                                     Conference Report
                                        ISSE 2008
                                       Madrid, Spain

   This year’s ISSE conference was set in the beautiful city of Madrid, Spain, and the organisers,
   eema, TeleTrusT and ENISA would like to thank the Spanish Government for their assistance,
   as well as the European Commission and the German Federal Government, who have
   continued to support ISSE since its inception in Berlin, 1999. We would also like to thank Gold
   Sponsors RIM, Microsoft, McAfee Inc. and TeleTrusT, and the many other sponsors and
   media partners who have helped to make ISSE 2008 one of the most successful security
   conferences ever. There is no substitute for attending the conference in person, but below are
   some of the highlights from ISSE 2008, and the presentations are also available online at:
   http://www.eema.org/index.cfm?fuseaction=about.content&cmid=375.

                                     Opening Plenary Session

   Norbert Pohlmann, Chairman of TeleTrusT and of the ISSE Programme Committee
   welcomed the delegates and introduced the first speaker, Victor Izquierdo.

   Victor Izquierdo: Deputy Director General at the State Secretariat for
   Telecommunications and Information Society, Spain
   Mr Izquierdo outlined Spain’s objectives and progress in implementing a secure information
   society. For example, in 2005 Spain initiated a plan of action to put Spain at the forefront of
   the European information society in terms of economic growth, productivity, social equality
   and quality of life. Today, 6.5 million Spanish citizens have an electronic national ID card,
   enabling them to access 500 services. Also as a result of the 2005 action plan, internet usage
   has grown from 12 million to 22 million, making Spain number four in Europe and
   representing a leap from 66% to 90% of the population. In addition, 8% of the population have
   digital TV, making Spain number one in Europe. Mr Izquierdo then outlined an initiative that
   was launched in 2006: INTECO, which has been instrumental in improving information
   security. Today, for example, 90% of households and 80% of businesses use security tools.
   And INTECO has set up a security network involving 165 partners for the early detection of
   security breaches: it issues an average of 1400 security bulletins per year. Since May 2007 it
   has also been focusing on fraud: to date its online threat-reporting facility has recorded 2000
   fraudulent incidents. Mr Izquierdo welcomed ISSE 2008 to Spain as an opportunity for
   delegates to share opinions and knowledge with some of the most qualified experts in the
   field.

   Francisco Garcia Morán: Director General, Directorate General Informatics, the
   European Commission
   The next speaker, Francisco Garcia Morán, explained what the European Commission has
   been doing to address security, starting with the objectives of the EU Council in 2003, which
   aimed to address threats, build security, realise multilateralism and invest in advanced
   security technology. He also outlined some specific initiatives such as the EU NIS (Network
   and Information Security) Policy; the eSignatures Directive of 1999; the eEurope Action Plan
   2002, adopted in 1999; the eEurope Action Plan 2005 adopted in 2002; and i2010, adopted in
   2005. The Commission also inaugurated ENISA in 2004 with an initial five-year mandate, and
   that has now been extended for a further three years. Turning to CIIP (Critical Information
   Infrastructure Protection), he outlined progress to date, including the EU public/private
   partnership on resilience, a prototype for an early warning system, and the need for co-
   operation in terms of defence and promoting contingency planning. In addition, a public
   consultation on how to strengthen the NIS Policy will focus on research challenges such as
   cyber threats and the future of the internet, and how to develop trust and privacy for users. Of
   the €32,413 million allocated for the FP7 budget (Seventh Research Framework Programme),
   28% is to be spent on ICT security, and so far, from 2007–8 some 33 new projects have been
   launched. He explained the four steps that the EU has undertaken in terms of government
   and progress to date:
        • 2001–2005: website development and online government
        • 2006: integrated government
        • 2010: transformed government
We are currently between steps three and four.

Ronald de Bruin: ENISA
Ronald de Bruin started by explaining some of the problems that we face in the security
arena, such as the basic difficulty in assessing the size of the problem: there is a reluctance
for people to report security incidents, it is difficult for them to report them, the statistics don’t
add up and the reporting may be biased. He also mentioned the requirement for a feasibility
study into an EU wide data collection system. Having researched the problems ENISA has
concluded that there is no one-size-fits-all security solution, and that there is a strong need to
develop existing partnerships and systems, and to create new ones. However, the role of co-
ordinating such a network will be complex. Some of the areas that ENISA is involved in
include:
     • Social networking: To reduce the risk of massive cyber-attacks, ENISA has
         undertaken a three-year programme to take stock, develop a gap analysis and
         promote best practice recommendations. The aim is for people to start using those
         recommendations by 2010.
     • Government CERTs (Computer Emergency Response Teams): ENISA supports the
         establishment of CERTs and the plan is for Europe to have full coverage of national
         CERTs within two years.
     • Imbalance of national capabilities: To address this imbalance ENISA promotes
         information sharing, acting as a broker between nations. To some degree it already
         happens: Hungary supported Bulgaria in setting up a CERT and the UK has offered
         to share annual surveys and information with any other state, but the partnership
         approach needs to be developed throughout Europe.
     • SMEs (Small to Medium-Sized Enterprises): Within Europe, 99% of businesses are
         SMEs. As of this year ENISA has set up a work group to look into their special needs
         and a three year programme will focus specifically on resilience for SMEs.

Roger Dean: eema Executive Director
Roger Dean explained that eema had been set up in 1987 to deal with the challenges of
security and identity: the dream was to realise end-to-end seamless collaboration and a pan
European supply chain. The reason why the association is still in existence is because we
have not yet realised that dream, largely because of lack of interoperability between different
systems. The current interoperability challenge concerns eID. Citing the aims of the Lisbon
Treaty he said that one of the problems was the freedom of individual states to implement EU
Directives in their own way, according to national requirements. Several projects are now
underway to knit the EU security infrastructure together including, for example, STORK
(Secure idenTity acrOss boRders linKed), a €13 million, three-year project to enable citizens,
businesses and governments to use their identity credentials in any other Member State.
Fourteen countries are involved in the project, thirteen EU Member States and Iceland.
eema’s role is to disseminate information about the initiative, and to that end there was a
workshop on STORK on day two of ISSE.

Norbert Pohlmann: Chairman of TeleTrusT and of the ISSE Programme Committee
Norbert explained how ISSE had come to be launched following a conversation between
Detlef Eckert of the European Commission and Helmut Reimer of TeleTrusT, who felt there
was a need to develop a forum to discuss European ICT security issues. The guidelines for
ISSE were that it should encompass an EU dimension, be of an interdisciplinary nature, bring
together all stakeholders and discuss solutions to security issues in terms of latest
developments, gaps and market trends. Over the last ten years the conference has taught us
many things, but Norbert cited two in particular:
    • We still need to develop an interoperable solution for security on the internet: to work
        on NIS at the internet level to fight spam/botnets etc. That should start at a European
        level, but then become international.
    • Most security issues are due to software vulnerabilities so we need to find ways to
        improve software trustworthiness. In general we tend to be reactive to attack,
        whereas we need to be more proactive in our approach. He cited Trusted Computing
        as one approach which goes some way towards solving the problems, by evaluating
        and measuring software as it is developed.

Chris Kenworthy: Senior Vice President, McAfee Inc.
Chris Kenworthy outlined some of the threat areas that McAfee researches, including:
mobile; social networking/IM; web/commerce; home/car appliances; virtual servers; storage;
and enterprise software. As he said, the growth in malware 2006–2007 was 246%, but the
projection for 2007–2008 is 300% and the year-to-date figure is already greater than 2006
and 2007 combined. Whilst 78,000 pieces of malware were detected in 2006, the projection is
for 800,000 pieces of malware by the end of 2008: the criminals are well organised. The
challenge with any piece of malware is that it can suddenly infect a massive number of
machines. The anti-virus companies have to get hold of it, analyse it and then send out a DAT
file, which can take, on average, up to 72 hours. McAfee aims to ameliorate this challenge
through the use of Artemis technology in the following manner:
      • A user receives a new file, either by email or over the web
      • No virus is found but it is suspect
      • A fingerprint is collected
      • An outbreak occurs
      • Artemis reviews it and identifies the threat
      • A virus scan removes the threat quickly.

The scope of the problem makes rapid detection and removal imperative: in the US
cybercrime is a US$100 billion business, comparable to the drugs market. Because of the
multifarious nature of malware Chris said that we should look beyond anti-virus and develop
multiple integrated technologies to defend against high-level threats, with different technologies
for spyware, trojans, rootkits, zero-day exploits etc, pulled together for endpoint security. He
saw the newest risk area as the data itself, and because data is not static, security must
accompany it as it travels. To demonstrate the scale of the problem he cited a survey of 1400
companies (size – 250 people upward), which was conducted in 2007. The results were
startling:
     • 60% had suffered a data loss within the last year
     • 70% believed that data loss would damage their brand
     • 33% said a major data breach could put them out of business
     • 45% of data was leaked accidentally
     • 23% of data was leaked maliciously
     • 32% of data was leaked intentionally but not maliciously (copied to a USB which is
         subsequently lost etc).

In other words, 77% of data loss was non-malicious! And while 77% of respondents didn’t
know how much a data breach would cost them, 23% thought the figure was, on average
US$1.8 million, in part because of the US disclosure laws.

In conclusion Chris emphasised the need to identify critical assets; balance usability with risk;
focus on policy before technology; demand more integration and lower costs from vendors;
and conduct ongoing awareness campaigns for users.

Detlef Eckert: Advisor, Directorate General Information Society
Detlef described some general security concepts before turning specifically to IPv6 (Internet
Protocol version 6), stressing the need for layered security, how end to end security may give
the false impression of absolute security, and the need to take into account the key concepts
of costs and usability.

IPv6 has been around for ten years but very few companies have deployed it. Many are still
using IPv4 because they see no immediate business case, and do not appreciate the design
advantages. However, the space problems with IPv4 are becoming increasingly felt, and
those that do not implement IPv6 in a timely fashion may find themselves having to do so very
quickly. The options are therefore to continue with IPv4 until the business drowns, or to
introduce it proactively now. ICANN and the RIRs stress the need to adopt IPv6 as a matter of
urgency and this view is shared by the European Commission: in its Action Plan, the EC aims
for 25% implementation in public procurement by 2010 and to encourage more companies to
deploy it.

He said it was a myth that IPv6 is more secure than IPv4: IPsec may not be deployed
even though it is part of the protocol. IPsec is, however, easier to deploy on IPv6, although,
since it works at the network layer, it does not protect applications. He mentioned a few IPv6
security considerations:
    •   The larger address space makes it less vulnerable to random port scanning and
        helps against self-propagating worms.
    •   The security issues with IPv6 are different to those in IPv4 and less well understood.
        There is therefore a need to start experimenting early.
    •   Security products such as firewalls may not fully support IPv6 as well as IPv4.
    •   Some protocol weaknesses have been exposed, eg Type 0 Routing Header
        vulnerabilities.
    •   Although IPv6 may not be deployed, IPv6 traffic could affect the network through
        tunnelling.
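Two of the points above, tunnelled IPv6 reaching a network that has not deployed IPv6 and the Type 0 Routing Header, are things a perimeter can be checked for. The following Python is an added example, not code from Detlef's presentation or from the report: it parses IPv4 packets, flags 6in4 encapsulation (IP protocol 41) and Teredo (UDP port 3544), and walks the inner IPv6 extension-header chain to flag a Type 0 Routing Header. The sample packets, the documentation addresses in them and the function names are all constructed for this example.

```python
import ipaddress
import struct

# IANA protocol numbers and IPv6 next-header values used below
PROTO_TCP, PROTO_UDP, PROTO_IPV6 = 6, 17, 41
NH_HOP_BY_HOP, NH_ROUTING, NH_FRAGMENT, NH_DEST_OPTS = 0, 43, 44, 60
IPV6_EXT_HEADERS = {NH_HOP_BY_HOP, NH_ROUTING, NH_FRAGMENT, NH_DEST_OPTS}
TEREDO_PORT = 3544  # Teredo carries IPv6 inside UDP (RFC 4380)


def ipv6_findings(ipv6: bytes) -> list:
    """Walk the extension-header chain of an IPv6 packet and report risky headers."""
    findings = []
    if len(ipv6) < 40 or ipv6[0] >> 4 != 6:
        return ["malformed inner IPv6 header"]
    next_hdr = ipv6[6]
    offset = 40
    while next_hdr in IPV6_EXT_HEADERS and offset + 8 <= len(ipv6):
        ext_next = ipv6[offset]
        # The fragment header is a fixed 8 bytes; the others give their length
        # in 8-octet units, not counting the first 8 octets.
        ext_len = 8 if next_hdr == NH_FRAGMENT else (ipv6[offset + 1] + 1) * 8
        if next_hdr == NH_ROUTING:
            routing_type, segments_left = ipv6[offset + 2], ipv6[offset + 3]
            if routing_type == 0:
                findings.append(
                    f"Type 0 Routing Header (segments left={segments_left})")
        next_hdr = ext_next
        offset += ext_len
    findings.append(f"inner IPv6 upper-layer protocol {next_hdr}")
    return findings


def classify_ipv4_packet(pkt: bytes) -> dict:
    """Parse one IPv4 packet and flag IPv6 tunnelled inside it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {"ok": False, "findings": ["not an IPv4 packet"]}
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    findings = []
    if proto == PROTO_IPV6:
        findings.append("6in4 tunnel (IP protocol 41)")
        findings.extend(ipv6_findings(payload))
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            findings.append("possible Teredo tunnel (UDP 3544)")
    return {
        "ok": True,
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "proto": proto,
        "findings": findings,
    }


# --- constructed sample packets (documentation addresses, zero checksums) ---

def build_ipv4(proto: int, payload: bytes,
               src: str = "192.0.2.10", dst: str = "198.51.100.20") -> bytes:
    """Minimal 20-byte IPv4 header in front of payload (constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Minimal 40-byte IPv6 header in front of payload (constructed test data)."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      ipaddress.IPv6Address("2001:db8::1").packed,
                      ipaddress.IPv6Address("2001:db8::2").packed)
    return hdr + payload


def build_rh0(next_header: int, hops: list) -> bytes:
    """Type 0 Routing Header (deprecated by RFC 5095) listing intermediate hops."""
    addrs = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    # hdr ext len counts 8-octet units after the first 8: two per 16-byte address
    return struct.pack("!BBBBI", next_header, 2 * len(hops), 0, len(hops), 0) + addrs


SAMPLE_PACKETS = {
    "plain_tcp": build_ipv4(PROTO_TCP, struct.pack("!HH", 40000, 80) + b"\x00" * 16),
    "teredo": build_ipv4(PROTO_UDP, struct.pack("!HHHH", 54321, TEREDO_PORT, 8, 0)),
    "6in4_rh0": build_ipv4(PROTO_IPV6, build_ipv6(
        NH_ROUTING, build_rh0(PROTO_TCP, ["2001:db8::3"]) + b"\x00" * 20)),
}


def scan_samples() -> dict:
    """Classify every sample packet; returns name -> findings list."""
    return {name: classify_ipv4_packet(pkt)["findings"]
            for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {findings or ['no tunnelled IPv6 seen']}")
```

Run over captured packets at the edge of a network that is nominally IPv4-only, any hit means IPv6 is crossing a device that may not inspect it; the inner-header walk is what an IPv4-only firewall typically does not do.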

Detlef said that his presentation was a call to action, with the prize being a positive user
experience and agile business, giving seamless remote access and access to partners. He
also urged the organisers of ISSE to have a track on IPv6 security in 2009!

Ronny Bjones: Security Architect, Microsoft Corporation
Ronny emphasized the need for dialogue on security to address the exponential growth of
sophisticated malware. Microsoft has opened that dialogue based on building a trusted stack
with core security components, trust in all components: data, hardware, software and people,
and a secure foundation. Microsoft aims to achieve a secure foundation through its
Trustworthy Computing model, whereby every bit of the software development process
includes security. The corporation has published its Trustworthy Computing data, and the
initiative has produced many results and innovations such as ASLR (Address Space Layout
Randomisation). He said that such initiatives are important because the industry has been
under attack by, for example, buffer overruns: attacks such as Blaster, which take advantage of
a design mistake so that an attacker presents data to an application and it is executed.

He named the core security components of the trusted stack as I=4A: identity claims,
authentication, authorisation, access control and audit. In his view, there needs to be much
more trust in the trusted stack, all applications should be signed, a white list approach based
on ID should be used, digital signatures should be added to data stores and the hardware
within the stack should be trusted. As an example of how to build trust he described the BitLocker
architecture using a TPM, which measures the whole boot chain and does not reveal the
cryptographic key.

Turning to ID claims he said that the concept was not new, but the approach had not been
holistic. ID claims should apply to devices, applications and people; should work globally;
address social, political and economic factors; and should work in a heterogeneous
distributed environment. He then described the identity metasystem and Microsoft’s claims
based identity system, CardSpace, which protects the privacy of the individual by only
supplying to the service provider the information that is needed.

In conclusion he said that the trusted stack is not there yet: there are many social, political,
economic and technological challenges to overcome. There is therefore a strong need for
broad, cross industry dialogue.

                                Presentations and Discussions

ISSE is a three-day programme packed with diverse, content-rich presentations, discussions
and, at times, lively debates. Here are a few of the topics that were discussed within the five-
track conference:

Towards interoperability and mutual recognition of eSignatures
Olivier Delos of Sealed gave the results of a European study on the standardisation of
eSignatures. In his view the legal and technical aspects are in place, as are standards.
However, the standards are inappropriate, more academic than business-oriented.
There should be a global restructuring of the standards to make them easily accessible. He
asked the question, how are you to choose which standard to adopt for an eSignature
application, and how can you be sure that you are implementing with the legal recognition
requirements of QES/AES? At the moment, applications tend to be national rather than cross
border because of insufficient mapping. In terms of cross border applications he said there
were two main approaches:
    • Bridge the differences – with the risk of it becoming unmanageable
    • Eliminate the differences – a long process
A pragmatic approach would entail the following:
    • Start from what already exists
    • Fix the basics by eliminating differences in those basic building blocks
    • Make quick wins on easier issues while ensuring easier treatment of more complex
       issues

Biometrics and ID cards, enablers for personal security
Andreas Reisen, Federal Ministry of the Interior, Germany, discussed the problem of getting
people to give their biometrics voluntarily for ID cards. As he said, there is a need to
communicate the benefits of secure ID cards to citizens, and while one biometric does not
necessarily solve the problem of theft, two goes much further. One way of getting people to
give them voluntarily would be to inaugurate ‘fast lines’ at, for example airports. In fact, he
estimated that if fast track systems were not implemented at Charles de Gaulle airport, then in
three years time there would simply not be enough time to check all travellers in.

In terms of eID projects he stressed the need for correct implementation and respect for
privacy, looking not only at security, but also at all the processes involved which must
complement each other. Turning to the German ID card, he discussed its technical
parameters, benefits and shortcomings for sovereign and internet usage.

Empirical research of IP blacklists
Christian Dietrich of the University of Applied Sciences, Gelsenkirchen, Germany, presented
some recent research findings on spam, which showed that the countries tending to be in the
top ten spam parade were the US, Russia, Turkey, China and Germany. Of the 4.2 billion IP
addresses on IPv4 only 1.8 billion are in use, of which 26% are known by reputation and
some 75% have no reputation. Statistically, only one in four spamming IP addresses is
known. In addition, spamming addresses only spam for a very short period of time – between
one and three days – to avoid detection. Christian concluded that spammers have twelve
years left before all of today’s 1.8 billion IP addresses have been used at least once.

                                      Panel Discussion

We always incorporate panel discussion into ISSE, giving delegates and speakers the chance
to discuss and debate different ideas. This year we were fortunate to secure the services of
Howard Schmidt, (ISC)2 Security Strategist and former White House Cyber Security Advisor
as a moderator. Panellists were Ronny Bjones, Microsoft; Nick Coleman, Cabinet Office, UK;
Isumi Aizu, Asia Network Research, Japan; and John Sabo of CA Inc. Here are just a few
questions and responses from the discussion.

Photo: Panel session at ISSE 2008

Assessing the international response to information security attacks
    •   Q. In 2006, when 95 million TJX credit and debit card numbers were breached, the
        organisation settled for some US$125 million and gave a 10% discount to customers
        via coupons. TJX’s revenue actually went up because of their lack of security so why
        should they bother with it?

    •   A. It’s possible that having been through the process they will have learned from it.
        Even though there was no financial impact, their reputation may have suffered. From
        a banking perspective you have to ask yourself where you can put your savings.
        From that viewpoint, if you had been affected, you would certainly ask questions.

    •   A. Consumers should be educated in terms of understanding their choices and what
        ID theft means to them personally, but it’s a long process. Furthermore, TJX may
        have got away with it this time, but if it happened again there would probably be very
        severe sanctions against them. There should be strict agreements to ensure that it
        can’t happen again.

    •   A. It’s also a problem in terms of educating developers. How many graduates know
        how to build a secure system?

    •   Q. How can we get people to focus on doing not talking in terms of tactical and
        operational issues?

    •   A. Information sharing has to go a lot further. It’s OK for us to talk in ISSE but we
        need to share information more broadly. ENISA is a good initiative in that field. We
        will never be able to stop criminals being criminal, so we have to make it impossible
        for them to commit crimes, as well as making them afraid. One issue is that we can’t
        expect users to become security experts before they use a computer.

    •   Q. Banks have hitherto absorbed losses with very little government intervention. It
        works because security has been a competitive advantage. Who should pay if things
        go wrong?

    •   A. There is a pressing need to do security well: institutions used to be able to absorb
        the losses, but that is not the case now, those losses are eating into their margins.

    •   A. The vendor community is stepping up to the challenge of security, but we still need
        to present a strong business case for the investment. We are fooling ourselves if we
        don’t envisage a systemic industry collapse.

                                  Plenary Session Day Two

On day two sponsors RIM and Fortify addressed delegates on their particular security
concerns. TeleTrusT then presented their Innovation Award, and eema the Award for
Excellence in Secure Electronic Business.

Scott Totzke: Research in Motion
Scott’s presentation, Privacy and authentication in a mobile world, examined the difficulties
concerning security in the mobile world. As he said, you need defence, but it will never be
bulletproof, and current weak links include vendors, external services, carrier networks etc.
Security is about finding a balance between security and usability. One of the differences
between mobile and desktop usage is that desktop activities are continuous: you authenticate
once and then stay logged in. Mobile activity is, by contrast, discontinuous, requiring multiple
authentication for short periods of time. Another problem with the smartphone is managing
scarcity: the limited battery life, processing power and storage available. You therefore have
to manage security with a view to the mobile usage paradigm. Some of the specific points
Scott raised were as follows:
    • Authentication: Use an effective authentication method, but not one that is too
         complex or it won’t be used. And bear in mind the limited resources. The smartphone
         does not have the ample resources of the desktop.
    • Privacy: There are the same risks as in the desktop world plus a few more. There
         may be lots of information on the smartphone, but it is intrinsically personal – the
         user’s connection with the world: it gets carried around everywhere and may be lost.
    •   Location-based services: Every time something gets added on there are security
        implications. For example, just loading a picture can pinpoint the device and user’s
        location.
    •   How do you control access? The default password plus PIN are common, but
        passwords are only secure if they are private.
    •   Alternatives to passwords: Biometrics and smartcards are two alternatives, but unless
        working for a government agency, are users really prepared to plug in a smartcard
        each time they want to make a phone call?
    •   Different authentication methods: It is possible to use the smartphone as a token for
        authenticating to the network, or the network can be accessed through certificates. A
        number of different options are available today.

John Taylor: Fortify
In John’s presentation, A CISO’s guide to application security, he looked at the typical
approach to security, which is to protect the network, and argued that this is the wrong
paradigm: we should be protecting applications, because they have to be mobile and
accessible to all relevant parties.

Turning to vulnerabilities, he said that 75% of them sit within the code, and cited the case of
the US Air Force which had a massive increase in attacks on software applications over two
years. Therefore, if you can remediate as you build, rather than later, you are in a much better
position. If you are too late what do you do? You could get someone to sign a waiver, or
remediate, but now there is a time and therefore cost element. It’s much cheaper to find
vulnerabilities earlier. He therefore argued that success is foreseeing failure, and that
studying failure is an important part of avoiding needless risk.

He also stated that common intentions such as to try harder, fix it later or test your way out of
the problem do not work: hackers are very well organised and have plenty of money to invest
in finding and exploiting vulnerabilities. So security has to be layered into every stage of the
development lifecycle.

The TeleTrusT Innovation Award – presented by Günther Welsh, MD, TeleTrusT
The Innovation Award is judged according to the following criteria: innovation, trustworthiness,
secure design/implementation, adequate levels of security, interoperability and economic
efficiency. This year’s winner was Secu Smart in partnership with T Systems, who have
developed an encryption system for mobile phones that is included on the SD card. At the
moment the solution is only available on Nokia phones, but it is being developed for others.

eema Award for Excellence in Secure Electronic Business – presented by Roger Dean,
Executive Director, eema
Congratulations to SURFnet and Everett for winning the eema Award for Excellence in
Secure Electronic Business. The award was presented to Robert Garskamp and Gerald Horst
of Everett by Roger Dean at ISSE 2008. Gerald Horst commented: “Both Everett and
SURFnet are honoured to receive this prestigious award. The SURF foundation project has
succeeded in providing a federated identity management and authentication infrastructure
that enables the efficient use of electronic resources across higher education in The
Netherlands and it continues to grow.”

                                            STORK

On day three of ISSE there was a special workshop on STORK (Secure idenTity acrOss
boRders linKed) – a Large Scale Pilot (LSP) to ensure cross-border recognition of national
electronic identity (eID) systems and enable easy access to public services. The project is
divided into seven work packages (WPs) and the purpose of the workshop was to introduce
them and to invite feedback.

WP1 and WP2 are to do with definitions. WP4 and WP5 are on architecture and WP6 will be
implementation pilots.

WP2: This package started by taking an e-ID inventory. An initial study has defined four
authentication assurance levels, registration requirements and authentication requirements,
and produced an overview of how to bring registration and authentication requirements
together. Work is ongoing to draw up a list of authentication schemes for WP6 and to match
them with a report produced by IDABC. Future tasks will be to examine legal requirements
with a view to producing a report on legal interoperability by December this year. Starting in
October, the team will look at the interoperability of trust and how to map different applications
and needs in different situations.

WP3: This will produce an inventory of technologies, continuously elaborate on it, assess it
against the common specifications and provide prototypes and demonstrations of some
technologies. One of the main aims is to ensure that STORK keeps abreast of innovation.
The list of technologies is underway, assessment will commence in 2009, and the final study
will be prepared in 2010.

WP4: The purpose here is to examine business process flows:
  • Citizen and business cross border authentication
  • Citizen and cross-border use of digital signatures
  • Cross border user control and identity attributes.

The goal is to minimize duplication of data and the results will mainly feed into WP5 and WP6.

WP5: This concerns eID common specifications and involves 18 partners in 12 countries,
each of which will have its own types of credentials and national infrastructures. The aim is to
develop an interoperable technical layer while respecting existing national developments.

WP6: The pilots in WP6 will concern:
  • Cross-border authentication for electronic services
  • Safer chat (children)
  • Student mobility
  • Electronic delivery
  • Change of address

The pilots will commence in June 2010 and run to May 2011.

                                  Networking Opportunities

ISSE provides a content-rich programme for a multidisciplinary approach to the complex issue
of security. However, it is not designed just as an educational programme, it is also a great
opportunity for business meetings and networking with peers and experts. In addition, the
accompanying exhibition serves as a showcase for some of the most innovative technologies
around today. This year, as part of the networking experience, we organised a drinks
reception on day one of the conference, and a gala dinner at the Palacio del Negralejo on day
two.

       If you have not been to an ISSE conference yet, take a look at some of the
                  presentations and make a date to join us next year.