Security / Cybersecurity ITU Herbert Bertine, Chairman ITU-T Study Group 17 DOCUMENT #:

advertisement
DOCUMENT #:
GSC13-GTSC6-05
FOR:
Presentation
SOURCE:
ITU
AGENDA ITEM:
GTSC, 4.2
CONTACT(S):
Herbert Bertine
Security / Cybersecurity
ITU
Herbert Bertine, Chairman ITU-T Study Group 17
Submission Date:
July 1, 2008
Strategic Direction
Cybersecurity – one of the top priorities of the ITU





Plenipotentiary Resolution 140 (2006), ITU’s role in implementing the
outcomes of the World Summit on the Information Society – The important
moderator/facilitator role of ITU in action line C5 (building confidence and security
in the use of ICTs).
Plenipotentiary Resolution 149 (2006), Study of definitions and terminology
relating to building confidence and security in the use of information and
communication technologies
WTSA-04 Resolution 50, Cybersecurity – Instructs the Director of TSB to
develop a plan to undertake evaluations of ITU-T “existing and evolving
Recommendations, and especially signalling and communications protocol
Recommendations with respect to their robustness of design and potential for
exploitation by malicious parties to interfere destructively with their deployment”
WTSA-04 Resolution 51, Combating spam – Instructs the Director of TSB to
“prepare urgently a report to the Council on relevant ITU and other international
initiatives for countering spam, and to propose possible follow-up actions” - Done
WTSA-04 Resolution 52, Countering spam by technical means – Instructs
relevant study groups “to develop, as a matter of urgency, technical
Recommendations, including required definitions, on countering spam”
2
Highlights of current activities (1)
 ITU Global Cybersecurity Agenda (GCA)
–
–
–
–
A Framework for international cooperation in cybersecurity
ITU response to its role as sole Facilitator for WSIS Action Line C5
Five key work areas: Legal, Technical, Organisational, Capacity
Building, International Cooperation
World renowned Group of High-Level Experts (HLEG) working on global
strategies
•
GCA/HLEG met 26 June 2008 to agree upon a set of recommendations on all
five work areas for presentation to ITU Secretary-General
 ISO/IEC/ITU-T Strategic Advisory Group on Security

Coordinates security work and identifies areas where new standardization
initiatives may be warranted. Portal established. Workshops conducted.
 Identity Management
–
–
–
Effort jump started by IdM Focus Group which produced 6 substantial
reports (265 pages) in 9 months
JCA –IdM and IDM-GSI established – main work is in SGs 17 and 13
First IdM Recommendation – X.1250, Requirements for global identity
management trust and interoperability - now in approval process
3
Highlights of current activities (2)
 Core security (SG 17)
– Approved 14 texts in 2007, 17 so far in 2008, 15 more for action in
September 2008
• Summaries of Recommendations under development are available at:
http://www.itu.int/dms_pub/itu-t/oth/0A/0D/T0A0D00000D0003MSWE.doc
– Covering frameworks, cybersecurity, countering spam, home networks,
mobile, web services, secure applications, ISMS, telebiometrics, etc.
– Work underway on additional topics including IPTV, multicast, and USN
security; risk management and incident management; traceback
– Questionnaire issued to developing countries to ascertain their security
needs
– Updated security roadmap/database, compendia, manual; strengthened
coordination
 Security for NGN
– Y.2701, Security Requirements for NGN Release 1 - published
– Y.2702, NGN authentication and authorization requirements – determined
4
Challenges
Addressing security to enhance trust and confidence of users in networks, applications and services
 With global cyberspace, what are the security priorities for the ITU with its
government / private sector partnership?
 Need for top-down strategic direction to complement bottom-up,
contribution-driven process
 Balance between centralized and distributed efforts on security standards
 Legal and regulatory aspects of cybersecurity, spam, identity/privacy
 Address full cycle – vulnerabilities, threats and risk analysis; prevention;
detection; response and mitigation; forensics; learning
 Agree uniform definitions of cybersecurity terms and definitions
 Marketplace acceptance of Information Security Management System
(ISMS) standards (ISO/IEC 27000-series and ITU-T X.1051) – the
security equivalent to ISO 9000-series
 Effective cooperation and collaboration across the many bodies doing
cybersecurity work
 PSO help is needed in keeping security database up-to-date
 Informal security experts network – needs commitment
There is no “silver bullet” for cybersecurity
5
Next Steps/Actions for ITU-T
 All Study Groups have proposed Questions for next study
period
• Most study groups have Questions concerning security
• Questions are mainly evolution of existing work program
• See Supplemental Information
 The World Telecommunication Standardization Assembly
(WTSA) in October 2008 will make decisions on the
priorities, work program (Questions) and organization of
Study Groups, including security / cybersecurity work
 Meanwhile, the present work program continues under the
current structure – See Supplemental Information
• E.g., Study Groups 17 and 13 will each meet in September to
approve additional security Recommendations
 A new edition of the ITU-T “Security Manual” is scheduled
for October 2008
6
Proposed revision to Resolution
 Resolution GSC-12/19, Cybersecurity
• Add a new Resolves follows:
5) supply updated information on their security standards
work for inclusion in the ICT Security Standards Roadmap, a
database of security standards hosted by the ITU-T at:
http://www.itu.int/ITU-T/studygroups/com17/ict/index.html
7
Supplemental Information
Supplemental Information
 Security activities
•
•
•
•
ITU General Secretariat
Telecommunication Standardization Sector (ITU-T)
Radiocommunication Sector (ITU-R)
Telecommunication Development Sector (ITU-D)
 Useful web resources
8
Supplemental Information
ITU
General Secretariat
Corporate Strategy Division
9
ITU Global
Cybersecurity
Agenda
A Framework for International
Cooperation in Cybersecurity
Issues and Challenges
• Constant evolution of the nature of cyberthreats
• Vulnerabilities in software and hardware applications and services
• Low entry barriers for cyber-criminals
• Increasing sophistication of cybercrime
• Loopholes in current legal frameworks
• Absence of appropriate organizational structures
• Inadequate cooperation among various stakeholders
• Global problem which cannot be solved by any single entity
(country or organization)
Major challenge is to develop harmonized and comprehensive
global strategies at the international level
11
WSIS and Cybersecurity
Confidence and security are among
the main pillars of the information society
“Strengthening the trust framework, including information security
and network security, authentication, privacy and consumer protection, is a
prerequisite for the development of the Information Society and for building
confidence among users of ICTs. “
WSIS Geneva Declaration of Principles, Para 35
“We reaffirm the necessity to further promote, develop and implement in
cooperation with all stakeholders a global culture of cyber-security, as outlined
in UNGA Resolution 57/239 and other relevant regional frameworks.”
WSIS Tunis Agenda, Para 39
12
ITU’s Role as WSIS C5 FACILITATOR
At the World Summit on the Information Society (WSIS), world leaders and
governments entrusted ITU to take the leading role in coordinating international
efforts on cyber-security, as the sole Facilitator of Action Line C5,
“Building confidence and security in the use of ICTs”
The International Telecommunication Union (ITU) provides the global
perspective and expertise needed to meet the challenges, with a track record
of brokering agreements between public and private interests on a level
playing field ever since its inception in 1865.
Third Facilitation Meeting
22-23 May 2008, ITU Headquarters, Geneva
http://www.itu.int/osg/csd/cybersecurity/WSIS/3rdMeeting.html
13
A Global Strategy for Action
The strategy for a solution must identify those existing national, regional
and international initiatives, work with all relevant players to identify
priorities and bring partners together with the goal of proposing global
solutions to address the global challenges we face today.
ITU Global Cybersecurity Agenda (GCA)
• A framework for international multi-stakeholder cooperation in cybersecurity
• ITU Response to its role as sole Facilitator for WSIS Action Line C5
• World renowned Group of High Level Experts (HLEG) to develop global strategies
• Representing main stakeholder groups working towards the same goals
: Developing harmonized global strategies
14
GCA Work Areas
GCA rests on five pillars
or work areas:
1
2
Legal Measures
Technical and Procedural
Measures
3
Organizational Structures
4
Capacity Building
5
International Cooperation
15
High-Level Experts Group (GCA/HLEG)
A global multi-stakeholder think-tank
made up of high-level experts from:
High-Level
Expert Group
(HLEG)
• Governments
• Industry
• Regional and international organizations
• Research and academic institutions
• Individual experts
provided advice on strategies
in all five work areas or pillars
Elaboration of global strategies for
1 the development of a model cybercrime legislation
2 the creation of appropriate national and regional organizational structures and policies on cybercrime
3 the establishment of security criteria and accreditation schemes for software applications and systems
4 the creation of a global framework for watch, warning and incident response
5 the creation and endorsement of a generic and universal digital identity system
6 the facilitation of human and institutional capacity-building
7 international cooperation, dialogue and coordination
16
GCA/HLEG Members
Diversity of
Participation
Argentina Brazil Cameroon Canada China Egypt Estonia Germany Japan India Indonesia
Italy Malaysia Morocco Portugal Republic of Lithuania Russian Federation Saudi Arabia South
Africa Switzerland United States
• Ecole Polytechnique Fédérale de Lausanne
(EPFL), Switzerland
• Information Security Institute, Australia
• Moscow Technical University of
Communications, Russian Federation
• African Telecommunication Union (ATU)
• Asia Pacific Economic Cooperation
• Telecommunications (APECTEL)
• Commonwealth Telecommunications
Organisations (CTO)
• Council of Europe
• Department of Economic and
Social Affairs (DESA)
• European Information and Network
• Security Agency (ENISA)
• International Criminal Police
Organization (Interpol)
• Organisation for Economic Co-operation
and Development (OECD)
• Organisation International de la Francophonie
• Society for the Policing of Cyberspace (POLCYB)
• UMTS Forum
• United Nations Institute for Training
and Research (UNITAR)
• United Nations Office on Drugs and Crime
• Authentrus
• BITEK International Inc.
• Cybex
• Cisco
• Garlik
• Intel Corporation
• Microsoft Corporation
• Télam S.E.
• VeriSign, Inc.
• Stein Schjolberg, Chief Judge,
Moss Tingrett Court, Norway
• Solange Ghernaouti-Helie,
HEC-Université de Lausanne, Switzerland
• Sy Goodman, Georgia Institute of Technology,
United States
• Nabil Kisrawi, Chairman of WG-Def,
Syrian Republic
• Bruce Schneier, Security Technologist,
Unites States
• Marco Gercke, Professor, Cologne University,
Germany
17
GCA/HLEG
Leveraging expertise for international consensus
1
On a Global level, from government, international organizations to industry
2
For a Harmonised approach to build synergies between initiatives
3
Through Comprehensive strategies on all levels
GCA/HLEG is building synergies with existing initiatives
and working with stakeholders in these five key areas:
Legal Measures
e.g. Cybercrime legislation (Council of Europe), Moss Tingrett Court Norway, Cybex
Technical and Procedural Measures
e.g. Software (Microsoft) , hardware (Intel), Networking (CISCO), Security Apps/Services (Verisign), Global Standards
and Development (ITU)
Organisational Structures
e.g. Ecole Polytechnique Fédérale de Lausanne (EPFL), Forum of Incident Response and Security Teams, OECD
Capacity Building
e.g. United Nations Institution for Training and Research (UNITAR), European Network and Information Security Agency
(ENISA)
International Cooperation
e.g. Interpol, United Nations Office on Drug and Crime (UNODC)
18
HLEG
• The HLEG work is an ongoing dynamic process with informationsharing and interaction relating to the elaboration of Global
Strategies to meet the goals of the GCA and the ITU role as sole
facilitator for WSIS Action Line C.5.
• Three meetings held:
– First Meeting of the HLEG held on 5 October 2007
– Second Meeting of the HLEG held on 21 May 2008
– Third Meeting of the HLEG held on 26 June 2008
• Chairman's Report:
– The results of the work of the HLEG, including recommendations, the
views expressed during the meeting and additional information about
the previous work of the HLEG are contained in the Chairman’s report
which will be available at:
http://www.itu.int/osg/csd/cybersecurity/gca/hleg/meetings/third/index.html
19
GCA Sponsorship Programme – Join us!
• This Sponsorship programme – will ensure that all relevant
stakeholders are aware of HLEG’s valuable work, will increase
also a global understanding about how to work together to
implement effective strategies. It will then be up to the
stakeholders themselves – within their respective mandates
and capabilities – to translate these strategies into concrete
actions.
• GCA Sponsors will help to promote the goals of this initiative
around the world by participating in high-profile business
activities including publications, pubic campaigns, an annual
conference and other events. In addition to the opportunity to
meet with high-level decision makers, Sponsors also stand to
enhance their image and credibility with their stakeholders.
20
"The world must take action.
It must stand united.
This is not a problem any
one nation can solve alone"
Dr Óscar Arias Sánchez
Nobel Peace Laureate,
President of the Republic of Costa Rica,
Patron of the Global Cybersecurity Agenda.
21
Conclusions
Towards a global Cyberpeace…
The threats to global cybersecurity
demand a global framework!
The magnitude of this issue calls for a coordinated global
response to ensure that there are no safe havens for
cybercriminals.
ITU will act as a catalyst and facilitator for these partners to
share experience and best practice, so as to step up efforts for
a global response to cybercrime.
In this way, working together, we can create a cyberspace that
is somewhere safe for people to trade, learn and enjoy.
Dr Hamadoun I. Touré
Secretary-General, ITU
22
For More information on:
ITU Global Cybersecurity Agenda
& ITU Activities in Cybersecurity:
http://www.itu.int/cybersecurity/
Email: [email protected]
23
Supplemental Information
ITU-T
Telecommunication Standardization
Sector
24
ITU-T
ITU-T Security and Cybersecurity Activities
 SG 17, Security, Languages and Telecommunication Software
 Lead Study Group on Telecommunication Security
 SG 2, Operational Aspects of Service Provision, Networks and
Performance
 SG 4, Telecommunication Management
 SG 5, Protection Against Electromagnetic Environment Effects
 SG 9, Integrated Broadband Cable Networks and Television and
Sound Transmission
 SG 11, Signalling Requirements and Protocols
 SG 13, Next Generation Networks
 SG 15, Optical and Other Transport Network Infrastructures
 SG 16, Multimedia Terminals, Systems and Applications
 SG 19, Mobile Telecommunication Networks
25
ITU-T SG 17
ITU-T Study Group 17
Security, Languages and Telecommunication Software








