1 / 92

Telecommunication Security

[ Insert Document File Name]. Telecommunication Security. Herbert Bertine Chairman, ITU-T Study Group 17. Standards. Cooperation. Awareness. ITU-T Study Groups SG 2* Operational aspects of service provision, networks and performance

Mercy
Télécharger la présentation

Telecommunication Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. [Insert Document File Name] Telecommunication Security Herbert Bertine Chairman, ITU-T Study Group 17

  2. Standards Cooperation Awareness

  3. ITU-T Study Groups • SG 2* Operational aspects of service provision, networks and performance • SG 3 Tariff and accounting principles including related telecommunications economic and policy issues • SG 4* Telecommunication management • SG 5 Protection against electromagnetic environment effects • SG 6 Outside plant and related indoor installations • SG 9 Integrated broadband cable networks and television and sound transmission  • SG 11* Signalling requirements and protocols • SG 12Performance and quality of service • SG 13* Next generation networks • SG 15 Optical and other transport network infrastructures • SG 16* Multimedia terminals, systems and applications • SG 17** Security, languages and telecommunication software • SG 19 Mobile telecommunication networks * Significant security work ** Lead Study Group on Security

  4. New Network Management Security (M.3000-series) New Message Handling Systems (MHS) (X.400-series) Telecommunication Security (X.805, X.1000-series) NGN Security (Y.2700-series) Systems Management (X.733,5,6, X.740,1) Directory Services and Authentication (X.500-series) Security Techniques (X.841,2,3) Facsimile (T-series) Protocols(X.273,4) Televisions and Cable Systems (J-series) ITU-T Security Building Blocks Security Architecture Framework (X.800-series) Securityin Frame Relay(X.272) Multimedia Communications (H-series)

  5. Study Group 17: Security, languages and telecommunication software • SG 17 is the Lead Study Group on telecommunication security - It is responsible for coordination of security across all study groups. • Subdivided into three Working Parties (WPs) • WP1 - Open systems technologies; • WP2 -Telecommunications security; and • WP3 - Languages and telecommunications software • Most (but not all) security Questions are in WP2 • Summaries of all draft new or revised Recommendations under development in SG 17 are available on the SG 17 web page at http://www.itu.int/itu-t/studygroups/com17

  6. Working Party 2/17 Work Program Telecom Systems Users Q.8/17 Telebiometrics * Multimodal modelframework * System mechanism * Protection procedure Q.7/17 Q.5/17 TelecomSystems SecurityManagement * ISMS-T * Incident management * Risk assessment methodology SecurityArchitectureand Framework * Architecture,* Model,* Concepts, * Frameworks Secure Communication Services * Secure mobile communications * Home network security * Web services security Q.9/17 Cyber Security* Vulnerability information sharing…* Incident handling operations * Identity management Q.6/17 Countering spam by technicalmeans * Technical anti-spam measures Q.17/17 Q.4/17 Communications System Security Project*Vision, Project, Roadmap, …

  7. Examples of recently approved security Recommendations

  8. Extract from current SG 17 security work program (~50 items total)

  9. Study Group 13 - Question 15/13 NGN Security: work in progress

  10. Security standardization Collaboration is key Specific Systems, Services, ApplicationsSecurity in ITU-T are developed bySG 2, 3, 4, 5, 6, 9, 11, 13, 15, 16, 19 Core Technology and Common SecurityTechniques in ITU-T are developedby SG 17 JTC 1 SC 27, 37... IETF ATIS, ETSI, OASIS, etc.

  11. Security standardization Collaboration is key • World Standards Cooperation (WSC)ISO, IEC, ITU • Global Standards Collaboration (GSC)Regional, National SDOs and ITU-T, ITU-R • exchange information between participating standards organizations to facilitate collaboration and to support the ITU as the preeminent global telecommunication and radiocommunication standards development organization • Resolution GSC-11/17 Cybersecurity • Security Standardization Exchange Network (SSEN) • an informal association of individual security practitioners with direct experience of, or strong interest in, security standardization • facilitate the informal exchange of information on security-standards-related matters to increase overall awareness of issues of common interest with the intention of helping to advance the development of needed standards and minimizing overlap and duplication of effort in security standards development

