ISSE 2013 Securing Electronic Business Processes

Malware infected computer systems can be found with increasing evidence in private and commercial fields of use. Always exposed to the risk of a “Lying End-Point”, an already manipulated security application that pretends to run on a clean computer system, the demand for new security solutions continues to rise. Project iTES (“innovative Trustworthy Endpoint Security”), government-funded by the German Federal Ministry of Education and Research, introduces a new system to enhance security while preserving usability. Based on an existing virtualized system which diversifies the software to a specific form of use, the project aims to develop new sensors to monitor the system dynamically and deliver real-time responses.

An analysis of 6 million accounts showed that 10,000 common passwords would have access to 99.8% of the accounts. When looking at passwords for banking accounts, it can be found that 73% of users shared their online banking password with at least one non-financial site, which means that when the non-banking site gets hacked, the banking account is threatened. And it’s not only about security. According to a recent study conducted by the Ponemon Institute, more than 45% of the online transactions fail “Very Frequently” or “Frequently” due to authentication problems. Passwords do not work, yet no other technologies have been broadly deployed, why is that?

Current alternative technologies require their respective proprietary server technology. The current authentication architecture therefore consists of ’silos’ comprising the authentication method, the related client implementation and the related server technology. Instead of having a competition for better user authentication methods, authentication companies are faced with a battle for the best server technology.

Other current challenges with Authentication include the need for flexibility. Today it is used for electronically initiating high value money transactions and for accessing the personal purchase history in an online bookshop. The security needs are different. The ongoing adoption of mobile devices and the BYOD trend lead to an increasingly heterogeneous authentication landscape. There is no one approach that can meet these diverse requirements.

The FIDO Alliance, a new industry working group, has been founded to define an open, interoperable set of mechanisms that reduce the reliance on passwords.

The paper deals with security analysis of target assets protection in IT systems using federated eID technologies.

The main topic of the analysis is asset protection in a target IT system using federated eID system for IAM (Identity and Access Management), particularly for authentication.

The analysis deals with the well-known federated eID technologies i.e. oAuth, OpenId, SAML, SCIM, WS-federation and WS-trust.

The issue of relationship between target system data channel (data channel between authenticated user and target system) and authentication result of federated eID system (assertion) is analysed.

This article provides a high-level functional and technical overview of the Worldbank’s Toolkit project ’Secure Electronic Identity for Africa’. The Toolkit project was initiated by the Worldbank in 2012, with sponsorship of the French government. Its aim is to provide African nations with a guidebook addressing all required elements to establish a secure electronic identity system in their country. The Toolkit is expected to be publicly announced in 2013. Implementation funding is to be provided through a PPP (Public Private Partnership) including participation from the Worldbank.

The Tookit proposes a mixed ecosystem of government and private sector operators such as MNOs (Mobile Network Operators). It combines elements such as the collaboration of government entities such as a National Identity Register, other registers such as an Election Committee Register and Registers of Births and Deaths, various private Trust Service Providers, and a combination of mobile (e.g. SIM/USIM) and non-mobile (e.g. PKI) technologies as well as biometrics.

This paper presents a Roadmap to a Personalized Identity Management Ecosystem Infrastructure supporting Individualized Digital Identities (INDIs). The INDI ecosystem can enhance privacy by giving individual persons the ability to control with whom they share their identity data and under what conditions, while acting in a private, public or professional capacity themselves or through an authorized proxy. The role of intermediate Operators in a market for privacy-aware identity services offering individual choice is a key concept underpinning the INDI vision and is expected to contribute to the emergence of privacy-sensitive business models that differentiate from current data aggregation practices of commercial actors. The conceptualization and roadmapping was conducted by the GINI-SA project (2010-2012) that presented its outcomes and recommendations towards the main stakeholder communities: Industry, Government and Research. The material contained in the paper was extracted from the deliverables of the GINI-SA project as referenced. The GINI consortium is now engaged with the follow up stage devoted to implementation as its key partners continue to work together under a cooperation agreement aiming to continue promoting the GINI vision and lead to its implementation.

Transparency of data processing is often a requirement for compliance to legislation and/or business requirements. Furthermore, it has recognised as a key privacy principle, for example in the European Data Protection Directive. At the same time, transparency of the data processing should be limited to the users involved in order to minimise the leakage of sensitive business information and privacy of the employees (if any) performing the data processing.

We propose a cryptographic logging solution, making the resulting log data publicly accessible, that can be used by data subjects to gain insight in the data processing that takes place on their personal data, without disclosing any information about data processing on other users’ data. Our proposed solution can handle arbitrary distributed processes, dynamically continuing the logging from one data processor to the next. Committing to the logged data is irrevocable, and will result in log data that can be verified by the data subject, the data processor and a third party with respect to integrity. Moreover, our solution allows data processors to offload storage and interaction with users to dedicated log servers. Finally, we show that our scheme is applicable in practice, providing performance results for a prototype implementation.

