Informa4on Security Management at Cer4ficate Authori4es

Similar documents
Electronic Signature. István Zsolt BERTA Public Key Cryptographic Primi4ves

CA Self-Governance: CA / Browser Forum Guidelines and Other Industry Developments. Ben Wilson, Chair, CA / Browser Forum

Execu&ve Coaching Program Design Checklist

Cybersecurity Capacity Assessment of the Republic of Kosovo. Lara Pace Kosovo June 2015

Auditor view about ETSI and WebTrust criteria. Christoph SUTTER

Danske Bank Group Certificate Policy

ETSI SECURITY WEEK EIDAS Overview CEN/ETSI esignature Standardization including standards for TSP Compliance. ETSI All rights reserved

ETSI TS V1.1.1 ( ) Technical Specification

System Aware Cyber Security Architecture

RECOMMENDATIONS for the PROCESSING of EXTENDED VALIDATION SSL CERTIFICATES January 2, 2014 Version 2.0

Best prac*ces in Cer*fying and Signing PDFs

(Instructor-led; 3 Days)

BUYPASS CLASS 3 SSL CERTIFICATES Effective date:

SPAMTRACER TRACKING FLY- BY SPAMMERS

CERTIFICATION PRACTICE STATEMENT UPDATE

How to Develop a Funding Model

Road map for ISO implementation

CA-DAY Michael Kranawetter, Chief Security Advisor (Tom Albertson, Security Program Manager) Microsoft

ETSI TS V1.4.3 ( )

ISO Information Security Management Systems Foundation

Land Registry. Version /09/2009. Certificate Policy

ETSI TS V2.4.1 ( )

How small and medium-sized enterprises can formulate an information security management system

e-szigno Digital Signature Application

ISMS Implementation Guide

CSE543 - Introduction to Computer and Network Security. Module: Public Key Infrastructure

ETSI TC ESI PRESENTATION TO CAB FORUM. ETSI All rights reserved

ETSI TS V2.1.1 ( ) Technical Specification

IT Governance: The benefits of an Information Security Management System

SAP, Credit Cards and the Bird that Talks Too Much. Ertunga Arsal

Certum QCA PKI Disclosure Statement

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

TL 9000 Measurements Handbook, Release 5.0

Technology Risk Management

ETSI TR V1.1.1 ( )

University of Greenwich Graduate Internship Programme. Welcome Jerry Allen

REGISTRATION AUTHORITY (RA) POLICY. Registration Authority (RA) Fulfillment Characteristics SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A.

How To Assess Risk On A Trust Service Provider

ETSI TS V2.1.2 ( )

AllSeen Summit 2015: IoT: Taking PKI Where No PKI Has Gone Before Presented by: Scott Rea DigiCert Sr. PKI Architect ALLSEEN ALLIANCE

TTP.NL Scheme. for management system certification. of Trust Service Providers issuing. Qualified Certificates for Electronic Signatures,

InfoSec Academy Application & Secure Code Track

How To Implement An Information Security Management System

White Paper - Measuring the Effectiveness of Security using ISO 27001

TC TrustCenter GmbH Time-Stamp Policy

Egypt s E-Signature & PKInfrastructure

Cyber Security Review

CA/Browser Forum. Guidelines For The Issuance And Management Of Extended Validation Code Signing Certificates

How to gain and maintain ISO certification

Secure Signature Creation Devices (SSCDs)

SSL CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT

Looking at the SANS 20 Critical Security Controls

Information Security Awareness Training

TTP.NL Guidance ETSI TS

Thai Digital ID Co.,Ltd.

Making Digital Signatures Work across National Borders

ISO/IEC Information Security Management System Vs. ITIL IT Security Management

Independent Accountants Report

Operating a CSP in Switzerland or Playing in the champions league of IT Security

Foreword Introduction - The Global Food Safety Initiative (GFSI) Scope Section Overview Normative References...

In accordance with article 11 of the Law on Electronic Signature (Official Gazette of the Republic of Serbia No. 135/04), REGULATION

COPYRIGHTED MATERIAL. Contents. Acknowledgments Introduction

Criminal charges are not pursued: Hacking PKI

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

CPSC 467: Cryptography and Computer Security

Information Security ISO Standards. Feb 11, Glen Bruce Director, Enterprise Risk Security & Privacy

Security framework. Guidelines for trust services providers Part 1. Version 1.0 December 2013

Preparing yourself for ISO/IEC

WebTrust SM/TM for Certification Authorities WebTrust Principles and Criteria for Certification Authorities Extended Validation Code Signing

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

Frost & Sullivan. Publisher Sample

CS Network Security: Public Key Infrastructure

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management

The Value of Vulnerability Management*

Trustis FPS PKI Glossary of Terms

Microsoft s Compliance Framework for Online Services

TC TrustCenter GmbH Time-Stamp Practice and Disclosure Statement

Security Control Standard

Critical Infrastructure Private Guarding Company Requirements Checklist

How to set up a CSIRT in an ITIL driven organization. Christian Proschinger Raiffeisen Informatik GmbH

CERTIFICATE. certifies that the. Info&AA v1.0 Attribute Service Provider Software. developed by InfoScope Ltd.