Q.4/17, Communications Systems Security Project
Q.5/17, Security Architecture and Framework
Q.6/17, Cyber Security
Q.7/17, Security Management
Q.8/17, Telebiometrics
Q.9/17, Secure Communication Services
Q.17/17, Countering Spam by Technical Means
Q.2/17, Directory Services, Directory Systems and
Public-key/Attribute Certificates
26
SG 17 – Q.4/17: Communications Systems
Security Project
ITU-T SG 17 Question 4
Communications Systems Security Project
• Overall Security Coordination and Vision
• Outreach and promotional activities
• ICT Security Standards Roadmap
• Security Compendium
• ITU-T Security manual
• Focus Group on Security Baseline For Network
Operators
27
SG 17 – Q.4/17 results achieved
• Successful workshop organized at start of Study
Period to consider future direction of security
standards
• Security Standards Roadmap developed –
includes security standards from ITU, ISO/IEC,
IEEE, IETF, ATIS, ETSI, OASIS, 3GPP
• Security Compendium and Security Manual
maintained and updated
• Security Baseline for Network Operators
developed
28
SG 17 – Q.4/17 challenges
• Overall shortage of participants and
contributors
• Roadmap issues/challenges:
– Taxonomy (always a challenge!)
– Finding out about new standards and when to
post them
– Appearance of the database
– Need to develop a short guide to the update
process
29
SG 17 – Q.4/17 progress since GSC-12
Security Roadmap
• The listing of standards has been converted to
a searchable database
• Further updating is planned to ease navigation
• A new section (Part 5) has been added on
(non-proprietary) Best Practices
30
SG 17 – Q.4/17 focus for next study period
• Will continue to be primary SG contact for
security coordination issues
• Will maintain and update outreach material
– Security Manual
– Security Roadmap
– Security Compendium
• Responsibilities will be limited to coordination
and outreach – no Recommendations
31
SG 17 – Q.5/17: Security Architecture
and Framework
ITU-T SG 17 Question 5
Security architecture and framework
•
•
•
•
•
Scope
Strategic direction
Challenges
Major activities and accomplishments
Actions for the next study period
32
SG 17 – Q.5/17 scope
Policies &
procedures
Infrastructure security
THREATS
Privacy
Destruction
Availability
Data integrity
Security
program
Data confidentiality
Definition & Planning
Authentication
Services security
VULNERABILITIES
Non-repudiation
Implementation
Access control
Maintenance
Communication security
Security layers
Applications security
Corruption
Removal
Disclosure
Interruption
ATTACKS
Technology
End-user plane
Control plane
8 Security dimensions
Management plane
X.1036
X.1031
X.1034, X.1035
X.805_F4
Supplement to X.800-X.849, Guidelines for implementing system and network security
Recommendation X.805 has been a foundation of Q.5/17 security studies
and shaped the scope of its work
33
SG 17 – Q.5/17 scope (continued)
•
•
•
•
•
Q.5/17 has developed Recommendations that further develop the concepts of
X.805 and provide guidance on their implementation
X.1031, Security architecture aspects of end users and networks in
telecommunications - provides guidance on applying the concepts of the X.805
architecture for distributing the security controls between the telecommunication
networks and the end user’s equipment.
X.1034, Guidelines on Extensible Authentication Protocol based Authentication
and Key Management in a Data Communication Network and X.1035, PasswordAuthenticated Key Exchange Protocol (PAK) - specify protocols and
procedures that support functions of the Authentication security dimension.
X.1036, Framework for creation, storage, distribution and enforcement of policies
for network security further develops the concept of the security policy
described in X.805.
Supplement to X.800-X.849, Guidelines for implementing system and network
security provides guidelines for implementing system and network security
utilizing the concepts of X.805 and other security Recommendations and
standards.
34
SG 17 – Q.5/17 strategic direction
•
•
•
•
Development of a comprehensive set of Recommendations
for providing standard security solutions for
telecommunications in collaboration with other Standards
Development Organizations and ITU-T Study Groups.
Studies and development of a trusted telecommunication
network architecture that integrates advanced security
technologies.
Maintenance and enhancements of Recommendations in
the X.800-series and X.103x-series.
Coordination of studies on NGN security (with Question
15/13)
35
SG 17 – Q.5/17 challenges
• Authentication and key agreement is one of the most complex and
challenging security procedures. Question 5/17 has developed
Recommendations that contribute to the standards solutions for
authentication and key management
• X.1034, Guidelines on Extensible Authentication Protocol based
Authentication and Key Management in a Data Communication
Network
– Establishes a framework for the EAP-based authentication and
key management for securing the link layer in an end-to-end
data communication network.
– Provides guidance on selection of the EAP methods.
• X.1035, Password-Authenticated Key Exchange Protocol (PAK)
– Specifies a protocol, which ensures mutual authentication of
both parties in the act of establishing a symmetric cryptographic
key via Diffie-Hellman exchange.
36
SG 17 – Q.5/17 major accomplishments
• Recommendations developed by Q.5/17:
– X.1031, Security architecture aspects of end users and networks in
telecommunications
– X.1034, Guidelines on Extensible Authentication Protocol based
Authentication and Key Management in a Data Communication Network
– X.1035, Password-Authenticated Key Exchange Protocol (PAK)
– X.1036, Framework for creation, storage, distribution and enforcement of
policies for network security
• A Supplement developed by Q.5/17
– Supplement to X.800 - X.849 series Guidelines for implementing system
and network security
• Other technical documents prepared by Q.5/17
– In response to the WTSA Resolution 50, Question 5/17 has prepared
Guidelines for designing secure protocols using ITU-T Recommendation
X.805.
• Major coordination activity conducted by Q.5/17
– Question 5/17 has coordinated security studies with Question 15 of SG 13,
NGN Security ensuring alignment of the standards work in both groups.
37
SG 17 – Q.5/17 actions for next study period
•
•
•
•
•
•
•
•
•
•
How should a comprehensive, coherent communications security solution
be defined?
What is the architecture for a comprehensive, coherent communications
security solution?
What is the framework for applying the security architecture in order to
establish a new security solution?
What is the framework for applying security architecture in order to assess
(and consequently improve) an existing security solution?
What are the architectural underpinnings for security?
What new Recommendations may be required for providing security
solutions in the changing environment?
How should architectural standards be structured with respect to existing
Recommendations on security?
How should architectural standards be structured with respect to the
existing advanced security technologies?
How should the security framework Recommendations be modified to adapt
them to emerging technologies and what new framework Recommendations
may be required?
How are security services applied to provide security solutions?
38
SG 17 – Q.6/17: Cyber Security
ITU-T SG 17 Question 6
Cyber Security
•
•
•
•
•
•
Motivation
Scope
Challenges
Highlights of activities
Actions for Next Study Period
Collaboration with SDOs
39
SG 17 – Q.6/17 motivation
• Network connectivity and ubiquitous access is central to today’s IT
systems
• Wide spread access and loose coupling of interconnected IT systems
and applications is a primary source of widespread vulnerability
• Threats such as: denial of service, theft of financial and personal data,
network failures and disruption of voice and data telecommunications
are on the rise
• Network protocols in use today were developed in an environment of
trust
• Most new investments and development is dedicated to building new
functionality and not on securing that functionality
• An understanding of cybersecurity is needed in order to build a
foundation of knowledge that can aid in securing the networks of
tomorrow
40
SG 17 – Q.6/17 scope
• Definition of Cybersecurity
• Security of Telecommunications Network Infrastructure
• Security Knowledge and Awareness of Telecom Personnel and
Users
• Security Requirements for Design of New Communications
Protocol and Systems
• Communications relating to Cybersecurity
• Security Processes – Life-cycle Processes relating to Incident
and Vulnerability
• Security of Identity in Telecommunication Network
• Legal/Policy Considerations
• IP traceback technologies
• Authentication Assurance
41
SG 17 – Q.6/17 challenges
• How should the current Recommendations be further
enhanced for their wide deployment and usage?
• How to harmonize common IdM data models across the
ITU
• How to define and use the term Identity within the ITU
• How to detect and predict future threats and risks to
networks
• How to harmonize various IdM solutions
• What are the best strategies to improve Cybersecurity
• How to maintain a living list of IdM terms and definition
and use it informally across the ITU
42
SG 17 – Q.6/17 highlights of activities
Completed Recommendations
No.
Title
X.1205
Overview of Cybersecurity
X.1206
A vendor-neutral framework for automatic checking
of the presence of vulnerabilities information update
X.1207
Guidelines for Internet Service Providers and Endusers for Addressing the Risk of Spyware and
Deceptive Software
X.1250*
Requirements for global identity management trust
and interoperability
X.1303
Common Alerting Protocol (CAP 1.1)
* Currently in the approval process
43
SG 17 – Q.6/17 highlights of activities (2)
Recommendations under development
ITU-T X.eaa | ISO/IEC xxxx, Information technology – Security
techniques – Entity authentication assurance
This Recommendation | International Standard provides a framework for