EU Financial Intelligence Units (‘FIUs’) have recently started using the Ma³tch technology as additional feature to the existing exchange of information via the FIU.NET decentralised computer network. The authors of the paper analyse this concrete case of data processing as a possible practical implementation of the data protection and data security by design principle. They conclude that the Ma³tch technology can be seen as a valuable example of data protection and data security by design, as it can guarantee its fundamental elements such as data anonymisation, data minimisation and data security. Therefore, it is able not only to improve the exchange of information among FIUs and allow for the data processing in line with the applicable data protection requirements, but also remarkably enhance privacy of related data subjects. At the same time, the case study clearly shows that data protection and data security by design need to be supported and complemented by appropriate organizational and technical procedures to assure that the technology solutions devised to protect privacy will in reality do so.

The Enterprise Security Architecture for Reliable ICT Services (ESARIS) is a reference architecture for protecting ICT services [EvFWB12]. User organizations are enabled to compare offerings and assess risks. ICT service providers receive a comprehensive template for implementing and maintaining all security measures, including those relating to service management. The architecture also introduces a Security Taxonomy on Level 4 of its hierarchy of security standards. This taxonomy is explained in this paper. The structure or organization model assigns security measures to production areas. It considers state-of-the-art service management processes (ITIL) and integrates ICT security management and IT service management. The taxonomy supports division of labor and assignment of responsibility within a large-scale ICT production. The taxonomy is compatible with all types of ICT services and service models since it allows easy identification and selection of the relevant security documentation. The taxonomy is modular and derived from specific criteria. The latter result from challenges in day-to-day business and consider interests and requirements both from user organizations and from ICT service providers.

An electronic signature is always used in a context. In the EU, a lot of emphasis has been placed on legal admissibility of at least qualified signatures, and on standards for technical interoperability of esignatures. The main obstacles to use of esignatures today are probably a lack of mutual understanding of how to use them in a given process (organisational interoperability) and missing specifications on the semantic interpretation (the meaning and implications) of esignatures in the process. A signature policy is a means to specify the conditions for use of esignatures. This paper suggests a framework for specification of practically useful signature policies to simplify interoperability, emphasising that the formation of a single signature policy document for all conditions may not be the best option.

Information Security is becoming the victim of the disruptive change introduced by the latest trends in Information technology: Bring Your Own Device (BYOD), Cloud Computing and Social Networking. Today a corporation’s systems development, and therefore that of its technical security controls, is slipping away from the carefully planned IT strategy.

For the information security professional, this makes for a very challenging management landscape.

This paper outlines the changing dynamics for security governance brought about by the shifts currently taking place in IT technology against the context of the developing expectations coming from our increasingly active policy makers. It offers the first published focus on the EMEA findings of the 2013 (ISC) 2 Workforce Study, citing the experience of 3229 people in the region with responsibility for information security, including analysis for Germany, France and the United Kingdom. Findings confirm the shift in IT:

Survey insights look at the impact of these developments and stresses in the ability to defend and recover from attack. At the light of these results, we will review and comment the various policy proposals currently under discussions in the various EU instances

In recent years many new technologies and techniques have been developed for authenticating individuals attempting to access digital services. Some of these appear to offer new, innovative and flexible ways to improve security, potentially removing the need for relatively expensive hardware devices. We explore some the characteristics of these new methods in relation to the requirements of some example business services. Our intention is not to provide a full or detailed assessment of the methods but rather to provide an initial view which we hope will stimulate further debate.

Cybersecurity practice lags behind cyber technology achievements. Solutions designed to address many problems may and do exist but frequently cannot be broadly deployed due to economic constraints. Whereas security economics focuses on the cost/benefit analysis and supply/demand, we believe that more sophisticated theoretical approaches, such as economic modeling, rarely utilized, would derive greater societal benefits. Unfortunately, today technologists pursuing interesting and elegant solutions have little knowledge of the feasibility for broad deployment of their results and cannot anticipate the influences of other technologies, existing infrastructure, and technology evolution, nor bring the solutions lifecycle into the equation. Additionally, potentially viable solutions are not adopted because the risk perceptions by potential providers and users far outweighs the economic incentives to support introduction/adoption of new best practices and technologies that are not well enough defined. In some cases, there is no alignment with predominant and future business models as well as regulatory and policy requirements.

