International Collaboration for Advancing Information Security Technology
Der-Tsai Lee, Ph.D.
PI, iCAST
Director, Institute of Information Science, Academia Sinica
Director, TWISC
3/27/2006

Good morning, ladies and gentlemen.
Outline
Recent Severe Incidents
R&D in Information Security (IS)
Status of IS R&D in Taiwan
Objectives
Conceiving of iCAST
iCAST Organization and Projects
iCAST Program Office
iCAST Activities & Expected Outcomes

In today's talk, we will cover some recent information security incidents, give an overview of information security research in the past decade, introduce the Secure e-Taiwan project, which is part of the national development program known as Challenge 2008, and finally describe a recent effort to integrate our resources by establishing TWISC, which stands for Taiwan Information Security Center. I'll conclude with a plan for future international collaboration with TRUST at UC Berkeley and with CMU.

Recent Information Attacks and Damages: Network attacks have occurred continually over the past ten years. To respond to increasingly serious network security problems, the US Congress passed the Government Information Security Act as early as 1993, requiring every government agency to prepare a plan for maintaining the security of its computer systems and networks, to strengthen the training of its computer technical staff, and to conduct a review and submit a report every year. In addition, "The National Strategy to Cyberspace" was issued in 2003 to protect network security and to mitigate the damage caused by network attacks.
Recent Severe Incidents
June 17, 2005: CardSystems, located in Arizona, was breached by SQL injection (SecurityFocus); 200,000 transactions were stolen and 40 million accounts were leaked.
June 19, 2005: A USC database containing about 270,000 records of past applicants was leaked (SecurityFocus).
Aug 03, 2005: A Cisco.com search tool was found to be vulnerable in a way that could expose the passwords of registered users (CNET news); all of its customers were notified to change their passwords.

Here is a list of recent well-known attacks. First, on June 17, 2005, CardSystems Solutions, a credit-card online transaction processing company located in Arizona, was breached by SQL injection. More than 200,000 transactions were stolen and information on over 40 million accounts was leaked. Soon after, the company was sued, was on the verge of bankruptcy, and was bought out by CyberSource [InfoWorld]. Visa spokeswoman Rosetta Jones told Wired News that CardSystems Solutions received certification in June 2004 that it was compliant with the (data security industry) standard, but an assessment after the breach showed it was not compliant. Second, on June 19, 2005, a University of Southern California database was breached, and about 270,000 records of past applicants were leaked. Third, about two months ago, a vulnerability was found in a Cisco.com search tool that could expose the passwords of registered users. All Cisco customers received an e-mail advising them of the security breach of its website and were told to change their passwords.

Ref:
USC: http://online.securityfocus.com/news/11239
Cisco: http://news.com.com/Cisco+warns+customers+of+site+breach/2100-7349_3-5816809.html
R&D in Info. Security
Digital Signature, Cryptography, AAA, Electronic Cash, PKI, Smart Card, OS Security, Data Privacy Protection, Digital Rights Protection, Virus, IDS/IPS, Software Security, Hardware Security, Anti-Spyware/Malware, Mobile Commerce, P2P Security

For research and development in TWISC, we cover the following (currently over 18) topics, including cryptography, digital signatures, authentication, authorization and accounting (AAA); electronic cash, PKI, smart cards and OS security; digital rights protection and data privacy protection; viruses and IDS/IPS. We have also devoted some effort to research on preventing novel malicious attacks at the application level, and to other research topics including software security, anti-spyware/malware, mobile commerce, hardware security and P2P security.

More: Smart cards: how to protect a smart card with a short key? IDS/IPS has been a very hot topic since 2000. Secure ubiquitous computing: identity.
Major breakthrough in coding theory: I-Shou University successfully decodes the "quadratic residue code": http://www.ettoday.com/2005/02/18/91-1755022.htm
Improving R&D Effort in IS
Domestic IS R&D needs improvement in five areas:
Network security: high failure rate (false positives/negatives) in intrusion detection
Security of application programs: security loopholes embedded in program code
Security for heterogeneous networks: problems originating from data communication across heterogeneous networks
Digital monitoring/authentication: privacy issues in RFID and monitoring systems
Application of IS technology: IS risk assessment and expert systems

Domestic R&D teams fall short in five areas:
Network Security (high false-alarm rate in intrusion detection)
Application Software Security (software vulnerabilities latent at the source-code stage)
Security Concerns for Cross-Network Platforms (security issues arising from the convergence of heterogeneous networks)
Digital Monitoring/Forensics (privacy disputes caused by RFID and tele-surveillance systems)
Application of IS Technology (IS risk assessment and expert systems)
5 Years Later: IS in Taiwan?
Own several world-class technologies?
A solid research infrastructure that supports: training of people; knowledge and technology transition; people networking (global); resource utilization/sharing (global); international competition
Academia-industry collaboration in info. security with real applications
Derive new business models?
Trigger a new IS industry? Beyond OEM, ODM? Toward IIT (Invent in Taiwan)?

Information security awareness has gained attention globally, and new opportunities are around the corner. So let's take a few seconds to think about what the situation will be five years from now. After five years, can Taiwan own several world-class, unique technologies? Can we set up a solid research system that operates independently, including a training system, expertise, knowledge, people, connections, resources and operations? Furthermore, can we have academia-industry collaboration in information security technology for real applications? Can Taiwan drive new business models? Can such opportunities trigger a new industry? There are many good opportunities and possibilities.
Objective: Build Infrastructure
Build IS research infrastructure
Transfer know-how from world-class research labs
Teamwork
Build a mechanism for information and knowledge sharing and management
Training: info. security research needs more hands-on experience
Education: curriculum, exchange programs
International workshops/conferences
Government support

Through international collaboration, a security research system should be established. Its functions include: first, transferring experience from world-class research labs; second, setting up a teamwork environment in which prospective researchers and students can join research projects between the collaborating parties; third, building an architecture for knowledge sharing and management; fourth, providing training, because information security research needs more hands-on experience, and qualification will be included. For education, an exchange program might be included. Finally, holding workshops, conferences and other events.
Objective: Attain Core Values
World-class IS technologies: creativity, originality and usability; academia-industry cooperation
Dynamics: a multi-dimensional operation: exchange of scholars/engineers; engage in security research forums, e.g. the TRUST discussion forum; join int'l working groups, e.g. IETF, OASIS, OWASP; open source development
Competitiveness and practicality: choose the right target to attack (i.e., plan strategically)
Dedication, teamwork and execution!

