IN THIS EDITION
Telecommunications 11
Technologies 22
A Secure Approach for Embedded Systems in Japan 22
tNAC: trusted Network Access Control 23
ISSN 1830-3609
Andrea Pirotti

providing a good return on investment. But it is the individual members of the ENISA team themselves who have gone the extra mile and consistently delivered diligent and professional service.
Panagiotis Trimintzios

We received positive feedback to the last edition of EQR where we introduced a new structure with multiple thematic areas. So in this issue we continue this new strategy, which is made possible by the increased number and quality of your submissions. In this edition we have contributions in six thematic areas of Network and Information Security (NIS):
• Resilience and Information Sharing
• Critical Information Infrastructure Protection (CIIP)
• Emerging and Future Risks
• Skills and Certifications
• Awareness and End-user Issues
• Technologies

Anne-Marie Eklund Löwinder opens with a discussion of the challenges for the future in achieving a resilient Internet Infrastructure, focusing on the Domain Name System, IPv6 and resilient network design. Natalija Gelvanovska and Rytis Rainys then present the main results from a survey in Lithuania which looked at the reliability of the country’s Internet infrastructure, including the interconnection points and the international gateways. In their article, John Harrison and Andrea Rigoni contrast three EU projects in the area of Trusted Information Sharing, including the ENISA Good Practice Guide on Information Security Exchanges.

In the area of Critical Infrastructure Protection we have two articles. The first, by Hannu Sivonen, looks at the lessons learned from the Finnish Public Private Partnership (PPP) for CIIP, a very important subject as PPPs for CIIP are on the agenda of the European Institutions (see the recent Communication by the

ENISA’s recent work under the umbrella of the Emerging and Future Risks (EFR) programme on the risks in an eHealth scenario is summarised by Barbara Daskala, Louis Marinos and David Wright.

Sotiris Ioannidis and his co-authors present the different dimensions that exist when one looks at emerging risks and future threats in ICT infrastructures, as identified in the EU-funded project FORWARD.

An area ENISA plans to explore more closely in the future is NIS skills and knowledge certification. Hugo Lueders discusses the cost of ignorance when it comes to (lack of) cyber-security skills. Penetration testers are specially trained NIS experts who can test the security of systems and enterprises, in the manner of ‘ethical hackers’. Peter Fagan and Peter Fischer help us to get to know a little better what a penetration tester can do, and they describe the relevant certification schemes. On a similar theme, Petra Barzin presents another (see also EQR vol. 4 no. 4 Dec 2008, p. 5) new qualification scheme intended to guarantee different levels of security knowledge skills for software engineers.

A related topic is the awareness – or lack of it – of end-users when it comes to NIS issues. Steven Furnell elaborates on the subject based on the findings of a study of home-users, and emphasises the importance of increased usability coupled with effective awareness raising. Ilkka and Leena Norros present the results from two projects in Finland that looked at the criticality of human factors in network resilience and security.

In the area of NIS technologies, Hideaki Kobayashi and his co-authors from the IPA Information Technology Agency, Japan, present a number of challenges as well as the measures which could be taken to create more secure embedded systems,

We are always happy to hear your suggestions and comments on how to improve EQR. Please continue sending us feedback and, of course, your articles.

Enjoy reading.

Dr. Panagiotis Trimintzios is an Expert at ENISA responsible for Relations with Stakeholders.

20-21 October
SECURE is the oldest IT security conference in Poland. Every year it considers current issues concerning the security of IT systems and networks. The conference is aimed at senior managers, technical experts and policy- and decision-makers with overall responsibility for security.

The main topic this year will be responsible Internet traffic filtering related to the most dangerous Internet threats, as well as blocking illegal Internet content resources.

The conference celebrations will be held under the honorary patronage of Prof. Barbara Kudrycka, Minister of Science and Higher Education, and Grzegorz Schetyna, Deputy Prime Minister and Minister of Internal Affairs and Administration.

SECURE 2009 is organised by the CERT Polska team, acting within NASK, and is a joint event supported by ENISA. It takes place in Warsaw, Poland.

More information: http://secure.edu.pl/en/index.html
NEISAS – A National and European Information Sharing & Alerting System

NEISAS is a new European Commission (EC) funded project, which some are calling ‘WARPs across Europe’ (WARPs – Warning, Advice and Reporting Points, a trusted

The event is organised by INTECO (the National Institute for Telecommunications Technologies), which is part of the Spanish Ministry of Industry, Tourism and Trade. This is a joint event supported by ENISA and takes place in León, Spain.

For more information: https://enise.inteco.es/en
Security of supply
In Finland Critical Information Infrastructure Protection (CIIP) is seen within the larger context of security of supply. In Finnish legislation, security of supply is defined as the security of the livelihood of the population, the continuity of vital economic activity and the functioning of the infrastructure in normal conditions, during serious disturbances and exceptional circumstances. The markets usually provide security of supply, but special arrangements are sometimes needed.

Public-Private Partnership
A Public-Private Partnership (PPP) for the security of supply in Finland was started in 1955. Right from the outset the principle has been to gather together around the same table the representatives of state administration and the companies that provide vital products and services to society. The companies come voluntarily, and are equal partners with the administration. They have a common interest: to make sure that the flow of goods and services continues without interruption through serious disturbances such as a heavy storm, epidemic or commercial conflict, but also nowadays through cyber-attacks and, in extreme cases, an armed conflict.

The partnership organisation has grown since 1955 and has been modernised. The organisation and the issues to be considered have followed the development of the economy and technology. Both the legal framework for security of supply and the partnership have been updated several times, most recently in 2008.

Critical infrastructure vs. critical production
Today, the security of supply is divided into two areas: security of critical infrastructure and security of critical production.

An important part of critical infrastructure is the critical information infrastructure, in other words, electronic information and communication systems, which include data networks and systems, mass communication and financial systems.

Tools for securing the supply
In order to secure supply, there are several tools available to the Government and the industrial actors; international agreements, legislation and possible regulation provide the framework for security of supply, and thus for CIIP and, more generally, for Critical Infrastructure Protection (CIP). The Government’s economic and industrial policy takes into consideration the requirements of security of supply. A vital tool is the partnership organisation.

A network of leading experts
Securing supply in Finland has been organised as a comprehensive co-operative network, the National Emergency Supply Organisation. The participants are the various sectors of the public administration and business, as well as branch organisations. The network of committees consists of more than 1000 leading experts.

The partnership organisation exchanges information within sectors and across sectors, monitors the business environment and threats to it, supports individual business continuity management, arranges exercises and carries out surveys, research and development projects with the help of consultants and academia.

The PPP organisation
The National Emergency Supply Organisation (NESO) consists of a strategic level Council for Security of Supply and Infrastructure (CSSI), a planning committee network (Clusters and Pools) and an executive National Emergency Supply Agency (NESA) under the Ministry of Employment and the Economy. There are six NESO Clusters and 24 Pools. Their tasks are to analyse threats against the country’s security of supply, including the ICT infrastructure, to plan measures to control these threats, and to promote continuity planning in individual industrial sites. The Pools have 2000 member enterprises.

Funding the partnership and protection measures
NESA manages the National Emergency Supply Fund which is outside the state budget. The PPP members are not paid for their time, but NESA finances the exercises and the permanent secretaries of the Pools.

The NESA Fund also finances stockpiles for oil and medical products, as well as selected redundancy and protection measures for the critical information infrastructure.
ENISA Quarterly Review Vol. 5, No. 2, June 2009, page 10
Legal framework for CIIP
An important part of the legal framework for CIIP is the Communications Market Act, which obliges communications operators to ensure the functioning of their services at all times, including in exceptional situations and in times of crisis. The act gives the telecommunications operators a right of compensation from the NESA fund if the expenses incurred through such preparatory measures are significant, or if the measures have been ordered by the Ministry of Transport and Communications.

Similar legal obligations do not exist for IT systems services, but NESA finances selected protection measures.

CERT-FI in co-operation with CI enterprises
CERT-FI is the Finnish national Computer Emergency Response Team. It is a part of the Finnish Communications Regulatory Authority (FICORA) under the Ministry of Transport and Communications. CERT-FI promotes security in the information society by preventing, observing and solving information security incidents, and disseminating information on threats to information security.

CERT-FI also provides a special service for critical infrastructure actors. This includes 24/7 incident warning and solving, via SMS and the VIRVE/TETRA public authority mobile telephone network, personal advising and focused product vulnerability warnings.

PPP portal
NESA will be launching a secure partnership system portal early in 2010. The portal will be a forum for information exchange among the partners. It will include a self-assessment tool to check the maturity of business continuity management in each organisation. National maturity reports will be available for each industrial sector, although the assessments of individual companies will be kept confidential. The reporting will also provide benchmarking for the individual partners.

The 5-level maturity model used is taken from the Capability Maturity Model Integrated (CMMI) developed by the Software Engineering Institute at Carnegie Mellon University. The 5-level maturity description set covers numerous items ranging from strategic management, personnel management and ICT management to sector-specific process continuity management. The descriptions

19-20 November
Infosek 2009 is a two-day conference held jointly in co-operation with ENISA. Traditionally organised at the end of November in Nova Gorica, Slovenia, INFOSEK is recognised as a unique expert conference and a key Slovenian event. It serves as an ideal learning opportunity for all involved in information security, enabling them to keep up with the fast-paced environment of facilities security, information protection, privacy and regulatory compliance.

Led by security experts from a variety of industries from Slovenia and abroad, INFOSEK 2009 offers insight into the importance of information security to an organisation’s success and indeed survival.

More information: www.infosek.net/
Funding of any solutions will remain a key issue. If motivation and finance were available at an EU or Member State level, funding could be found to provide standby power for locations which are deemed to be of importance to the Critical National Infrastructure, and this could be either in the form of capital or operational funding, possibly both.

Customer premises level
Power resilience at the customer premises level will always be the responsibility of the customer and not the CSP or the national government. In cases of shared accommodation, provision of resilient power for both mobile phone or WiFi service would rest with the landlord who might offer this to tenants who would have the final choice in whether or not to invest in this.

Energy networks
On the other side of the coin, the energy industry itself also makes considerable use of electronic communications in three areas:
• the transmission of energy network status information from network components and locations back to regional and national monitoring and control centres
• the transmission of commands to alter the configuration of key network components in the reverse direction
• the exchange of information, requests or instructions between those centres and the operational staff who may either have to report on network component status or carry out physical configuration changes in cases where other methods cannot be used.

energy industry’s confidence in the resilience of its electronic communications infrastructure can be maintained.

Conclusions
Many domestic and commercial customers take the basic fixed line telephone service for granted and, as long as power can be supplied to the core network and the local serving exchange, service will continue to be delivered to the customer premises. But the telephone handset will only continue to function if it takes power from the telephone line rather than from the local electricity supply. More needs to be done in educating customers in the constraints of energy supply with respect to ICT in domestic and commercial premises.

While responsibility for the provision of the power resilience of core networks rests with the CSPs and that for the customer premises rests with the customer, the middle ground is where both challenge and opportunity lie.

There needs to be closer co-operation between the energy and electronic communications industries to ensure the continued resilience of both types of infrastructure at key installations.

In July 2009, the UK’s Institute for Public Policy Research published a document entitled ‘Shared Responsibilities’ in which it speaks of investment by the energy industry in helping to resolve the problem, but it is clear that this will not work in isolation – solutions must be through joint working relationships between the EU, Member State governments, the energy industry and CSPs and their respective regulators, which will provide for cost-effective solutions for all concerned, using alternative technologies and innovative approaches where appropriate.

A first step in this is already underway in the form of a project managed by the Italian National Agency for New Technologies, Energy and the Environment (ENEA) and entitled ‘The Methodology for Interdependencies Assessment’ (MIA). The ultimate goal of this will be to provide both the energy and electronic communications industries with a methodology and metrics to determine interdependencies in their networks.

The real challenges will come later, as the focus turns to the identification of practical solutions, funding and implementation.

David Sutton (davidwsutton@mac.com) is the Network Continuity & Restoration Manager for Telefónica O2 UK Limited.
Discrimination, social sorting and social exclusion – The disclosure of medical and personal data may lead to discrimination and social sorting, which may have severe impacts on the patient’s social life. This is particularly the case where data regarding the patient’s medical condition is leaked to third parties which may, as a result, deny services to the individual or otherwise discriminate against him or her. An example is loss of employment opportunities if data are leaked to a prospective employer. Another example is the case of insurance companies offering premiums to customers who belong to low risk groups, or denying insurance coverage or requesting higher insurance payments if the patient is considered a high risk because of disease records.

Misinterpretation or errors in collecting and handling medical data – A patient may misinterpret the data generated from a monitoring device or from the eHealth system or the physician. Not every user is computer literate or even endowed with common sense! The data may be too complex or incomplete for the patient to understand properly. This risk will become greater if more responsibility for maintaining their own monitoring equipment is shifted to patients.

Data surveillance and profiling – Insurance companies, employers, credit-checking companies, researchers and/or others may successfully engage in data surveillance and profiling because patients’ data have not been secured sufficiently or because access control measures are weak or too ‘porous’. A part of the problem here is the incidental data that might be gathered from the sensors: for example, knowing the location of the patient in an emergency is critical, yet others, such as law enforcement authorities or burglars, might also be interested in knowing the location of a person at a given time. As with any form of data collection, it is difficult to predict what uses or value data might have after it has been collected.

For more information on the risks and the actual methodology used to perform the assessment and identify risks, see the full report and annexes available at: http://enisa.europa.eu/pages/02_01_press_2009_03_20_being_diabetic_2011.html. This scenario is the first of several which ENISA intends to develop in the near future, in consultation with stakeholders, as part of its mandate to identify and analyse emerging and future risks relating to European information security.

Barbara Daskala (barbara.daskala@enisa.europa.eu) is an Expert in ENISA’s Risk Analysis and Management section.

Dr. Louis Marinos (louis.marinos@enisa.europa.eu) is a Senior Expert in ENISA’s Risk Analysis and Management section.

David Wright (david.wright@trilateralresearch.com) is a Managing Partner at Trilateral Research & Consulting LLP, London, UK.

ETSI SECURITY WORKSHOP
20-22 January 2010
Call for Papers and Participation

The ETSI Security Workshop (www.etsi.org/SECURITYWORKSHOP) has become the most important annual international security standardisation workshop, bringing together international Standards Development Organisations (SDOs) and security experts to discuss recent developments, share knowledge, identify gaps and co-ordinate on future actions and work areas. This year’s Workshop will include overviews of work being undertaken in the area of security across standards and technical bodies, along with presentations from major organisations involved in security initiatives. The event will take place in ETSI Headquarters in Sophia Antipolis, France, from 20-22 January 2010.

ETSI is now calling for papers!
Please send a short abstract of your presentation to events@etsi.org, together with the title of the presentation, the name and contact details of the presenter and the topic of reference as listed below by 9 October 2009.

The Workshop would welcome papers on practical implementations and issues such as the practical use of standards, the human factors and examples of insecurity. In particular this year the presentations should mainly have a focus on Security Innovation in one of the following topics: Next Generation Networks security, Mobile Telecommunications systems, ICT trustworthiness and integrity, Research and Innovation, RFID and NFC Security issues, the Internet of Things, Identity Management and your Privacy, Cryptography, Smart Cards and future trends, Quantum Key Distribution, Machine to Machine communication, Standards prioritisation and evaluation.

For updates about ETSI events, join the recently created ETSI-Events mailing list at: http://list.etsi.org/scripts/wa.exe?SUBED1=ETSI-EVENTS

6-8 October 2009
The Hague, The Netherlands

ISSE (Information Security Solutions Europe) is Europe’s only independent, interdisciplinary security conference and exhibition.

ISSE is renowned for its rich content and unbiased perspective, designed to educate and inform ICT security professionals, policy-makers and industry leaders on the latest developments in technology, solutions, market trends and best practice. ISSE 2009 will attract over 400 representatives from across Europe, providing an informal and stimulating environment for attendees to learn, share experiences and explore solutions with their European counterparts.

ISSE 2009 is a joint event co-organised with ENISA.

For more information: www.isse.eu.com/
The whole issue of helping to protect Europe from large-scale cyber-attacks such as those in 2007-2008 on Estonia, Georgia and Lithuania has acquired a new urgency recently. In Europe, Viviane Reding, the European Union (EU) Commissioner for Information Society and Media, called for action with a top person in charge (a European Cyber Security Chief), and in the US President Barack Obama and the Pentagon have asked for a new ‘Cyber Czar’ to combat the growing threat to America’s military and corporate security posed by cyber-crime.

But is the same importance being attached to developing the required human capacity, cyber-security training and skills to combat this threat to the digital backbone of Europe’s economy and society?

Cyber-crime has now reportedly surpassed drugs in terms of the amount of illegal revenue – hundreds of billions of Euros – it nets. The European Commission also calculates that there is “a 10% to 20% probability that telecom networks will be hit by a major breakdown in the next 10 years with a potential global economic cost of around €193 billion”, according to its recent Communication on Critical Information Infrastructure Protection (CIIP), (http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm).

A recent industry survey also finds that this human factor tops the list of the main security risks which increase costs to businesses and public organisations; data suggests security breaches cost companies in the US alone in excess of some €12 billion annually and probably significantly more (www.industryweek.com/articles/end_user_it_security_training_can_save_billions_19133.aspx?SectionID=2).

It is not as if European policy-makers are unaware of these challenges. But the EU risks overlooking the human capacity challenge and has made little or no appropriate, co-ordinated response to the need to develop cyber-security skills. After all, ENISA itself organised a seminar on cyber-security skills credentials as long ago as November 2006. Almost three years later, at the April 2009 meeting of EU Ministers on CIIP in Tallinn (www.tallinnciip.eu/), the skills challenge and growing shortages went unmentioned again, although they are central to the issue of cyber-crime and security and the post i-2010 Lisbon strategy for the knowledge-based economy.

Clearly, there is a pressing need to re-skill the EU workforce for the new digital economy. This means giving distinct roles to: governments (in fostering an environment which enables ICT skills to be acquired); education (providing relevant learning packages); and the industry itself (encouraging its staff to demand requirements). We urgently need to put into practice long-standing proposals for implementing a long-term and consistent e-skills agenda and for establishing multi-stakeholder partnerships to drive it forward. No single stakeholder can achieve this alone any longer.

This much is agreed: as well as delivering crucial investment in ICT infrastructures to promote economic and social development, Europe should clearly focus on human capacity building and accompanying investment in related ‘Skills Infrastructures’ (see the May 2009 ILB Policy Statement on “Skills Infrastructures”: www.e-skills-ilb.org/docs/Skills_Infrastructures_ILB_Policy_Statement_13May.pdf). Developing skills goes with investment. To this end there should be a concerted effort to improve the image of ICT industries through a continuous awareness-raising campaign (for the envisaged EC e-Skills Awareness Campaign 2010, see: www.eicta.org/index.php?id=34&id_article=344).

On the specific issue of cyber-crime, enhanced support should be given to industry-based and other recognised ICT skills credentials for cyber-security qualifications and the spread of higher education courses in forensic computing. All EU Member States should have Computer Emergency Response Teams (CERTs) to integrate related training and qualifications to ward off cyber-attacks.

The problem of network and information security will not go away; it will only grow in urgency and intensity. Europe needs to raise its game in addressing the threat that a lack of cyber-security skills – especially e-skills – poses to its ability to combat cyber-attacks.

Hugo Lueders (HLueders@comptia.org) is the Senior Director of Public Policy at COMPTIA, responsible for Europe Middle-East and Asia (EMEA).
ENISA Quarterly Review Vol. 5, No. 3, September 2009, page 17
However, the term ‘penetration testing’ is used loosely to cover many different activities. These include:

• Social Engineering – There are inevitably ‘touch points’ where users interact with system administration staff (dealing with lost passwords, application problems etc.). Although the term ‘social engineering’ itself covers a lot of ground, usually it is based on trying to exploit these touch points to gain unauthorised access. Tests assess staff awareness of threats and information sensitivity, and the strength of the processes governing the interaction.

• A Network/Systems Test – This is the usual interpretation of a ‘penetration test’. The testers look at the switches, routers, firewalls, servers etc., inspecting their configurations for weaknesses (e.g., inappropriate access control lists), checking for the latest patches to eradicate known vulnerabilities and looking for specific issues such as weak passwords. These tests can also be extended or constrained to specific aspects such as the use of Voice over Internet Protocol (VoIP) or wireless networks. A successful check will provide confidence that the underlying network infrastructure is well-configured, and will identify any residual weaknesses. However, for a system of any significant size, it is usually better to base the approach on sampling.

• An Application Test – Web-based systems clearly have to accept web traffic to function. In this case, the ‘doorways’ for the traffic represent unavoidable vulnerabilities. An application test will check that these openings are only as wide as they need to be. Typically this will ensure that common browser-based attacks are blocked, that ‘man in the middle’ threats are managed, that Simple Object Access Protocol interfaces (SOAP) and Application Programming Interfaces (APIs) are secure, that any tokens (such as cookies or Security Assertion Markup Language (SAML) tokens) are passed in a secure way, and that, for example, Extensible Markup Language (XML)-based attacks are prevented.

• A Network Device Test – This is the test of the configuration on a single network device such as a router or a firewall. It is unusual, because of the expense of arranging the tests for just a single machine, but sometimes it is necessary (e.g., when a firewall has been replaced or to confirm that a heuristic device such as a web application firewall has ‘learned’ correctly).

There is a fundamental and important difference between an aggressive penetration test – executing scripts to test whether a vulnerability can be exploited – and a vulnerability assessment – checking for known vulnerabilities. Unless absolutely essential, aggressive penetration testing of live operational systems should be avoided; it is safer to test a reference or development system.

The field of penetration testing continues to evolve. One emerging approach is to identify the key assets of the system (the user database, the database schema, key credentials etc.), and ask the penetration testing team how they would use access to that asset in order to attack the system. Not only does that identify key assets requiring specific protection, it can also assist with incident handling.

The first lesson from this discussion is that penetration tests, vulnerability assessments or IT Health Checks (all are used to cover roughly the same types of activity) need to be defined and managed, and must have clear objectives. All too often ‘Someone in Authority’ deems that a penetration test would be a ‘good thing’ and someone else is tasked with ensuring that one is commissioned. That individual might have no idea of what a penetration test is, how it should be specified, what precautions should be taken or what to expect. In other words, he or she represents the perfect example of an unintelligent, ill-informed customer!

Additionally, the project or system manager of the ‘target’ might have no knowledge or experience of such a test and be totally unprepared for what is involved and what might happen. The result could be misunderstanding, confusion, disaster and, inevitably, recriminations. In the worst case the value of a penetration test could be completely overshadowed by the problems caused, to such an extent that ‘management’ bans further tests.

Scoping normally takes place during an initial meeting involving the organisation commissioning the tests and the party performing the tests. It is essential at this meeting to define the types of tests required, with their scope and related boundaries.

There have been a number of cases reported where public and private sector systems, usually web portals, have been ‘attacked’ by so-called penetration testers exceeding the boundaries of their test targets. This suggests not only poor management of the process, but also a degree of incompetence by the testers.

So, how does the organisation know whether a testing company or individual is competent? For many years CESG, the UK Government National Technical Authority for Information Assurance, has operated a scheme – CHECK – which independently assures companies and senior level vulnerability assessment testers (using the CHECK Team Leaders (CTL) standard) for the purpose of undertaking penetration tests and IT Health checks against systems and networks which process UK Classified information. Recently, two schemes have emerged which assess testers to a standard evaluated by CESG as equivalent to their CTL assessment – the CHECK ‘Assault Course’. One of these two schemes is run by the Council for Registered Ethical Security Testers (CREST); the other is the TIGER Scheme.

All three schemes – CHECK, CREST and TIGER – recognise the need to ensure that testers maintain their knowledge base. This is a dynamic area where the scene is constantly changing. Consequently the certification offered by each scheme has a lifespan of only three years, following which the tester must be reassessed.

The TIGER scheme model is particularly appropriate for providing development and training for security testers throughout their career, and can be replicated across the European Community. There are four levels of certification – Associate, Qualified, Senior and Specialist – each supported by training courses, and each achieved by passing an assessment that is set and marked by a recognised academic Examining Body, currently the University of Glamorgan. The scheme also has a number of approved Training Partners, and a specific IT Health Check Management course aimed at individuals in organisations procuring such tests. More information can be found at www.tigerscheme.org.

Information on CHECK can be found at www.cesg.gov.uk and on CREST at www.crest-approved.org.

Peter Fagan (p.fagan@ukonline.co.uk) is a Solutions Director and Head of Security Practice at Sogeti UK Ltd and one of the initial members of the CESG Listed Adviser Scheme (CLAS).

Peter Fischer (peter.fischer@btinternet.com) is a Managing Consultant at Sogeti UK Ltd, a Lecturer in Information Assurance at the UK National School of Government, an ENISA Independent Expert and a former Head of Information Assurance and Certification Services at CESG.
ISSECO deals with the education of people involved in the software development lifecycle. This new personnel certification is aimed at everyone who is directly involved in the software development lifecycle, including requirements engineers, software architects, designers, developers, software quality managers, software testers, project managers and all related software development stakeholders.

The creation of secure coding requires an understanding of which programming errors lead to vulnerabilities such as Cross Site Scripting (XSS) or injection flaws. All vulnerabilities are introduced by so-called vulnerability patterns, e.g., buffer overflow, race conditions or improper error handling. Certified Professionals for Secure Software Engineering must be able to identify, avoid and remedy all of them.
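Two of the vulnerability patterns named above, an injection flaw and improper error handling, are easiest to recognise when the defective code sits beside its remedy. The following is an added example, not code from the ISSECO scheme or from this article: a user lookup written with both patterns, the remedied version, and a constructed in-memory SQLite table to run them against (the `users` table, `make_db` and `demo` are assumptions made for the example).

```python
"""Added example (not from ISSECO or the article): an injection flaw and
improper error handling shown as the defect and its remedy.
All data here is constructed sample data."""
import sqlite3


def make_db():
    """Constructed in-memory sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerability pattern 1 (injection flaw): untrusted input is pasted
    into the query text, so the input can change the query's structure.
    Vulnerability pattern 2 (improper error handling): the blanket except
    swallows every database error and reports an empty result instead."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except Exception:
        return []


def lookup_remedied(conn, name):
    """Remedy: the parameterised query keeps the input as data, a length
    and type check rejects obviously malformed names up front, and database
    errors propagate to the caller rather than being hidden."""
    if not isinstance(name, str) or len(name) > 64:
        raise ValueError("name must be a string of at most 64 characters")
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both versions on a normal name and on a constructed input that
    closes the quote and appends an always-true condition, and report how
    many rows each version returns."""
    conn = make_db()
    crafted = "nobody' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, crafted)),
        "remedied_rows": len(lookup_remedied(conn, crafted)),
        "normal_rows": len(lookup_remedied(conn, "alice")),
    }


if __name__ == "__main__":
    # Expected: the vulnerable version returns every row for the crafted
    # input, the remedied version returns none, and a real name returns one.
    print(demo())
```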
measures installed, whereas 95% actually did, and 83% claimed to have antispyware, with 82% indeed having the protection. However, in other cases the situation was rather less encouraging. For example, 81% believed they had firewall protection, but only 58% actually had one appropriately installed, updated and enabled. Meanwhile, 75% thought they had anti-spam protection, whereas only 42% actually did so. Of course, with the prevalence of malware and other online attacks, it could be argued that all of the respondents should have had antivirus, antispyware and firewall protection. As such, the fact that some users were still knowingly unprotected presents further evidence of a lack of understanding and/or neglect.

These findings emphasise the importance of usability being supported by effective awareness raising, in order to build an underlying culture of security amongst the user population. This applies to both individuals and the organisations in which they work, and would help to ensure that users are better equipped to understand the reasons that they are at risk and the protection that they require as a consequence. These objectives will only be achieved via continued efforts to reach the target audience, and by achieving a better understanding of which approaches are successful in which contexts. In this respect, activities such as those of the ENISA Awareness Raising Section are important in highlighting and sharing good practice, as well as potentially feeding back into initiatives for supporting security awareness at both national and local levels.

Prof. Steven Furnell (steven.furnell@plymouth.ac.uk) leads the Centre for Security, Communications & Network Research at the University of Plymouth, UK.
TECHNOLOGIES
A Secure Approach for Embedded Systems in Japan
Hideaki Kobayashi, Manabu Nakano and Tomoka Hasegawa