Transcript PPT - SecureComm

Information Security
23 September 2008
SecureComm 2008, Istanbul
Dr. Detlef Eckert
DG Information Society and Media
European Commission
Despite security problems the Internet has
been growing dramatically
A step back
 For a long time information security was mainly about
“keeping a secret”
– Today we speak of “confidentiality”
 It was all about making and breaking code
– Today we speak of “cryptography”

Information also needed to be accessible
– Today we speak of “availability of service”
 Assurance that information was authentic (unchanged)
– Today we speak of “integrity”
 Who was behind that information
– In other words the identity of someone or something is the
information we want to authenticate
– Today we speak of “identity” or “identity management”
How did we solve it?
 Paperless world
– Use your imagination or better not
 Paper world
– Cryptography, signature, making copies, lockers
 Telegraph and Telephone world
– Physical access control, network integrity, telephone
number, <voice recognition>,<cryptography>
 Radio communication world
– Cryptography, telephone number, <voice
recognition>, network integrity
 What about the digital world?
Security in the digital world is trickier
 Computer communication virtualises the real world
– Crashing a computer can mean losing the information equivalent to
a library, but you may have a copy
 Computers and the Internet are more complex than
traditional communication means
 Internet is not a centrally managed network
– Not designed with security in mind
– Much responsibility is pushed to the edge
– And in the edge there are millions of users, most of them do
not understand much of a computer
– Nevertheless people want freedom (and they love to click
on the “dancing pigs” link)
 => Security is becoming complex
 => This is why you guys have a job
What were our early headaches?
 The encryption debate
– National security concerns
– Export control
 Viruses and worms
– A blow to Microsoft
 Hacking
– Prominent targets
 Keeping pace with patches
– Patches were of poor quality
 SPAM
– Costly and dangerous
How did we tackle them?
 People deployed security technologies
(FW, AV, ID, …)
 SSL added a security layer to the Web
– Arguably the widest deployed cryptographic
solution
 Vendors wrote better code
 Export controls abandoned
 Changed user behaviour (somewhat)
– Partly enforced through secure configuration
 Digital signatures (laws)
– Have not really taken off yet
Information security costs a lot of
money (spent that nothing happens)
Extrapolation of threats not really
useful
courtesy
The picture is more complex
Security
Phishing attacks
Internet security soar in the UK
Cyberwar and real war
collide in Georgia
Lessons from SocGen: Internal Threats need
to become a security priority
Code red
Revealed: 8 million victims in the
world's biggest cyber heist
Grosse faille du web,
et solution en chemin
Number
The
Evolution ofone
Cyber threat
Espionageis
Privacy
stolen or
lost computer equipment (notably
laptops)
YouTube case opens can
Big Brother tightens
Web giants spark
of worms on online privacy
privacy concerns
his grip on the web
Cloud computing lets Slowly people begin
Feds read your email
Phorm to use BT customers to
Trust
to realise
that monte contre Edvige,
La colère associative
le fichier policier de données personnelles
test precision advertising
system
on net
protecting
data
will
be the
battleground
Defenseless on the Net
Identity theft, pornography, corporate blackmail
in the web's underworld, business is booming
Big Brother Spying on
Americans' Internet Data?
Internet wiretapping
Bugging the cloud
UK's Revenue and Customs loses
25 million customer records
Six more data discs
'are missing'
We can see some patterns
From the ‘walled fortress’
To the ‘open metropolis’
Closed doors, physical isolation
Open, complex, interconnected
Security as protection, perimeters
Trust and accountability
Defending data and systems
Sharing data: creativity and innovation
Avoid data use
Regulated data use (privacy, identity)
We do not really know what is
ahead of us
Three major prerequisites for trust:
Looking for scalable and usable solutions
 Data protection and control
– Remember? The old problem of secrecy
– Today data flow in all directions
– Privacy enforcement
 Identity layer for the Internet
– How to scale authentication methods, e.g. PKI?
 Security fabricated in systems, service
architectures, and networks
– Less a matter of security products, more part of the
architecture
– Attention to the weakest link (today less the OS but
the application), end to end security
– Reduce the role of the user, but sound security
policies to be implemented by professionals
Where are we?
 The market will decide about
technologies and business models
– Security is not absolute and costs money
– No central decision making, distributed
solutions
 Pre-competitive industry co-operation
– Ex: Liberty Alliance, AntiPhishingWG, …
 Regulation and Policy
– Privacy law
– Fighting cyber crime
– Network security provisions
 We also need research
FP6: Towards a global dependability &
security Framework (2003-2006)
Research Focus:
 security and dependability challenges arising
from complexity, ubiquity and autonomy
 resilience, self-healing, mobility, dynamic
content and volatile environments
 Multi-modal and secure application of
Biometrics
 Identification, authentication, privacy, Trusted
Computing, digital asset management
 Trust in the net: malware, viruses, cyber crime
Budget ~ 145 M€
ICT Work Programme 2007-08
33 new FP7 projects in Security & Trust
110 M€
Identity management,
privacy, trust policies
Network
Dynamic, reconfigurable
infrastructures
service architectures
3 Projects
9.8 m€
1 Project
9.4 m€
4 Projects
4 Projects
4 Projects
11 m€
22.5 m€
18 m€
Critical Infrastructure Protection
9 Projects: 20 m€
Enabling technologies
for trustworthy infrastructures
6 Projects: 22 m€
Biometrics, trusted computing, cryptography, secure SW
Coordination Actions
Research roadmaps, metrics and benchmarks,
international cooperation, coordination activities
4 Projects: 3.3 m€
Security in network infrastructures:
4 projects, 11 m€ EC funding
Main R&D project priorities
 An integrated security framework and tools for the security and resilience of
heterogeneous networks (INTERSECTION)
 A networking protocol stack for security and resilience across ad-hoc PANs & WSNs
(Awissenet)
 A message-oriented MW platform for increasing resilience of information systems
(GEMOM)
 Data gathering and analysis for understanding and preventing cyber threats (WOMBAT)
Security in service infrastructures:
4 projects, 18 m€ EC funding
Personalised Services
Main R&D project priorities
 Assuring the security level and regulatory compliance of SOAs handling business
processes (IP MASTER)
 Platform for formal specification and automated validation of trust and security of SOAs
(AVANTSSAR)
 Data-centric information protection framework based on data-sharing agreements
(Consequence)
 Crypto techniques in the computing of optimised multi-party supply chains without
revealing individual confidential private data to the other parties (SECURE-SCM)
Security enabling Technologies
6 projects, 22 m€ EC funding
Main R&D project priorities