And what do we expect? We expect valuable outputs. We need to build core value, that is, to build world-class information security technology through research collaboration, emphasizing creativity, originality and usability. And we have to be as flexible as possible. In the era of speed, only people who act dynamically can survive. Therefore, the international collaboration should operate in n dimensions, including visiting; joining security research forums, e.g. the TRUST discussion forum; joining international standards working groups, e.g. IETF (Internet Engineering Task Force), OASIS (Organization for the Advancement of Structured Information Standards) and OWASP (Open Web Application Security Project, http://www.owasp.org/index.jsp); joining open source development; and others. And we need to build the next core competitiveness of Taiwan in both information security research and industry! The basis for hitting our milestones is to act practically and carefully. We need to: first, choose the right target to attack; second, plan it carefully; third, just execute it!
Conceiving of iCAST
IS Delegation Visited UCB and CMU
On 6/11/2005, led by Minister Lin, the Information Security Delegation visited the University of California, Berkeley and Carnegie Mellon University and signed an MOU for international collaboration, initiating the International Collaboration for Advancing Security Technology (iCAST).
iCAST: International Collaboration for Advancing Security Technology
[Diagram: iCAST in the middle, linking Taiwanese institutes (TWISC, III, ITRI etc.) with US counterparts (TRUST: UCB, Cornell, Stanford, Vanderbilt; and CMU)]
iCAST serves as a communication channel and bridge between the Taiwanese institutes and their counterparts in the States (and other countries, if applicable in the future).
iCAST Organization (draft)
Executive Yuan Science and Technology Advisory Group, Information Security Task Force: policy planning and supervision; presentation of project results
Principal Investigator: 李德財, Director, Institute of Information Science, Academia Sinica
Co-PIs: 許清琦, Deputy Executive Director, Institute for Information Industry (III); 林寶樹, Information and Communications Research Labs, Industrial Technology Research Institute (ITRI); 李漢銘, Professor, National Taiwan University of Science and Technology (NTUST)
Overall program: International Collaboration in Information Security Technology
Project review board
Program office: 蘇惠琴 (contact person)
Sub-project 1: 何寶中, Deputy Director, Network and Multimedia Institute, III: R&D of network security diagnosis and testing technology (1)
Sub-project 2: 余孝先, Information and Communications Research Labs, ITRI: international collaborative research on information security technology (3)
Sub-project 3: 吳宗成, Professor, NTUST: cross-national collaboration on information and communication security talent cultivation and key technology R&D (6)
Sub-project 4: 陸續, Dean, Chung Cheng Institute of Technology, National Defense University: cross-disciplinary training for the National Defense Security Operation Center (ND-SOC) (1)

I suggest listing Director 林寶樹 of ITRI's Computer and Communications Research Labs and Professor 李漢銘 of NTUST (representing TWISC) as co-PIs. For Sub-project 2, the ITRI part should instead be led by Deputy Director 余孝先 (? his title seems to be Deputy Director; please confirm). For Sub-project 3, I have changed the PI to Professor 吳宗成, to avoid confusion with my role.
iCAST Projects
International Collaboration in Information Security Technology program
The program organization consists of three parts. The first is the International Collaboration in Information Security Technology program itself, which assists in driving the sub-projects and establishes coordination, support and training mechanisms to keep the program running. The second is the sub-projects, proposed by academic and research institutions, which carry out joint R&D with their foreign partner organizations. The third is the sub-sub-projects under each sub-project.
iCAST Program Office
Single contact point
Coordinate, monitor and steer the projects
Organize tutorials, seminars, workshops and conferences
Optimize the outcome of international collaboration
Coordinate contract preparation, signing and related issues
Disseminate technology, support the IS industry
Bridge between academia and industry
Assist industry in acquiring desired core technologies
Help coordinate training programs for professionals in the public and private sectors
Facilitate technology transfer
Planned Activities
[Chart: monthly progress, 2006 to 2007, months 1 through 12; activities: PI monthly meeting; tutorials/workshops/short courses; strategic and review meetings; annual review and exhibition]
Expected Outcome
[Table: expected outcome per group (ITRI, with US partners CMU and UCB; TWISC; III; NDU) by people trained, publications/reports, patents, and prototypes/systems/platforms; the per-group figures were garbled in extraction. Totals: 92 people trained, 23 publications/reports, 7 patents, 9 prototypes/systems/platforms.]
92 professionals, 23 papers/reports, 7 patents, 9 prototypes/systems
Conclusions
Bring core values to Taiwan information security research through international collaboration
Build a solid info. security research infrastructure as a key outcome of international collaboration
Attain world-class info. security technologies through international collaboration and upgrade our competitiveness
Commitment, dedication and teamwork will be the keys to success for international collaboration

To conclude: first, the international collaboration MUST bring core value to Taiwan information security research. Second, a solid security research system should be established as one of the key outputs of international collaboration. Third, the improvement of core competitiveness through international collaboration will benefit both academia and industry. That is, it is expected to bring new opportunities to Taiwan!
Thank you for your attention