Network and Information Security Standardisation Issues (interim draft version 0.33)


A report issued by the joint CEN/ETSI group on Network and Information Security (NIS)

DRAFT NIS Report, Version 0.33
Document History

Version          Date          Comments
Outline Draft    5/12/2002     Initial draft for NIS meeting (5 December 2002)
0.1              21/1/2003     Addressing comments received by email and at meeting (5/12) + adding detail
0.2              24/2/2003     Interim Draft for NIS meeting (March 3rd) taking into account most of comments received on draft 0.1
0.3              14/03/2003    Addressing TIPHON concerns, comments received at March meeting and additional comments on version 0.2.
0.33             28/3/2003     Re-arranged introductory matter (JP); additions to and clarifications of the “use cases”

Contents

Executive Summary and Recommendations (p. 4)
Introduction and Scope (p. 7)
References (p. 7)
Definitions and Abbreviations (p. 8)
Network and Information Security (p. 9)
E-Business (p. 10)
This Report (p. 10)
User Requirements (p. 11)
General Threats to Network and Information Security (p. 16)
Security Services, Security Measures and Recommendations for Future Activities (p. 18)
A. Registration and Authentication Services (p. 19)
   Security Measures (p. 19)
   Recommendations (p. 29)
B. Confidentiality and Privacy Services (p. 30)
   Security Measures (p. 30)
   Recommendations (p. 34)
C. Trust Services (p. 35)
   Security Measures (p. 35)
   Recommendations (p. 41)
D. Business Services (p. 42)
   Security Measures (p. 42)
   Recommendations (p. 44)
E. Network Defence Services (p. 45)
   Security Measures (p. 45)
   Recommendations (p. 46)
F. Assurance Services (p. 47)
   Recommendations (p. 49)

Executive Summary and Recommendations

[summary of recommendations here; the following is a list of some possibilities arrived at during the writing of the report]

There is a lack of advice on appropriate security guidance and standards for organisations wishing to set up e-business applications in Europe. This not only inhibits growth but may lead to the development of interoperable ad-hoc services.

The Commission should consider the development of a “framework for e-business” identifying preferred security technologies and corresponding standards for organisations wishing to implement e-business solutions in Europe.

Home users in particular may be unaware of the need for PC-based software to be resistant to attack. Developers of application software will be disinclined to build in resistance for commercial reasons. In a global e-business environment this could increase the spread of malicious software such as computer viruses.

The standardisation bodies should consider the possibility of developing a “kite mark” scheme for “safe” application software for e-business use.

Product suppliers should be encouraged (by whom?) to provide effective, inexpensive, easy to use security products (for instance encryption software, anti-virus products) for the home user.

Many home users will be unfamiliar with computer security and would benefit from the availability of guidance in the form of security checklists.

Product suppliers, ISPs and e-business service providers should be encouraged (by whom?) to make such advice available to home users.

Application software to support the home user (e.g. PC operating systems, word processing packages, spreadsheet packages etc.) will be expected to be resistant to attack.

Product suppliers should be encouraged (by whom?) to provide assurance that products are robust and to provide guidance on the safe operation of their systems. [Recommendation].

The increase in the number of citizens working from home will require the availability of easy-to-use security products in order that commercially sensitive material can be exchanged between the home worker and his base office.

Employers should provide home workers with ready-to-use systems with good security such as VPNs or end to end encryption facilities.

Many microprocessor devices in the home will become accessible from the Internet and thus vulnerable to attack. Because, in many cases, they operate independently of human input, the establishment of automatic and remote methods of protection is necessary together with codes of practice and standards that underpin them. Since the average home user will be entirely ignorant of network security, this should be regarded as a major area of concern for Network and Information Security.

The standardisation bodies should develop standards, protocols and guidance material for the protection of home-based microprocessor devices from external attack.

Civil liberties concerns and general public anxiety about the possible health risks resulting from their use will hamper the use of biometrics for authentication (paragraphs 55 onwards).

The Commission should sponsor research to investigate and assess the health risks resulting from long-term use of biometric-based authentication methods.

National governments should develop guidelines on the recording and storing of biometric records in relation to civil liberties.

There is a lack of authoritative information, best practice and standards available to enable potential users to make informed decisions on the selection and deployment of biometric-based authentication solutions (paragraph 55 onwards).

The Standards bodies should develop a “best practice” document for Biometrics usage.

The Standards Bodies should review the activities of the various Biometrics working groups with a view to proposing the development of official standards for performance testing, evaluation methodology, protection profiles (under the Common Criteria standard), APIs and templates.

The increasing diversity of networks (e.g. Internet, Virtual Private Networks, wireless LANs, 3G) will invariably raise interoperability problems as global e-business expands. It is likely that a specific transaction may need to utilise a number of different protocols in its path. Thus it is crucial that the various protocols (including security-related ones) are interoperable in order to maintain the integrity and confidentiality of the data over the communications path (paragraph 16).

Standardisation bodies should develop security-related interoperability standards for communications protocols.

The growth of a global e-business environment will be facilitated by the availability of interoperable PKI products. At the current time there are many commercial PKI products available but many of these are not interoperable with other products (paragraph 143).

The Standards bodies should define what features of PKI systems are necessary to provide interoperability and should work with product suppliers to develop specifications and standards to provide the necessary interoperability.

There are several “standards” for digital signature products. In general products conforming to one standard do not interoperate with products conforming to another standard. Users unfamiliar with digital signature technology should not be expected to decide which standard to use on a specific occasion (paragraph 128).

The standards bodies should identify a preferred set of digital signature standards. Suppliers of e-business applications should be encouraged to support each preferred standard transparently as far as the end user is concerned. E-business service providers should provide users of the service with access to a preferred digital signature product.

The uptake of global e-business will be inhibited by the lack of harmonisation of standards for Trust Service Providers.

[Need some input here from the group working on this as to what they might like included (if anything).]

Introduction and Scope

1. This report is issued by CEN and ETSI in response to two documents: COM(2001)298 (“Network and Information Security: Proposal for A European Policy Approach”); and the Council Resolution of 28 January 2002 “On a common approach and specific actions in the area of network and information security.”

2. The first of these documents raises issues for resolution and proposes actions aimed at a number of organizations, with the ultimate aim of facilitating the growth of e-business within a European environment and beyond. Some of the issues and actions are addressed to the European Standards Organizations (CEN, CENELEC and ETSI).

3. Therefore the aim of the report is to make recommendations for standards-related actions to be carried out by the European Standards Organizations and related bodies in support of the above goals. Appropriate actions include the development of new standards and frameworks, adoption of standards, awareness campaigns and other actions that support the overall aims of COM(2001)298.

4. It should be noted that the term “standard” in this report is used to refer both to standards issued by the recognised standards bodies (often known as “formal standards”, although not all undergo a full process as such) and those issued by open or closed industry standards consortia, academic interests, etc. (often known as “informal” standards). It is also used to refer to “best practice” consensus-based documents that contribute to Network and Information Security.

5. This report has been developed in the context of eEurope 2002, an initiative launched by the European Commission for an Information Society for All that also addressed security and trust in electronic business (e-business) carried out over private or public networks (including the Internet). Part of the aim of the initiative is to facilitate the growth of electronic business in the European Community.

6. It is clear that the provision of a secure and trustworthy infrastructure for carrying out electronic business in “cyberspace” will encourage e-business growth in Europe. This requires that all parties in an e-business environment have the responsibility to put in place effective security measures and to convince the end user that doing business in this way in Europe is not only efficient but also secure.

7. In view of the fact that e-business transactions traverse national boundaries and, where the Internet is concerned, the communications path is unpredictable, the end user must also be sure that security measures throughout the Internet conform to common security standards and wherever necessary meet the requirement for interoperability.

References

8. The following references were consulted during the preparation of this report:

a. Council Resolution of 28 January 2002: On a common approach and specific actions in the area of network and information security;

b. Communication of the European Communities, COM(2001) 298: Network and Information Security: Proposal for A European Policy Approach;

c. e-Government Strategy Framework Policy and Guidelines Version 4.0, September 2002, issued by the UK Office of the e-Envoy;

d. APEC-TEL Information Systems Security Standards, developed by the APEC-Telecommunications Information Working Group by Standards New Zealand;

e. OECD Guidelines for the Security of Information Systems and Networks;

f. Glossary of IT Security Terminology, SD 6, SC27 N2776, issued by the International Organisation for Standardisation and Electrotechnical Commission (ISO/IEC);

g. COM D79, Study Group 17, Security Architecture for Systems Providing End-to-End Communications;

h. ETSI Technical Report 336, Telecommunications Management Network (TMN); Introduction to standardising security for TMN.

9. Further information was obtained from web sites of various organisations, notably the European Telecommunications and Standards Institute (ETSI) and the European Standards Committee (CEN).

Definitions and Abbreviations

Definitions

Abbreviations

Network and Information Security

10. Network and Information Security is defined in COM(2001)298 as: “The ability of a network or an information system to resist, at a given level of confidence, accidental events or malicious actions. Such events or actions could compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data as well as related services offered via these networks and systems.”

11. The Communication also identifies six specific threats:

a. Electronic communication can be intercepted and data copied or modified. This can cause damage both through invasion of the privacy of individuals and through the exploitation of data intercepted.

b. Unauthorised access into computers and computer networks is usually carried out with malicious intent to copy, modify or destroy data and is likely to be extended to systems and automatic equipment in the home.

c. Disruptive attacks on the Internet have become quite common and in future the telephone network may also become more vulnerable.

d. Malicious software, such as viruses, can disable computers, delete or modify data or reprogram home equipment. Some recent virus attacks have been extremely destructive and costly.

e. Misrepresentation of people or entities can cause substantial damages, e.g. customers may download malicious software from a website masquerading as a trusted source, contracts may be repudiated, confidential information may be sent to the wrong persons.

f. Many security incidents are due to unforeseen and unintentional events such as natural disasters (floods, storms, earthquakes), hardware or software failures, human error.

12. Network and Information Security in the context of this report therefore excludes legal issues and policy (e.g. data protection / telecommunications framework) and excludes law enforcement (e.g. cybercrime). The following chart extracted from COM(2001) 298 illustrates this in diagrammatic form:

[Figure: chart from COM(2001) 298 showing Network & Information Security in relation to Hacking, CyberCrime, ID Theft, Intrusion, Data Retention, and Data Protection / Telecomm Framework]

13. This document does not deal in detail with legislative issues; the reader is referred to ETSI Technical Report 336 which provides further information on this subject. Also this document does not deal with Digital Rights Management (DRM); the reader is referred to the GRMG Group in CEN and, for Moving Pictures and Audio issues, to ISO/IEC JTC1/SC29/WG 11 [TBC].

E-Business

14. This report considers Network and Information Security in the context of the security issues arising in global e-business, where e-business is defined simply as any normal commercial transaction that is carried out electronically. The report does not address all aspects of network security but essentially those that relate to the user of e-business services. To help understand the scope, reference should be made to the security architecture described in the ITU report COM 17 D29, Security Architecture for Systems Providing End-to-End Communications. In essence this report addresses those security issues arising in the “End User Plane” as defined in the ITU report.

15. Typical transactions arising in e-business will include invoicing, ordering, payment etc. Other forms of activity, which though not strictly commercial, will have similar security issues. A prime example is mobile health care (“e-health”) where the security of communications is paramount in order to protect the privacy of patients. This report does not address the requirements of e-health in detail but appropriate references are made at various points in the report.

16. The emphasis in the report is on the use of generic, interconnected, multi-vendor public IP-based networks (the Internet). However reference is also made to the use of Virtual Private Networks, wireless LANs and 3G networks since it is likely that a specific e-business transaction may utilise one or more of these types of networks. Thus it is crucial that the various protocols (including security) are interoperable where required in order to establish and maintain the communications path.

This Report

17. In order to achieve its aim the report identifies existing relevant standards that contribute to Network and Information Security and support the requirement for interoperability in a global e-business environment. The report seeks to identify conflicts and overlaps between existing standards and to highlight gaps in the standards spectrum. It also identifies development activity being carried out by groups outside the official standardisation bodies that may result in the development of suitable standards.

18. The threats identified in the Commission’s communication are not solutions. However, recommendations can only be made in the domain of solutions, so it is necessary to identify all of the potential solutions appropriate to each threat and to identify the deficiencies of the solutions in each relevant domain.

19. The translation from threat to solution domain is done in two ways. First, several important “use cases” are identified from the points of view of several types of user and their requirements (“user requirements”). Second, the general threats to NIS are examined.

20. Finally, the recommendations are set out in the form of an action (e.g. development of a standard, commissioning a piece of research) to be carried out by a target (e.g. a standardisation body, a government) on a specific topic (e.g. e-signatures, biometrics).

User Requirements

21. The general recommendations proposed in this section are based upon a consideration of the security requirements of various classes of potential users of e-business services. The user classes are Home Users, Small to Medium Enterprises and Large Organisations and industries. More specific recommendations are also made in Part XXXX of this report.

Home Users

22. The home user today typically has a single PC and will use either dial-up over public switched networks (PSTN or ISDN) or broadband access facilities such as xDSL or a cable modem. In general there will be a single gateway (to the public Internet).

23. The following paragraphs describe current and envisaged future Home User applications (“use cases”).

Home Working

24. It is envisaged that there will also be significant growth in the near future in the number of home workers requiring access to office-based systems. This will lead to a requirement for standards for communications protocols (e.g. to provide connection from home-based workstations and networks to wide area networks providing global connectivity). There will be a requirement for information transmitted between home and base office to be protected.

Personal Business

25. Many home users will wish to carry out personal business transactions with online suppliers of products and services using the Internet. In the vast majority of cases these transactions will include the use of web-based services or email facilities.

Microprocessor control of Domestic equipment

26. It is envisaged that in the near future there will be significant growth in the use of microprocessor-based control for domestic systems. There will be a requirement for the home user to control such systems using personal computers in the home. Additionally it will be necessary for the home user to have limited remote control and system configuration facilities whilst not in the home.

27. A significant amount of work has already been carried out on behalf of the UK Department for Trade and Industry (DTI) (“The Application Home Initiative”). A copy of the report including recommendations for standards is available from the DTI, The Application Home Initiative (www.theapplicationhome.com) or from Telemetry Associates Ltd., Church Farm Barn, Rickinghall, Diss, Norfolk, UK IP22 1EC.

General Security Requirements

28. Consideration of the above use cases leads to the following general security requirements for Home Users:

a. Many home users will be unfamiliar with computer security and would benefit from the availability of guidance in the form of security checklists. These could be made available by product suppliers, Internet Service Providers (ISPs) and e-business service providers. [Recommendation].

b. Online suppliers of products and services to the Home User will need to provide assurance that private information being exchanged between the home user and the online supplier, such as credit card details, identity information and personal information such as addresses, is transmitted securely.

c. The home user cannot always protect the integrity and confidentiality of personal information after it leaves his personal computer. The expectation is that the ISPs and the e-business service providers should provide this assurance.

d. The home user will need effective, inexpensive (or free) security products to be available to protect personal information stored on the home PC. These products need to be easy to use (ideally “transparent” to the user) by non-computer experts and will counter the threat of hacking and virus attacks. The onus here is on the product suppliers. [Recommendation].

e. Application software to support the home user (e.g. PC operating systems, word processing packages, spreadsheet packages etc.) will be expected to be resistant to attack. Manufacturers of software for home systems should be responsible for ensuring that this is the case and for providing guidance on the safe operation of their systems. [Recommendation].

f. The home worker will need to be provided by his employer with ready-to-use systems with good security such as VPNs or end to end encryption facilities. [Recommendation].

g. Many microprocessor devices in the home will become accessible from the Internet and thus vulnerable to attack. Because, in many cases, they operate independently of human input, the establishment of automatic and remote methods of protection is necessary together with codes of practice and standards that underpin them. Since the average home user will be entirely ignorant of network security, this should be regarded as a major area of concern for Network and Information Security. [Recommendation].

SMEs

29. The SME user will typically be an organisation with a small number of employees (typically up to 50, although formally less than 250). The SME will generally have a Local Area Network providing connectivity via a public network. In general there will be a limited number of gateways (perhaps just one) to the external network.

30. The following paragraphs describe typical use cases for SMEs. In general a single SME may be both a user and a supplier of e-business services and consequently both use cases will apply to the SME.

SME as a user of e-business services

31. An example is an organisation that uses an Internet-based trading service to source raw materials or office supplies.

32. In this case the SME will have similar concerns to the Home User (see above). However the SME will hold personal data relating to employees, commercial data relating to trading partners, and business critical data such as customer lists, contract information etc. A loss of confidentiality, integrity or availability of such information could have a significant impact on the organisation including for instance infringement of legislation such as data protection, loss of business etc. and could in extreme cases lead to closure of the business.

SME as a supplier of e-business services

33. In this case the SME will be offering goods or services over the Internet, probably using web based applications. The SME will be responsible for protecting sensitive information held on its customers. It may also be perceived by its customers as having responsibility for security for the whole transaction path between itself and the customer.

General Security Requirements

34. Consideration of the above use cases leads to the following general security requirements for SMEs:

a. In some cases the SME may be unfamiliar with computer security and in consequence may benefit from the supply of guidance material as described in paragraph 28.a.

b. The SME as a user of e-business will expect that the ISP and the e-business supplier will protect the confidentiality and integrity of both personal and commercially sensitive data when it leaves the domain of the SME (similar to paragraph 17.b).

c. The SME will expect that effective security products will be available to protect personal and commercially sensitive information stored on the internal network. This will include the availability of secure web server application software. These products should be easy to use (ideally “transparent” to the user) by non-computer experts and will counter the threat of hacking and virus attacks that could affect the availability of the SME system.

Large Organisations and industries

35. The large organisation user will typically have multiple sites, possibly in several countries. It will normally have a large range of e-business partners (both providers of service and users) including commercial suppliers, banks, government organisations and Trusted Third Parties (e.g. Certification and Registration authorities). The organisation will have large numbers of networked workstations and may make use of Virtual Private Networks (VPNs). In the context of this report “large organisations” include government organisations where the communication is between government and citizen, but government to government is outside the scope.

36. Use cases for large organisations are similar to SMEs but large organisations will invariably act as both a supplier and a user of e-business services.

General Security Requirements

37. Consideration of the above leads to the following general security requirements:

a. The requirements of Large Organisations will mirror those of the SMEs, though it is expected that they will in general be aware of the need to provide adequate security to protect their systems and communications.

b. However, they may not have sufficient specialist security resources to formulate and operate a security regime. Consequently they may need advice/guidance/standards on security policies, risk assessments and the like.

c. In general it is likely that large organisations will be prepared to pay more for their security products than Home Users and SMEs and will be inclined to place trust in the major software suppliers.

d. The business of large organisations may extend to multiple sites in several countries and their trading partners will also be global in nature. As a result they will be more inclined to use security products conforming to international standards. Hence there is a need to address interoperability standards for Trust Service Providers and technologies such as Public Key Infrastructures which facilitate global e-business. [Recommendation].

General Threats to Network and Information Security



38. The e-business service must meet certain security objectives in order to protect the assets of the service and to ensure the availability of the service. The assets of the service are:

   a. The data of organisations and citizens using the e-business service.

   b. The assets of the e-business service itself (e.g. systems, networks, information).

   c. Data and remote control information to networked home-based equipment and systems.

   d. User authentication credentials.


39. The security objectives are:

   a. Authenticity. The property that the identity of a user of the e-business service is reliably verified.

   b. Confidentiality and Privacy. The property that information relating to users of the e-business service is not made available or disclosed to unauthorised users.

   c. Integrity. The property that information within the e-business service is not unknowingly altered or destroyed.

   d. Accountability. The property that a specific action can be traced uniquely to an individual.

   e. Availability. The property that the functions and information of the e-business service are accessible and usable by an authorised user.


40. The threats to the assets of the e-business service are summarised in the Commission's communication as follows:


41. These threats may be distilled into the following technical descriptions as set out in ETSI Technical Report No. 336:

   a. Masquerade ("spoofing"): The pretence of an entity to be a different entity. This may be a basis for other threats like unauthorised access or forgery.

   b. Unauthorised access: An entity accesses data in violation of the security policy in force.

   c. Eavesdropping: A breach of confidentiality by unauthorised monitoring of communication.



   d. Loss or corruption of information: The integrity of (transferred) data is compromised by unauthorised deletion, insertion, modification, reordering, replay or delay.

   e. Repudiation: An entity involved in a communication exchange subsequently denies the fact.

   f. Forgery: An entity fabricates information and claims that such information was received from another entity or sent to another entity.

   g. Denial of service: An entity fails to perform its function or prevents other entities from performing their functions.


42. The following table (adapted from ETS 336, see references) shows which security objectives are compromised by the above threats:

Threat                      Authenticity   Confidentiality Integrity      Accountability Availability
Masquerade                  X              X               X              X              X
Unauthorised Access         X              X               X              X              X
Eavesdropping                              X
Loss or Corruption of Data                                 X              X              X
Repudiation                 X                                             X
Forgery                                                    X              X
Denial of Service                                                                        X



43. The security objectives may be met within a series of high-level security measures as described in Part 0.



Security Services, Security Measures and Recommendations for Future Activities



44. This section of the report is structured using an adapted version of the framework devised by the UK government's Office of the e-Envoy for representing the security requirements in the context of an "e-citizen e-business e-government" environment. The following paragraphs explain how this has been done.



45. In order to protect the network and information systems that provide the e-business services, the threats to the security objectives described in part 0 must be countered by a number of technical or procedural security measures. These security measures can be grouped under a set of high-level security services. The high-level security services are as follows:


   a. Registration and Authentication Services. These services provide the means to ensure that users are uniquely and unambiguously identified and granted access only to those assets for which they have been authorised. The overall security of the e-business services and their assets relies ultimately on the capability to authenticate users of the service.

   b. Confidentiality and Privacy Services. These services provide the means whereby e-business information is stored and transferred securely. They also ensure that private information (such as an individual's medical information) is protected in accordance with legislation such as Data Protection.

   c. Trust Services. These services are required to ensure that e-business transactions are properly traceable and accountable to authenticated individuals and cannot be subsequently disavowed. They are the services that enable e-business service providers and e-business clients to make commitments in electronic form.

   d. Business Services. These services are required to ensure that the e-business applications are designed, configured and operated in a secure manner and their information assets properly protected against non-malicious threats, including accidental failure. E-business applications include the web servers that present the information to the e-business users and the back-office systems that host the applications.

   e. Network Defence Services. These services ensure that the physical assets, stored data and other assets of the e-business service are properly protected against malicious attack.

   f. Assurance Services. These services are intended to provide the e-business user with confidence that the technical (hardware and software applications) and non-technical (physical, personal and procedural) security measures provide protection against the assessed risk to the services. That confidence is achieved by ensuring that e-business services have been designed, configured and operated in a manner in accordance with identified standards. The end result of the process is often a statement to that effect in the form of a certificate [1]. Assurance services therefore apply across all the high-level security services defined above.



A. Registration and Authentication Services


46. It is of paramount importance that effective and secure registration and authentication services are put in place in an e-business environment, since registration and authentication represent the "front line" in the defence of the e-business services and data. For the purpose of this report the definitions of "authentication" and "registration" are taken from the UK Government's e-government Strategy Framework (see references):

   Registration. Registration is the process by which a user of the e-business service gains a credential (such as a username or digital certificate) for subsequent authentication. In many cases this will require the potential user to present proof of real-world identity (e.g. a birth certificate or passport) to the registration authority. It includes the case for anonymous or pseudonymous identity (i.e. the holder of the credential is entitled to a service without revealing a real-world identity).

   Authentication. Authentication is the process by which the electronic identity of a user (as represented by the credential supplied in the registration process) is asserted and validated by the e-business system to access specific e-business services. In general the authentication process checks that the user is the true owner of the credential supplied during the registration process, by means of a password or biometric for instance.



47. Registration and Authentication Services comprise the following activities:

   a. Effective user registration;

   b. Effective user identification and authentication;

   c. Effective access control;

   d. Effective user management.


Security Measures


Effective User Registration


48. The aim of user registration is to ensure that access credentials are only issued to those whose bona fides have been properly established. This is normally achieved by procedural means. In some cases an independent Trusted Service Provider may be involved in operating the registration process.

[1] Note that the use of "certificate" in this context is not the same as a "digital certificate" that is used to prove ownership of a public key.


Effective User Identification and Authentication (ID&A)


49. The aim of User ID&A is to ensure that access to the service is only granted to individuals whose credentials have been validated. It is achieved by the following measures:

   a. The asserted credential is verified by a password, biometric or digital certificate. A smartcard may be used to support the authentication mechanism.

   b. The use of firewalls, intrusion detection systems (IDS) and penetration testing will help prevent hackers gaining unauthorised access to e-business services.


50. Note that in some cases (notably in health care) it may be necessary to protect the real-world identity of the individual and provide pseudonymous or anonymous identity. MobiHealth is an EU-funded project in the IST programme set up to develop new mobile, value-added services in e-healthcare, including the identification of appropriate communications security standards (see http://www.mobihealth.org).


Effective Access Control


51. The aim of Access Control is to ensure that access to the services and the information is in accordance with user profiles. Access control may be based on software-based access control mechanisms operating at a service, file or record level and on access permissions held in digital certificates.



Effective User Management


52. The aim of User Management is to control and maintain user profiles in order that e-business service users may access those parts of the e-business service that are necessary to carry out their business requirement. The use of digital certificates may be appropriate to maintain such profiles.


Passwords


53. Username/password combinations are relatively insecure. Passwords are vulnerable to opportunistic attacks (e.g. badly structured passwords may be guessed, passwords may be accidentally disclosed to unauthorised individuals) or directed attacks such as password cracking. Standards have been issued by various bodies providing general guidance on password selection, usage, management and maintenance, and are listed in Annex A. Additionally, local guidance has been issued widely by individual organisations and national entities.



54. One-time password systems provide better protection because each password may be used once only. Passwords are typically generated automatically using software. Standards have been issued and are identified in Annex A.
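As an added illustration of the "used once only" property (not code from the report or from any standard listed in its Annex A), the following Python implements an HMAC-based counter one-time password in the style of RFC 4226 (HOTP), together with a server-side verifier that refuses any password at or below the last counter it accepted, so a password that has been observed cannot be presented again; the shared secret, digit length and look-ahead window are constructed example values.

```python
"""One-time passwords: each generated password is accepted at most once.

Added example for this report section. Implements an HMAC-SHA-1 counter scheme
in the style of RFC 4226 (HOTP); the secret and parameters are constructed.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Derive the one-time password for a counter value (RFC 4226 truncation)."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side: remembers the highest counter consumed so far.

    Only counters strictly greater than that are ever tested, which is what
    makes every password single-use: a replayed password can never match.
    """

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.look_ahead = look_ahead   # tolerate a few generated-but-unused tokens
        self.last_counter = -1         # nothing consumed yet

    def verify(self, candidate: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.last_counter = c  # consume this and every earlier counter
                return True
        return False


def demo() -> dict:
    """Normal use, a replay, a skipped token and a stale token; returns outcomes."""
    secret = b"constructed-shared-secret"   # constructed example value
    server = OtpVerifier(secret)
    first = hotp(secret, 0)
    return {
        "first_use": server.verify(first),              # fresh password: accepted
        "replay": server.verify(first),                 # same password again: rejected
        "skip_one": server.verify(hotp(secret, 2)),     # token 1 lost, 2 is in window
        "stale": server.verify(hotp(secret, 1)),        # older than last accepted: rejected
        "out_of_window": server.verify(hotp(secret, 10)),  # too far ahead: rejected
    }


if __name__ == "__main__":
    for event, accepted in demo().items():
        print(f"{event:14s} -> {'accepted' if accepted else 'rejected'}")
```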



Biometrics


55. At face value biometrics seem to offer a foolproof way of authenticating an individual. However, they do have specific vulnerabilities. Biometric-based authentication systems need to allow for day-to-day changes in a biometric. A "margin of error" is necessary so that day-to-day variations in an individual's offered biometric do not cause an authorised user to be rejected because the offered biometric does not match exactly with the stored biometric template. However, this margin of error may allow an unauthorised user to gain access to the system.


56. Thus a compromise must be found between performance (measured by the percentage of genuine users rejected by the system) and security (measured by the percentage of unauthorised users accepted by the system).
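To make the performance-versus-security compromise of paragraphs 55 and 56 concrete, here is an added Python example (not from the report) that computes the false rejection rate and the false acceptance rate over a range of acceptance thresholds and finds the threshold at which the two are balanced; all match scores are constructed sample data, not measurements from any real system.

```python
"""Biometric acceptance threshold: genuine users rejected vs impostors accepted.

Added example. Match scores are constructed sample data on a 0-100 similarity
scale (higher = closer to the enrolled template); a real system would measure them.
"""
from typing import Iterable, List, Tuple

# Constructed sample scores for ten genuine attempts and ten impostor attempts.
GENUINE_SCORES = [62, 70, 74, 78, 81, 85, 88, 90, 93, 96]
IMPOSTOR_SCORES = [20, 31, 38, 45, 52, 58, 61, 66, 72, 79]


def accept(score: int, threshold: int) -> bool:
    """Decision rule: a presented biometric is accepted if its score reaches the threshold."""
    return score >= threshold


def false_reject_rate(genuine: List[int], threshold: int) -> float:
    """Performance: fraction of genuine users turned away (score below threshold)."""
    return sum(1 for s in genuine if not accept(s, threshold)) / len(genuine)


def false_accept_rate(impostor: List[int], threshold: int) -> float:
    """Security: fraction of unauthorised users let in (score at or above threshold)."""
    return sum(1 for s in impostor if accept(s, threshold)) / len(impostor)


def trade_off(genuine: List[int], impostor: List[int],
              thresholds: Iterable[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) per threshold.

    Lowering the threshold widens the "margin of error": fewer genuine users are
    rejected but more impostors are accepted, and vice versa.
    """
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in thresholds]


def balanced_threshold(genuine: List[int], impostor: List[int],
                       thresholds: Iterable[int]) -> int:
    """Threshold at which FRR and FAR are closest (the equal-error operating point)."""
    return min(thresholds,
               key=lambda t: abs(false_reject_rate(genuine, t)
                                 - false_accept_rate(impostor, t)))


if __name__ == "__main__":
    print("threshold  FRR   FAR")
    for t, frr, far in trade_off(GENUINE_SCORES, IMPOSTOR_SCORES, range(50, 100, 5)):
        print(f"{t:9d}  {frr:.2f}  {far:.2f}")
    print("balanced at", balanced_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, range(50, 100)))
```

A higher-risk deployment would pick a threshold to the right of the balanced point (lower FAR, higher FRR) and, as paragraph 61 notes, pair the biometric with a second factor rather than loosen the threshold.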



57. Other biometric vulnerabilities include mimicry (e.g. of signature or voice) and spoofing (e.g. a fake finger using the residual image left behind on a fingerprint reader).


58. However, biometric-based authentication systems offer some flexibility in use. For instance they can be used in the same way as a password to verify a claimed identity (i.e. one-to-one comparison) or in pure identification mode, where an individual asserts his identity simply by presenting a biometric alone (one-to-many comparison).


59. Biometric-based authentication may be used in both positive identification (i.e. similarly to passwords, to prove I am who I say I am) and negative identification (i.e. to prove I am not who I say I am not).


60. Though there are very few issued standards on biometrics, there are numerous groups carrying out activities which could lead to the development of useful standards:

   a. ANSI/NIST

      i. ITL-2000 Data Format for the interchange of Fingerprint, Facial and Scar Mark/Tattoo.

      ii. X9.84 Biometrics Management and Security for the Financial Services Industry. Specifies the security of the physical hardware and the management of the biometrics data throughout the biometric life cycle.



      iii. CBEFF Common Biometric Exchange Format. Describes a set of data elements necessary to support biometric technologies independently of application and use (e.g. smart cards, data storage).

      iv. Performance Testing Methodology, Assurance, Protection Profiles, Best Practices.

      v. BioAPI version 1.1. Application Programming Interface defining a generic way of interfacing to a broad range of biometric technologies. Developed by the BioAPI consortium (comprising approx. 80 biometrics vendors) with the aim of providing cross-platform support.

      vi. B10.8/AAMVA. Driving Licenses and Identification. Format for fingerprint minutiae on Driving Licenses.


   b. ISO/IEC/JTC1/SC17 has a series of work groups working on various aspects of biometric-based authentication:

      i. WG1: Physical Characteristics of Smart Cards (e.g. location of fingerprint sensor on card)

      ii. WG3: Machine readable travel documents

      iii. WG4: Smart Cards: ISO/IEC 7816 Personal verification through biometrics

      iv. WG10: Motor Vehicle Driver Licenses: Biometrics and Encryption

      v. WG11: Biometrics: development of BioAPI and CBEFF (see above) into ISO standards


   c. ISO/IEC/JTC1/SC 37 is a working group with the aim of accelerating the development and adoption of biometrics standards such as BioAPI and CBEFF through the ISO process.


   d. Other Organisations/Activities

      i. Work is also being undertaken widely in Industry (Biometric Consortium), Academia and Government.

      ii. In the US the NSA and the DoD carry out research into biometrics. The DoD has established the Biometrics Management Office to ensure the availability of biometrics technologies within the DoD.

      iii. In the UK the UK Biometrics User Group, comprising a group of vendors, standards developers and users, is organised by the UK National Technical Authority for Information Security (CESG) and mainly funded by the Office of the e-Envoy. The group includes representatives from the US, Canada and Germany. It is active in developing Performance Standards, Best Practice guidance, Protection Profiles and Common Criteria Evaluation Methodology. It is intended that Protection Profiles and Common Criteria may be issued under the ISO Common Criteria standard in due course. Discussions are taking place with the US Biometrics Office to attempt to rationalise the UK-developed Protection Profiles and the US Protection Profiles.


      iv. Biovision is an EU-funded initiative conceived in Framework 5, the programme being carried out in Framework 6. The aim is to produce a "road map" for biometrics.

      v. The UK National Authority for Infosec is currently working on a method that will allow the "strength" of different authentication technologies (biometrics, passwords and tokens) to be compared.


61. The use of biometrics for authentication is a relatively new technique which potentially offers advantages over traditional authentication techniques, particularly in terms of convenience and some security aspects (e.g. a biometric cannot be stolen or guessed). However, concerns over performance versus security mean that biometrics are generally used in low-risk situations. In general, for higher-risk situations biometrics may be combined with other authentication technologies (such as passwords, PINs or smart cards) to provide a combined security measure which is commensurate with the assessed risk to the system.



62. There are also general public concerns about the physiological effects of the use of biometrics and civil liberty issues related to the holding of biometric records by law enforcement authorities.


Digital Certificates


63. A digital certificate contains information in electronic form that identifies the owner of a specific public key. A third party who is trusted by the e-business service provider digitally signs the certificate to prove its authenticity. The user presents the digital certificate to the e-business service and is authenticated by proving possession of the matching private key. A Public Key Infrastructure is generally required to support the distribution, management and maintenance of digital certificates. Digital certificate standards define the format of the certificate and privacy-enhancing features. Relevant standards are listed in Annex A.


Smart Cards


64. A smart card is a credit-card-sized token containing a microprocessor enabling it to process and store information, to support single or multiple applications and to operate both off-line and on-line. They may be used as contact cards, where the card and the card reader are in contact during the operation, or contactless cards, where the card and the card reader communicate with each other over a short distance.



65. Smart cards are an important enabler of e-business applications, particularly because they can be used to hold authentication information such as a user's private key in a PKI scheme or a user's biometric template. The card may be activated by a user PIN or biometric sample, thus avoiding security issues associated with sending authentication credentials over computer networks. In addition to providing secure access control, smart cards may also be used in a wide variety of other applications such as electronic purses, storage of confidential information and loyalty cards.


66. Though smart cards are vulnerable to physical attacks, these attacks are technologically difficult to mount, so for this reason smart cards do offer secure access control.


67. Many of the standards associated with smart cards are associated with defining the physical design of the card in order to achieve interoperability with card readers. Other standards are application specific and describe how the smart card interacts with the application. See Annex A for issued smart card standards. In addition the following groups are working on smart card activities.


68. CEN has issued a large number of European standards on aspects of smart cards. See Annex A for a full list. The following proposed standards are in development (see the CEN web page www.cenorm.be/isss for the latest status of these documents):




Reference | Title | Comments
CEN pr TS 1332-5 | Identification card systems - Man-machine interface - Tactile identification of applications - embossed symbols for the differentiation of applications of ID1 cards | Working draft to be provided by WG 6
CEN pr TS IOPTA | Identification card systems - Interoperable public transport applications - Ticketing applications | Working draft to be provided by CEN/TC 224 WG 11
CEN pr TS 14062-3 | Identification card systems - Electronic fee collection - Part 3: Application and security aspects | Working draft to be provided by CEN/TC 224 WG 11
CEN pr TS 14062-4 | Identification card systems - Electronic fee collection - Part 4: Test procedures | Working draft to be provided by CEN/TC 224 WG 11
EN ISO/IEC 7810 | Identification cards - Physical characteristics | Revision of EN ISO/IEC 7810:1996 by transposition of the revised edition of the ISO/IEC Standard
EN 13343-1 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726-3 - Part 1: Implementation Conformance Statement (ICS) proforma specification | Formal Vote to be launched
EN 13343-2 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726-3 - Part 2: Test suite structure and test purposes (TSS and TP) | Formal Vote to be launched
EN 13343-3 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726- - Part 3: Abstract test suite (ATS) and implementation for testing (IXIT) proforma specification | Formal Vote to be launched
EN 13344-1 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726- - Part 1: Implementation conformance statement (ICS) proforma specification | Formal Vote to be launched
EN 13344-2 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726- - Part 2: Test suite structure and test purposes (TSS and TP) | Formal Vote to be launched
EN 13344-3 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726- - Part 3: Abstract test suite (ATS) and implementation extra information for testing (IXIT) proforma specification | Formal Vote to be launched
EN 13345-1 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726- - Part 1: Implementation conformance statement (ICS) proforma specification | Formal Vote to be launched
EN 13345-2 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726- - Part 2: Test suite structure and test purposes (TSS and TP) | Formal Vote to be launched
EN 13345-3 | Identification card systems - Telecommunications IC cards and terminals - Test methods and conformance testing for EN 726- - Part 3: Abstract test suite (ATS) and implementation extra information for testing (IXIT) proforma specification | Formal Vote to be launched


69. In addition CEN Technical Committees 224, 251 and 278 are carrying out application-specific work on smart cards in the areas of healthcare, transport and people with special needs.


70. CEN/ISSS Workshop FINREAD validated a set of technical specifications produced by a consortium of banking interests for a secure IC card reader for bankcard payments and remote banking services delivered over the Internet and open networks. CEN/ISSS Workshop Embedded FINREAD is now extending the specification to card acceptance devices linked to mobiles, PDAs and set-top boxes. The FINREAD specifications are available from the CEN web site for downloading; see Annex A for details.


71. A new CEN/ISSS Workshop will shortly be announced for European Electronic Authentication, to cover a functional architecture and required IAS (Identification, Authentication and electronic Signature) characteristics for a European Public Identity using smart cards, and other aspects related to multi-application cards and user best practice. This will take the major results of the Smart Card Charter activity and collaborate with similar work in Japan and the US.

72. ETSI is also carrying out a considerable amount of work under the Smart Card Project (EP SCP), approved in March 2000 to replace the SMG Technical Sub-Committee SMG9. EP SCP provides a central focus for the standardisation of a common integrated circuit (IC) card platform for 2G and 3G mobile communication systems. It also enables the participation of companies involved in standardisation work in 3GPP, 3GPP2, GAIT, T1P1, TR45 and other related activities.


73. The main responsibilities of EP SCP are:

   - development and maintenance of a common IC card platform for all mobile telecommunication systems;

   - development and maintenance of the application-independent specifications for the Integrated Circuit Card/Mobile Equipment interface of those telecommunication systems under the responsibility of ETSI;

   - development and maintenance of IC card standards for general telecommunication purposes;

   - development and maintenance of IC card standards employing advanced security methods for telecommunications applications such as financial transactions over Mobile Telecommunication Networks ("mobile commerce").


74. The main tasks of EP SCP are:

   - maintenance of the common platform standards developed by the committee;

   - specification of enhancements to the common platform to allow the addition of innovative features and functions;

   - specification of generic issues for IC cards for Telecommunications; these include but are not restricted to:

      - physical enhancements and specification of new form factors;

      - interface enhancements such as new commands and improved speed;

      - generic application download and load mechanisms;

      - electrical parameters and protocol issues;

      - advanced security mechanisms and related protocols;

      - advanced functionality for use by applications supported by the common platform standards;

      - specifications for the use of low voltage technology for telecommunications cards;

      - enhancement of the existing specification ETSI TS 102 222 for administrative commands;

   - elaboration and maintenance of IC card related test specifications for the common platform in collaboration with the respective groups of 3GPP and other mobile smart card specification bodies;

   - identification and investigation of the standardisation of application features such as ME personalisation, PLMN selectors, access technology selectors and a common phonebook (Telecom Directory);

   - identification and investigation of new features and functionalities such as transmission enhancements and the use of databases.



75. SCP has established direct liaisons with the relevant bodies of all committees involved in elaborating the common platform. In particular, SCP has direct liaisons with ETSI TC SEC, involved in the specification of security matters. In addition, SCP has liaison with CEN TC224. Other liaisons with regional and national bodies remain to be identified. For further information on SCP liaison activities see: http://webapp.etsi.org/Forawatch/HOME.ASP?TB=534&FIND=SEARCH_TB



76. SCP has established three working groups (SCP WG1-3) to progress its work on smart cards. Further information on their terms of reference can be found at the above address.


77. ETSI has also published numerous specifications regarding authentication for mobile telephony. Annex A contains a list of these specifications. The specifications may be downloaded from the ETSI web site (www.etsi.org).


78. Annex A contains a list of current ETSI specifications and current work items.


79. The eEurope Smart Card (eESC) is an activity that was launched by the European Commission in 1999 in response to the eEurope initiative. The aim of eESC is to accelerate the development of smart cards across Europe as the preferred method of access control to information society services. The activity is industry-driven but membership is open to developers and potential users of smart-card-based applications. The eESC has produced a set of Common Specifications with the aim of achieving an interoperable European smart card infrastructure based upon existing standards and workshop agreements, including:

   a. ETSI/CEN Joint Workshops EESSI

   b. ISSS Workshops eURI, FASTEST

   c. FINREAD and Embedded FINREAD

   d. Common Criteria for smart card security

   e. NICSS Documents

   f. US NIST GSC documents.


80. A full list of eESC documents extracted from the eESC web site is contained in Annex A. More details on eESC can be found at www.eeurope-smartcards.org



81. The Personal Computer Smart Card workgroup, comprising Groupe Bull, Hewlett Packard, Microsoft, Schlumberger and Siemens Nixdorf, has developed a specification to facilitate interoperability in a PC environment. The specification is in eight parts as follows:

   a. Part 1, Introduction and Architecture overview

   b. Part 2, Interface Requirements for Compatible Smart cards and Interface Devices

   c. Part 3, Requirements for PC-Connected Interface Devices

   d. Part 4, IFD Design Considerations and Reference Design Information

   e. Part 5, ICC Resource Manager Definition

   f. Part 6, ICC Service Provider Definition

   g. Part 7, Application Domain/Developer Design Considerations

   h. Part 8, Recommendations for Implementation of Security and Privacy ICC Devices.


82. The Smart Card Alliance is a US/European association of various organisations including representatives from government and the finance, computing and telecommunications, healthcare, retail and entertainment sectors. The alliance's aim is to encourage the use of smart cards through education programs, market research, advocacy and open forums (see www.smartcardalliance.org).


83. Eurosmart is a joint project between Europe and Japan with the aim of reinforcing co-operation between Europe and Japan. In particular it has developed a series of specifications for electronic purse applications, a glossary of smart card security terms and a set of Common Criteria protection profiles for smart cards (see www.eurosmart.com).



84. A working group consisting of Europay International, Mastercard and Visa (EMV) has issued a series of specifications for smart cards and smart card terminals. These include aspects such as public key security, secure messaging and data authentication. The specifications are covered in the documents Integrated Specifications for Payment, comprising:

   a. Part 1: Electromechanical Characteristics, Logical Interface, and Transmission Protocols, EMV 1996

   b. Part 2: Data Elements and Commands, EMV 1996

   c. Part 3: Transaction Processing, EMV 1996

   d. Part 4: Integrated Circuit Card Terminal Specification, EMV 1996.


85. Visa and Mastercard International have also issued the joint specification for Secure Electronic Payment (SET). SET specifies the use of message encryption, digital signatures and cryptographic certificates to provide confidentiality, integrity and authentication services using RSA cryptography.


86. The European Committee for Banking Standards (ECBS) has developed guidance in the form of technical reports (generally based upon existing European or International standards) on secure banking over the Internet. See www.ecbs.org for details.


87. ISO/IEC JTC1 SC25 WG1 is starting to work on a standard for aspects of security as they impinge on the home-based user of home electronic systems and equipment. Input to the sub-group that will be developing this standard will be welcomed.

Recommendations



B. Confidentiality and Privacy Services


88. Confidentiality services provide the means by which sensitive information held on or transmitted from e-business systems is prevented from being disclosed to individuals not authorised to see it. This includes information that may be sensitive at a national level (e.g. national security), or at a corporate (e.g. commercial) level, or appertaining to a specific individual (privacy).



89. Unauthorised disclosure can cause damage both through invasion of the privacy of individuals and through the exploitation of data intercepted. It may also be subject to statutory requirements such as Data Protection or Human Rights, or legislation associated with national security such as Lawful Interception. ETSI has issued a series of technical papers through Technical Committee U on aspects of Lawful Interception, and work is also being undertaken in Technical Subgroups such as SPAN, TETRA, TIPHON and 3GPP. A list of completed documents can be found in Annex A.


Security Measures


90. The aim of Confidentiality services is to prevent the disclosure of sensitive information stored within the e-business services or in transit over networks to individuals not authorised to receive the information.


91. The aim of Privacy services is to ensure that private data appertaining to an individual (such as medical or financial data) is protected in accordance with data protection legislation. Note that in some cases it may be necessary to provide protection for many of the transaction fields, including identity, origin, destination, etc. See www.mobihealth.org.


92. The security measures that support confidentiality and privacy are mainly predicated upon effective access control functions and are consequently the same as those for authentication (see section A). This section of the report deals with additional measures over and above those for authentication.


93. The additional security measures required are:

a. The use of encryption to control access to stored or transmitted data.

b. An effective object re-use procedure to prevent the accidental release of sensitive information to unauthorised individuals.


Encryption


94. Encryption may be used to protect information stored within the systems providing the e-business services and within the end-user systems. It may also be applied at various levels in the networking infrastructure to protect transmitted information.


Encryption of stored information


95. There are many stand-alone, low-cost (or free) PC-based products available for encrypting stored information. Unfortunately these are often difficult to use for the non-technical user. Documentation is generally poor and there is a lack of information on issues such as key management. Stand-alone systems may be based upon symmetric key techniques that involve the end user in key generation and distribution. More efficient products are based upon a mixture of symmetric encryption for bulk encryption, supported by asymmetric (public key) encryption for the transfer of keys. Many products also require the recipient to have the same or a compatible product installed on his system. In some cases encryption features are included in application products such as word processing packages.



96. Some of the more sophisticated (and expensive) products are supported by a Public Key Infrastructure to provide for the maintenance and distribution of key material. In general, however, these products are considered too expensive for the home user.


Electronic mail encryption



97. The de facto standard for defining the content, format and capabilities of electronic mail is the Multipurpose Internet Mail Extensions (MIME) specification. MIME defines the structure of messages and multi-media attachments; it does not itself provide encryption. Secure MIME (S/MIME) adds security to email messages using the MIME standard. Messages are encrypted using symmetric encryption, but an asymmetric (public key) mechanism is used for key exchange. Note that S/MIME also provides a digital signature using a public key mechanism. S/MIME utilises the X.509 certificate standard for the provision of a certificate hierarchy. The S/MIME message specification is defined in RFC 2633 (see APEC 6.1.132).


98. S/MIME supports the Data Encryption Standard (DES), Triple DES and RC2 for symmetric encryption, and the Rivest-Shamir-Adleman algorithm (RSA) for public key encryption.


99. Other specifications such as Pretty Good Privacy (PGP) are also widely used. The PGP message format has been published by the IETF as OpenPGP (RFC 2440), but PGP is not yet regarded as an official standard in the sense of this report. The main issue surrounding the use of products such as PGP is a lack of interoperability with other encryption products: PGP and S/MIME use different message and certificate formats and do not interoperate with one another.


Network Encryption


100. The industry standard network layer protocol for Ethernet networks and the Internet is the Internet Protocol (IP). IP is a packet-switching protocol providing for the fragmentation, routing and re-assembly of packets.



101. The industry standard transport layer protocol for Ethernet and the Internet is the Transmission Control Protocol (TCP). TCP adds reliable communication, flow control, multiplexing and connection-oriented communication to the IP services. TCP is used to communicate between client and server in a client/server environment and supports applications such as Web services, electronic mail and file transfer.


102. The Transport Layer Security protocol (TLS) was developed by the Internet Engineering Task Force (IETF) to provide encrypted communications on the Internet. TLS is based upon the proprietary Secure Sockets Layer (SSL) protocol developed by Netscape. SSL/TLS provides transport layer communications security by encrypting the content of a TCP connection between two end points in a network. It may be used to provide security for protocols such as the Simple Mail Transfer Protocol (SMTP), the Post Office Protocol (POP3) and the Lightweight Directory Access Protocol (LDAP), but it is mainly used to provide security between web browsers and web servers. TLS/SSL also allows sessions that are not encrypted but are authenticated and proof against tampering.


103. TLS/SSL has the advantage of being present in most of the common web browsers on the market. However, it should be borne in mind that it only provides security between the TCP endpoints of a connection: it does not provide security for stored data or application-level security, and where the connection is terminated at an intermediate proxy or load balancer the traffic is unprotected beyond that point. The TLS standard is defined in IETF RFC 2246 (TLS 1.0), not ISO/IEC 10736, which is the OSI Transport Layer Security Protocol (see also APEC, section 4.1.8).



104. IPsec is a security architecture developed by the IETF for securing the transmission of data across IP-based networks. It may be used in Transport mode, which encrypts only the payload of the transmitted packet (i.e. the IP routing information is sent in clear), or in Tunnel mode, in which the whole original packet, including its IP header, is encrypted and encapsulated in a new IP packet. It is the latter mode that is widely used as the mechanism for creating IP-based Virtual Private Networks (VPNs). However, the only encryption algorithm that the IPsec standard requires every implementation to support is single DES (RFC 2405); until the Advanced Encryption Standard (AES, FIPS 197) is incorporated into the IPsec specifications, products that rely on DES alone are vulnerable to brute force attacks, and Triple DES (RFC 2451) should be selected where it is offered. The IPsec standard is described in RFC 2401: Security Architecture for the Internet Protocol (see APEC 6.1.76).


105. Note that the current protocol standard for IP networks, IPv4, is expected to run out of address space in the near future. Its successor, IPv6, will resolve the address space issue and is compatible with IPsec.


106. ETSI SAGE (Security Algorithms Group of Experts) is a task force with responsibility for standardisation in the areas of cryptographic algorithms, fraud prevention, unauthorised access to private and public telecommunications services and privacy of user data. In particular, SAGE has recently delivered algorithm specifications to the Third Generation Partnership Project (3GPP) for the protection of the confidentiality and integrity of information transmitted over the Universal Mobile Telecommunications System (UMTS).


107. The increasing use of voice over IP may introduce security concerns resulting from the unmanaged and unpredictable nature of voice traffic. ETSI has established the TIPHON (Telecommunications and Internet Protocol Harmonisation over Networks) group in order to establish standards for voice over IP networks.

108. The project's objective is to support the market for voice communication and related voiceband communication (such as facsimile) between users. It will ensure that users connected to IP-based networks can communicate with users in Switched Circuit Networks (SCNs, such as PSTN, ISDN and GSM), and vice versa, as well as between users in SCNs where IP-based networks are used for connection/trunking between the SCNs involved.


109. The support comes in the production of appropriate ETSI deliverables: technical specifications and reports. In addition, the activity will include validation and demonstrations in order to confirm the appropriateness of the solutions proposed.


110. Given the universal nature of IP networks, the prime goal is to produce global standards. As ETSI is essentially a European body, it recognises that co-operation with relevant groupings in ITU-T and IETF is necessary. ETSI specifically believes that it has a role in opinion leadership and in helping to build consensus between all the major market players. The Institute co-operates closely with relevant fora, especially the IMTC VoIP Activity Group.


111. The following workshop themes have been identified:

- Requirements for service interoperability, technical aspects of charging/billing and security;
- Architecture and reference configurations;
- Call control procedures, information flows and protocols;
- Naming, Numbering and Addressing;
- Quality of Service;
- Verification and Demonstration Implementation.


112. A major issue for the future of network security is the potential use of many communications protocols (e.g. IP, short-range wireless such as Bluetooth, mobile telephony) within a single transaction. Security will need to be both effective and transparent to the user over the whole transaction path. There is a requirement for the standardisation bodies to develop interoperability standards which will facilitate the security of transactions over multiple protocols.



Object Re-use Policy


113. An object re-use policy should be in place to prevent the inadvertent release of sensitive information to unauthorised individuals. This applies to unauthorised individuals within the e-business environment (i.e. in the domain of the e-business supplier or within the domain(s) of e-business users). In most cases the threat will arise when workstations, computers or magnetic media (e.g. floppy discs, tapes, CD-ROMs) are released for disposal. Disclosure of sensitive information may be subject to data protection legislation.


114. The use of secure physical disposal procedures and/or the use of reputable software-based data erasure products are appropriate measures against this threat. Note that simply deleting a file or reformatting a disk does not remove the data from the medium; the sectors remain recoverable until they are overwritten.

Recommendations




C. Trust Services


115. Trust services provide the confidence that e-business transactions have in fact been carried out by those individuals purporting to have carried them out, and provide the necessary evidence to support that fact. They ensure that commitments made by authenticated individuals cannot subsequently be disavowed. Effective Trust Services are predicated on the fact that individuals have been subject to a rigorous registration and authentication process to establish their credentials.



116. The evidence created may be required to support informal or formal agreements between parties, financial transactions or legal actions between parties. In many cases it may also be necessary to retain evidence that transactions resulting from the commitment were in fact carried out.


117. Trust Services will often be provided by independent Trusted Service Providers (TSPs) to participants in the e-business service.


118. In the context of this document Trust Services comprise the following activities:

a. Key Management

b. Non-Repudiation

c. Evidence of Receipt

d. Trusted Commitment Service

e. Integrity


119. Other services which are commonly supplied by TSPs include archive services (e.g. long term storage of documents, key pairs, certificates), directory services and notarisation services. These services are considered to be outside the scope of this report.



120. Note that the activities described below in the sections on Security Objectives and Security Measures may be carried out by a single TSP or a combination of TSPs.


Security Measures


Key Management


121. The aims of Key Management are as follows:

a. Provide the means for the secure generation, storage, distribution, revocation and recovery of cryptographic keys;

b. Protect secret keys from disclosure to unauthorised individuals whilst in storage or in transit;

c. Protect the integrity of archived keys and, if appropriate, apply time-stamping to indicate the validity period of the key;

d. Where appropriate, provide key escrow facilities to enable key recovery under legal warrant or for business purposes. (The ETSI LI group has developed several documents, including European Standards, covering Lawful Interception. They are not covered in this document but can be found at http://portal.etsi.org/li.)



Non-Repudiation


122. The aim of a Non-Repudiation service is to furnish evidence that the originator of an electronic transaction or communication is the real-world identity associated with the electronic identity. Measures which support this service are:

a. At very low risk levels a user identity and a transaction number may provide the appropriate level of confidence. Additional confidence may be provided by using agreed passwords to authorise the transaction. Note that a password is a secret shared with the verifier, so it cannot by itself prove to a third party which of the two parties acted.

b. Stronger measures will be based upon electronic signatures supported by proof of ownership of public keys.

c. Procedural measures such as audit log files showing transaction times and records of system activities may be used to support the security measures.

d. A secure time-stamp may be used to show the specific time at which an e-business transaction was carried out.

e. Independent Certification Authorities may be used to confirm the identity of individuals, prove the ownership of public keys and provide a Public Key Infrastructure (PKI) to support the generation, distribution and maintenance of key material.

f. Smart cards may be used as signature creation devices to carry public and private keys and digital certificates.




Evidence of Receipt.


123. The aim of an Evidence of Receipt service is to furnish evidence that the intended recipient of an electronic transaction has in fact received the communication. Depending on the nature of the transaction, the evidence provided will range from simple proof that the recipient's communication equipment or electronic address has received the communication, to proof that the communication has been delivered to and read by the real-world identity of the recipient. The following measures support an Evidence of Receipt service:

a. At very low risk levels simple indications that a message has been received may suffice.

b. Stronger measures will be based upon responses to the originator which are protected by appropriate non-repudiation and integrity services and possibly supported by a PKI.


Trusted Commitment Service.


124. The aim of a Trusted Commitment Service is to furnish evidence that electronic commitments (such as payments) entered into by parties to an e-business transaction have been properly authorised.


125. A Trusted Commitment service requires that the commitment entered into between parties to the e-business transaction is protected by an appropriate level of non-repudiation, proof of receipt and integrity service. Hence this aim is achieved by the measures defined for non-repudiation, proof of receipt and integrity.


Integrity


126. The aim of an Integrity service is to furnish evidence that the contents of an electronic communication or transaction received by the recipient are the same as the communication sent by the originator and could not have been modified, either deliberately or accidentally, en route to the recipient. The following security measures protect an Integrity requirement:

a. At low risk levels, simple checksums may be adequate (to protect against accidental corruption, for example). A checksum offers no protection against deliberate modification, since anyone who can alter the data can recompute the checksum.

b. At higher risk levels, electronic signatures are preferred: the originator appends a signed hash of the message to the transaction and the recipient verifies it. A PKI may be used to support an electronic signature regime.


Electronic signatures


127. An electronic signature is data in electronic form that is attached to or logically associated with other electronic subject data and serves as a means of authentication. The definition includes scanned images, signatures produced by hand-written signature capture devices and digital signatures. This report only addresses digital signatures.


128. A digital signature is one form of electronic signature that uses a cryptographic transformation of the data to allow the recipient of the data to prove the origin and integrity of the subject data and to protect against forgery of the data by the recipient. A digital signature is created by computing a hash of the component to be signed (e.g. an electronic message) and applying the originator's private key to that hash (for RSA this private-key operation is often loosely described as "encrypting" the hash). The digital signature is transmitted to the recipient together with the message. The recipient recomputes the hash of the received message, applies the originator's public key to the signature and compares the two values; a match proves the origin and integrity of the message.


129. On 13 December 1999 the European Parliament and Council adopted Directive 1999/93/EC, providing a Community framework for electronic signatures (Dir. 1999/93). Details can be found at http://www.ict.etsi.org/eessi/Documents/e-sign-directive.pdf. This Directive focuses on the legal recognition of electronic signatures. It identifies minimal requirements for certificates, certification service providers and signature creation and verification devices. Individual Member States were tasked with implementing the Directive in national legislation.


130. Directive 1999/93 allows the European Commission to establish and publish references of generally recognised standards for electronic signature products. As a consequence, European Union Member States' laws shall presume compliance with the requirements laid down in the Directive when an electronic signature product meets the requirements laid down in those standards.


131. The lack of standards to support the use of electronic signatures and public key certificates has been identified as one of the greatest impediments to electronic commerce. The deployment of vendor-specific new infrastructures is currently in progress. It is recognised by different parties that there is an urgent need for standards to provide the basis for an open electronic commerce environment. Speedy specifications in this area will make it possible to influence early developments.


132. The European ICT Standards Board, with a mandate from the European Commission, has launched an industry initiative bringing together industry and public authorities, experts and other market players, in support of the European Directive on electronic signatures: the European Electronic Signature Standardisation Initiative (EESSI). The initiative is open to all who wish to participate. Wherever possible the EESSI has built upon existing specifications from ITU, ISO and IETF and focused on profiling and supplementing available material and, where necessary, developing new specifications. The EESSI process is now in the course of completion; the most relevant EESSI deliverables are under consideration by the European Commission, in consultation with the Article 9 Committee of Member States, for adoption as "generally recognised standards" under the Directive.


133. Under the work programme defined and co-ordinated by the EESSI Steering Group, the development and maintenance of the required standards is entrusted to two separate bodies: the European Committee for Standardization's Information Society Standardisation System (CEN/ISSS) and the European Telecommunications Standards Institute (ETSI/ESI). Each has developed a range of standards under its own procedures, but also under the umbrella of the EESSI programme and in close co-operation with the other. In each case the standards are drafted by expert teams, subsequently reviewed by the industry representatives attending the respective working groups of CEN and ETSI, and finally approved by the members of the organisations.


134. The EESSI also commissioned a special group to identify digital signature algorithms which meet the Directive's requirements of security and interoperability. The resulting report is published on the EESSI web pages.



135. Further information regarding EESSI can be found at http://www.ict.etsi.org/eessi/EESSI-homepage.htm.



136. CEN/ISSS has developed documents through the operation of an open technical Workshop, 'E-SIGN', created specifically for this purpose. Documents developed and approved by this process are CEN Workshop Agreements (CWAs). See Annex A for a list of current E-SIGN Workshop Agreements. Further information is available from http://www.cenorm.be/isss/workshop/e-sig.



137. In ETSI, standardisation in the area of electronic signatures and infrastructures is currently taking place in the ETSI Technical Committee ESI. ETSI TC ESI collaborates with interested parties and stakeholders in the marketplace, including vendors, operators, user organisations and other standards bodies. The overall aim of ETSI TC ESI is to address some basic needs of secure electronic commerce and of secure electronic document exchange in general by providing specifications for a selected set of technical items that have been found both necessary and sufficient to meet minimum interoperability requirements. Examples of business transactions based on electronic signatures and public key certificates are purchase requisitions, contracts and invoice applications.



Hash Functions


138. A hash function is a function which compresses strings of bits of arbitrary length (the input string) to strings of a fixed length (the output string) such that:

a. it is not computationally feasible to determine an input string from a given output string (pre-image resistance), and

b. it is not computationally feasible, for a given input string, to generate a second, different input string that produces the same output string (second pre-image resistance). For signature use the function should also be collision resistant, i.e. it should be infeasible to find any two different input strings with the same output string.



139. A list of current hash function standards is contained in Annex A.


Time-stamping


140. A time-stamping function creates a verifiable cryptographic binding between a data item (such as a digital signature) and the time at which the data item was generated. ISO/IEC has issued ISO/IEC 18014, a two-part standard comprising Part 1: Framework and Part 2: Mechanisms producing independent tokens. ETSI has also produced ETSI TS 102 023 v1.2.1, Policy requirements for time-stamping authorities. More details of these and other standards can be found in Annex A.
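The hash-then-sign mechanism of paragraph 128, the hash function properties of paragraph 138 and the time-stamp binding of paragraph 140 can be seen working together in the following added example. It is illustration code written for this report, not code from the report or from any CEN/ETSI or ISO/IEC deliverable. It uses textbook RSA with no padding so that the mathematics is visible; that is not acceptable for real systems, which use RSASSA-PSS or PKCS#1 v1.5 signatures, X.509 certificates and the ISO/IEC 18014 or RFC 3161 token formats. The key sizes, the sample purchase order, the "TSA" key pair and the time value are all assumptions made here for the demonstration.

```python
"""Hash-then-sign digital signature and a time-stamp token (textbook RSA).

Added illustration for paragraphs 128, 138 and 140 of this report; not code
from the report. Textbook RSA without padding: for demonstration only.
"""
import hashlib
import random

PUBLIC_EXPONENT = 65537


def is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin primality test; error probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(prime_bits: int = 512, seed=None):
    """Return ((n, e), (n, d)); the modulus n has about 2*prime_bits bits.

    A seed gives reproducible keys for tests only; never seed a real generator.
    """
    rng = random.Random(seed)

    def random_prime() -> int:
        while True:
            cand = rng.getrandbits(prime_bits) | (1 << (prime_bits - 1)) | 1
            if is_probable_prime(cand, rng) and (cand - 1) % PUBLIC_EXPONENT:
                return cand

    p = random_prime()
    q = random_prime()
    while q == p:
        q = random_prime()
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, PUBLIC_EXPONENT), (n, d)


def digest(data: bytes) -> int:
    """Hash step: arbitrary-length input to a fixed 256-bit output (as an integer).

    The 256-bit output is smaller than the ~1024-bit modulus, so in this toy
    scheme it can be fed to the private-key operation directly.
    """
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data: bytes) -> int:
    """Originator: apply the private-key operation to the hash of the data."""
    n, d = private_key
    return pow(digest(data), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Recipient: recover the hash with the public key, compare with a fresh hash."""
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == digest(data)


def _binding(item: int, timestamp: int) -> bytes:
    """Canonical encoding of (data item, time) that the time-stamping authority signs."""
    return item.to_bytes((item.bit_length() + 7) // 8 or 1, "big") + timestamp.to_bytes(8, "big")


def timestamp_token(tsa_private_key, item: int, timestamp: int) -> dict:
    """TSA: bind a data item (here a signature) to a time by signing hash(item || time)."""
    return {"time": timestamp, "tsa_signature": sign(tsa_private_key, _binding(item, timestamp))}


def verify_timestamp(tsa_public_key, item: int, token: dict) -> bool:
    """Check that the token's signature covers exactly this item and this time."""
    return verify(tsa_public_key, _binding(item, token["time"]), token["tsa_signature"])


if __name__ == "__main__":
    pub, priv = generate_keypair(seed=1)          # originator's key pair (assumed)
    tsa_pub, tsa_priv = generate_keypair(seed=2)  # time-stamping authority's key pair (assumed)
    msg = b"Purchase order 4711: 500 units at EUR 12.00"  # constructed sample message
    sig = sign(priv, msg)
    print("genuine message verifies:", verify(pub, msg, sig))
    print("altered message verifies:", verify(pub, msg.replace(b"500", b"900"), sig))
    token = timestamp_token(tsa_priv, sig, 1048118400)  # constructed Unix time
    print("time-stamp token verifies:", verify_timestamp(tsa_pub, sig, token))
```

Changing a single character of the message, substituting another party's public key, or altering the time recorded in the token all cause verification to fail, which is the property the report relies on for origin, integrity and the time-stamp binding. The token is "independent" in the ISO/IEC 18014-2 sense: it can be verified with the TSA's public key alone, without the TSA keeping any record.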





Non-Repudiation


141. Non-repudiation services are intended to resolve (legal) disputes relating to a wide range of actions and events. Examples include:

a. Non-repudiation of creation. Providing proof that the originator created the message.

b. Non-repudiation of delivery. Providing proof that the intended recipient received the message and recognised the content.

c. Non-repudiation of knowledge. Providing proof that a recipient took account of the message contents.

d. Non-repudiation of origin. Providing proof that the originator created and sent the message.

e. Non-repudiation of receipt. Providing proof that the intended recipient has received the message.

f. Non-repudiation of sending. Providing proof that the originator did send the message.

g. Non-repudiation of submission. Providing proof that a delivery authority accepted the message for transmission.

h. Non-repudiation of transport. Providing proof that a delivery authority has delivered the message to the intended recipient.


142. The standard that describes non-repudiation mechanisms is ISO/IEC 13888.




Public Key Infrastructures


143. In a global e-business environment a Public Key Infrastructure (PKI) is required to support the following services:

a. Registration, storage and maintenance of public keys owned by users of the e-business service.

b. Retrieval and delivery of public keys of participants in the e-business service.

c. Archive and retrieval of public key certificates for the lifetime of the documents to which they refer.

d. Verification of the ownership of specific public keys.

e. Where required, the creation and distribution of public/private key pairs and symmetric keys to participants in the e-business services.

f. Key recovery for lost keys, revocation of stolen keys and, where appropriate, the provision of facilities for access to keys for law enforcement purposes (key escrow). Note that recovery or escrow of a signing key undermines non-repudiation, because the signer is then no longer the only party able to produce the signature; recovery facilities should be confined to decryption keys.


144. Various groups such as the IETF PKIX Working Group, NIST, The Open Group and national governments are developing PKI standards. There are also many commercial PKI products in the market place. In general, though, there is a lack of attention to interoperability requirements.


Harmonisation of Trust Services


145. ETSI and CEN, via the European Electronic Signature Standardisation Initiative (EESSI), are undertaking work on the harmonisation of trust service provider services. The scope of the work is to provide the set of specifications which will allow interoperable provision of TSP (CA) status information to relying parties who need to validate the trustworthiness of the service which certified the signer of a contract, transaction, etc.



146. The standardisation effort needs the support of the different national organisations that run and supervise national certification schemes. These organisations need to be involved in the standards development, promotion and implementation process. In order to help achieve this, EESSI and the UK Department of Trade and Industry hosted a workshop in December 2002 aimed at reviewing a proposed standard for establishing trust in electronic signatures.


Recommendations


D. Business Services


147. Business services refer to the applications and infrastructure within the domain of the e-business service that support the delivery of that service to the user. In this context the term e-business service also includes the TSPs supporting the e-business service. Business services are intended to protect the systems and network infrastructures supporting the e-business service from non-malicious threats such as faulty hardware or software.



148. Business Services in the context of this report include applications such as web services, interactive services and electronic messaging.


149. Business Services comprise the following issues:

a. Service Availability

b. Information Availability

c. Effective Accounting and Audit

Security Measures


Service Availability


150. The aim of Service Availability is to ensure that access to the software applications and infrastructure, including web facilities, comprising the e-business service is provided in a timely manner. It is supported by the following measures:

a. The use of commercial best-practice products and adherence to good practice for system design, implementation and operations.

b. Ongoing Failure Impact Analysis, Capacity Planning, Business Continuity Planning and Configuration Management.

c. Alternative communications facilities in case of failure; battery backup or Uninterruptible Power Supplies (UPS) need to be in place.

d. Regular testing of system recovery.

e. Service Level Agreements setting out availability targets with clients of the service.


Information Availability



151. The aim of Information Availability is to ensure that access to the information associated with the required e-business service is provided in a timely manner. Measures to aid information recovery after an accidental interruption to service include:

a. A planned programme of information data backups.

b. Technical measures such as checksums or cyclic redundancy checks to safeguard the integrity of system software, configuration data and storage facilities.

c. Regular testing of Recovery Plans.

d. A password or key recovery mechanism should be provided to users of the service in cases where a password has been lost.


Effective Accounting and Audit


152. The aim of Accounting and Audit is to ensure that relevant user-related information is recorded for specified user transactions. The service will also provide the means to record and analyse client and service transactions that could compromise the service. The level of accounting and audit will depend upon the assessed impact of a failure but may include:

a. Accounting. Recording of client information for each transaction undertaken (e.g. client identifier, time of transaction, type of transaction, success or failure of transaction, current transaction status).

b. Audit. The capability to display and carry out detailed analysis of accounting records.

c. The requirement to protect the confidentiality, integrity and availability of audit logs, particularly in cases where transactions are financial in nature or are legally binding or may be subject to legal requirements such as data protection.


Failure Impact Analysis



153. Failure Impact Analysis determines the impact of failure of a service component upon the e-business provider. The analysis may need to take into account external factors (such as the time of year) that may affect the impact.


Capacity Planning


154. E-business service providers must assess the potential load on the service and ensure that the system and network infrastructure is sufficient to meet current and forecast future demand in accordance with agreed availability targets.


Business Continuity Planning


155. A Business Continuity Plan should be developed and maintained. It should cover the following activities:

a. Management roles and responsibilities for business continuity;

b. Recovery procedures and audit trails;

c. Security-related recovery actions.


156. Though guidance documents on Business Continuity Planning exist at national and industry sector level, there are as yet no internationally approved standards.


Configuration Management


157. A configuration management plan identifying the processes, information systems and communications components that make up the e-business service should be designed, documented and implemented. The plan should identify all components that are affected by specific changes to the system configuration. The System Manager should approve configuration changes before implementation.


Checksums and Cyclic Redundancy Checks


158. These functions detect a loss of integrity in a data item. A checksum detects changes in data by calculating a number, such as the sum of all the bytes of the data item to be transmitted. The checksum is transmitted with the data item and is subsequently compared with a checksum recomputed from the received data item. A cyclic redundancy check uses a more complicated formula (the remainder of a polynomial division over the data) to determine a function of the transmitted data item for subsequent comparison, and consequently detects error patterns, such as transposed bytes or short bursts of corruption, that a simple sum can miss. Neither mechanism protects against deliberate modification, since whoever alters the data can recompute the check value; for that a keyed message authentication code or a digital signature is required.
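The difference between the three kinds of integrity check described in paragraphs 126 and 158 is easiest to see by running them over the same corrupted record. The following added example is illustration code written for this report, not code from the report: it attaches a byte-sum checksum, a CRC-32 and an HMAC-SHA256 to a constructed transfer record, then shows which checks survive an accidental byte transposition and which survive a deliberate edit by an attacker who recomputes everything he can. The record, the key and the two corruption scenarios are all constructed here.

```python
"""Checksum vs. CRC vs. keyed MAC: what each integrity check actually detects.

Added illustration for paragraphs 126 and 158 of this report; not code from
the report. Record, key and corruption scenarios are constructed for the demo.
"""
import hashlib
import hmac
import zlib


def additive_checksum(data: bytes) -> int:
    """Simple checksum of the kind the report describes: byte sum modulo 2**16."""
    return sum(data) & 0xFFFF


def crc32(data: bytes) -> int:
    """Cyclic redundancy check: polynomial-division remainder (CRC-32 as used in Ethernet and zip)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def mac(key: bytes, data: bytes) -> bytes:
    """Keyed message authentication code; only holders of the key can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).digest()


def protect(key: bytes, data: bytes) -> dict:
    """Originator attaches all three check values to the record before transmission."""
    return {"data": data, "checksum": additive_checksum(data), "crc": crc32(data), "mac": mac(key, data)}


def check(key: bytes, frame: dict) -> dict:
    """Recipient recomputes each check value over the received data and compares it."""
    data = frame["data"]
    return {
        "checksum": additive_checksum(data) == frame["checksum"],
        "crc": crc32(data) == frame["crc"],
        "mac": hmac.compare_digest(mac(key, data), frame["mac"]),  # constant-time compare
    }


def accidental_transposition(frame: dict, i: int, j: int) -> dict:
    """Transmission error: two bytes swapped in transit, check values left as sent."""
    buf = bytearray(frame["data"])
    buf[i], buf[j] = buf[j], buf[i]
    return dict(frame, data=bytes(buf))


def malicious_edit(frame: dict, old: bytes, new: bytes) -> dict:
    """Attacker without the key alters the record and recomputes the unkeyed checks."""
    data = frame["data"].replace(old, new)
    return dict(frame, data=data, checksum=additive_checksum(data), crc=crc32(data))


KEY = b"constructed-demo-key-not-for-real-use"      # assumed shared key
RECORD = b"TRANSFER 100 EUR TO ACCOUNT 12345"       # constructed sample record


def scenarios() -> dict:
    """Run the three cases and report which checks pass in each."""
    genuine = protect(KEY, RECORD)
    pos = RECORD.index(b"12345")
    swapped = accidental_transposition(genuine, pos, pos + 1)   # account becomes 21345, same byte sum
    forged = malicious_edit(genuine, b"100 EUR", b"900 EUR")   # amount changed, checksum and CRC recomputed
    return {"genuine": check(KEY, genuine), "transposed": check(KEY, swapped), "forged": check(KEY, forged)}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:10s}", {k: ("pass" if v else "FAIL") for k, v in result.items()})
```

The transposed account number passes the additive checksum because the bytes are the same, only reordered; the CRC catches it because the remainder depends on byte position. The forged transfer passes both the checksum and the CRC, since the attacker simply recomputed them, and is caught only by the keyed MAC. A digital signature as described in the Integrity section would give the same detection with the additional benefit that the verifier does not need to hold the secret.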


Recommendations



E. Network Defence Services


159. Network Defence services provide the means by which malicious threats emanating from electronic connection to external IT resources and networks (including the Internet) are countered. If such threats materialise they may have one or more of the following effects:

a. Undermine the continued availability of the e-business services;

b. Compromise the integrity of the e-business services or information;

c. Cause damage to user systems connected to the e-business services.


Security Measures

160. The aim of Network Defence is to protect the network infrastructure from electronic attack. There are two types of security measures which provide protection:

a. Measures that prevent the attack taking place;

b. Measures that detect the attack.


Preventative Measures

161. Preventative measures comprise a combination of procedural and technical measures:

a. Processes that prevent the automatic execution of imported macros in the absence of express permission for their execution;

b. Effective, current anti-virus policies: screening of all imported and exported material for recognisable virus signatures, and recording of all import transactions for audit purposes.

c. Procedures that discourage employees of e-business service providers from accessing web sites that are not pertinent to their job function. Import of material should be strictly controlled and limited to that which is necessary to carry out their job. Where software is imported it should preferably be restricted to "trusted" (i.e. digitally signed) objects. Where appropriate, PKI-based certification of software objects should be used.

d. Using suitably configured firewalls to prevent hacking attacks. System responses to service refusals should be designed to prevent a potential hacker deducing useful system information such as physical IP addresses.



e. Restricting access to e-business services in accordance with agreed user profiles.

Detection Measures

162. The main technical measure is the deployment of Intrusion Detection Systems (IDS). These are designed to detect unusual activity on the network. Additionally, Penetration Tests may be used periodically to identify potential vulnerabilities in the system and associated network infrastructure.

Recommendations




F. Assurance Services

163. Chapters A to E address the security measures that counter the threats to the security of networks and information systems providing e-business services. In order to encourage the use of electronic services it is important that potential users of the service have confidence that all those technical and non-technical security measures have been designed, configured and are being operated in a secure manner. The aim of Assurance Services is to provide that confidence.

164. Confidence in an e-business service will also be increased if the organisation providing the service conforms to an internationally recognised standard for the overall management of Information Security.

165. In the context of this report Assurance Services comprises the following activities:

a. Risk Assessment.

b. Evaluation.

c. Certification.

d. Accreditation.


Information Security Management Standards

166. There are several standards in the form of recommended codes of practice for Information Security Management. APEC-TEL Information Systems Security Standards (section 3.2) provides more information on these. In brief they are:

a. OECD Guidelines for the Security of Information Systems

b. ISO/IEC TR 13335. Information Technology - Guidelines for the management of IT security (GMITS)

c. ISO/IEC 17799-1:2000. Information Security Management - Code of Practice

167. In addition there are other national and international standards aimed at specific sector requirements (e.g. government, banking) as well as guidelines issued by industry (such as the International Security Forum) and academic consortia.

Risk Assessment

168. A risk assessment is carried out to determine the probability and impact of the threats to the assets of the system and infrastructure forming the e-business service.




169. There are in existence a number of national and international risk assessment methodologies, but there are no internationally recognised standards. A list of documents providing guidance material is provided in Annex A.

170. Guidance material has also been issued for specific sectors (national and international) and by industrial and academic consortia.

Evaluation

171. Evaluation is a detailed examination of the system(s) comprising the e-business services, or of components of the system, or of individual software products, with the aim of determining whether the security functions that make up the security measures are implemented to the appropriate level as required by the risk assessment. [ISO/IEC WD 15443-1 (11/2001)]

172. More specifically, the assessment of a Protection Profile (PP), a Security Target (ST) or a Target of Evaluation (TOE) against defined criteria [ISO/IEC 15408-1:1999], or the assessment of a deliverable against defined criteria [ISO/IEC WD 15443-1 (11/2001)].

173. The main international standard for evaluation is ISO/IEC 15408 Common Criteria for Information Technology Security Evaluation. The Common Criteria aligns the European (ITSEC), US (TCSEC) and Canadian (CTCPEC) schemes and is increasingly replacing these individual schemes.

174. The US National Institute of Standards and Technology has issued FIPS 140, aimed at the evaluation of cryptographic mechanisms. Currently laboratories accredited to carry out FIPS 140 conformance testing are based in the US; however, there are plans to set up European-based testing facilities. It is also planned to convert FIPS 140 into an international standard through the ISO process.

175. Other guidance is provided in Annex A.

Certification

176. Certification is a procedure by which an independent third party assesses the Information Security Management System (ISMS) of an organisation against a recognised standard and provides written assurance that the ISMS conforms to the standard. It also assesses whether an organisation has carried out a risk assessment of its operations and has implemented appropriate security measures to counter the assessed risk.

177. Discussions are currently taking place within various European standards groups to agree a common standard for certification. Pending the completion of these discussions this report will make no specific recommendations regarding certification.

178. Organisations that provide certification services are assessed by Accreditation Bodies (see below) against internationally accepted criteria, so that e-business users will have confidence in the certification process and ultimately in the services of the e-business service supplier.



Accreditation Bodies

179. Accreditation bodies have been set up on an international basis in order that the methods and practices of Certification Authorities conform to international standards and guidelines and ensure the consistency of certificates on a global basis. There are several international standards which define the requirements for Certification Authorities:

a. ISO/IEC/EN 17025: General Requirements for the Competence of Calibration and Testing Laboratories

b. ISO/IEC/EN 45011: Guide 65 Product Certification

c. ISO/IEC/EN 45012: Guide 62 Management System Certification

d. ISO/IEC/EN 45003: Guide 58 Accreditation of Laboratories

e. ISO/IEC/EN 45010: Guide 61 Accreditation of Certification Bodies

f. ISO 17010: Accreditation of Inspection Bodies

180. The European Authority for Accreditation (EA) has been set up to provide conformity of assessment activities on a European basis. Members of the EA are the nationally recognised accreditation bodies of the member countries or the candidate countries of the European Union and the European Free Trade Association. The EA has published several guides on the application of the above standards. See www.european-accreditation.org for further information.


Recommendations