security standardization in itu-t
TRANSCRIPT
International Telecommunication Union
Cybersecurity Symposium II 29 March 2005 Moscow, Russia
Security StandardizationSecurity Standardizationin ITUin ITU--TT
Herbert BertineChairman ITU-T Study Group 17
2Cybersecurity Symposium II 29 March 2005 Moscow, Russia
ITU Plenipotentiary Conference 2002Resolution PLEN/2 - Strengthening the role of ITU in
information and communication network security
resolves1 to review ITU's current activities in information and
communication network security;2 to intensify work within existing ITU study groups in order
to:a) reach a common understanding on the importance of
information and communication network security by studying standards on technologies, products and services with a view to developing recommendations, as appropriate;
b) seek ways to enhance exchange of technical information in the field of information and communication network security, and promote cooperation among appropriate entities;
c) report on the result of these studies annually to the ITU Council.
3Cybersecurity Symposium II 29 March 2005 Moscow, Russia
ITU-T World Telecommunications Standardization Assembly (WTSA)
o Resolution 50, Cyberscecurity- Evaluate existing and evolving new Recommendations with respect to their robustness of design and potential for exploitation by malicious parties- Raise awareness of the need to defend against the threat of cyber attack
o Resolution 51, Combating spam- Report on international initiatives for countering spam- Member States to take steps within their national legal frameworks to ensure measures are taken to combat spam
o Resolution 52, Countering spam by technical means- Study Groups, in cooperation with other relevant groups, to develop as a matter of urgency technical Recommendations on countering spam
4Cybersecurity Symposium II 29 March 2005 Moscow, Russia
ITU-T Study Groupswww.itu.int/ITU-T
o SG 2 Operational aspects of service provision, networks and performance
o SG 3 Tariff and accounting principles including related telecommunications economic and policy issues
o SG 4 Telecommunication management o SG 5 Protection against electromagnetic environment effects o SG 6 Outside plant and related indoor installationso SG 9 Integrated broadband cable networks and television and
sound transmissiono SG 11 Signalling requirements and protocols o SG 12 Performance and quality of serviceo SG 13 Next generation networks o SG 15 Optical and other transport network infrastructures o SG 16 Multimedia terminals, systems and applications o SG 17 Security, languages and telecommunication softwareo SG 19 Mobile telecommunication networks o TSAG Telecommunication Standardization Advisory Group
5Cybersecurity Symposium II 29 March 2005 Moscow, Russia
ITU-T Security ManualDecember 2003, October 2004
o Basic security architecture and dimensionso Vulnerabilities, threats and riskso Security framework requirementso PKI and privilege management with X.509o Applications (VoIP, IPCablecom, Fax, Network
Management, e-prescriptions)o Security terminology o Catalog of ITU-T security-related
Recommendationso List of Study Groups and security-related Questions
www.itu.int/itudoc/itu-t/85097.pdfwww.itu.int/itudoc/itu-t/86435.pdf
7Cybersecurity Symposium II 29 March 2005 Moscow, Russia
ITU-T Study Group 17www.itu.int/ITU-T/studygroups/com17
o Lead Study Group for Telecommunication Securitywww.itu.int/ITU-T/studygroups/com17/tel-security.html• Coordination/prioritization of security efforts• Development of core security Recommendations
o Led ITU-T Workshop on Security 13-14 May 2002www.itu.int/ITU-T/worksem/security• Security requirements and telecommunication reliability• Hot topics on IP-based network security• Security management• Biometric authentication
o Another ITU-T Workshop on Security being planned
o Initiated the ITU-T Security Project• Provide vision and direction for future work• Reflect situation of current work
8Cybersecurity Symposium II 29 March 2005 Moscow, Russia
E x i s t i n g R e c o m m e n d a t i o n s i n X . 8 0 0 - se r i e s
S e c u r i t y A r c h i t e c t u r eX . 8 0 0
L o w e r L a y e r sS e c u r i t y M o d e l
X . 8 0 2
U p p e r L a y e r sS e c u r i t y M o d e l
X . 8 0 3
S e c u r i t y F r a m e w o r k s : O v e r v i e w X . 8 1 0
Authentication
Framew
ork
Access C
ontrol
Framew
ork
Non-R
epudiation
Framew
ork
Confidentiality
Framew
ork
Integrity
