1 / 33

ICT Security - The Need for International Standards

ICT Security - The Need for International Standards. reinhard.scholl@itu.int Deputy to the Director Telecommunication Standardization Bureau International Telecommunication Union www.itu.int/ITU-T. Outline. Why ICT security is becoming important The complex world of ICT Security

hong
Download Presentation

ICT Security - The Need for International Standards

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ICT Security - The Need for International Standards reinhard.scholl@itu.int Deputy to the Director Telecommunication Standardization Bureau International Telecommunication Union www.itu.int/ITU-T

  2. Outline • Why ICT security is becoming important • The complex world of ICT Security • Security standards [ICT = Information & Communication Technology] Confidence & security in the use of ICT - Malaysia, 21 August 2003

  3. 1. Why ICT security is becoming important Confidence & security in the use of ICT - Malaysia, 21 August 2003

  4. Security: Telephony vs. Internet • Telephone network: Control • Offers basically one service • Network operators control if new service offered • Clear distinction: • Interface user – network • Interface network – network • Internet: “Anarchy” (no negative meaning here) • Lots of services (many of them not yet imagined …) • Everyone can set up a new services • All links network – network • Many protocols Confidence & security in the use of ICT - Malaysia, 21 August 2003

  5. A Fundamental Shift is Happening • Computers & networks are becoming a utility (like water, electricity, gas, telephone) • Business and personal life are more and more dependent on computers • Prerequisite: adequate security. • [9/11 terrorist attack confirmed the already existing trend of emphasizing security] Confidence & security in the use of ICT - Malaysia, 21 August 2003

  6. Basic Security Services • Privacy / Confidentiality: • To know that no 3rd party can read a message exchanged between 2 people • Authentication: • To know that someone is who he/she says he/she is • Integrity: • To know that a message has not been modified in transit • Non-repudiation: • To know that someone is not able to deny later that she/he sent a message Confidence & security in the use of ICT - Malaysia, 21 August 2003

  7. Security Applications • The previous basic security services can be used to build many security applications: • Digital Signature • Anonymous e-cash • Certified e-mail • Secure elections • Simultaneous contract signing • [add your ideas …] Confidence & security in the use of ICT - Malaysia, 21 August 2003

  8. 2. The complex world of ICT security Confidence & security in the use of ICT - Malaysia, 21 August 2003

  9. Some Security Risks • “Social engineering” attack: • “Amateurs hack systems, professionals hack people” (Bruce Schneier) • An organizations’ own employees may pose largest risk: • Incompetence, indifference, misconduct • New technologies bring new security problems (e.g., WiFi) • Buggy software • Viruses • Malicious hackers braking into systems • Denial of Service attacks • … Confidence & security in the use of ICT - Malaysia, 21 August 2003

  10. Non-trivial Insights • Technology alone can not fix security problems – Technology is necessary but not sufficient • Security is everyone’s business, not just the business of security experts • Security decisions must be taken by Management, not by technical staff • Security is risk management – the art to worry about the right things Confidence & security in the use of ICT - Malaysia, 21 August 2003

  11. Cryptography- the Beauty of Mathematics • Cryptographic algorithms are “building blocks” to construct secure system • Dramatic advances in cryptography in the last 30 years: • Public Key Cryptography (1976) • Microprocessor: cheap computing power • Quantum cryptography (future) • Reminder: security is more a “people problem” than a technical problem Confidence & security in the use of ICT - Malaysia, 21 August 2003

  12. Secret Key Encryption Plain text Plain text  encrypt message with decrypt message with secret key same secret key  cipher text • Both parties share a single, secret key • Problem: exchanging keys in complete secrecy is difficult • Best-known example: DES (Data Encryption Standard) Confidence & security in the use of ICT - Malaysia, 21 August 2003

  13. Public Key Encryption Plain text Plain text  encrypt message with decrypt message with public (!) key of receiver (!) private key of receiver  cipher text • Each participant has • A private key that is shared with no one else, plus • A public key known to everyone • Problem: slower than Secret Key Encryption • Best-known example: RSA Confidence & security in the use of ICT - Malaysia, 21 August 2003

