Communications-Electronics
Security Group
Excellence in Infosec
John Doody
Head of Infosec
Customer Services Group
David Hodges
Technical Manager, UK IT Security Evaluation & Certification Scheme
National Technical Infosec
Authority
Presentation to
The First International Common
Criteria Conference, Baltimore
23 May 2000
UK Evaluation and
Certification Services
Agenda
• Introduction
• The UK Evaluation and Certification Services
• Summary
The increasing need for information security
• Increasing Threats – from viruses, hackers, fraud, espionage
• Increasing Expectations – from customers, partners, auditors, regulators
• Increasing Exposure – greater dependence on IT, increasing connectivity
Information Security Breaches Survey 2000 (sponsored by DTI)
• UK e-commerce transactions in 1999 were valued at c. £2.8bn
• This sum is projected to grow ten-fold over the next 3 years
• 1 in 3 businesses in the UK currently buys or sells over the Internet - or is intending to in the near future
Waiting for the electronic Nemesis?
• The cost of a single serious security breach can be in excess of £100,000
• Over 60% of organisations sampled had suffered a security breach in the last 2 years
• 1 in 5 organisations still does not take any form of security into account before buying and selling over the Internet
Worse to follow?
“By 2003, losses due to Internet security vulnerabilities will exceed those incurred by non-Internet credit card fraud”
GartnerGroup - May 1999
The longer term?
“The 21st Century will be dominated by information wars and increased economic and financial espionage”
Alvin Toffler
Growing proliferation of hacking tools and know-how
[Chart, 1980–1995: sophistication of tools (Low to High) plotted against the knowledge required; tools shown from least to most sophisticated: password guessing, password cracking, exploiting known vulnerabilities, backdoors, sniffers, stealth diagnostics, packet spoofing]
Source: US General Accounting Office, May 1996
The world of information warfare
Network sniffing, “denial-of-service” attacks, computer hacking, eavesdropping, computer viruses, worms, logic bombs, password cracking, espionage, open source intelligence, sabotage, electronic weapons, information blockades, agent recruitment, deception, perception management, Trojan horse programs, network or email address spoofing, data modification, hoax emails, social engineering
How do we ensure that these risks are minimised?
• UK ITSec
• Common Criteria
• Mutual Recognition
Certification Experience
• A decade of Evaluation & Certification
• Founding sponsor of Common Criteria
• Over 230 Product & System Evaluations
– ITSEC, TCSEC & Common Criteria
• Five commercial ITSEFs (CLEFs)
Certification Experience
• Wide range of products
– Operating systems & databases
– Firewalls, Smartcards & Public Key Infrastructures
• Wide range of customers
– 70% Multinational
– Government and Commerce
• Wide range of assurance
– Smartcard certified to ITSEC E6
– Firewalls & Operating Systems to E3/EAL4
The Result of that Experience
• Providing the assurance required
– understanding vulnerabilities
– procedures & documentation
– feedback & review
• Meeting the customer’s requirements for
– shorter timescales
– reduced risk
– increased efficiency
Where the Future Lies
• Tailored evaluations
– assurance & functionality components
– Mutual Recognition an Option
• Re-use
– certificate maintenance
– integrating certified products
The Certification Body
• Supports both ITSEC & Common Criteria
• Promoting migration to Common Criteria
• Accredited to EN45011
• Operates cost recovery
The CLEFs
The Developer’s Perspective
• Preparation
– what do you need?
– the ITSEF & the Certification Body
• Evaluation
– deliverables
– problem reports
• Certification
– the certification report
– certificate maintenance
National Infrastructure Security Co-ordination Centre
Protecting the Infrastructure
[Diagram of partner organisations: Cabinet Office, Security Service, ACPO, Met Police, MOD, Home Office]
NISCC Role
• Initial point of contact on electronic attack issues
• Develop effective working relations with and between CNI organisations
• Assess vulnerabilities, promote protection
• Monitor threat, provide assessments
• Ensure suitable handling of incidents
Key Principles
Partnership
Trust
Confidentiality
The world of information security
Confidentiality, Integrity, Availability
Firewall & connectivity management, platform security, risk management, physical security, fallback planning, business continuity management, encryption, password management, incident response & crisis management, authentication & access control, certificate registration & management, virus prevention & detection, personnel security, security architecture, monitoring & intrusion detection, infrastructure security management, penetration testing
Summary
• Real threats
• Real risks
• Need for evaluated products and systems
• UK has excellent track record in evaluation and certification services
Want to know more?
• Visit CESG stand
• Contact jsdoody@cesg.gov.uk
• Email us at info@itsec.gov.uk
• Visit our website at www.itsec.gov.uk
• Telephone us on +44 1242 238 739
• Fax us on +44 1242 235 233