
ENISA Quarterly Review

Vol. 5, No. 3, September 2009

IN THIS EDITION

A Letter from the Executive Director ... 2
A Word from the Editor ... 3

Resilience and Information Sharing ... 4
  A Resilient and Secure Internet Infrastructure ... 4
  Occasional Curiosity or Regular Routine? Evaluating the reliability of the Internet infrastructure ... 6
  Three European ‘Trusted Information Sharing’ Projects ... 7

Critical Information Infrastructure Protection ... 9
  Public-Private Partnership for CIIP – Case Finland ... 9
  Interdependency between Energy and Telecommunications ... 11

Emerging and Future Risks ... 13
  Identification of Emerging and Future Risks in a 2011 eHealth Scenario ... 13
  Drivers of Emerging and Future Threats in ICT Infrastructures ... 15

Skills and Certifications ... 16
  Cyber-Security Skills – The Cost of Ignorance ... 16
  Penetration Testing – What’s That? ... 16
  A New Qualification to Guarantee Secure Software Engineering Skills ... 18

Awareness and End-User Issues ... 19
  End-user Security: Misused and Misunderstood? ... 19
  Human Factors in the Dependability of IP Networks ... 20

Technologies ... 22
  A Secure Approach for Embedded Systems in Japan ... 22
  tNAC: trusted Network Access Control ... 23

ISSN 1830-3609

A LETTER FROM THE EXECUTIVE DIRECTOR

Andrea Pirotti

In mid-October I shall hand over the management of ENISA to my successor, Dr. Udo Helmbrecht.

After steering ENISA through its first five years, I am pleased to leave behind an Agency that has emerged as a Centre of Technical Competence recognised within and outside the borders of Europe. Since its establishment, ENISA has increased its technical capacity and fine-tuned its administrative procedures. It has increased its operations budget by reducing administrative costs, and has welcomed recruits from the new EU Member States including Romania, the Czech Republic, Slovakia and Poland. It is improving its facilities with the building of new, larger premises in Heraklion which will be ready in 2012, and is establishing a branch office near Athens airport to facilitate meetings with its stakeholders. Most importantly, it has published numerous security papers and reports, gathered and shared information about crucial issues of Network and Information Security, provided advice and brought people together. In this way it has made a significant impact in the battles to make information technology safer for users and to strengthen and secure the digital economy.

None of this would have been possible without the dedicated work of our staff, ‘the ENISians’, and I am privileged to have worked with such people. I have tried to lead by example, reminding the staff of the respect due to the European taxpayer in providing a good return on investment. But it is the individual members of the ENISA team themselves who have gone the extra mile and consistently delivered diligent and professional service.

It has been an honour and a pleasure to work for the European Union. I would like to thank all those who have helped ENISA – in the Commission, the European Parliament, the Council, the Hellenic Government and in FORTH.

I now leave ENISA with a sense of satisfaction, having accomplished my mission. I wish the new Executive Director every success in the Agency; I am certain the staff will support him as they have supported me.

To you, the readers of the ENISA Quarterly Review, I send my best regards and wish you a continuing and productive relationship with our Agency.

Yours sincerely

Andrea Pirotti
Executive Director, ENISA
ENISA Quarterly Review Vol. 5, No. 3, September 2009



A WORD FROM THE EDITOR

Panagiotis Trimintzios

We received positive feedback to the last edition of EQR where we introduced a new structure with multiple thematic areas. So in this issue we continue this new strategy, which is made possible by the increased number and quality of your submissions.

In this edition we have contributions in six thematic areas of Network and Information Security (NIS):
• Resilience and Information Sharing
• Critical Information Infrastructure Protection (CIIP)
• Emerging and Future Risks
• Skills and Certifications
• Awareness and End-user Issues
• Technologies

Anne-Marie Eklund Löwinder opens with a discussion of the challenges for the future in achieving a resilient Internet Infrastructure, focusing on the Domain Name System, IPv6 and resilient network design. Natalija Gelvanovska and Rytis Rainys then present the main results from a survey in Lithuania which looked at the reliability of the country’s Internet infrastructure, including the interconnection points and the international gateways. In their article, John Harrison and Andrea Rigoni contrast three EU projects in the area of Trusted Information Sharing, including the ENISA Good Practice Guide on Information Security Exchanges.

In the area of Critical Infrastructure Protection we have two articles. The first, by Hannu Sivonen, looks at the lessons learned from the Finnish Public Private Partnership (PPP) for CIIP, a very important subject as PPPs for CIIP are on the agenda of the European Institutions (see the recent Communication by the European Commission, Strategy on Critical Information Infrastructure Protection (CIIP) ’Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience’ – http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm). David Sutton introduces another key issue in the same topical area: the interdependencies between different critical infrastructures, taking as an example the energy and telecommunications infrastructures.

ENISA’s recent work under the umbrella of the Emerging and Future Risks (EFR) programme on the risks in an eHealth scenario is summarised by Barbara Daskala, Louis Marinos and David Wright. Sotiris Ioannidis and his co-authors present the different dimensions that exist when one looks at emerging risks and future threats in ICT infrastructures, as identified in the EU-funded project FORWARD.

An area ENISA plans to explore more closely in the future is NIS skills and certification. Hugo Lueders discusses the cost of ignorance when it comes to (lack of) cyber-security skills. Penetration testers are specially trained NIS experts who can test the security of systems and enterprises, in the manner of ‘ethical hackers’. Peter Fagan and Peter Fischer help us to get to know a little better what a penetration tester can do, and they describe the relevant certification schemes. On a similar theme, Petra Barzin presents another new qualification scheme (see also EQR vol. 4 no. 4, Dec 2008, p. 5) intended to guarantee different levels of security knowledge and skills for software engineers.

A related topic is the awareness – or lack of it – of end-users when it comes to NIS issues. Steven Furnell elaborates on the subject based on the findings of a study of home-users, and emphasises the importance of increased usability coupled with effective awareness raising. Ilkka and Leena Norros present the results from two projects in Finland that looked at the criticality of human factors in network resilience and security.

In the area of NIS technologies, Hideaki Kobayashi and his co-authors from the IPA Information Technology Agency, Japan, present a number of challenges as well as the measures which could be taken to create more secure embedded systems, while Marian Jungbauer and Norbert Pohlmann discuss trusted Network Access Control in the context of Trusted Computing (see also the EQR Special Issue on Trusted Computing – www.enisa.europa.eu/publications/eqr/issues/eqr-q3-2007-vol.-3-no.-3).

Finally, may I take this opportunity to tell you that ENISA has recently launched a new website at www.enisa.europa.eu, with much improved structure and functionality. I would encourage you all to visit it.

We are always happy to hear your suggestions and comments on how to improve EQR. Please continue sending us feedback and, of course, your articles.

Enjoy reading.

Dr. Panagiotis Trimintzios is an Expert at ENISA responsible for Relations with Stakeholders.

SECURE 2009, 20-21 October

SECURE is the oldest IT security conference in Poland. Every year it considers current issues concerning the security of IT systems and networks. The conference is aimed at senior managers, technical experts and policy- and decision-makers with overall responsibility for security.

The main topic this year will be responsible Internet traffic filtering related to the most dangerous Internet threats, as well as blocking illegal Internet content resources.

The conference celebrations will be held under the honorary patronage of Prof. Barbara Kudrycka, Minister of Science and Higher Education, and Grzegorz Schetyna, Deputy Prime Minister and Minister of Internal Affairs and Administration.

SECURE 2009 is organised by the CERT Polska team, acting within NASK, and is a joint event supported by ENISA. It takes place in Warsaw, Poland.

More information: http://secure.edu.pl/en/index.html


RESILIENCE AND INFORMATION SHARING

A Resilient and Secure Internet Infrastructure
Challenges for the future

Anne-Marie Eklund Löwinder

The Internet was beautifully designed for speed and growth. The infrastructure is certainly working today as envisaged by that yardstick. However, the Internet continues to be vulnerable to various problems with security and robustness.

Basic attributes in communications and networking equipment

Users need communications and networking equipment with the following attributes:

• Secure: Antivirus software running on all gateways, email servers and desktops, serving all workers worldwide, is not enough. A full-scale information security management system is also needed to be ready to face attacks and to improve dealings with internal and external customers.

• Dynamic: The ability to move workloads in an information system intelligently, automatically and securely, anytime, anywhere. Whether for purposes of migration, enhancing performance, building co-location facilities or even cloud computing, workloads should be moved with inherent security and data protection.

• Robust: Implies dedicated resources and well known techniques.

• Reliable: The easiest way of putting it is ‘always available’. Nevertheless, even a reliable infrastructure sometimes fails. The recent celebrity deaths caused massive spikes in traffic to several sites and some of the sites could not handle the load and broke down. However, this is only a small part of what it means to be reliable.

Domain Name System – the cornerstone of the Internet

One of the cornerstones of a reliable Internet infrastructure is the Domain Name System (DNS). The DNS keeps track of the mapping of, for example, a human readable name of a website (such as www.iis.se) to the slightly more arcane form of a numerical IP address that the computer needs to initiate communication. The DNS consists of a set of servers dedicated to routing users to requested resources on the Internet. It helps users find their way to specific websites when browsing the Internet, and ensures that emails arrive at their intended destination.

A stable DNS is vital for most companies to maintain a working and efficient operation. If a company’s external domain name servers become unavailable, no-one will be able to reach its site nor will email get through, resulting in lost productivity and customer dissatisfaction. Investing in a reliable DNS infrastructure is therefore a valuable insurance policy against downtime and forgery.

Although it is admirable that the design of the DNS worked so well with the growth of the Internet, its original inventors did not take security issues as seriously as is required today. The DNS is still far from secure.

• Attacks against the name server software may allow an intruder to compromise the server and gain control of the host. This often leads to further compromise of the network.
• A Distributed Denial of Service (DDoS) attack, even one directed at a single DNS server, may affect an entire network by preventing users from translating host names into IP addresses.
• Spoofing attacks that try to induce a name server to cache false data could lead unsuspecting users to undesirable sites.
• Information leakage from a seemingly innocent transfer of DNS data could expose internal network topology information that can be used to plan further attacks.
• A name server could even be an unwitting participant in attacks on other sites.

There are numerous known vulnerabilities and there is no doubt that all users of applications and services on the Internet rely heavily on the Domain Name System to work properly. That is the main reason why Sweden has been a leading proponent and an early adopter of a more secure DNS, or in short DNSSEC. Discussions are underway in various quarters to improve the overall security of the Internet’s infrastructure and its ability to withstand different types of attacks. Apart from DNSSEC, there are other – maybe less obvious – critical measures under consideration to enhance the security in DNS as well as the routing infrastructure.

Major threats to the Internet

One of the major threats to the Internet infrastructure is the DDoS attack. There is currently no technology to deal with this problem and the recommendation is general vigilance and administrative measures to minimise their potentially devastating impact. DDoS attacks are not specifically a problem for the DNS, but a danger for all core Internet services as a whole. Countermeasures are only effective if they are taken by a group of networks at large; individually there is not much that can be done against large-scale attacks. DDoS mitigation is an active research field and academic solutions have been developed. However, it might take a while until they reach the operational world. Until then we simply have to survive.

The issue of DNS amplification attacks has shown its ugly face again in recent months, though the problem itself has been known for several years. Unfortunately, the millions of open resolvers present on the Internet have made it easy for miscreants to create large-scale DDoS attacks using a relatively small amount of resources, thus crippling their targets easily.

Another area is the deployment of IPv6. There are some expectations that IPv6 will not only extend the address space, now that we are running out of IPv4 addresses, but that it will also help to make the Internet more secure. It is important to realise that IPv6 is not the overall solution for the Gordian knot of Internet security, and it will certainly bring its own security challenges during the transition phase, which could last 10-15 years. On the other hand, IPv6 will enable some new applications, including

physical security, since millions of networked sensors will be able to have their own IP addresses.

Information security needs a more straightforward approach

Regulations are not the answer. The existing regulatory framework is sufficient for open market operation, and further regulations are not required.

However, there may be some need for additional action in terms of:
• Recommendations for the introduction of DNSSEC
• Recommendations for the deployment of IPv6
• Recommendations for and best practice of robust and resilient network design.

Our current methods for securing systems are not working well. We must find a better way to secure our computing systems and digital networks. One aspect we need to push is ‘practical security’. We need to solve our policy and technology problems for sharing and protecting information in practical – if not necessarily 100% perfect – ways.

A fair amount of the technology developed during the last decade is neither practical, nor reliable, nor scalable. A very good – or bad, if you want – example that comes to my mind is the Public Key Infrastructure, PKI, which we have tried so hard to make work for more than ten years. A PKI is difficult to implement and does not scale well, but it has perfect mathematical functions. Any number of proofs exist to show that it works perfectly – on paper. Due to its complexity, poor business model and demands for a completely separate infrastructure, its use has never become widespread, so it has never achieved its potential as a means of secure identification of users in the signing of documents.

We also seem to have a fixation on the Holy Grail of computer security – having a true multilevel secure system. Of course that would be ideal, but we have been at it for twenty years and have not got it right yet. Perhaps we should just carry on solving those problems we can solve.

What we need is good security now, not perfect security ten years from now. Customers are tired of waiting and tired of the promises that yet another piece of software or another kind of hardware will solve their problems. We need to give them reliable security solutions now, because otherwise they will use whatever they have to get the job done, which is what they are starting to do already.

Tools and software to support the progressive work

At .SE we provide Internet users with different tools and software to help them recognise and understand how their communication with the Internet works, for example, Bredbandskollen (www.bredbandskollen.se), Kaminskytest (www.thekaminskybug.se/), DNSCheck (http://dnscheck.iis.se/). We run an annual health check on important parts of the Swedish information infrastructure to obtain an up to date picture of the current status. Facts are needed to identify problems, and to decide on which countermeasures are required.

The latest contribution to this campaign is OpenDNSSEC (www.opendnssec.org/). OpenDNSSEC was created as an open-source turn-key solution for DNSSEC and automatic zone signing. It secures zone data just before it is published in an authoritative name server. It is the result of a collaboration between .SE, Nominet, NLNet Labs, SIDN, SURFnet, Kirei and John Dickinson.

[Figure: OpenDNSSEC automatic zone signing – unsigned zones from hidden authoritative name servers pass through OpenDNSSEC and are published as signed zones on the public authoritative name servers]

Standardisation will bring a more secure Internet

.SE hosted the 75th meeting of the Internet Engineering Task Force (IETF) in Stockholm in July, with about 1200 participants. The IETF is the Internet’s premier standards-making body, responsible for the development of protocols used in IP-based networks. Participants at the IETF represent an international community of network designers, operators, vendors and researchers involved in the technical operation of the Internet and the continuing evolution of Internet architecture. It has become an important body for standardisation, with its broad co-operation between representatives from all over the world and its basic belief in ‘rough consensus and running code’. It is not only a good idea – but essential – for EU Member States to be more dedicated and put more resources into the ongoing standardisation process within the IETF. Ultimately that will lead to a more resilient and secure Internet infrastructure in the future.

Anne-Marie Eklund Löwinder (anne-marie.eklund-lowinder@iis.se) is the Quality & Security Manager at .SE in Sweden.

RSA Conference Europe 2009

Insightful. Engaging. Interactive. In information security, you’re trained to expect the unexpected. Changes occur in a nanosecond. Stay on top by staying one step ahead – attend RSA® Conference Europe 2009!

Join us for the most comprehensive forum in information security. Come and learn about the latest trends and technologies, get access to new best practices and gain insight into the practical and pragmatic perspectives on the most critical business issues facing you today. Connect and collaborate. Build your professional network. And mingle with the industry’s brightest and best.

RSA 2009 is a joint event supported by ENISA and will take place in London, UK.

More information: www.rsaconference.com/2009/europe/index.htm


Occasional Curiosity or Regular Routine?
Evaluating the reliability of the Internet infrastructure

Natalija Gelvanovska and Rytis Rainys

With the growing significance of the Internet in society, the increase of Network and Information Security incidents and the cyber-attacks on Estonia, Georgia and Lithuania in recent years, it is clear that exceptional attention is needed to ensure the protection of the Internet infrastructure and the reliability of its operation.

Internet Service Providers (ISPs) usually become providers of public electronic communications services. From the regulatory perspective, because they transfer all kinds of residential traffic, infrastructure operated by ISPs has become particularly relevant. Therefore aspects such as interconnection between ISPs reasonably deserve regulatory attention. These circumstances led to the commissioning of a special survey, named “Evaluation of the Reliability of Lithuania’s Internet Infrastructure”, which was performed by the Communications Regulatory Authority of the Republic of Lithuania (RRT) in 2008.

The main objective of the survey was to evaluate the reliability of Lithuania’s Internet infrastructure operation and to identify potential risks. For this purpose the following tasks were defined:
• to identify critical nodes in Lithuania, a violation of which could affect the functionality of the Internet
• to set up a scheme showing Lithuania’s interconnections, to identify the directions taken through the international gateway, the total bandwidth used and the speed
• to evaluate Lithuania’s Internet infrastructure and the vulnerability of its individual elements.

Lack of transparency

During the evaluation of the reliability of interconnection nodes, it became apparent that the terms of connection to Internet Exchange Points (IXP) are not sufficiently transparent in Lithuania; RRT found that they are not publicly available, although publishing them could help enhance the interconnection between ISPs and thus the reliability of the national Internet infrastructure. RRT also noted that transparency of connection to the IXPs also helps prevent the redirection of national traffic through international ISPs, since IXPs allow direct channels of data transmission to be formed among the Lithuanian ISPs. This provides an opportunity to reduce costs for international transit services and improves the quality and speed of the Internet connection – factors which are of particular importance to end-users.

RRT recommends that the Lithuanian IXP operators should increase the transparency of their terms of interconnection.

Could national interconnection be affected?

RRT identified five major IXP nodes in Lithuania where the major ISPs are interconnected. The number of IXPs should be as high as possible in a country, so as to form a distributed system of interconnections. This is already the case in Lithuania; problems with one or even several points of interconnection would not vastly affect the interconnection of other points or the Internet operation of the country.

RRT pointed out that the operation of the Internet in Lithuania could potentially be affected by de-peering (disconnection) for economic reasons. However, closing the existing connections between ISPs is usually a manifestation of anti-competitive conduct. RRT recognised that such behaviour may be treated as a potential threat. So far RRT has no information whether this could have affected the operation of the Internet network in Lithuania.

RRT draws the attention of ISPs to the fact that ceasing network interconnection would directly influence not only the operation of Lithuania’s Internet, but would also affect the quality of Internet service provided to end-users. In the future it will be closely monitored whether network interconnections between ISPs in Lithuania are being ceased for the reasons discussed above.

International gateways

By evaluating the bandwidth of the international Internet in Lithuania, it was determined that the total volume of Lithuania’s international Internet traffic was about 66.1 Gbps at the end of 2008. In case of emergency, this bandwidth may be insufficient to cope with a large number of security attacks.

Following its investigations into connections to international gateways, RRT concluded that the reliability of international Internet connectivity in Lithuania depends, in effect, on just one international gateway operated by one of the ISPs. Consequently the reliability of Internet operation relies on a single ISP’s ability to ensure alternative channels quickly in an emergency and to organise the redirection of data flow, the control of stream priorities, address blocking etc.

RRT suggests setting procedures in place to ensure the rapid and efficient organisation of the redirection of data traffic, the control of stream priorities and address blocking. The procedure would be binding at the national level and should be co-ordinated with the ISP.

Other areas investigated included the operation of the Domain Name System (DNS). To make the operation of Lithuania’s Internet infrastructure and the continuation of its activities safer and more reliable, in the near future RRT will assess the risks posed by, for example, the energy sector, servers and software, which could influence the operation of public electronic communications infrastructures. As part of the research, consultations will be held with the Lithuanian ISPs and experts of the EU Member States experienced in similar research.

In 2010, RRT hopes to organise an exercise at the national level, which would involve large ISPs and institutions dealing with network and information security issues. Training would be aimed at assessing Lithuania’s readiness to repulse large-scale security attacks. More targeted tasks for RRT over the next few years include preparation of a national Internet infrastructure critical nodes monitoring system.

More information is available at: www.rrt.lt and www.cert.lt/en.

Natalija Gelvanovska (ngelvanovska@rrt.lt) is the Head of the Networks and Access Division of the Communications Regulatory Authority of the Republic of Lithuania.

Rytis Rainys (rrainys@rrt.lt) is the Head of the Network and Information Security Division of the Communications Regulatory Authority of the Republic of Lithuania and a member of ENISA’s Network of National Liaison Officers.
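The two survey findings above, that the national IXP fabric survives the loss of one or several exchange points while international connectivity rests on a single gateway, are both statements about cut vertices in a graph, and that is how a practitioner would check a topology of their own. The Python below is an added example, not code or data from RRT or from the survey: it models a small, entirely hypothetical topology of ISPs, IXPs and a gateway, lists the articulation points with Tarjan's algorithm, tests whether the ISPs stay mutually reachable after a set of IXPs is removed, and tests which ISPs lose their international path when a gateway fails. Node names, counts and links are constructed for illustration.

```python
"""Added example (not from the RRT survey): finding single points of failure
in an interconnection topology.

The topology below is hypothetical. 'INTERNET' stands for everything beyond
the international gateway(s). Edges are undirected; build_graph adds the
reverse direction of every listed link.
"""
from collections import defaultdict

TOPOLOGY = {
    "isp1": ["ixp1", "ixp2", "gw1"],
    "isp2": ["ixp1", "ixp3"],
    "isp3": ["ixp2", "ixp3", "ixp4"],
    "isp4": ["ixp4", "ixp5"],
    "isp5": ["ixp5", "ixp1"],
    "gw1": ["INTERNET"],          # the only international gateway
}


def build_graph(adjacency):
    g = defaultdict(set)
    for node, peers in adjacency.items():
        for p in peers:
            g[node].add(p)
            g[p].add(node)
    return g


def reachable(g, start, removed=frozenset()):
    """Nodes reachable from start while the nodes in `removed` are down."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n in seen or n in removed:
            continue
        seen.add(n)
        stack.extend(g[n])
    return seen


def articulation_points(g):
    """Tarjan's algorithm: nodes whose removal splits the graph."""
    disc, low, points, clock = {}, {}, set(), [0]

    def dfs(u, parent):
        disc[u] = low[u] = clock[0]
        clock[0] += 1
        children = 0
        for v in g[u]:
            if v == parent:
                continue
            if v in disc:                              # back edge
                low[u] = min(low[u], disc[v])
            else:
                children += 1
                dfs(v, u)
                low[u] = min(low[u], low[v])
                if parent is not None and low[v] >= disc[u]:
                    points.add(u)
        if parent is None and children > 1:            # DFS root case
            points.add(u)

    for n in list(g):
        if n not in disc:
            dfs(n, None)
    return points


def isps(g):
    return [n for n in g if n.startswith("isp")]


def isps_stay_connected(g, removed):
    """True if every ISP can still reach every other ISP."""
    nodes = isps(g)
    component = reachable(g, nodes[0], frozenset(removed))
    return all(n in component for n in nodes)


def isps_without_international(g, removed):
    """ISPs that lose their path to INTERNET once `removed` is down."""
    return sorted(n for n in isps(g)
                  if "INTERNET" not in reachable(g, n, frozenset(removed)))


def with_backup_gateway(adjacency, gw, isp):
    """Copy of the topology with an extra gateway attached to `isp`."""
    out = {k: list(v) for k, v in adjacency.items()}
    out[gw] = ["INTERNET"]
    out.setdefault(isp, []).append(gw)
    return out


if __name__ == "__main__":
    g = build_graph(TOPOLOGY)
    print("single points of failure:", sorted(articulation_points(g)))
    for ixp in ("ixp1", "ixp2", "ixp3", "ixp4", "ixp5"):
        print(f"lose {ixp}: ISPs still interconnected = {isps_stay_connected(g, {ixp})}")
    print("lose ixp1 and ixp3:", isps_stay_connected(g, {"ixp1", "ixp3"}))
    print("lose gw1: ISPs cut off from abroad =", isps_without_international(g, {"gw1"}))
    g2 = build_graph(with_backup_gateway(TOPOLOGY, "gw2", "isp4"))
    print("with gw2 on isp4, lose gw1:", isps_without_international(g2, {"gw1"}))
    print("with gw2, single points of failure:", sorted(articulation_points(g2)))
```

In this constructed topology no single IXP is a cut vertex, which matches the survey's observation about the IXP fabric, but the loss of two particular exchange points (ixp1 and ixp3) still isolates one ISP, so "several" only holds for some combinations. The gateway and the ISP that hosts it are the only articulation points, and adding a second gateway on a different ISP removes both, which is the structural version of the alternative channels the survey asks the gateway operator to be able to provide.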


Three European ‘Trusted Information Sharing’ Projects

John Harrison and Andrea Rigoni

All organisations rely on Information and Communications Technologies (ICT) infrastructures to deliver core and critical services. The risks under which these infrastructures operate change so quickly that a new Dynamic Risk Management approach is required.

Information Sharing can help both individual organisations and national bodies to keep up to date with the latest situation and to define proactively the correct countermeasures. Despite a common acknowledgment of the importance of Information Sharing, many initiatives have failed and many organisations are still wary of the idea. This may be because previous initiatives have tried to do too much too quickly, whereas an evolutionary approach would provide more opportunities for organisations to compare risks with benefits before choosing to take part.

Information Sharing should respect the complicated lattice of relationships and connections among Critical Infrastructures, national Governments, sector-based or Government Computer Emergency Response Teams (CERTs), the European Commission, Associations etc. This complex system of interactions has both a peer-to-peer and a hierarchical nature.

Information Sharing will not work without trust. Those providing information must be able to trust the recipients not to disclose or to act upon the data inappropriately. The recipient needs to trust that any information received is validated to provide some level of confidence as to its accuracy. In this article we are concerned only with trusted Information Sharing projects.

NEISAS – A National and European Information Sharing & Alerting System

NEISAS is a new European Commission (EC) funded project, which some are calling ‘WARPs across Europe’ (WARPs – Warning, Advice and Reporting Points, a trusted Information Sharing model developed by the Centre for the Protection of National Infrastructure (CPNI) in the UK, www.warp.gov.uk). NEISAS proposes a peer-to-peer model for trusted sharing between countries where the source organisation retains ownership of the information it shares and decides who to share it with and at what level.

The earlier EC funded project to create a Critical Infrastructure Warning Information Network, CIWIN, proposed a centralised European system; with NEISAS the information is stored instead on national or organisation-specific systems, hence the name ‘National and European Information Sharing and Alerting System’. This degree of ownership and control was not part of the CIWIN requirement but to many it is very important, as the level of trust between countries differs.

In addition, NEISAS builds on MS3i, another EC funded project, which proposes an international standard for trusted sharing (see below). The aim is to make NEISAS compliant with this emerging standard, thereby making future NEISAS deployments easier – the NEISAS prototype will only be trialled in three countries.

The project is starting with a requirements capture and analysis phase, which includes the evaluation of existing schemes such as CIWIN and individual EU Member State initiatives. Related work is being undertaken at the EC Joint Research Centre (JRC) in SecNet-IE, a project for a Platform for Information Exchange on the Security of Critical Networked Infrastructures (http://scni.jrc.it/03-projects/05-SecNet-IE/index). This is being investigated.

NEISAS will develop a model and a prototype that respects the complex nature of trusted relationships in the Critical Infrastructures and Government sectors within Member States. The model will be flexible enough to accommodate the requirements of vertical sectors and national governments, and will adopt an evolutionary approach that will help the organisations involved to build a trusted relationship.

The project has two main distinct focuses:
• Definition of a National Information Sharing and Alerting Model and System
• Definition of a European Information Sharing and Alerting Model and System, conceived as a European Network of National Information Sharing and Alerting Systems.

The project has three main deliverables:
• Develop a NEISAS European Framework: this will also help all Member States to implement a national system or, if they already have one, to connect it to other Member States in a trusted way.
• Develop a NEISAS prototype: the project will develop a software platform that can support NEISAS. This will be piloted in three Member States (Italy, the Netherlands and the UK) and the results disseminated.
• Develop a sustainable business model: through the creation of an independent body, to make NEISAS available to all Member States.

The NEISAS project will run for two years, delivering in early 2011. The results of the project will be disseminated through a web portal, a dedicated event and other relevant events throughout Europe.

I Encuentro Nacional de la Industria de la Seguridad en España, 22-24 October

ENISE 3 (National Meeting of Security Industry in Spain) is an annual event with a dual aim: on one hand, the exchange of knowledge and analysis of the security sector; on the other, the sharing of knowledge among different stakeholders in the sector.

For this third meeting the principal topic will be technological innovation in the information security area.

The event is organised by INTECO (the National Institute for Telecommunications Technologies), which is part of the Spanish Ministry of Industry, Tourism and Trade. This is a joint event supported by ENISA and takes place in León, Spain.

For more information: https://enise.inteco.es/en

ENISA Quarterly Review Vol. 5, No. 3, September 2009
RESILIENCE AND INFORMATION SHARING

MS3i – Messaging Standard for Sharing Security Information
MS3i is an EC funded project which had its completion workshop in June 2009. The project reports are available for download at https://www.ms3i.eu/ms3i/final-reports.html.

In 2004 the European Commission issued a communication to the Council and the European Parliament on “Critical Infrastructure Protection in the fight against terrorism (20-10-2004)”. This document stated that the European Programme for Critical Infrastructure Protection (EPCIP) would promote information exchange (sharing) where the constraints of competition, liability and information sensitivity could be balanced with the benefits of a more secure critical infrastructure. Where sector-based standards do not exist or where international standards have not yet been established to support this sharing, standardisation organisations should be approached with proposals to create harmonised security standards for all the various branches and sectors involved.

Although there are a number of international bodies producing ICT security standards, the most relevant is ISO/IEC JTC 1/SC 27, particularly in relation to its new standard, ISO/IEC 27010, “Information security management for inter-sector communications”.

The MS3i project conducted in-depth interviews with stakeholders in four European countries to capture requirements for a management standard on trusted Information Sharing. These requirements were incorporated into data and proposals to back up technical submissions to ISO SC27 WG1 Project 27010.

Clearly it is important to agree a scope for the standard which meets the market requirements and this work has been started by ISO/IEC; the working draft is available for download at www.ms3i.eu.

The relevant Standards Committee, ISO/IEC JTC 1/SC 27, Security techniques, is actively soliciting views on the proposed standard. Contact your National Standards Body to make your views known. A list of participating standards bodies is available at www.ms3i.eu.

ENISA Good Practice Guide on Network Security Information Exchanges (NSIEs)
This project involves the development of an ENISA Guide, based on observed good practice in different countries, which describes the Network Security Information Exchange model. The draft Guide was first presented at a workshop in Lisbon in May 2009 before being opened for wider consultation.

This project shares the same high level aims as NEISAS and MS3i by supporting trusted Information Sharing. Many readers of this Guide would also benefit from a standard in trusted Information Sharing and should therefore be encouraged to take an active part in the development of ISO/IEC 27010.

The scope of this Guide deals with the setting up and running of a Public/Private Partnership between national stakeholders involved in Critical Information Infrastructure Protection (CIIP).

The scope of the partnership would be limited to addressing the resilience of eCommunication networks that carry voice and data services over the fixed and mobile (wireless) infrastructure in both the public and private circuit domains. The partnership would work by exchanging information on security incidents, vulnerabilities, threats and solutions in a trusted environment to ensure that barriers to sharing are minimised. The focus of this exchange is mostly to address malicious cyber-attacks, but also natural disasters or physical attacks. The drivers are the benefits of members working together on common problems and gaining access to information which is not available from any other source, namely competitors and national security agencies.

A clear distinction is drawn between a CERT/CSIRT and an NSIE; a CERT/CSIRT deals with emergencies, while an NSIE tries to prevent them.

Two key critical success factors for NSIEs are:
• Building trust between the members of the Public/Private Partnership
• That the information exchanged should be relevant and not easily available elsewhere.

There are many more examples of good practice described in the ENISA Guide. The final version is available for download at: www.enisa.europa.eu/act/res/policies/good-practices-1/information-sharing-exchange/information-sharing-exchange.

Figure: Relationship between ‘Users’ and three European ‘trusted Information Sharing’ projects

Summary
This article describes three trusted Information Sharing projects, their relationships in terms of sharing user requirements and how they all aim to provide support to the same community of trusted Information Sharing users.

The diagram above summarises how good practice and requirements from existing and potential trusted Information Sharing communities, shown in blue, are fed into the three European ‘trusted Information Sharing projects’, shown in green. As the NEISAS project is just starting, it has the opportunity to take the outputs from the other two projects so that all three will support the same trusted Information Sharing user community with a consistent and complementary approach. Although ISO/IEC 27010 development, shown in pink, is shown closely allied to MS3i, all three projects have an opportunity to influence this important standard.

John Harrison (johnh@landitd.com) is the Director and Principal Consultant at the consultancy LanditD.

Andrea Rigoni (andrea.rigoni@ne.booz.com) is a Senior Advisor in Booz & Company and provides independent consultancy to national governments, European Institutions, NATO and European Critical Infrastructures on Cyber Security.

CRITICAL INFORMATION INFRASTRUCTURE PROTECTION


Public-Private Partnership for CIIP – Case Finland
Hannu Sivonen
Figure: Government decision on the targets of security of supply (539/12.8.2008). Based on: international markets, national actions and resources, bi- and multilateral agreements on preparedness.

Safeguarding the critical infrastructure of society:
• Energy transmission and distribution networks
• Electronic information and communication systems
• Transport logistics systems
• Water supply and other urban technology
• Construction and maintenance of the infrastructure

Safeguarding the critical production of society:
• Food supply
• Energy production
• Health care
• Production that supports national defence
• Supporting general operational conditions of the export industry

The targets of security of supply

Security of supply
In Finland Critical Information Infrastructure Protection (CIIP) is seen within the larger context of security of supply. In Finnish legislation, security of supply is defined as the security of the livelihood of the population, the continuity of vital economic activity and the functioning of the infrastructure in normal conditions, during serious disturbances and exceptional circumstances. The markets usually provide security of supply, but special arrangements are sometimes needed.

Public-Private Partnership
A Public-Private Partnership (PPP) for the security of supply in Finland was started in 1955. Right from the outset the principle has been to gather together around the same table the representatives of state administration and the companies that provide vital products and services to society. The companies come voluntarily, and are equal partners with the administration. They have a common interest: to make sure that the flow of goods and services continues without interruption through serious disturbances such as a heavy storm, epidemic or commercial conflict, but also nowadays through cyber-attacks and, in extreme cases, an armed conflict.

The partnership organisation has grown since 1955 and has been modernised. The organisation and the issues to be considered have followed the development of the economy and technology. Both the legal framework for security of supply and the partnership have been updated several times, most recently in 2008.

Critical infrastructure vs. critical production
Today, the security of supply is divided into two areas: security of critical infrastructure and security of critical production.

An important part of critical infrastructure is the critical information infrastructure, in other words, electronic information and communication systems, which include data networks and systems, mass communication and financial systems.

Tools for securing the supply
In order to secure supply, there are several tools available to the Government and the industrial actors; international agreements, legislation and possible regulation provide the framework for security of supply, and thus for CIIP and, more generally, for Critical Infrastructure Protection (CIP). The Government’s economic and industrial policy takes into consideration the requirements of security of supply. A vital tool is the partnership organisation.

A network of leading experts
Securing supply in Finland has been organised as a comprehensive co-operative network, the National Emergency Supply Organisation. The participants are the various sectors of the public administration and business, as well as branch organisations. The network of committees consists of more than 1000 leading experts.

The partnership organisation exchanges information within sectors and across sectors, monitors the business environment and threats to it, supports individual business continuity management, arranges exercises and carries out surveys, research and development projects with the help of consultants and academia.

The PPP organisation
The National Emergency Supply Organisation (NESO) consists of a strategic level Council for Security of Supply and Infrastructure (CSSI), a planning committee network (Clusters and Pools) and an executive National Emergency Supply Agency (NESA) under the Ministry of Employment and the Economy. There are six NESO Clusters and 24 Pools. Their tasks are to analyse threats against the country’s security of supply, including the ICT infrastructure, to plan measures to control these threats, and to promote continuity planning in individual industrial sites. The Pools have 2000 member enterprises.

Funding the partnership and protection measures
NESA manages the National Emergency Supply Fund which is outside the state budget. The PPP members are not paid for their time, but NESA finances the exercises and the permanent secretaries of the Pools.

The NESA Fund also finances stockpiles for oil and medical products, as well as selected redundancy and protection measures for the critical information infrastructure.
Figure: The PPP organisation – Organisation of security of supply. The figure shows the Council for Security of Supply and Infrastructure, the National Emergency Supply Agency, the Prioritised Enterprises, and the Clusters with their Pools: Information Society Cluster (Electronics Pool, Printing Industry Pool, Communications Networks Pool, Information Technology Pool, Mass Communications Pool); Food Supply Cluster (Agricultural Pool, Food industry Pool, Retail and Distribution Pool, Water Supply Pool); Health Cluster (Public Health Pool); Transport and Logistics Cluster (Air Transport Pool, Surface Transport Pool with Regional Commissions, Maritime Transport Pool); Energy Cluster (Power and District Heat Pool with Regional Commissions, Oil and Gas Pool); Industry (Chemical Industry Pool, Technology Pool, Forest Industry Pool, Plastic and Rubber Industry Pool, Construction Pool with Regional Commissions, Textile Industry Pool); Finance cluster (Finance Pool, Insurance Pool).

Legal framework for CIIP
An important part of the legal framework for CIIP is the Communications Market Act, which obliges communications operators to ensure the functioning of their services at all times, including in exceptional situations and in times of crisis. The act gives the telecommunications operators a right of compensation from the NESA fund if the expenses incurred through such preparatory measures are significant, or if the measures have been ordered by the Ministry of Transport and Communications.

Similar legal obligations do not exist for IT systems services, but NESA finances selected protection measures.

CERT-FI in co-operation with CI enterprises
CERT-FI is the Finnish national Computer Emergency Response Team. It is a part of the Finnish Communications Regulatory Authority (FICORA) under the Ministry of Transport and Communications. CERT-FI promotes security in the information society by preventing, observing and solving information security incidents, and disseminating information on threats to information security.

CERT-FI also provides a special service for critical infrastructure actors. This includes 24/7 incident warning and solving, via SMS and the VIRVE/TETRA public authority mobile telephone network, personal advising and focused product vulnerability warnings.

PPP portal
NESA will be launching a secure partnership system portal early in 2010. The portal will be a forum for information exchange among the partners. It will include a self-assessment tool to check the maturity of business continuity management in each organisation. National maturity reports will be available for each industrial sector, although the assessments of individual companies will be kept confidential. The reporting will also provide benchmarking for the individual partners.

The 5-level maturity model used is taken from the Capability Maturity Model Integrated (CMMI) developed by the Software Engineering Institute at Carnegie Mellon University. The 5-level maturity description set covers numerous items ranging from strategic management, personnel management and ICT management to sector-specific process continuity management. The descriptions have been prepared through co-operation within the partnership organisation. High maturity level descriptions also describe best practices, and thus represent guidelines for performance improvement.

Agreement based preparedness
An example of recent development in the PPP organisation is the agreement model for securing business continuity among subcontractors and business partners. The agreements are based on a minimum of level 3 maturity. The model can be added as an attachment to existing agreements. There are no formal sanctions, but a mutual follow-up is defined which encourages the parties involved to strive towards good maturity levels in their business continuity. The model is currently being implemented in the ICT field and will be implemented next in other areas of business.

Hannu Sivonen (hannu.sivonen@nesa.fi) is a Research Manager in the Finnish National Emergency Supply Agency.

Infosek 2009, 19-20 November
Infosek 2009 is a two-day conference held jointly in co-operation with ENISA. Traditionally organised at the end of November in Nova Gorica, Slovenia, INFOSEK is recognised as a unique expert conference and a key Slovenian event. It serves as an ideal learning opportunity for all involved in information security, enabling them to keep up with the fast-paced environment of facilities security, information protection, privacy and regulatory compliance.

Led by security experts from a variety of industries from Slovenia and abroad, INFOSEK 2009 offers insight into the importance of information security to an organisation’s success and indeed survival.

More information: www.infosek.net/


Interdependency between Energy and Telecommunications
David Sutton
Ask anybody involved in Information Security what it is all about and you will probably receive a variety of answers, based around confidentiality, integrity and availability, with a dash of compliance, authentication and non-repudiation thrown in for good measure.

However, Information Security is all about the management of information risk, and any analysis of Information Security issues must be built around a risk assessment process – beginning with an understanding of the services under consideration, an analysis of the threats they may face, their vulnerabilities, the impact of those threats on the services and an understanding of the likelihood of occurrence. It is only as a result of this risk assessment that we can identify the priorities and develop appropriate responses.

One of the most serious threats to any Information and Communication Technologies (ICT) service is the unavailability of the electricity supply to the underlying infrastructure, especially to public fixed and mobile telecommunications and to wired and wireless Broadband services.

In most EU countries, the generation, transmission and distribution of electricity is robust – meaning that medium to longer term interruptions to power are relatively infrequent so, while the impact of such interruptions may be significant, the low likelihood reduces the overall risk.

Where short-term outages are concerned, however, it is a different matter. Interruptions lasting from tens of milliseconds to tens of minutes are more commonplace and, although the impact of these may be less, the overall risk is much greater due to the increased likelihood.

Short-term outages can be tolerated by ICT networks – a voice call can be re-established on resumption of power, and data networks can correct for loss of data packets at the Transmission Control Protocol (TCP) layer or within the application.

Medium to long-term interruptions are more difficult to tolerate, especially in so-called ‘mission critical’ services in which the continuous exchange of information is fundamental to the service and failure could result in serious consequences.

In ICT networks, the threat of unavailability of power takes place at three different levels in the service model – firstly in the core network, the main switching hub of all voice and data services; secondly in the access network, the intermediate level between the core network and the customer; and thirdly in the customer’s network.

Core network level
Core networks tend to serve large numbers of customers and, because the failure of electricity supply at such a location would result in an extremely high impact, the provision of suitable standby power is straightforward to cost-justify.

Communications Service Providers (CSPs) have long understood the need for fully resilient Uninterruptible Power Systems (UPS) equipped with short-term batteries and longer term standby generation, and they ensure that such systems are in place and are regularly maintained and tested.

Access level
Equipment at the access level can be less resilient to longer power interruptions and, while short-term interruptions can be addressed by battery backup solutions, the option of standby generation is generally costly to deploy across an entire network – even assuming that space, planning and security considerations make it a viable solution.

It is at the access level that the greatest challenges arise. While the equipment at this level may be the responsibility of the CSPs – either individually or jointly, the environment in which the equipment is located may be completely outside their control.

This lack of control brings about three main issues:
• the physical security of the location may render the equipment susceptible to accidental damage, vandalism or theft
• local planning regulations may preclude the expansion of facilities
• the size of a network may make the overall cost of standby generation unacceptable in terms of return on investment.

Street furniture may contain cable television and broadband equipment, and may act as a transfer point for ‘Fibre To The Cabinet’ (FTTC) technology providing data and Voice over Internet Protocol (VoIP) services. These and mobile base stations may contain a limited duration standby battery capability which addresses the short-term interruptions, but in longer interruptions this source of standby power will eventually discharge and service will be lost.

While it is this intermediate level which presents the greatest challenges, it also demands the most innovative solutions. These include:
• Solar or wind-powered generation equipment which may require less physical space than conventional standby generation technology and may present fewer planning difficulties. However, this option is only viable in the correct climatic conditions.
• Standby generators powered by Liquid Propane Gas (LPG), which have a more carbon-friendly appeal, are less noisy and less likely to attract theft of fuel than diesel generators
• Cross-organisational projects where, for example, an electricity generation, transmission or distribution company might provide either a free or reduced-cost protected supply to a CSP on some form of ‘quid pro quo’ basis
• ‘Femtocell’ technology, in which a small mobile base station is connected into the CSP’s core network using Broadband, which might serve a single location.

None of these is a ‘silver bullet’ solution and, in practice, the best option may be a combination used as appropriate while recognising that even those solutions will not guarantee 100% availability.
Funding of any solutions will remain a key issue. If motivation and finance were available at an EU or Member State level, funding could be found to provide standby power for locations which are deemed to be of importance to the Critical National Infrastructure, and this could be either in the form of capital or operational funding, possibly both.

Customer premises level
Power resilience at the customer premises level will always be the responsibility of the customer and not the CSP or the national government. In cases of shared accommodation, provision of resilient power for both mobile phone and WiFi service would rest with the landlord who might offer this to tenants who would have the final choice in whether or not to invest in this.

Energy networks
On the other side of the coin, the energy industry itself also makes considerable use of electronic communications in three areas:
• the transmission of energy network status information from network components and locations back to regional and national monitoring and control centres
• the transmission of commands to alter the configuration of key network components in the reverse direction
• the exchange of information, requests or instructions between those centres and the operational staff who may either have to report on network component status or carry out physical configuration changes in cases where other methods cannot be used.

As with the electronic communications industry’s concern for robust power at the network core, the energy industry takes robust electronic communications extremely seriously and builds resilience into its voice and data networks.

However, if the wired or wireless networks used within the energy sector are not resilient on an end-to-end basis, the monitoring and control centres could lose visibility of the status of parts of the energy network and be unable to make dynamic changes to it, bringing about the risk of network collapse under extreme conditions such as severe weather. Rigorous examination of the whole ICT infrastructure and subsequent testing is therefore required to ensure that the energy industry’s confidence in the resilience of its electronic communications infrastructure can be maintained.

Conclusions
Many domestic and commercial customers take the basic fixed line telephone service for granted and, as long as power can be supplied to the core network and the local serving exchange, service will continue to be delivered to the customer premises. But the telephone handset will only continue to function if it takes power from the telephone line rather than from the local electricity supply. More needs to be done in educating customers in the constraints of energy supply with respect to ICT in domestic and commercial premises.

While responsibility for the provision of the power resilience of core networks rests with the CSPs and that for the customer premises rests with the customer, the middle ground is where both challenge and opportunity lie.

There needs to be closer co-operation between the energy and electronic communications industries to ensure the continued resilience of both types of infrastructure at key installations.

In July 2009, the UK’s Institute for Public Policy Research published a document entitled ‘Shared Responsibilities’ in which it speaks of investment by the energy industry in helping to resolve the problem, but it is clear that this will not work in isolation – solutions must be through joint working relationships between the EU, Member State governments, the energy industry and CSPs and their respective regulators, which will provide for cost-effective solutions for all concerned, using alternative technologies and innovative approaches where appropriate.

A first step in this is already underway in the form of a project managed by the Italian National Agency for New Technologies, Energy and the Environment (ENEA) and entitled ‘The Methodology for Interdependencies Assessment’ (MIA). The ultimate goal of this will be to provide both the energy and electronic communications industries with a methodology and metrics to determine interdependencies in their networks.

The real challenges will come later, as the focus turns to the identification of practical solutions, funding and implementation.

David Sutton (davidwsutton@mac.com) is the Network Continuity & Restoration Manager for Telefónica O2 UK Limited.

AIFS 2010, 27-28 January
The Athens International Forum on Security (AIFS) is an independent information security conference held in Greece to deliver vendor-neutral expertise to proactive IT professionals. AIFS provides a fresh, in-depth look into information security technologies, policies, techniques and best practices, and helps all parties involved – from front-line IT personnel to policy-makers – gain valuable insights into key information security issues. This year’s forum brings together world-class experts to examine security challenges that organisations will face in the coming decade and introduce opportunities for successfully overcoming them. AIFS is organised by The Hellenic American Union, a public service organisation with an international focus and strong community commitment.

AIFS 2010 is a joint event in co-operation with ENISA and takes place in Athens, Greece.

More information: http://conferences.hau.gr/?i=aifs2010.en.home

EMERGING AND FUTURE RISKS


Identification of Emerging and Future Risks in a 2011 eHealth Scenario
Barbara Daskala, Louis Marinos and David Wright

While new technologies generally yield many benefits to society, they are not unalloyed, which is to say they may also pose risks to society. This article briefly presents the results of the assessment of a scenario dealing with an eHealth application and highlights the possible risks of such systems. The scenario was assessed as part of ENISA’s activities in 2008, in consultation with experts and other stakeholders.

Why eHealth?
eHealth includes a set of systems and services for health authorities, professionals, patients and citizens, and is envisaged to result in considerable improvement in the provision of health services to citizens; for example, it can help to limit costs and improve productivity in areas such as record-keeping, while enhancing the quality of patient care (i.e., reducing medical errors). Although the benefits of such applications are evident, eHealth remains a controversial issue and, some would say, risky. One of the biggest challenges in implementing eHealth concepts is convincing the public that the service provided in general – and the electronic health records in particular – will be safe and secure.

In this context, we considered a scenario based on a proposal by Philips Research relating to remote health monitoring and treatment. We regarded this as an appropriate subject for analysis, and the results could – among other things – contribute to discussions at the European Union level and have direct policy relevance.

The scenario: objectives, scope and outline
We had two main objectives:
• To identify major emerging and future risks (EFR) in a possible remote health monitoring and treatment scenario
• To obtain feedback on the ENISA EFR Framework, a tool used for analysing and assessing emerging scenarios.

Of course, the scenario does not and cannot cover all possible aspects of eHealth, thus the results are by no means exhaustive and representative of other eHealth applications. It does, however, present some of the main risks and challenges and is expected to contribute to the dialogue on eHealth implementations and to fuel further investigation of these issues.

The scenario revolves around Ralph, a diabetic enrolled in a remote health monitoring and treatment programme. He goes about his daily business wearing a special vest with biosensors, keeping track of his vital signs, ensuring rapid response from doctors, while his personal data may be literally flowing around, in order to enable this kind of service. The scenario shows us that remote health schemes undoubtedly offer great potential, especially to patients with chronic diseases. Many benefits can be identified for citizens’ wellbeing and quality of life, but what are the risks?

The risks in a nutshell
We have to consider issues relating to security, privacy, data protection and legality, as well as social, political and ethical ones. The risks listed here were deemed by the assessment team (ENISA, its Stakeholder Forum and other consulted experts) to have the greatest impact with a considerable probability of occurring. It should also be noted that the risks are highly interrelated.

Unauthorised access, modification or disclosure of a patient’s medical data – Evil-doers (both external and internal to the system) could eavesdrop on communication between the patient and a doctor and steal or otherwise appropriate personal data; or someone might steal the patient’s sensor-embedded garment, health card or the other IT components used to take advantage of the remote monitoring and treatment service. In addition, officials and patients may be negligent or careless in handling personal data.

Disruption or unavailability of the medical service – Unavailability of service may be caused by many reasons. Some flaws in the system design and/or infrastructure could lead to a malfunction or breakdown in the system, thereby disrupting service to users and thus threatening human health. Adding new functionalities to system design can lead to delays in implementing new systems; this seems to be happening in the case of the UK’s eHealth system (see, for example, Carvel, John, “New NHS computer system on brink of failure, warn MPs”, The Guardian, 27 January 2009, www.guardian.co.uk/society/2009/jan/27/nhs-it-computer-programme-health-public-accounts-committee). A natural catastrophic event, such as a hurricane or flood, could damage (parts of) the infrastructure on which the entire system depends. It could also be the case where, due to the unavailability of components, the system might not be able to authenticate the patients and, consequently, deny service provision.

Failure to comply with legislation – An eHealth system will collect large amounts of data about patients and it may be difficult to know precisely who should have access to those data, for what purposes and when the patient’s informed consent should be obtained. Even the notion of what constitutes informed consent could vary according to circumstances. In some cases, informed consent could be intrusive or difficult to obtain. A failure to comply with data protection legislation, such as the European Data Protection Directive (95/46/EC) and the e-Privacy Directive (2002/58/EC), may occur because individuals are not aware of their obligations, which might be especially important in an emergency, where everything needs to happen fast to ensure timely and appropriate treatment.

Repurposing or secondary use of data (‘mission creep’) – There is a serious risk that eHealth data might be used for a purpose different from that for which the data were originally collected. Such repurposing of data need not always be for nefarious reasons.
Discrimination, social sorting and social exclusion – The disclosure of medical and personal data may lead to discrimination and social sorting, which may have severe impacts on the patient’s social life. This is particularly the case where data regarding the patient’s medical condition is leaked to third parties which may, as a result, deny services to the individual or otherwise discriminate against him or her. An example is loss of employment opportunities if data are leaked to a prospective employer. Another example is the case of insurance companies offering premiums to customers who belong to low risk groups, or denying insurance coverage or requesting higher insurance payments if the patient is considered a high risk because of disease records.

Misinterpretation or errors in collecting and handling medical data – A patient may misinterpret the data generated from a monitoring device or from the eHealth system or the physician. Not every user is computer literate or even endowed with common sense! The data may be too complex or incomplete for the patient to understand properly. This risk will become greater if more responsibility for maintaining their own monitoring equipment is shifted to patients.

Data surveillance and profiling – Insurance companies, employers, credit-checking companies, researchers and/or others may successfully engage in data surveillance and profiling because patients’ data have not been secured sufficiently or because access control measures are weak or too ‘porous’. A part of the problem here is the incidental data that might be gathered from the sensors: for example, knowing the location of the patient in an emergency is critical, yet others, such as law enforcement authorities or burglars, might also be interested in knowing the location of a person at a given time. As with any form of data collection, it is difficult to predict what uses or value data might have after it has been collected.

For more information on the risks and the actual methodology used to perform the assessment and identify risks, see the full report and annexes available at: http://enisa.europa.eu/pages/02_01_press_2009_03_20_being_diabetic_2011.html. This scenario is the first of several which ENISA intends to develop in the near future, in consultation with stakeholders, as part of its mandate to identify and analyse emerging and future risks relating to European information security.

Barbara Daskala (barbara.daskala@enisa.europa.eu) is an Expert in ENISA’s Risk Analysis and Management section.

Dr. Louis Marinos (louis.marinos@enisa.europa.eu) is a Senior Expert in ENISA’s Risk Analysis and Management section.

David Wright (david.wright@trilateralresearch.com) is a Managing Partner at Trilateral Research & Consulting LLP, London, UK.

ETSI SECURITY WORKSHOP
20-22 January 2010
Call for Papers and Participation

The ETSI Security Workshop (www.etsi.org/SECURITYWORKSHOP) has become the most important annual international security standardisation workshop, bringing together international Standards Development Organisations (SDOs) and security experts to discuss recent developments, share knowledge, identify gaps and co-ordinate on future actions and work areas. This year’s Workshop will include overviews of work being undertaken in the area of security across standards and technical bodies, along with presentations from major organisations involved in security initiatives. The event will take place in ETSI Headquarters in Sophia Antipolis, France, from 20-22 January 2010.

ETSI is now calling for papers! Please send a short abstract of your presentation to events@etsi.org, together with the title of the presentation, the name and contact details of the presenter and the topic of reference as listed below by 9 October 2009.

The Workshop would welcome papers on practical implementations and issues such as the practical use of standards, the human factors and examples of insecurity. In particular this year the presentations should mainly have a focus on Security Innovation in one of the following topics: Next Generation Networks security, Mobile Telecommunications systems, ICT trustworthiness and integrity, Research and Innovation, RFID and NFC Security issues, the Internet of Things, Identity Management and your Privacy, Cryptography, Smart Cards and future trends, Quantum Key Distribution, Machine to Machine communication, Standards prioritisation and evaluation.

For updates about ETSI events, join the recently created ETSI-Events mailing list at: http://list.etsi.org/scripts/wa.exe?SUBED1=ETSI-EVENTS

ISSE 2009
6-8 October 2009
The Hague, The Netherlands

ISSE (Information Security Solutions Europe) is Europe’s only independent, interdisciplinary security conference and exhibition.

ISSE is renowned for its rich content and unbiased perspective, designed to educate and inform ICT security professionals, policy-makers and industry leaders on the latest developments in technology, solutions, market trends and best practice. ISSE 2009 will attract over 400 representatives from across Europe, providing an informal and stimulating environment for attendees to learn, share experiences and explore solutions with their European counterparts.

ISSE 2009 is a joint event co-organised with ENISA.

For more information: www.isse.eu.com/
Drivers of Emerging and Future Threats in ICT Infrastructures
Sotiris Ioannidis, Evangelos Markatos, Engin Kirda and Christopher Kruegel
Computer systems, networks and Internet users are under constant threat from cyber-attacks. A threat is any indication, circumstance or event with the potential to cause harm to an Information and Communications Technologies (ICT) infrastructure and the assets that depend on this infrastructure. Identifying and evaluating threats early enough is critical for protecting both infrastructures and citizens. Of course this is an extremely challenging endeavour. The past has witnessed many stunning scientific and technical advances, and these advances have transformed society and the way people use and rely on information technology. But attackers are also very creative and constantly invent new ways of abusing technologies and applications either for financial gain or simply because they enjoy virtual vandalism. Trying to accurately predict possible new threats is therefore no easy task, but it is important to think about the potential risks and threats of emerging technologies and their applications. Otherwise, one would surrender to the enemy and, at best, simply react to his new attacks.

Operating along those lines, the scientific community involved in the FORWARD project has been systematically working to identify emerging and future threats in ICT infrastructures. The FORWARD project is a co-ordination action, supported by the European Commission, whose purpose is to facilitate an agenda of research problems by mobilising the critical mass of European researchers in network and systems security. FORWARD has brought together more than 100 experts from academia, industry and government, creating the critical mass needed to identify the emerging and future security threats in network and systems security. Having completed two public workshops and hundreds of multi-party communications, the FORWARD community has identified the dimensions that drive the security threats of the future. These dimensions serve as the main drivers of development in general, and allow us to set a framework in which each working group can systematically explore threats.

The four main dimensions identified are the following:

New technologies: By new technologies, we mean technical advances that provide functionality that simply was not there before. Clearly, this is very difficult to predict, but there are certain drivers, such as Moore’s law, that have been valid for a long time. Extrapolating these steady trends, we foresee much faster networks (both wired and wireless), a substantial increase in parallelism (multi-core machines) and better energy and battery technology, which will catalyse the prevalence of mobile computing. Computing devices will also become smaller and cheaper. As a result, they will become more widespread, and they will be able to support more and richer applications.

New applications: New applications means completely new uses of technology, uses that typically did not exist before or do not have a counterpart in the real world. One important set of emerging applications is social networks: tools that have rapidly reached a significant proportion of the population and that support social interactions among large user groups. Another interesting class of new applications revolves around the idea of software as a service – a model in which applications are hosted by providers on a large-scale computing infrastructure, such as a cloud. This deployment and computing model is profoundly different from the traditional client-server model, presenting new challenges in security and privacy.

New business models: With new business models, we refer to the fact that certain services or applications that might already exist in some form start increasingly to rely on a working ICT infrastructure. For example, online shopping, online banking, and even eGovernment would be considered new business models in our taxonomy. That is, these services did exist before (as retail stores, banks and offices), but they are now increasingly carried out via ICT. In addition, these services do not represent a fundamentally different application, since they are typically instances of well known models of computing that are simply adapted to suit the business case.

New social dynamics and the human factor: This category takes into account possible changes in the way that people approach and use technology and certain applications. For example, young people are becoming increasingly sophisticated in their use of ICT, and at the same time ICT users in general are increasingly willing to entrust devices and applications with a significant amount of private information. This opens up the possibility for a wide variety of new threats.

The results of FORWARD are expected to be used not only by researchers, but also by policy-makers who want to facilitate a road towards a more secure cyber-space. Thus, researchers, policy-makers, decision-makers and practitioners are encouraged to follow the activities of FORWARD and provide their feedback at www.ict-forward.eu/.

Sotiris Ioannidis (sotiris@ics.forth.gr) is an Associate Researcher at the Distributed Computing Systems Laboratory of FORTH-ICS and an Adjunct Professor at the Computer Science Department of the University of Crete.

Evangelos Markatos (markatos@ics.forth.gr) is the Director of the Distributed Computing Systems Laboratory at FORTH-ICS, a Professor of Computer Science at the University of Crete and a member of ENISA’s Permanent Stakeholders’ Group.

Engin Kirda (ek@iseclab.org) is Associate Professor at Eurecom and an Adjunct Professor at the Technical University of Vienna.

Christopher Kruegel (chris@cs.ucsb.edu) is an Assistant Professor and the holder of the Eugene Aas Chair in Computer Science in the Computer Science Department of the University of California, Santa Barbara.
SKILLS AND CERTIFICATIONS
Cyber-Security Skills – The Cost of Ignorance
Hugo Lueders
The whole issue of helping to protect Europe from large-scale cyber-attacks such as those in 2007-2008 on Estonia, Georgia and Lithuania has acquired a new urgency recently. In Europe, Viviane Reding, the European Union (EU) Commissioner for Information Society and Media, called for action with a top person in charge (a European Cyber Security Chief), and in the US President Barack Obama and the Pentagon have asked for a new ‘Cyber Czar’ to combat the growing threat to America’s military and corporate security posed by cyber-crime.

But is the same importance being attached to developing the required human capacity, cyber-security training and skills to combat this threat to the digital backbone of Europe’s economy and society?

Cyber-crime has now reportedly surpassed drugs in terms of the amount of illegal revenue – hundreds of billions of Euros – it nets. The European Commission also calculates that there is “a 10% to 20% probability that telecom networks will be hit by a major breakdown in the next 10 years with a potential global economic cost of around €193 billion”, according to its recent Communication on Critical Information Infrastructure Protection (CIIP), (http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm).

A recent industry survey also finds that this human factor tops the list of the main security risks which increase costs to businesses and public organisations; data suggests security breaches cost companies in the US alone in excess of some €12 billion annually and probably significantly more (www.industryweek.com/articles/end_user_it_security_training_can_save_billions_19133.aspx?SectionID=2).

It is not as if European policy-makers are unaware of these challenges. But the EU risks overlooking the human capacity challenge and has made little or no appropriate, co-ordinated response to the need to develop cyber-security skills. After all, ENISA itself organised a seminar on cyber-security skills credentials as long ago as November 2006. Almost three years later, at the April 2009 meeting of EU Ministers on CIIP in Tallinn (www.tallinnciip.eu/), the skills challenge and growing shortages went unmentioned again, although they are central to the issue of cyber-crime and security and the post i-2010 Lisbon strategy for the knowledge-based economy.

Clearly, there is a pressing need to re-skill the EU workforce for the new digital economy. This means giving distinct roles to: governments (in fostering an environment which enables ICT skills to be acquired); education (providing relevant learning packages); and the industry itself (encouraging its staff to demand requirements). We urgently need to put into practice long-standing proposals for implementing a long-term and consistent e-skills agenda and for establishing multi-stakeholder partnerships to drive it forward. No single stakeholder can achieve this alone any longer.

This much is agreed: as well as delivering crucial investment in ICT infrastructures to promote economic and social development, Europe should clearly focus on human capacity building and accompanying investment in related ‘Skills Infrastructures’ (see the May 2009 ILB Policy Statement on “Skills Infrastructures”: www.e-skills-ilb.org/docs/Skills_Infrastructures_ILB_Policy_Statement_13May.pdf). Developing skills goes with investment. To this end there should be a concerted effort to improve the image of ICT industries through a continuous awareness-raising campaign (for the envisaged EC e-Skills Awareness Campaign 2010, see: www.eicta.org/index.php?id=34&id_article=344).

On the specific issue of cyber-crime, enhanced support should be given to industry-based and other recognised ICT skills credentials for cyber-security qualifications and the spread of higher education courses in forensic computing. All EU Member States should have Computer Emergency Response Teams (CERTs) to integrate related training and qualifications to ward off cyber-attacks.

The problem of network and information security will not go away; it will only grow in urgency and intensity. Europe needs to raise its game in addressing the threat that a lack of cyber-security skills – especially e-skills – poses to its ability to combat cyber-attacks.

Hugo Lueders (HLueders@comptia.org) is the Senior Director of Public Policy at COMPTIA, responsible for Europe Middle-East and Asia (EMEA).
Penetration Testing – What’s That?
Peter Fagan and Peter Fischer
In the aftermath of the various security
incidents within UK Government in 2007 and
2008, a report on Data Handling Procedures in
Government was published by the Cabinet
Office (www.cabinetoffice.gov.uk/reports/
data_handling.aspx), together with a set of
Mandatory Minimum Measures. Top of the list
of core measures to protect information was
the ‘independent penetration testing of
Departmental systems’.
However, the term ‘penetration testing’ is used loosely to cover many different activities. These include:

• Social Engineering – There are inevitably ‘touch points’ where users interact with system administration staff (dealing with lost passwords, application problems etc.). Although the term ‘social engineering’ itself covers a lot of ground, usually it is based on trying to exploit these touch points to gain unauthorised access. Tests assess staff awareness of threats and information sensitivity, and the strength of the processes governing the interaction.

• A Network/Systems Test – This is the usual interpretation of a ‘penetration test’. The testers look at the switches, routers, firewalls, servers etc., inspecting their configurations for weaknesses (e.g., inappropriate access control lists), checking for the latest patches to eradicate known vulnerabilities and looking for specific issues such as weak passwords. These tests can also be extended or constrained to specific aspects such as the use of Voice over Internet Protocol (VoIP) or wireless networks. A successful check will provide confidence that the underlying network infrastructure is well-configured, and will identify any residual weaknesses. However, for a system of any significant size, it is usually better to base the approach on sampling.

• An Application Test – Web-based systems clearly have to accept web traffic to function. In this case, the ‘doorways’ for the traffic represent unavoidable vulnerabilities. An application test will check that these openings are only as wide as they need to be. Typically this will ensure that common browser-based attacks are blocked, that ‘man in the middle’ threats are managed, that Simple Object Access Protocol interfaces (SOAP) and Application Programming Interfaces (APIs) are secure, that any tokens (such as cookies or Security Assertion Markup Language (SAML) tokens) are passed in a secure way, and that, for example, Extensible Markup Language (XML)-based attacks are prevented.

• A Network Device Test – This is the test of the configuration on a single network device such as a router or a firewall. It is unusual, because of the expense of arranging the tests for just a single machine, but sometimes it is necessary (e.g., when a firewall has been replaced or to confirm that a heuristic device such as a web application firewall has ‘learned’ correctly).

There is a fundamental and important difference between an aggressive penetration test – executing scripts to test whether a vulnerability can be exploited – and a vulnerability assessment – checking for known vulnerabilities. Unless absolutely essential, aggressive penetration testing of live operational systems should be avoided; it is safer to test a reference or development system.

The field of penetration testing continues to evolve. One emerging approach is to identify the key assets of the system (the user database, the database schema, key credentials etc.), and ask the penetration testing team how they would use access to that asset in order to attack the system. Not only does that identify key assets requiring specific protection, it can also assist with incident handling.

The first lesson from this discussion is that penetration tests, vulnerability assessments or IT Health Checks (all are used to cover roughly the same types of activity) need to be defined and managed, and must have clear objectives. All too often ‘Someone in Authority’ deems that a penetration test would be a ‘good thing’ and someone else is tasked with ensuring that one is commissioned. That individual might have no idea of what a penetration test is, how it should be specified, what precautions should be taken or what to expect. In other words, he or she represents the perfect example of an unintelligent, ill-informed customer!

Additionally, the project or system manager of the ‘target’ might have no knowledge or experience of such a test and be totally unprepared for what is involved and what might happen. The result could be misunderstanding, confusion, disaster and, inevitably, recriminations. In the worst case the value of a penetration test could be completely overshadowed by the problems caused, to such an extent that ‘management’ bans further tests.

Scoping normally takes place during an initial meeting involving the organisation commissioning the tests and the party performing the tests. It is essential at this meeting to define the types of tests required, with their scope and related boundaries.

There have been a number of cases reported where public and private sector systems, usually web portals, have been ‘attacked’ by so-called penetration testers exceeding the boundaries of their test targets. This suggests not only poor management of the process, but also a degree of incompetence by the testers.

So, how does the organisation know whether a testing company or individual is competent? For many years CESG, the UK Government National Technical Authority for Information Assurance, has operated a scheme – CHECK – which independently assures companies and senior level vulnerability assessment testers (using the CHECK Team Leaders (CTL) standard) for the purpose of undertaking penetration tests and IT Health checks against systems and networks which process UK Classified information. Recently, two schemes have emerged which assess testers to a standard evaluated by CESG as equivalent to their CTL assessment – the CHECK ‘Assault Course’. One of these two schemes is run by the Council for Registered Ethical Security Testers (CREST); the other is the TIGER Scheme.

All three schemes – CHECK, CREST and TIGER – recognise the need to ensure that testers maintain their knowledge base. This is a dynamic area where the scene is constantly changing. Consequently the certification offered by each scheme has a lifespan of only three years, following which the tester must be reassessed.

The TIGER scheme model is particularly appropriate for providing development and training for security testers throughout their career, and can be replicated across the European Community. There are four levels of certification – Associate, Qualified, Senior and Specialist – each supported by training courses, and each achieved by passing an assessment that is set and marked by a recognised academic Examining Body, currently the University of Glamorgan. The scheme also has a number of approved Training Partners, and a specific IT Health Check Management course aimed at individuals in organisations procuring such tests. More information can be found at www.tigerscheme.org.

Information on CHECK can be found at www.cesg.gov.uk and on CREST at www.crest-approved.org.

Peter Fagan (p.fagan@ukonline.co.uk) is a Solutions Director and Head of Security Practice at Sogeti UK Ltd and one of the initial members of the CESG Listed Adviser Scheme (CLAS).

Peter Fischer (peter.fischer@btinternet.com) is a Managing Consultant at Sogeti UK Ltd, a Lecturer in Information Assurance at the UK National School of Government, an ENISA Independent Expert and a former Head of Information Assurance and Certification Services at CESG.
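A passive check of the kind an application test runs over a captured response, as an added example that is not from the article or from any of the schemes it names: it parses a constructed HTTP response and reports tokens (cookies) not passed in a secure way, missing transport protection against man-in-the-middle downgrade, and missing browser-side hardening headers. The sample responses, the finding identifiers and the one-year HSTS floor are constructed for illustration.

```python
"""Passive header checks of the kind an application test runs over a
captured HTTP response. Added example, not code from the article or from
CHECK/CREST/TIGER; the sample responses and finding ids are constructed."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (finding id, description)

# One year in seconds, used here as the floor for an HSTS max-age.
HSTS_MIN_AGE = 31536000


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x response into (status code, [(name, value), ...]).
    Header names are lower-cased; repeated headers such as Set-Cookie are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_cookie(value: str) -> List[Finding]:
    """A session token must not travel over plaintext HTTP, be readable by
    injected script, or be attached to cross-site requests by default."""
    name = value.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(("cookie-no-secure", f"cookie {name!r} may be sent over plain HTTP"))
    if "httponly" not in attrs:
        findings.append(("cookie-no-httponly", f"cookie {name!r} is exposed to script"))
    if "samesite" not in attrs:
        findings.append(("cookie-no-samesite", f"cookie {name!r} has no SameSite attribute"))
    return findings


def check_response(raw: str) -> List[Finding]:
    """Run all passive checks and return the findings in a stable order."""
    _, headers = parse_response(raw)
    names = {n for n, _ in headers}
    findings: List[Finding] = []
    # Tokens passed in a secure way.
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(check_cookie(value))
    # Man-in-the-middle downgrade: HSTS must be present and long-lived.
    hsts = next((v for n, v in headers if n == "strict-transport-security"), None)
    if hsts is None:
        findings.append(("no-hsts", "no Strict-Transport-Security header"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(("weak-hsts", f"HSTS max-age below {HSTS_MIN_AGE}: {hsts!r}"))
    # Browser-based attacks: clickjacking and MIME sniffing.
    framed = "x-frame-options" in names or any(
        n == "content-security-policy" and "frame-ancestors" in v for n, v in headers)
    if not framed:
        findings.append(("no-framing-protection", "neither X-Frame-Options nor CSP frame-ancestors"))
    if "x-content-type-options" not in names:
        findings.append(("no-nosniff", "no X-Content-Type-Options: nosniff"))
    return findings


# Constructed sample responses: a weak one and its hardened counterpart.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=c0nstructed; Path=/\r\n"
    "\r\n<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=c0nstructed; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, [fid for fid, _ in check_response(raw)])
```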
A New Qualification to Guarantee Secure Software Engineering Skills
Petra Barzin
Why Secure Software Engineering?

Security at the application level is a growing concern and one of the biggest challenges that will face the IT community over coming years. Although vendors provide security patches free of charge, their roll-out produces extra costs and brings with it the risk of new security vulnerabilities and critical incompatibilities in complex IT environments. The constant race against time to identify security vulnerabilities before an attacker finds them, and to publish security patches before published exploits can cause harm is not the best approach to bolster confidence in the security of software. In order to win the race, the real cause of security vulnerabilities – rather than their effect – must be eliminated.

A firewall cannot distinguish between a valid input parameter and a ‘code injection’ attack. This distinction can only be judged at the level of the application itself. So possible attacks could be eliminated earlier, i.e., during the application development phase. Unfortunately, insufficient attention is usually paid to security aspects in the software development lifecycle in university-level curricula, or later in the day-to-day business of software engineers, in order to counter security vulnerabilities in software as they are emerging.

Secure software development demands security-conscious and well-educated software architects and developers. There is need for qualifications demonstrating that a person possesses the necessary skills to develop secure software.

The International Secure Software Engineering Council (ISSECO – www.isseco.org) aims to fill this gap by providing an international personnel certification standard for secure software engineering.

ISSECO deals with the education of people involved in the software development lifecycle. This new personnel certification is aimed at everyone who is directly involved in the software development lifecycle, including requirements engineers, software architects, designers, developers, software quality managers, software testers, project managers and all related software development stakeholders.

The ISSECO syllabus

The structure of the syllabus is based on the different phases of the software development lifecycle.

The first step in creating secure software is to understand the attacker and the customer. In order to see with the eyes of the enemy, Certified Professionals for Secure Software Engineering must appreciate the hackers’ motives, their skills and resource situation, as well as typical hacker thinking when attacking systems. In addition, Certified Professionals must have understood why and what customers expect in terms of software security in order to be able to classify customers’ requirements.

Next, Certified Professionals for Secure Software Engineering must have a basic understanding of the different trust and threat models. In contrast with threat models, there are various access control models that describe how to constrain the ability of a subject to access or perform some sort of operation on an object.

Certified Professionals for Secure Software Engineering must also feel comfortable with the methodologies for secure software development. Processes that consistently produce secure software do not require any particular design, development, testing or other methods. They can be applied to any development methodology or lifecycle model.

Security must be incorporated from the very beginning of the software development lifecycle. In the requirements engineering phase Certified Professionals should focus on developing security requirements for the respective application. There are numerous different sources of requirements and many of them are relevant to security.

Because architectural and design-level errors made during the design phase are the hardest vulnerabilities to fix and the most difficult to defend against, security principles and security design patterns must be well understood. At design reviews Certified Professionals must be able to focus on the areas of the application that have the most impact on security.

The creation of secure coding requires an understanding of which programming errors lead to vulnerabilities such as Cross Site Scripting (XSS) or injection flaws. All vulnerabilities are introduced by so-called vulnerability patterns, e.g., buffer overflow, race conditions or improper error handling. Certified Professionals for Secure Software Engineering must be able to identify, avoid and remedy all of them.

During security testing Certified Professionals will have to verify whether all security requirements are met and that all mitigation techniques are effective. They must therefore understand the test methods of security testing and how to interpret the results.

Even when security issues are considered at the initial stages of software development and secure design and coding practice are applied during development, the security implications of deployment are often overlooked. Many vulnerabilities may still arise during this final phase. Thus, secure deployment is another important concern.

Once the software has been deployed, the focus shifts to the implementation of a security response process in order to make sure that security issues in software installations are fixed and communicated responsibly.

Security metrics serve to quantify the security of an application. Security involves every stakeholder, has an impact on many features and must be considered by Certified Professionals for Secure Software Engineering throughout the complete software development lifecycle.

Last but not least, the correct use of code and resource protection will assure the quality of software and protect it from foreign sabotage.

Future prospects

Besides the foundation level certification, further advanced levels are planned to be defined later. These advanced levels may address security matters specific to a programming language, IT security management or other topics. In the future, ISSECO is also considering offering security auditor training for assessing software development with respect to security.

Petra Barzin (petra.barzin@secorvo.de) works for Secorvo Security Consulting and is one of the Vice Presidents of ISSECO.
AWARENESS AND END-USER ISSUES
End-user Security: Misused and Misunderstood?
Steven Furnell
Today’s end-users have to contend with a variety of threats, many of which target and affect them directly, and so require associated protection. However, actually addressing this issue is complicated by the fact that users are often asked to accept the existence of threats that they cannot see and to protect against risks that they do not really understand. Moreover, they are frequently asked to do so via software that seemingly requires a strong grasp of security concepts and terminology.

Nonetheless, with Internet threats having received greater recognition in the public mind, security is now more prominent in modern systems and applications. As a consequence, users can encounter a range of security-related features and notifications during routine daily use. For example, a modern web browser such as Internet Explorer 8 incorporates anti-phishing (via the SmartScreen Filter), pop-up protection, data privacy controls (via the InPrivate Browsing feature), as well as numerous options relating to content that can be downloaded and run within pages. In this way, users may find themselves interacting with a variety of related menus and notifications – as well as potentially needing to respond to them.

Unfortunately, evidence suggests that users are frequently ill-equipped to deal with security events, particularly when handling them requires a decision to be made. A study at the University of Plymouth investigated this issue, with 26 users being asked to record their security-related interactions over a two-week period (Chatziapostolou, D. and Furnell, S.M. 2007. “Assessing the usability of system-initiated and user-initiated security events”, Proceedings of ISOneWorld 2007, Las Vegas, 11-13 April 2007). The participants were asked to record both system-initiated events (e.g., warnings, alerts, update messages) and security actions they tried to perform for themselves (e.g., configuring protection, setting permissions). Almost 90 system-initiated events were recorded and in 16% of cases users reported being ‘totally unclear’ on what had happened and/or what they were supposed to do, with a further 23% reporting that the event was ‘mostly unclear’. Additionally, in 22% of reported cases, the occurrence of the event prevented the users from completing whatever task they had been performing at the time. Meanwhile, from almost 30 user-initiated events, the situation was even worse, with 31% ‘totally unclear’ and 21% ‘mostly clear’, and users being able to complete their intended action in only 62% of cases.

Such findings highlight the need for security to become more usable, and it has long been recognised that the way in which security measures are presented to users can be a barrier to effective protection. Indeed, evidence of usability problems abounds, from misconfigured firewalls through to classic problems such as passwords that are poorly selected and subsequently mismanaged. Thus, at its fullest extent, the concept of usable security embraces considerations from the design of the user interface through to the effect that it has on the user experience and system performance. Focusing on the interface level, where users must interact and make decisions, security tools and features need to satisfy the following characteristics if users are to stand a good chance of handling them effectively:

• Understandable – Features should be presented in a manner that is meaningful to the target audience. For example, reliance upon jargon and technical terminology could easily exclude novice users.
• Locatable – If users have to spend too long looking for security it increases the chances that they will give up and remain unprotected.
• Visible – A clear indication of security status will help to remind users to enable appropriate safeguards.
• Convenient – Security should not be so prominent that it becomes inconvenient, as users may disable features that are deemed overly intrusive.

Having said this, usability will only take us so far. While interfaces can be made more visually appealing, the underlying problem of actually understanding the nature of security measures may remain unresolved; users can navigate the interface and click the buttons, but it does not mean that they are making informed and correct decisions in the process. In short, users need to understand what they are doing and why they are doing it. Without at least a baseline understanding of the threats and countermeasures we will find that users are simply unaware of their security needs. For example, findings from a more recent University of Plymouth survey of 259 home-users suggest that, while most people have concerns about online security, many are not positioned to protect themselves. Only 5% of respondents reported that they were not at all worried about their security and privacy, whereas 13% classed themselves as ‘very worried’ and a further 36% as ‘fairly concerned’. In spite of these concerns, there appeared to be some significant gaps in the respondents’ awareness of their own security:

• 44% did not know if they were using encryption on their wireless network, with a further 15% reporting that they were not using it
• 35% did not know whether their antivirus solution also provided protection against spyware
• 19% were unaware of whether they were using spam filters
• 17% did not know what their firewall does, while a further 22% did not know where to find the related configuration settings
• 12% reported that they did not know about backing up their data, with a further 33% reporting that they did not do it.

Unfortunately, the problems do not end with lack of awareness and lack of usage. Even when particular technologies have been adopted, users’ lack of understanding can be their undoing. As evidence, we can consider findings from the National Cyber Security Alliance and Symantec (NCSA-Symantec. 2008. NCSA-Symantec National Cyber Security Awareness Study – Newsworthy Analysis. October 2008. http://staysafeonline.mediaroom.com/file.php/100/2008+NCSASymantecStudyAnalysis.pdf). This study asked home-users in the US about the protection in use on their PCs, and then scanned 400 of them to see how closely the users’ beliefs matched the reality. In some areas the results were fairly positive. For example, 93% believed they had antivirus measures installed, whereas 95% actually did, and 83% claimed to have antispyware, with 82% indeed having the protection. However, in other cases the situation was rather less encouraging. For example, 81% believed they had firewall protection, but only 58% actually had one appropriately installed, updated and enabled. Meanwhile, 75% thought they had anti-spam protection, whereas only 42% actually did so. Of course, with the prevalence of malware and other online attacks, it could be argued that all of the respondents should have had antivirus, antispyware and firewall protection. As such, the fact that some users were still knowingly unprotected presents further evidence of a lack of understanding and/or neglect.

These findings emphasise the importance of usability being supported by effective awareness raising, in order to build an underlying culture of security amongst the user population. This applies to both individuals and the organisations in which they work, and would help to ensure that users are better equipped to understand the reasons that they are at risk and the protection that they require as a consequence. These objectives will only be achieved via continued efforts to reach the target audience, and by achieving a better understanding of which approaches are successful in which contexts. In this respect, activities such as those of the ENISA Awareness Raising Section are important in highlighting and sharing good practice, as well as potentially feeding back into initiatives for supporting security awareness at both national and local levels.

Prof. Steven Furnell (steven.furnell@plymouth.ac.uk) leads the Centre for Security, Communications & Network Research at the University of Plymouth, UK.

Human Factors in the Dependability of IP Networks


Ilkka Norros and Leena Norros
The motivation for the Finnish Government funded research project IPLU, “Dependability evaluation methods for IP networks”, in 2006 and its follow-up, IPLU-II, was concern about the dependability of the IP-based communication infrastructure. IPLU’s task was to create a broad conceptual framework for considering the complex problem, “Can one rely on IP technology?”, and to identify and develop methods for assessing the dependability of IP networks. IPLU-II continued with selected focused topics. A special feature of both IPLU and IPLU-II was their multidisciplinary nature, drawing on the expertise of the VTT Technical Research Centre of Finland, which carried out both research projects, in communication technologies, mathematical modelling, statistics, safety-critical systems and psychology. The projects were supported by most of Finland’s key players in the field.

The human factors of network operation
It seems to be a common view in the networking domain that a high percentage of network failures are caused by human error. Therefore it is very interesting to know what happens ‘behind the scene’, where experts with various qualifications work continuously to keep the ‘invisible’ infrastructure functioning. IPLU-II interviewed 20 people who operate the networks of the Finnish telecommunications company, Elisa, resulting in the collection of empirical material comprising 500 pages of transcribed protocols. The answers were analysed, applying an approach developed at VTT for the study of experts’ work in high tech environments. The four research questions of the study were formulated as follows:

• How do the actors perceive the network as the object of their activity?
• What kind of skill, knowledge and collaboration requirements does operation of the network set?
• How do the network operators act on the network?
• What is the impact of human error on the dependability of the network?

The background, results and conclusions of the study will be presented and discussed in detail in a report that will appear on the project’s homepage in October 2009. Below are summarised the results of a so called ‘core-task demand analysis’ of the work of network operation, the interviewees’ thoughts on the impact of human error, and some general conclusions drawn from the study.

Demands of the work of network operation
The special work demands in high tech environments that are intrinsically implied by features of the work domain can generally be classified as being related either to its (i) dynamics, (ii) complexity, or (iii) uncertainty. These three dimensions cover and structure the features of the object of Communication Network Operation (CNO) very well. Mastering these features requires many kinds of skill, knowledge and collaborative resources as well as specific emotional resources. The core-task demand structure obtained is illustrated in the diagram overleaf.
[Diagram: Core-task demands of CNO – the demands are structured along the three dimensions Dynamics, Complexity and Uncertainty (technical uncertainty, defective information) and the resources Collaboration and professional confidence, Skill and feeling of control, and Knowledge and meaning of activity.]

The role of human error
The majority of the interviewees, though not all, considered the impact of human errors on network failures as remarkable. Erroneous acts were found possible at two levels: the individual level and the organisational process level.

As regards the work of an individual network operator, hurry, stress, taking care of several jobs simultaneously and night work were identified as situation factors which increase the vulnerability of work performance. Two particular types of error were identified in work performances:
• lapses and confusions, in particular with configuration and with the allocation of subcontractor jobs
• errors in reasoning in configuration and planning.

The vulnerability of performance at the general level seems to be caused by factors resulting from habits and culture such as:
• meaningless repetition of performance, and slackening of the control of activity during the work
• neglect of the use of knowledge or instructions
• weakening of interest and motivation.

On the other hand, many problems were less connected with the performance of individuals and could thus be alleviated by changes in processes, customer solutions, working habits and education. Errors were said to result from circumstances such as the defective documentation of implemented solutions, the defective consideration of the effects of changes, incomplete implementation of changes, neglect of checks and unpredictability connected with new solutions. Defects in knowledge were also mentioned as a source of errors. Excessive tailoring of customer solutions was considered much more error-prone than favouring a set of standardised solutions. Learning from errors is accentuated by their repetition but, on the other hand, is often hindered by their latency.

Some conclusions from the study
First, the social importance of the networking branch and network operation work is increasing as the ubiquity of Internet access becomes an integral part of the common technological environment. The social appreciation of CNO work deserves to be heightened.

Second, a combination of proactive and resilient methods is needed in the organisation and processes of CNO work. Whereas planned acts upon the network should be prepared as carefully as possible, preparedness for online problem-solving prompted by unexpected network failures is an integral part of CNO work.

Third, CNO work is also socially highly networked by its nature, and communication and collaboration over organisational boundaries is a challenge that needs attention. A socio-technical approach to the network should be developed. We also noted that a customer-centric approach seems to be gaining momentum – the network also exists for its customers in the minds of the experts.

To follow up this work, fault diagnosis and recovery processes should be observed and analysed in detail as they occur in CNO work practice. This would be valuable not only for the development of good work practices but also for the development of better tools for network management.

Other results of IPLU-II
IPLU developed the basic idea of a ‘dependability case’ methodology that makes it possible to combine a heterogeneous set of relevant requirements, facts, tools, techniques etc. into an organised argument in support of a claim concerning the dependability of a network. The feasibility of this approach was tested in IPLU-II by building a comprehensive dependability case of the Funet network in collaboration with experts from CSC – the IT Center for Science Ltd (www.csc.fi/english) which is administered by the Finnish Ministry of Education – who manage the network. A complete description of the case and a related article are available on the project’s homepage.

On a more technical level, IPLU-II contributed to the difficult concept of IP-availability, the monitoring of IP-TV availability, on/off process modelling for network reliability analysis and a comparison of strategies for improving network dependability.

The outputs of IPLU and IPLU-II are available on their common homepage at: http://iplu.vtt.fi.

Ilkka Norros (ilkka.norros@vtt.fi) and Leena Norros (leena.norros@vtt.fi) are Research Professors at the VTT Technical Research Centre of Finland.

TECHNOLOGIES
A Secure Approach for Embedded Systems in Japan
Hideaki Kobayashi, Manabu Nakano and Tomoka Hasegawa

The Information-technology Promotion Agency, Japan (IPA) is a Japanese Government organisation working under the Ministry of Economy, Trade and Industry (METI). The IPA’s IT Security Center (ISEC) is the core unit for promoting Japanese IT security countermeasures, including disseminating information and raising security awareness among Japanese citizens, providing alerts on the latest security vulnerabilities, hosting basic and advanced security seminars throughout the country, and publishing security guidelines for businesses and personal computer users.

Embedded systems used in automobiles and home information appliances are one of the major industries in Japan. However, security measures are given less priority because of the reduction in the development period, or lack of resources and IT security awareness, caused by aggravated market competition. This could affect the whole future of the global deployment of Japanese software embedded systems.

IPA is therefore providing embedded system security guidelines aimed at raising awareness and promoting secure implementation. It is particularly targeting engineers and managers.

Challenges and measures for the entire lifecycle of embedded systems
We have interviewed developers of embedded systems and summarised our findings into four phases of the production lifecycle: Planning, Development, Operation and Disposal, adding one more critical aspect, Management, to cover the entire lifecycle within an organisation. In addition, we have produced fifteen practical guidelines for IT security based on these five phases, to help both engineers and managers identify the threats to embedded systems and to decide ‘what should be done’.

The fifteen guidelines are as follows:

I. Management
1. Security Rule: create a documented organisational rule for security
2. Security Education: provide security education on vulnerabilities etc.
3. Security Information Gathering: collect information relevant to security for the entire lifecycle

II. Planning
4. Budget: allocate budget for security from the perspective of risk avoidance

III. Development
5. Design: extract the appropriate security challenges to be considered and review the countermeasures
6. Adoption of the Development Platform: configure the platform to avoid leaks of confidential information to attackers
7. Software Implementation: avoid discovery of vulnerabilities by implementing tamper-resistant software
8. Approach for Outsourcing Development: specify the design rules to the outsourcing company and clarify the responsibility of each stakeholder
9. Security Evaluation Test and Debug: verify the existence of vulnerabilities by evaluation tests
10. User’s Guide: create a troubleshooting manual for embedded system users
11. Factory Production Control: establish a physical or network barrier to manage security aspects

IV. Operation
12. Handling of Security Problems: prepare for unexpected incidents by establishing incident response contact points or determining the handling flow
13. Method of Advising Users and Countermeasures: develop a method to deliver information to users upon discovery of a vulnerability
14. Practical Use of Vulnerability Information: review the approach to prevent recurrence upon discovery of a vulnerability

V. Disposal
15. Announce the Method of Equipment Disposal: announce to users how to eliminate data within the embedded system

Towards an organisational approach to embedded system security
To tackle threats to embedded systems effectively, their various components need to be treated as a whole, which requires an organisational approach.

We have classified each of the fifteen security guidelines listed above into four levels as an index of how well an organisation has adopted an organisational approach to IT security. Details differ within each guideline but the characteristics of each level are the same:

Level 1: There are no security measures in place
Level 2: Security measures are performed under the leadership of the person in charge
Level 3: Organisational security measures are taken
Level 4: Organisational security measures are taken and an external audit mechanism exists

Summary
By applying these guidelines, embedded systems developers now have practical guidelines to help them implement secure embedded systems.

IPA is working to expand its approach and to improve the contents of the guidelines by interviewing additional embedded system developers. In addition, we plan to make practical proposals for improving the level of embedded system security by introducing security countermeasure tools and various case examples. Working with relevant organisations, we will contribute to the enhancement of security measures among users, manufacturers and service providers and, by advancing international collaboration, contribute to the promotion of global security countermeasures.

Hideaki Kobayashi (hd-koba@ipa.go.jp) is the Laboratory Manager of the Security Engineering Laboratory in the IT Security Center (ISEC) of the Information-technology Promotion Agency, Japan (IPA).

Dr. Manabu Nakano (mn-naka@ipa.go.jp) is a member of the Security Engineering Laboratory in the IT Security Center (ISEC) of the Information-technology Promotion Agency, Japan (IPA).

Tomoka Hasegawa (tm-hase@ipa.go.jp) is a member of the Security Engineering Laboratory in the IT Security Center (ISEC) of the Information-technology Promotion Agency, Japan (IPA).

tNAC – trusted Network Access Control
Access Control meets security platform
Marian Jungbauer and Norbert Pohlmann
Current and future networks must be flexible and open in terms of their expansion. At the same time these networks should enable trusted communication. The flexibility and relatively low cost of the Internet open the way to a lack of security. Field workers, for example, use their computer systems in many different environments with varying security requirements and conditions. If a computer is compromised by malware outside a company network, the company’s security mechanisms will be bypassed upon its reintegration into the company network.

Even today there are possibilities for expanding networks in a flexible manner and equipping them with security services – for example via Virtual Private Networks (VPNs). However these security mechanisms cannot guarantee the trustworthiness and the identity of the computer systems that are used.

The Network Access Control (NAC) concept aims to make the trustworthiness of computer systems verifiable to allow trustworthy and secure network connections. In a NAC-enabled network, the configuration of any connecting computer system is checked before it is allowed network access. Only if predefined security policies are fulfilled will a computer system be considered trustworthy and allowed to access the network and the connected services. Computer systems with a faulty or undesirable system configuration cannot enter the network.

At present there are a number of NAC solutions in existence – the most prominent representatives are Cisco Network Admission Control and Microsoft Network Access Protection. And there are further approaches under development – such as the Trusted Network Connect (TNC) specification which aims to be an open, producer-independent specification for verifying endpoint integrity.

Limitations of today’s NAC solutions
All current NAC concepts – including those listed above – have limitations. The core limitation is the lack of trustworthiness caused by the use of common operating systems. The trustworthiness created by any NAC solution depends on the trustworthiness of the client’s measurement readings representing the client state. By the use of common operating systems, malware can manipulate the measurement readings at any time which leads to a paradox. Because of this permanent risk of unnoticed falsification, any collected data must be considered as being compromised and therefore not trustworthy. This was demonstrated at the Black Hat Conference 2007 using Cisco NAC. By means of a modified Cisco Trust Agent (CTA) it was possible at all times – irrespective of the computer status – to gain access to a NAC-protected network.

Solution: integration of NAC into security platforms
The limitation mentioned above can only be solved by integrating NAC into a security platform. This article gives an example of such an integration on the basis of the tNAC (trusted Network Access Control) project. The tNAC consortium consists of the German Universities of Applied Sciences Gelsenkirchen (Institute for Internet Security) and Hanover and a number of companies – Datus AG, Sirrix AG and Steria Mummert Consulting. The project is sponsored by the Federal Ministry of Education and Research.

The main aim is the realisation of a complete open source NAC solution based on the TNC specifications, including an integration of TNC into a security platform to achieve a higher level of trust. tNAC is based on two existing Trusted Computing projects – TNC@FHH, an Open Source TNC solution developed by the UAS Hanover, and the Turaya security platform, developed by the former European Multilaterally Secure Computing Base (EMSCB) project in which the Institute for Internet Security participated. Turaya does not replace common operating systems. It is a new security layer positioned between the hardware and the operating system. It can control security-relevant processes and offers the ability to use Trusted Computing functions securely.

One of its core functions is the ability to isolate processes and applications securely. Any process or application can run in parallel but in strictly isolated environments which are called ‘compartments’. A security relevant application – such as an online banking application – runs in isolation from a common operating system. Any access by the operating system, or any other compartment, to data which is stored in this compartment is prevented. In this way even compromised compartments cannot be used by an attacker to access the isolated data.

Integration of TNC into the Turaya security kernel
The potential of the Turaya security platform to separate compartments with running applications is also a great advantage for NAC. The applications that need to be measured and the TNC components can be isolated securely by means of the security platform. The simultaneous compromising of an application as well as the TNC components is made considerably more difficult to accomplish for a possible attacker. Faulty integrity measurements of the applications are therefore prevented.
However, the ‘integration’ is not trivial. As applications of the security kernel, the TNC components have to rely on the integrity of the kernel itself. This cannot be determined securely by TNC, due to the fact that a possible compromise of the security kernel would cause the measurement values collected by this kernel not to be trustworthy. At this point one paradox is exchanged for another.

A promising approach which prevents a new paradox is the combination of TNC with another Trusted Computing concept – Remote Attestation.

Combination of Attestation and TNC
Like NAC concepts, Remote Attestation allows integrity checks of remote computer systems to verify their trustworthy state. If a computer system’s configuration has changed, the attestation would fail, allowing the communication partner to abort the network connection. There are three entities participating in a Remote Attestation. Besides the computer system whose state has to be checked and the computer system that is demanding the attestation, the presence of a Third Party (or Trusted Party) is required to perform the certification. Without the process of certification by a third party there is no possibility of performing a Remote Attestation, other than the so called Direct Anonymous Attestation (DAA), introduced in the TPM-Specification 1.2.

On the downside, any change in the computer system’s state – even that caused by a new antivirus signature – could result in a recertification. This recertification has to be executed in a trustworthy (and complex) process. In the case of an antivirus scanner, which may be updated many times a day, this procedure is not practical. It is therefore more practical to exclude frequently changing applications from a Remote Attestation.

A combination of TNC/NAC and Remote Attestation raises trusted and manageable verification of computer systems to a higher level, but avoids the limitations resulting from the use of a single testing method. As a computer system’s integrity has to be checked, the security platform and the TNC components are measured by Remote Attestation, while applications such as a firewall or an antivirus application are tested by TNC. As long as the configuration of the security platform remains relatively static (stable), the number of recertifications is minimised. At the same time it is possible to check compartments and applications with often changing configuration – for example an antivirus application – by a trustworthy use of TNC (see diagram above).

As a result, the use of NAC in combination with Trusted Computing functions enables trustworthy communication which in turn establishes a base for new trustworthy applications.

Marian Jungbauer (marian.jungbauer@informatik.fh-gelsenkirchen.de) is a researcher at the Institute for Internet Security at the University of Applied Sciences Gelsenkirchen in Germany.

Norbert Pohlmann (norbert.pohlmann@informatik.fh-gelsenkirchen.de) is a Professor at the Institute for Internet Security at the University of Applied Sciences Gelsenkirchen in Germany and a member of ENISA’s Permanent Stakeholders’ Group.
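The split verification the article describes, as an added Python model (not code from the tNAC project or its authors): the stable platform (security kernel and TNC components) is checked by Remote Attestation against reference values a trusted third party certified, so any platform change fails until recertified, while the frequently changing antivirus state is checked by a TNC-style policy threshold, so a signature update does not trigger recertification. The component names, image bytes, policy thresholds and the hash-based stand-in for a TPM-anchored measurement are all constructed assumptions.

```python
"""Model of combining Remote Attestation (stable platform) with a TNC-style
policy check (frequently changing applications). Added example; all names,
images and thresholds are constructed, not the tNAC project's own values."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


def measure(component: str, image: bytes) -> str:
    """Stand-in for a TPM-anchored measurement: hash over name and image."""
    return hashlib.sha256(component.encode() + b"\x00" + image).hexdigest()


@dataclass
class Certificate:
    """Reference measurements certified by the trusted third party."""
    platform_measurements: dict[str, str]


@dataclass
class Endpoint:
    """State reported by the connecting computer system (constructed)."""
    platform: dict[str, bytes]       # component -> loaded image
    applications: dict[str, dict]    # app -> frequently changing state


def certify(platform: dict[str, bytes]) -> Certificate:
    """Third-party certification of the platform's current measurements."""
    return Certificate({n: measure(n, img) for n, img in platform.items()})


def remote_attestation(endpoint: Endpoint, cert: Certificate) -> tuple[bool, list[str]]:
    """Fails on ANY deviation from the certified platform, which is why this
    check is reserved for the stable part: a change means recertification."""
    failures = [name for name, expected in cert.platform_measurements.items()
                if measure(name, endpoint.platform.get(name, b"")) != expected]
    # components loaded on the endpoint that the certificate never covered
    failures.extend(sorted(set(endpoint.platform) - set(cert.platform_measurements)))
    return (not failures, failures)


def tnc_check(endpoint: Endpoint, policy: dict[str, dict]) -> tuple[bool, list[str]]:
    """TNC-style policy: thresholds on state that may change many times a
    day, so an update by itself does not block access."""
    failures = []
    for app, rules in policy.items():
        state = endpoint.applications.get(app)
        if state is None:
            failures.append(f"{app}: missing")
            continue
        if rules.get("enabled") and not state.get("enabled"):
            failures.append(f"{app}: disabled")
        min_ver = rules.get("min_signature_version")
        if min_ver is not None and state.get("signature_version", 0) < min_ver:
            failures.append(f"{app}: signatures too old")
    return (not failures, failures)


def access_decision(endpoint: Endpoint, cert: Certificate, policy: dict[str, dict]) -> dict:
    """Combined decision: attested platform AND TNC policy must both pass."""
    att_ok, att_failures = remote_attestation(endpoint, cert)
    tnc_ok, tnc_failures = tnc_check(endpoint, policy)
    return {"granted": att_ok and tnc_ok,
            "attestation_failures": att_failures,
            "tnc_failures": tnc_failures}


# Constructed sample platform and access policy
SAMPLE_PLATFORM = {
    "security_kernel": b"security-kernel image 1.0 (constructed)",
    "tnc_client": b"tnc client image 1.0 (constructed)",
}
SAMPLE_POLICY = {"antivirus": {"enabled": True, "min_signature_version": 4000}}


def demo() -> dict[str, dict]:
    cert = certify(SAMPLE_PLATFORM)
    # 1. Antivirus signatures updated since certification: granted, because
    #    the attested platform is unchanged and the policy threshold is met.
    updated_av = Endpoint(dict(SAMPLE_PLATFORM),
                          {"antivirus": {"enabled": True, "signature_version": 4125}})
    # 2. Security kernel image differs from the certified one (patched or
    #    tampered): attestation fails until the platform is recertified.
    changed = dict(SAMPLE_PLATFORM)
    changed["security_kernel"] = b"security-kernel image 1.1 (constructed)"
    modified_kernel = Endpoint(changed,
                               {"antivirus": {"enabled": True, "signature_version": 4125}})
    # 3. Platform intact but antivirus signatures stale: TNC policy fails.
    stale = Endpoint(dict(SAMPLE_PLATFORM),
                     {"antivirus": {"enabled": True, "signature_version": 3800}})
    return {
        "updated_av": access_decision(updated_av, cert, SAMPLE_POLICY),
        "modified_kernel": access_decision(modified_kernel, cert, SAMPLE_POLICY),
        "old_signatures": access_decision(stale, cert, SAMPLE_POLICY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} granted={result['granted']} "
              f"attestation={result['attestation_failures']} tnc={result['tnc_failures']}")
```

The point of keeping the two checks separate is visible in the first two scenarios: the same antivirus update that would force a recertification under attestation alone passes the TNC threshold unchanged, while a modified kernel is refused regardless of how current the antivirus is. In a real deployment the measurement would be anchored in a TPM rather than a plain hash, and the certificate would be issued and revoked by the third party rather than built locally.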

ENISA wishes to thank all the contributors to the publication. Please remember that all contributions reflect the views of their authors only, and are not in any way endorsed by the European Network and Information Security Agency. ENISA assumes no responsibility for any damages that may result from use of the publication contents or from errors therein.

The ENISA Quarterly Review is published once each quarter. You can find information about the ENISA Quarterly Review, including back issues and subscription information, on the EQR pages on the ENISA website: www.enisa.europa.eu/publications/eqr

Editor-in-Chief, Panagiotis Trimintzios: eq-editor@enisa.europa.eu

More about ENISA
For the latest information about ENISA, check out our website at: www.enisa.europa.eu.

European Communities, 2009
Reproduction is authorised provided the source is acknowledged.
