Institute for Internet Security - if(is), Westphalian University of Applied Sciences, http://www.internet-sicherheit.de
Prof. Dr. (TU NN) Norbert Pohlmann
Common Approach for more IT security



Prof. Norbert Pohlmann, Institut für Internet-Sicherheit - if(is), Westfälische Hochschule, Gelsenkirchen

Slide 2: Content

Internet and IT Security (Situation, problem areas, challenges)

Methods for more IT security (Cooperation, sovereignty)

The right approach for more IT Security (Analogy, goal orientation)

Strategy for more IT Security (Objectives and tasks)

Conclusion and outlook




Slide 4: Internet and IT Security - Situation

We are currently developing an Internet society (source of information, e-commerce, e-government, ..., e-assistant, ..., industry 4.0, the Internet of Things, ...)

Many local services are linked to the Internet (intelligent analysis brings Internet connectivity)

Private and corporate data stores increase in the Internet (central storage brings Internet connectivity)

The IT and IT security technologies are not secure and trustworthy enough!

Professional hackers are very successful!

The risk is growing, and so is the damage!


Slide 5: What are the problem areas? 1. Privacy and Autonomy

Privacy / Autonomy: different perspectives

Business models: "Payment with personal data"

State (e.g. NSA, BND, ...): identifying terrorists' activities?

Cultural differences (Do private data belong to companies? US 76%, DE 22%)

User: autonomy in the sense of self-determination


Slide 6: What are the problem areas? 2. Industrial Espionage

Industrial Espionage: about € 51 billion of damage annually

For comparison: Cybercrime: about € 100 million per year (online banking, DDoS, …)


Slide 7: What are the problem areas? 3. Cyberwar

Cyberwar: implementation of policy objectives, simple and "inexpensive"

Attacks on critical infrastructures (e.g. power supply, water supply, ...)


Slide 8: IT Security - The biggest challenges

Inadequate software quality (0.5 errors per 1000 LoC)

Manipulated IT and IT security technology (random numbers, backdoors, …)

Insufficient protection against malware (only 45% detection rate)

Insecure web servers (2.5 % distribute malicious software)

Internet users are not skilled enough (24 % "click" on spam)

(Diagram label: Risk)


Slide 9: Current challenges with current risks

No international identity management (passwords for authentication in the Internet, …)

We need modern, easy to use, easy to integrate, … authentication systems which can be used in every organization (mobile device based, FIDO-ready, different security levels, for the real and the virtual world, …).

New threats from mobile devices (BYOD, quantity instead of quality, tracking, loss / theft, …)

We need intelligent, modern and secure mobile device management systems which make their use easy for companies and for users (service orientation).

Too high risks when communicating (e-mail, web, chat, …)

We need modern communication systems which offer easy to use, secure and trustworthy communication.

Cloud computing is a major challenge (session hijacking, place of storage, …)

We need easy to use, secure and trustworthy cloud services based in Germany …

www.xign.de


Slide 10: Current challenges with future major risks

Industry 4.0: complex systems and control devices are connected to the Internet

Internet of Things (IoT): nearly all devices in all aspects of life get Internet connectivity


Slide 11: Internet and IT security - Evaluation of the situation

We know the IT security problems, but the IT security systems and measures available and in use today do not reduce the IT security risk sufficiently!

IT security is a global challenge.

Future attacks will exceed the current damage.

We need innovative approaches in the field of Internet security to reduce the risk for our society to a reasonable level.


Slide 12: Current conditions in Europe which will drive IT security

eIDAS (European law for trust services)

Trust Services (TeleSec)

Electronic Signature (also in the cloud: remote signature)

Electronic Seal (signature for organizations)

Electronic Time Stamps

Electronic Registered Delivery Services

...

IT security law (in Germany)

Situation awareness, SIEM systems, reaction strategies, …

Minimum standards, "state of the art" and audits will drive the IT security market (from critical infrastructure to industry to all users)




Slide 14: IT Security Replaceability - Standard software from USA / cooperation

Security Kernel (Trusted Computing Base)

Isolation, separation and modeling

IT Security made in Germany (no backdoors, no manipulation, …)

More data encryption

Internet users must be well educated

Examples: ► Modern IT security architecture ► disk encryption ► IP encryption ► …


Slide 15: IT Security Sovereignty - Everything comes from DE

Security Kernel (Trusted Computing Base)

Isolation, separation and modeling

IT Security made in Germany (no backdoors, no manipulation, …)

Standardization of interfaces and protocols

IT security infrastructure

Modern IT security architecture

Examples: ► Industry 4.0 ► Internet of Things ► …




Slide 17: Road deaths 1991 until today (analogy)

[Chart: Number of road deaths in DE, 1991 to today (1991, 1996, 2001, 2006, 2011, today): from 11,300 in 1991 down to 3,368 today, a reduction of 70%. Source: Statistisches Bundesamt/Statista]


Slide 18: Rapid reduction of road deaths - How was this achieved?

Manufacturers and Suppliers (implementation of standards, innovations)

► Modern safety systems (seat belt, airbag, ABS, ESP, …)

► More robust construction

► New innovative ideas (Car2Car / communication infrastructure)

Executive Authorities ("Enforcement", speed limits, traffic regulations)

► Awareness of car drivers (e.g. "Slow Down" campaigns, "seventh sense", ...)

► Seat belts

► Enhanced drug tests

► TÜV duty for cars

► Vests mandatory in case of accidents

► Stronger controls of buses and trucks

Infrastructure operators (cities, states, federal government)

► Deforested avenue trees

► Better infrastructure (new streets, modern traffic control systems, …)

► Improved tunnels and bridges




Slide 20: Strategy IT Security - The general objective and tasks

General objective (diagram label): adequate risk

Tasks:

Creating a capital market for IT security

Mandatory minimum standards for IT security

Definition of requirements on IT security for the future

Extensive product liability for IT security in the IT

Strengthen the IT security infrastructure

Competence development of employees and citizens

Motivating a higher use of encryption ...




Slide 22: Conclusion and outlook - Focused and common activities

We now have to define common objectives with all stakeholders and actively implement the corresponding tasks!

IT security manufacturers (simple, manageable and combined solutions that are well integrated in technologies, products and services, ...)

User companies (purchasing cooperatives in order to motivate, for example, modern IT security architectures; existing and needed solutions have to be used actively, ...)

Universities (close gaps, meet new requirements, generate innovation in the necessary fields, ...)

State (motivation of the necessary steps and promotion / regulation, …)

Users (demand new business models, obtain skills, …)


Slide 23: The right way to a trusted and secure modern future

Common Approach for more IT security