Global Standards Collaboration (GSC) 14
ITU-T Telecom Security Update
Arkadiy Kremer, ITU-T SG 17 Chairman

Telecom Security is an Essential Part of IP-based Networks and Services
• Integration of telecommunication and security infrastructures is constantly increasing
• Convergence of services where voice, data/video and broadcasting are appearing on all types of network platforms
• Internet is a part of telecommunication infrastructure
• Next-generation business model for network operators demands subscriber-centric data consolidation

Highlight of Current Activities
• Terms and definitions alignment across members of GSC
• Security Compendium includes catalogs of approved security-related Recommendations and security definitions extracted from approved Recommendations
• Security Standards Roadmap includes searchable database of approved ICT security standards from ITU-T and others (e.g., ISO/IEC, IETF, ETSI, IEEE, ATIS)
• JCA-IdM (was discussed on PLEN 6.4)
• JCA-CIT: a standard is a real standard if it is verified (more in supplementary slides)
• Business Use of Security Standards: a standard is a real standard if it has business applications. ITU-T together with the GSC members would like to provide a report which will consist of summary sheets for analysed top security standards (status and summary; who does the standard affect?; business benefits; technologies involved; technical implications) (more in supplementary slides)

Highlight of Current Activities
• Providing a Global Cybersecurity Information Exchange Framework – X.cybief (more in supplementary slides)
  • Responsive to GSC-13/11, resolves 5:
    • promote global, consistent, and interoperable processes for sharing incident-response related information
  • Large-scale effort to bring “best of breed” security information exchange standards into the ITU and facilitate global interoperability and trust
    • for security state, vulnerabilities, incidents, threats
  • Facilitated by
    • a global security exchange identification scheme for organizations, information identifiers, and policies
    • use of Extended Validation Certificates based on X.509
• Providing for close working relationship with principal CIRT/CERT organization (FIRST) and assisting developing countries to establish CIRTs on a national basis (WTSA Res. 58)

Strategic Directions
• Work on telecom security standardization convergence points gaps: Security architecture SOA security Network security business infrastructure security ICT security information critical infrastructure security Personal data protection IdM Security management security collaboration
• Security collaboration
  • No one organization can provide its own security without interaction with others
  • Security collaboration contains measures, which pertain to the readiness and ability of the organizations to interact with other entities (including operators, users and law enforcement authorities) to counter the threats
  • Need a framework for raising the understanding of what is achievable

Strategic Directions
• Essential to pessimistically evaluate threats in light of the success we expect
• Three great classes of threats:
  • Insider attacks
  • Social engineering
  • Organized crime’s monetization of malware and fragility
• Connecting systems is good. Sharing vulnerability is bad.
• Systems must fundamentally distrust the systems with which they interact
• Minimal disclosure technology is fundamental in a federated world.
• “Need to know” Internet
Geneva, 13-16 July 2009

Challenges
• Keeping ahead of security needs
  • vulnerabilities
  • incidents
• Getting isolated security communities to cooperate effectively
• Implementing needed identity management platforms and trust models in the infrastructure
  • widespread deployment of "Extended validation certificates" for organization/provider trust
  • that accommodate the diversity of parties and assurance levels/requirements
• Making security “measurable”

Next Steps/Actions
• Proceed with the development and adoption of the Global Cybersecurity Information Exchange Framework
• Adopt X.evcert – an Extended Validation Certificate Framework
• Get an OID identifier arc assigned for identifying organizations, information, and policies
• Work with existing and emerging new security organizations to facilitate development and use of a common exchange framework

Proposed Modification Resolution on Cybersecurity
• Modify the Cybersecurity resolution “recognizing” section by adding a new paragraph:
  • Achieving most of the above requirements is highly dependent on a global framework for the trusted structured exchange of information concerning the cybersecurity state of devices/systems, vulnerabilities, incidents, and heuristics among the operators, vendors, security organizations and agencies
• Modify the Cybersecurity resolution resolves 5 section by changing to:
  • promote trusted global, structured, interoperable, and measurable processes for sharing cybersecurity state, vulnerability, and incident-response related information through a global framework

JCA-CIT
A standard is a real standard if it is verified
The main objectives of the JCA-CIT are to coordinate:
• The collection of and making available information about testing activities and testing methodologies
• Provision of feedback on collected information as appropriate
• Development of a common understanding of Conformance vs. Interoperability testing
• Development of the requirements placed on writing Recommendations to accommodate testing
• Provision of technical assistance to Rapporteurs and editors writing Recommendations for testing and test specification
• Provision of input towards the evolution of Recommendations that define testing methodology
• Dissemination of information about testing across other SDOs
• Preparation of material for tutorials, workshops and conferences, and making presentations if appropriate
• Promotion of the use of a common terminology and methodology of testing
• Finding working methods to co-ordinate activities and improve sharing of results

Business Use of Security Standards
A standard is a real standard if it has business applications.
ITU-T together with the GSC members would like to provide a report which will consist of summary sheets for analysed top security standards (status and summary; who does the standard affect?; business benefits; technologies involved; technical implications)
Your comments and views on the following would be appreciated:
• Do you agree that this work activity would be useful to organizations and/or DC/CETs planning to deploy telecommunications/ICT security systems?
• Does your organization have existing information that may be related to this work activity or that may be used to progress this work?
• Does your organization have contact with DC/CETs that may further elaborate on their needs and detail the information they may find most useful to capture in the activity output?
• Does your organization have any suggestions to provide additional detail regarding the proposed summary sheet elements or criteria to select standards?
• Would your organization be willing to assist the ITU-T in progressing this work?

Global Cybersecurity Information Exchange Framework: Purposes
• Enable global capabilities for the structured exchange of cybersecurity information by
  • identifying and incorporating existing “best of breed” platform standards
  • as necessary, making the existing standards more global and interoperable
• Move beyond guidelines and facilitate the scaling and broad implementation of core capabilities already developed within cybersecurity communities

Global Cybersecurity Information Exchange Framework
Cybersecurity information: structured information or knowledge concerning
• The “state” of equipment, software or network based systems as related to cybersecurity, especially vulnerabilities
• Forensics related to incidents or events
• Heuristics and signatures gained from experienced events
• Parties who implement cybersecurity information exchange capabilities within the scope of this framework
• Specifications for the exchange of cybersecurity information, including modules, schemas, and assigned numbers
• The identities and trust attributes of all of the above
• Implementation requirements, guidelines and practices

Global Cybersecurity Information Exchange Framework
[Diagram: two Cybersecurity Entities; Cybersecurity Information acquisition (out of scope*); Cybersecurity Information use (out of scope*); between them:]
• Structured information
• Identification & discovery of cybersecurity information and entities
• Trusted exchange
*Some specialized cybersecurity exchange implementations may require application specific frameworks specifying acquisition and use capabilities

Global Cybersecurity Information Exchange Framework – Capabilities and Context
The Framework enables exchange capabilities for the entire Cyber Security Ecosystem by providing for the dashed information exchanges

Framework Capabilities Outline
• Cybersecurity structured information
  • Identify existing standards
  • Bring some of them into ITU-T as X-series standards and supplement as needed for global interoperability
• Cybersecurity identification and discovery
  • Identify existing standards
  • Bring some of them into ITU-T as X-series standards and supplement as needed for global interoperability
• Cybersecurity trusted acquisition and exchange
  • Identify existing standards
  • Bring some of them into ITU-T as X-series standards and supplement as needed for interoperability