Reliable Security: Current State, Challenges, Desired State
S. Rao Vasireddy, Bell Laboratories, Alcatel-Lucent
Tel: 732-582-7179, rvasireddy@Alcatel-Lucent.com
All Rights Reserved © Alcatel-Lucent 2006

Slide 2 – Quality of Service
Quality of Service: Availability 99.95%; Packet Loss 10^-8
"You cannot improve what you cannot measure" – Lord Kelvin
Quality of Security?
Slide 3 – What is Quality of Security?
Quality of security requires establishment of a set of metrics that can be:
– Consistently measured and tracked
– Engineered to achieve comprehensive network security
Example metric: Encryption protocol strength
– Measured by Time to Break Encryption (TBE) = 10^N years
Security metrics should be enablers to measure and engineer security, similar to the role played by performance and reliability metrics.

Key Length     1997       2005           Number of Key Combinations
40-bit DES     4 Hrs      Seconds        ~10^12
56-bit DES     140 days   ~ Hrs          ~10^15
128-bit 3DES   NA         ~10^21 years   ~10^24
Slide 4 – Characteristics of Metrics
Specific, Measurable, Attainable, Repeatable, Time-dependent (SMART)
Measurable attributes that can be objective or subjective
Provide evidence of effectiveness for security engineering (e.g. 99% of traffic has communications security)
Network security is implemented by several measures. Example techniques:
– Encrypt traffic with integrity checks
– Authenticate transactions and processes
– Log & analyze security events
– Ensure that traffic from Source A reaches intended Destination X
– Harden ports, interfaces and operating systems
– Prevent/filter unwarranted traffic
– Adhere to security policy and operations/management procedures
Security metrics should represent the technology, process and operational measures required to achieve comprehensive security.
Slide 5 – Current State of Quality of Security
Current focus: Mainly driven by security compliance audits, penetration tests etc.
– Compliance to policy, regulatory and legal requirements
– Reactive as opposed to proactive measures
Gap: Technology, standards and measurement techniques are still evolving
– Lack comprehensive measurement and tracking for the emerging engineering discipline
Qualitative measures:
– An estimate of the state of security
– Example: 95%+ success rate for zero-day virus prevention. Not an accurate measure of availability
Need additional measures such as:
– P% of transactions authenticated
– Q% of the events logged & analyzed
– R% guarantee that traffic from Source A reaches Destination X
– 100% of the procedures that are relevant to network operations and security policy are followed
Slide 6 – Challenges
A security metric is not independent by itself
– Dependencies exist on other metrics and operational procedures
– A fix that will result in improved quality for one metric may positively or negatively impact others
Quality of security requires process as well as technology based metrics. Technology based metrics need to be embedded in the process metrics as a stop-gap measure to compensate for the lack of measuring tools.
Slide 7 – A Foundation for Quality of Security
Security frameworks, process/certification guidelines:
– Define metrics, architecture
– Help build the security genome for networks
– Example: ITU-T X.805, ISO/IEC 27001, NIST
Network technology specific standards:
– Define/specify new technologies, protocols and operations/management techniques
– IETF, IEEE, ISO/IEC, ITU, 3GPP, 3GPP2, ANSI, ETSI
ITU-T X.805 together with other security standards provides a framework to establish metrics for security.
Slide 8 – A Standards Based Approach for Evaluating Quality of Security
[Diagram: ITU-T X.805, NIST, NRIC etc. (security frameworks, verification tools, standards, BPs) feed metrics expressed as % compliance for the X.805 dimensions: Access Control, Authentication, Non-Repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy; plus process/policy compliance.]
Status Summary
– A systematic measure, akin to broadly accepted ways of measuring performance and reliability, is needed for quality of security
– A combination of technical, process and operational methods is needed to implement quality of security, covering all phases of the security life-cycle
– Industry standards and best practices provide a foundation for evaluating quality of security
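As an added worked example (not part of the slides), the metric scheme of slides 3, 5 and 8 applied to constructed transaction records: per-dimension coverage in the "P% of transactions authenticated" style, compared against hypothetical targets for the X.805 dimensions, together with the slide 3 TBE = 10^N years estimate for exhaustive key search. The records, the field-to-dimension mapping, the targets and the key-test rate are all assumptions made for the example.

```python
import math

# Constructed sample of observed transactions (hypothetical data, not from the slides).
# Each record says which protective measure was evidenced for that transaction.
FLOWS = [
    dict(enc=True,  integ=True,  auth=True,  logged=True,  delivered=True),
    dict(enc=True,  integ=True,  auth=True,  logged=False, delivered=True),
    dict(enc=False, integ=False, auth=True,  logged=True,  delivered=True),
    dict(enc=True,  integ=True,  auth=False, logged=True,  delivered=True),
    dict(enc=True,  integ=True,  auth=True,  logged=True,  delivered=False),
    dict(enc=True,  integ=True,  auth=True,  logged=True,  delivered=True),
    dict(enc=True,  integ=False, auth=True,  logged=True,  delivered=True),
    dict(enc=False, integ=False, auth=False, logged=False, delivered=True),
]

# X.805 dimensions mapped to the record field that evidences them (mapping is an
# assumption for this example), with hypothetical per-dimension targets in percent.
DIMENSIONS = {"Data Confidentiality": "enc", "Data Integrity": "integ",
              "Authentication": "auth", "Non-Repudiation": "logged",
              "Availability": "delivered"}
TARGETS = {"Data Confidentiality": 70.0, "Data Integrity": 70.0, "Authentication": 80.0,
           "Non-Repudiation": 75.0, "Availability": 99.95}

def coverage(flows, field):
    """Percent of flows where the measure held: the 'P% of transactions authenticated' metric."""
    if not flows:
        return 0.0
    return 100.0 * sum(1 for f in flows if f[field]) / len(flows)

def quality_of_security(flows, dimensions=DIMENSIONS, targets=TARGETS):
    """Return {dimension: (measured %, target %, target met?)} for every dimension."""
    report = {}
    for dim, field in dimensions.items():
        measured = coverage(flows, field)
        report[dim] = (measured, targets[dim], measured >= targets[dim])
    return report

def gaps(report):
    """Dimensions below target, largest shortfall first: where engineering effort goes next."""
    return sorted((d for d, (m, t, ok) in report.items() if not ok),
                  key=lambda d: report[d][0] - report[d][1])

def time_to_break_years(key_bits, keys_per_second):
    """Expected exhaustive key search (half the key space) in years."""
    return (2 ** (key_bits - 1) / keys_per_second) / (365.25 * 24 * 3600)

def tbe_exponent(key_bits, keys_per_second):
    """The N in the slide's TBE = 10^N years, e.g. 128-bit at 1e9 keys/s gives 21."""
    return math.floor(math.log10(time_to_break_years(key_bits, keys_per_second)))
```

Call quality_of_security(FLOWS) for the per-dimension report and gaps(...) for the ordered shortfall list; the 99.95% availability target mirrors the QoS figure on slide 2, which the sample data does not meet.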