Free Crypto course with Stanford University

For those, like myself, involved in crypto, Stanford University is offering a free online course in cryptography. It covers the internal workings of crypto, so it is not for those who dislike the more advanced mathematics.

The course information:

Cryptography is an indispensable tool for protecting information in computer systems. This course explains the inner workings of cryptographic primitives and how to correctly use them. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two or more parties generate a shared secret key. We will cover the relevant number theory and discuss public-key encryption, digital signatures, and authentication protocols. Towards the end of the course we will cover more advanced topics such as zero-knowledge, distributed protocols such as secure auctions, and a number of privacy mechanisms. Throughout the course students will be exposed to many exciting open problems in the field.

The course will include written homeworks and programming labs.  The course is self-contained, however it will be helpful to have a basic understanding of discrete probability theory.

The course starts in February, so sign up now at http://www.crypto-class.org/

In addition, Stanford has an online Computer Security course also starting in February that you might be interested in – visit http://www.security-class.org/ today.

HMG IA Training

Quick post to mention some training courses that are available for those working in the HMG IA field.

[ National School of Government ]

Introduction to Information Assurance – Finding your way around IA in Government - £925 (2 days)

Topics covered:-

  • IA governance within an organisation
  • Threats, risks and impacts
  • Overview of key legislation and regulation
  • Government IA strategy
  • Government IA policy and standards
  • Assurance
  • Maintaining confidence

Information Assurance Standards IS2 and IS1 (Topic Programme 1) Process and practice – £1775 (4 days)

Topics covered:-

  • IS2 – risk management and accreditation
  • Content and development of the RMADS
  • Privacy Impact Assessments and IS6
  • The accreditation process
  • Information risk and assets
  • IS1 Part 1 – risk assessment
  • IS1 Part 2 – risk treatment

Risk Management and Accreditation Specialist Programme – IA Professionalism Stage 3 for accreditors - £630 (1 day)

Topics covered:-

  • Accreditation and the Accreditor
  • Accreditation skills and competencies
  • Accreditation plan and process
  • Tools of the trade
  • Support and advice

[ Amethyst Risk Management ]

RMADS Introduction – Risk Management and Accreditation Document Sets - (1 day)

Topics covered:-

  • Background and Context of HMG Infosec
  • Governance and Risk Management Concepts
  • The Accreditation Process
  • Risk Management and Accreditation Documents

IA1 Practitioners Course – HMG Information Assurance Standard No.1 (IAS1) Technical Risk Assessment – (2 days)

Topics covered:-

  • The purpose, structure and context of the standard
  • Changes from previous issues of IAS1
  • The new Standard framework
  • Model-based risk analysis method
  • IAS1 risk assessment methodology
  • Security Case development
  • Detailed workshops based on a real-world case study

Business Impact Levels (BIL)

A successful exploitation by a threat actor or threat source will result in a compromise of one or more of the following elements of an information asset:

  • Confidentiality
  • Integrity
  • Availability

This compromise will have an impact on the business. The SPF and IAS1 grade business impact on a scale from IL0 (lowest) to IL6 (highest).

IAS1 defines a business impact as the effect that a compromise has on the operations or efficiency of an organisation, its customers or citizens.

A protective marking (e.g. RESTRICTED, SECRET) governs the level of control, handling and management applied to an information asset. The impact level (IL), by contrast, expresses the value of the asset if it were compromised, measured in terms of:

  • Financial loss to an organisation;
  • Operational effectiveness of a system/service if compromised;
  • Reputational damage to an organisation;
  • Stress caused to an individual/citizen;
  • International relationships with friendly or allied nations/governments.

Each impact level maps to exactly one protective marking, but the reverse does not hold: PROTECT covers both IL1 and IL2, so knowing the marking alone does not fix the impact level. The mapping is:

Non Protectively Marked (NPM) / Unclassified = IL0
PROTECT = IL1/IL2
RESTRICTED = IL3
CONFIDENTIAL = IL4
SECRET = IL5
TOP SECRET = IL6

What is the PSN?

