Marco Casassa Mont's "Research on Security and Identity Management" (Mirror)

Security Trends Report by Microsoft and McAfee: Phishing Scams Relying More Heavily on Worms and Trojans

noreply@blogger.com (Marco Casassa Mont) — Mon, 02 Nov 2009 18:02:00 +0000

Based on a recent security trends report by Microsoft and MAfee, it looks like that social networks have been targeted with phishing scams and relying more heavily on worms and Trojans to attack computers. Rogue security software also remains a big issue.

Some related articles on this topic can also be found here and here.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

3rd PrivacyOS meeting

noreply@blogger.com (Marco Casassa Mont) — Mon, 02 Nov 2009 18:00:00 +0000

The 3rd PrivacyOS meeting has taken place in Vienna, 26-27 October 2009.

I attended, along with a few colleagues from HP Labs Bristol, the 3rd PrivacyOS meeting, in Vienna.

It has been a very interesting meeting, with presentations from various stakeholders of the privacy community and debates.

A summary of presentations and related notes can be found here.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Article - Malware is bound to hit smartphone devices as users do not consider security

noreply@blogger.com (Marco Casassa Mont) — Mon, 02 Nov 2009 17:56:00 +0000

Interesting article, by Dan Raywood (called “Malware is bound to hit smartphone devices as users do not consider security”):
“Smartphone attacks are likely to increase, as users are encouraged to take as much care with their device as with their PC. According to a report by CNN, smartphone security threats are likely to rise as the popularity of smartphones is on the rise and malware could be heading for them. …”
I believe this is a real threat. At risk, among many, are business corporate executives and senior people relying in and using more and more smartphones as their core device for their communications, including handling emails and storing confidential data.

I predict that more efforts (in terms of products, solutions, services) will be paid to address these issues, at least at a corporate level …

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Update about TSB UK EnCoRe Project – Ensuring Consent and Revocation

noreply@blogger.com (Marco Casassa Mont) — Mon, 02 Nov 2009 17:52:00 +0000

The 5th Quarter Summary of EnCoRe (http://www.encore-project.info) R&D activities in the space of Consent and Revocation management is now available online at: http://www.encore-project.info/press_archive/Q5%20summary.pdf

In addition, a new “service” has been launched, about “Latest EnCoRe Tidbits” aiming at providing links to snippets of news related to consent and revocation: http://www.encore-project.info/news.html#story1

More to come. Enjoy.

]--- NOTE: my original HP blog can be found here ---

Research on Security and Identity Management

noreply@blogger.com (Marco Casassa Mont) — Fri, 09 Oct 2009 17:22:00 +0000

The time has come to update the topic (and focus) of this blog.

In the last few years my R&D work and research at HP Labs has been involving a variety of aspects, including security, identity management and privacy.

Most of my posts have actually been reflecting this – hence my decision to update my blog. Hope this will further increase the community of people that are interested and follow my blog.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

New W3C PLING General Phone Call – 14 October 2009, 12:00 UTC

noreply@blogger.com (Marco Casassa Mont) — Fri, 09 Oct 2009 17:20:00 +0000

The next W3C Policy Language Interest Group (PLING) general meeting is going to happen on October, 14th – 12:00 UTC.

Topics to be discussed include: (1) Best practices for privacy awareness; (2) web policy language working group proposal.

Please consider attending.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Article – Phishing or not, leaked passwords show lazy habits

noreply@blogger.com (Marco Casassa Mont) — Fri, 09 Oct 2009 17:18:00 +0000

This article, called Phishing or not, leaked passwords show lazy habits, by Elinor Mills, is quite interesting.

It is not a novelty the fact that there are bad practices when dealing with passwords – but it is also true that people are usually good at making risk assessments and judge which level of protection to choose, depending on the value of the asset to protect …

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

3rd PrivacyOS Conference, Vienna, 25-27 October 2009

noreply@blogger.com (Marco Casassa Mont) — Mon, 28 Sep 2009 16:43:00 +0000

The Third PrivacyOS conference is going to take place in Vienna, 25-27 October 2009:

http://www.amiando.com/3rdprivacyos.html

“The third PrivacyOS Conference focuses on “rising awareness – functions and impact of data protection”.

Participants are invited to join the Austrian Big Brother Awards Gala on the evening of the 25th of October and to discuss about privacy issues or their experiences in this field. The conference provides a unique opportunity to articulate and exchange best practices, challenges and solutions in privacy and data protection on the 26th and 27th of October.

