Releasing the potential of cloud computing in Europe –
Building the secure environment for big and small partners
Dr. Ladislav Hudec, Associate Professor
http://www2.fiit.stuba.sk/~lhudec/
Faculty of Informatics and Information Technologies Slovak University of Technology
Prepared for V4S – VISEGRAD 4 FOR SECURE DATA Meeting held on May 28, 2015 in Brussels
Introduction of the FIIT STU
We cover a wide range of the Informatics and Information Technologies (IIT) in
both the research and education.
We are the first faculty with a such mission in Slovak republic.
We offer modern study programs accredited study programs by the IET (Institution
of Engineering and Technology) community, which is established in London.
Staff
o More than 15 professors and associate professsors, allmost all full time o More than 30 teachers
o More than 5 research fellows
Students
o More than 1100 (full time only), including 50 PhD students
A baseline of study at the FIIT STU
BSc. (Bc.)FIIT 3 years PhD. FIIT 3 years university degree inanother field MSc.(Ing.)
FIIT 3 years Graduation
from high school
practice practice MSc.(Ing.) FIIT 2 years BSc. (Bc.)FIIT 4 years practice
Accredited study programs at the FIIT STU
3
rd.level
Doctoral degree study
COMPUTER AND COMMUNICATIO N SYSTEMS AND NETWORKS INFORMATICS COMPUTER AND COMMUNICATION SYSTEMS AND NETWORKS
1
st. level
Bachelor degree study
2
nd.level
Master (Engineer) degree study
SOFTWARE ENGINEERING INFORMATION SYSTEMS SOFTWARE SYSTEMS APPLIED INFORMATICS INFORMATION SECURITY
Research in security at the FIIT STU
Security evaluation model based on the score of security mechanisms
o Information security risks pose a serious threat to organizations dependent on their
information systems.
o The main process that is supposed to help in security decisions is a risk analysis.
Outputs of a risk analysis are essential inputs for risk management. It provides a risk manager with a set of significant risks and with data to assist in treatment of these risks.
Quantitative methods are usually preferred because, if following a proper methodology, they
can provide us with more accurate results.
Qualitative methods are influenced by subjective perception of a risk analyst that conducts this
process, so they tend to be biased.
o Risk managers and security professionals need formalized quantitative risk
measures and metrics, so they can efficiently and correctly measure risks.
o Our goal is to bring the objectivity into the process of the risk assessment and
evaluation and to express the security score in an organization in three basic security attributes.
We used the security mechanisms implementation score to measure the quality of
implemented security controls and the Analytic Hierarchy Process technique to express the importance of particular mechanisms.
Security controls are originated from the ISO/IEC 27002:2005 standard and we propose security
mechanisms for each control objective from this standard.
o Designed approach specifies how to use the standard with selected security
mechanisms and defines a methodology on determining weighted relations between
four layers of the proposed security model. The lowest layer are security
mechanisms, then control objectives, followed by security clauses and the upper layer consists of security attributes.
Research in security at the FIIT STU
Security mechanisms implement security controls desired by control objectives in
standard in order to improve the overall score of information security attributes,
depicted at the bottom.
Research in security at the FIIT STU
Overall score of security mechanisms implementation.
One security mechanism can contribute to one or more control objectives and one
control objective can be supported by one or more security mechansims. These
relations are weighted, so we can adjust the influence of each assignment. We
can express this part of a model with the weighted sum, where Mi is the score of
the security mechanism i and W(Mi) is its weight.
Research in security at the FIIT STU
The evaluation should be done in the following way.
o First, the security administrator or manager selects the organization type. Then he
inputs available statistics data into the evaluation system together with the security
mechanisms' implementation score, which can be obtained by security metrics or by the expert judgement.
o The system then evaluates the security clauses with respect to these specific data and
show the result in main security attributes.
For more detailed information see:
BREIER, J., HUDEC, L.: On selecting critical security controls. In: ARES 2013 : Proceedings 2013 international conference on availability, reliability and security, 2-6 September
2013, Regensburg, Germany. - Los Alamitos : IEEE Computer Society, 2013. - ISBN 978-0-7695-5008-4
(http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=6656131). - p. 582-588 BREIER, J., HUDEC, L.: On identifying proper security mechanisms. In Khabib Mustofa,
Erich J. Neuhold, AMin Tjoa, Edgar Weippl, and Ilsun You (Eds) Information and
Communicatiaon Technology. The 2013 Asian Conference on Availability, Reliability and Security (AsiaARES 2013), March 25th - 29th 2013, Gadjah Mada University, Indonesia. Volume LNCS 7804. Springer Berlin Heidelberg, 2013. ISBN 978-3-642-36818-9, p. 285-294.
