15
Cyber Security and Privacy − CHALLENGES AND SOLUTIONS − Jovan Golić Cyber Security and Privacy Panel, Rome, 11.12.2014.

Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

  • Upload
    others

  • View
    42

  • Download
    8

Embed Size (px)

Citation preview

Page 1: Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

Cyber Security and Privacy− CHALLENGES AND SOLUTIONS −

Jovan Golić

Cyber Security and Privacy Panel, Rome, 11.12.2014.

Page 2: Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

• Cyber security − Data security in cyberspace• Data security − Resistance to cyber attacks,

against data integrity, confidentiality, availability, and entity authentication & identification

• Attacks multiply rapidly and evolve dramatically • Different aims − fraud, DoS, physical damage,

defamation, data theft, cyber espionage, cyberwar• Different levels of sophistication

• In practice, identified with reactive approach• Monitoring, detection, response, and mitigation• Protection of critical infrastructures, government (e.g.,

public administration), and enterprises• N.B. Reactive approach necessary, but insufficient!

Cyber Security

Page 3: Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

• Cyber privacy − Data privacy in cyberspace• Data privacy − User’s control + Security of

sensitive data: • About citizens, private or public companies, institutions,

and organizations (personal, financial, industrial etc.)• During the whole life cycle of the data

• Loosing control of sensitive data may lead to loosing control in real world and may put at risk property, job, liberty, and even life of citizens

• N.B. No cyber privacy → No cyber security• Sensitive data are then exposed to attacks, even by

unsophisticated attackers

Cyber Privacy

Page 4: Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

• Minimality principle: Sensitive data should be controlled by the user during the whole life cycle and disclosed to the lowest possible extent, for a minimum period of time, only to entities and for purposes authorized by the user (ideal world)

• N.B. Rarely applied, because of:• Massive user profiling by online service providers,

since user data have market value (control?)• Surveillance and lawful interception by government

agencies and law enforcement authorities, to help detect and monitor social threats and detect, track, and investigate criminal or terrorist activities (abuses?)

Minimality Principle

Page 5: Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

• User profiling means collecting, processing, and modelling of user data over a period of time, e.g.:• User IDs or identity attributes, data collected from

sensors and meters, search engines, social networks, health data, client data etc.

• User profiling is useful• Personalized and targeted: information, advertising,

services, social contacts etc.• Security: authentication by behavior-based anomaly

detection• N.B. Privacy policies are difficult to control• N.B. Massive user profiling becomes massive

citizen profiling if user identity attributes are associated with user profiles!

User Profiling

Page 6: Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

• Many cryptographic algorithms and protocols are now transparent and standardized – trustworthy

• Many proprietary ones turned out to be weak after exposure

• Software products (operating systems, middleware, applications) are mostly proprietary and obfuscated, possibly with backdoors – not trustworthy

• Secure hardware requires transparent and auditable hardware fabrication facilities

• N.B. Security chain is as strong as its weakest link!

Software and Hardware Security

Page 7: Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

• Use proactive approach: deploy trustworthy and transparent innovative technologies bridging the gaps between available techniques and practice

• Apply security&privacy-by-design paradigm• Exploit great business opportunities: EU solutions

are more trustworthy, but the market is fragmented• Raise social awareness about the need for and the

value of cyber security and privacy• Influence legislation authorities to improve data

protection laws, e.g.: controllable privacy policies, minimality principle, controllable user/citizen profiling, privacy protection by new techniques, usage of transparent and secure SW and HW

What to Do

Page 8: Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

• EIT ICT Labs was set up in 2010 by the European Institute of Innovation and Technology (EIT), in order to urgently strengthen the ICT competence in Europe

• Mission: Drive European leadership in ICT innovation for economic growth and quality of life, through a network of partners and business development accelerator for startups and SMEs

• PST AL is one of eight thematic action lines• Funding of finalization stages of research and

innovation aiming at bringing to market innovative ICT products and services, through 1-year projects

EIT ICT Labs Action Line forPrivacy, Security & Trust

Page 9: Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

• Privacy-aware federated ID management & strong authentication

• Data privacy in online/mobile applications, services & communications

• Protection against malicious software & intrusion detection/prevention on computing devices, especially on mobile platforms

• N.B. Also, secure SW and HW platforms, since there is no cyber security and privacy without secure SW and HW!