IMPLEMENTATION OF SECURITY CONTROLS ACCORDING TO ISO/IEC IN A SMALL ORGANISATION

Cybercrime Security Risks and Challenges Facing Business

Transcription:

Informa4on Security Management at Cer4ficate Authori4es István Zsolt BERTA istvan@berta.hu Public Key Cryptographic Primi4ves 1

PKI lectures 1. Public key cryptography primiaves 2. CerAficates, CerAficate AuthoriAes, CerAficaAon Paths 3. Electronic signatures: signature creaaon & validaaon 4. Informa4on security management at CAs 5. PKI Business 2 2

Informa4on Security Management (@CAs) Risk Assessment InformaAon Security Management InformaAon Security Management @ a CerAficate Authority 3 3

Risk Assessment Public InfoSec Key Cryptographic Management Primi4ves @ CAs 4

How to be secure in the middle of Africa? source 5 5

Step 1: Define Assets The first step is to define the assets we would like to protect Not only financials and tangible objects, can be assets Examples: InformaAon, good reputaaon, trust, etc. In this example, we would just like to stay alive We have one asset: Our Life 6 6

Step 2: Iden4fy Threats List what you are afraid of Try to make general categories Lions Bandits Zebras Rain Mosquitoes Earthquakes Elephants Snakes 7 7

Risk More things can happen than will happen We try to deal with uncertainty by assessing 1) how like is that an even will occur and 2) what impact can it have upon us Risk = Likelihood x Impact In (informaaon) security we usually deal with risk that have negaave impact 8 8

Step 3: Assess likelihood and impact Threat Likelihood Impact Lions low/medium high Bandits low/medium medium/high Zebras low low Rain high low Mosquitoes high high/medium Earthquakes low medium Elephants low medium Snakes low high 9 9

Decide which threats to focus on Low Impact Med Impact High Impact Low Likelihood Zebras Earthquakes Elephant Snakes Lions Med Likelihood Bandits High Likelihood Rain Mosquitoes 10 10

Prac4cal notes A generic risk assessment considering all possible threats for all different areas is almost never pracacal; one rarely sees such a matrix of everything keeping it up- to- date requires a vast amount of resources it will always be very- very subjecave; risks from different areas are extremely hard to compare Both likelihood and impact can be very hard to determine lack of experience, lack of data subjecave black swans SAll, an organizaaon must make decisions on where to allocate its resources 11 11

What can you do with a risk? 1. MiAgate via controls/countermeasures (eliminate if possible) 2. Accept the risk because there is no way to miagate it because it is not feasible to miagate it because we have no resources for it because there is no point in miagaang it 12 12

Step 4: Design countermeasures Design countermeasures to lower the risk of threats Countermeasures may reduce the likelihood and/ or the impact of threats Countermeasures also have costs Note that some countermeasures are specific to certain threats while others can address more Possible countermeasures: Armed guards Mosquito net Stockade walls Doctors, medicine Insurance Traps Campfire 13 13

Controls can be PrevenAve with the aim of prevenang an incident from happening DetecAve with the aim of detecang an incident, so any acaon / intervenaon / correcaon becomes possible CorrecAve taking an acaon aber an incident has happened to repair any damage CompensaAng control the ideal control is not in place, we use some lesser controls instead 14 14

Risk- based approach to security You have limited resource to address threats The risk- based approach helps us allocate our resources in the most efficient way; i.e. to reduce risks as much as possible reduce risk to an acceptable level reduce risk as much as you can with the available resources Modern informaaon security management systems follow a risk- based approach (too) 15 15

Approaches to security 1. Baseline: a standard set of controls everywhere easy- to implement, easy to check can become a waste of money 2. Risk- based: allocate controls based on risk hard to assess risk, hard to implement properly, can always be debated financially opamal soluaon (if done well) 3. ConAnuous improvement regardless of what you do, focus on doing a beger job than before straighhorward 4. Bring your own security policy J define your requirements, check if they are implemented correctly very flexible very hard to understand & evaluate by outsiders Note the contradicaons between these approaches 16 16

Informa4on Security Management Public InfoSec Key Cryptographic Management Primi4ves @ CAs 17

Informa4on Security InformaAon is an asset for businesses/organizaaons, so informaaon needs to be protected The aim of informaaon security is to protect this informaaon with respect to confidenaality: ensuring that unauthorized paraes cannot obtain/learn the informaaon integrity: ensuring that unauthorized changes cannot happen to the informaaon availability: ensuring that authorized paraes have access to the informaaon they need IT Security (protects IT or via IT) vs InformaAon Security (protects informaaon regardless of the media/system it resides one) 18 18