  12. Security standardization Collaboration is key ISO/IEC/ITU-TStrategic Advisory Group on Security (SAG-S) • Terms of Reference • To oversee standardization activities in ISO, IEC and ITU-T relevant to the field of security • To provide advice and guidance to the ISO Technical Management Board, the IEC Standardization Management Board and the ITU-T Telecommunication Standardization Advisory Group (TSAG) relative to the coordination of work relevant to security, and in particular to identify areas where new standardization initiatives may be warranted • To monitor implementation of the SAG-S Recommendations • International workshop on security topics planned in conjunction with each SAG-S meeting • International Workshop on Transit Security, Washington DC, 4-5 October 2007 • Security portal under development

  13. Focus Group: Security Baseline for Network Operators (FG SBNO)http://www.itu.int/ITU-T/studygroups/com17/sbno/index.html • Established October 2005 by SG 17 • Objectives: • Define a security baseline against which network operators can assess their network and information security posture in terms of what security standards are available, which of these standards should be used to meet particular requirements, when they should be used, and how they should be applied • Describe a network operator’s readiness and ability to collaborate with other entities (operators, users and law enforcement authorities) to counteract information security threats • Provide meaningful criteria that can be used by network operators against which other network operators can be assessed, if required • Achieved • Surveyed network operators by means of a questionnaire • Next step: • Develop text to be proposed to SG 17 for progressing as an ITU-T publication

  14. Focus Group: Identity Management (FG IdM)http://www.itu.int/ITU-T/studygroups/com17/fgidm/index.html • Established December 2006 by SG 17 • The objectives of the FG IdMare • to perform requirements analysis based on uses case scenarios, in order • to identify generic IdM framework components, so that • a standards gap analysis can be completed, in order • to identify new standards work and the bodies (ITU and other SDOs) that should perform the work • Working Group structure • Ecosystem and Lexicon Working Group • Use Cases Working Group • Requirements Working Group • Framework Working Group • Aggressive schedule • Meetings held: February, April and May 2007; WG meeting June • Meetings planned: July and August 2007

  15. ICT Security Standards Roadmap http://www.itu.int/ITU-T/studygroups/com17/ict/index.html • Part 1 contains information about organizations working on ICT security standards • Part 2 is the database of existing security standards • Part 3 is a list of standards in development • Part 4 identifies future needs and proposed new standards • Part 5 includes security best practices European Network and Information Security Agency (ENISA) and the Network and Information Security Steering Group (NISSG) are collaborating with ITU-T in the development of the Roadmap

  16. ICT Security Standards Roadmap http://www.itu.int/ITU-T/studygroups/com17/ict/index.html • Part 2 currently includes ICT security standards from • ITU-T • ISO/IEC JTC 1 • IETF • IEEE • ATIS • ETSI • OASIS • Data is available in a database format to allow searching by organization and topic and to allow organizations to manage their own data • We invite you to contribute content to the Roadmap, provide feedback and help us develop it to meet your needs

  17. Other projects • Security in Telecommunications and Information Technology(ITU-T Security manual) • Overview of existing ITU-T Recommendations for secure telecommunications • Third edition of June 2006 to be available in the six official languages of the ITU • http://www.itu.int/ITU-T/publications/index.html • Security compendium • Catalogue of approved ITU-T Recommendations related to telecommunication security • Extract of ITU-T approved security definitions • Summary of ITU-T Study Groups with security-related activities • http://www.itu.int/ITU-T/studygroups/com17/tel-security.html

  18. The ITU Global Cybersecurity Gateway LIVE at: http://www.itu.int/cybersecurity Provides an easy-to-use information resource on national, regional and international cybersecurity-related activities and initiatives worldwide.

