1
Communications-Electronics Security Group
2
Excellence in Infosec
3
John Doody, Head of Infosec Customer Services Group
David Hodges, Technical Manager, UK IT Security Evaluation & Certification Scheme
4
National Technical Infosec Authority
5
Presentation to The First International Common Criteria Conference, Baltimore 23 May 2000
6
UK Evaluation and Certification Services
7
Agenda
– Introduction
– The UK Evaluation and Certification Services
– Summary
8
The increasing need for information security
– Increasing threats: from viruses, hackers, fraud, espionage
– Increasing exposure: greater dependence on IT, increasing connectivity
– Increasing expectations: from customers, partners, auditors, regulators
9
Information Security Breaches Survey 2000 (sponsored by the DTI)
– UK e-commerce transactions in 1999 were valued at c. £2.8bn
– This sum is projected to grow ten-fold over the next 3 years
– 1 in 3 businesses in the UK currently buys or sells over the Internet, or is intending to in the near future
10
– The cost of a single serious security breach can be in excess of £100,000
– Over 60% of organisations sampled had suffered a security breach in the last 2 years
– 1 in 5 organisations still does not take any form of security into account before buying and selling over the Internet
Waiting for the electronic Nemesis?
11
Worse to follow?
“By 2003, losses due to Internet security vulnerabilities will exceed those incurred by non-Internet credit card fraud”
GartnerGroup, May 1999
12
The longer term?
“The 21st Century will be dominated by information wars and increased economic and financial espionage”
Alvin Toffler
13
Growing proliferation of hacking tools and know-how
[Chart: sophistication of attack tools (low to high) against the knowledge required of the attacker, plotted over 1980 to 1995; tool sophistication rises over the period while the knowledge an attacker needs falls. Source: US General Accounting Office, May 1996.]
Tools shown, in the order they appear on the chart: password guessing, password cracking, exploiting known vulnerabilities, backdoors, sniffers, stealth diagnostics, packet spoofing
14
The world of information warfare
Espionage
– Eavesdropping
– Network sniffing
– Agent recruitment
– Computer hacking
– Password cracking
– Open source intelligence
Sabotage
– “Denial-of-service” attacks
– Computer viruses, worms, logic bombs
– Electronic weapons
– Information blockades
– Trojan horse programs
Deception
– Perception management
– Data modification
– Network or email address spoofing
– Hoax emails
– Social engineering
15
How do we ensure that these risks are minimised?
– UK ITSEC
– Common Criteria
– Mutual Recognition
16
Certification Experience
– A decade of Evaluation & Certification
– Founding sponsor of Common Criteria
– Over 230 Product & System Evaluations (ITSEC, TCSEC & Common Criteria)
– Five commercial ITSEFs (CLEFs)
17
Certification Experience
Wide range of products
– Operating systems & databases
– Firewalls, Smartcards & Public Key Infrastructures
Wide range of customers
– 70% Multinational
– Government and Commerce
Wide range of assurance
– Smartcard certified to ITSEC E6
– Firewalls & Operating Systems to E3/EAL4
18
The Result of that Experience
Providing the assurance required
– understanding vulnerabilities
– procedures & documentation
– feedback & review
Meeting the customer’s requirements for
– shorter timescales
– reduced risk
– increased efficiency
19
Where the Future Lies
Tailored evaluations
– assurance & functionality components
– Mutual Recognition an option
Re-use
– certificate maintenance
– integrating certified products
20
The Certification Body
– Supports both ITSEC & Common Criteria
– Promoting migration to Common Criteria
– Accredited to EN45011
– Operates on a cost-recovery basis
21
The CLEFs
22
The Developer’s Perspective
Preparation
– what do you need?
– the ITSEF & the Certification Body
Evaluation
– deliverables
– problem reports
Certification
– the certification report
– certificate maintenance
23
Protecting the Infrastructure
National Infrastructure Security Co-ordination Centre (NISCC)
24
Participating bodies: Cabinet Office, Security Service, MOD, Home Office, Met Police, ACPO
25
NISCC Role
– Initial point of contact on electronic attack issues
– Develop effective working relations with and between CNI (Critical National Infrastructure) organisations
– Assess vulnerabilities, promote protection
– Monitor threat, provide assessments
– Ensure suitable handling of incidents
26
Key Principles
– Partnership
– Trust
– Confidentiality
27
The world of information security
[Diagram: the security controls below arranged around the three goals Confidentiality, Integrity and Availability.]
– Encryption
– Platform security
– Personnel security
– Monitoring & intrusion detection
– Password management
– Physical security
– Infrastructure security management
– Business continuity management
– Fallback planning
– Virus prevention & detection
– Certificate registration & management
– Penetration testing
– Authentication & access control
– Incident response & crisis management
– Risk management
– Firewall & connectivity management
– Security architecture
28
Summary
– Real threats
– Real risks
– Need for evaluated products and systems
– UK has an excellent track record in evaluation and certification services
29
Want to know more?
– Visit the CESG stand
– Contact jsdoody@cesg.gov.uk
– Email us at info@itsec.gov.uk
– Visit our website at www.itsec.gov.uk
– Telephone us on +44 1242 238 739
– Fax us on +44 1242 235 233