Research on Security and Identity Management (by Marco Casassa Mont)

Security Trends Report by Microsoft and McAfee: Phishing Scams Relying More Heavily on Worms and Trojans

marcocasassamont — Mon, 02 Nov 2009 18:04:00 GMT

Based on a recent security trends report by Microsoft and MAfee, it looks like that social networks have been targeted with phishing scams and relying more heavily on worms and Trojans to attack computers. Rogue security software also remains a big issue.

Some related articles on this topic can also be found here and here.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

3rd PrivacyOS meeting

marcocasassamont — Mon, 02 Nov 2009 18:00:00 GMT

The 3^rd PrivacyOS meeting has taken place in Vienna, 26-27 October 2009.

I attended, along with a few colleagues from HP Labs Bristol, the 3^rd PrivacyOS meeting, in Vienna.

It has been a very interesting meeting, with presentations from various stakeholders of the privacy community and debates.

A summary of presentations and related notes can be found here.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Article - Malware is bound to hit smartphone devices as users do not consider security

marcocasassamont — Mon, 02 Nov 2009 17:57:00 GMT

Interesting article, by Dan Raywood (called "Malware is bound to hit smartphone devices as users do not consider security"):

"Smartphone attacks are likely to increase, as users are encouraged to take as much care with their device as with their PC. According to a report by CNN, smartphone security threats are likely to rise as the popularity of smartphones is on the rise and malware could be heading for them. ..."

I believe this is a real threat. At risk, among many, are business corporate executives and senior people relying in and using more and more smartphones as their core device for their communications, including handling emails and storing confidential data.

I predict that more efforts (in terms of products, solutions, services) will be paid to address these issues, at least at a corporate level ...

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Update about TSB UK EnCoRe Project – Ensuring Consent and Revocation

marcocasassamont — Mon, 02 Nov 2009 17:54:00 GMT

The 5^th Quarter Summary of EnCoRe (http://www.encore-project.info) R&D activities in the space of Consent and Revocation management is now available online at: http://www.encore-project.info/press_archive/Q5%20summary.pdf

In addition, a new "service" has been launched, about "Latest EnCoRe Tidbits" aiming at providing links to snippets of news related to consent and revocation: http://www.encore-project.info/news.html#story1

More to come. Enjoy.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Research on Security and Identity Management

marcocasassamont — Fri, 09 Oct 2009 17:22:00 GMT

The time has come to update the topic (and focus) of this blog.

In the last few years my R&D work and research at HP Labs has been involving a variety of aspects, including security, identity management and privacy.

Most of my posts have actually been reflecting this - hence my decision to update my blog. Hope this will further increase the community of people that are interested and follow my blog.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

New W3C PLING General Phone Call – 14 October 2009, 12:00 UTC

marcocasassamont — Fri, 09 Oct 2009 17:20:00 GMT

The next W3C Policy Language Interest Group (PLING) general meeting is going to happen on October, 14^th - 12:00 UTC.

Topics to be discussed include: (1) Best practices for privacy awareness; (2) web policy language working group proposal.

Please consider attending.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Article – Phishing or not, leaked passwords show lazy habits

marcocasassamont — Fri, 09 Oct 2009 17:18:00 GMT

This article, called Phishing or not, leaked passwords show lazy habits, by Elinor Mills, is quite interesting.

It is not a novelty the fact that there are bad practices when dealing with passwords - but it is also true that people are usually good at making risk assessments and judge which level of protection to choose, depending on the value of the asset to protect ...

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

3rd PrivacyOS Conference, Vienna, 25-27 October 2009

marcocasassamont — Mon, 28 Sep 2009 16:43:00 GMT

The Third PrivacyOS conference is going to take place in Vienna, 25-27 October 2009:

http://www.amiando.com/3rdprivacyos.html

"The third PrivacyOS Conference focuses on "rising awareness - functions and impact of data protection".

Participants are invited to join the Austrian Big Brother Awards Gala on the evening of the 25^th of October and to discuss about privacy issues or their experiences in this field. The conference provides a unique opportunity to articulate and exchange best practices, challenges and solutions in privacy and data protection on the 26th and 27th of October.

The conference primarily addresses legal and technical IT experts, interested manufacturers of IT products or services as well as data protection authorities. All persons interested in privacy or data protection aspects are welcome to register for the event. "

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Workshop on Access Control (and Privacy) Application Scenarios

marcocasassamont — Mon, 28 Sep 2009 16:37:00 GMT

Please consider submitting a position paper at the W3C Workshop on Access Control (and Privacy) Application Scenarios, by October 23^rd:

http://www.w3.org/2009/policy-ws/cfp.html

"W3C invites people to participate in a Workshop on Access Control Application Scenarios on 17-18 November 2009 in Luxembourg. This Workshop is intended to explore evolving application scenarios for access control technologies, such as XACML. Results from a number of recent European research projects in the grid, cloud computing, and privacy areas show overlapping use cases for these technologies that extend beyond classical intra-enterprise applications. The Workshop, co-financed by the European Commission 7th framework program via the PrimeLife project, is free of charge and open to anyone, subject to review of their statement of interest and space availability.

The workshop is intended to discuss issues around access control in very wide sense, encompassing conditions and rules derived from the fact of accessing information. Topics that might serve as appropriate discussion points for position papers include, but are not limited to:

interaction between access control and privacy policies
language extensions to connect access control languages to novel types of credentials
large-scale cloud and grid computing use cases for access control technologies
policy management
mechanisms for controlling progressive disclosure of information by user agents and servers
the emerging role of trust delegation and supportive mechanisms in cloud computing, grid, and Web use cases
mechanisms for richer user control over downstream data controllers

The workshop will examine experiences and recent research results in these areas, their need for agreed semantics, the need for extensions to existing access control languages, and perhaps for radically new approaches.