entity authentication assurance which is the quantification of the risks that
an entity is who or what he/she/it claims to be. In other words, entity
authentication assurance is a measure of the confidence or risks
associated with the authentication process and mechanisms.
ITU-T X.gopw, Guideline on preventing worm spreading in a data
communication network
This Recommendation describes worm and other malicious codes
spreading patterns and scenarios in a data communication network. The
Recommendation provides guidelines for protecting users and networks
from such malicious codes.
44
SG 17 – Q.6/17 highlights of activities (3)
Recommendations under development
ITU-T X.idif, User Control enhanced digital identity interchange
framework
This Recommendation defines a framework that covers how global
interoperable digital identity interchange can be achieved and how an
entity’s privacy is enhanced by providing an entity more control over the
process of identity interchange. In addition, the Recommendation defines
the general and functional requirements of the framework that should be
satisfied. Based on the requirements, a framework is defined with basic
functional building blocks for identity interchange and enhancing entity
control.
ITU-T X.idm-dm, Common identity data model
This Recommendation develops a common data model for identity data
that can be used to express identity related information among IdM
systems.
45
SG 17 – Q.6/17 actions for next study period
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Enhance current Recommendations to accelerate their adoption
Work with SG 2 in Trusted Service Provider Identifier (TSPID)
Collaborate with Questions 5, 7, 9, 17/17 and with SG 2 in order to achieve better
understanding of various aspects of network security
Collaborate with IETF, OASIS, ISO/IEC JTC1, Liberty Alliance and other standardization
bodies on Cybersecurity
Work with OASIS on maintaining the OASIS Common Alerting Protocol V1.1 (ITU-T
Recommendation X.1303)
Study new Cybersecurity issues – How should ISPs deal with botnets, evaluating the output
of appropriate bodies when available.
Study technical aspects of Traceback techniques
Joint work is ISO/JTC1 SC 27 on Entity Authentication Assurance
Progress work with Liberty Alliance on Identity Authntication Frameworks
Working with SG 4 and SG 13 on common IdM Data Models.
Developing frameworks for User control enhanced digital identity interchange framework
Developing guideline on protection for personally identifiable information in RFID
application
Developing requirements for security information sharing framework
Developing guideline on preventing worm spreading in a data communication network
Maintaining the IdM Lexicon document
46
SG 17 – Q.6/17 collaboration with other SDOs
•
•
•
•
•
•
•
•
•
ISO/IEC JTC 1/SC 27
IEC/TC 25
IETF
IEEE
Liberty Alliance
OASIS
W3C
3GPP
ETSI/TISPAN
47
SG 17 – Q.7/17: Security management
ITU-T SG 17 Question 7
Security management
•
•
•
•
•
Scope
Challenges
Highlights of activities
Actions for Next Study Period
Collaboration with SDOs
48
SG 17 – Q.7/17 scope
For telecommunications organizations, information and the supporting
processes, facilities, networks and communications medias are all important
business assets.
In order for telecommunications organizations to appropriately manage these
business assets and to correctly continue the business activity, Information
Security Management is extremely necessary.
The scope of this question is to provide GUIDELINES and BASELINES of
Information Security Management to be appropriately applied for
telecommunications organizations. Studies related on this issue can be a little
bit extended to cover the following items:
-
information security management guidelines (baseline)
information incident management guidelines
risk management and risk profiles guidelines
assets management guidelines
policy management guidelines
information security governance
etc.
49
SG 17 – Q.7/17 strategic directions
Baseline
Information Security
Governance
Framework
X.ismf
Incident
Mang.
Compliant
BCP
Incident
Management
Systems
Security
Policy
Organizational
Security
Access
Controls
Assets
Personnel
Physical
Operational
Security
Other Managements
Maintenance
Mang.
Event Mang. Policy Mang. Asset Mang. Risk Mang.
X.sim: Security Incident Mang.
Vulnerability
Handling Announcement
Other Incident
Management
Alert
Incident
Handling
Handling
X.rmg
***
Assets Management
Methodology
Risk Management
& Risk Profiles
Based on the proposals
from NSMF
Practical Implementation Methodologies
50
SG 17 – Q.7/17 challenges
• How should information assets in telecommunications
systems be identified and managed?
• How should information security policy for
telecommunications systems be identified and managed?
• How should specific management issues for
telecommunications organizations be identified?
• How should information security management system (ISMS)
for telecommunications organizations be properly constructed
by using the existing standards (ISO/IEC and ITU-T)?
• How should measurement of information security
management in telecommunications be identified and
managed?
• How should an information security governance framework be
identified and managed?
• How should the small and medium telecommunications
organizations be managed and applied for security?
51
SG 17 – Q.7/17 highlights of achievements
Recommendations
No.
Title
X.1051
Information security management guideline for
telecommunications organizations based on ISO/IEC
27002
X.rmg*
Risk management and risk profile guide
X.sim*
Security incident management guidelines for
telecommunications
X.ismf*
Information Security Management Framework for
Telecommunications
* Currently under development
52
SG 17 – Q.7/17 actions for next study period
• Review the existing management Recommendations/Standards in
ITU-T and ISO/IEC management standards as for assets
identification and security policy management.
• Study and develop a methodology of assets identification and
policy management for telecommunications based on the concept
of information security management (X.1051).
• Study and develop information security management framework for
telecommunications based on the concept of information security
management (X.1051).
• Study and develop security management guidelines for small and
medium telecommunications based on the concept of information
security management (X.1051).
• Study and develop a methodology to construct information security
management system (ISMS) for telecommunications organizations
based on the existing standards (ISO/IEC and ITU-T).
• Study and develop an information security governance framework
for telecommunications that encompasses information technology
and information security management.
53
SG 17 – Q.7/17 collaboration with SDOs
•
•
•
•
ISO/IEC JTC 1/SC27
ETSI
TTC
NIST
54
SG 17 – Q.8/17: Telebiometrics
ITU-T SG 17 Question 8
Telebiometrics
•
•
•
•
•
•
Scope
Strategic Direction
Challenges
Highlights of activities
Actions for Next Study Period
Collaboration with SDOs
55
SG 17 – Q.8/17 scope
Digital key / Secure protocol / Authentication infrastructure /
System mechanism / Protection procedure
Safety conformity
Storage
Biometric
Sensors
Acquisition
(capturing)
NW
NW
NW
Matching
Extraction
Score
NW
Decision
NW
Application
Yes/No
NW:Network
56
SG 17 – Q.8/17 strategic direction
Security and Protection
for telebiometric application systems
Protection procedures
System mechanism
among Client/Server/TTP
BioAPI interworking protocol
Authentication infrastructure
Biometric Digital key
Safety
in interaction with sensors
57
SG 17 – Q.8/17 challenges
• How should security countermeasures be assessed
for particular applications of telebiometrics?
• How can identification and authentication of users be
improved by the use of interoperable models for safe
and secure telebiometric methods?
• What mechanisms need to be supported to ensure
safe and secure manipulation of biometric data in any
application of telebiometrics, e.g., telemedicine or
telehealth?
• How should the current Recommendations be further
enhanced for their wide deployment and usage?
58
SG 17 – Q.8/17 highlights of activities
Approved Recommendations
No.
Title
X.1082
Telebiometrics related to human physiology
X.1083
BioAPI Interworking Protocol
X.1084
Telebiometrics system mechanism – Part 1: General
biometric authentication protocol and system model
profiles on telecommunication systems
X.1088
Telebiometrics digital key – A framework for biometric
digital key generation and protection
X.1089
Telebiometrics authentication infrastructure
59
SG 17 – Q.8/17 actions for next study period
•
•
•
•
•
•
•
•
Enhance current Recommendations to accelerate their adoption to
various telebiometric applications and populate the telebiometric
database.
Review the similarities and differences among the existing
telebiometrics Recommendations in ITU-T and ISO/IEC standards.
Study and develop security requirements and guidelines for any
application of telebiometrics.
Study and develop requirements for evaluating security, conformance
and interoperability with privacy protection techniques for any
application of telebiometrics.
Study and develop requirements for telebiometric applications in a
high functionality network.
Study and develop requirements for telebiometric multi-factor
authentication techniques based on biometric data protection and
biometric encryption.
Study and develop requirements for appropriate generic protocols
providing safety, security, privacy protection, and consent “for
manipulating biometric data” in any application of telebiometrics, e.g.,
telemedicine or telehealth.
Prepare a manual on telebiometrics.
60
SG 17 – Q.8/17 collaboration with other SDOs
•
•
•
•
•
•
ISO/IEC JTC 1/SCs 17, 27 and 37
ISO/TC 68 and TC 12
IEC/TC 25
IETF
IEEE
International Bureau of Weight and
Measurement (BIPM)
61
SG 17 – Q.9/17: Secure communication
services
ITU-T SG 17 Question 9
Secure Communication Services
•
•
•
•
•
•
Focus
Position of each topic
Strategic direction
Challenges
Major achievements
Security work proposed for next study period