  19. Observations • Security is everybody's business • Collaboration with other SDOs isnecessary • Security needs to be designed in upfront • Security must be an ongoing effort • Systematically addressing vulnerabilities (intrinsic properties of networks/systems) is key so that protection can be provided independent of what the threats (which are constantly changing and may be unknown) may be

  20. Some useful web resources • ITU-T Home pagehttp://www.itu.int/ITU-T • Study Group 17http://www.itu.int/ITU-T/studygroups/com17 • e-mail: tsbsg17@itu.int • Recommendationshttp://www.itu.int/ITU-T/publications/recs.html • ITU-T Lighthousehttp://www.itu.int/ITU-T/lighthouse • ITU-T Workshopshttp://www.itu.int/ITU-T/worksem

  21. Supplemental Information on Security Work in ITU-T • Study Group 17 -Security, languages and telecommunication software • Study Group 4 -Telecommunication management • Study Group 11 – Signalling requirements and protocols • Study Group 13 -Next generation networks • Study Group 16 -Multimedia terminals, systems and applications

  22. ITU-T SG 17 work on security • Q.4/17 - Communications systems security project • Q.5/17 - Security architecture and framework • Q.6/17 - Cyber security • Q.7/17 - Security management • Q.8/17 - Telebiometrics • Q.9/17 - Secure communication services • Q.17/17 - Countering spam by technical means

  23. ITU-T SG 17 Question 4Communications Systems Security Project • Overall Security Coordination • ICT Security Standards Roadmap • Security Compendium • Focus Group on Security Baseline For Network Operators • ITU-T Security manual Efforts of Q.4/17 are covered in the main part of the presentation

  24. ITU-T SG 17 Question 5Security Architecture and Framework • Brief description of Q.5 • Milestones • Draft Recommendations under development

  25. Brief description of Q.5/17 • Motivation • The telecommunications and information technology industries are seeking cost-effective comprehensive security solutions that could be applied to various types of networks, services and applications. To achieve such solutions in multi-vendor environment, network security should be designed around the standard security architectures and standard security technologies. • Major tasks • Development of a comprehensive set of Recommendations for providing standard security solutions for telecommunications in collaboration with other Standards Development Organizations and ITU-T Study Groups. • Maintenance and enhancements of Recommendations in the X.800 series: X.800, X.802, X.803, X.805, X.810, X.811, X.812, X.813, X.814, X.815, X.816, X.830, X.831, X.832, X.833, X.834, X.835, X.841, X.842 and X.843

  26. Q.5/17 Milestones • ITU-T Recommendation X.805, Security Architecture for Systems Providing End-to-end Communications • Approved in 2003 • ISO/IEC Standard 18028-2, Network security architecture • Developed in collaboration between ITU-T Q.5/17 and ISO/IEC JTC 1 SC 27 WG 1. It is technically aligned with X.805 • Published in 2006 • ITU-T Recommendation X.1035,Password-authenticated key exchange (PAK) protocol • Specifies a password-based protocol for authentication and key exchange, which ensures mutual authentication of both parties in the act of establishing a symmetric cryptographic key via Diffie-Hellman exchange • Approved in 2006

  27. ITU-T Recommendation X.805 X.805 defines a network security architecture for providing end-to-end network security. The architecture can be applied to various kinds of networks where the end-to-end security is a concern and independently of the network’s underlying technology.

  28. Q.5/17 Draft Recommendations 1/2 • Applications and further development of major concepts of ITU-T Recommendation X.805 • X.805+, Division of the security features between the network and the usersSpecifies division of security features between the networks and users. It provides guidance on applying concepts of the X.805 architecture to securing service provider’s, application provider’s networks and the end user’s equipment • X.805nsa, Network security assessment/guidelines based on ITU-T Recommendation X.805Provides a framework for network security assessment/guidelines based on ITU-T Recommendation X.805, Security Architecture for Systems Providing End-to-End Communications

  29. Q.5/17 Draft Recommendations 2/2 • Standardization in support of Authentication Security Dimension (defined in X.805) • X.akm, Framework for authentication and key management for link layer security of NGNEstablishes a framework for authentication and key management for securing the link layer. It also provides guidance on selection of the EAP methods. • Standardization of network security policies • X.spn, Framework for creation, storage, distribution, and enforcement of security policies for networks • Establishes security policies that are to drive security controls of a system or service. It also specifies a framework for creation, storage, distribution, and enforcement of policies for network security that can be applied to various environmental conditions and network devices.

