ISSE 2010, securing electronic business processes: highlights of the Information Security Solutions Europe 2010 conference
معرفی کتاب «ISSE 2010, securing electronic business processes: highlights of the Information Security Solutions Europe 2010 conference» نوشتهٔ Pohlmann, Norbert(Editor);Reimer, Helmut;Schneider, Wolfgang، منتشرشده توسط نشر Vieweg+Teubner Verlag / Springer Fachmedien Wiesbaden GmbH در سال 2010. این کتاب در فرمت pdf، زبان انگلیسی ارائه شده است.
This book presents the most interesting talks given at ISSE 2010 – the forum for the inter-disciplinary discussion of how to adequately secure electronic business processes. The topics include: - Identity and Security Management - Technical and Economical Aspects of Cloud Security - Security Services and Large Scale Public Applications - Smart Grid Security and Emerging Security Solutions - Privacy and Data Protection Adequate information security is one of the basic requirements of all electronic business processes. It is crucial for effective solutions that the possibilities offered by security technology can be integrated with the commercial requirements of the applications. The reader may expect state-of-the-art: best papers of the Conference ISSE 2010. The content: Identity and Security Management - Technical and Economical Aspects of Cloud Security - Security Services and Large Scale Public Applications - Smart Grid Security and Emerging Security Solutions - Privacy and Data Protection – Security Threats and Contermeasures Target Groups: Developers of Electronic Business Processes IT Managers IT Security Experts Researchers About the Editors: Norbert Pohlmann: Professor for System and Information Security at the University of Applied Sciences in Gelsenkirchen Helmut Reimer: Senior Consultant, TeleTrusT Wolfgang Schneider: Deputy Institute Director, Fraunhofer Institute SIT J......Page 4 X......Page 8 References......Page 11 Cover......Page 1 D......Page 2 G......Page 3 Contents......Page 5 R......Page 6 S......Page 7 About this Book......Page 9 5 Important issues for service providers......Page 10 Welcome......Page 12 High security in miniature format......Page 13 Trust based on reciprocity......Page 14 Give and take - the principle of networked system chains......Page 15 Other components for using the German eID card......Page 16 That's what authorisation certificates warrant......Page 17 eID service as a trust authority......Page 18 Who will benefit from the new eID architecture?......Page 19 Citizens are the ones who will determine the success of the new concept......Page 20 Conclusion......Page 21 Identityand Security Management......Page 22 1.1 Problem......Page 23 1.2 Overview of OpenlD......Page 24 2.1 The main threats: Phishing and profiling......Page 26 2.2 Additional risks and concerns......Page 27 3.1 Overview of the nPA......Page 29 3.2 Course of an online authentication......Page 30 3.3 Recognition via Restricted Identification......Page 31 4.2 OP's communication sequence......Page 32 4.3 Precondition for user and services......Page 33 5 Outlook......Page 34 References......Page 35 1 Introduction......Page 36 2.1 Standardized interfaces in the context of electronic Identity Cards......Page 37 2.3 Existing and emerging SAML-related profiles......Page 38 3 The Service Access Layer as interoperable smart card Interface......Page 39 4.1 EAC Web Service Binding......Page 40 4.4.1 Naïve integration using Web Browser SSO Profile......Page 43 4.4.3 Identity Provider inside the elD-Taken......Page 46 References......Page 47 1 Introduction......Page 49 3.1 Confidentiality......Page 50 3.2 Availability......Page 52 3.3 Integrity......Page 53 4 How to Classify Information......Page 54 4.1 Process-oriented Approach......Page 55 4.2 Application-oriented Approach......Page 56 5.1 Application Classification......Page 57 5.3 The FLICTool......Page 58 6 Conclusion......Page 59 Technical and Economical Aspects of Cloud Security......Page 60 1 Examining the role of IAM as SSO enabler......Page 61 2 No SSO without solid Identity Management!......Page 62 3.1 Conventional SSO Solutions......Page 63 3.2 Access to non web based legacy applications......Page 64 4 SSO to Web applications 'in the cloud' using federation......Page 65 5 SSO to Web applications 'in the cloud' using a User Centric Identity Management Framework (UCIF)......Page 66 6 Conclusion......Page 