62
SG 17 – Q.9/17 focus
 Develop a set of standards of secure application services,
including
•
•
•
•
•
•
•
Mobile security
Home network security
Web Services security
Secure application services
NID/USN security Under study
Multicast security Under study
IPTV security Under study
63
SG 17 – Q.9/17 position of each topic
Mobile
Home
Network
Home Gateway
Network
Mobile Terminal
Home network security
Mobile security
Home
Network
STB
Content Provider
USN Application Server
Core Open
Network
IPTV security/Multicast security
Ubiquitous Sensor
Network
USN gateway
USN security
NID tag
NID Application Server
Application Server
NID security
NID reader
Client
Secure application
services
/Web Services security
64
SG 17 – Q.9/17 strategic direction
 For developing the draft Recommendations on IPTV security matters:
 Participate the ITU-T IPTV-GSI event (January – December, 2008) to
develop them being consistent with relevant Recommendations being
developed by other Questions
 Propose X.iptvsec-1 (Requirements and architecture for IPTV security
matter) for consent by September 2008, to meet urgent market need
 Based on X.iptvsec-1, continue to study a set of possible draft
Recommendations which complement X.iptvsec-1 technologically
 Continue to develop a set of draft Recommendations in domainspecific areas:
 Mobile network, Home network, (mobile) Web Services, application
services, NID/USN service, IPTV service multicasting service, etc.
 Continue to adopt or update the mature standards (i.e., SAML,
XACML) developed by other SDOs, especially by OASIS, in the area
of Web Services security
 Develop a common text of X.usnsec-1 (Security framework for USN)
with ISO/IEC JTC 1/SC 6 (as of June 2008)
 Keep maintaining liaison activities with 3GPP, 3GPP2, JTC 1/SC 6,
25, 27 to develop the relevant draft Recommendations
65
SG 17 – Q.9/17 challenges
 For the domain-specific draft Recommendations, it needs
to strengthen the coordination work with other relevant
Questions/SDOs to develop them to be consistent with
their work.
 During this Study period, Q.9/17 has been focused on the
security framework for various domain-specific networks.
However, from now on it should be emphasized to
develop the pragmatic draft Recommendations which
have significant impact on industry for the domain-specific
networks with the collaboration with industries, other
relevant SDOs and network/service providers.
 For developing the draft Recommendations on IPTV
security matters, the various detailed work items should
continue to be identified in the future.
66
SG 17 – Q.9/17 major achievements
 Mobile security
 X.1123, General security value
added service (policy) for mobile
data communication,
Approved 2007
 X.1124, Authentication
architecture in mobile end-to-end
data communication,
Approved 2007
 X.1125, Correlative reacting
system in mobile network,
Approved 2007
 NID security
 X.1171, Framework for Protection
of Personally Identifiable
Information in Networked ID
Services,
Consented 2008
 Home network security
 X.1111, Framework for security
technologies for home network,
Approved 2007
 X.1112, Certificate profile for the
device in the home network,
Approved 2007
 X.1113, Guideline on user
authentication mechanisms for
home network service,
Approved 2007
 X.homesec-4 Authorization
framework for home network,
to be consented 2008
 USN security
 X.usnsec-1 Requirement and
Framework for Ubiquitous Sensor
Network,
New work item in 2007
67
SG 17 – Q.9/17 major achievements (2)
 Multicast Security
 X.mcsec-,1 Security Requirement
and Framework in Multicast
communication,
New work item in 2007
 IPTV security
 X.iptvsec-1, Functional
Requirements and architecture for
IPTV security aspects,
New work item in 2008
 X.iptvsec-2, Requirement and
mechanism for Secure
Transcodable Scheme
New work item in 2008
 X.iptvsec-3, Key management
framework for secure IPTV
communications,
New work item in 2008
 Web Services security
 X.1143, Security architecture for
message security in mobile Web
Services,
Approved 2007
 Secure applications services
 X.1151, Guideline on strong
password authentication protocols,
Approved 2007
 X.1152, Secure end-to-end data
communication techniques using
Trusted Third Party services,
Consented 2008
 X.1161, Framework for secure peerto-peer communications,
Consented 2008
• X.1162, Security architecture and
operations for peer-to-peer network,
Consented 2008
68
SG 17 – Q.9/17 work for next study period
 Divide Q.9/17 into two Questions: Q.O/17 and Q.P/17,
considering the enormous workloads.
Q.9/17 for current Study Period
Q.O/17 for Next Study Period
Secure Communication Service
Security aspects for ubiquitous
telecommunication service
•
•
•
•
•
Mobile Security
Home network security
NID/USN security
Multicast security
IPTV security
•
•
•
•
•
Mobile Security
Home network security
NID/USN security
Multicast security
IPTV security, etc.
Q.P/17 for Next Study Period
Secure application services
• Web Service security
• Secure application security
• Web Service security
• Secure application service, etc.
69
SG 17 – Q.17/17: Countering spam by
technical means
ITU-T SG 17 Question 17
Countering spam by technical means
•
•
•
•
•
•
Scope
Strategic direction
Challenges
Highlights of activities
Actions for next study period
Collaboration with SDOs
70
SG 17 – Q.17/17 scope
 Develop a set of standards for countering spam by
technical means, including:
• General technical strategies and protocols for
countering spam
• Guidelines, frameworks and protocols for
countering email spam, IP multimedia spam, SMS
spam and other new types of spam
71
SG 17 – Q.17/17 strategic direction
Technical strategies on countering spam (X.1231)
SMS spam Filtering
System Based on
Users’ Rules (X.ssf)
Technologies involved
in countering email
spam (X.1240)
Technical framework for
countering email spam
(X.1241)
Overall aspects of IP multimedia
application spam (X.1244)
Framework Recommendations
IP multimedia application area
(X.fcsip)
Technology Recommendations:
Interactive countering spam gateway system (X.tcs-1) etc.
Technical means for countering email spam (X.tcs) TBD
72
SG 17 – Q.17/17 challenges
•
•
•
•
•
•
What risks does spam pose to the telecommunication network?
What technical factors associated with the telecommunication
network contribute to the difficulty of identifying the sources of
spam?
How can new technologies lead to opportunities to counter spam
and enhance the security of the telecommunication network?
Do advanced telecommunication network technologies (for
example, SMS, instant messaging, VoIP) offer unique
opportunities for spam that require unique solutions?
What technical work is already being undertaken within the IETF,
in other fora, and by private sector entities to address the problem
of spam?
What telecommunication network standardization work, if any, is
needed to effectively counter spam as it relates to the stability
and robustness of the telecommunication network?
73
SG 17 – Q.17/17 highlights of
activities
Approved Recommendations
No.
Title
X.1231
Technical Strategies on Countering Spam
X.1240
Technologies involved in countering email spam
X.1241
Technical framework for countering email spam
X.1244*
Overall aspects of IP multimedia application spam
* Currently in approval process
74
SG 17 – Q.17/17 actions for next study period
•
•
•
•
•
•
Act as the lead group in ITU-T on technical means for countering spam
Establish effective cooperation with the relevant ITU Study Groups,
other standard bodies and appropriate consortia and fora.
Identify and examine the telecommunication network security risks
introduced by the constantly changing nature of spam.
Develop a comprehensive and up-to-date resource list of the existing
technical measures for countering spam in a telecommunication network
that are in use or under development.
Determine whether new Recommendations or enhancements to existing
Recommendations, including methods to combat delivery of spyware,
worm, phishing, and other malicious contents via spam and combat
compromised networked equipment including botnet delivering spam.
Provide regular updates to the Telecommunication Standardization
Advisory Group and to the Director of the Telecommunication
Standardization Bureau to include in the annual report to Council.
75
SG 17 – Q.17/17 collaboration with SDOs
• Standardization bodies:
– IETF
– ISO/IEC JTC 1
• Other bodies:
– OECD
– MAAWG.
76
SG 17 – Q.2/17 - X.500 security aspects
ITU-T SG 17 Question 2
Directory Services, Directory Systems and Publickey/Attribute Certificates
• X.509 as basis for other specifications
– Certificates
– Public-Key Infrastructure (PKI)
– Privilege Management Infrastructure (PMI)
• Protecting directory information
– User authentication
– Access control
– Data privacy protection
77
SG 17 – Q.2/17 - X.509 applicability
The X.509 specification is the base for many other
specifications:
• Secure Socket Layer (SSL)
• The IETF Internet X.509 Public Key Infrastructure
(PKIX) activity
• The IETF Secure / Multipurpose Internet Mail
Extensions (S/MIME) activity
• The ETSI Electronic Signatures and Infrastructures
(ESI) activity
• Etc.
78
SG 17 – Q.2/17 - X.509 applicability (2)
The X.509 specification is the base for:
•
•
•
•
•
Secure e-mail
Online banking
Medical electronic journals
Online public service
Etc.
In short: The whole electronic world
79
SG 17 – Q.2/17 - Public-Key Infrastructure (PKI)
• PKI is an infrastructure for managing certificates. It
consists of one or more Certification Authorities for
issuing certificates in a secure way following a set of
policies.
• It includes maintaining information about
certificates been revoked.
• Directories are major components of the
infrastructure.
80
SG 17 – Q.2/17 - Privilege Management
Infrastructure (PMI)
• PMI is an infrastructure for managing authorization
using attribute certificates. It consists of one or more
Attribute Authorities for issuing attribute certificates in
a secure way.
• It includes maintaining information about attribute
certificates been revoked.
• Directories are major components of the
