Monday 22nd October - Active Loss Prevention Plenary


22-Oct-2001 09:07 - Amsterdam - Allen Brown - Allen Brown said how good it was to see everybody here in Amsterdam, especially since other security conferences had been forced to disband. In view of the terrorist attacks, technology alone could not help us, so it is important to understand all the surrounding issues. It was also necessary to reach out to all sectors and bring them in.

Allen expressed what a wide-ranging subject Active Loss Prevention was and that it was a new way forward for consortia to take.
22-Oct-2001 09:07 - Amsterdam - Allen Brown
22-Oct-2001 09:14 - Amsterdam - Bill Hancock - Bill Hancock entertained the attendees by opening up in several languages before presenting what he thought were the six main reasons why security risks were increasing:

(1) Denial of the problem 
(2) Improperly designed infrastructure of existing systems, apps, networks, etc. 
(3) Acceleration of new technologies with no security capabilities 
(4) Lack of proper threat assessment for assets and development of protective measures for same 
(5) No legislative impetus 
(6) Improper recognition of risks by senior management 

He stressed the importance of getting over the denial problem.
22-Oct-2001 09:14 - Amsterdam - Bill Hancock - He then ran through some relationships connecting new technology with new risks, which included:

Growth = dependency 
Fragile = easy to break 
Security = ha, ha, ha… 
Early adoption = THE system 
Vendor profit = minimal security 
User controlled = security OFF 
New Tech = no risk assessment 
Integral dependency = ??? 
Easy to deploy = no security 
Need for security = panic mode
22-Oct-2001 09:14 - Amsterdam - Bill Hancock - Bill said that 85% of all wireless LANs were not WEP enabled and that, in any case, WLANs with WEP and/or VPN solutions do not necessarily stop such things as DoS, DDoS, off-WLAN sniffing, session hijacks, DNS spoofing, redirection attacks etc., before stating that the next main threats were offensive and defensive information operations. He next explained that current technology is based on the “friendly community” concept and that sadly this was now a thing of the past.
22-Oct-2001 09:14 - Amsterdam - Bill Hancock - Bill listed disruption, flow intercept and change, deception and disinformation as types of offensive warfare, and reckoned that exploitation and certain active measures were its two main weapons. He gave the following nine items as embodying the problems of offensive warfare technology:

New skill set and “view” of security 
Lack of tools and techniques 
Lack of knowledge on algorithm manipulation techniques 
Stealth of implementation 
Detection of the implementation by the opponent’s facilities or technologies 
Countermeasures 
Change to opponent’s infrastructure 
Upgrades on both sides 
Lack of standards in implementation(s) 
He concluded with several reasons why everybody should care and gave several indicators to help people prepare for the new threat.
22-Oct-2001 09:42 - Amsterdam - Bruce Schneier - Bruce Schneier commenced by saying what a dangerous world it was and that it was getting worse, backing this up with an informative diagram plotting intruder knowledge against attack sophistication. He next outlined the business assets at risk and gave a good explanation of the evolution of security management.

He moved onto complexity citing the following six points as examples of software complexity:

Applications and operating systems 
Data mixed with programs 
New Internet services - XML, SOAP, VoIP 
Complex Web sites 
Always-on connections 
IP stacks in cell phones, PDAs, gaming consoles, refrigerators, thermostats 
Alongside this, Bruce ran through a detailed diagram showing that the Internet was too complex as well.
22-Oct-2001 09:43 - Amsterdam - Bruce Schneier - He introduced and explained the window of exposure in the potential life cycle of software weaknesses, whilst highlighting the following points about the 'patch treadmill': because pre-release testing is impossible, security is based on finding bugs after the fact and patching them; system administrators can no longer keep up with the flood of patches; patches frequently break other things; and it is unrealistic to expect companies to keep their patches up to date.

Bruce then gave two security models, with threat avoidance being the military model and risk management being the business model. With threat avoidance, security is an absolute; it follows a computer engineering mentality and becomes a barrier to business. With risk management, security is relative, allowing for a variety of options. He stated that security must make business sense, backing this up with a diagram of cost versus security levels.

