• “Assurance is best addressed during the initial design and engineering of security systems, NOT as an after market patch. The earlier you include a security architect in your design process, the greater the likely hood of a successful and robust design. As the quip goes, he who gets to the (module) interface first wins.”

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need Assurance", AusCERT 2008

  • "First and foremost, there is no proper excuse for continued use of a broken cryptographic primitive (MD5) when sufficiently strong alternatives are readily available, for example SHA-2. Secondly, there is no substitute for security awareness." ... "Advice from experts should be taken seriously and early in the process. In this case, MD5 should have been phased out soon after 2004."

    Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Wegerr, "MD5 considered harmful today - Creating a rogue CA certificate", December 2008

  • In the next five years we will counter many 'hacker' attacks but we will not be safe from Nation States and other large entities

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need assurance!", 1999-2008

  • “Consider the use of smart cards ... for especially critical functions.  Although more costly than software, when properly implemented the assurance gain is great.  The form-factor is not as important as the existence of an isolated processor and address space for assured operations – an ‘Island of Security,’ if you will.  Such devices can communicate with each other through secure protocols and provide a web of security connecting secure nodes located across a sea of insecurity in the global net.”

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need assurance!", 1999-2008

  • “The time needed to factor an RSA integer is the same order as the time needed to use that same integer as modulus for a single RSA encryption.   In other words, it takes no more time to break RSA on a quantum computer (up to a multiplicative constant) than to use it legitimately on a classical computer.”

    Professor Gilles Brassard,  "Quantum Information Processing: The Good, the Bad and the Ugly", 1997

  • “When will we be secure? Nobody knows for sure – but it cannot happen before commercial security products and services possess not only enough functionality to satisfy customers’ stated needs, but also sufficient assurance of quality, reliability, safety, and appropriateness for use. Such assurances are lacking in most of today’s commercial security products and services.”

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need Assurance", 2005

  • “Given today’s common hardware and software architectural paradigms, operating systems security is a major primitive for secure systems – you will not succeed without it. This area is so important that it needs all the emphasis it can get. It is the current ‘black hole’ of security.”

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need assurance!", 1999-2008

  • "My colleagues at MIT and I have been building simple quantum computers and executing quantum algorithms since 1996, as have other scientists around the world. Quantum computers work as promised. If they can be scaled up, to thousands or tens of thousands of qubits from their current size of a dozen or so, watch out!

    Prof Seth Lloyd of MIT, MIT Review 2008

  • “Business now relies on information infrastructures that are interlinked and interdependent… The way in which these hidden interdependencies pervade our everyday lives is staggering and, in some cases, may go unchecked for many years until an incident occurs that revels the true nature of the interdependences' impact.”

    The British Government’s Technology Strategy Board, 2008

  • "The future ability of quantum computers might be a decade or two away, their future ability to break public-key cryptography has important implications for the encryption of highly sensitive information today. For these applications, we must already design new public-key cryptosystems and one-way functions that are immune to quantum cryptanalysis."

    ARDA, Report of the Quantum Information Science and Technology Experts Panel, 2004

  • “The more complex the threats become, the more you have to do the basics and groundwork really well. Staying aware and on top of new vulnerabilities and ensuring that patches and software updates are rapidly implemented is crucial.”

    Jeff Shipley, Cisco Intelligence Collection Manager, Cisco 2008 Annual Security Report

  • "Today’s systems must anticipate future attacks. Any comprehensive system – whether for authenticated communications, secure data storage, or electronic commerce – is likely to remain in use for five years or more. It must be able to withstand the future: smarter attackers, more computational power, and greater incentives to subvert a widespread system. There won’t be time to upgrade it in the field."

    Bruce Schneier, "Why Cryptography Is Harder Than It Looks", 1997

  • The software security industry today is at about the same stage as the auto industry was in 1930" ... "it looks fast, goes nice but in an accident you die.” ... "The major shortfall is absence of assurance (or safety) mechanisms in software. If my car crashed as often as my computer does, I would be dead by now."

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need assurance!", 1999-2008

  • "Even a relatively small quantum computer, one that had a few tens of thousands of qubits, could consider so many different values at once that it would be able to break all known [ed: RSA, D&H, ECC, AES-128] codes commonly used for secure Internet communication.”

    Prof Seth Lloyd of MIT, MIT Review 2008

Resources Synaptic publications Input to EC and US funded ICT initiatives pub: Part 4 of Synaptic Labs' input to Think-Trust's D3.1 consultation process
pub: Part 4 of Synaptic Labs' input to Think-Trust's D3.1 consultation process
Authors: Benjamin Gittins, Ron Kelson
Organisation: Synaptic Laboratories Limited
Date: January, 2010
Keywords: NIST, FIPS, SP, Requirements Management, Information Assurance
Electronic Publication: Download as PDF
Abstract:

The need for the EC to fund the development of an electronic requirements management process and deliverables to support existing standards, existing policy guidelines and existing laws of several nations simultaneously in a unified model that also supports national and regional variations.

Such a process could also include new standards requirements and best practice recommendations as they become available.

The process and deliverables would reduce costs and duplication of effort across European organisations and remove the existing discriminatory barrier that all micro and SME face when attempting to create innovative solutions that satisfy legislative, standards and best practice for the European and global markets.
Quote:

"The US National Institute of Standards and Technologies Computer security Division has 17 active Federal Information Processing Standards (FIPS), and over 100 active Special Publications that all Federal Information Processing systems must comply with. These standards and special publications relate to information assurance risk management processes, identity management, cryptographic security standards, configuration of security hardware, business survivability, achieving high availability, auditing, physical access controls and other important subjects relating to information processing.

The NIST FIPS and SP documents are freely available to the public and can be used as a basis for creating IT processing systems by non US Federal organisations. This body of work represents many best-practices that could be adapted for use internationally and if adopted, would result in a more secure global IT infrastructure. Corresponding documents are known to exist for the UK and Europe. "

"It is exceedingly difficult for a new software project (such as an e-commerce web-site) to know that it has met these requirements. This difficulty is compounded because the requirements are not readily defined in an exploitable format. There is currently no mechanism available for a new project to import all the legislative requirements and best practice recommendations on data privacy into a requirements management tool. Each project must individually identify, and read the relevant laws, manually extract the requirements (imperfectly), so that they can then begin to show traceability of requirements satisfaction down to the executable, test suite and business processes. These requirements will need to represented in open standards based formats so they can be imported by most of the project management and requirement management tools. For example the process should generate deliverables that can be imported by tools like Borland Calibre and IBM Rational DOORS and their open source equivalents."
See also: Think Trust Public Consultation on Deliverable 3.1
Citation:

Benjamin Gittins, Ronald Kelson, "Part 4 of Synaptic Laboratories Limited's input to ThinkTrust's consultation on their D3.1b Recommendations Report to the European Commission", January 2010
Related work:


 
This website uses cookies to manage authentication, navigation, and to provide you with a better and more personal service. By continuing to use this website, you are consenting to this use. Find out more here.

 

 

 

 

 

 

 

Universal Transaction System