Informa4on Security Management Management: gekng things done through others InformaAon Security Management describes controls an organizaaon needs to implement to ensure that it sensibly reduces informaaon security risks InformaAon security management standards provide frameworks for establishing informaaon security management systems in an organizaaon allow informaaon security to be assessed or compared at different organizaaons provide means to express that you are secure towards management / customers / etc. 19 19

ISO/IEC 27001 A key standard for informaaon security management Defines an InformaAon Security Management System (ISMS) Follows the philosophy of the quality management standard ISO 9001 quality vs security Based on previous BS 7799 standards COBIT is another widespread IS management / IT governance standard, but this presentaaon follows ISO 27001 20 20

ISO 27001 contents at a high level Context of the organizaaon who are the stakeholders? what are their requirements/expectaaons? Leadership commitment form senior management for infosec informaaon security policy defined infosec roles and responsibiliaes Planning & Support risk based, based on stakeholder expectaaons documented plans, retaining evidence OperaAon Performance EvaluaAon check if we are doing the right things; internal audit Improvement handling incidents, taking correcave acaons, conanuous improvement Annex A: Reference control objecaves 21 21

ISO 27001: Plan Do Check Act Plan Planning Support Improvement Act Do OperaAons Performance EvaluaAons Check 22 22

ISO 27001 key concepts Ensure you understand stakeholder requirements Gain support for senior management to informaaon security Maintain an inventory of assets, follow a risk- based approach when planning controls Check for security gaps, check if you are going the right way Learn from your mistakes, improve the system conanuously 23 23

ISO 27001 Annex A: Reference controls InformaAon security policies OrganizaAon of informaaon security Human resource security Asset Management Access Control Cryptography Physical and environmental security OperaAons security CommunicaAons security System acquisiaon, development and maintenance Supplier relaaonship InformaAon security incident management Business conanuity management Compliance 24 24

Statement of Applicability The organizaaon states that it applies ISO 27001 States which controls it applies And jusafies which controls it does not apply Must be output of risk assessment 25 25

InfoSec Management requirements at Cer4ficate Authori4es Public InfoSec Key Cryptographic Management Primi4ves @ CAs 26

Assets Key assets of the CA are: CA signing keys signing ceraficates, revocaaon lists, OCSP responses, etc. Registries which ceraficate was issued to which person what verificaaon has been performed which ceraficate has been revoked and when Public Key Cryptographic Primi4ves 27

Threats - A`ackers Cybercriminals they are in for the money want to maximize their profit agack targets where the most money can be gained with the least investment / risk HackAvist groups loosely organized follow ideologies, not for financial gain Government- sponsored supports real- world acaviaes of a state not only works in cyberspace, not for financial gain cyber war vs cyber espionage 28 28

Anatomy of an cyber a`ack 1. Reconnaissance 2. WeaponizaAon 3. Delivery 4. ExploitaAon 5. InstallaAon 6. Command and Control 7. AcAons 8. (Covering tracks) Source: Hutchins, Cloppert, Amin (2011) 29 29

Norma4ve documents EU ETS TS 101 456: Policy requirements for ceraficaaon authoriaes issuing qualified ceraficates ETSI TS 102 042: Policy requirements for ceraficaaon authoriaes issuing public key ceraficates CEN CWA 14167-1: Security Requirements for Trustworthy Systems Managing CerAficates for Electronic Signatures - Part 1: System Security Requirements NaAonal + EU- wide regulaaons US + internaaonal Webtrust CAB Forum Baseline Requirements (CAB Forum EV Guidelines) CAB Forum Network Security Controls 30 30

Key points CA signing keys must be in an HSM with a security ceraficaaon (e.g. FIPS 140- X) CA must act with due diligence when verifying the request / requestor CA must accept revocaaon request conanuously and take Amely acaon to revoke the necessary certs CA must employ trusted people (e.g. clear criminal record) who are competent (must be trained, must formally accept responsibility) CA is liable for the ceraficates issues financial requirements (e.g. liability insurance) CA must maintain conanuous operaaon, revocaaon informaaon must be available to relying paraes CA must be audited regularly, with some parts of the audit made public 31 31

Summary / conclusions Cryptography is bypassed, not penetrated Adi Shamir Crypto can only work if there are good key management processes behind it CAs also need good, secure processes InformaAon security management can ensure that an organizaaon and its processes are secure; key principles: Support from senior management Risk- based approach for distribuang resources Learn from mistakes (Plan- Do- Check- Act) ConAnuous improvement ISO 27001 is one of the key infosec management standards 32 32

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information