68 1 Cloud Computing......Page 69 3 Cloud Application Security & Compliance......Page 70 3.1 Authorization Management......Page 71 3.2 Model Driven Security Policy Automation & Reporting......Page 72 4 OpenPMF SCaaS: Security & Compliance as a Service......Page 74 4.1 Policy Configuration in the Cloud (Policy as a Service)......Page 75 4.2 Automatic Technieal Poliey Generation in the Cloud......Page 76 4.4 Automatic Poliey Monitoring into the Cloud......Page 77 Acknowledgements......Page 78 1 Introduction: Shaking things up......Page 80 2.1 The Cloud......Page 81 2.2 Security......Page 82 4 Breaking things down further......Page 83 5 The technical opportunity......Page 84 7 Case Study: TriCipher security for Google Apps......Page 85 8 Conclusion......Page 86 References......Page 87 1 Introduction......Page 88 2 The Cloud Dilemma, Facts and Benefits......Page 89 3 Classification of Service Models and Origin of Risks......Page 90 4.1 Perceived Security and Business Risk......Page 91 4.2 Standard Risk Management versus Ultimate Purchase......Page 92 5.1 General Model of Adaption......Page 93 5.2 Managing Vendor Risks......Page 94 5.3 Choosing the Service Model......Page 95 5.4 Managing Specific Issues......Page 96 7 Conclusion......Page 97 References......Page 98 1 Introduction......Page 99 2 Security Issues in Cloud Computing......Page 100 3 Privacy regulations on a global scale......Page 101 4 Compliance in clouds......Page 102 5 Applying the APEX approach to Cloud Computing Systems......Page 104 6 Conclusion......Page 107 1 Changes in the Security Universe......Page 109 2 Reviewing Contractual lnstruments......Page 110 3 Systemic Risks and Crises......Page 112 4 Applying the BMIS......Page 113 4.1 Taking Stock - What is There in Terms of Security......Page 114 4.2 Cloud Requirements and Internalising Them to the BMIS......Page 115 4.3 Introducing and Measuring Systemic Improvements......Page 118 5 Conclusion......Page 119 Security Services and Large Scale Public Applications......Page 121 1 PARSIFAL - An Overview......Page 122 3 Mapping CFI Challenges to Scenarios......Page 123 4 PARSIFAL Recommendations and Research Directions......Page 124 5 Dependencies between the Recommendations......Page 125 6 Stakeholders' Voting on the Recommendations......Page 126 8 Conclusion......Page 127 1 Introduction......Page 129 2 The given situation......Page 130 3 The Vision of SPOCS......Page 131 4.1 Layers of an OCD......Page 132 4.2 Use of OCD in the SPOCS context......Page 134 5 Example: eDelivery......Page 135 5.1 Cross-Border eDelivery Framework......Page 136 5.2 Usage of Cross-Border eDelivery in SPOCS......Page 137 1 Introduction......Page 138 2 Goals of STORK......Page 140 3 Legal and operational aspects......Page 141 4.1.1 PEPS Model......Page 142 4.1.2 MW model......Page 143 4.2.1 PEPS – PEPS Scenario......Page 144 5.1 PEPS Architecture......Page 145 5.1.1 Authentication PEPS......Page 146 5.2 MW Architecture......Page 147 6 Conclusion......Page 148 References......Page 149 1 Introduction......Page 150 2 The current state of German e-health infrastructure systems......Page 151 3 Parallel vs. integrated e-health infrastructures......Page 153 4.2 Taiwan......Page 155 5 Migration towards an integrated public e-health infrastructure......Page 156 References......Page 157 Advanced Security Service cERTificate for SOA: Certified Services go Digital!......Page 158 1 Concept and Objectives......Page 159 2 Certification Drawbacks......Page 161 3.1 SaaS Technology......Page 162 3.2 Limitation of Security Certification......Page 163 4 Bringing Certification-based Assurance to Service-based Systems......Page 164 5 Conclusion......Page 166 References......Page 167 Privacyand Data Protection......Page 168 1 Introduction......Page 169 2 Main Legal lssues Relate to Cloud Computing......Page 170 3.1 When Does the Directive 95/46/EC Apply?......Page 172 3.2 Data Controller or Data Processor?......Page 173 3.3 Data Security Measures......Page 175 3.4 Data Transfer to Countries Outside the EEA......Page 176 3.5 Data Subject Rights......Page 177 References......Page 178 1.1 Real World Anonymity......Page 179 1.2 Internet Anonymity......Page 180 2.1 The Invention of the Bauta Device......Page 181 2.2 Hedonistic and Unethical?......Page 182 3 Social Disadvantages and Advantages of Anonymity......Page 183 4.1 The Ethical and Political