September 24–27 2007
ISSE/SECURE 2007 was held in Warsaw, Poland, hosted by NASK, and co-organised with
the Ministry of the Interior and Administration, Poland (MSWiA). We would like to thank them
for their excellent support.
On Day One delegates were welcomed by Norbert Pohlmann, Chairman of the Board,
TeleTrusT; Grzegorz Bliźniuk, Undersecretary of State, MSWiA; Roger Dean, Executive
Director, eema; Andrea Pirotti, Executive Director of ENISA; and Krzysztof Silicki of
co-organisers SECURE. Norbert outlined two problems facing ICT security today: firstly, the
problem for the citizen, who complains that while new virus patches are applied continuously
to their computer, industry still does not seem to be able to stop people getting access to their
private data; secondly, the dangers of virtual communities in which deals are struck, but
no-one has control of the corporate data that is circulating within them. Mr Bliźniuk outlined some
of the projects within the Polish IT Action Plan, stressing the need for conferences such as
ISSE to provide a platform for information sharing and discussion. Roger Dean explained the
role of eema in solving security issues, and outlined some of the challenges the industry
faces such as regulatory issues and interoperability across 27 Member States; and the
subsidiarity versus standardisation debate. Andrea Pirotti congratulated the Polish
Government on its efforts to foster ICT security and outlined ENISA’s role as a co-ordinator,
communicator and information provider. Lastly, Krzysztof Silicki of NASK welcomed delegates
to Poland, explaining that SECURE is the oldest ICT conference in Poland, and describing
ISSE as a major step forward in collaboration.
Delegates heard some excellent keynote presentations from industry experts such as Costin
Raiu of Kaspersky Labs, Steve Lipner of Microsoft, Claus Lehners of DaimlerChrysler, Scott
Totzke of RIM, Howard Schmidt of R&H Security Consulting and Professor Bart Preneel of K
Costin Raiu, Kaspersky Lab
For example, Costin Raiu of Kaspersky Lab explained the evolution of the threat landscape,
the current situation, existing solutions, problems that so far have no solutions, and what the
future might hold. He described the Denzuk virus of 1988 as awesome, because of the
cleverness of producing such imagery with so little code. Mostly, he said, viruses were fairly
benign 20 years ago, in contrast to today, when you don’t see them: they are characterised by
stealth and invisibility, and that makes them hard to find. And while traditional viruses were
generally distributed via floppy discs, CDs and the web, today, the preferred method is
through social engineering. In addition, phishing sites embedded in legitimate sites present
another danger. In the first six months of 2007, the highest numbers of malware came from
China (31%), the USA (26%), Russia (11%) and Brazil (4%). Existing solutions include
anti-virus software, firewalls, integrity checkers, whitelisting etc, and Costin said that if users did
not employ some of these protective measures they were likely to get infected within two
weeks. For the future he said that because the internet is still insecure we need new rules to
combat malicious attacks. Vista is a great step forward, but not the ultimate solution; and
while Windows is currently the most popular operating system for attack, we are likely to see
other operating systems suffering higher levels of attack in the future.
Steve Lipner, Microsoft
Steve started by outlining the developing IT infrastructure, from batch processing to online,
from back end systems to mission critical, from isolated networks to the internet, and from
authorised users to interconnected customers and suppliers etc. The threat landscape has
also evolved, from insiders in the seventies and eighties, to viruses and insiders in the
eighties and nineties, to website attacks, viruses and insiders in the nineties – including
patriotic hacking at the end of the nineties – and to worms from 2000 to 2003. Since then
phishing and botnets etc have been the order of the day, and these techniques have changed
the game: the attacks are now targeted, their intensity has increased, and the attackers have
significant resources, careful target selection and a command and control structure. Microsoft
has responded to the changing threat landscape, firstly by the introduction of
email@example.com and today with Microsoft’s Security Response Center. Its Trustworthy
Computing initiative is also a big step in the right direction. It aims to solve security
vulnerabilities before shipping new products. While security will never be perfect, Vista has up
to 50% fewer vulnerabilities versus XP and other platforms. In terms of protecting critical
infrastructure, Steve said that much of it is in the hands of industry. Industry should enhance
the resilience of systems, innovate through R&D, and offer supplemental services.
Government has a key role in ensuring its own services and should provide funding, enforce
the law and provide incentives for good security.
The first two keynote presentations were followed by the traditional ISSE debate, on how to
achieve the common goal of reducing vulnerabilities. For example:
Q: It is said that governments develop their own malware to find out more information than
citizens would wish them to have. Is this true, and if so, what should we do about it?
A. It’s not a rumour. Two years ago the US government wanted to implement a project
to spy on terrorists but were dissuaded from doing so. The German, Austrian and
Swiss governments have worked on similar schemes. If at least three EU States are
doing it, there are bound to be more.
A. Governments have had law enforcement surveillance since time immemorial, of
course they are doing it. From a vendor perspective we should avoid making it easy
for them to do that, by building security software to recognise and eliminate attacks
and make it as hard as possible.
Q. How about governments using systems to attack other nations?
A. That mirrors the real world even before computers were invented. Governments
should work together to decide what internet cyber climate they are willing to tolerate
and then deter what happens outside of those boundaries. It’s a matter of
A. We know that cyber attacks do occur between nations, but it is difficult to get
evidence. You cannot always tell whether you are witnessing a rogue incident or an
organised attack. It is therefore important not to ‘shoot first’.
Q. What are the sensible components of an effective security evaluation process?
A. Not the Common Criteria. They do not work against commercial products because
the assurance of security is in the code and not in the documents as specified by the
CC. New evaluation tools should encompass both evaluation tools and procedures.
The CC are, however, suitable for modular solutions such as firewalls.
Q. What are the respective responsibilities of vendors and users?
A. Vendors should make systems as secure as possible, and users should be
cautious; however, you can’t expect users to make fine-tuned decisions. It’s also
important to get users to practice security by default.
Q. Should software vendors be liable?
A. No. No-one forced Bill Gates to spend US$200 million in two months on the
Trusted Computing initiative. It was a matter of market forces. If you do make vendors
liable it will inhibit innovation.
A. There are two sides. If the vendor is going to be liable, then perhaps the user
should also be accountable, especially if they have no security software installed. It
begs the question: ‘Should security software be mandatory?’
Claus Lehners, DaimlerChrysler AG
Claus looked at the security infrastructure, applications, processes, risk management and
infosecurity awareness. As he said, in many cases security is only implemented when
something goes wrong, and that is the wrong way around. We need a multi-faceted and
flexible approach to security. For example, anti-virus software, firewalls etc are necessary, but
they only plug the holes we know about. What we need to do is to decide where the holes are
that we don’t know about: the vulnerabilities. The best way to secure applications is to embed
security in them at the development stage, it’s not so easy to implement security if the
application has already been deployed, and the worst case is to try to secure it after
something has gone wrong. DaimlerChrysler implemented a strategic approach to security in
2002, which involved identifying the information owners and making them responsible; and
adopting a holistic, people, process and technology approach to security. The risk
assessment phase was complex for each information asset, and one of the hurdles was to
overcome language barriers between the information owners and IT experts. For that reason,
the company first built a framework policy with requirements, policies and standards, then
audited compliance and risk acceptance. DaimlerChrysler carries out ongoing risk awareness
programmes such as ‘infosecurity wallpaper’ and reinforcement on certain topics such as
email encryption, the handling of mobile devices etc.
Q. What was the main challenge in implementing your Infosecurity programme?
A. Getting support from the business line.
Q. Do you monitor employees?
A. Some PCs are classified as ‘green’ and are automatically patched. With others, the
company can check and see if they are patched, and if not, can alert the client group
Scott Totzke, RIM
Scott looked at security challenges for vendors, and the unique challenges for the mobile
industry. From the vendor’s viewpoint security is about selling trust to the customer, and the
vendor has to earn that trust. Once lost it is difficult to regain, and if eroded, will at least delay
the purchase decision. The financial impact of a breach can amount to 0.95% off the bottom
line overnight. However, absolute security is unattainable, and software defects in complex
systems are unavoidable. Furthermore, the threat of mobile malware is growing and today costs some
US$150 per customer per incident. Over the next couple of years Scott predicted that
malware will move from targeting the individual devices to the mobile network carrier. He said
that the mobile world should learn from the wired world. For example, they should
communicate better by not ignoring security problems, by providing clear and standard
messages for the customer, and by using standard communication channels such as US
CERT. He also saw a need to improve patch and upgrade cycles: customers expect timely
patches, and the process needs to improve.
Howard Schmidt, R & H Consultancy
Howard discussed the resilience of public systems and the steps necessary to build and
maintain that resilience. For example,
• Understand that security is never absolute, and risk management is an ongoing
• Understand that security is the business: there will be no business without it.
• Write good secure code that will last a long time.
• Architect with security in mind.
• Build security into day-to-day operations.
• Develop good international standards around an agreed concept of what digital
• Continue to work with law enforcement agencies to ensure that criminals are held
accountable for their actions.
He cited the case of a hacker who gave an interview before being sent to prison. Apparently it
was easy for him to get into many systems because the IT infrastructure left gaping holes. He
had started by breaking into VOIP systems, and within a few months had managed to scan 6
million computers. Many were easy to get into because passwords weren’t changed,
passwords were predictable, e.g. ‘admin’, or the systems were misconfigured. Having broken
in, the hacker could then redirect all activity on them through his own system.
One of the key features of ISSE is its panel discussions, and this year was no exception. For
Critical Information Infrastructure Protection (CIIP)
Moderator: Ferenc Suba, CERT-Hungary
As panel member Howard Schmidt explained, 10 years ago in the US there was no CIIP,
80–85% of the nation’s critical infrastructure (CI) was owned and operated by the private sector,
no-one in government looked after such issues, and there was no mechanism, or indeed
desire, for industry to share information. In 1998 President Clinton issued a Directive by which
government agencies were mandated to work with their counterparts in industry. For
example, the Treasury had to work with the finance industry; and ISACs (Information Sharing
Analysis Centers) were set up to look into vulnerabilities, threats and best practice. After
2001, the President also appointed a CIIP board within the White House to look at
international policies, finance, etc in relation to CIIP. This proposed a blueprint for voluntary
CIIP which is now being executed in conjunction with the ISACs.
Andreas Reisen of the Federal Ministry of the Interior, Germany, defined critical infrastructure
as ‘organisations and facilities that are of great significance for the community, whose failure
or impairment would cause shortage of supplies or significant disruption’. The sectors
involved include transport, energy, hazardous materials, IT and telecommunications, finance,
supply services, administration and justice. Having defined what it was trying to protect the
government next defined an umbrella strategy for public administrations, critical
infrastructures and the public. The National Plan is divided into two parts: the first is a federal,
administrative role to decide how to protect the governmental IT infrastructure, and the
second is a CIIP implementation plan devised with individual sectors. The structure of the
plan involves analysis, appropriate measures, communication and a road map. Thereafter,
countermeasures will be devised for each sector.
The scope of CIIP is clearly vast and the group agreed that it is difficult to scope the project.
For example, phishing could start as a relatively minor affair, but eventually turn into
something critical. It takes a great deal of expertise and foresight to scope individual
vulnerabilities from the bottom up. In the US a common scoring system, CVSS (Common
Vulnerability Scoring System), is used. The group also agreed that there is as yet no
comprehensive global CIIP programme: the process of defining one is still very much in the
European eIDM Framework 2010 – 2 years after Manchester – what did we achieve?
Moderator: Horst Walther, Kuppinger & Cole
The Ministerial Declaration in 2005 laid the foundation for an EU eID scheme that would be
interoperable, embrace all citizens, provide easy access to public services and effective
government. It was a broad vision with a 10 year timeline. As Herbert Leitold of A-SIT
Austria pointed out, the easy part was for Member States to develop an eID that would
facilitate access to services, but the hard part remains to make that eID mutually recognised
across all other Member States by 2010. Since the Manchester Declaration, the i2010 Action
Plan has clarified and enhanced it by providing common specifications and standards; and
earlier in the month, in Lisbon, the goals were reconfirmed, emphasising the need for
Daniel Blum from the Burton Group USA said that the concept of cross border eIDs was
available but had never been commercialised on such a large scale before, although it will
happen. The US created interoperable standards through the development of the HSPD
scheme and Europe needs something similar. However, it will require a very large
infrastructure, validation services, involve significant investment and come up against scaling
Howard pointed out that since different countries have already spent massive amounts of
money developing their own schemes, they are unlikely to be willing to spend a lot more on
EU standardisation, which begs the question, should the scheme be based on interoperable
standards or mutual recognition? Ingo Naumann of BSI Germany cited three approaches:
standards; middleware/eID tokens; and servers to ‘speak across all languages’. Jos
Dumortier of KU Leuven outlined some of the studies that his group had been conducting on
behalf of the EU. Since it is common for EU citizens to use names and passwords for access
to services, and public applications are generally national in nature, he felt that Member
States should start to think about international interoperability and progressively introduce PKI
technologies, making it simple for users. And whilst the EU works on the principle of
subsidiarity, we should be careful of setting something up that erodes competitiveness. He
also pointed out that only four Member States have so far formally adopted a framework for
eGovernment applications: France, Norway, the UK and Austria. Besides these four, another
10–12 countries have a framework that is not formally adopted, but nevertheless promoted.
He felt that the EU should not focus on just one path, and make sure that ad hoc solutions are
not mutually exclusive. The group felt that one of the main drivers for interoperability would be
in the area of social services, and migrant workers.
Social aspects of IT security: social engineering
Moderator: Johannes Wiele: LANline Germany
Sharon Conheady of Ernst & Young started this session with a look at how easy it is for a
hacker to get into an organisation, and gave a detailed description of how to do it:
• Target identification
• Reconnaissance: passive, such as through search engines and other websites, job
ads, annual reports, employees etc; or physical: learning when the security guards
patrol, who goes out for a smoke and when, CCTVs , come and go times etc.
• Creating the scenario: what props to use: how sophisticated the attack needs to be
depends on the organisation’s level of security. The scenario is the means to gain
• Going in for the attack
• Getting out again
She then gave a case study on how she had broken into a company and provided evidence
that she would have been able to hack into the computers and steal corporate data. She has
been successful in every attempt so far.
Gigi Tagliapietra of CLUSIT Italy gave his view of how a security awareness campaign should
be run, stressing the need for communication and education over technology, and simplicity.
As he said, only give people one message at a time, and use different media such as
television, papers, movies and PCs to support it, through language, rhythm and metaphor.
And the ‘scare’ part of the message should be equally balanced by the positive or reassuring
part. For example, it helps to make employees feel that they make a difference as an
individual, and that information is their future.
The conference ran across five tracks. Below are some of the topics that delegates
SOA and Web Service architectures are coming – let’s do security right this time
Matthew Gardiner, CA USA
Matthew described SOA/WS, asked how far we had come and looked at some typical SOA
security management mistakes. As he said, SOA and WS go well together even though one
is an architecture and the other software for machine to machine integration: WS makes SOA
possible. The adoption path for SOA/WS is evolutionary: it will be adopted, particularly by
large organisations, and while usage will be primarily internal in the early stages, the biggest
payoff potential is external. Typical mistakes that are made include:
• Architecting silos of security: building security into applications instead of abstracting
it, which means that security becomes the responsibility of application developers.
• Thinking that stopping malware equals effective security management, which means
that the company is forgetting that identity and who gets access to what matters.
• Not understanding that SOA applications have many layers/steps to be secured:
thinking that security of the channel is enough when in fact a highly distributed
security architecture is needed.
Matthew recommended that companies should not create more security silos; should
leverage the current security infrastructure/people/processes; should architect as if services
will eventually be external; and should leverage WS even if not immediately required.
Technical guidelines for the implementation and usage of RFID-based systems
Cord Bartels, NXP Semiconductors and Harald Kelter, BSI Germany
Cord and Harald described a project for the secure deployment of applications using RFID.
The mission was to develop open and practical solutions for applications such as ticketing,
logistics and transport that were both transparent and compliant. Practical considerations
• Existing reference applications
• The needs of all parties in terms of security, economics, feasibility and trust
• Having solutions that are open to all interested suppliers and integrators.
The project drew on existing expertise to look at international experiences, to define state-of-
the-art in terms of what the client expected, the services required, available technology and
operational processes; and invited all relevant parties to review. The definition of the security
system depended upon parameters such as the character and value of the services
supported, different aspects of the application area, and boundary conditions of the system
implementation. The security assessment looked at the definition of security targets, related
threats, safeguards and residual threats.
Security guidelines developed during the project addressed aspects such as the meaning of
IT security in terms of safety, information security and privacy, which were defined as generic
security targets. These were then divided into specific targets such as protecting the privacy
of the individual in a ticketing application. The next step was to define protection demand
categories and the possible consequences of different security threats, leading to the type of
security necessary at each layer. The message was that no one piece of security stands
alone. Encryption, for example, will involve a whole cast of players from client and server
integration, to CA processes, key and data recovery processes, policy, provisioning and
Large scale fingerprint applications: which technology should be used?
Andreas Wolf, Cross Match Technologies
Andreas discussed different applications and projects, standards, requirements and
recommendations in fingerprint technologies. Within the area of applications, for example,
there are tenprinters, palmprinters, ID flats scanners, two finger scanners and single finger
scanners that may use total reflection, semi-conductor or other forms of technology
(ultrasound, photo etc). Andreas asserted that it should be the application and not the budget
that determines which technology should be used. He then turned to a number of different
applications including the US AFIS specifications and the EU passport. The specifications for
the EU passport were defined by ICAO, and fingerprints are optional. It encompasses the
largest imaginable user group and various inspection systems are likely to be developed.
However, there are some problems with it. For example, it is not possible to update the data
during the lifetime of the passport, and biometric interoperability will be an issue.
Mobile device policy enforcement
Sami Petäjäsoja and John Rhoton, HP
Sami discussed the pros and cons of robustness testing and fuzzing. For example, since
there is the problem of an infinite input space with both approaches, there is a need for
heuristics to finish the testing in a reasonable timeframe. Moving to tests carried out on
Bluetooth, he said there is a big problem with Bluetooth hacking tools available on the web
such as BlueBug, BlueBump, BlueDump etc. Not many Bluetooth stacks pass robustness and
fuzzing testing, and the root cause of the problem is the complexity of the stack, which is
similar to WiMAX. As Sami asserted, ‘Security incidents are really QA issues that have
reached the outside world.’ Referring to mobiles, John Rhoton said that the major perceived
threats are information theft and unauthorised access. There are a number of solutions that
can be used to protect the mobile such as locking mechanisms that require authentication, or
encrypting the data on the device, and these should be used. Comparing WiFi to Bluetooth he
said that it is not as difficult to configure, although it is still possible for the user to connect to
decoy access points, or to bring their own access point in and plug it into the network, which
is a gaping hole in security. He then outlined some of the mechanisms to enforce policy, such
as ensuring that everything at the edge of the network is compliant with the company’s
policies, provisioning security tools, device lockout mechanisms, user support etc. He also
stressed the need for devices to be compliant with the most recent policies before they are
allowed to send emails. The HP Enterprise Mobility Suite is one solution that works on the
basis of empowering the user and self-care. It works at four levels:
• Set up my device
• Diagnose my device
• Update software
• Lock and wipe device.
John summarised by saying that security is the greatest obstacle to mobile adoption. Industry
has addressed the main user challenges of misconfiguration and now the issue is one of
enforcing policy. Mobile device management both enforces policy and reduces the cost of
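Sami’s point that the input space of a robustness test is unbounded, so that some heuristic must bound the run, is easiest to see in a small harness. The following is an added example, not code from the talk or from HP: a mutation fuzzer with an iteration budget and a novelty heuristic (inputs that produce a behaviour not seen before are kept as new seeds), run first against a constructed TLV parser with a truncation bug, and then against its hardened form. The parser, its bug and the seed message are all constructed for the example.

```python
# Added example (not from the talk): a minimal mutation-based robustness
# fuzzer run against a constructed TLV (type-length-value) parser. Because
# the input space is unbounded, the run is capped by an iteration budget and
# guided by a crude novelty heuristic: inputs that produced a behaviour not
# seen before are kept as new seeds.
import random


def parse_tlv(data: bytes) -> list:
    """Constructed target: records of [type:1][length:1][value:length].
    Malformed input is supposed to raise ValueError; anything else that
    escapes is a robustness defect. This version has a truncation bug."""
    records, i = [], 0
    while i < len(data):
        rtype = data[i]
        length = data[i + 1]          # IndexError if the record ends after the type byte
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value")
        records.append((rtype, bytes(value)))
        i += 2 + length
    return records


def parse_tlv_hardened(data: bytes) -> list:
    """Same format, with the header length checked before it is read."""
    records, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated header")
        rtype, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value")
        records.append((rtype, bytes(value)))
        i += 2 + length
    return records


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: overwrite a byte, insert, delete or truncate."""
    buf = bytearray(data)
    op = rng.choice(("overwrite", "insert", "delete", "truncate"))
    if op == "overwrite" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    elif op == "truncate" and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)


def fuzz(target, seeds, budget=2000, seed=1):
    """Run `budget` mutated inputs through `target`. Returns a dict mapping
    each escaped exception type to one input that triggered it, plus the set
    of distinct outcomes observed (the novelty heuristic's memory)."""
    rng = random.Random(seed)             # fixed seed keeps the run reproducible
    corpus = list(seeds)
    seen, failures = set(), {}
    for _ in range(budget):
        candidate = mutate(rng, rng.choice(corpus))
        try:
            outcome = ("ok", len(target(candidate)))
        except ValueError as exc:          # expected rejection of bad input
            outcome = ("rejected", str(exc))
        except Exception as exc:           # anything else escaped: robustness defect
            outcome = ("crash", type(exc).__name__)
            failures.setdefault(type(exc).__name__, candidate)
        if outcome not in seen:            # new behaviour: promote to seed
            seen.add(outcome)
            corpus.append(candidate)
    return failures, seen


SEED_MESSAGE = b"\x01\x03abc\x02\x00"     # constructed seed: two well-formed records

if __name__ == "__main__":
    for name, parser in (("buggy", parse_tlv), ("hardened", parse_tlv_hardened)):
        failures, seen = fuzz(parser, [SEED_MESSAGE])
        crashes = {k: v.hex() for k, v in failures.items()}
        print(f"{name}: {len(seen)} distinct outcomes, crashes: {crashes}")
```

The budget is the heuristic Sami refers to: the harness stops after a fixed number of cases rather than trying to exhaust the input space, and the novelty rule spends that budget on inputs that reached code paths the seeds did not. Sami’s remark that incidents are QA issues that reached the outside world is the reason the hardened parser exists: the same budget that finds the crash also confirms, once the header check is in place, that no uncaught exception escapes.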
Success criteria for PKI implementation
Sachar Paulus, SAP Germany
Sachar Paulus gave the findings of a report into the success criteria for a PKI implementation.
It was a joint research project by the Technical University of Brandenburg and TeleTrusT, with
the help of industry and academic experts, looking at technical, economical and
From the technical viewpoint the report found, for example, that replacing cryptographic
algorithms may be useful for governmental applications, but not necessarily for standard
enterprise applications; that biometrics will be used increasingly; and that developing
technology without involving the human factor does not make sense. In terms of economics,
PKI is a business enabler rather than a security technology; and it cannot be proven by ROSI.
In order to justify the investment there must be several business processes implemented with
it, but putting the business case to several separate departments is a lengthy and difficult
task. Sachar therefore recommended different value techniques to prove the business case.
From the user’s point of view, the trust decision must be simple, and derived from business
process requirements. Key management should be hidden and better integrated across
applications. He recommended, among others, implementing virtual key chains across
applications and platforms, introducing security balanced scorecard models and adding
sociological expertise to the implementation of PKI projects.
The eema Award for Excellence in Secure Electronic Computing
Symantec’s endpoint security solution, in conjunction with waste recycling company the
Solum Group were this year’s winners of eema’s prestigious Award for Excellence in Secure
Electronic Computing. The solution affords protection against sophisticated attacks and
reduces the cost of managing infosecurity. Furthermore, it is easy to understand and use, and
does not require extra IT staff to manage growth. Congratulations to Symantec and the Solum
We would like to thank Gold Sponsor Microsoft; Silver Sponsors Blackberry, Thales and
TeleTrusT; Bag Sponsor Symantec; Badge Sponsor CoreStreet; Media Partners
Computerworld, Infosecurity and securitystandard.pl; and all the exhibiting sponsors who
came along to demonstrate their products and services to the delegates at ISSE/SECURE.
The presentations from ISSE/SECURE are available on the website. Remember that you
will need your password and username to access them.