing SW developers with the means to prevent occurrences of known vulnerabilities when building software (SHIELDS)
– A toolbox for cryptographic software engineering (CACE)
Timetable for Work Programme 09-10
25-27 Nov: Presentation at the ICT Conference in Lyon (FR)
~ Apr 09: Closure of Call 4
~ Oct 09: Closure of Call 5 (Trustworthy ICT)
~ Feb 10: Closure of Call 6
Becoming an expert?
https://cordis.europa.eu/emmfp7/
http://cordis.europa.eu/fp7/ict/security/home_en.html
Trustworthy Information Society?
End-Users & the Society
Policy & Regulation
Technology & Innovation
Security, Privacy, Trust in the Information Society
• Global ICT - national “frontiers”
• “Economics of security”
• Policies for privacy-respecting T&I?
• Complexity, ease of use
• Role of end-users
• Society-protecting business models
• Protection of human values
• Transparency, accountability
• Auditing and law enforcement
Thank you!