  14. Biometrics: your Body – your Password? • Recognize a person upon physiological or behavioral characteristics • Fingerprint • Face • Voice • Iris • Currently costs outweigh benefits Confidence & security in the use of ICT - Malaysia, 21 August 2003

  15. Economics & ICT Security • Perverse incentives explain a lot of current information insecurity (Ross Anderson, Univ of Cambridge, UK) • Distributed denial of service attack in 2000: • Vandals took over computers on low-security University networks and shut down major websites (e.g. Yahoo) • Shouldn’t Universities bear some liability for the damages to 3rd parties • Solution: assign legal liabilities to the parties best able to manage the risk (Hal Varian, Univ of California, Berkeley) Confidence & security in the use of ICT - Malaysia, 21 August 2003

  16. Security is Risk Management • How much money/time to spend on ICT security? • Balance between cost and risk: • What are the potential security breaches? • What’s the associated loss in each case? • What does it cost to defend in each case? • Mitigation (e.g. buy technology) • Outsource (s.o. else takes over the risk) • Insurance (passing risk to insurance company) • Engineers, policymakers, economists, lawyers to forge common approaches Confidence & security in the use of ICT - Malaysia, 21 August 2003

  17. 3. Security standards Confidence & security in the use of ICT - Malaysia, 21 August 2003

  18. The Need for Int’l. Security Standards • Technical standards should be international: • Ensures interoperability - the whole point of most of the standards • Economies of scale • Best practice standards would be very helpful to be international • Raises awareness • Regulatory issues & law enforcement is a national (or regional, e.g. European Union) matter Confidence & security in the use of ICT - Malaysia, 21 August 2003

  19. Security in International Standards Organizations • ISO/IEC: • 17799: “Information technology – code of practice for information security management” (71 pages; year 2000) • addresses organizations, companies • IETF: • Protocols, e.g. IPsec, TLS, SMIME … • ITU: see next slides Confidence & security in the use of ICT - Malaysia, 21 August 2003

  20. ITU Plenipo & WSIS • ITU Plenipotentiary Conference 2002: • “Strengthening the role of ITU in information and communication network security” • WSIS = World Summit on Information Society; www.itu.int/wsis: • UN-event • 1st phase: Geneva 10-12 Dec 03; 2nd phase: Tunis 16-18 Nov 05 • Target audience: Heads of State + CEOs + civil society • Topics include communication network security Confidence & security in the use of ICT - Malaysia, 21 August 2003

  21. Security in ITU-T Study Groups • SG 17 = Lead Study Group for Communication System Security: • Coordination / prioritization of security efforts • Development of core security Recs. • Existing Recommendations include: • Security architecture, model, frameworks, and protocols for open systems (X.800-series; X.270 series, jointly with ISO) • Trusted Third Party Services (X.842/X.843, jointly with ISO) • Public-key and attribute certificate frameworks (X.509, jointly with ISO) Confidence & security in the use of ICT - Malaysia, 21 August 2003

  22. ITU-T SG 17 Security Focus • Authentication (X.509, jointly with ISO): • Ongoing enhancements as a result of more complex uses • Security Architecture for end-to-end communications: • Security for management, control and use of network infrastructure, services and applications • Telebiometrics: biometrics via distance • Model for security and public safety in telebiometrics • Security Management: • Risk assessment, identification of assets and implementation characteristics • Mobile Security: • For low power, small memory size and small display devices Confidence & security in the use of ICT - Malaysia, 21 August 2003

  23. ITU-T SG 17: Upcoming Joint Work with ISO / IEC • “Information Technology – Security techniques – IT network security” • Part 1: Network security management • Part 2: Network security architecture • Part 3: Securing communications between networks using security gateways • Part 4: Remote access • Part 5: Securing communications between networks using virtual private networks Confidence & security in the use of ICT - Malaysia, 21 August 2003

  24. Security Studies in other ITU-T Study Groups • Security for multimedia systems and services (SG 16) • Emergency Telecommunications Services (SG 16) • IPCablecom project = interactive services over cable TV networks (SG 9) • Telecommunication networks security requirements (SG 2) • Framework to support emergency communications (SG 13) Confidence & security in the use of ICT - Malaysia, 21 August 2003

