Information Technology Reference
In-Depth Information
If Cisco opens the code for Routers I do not know if it is efficient to look at the code and
analyse and compile it, but the same also applies for Linux. So, there is a problem for
using operating systems, both in open and closed systems.
Vellone
: I think we could spend one week discussing this problem because it is a
problem without a solution and because there are different points of view. Each of you
has the same probability to be true as any other, but I want to remind you why in the past
the certification of products started. If we see the system as an architecture based on
building blocks, where one of the most important is an operating system, there are other
blocks which are of the same importance. Certification was based on the concept of trust.
Because people cannot assess or evaluate complicated pieces of equipment, they delegate
another person to do the job. But in this case, when they do this in this way they must
trust the other party and the common criteria has also introduced the memorandum of
agreement between nations and nations can develop one part of that product going deep
into the evaluation of the product and share for another product the same trust for other
pieces of equipment. Then there is another concept to consider; accreditation. This is
completely different from certification, because certification is a technical evaluation
which some experts have signed on the basis of some criteria to one equipment device,
one building block. Accreditation is the control of the characteristics of equipment for
the required use. So when you have equipment with a certain level of assurance, in this
case you trust the person who gives the assurance level to this equipment and we cannot
just consider the cost for the certification. I also do not think that NATO can develop a
new operating system completely within the Organisation. And I would like also to refer
to another system, the tactical post 2000 in NATO, because this problem is very
important for tactical systems. There are consortiums of companies working on this
project, trying to consider different domains of security which must be interconnected but
without trusting what happens within other domains. I think that is the only way to solve
problems and also to fix information intrusions.
Kahraman
: How do you trust Internet tools or how can you be assured that tests you
have planned before are being satisfied by these tools? Perhaps they do not cover the test
requirements or perhaps they inject some malicious programmes into the system. Do you
like custom-made programmes or do you construct custom-made tools yourself for the
tests in addition to what is available on the Internet?
Uneri
: You do not trust one tool only. For example, looking for vulnerabilities in
some system or scanning the network, there are many tools and if the tools can reach an
agreement within themselves then you use them, and we also in our Institute write codes
for those and some of the tools are open source tools. We look at the codes sometimes, so
there are methods, but saying that if a tool is found on the Internet it is not to be trusted,
is not the way to go. You have to use it and if you do not like it, do not trust it. So scan or
look at vulnerabilities. Look at the open parts of the system. Check the tools, then use
them.
Handy
: Given the fact that we do have NATO CERT information now, it would be
useful to know if there are any plans to insert some of these CERT type incidents into a
NATO exercise, where we exercise the capability of the CERT team to interact with the
rest of the Task Force, to see how effective we can all be together?
Search WWH ::
Custom Search