Overview of Information Security Management Activities
Undertaken within ITU-T SG 17 and ISO/IEC JTC1/SC 27
Koji NAKAO
KDDI Corporation
NICT Incident Response Group Leader
Rapporteur of ITU-T SG17 Question 7
ISO/IEC SC27/WG1 National Convener
Network dependency and security incidents are growing together

• Popularization of the broadband communication environment
• Network dependency is getting higher and higher – various and advanced uses of the internet
• Increasing security threats – security incidents are becoming serious (Slammer, Blaster and Sasser worms, botnets)
  • Malicious worms are getting more skillful and integrated
  • A lot of internet users do not bother to apply security patches
  • The network itself is now included as a target of attacks
[Chart: broadband subscriptions in Japan, in units of 10,000 contracts, for DSL, cable internet and FTTH, from Heisei 11 to Heisei 15 (FY1999 to FY2003; the Heisei 15 figure is as of the end of September, the others as of fiscal year end). Source: survey by the Ministry of Internal Affairs and Communications (総務省).]
Threats in our surroundings

Information assets (data) are exposed to threats such as:
• Malicious software
• Disasters (earthquake, fire)
• DoS, DDoS
• Illegal access
• Theft
• Information leakage

ICT security incidents:
1) Scans & probes
2) Computer intrusions
3) Malicious software (viruses, etc.)
4) Computer sabotage & damage (e.g. by DoS attacks)
5) Information theft and espionage
6) Impersonation
A short history of computing & insecurity (timeline 1977–2005)

• Apple II Computer • Commodore • Atari • TI-99 • TRS-80
• First worm developed in Xerox Palo Alto
• First self-destruct program (Richard Skrenta) • First self-replicating program (Skrenta's Elk Cloner)
• FBI arrests "414s" hacker group
• ©Brain virus developed by two Pakistanis • Yale, Cascade, Jerusalem, Lehigh, etc.
• Ken Thompson demonstrates the first Trojan horse • Fred Cohen's VAX viruses
• First "Concept" macro virus
• Stealth virus (Whale) • Variable encryption (1260)
• Morris' worm
• Robert T. Morris fined $10K, 3 years probation
• Melissa virus ($80m) • Excel macro virus (cross platform)
• Philippines' "I LOVE YOU" virus
• "Solar Sunrise" – two California teens attack 500 military, government & private computer systems
• Code Red • Nimda
• Melissa's author sentenced to 20 months in jail
• DDoS on 13 "root" servers
• Slammer • Blaster • Welchia
• MyDoom • Sasser
• Spyware • Bots
• Phishing attacks proliferated
• Phishing begins in AOL
• "Cuckoo's Egg" in LBL
• SPAM mails
• Pharming attacks (DNS poisoning)
• Kevin Mitnick arrested, five years imprisonment

Computing eras: standalone systems (disk/diskette sharing); client-server/PC-LAN networks; Internet collaboration (email, web, IRC, IM, P2P, file sharing)
Phase labels on the timeline: Discovery; Experimentation; Criminal Exploitation; Computer Crimes; Cyber Crimes; Information Warfare
Security standards on the timeline: Trusted Operating Systems (Orange Book); Trusted Network (Red Book), ITSEC; UK Green Book to BS 7799 to ISO 17799; Common Criteria (ISO 15408)
Weakness classes on the timeline: insecure defaults / weak security techniques / feature misuse / social engineering; protocol weaknesses / buffer overflow

Produced by Meng Chow Kan
Threats: Internet Attacks

• Virus/worm authors
• Internet hackers
• Web defacements, denial of service
• Botnets, botnet controllers (IRC servers), bot herders
• DNS servers (pharming attacks)
• Social engineering via IM/emails/P2P/in-person
• Spammers, open proxies, open mail relays
• Phishers, phishing web sites, phishers' "safe houses"
• Spyware/Trojans/rootkits
• Organized crime syndicates
• Target: online business

Produced by Meng Chow Kan
[Figure: 3-D display of real-time incoming packet flow, showing arrivals of scanning packets. Axes: source IP address, destination IP address, destination port number, source port number. Packet classes shown: TCP SYN, TCP SYN/ACK, UDP, ICMP, TCP of non-SYN or non-SYN/ACK. Patterns highlighted: address scanning and port scanning.]
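The packet-flow display above makes address scans and port scans visible as patterns in the arrivals of TCP SYN (and UDP) packets. As an added example, not part of the original presentation, the Python script below applies the same two patterns to a constructed packet sample: a source that sends connection attempts to many destination addresses on one port is reported as an address scan, and a source that tries many ports on one destination is reported as a port scan. The Packet record layout, the sample addresses (taken from the documentation ranges) and the thresholds are assumptions made for this example.

```python
"""Classify address scans and port scans from packet records.

Added example (not from the presentation). Only connection attempts are
counted as probes: TCP SYN without ACK, and UDP. SYN/ACK and other non-SYN
TCP packets are replies or established traffic and are ignored, as is ICMP.
"""
from collections import defaultdict
from typing import List, NamedTuple


class Packet(NamedTuple):
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str   # "tcp", "udp" or "icmp"
    flags: str   # TCP flags such as "S", "SA", "A"; "" for non-TCP


class Finding(NamedTuple):
    src_ip: str
    kind: str     # "address_scan" or "port_scan"
    anchor: str   # the fixed element: the port for address scans, the host for port scans
    count: int    # number of distinct hosts (address scan) or ports (port scan)


def is_probe(pkt: Packet) -> bool:
    """A probe is a bare TCP SYN or any UDP datagram."""
    if pkt.proto == "tcp":
        return pkt.flags == "S"
    return pkt.proto == "udp"


def classify_scans(packets, min_hosts: int = 5, min_ports: int = 5) -> List[Finding]:
    """Group probes per source; report sources exceeding either threshold.

    Address scan: one source, one destination port, many destination hosts.
    Port scan:    one source, one destination host, many destination ports.
    Thresholds (assumed values) decide how many targets count as a scan.
    """
    hosts_by_src_port = defaultdict(set)   # (src, dst_port) -> {dst_ip}
    ports_by_src_host = defaultdict(set)   # (src, dst_ip)   -> {dst_port}
    for pkt in packets:
        if not is_probe(pkt):
            continue
        hosts_by_src_port[(pkt.src_ip, pkt.dst_port)].add(pkt.dst_ip)
        ports_by_src_host[(pkt.src_ip, pkt.dst_ip)].add(pkt.dst_port)

    findings = []
    for (src, port), hosts in sorted(hosts_by_src_port.items()):
        if len(hosts) >= min_hosts:
            findings.append(Finding(src, "address_scan", str(port), len(hosts)))
    for (src, host), ports in sorted(ports_by_src_host.items()):
        if len(ports) >= min_ports:
            findings.append(Finding(src, "port_scan", host, len(ports)))
    return findings


def build_sample() -> List[Packet]:
    """Constructed traffic sample: two scans plus benign background traffic."""
    pkts = []
    # Address scan: one source sends TCP SYN to port 445 on eight hosts.
    for i in range(1, 9):
        pkts.append(Packet("203.0.113.5", f"192.0.2.{i}", 445, "tcp", "S"))
    # Port scan: one source sends TCP SYN to seven ports on one host.
    for port in (21, 22, 23, 25, 80, 110, 143):
        pkts.append(Packet("198.51.100.7", "192.0.2.10", port, "tcp", "S"))
    # Benign web session: SYN, the SYN/ACK reply, then an ACK; only the SYN is a probe.
    pkts.append(Packet("192.0.2.50", "192.0.2.1", 80, "tcp", "S"))
    pkts.append(Packet("192.0.2.1", "192.0.2.50", 51000, "tcp", "SA"))
    pkts.append(Packet("192.0.2.50", "192.0.2.1", 80, "tcp", "A"))
    # Two DNS lookups over UDP, well under the address-scan threshold.
    for i in (1, 2):
        pkts.append(Packet("192.0.2.60", f"192.0.2.{i}", 53, "udp", ""))
    return pkts


SAMPLE_PACKETS = build_sample()

if __name__ == "__main__":
    for f in classify_scans(SAMPLE_PACKETS):
        print(f"{f.src_ip}: {f.kind}, {f.count} targets, fixed element {f.anchor}")
```

On the sample, the script reports exactly two findings: the source on port 445 as an address scan of 8 hosts and the source against 192.0.2.10 as a port scan of 7 ports; the benign session and the DNS lookups stay below both thresholds. In a real deployment the thresholds would be set per network from observed baselines, and the grouping would be done over a sliding time window rather than over a whole capture.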
If there are no appropriate security countermeasures in the organization, the following risks can be assumed, for example:
• Loss of customer services, sales and market share; loss of revenue, income and financial stability
• Damage to customer trust and confidence; damage to image, reputation and brand name
• Non-compliance with legislation
First, what do we have to PROTECT? Information assets in the organization

Information assets: anything related to "Information" that has value to the organization.

Examples of information assets:
• Electronic information (management strategy information, customer information, personnel information, etc.)
• Data
• Paper
• Manuals
• Conversation
• Information facilities, communication lines, control rooms
Example of a security incident

Leakage of the information of 560,000 customers was detected in 2003.
• Private data (raw data) were stolen and leaked from a PC for development used by a contracted vendor.
• Consequences: lack of confidence; apology to the customers; gift coupons sent to the customers (damage: 5 million $); salary reduction.
• Causes: private data were not well managed; vendors were not well managed.
Risks in organizations: risk analysis

Risk can be calculated by "Threats" x "Vulnerability" x "Importance of Assets"
• Threat (e.g. virus, worm, etc.)
• Vulnerability (e.g. uninstalled anti-virus software, lack of security awareness, etc.)
• Information assets (data)
• Risk (e.g. service interruption, data destruction, etc.)

Risk is assessed by using threats, vulnerability and assets.
Security controls are indispensable!
1st step: identification of all information assets
• Human affairs information
• Customer information
• Management strategy information
• New service information
• ・・・

2nd step: risk assessment
• Risk is quantified for each asset (new service information, customer information, human affairs information, management strategy information, ・・・) and compared with the risk acceptance level.

3rd step: risk treatment
• Implement controls selected to reduce risk, for example for the assets whose risk exceeds the acceptance level (new service information, human affairs information, management strategy information, customer information, ・・・).
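The three steps above (identify assets, quantify risk as threats x vulnerability x importance of assets and compare it with the risk acceptance level, then treat what is above the level) are shown below as an added worked example; it is not code from the presentation or from any standard. The 1-to-5 scoring scales, the asset inventory, the acceptance level of 30 and the vulnerability level each control leaves behind are constructed assumptions.

```python
"""Risk assessment and treatment over an asset inventory (added example).

Step 1 identifies assets, step 2 scores risk = threat x vulnerability x
importance and compares it with the acceptance level, step 3 applies a
control that lowers the vulnerability score and recomputes the residual
risk. Scales, assets, controls and the acceptance level are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    importance: int               # 1 (low) .. 5 (critical), importance of the asset
    threat: int                   # 1 .. 5, likelihood/severity of the threat
    vulnerability: int            # 1 .. 5, how exposed the asset currently is
    control: Optional[str] = None # control applied during risk treatment, if any


@dataclass
class Treatment:
    asset: str
    control: str
    risk_before: int
    risk_after: int
    accepted: bool                # residual risk within the acceptance level


# Vulnerability level remaining after a control is applied (constructed values).
CONTROLS: Dict[str, int] = {
    "anti-virus + patching": 1,
    "vendor contract + access logging": 2,
    "encryption at rest": 1,
}

# Which control is planned for which asset (constructed).
PLAN: Dict[str, str] = {
    "Customer information": "vendor contract + access logging",
    "Human affairs information": "anti-virus + patching",
}


def risk_score(asset: Asset) -> int:
    """Risk = Threats x Vulnerability x Importance of Assets."""
    return asset.threat * asset.vulnerability * asset.importance


def identify_assets() -> List[Asset]:
    """Step 1: inventory of information assets with their scores (constructed)."""
    return [
        Asset("Customer information", importance=5, threat=4, vulnerability=4),
        Asset("Management strategy information", importance=5, threat=3, vulnerability=2),
        Asset("Human affairs information", importance=4, threat=3, vulnerability=3),
        Asset("New service information", importance=3, threat=2, vulnerability=2),
    ]


def assess_risks(assets: List[Asset], acceptance_level: int) -> List[Asset]:
    """Step 2: quantify every risk; return those above the acceptance level, highest first."""
    above = [a for a in assets if risk_score(a) > acceptance_level]
    return sorted(above, key=risk_score, reverse=True)


def treat_risks(assets: List[Asset], acceptance_level: int, plan: Dict[str, str]) -> List[Treatment]:
    """Step 3: apply the planned control to each unacceptable risk and recompute the residual.

    A residual risk that is still above the level is reported as not accepted,
    so the next PDCA cycle can select a further control.
    """
    results = []
    for asset in assess_risks(assets, acceptance_level):
        before = risk_score(asset)
        control = plan.get(asset.name)
        if control is None:
            results.append(Treatment(asset.name, "(none planned)", before, before, False))
            continue
        asset.vulnerability = min(asset.vulnerability, CONTROLS[control])
        asset.control = control
        after = risk_score(asset)
        results.append(Treatment(asset.name, control, before, after, after <= acceptance_level))
    return results


if __name__ == "__main__":
    inventory = identify_assets()
    for t in treat_risks(inventory, acceptance_level=30, plan=PLAN):
        status = "accepted" if t.accepted else "still above level"
        print(f"{t.asset}: {t.risk_before} -> {t.risk_after} via {t.control} ({status})")
```

With these constructed numbers, customer information (80) and human affairs information (36) exceed the acceptance level of 30 while management strategy information sits exactly at 30 and is accepted. After treatment the human affairs risk drops to 12, but the customer information risk only falls to 40, which is the point of recomputing the residual: treatment is iterated until the residual risk is within the acceptance level, not applied once.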
From JPDEC

ISMS is a COMMON Language for Information Security!!
Information Security Management System (ISMS) is necessary: the PDCA model

An ISMS is established and maintained in organizations to protect the information assets in the organization, covering:
1. Security policy
2. Security organisation
3. Asset classification & control
4. Personnel security
5. Physical & environmental security
6. Communications & operations management
7. Access control
8. Systems development & maintenance
9. Business continuity
10. Compliance
ISO/IEC JTC 1/SC27 WG1 & ITU-T SG17

SC 27
• Chair: Dr Walter Fumy
• Vice-chair: Dr Marijke de Soete
• Secretariat: Krystyna Passia

Working groups:
• WG1 Security management standards, Convenor Ted Humphreys
• WG2 Security techniques, Convenor Prof. Kenji Naemura
• WG3 Security evaluation, Convenor Mats Ohlin
• WG4 Security controls and services, M.-C. Kang
• WG5 Identity management and privacy technologies, Prof Kai Rannenberg

ITU-T side: SG17/WP2
Hierarchical Security Management Model (SC 27 View)

• Terminology
• Toolbox of techniques
• Frameworks provide a simplified description of interrelationships used to organize concepts, methods and technologies
• Principles provide generally accepted high-level basic rules used as a foundation to guidance
• Element standards provide specific requirements that apply to a defined area of security management
• Application guides and supplements provide detailed descriptions offering guidance on how element standards may be applied in specific situations
Hierarchical Security Management Model (SC 27 View discussed in WG1)

Layers: application guides and supplements; element standards; frameworks; principles; terminology; toolbox of techniques.

Standards placed in the model:
• Vocabulary & concepts (27000)
• ISMS requirements (27001)
• Code of practice (27002/17799)
• ISMS implementation guidance (27003)
• ISM measurements (27004)
• Risk management (27005)
• Accreditation (27006)
• IT network security (IS 18028 / ITU-T X.???)
• IT intrusion detection framework (TR 15947)
• Information security incident management (TR 18044)
• Guidelines for TTP services (IS 14516 / ITU-T X.842)
• Healthcare ISMS guide (TC 215)
• Telecom ISM guide (27011) (ITU-T X.1051)
• Financial ISMS guide (TC 68)
• SC 27 SD 6, updated and harmonized with ISO Guide 73
Evolution of information security management (guideline)

Code of practice for information security management:
BS 7799-1:1995 → BS 7799-1:1999 → ISO/IEC 17799:2000 → ISO/IEC 17799:2005 (15th June 05)

ISMS requirements:
BS 7799-2:1998 → BS 7799-2:1999 → ISO/IEC 27001:2005 (15th Oct 05)

Structure of ISMS standards in ISO: the 27000 family
• 27000 Fundamentals and vocabulary
• 27001 ISMS requirements
• 27002 (17799) Code of practice
• 27003 ISMS implementation guidelines
• 27004 ISM measurements
• 27005 ISMS risk management
• 27006 ISMS accreditation guidelines
ISO/IEC 27001 Information security management system requirements

• Fact sheet
• This was published on the 15th Oct 05
• It is a certification and auditable standard and it replaces BS 7799-2:2002
• Based on a mandatory risk based approach and aims at achieving effective information security through a continual improvement process
• Includes an Annex (Annex A) which lists the controls from 17799 with the 'should' replaced with the mandatory 'shall'
• Uses the same PDCA management systems process model as ISO 9001 (QMS) and ISO 14001 (EMS)
ISO/IEC 17799 Code of practice for information security management

• Fact sheet
• The revised 2000 version of this standard was published on the 15th June 05
• This is NOT a certification and auditable standard; it is a code of best practice
• Its aim is to provide a catalogue of non-mandatory best practice with some implementation guidelines; the controls in 17799 are contained in ISO/IEC 27001 Annex A as mandatory 'shall' statements
• From April 2007 ISO/IEC 17799 is expected to be renumbered as 27002
ISO/IEC 27002 (17799) Policies, procedures, technical & non-technical controls

11 management domains:
• Security policy
• Organising information security
• Asset management
• Human resources security
• Physical & environmental security
• Communications & operations management
• Access control
• Information systems acquisition, development and maintenance
• Business continuity management
• Compliance
• Information security incident management

Applied across: business processes, information, people, services, ICT, physical, applications
Study Group 17 Security Questions 2005-2008

• Q4/17 Communications system security: vision, project roadmap, compendia, ...
• Q5/17 Security architecture & framework: architecture, model, concepts, frameworks, etc.; X.800 series, X.805
• Q6/17 Cyber security: vulnerability information sharing, incident handling operations, security strategy, countering SPAM
• Q7/17 Security management: ISM guidelines for telecom, incident management, risk assessment methodology, etc.; X.1051
• Q8/17 Telebiometrics: multimodal model framework, system mechanism, protection procedure; X.1081
• Q9/17 Secure communication services: mobile secure communications, home network security, security web services; X.1121, X.1122
• Q17/17

Layered view, from telecom systems to telecom system users:
• Designs and specifications of secure application services and protocols (mobile services, web services, home network services, other services): Q9, Q17
• Security architecture and framework on telecommunications services: Q5
• Security management guidelines for telecommunications: Q7
• Techniques of cyber-security for any applications: Q6
• Techniques of telebiometrics for any applications: Q8
Security management working scopes in Q7

Information security management guidelines for telecommunications (existing X.1051, Information security management system – Requirements for telecommunications (ISMS-T))
・Maintain and revise Recommendation X.1051, "Information Security Management Guidelines for telecommunications based on ISO/IEC 27002".
・Jointly develop a guideline of information security management with ISO/IEC JTC 1/SC 27.

Risk management methodology
・Study and develop a methodology of risk management for telecommunications in line with Recommendation X.1051.
・Produce and consent a new ITU-T Recommendation for risk management methodology.

Incident management
・Study and develop a handling and response procedure on security incidents for telecommunications in line with Recommendation X.1051.
・Produce and consent a new ITU-T Recommendation for incident management methodology and procedures.
Information security management guidelines for telecommunications based on ISO/IEC 27002, under Question 7/SG17

Introduction of information security management guidelines for telecommunications (revised X.1051)

Areas of the revised X.1051 (information assets for telecom):
• Security policy
• Organising information security
• Asset management
• Human resources security
• Physical & environmental security
• Communications & operations management
• Access control
• Information systems acquisition, development and maintenance
• Business continuity management
• Compliance
• Information security incident management

Approach to develop the revised Recommendation X.1051

• ISO/IEC 17799 (2005): CONTROL; implementation guidance; other information
• Existing X.1051: ISMS process; CONTROL; implementation requirements for telecom
• Revised X.1051, "Information Security Management Guidelines for Telecommunications based on ISO/IEC 27002": CONTROL; implementation guidance for telecom; other information
Framework of the revised X.1051

① ISO/IEC 17799 (2005): strategies in 11 areas for general business (controls)
  1. Security policy
  2. Organization of information security
  3. Asset management
  4. Human resources security
  5. Physical and environmental security
  6. Communications and operations management
  7. Access control
  8. Information systems acquisition, development and maintenance
  9. Information security incident management
  10. Business continuity management
  11. Compliance
② ITU recommendation ISMS-T (X.1051), Annex A (2004)
③ Legal requirements for telecommunications organizations
  ○ Telecommunications Business Law: ① protecting the confidentiality of communications; ② priority treatment for important communications; ③ delineation of responsibilities
  ○ Other legislation relevant to telecommunications
Brief introduction of the revised X.1051: main elements of the information security management guideline for telecommunications

Importance of information security management in telecommunications organizations

◎ Considerations on information security for telecommunications organizations

Telecommunications organizations are required to take additional considerations into account beyond ISO/IEC 17799 to further ensure their information security.

Ex 1: Telecommunications organizations should consider that telecommunications equipment and facilities are used by users of telecommunications services outside the organization, in addition to considering that information processing facilities are used by employees and subcontractors inside the organization.

Ex 2: Telecommunications organizations provide telecommunications services by interconnecting and sharing telecommunications equipment with other telecommunications organizations, and by using the telecommunications services of other telecommunications organizations. The information security of telecommunications organizations is therefore mutually dependent.

Ex 3: A business continuity plan is strongly required for telecommunications organizations, since threats such as cyber attacks, viruses and worms are increasing on the Internet.

Additionally, they should ensure compliance with, and prevent violation of, the relevant legislative requirements with respect to ensuring the confidentiality of communications and protecting personal information.
Structure of descriptions in the revised X.1051

◎ 11 security management areas (clauses 5 to 15): Security policy; Organization of information security; Asset management; Human resources security; Physical and environmental security; Communications and operation management; Access control; Information systems acquisition, development and maintenance; Information security incident management; Business continuity management; Compliance.

Each area follows the same structure as ISO/IEC 17799 (2005):
◎ Objectives (with "objectives" added for telecommunications)
◎ Controls (with "controls" added for telecommunications)
◎ Implementation guidance (with "implementation guidance" added for telecommunications)
◎ Related information (other information)
Outline (1/2)

0. Introduction
1. Scope
2. Terms and definitions
   2.1 Terms and definitions for information security in general
   2.2 Terms and definitions for information security in telecommunications organizations
3. Structure of this Guideline
4. Information security management systems in the telecommunications industry
   4.1 Goal
   4.2 Information assets to be protected
   4.3 Establishment of information security management
5. Security policy
   5.1 Information security policy
6. Organization of information security
   6.1 Internal organization
   6.2 External parties
7. Asset management
   7.1 Responsibility for assets
   7.2 Information classification
8. Human resources security
   8.1 Prior to employment
   8.2 During employment
   8.3 Termination or change of employment
9. Physical and environmental security
   9.1 Secure area
   9.2 Equipment security
   9.3 Security under the control of other parties

*Underlines indicate the newly described areas compared with ISO/IEC 17799.

Outline (2/2)

10. Communications and operations management
   10.1 Operational procedures and responsibilities
   10.2 Third party service delivery management
   10.3 System planning and acceptance
   10.4 Protection against malicious and mobile code
   10.5 Back-up
   10.6 Network security management
   10.7 Media handling
   10.8 Exchange of information
   10.9 E-commerce service
   10.10 Monitoring
11. Access control
   11.1 Business requirements for access control
   11.2 User access management
   11.3 User responsibilities
   11.4 Network access control
   11.5 Operating system access control
   11.6 Application and information access control
   11.7 Mobile computing and teleworking
12. Information systems acquisition, development and maintenance
   12.1 Security requirements of information systems
   12.2 Correct processing in applications
   12.3 Cryptographic controls
   12.4 Security of system files
   12.5 Security in development and support processes
   12.6 Technical vulnerability management
13. Information security incident management
   13.1 Reporting information security events and weaknesses
   13.2 Management of information security incidents and improvements
14. Business continuity management
   14.1 Information security aspects of business continuity management
15. Compliance
   15.1 Compliance with legal requirements
   15.2 Compliance with security policies and standards, and technical compliance
   15.3 Information systems audit considerations
Recommendations planned to be developed in Q7/17 (Security Management)

• X.1050: To be proposed
• X.1051: In revision process (Information Security Management Guidelines for Telecommunications based on ISO/IEC 27002)
• X.1052: To be proposed
• X.1053: To be proposed (Implementation Guide for Telecoms)
• X.1054: To be proposed (Measurements and metrics for Telecommunications)
• X.1055: In the first stage of development (Risk Management Guidelines for Telecommunications)
• X.1056: In the first stage of development (Security Incident Management Guidelines for Telecommunications)
• X.1057: To be proposed (Identity Management for Telecoms)
Future schedule

* 2007 September, ITU-T SG17 meeting: Draft Rec. X.1051, final review in ITU-T
* 2007 October, ISO/IEC SC27 meeting: Draft ISO/IEC 27011 (X.1051), FCD process (final technical review)
* 2007 December, ITU-T SG17 WP2 meeting: Draft Rec. X.1051, finalizing process; consent in ITU-T and FDIS process in ISO
Final remark

Information security management should be established and maintained with the overall environment in mind: not only for organizations, but also for network providers (telecommunications organizations, ISPs) and customers.
• Organizations: ISMS (ISO 27001) protecting their information assets (data)
• Network providers (telecom, ISPs) and customers: ISMS 27001 and ITU-T X.1051