infrastructure.
• Recent development - (PMI) has been extended to
allow privileges obtained in one domain to be used in
an other domain (federation of privileges).
81
SG 17 – Q.2/17 - Protecting Directory
Information
Authentication of users
• None
• Name
• Name + password
• Name + protected password
• Strong authentication based on X.509
82
SG 17 – Q.2/17 - Protecting Directory
Information
Access control
• Access control is about right-to-know
(Who may do what based on level of
authentication)
• X.500 has comprehensive access control
features
• X.500 is the only directory specification
having these features
83
SG 17 – Q.2/17 - Protecting Directory
Information
Data Privacy Protection
• Data Privacy Protection is about right-toknow and need-to-know.
• Protection against malicious searches
• Protection against data trawling
• Minority protection
84
SG 17 – Q.2/17 - New security extension work
Password policy, that is rules for administration of
password to increase directory security:
•
•
•
•
•
•
Password lifetime
Maintain password history (avoid reuse)
Password quality
Password warnings
Error signalling
Etc.
Part of next X.500 edition (2011-2012)
85
ITU-T SG 2
ITU-T Study Group 2
Operational aspects of service provision, networks and performance
86
SG 2 – Scope of security study
• Operational aspects such as prevention
and detection of:
– Fraud
– Misuse
• Corresponding operational measures
• Security requirements
87
SG 2 – Accomplishment
• Recommendations:
– E.156 Guidelines for ITU-T action on reported misuse
of E.164 number resources
– E.408 Telecommunication networks security
requirements
– E.409 Incident organization and security incident
handling: Guidelines for telecommunication
organizations
– Numerous Recommendations on operational aspects
of network management
88
ITU-T SG 4
ITU-T Study Group 4
Telecommunication management
89
SG 4 – Scope of security study
• Security of management plane
• Management of security for
telecommunications management
• Protocols of securities for management
90
SG 4 – Strategic direction
• Establishment of interface Recommendations
among security function groups or entities for
management of security (Enhancement of
M.3410)
• Study on use of IdM in management plan
• Study on the management of IdM
• Continuation of protocol profiling for security
management
91
SG 4 – Challenges
• Fill the gap in security on management
plane and management of its security
• Collaboration with ATIS TMOC and ETSI
TISPAN on the subject
92
SG 4 – Accomplishment
• Consent of Recommendation M.3410
– Guidelines and Requirements for
Security Management Systems to
Support Telecommunications
Management
93
SG 4 – Next steps
• Enhancement of M.3016 series
Recommendations for security of
management plane
• Enhancement of M.3410 Recommendation
for management of security for
telecommunications management
• Enhancement of Q.811 and Q.812,
management protocol profiles from security
subject perspective
94
SG 4 – Questions
• What security mechanisms and protocols are
required to support security of management for
NGNs?
• What management mechanisms and protocols are
required to support management of security for
NGNs?
• What use of Service-Oriented Architecture concepts
should be applied in specifying protocol and
security Recommendations?
• What collaboration inside and outside the ITU-T is
needed to develop protocol and security functions?
95
ITU-T SG 5
ITU-T Study Group 5
Protection against electromagnetic
environment effects
96
SG 5 – Scope
• To provide guidance on the protection of
Telecommunications and Data Centres against
disruption of service and/or physical damage due to:
– Natural EM phenomena
• Lightning, Electrostatic Discharge (ESD)
– Interactions with the RF Spectrum
• Electromagnetic Compatibility (EMC)
– Man-Made/Malicious Electromagnetic threats
• High-altitude EM Pulse (HEMP);
• High-Power EM weapons (HPEM);
• To provide guidance on the protection of electronic
data from interception via EM means
97
SG 5 – Strategic direction
• Do not reinvent the wheel
– Reference existing K-Series Recommendations
wherever possible
• Lightning, ESD, EMC
– Develop effective liaisons with other International
Standardization Organizations to exploit additional
expertise
• Liaison with IEC TC 77 – Electromagnetic Compatibility
(EMC) – SC 77C – High Power Transient Phenomena –
provided expertise in HEMP and HPEM
• Liaison with National Institute of Information and
Communications Technology (NICT) of Japan –
provided expertise on EM interception of data
– Apply existing expertise to the telecommunications
and data centre domain
98
SG 5 – Challenges
• Knowledge management
– Liaisons with other bodies has granted access to rich
veins of existing expertise
– This has taken time to assimilate and present within the
context of a telecommunications and data centre
• EM intercept
– Previously officially secret in some regions (i.e. previously
known as TEMPEST within the US)
99
SG 5 – Recent accomplishments
• A document set is planned
• K.sec – basic introduction that references the following:
–
–
–
–
–
–
K.hemp
K.hpem
K.leakage
K.sec_miti
Existing K-series Recommendations on lightning
Existing K-series Recommendations on EMC
• Steady progress has been made on developing the
document set
100
SG 5 – Next steps/actions
Development of document set continues with the following timing
Document
Title of the Recommendation
Timing
K.sec
Guide for the application of electromagnetic security
requirements - Basic Recommendation
2011
K.hemp
Application of requirements against HEMP to
telecommunication systems
2008
K.hpem
Application of requirements against HPEM to
telecommunication systems
2008
K.leakage
Test method and requirements against information
leak through unintentional EM emission
2009
K.secmiti
Mitigation methods against EM security threats
2011
101
ITU-T SG 9
ITU-T Study Group 9
Integrated broadband cable networks and
television and sound transmission
102
SG 9 – Scope of security work
 Security requirements are spread across multiple questions:
– Improve the security of conditional access systems used for
television subscription, pay-per-view and similar services
distributed to the home by cable television (Q3)
– Security, conditional access, protection against unauthorized
copying, protection against unauthorized redistribution
requirements to be supported by an universal integrated receiver
or set-top box for the reception of cable television and other
services (Q5)
– Security requirements and protocols associated with high-speed
bidirectional data facilities intended to support, among other
payloads, those utilizing Internet Protocols (IP) exploiting the
broadband capacity provided by hybrid fiber/Coaxial (HFC) digital
cable television systems (Q8)
– Security requirements and protocols for Voice over IP/Video over
IP applications in IP-based cable television networks (Q9)
– Extend the security requirements for entertainment video delivery
associated with cable network video service onto the home
network (Q10)
 Provide all the security requirements for the network elements
and services offered by cable operators
103
SG 9 – Strategic direction for security for
Cable Networks
Network Elements
- Link privacy for cable modem implementations
J.125
- Third generation Transmission systems –
security services J.222.3
- IP Cablecom security specification J.170
- IP Cablecom 2 architecture including
securityJ.360
- Security features based on 3G mobile telecom
system as modified for Cable J.366.7
- IMS network domain security specification
J.366.8
- Generic authentication architecture specification
J.366.9
Home Networking –
Devices and Applications
- A Residential Gateway to
support delivery of cable data
services J.192
- Requirements for next
generation set-top boxes J.193
- High level requirements for
DRM Bridge for Cable access
Network to home network J.197
- Next generation set-top box
architecture J.290
- IPTV requirements for
secondary distribution J.700
104
SG 9 – Challenges for cable networks security
• Authentication, privacy, access control and content
protection both on the access network and the
bridge to home network are key considerations for
multi-media applications/services
• Security requirements for network elements in the
access networks determine how the applications
(voice, video and data) are transmitted securely to
authenticated users/subscribers
• Security requirements for network elements in the
home network such as residential gateway and settop boxes meet the access control for the user
105
SG 9 – Major accomplishments
• Approved 2 security requirements Recommendations:
• “Link Privacy for cable modems” (J.125)
• “Third generation transmission systems” (cable Modem and
Cable Modem Termination System, J.222.3)
• Approved “IPTV requirements for secondary
distribution” (J.700)
• Approved the Recommendation on “Component
definition and interface specification for next
generation set-top box” (J.293)
106
SG 9 – Security work for next study period
Security studies for the next study period will be
continued in the following questions:
• Cable television delivery of digital services and
applications that use Internet Protocols (IP) and/or
packet-based data
• Voice and video applications over cable TV
networks
• Functional requirements for a universal integrated
receiver or set-top box for the reception of cable
television and other services
• The extension of cable-based services over
broadband in Home Networks
• Security requirements for IPTV interfaces for
secondary distribution (identified in J.700)
107
ITU-T SG 11
ITU-T Study Group 11
Signalling Requirements and Protocols
108
SG 11 – Scope of security work
 Each Question of SG11 has to consider
security aspects to develop protocol
Recommendations used for network control
signalling, based on the general
requirements developed by other SGs, such
as SG 2, SG 13, SG 17 and SG 19.
 Q.7/11, entitled as “Signalling and control
requirements and protocols to support
attachment in NGN environments”, has specific
requirements for authentication and
