2018年7月12日星期四

HKAS & HKCTC Seminar on Cybersecurity Testing

Hong Kong Accreditation Service (HKAS) and Hong Kong Council for Testing and Certification (HKCTC) co-organized a Seminar on Cybersecurity Testing on 12 July 2018. With the rapid development and wider use of new technology applications, such as online services, mobile payment, cloud services and smart products, the transmission of digital data has become frequent. This has also resulted in increasing public concern about associated information security risks. This seminar aimed to introduce the standards developed to address protection of smart products and IT systems from security threats and cyber-attacks.


All guest speakers took a group photo.


The first speaker was Mr. Ronald Pong (Council member, Smart City Consortium) and his topic named “How to apply ISO/IEC 15408 in Smart City for IoT Security Risk Mitigation?” Firstly, he shared smart city smart criminal that many security issues came from IoT devices.


Then Mr. Ronald Pong shared many security incidents including CCTV, smart car, IoT sensors, smart toys, etc.  He asked us some questions including IP devices, security assurance and other awareness problem.  It could raise our alert on information security around us. 


After that he proposed three level mechanism to solve the problem and they were Testing and Evaluation, Identity and Traceability, as well as, Monitoring and Investigation.  


Finally, Mr. Pong pointed out some existing security mechanism below.
-          To use ISO 15408 Common Criteria (Evaluated Assurance Level) for all IoT device.
-          To use ISO 26262 Road Vehicles Functional safety of electrical systems for all Smart Car security evaluation.
-          Digital Identification (Digital Certificate) within your jurisdictions.
-          To deploy the ISO 27001 and Security Information and Event Management (SIEM) system for IoT device.
-          To deploy ISO 17025 Computer Forensics Lab and Cross Jurisdictions Region Digital Evidence Exchange.
For ISO 15408, he demonstrated which countries employed for our reference.


Mr. Bernard Kan (Senior Consultant, HKCERT, HKPC) was the second speaker and his presentation was “The Needs of IoT Security Assessment”.  In the beginning, Mr. Kan briefed the history of the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) which established in 2001 and operated by HKPC.  


Mr. Bernard Kan mentioned the potential trends in 2018 below:
1.      Financially Motivated Cyber Crimes continue to proliferate.
2.      Internet of Things (IoT) attacks on the Rise.
3.      Mobile Payment Apps as New Attack Targets
4.      More Regulation for Security and Privacy.
5.      Supply Chain Attacks bypass Enterprise Defense. 
And he described how many things connected to the internet from 2003 to 2020 (upto 50 billion!).


Mr. Kan used the following diagram to explain what if IoTs were infected by ransomwares and it would be terrible.  He also mentioned Mirai Botnet which was a piece of malware designed to launch multiple types of DDoS attacks (using CCTV system and routers).  


Then Mr. Kan said there was poor or non-existent security built into the IoT device which directly exposed to the Internet with poor network segmentation that’s why IoT Devices were so vulnerable.  He explained a simplified IoT architecture to explain it.  


Finally, Mr. Bernard Kan concluded that need for a framework and systematic approach of assessing IoT devices before launching in the market such as OWASP IoT Project (Open community organization focused on improving security of software) and shared some principles of IoT Security.


The third speaker was Mr. Hongsong Shi (China Information Technology Security Evaluation Center) and his topic entitled “Development and Application of the Common Criteria for IT Security Evaluation”. 


Firstly, Mr. Shi explained the interface and side channel could be the entry points of the attacks.  Availability of interfaces and the existence of weakness would induce attack.  Weakness in IT products included Design defects, Implementation errors, Delivery loopholes, Setup mis-configuration and Environment protect inappropriateness.


Then Mr. Shi briefed the role of security evaluation and demonstrated the general framework for security evaluation as follow diagram.


After that Mr. Shi introduced the history of Common Criteria (CC) which is a fundamental standard for security evaluation using ISO/IEC 15408:2009.
Part I – The general model for security evaluation
Part II – Security functional components can be chosen to express requirement in a standard way (11 security functional classes)
Part III – Security assurance components can be used to express evaluation requirement in a generic way (7 security assurance classes & 7 predefined assurance package)
ISO/IEC 18045:2009 is a companion standard.


The general model of Common Criteria (CC) evaluation was showed in the following diagram. It included Protection Profile (PP) construction, Security Target (ST) construction, Target to Evaluation (TOE) evaluation and Certification.  Moreover, 7 Predefined Evaluation Assurance Levels (EALs) were showed as follows:
EAL 7 – Formally verified design and tested
EAL 6 – Semi-formally verified design and tested
EAL 5 –Semi-formally design and tested
EAL 4 – Methodically designed, tested and reviewed
EAL 3 – Methodically tested and checked
EAL 2 – Structurally tested
EAL 1 – Functionally tested


At the end, Mr. Shi introduced CC applications in China and quoted CCRA document statement as conclusion that “The complexity of information system is such that even the most carefully written security evaluation criteria and evaluation methodology cannot cover every eventuality.”


The fourth speaker was Mr. Junshu Wang (Testing Engineer, The Fifth Electronics Research Institute of the Ministry of Industry and Information Technology) and his presentation topic was “Introduction of ISO/IEC 15408 and its application in China”. 


