arkadiy kremer chairman itu-t study group 17 session 2: role of standardization in cybersecurity

Arkadiy KremerChairman ITU-T Study

Group 17

Session 2:Role of

Standardization in Cybersecurity

ITU Open Forum on Cybersecurity, 6 December 2008

“We have received a strong message from our members that ITU is, and will remain the world’s pre-eminent global telecommunication and ICT standards body. And we hear also, and very clearly, that ITU should continue on its mission to connect the world, and that bringing the standardization gap, by increasing developing country participation in our work, is an essential prerequisite to achieve this goal”.

Malcolm Johnson, TSB Director

(Closing speech at the WTSA-08)

2 of 23


Strategic direction WSIS Action Line C5, Building confidence and security in use of ICTs WTSA-08 Resolution 50, Cybersecurity – Resolves “that ITU-T continue

to evaluate existing and evolving new Recommendations, and especially signaling and telecommunication protocol Recommendations, with respect to their robustness of design and potential for exploitation by malicious parties to interfere destructively with their deployment in the global information and telecommunication infrastructure”.

WTSA-08 Resolution 52, Countering and combating spam – Instructs ITU-T study groups “to continue collaboration with the relevant organizations (e.g., IETF), in order to continue developing, as a matter of urgency, technical Recommendations with a view to exchanging best practices and disseminating information through joint workshops, training sessions, etc.“

3 of 23


Strategic direction (cont.)

4 of 23

Plenipotentiary Resolution 130, Strengthening the role of ITU in building confidence and security in the use of information and communication technologies – Instructs Director of TSB to intensify work in study groups, address threats & vulnerabilities, collaborate, and share information

Plenipotentiary Resolution 149, Study of definitions and terminology relating to building confidence and security in the use of information and communication technologies - Instructs Council to study terminology

ITU Global Cybersecurity Agenda. Key work areas: Legal Measures, Technical and Procedural Measures, Organizational Structures, Capacity Building, International Cooperation. World renowned Group of High-Level Experts report to ITU Secretary General contains recommendations in each of the five areas


Coordination

5 of 23

ISO/IEC/ITU-T Strategic Advisory Group SecurityOversees standardization activities in ISO, IEC and ITU-T relevant to security; provides advice and guidance relative to coordination of security work; and, in particular, identifies areas where new standardization initiatives may be warranted (portal established, workshops conducted)

Global Standards CollaborationITU and participating standards organizations exchange information on the progress of standards development in the different regions and collaborate in planning future standards development to gain synergy and to reduce duplication. GSC-13 resolutions concerning security include Cybersecurity (13/11), Identity Management (13/04), Network aspects of identification systems (13/03), Personally Identifiable Information protection (13/25).


ITU-T security activities

6 of 23

Study Group 17 is the lead study group in the ITU-T for security – responsible for:• Coordination of security work• Development of core Recommendations

Most of the other study groups have responsibilities for standardizing security aspects specific to their technologies (TMN security, IPCablecom security, NGN security, Multimedia security, etc.)


SG 17 Security Project

7 of 23

Security Coordination• Within SG 17, with ITU-T SGs, with ITU-D and externally• Kept others informed - TSAG, IGF, ISO/IEC/ITU-T SAG-S…• Made presentations to workshops/seminars and to GSC• Maintained reference information on LSG security webpage

Security Compendium• Includes catalogs of approved security-related

Recommendations and security definitions extracted from approved Recommendations

Security Standards Roadmap• Includes searchable database of approved ICT security

standards from ITU-T and others (e.g., ISO/IEC, IETF, ETSI, IEEE, ATIS)

ITU-T Security Manual – assisted in its development


Core Security Recommendations

8 of 23

Strong ramp-up on developing core security Recommendations in SG 17• 14 approved in 2007• 27 approved in 2008• 44 under development for approval next study period

Subjects include: Architecture and Frameworks Web services Directory Identity management Risk management Cybersecurity Incident management Mobile security Countering spam Security management Secure applications Telebiometrics Ubiquitous Telecommunication services SOA security

Ramping up on: Multicast Traceback Ubiquitous sensor networks

Collaboration with others on many items


Core Security Recommendations (cont.)