Position papers are due 23 October. See the call for participation for more information."

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Interesting article – “Phishing Fraud hits two year high”

marcocasassamont — Mon, 28 Sep 2009 16:34:00 GMT

http://www.theregister.co.uk/2009/09/28/phishing_fraud_trends/

"Phishing attacks reached a record high during the second quarter of 2009, with 151,000 unique attacks, according to a study by brand reputation firm MarkMonitor. ..."

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

On Enterprise Security Playbooks

marcocasassamont — Tue, 08 Sep 2009 16:25:00 GMT

I am interested in getting a few real-world examples of enterprise "Security Playbooks" and explore them.

What is an enterprise Security Playbook? It is the "outcome" of organisation's scenario planning and security risk assessment exercises, describing what should be done in presence of specific events and threats, for given contexts.

A security playbook can relate both to current and foreseeable situations where decisions must be taken by one or more "decision makers" and courses of actions carried out by specific people.

Why are "security playbooks" important? They are strategic for organisations as they synthesize what has to be done in critical situations (and who has to carry out actions) when very little time is allowed for debates and reactions.

Interestingly enough, "playbooks" are available in many fields, related to traditional business risk management (in case of faults, natural disasters, etc.).

I am interested in learning more about enterprise playbook that specifically focus on "IT security and cybercrime" aspects: I am wondering if any public template, example or guideline has ever been produced. I struggled to find anything really relevant ...

I am also interested in better understanding what the implications are in the IAM space, which impact playbooks have on people, IAM processes and related IT operations ...

Any input or links would be greatly appreciated.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

On my Experience in Using Twitter …

marcocasassamont — Tue, 08 Sep 2009 16:22:00 GMT

I've now been using my Twitter account for a few months, in order to provide quick updates about my work and activities.

My overall experience is positive. The 140 chars limitation is actually a pros, imposing some discipline on what to say and focus.

I have used Twitter many times to complement my blogging activities, to provide short pointers to blog posts of interest, to a wide community of followers.

I noticed that the communities operating in Twitter are nowadays much more active and dynamic than the ones operating in the traditional blogging space.

But this is just based on my personal experience and discussed topics ...

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

W3C Policy Languages Interest Group (PLING) - Public Teleconference - 09 September 2009 – 12:00 AM (UTC)

marcocasassamont — Tue, 08 Sep 2009 16:19:00 GMT

The next W3C Policy Languages Interest Group (PLING) public teleconference is going to be held on 09 September 2009, at 12:00 AM (UTC).

Among many other topics, the agenda includes:

PLING Note on Best Practices for Privacy Awareness. See W3C GeoLocation API WD and FireFox Location-Aware Browsing for inspiration
HTML 5 Licensing Works
Proposal for a new Web Policy Language Working Group

Please consider attending this teleconference.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Good R&D Progress in the Space of Identity (and Security) Analytics

marcocasassamont — Tue, 25 Aug 2009 12:11:00 GMT

Good progress has been made in the R&D space of Identity Analytics at HP Labs (in the broader context of Security Analytics).

Various IAM case studies have been explored, investigating how event-driven probabilistic modelling, coupled with economic studies, can be used to help decision makers to make decision on investments, identify suitable metrics & policies, better understand the impact of choices, trade-offs and risk implications.

We got a few papers accepted in international conferences, in particular at IEEE Policy 2009 Symposium, Trust Economics 2009 Workshop and IEEE MetriSec 2009 - covering various IAM aspects.

A few HP Labs Technical Reports are now publicly available:

HPL-2009-173 Adrian Baldwin, Marco Casassa Mont, David Pym, Simon Shiu - System Modelling for Economic Analysis of Security Investments: A Case Study in Identity and Access Management - HPL-2009-173
HPL-2009-142 Yolanta Beres, Marco Casassa Mont, Jonathan Griffin, Simon Shiu - Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes - HPL-2009-142
HPL-2009-138 Anna Squicciarini, Marco Casassa Mont, Sathya Dev Rajasekaran - Towards an Analytic Approach to Evaluate Enterprises' Risk Exposure to Social Networks - HPL-2009-138
HPL-2009-57 Marco Casassa Mont, Adrian Baldwin, Simon Shiu - Identity Analytics - User provisioning Case Study: Using Modelling and Simulation for Policy Decision Support - HPL-2009-57, 2009
HPL-2009-56 Adrian Baldwin, Marco Casassa Mont, Simon Shiu - Using Modelling and Simulation for Policy Decision Support in Identity Management - HPL-2009-56, 2009
HPL-2008-84 Marco Casassa Mont, Adrian Baldwin, Simon Shiu - On Identity Analytics: Setting the Context- HPL-2008-84, 2008

I am looking for input and feedback, in particular additional case studies where to apply our approach and techniques.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Serving in the Technical Program Committee of International Conferences

marcocasassamont — Tue, 25 Aug 2009 12:06:00 GMT

This year I have been serving as a member of many Technical Program Committees, in various International (IEEE, ACM, etc.) Conferences, including: ACSAC 2009, IEEE BIDS 2009, IEEE InSpec 2009, ACM DIM 2009, IEEE ICSC 2009, TrustBus 2009 and ICIMP 2009.

I found this experience very rewarding. Despite the need to allocate some amount of time for peer reviewing papers, this really provides good overviews of the state-of-art of research (and applied research) in the field of interest - in my case security, identity management and privacy.

I would encourage the members of this community in having a similar role, especially the ones interested in R&D and research.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---