Framew
ork ·· ·
G e n e r i c U p p e r L a y e r s S e c u r i t y: O v e r v i e w X . 8 3 0
Security Exchange
Service Element
Protecting Transfer
Syntax Specification
Security
Information O
bject
Guideline on the
Use of TTP ·
· ··· ·
C o m m u n i c a t i o n S y s t e mS e c u r i t y
I n f o r m a t i o n S e c u r i t y M a n a g e m e n t( T e l e c o m I S M S )
M o b i l e S e c u r i t y
Te le -b i o m e t r i c s
NEW
C u r r e n t w o r k i t e m s
Study Group 17 Security Focus2001-2004
9Cybersecurity Symposium II 29 March 2005 Moscow, Russia
ITU-T SG 17 Security Focus2001-2004
o Public Key and Attribute Certificate Frameworks (X.509) Revision 2005• Ongoing enhancements as a result of more complex uses
o Security Architecture (X.805) New 2003• For end-to-end communications
o Security Management System (X.1051) New 2004• For risk assessment, identification of assets and
implementation characteristics
o Mobile Security (X.1121 and X.1122) New 2004• For mobile end-to-end data communications
o Telebiometric Multimodal Model (X.1081) New 2004• A framework for the specification of security and safety
aspects of telebiometrics
10Cybersecurity Symposium II 29 March 2005 Moscow, Russia
Cyber Security*Vulnerability information sharing…*Incident handling operations*Security Strategy
Secure Communication Services*Mobile secure communications*Security web services*X.1121, X.1122
Q6/17
Q9/17
Q7/17 Q5/17
Communications System Security *Vision, Project Roadmap, Compendia, …Q4/17
Telebiometrics *Telebiometric Model*Telebiometric Authentication*X.1081
Q8/17
SecurityArchitecture& Framework
*Architecture,Model,Concepts, Frameworks,
*etc…*X.800 series*X.805
SecurityManagement*ISMS-T*Incident
Management*Risk
AssessmentMethodology
*etc…*X.1051
TelecomSystems
Telecom Systems Users
Study Group 17 Security Questions2005-2008
11Cybersecurity Symposium II 29 March 2005 Moscow, Russia
Concluding Observations
o Security is everybody's business
o Security needs to be designed in upfront
o Security must be an ongoing effort
o Systematically addressing vulnerabilities(intrinsic properties of networks/systems)is key so that protection can be provided independent of what the threats (which are constantly changing and may be unknown) may be – X.805 is helpful here
International Telecommunication Union
Cybersecurity Symposium II 29 March 2005 Moscow, Russia
Thank You!Thank You!
Cybersecurity Symposium II 29 March 2005 Moscow, Russia
13Cybersecurity Symposium II 29 March 2005 Moscow, Russia
Additional Details on Recently Approved
Study Group 17 Security Recommendations
14Cybersecurity Symposium II 29 March 2005 Moscow, Russia
X.805: Security Architecturefor End-to-End Communications
Acc
ess
Co
ntr
ol
Infrastructure Security
Applications Security
Services Security
End User Plane
Control Plane
Management Plane
THREATS
VULNERABILITIES
8 Security Dimensions
ATTACKS
Dat
a C
on
fid
enti
alit
y
Co
mm
un
icat
ion
Sec
uri
ty
Dat
a In
teg
rity
Ava
ilab
ility
Pri
vacy
Destruction
Disclosure
Corruption
Removal
Au
then
tica
tio
n
No
n-r
epu
dia
tio
n
Interruption
3Security
layers
3 Security Planes
• Vulnerabilities can exist in each Layer, Plane and Dimension• 72 Security Perspectives (3 Layers Ò 3 Planes Ò 8 Dimensions)
X.805
15Cybersecurity Symposium II 29 March 2005 Moscow, Russia
ITU-T X.805 Approach
Bell Labs Advanced Technologies Lucent Technologies - Proprietary 21
Access Control
Authentication
Non-repudiation
Data Confidentiality
Module NineModule SixModule ThreeUser Plane
Module EightModule FiveModule TwoControl/Signaling Plane
Module SevenModule FourModule OneManagement Plane
Applications LayerServices LayerInfrastructure Layer
Communication Security
Data Integrity
Availability
Privacy
The 8 Security DimensionsAre Applied to Each Security Perspective
Execute–Top Row for Analysis
of Management Network
–Middle Column for Analysis of Network Services
–Intersection of Each Layer and Plane for analysis of Security Perspective
X.805
16Cybersecurity Symposium II 29 March 2005 Moscow, Russia
ITU-T X.805
Provides A Holistic Approach:o Comprehensive, End-to-End Network View of Securityo Applies to Any Network Technology
• Wireless, Wireline, Optical Networks• Voice, Data, Video, Converged Networks
o Applies to Any Scope of Network Function• Service Provider Networks• Enterprise Networks• Government Networks• Management/Operations, Administrative Networks• Data Center Networks