The conference primarily addresses legal and technical IT experts, interested manufacturers of IT products or services as well as data protection authorities. All persons interested in privacy or data protection aspects are welcome to register for the event. “

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Workshop on Access Control (and Privacy) Application Scenarios

noreply@blogger.com (Marco Casassa Mont) — Mon, 28 Sep 2009 16:36:00 +0000

Please consider submitting a position paper at the W3C Workshop on Access Control (and Privacy) Application Scenarios, by October 23rd:

http://www.w3.org/2009/policy-ws/cfp.html

"W3C invites people to participate in a Workshop on Access Control Application Scenarios on 17-18 November 2009 in Luxembourg. This Workshop is intended to explore evolving application scenarios for access control technologies, such as XACML. Results from a number of recent European research projects in the grid, cloud computing, and privacy areas show overlapping use cases for these technologies that extend beyond classical intra-enterprise applications. The Workshop, co-financed by the European Commission 7th framework program via the PrimeLife project, is free of charge and open to anyone, subject to review of their statement of interest and space availability.

The workshop is intended to discuss issues around access control in very wide sense, encompassing conditions and rules derived from the fact of accessing information. Topics that might serve as appropriate discussion points for position papers include, but are not limited to:

interaction between access control and privacy policies
language extensions to connect access control languages to novel types of credentials
large-scale cloud and grid computing use cases for access control technologies
policy management
mechanisms for controlling progressive disclosure of information by user agents and servers
the emerging role of trust delegation and supportive mechanisms in cloud computing, grid, and Web use cases
mechanisms for richer user control over downstream data controllers

The workshop will examine experiences and recent research results in these areas, their need for agreed semantics, the need for extensions to existing access control languages, and perhaps for radically new approaches.

Position papers are due 23 October. See the call for participation for more information."

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

--- NOTE: my original HP blog can be found here ---

Interesting article – “Phishing Fraud hits two year high”

noreply@blogger.com (Marco Casassa Mont) — Mon, 28 Sep 2009 16:33:00 +0000

http://www.theregister.co.uk/2009/09/28/phishing_fraud_trends/

“Phishing attacks reached a record high during the second quarter of 2009, with 151,000 unique attacks, according to a study by brand reputation firm MarkMonitor. …”

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

On Enterprise Security Playbooks

noreply@blogger.com (Marco Casassa Mont) — Tue, 08 Sep 2009 16:25:00 +0000

I am interested in getting a few real-world examples of enterprise “Security Playbooks” and explore them.

What is an enterprise Security Playbook? It is the “outcome” of organisation’s scenario planning and security risk assessment exercises, describing what should be done in presence of specific events and threats, for given contexts.

A security playbook can relate both to current and foreseeable situations where decisions must be taken by one or more “decision makers” and courses of actions carried out by specific people.

Why are “security playbooks” important? They are strategic for organisations as they synthesize what has to be done in critical situations (and who has to carry out actions) when very little time is allowed for debates and reactions.

Interestingly enough, “playbooks” are available in many fields, related to traditional business risk management (in case of faults, natural disasters, etc.).

I am interested in learning more about enterprise playbook that specifically focus on “IT security and cybercrime” aspects: I am wondering if any public template, example or guideline has ever been produced. I struggled to find anything really relevant …

I am also interested in better understanding what the implications are in the IAM space, which impact playbooks have on people, IAM processes and related IT operations …

Any input or links would be greatly appreciated.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

On my Experience in Using Twitter …

noreply@blogger.com (Marco Casassa Mont) — Tue, 08 Sep 2009 16:22:00 +0000

I’ve now been using my Twitter account for a few months, in order to provide quick updates about my work and activities.

My overall experience is positive. The 140 chars limitation is actually a pros, imposing some discipline on what to say and focus.

I have used Twitter many times to complement my blogging activities, to provide short pointers to blog posts of interest, to a wide community of followers.

I noticed that the communities operating in Twitter are nowadays much more active and dynamic than the ones operating in the traditional blogging space.

But this is just based on my personal experience and discussed topics …

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

W3C Policy Languages Interest Group (PLING) - Public Teleconference - 09 September 2009 – 12:00 AM (UTC)

noreply@blogger.com (Marco Casassa Mont) — Tue, 08 Sep 2009 16:18:00 +0000

The next W3C Policy Languages Interest Group (PLING) public teleconference is going to be held on 09 September 2009, at 12:00 AM (UTC).

