Cybersecurity

Session 2: Role of Standardization in Cybersecurity
Arkadiy Kremer
Chairman, ITU-T Study Group 17
“We have received a strong message from our members that ITU is, and will remain, the world’s pre-eminent global telecommunication and ICT standards body. And we hear also, and very clearly, that ITU should continue on its mission to connect the world, and that bridging the standardization gap, by increasing developing country participation in our work, is an essential prerequisite to achieve this goal.”
Malcolm Johnson, TSB Director (Closing speech at the WTSA-08)
ITU Open Forum on Cybersecurity, 6 December 2008
2 of 23
Strategic direction
• WSIS Action Line C5, Building confidence and security in use of ICTs
• WTSA-08 Resolution 50, Cybersecurity – Resolves “that ITU-T continue to evaluate existing and evolving new Recommendations, and especially signaling and telecommunication protocol Recommendations, with respect to their robustness of design and potential for exploitation by malicious parties to interfere destructively with their deployment in the global information and telecommunication infrastructure”.
• WTSA-08 Resolution 52, Countering and combating spam – Instructs ITU-T study groups “to continue collaboration with the relevant organizations (e.g., IETF), in order to continue developing, as a matter of urgency, technical Recommendations with a view to exchanging best practices and disseminating information through joint workshops, training sessions, etc.”
Strategic direction (cont.)
• Plenipotentiary Resolution 130, Strengthening the role of ITU in building confidence and security in the use of information and communication technologies – Instructs the Director of TSB to intensify work in study groups, address threats and vulnerabilities, collaborate, and share information
• Plenipotentiary Resolution 149, Study of definitions and terminology relating to building confidence and security in the use of information and communication technologies – Instructs Council to study terminology
• ITU Global Cybersecurity Agenda. Key work areas: Legal Measures, Technical and Procedural Measures, Organizational Structures, Capacity Building, International Cooperation. The report of the world-renowned Group of High-Level Experts to the ITU Secretary-General contains recommendations in each of the five areas
Coordination
• ISO/IEC/ITU-T Strategic Advisory Group on Security (SAG-S)
  Oversees standardization activities in ISO, IEC and ITU-T relevant to security; provides advice and guidance relative to coordination of security work; and, in particular, identifies areas where new standardization initiatives may be warranted (portal established, workshops conducted)
• Global Standards Collaboration (GSC)
  ITU and participating standards organizations exchange information on the progress of standards development in the different regions and collaborate in planning future standards development to gain synergy and to reduce duplication. GSC-13 resolutions concerning security include Cybersecurity (13/11), Identity Management (13/04), Network aspects of identification systems (13/03) and Personally Identifiable Information protection (13/25).
ITU-T security activities
• Study Group 17 is the lead study group in the ITU-T for security – responsible for:
  • Coordination of security work
  • Development of core Recommendations
• Most of the other study groups have responsibilities for standardizing security aspects specific to their technologies (TMN security, IPCablecom security, NGN security, Multimedia security, etc.)
SG 17 Security Project
• Security Coordination
  • Within SG 17, with ITU-T SGs, with ITU-D and externally
  • Kept others informed – TSAG, IGF, ISO/IEC/ITU-T SAG-S…
  • Made presentations to workshops/seminars and to GSC
  • Maintained reference information on the LSG security webpage
• Security Compendium
  • Includes catalogs of approved security-related Recommendations and security definitions extracted from approved Recommendations
• Security Standards Roadmap
  • Includes a searchable database of approved ICT security standards from ITU-T and others (e.g., ISO/IEC, IETF, ETSI, IEEE, ATIS)
• ITU-T Security Manual – assisted in its development
Core Security Recommendations
Strong ramp-up on developing core security Recommendations in SG 17:
• 14 approved in 2007
• 27 approved in 2008
• 44 under development for approval next study period
Subjects include:
• Architecture and Frameworks
• Web services
• Directory
• Identity management
• Risk management
• Cybersecurity
• Incident management
• Mobile security
• Countering spam
• Security management
• Secure applications
• Telebiometrics
• Ubiquitous Telecommunication services
• SOA security
Ramping up on:
• Multicast
• Traceback
• Ubiquitous sensor networks
Collaboration with others on many items
Core Security Recommendations (cont.)