Bruce briefly touched on the 'Why of Counterpane' before addressing the issues of prevention, detection and response in computer security. Most computer security is preventive in nature. A preventive countermeasure provides two things: a barrier to overcome, and the time it takes to overcome that barrier. Without detection and response, the preventive countermeasure is much less effective. Most of the time, detection and response is more effective, and more cost-effective.
22-Oct-2001 09:43 - Amsterdam - Bruce Schneier - He explained the necessity of network security monitoring by human experts. Internet detection and response needs human experts so as to separate the real from the false alarms. Effective monitoring requires relentless defenders. Firewalls, IDSs, routers and servers are the terrain where the fight takes place. Effective monitoring provides resilient security. Realtime detection can catch attackers, regardless of the vulnerability. Rapid response can repel attackers. Vigilant, adaptive and relentless network monitoring helps make individual vulnerabilities less important.

Effective monitoring becomes security’s feedback loop. One must monitor first; how else does one know what kind of security one has? Network monitoring will be outsourced for the following reasons:

Six people required to staff one 24x7 seat. 
Economies of scale. 
Aggregation of expertise. 
Support processes. 
Large network visibility. 
Bruce gave a city hospital as an example, saying that things are outsourced when they are either important or distasteful.

He then showed how much data was involved in a typical company and how difficult it was to find security events amid the noise. He concluded that risks will always be with us, that security products will not solve the problems of Internet security, and that the best we can do is manage risk. Liability forces software quality; 24x7 managed security monitoring leverages the best protection, detection and response; insurance provides for residual risk transfer; and prosecution of criminals leads to deterrence.
22-Oct-2001 10:32 - Amsterdam - Bruce Schneier & Bill Hancock
22-Oct-2001 11:13 - Amsterdam - Jeff Rulifson & Allen Brown
22-Oct-2001 11:26 - Amsterdam - Jacques Francoeur - Jacques Francoeur started with a presentation overview:

Barriers to adopting eBusiness 
Enforceability of electronic business processes 
Digital Trust and the Digital Chain of Trust Methodology (DCTM) 
Conclusions 
He stated that trust in the physical world is well established but not yet in the eBusiness world. He felt that the fundamental eBusiness question was “Can I conduct my business electronically, or deploy new eBusiness models, with comparable integrity, security, compliance and legal enforceability?” These concerns are the primary barriers to adoption of eBusiness models.

There is a need to define risks and requirements at the business model and operational level, because it is assumed that trustworthy network information and trusted computer platforms and software already exist. He moved on to the legal effect and admissibility of electronic signatures, the key eBusiness enabler.

This is about the eBusiness process and not just about signatures, or the technology employed. They are necessary but insufficient. For example, in a B2C setting it is about the process used to engage the consumer in the electronic transaction. It depends on the integrity of the electronic business process, end-to-end. Integrity must be commensurate with the nature of the application. It also depends on electronic forensic evidence, or an audit trail, i.e. who did what, and when. This must be demonstrable to a level commensurate with the application.
22-Oct-2001 11:26 - Amsterdam - Jacques Francoeur - Jacques went on to say that categories of eRisks include:

identity risk 
information integrity risk 
time-of-event risk 
enforceability risk 
confidentiality risk 
data privacy risk. 
Jacques stressed that the DCTM is a representation of the electronic business process from a process integrity, security, compliance and enforceability perspective. It is a systematic, analytical methodology that allows eRisks to be analysed and mitigated to an acceptable level, in a targeted way that depends on the specific needs of the business model, and applied consistently end-to-end throughout the business process. It is a methodology that is technology, environment, application, and territory neutral.

He showed that it generates its architecture from six trust segments, which correspond to the six risk categories listed above. All trust segments are composed of interlinked building blocks, which he showed in a diagram. He said that the chain is only as strong as its weakest link.

He then defined a whole set of requirements for the electronic signature Trust Building Block (TBB). Since these were very precise, he noted that the full set may not be what is required in every case, but rather an acceptable level.
22-Oct-2001 11:26 - Amsterdam - Jacques Francoeur - He went on to describe the six Trust Segments:

Trusted Identity Authentication 
Trusted Information Integrity 
Trusted Time 
Trusted digital receipts 
Trusted access 
Personal Information Privacy 
Jacques posed the question of what Digital Trust is. He answered that an electronic business process is said to be in a state of digital trust if, and only if, all constituent segments meet and maintain their respective trust standards consistently end-to-end, and concluded that the DCTM is a systematic end-to-end audit, design and operational framework.

He quoted the Chief Security Architect of Allstate Insurance Co.: “DCTM is a significant contribution to the body of work on trusted systems theories and practice.” He showed how DCTM applied at the eBusiness model level and went down to the detailed specifics of compliance and technical requirements.