Among many other topics, the agenda includes:

PLING Note on Best Practices for Privacy Awareness. See W3C GeoLocation API WD and FireFox Location-Aware Browsing for inspiration
HTML 5 Licensing Works
Proposal for a new Web Policy Language Working Group

Please consider attending this teleconference.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Good R&D Progress in the Space of Identity (and Security) Analytics

noreply@blogger.com (Marco Casassa Mont) — Tue, 25 Aug 2009 12:11:00 +0000

Good progress has been made in the R&D space of Identity Analytics at HP Labs (in the broader context of Security Analytics).

Various IAM case studies have been explored, investigating how event-driven probabilistic modelling, coupled with economic studies, can be used to help decision makers to make decision on investments, identify suitable metrics & policies, better understand the impact of choices, trade-offs and risk implications.

We got a few papers accepted in international conferences, in particular at IEEE Policy 2009 Symposium, Trust Economics 2009 Workshop and IEEE MetriSec 2009 – covering various IAM aspects.

A few HP Labs Technical Reports are now publicly available:

HPL-2009-173 Adrian Baldwin, Marco Casassa Mont, David Pym, Simon Shiu - System Modelling for Economic Analysis of Security Investments: A Case Study in Identity and Access Management - HPL-2009-173
HPL-2009-142 Yolanta Beres, Marco Casassa Mont, Jonathan Griffin, Simon Shiu - Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes - HPL-2009-142
HPL-2009-138 Anna Squicciarini, Marco Casassa Mont, Sathya Dev Rajasekaran - Towards an Analytic Approach to Evaluate Enterprises’ Risk Exposure to Social Networks - HPL-2009-138
HPL-2009-57 Marco Casassa Mont, Adrian Baldwin, Simon Shiu - Identity Analytics - User provisioning Case Study: Using Modelling and Simulation for Policy Decision Support - HPL-2009-57, 2009
HPL-2009-56 Adrian Baldwin, Marco Casassa Mont, Simon Shiu - Using Modelling and Simulation for Policy Decision Support in Identity Management - HPL-2009-56, 2009
HPL-2008-84 Marco Casassa Mont, Adrian Baldwin, Simon Shiu - On Identity Analytics: Setting the Context- HPL-2008-84, 2008

I am looking for input and feedback, in particular additional case studies where to apply our approach and techniques.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Serving in the Technical Program Committee of International Conferences

noreply@blogger.com (Marco Casassa Mont) — Tue, 25 Aug 2009 12:05:00 +0000

This year I have been serving as a member of many Technical Program Committees, in various International (IEEE, ACM, etc.) Conferences, including: ACSAC 2009, IEEE BIDS 2009, IEEE InSpec 2009, ACM DIM 2009, IEEE ICSC 2009, TrustBus 2009 and ICIMP 2009.

I found this experience very rewarding. Despite the need to allocate some amount of time for peer reviewing papers, this really provides good overviews of the state-of-art of research (and applied research) in the field of interest – in my case security, identity management and privacy.

I would encourage the members of this community in having a similar role, especially the one interested in R&D and research.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Call for Actions: W3C Policy Languages Interest Group (PLING)

noreply@blogger.com (Marco Casassa Mont) — Tue, 25 Aug 2009 12:03:00 +0000

We are looking for active contributions in the context of the W3C PLING Interest Group, in the space of: use cases, policy language reviews, policy initiatives and open issues.

Of particular interest are any input related to the implication of using policies and policy management in the space of cloud computing.

The charter of W3C PLING ha now been extended to December 2009. We are looking for your input and contributions.

The next general phone meeting (open to everybody) is planned to happen on 09 September 2009, 12:00 AM (UTC)

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Good progress in the TSB EnCoRe Project – Ensuring Consent and Revocation

noreply@blogger.com (Marco Casassa Mont) — Tue, 25 Aug 2009 12:00:00 +0000

The TSB EnCoRe project (Ensuring Consent and Revocation) is making good progress towards his various objectives, involving the provision and management of consent and revocation.

This topic has been tackled from various perspectives including: legal and social aspects, user requirements, architectural and technological aspects, risk assessment and compliance.