ITU-T Recommendation X.1205
Overview of Cybersecurity
Summary
This Recommendation provides a definition for cybersecurity. The Recommendation provides a taxonomy of security threats from an organization's point of view. Cybersecurity threats and vulnerabilities, including the most common hacker's tools of the trade, are presented. Threats are discussed at various network layers.
Various cybersecurity technologies that are available to remedy the threats are discussed, including: routers, firewalls, antivirus protection, intrusion detection systems, intrusion protection systems, secure computing, and audit and monitoring. Network protection principles such as defence in depth and access management, with application to cybersecurity, are discussed. Risk management strategies and techniques are discussed, including the value of training and education in protecting the network. Examples of securing various networks based on the discussed technologies are also given.
Core Security Recommendations (cont.)
ITU-T Recommendation X.1206
A vendor-neutral framework for automatic notification of security related information and dissemination of updates
Summary
This Recommendation provides a framework for automatic notification of security related information and dissemination of updates. The key point of the framework is that it is a vendor-neutral framework. Once an Asset is registered, updates on vulnerability information and patches or updates can be automatically made available to the users, or directly to applications, regarding the Asset.
Core Security Recommendations (cont.)
Recommendation ITU-T X.1207
Guidelines for telecommunication service providers for addressing the risk of spyware and potentially unwanted software
Summary
Recommendation ITU-T X.1207 provides guidelines for telecommunication service providers (TSPs) for addressing the risks of spyware and potentially unwanted software. This Recommendation promotes best practices around principles of clear notices and users' consent and controls for TSP web hosting services. This Recommendation develops and promotes best practices for users on personal computer (PC) security, including use of anti-spyware, antivirus, personal firewall and security software updates on client systems.
Core Security Recommendations (cont.)
ITU-T Recommendation X.1231
Technical Strategies on Countering Spam
Summary
This Recommendation emphasizes technical strategies for countering spam, and also includes the general characteristics of spam and the main objectives of countering spam. Furthermore, recognizing that there is no single solution to the spam problem, this Recommendation also provides a checklist for evaluating promising tools for countering spam.
Core Security Recommendations (cont.)
ITU-T Recommendation X.1240
Technologies involved in countering email spam
Summary
This Recommendation specifies the basic concepts, characteristics and effects of email spam, and the technologies involved in countering email spam. It also introduces the current technical solutions and related activities of various standards development organizations and other relevant organizations on countering email spam. It provides guidelines and information to users who want to develop technical solutions for countering email spam. This Recommendation will be used as a basis for further development of technical Recommendations on countering email spam.
Core Security Recommendations (cont.)
ITU-T Recommendation X.1241
Technical framework for countering email spam
Summary
This Recommendation provides a technical framework for countering email spam. The framework describes one recommended structure of an anti-spam Processing Domain and defines the functions of the major modules in it. The key point of the framework is that it establishes a mechanism to share information about email spam between different email servers. Systems that follow the framework would improve their efficiency through interconnection.
Core Security Recommendations (cont.)
Recommendation ITU-T X.1244
Overall aspects of countering spam in IP-based multimedia applications
Summary
This Recommendation specifies the basic concepts, characteristics and technical issues related to countering spam in IP multimedia applications such as IP telephony, instant messaging, etc. The various types of IP multimedia application spam are categorized, and each category is described according to its characteristics. This Recommendation describes the various security threats that can give rise to IP multimedia application spam. Various techniques have been developed to control email spam, which has become a social problem, and some of those techniques can be used in countering IP multimedia application spam. This Recommendation analyzes the conventional spam countering mechanisms and discusses their applicability to countering IP multimedia application spam. This Recommendation concludes by mentioning various aspects that should be considered in countering IP multimedia application spam.
Identity Management
• Networks are increasingly distributed, converged and packet based, where access to services can be based on identity contexts and roles and accessed anywhere, anytime.
