1 / 14

Overview and System Security to Security Testing

Overview and System Security to Security Testing. Company: NEC Corporation Author(s): Anand R. Prasad, Chairman Security & Privacy Working Group Contact: anand@bq.jp.nec.com Purpose: Discussion Document#: GISFI_SP_201206244. Purpose.

lynnea
Download Presentation

Overview and System Security to Security Testing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Overview and System Security to Security Testing Company: NEC Corporation Author(s): Anand R. Prasad, Chairman Security & Privacy Working Group Contact: anand@bq.jp.nec.com Purpose: Discussion Document#: GISFI_SP_201206244 Operator-GISFI Workshop22 June, 2012

  2. Purpose • Start relationship between mobile operators and GISFI • This workshop on network security requirements is to • Share initial information and • Bring common understanding • Next step is to have regular meetings and/or workshops • Preferably during GISFI meetings • Separately, just before or after a GISFI meeting Operator-GISFI Workshop22 June, 2012

  3. Tasks Work on security, privacy, legal intercept and algorithms Perform threat analysis and identify requirements Develop recommendations regarding the above security and privacy solutions legal intercept solutions Bring Indian requirements to international bodies Activities Network security testing requirements of India Proposed new topics Identity management Unsolicited communication Child security in cyber space Inter-WGs Internet-of-things Service Oriented Networks Future Radio Networks GISFI Security & Privacy WG Operator-GISFI Workshop22 June, 2012

  4. Security Testing Requirements • Companies should fulfill ISO 27k security guidelines • Highest level of security from design, development, deployment, maintenance to running of all comm. products and networks • Security testing of all products and network based on Indian guidelines set as per Common Criteria (ISO 15408) where testing: • performed by Indian labs from 1 April 2013 onwards – yearly • labs will be accredited by Indian government • test result will be certified by Indian government • only “type” testing will be done • Products/network should fulfill Indian security requirements, implementation should comply with common security considerations and implemented as per standard specification (e.g. 3GPP) Operator-GISFI Workshop22 June, 2012

  5. Impact of requirements Technical skills growth Security awareness Vendors will see delay in sales and increase in product cost Operator cost will increase impacting rural deployment Potential trade impact Gaps Lab: Accreditation and certification method Common criteria CC level PP & STs – certify? who? Specification details Relation with CCRA, 3GPP etc. Acceptable level of risk Define safe to connect How to test existing network Impacts and Gaps CC: Common Criteria PP: Protection Profile ST: Security Target Operator-GISFI Workshop22 June, 2012

  6. Testing Related • Duration of testing: Longer time to wait will impact business • Periodicity of testing: Given product can have monthly software or firmware update • Timing of testing: Before purchase will mean impact on vendors while after purchase could mean issues for operators/service providers • Volume of testing, number of points: Type approval, extent/depth of testing to be performed and level of value-chain to be touched • Human resource: Initially sufficient people will not be available to perform security tests. Steps to perform test and develop resources should be a concern • Cost of testing: Cost of testing will lead to impact on market. • Responsibility of accidents: Vendors pay for the accidents due to certified products? Security threats / attacks are maturing with time thus there should be consideration from long-term perspective • Confidentiality and intellectual property: How can the testing “person” be certified? Also issue regarding escrow. Operator-GISFI Workshop22 June, 2012

  7. S&P Work Item Following deliverables are expected: • Requirement analysis and proposals • (Framework) Complete security together with terminology definitions and proposals • Policy study and proposals • Security architecture in mobile communication systems: Comparison and proposals for India • Monitoring • Proposals for security testing Planning to liaise with 3GPP and CCRA Operator-GISFI Workshop22 June, 2012

  8. Market Trend: Over-The-Top Services (OTT) and Cyber Attacks • OTT is the killer app • Impact: • Loss of profit source and no new source of profit • Increase in CAPEX & OPEX Advertisement Over-the-top services • Cyber attacks is increasing • Impact: • Increase in CAPEX & OPEX • Dissatisfied customers HSS/AAA X-CSCF xGSN MSC PDG S/PGW MME H(e)NBGW RNC WLAN AP H(e)NB • Market trend: Moving towards services • Mobile operator becoming part of “the Internet” • OTT services is the killer app • Cyber attack is increasing NodeB eNodeB Operator-GISFI Workshop22 June, 2012

  9. Security Considerations Overloading of network (DoS / DDoS) Finding network topology (privacy) Network element attacks Protocol attack Over-the-top services Subscriber privacy issues Fraudulent charging HSS/AAA OAM attack, spoofing etc. used to get subscriber private data and cause fraudulent charging X-CSCF xGSN MSC Protocol weaknesses used to perform attack PDG S/PGW MME H(e)NBGW Analyzing network to find network topology Attacking specific network elements RNC WLAN AP H(e)NB NodeB eNodeB • Several attacks are possible on mobile network • Newer services bring new business opportunities and also threats • Complete system security consideration is necessary Overloading network with botnets, malware, home made terminals etc. Operator-GISFI Workshop22 June, 2012

  10. Mobile Systems Security Comparison Operator-GISFI Workshop22 June, 2012

  11. Designing Security • Determine the assets • Determine the threats and risks to each asset  set security requirements • Design and implement countermeasures for the threats and residual risks  economical • Monitor, manage and update the implementation • Deter, detect and react against any attack Operator-GISFI Workshop22 June, 2012

  12. Common Criteria Testing Certification Product Test Code Review Design Review PP ST Documentation 9 ~ 24 months Operator-GISFI Workshop22 June, 2012

  13. Accreditation & Certification TEC/DOT & CCRA,3GPP 3.Result: Certified or not certified 2.Send security test results for certification 0.Security test labs accredited by CCRA taking care of Indian needs as per TEC SecurityTest Lab SecurityTest Lab SecurityTest Lab 1.Vendors/operators request security testing 4.Result: Certified or not certified Vendors /Operators Operator-GISFI Workshop22 June, 2012 CCRA: Common Criteria Recognition Arrangement DOT: Department of Telecommunications TEC: Telecommunications Engineering Centres

  14. Finally • A balance need to be found between what is needed and what can be done regarding the Indian national security requirements • Should be acceptable to all, particularly operators • Current national requirements have gaps • GISFI is working on several topics related to security testing requirements • GISFI proposes Indian mobile operators to work together on network security testing requirements Operator-GISFI Workshop22 June, 2012

More Related