9 of 23

ITU-T Recommendation X.1205Overview of Cybersecurity

SummaryThis Recommendation provides a definition for Cybersecurity. The Recommendation provides taxonomy of security threats from an organization point of view. Cybersecurity threats and vulnerabilities including the most common hacker’s tools of the trade are presented. Threats are discussed at various network layers.Various Cybersecurity technologies that are available to remedy the threats are discussed including: routers, firewalls, antivirus protection, intrusion detection systems, intrusion protection systems, secure computing and audit and monitoring. Network protection principles such as defence in depth, access management with application to Cybersecurity are discussed. Risk management strategies and techniques are discussed including the value of training and education in protecting the network. Examples for securing various network based on the discussed technologies are also discussed.



10 of 23

ITU-T Recommendation X.1206A vendor-neutral framework for automatic notification of security related information and dissemination of updates

SummaryThis Recommendation provides a framework for automatic notification of security related information and dissemination of updates. The key point of the framework is that it is a vendor-neutral framework. Once an Asset is registered, updates on vulnerabilities information and patches or updates can be automatically made available to the users or directly to applications regarding the Asset.



11 of 23

Recommendation ITU-T X.1207Guidelines for telecommunication service providers for addressing the

risk of spyware and potentially unwanted software SummaryRecommendation ITU-T X.1207 provides guidelines for telecommunication service providers (TSPs) for addressing the risks of spyware and potentially unwanted software. This Recommendation promotes best practices around principles of clear notices and user's consents and controls for TSP web hosting services. This Recommendation develops and promotes best practices to users on personal computer (PC) security, including use of anti-spyware, anti-virus, personal firewall and security software updates on client systems.



12 of 23

ITU-T Recommendation X.1231Technical Strategies on Countering Spam

SummaryThis Recommendation emphasizes technical strategies on countering spam, and includes general characteristics of spam and main objectives of countering spam as well. Furthermore, recognizing that there is no single solution to resolve the spam problem, this Recommendation also provides a checklist to evaluate promising tools for countering Spam.



13 of 23

ITU-T Recommendation X.1240Technologies involved in countering email spam

SummaryThis Recommendation specifies basic concepts, characteristics, and effects of email spam, and technologies involved in countering email spam. It also introduces the current technical solutions and related activities from various standard development organizations and relevant organizations on countering email spam. It provides guidelines and information to the users who want to develop technical solutions on countering email spam. This Recommendation will be used as a basis for further development of technical Recommendations on countering email spam.



14 of 23

ITU-T Recommendation X.1241Technical framework for countering email spam

SummaryThis Recommendation provides a technical framework for countering email spam. The framework describes one recommended structure of an anti-spam Processing Domain, and defined function of major modules in it. The key point of the framework is that it establishes a mechanism to share information about email spam between different email servers. Systems follow the framework would improve efficiency through interconnection



15 of 23

Recommendation ITU-T X.1244Overall aspects of countering spam in IP-based multimedia applications

SummaryThis Recommendation specifies the basic concepts, characteristics, and technical issues related to countering spam in IP multimedia applications such as IP telephony, instant messaging, etc. The various types of IP multimedia application spam are categorized, and each categorized group is described according to its characteristics. This Recommendation describes various spam security threats that can cause IP multimedia application spam. There are various techniques developed to control the email spam which has become a social problem. Some of those techniques can be used in countering IP multimedia application spam. This Recommendation analyzes the conventional spam countering mechanisms and discusses their applicability to countering IP multimedia application spam. This Recommendation concludes by mentioning various aspects that should be considered in countering IP multimedia application spam.


Identity Management

16 of 23

Networks are increasingly distributed, converged, and packet based where access to services can be based on identity contexts and roles and accessed anywhere, anytime.