  25. Strengths of ITU-T • Unique mix of industry & government • Truly global • Consensus decisions guarantee wide acceptance • Fast procedures • Brand name • IPR Policy • World-class meeting facilities • Excellent Secretariat staff Confidence & security in the use of ICT - Malaysia, 21 August 2003

  26. Backup Slides on ITU-T (not to be shown in talk) Confidence & security in the use of ICT - Malaysia, 21 August 2003

  27. ITU-T Structure Workshops Focus Group Joint Group Project Team Confidence & security in the use of ICT - Malaysia, 21 August 2003

  28. ITU-T Study Groups • SG 2 Operational aspects of service provision, networks and performance • SG 3 Tariff and accounting principles including related telecommunications economic and policy issues • SG 4 Telecommunication management, including TMN • SG 5 Protection against electromagnetic environment effects • SG 6 Outside plant • SG 9 Integrated broadband cable networks and television and sound transmission   • SG 11 Signalling requirements and protocols • SG 12 End-to-end transmission performance of networks and terminals • SG 13 Multi-protocol and IP-based networks and their internetworking • SG 15 Optical and other transport networks • SG 16 Multimedia services, systems and terminals • SG 17 Data networks and telecommunication software • SSG Special Study Group "IMT-2000 and beyond" • TSAG Telecommunication Standardization Advisory Group Confidence & security in the use of ICT - Malaysia, 21 August 2003

  29. Lead Study Groups • SG 2 service definition, numbering and routing • SG 4 TMN • SG 9 integrated broadband cable and television networks • SG 11 intelligent networks • SG 12 Quality of Service and performance • SG 13 IP related matters, B-ISDN, Global Information Infrastructure and satellite matters • SG 15 access network transport and optical technology • SG 16 multimedia services, systems and terminals and on e-business and e-commerce • SG17 frame relay, communication system security, languages and description techniques • SSG IMT 2000 and beyond and for mobility Confidence & security in the use of ICT - Malaysia, 21 August 2003

  30. IP project study areas • Integrated architecture • Impact to telecommunications access infrastructures of access to IP applications • Interworking between IP based network and switched-circuit networks, including wireless based networks • Multimedia applications over IP • Numbering and addressing • Transport for IP-structured signals • Signalling support, IN and routing for services on IP-based networks • Performance • Integrated management of telecom and IP-based networks • Security aspects Confidence & security in the use of ICT - Malaysia, 21 August 2003

  31. Other areas to consider • IP-based networks and their interconnection with telecommunication networks; • IP cablecom project; • establishment of GII; • IMT-2000 and mobility; • e-business and e-commerce; • reform of accounting rates and tariff studies; • MEDIACOM-2004 project and related multimedia activities; • security aspects of networks and services; • optical transport network; • access networks enhancements with xDSL techniques; • numbering and routing; • network performances and quality of services; • protocols for new services and intelligent networks. Confidence & security in the use of ICT - Malaysia, 21 August 2003

  32. ITU-T Series (A-L) • Organization of the work of ITU-T • Means of expression: definitions, symbols, classification • General telecommunication statistics • General tariff principles • Overall network operation, telephone service, service operation and human factors • Non-telephone telecommunication services • Transmission systems and media, digital systems and networks • Audiovisual and multimedia systems • Integrated services digital network • Transmission of television, sound programme and other multimedia signals • Protection against interference • Construction, installation and protection of cables and other elements of outside plant Confidence & security in the use of ICT - Malaysia, 21 August 2003

  33. ITU-T Series (M-Z) • TMN and network maintenance: international transmission systems, telephone circuits, telegraphy, facsimile and leased circuits • Maintenance: international sound programme and television transmission circuits • Specifications of measuring equipment • Telephone transmission quality, telephone installations, local line networks • Switching and signalling • Telegraph transmission • Telegraph services terminal equipment • Terminals for telematic services • Telegraph switching • Data communication over the telephone network • Data networks and open system communications • Global information infrastructure and Internet protocol aspects • Languages and general software aspects for telecommunication systems Confidence & security in the use of ICT - Malaysia, 21 August 2003

More Related