authorization of users and terminals.
109
SG 11 – Strategic direction
• Security consideration has been incorporated within
the text for each Question of SG11.
• Various security arrangements are embedded within
the protocols defined at various reference points, by
reusing existing mechanisms defined by other
organization (e.g., IETF and 3GPP).
• Strengthen the coordination on security issues
across SGs, as well as among Questions within SG
11 by proposing a dedicated new Question on
security coordination for the next study period.
110
SG 11 – Challenges for secure protocols
• Design interface protocols which have
various security mechanisms based on
Recommendations / specifications
developed by SG 17 and other SDOs.
• Special attention should be drawn to the
interface between legacy telephone
networks and emerging NGN.
• It would also be necessary to guide actual
protocol implementations so that there will
be no security holes, for example, by
defining implementers’ guides.
111
SG 11 – Recent accomplishments
• 24 Recommendations and 6 Supplements have
been approved so far, regarding NGN protocols
with security mechanisms embedded.
• The following two Recommendations have been
approved at the January 2008 SG11 meeting in
Q.7/11 in Network attachment control protocol
work:
– Q.3201, “EAP-based security signalling protocol
architecture.”
Note - EAP: Extensible Authentication Protocol
– Q.3202.1, “Authentication protocols for interworking
among 3GPP, WiMax and WLAN in NGN.”
112
SG 11 – Security work for next study period
New Question on security coordination
• What is the content of an appropriate policy for the
consideration of protocol security in the work of the
Study Group?
• What are the means to assure that such a policy is
being followed in practice?
• What exceptions to the general policy are permissible
in the case of specific Recommendations?
• What is the impact of security-related work in other
groups on the work of protocol security within this
Study Group at the policy level?
• What are the means by which technical developments
in protocol security achieved in other groups may be
communicated to interested Questions in this Study
Group, and the reverse?
113
ITU-T SG 13
ITU-T Study Group 13
Next Generation Networks
114
SG 13 – Scope of NGN security work in Q.15
 Conduct NGN Security studies to develop network
architectures that:
– Provide for maximal network and end-user resources
protection
– Allow for highly-distributed intelligence end-to-end
– Allow for co-existence of multiple networking technologies
– Provide for end-to-end security mechanisms
– Provide for security solutions that apply over multiple
administrative domains
– Provide for secure Identity Management
– Provide for security solutions for IPTV that are costeffective and have acceptable impact on the performance,
quality of service, usability, and scalability
 Provide security guidance on NGN security to all
Questions of SG 13 and other Study Groups
115
SG 13 – Strategic direction for NGN security
Y.2701 is a base for development of the detailed
Recommendations on NGN Security
Y.2701 Security Requirements for
NGN Release 1
Y.2701 is built on
application
of the concepts
of
Y.2702 NGN
Authentication
and
Authorization
Requirements
Identity Management has evolved into
a separate topic of the NGN security work
NGN AAA
X.805
to Y.2201 ,
NGN requirements
NGN
Certificate
Management
NGN
Security
Mechanisms
NGN IdM
Framework
NGN IdM Use
cases
NGN IdM
Requirements
and Y.2012,
NGN Functional Requirements and Architecture
NGN IdM
Mechanisms
•IdM Framework defines the concepts of the IdM
•IdM Use cases is a base for deriving the IdM requirements
•IdM Mechanisms provide support for the requirements
116
SG 13 – Challenges for NGN security
• Authentication is one of the most complex and
challenging procedures in NGN security. The
following study items of SG 13 are focused on
various aspects of authentication:
– Y.2702, NGN Authentication and Authorization
Requirements
– NGN Security Mechanisms
– NGN Certificate Management
– NGN Authentication Authorization and Accounting
– NGN IdM Requirements
– NGN IdM Mechanisms
117
SG 13 – Major security accomplishments
Question 15/13 has:
– Achieved determination of the draft ITU-T Recommendation
Y.2702, NGN Authentication and Authorization Requirements
– Defined the direction for the studies of Identity Management
(IdM) for NGN and started development of four ITU-T
Recommendations on IdM
– Provided security expertise to other Questions and Study
Groups through active participation in NGN-GSI and IdM-GSI
– Continued productive collaboration with ITU-T SG 17 - Lead
Study Group on Telecommunication Security and started joint
(with Q.6/17) development of Recommendation X.idm-dm,
Identity Data Model
– Initiated a liaison exchange with 3GPP SA 3 aimed at
harmonization of the standards on media security
118
SG 13 – Security work for next study period
Security studies for the next study period will address:
•
•
•
•
•
•
•
•
•
What new Recommendations or guidance to other Study Groups are
needed to standardize identification of NGN threats and vulnerabilities?
What are the security requirements of NGN to effectively counter these
threats?
What new Recommendations are necessary to enable comprehensive,
end-to-end security in NGN that span across multiple heterogeneous
administrative domains?
What new Recommendations or guidance are necessary to enable
attachment of terminals in a secure fashion, including Authentication,
Authorization, and Accounting (AAA) considerations, to NGN?
How to define security architecture of Identity Management in NGN?
What are security requirements to Identity Management in NGN?
What new Recommendations are needed for supporting security
requirements of Identity Management in NGN?
What new Recommendations are needed for supporting secure
interoperability among different Circles of Trusts (CoT) in NGN?
What new NGN Recommendations are needed for supporting security
requirements of IPTV?
119
ITU-T SG 15
ITU-T Study Group 15
Optical and Other Transport Network
Infrastructures
120
SG 15 - Responsibilities
SG15 is responsible for the development of standards
on optical and other transport network infrastructures,
systems, equipment, optical fibres, and their
management and the corresponding control plane
technologies to enable the evolution toward intelligent
transport networks. This encompasses the
development of related standards for the customer
premises, access, metropolitan and long haul sections
of communication networks.
This responsibility includes security-related aspects,
including encryption, protection and restoration, and
security management.
121
SG 15 – Security related work in SG 15
Question
Topic and security-related issues
1/15
Coordination of Access Network Transport standards
Access Network Transport planning security aspects
2/15
Optical systems for fibre access networks
Example: Link level encryption
3/15
General characteristics of optical transport networks
OTN planning security aspects
4/15
Transceivers for customer access and in-premises networking systems on metallic conductors
Example: Notching out frequency bands used by amateur radio etc.
6/15
Characteristics of optical systems for terrestrial transport networks
Safety and reliability requirements
9/15
Transport equipment and network protection/restoration
Security requirements for equipment functions and protection switching processes for transport
networks
10/15
Optical fibres and cables for the access network to and in buildings and homes
Safety and reliability requirements
12/15
Transport network architectures
Architecture aspects, including security-related issues
14/15
Management and control of transport systems and equipment
Security requirements for managing the transport network/system/equipment and the supporting
management communication network and signalling communication network
122
SG 15 – Major security accomplishments
The common transport equipment management
requirements Recommendation G.7710/Y.1701 (7/2007)
has added M.3016 Series (2005) as normative reference
for management plane security requirements.
The requirements in G.7710/Y.1701, including the
security requirements, continue to be the base for
managing technology-specific transport equipment,
including EoT in G.8051/Y.1345 (10/2007) and T-MPLS
in G.8151/Y.1374 (10/2007).
123
SG 15 – Security work for next study period
Will continue to study security requirements for
managing transport network/system/equipment and
their control plane and revise the recommendations
are necessary
G.806 (Generic Equipment Functions) will be revised
and security requirements will be included.
124
ITU-T SG 16
ITU-T Study Group 16
Multimedia terminals, systems and
applications
125
SG 16 – Q.25/16, Multimedia security in NGN
•
•
•
•
Study Group 16 concentrates on multimedia systems.
Q.25/16 focuses on the application-security issues of
MM applications in existing and next generation
networks
Standardizes multimedia security
So far Q.25/16 has been standardizing MM-security for
the “1st generation MM/pre-NGN systems”:
–
H.323/H.248-based systems
126
SG 16 – Evolution of H.235
Core Security
Framework
Engineering
1st Deployment
Improvement and Additions
Consolidation
Reorganization
H.235V3 H.235V3 H.235V3
Amd1 +
Amd1
+
Annex I Annex H
H.235 Annex G
H.235V4
H.235.0
~
H.235.9
approved
H.235V2
H.235V1
approved
Initial
Draft
H.323V1
1996
Security
Profiles
Annex D
Annex E
started
H.323V2
1997
1998
Annex D
Annex F
H.530
consent
Annex E
approved
H.323V4
1999
2000
H.323V5
2001
2002
2003
H.323V6
2004
2005
2006
127
SG 16 – H.235 V4 sub-series Recommendations
•
•
Major restructuring of H.235v3 Amd1 and annexes in
stand-alone sub-series Recommendations
H.235.x sub-series specify scenario-specific MMsecurity procedures as H.235-profiles for H.323
•
Some new parts added
•
•
Some enhancements and extensions
Incorporated corrections
•
Approved in September 2005
128
SG 16 – H.323 Security Recommendations (1)
•
H.235.0 “Security framework for H-series (H.323 and
other H.245-based) multimedia systems”