More information is available on the EnCoRe web site, including a brief summary of the project’s fourth quarter activities.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

New HP Labs Technical Report – “Secure Delivery of Services: The HP Labs Vision and Framework”

noreply@blogger.com (Marco Casassa Mont) — Tue, 25 Aug 2009 11:58:00 +0000

A new HP Labs Technical Report has been released, in the area of Security management, called “Secure Delivery of Services: The HP Labs Vision and Framework” by Marco Casassa Mont and Patrick Goldsack:

“The secure delivery and management of services and information is complex and subject to a multitude of factors and issues. Key challenges are posed by current trends towards outsourcing of services/decentralization, loss of control over the IT infrastructure, remote access to services by citizens and civil servants, an increasingly mobile workforce along with mutable threat environments and new risks posed by new devices and ways to store, process and transport information. Traditional approaches to security and related controls (e.g. Vulnerability Management, Identity and Access Management, Data Protection, etc.) need to be reassessed and adapted to cope with this ever changing IT environment. To ensure secure delivery, IT consultants, government planners, decision makers and IT Operations teams need to have a holistic approach to security and understand the implications and impact of these aspects. At HP Labs we are developing a vision and framework for the secure delivery of services and related information, based on an integrated approach underpinned by four core capabilities and technologies developed in HP Laboratories: Security Analytics to model policy and reason about the security and other risks; Secure IT Configuration and Deployment to act as the automated engine of policy implementation; Trusted Infrastructure which is the basic building block for the secure delivery of services; and finally Continuous Compliance and Monitoring which ensures that the systems behave as intended in the policy description.”

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

About IEEE Policy 2009 Symposium

noreply@blogger.com (Marco Casassa Mont) — Wed, 22 Jul 2009 11:03:00 +0000

I attended the 10th edition of the IEEE Policy 2009 Symposium - http://www.policy-workshop.org/program.html.

This year it has been a particularly interesting conference. Good Keynotes and very interesting presentations, covering various aspects of policies and their management – including IT Governance, Analytics, Security and Privacy, Access Control, Formal Representations, Reasoning, Semantic Web and extensions of current languages (e.g. XACML).

I gave a presentation on “Using Modeling and Simulation for Policy Decision Support in Identity Management. This is part of ongoing HP Labs work on Security and Identity Analytics. My presentation slideset is available here.

All other presentations are also going to be made available online, in the Policy 2009 web site.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

New HP Labs Technical Report – “Systems Modelling for Economic Analyses of Security Investments: A Case Study in Identity and Access Management”

noreply@blogger.com (Marco Casassa Mont) — Wed, 22 Jul 2009 10:55:00 +0000

A new HP Labs Technical Report has been released, in the area of Security and Identity Analytics, called “Systems Modelling for Economic Analyses of Security Investments: A Case Study in Identity and Access Management” by Adrian Baldwin, Marco Casassa Mont, David Pym and Simon Shiu:

“Identity and Access Management (IAM) is a key issue for systems security managers such as CISOs. More specifically, it is a difficult problem to understand how different investments in people, process, and technology affect the intended security outcomes. We position this problem within the framework of optimal control models in macroeconomics, and use a process model to understand the dynamics of the utility of possible trade-offs between investment, access, and security incidents (breaches). A utility function is used to express the security manager's IAM preferences, and the functional behaviour of its components is described via a process model. Executing our process model as Monte Carlo simulations, we illustrate the behaviour of the utility function for varying levels of investment and threat, and so provide the beginnings of a decision-support tool for systems security managers.”

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Blog under spamming attack – end of anonymous comments?

noreply@blogger.com (Marco Casassa Mont) — Wed, 15 Jul 2009 09:24:00 +0000

I just noticed that my blog on “Research on Identity Management”, hosted by the HP portal, is under “comment spamming” attack.

This is not a major issue as the current blog platform’s security controls just filter these undesired comments.

However, in my view, this shows how the capability of having anonymous posting of comments can be easily abused.

I believe this capability will be increasingly disabled in most blog sites. The same could happen for “authenticated” comments, as most of the time this just requires a user setting an account with a fake profile, hence enabling spammers to post again their comments.

Switching-off the capability of posting comments or introducing further controls will make the blog experience harder and harder …

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Interesting BBC article – “Cyber crooks get business savvy”

noreply@blogger.com (Marco Casassa Mont) — Wed, 15 Jul 2009 09:22:00 +0000

This article, called “Cyber crooks get business savvy” is particularly interesting as it illustrates how cybercrime is evolving and maturing:

“Cyber crooks are increasingly operating like successful businesses, deploying the same tools legitimate companies use to boost their profits. Networking giant Cisco said online criminals were increasingly using proven business practices.
In its mid-year security report, Cisco said this new approach puts the bad guys way ahead. "When your enemy is financially motivated you have to be on alert," said Cisco fellow Patrick Peterson.”

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

IEEE Policy 2009 Symposium – Ready to Go

noreply@blogger.com (Marco Casassa Mont) — Wed, 15 Jul 2009 09:18:00 +0000

The 10th IEEE Policy 2009 Symposium (www.ieee-policy.org) is coming, 20-22 July 2009, Imperial College, London, UK.