o Can Map to Existing Standardso Completes the Missing Piece of the Security Puzzle of what to
do nextX.805
17Cybersecurity Symposium II 29 March 2005 Moscow, Russia
Security Management
o Information security management system –Requirements for telecommunications(ISMS-T)
- specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the telecommunication’s overall business risks.- leverages ISO/IEC 17799:2000, Information technology, Code of practice for information security management- based on BS 7799-2:2002, Information Security Management Systems — Specifications with Guidance for use
X.1051
18Cybersecurity Symposium II 29 March 2005 Moscow, Russia
3. Asset classification& control
2. Organizational Security
1. Security policy
5. Physical & environmental security
4. Personnel security
7. Access control
10. Compliance
9. Business continuitymanagement
8. Systems development &maintenance
Information Assetsfor Telecom
6. Communications &operations management
Information Security Management Domains defined in ISO/IEC 17799
19Cybersecurity Symposium II 29 March 2005 Moscow, Russia
o Organizational securityo Asset managemento Personnel securityo Physical and environmental securityo Communications and operations managemento Access controlo System development and maintenance
ISMS
Information Security
Management System
X.1051
20Cybersecurity Symposium II 29 March 2005 Moscow, Russia
Mobile Security
Multi-part standard o Framework of security technologies for mobile end-
to-end data communications- describes security threats, security requirements, and securityfunctions for mobile end-to-end data communication- from the perspectives of the mobile user and application service provider (ASP)
o Guideline for implementing secure mobile systems based on PKI- describes considerations of implementing secure mobile systems based on PKI, as a particular security technology
o Security Policy (under development)- different quality of security service needs to satisfy various requirements of security services of both user and ASP
X.1121
X.1122
21Cybersecurity Symposium II 29 March 2005 Moscow, Russia
Mobile Network Open Network
Data communication
Application Server(ASP)
Mobile Terminal
(Mobile User)
Datacommunication
Application Server(ASP)
Mobile Terminal
(Mobile User)
Datacommunication
GeneralCommunication
Framework
GatewayFramework
• Security threats• Relationship of security threats and models• Security requirements• Relationship of security requirements and threats• Security functions for satisfying requirementsX.1121
Security framework for mobileend-to-end data communications
Mobile SecurityGateway
22Cybersecurity Symposium II 29 March 2005 Moscow, Russia
Mobile Network Open Network
Application Server(ASP)
Mobile Terminal
(Mobile User)
MobileUser VA
ASP’s VA
Mobile user’s side CA
CA
RA
Repository
Repository
ASP’s side CA
Mobile Network Open Network
Application Server(ASP)
Mobile Terminal
(Mobile User)
MobileUser VA
ASP’s VA
Mobile user’s side CA
CA
RA
Repository
Repository
ASP’s side CAGateway
Model
General Model
X.1122
Secure mobile systems based on PKI
ASP Application Service ProviderCA Certification AuthorityRA Registration AuthorityVA Validation Authority
23Cybersecurity Symposium II 29 March 2005 Moscow, Russia
Telebiometrics
o A model for security and public safety in telebiometrics that can -• assist with the derivation of safe limits for the operation of
telecommunications systems and biometric devices• provide a framework for developing a taxonomy of
biometric devices; and• facilitate the development of authentication mechanisms,
based on both static (for example finger-prints) and dynamic (for example gait, or signature pressure variation) attributes of a human being.
o A taxonomy is provided of the interactions that can occur where the human body meets devices capturing biometric parameters or impacting on the body.
X.1081
24Cybersecurity Symposium II 29 March 2005 Moscow, Russia
Telebiometric Multimodal Model:A Three Layer Model
o the scientific layer• 5 disciplines: physics, chemistry, biology,
culturology, psychology
o the sensory layer – 3 overlapping classifications of interactions• video (sight), audio (sound), chemo (smell, taste),
tango (touch); radio (radiation) - each with an out(emitted) and in (received) state
• behavioral, perceptual, conceptual• postural, gestural, facial, verbal, demeanoral, not-a-
signo the metric layer
• 7 SI base units (m, kg, s, A, K, mol, cd)X.1081