Trusted Computing  IP TECOM
 trusted embedded systems: HW platforms with integrated trust components
Cryptography  NoE eCrypt II
Multi-modal Biometrics
 multi-biometric authentication (based on face and voice) for mobile devices (MOBIO)
 activity related and soft biometrics technologies for supporting continuous authentication and
monitoring of users in ambient environments (ACTIBIO)
Secure SW implementation
 providing SW developers with the means to prevent occurrences of known vulnerabilities when
building software (SHIELDS)
 A toolbox for cryptographic software engineering (CACE)
Timetable for Work Programme 09-10
25-27 Nov
~ Apr 09
~ Oct 09
~ Febr 10
Presentation in ICT Conference in Lyon (FR)
Closure Call 4
Closure Call 5 (Trustworthy ICT)
Closure Call 6
http://cordis.europa.eu/fp7/ict/security/home_en.html
Becoming an expert?
https://cordis.europa.eu/emmfp7/
Security, Privacy, Trust
in the Information Society
• Complexity, ease of use
• Role of end-users
• Society-protecting business models
Technology &
Innovation
• Global ICT - national “frontiers”
• “Economics of security”
• Policies for privacy-respecting
T&I?
End-Users &
the Society
Trustworthy
Information
Society?
Policy & Regulation
• Protection of human values
• Transparency, accountability
• Auditing and Law enforcement
Thank you!