Research in security at the FIIT STU
Secure access control in Mobile Ad-hoc NETworks (MANET)
o The MANET network is a special kind of mobile ad-hoc network, which does not rely on
any fixed infrastructure (e.g. swarm of drones, conferences, meetings, where group of people needs to exchange data or share the connection to the Internet).
o PKI consists of trusted third party – certificate or attribute authority – and clients which
rely on and trust to certificates signed by this authority. The common way of how certificate authority works is binding public key to legal identity of its owner.
o The main goal of this work is to develop new approach for secure access control in
conditions of MANET networks with utilization of public key infrastructure.
o This new approach improve the public key infrastructure deployability in the mobile
ad-hoc networks routed by B.A.T.M.A.N. Advanced. We have extended the
B.A.T.M.A.N. Advanced routing protocol with authentication and authorization of routing updates based on X.509 certificates.
o Furthermore we have determined several levels of node's trustworthiness and two
levels of interoperability between trusted authorities in the network.
o To mitigate extra load caused by renewing of certificates, we have identified critical
factors affecting it and designed the computation formula for optimal amount of cross certificates issued by trusted authority.
o To further improve the service reachablity in highly mobile networks in earlier stages of
PKI deployment, we have designed the Cluster Glue.
o The ClusterGlue helps to connect groups of nodes from different parts of network which
owns the certificates issued by the same authority. Thanks to these modifications we are able to mitigate various security risks and provide the more secure route for
Research in security at the FIIT STU
Secure access control in Mobile Ad-hoc NETworks (MANET)
o For more details see:
VILHAN, P., HUDEC, L.: Building Public Key Infrastructure for MANET with Help of
B.A.T.M.A.N. Advanced. In: Proceeding of the 2013 European Modelling Symposium. Manchester, UK, 20-22 November, 2013. IEEE Computer Society. ISBN 978-1-4799-2578-0. P 530-535.
VILHAN, P., HUDEC, L.: Cluster glue - improving service reachability in PKI enabled MANET. In: UKSim-AMSS 2014 : proceedings UKSim-AMSS 16th international conference on computer modelling and simulation. 26-28 March 2014, Cambridge, United Kingdom. - Los Alamitos : IEEE Computer Society, 2014. - ISBN 978-1-4799-4923-6. - S. 493-498
Research in security at the FIIT STU, FMFI UK and CSIRT.SK (proposal)
Centre of excellence in information security
o Consortium consists of the FIIT STU, FMFI UK (Faculty of Mathemetics, Physics and
Informatics of Comenius University), CSIRT.SK (Computer Security Incident Response Team Slovakia).
o This year infrastructural project for completing existing technology at the consortium
partners is proposed. Next four years research and innovation activities will be performad.
o Field of research:
o Development and implementation of SIEM (Security Information and Event
Management) solution for public administration:
SIEM will be built on open-source technologies.
Developed solution will be built with an emphasis on the ability to monitor and process a large
number of events and data flows (at least 10,000 events per second and 100,000 flows per second), the ability to evaluate information from these events and flows.
o Research in wireless and mobile networks built up on the current network technologies
with focus on security and privacy.
This includes the possibility of monitoring and evaluation of existing users, but also thorough
analysis of wired and wireless technologies, including the possibility to analyze the behavior of groups.
o Distributed NIDS (Network Intrusion Detection System) for home networks with Internet
access.
The project goal is to design new model for observing and profiling of the network traffic with
end-device granularity from the perspective of the home Wi-Fi router.
Proposed model should provide information about the type of network traffic and about its
Research in security at the FIIT STU, FMFI UK and CSIRT.SK (proposal)
Centre of excellence in information security
o Field of research:
o Secure communication in networked embedded systems.
The project aim is to research of security requirements of embedded systems with regard to
specific characteristics of automotive communication buses.
Security extension of currently used buses CAN (Controlled Area Network) using Ethernet
network. For example exploitation of higher bandwidth or other security mechanisms.
o Research in wireless and mobile networks built up on the current network technologies
with focus on security and privacy.
This includes the possibility of monitoring and evaluation of existing users, but also thorough
analysis of wired and wireless technologies, including the possibility to analyze the behavior of groups.
o Development of secure active networks devices.
For the security of the physical layer of computer networks pays that almost all active network
components of computer networks (switches, routers, hardware firewall with IPS and IDS functions, etc.) are implemented as embedded systems. Increasing the security of these embedded systems imlpies increasing security of active network devices.
o Big data analyse for security purpose.
Computer logs contais a huge amount of data. Looking for patterns of malicious activities
requires to design fast parallel algorithms for big data processing.
o Biometric methods.
The aim of research in this area will be user authentication based on the dynamics of writing
and dynamics of working with a mouse and may be supplemented by the inclusion of additional authentication methods based on other characteristics of the user.
Research in security at the FIIT STU, FMFI UK and CSIRT.SK (proposal)
Centre of excellence in information security
o Field of research:
o Research and development in the field of secure software of personal computers,
servers, networking, consumer and industrial electronics.
testing and analysis of the weaknesses of the firmware, operating systems and applications the design and development of solutions to increase the resilience of software against various
forms of attack the safety of operating systems and applications in virtual environments and in cloud
the design and operation of honeypots to detect new attacks.
o Research and development in the field of secure hardware of personal computers,
servers, networking, consumer and industrial electronics.
testing and analysis of the weaknesses of the hardware elements and their interfaces
the design and development of solutions to increase the resilience of hardware against various
forms of attack
the development of equipment for the discovery and demonstration of hardware security
vulnerabilities
a side channel analysis (time, sampling, electromagnetic radiation).
o Research and development of security systems for population services.
cryptographic currency, payment protocols, electronic voting, mass remote control, health (eg.
medical equipment).