Security of Information and Communication Systems (Securitatea Sistemelor Informatice şi de Comunicaţii)
Bucharest, September 21, 2004, ATHENEE PALACE HILTON, Le Diplomate Hall
Quo Vadis Information Security
Professor Dr. Victor-Valeriu PATRICIU, Military Technical Academy, Bucharest, ROMANIA
Prof.Dr.Victor PATRICIU, ROMANIA
Cybersecurity = trust in network and information infrastructures
Vulnerabilities in information systems affect three levels of activity in society:
- personal security (privacy)
- the security of companies and organizations
- national security
The terminology of the field has broadened over time: Communications Security (COMSEC), then Computer Security (COMPUSEC), then Information Systems Security (INFOSEC). Because "security" had become so closely associated with providing confidentiality, the term INFORMATION ASSURANCE was adopted to cover five security services:
- Confidentiality: protection against unauthorized disclosure.
- Integrity: protection against unauthorized modification of information.
- Availability: protection against denial-of-service attacks.
- Authenticity: identification and authentication of the parties to an electronic transaction.
- Non-repudiation: the parties to a transaction cannot later deny their participation.
Network and Information Security on the Policy Agenda of States
Several factors push information security to the top of the state policy agenda:
- The Internet is a key driver of productivity in national economies.
- Economies and citizens depend on the effective working of networks.
- The Internet has reduced the cost, for a remote attacker, of reaching economically valuable information.
- Viruses that destroy information or deny access to the network spread across national borders.
The eEurope Action Plan: Europe should have
- modern on-line public services: e-government, e-learning and e-health services;
- a dynamic e-business environment;
and, as enablers for these:
- widespread availability of broadband access at competitive prices;
- a secure information infrastructure.
The European Network and Information Security Agency (ENISA) will play a key role in the security of Europe's digital economy.
Network and Information Security: Key Trends
- Public information and education campaigns.
- Countries should promote the use of security best practice (ISO standards).
- Countries should review their CERT system, strengthening equipment and competence.
- Countries should actively promote the use of 'pluggable' strong encryption products, which must be available as an alternative to the cryptography embedded in operating systems.
- Standardisation organisations must accelerate work on interoperable and secure products and services (Common Criteria evaluation and accreditation bodies).
- States will support the use of electronic signatures: implementation of interoperable PKI solutions and electronic signatures in on-line public services.
- Education systems should put more emphasis on courses focused on security, with an agreed body of knowledge, topics and concepts; universities must offer graduate and undergraduate programs in information security.
- Certification standards for information security professionals; professional societies already offer such certifications.
Network and Information Security: R&D Trends
- Creation of a widely deployed, interoperable authentication system. The typical approach is a public-key infrastructure (PKI) with a smart card that holds the user's credentials; a national or international PKI is required for strong authentication in cyberspace.
- Cyber-border protection built from several technologies: firewalls, encrypted tunnels (VPNs), intrusion detection systems (IDS).
- Improving the way software is written, and automated patch management.
- Better attack identification and attack attribution, i.e. the capability to geo-locate and identify the source of attacks on the Internet.
- Resilient systems that continue to operate while under attack.
- Coordination of information during a cyber-attack.
- Elimination of malicious code from applications and operating systems.
- Secure open platforms (e.g. NGSCB, Microsoft's Next-Generation Secure Computing Base).
- Systems configured to be as secure as possible 'right out of the box'.
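The PKI-based authentication system sketched above, as an added example that is not part of the original presentation: a minimal PKI in Go in which a root CA issues a certificate to a credential holder (the role the smart card plays), the holder signs a challenge from the relying party, and the relying party verifies the signature against the challenge it issued and the certificate against its trusted root. It also makes three of the information assurance services from the earlier slide concrete: authenticity (the certificate binds a key to a name, and a certificate from an untrusted issuer is rejected), integrity (an altered challenge fails verification) and non-repudiation (only the holder's private key can produce an accepted signature). The CA names, holder name, serial numbers and challenge bytes are constructed for the example; everything else is the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Credential is a key pair plus the certificate binding its public key to a
// name: for a CA the trust anchor, for a holder what the smart card carries.
type Credential struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewCredential generates a P-256 key and a certificate for name. With issuer
// nil it is a self-signed CA root; otherwise a client-auth leaf signed by issuer.
func NewCredential(name string, serial int64, issuer *Credential) (*Credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, parentKey := tmpl, key // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		parent, parentKey = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Credential{Key: key, Cert: cert}, nil
}

// Sign answers a relying party's challenge. On a real card this runs inside
// the card and the private key never leaves it.
func (c *Credential) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.Key, digest[:])
}

// Verify is the relying party's check: the presented certificate must chain
// to the trusted root and the signature must cover exactly the challenge that
// was issued. It returns the authenticated name on success.
func Verify(root *x509.Certificate, certDER, challenge, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	digest := sha256.Sum256(challenge)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("signature does not match challenge")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, _ := NewCredential("Example Root CA", 1, nil) // names and challenge are constructed
	alice, _ := NewCredential("alice", 2, ca)
	challenge := make([]byte, 32)
	rand.Read(challenge) // fresh per session, so a captured signature cannot be replayed
	sig, _ := alice.Sign(challenge)
	fmt.Println(Verify(ca.Cert, alice.Cert.Raw, challenge, sig))
	tampered := append([]byte{}, challenge...)
	tampered[0] ^= 1 // integrity: an altered challenge no longer matches the signature
	fmt.Println(Verify(ca.Cert, alice.Cert.Raw, tampered, sig))
	rogue, _ := NewCredential("Rogue CA", 1, nil) // authenticity: untrusted issuer is rejected
	mallory, _ := NewCredential("alice", 3, rogue)
	sig2, _ := mallory.Sign(challenge)
	fmt.Println(Verify(ca.Cert, mallory.Cert.Raw, challenge, sig2))
}
```

Two things a deployed system adds that this example deliberately omits: revocation checking (CRL or OCSP) before trusting the leaf certificate, and binding the challenge to the session (for example by including the server identity and a timestamp in the signed data) so that a signature obtained from the card for one relying party cannot be presented to another.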
Cyberspace is becoming less secure because of the increasing complexity of technology.
- A "Digital Pearl Harbor" is not a critical threat today; cyber-crime is a much more critical threat.
- Those best placed to improve cybersecurity, the companies that build computer hardware and write computer software, are not motivated to do so.
What would change this:
- Expose vendors of computer hardware, software and networks to liability. The main reason companies ignore the externalities of their security decisions (the effect of their insecure products and networks on others) is that there is no real liability for their actions. Liability immediately changes the cost/benefit equation, because companies would bear financial responsibility for the risks their actions impose on others.
- Secure government networks: fund programs to secure both internal and publicly accessible government networks.
- Buy only secure hardware and software products, using public purchasing power to drive increased security.
- Invest in security research and education. As the market starts demanding real security, companies will need to work out how to supply it; research and education are critical to improving the security of computers and networks.