The PSN, or Public Services Network, is the Government cloud (G-Cloud) computing layer that sits on top of the GCN (Government Conveyance Network), which is the underlying network layer. It will host a number of service applications alongside enterprise services such as DNS, PKI, VoIP and email.

The plan with the PSN is that approved suppliers to the Government can offer services through a marketplace, providing great opportunities for industry and large savings for the public sector.

The PSN offers a consolidated network of services for modern Government in a single flat network architecture, with different security impact levels all operating on the same infrastructure. The PSN network itself will be accredited at IL2, but it will be able to store and process data up to a protective marking of RESTRICTED (IL3) provided that data is protected with CESG-approved encryption.

Kent and Hampshire are the first to trial the PSN service with further contracts for connectivity in early 2012.

It is expected that public sector organisations/departments will migrate to the PSN as their existing contracts with service providers expire. The Government is keen to migrate all departments/agencies over to the PSN as soon as it can. This shift to the PSN could mean a shift in business for HMG's current service providers.

Links:
http://www.cabinetoffice.gov.uk/resource-library/public-services-network

Mapping SPF v6 MR to SPF v7 MR

A quick reference post mapping the Mandatory Requirements (MRs) of the latest SPF (Security Policy Framework) version 7 to those of SPF version 6 (the mapping is also available in the SPF v7 appendix). Each SPF v7 MR (Oct 2011) is listed below with the SPF v6 MRs (Apr 2011) it absorbs:

MR 1 – SECURITY ORGANISATION
  • 3 – Board Level Responsibilities
  • 4 – DSO Responsibilities
  • 9 – DSU Training
  • 35 – IA Roles and Responsibilities

MR 2 – RISK MANAGEMENT APPROACHES
  • 5 – Risk Management Approaches
  • 32 – Managing Information Risk

MR 3 – CULTURE, EDUCATION AND AWARENESS
  • 1 – Education and Awareness for Staff
  • 9 – Protective Security Culture
  • 21 – Personal Responsibilities for Safeguarding Assets

MR 4 – MANAGING AND RECOVERING FROM INCIDENTS
  • 9 – Reporting of Security Incidents
  • 21 – Security Breach System
  • 49 – Disaster Recovery Planning
  • 70 – Business Continuity

MR 5 – ASSURANCE AND REPORTING
  • 6 – Self Assessment and Systems of Assurance
  • 7 – Annual Security Returns
  • 8 – Audit and Review
  • 34 – Statement of Internal Control
  • 69 – CT Assurance Statements

MR 6 – INFORMATION SECURITY POLICY
  • 31 – Information Security Policy
  • 10 – International Security Agreements
  • 11 – Government Protective Marking System (GPMS)
  • 12 – Legal Requirements
  • 15 – FOI

MR 7 – GOVERNMENT PROTECTIVE MARKING SYSTEM
  • 10 – International Security Agreements
  • 11 – Government Protective Marking System (GPMS)
  • 16 – Need to know principle
  • 18 – Material originating outside the HMG
  • 19 – Universal controls
  • 20 – Special handling

MR 8 – RISK ASSESSMENT AND ACCREDITATION OF ICT SYSTEMS
  • 32 – Managing Information Risk
  • 33 – Business impact levels
  • 14 – HMG IA no 6 – Protecting personal data
  • 36 – Accreditation and audit
  • 37 – Compliance checks – RMADS

MR 9 – TECHNICAL CONTROLS
  • 39 – Codes of connection and technical controls
  • 40 – Cryptography
  • 41 – Eavesdropping and Electro-Magnetic Countermeasures
  • 42 – Remote working/mobile media
  • 45 – Secure Disposal

MR 10 – PROCEDURAL MEASURES
  • 38 – Authentication controls
  • 46 – Personnel security
  • 48 – Education, training and awareness
  • 42 – Mobile working