This year’s programme is particularly interesting, with Keynote Speeches from Dr. Anne Adams (The Open University), Dr. Claudio Bartolini (HP Labs) and Dr. Mark Ryan (University of Birmingham).

I will present a paper describing recent HP Labs work on Identity Analytics, i.e. on how to use modeling and simulation to explore investment trade-offs and predict the impact of decisions in the space of Identity and Access Management. A related HPL Technical Report, on this topic, can be found here.

Registrations to the conference are still open.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

EEMA e-Identity: Presentation on the Future of the Identity in the Cloud

noreply@blogger.com (Marco Casassa Mont) — Mon, 29 Jun 2009 22:30:00 +0000

I recently attended the EEMA e-Identity Conference, in London, 25-26 June 2009. There have been interesting presentation and good talks.

I also gave a presentation on “The Future of Identity in the Cloud: Requirements, Risks and Opportunities”:

“This presentation aims at: setting the context about Identity in the Cloud; discussing related identity management issues along with core requirements (coming from users and organisations); illustrating, from an HP Labs’ perspective, future possible models, approaches and IT infrastructures to handle Identity in the Cloud.
The introduction of the presentation sets some background: it gives an overview of Cloud Computing and its implications, in terms of service provisioning, security, privacy and identity management. In particular it discusses the paradigm shift from a close & controlled approach (within enterprises) to potentially, on-the-fly composable and customisable services, in the Cloud.
Use cases are introduced to illustrate “common” usage and management tasks involving Identity in the Cloud - from both user and organisational perspectives, including the implications of having to deal with Identity in composable and dynamic services. New emerging, related threats and risks are briefly discussed, such as the potential growth of bogus service providers, targeted attacks to the weakest points in the service provisioning chain and identity thefts.
This will lead to a discussion of key requirements, determined by new interaction models and service-provisioning paradigms in the Cloud, including: control of identity flows and management of distributed user accounts; trust and reputation about service providers in the Cloud; identity assurance; transparency about security practices; privacy (including consent and revocation).
I will then discuss current (categories of) identity management solutions and approaches that deal with aspects of Identity in the Cloud (such as identity federation, identity brokering, Identity 2.0, etc.), along with their pros and cons and failures to address some of the core requirements (such as assurance, trust and privacy control).
The final part of this presentation challenges current assumptions and approaches and illustrates future directions, by presenting HP Labs’ medium and long–term vision about how the underlying Cloud infrastructure is going to evolve along with its implication in terms of Identity and Identity Management. This includes the paradigm shifts introduced by the usage of trusted virtualisation, remote attestation of platform capabilities (Trusted Computing Platforms) and identity-driven computational environment (coming from the cloud) that could run on local systems (e.g. at the user side); new emerging identity management models driven by identity-aware platforms and policy-driven delegation of credentials; the role that Security and Identity Analytics can play, by using modelling and simulation, to help organisations to evaluating and predicting the consequences of using services in the Cloud, based on assumptions made on the underlying identity management model and existing threats.”

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Another New HP Labs Technical Report: Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes

noreply@blogger.com (Marco Casassa Mont) — Mon, 29 Jun 2009 22:26:00 +0000

Another new HP Labs Technical Report has been recently released, called “Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes” (authors: Yolanta Beres, Marco Casassa Mont, Jonathan Griffin, Simon Shiu):

“It is hard for security practitioners and decision-makers to know what level of protection they are getting from their investments in security, especially when they have invested in a number of technologies and processes which interact and combine together. It is even harder to estimate how well these investments can be expected to protect their organizations in the future as security policies, regulations and the threat environment are constantly changing. In this paper we propose that for measuring the effectiveness of security processes in large organizations, a greater emphasis needs to be put on process-based metrics, in contrast to the more commonly used symptomatic lagging indicators. We show how these process-based metrics can be combined with executable, predictive models, based on a sound mathematical foundation, to both assess organizations' security processes under current conditions and predict how well they are likely to perform in potential future scenarios, which may include changes in working practices, policies or threat levels, or new investments in security. We present two case studies, in the areas of vulnerability threat management, and identity and access management, as significant examples to illustrate how this modeling and simulation-based approach can be used to provide a rich picture of how well existing security processes are protecting the organization and to answer "what- if" questions, such as exploring the effects of a change in security policy or an investment in new security technology. Our approach enables the organization to apply the metrics that are most relevant to its business, and provide a comprehensive view that shows the benefits and losses to the different stakeholders”

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---