Presentation on theme: "Improving Cybersecurity Through Research & Innovation Dr. Steve Purser Head of Technical Competence Department European Network and Information Security."— Presentation transcript:
Improving Cybersecurity Through Research & Innovation Dr. Steve Purser Head of Technical Competence Department European Network and Information Security Agency SRC’10 Research, Development & Innovation For a More Secure Europe. Oostende 2010 16/6/20101
Who are we? The European Network & Information Security Agency (ENISA) was formed in 2004. The Agency is a Centre of Expertise that supports the Commission and the EU Member States in the area of information security. We facilitate the exchange of information between EU institutions, the public sector and the private sector.
The Big Picture Secure ICT systems are essential for economic and societal development Complexity of global networks is increasing, as is the number of people having access to these networks. The number of security breaches is growing. Such breaches can have a major effect on people’s lives – think of the impact of privacy issues. They often lead to financial damage. As a result, they undermine user confidence. The economy of Europe is at stake if we do not manage security properly
Attack Trends (I) The CERT published an overview of attack trends in 2002 (!). The key points were as follows: Automation; speed of attack tools. Increasing sophistication of attack tools. Faster discovery of vulnerabilities. Increasing permeability of Firewalls. Increasing asymmetric threat. Increasing threat from infrastructure attacks. These trends remain valid to this day.
Attack Trends (II) But there are some new trends….. Some attacks are changing: Malicious code as a way of supporting botnets. The evolution of botnets as a commercial tool. Threats of denial of service against targeted web sites in order to extort payment. Others are becoming more important: Phishing & Identity theft. Data theft and data leakage.
The Real Issue Attackers have learnt how to exploit the weaknesses created by the new business model and are themselves becoming more efficient. The window between the publication of a vulnerability and the appearance of exploit code is continually decreasing. The real issue - As businesses strive for greater speed and efficiency, it becomes more difficult to maintain an effective system of internal controls. The solution to this problem lies in how people react, not technology.
Priorities Priorities for addressing the challenges to NIS at the EU level are: The creation of a knowledgeable and proactive NIS community throughout Europe The development of secure infrastructure and services The establishment of a framework for managing identity, accountability and trust This is based on the following considerations: Technology will only achieve its goal if it is used willingly and appropriately Electronic services must be secured in a coherent manner, where architectural components reinforce each other.
Effectiveness & Efficiency Effectiveness is doing the right thing. Efficiency is doing the thing right. Where security is concerned, effectiveness is much more important than efficiency. The major tool used to decrease OPEX costs is to increase efficiency.... We need to concentrate more on effectiveness. This is where innovation and research can help.
The Role of Innovation It is not uncommon to see engineers discussing solutions before the problem has been completely understood. As a result, many of today’s security solutions are based on old ideas. The concepts upon which these solutions are based cannot offer the level of scalability and flexibility that is required to secure modern business environments. Sometimes, we are not really solving the problem at all.... Innovative ideas are required to develop approaches that solve the right problems and take account of the right constraints.
The Role of Research More research is needed in a number of areas.... Economics: What are the barriers to uptake of new security solutions? How well is the supply of security solutions mapped to the demand? Societal Issues: Why are existing tools not being used in an optimal fashion? How do we encourage citizens to adopt simple risk management techniques in the electronic world? Technical Issues: Which security models are most appropriate for tomorrow’s electronic services? How do we build scalability and flexibility into security solutions?
Some Final Thoughts.... Real security is not algorithmic – it is based on a thorough understanding of the problem and constraints. Security engineers tend to be extremely good at spotting logical errors but are poor at challenging assumptions. Security solutions that look good at face value can fail miserably when analysed at a more fundamental level.... These problems can be attributed to the way in which we think about security – there is a clear need to challenge existing beliefs at a very fundamental level. This is a task for the R&D community.