MR 11 – DELIVERY PARTNERS AND SUPPLIERS
  • 2 – SPF Compliance among Delivery Partners and Suppliers
  • 31 – Information Security Policy DPs & 3PS
  • 43 – Procurement

MR 12 – MANAGING AND REPORTING SECURITY INCIDENTS
  • 9 – Reporting Incidents
  • 21 – Security Breach System
  • 44 – Reporting ICT Incidents

MR 13 – RECRUITMENT CHECKS AND NATIONAL SECURITY VETTING
  • 23 – BPSS compliance
  • 24 – National Security Vetting compliance
  • 26 – Clearance Decisions

MR 14 – ONGOING PERSONNEL SECURITY MANAGEMENT
  • 22 – Applying Personal Security Controls
  • 25 – National Security Vetting Issues
  • 27 – National Security Vetting Aftercare

MR 15 – APPEALS
  • 28 – National Security Vetting Appeals
  • 29 – Notifying GSS of Legal Challenges

MR 16 – SECURITY RISK ASSESSMENT
  • 50 – Defence in Depth
  • 51 – Storage of Sensitive Assets
  • 55 – Building Security
  • 62 – Operational Requirements

MR 17 – INTERNAL CONTROLS
  • 47 – Physical Security of ICT Assets
  • 52 – Secure Containers
  • 53 – Secure Rooms
  • 54 – Officer Areas

MR 18 – BUILDING AND PERIMETER SECURITY
  • 56 – Physical Access Control
  • 57 – Physical Access Control
  • 58 – Access Control Policies
  • 59 – Incoming Mail
  • 60 – Manned Guarding
  • 61 – Perimeter Security

MR 19 – PREPARING FOR CRITICAL INCIDENTS
  • 64 – Categorisation of the Government Estate
  • 65 – Government Estate Response Level System

MR 20 – RESPONDING TO CRITICAL INCIDENTS
  • 67 – CT Protective Security Policy and Plans
  • 68 – Testing CT Arrangements

What is the GCN?

The GCN, or Government Conveyance Network, is the replacement for the ageing, siloed GSi (Government Secure Intranet) network that interconnects multiple UK Government networks. The idea behind the GCN is to provide a flat network space across multiple service providers, giving a more harmonised network that can deliver the services needed in both today's and tomorrow's Government market. The services will form the PSN (Public Services Network) as a cloud-based solution in which the underlying hardware architecture is abstracted away from the application layer.

The official definition is:

The GCN will provide the core backbone infrastructure of the PSN – and it will be a mesh of existing telecoms industry networks. It will be built to Industry standards. Suppliers who meet the standards will be able to supply GCN services.

The network layout will look like:

[Diagram: GCN – Government Conveyance Network]
For more information on the GCN, check out the GCN Service Description document.

New CLAS Scheme

The new CESG Listed Advisor Scheme (CLAS) starts in January 2012, and a prerequisite for membership will be the new CESG Certified Professional (CCP) certification in at least one IA role.

Below is an extract from an eMail from the CLAS Admin team at CESG:

“Applications for membership of the old version of CLAS have now closed. To obtain membership of a forthcoming, new version of CLAS you must first obtain certification of competence in at least one IA role from one of the 3 Certification Bodies appointed by CESG:

- APMG; http://www.apmg-international.com/APMG-UK/Qualifications/CESGCertProfessionalQuals.aspx

- BCS, the Chartered Institute for IT, http://www.bcs.org/

- IISP; https://www.instisp.org

The three CBs are preparing their new certification arrangements before they fully open in early 2012.

The defined IA roles are Accreditor, Security Architect, Security & Information Risk Advisor, IA Auditor, Communications Security Officer and IT Security Officer. Each role is defined at 3 levels of responsibility. Full details of the IA roles are at http://www.cesg.gov.uk/products_services/training/certification_for_ia_specialists.pdf.

To become a CLAS member you must subsequently apply for membership.  The application process is expected to open in early 2012.  You will need to:

- be a UK Citizen (dual nationality considered);

- be employed in the private sector;

- have a UK sponsoring company who will sign up to the CLAS Contract;

CLAS membership is only open to individuals, there is no corporate membership.

