Welcome to the Cyber Science 2021 forum

Here you can discuss the day’s events and topics.

 

 


[Sticky] Thursday June 17th

9 Posts
4 Users
2 Likes
1,666 Views
cyberscienceteam2020
Posts: 17
Admin
Topic starter
(@cyberscienceteam2020)
Eminent Member
Joined: 5 years ago

Use this forum to discuss Thursday's events!

8 Replies
Tim D Williams
Posts: 8
(@timdwilliams)
Active Member
Joined: 3 years ago

Here are my follow-up questions related to the presentation "An Anomaly Free Distributed Firewall System for SDN" by Mitali Sinha, Dr. Padmalochan Bera and Dr. Manoranjan Satpath.

Q1. Does your research address questions of situational awareness in complex networks i.e. how to facilitate human observations about security events in complex networks, make decisions about what rules need to be implemented and use such insights to feed-forward into definition of firewall rules or is your research only focused on working out how to generate rules on the basis that the security protection requirements are already known?

[I have in mind questions about whether your approach would be capable of being integrated with the outputs from Open Source anomaly detection software such as Suricata https://suricata.io and MISP https://www.first.org/resources/papers/conf2015/first_2015_iklody-andras-building-instantly-exploitable-protection_20150630.pdf to create an end-to-end "closed-loop" system in which SDN firewall rules responded dynamically to emerging conditions in complex networks]

Q2. To what extent does your research address integrity protection of firewall configuration data to mitigate against the risks of moving from security assured physical hardware to an all-software implementation? 

[e.g. using code-signing or multi-party computation methods to protect the firewall configuration data.]

Q3. To what extent does your research address security assurance/lifecycle aspects of firewall design and implementation for Software Defined Networks? [Customers for firewalls often require the products to be formally evaluated (e.g. by laboratories operating under the Common Criteria scheme https://www.commoncriteriaportal.org/products/#BP) based on ISO 15408 ( https://www.commoncriteriaportal.org/cc/) which includes both security functional requirements and security assurance (secure development and support lifecycle) requirements.]

Q4. How does your background literature review position your research in relation to the questions raised in Q1, Q2 and Q3? 

[Not addressing the questions raised in Q1, Q2 and Q3 can of course be justified, but it would be good to demonstrate wider awareness of the context surrounding your research and to make explicit any decisions to de-scope consideration of wider topics such as these]

Although SDN firewalls are not my own speciality (my research in construction sector cybersecurity touches on network infrastructure, but is not entirely focused on this), please feel free to follow up with me as you wish.

Best regards,

Tim

t.d.williams@pgr.reading.ac.uk

 

1 Reply
cyberscienceteam2020
(@cyberscienceteam2020)
Joined: 5 years ago

Eminent Member
Posts: 17

@timdwilliams we have received an email from Mitali Sinha answering your questions, please find these below.

1. Till now, our work is to generate rules on the basis of pre-defined requirements. In future we will extend this work to generate dynamic rules and integrate these rules into the distributed firewall system.

[I have in mind questions about whether your approach would be capable of being integrated with the outputs from Open Source anomaly detection software such as Suricata https://suricata.io and MISP https://www.first.org/resources/papers/conf2015/first_2015_iklody-andras-building-instantly-exploitable-protection_20150630.pdf to create an end-to-end "closed-loop" system in which SDN firewall rules responded dynamically to emerging conditions in complex networks]

ANSWER: yes, it is possible. 

Q2. To what extent does your research address integrity protection of firewall configuration data to mitigate against the risks of moving from security assured physical hardware to an all-software implementation? 

[e.g. using code-signing or multi-party computation methods to protect the firewall configuration data.]

Answer: Though, there is the possibility of a single point of controller’s failure in SDN. It is a little risky to convert all security assured physical hardware to software.

Q3. To what extent does your research address security assurance/lifecycle aspects of firewall design and implementation for Software Defined Networks? [Customers for firewalls often require the products to be formally evaluated (e.g. by laboratories operating under the Common Criteria scheme https://www.commoncriteriaportal.org/products/#BP) based on ISO 15408 ( https://www.commoncriteriaportal.org/cc/) which includes both security functional requirements and security assurance (secure development and support lifecycle) requirements.]

ANSWER: In this work, we have taken only pre-defined security rules. In future work, we will evaluate our firewall system with dynamic functional requirements and test its reliability.

Q4. How does your background literature review position your research in relation to the questions raised in Q1, Q2 and Q3?

Previously there was no work regarding Q1, Q2, Q3 for SDN. Thank you for the suggestion. We will try to extend our work regarding this.

[Not addressing the questions raised in Q1, Q2 and Q3 can of course be justified, but it would be good to demonstrate wider awareness of the context surrounding your research and to make explicit any decisions to de-scope consideration of wider topics such as these]

Tim D Williams
Posts: 8
(@timdwilliams)
Active Member
Joined: 3 years ago

Here are my follow-up questions related to the presentation "Towards a Healthcare Cybersecurity Certification Scheme" by Kristine Hovhannisyan, Piotr Bogacki, Consuelo Assunta Colabuono, Domenico Lofù, Maria Vittoria Marabello and Brady Eugene Maxwell

Q1. How do the aims and objectives of your research differ from those of (ISC)2's certification scheme for people working in Healthcare security and privacy, the Healthcare Certified Information Security and Privacy Practitioner (HCISPP) certification ( https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/HCISPP-Exam-Outline.ashx)?