Mr. Wang introduced ISO/IEC 15408 structure and its target reader included consumer, developers and evaluators.  Some key words were described as follows:
Target of evaluation (TOE): An IT product or system and its associated guidance documentation that is the subject of an evaluation.
Protection Profile (PP): an implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs.
Security Target (ST): a set of security requirements and specifications to be used as the basis for evaluation of an identified TOE.
Class: a grouping of families that share a common focus.
Component: the smallest selectable set of elements that may be included in a PP or an ST.


The second part requirements were discussed.


The third part had 10 classes in security assurance requirements were also discussed.


The workflow of ISO/IEC 15408 in China was introduced.  The classified protection of information system included “Physical Environment”, “Network Security”, “Management System”, “Application Security” and “Host Security”. 


Finally, Mr. Wang discussed a case using ISO/IEC 15408 + PP in web application firewall using GB/T 18336 (ISO/IEC 15408) and GB/T 20281 Information security technology – Security technical requirements and testing and evaluation approaches for firewall.  


The fifth speaker was Ms. Gonda Lamberink (Senior Business Development Manager, UL International Ltd.) and her topic was “Tackling Insecurity of Things with UL 2900”.  Firstly, she briefed the background of UL such as UL software was used by more than 10,000 organizations in over 10 industries.  Then she briefed the insecurity of things through many security incidents.


And then Ms. Lamberink mentioned IoT security was a commercial problem.  She introduced cybersecurity assurance program through UL 2900 series of standards which were accreditated ANSI standards included UL 2900-1 (Software Cybersecurity), UL 2900-2-1 (Medical Devices), UL 2900-2-2 (Industrial Control System) and UL 2900-2-3 (Life Safety & Security).


Finally, she briefed the UL recommended minimum security requirements and concluded TRUST was the solution for this complexity of IoT security.


Mr. Jon Murthy (Chairs of the International Laboratory Accreditation Cooperation (ILAC) and International Accreditation Forum (IAF) Communications Committees) was the last speaker and his topic named “Cybersecurity – UK / European Experience”.  Firstly, he briefed cyber crime and risk from data theft, corporate hacking, smart cities/homes and IoT, as well as transport system, etc. 


Then Mr. Jon Murthy mentioned the current situations that multiple standards and different national regulatory responses to the market needs. For instance, industrial automation system had many components in confined physical areas and railway system also had many components which spread over a large physical area.  


After that Mr. Murthy stated UK experience that they had 59 laboratories accredited for IT security testing and 3,367 companies certified ISO 27001.  National Cyber Security Centre (NCSC) operated its own accredited certification programme with 5 Accreditation Bodies and 170 Certification Bodies.


For European experience, they recognized the value of accreditation certification schemes on security of systems and digital technologies.  The EU is reforming ENISA to increase the trust and security of ICT products and services, to harmonize the existing certification landscape and to progress the Digital Single Market. Recently, NIS Directive, GDPR and the eIDAS regulation were driven.  New ENISA Reg would require that organizations certifying EU cyber security schemes must be accredited by the national accreditation body in line with the requirements of regulation 765/2008.


Lastly, Mr. Murthy introduced UNECE and IEC proposal applying in a systems-approach for the best cybersecurity (world’s best practices through international standards) and showed in the following diagram.


The 5 steps for this system approach was described.  The next steps were to validate the Generic Matrix Model (GMM) approach, to obtain sector-specific GMM such as critical infrastructure, railways, cloud computing, smart energy, smart factory and smart building; as well as to develop risk analysis and ranking methods.  



Reference:
HKCTC Seminar presentation file - http://www.hkctc.gov.hk/en/work_seminars.html#b44
20150619: HKCTC & HKAS Workshop on ISO 27001 ISMS Certification - https://qualityalchemist.blogspot.com/2015/06/hkctc-hkas-workshop-on-iso-27001-isms.html
20150424: PMI Seminar on QMS based Information Security Management - http://qualityalchemist.blogspot.hk/2015/04/pmi-seminar-on-qms-based-information.html
20120214: Seminar on Supplement VIII to CEPA for Testing and Certification Industry - https://qualityalchemist.blogspot.com/2012/02/seminar-on-supplement-viii-to-cepa-for.html
20120620: Meeting with Prof. Edward Humphreys (Father of ISMS Standard) - https://qualityalchemist.blogspot.com/2012/06/meeting-with-prof-edward-humphreys.html
20080802: Seminar on ISO 9001:2000 UPGRADE to 2008 Version & Secure your information with ISO 27001 - https://qualityalchemist.blogspot.com/2008/08/seminar-on-iso-90012000-upgrade-to-2008.html
Publications:
Lai, Lotto K.H. and K.S. Chin (2014) “Development of a Failure Mode and Effects Analysis Based Risk Assessment Tool for Information Security”,  Industrial Engineering & Management Systems, Vol 13, No. 1, pp.88-101.
Lai, Lotto K.H., Chin, K.S. & Tsang, A.H.C. (2010) “Risk Management of Information Security – Information Security FMEA Circle” The eighth ANQ Congress, paper HK01. (Reprinted in SQI Yearbook 2011, pp.66-72)
Lai, Lotto K.H., Chin, K.S. & Tsang, A.H.C. (2009) “Integration of Quality Management System and Information Security Management System – HKSTP implementation case” Proceedings CD-ROM of The seventh ANQ Congress, paper HK02.

沒有留言:

發佈留言