Framework......Page 184 4.2 The Role of Playing a Predefined Role......Page 185 6 Acceptance as the Key Factor......Page 186 References......Page 187 1 Introduction......Page 188 2.1 Keeping pace with progressing technologies......Page 189 2.4 Avoiding future risks for the individuals' privacy......Page 190 3.1 Keeping pace with progressing technologies......Page 191 3.2 Preventing erosion of the IT security level......Page 192 3.4 Avoiding future risks for the individuals' privacy......Page 193 3.5 Handling different stages of Iife......Page 194 Acknowledgement......Page 195 References......Page 196 2 Example Scenario......Page 197 2.1 Example Purchasing Process......Page 198 2.2 Example Fraud Scenarios......Page 199 3.1 Example Audit Data......Page 200 5 Organizational Reconciliation of Conflicting Interests......Page 201 6.1 Requirements for Audit Data Pseudonymization for Fraud Screening......Page 202 6.2.1 Confidentiality and Linkability......Page 203 6.2.3 Organizational Purpose Binding......Page 204 References......Page 205 Threats and Countermeasures......Page 206 1 Introduction......Page 207 2 Overview of the Botnet detection solutions......Page 209 3 Telecom Italia strategy......Page 210 3.1 Malware Domain Monitoring......Page 211 3.2 Malware Prevention......Page 213 3.4 Security Portal......Page 214 3.5 Passive DNS Monitoring......Page 215 3.6 Malware Analysis and Remediation......Page 216 References......Page 217 1 Introduction......Page 218 1.1 Game Change in Cybersecurity and Threat Modeling......Page 219 1.2 Economic Aspects of Threat Analysis......Page 220 2 Approaches to Threat Agents......Page 221 2.1 Approach in Intel TAL......Page 223 3 Uses of TAL......Page 224 3.2.1 Device Remarking......Page 225 3.2.2 Cognitive Hacking: Another Example......Page 226 References......Page 227 1 Introduction......Page 230 2 Proposed Solution......Page 233 2.1.1 Bootstrap Phase......Page 235 2.1.2 Transaction Phase......Page 237 4 Conclusion......Page 238 References......Page 239 1 Introduction......Page 240 2 Related Work......Page 241 3 Online Banking in a Nutshell......Page 242 3.1 SSL/TLS Usage......Page 243 3.2.3 (T3): Unauthorized manipulation of online banking sessions......Page 244 4.1 Deployment Phase......Page 245 4.1.1 Key creation Problems......Page 246 4.3.1 (T1) Misuse of Authentication Data and (T2) Misuse of Authentication and Authorization Data......Page 247 4.3.3 (T3.2): Unauthorized manipulation of online banking sessions by performing malware attacks (local)......Page 248 4.4.2 (2) Practicability to banks......Page 249 References......Page 250 Smart Grid Security and Future Aspects......Page 251 1 Motivation......Page 252 2 The Energy Landscape under Change......Page 253 2.1 Yesterday: Few Players, Strong lies......Page 254 2.3 Tomorrow: Smart Grid Utopia......Page 255 3.2 Interfaces where No Interfaces Existed Before......Page 256 3.4 High Amounts of Privacy Related Data......Page 257 4.2 Interfaces where No Interfaces Existed Before......Page 258 4.5 Overarching Architecture......Page 259 5 Related Work......Page 260 References......Page 261 1 Introduction......Page 263 2 The Smart Grid......Page 264 3 Personally Identifiable Information and Privacy on the Smart Grid......Page 265 5 Best Practices for Privacy and the Smart Grid......Page 267 7.1 The Smart Grid in Ontario......Page 270 References......Page 272 1 Introduction......Page 274 2 Use Case Scenario......Page 275 3 Security Challenges......Page 276 4.1 Security Module......Page 277 4.2 Communication Protocol......Page 278 4.4 Testbed and Implementation......Page 279 5 Related Work......Page 280 6 Conclusions......Page 281 1 Introduction: From Paper to Electronic......Page 283 2.1 Visual Appearance vs Verification......Page 285 2.2 Visual Appearance......Page 286 2.3 Signature Verification......Page 287 3 Principles......Page 288 3.1 The Signature Appearance is Only a Claim......Page 289 3.4 Consistency of Visual Representation of Electronic Signatures and Familiarity......Page 290 3.6 Verification Clearly separate from Document Visible Content......Page 291 5 Conclusions......Page 292 6 References:......Page 293 1 Introduction......Page 294 1.1 Hlstory of the 'keyprov' working group......Page 296 2.2 Cryptographic properties......Page 297 2.3 DSKPP bindings......Page 298 3.1 PSKC Data Model......Page 299 3.2 PSKC Example......Page 300 4 