This paper provides an overview of the economics of security, reviewing work that helped to define economic models for the Internet economy from the 1990s. We bring forward examples of potential use of theoretical economics in defining metrics for emerging technology areas, positioning infrastructure investment, and building real-time response capability as part of software development. These diverse examples help us understand the gaps in current research. Filling these gaps will be instrumental for defining viable economic incentives, economic policies, regulations as well as early-stage technology development approaches, that can speed up commercialization and deployment of new technologies in cybersecurity.

The Chief Information Security Officer (CISO) is facing particular career challenges, being rooted in a quickly changing field where managerial tasks are applied to a highly specialized technical foundation. The objective of this study is to explore individuals’ careers that led them to aspire to and achieve the role.

22 current and former CISOs have been interviewed for this project. One can identify four segments of career patterns, based upon a broad classification into a preference for problem solving or organization building. Orthogonally, one can identify the orientation of the individual’s Psychological Contract towards the employing organization and its representatives, or towards the professional community at large.

Many respondents displayed signs of protean career management in their career history and in the description of their plans going forward. While individuals may not always consciously realize it the need to manage their own career is prominently ingrained in their career philosophy and aspiration. Shared concerns were a requirement for active career management and potentially career limiting decisions.

This study provides a reference framework for security management careers, based on established structural and psychological concepts from the field of career research. Statistically representative analysis and longitudinal studies can be based upon this framework but are not attempted here.

All information security professionals around the globe acknowledge that “everyone is responsible for information security” in a company. This trivial statement looks clever but hides core challenges, ”Who is everyone? How does everyone contribute or challenge information security?”

In our researched project we researched in-depth roles, processes and interaction in the corporate information security, by creating a framework for crystal clear defined roles and its associated security obligations and responsibilities. 20 corporate roles are analyzed from management and security perspective; classical interactions between information security roles leveraging and turning down security are given in case studies. Furthermore we generated structured tasks descriptions of the roles and open the road to the fulfillment of an information security consultants dream by creating Job descriptions including its security responsibilities!

We justified the necessity of defining roles and by introducing benefits of this approach:

Illustrative corporate examples demonstrate the need to supplement traditional corporate information security governance frameworks with roles and responsibilities for all positions.

Browsing the Web is an indispensible tool in everyday business life. On the same PC, which we use for browsing, we work on sensitive data, e.g. personal data or internal business critical information. The immense benefits from using the Web are threatened by the continuously evolving risk of attacks to the browser. These attacks exploit the capabilities of modern browsers and inject malware into the internal network. The protection mechanisms of the browser and the operating system fail short and do not deliver an adequate level of security. In this article we discuss several attempts to secure Web browsing under the aspect of security, Web functionality, usability, efforts and costs, recovery in case of an infection and mobile use.

The status of information security becomes more and more relevant for management representatives. Therefore, the information security function has to provide relevant information in a way business understands. Furthermore, the demand for accurate and timely information about security compliance or key information risks is increasing.

Normally, senior management receives nowadays feedback regarding the information security status based on different heterogeneous ways like internal/external audit reports, self assessment reports, control assessment reports or specific system reporting.

SCM is a tool-based approach that correlates security information from different sources, assesses this information based on relevant controls, enriches the results with business context information, and provides meaningful views to stakeholders for making an informed decision.

The paper describes the methodology for security compliance monitoring as well as technical aspects like an overall architecture. In addition to describing each component in detail, the paper outlines a use case for a complex risk-based control example in the telecommunication industry and how SCM has been used to address this management issue.

Digital Forensics, as a science and part of the forensic sciences, is facing new challenges that may well render established models and practices obsolete. The dimensions of potential digital evidence supports has grown exponentially, be it hard disks in desktop and laptops or solid state memories in mobile devices like smartphones and tablets, even while latency times lag behind. Cloud services are now sources of potential evidence in a vast range of investigations and network traffic also follows a growing trend and in cyber security the necessity of sifting through vast amount of data quickly is now paramount. On a higher level investigations - and intelligence analysis - can profit from sophisticated analysis of such datasets as social network structures, corpora of text to be analysed for authorship and attribution. All of the above highlights the convergence between so-called data science and digital forensics, to tack the fundamental challenge of analyse vast amount of data ("big data") in actionable time while at the same time preserving forensic principles in order for the results to be presented in a court of law. The paper, after introducing digital forensics and data science, explores the challenges above and proceed to propose how techniques and algorithms used in big data analysis can be adapted to the unique context of digital forensics, ranging from the managing of evidence via Map-Reduce to machine learning techniques for triage and analysis of big forensic disk images and network traffic dumps. In the conclusion the paper proposes a model to integrate this new paradigm into established forensic standards and best practices and tries to foresee future trends.