Security and trust of identity information in this environment is significantly more complex. • Users may have multiple, context dependent “identities”• Network services may require different identity trust levels• Identity information is distributed throughout the network

Old methods of managing of identity information are inadequate, may limit services, and cause significant cybersecurity problems

Consequently, a new, robust set of secure and trusted capabilities is needed i.e IdM


IdM is a set of capabilities that

17 of 23

Attach identity data to a person, device, or application. Facilitate the secure storage, retrieval and secure exchange of identity data. Provide significantly better identity lifecycle management. Can allow user control of personally identifiable information (PII).


ITU-T work on IdM

18 of 23

Managing digital identities and personally identifiable information key aspect for improving security of networks and cyberspace

Effort jump started by IdM Focus Group which produced 6 substantial reports (265 pages) in 9 months

JCA-IdM and IdM-GSI established by TSAG in December 2007• Main work is in SGs 17 and 13

Intense work program, difficult First IdM Recommendations determined under TAP:

• X.1250, Capabilities for global identity management trust and interoperability

• X.1251, A framework for user control of digital identity • Y.2720, NGN identity management framework

Many additional IdM Recommendations are under development Working collaboratively with other key bodies including:

ISO/IEC JTC 1/SC 27, Liberty Alliance, FIDIS, OASIS


Challenges

19 of 23

Addressing security to enhance trust and confidence of users in networks, applications and services

Balance between centralized and distributed efforts on developing security standards

Legal and regulatory aspects of cybersecurity, spam, identity/privacy

Address full cycle – vulnerabilities, threats and risk analysis; prevention; detection; response and mitigation; forensics; learning

Uniform definitions of cybersecurity terms and definitions Effective cooperation and collaboration across the many bodies

doing cybersecurity work – within the ITU and with external organizations

Keeping ICT security database up-to-date


Challenges (cont.)

20 of 23

There are a number of standards in field of security of telecommunication and information security. But a standard is the real standard when it is used in real world applications. Business and governmental bodies need to learn more about standards from their business applications rather than from a technical point of view.

Report for the next IGF on the business use of the main security standards• Who does this standard effect?• Status and summary of standard.• Business benefits• Technologies involved• Technical implications


Challenges (cont.)

21 of 23

WTSA-08 Resolution 76, Studies related to conformance and interoperability testing, assistance to developing countries, and a possible future ITU mark programme Interoperability of international telecommunication networks was the main reason to create ITU in the year 1865 Conformance testing would increase the chance of interoperability of equipment conforming to ITU standards Technical training and institutional capacity development for testing and certification are essential issues for countries to improve their conformity assessment processes, to promote the deployment of advanced telecommunication networks and to increase global connectivity ITU-T study groups will develop the necessary conformance testing Recommendations as soon as possible ITU-T Recommendations to address interoperability testing shall be progressed as quickly as possible


Some useful web resources

22 of 23

• ITU Global Cybersecurity Agenda (GCA) http://www.itu.int/osg/csd/cybersecurity/gca/

• ITU-T Home page http://www.itu.int/ITU-T/• Study Group 17 http://www.itu.int/ITU-T/studygroups/com17/index.asp

e-mail: [email protected]• LSG on Security http://www.itu.int/ITU-T/studygroups/com17/tel-security.html• Security Roadmap http://www.itu.int/ITU-T/studygroups/com17/ict/index.html• Security Manual http://www.itu.int/publ/T-HDB-SEC.03-2006/en• Cybersecurity Portal http://www.itu.int/cybersecurity/• Cybersecurity Gateway http://www.itu.int/cybersecurity/gateway/index.html• ITU-T Recommendations http://www.itu.int/ITU-T/publications/recs.html• ITU-T Lighthouse http://www.itu.int/ITU-T/lighthouse/index.phtml• ITU-T Workshops http://www.itu.int/ITU-T/worksem/index.html


Thank you!

Arkadiy Kremer [email protected]

23 of 23

arkadiy kremer chairman itu-t study group 17 session 2: role of standardization in cybersecurity

Documents

role of itu

itu open forum

itut relevant

itut study groups

cybersecurity slide

itu secretary general

global information

use of information