ICT Security - The Need for International Standards
reinhard.scholl@itu.int
Deputy to the Director, Telecommunication Standardization Bureau, International Telecommunication Union
www.itu.int/ITU-T

Outline
• Why ICT security is becoming important
• The complex world of ICT Security
• Security standards
[ICT = Information & Communication Technology]
Confidence & security in the use of ICT - Malaysia, 21 August 2003
1. Why ICT security is becoming important

Security: Telephony vs. Internet
• Telephone network: Control
  • Offers basically one service
  • Network operators control whether a new service is offered
  • Clear distinction:
    • Interface user – network
    • Interface network – network
• Internet: “Anarchy” (no negative meaning here)
  • Lots of services (many of them not yet imagined …)
  • Everyone can set up a new service
  • All links are network – network
  • Many protocols
A Fundamental Shift is Happening
• Computers & networks are becoming a utility (like water, electricity, gas, telephone)
• Business and personal life are more and more dependent on computers
• Prerequisite: adequate security
• [9/11 terrorist attack confirmed the already existing trend of emphasizing security]

Basic Security Services
• Privacy / Confidentiality:
  • To know that no 3rd party can read a message exchanged between 2 people
• Authentication:
  • To know that someone is who he/she says he/she is
• Integrity:
  • To know that a message has not been modified in transit
• Non-repudiation:
  • To know that someone is not able to deny later that she/he sent a message

Security Applications
• The previous basic security services can be used to build many security applications:
  • Digital Signature
  • Anonymous e-cash
  • Certified e-mail
  • Secure elections
  • Simultaneous contract signing
  • [add your ideas …]
2. The complex world of ICT security

Some Security Risks
• “Social engineering” attack:
  • “Amateurs hack systems, professionals hack people” (Bruce Schneier)
• An organization’s own employees may pose the largest risk:
  • Incompetence, indifference, misconduct
• New technologies bring new security problems (e.g., WiFi)
• Buggy software
• Viruses
• Malicious hackers breaking into systems
• Denial of Service attacks
• …

Non-trivial Insights
• Technology alone cannot fix security problems – technology is necessary but not sufficient
• Security is everyone’s business, not just the business of security experts
• Security decisions must be taken by Management, not by technical staff
• Security is risk management – the art of worrying about the right things

Cryptography - the Beauty of Mathematics
• Cryptographic algorithms are “building blocks” for constructing secure systems
• Dramatic advances in cryptography in the last 30 years:
  • Public Key Cryptography (1976)
  • Microprocessor: cheap computing power
  • Quantum cryptography (future)
• Reminder: security is more a “people problem” than a technical problem
Secret Key Encryption
[Diagram: plain text → encrypt message with secret key → cipher text → decrypt message with the same secret key → plain text]
• Both parties share a single, secret key
• Problem: exchanging keys in complete secrecy is difficult
• Best-known example: DES (Data Encryption Standard)

Public Key Encryption
[Diagram: plain text → encrypt message with the public (!) key of the receiver → cipher text → decrypt message with the (!) private key of the receiver → plain text]
• Each participant has
  • A private key that is shared with no one else, plus
  • A public key known to everyone
• Problem: slower than Secret Key Encryption
• Best-known example: RSA
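The two encryption models on the Secret Key and Public Key slides, as an added example in pure Python (not from the talk): the secret-key side uses a SHA-256 counter-mode keystream in place of DES, the public-key side is textbook RSA with small constructed primes in place of a real RSA implementation. It also goes one step beyond the slides by combining the two (hybrid encryption), which is how the public-key scheme solves the key-exchange problem while the faster secret-key cipher handles the bulk data.

```python
import hashlib
import os
from math import gcd

def keystream(secret_key: bytes, length: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || counter) blocks, concatenated and cut to size."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(secret_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def secret_key_crypt(secret_key: bytes, data: bytes) -> bytes:
    """Secret-key slide: encrypt and decrypt are the same XOR with the keystream,
    so both parties must already share secret_key (the key-exchange problem)."""
    return bytes(a ^ b for a, b in zip(data, keystream(secret_key, len(data))))

def rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA (no padding) from two primes; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi"
    return (n, e), (n, pow(e, -1, phi))

def pk_encrypt(public_key, m: int) -> int:
    """Public-key slide: anyone can encrypt with the receiver's public key."""
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)

def pk_decrypt(private_key, c: int) -> int:
    """Only the receiver, holding the private key, can decrypt."""
    n, d = private_key
    return pow(c, d, n)

# Constructed demo primes (2^16 - 15 and 2^32 - 5); real keys use primes of 1024 bits or more.
RECEIVER_PUBLIC, RECEIVER_PRIVATE = rsa_keypair(p=65521, q=4294967291)

def hybrid_send(message: bytes):
    """Sender: a fresh secret key for the bulk data, wrapped once with the slow
    public-key operation. The key is only 4 bytes so it fits below the tiny modulus."""
    session_key = os.urandom(4)
    wrapped_key = pk_encrypt(RECEIVER_PUBLIC, int.from_bytes(session_key, "big"))
    return wrapped_key, secret_key_crypt(session_key, message)

def hybrid_receive(wrapped_key: int, ciphertext: bytes) -> bytes:
    """Receiver: unwrap the session key with the private key, then decrypt the bulk data."""
    session_key = pk_decrypt(RECEIVER_PRIVATE, wrapped_key).to_bytes(4, "big")
    return secret_key_crypt(session_key, ciphertext)
```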
Biometrics: your Body – your Password?
• Recognize a person based on physiological or behavioral characteristics
  • Fingerprint
  • Face
  • Voice
  • Iris
• Currently costs outweigh benefits

Economics & ICT Security
• Perverse incentives explain a lot of current information insecurity (Ross Anderson, Univ of Cambridge, UK)
• Distributed denial of service attack in 2000:
  • Vandals took over computers on low-security University networks and shut down major websites (e.g. Yahoo)
  • Shouldn’t Universities bear some liability for the damages to 3rd parties?
• Solution: assign legal liabilities to the parties best able to manage the risk (Hal Varian, Univ of California, Berkeley)

Security is Risk Management
• How much money/time to spend on ICT security?
• Balance between cost and risk:
  • What are the potential security breaches?
  • What’s the associated loss in each case?
  • What does it cost to defend in each case?
    • Mitigation (e.g. buy technology)
    • Outsource (someone else takes over the risk)
    • Insurance (passing risk to insurance company)
• Engineers, policymakers, economists, lawyers to forge common approaches
3. Security standards

The Need for Int’l. Security Standards
• Technical standards should be international:
  • Ensures interoperability - the whole point of most of the standards
  • Economies of scale
• It would be very helpful for best-practice standards to be international as well:
  • Raises awareness
• Regulatory issues & law enforcement are a national (or regional, e.g. European Union) matter
Security in International Standards Organizations
• ISO/IEC:
  • 17799: “Information technology – code of practice for information security management” (71 pages; year 2000)
  • addresses organizations, companies
• IETF:
  • Protocols, e.g. IPsec, TLS, SMIME …
• ITU: see next slides

ITU Plenipo & WSIS
• ITU Plenipotentiary Conference 2002:
  • “Strengthening the role of ITU in information and communication network security”
• WSIS = World Summit on Information Society; www.itu.int/wsis:
  • UN event
  • 1st phase: Geneva 10-12 Dec 03; 2nd phase: Tunis 16-18 Nov 05
  • Target audience: Heads of State + CEOs + civil society
  • Topics include communication network security
Security in ITU-T Study Groups
• SG 17 = Lead Study Group for Communication System Security:
  • Coordination / prioritization of security efforts
  • Development of core security Recs.
• Existing Recommendations include:
  • Security architecture, model, frameworks, and protocols for open systems (X.800-series; X.270 series, jointly with ISO)
  • Trusted Third Party Services (X.842/X.843, jointly with ISO)
  • Public-key and attribute certificate frameworks (X.509, jointly with ISO)

ITU-T SG 17 Security Focus
• Authentication (X.509, jointly with ISO):
  • Ongoing enhancements as a result of more complex uses
• Security Architecture for end-to-end communications:
  • Security for management, control and use of network infrastructure, services and applications
• Telebiometrics: biometrics at a distance
  • Model for security and public safety in telebiometrics
• Security Management:
  • Risk assessment, identification of assets and implementation characteristics
• Mobile Security:
  • For low power, small memory size and small display devices

ITU-T SG 17: Upcoming Joint Work with ISO / IEC
• “Information Technology – Security techniques – IT network security”
  • Part 1: Network security management
  • Part 2: Network security architecture
  • Part 3: Securing communications between networks using security gateways
  • Part 4: Remote access
  • Part 5: Securing communications between networks using virtual private networks
Security Studies in other ITU-T Study Groups
• Security for multimedia systems and services (SG 16)
• Emergency Telecommunications Services (SG 16)
• IPCablecom project = interactive services over cable TV networks (SG 9)
• Telecommunication networks security requirements (SG 2)
• Framework to support emergency communications (SG 13)

Strengths of ITU-T
• Unique mix of industry & government
• Truly global
• Consensus decisions guarantee wide acceptance
• Fast procedures
• Brand name
• IPR Policy
• World-class meeting facilities
• Excellent Secretariat staff

Backup Slides on ITU-T (not to be shown in talk)

ITU-T Structure
[Diagram: Workshops, Focus Group, Joint Group, Project Team]
ITU-T Study Groups
• SG 2 Operational aspects of service provision, networks and performance
• SG 3 Tariff and accounting principles including related telecommunications economic and policy issues
• SG 4 Telecommunication management, including TMN
• SG 5 Protection against electromagnetic environment effects
• SG 6 Outside plant
• SG 9 Integrated broadband cable networks and television and sound transmission
• SG 11 Signalling requirements and protocols
• SG 12 End-to-end transmission performance of networks and terminals
• SG 13 Multi-protocol and IP-based networks and their internetworking
• SG 15 Optical and other transport networks
• SG 16 Multimedia services, systems and terminals
• SG 17 Data networks and telecommunication software
• SSG Special Study Group "IMT-2000 and beyond"
• TSAG Telecommunication Standardization Advisory Group

Lead Study Groups
• SG 2 service definition, numbering and routing
• SG 4 TMN
• SG 9 integrated broadband cable and television networks
• SG 11 intelligent networks
• SG 12 Quality of Service and performance
• SG 13 IP related matters, B-ISDN, Global Information Infrastructure and satellite matters
• SG 15 access network transport and optical technology
• SG 16 multimedia services, systems and terminals and on e-business and e-commerce
• SG 17 frame relay, communication system security, languages and description techniques
• SSG IMT-2000 and beyond and for mobility
IP project study areas
• Integrated architecture
• Impact to telecommunications access infrastructures of access to IP applications
• Interworking between IP based network and switched-circuit networks, including wireless based networks
• Multimedia applications over IP
• Numbering and addressing
• Transport for IP-structured signals
• Signalling support, IN and routing for services on IP-based networks
• Performance
• Integrated management of telecom and IP-based networks
• Security aspects

Other areas to consider
• IP-based networks and their interconnection with telecommunication networks;
• IP cablecom project;
• establishment of GII;
• IMT-2000 and mobility;
• e-business and e-commerce;
• reform of accounting rates and tariff studies;
• MEDIACOM-2004 project and related multimedia activities;
• security aspects of networks and services;
• optical transport network;
• access networks enhancements with xDSL techniques;
• numbering and routing;
• network performances and quality of services;
• protocols for new services and intelligent networks.
ITU-T Series (A-L)
• Organization of the work of ITU-T
• Means of expression: definitions, symbols, classification
• General telecommunication statistics
• General tariff principles
• Overall network operation, telephone service, service operation and human factors
• Non-telephone telecommunication services
• Transmission systems and media, digital systems and networks
• Audiovisual and multimedia systems
• Integrated services digital network
• Transmission of television, sound programme and other multimedia signals
• Protection against interference
• Construction, installation and protection of cables and other elements of outside plant

ITU-T Series (M-Z)
• TMN and network maintenance: international transmission systems, telephone circuits, telegraphy, facsimile and leased circuits
• Maintenance: international sound programme and television transmission circuits
• Specifications of measuring equipment
• Telephone transmission quality, telephone installations, local line networks
• Switching and signalling
• Telegraph transmission
• Telegraph services terminal equipment
• Terminals for telematic services
• Telegraph switching
• Data communication over the telephone network
• Data networks and open system communications
• Global information infrastructure and Internet protocol aspects
• Languages and general software aspects for telecommunication systems