Today, expanding digitalization and networking in many living and working areas is an inexorable process. It concerns infrastructures which are essential for modern societies and thus classified as critical. These infrastructures must be well-secured against erratic behavior. This especially applies to electronic attacks from criminal or foreign organizations. Very critical is electricity in that regard, because many areas depend on power. Through modern process IT and future ICT-based smart grids, energy suppliers are prone to cyber-attacks. In the industrial sectors, on a national level and on an European level there are several regulative and legal activities to be found in order to make information security independent of business hazards and to define the security level by legal acts. For this purpose we have well-defined national and international standards. In particular the ISO/IEC 27000 standard framework has been complemented in the last years by documents regarding industrial sectors e.g. power supply. Everything points to the requirement that some markets and market roles are so important for economic impact that the security level should be reviewed by independent organizations under governmental supervision. In the future many enterprises may have to accept that external audits, certification and frequent recertification is a binding requirement for doing business in critical market roles. Operation permit necessarily requires information security.

Hospitals are indispensable institutions for public healthcare and part of society’s critical infrastructures. The increasing use of information technology and networks creates new dependencies and risks that could affect medical service availability. A systematic analysis of risks associated with IT will help to determine the risks for critical processes caused by IT disruptions or failures.

This paper outlines a practical risk analysis approach with focus on the risks associated with the dependency on hospital IT. The method was developed within the project “Risk analysis hospital IT” (”Risikoanalyse Krankenhaus-IT” - RiKrIT) launched by the Federal Office for Security in Information Technology (BSI), the Federal Office for Civil Protection and Disaster Assistance (BBK), the Senate Department for Health, Environment and Consumer Protection of the State of Berlin, and the Unfallkrankenhaus Berlin (ukb).

Each day many millions of communications take place by means of social media. Communication via social media has not created new behaviour but merely facilitates old behaviour, but due to its characteristics such communication may have in some instances devastating consequences which were not possible prior to the availability of social media. The question arises how should social media usage be governed and more specifically, what role if any the criminal law should full-fill in this regard? For example, when does social media usage amount to abuse and if the communication does amount to abuse, should such conduct be criminalized? The effect such criminalization might have on human rights is but one of the relevant factors that should be considered in this regard. The paper also investigates emergent legal developments pertaining to the criminalization of communication. The topic touches on a variety of issues that necessitate a discussion within a global context as socialization and democratisation of information is becoming an integral part of the global society. Although the discussion emanate from a South African perspective, a legal comparative approach is followed as social media abuse is a global phenomenon affecting various countries.

A significant fraction of Internet-connected computing devices is infected with malware. With the increased connectivity and software extensibility of embedded and industrial devices, this threat is now also relevant for our industrial infrastructure and our personal environments. Since many of these devices interact with remote parties for security-critical or privacy sensitive transactions, it is important to develop security architectures that allow a stakeholder to assess the trustworthiness of a computing device, and that allow such stakeholders to securely execute software on that device. Over the past decade, the security research community has proposed and evaluated such architectures. Important and promising examples are protected software module architectures. These architectures support the secure execution of small protected software modules even on devices that are malware infected. They also make it possible for remote parties to collect trust evidence about a device; the remote party can use the security architecture to collect measurements that give assurance that the device is in a trustworthy state.

In this paper we outline the essential ideas behind this promising recent line of security research, and report on our experiences in developing several protected module architectures for different types of devices.

In recent years, it has been more than obvious that electronic hardware devices are more than pervasive parts, in most aspects of everyday life. Although, the increased need for communications and transactions, makes both security and privacy manners a crucial factor, that has to be considered with high attention. New methodologies and approaches are developed, in order the need for high security levels, to be satisfied successfully.

Physical Unclonable Functions (PUFs) have attracted the interest of the research community the last years. PUFs basically support cryptographic primitives, in order to implement security schemes, such as key generation and storage, authentication, as well as identification.

This work carries out operation aspects of PUFs, as well as use cases, which are currently investigated by the researchers. In this paper, design approaches of PUFs are introduced, with detailed aspects of their behaviour. The security properties of the presented designs are given in detail, in order to demonstrate the security properties, introduced by the physical properties, in the most sufficient way. Comparisons of the alternative philosophies of the different designs are given.

In this paper, we consider an overview of a possible secure model for m-government and m-banking systems. The proposed model is based on secure mobile application and SOA-Based central platform. The model additionally consists of external entities/servers, such as: PKI, XKMS, Authentication and Time Stamping server. The proposed model could be used in different local and/or cross-border m-government scenarios, as well as in different kind of m-banking systems. As a possible example of described secure mobile application we considered and experimentally evaluated a possible usage of secure Android based Web services application in the proposed model.