  30. ITU-T SG 17 Question 6Cyber Security • Motivation • Objectives • Scope • Current area of focus • Draft Recommendations under development

  31. Q.6/17 Motivation • Network connectivity and ubiquitous access is central to today’s IT systems • Wide spread access and loose coupling of interconnected IT systems is a primary source of widespread vulnerability • Threats such as: denial of service, theft of financial and personal data, network failures and disruption of voice and data telecommunications are on the rise • Network protocols in use today were developed in an environment of trust • Most new investments and development is dedicated to building new functionality and not on securing that functionality • An understanding of cybersecurity is needed in order to build a foundation of knowledge that can aid in securing the networks of tomorrow

  32. Q.6/17 Objectives • Perform actions in accordance with Lead Study Group (LSG) responsibility with the focus on Cybersecurity • Identify and develop standards required for addressing the challenges in Cybersecurity, within the scope of Q.6/17 • Provide assistance to other ITU-T Study Groups in applying relevant cybersecurity Recommendations for specific security solutions. Review project-oriented security solutions for consistency • Maintain and update existing Recommendations within the scope of Q.6/17 (this includes E.409) • Coordinate security activities with other ITU-T SGs, ISO/IEC JTC 1 e.g., SC 6, SC 27 and SC 37), and consortia as appropriate • Provide awareness on new security technologies related to Cybersecurity • Provide an Identity Management Framework that defines the problem space, representative use case scenarios and requirements. This includes leveraging other on-going Identity Management activities • Collaborate with Next Generation Networks activities in ITU-T in the areas of Cybersecurity and Identity Management

  33. Q.6/17 Scope • Definition of Cybersecurity • Security of Telecommunications Network Infrastructure • Security Knowledge and Awareness of Telecom Personnel and Users • Security Requirements for Design of New Communications Protocol and Systems • Communications relating to Cybersecurity • Security Processes – Life-cycle Processes relating to Incident and Vulnerability • Security of Identity in Telecommunication Network • Legal/Policy Considerations

  34. Q.6/17 Current Area of Focus 1/2 • Work with SG 2 on the definition and requirements of Cybersecurity • Collaborate with Q5,7,9,17/17 and SG 2 in order to achieve better understanding of various aspects of network security • Collaborate with IETF, OASIS, ISO/IEC JTC1, W3C, APEC-TEL and other standardization bodies on Cybersecurity • Work with OASIS on adopting the OASIS Common Alerting Protocol V1.1 as an ITU-T Recommendation • Work on framework for secure network operations to address how telecommunications network providers secure their infrastructure and maintain secure operations • Work on Recommendation for standardization of vulnerability data definition • Work on network security management framework to address how telecommunications operators operate uniformly various kind of security functions • Study new Cybersecurity issues – How should ISPs deal with botnets, evaluating the output of appropriate bodies when available

  35. Q.6/17 Current Area of Focus 2/2 • Work on Recommendations on Identity Management (IdM) addressing the following areas: • An umbrella Recommendation that determines IdM security requirements from ITU-T prospective • An umbrella Recommendation that defines a framework and architecture(s) for IdM after identifying IdM security mechanisms that needs to be addressed • An umbrella Recommendation that assesses security threats and vulnerabilities associated with IdM • Collaborate with Q.15/13 on NGN IdM issues • Develop guidelines on the protection of personal information and privacy • Call for contributions for the outstanding questions identified in the revised scope • Promote the wide adoption of IdM through the IdM Focus Group that considers the challenges and issues associated with IdM across various SDO and consortia

  36. Q.6/17 Draft Recommendations 1/5 • Overview of Cybersecurity (X.1205, formerly X.cso) • Provides a definition for Cybersecurity and a taxonomy of security threats from an operator point of view. Cybersecurity vulnerabilities and threats are presented and discussed at various network layers. • Various Cybersecurity technologies that are available to remedy the threats include: Routers, Firewalls, Antivirus protection, Intrusion detection systems, Intrusion protection systems, Secure computing, Audit and Monitoring. Network protection principles such as defence in depth, access and identity management with application to Cybersecurity are discussed. Risk Management strategies and techniques are discussed including the value of training and education in protecting the network. A discussion of Cybersecurity Standards, Cybersecurity implementation issues and certification are presented. • A vendor-neutral framework for automatic checking of the presence of vulnerabilities information update (X.vds) • Provides a framework of automatic notification on vulnerability information. The key point of the framework is that it is a vendor-neutral framework. Once users register their software, updates on the vulnerabilities and patches of the registered software will automatically be made available to the users. Upon notification, users can then apply.

