Transcript operators

ITU-T Workshop on “New challenges for Telecommunication Security Standardizations”
Geneva, 9(pm)-10 February 2009
International collaboration for national public networks security
Antonio Guimaraes,
ITU-T SG-17 vice-chairman
Anatel (Brazil)
International Telecommunication Union
Contents
• WTSA-08 results concerning security and collaboration:
  • Resolution 50
  • Resolution 52
  • Resolution 58
• Security Baseline for national public networks operators:
  • operator policy
  • technical tools
  • collaboration
• ITU role in organizing collaboration and coordination:
  • capacity building
  • information exchange
  • strategy and practical issues
Cybersecurity – Resolution 50
Considering:
• inherent security properties in PSTN (hierarchical structure, management);
• in IP nets, separation between user and system components is reduced;
• converged legacy networks with IP networks are more vulnerable;
• new cyberattacks are emerging and having serious impacts;
• ITU-T and JTC 1 (ISO/IEC) have significant published materials and ongoing work on cybersecurity.
Resolves:
• ITU-T should work closely with ITU-D, particularly in Q. 22/1;
• use as a framework ITU-T Recs. (X.805, X.1205), ISO/IEC products/standards and deliverables from other organizations;
• global, consistent and interoperable processes for sharing incident-response related information should be promoted.
Countering/combating spam – Res.52
Recognizing that:
• the WSIS "Declaration of Principles" states in paragraph 37 that: "Spam is a significant and growing problem for users, networks and the Internet as a whole";
• spamming is used for criminal, fraudulent or deceptive activities;
• technical work is carried out in SG 17 (Recs. X.1231, X.1240, X.1241).
Resolves to instruct the relevant study groups:
• to support ongoing work, in particular in SG 17, related to countering spam (e.g., e-mail) and to accelerate their work in order to address existing and future threats;
• to continue collaboration with relevant organizations (e.g. IETF), in order to continue developing technical Recs., exchanging best practices and disseminating information through joint workshops, training sessions, etc.
Creation of CIRTs - Resolution 58
Noting:
• the increasing attacks and threats on ICT nets through computers;
• the high level of interconnectivity of networks could be affected by attacks from less-prepared nations;
• the work carried out on this subject by ITU-D, under Q. 22/1;
• importance of computer emergency preparedness in all countries.
Instructs TSB, in collaboration with TDB:
• to support the creation of national computer incident response teams (CIRTs), where they are needed and currently absent;
• to collaborate with experts for establishment of national CIRTs;
• to facilitate collaboration between national CIRTs, such as exchange of information, within an appropriate framework.
Security baseline for network operators
Policy baseline – legal and regulatory
Network operators must:
• have information security provisions compliant with the legal and regulatory requirements of the jurisdiction of business activity;
• meet the requirements of the local jurisdiction related to cooperation with law enforcement agencies.
It is recommended that:
• the operator adopts a security policy based on recognized best practices (such as [b-ISO/IEC 27002] and [b-ITU-T X.1051]) and risk assessment, that meets the demands of business activity, is compliant with national legislation and is in accordance with the internal network operator procedures.
Policy baseline – contracts
Network operators must:
• make their personnel and the external participants (users, interconnected operators and other interested parties) aware of the requirements of the security policy.
It is recommended that:
• the security policy has a clause dedicated to delimitation of responsibility within the operator's personnel, between the operator and its partners, and between the operator and its customers;
• information security requirements that must be followed by personnel are included in the labor contracts of all employees dealing with publicly-accessible information;
• network operators work collaboratively to address risks and vulnerabilities.
Policy baseline – implementation
Operators must:
• implement security facilities which should address the reduction of risk;
• make the cost of such measures reflect the value of the assets protected and the potential damage.
It is recommended that:
• measures implemented to protect an operator's resources or the resources of its customers, should not result in harmful consequences for third parties in an information exchange, nor should any side effects of their deployment cause damage or inconvenience that exceeds the impact of the risk being mitigated.
Technical tools baseline - principles
Basic orientations:
• deploy hardware and software according to the terms of license agreement;
• install updates and patches in a timely manner as recommended;
• bring to the notice of users information about applicable patches and updates.
Best practices:
• have accounts for access to the interfaces of communication hardware management (group accounts not recommended);
• do not use default passwords (set by the manufacturer) to authorize access to any communication hardware/software;
• protect network management system information by confidentiality and integrity mechanisms or by using network segments physically isolated from service domains.
Technical tools baseline – procedures
Message labelling:
• inspected packets can be labelled, so that interconnected operators know that the outgoing (source) address is correct;
• for all incoming messages, mark messages with unsolicited information.
Recommendations for counteracting spam:
• operators should filter spam within their own network;
• e-mail servers must have the ability to limit the amount of outgoing messages from one user within a unit of time (e.g. protecting against spam or denial of service attacks);
• ability to delay the delivery of outgoing messages by such a sender, until the server administrator's confirmation is obtained.
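The two mail-server capabilities recommended above (a per-user limit on outgoing messages per unit of time, and holding an over-limit sender's mail until the administrator confirms) can be combined as follows. This is an added example, not part of the presentation; the class name, the limit of 3 messages per 60 seconds and the sample events are assumptions.

```python
from collections import defaultdict, deque


class OutboundLimiter:
    """Per-sender sliding-window limit with an administrator-release hold."""

    def __init__(self, max_messages, window_seconds):
        self.max_messages = max_messages
        self.window = window_seconds
        self.sent = defaultdict(deque)   # sender -> times of delivered messages
        self.held = defaultdict(list)    # sender -> messages awaiting a decision

    def submit(self, sender, message_id, now):
        """Return "deliver" or "hold" for one outgoing message."""
        if self.held[sender]:
            # Sender is already over the limit: keep queueing in order
            # until the administrator decides.
            self.held[sender].append(message_id)
            return "hold"
        stamps = self.sent[sender]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()             # forget deliveries outside the window
        if len(stamps) >= self.max_messages:
            self.held[sender].append(message_id)
            return "hold"
        stamps.append(now)
        return "deliver"

    def confirm(self, sender, approve):
        """Administrator decision: release the held messages or discard them."""
        queue = self.held.pop(sender, [])
        return queue if approve else []


def run_constructed_timeline():
    """Constructed events: (sender, message id, time in seconds)."""
    lim = OutboundLimiter(max_messages=3, window_seconds=60)
    events = [("alice", "a1", 0), ("bot", "b1", 11), ("bot", "b2", 12),
              ("bot", "b3", 13), ("bot", "b4", 14), ("bot", "b5", 15),
              ("alice", "a2", 70)]
    decisions = [lim.submit(*e) for e in events]
    released = lim.confirm("bot", approve=True)
    return decisions, released
```

Only the bursting sender is delayed; other users' mail keeps flowing while the administrator reviews the held queue.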
Technical tools baseline – filters
It is recommended for all network operators:
• to install anti-spoofing filters at the points of interconnection with other networks (operators) and end-users;
• these filters prevent the transmission of packets with outgoing (source) addresses from external networks or multicast addresses, as well as the reception of packets with such addresses or with reserved or incorrect addresses.
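The filtering rule described above, written as a source-address check per traffic direction. This is an added example, not part of the presentation; it covers IPv4 only, and the operator prefix 192.0.2.0/24 and the list of invalid ranges are constructed assumptions.

```python
import ipaddress

# Constructed value (assumption): a documentation prefix stands in for the
# operator's own and customer address space.
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Reserved and special ranges that are never valid as a source address at an
# interconnection point (multicast is tested separately below).
INVALID_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4")]


def check_source(src, direction):
    """Return (verdict, reason) for a packet's source address.

    direction is "outbound" (leaving the operator's network) or
    "inbound" (arriving from another operator or an end-user link).
    """
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be 'inbound' or 'outbound'")
    try:
        addr = ipaddress.IPv4Address(src)
    except ipaddress.AddressValueError:
        return ("drop", "incorrect source address")
    if addr.is_multicast:
        return ("drop", "multicast source address")
    if any(addr in net for net in INVALID_SOURCES):
        return ("drop", "reserved source address")
    own = any(addr in net for net in OWN_PREFIXES)
    if direction == "outbound" and not own:
        return ("drop", "source address belongs to an external network")
    if direction == "inbound" and own:
        return ("drop", "external packet claims an internal source address")
    return ("accept", "source address plausible for this direction")


def filter_packets(packets):
    """Keep only the (src, direction) pairs that pass check_source."""
    return [p for p in packets if check_source(*p)[0] == "accept"]
```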
Anti-virus and anti-spam:
• network operators and public information server owners must deploy regularly updated anti-viral software;
• it is recommended to have facilities for detecting infected messages, marking and optionally deleting them;
• each e-mail information server must be enabled with spam-detection.
Technical tools baseline – inspection
Data traffic analysis:
• operators can deploy automated discovery of statistical traffic anomalies;
• such traffic anomaly analysis can be used for counteraction to DDoS attacks.
Recommendations:
• the operator should deploy technical and organizational measures that allow it to determine the source of a violation (e.g., a DoS attack) and to block (de-activate) the attack;
• regularly-updated intrusion detection and prevention services (IDS/IPS) can be applied to handle selective real-time contextual traffic analysis for the traffic received from users and other operators.
Technical tools baseline – logs
Security logs:
• personnel activities on the communication facility should be logged;
• the logs of detected incidents must be stored for a time long enough to facilitate the investigation of incidents;
• technical correlation tools can be deployed to assess information from all available security logs.
Critical information:
• operators must assure the confidentiality of transmitted and/or stored information related to management and billing systems, personal user data and information about services provided to users.
Technical tools baseline – settings
Security settings:
• operators should offer the capability to selectively block or filter traffic, at the request of the user;
• routine control facilities can be used for configuration and maintenance of the security settings of communication facilities and management network elements (including firewalls, routers and servers).
Best practices:
• operators should use approved best security practices (such as [b-ISO/IEC 27002] and [b-ITU-T X.1051]) whenever developing applications and services for end-users (for example, when offering self-service capabilities).
Technical tools baseline – users
Security mechanisms:
• security mechanisms and other parameters beyond default security mechanisms shall be configurable (static for NNI interface and may be negotiated for UNI interfaces);
• the security mechanism negotiation shall have a certain minimum level to be defined by the security domain; e.g., avoid bidding-down attacks.
Users' decision:
• users shall be able to reject communications that do not comply with their minimum security policy.
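A negotiation that enforces a domain-defined minimum level, so that an offer stripped of its stronger options fails instead of settling on a weaker mechanism, together with the user's own acceptance check. This is an added example, not part of the presentation; the mechanism names, their ordering and the function names are hypothetical.

```python
# Hypothetical mechanism names and strength levels (higher is stronger);
# the slides name no concrete mechanisms.
LEVELS = {"none": 0, "integrity-only": 1, "encrypt-and-integrity": 2}


class NegotiationError(Exception):
    """Raised when no mechanism satisfies the security domain's policy."""


def negotiate(offered, supported, domain_minimum, interface="UNI", static=None):
    """Pick the security mechanism for a session.

    offered / supported: mechanism names from the peer and from this side.
    domain_minimum: lowest mechanism the security domain allows.
    interface: "NNI" uses the statically configured mechanism,
    "UNI" negotiates among the common mechanisms.
    """
    floor = LEVELS[domain_minimum]
    if interface == "NNI":
        if static is None or LEVELS[static] < floor:
            raise NegotiationError("static NNI mechanism missing or below minimum")
        if static not in offered:
            raise NegotiationError("peer does not offer the configured mechanism")
        return static
    # UNI: only known mechanisms at or above the floor are candidates, so
    # removing strong options from the offer cannot lower the outcome
    # below the domain minimum; the session fails instead.
    common = [m for m in offered
              if m in supported and LEVELS.get(m, -1) >= floor]
    if not common:
        raise NegotiationError("no common mechanism at or above domain minimum")
    return max(common, key=LEVELS.__getitem__)


def user_accepts(mechanism, user_minimum):
    """User decision: reject communications below the user's own policy."""
    return LEVELS[mechanism] >= LEVELS[user_minimum]
```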
Collaboration baseline - interaction
Recognizing risks:
• the operators should help customers (end-users) and service providers recognize risks that arise from the use of network services.
Actions to be taken:
• it would be advisable to establish national inter-operator bodies, to work with government branches in the security and integrity of public networks operation;
• these bodies would have facilities to identify all users and other operators involved in the interactions on the network, to prevent illegal acts (such as child pornography);
• the operators should inform users about fundamental risks that arise from the network and about counter-measures against these risks, aimed at the reduction of damages.
Collaboration baseline – prevention
Operators must have the ability:
• to determine the jurisdiction (i.e., the territory or state) in which a publicly-available information network resource is located;
• to obtain information about the owner (administrator) of a publicly-available information network resource for purposes of incident investigation or resolution.
Leakage of information:
• it is recommended that the operator promptly inform all affected parties in the event of leakage of a user's data, or the data of an interconnected operator.
Collaboration baseline - incidents
Recognizing risks:
• personnel responsible for the information security of corporate resources shall be appointed by enterprise users (legal entities);
• such employees should have sufficient qualifications and authority to counteract security threats.
Treatment of incidents:
• the operator should have a round-the-clock incident response team (IRT), use an outsourced IRT or a National-CSIRT;
• operator's IRT must be accessible via phone and e-mail for authorized customers or interconnected operators, in accordance with the operator's policy or service agreement;
• incidents should be investigated based on the best practices.
Collaboration baseline – follow up
Notification of vulnerabilities:
• inform users about threats relating to the use of services and information resources;
• educate the users about settings in the edge network equipment;
• notification should also be sent to equipment manufacturers.
Service level agreement:
• stipulate, in the service level agreement, a clause on procedures for informing users about discovered vulnerabilities in hardware or software that can cause negative consequences to them, mainly those respecting their privacy;
• the agreement should contain a comprehensive statement of security requirements whose violation will cause the suspension or termination of communication services.
ITU’s role in organizing cooperation
ITU’s role – WSIS and GCA
Implementing WSIS action line C.5:
• a fundamental role of ITU, according to WSIS and the 2006 ITU Plenipotentiary Conference, is to build confidence and security in the use of information and communication technologies (ICTs);
• Heads of states and government and other global leaders participating in WSIS as well as ITU Member States entrusted ITU to take concrete steps towards limiting the threats and insecurities related to the information society.
Global Cybersecurity Agenda:
• on 17 May 2007, ITU launched the GCA to provide a framework within which the international response to the growing challenges to cybersecurity can be coordinated and addressed in response to its role as Facilitator for action line C.5.
ITU’s role – capacity building
Capacity building:
• experts’ training is highly important because people are the weakest link in cybersecurity;
• training and a high level of user awareness are thus among the key challenges today.
International collaboration and coordination:
• people are the main actors: they develop the systems, they elaborate the policies and strategies to secure transactions;
• security threats information exchange: cyberthreat issues are global (countries cannot easily close their borders to incoming cyberthreats);
• time and geography, as well as the location of victims, are no longer barriers to where and when these attacks are launched by cybercriminals.
ITU’s role – cooperation
Knowledge sharing:
• best practices and information exchange, including reports on strategy and practical issues of security standardization, evaluation and implementation.
Functions available in GCA:
• the Discussion Forum, aimed at exchanging views and ideas on the different work areas, following the discussion threads, and responding to specific items that have been posted;
• the Wiki area, for posting and uploading resources, links and articles on cybersecurity, in the different work areas of GCA;
• the Documents area, allowing upload of written contributions and documents; all outcome documents resulting from the work of GCA will be posted in this area;
• the Chat area, meant for engaging in on-line talks with the other logged-on users.
ITU’s role – cybersecurity gateway
Sections:
• information sharing of national approaches, good practices and guidelines;
• developing watch, warning and incident response capabilities;
• technical standards and industry solutions;
• harmonizing national legal approaches, international legal coordination and enforcement;
• privacy, data and consumer protection.
For citizens, governments, business and international organizations.
ITU’s role – security standards
Generalizing the recommendations on various aspects of security (from different SDOs) for telecom operators.
ITU-T Study Group 17:
• SG-17 is the leading study group for activities on telecommunication security;
• SG-17 produces materials that can be of interest and use to developing countries when identifying practical security solutions;
• an example of this is the newly revised “ICT Security Standards Roadmap”;
• this roadmap captures network-related security work of not only ITU-T but also of ISO/IEC, IETF and consortia groups as part of their out-reach activities.
Thank you!
Antonio Guimaraes
[email protected]