• Security and trust of identity information in this environment is significantly more complex:
  • Users may have multiple, context dependent “identities”
  • Network services may require different identity trust levels
  • Identity information is distributed throughout the network
• Old methods of managing identity information are inadequate, may limit services, and cause significant cybersecurity problems
• Consequently, a new, robust set of secure and trusted capabilities is needed, i.e., IdM
IdM is a set of capabilities that
• Attach identity data to a person, device, or application.
• Facilitate the secure storage, retrieval and secure exchange of identity data.
• Provide significantly better identity lifecycle management.
• Can allow user control of personally identifiable information (PII).
ITU-T work on IdM
• Managing digital identities and personally identifiable information is a key aspect for improving security of networks and cyberspace
• Effort jump-started by the IdM Focus Group, which produced 6 substantial reports (265 pages) in 9 months
• JCA-IdM and IdM-GSI established by TSAG in December 2007
  • Main work is in SGs 17 and 13
• Intense work program, difficult
• First IdM Recommendations determined under TAP:
  • X.1250, Capabilities for global identity management trust and interoperability
  • X.1251, A framework for user control of digital identity
  • Y.2720, NGN identity management framework
• Many additional IdM Recommendations are under development
• Working collaboratively with other key bodies including: ISO/IEC JTC 1/SC 27, Liberty Alliance, FIDIS, OASIS
Challenges
• Addressing security to enhance trust and confidence of users in networks, applications and services
• Balance between centralized and distributed efforts on developing security standards
• Legal and regulatory aspects of cybersecurity, spam, identity/privacy
• Address the full cycle – vulnerabilities, threats and risk analysis; prevention; detection; response and mitigation; forensics; learning
• Uniform definitions of cybersecurity terms and definitions
• Effective cooperation and collaboration across the many bodies doing cybersecurity work – within the ITU and with external organizations
• Keeping the ICT security database up-to-date
Challenges (cont.)
• There are a number of standards in the field of telecommunication and information security. But a standard is only a real standard when it is used in real-world applications. Business and governmental bodies need to learn more about standards from the perspective of their business applications rather than from a technical point of view.
• Report for the next IGF on the business use of the main security standards:
  • Who does this standard affect?
  • Status and summary of the standard
  • Business benefits
  • Technologies involved
  • Technical implications
Challenges (cont.)
WTSA-08 Resolution 76, Studies related to conformance and interoperability testing, assistance to developing countries, and a possible future ITU mark programme
• Interoperability of international telecommunication networks was the main reason to create ITU in the year 1865
• Conformance testing would increase the chance of interoperability of equipment conforming to ITU standards
• Technical training and institutional capacity development for testing and certification are essential issues for countries to improve their conformity assessment processes, to promote the deployment of advanced telecommunication networks and to increase global connectivity
• ITU-T study groups will develop the necessary conformance testing Recommendations as soon as possible
• ITU-T Recommendations to address interoperability testing shall be progressed as quickly as possible
Some useful web resources
• ITU Global Cybersecurity Agenda (GCA)
http://www.itu.int/osg/csd/cybersecurity/gca/
• ITU-T Home page http://www.itu.int/ITU-T/
• Study Group 17 http://www.itu.int/ITU-T/studygroups/com17/index.asp
• LSG on Security http://www.itu.int/ITU-T/studygroups/com17/tel-security.html
• Security Roadmap http://www.itu.int/ITU-T/studygroups/com17/ict/index.html
• Security Manual http://www.itu.int/publ/T-HDB-SEC.03-2006/en
• Cybersecurity Portal http://www.itu.int/cybersecurity/
• Cybersecurity Gateway http://www.itu.int/cybersecurity/gateway/index.html
• ITU-T Recommendations http://www.itu.int/ITU-T/publications/recs.html
• ITU-T Lighthouse http://www.itu.int/ITU-T/lighthouse/index.phtml
• ITU-T Workshops http://www.itu.int/ITU-T/worksem/index.html
Thank you!
Arkadiy Kremer