•
H.235.1 "Baseline Security Profile”

•
Overview of H.235.x sub-series and common procedures with
baseline text
Authentication & integrity for H.225.0 signaling using shared
secrets
H.235.2 "Signature Security Profile”

Authentication & integrity for H.225.0 signaling using X.509
digital certificates and signatures
129
SG 16 – H.323 Security Recommendations (2)
•
H.235.3 "Hybrid Security Profile"

enhanced
•
H.235.4 "Direct and Selective Routed Call
Security"

extended
Authentication & integrity for H.225.0 signaling using
an optimized combination of X.509 digital certificates,
signatures and shared secret key management;
specification of an optional proxy-based security
processor
Key management procedures in corporate and
interdomain environments to obtain key material for
securing H.225.0 call signaling in GK directrouted/selective routed scenarios
130
SG 16 – H.323 Security Recommendations (3)
•
enhanced

•
modified
H.235.5 "Framework for secure authentication
in RAS using weak shared secrets"
Secured password (using EKE/SPEKE approach) in
combination with Diffie-Hellman key agreement for
stronger authentication during H.225.0 signaling
H.235.6 "Voice encryption profile with native
H.235/H.245 key management"


Key management and encryption mechanisms for
RTP
Amendment 1 (June 2008) added support for cipher
key lengths of 192 and 256 bit to AES
131
SG 16 – H.323 Security Recommendations (4)
•
H.235.7 "Usage of the MIKEY Key Management
Protocol for the Secure Real Time Transport
Protocol (SRTP) within H.235"

•
NEW
•
NEW
Usage of the MIKEY key management for SRTP
H.235.8 "Key Exchange for SRTP using Secure
Signalling Channels"

SRTP keying parameter transport over secured
signaling channels (IPsec, TLS, CMS)
H.235.9 "Security Gateway Support for H.323"

Discovery of H.323 Security Gateways
(SG = H.323 NAT/FW ALG) and key management for
H.225.0 signaling
132
SG 16 – Other MM-SEC results
•
H.350.2 (2003) “H.350.2 Directory Services Architecture
for H.235”

•
H.530 (2002) “Symmetric security procedures for H.323
mobility in H.510” + Cor.1 (2003)

•
An LDAP schema to represent H.235 elements (PWs,
certificates, ID information)
Authentication, access control and key management in mobile
H.323-based corporate networks
H.460.22 (2007) “Security protocol negotiation” +
Cor.1 (2008)

Negotiate security protocols (IPsec or TLS or others) for H.323
signaling
133
SG 16 – Q.5/16 (H.300 NAT/FW traversal)
results
•
H.460.18 (2005) “Traversal of H.323 signalling across
FWs and NATs”