Priorities 2014-2016

Page 10: Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

• Enabler of ICT services − new business opportunities

• Digital identification requires verification of physical/logical identity attributes by trusted ID providers and ID credentials for real-time remote e-authentication (e.g., on HW-token)

• ID federation means that different service providers share the same ID providers, even cross border

• STORK is ID federation platform in EU (18 member states), obligatory for public entities (eIDAS)

• E-authentication based on passwords/PINs is weak and impractical; single sign-on is even less secure

• N.B. Privacy-critical: single sign-on and federated e-ID facilitate user or citizen profiling via linking!

• N.B. Multiple HW-tokens (e.g., bank) are impractical

Digital Identity Management

Page 11: Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

• Scalable security intelligence• Reply et al. 2013• Early warning and recovery services with respect to

cyber attacks, based on business intelligence technology• 24x7 Security Operations Centre, serving 100+

enterprises with a portfolio of 20+ security services

• Secure digital ID management• Telecom Italia et al. 2014• Strong authentication• Multiple ID credentials stored on advanced SIM-card• Integrated in STORK platform• Various use cases

PST AL Projects - 1

Page 12: Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

• CADENCE• TNO, Reply et al. 2014, 2015• Offline network traffic monitoring and APT (Advanced

Persistent Threat) malware detection by sophisticated statistical anomaly detection tools

• In 2015, adaptation to mobile platforms

• FIDES• Poste Italiane et al. 2015• Federated and interoperable ID management platform• Compliant with STORK and SPID• Privacy techniques• Various use cases

PST AL Projects - 2

Page 13: Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

• MobileShield – Freedome• F-Secure et al. 2014, 2015• Cloud service for privacy and security (anti-tracking, anti-

SPAM, IP masking, VPN to cloud, secured public Wi-Fi etc.)• Great market success in 2014• In 2015, focus on anti-malware protection

• MobileShield – SiMKo• TU Berlin et al. 2014, 2015• High security mobile platform – virtualization by secure

hypervisor (secure and insecure compartment)• Secure monitoring of insecure compartment – APT detection

and removal• MobileShield – Mobile anti-fraud management

• Reply, Uni Trento et al. 2014, 2015• Online mobile traffic monitoring• Fraud detection service (e.g., for m-banking)• Mobile device usage profiling

PST AL Projects - 3

Page 14: Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

• Secret sharing (no single points of trust and failure)• Privacy-preserving profiling• Secure multiparty computation (joint computation of

functions without disclosing own data, in 2015)• Practical homomorphic encryption (processing of

encrypted cloud data, in 2015)• Anonymity protocols (e.g., anonymous credentials)• Revocable anonymity (if needed)• Attribute-based encryption (cloud data sharing

according to access policies)• Searchable encryption (cloud data search)• End2end encryption (possibly, with key escrow –

secret sharing for lawful interception)

Advanced Crypto Techniquesfor Privacy

Page 15: Cyber Security and Privacy - EIT Digital · • Cyber privacy − Data privacy in cyberspace • Data privacy − User’s control + Security of sensitive data: • About citizens,

“We need an environment where those who manage and use ICT have the incentives to use high-quality security. Public and private. ... And we need the best technology. Maybe this means that we make it ourselves in Europe, thanks to a vibrant, European market that innovates to create those security solutions. And this is why we are increasing R&D in cybersecurity. Or maybe it requires that we verify that the ICT equipment and applications we buy are not designed with backdoors built in! ... The combined experience of governments, industry, academics and customers was the only way to tackle the problems ...”

EC ex-Vice-President, Neelie Kroes (2013)

Conclusion – Being Proactive