  37. Q.6/17 Draft Recommendations 2/5 • Guidelines for Internet Service Providers and End-users for Addressing the Risk of Spyware and Deceptive Software (X.sds) • Provides guidelines for Internet Service Providers (ISP) and end-users for addressing the risks of spyware and deceptive software. The Recommendation promotes best practices around principles of clear notices, and users’ consents and controls for ISP web hosting services. The Recommendation also promotes best practices to end-users on the Internet to secure their computing devices and information against the risks of spyware and deceptive software. • Identity Management Framework (X.idmf) • Develops an Identity Management Framework that leverages the use case scenarios as it applies to Telecommunications and includes non-Telecom applications when (i.e., the orchestration of business processes that include supply change management, client resource management, enterprise resource management, location, presence, and other services). The framework enables service providers to provide entities with reliable, trusted and secure IdM services over distributed networks, through the appropriate use of authorization, authentication, access control mechanisms, and policy management mechanisms.

  38. Q.6/17 Draft Recommendations 3/5 • Identity Management Requirements (X.idmr) • Develops use case scenarios and requirements for the Identity Management Framework Recommendation (X.idmf). The developed use cases cover Telecommunications and non-Telecom scenarios (i.e., the orchestration of business processes that include supply change management, client resource management, enterprise resource management, location, presence, and other services). • Identity Management Security (X.idms) • Performs security analysis on the identity Management Framework as developed in X.idmf. The Recommendation develops guidelines and best practice approach for ensuring that security is maintained when the Identity Management Framework is used as the vehicle for providing Telecommunications and non-Telecom IdM solutions.

  39. Q.6/17 Draft Recommendations 4/5 • Common Alerting Protocol(CAP v1.1), (X.1303, formerly X.cap) • Specifies the common alerting protocol (CAP) which is a simple but general format for exchanging all-hazard emergency alerts and public warnings over all kinds of networks. CAP allows a consistent warning message to be disseminated simultaneously over many different warning systems, thus increasing warning effectiveness while simplifying the warning task. CAP also facilitates the detection of emerging patterns in local warnings of various kinds, such as might indicate an undetected hazard or hostile act. And CAP provides a template for effective warning messages based on best practices identified in academic research and real-world experience. This Recommendation is technically equivalent and compatible with the OASIS Common Alerting Protocol, v.1.1 standard. • ASN.1 specification for the Common Alerting Protocol (CAP v1.1), (X.1303.1, formerly X.cap2) • The common alerting protocol (CAP) is specified in ITU-T Rec. X.1303, which is technically equivalent and compatible with the OASIS Common Alerting Protocol, V1.1 standard. This Recommendation provides an equivalent ASN.1 specification that permits a compact binary encoding and the use of ASN.1 as well as XSD tools for the generation and processing of CAP messages. This Recommendation enables existing systems, such as H.323 systems, to more readily encode, transport and decode CAP messages.

  40. Q.6/17 Draft Recommendations 5/5 • Privacy guideline for RFID(X.rfpg) • Recognizes that as RFID greatly facilitates the access and dispersion of information pertaining specifically to the merchandise that individuals wear and/or carry; it creates an opportunity for the same information to be abused for tracking an individual's location or invading their privacy in a malfeasant manner. For this reason the Recommendation develops guidelines and best practices regarding RFID procedures that can be used by service providers to gain the benefits of RFID while attempting to protect the privacy rights of the general public within national policies. • Network Security Management Framework (X.nsmf) • Defines the framework for security management to address how telecom-operators can uniformly operate various kinds of security functions. • Guideline on preventing worm spreading in a data communication network (X.gopw) • Describes worm spreading patterns and scenarios in a data communication network. In addition, it specifies countermeasures to prevent from worm spreading. This Recommendation can be used as a guideline to network designers, network operator, and end users for preventing Worm spreading.