A membership fee for new CLAS has not been agreed as yet but as a guide, the annual membership fee for the old scheme was £1250 + VAT.

Please confirm that you wish your email address to be added to our CLAS distribution list. You will then be informed by email when the scheme is open for applications and the process for application.”

This may be subject to change.

CESG Certified Professional Scheme (HMG IA)

I’m still catching up on putting news up on the blog, so this is a few weeks later than planned.

For those of you, like myself, who work in the field of HMG IA: the Government has released a new certification scheme via CESG (GCHQ). It certifies your skills within defined IA roles, so that you can show prospective employers or clients that you have the right skills for the job.

From the IISP website (the IISP is one of three bodies appointed by CESG to certify individuals):

As part of the Government’s investment in cyber security, the IISP consortium has been appointed by CESG to provide certification for UK Government Information Assurance (IA) professionals. The consortium has been awarded a licence to issue the CESG Certified Professional (CCP) Mark based on the IISP Skills Framework, as part of a certification scheme driven by CESG, the IA arm of GCHQ.

The certification process is designed to increase levels of professionalism in Information Assurance and uses the established IISP Skills Framework to define the competencies, knowledge and skills required for specialist IA roles. Developed through public and private sector collaboration by world-renowned academics and security experts, the Framework has been adopted by GCHQ as the basis for its CESG Certified Professional specification.

This builds on the IISP’s existing competency based membership programmes, so not only will an individual be certified, but their areas of specialism will be recognised, offering the individual and their customers greater confidence that an individual has the right skills and experience for a role. The consortium comprises the Institute of Information Security Professionals (IISP), the Council of Registered Ethical Security Testers (CREST), and Royal Holloway’s Information Security Group (RHUL), with the IISP certifying competency, CREST providing examination for the more technical roles and RHUL supporting with their experience in setting rigorous and consistent assessment processes.

Timings

This programme will be launched in “pilot” phase during the autumn of 2011, with a predetermined number of roles/individuals being certified. The full programme will launch in early 2012 and be open to all who wish to apply.

Certified Roles

This certification will develop further; the initial roles identified are detailed below. All roles have 3 levels of certification: practitioner, senior practitioner and lead.

The roles are:

  • Accreditor
  • IA Auditor
  • Communications Security Officer/Crypto Custodian
  • Information Security Officer
  • Security & Information Risk Advisor
  • Security Architect

News release: https://www.instisp.org/SSLPage.aspx?pid=457

Visit the IISP for more details: https://www.instisp.org/SSLPage.aspx?pid=456

HMG Security Policy Framework (SPF) v7 Released

HMG released the next version of the SPF (version 7) last week.

  • SPF v7 reduces the number of MRs from 68 (officially 70, but two were unused) to 20.
  • The new 20 MRs have expanded scope, so almost all of the requirements from SPF v6 are still covered.
  • There is a mapping between v6 and v7 – this can be seen in the appendix of the SPF.
  • From v6, MR 30 (reporting security vetting controls) and MR 63 (use of CCTV in accordance with the DPA) have been removed. These are covered under other policies/procedures.

Get your copy here

UK Cyber Security Strategy Released

On Friday 25th November, the eagerly awaited UK Cyber Security strategy was released by HMG.

In my opinion it is a good, clear statement, but lacking the finer details on implementation. I guess we will see over the coming months how it's picked up and taken forward. I think it needs further detailed discussion with the public and private sector key (technical) players to develop into an implementation programme to cover various government departments through to industry. I don't think there is going to be a one-size-fits-all method… might be wrong though… it's definitely a big step in the right direction!

Additionally, it's nice to see the push on qualified/certified IA specialists, and I believe the HMG IA certification programme starting in 2012 will definitely help.

Interesting times ahead!

A couple of links to the release:

The UK Cyber Security Strategy can be downloaded from here