•
H.323 protocol enhancements and new client/server proxies to
allow H.323 signalling protocols traverse NATs & FWs;
H.323 endpoints can remain unchanged
H.460.19 (2005) “NAT & FW traversal procedures for
RTP in H.323 systems”

Uses multiplexed RTP media mode and symmetric RTP in
conjunction with H.460.18 as a short-term solution
134
SG 16 – More Q.5/16 results
•
Technical Paper (2005) “Requirements for Network
Address Translator and Firewall Traversal of H.323
Multimedia Systems”

•
Technical Paper (2005) “Firewall and NAT traversal
Problems in H.323 Systems”

•
Documentation of scenarios and requirements for NAT &
FW traversal in H.323
An analysis of scenarios and various problems encountered
by H.323 around NAT & FW traversal
H-Series Supplement 10 (2008) “Proxy-aided
NAT/FW Traversal Scheme for H.323 Multimedia
Systems”

Describe proxy-aided NAT/firewall traversal mechanism as
a NAT traversal solution for H.323 multimedia systems
135
SG 16 – New security items under current study
•
MM security aspects of Advanced Multimedia Systems
(AMS) under Q.12/16

•
Security consideration in the third generation MM system with
a decomposed and distributed architecture
Security aspects of IPTV system under Q.13/16

Content protection related metadata
136
SG 16 – Summary
•
Multimedia systems and applications as being studied by
SG16 face important security challenges:
–
•
•
•
MM-security and NAT/FW traversal
Q.25/16 and Q.5/16 are addressing these issues and
have provided various Recommendations
The work continues in the scope of
NGN-Multimedia Security
Security considerations are key part of draft new
Question B7/16 “Advanced functions for H.300-series
systems and beyond”
–
Other Questions will also address the topic within their areas of
competence
137
ITU-T SG 19
ITU-T Study Group 19
Mobile Telecommunication Networks
138
SG 19 – Scope of security work
• Scope: IMT-2000 Family Member Networks
• Broad requirements for security are covered in the
following ITU-T Recommendations:
– Q.1701 “Framework for IMT-2000 networks”
– Q.1702 “Long-term vision of network aspects for
systems beyond IMT-2000”
– Q.1703 “Service and network capabilities framework
of network aspects for systems beyond IMT-2000”
139
SG 19 – Strategic directions
• Mainly derived from Q.1702 and Q.1703
– Q.1702 indicates the following objectives to provide
network security among heterogeneous interconnected networks:
• Comprehensive, cross-provider security infrastructure
support
• Well-defined and conducted routine system risk analysis
• Robust system intrusion monitoring and response system
to control damage
• Low overhead security protocols to accommodate
wireless bandwidth limitation
• Provide seamless security across heterogeneous access
technologies
140
SG 19 – Strategic directions
• Mainly derived from Q.1702 and Q.1703
– Rec. Q.1703 specifies that at least the following
security services should be provided:
• Integrity: contents as received are exactly as sent
• Confidentiality: user data is kept secret from
unintended listeners
• Non-repudiation: prevent denying a transmission was
initiated
• Mutual authentication: assurance that a participant is
who he claims to be
• Authorization: control user access to various network
resources
141
SG 19 – Security challenges
• To address security concerns arising due to:
– Migration from circuit switching to Packet switching (using
IP in wireless networks)
– Fixed Mobile Convergence (FMC): access & services
across heterogeneous networks (GSM, Wi-Fi, PSTN,
WiMAX, etc.) with the usage of IP
• To define a security framework applicable across
heterogeneous networks
142
SG 19 – Major security accomplishments
• Q.1707/Y.2804 (02/2008) “Generic Framework of Mobility
Management for NGNs”
– Designed to ensure that MM functions can interwork with the
relevant authentication and security protocols.
• Q.1742-series “IMT-2000 references to ANSI-41 evolved
core network with cdma2000 access”
– References to 3GPP security specifications
•
•
•
•
•
•
S.S0078: Common Security Algorithms
S.R0082: Enhanced Packet Data Air Interface Security
S.R0083: Broadcast-Multicast Service Security Framework
S.S0114: Security Mechanisms using GBA
S.S0110: IP-Based Location Services Security Framework
S.R0086: IMS Security Framework.
143
SG 19 – Major security accomplishments (2)
• Q.1762/Y.2802 “Fixed-mobile convergence general
requirements”
– Notes need for uniform authorization mechanism
– FMC may contain access-specific or -dependent parts but the
procedure for handling these is uniform
• Q.1763 “FMC service using legacy PSTN or ISDN as the
fixed access network for mobile network users”
– Authentication through a fixed network access provides for same
security mechanism as in the mobile network
– Refers to 3GPP TS 33.102 / ETSI TS 133.102 which address
UMTS 3G security and security architecture
144
SG 19 – Major security accomplishments (3)
• Working Draft Q.FMC-IMS “Fixed mobile convergence
with a common IMS session control domain” as of 14
May 2008
– Mobile access in mobile networks faces an increased level of
security threats compared to stationary access in fixed
networks
– Nomadic and wireless access in fixed networks utilize the
mobile world security framework (TS 33.203) for IMS access,
with the IMS Subscriber Identity Module (ISIM) as a key
component
– References IMS security (3GPP TR 33.978) and
authentication mechanisms (ETSI TS 187.003)
145
SG 19 – Security work for next study period
• F/19 : Convergence of existing and evolving IMT and
fixed networks
– FMC cannot be studied in isolation
– Has to take into account the ongoing work on NGN
scenarios, services, architecture, mobility, security and QoS,
and on mobile network technologies outside of ITU-T
– Study of specific FMC scenarios and solutions requires a solid
understanding of mobile network technologies and close
liaison with mobile network SDOs
146
SG 19 – Specific actions member
organizations of GSC should take
• Aim for globally consistent end-user security support
– Identify FMC security requirements for uniform authentication
and authorization mechanisms (i.e., authentication and
authorization combined)
– Network specific requirements for T-SPID
147
Supplemental Information
ITU-D
Telecommunication Development Sector
148
ITU-D
ITU-D Cybersecurity Activities: Two Main Pillars
•
•
ITU-D Study Group 1 Question 22/1: Securing information and communication
networks: Best practices for developing a culture of cybersecurity
– Developing a Framework for Organizing National Cybersecurity Efforts
ITU-D Programme 3 ITU Cybersecurity Work Programme to Assist Developing
Countries. Example activities include:
– Assistance related to Establishment of National Strategies and Capabilities
for Cybersecurity and Critical Information Infrastructure Protection (CIIP)
– Assistance related to Establishment of appropriate Cybercrime Legislation
and Enforcement Mechanisms
– Assistance related to establishment of Watch, Warning and Incident
Response (WWIR) Capabilities
– Assistance related to Countering Spam and Related Threats, Establishment
of an ITU Cybersecurity/CIIP Directory, Contact Database and Who’s Who
Publication
– Cybersecurity Indicators
– Fostering Regional Cooperation Activities
149
Supplemental Information
ITU-R
Radiocommunication Sector
150
ITU-R
ITU-R Cybersecurity Activities
•
Radio spectrum global frequency management is increasingly important for
building confidence and security and creating an enabling environment in the use
of ICTs. ITU-R plays a central role in facilitating complex intergovernmental
negotiations needed to develop legally binding agreements between
sovereign states in an increasingly ‘unwired’ world.
•
ITU-R activities related to cybersecurity
– Recommendation ITU-R M.1457 “Security mechanism incorporated in IMT-2000”
– Recommendation ITU-R S.1711 “Performance enhancements of transmissions control
protocol over satellite”
– Recommendation ITU-R M.1645 “Framework and overall objectives of the future
development of IMT-2000 and systems beyond IMT-2000”
– Recommendation ITU-R M.1223 “Evaluation of security mechanism for IMT-2000”ITUR
– Recommendation ITU-R S.1250 “Network management architecture for digital satellite
systems forming part of SDH transport networks in the fixed-satellite service”
– Recommendation ITU-R M.1078 “Security principles for IMT-2000”
151
Some useful web resources
•
ITU-T Home page
http://www.itu.int/ITU-T/
•
Study Group 17
e-mail:
http://www.itu.int/ITU-T/studygroups/com17/index.asp
[email protected]
•
LSG on Security
http://www.itu.int/ITU-T/studygroups/com17/tel-security.html
•
Security Roadmap
http://www.itu.int/ITU-T/studygroups/com17/ict/index.html
•
Security Manual
http://www.itu.int/publ/T-HDB-SEC.03-2006/en
•
Cybersecurity Portal
http://www.itu.int/cybersecurity/
•
Cybersecurity Gateway
http://www.itu.int/cybersecurity/gateway/index.html
•
Recommendations
http://www.itu.int/ITU-T/publications/recs.html
•
ITU-T Lighthouse
http://www.itu.int/ITU-T/lighthouse/index.phtml
•
ITU-T Workshops
http://www.itu.int/ITU-T/worksem/index.html
152
Download