  41. ITU-T SG 17 Question 7Security Management • Tasks • Plan on Recommendations • Revised Recommendation X.1051

  42. Q.7/17 Tasks • Information Security Management Guidelines for telecommunications • (Existing X.1051, Information security management system – Requirements for telecommunications (ISMS-T)) • Maintain and revise Recommendation X.1051, “Information Security Management Guidelines for telecommunications based on ISO/IEC27002”. • Jointly develop a guideline of information security management with ISO/IEC JTC 1/SC 27 (ISO/IEC 27031 =.Recommendation X.1051). • Risk Management Methodology • Study and develop a methodology of risk management for telecommunications in line with Recommendation X.1051. • Produce and consent a new ITU-T Recommendation for risk management methodology. • Incident Management • Study and develop a handling and response procedure on security incidents for the telecommunications in line with Recommendation X.1051. • Produce and consent a new ITU-T Recommendation for incident management methodology and procedures.

  43. Q.7/17 plan on Recommendations X.1050: To be proposed X.1051:In revision processInformation Security Management Guidelines for Telecommunications based on ISO/IEC 27002 X.1052: To be proposed X.1053: To be proposed(Implementation Guide for Telecommunications) X.1054: To be proposed(Measurements and metrics for Telecommunications) X.1055: In the first stage of developmentRisk Management Guidelines for Telecommunications X.1056: In the first stage of developmentSecurity Incident Management Guidelines for Telecommunications X.1057: To be proposed(Identity Management for Telecommunications)

  44. Information Assets for Telecom Information security management guidelines for Telecommunications (Revised X.1051) Revised X.1051 Security policy Organising information security Asset management Human resources security Physical & environmental security Communications & operations management ISMS Process CONTROL CONTROL CONTROL Access control Implementation requirementsfor Telecom Implementation guidancefor Telecom Implementation guidance Information systems acquisition, development and maintenance Other information Other information Information security incident management Existing X.1051(2004) Revised X.1051 ISO/IEC 17799 (2005) Business continuity management Approach to develop the revised Recommendation X.1051 Compliance

  45. ITU-T SG 17 Question 8Telebiometrics • Objectives • Study areas on biometric processes • Recommendations

  46. Q.8/17 Objectives • To define telebiometric multimodal model framework • To specify biometric authentication mechanism in open network • To provide protection procedures and countermeasures for telebiometric systems

  47. X.tai: Telebiometrics Authentication Infrastructure X.bip: BioAPI Interworking Protocol X.tsm: Telebiometrics System Mechanism X.tpp: Telebiometrics Protection Procedure X.1081 X.Physiol Safety conformity Storage Biometric Sensors NW Acquisition (capturing) NW NW Matching Extraction Score NW NW Decision Application NW:Network Yes/No Q.8/17 Study areas on Biometric Processes

  48. Q.8/17 Recommendations 1/3 • X.1081, The telebiometric multimodal model framework – A framework for the specification of security and safety aspects of telebiometrics Defines a telebiometric multimodal model that can be used as a framework for identifying and specifying aspects of telebiometrics, and for classifying biometric technologies used for identification (security aspects). • X.physiol, Telebiometrics related to human physiology Gives names and symbols for quantities and units concerned with emissions from the human body that can be detected by a sensor, and with effects on the human body produced by the telebiometric devices in his environments. • X.tsm-1, General biometric authentication protocol and profile on telecommunication system Defines communication mechanism and protocols of biometric authentication for unspecified end‑users and service providers on open network.

  49. Q.8/17 Recommendations 2/3 • X.tsm-2, Profile of telecomunication device for Telebiometrics System Mechanism (TSM) Defines the requirements, security profiles of client terminals for biometric authentication over the open network. • X.tai, Telebiometrics authentication infrastructure Specifies a framework to implement biometric identity authentication with certificate issuance, management, usage and revocation. • X.bip, BioAPI interworking protocol Common text of ITU-T and ISO/IEC JTC 1/SC 37. It specifies the syntax, semantics, and encodings of a set of messages ("BIP messages") that enable BioAPI-conforming application in telebiometric systems.

  50. Q.8/17 Recommendations 3/3 • X.tpp-1, A guideline of technical and managerial countermeasures for biometric data security Defines weakness and threats in operating telebiometric systems and proposes a general guideline of security countermeasures from both technical and managerial perspectives. • X.tpp-2, A guideline for secure and efficient transmission of multi-modal biometric data Defines threat characteristics of multi-modal biometric system, and provides cryptographic methods and network protocols for transmission of multi-modal biometric data.

More Related