He finally concluded that DCTM:

Is technology, environment, application and territory neutral, consistent with the EU directive 
Delivers assured and measurable integrity, security, compliance and enforceability to global electronic business processes
22-Oct-2001 - Amsterdam - Jeff Rulifson
22-Oct-2001 12:13 - Amsterdam - Allen Brown & Jeff Rulifson - Allen Brown, President and CEO, The Open Group interviews Jeff Rulifson, Chief Technical Officer, Sun Microsystems and Chairman, The Open Group Governing Board.

Jeff Rulifson looked back to the time when he and others first introduced the subject of Active Loss Prevention to The Open Group, about two years ago. He reflected on the US and Japanese Government Commissions that were working on Critical Infrastructure and their focus on short-term technology solutions rather than policy. He explained the fire department model, which was proactive, contrasting this with the police department model, which was reactive.
22-Oct-2001 13:51 - Amsterdam - Ed Gerck's WEBcast - Ed Gerck was unable to present in person, so his talk was webcast. His presentation discussed the critical role of trust in Internet security, what trust is in terms of qualified reliance on information, and how we can bind adequate systems of trust to security systems.
22-Oct-2001 14:12 - Amsterdam - Matthew Yeo - Matthew Yeo started with four propositions of PKI:

The problem of trusted identity is not as pervasive in eCommerce as many thought likely 
The verdict is not yet in on the commercial viability of trusted identity services 
Where PKI is appropriate, it is policy interoperability, not technical interoperability, that is the key 
Ultimately, it is all about liability 
The belief that universal PKI solutions will prevail is not necessarily well founded, since the need for trusted identity is more granular and, where it does occur, a “one size fits all” solution rarely works. He introduced the interplay of signatures and risks and touched on US and EU signature laws. He explained that an electronic signature could be one of several different things and looked at how to choose amongst them.

Moving on to risk allocation, he felt that there was not always a need for it, depending on criticality and cost. Matthew looked at the issues of a transaction’s anonymity and “virtuality”. Attribution is the strength of “binding” between the signature and the signer’s identity, and whilst PKI-based solutions add “something you have” to “something you know”, they are by no means necessary for legal enforceability.

Legal considerations included:

Is a particular type of signature technology required by law for a transaction? 
Is there a need to benefit from “presumptions” created by law? 
whilst practical considerations included:

Cost and complexity of implementation 
Frequency of transaction between the parties 
Other security needs 
Consumer adoption issues (B2C) 
Need to operate within an industry-standard model (B2B)
22-Oct-2001 14:13 - Amsterdam - Matthew Yeo - Matthew next delved into when we needed to trust, when we did not need to trust and, indeed, whom we needed to trust. He said that Trusted Third Parties (TTPs) did three things:

Perform Identification and Authentication (I&A) of certificate holders based on government identification 
Bind certificates to the government-issued identity 
Offer assurances as to identity and/or attributes to relying parties 
He asked why we should trust TTPs and then compared Government with TTPs.

He also posed the question of “a Government solution?” and stated that the current state of play included:

Enterprise PKI implementations 
Industry PKI implementations 
Universal PKI implementations 
Matthew went on to define a trust model as the set of rules and procedures governing the issuance, use, and revocation of certificates in a PKI.

He explained that trust model basics should include such things as:

What is to be authenticated 
How are certificates issued 
What are the security requirements 
How may the certificates be used 
What are the intended legal consequences of certificate usage 
Who assumes various PKI risks and at what levels of liability 
Matthew felt that trust models should be designed at the highest possible level of common utility and presented two slides nicely showing distinct and uniform policies.
22-Oct-2001 14:13 - Amsterdam - Matthew Yeo - He stated that the process of I&A was a critical link in the entire authentication process. Identity is critical to non-repudiation but often not sufficient. He said that what often matters to a relying party is whether the signer possesses certain authorities or attributes. He outlined some PKI risks as:

Failure to issue certificate in accordance with stated I&A procedures 
Fraud/misrepresentation 
Compromise of subscriber’s private key 
Compromise of CA keys 
Failure to revoke certificates upon proper request 
Wrongful revocation of certificates 
Reliance upon certificate for unlawful purposes 
Failure to validate certificate prior to reliance 
Finally he expressed that:

The allocation of any one type of risk is not preordained 
The allocation of different risks is almost always subject to some limit on the amount of liability incurred 
Allocation of risk depends on environment 
Winding up with the assumption of liability, he stated that one of the principal values of a digital signature is the extent to which it is backed up by financial guarantees, and looked at different warranty models and how warranties were secured.