[At the time of asking this question it was not completely clear to me that the scope was limited to Europe and oriented towards technology and processes whereas (ISC)2's certification is more focused on people and intended to deliver a global perspective, spanning both insurance-based healthcare systems such as those that predominate in the USA which include claims administration, consumer payment handling and associated financial fraud risks and national healthcare systems which are free at the point of use and which do not include consumer payment handling]

Q2. (new question, not asked during the presentation) To what extent does your research consider organisational and structural differences between the healthcare systems of different EU countries?

[Is it realistic to consider that a single set of MoSCoW requirements could be applicable to different enterprise architectures and operating models? Do healthcare security requirements need to be defined at national, regional and local levels rather than at a transnational level?]

Note that although I'm not currently active in healthcare security and privacy research, this has been an interest of mine and I would be happy to collaborate and put you in touch with people still working in this field, in the UK NHS, the USA (HiTrust etc) and in certain countries in the Middle East where I have previously worked on healthcare security and privacy.

Best regards,

Tim

t.d.williams@pgr.reading.ac.uk

P.S. Some of my old (2014 to 2016 vintage) informal communications in this area are at:

http://www.imagegently.org/Portals/6/GlobalResources/Health%20Management%202014%20Article.pdf

https://web.archive.org/web/20160407111143/http://www.computerworlduk.com/blogs/infosecurity-voice/consumer-technologies-in-healthcare--what-are-the-security-challenges-3571373/

https://web.archive.org/web/20160610015224/http://www.scmagazineuk.com/healthy-scepticism/article/342603/2/

https://web.archive.org/web/20140810024902/http://www.all-about-security.de/security-artikel/organisation/security-management/artikel/16273-consumer-technologien-im-gesundheitssektor-wo-liegen-die-he/

https://web.archive.org/web/20140315122530/http://blogs.computerworlduk.com/infosecurity-voice/2014/03/-the-business-case-for-certified-security-professionals-in-healthcare/index.htm

Raluca Andronic
Posts: 5
Admin
(@andronicraluca)
Active Member
Joined: 3 years ago

Great questions being posted so far! I really enjoyed Dr. Phil Legg's keynote presentation, extremely engaging!

Some previews of each talk that has happened so far are available on C-MRiC's Twitter account for anyone interested.

4 Replies
Phil Legg
(@plegg)
Joined: 3 years ago

New Member
Posts: 2

@andronicraluca Thank you very much Raluca, I'm glad you enjoyed the talk!

Tim D Williams
(@timdwilliams)
Joined: 3 years ago

Active Member
Posts: 8

@plegg Many thanks for your superb keynote!

The first 6 of the 7 (far too many - sorry!) questions which were asked earlier are listed below:

Tim D Williams (You)       01:22 PM

Q1. To what extent do you consider that the work done in the US to develop the NICE framework (NIST SP 800-180) and define the roles, knowledge, skills, abilities and tasks within that framework is relevant to the UK?

Tim D Williams (You)       01:23 PM

Q2. Does the “cost plus” approach to government procurement in the US (versus the “outcome based” approach of the UK to transfer risks to the private sector) mean that the NICE approach is irrelevant/distracting?

Tim D Williams (You)       01:24 PM

Q3. Is any of the work that was previously done by TheTechPartnership (formerly E-Skills UK) and which has now been published (archived?) as the UK’s National Occupational Standards ( https://www.ukstandards.org.uk) still relevant to Cybersecurity education and skills development planning?

Tim D Williams (You)       01:29 PM

Q4. What are your views on the likely effectiveness of the UK Cyber Security Council ( https://www.gov.uk/government/news/new-uk-cyber-security-council-to-be-official-governing-body-on-training-and-standards)? Will this end up being just another Quango? Can it act as an effective umbrella body, given that it is a UK initiative and it’s trying to enlist support from established international professional organisations such as (ISC)2, ISACA and CompTIA (not just UK professional bodies like BCS, CIIS, CREST and the Engineering Council which can be assumed to be reasonably compliant and supportive)?

Tim D Williams (You)       01:31 PM

Q6. What are your views on the Problem Based Learning (PBL) cyber security research performed by the Higher Education Academy in 2017? Has this gone anywhere?

Ref:

https://www.advance-he.ac.uk/knowledge-hub/application-problem-based-learning-%25E2%2580%2593-cybersecurity-hea-annual-conference-2017

Many thanks in advance for a lively discussion, hopefully involving other attendees at this wonderful conference.

Best regards,

Tim

P.S. I'd welcome future collaboration on cybersecurity pedagogical techniques. During the course of my recently completed PGCHE I've done some initial design, development and piloting of a live "crane hacking" lab similar in concept to your live IoT learning environment design.

Phil Legg
(@plegg)
Joined: 3 years ago

New Member
Posts: 2

@timdwilliams Hi Tim. Thanks for the questions (I've only just seen these). I'll put some notes together shortly to address these (and then I'll reply to this post) - happy to carry on the discussion after the conference also.

 

Thanks

Phil

Tim D Williams
(@timdwilliams)
Joined: 3 years ago

Active Member
Posts: 8

@plegg Thanks Phil. I look forward to your replies and it would be great to continue the discussion after the conference.

Thanks again,

Tim

t.d.williams@pgr.reading.ac.uk