Conclusion......Page 301 References......Page 302 1 Introduction......Page 303 1.1 Background......Page 304 1.2 The Focus ofThis Paper......Page 305 2.1 Noise......Page 306 2.2 Challenge-Response Space......Page 307 2.4 Physical Unclonabilty......Page 308 2.6 Area Efficiency......Page 309 3.1.1 Lightweight PUF Authentication......Page 310 3.1.2 Controlled PUFs......Page 311 3.2.1 PUF Based Secure Key Storage......Page 312 References......Page 313 Biometries and Teehnieal Solutions......Page 315 1 Introduction......Page 316 2 Objectives......Page 317 4 Software Architecture......Page 319 5 Introducing Visa applications in the TR Biometrics......Page 320 References......Page 323 1 Introduction......Page 324 2.1 Original Objectives......Page 325 2.2 Paradigm Shift: Embedding handwritten signatures in digital processes instead of replacing them......Page 326 2.5 Award-Winning Solution receiving worldwide attention......Page 327 2.6.1 Project Phases:......Page 328 2.6.2 Project Management:......Page 329 2.7.1 Client component......Page 330 2.7.2 Server component......Page 331 2.8.1 Making the Auditing Department happy......Page 332 4.1 Impacts beyond banking......Page 333 References......Page 334 1 Introduction......Page 335 3 Related Work......Page 337 4 Secure OverLay for IPsec Discovery (SOLID)......Page 338 5 Network Services......Page 339 5.1 Time Synchronization......Page 340 5.2 DNS Name Resolution......Page 341 5.4 Other Services......Page 342 1 Cyber Security in Industrial Control Systems......Page 344 1.1 ICS Security Incidents On the Rise......Page 345 1.2 New Technologies Expose Old Vulnerabilities......Page 346 1.4.1 Security Assumptions are Built-in to Tools and Procedures......Page 347 1.4.2 ICS Components are Extremely Vulnerable......Page 348 2.1 ANSI/lSA-99 and 1EC62443......Page 349 2.2 The Tofino Security Appliance......Page 350 3 Trusted Network Connect: the Next Generation......Page 351 3.1 TNC on the Plant Floor......Page 352 References......Page 354 1 Introduction......Page 355 2.1 Practical Examples of Data Leakage......Page 356 2.2 Data Leakage Prevention Techniques......Page 357 3 Evaluation Methodology......Page 358 3.3 Basic Setup and Reporting......Page 359 3.4.1 Identify......Page 360 3A.3 React......Page 361 3.5.1 Identify......Page 362 3.5.4 System Security......Page 363 4 Conclusion......Page 364 References......Page 365 eID and the new German Identity Card......Page 366 1 Introduction......Page 367 2 Commercial applications......Page 368 2.1 Electronic authentication......Page 369 2.2 Qualified Digital Signature......Page 370 3.2.2 Authentication of the Service Provider (Terminal Authentication)......Page 371 3.2.3 Authentication of the Document (Chip Authentication)......Page 372 3.3.2 Revocation of Service Providers......Page 373 AusweisApp and the eID Service/Server - Online Identification Finally more Secure......Page 374 1.1 Certificated identity makes online services more secure......Page 375 2.1 AusweisApp......Page 376 2.3 Interaction between AusweisApp and the eID service......Page 377 3.2 Differences between the identification and signature function......Page 379 4 Application scenarios and testing......Page 380 4.1 Publlc authorities......Page 381 4.2 Enterprises......Page 382 5 Important issues for service providers......Page 383 1.1 The situation in today's identification market......Page 385 1.2 Future challenges......Page 386 2.1 The online strategy of Postident......Page 387 2.3 Benefits of Postident Online for companies......Page 390 3 Summary and outlook......Page 391 1.1 The way from paper-based to electronic ID......Page 392 1.2 German field trial......Page 393 2 The architecture and technical infrastructure......Page 394 3 Conclusion......Page 397 References......Page 398 1 Digital Signatures in Public Administration......Page 399 1.1.1 Hierarchical Structure......Page 400 1.1.3 Role of Time......Page 401 2 Mediated Signatures and RSA......Page 402 3 Mediated Merkle Signatures......Page 403 3.1.1 Construction Idea......Page 404 3.1.2 Implementation Issues......Page 405 3.2 Mediated Merkle Signatures......Page 406 B......Page 408 D......Page 409 G......Page 410 I......Page 411 L......Page 412 P......Page 413 S......Page 414 X......Page 415
دانلود کتاب ISSE 2010, securing electronic business processes: highlights of the Information Security Solutions Europe 2010 conference