Securing the Future: Device & Service Security

Stephen Hope, FT R&D UK Ltdon behalf ofNigel Jefferies, VodafoneChair of Core 4 Security Industry Steering Group

The Increasing Importance of SecuritySecurity has featured as a growing element in previous Core programmesCore 1 no work on securityCore 2 agent security Core 3 security for the Personal Distributed Environment and for Interworked Networks

Strong industrial wish for a dedicated work area Reflecting the recognition of Increasingly open terminals (Java, Smartphones)Increasing internetworkingAnd, hence, increasing vulnerability and importance

The Challenge of Consumer PrivacyA Future of Ubiquitous Personal Services enabled by Wireless poses new challenges

Successful services must deliver user confidenceIf the user feels threatened, he wont use them Potential threats to users?Context and behaviourAwareness and concern, regulationCriminal threatsSolutionsModify protocolsControl gathering of informationManagement process, audit

The Challenge of the Enterprise

Traditional perimeter techniques no longer sufficeWLAN, BT, Cellular, Ad Hoc create holes in the wall Systems are needed that detect and react, not just preventNeed to integrate intrusion detection with dynamic adaptation of the system

Contact with the Jericho Forum The Jericho Forum is an Industry body comprising enterprise users across finance, aerospace, pharmaceutical, etc sectors, and the IT industry suppliers to these sectorscurrently lacks significant involvement from the telcos which provide the connectivity between enterprises and to their staffThey see de-perimeterization as already happeningSupport research work in this area

The Challenge of Establishing Trust

The Challenge of Establishing TrustWhat do we mean by trust?The network operator demonstrates trust when he allows a device to access to his networkThe user demonstrates trust when he accesses a service or downloads software or content

Changes as we move to future How do we establish trust in dynamic, ad hoc, networks ?There exists a lack of established trust hierarchiesNeed to establish trust when delivering new ubiquitous services across heterogeneous networks owned by third parties over which an operator may have minimal control

Programme StructureProgramme StructureExploring funding options with both DTI and EPSRCHave raised issues with Cyber Security KTN

Privacy and Trust AssuranceOvercome obstacles preventing full realisation of the possibilities of wireless systemsFuture device relationships will be considerably more complex and dynamic, including ad hoc peer-to-peer, as well as client-serverUser privacy concerns and regulatory issuesEnabling mobile users to enjoy the benefits of ubiquitous services that meet their requirements for privacy

ApproachManagement of multiple user 'identitiesMaintenance of user privacyEstablishment of trust relationships for mobile devices Exploit trusted hardware to help establish inter-device trust

Enterprise SecurityAcknowledge the trend of De-Perimeterisation Network topology is dynamic with wirelessNo interior Ad Hoc, Peer-to-PeerCentralized IDSs are no longer adequate

ApproachDevelop innovative functionality to enable IDSs to be deployed and managed across corporate networks incorporating dynamic and mobile wireless componentsBuild upon security concepts developed for the Personal Distributed Environment

Securing the FuturePCs todayComputer vulnerabilities & attacks increasing rapidly

Source: CERT/CC http://www.cert.orgDue to: Increasing interconnectedness & user mobilityRapid increase in vulnerabilities being discovered, arising from increasing complexity of the OS & applicationsIncreasingly sophisticated & automation of attack tools

.mobile phones today have the processing power of a PC of 5 years ago

Chart4

171

345

311

262

417

1090

2437

4129

3784

3780

5748

Vulnerabilities Reported

Year

Vulnerabilities Reported

Vulnerabilities

Sheet1

CERT/CC Statistics 1988-2005

Year19951996199719981999200020012002200320042005

Vulnerabilities1713453112624171,0902,4374,1293,7843,7805,748

Source:http://www.cert.org/stats/cert_stats.html#vulnerabilities

Year199519961997199819992000200120022003

Incidents2,4122,5732,1343,7349,85921,75652,65882,094137,529

Sheet1

Vulnerabilities Reported

Year

Vulnerabilities Reported

Vulnerabilities

Sheet2

Incidents Reported

Year

Incidents Reported

Incidents

Sheet3

Chart5

2412

2573

2134

3734

9859

21756

52658

82094

137529

Incidents Reported

Year

Incidents Reported

Incidents

Sheet1

CERT/CC Statistics 1988-2005

Year19951996199719981999200020012002200320042005

Vulnerabilities1713453112624171,0902,4374,1293,7843,7805,748

Source:http://www.cert.org/stats/cert_stats.html#vulnerabilities

Year199519961997199819992000200120022003

Incidents2,4122,5732,1343,7349,85921,75652,65882,094137,529

Sheet1

Vulnerabilities Reported

Year

Vulnerabilities Reported

Vulnerabilities

Sheet2

Incidents Reported

Year

Incidents Reported

Incidents

Sheet3