TRANSCRIPT
Institute for Internet Security - if(is), Westphalian University of Applied Sciences, http://www.internet-sicherheit.de
Prof. Dr. (TU NN) Norbert Pohlmann
Common Approach for more IT security
Prof. Norbert Pohlmann, Institut für Internet-Sicherheit - if(is), Westfälische Hochschule, Gelsenkirchen
Content
Internet and IT Security (situation, problem areas, challenges)
Methods for more IT security (cooperation, sovereignty)
The right approach for more IT security (analogy, goal orientation)
Strategy for more IT security (objectives and tasks)
Conclusion and outlook
Internet and IT Security: Situation
We are currently developing an Internet society (source of information, e-commerce, e-government, ..., e-assistant, ..., Industry 4.0, the Internet of Things, ...)
Many local services are linked to the Internet (intelligent analysis requires Internet connectivity)
Private and corporate data stores are increasingly held in the Internet (central storage requires Internet connectivity)
IT and IT security technologies are not secure and trustworthy enough!
Professional hackers are very successful!
The risk is growing, and so is the damage!
What are the problem areas? 1. Privacy and Autonomy
Privacy / autonomy: different perspectives
Business models: "payment with personal data"
State (e.g. NSA, BND, ...): identifying terrorists' activities?
Cultural differences (private data belong to companies? US 76%, DE 22%)
User: autonomy in the sense of self-determination
What are the problem areas? 2. Industrial Espionage
Industrial espionage: about € 51 billion of damage annually
For comparison, cybercrime: about € 100 million per year (online banking, DDoS, ...)
What are the problem areas? 3. Cyberwar
Cyberwar: implementation of policy objectives, simple and "inexpensive"
Attacks on critical infrastructure, e.g. power supply, water supply, ...
IT Security: The biggest challenges
Inadequate software quality (about 0.5 errors per 1,000 LoC, ...)
Manipulated IT and IT security technology (random numbers, backdoors, ...)
Insufficient protection against malware (only 45% detection rate)
Insecure web servers (2.5% distribute malicious software)
Internet users are not skilled enough (24% click on spam)
Result: risk
Current challenges with current risks
No international identity management (passwords for authentication in the Internet, ...)
We need modern, easy-to-use, easy-to-integrate, ... authentication systems which can be used in every organization (mobile-device-based, FIDO-ready, different security levels, for the real and the virtual world, ...).
New threats from mobile devices (BYOD, quantity instead of quality, tracking, loss / theft, ...)
We need intelligent, modern and secure mobile device management systems which make use easy for companies and for users (service orientation).
Too high risks when communicating (e-mail, web, chat, ...)
We need modern communication systems which offer easy-to-use, secure and trustworthy communication.
Cloud computing is a major challenge (session hijacking, place of storage, ...)
We need easy-to-use, secure and trustworthy cloud services based in Germany ...
www.xign.de
Current challenges with future major risks
Industry 4.0: complex systems and control devices are connected to the Internet
Internet of Things (IoT): nearly all devices in all aspects of life get Internet connectivity
Internet and IT security: Evaluation of the situation
We know the IT security problems, but the IT security systems and measures available and used today do not reduce the IT security risk sufficiently!
IT security is a global challenge
Future attacks will exceed the current damage
We need innovative approaches in the field of Internet security to reduce the risk for our society to a reasonable level
Current conditions in Europe which will drive IT security
eIDAS (European regulation on electronic identification and trust services)
Trust services (TeleSec)
Electronic signature (also in the cloud: remote signature)
Electronic seal (signature for organizations)
Electronic time stamps
Electronic registered delivery services
...
IT Security Act (IT-Sicherheitsgesetz, Germany)
Situation awareness, SIEM systems, reaction strategies, ...
Minimum standards, "state of the art" and audits will drive the IT security market (critical infrastructure, industry, all users)
IT Security: Replaceability of standard software from the USA / cooperation
Security kernel (Trusted Computing Base)
Isolation, separation and modeling
IT security made in Germany (no backdoors, no manipulation, ...)
More data encryption
Internet users must be well educated
Modern IT security architecture
Examples ► Modern IT security architecture ► disk encryption ► IP encryption ► ...
IT Security Sovereignty: Everything comes from DE
Security kernel (Trusted Computing Base)
Isolation, separation and modeling
IT security made in Germany (no backdoors, no manipulation, ...)
Standardization of interfaces and protocols
IT security infrastructure
Modern IT security architecture
Examples ► Industry 4.0 ► Internet of Things ► ...
Road deaths 1991 until today (analogy)
[Chart: Number of road deaths in DE, 1991 to today (x-axis: 1991, 1996, 2001, 2006, 2011, today; y-axis: 0 to 12,000). Source: Statistisches Bundesamt / Statista. From 11,300 in 1991 down to 3,368 today: -70%.]
Rapid reduction of road deaths: how was this achieved?
Manufacturers and suppliers (implementation of standards, innovations)
► Modern safety systems (seat belt, airbag, ABS, ESP, ...)
► More robust construction
► New innovative ideas (Car2Car / communication infrastructure)
Executive authorities ("enforcement", speed limits, traffic regulations)
► Awareness of car drivers (e.g. "Slow Down" campaigns, "seventh sense", ...)
► Seat belts
► Enhanced drug tests
► TÜV duty for cars
► Vests mandatory in case of accidents
► Stronger controls of buses and trucks
Infrastructure operators (cities, states, federal government)
► Removal of avenue trees
► Better infrastructure (new streets, modern traffic control systems, ...)
► Improved tunnels and bridges
Strategy for IT Security: The general objective and tasks
General objective: adequate risk
Tasks:
► Creating a capital market for IT security
► Mandatory minimum standards for IT security
► Definition of requirements on IT security for the future
► Extensive product liability for IT security in IT
► Strengthening the IT security infrastructure
► Competence development of employees and citizens
► Motivating a higher use of encryption
► ...
Conclusion and outlook: focused and common activities
We now have to define common objectives with all stakeholders and actively implement the corresponding tasks!
IT security manufacturers (simple, manageable and combined solutions that are well integrated in technologies, products and services, ...)
User companies (purchasing cooperatives in order to motivate, for example, modern IT security architectures; existing and needed solutions have to be used actively, ...)
Universities (close gaps, meet new requirements, generate innovation in the necessary fields, ...)
State (motivation of the necessary steps and promotion / regulation, ...)
Users (demand new business models, obtain skills, ...)