ITU-T Telecom Security Update

1
ITU-T Telecom Security Update
Global Standards Collaboration (GSC) 14
DOCUMENT GSC14-GSC7-03
FOR Presentation
SOURCE ITU-T
AGENDA ITEM GTSC 4.2
CONTACT(S) kremer_at_rans.ru

• Arkadiy Kremer
• ITU-T SG 17 Chairman

2
Telecom Security is an Essential Part of IP-based
Networks and Services

• Integration of telecommunication and security
  infrastructures is constantly increasing
• Convergence of services where voice, data/video
  and broadcasting are appearing on all types of
  network platforms
• Internet is a part of telecommunication
  infrastructure
• Next-generation business model for network
  operators demands subscriber-centric data
  consolidation

2
3
Highlight of Current Activities

• Terms and definitions alignment across members
  of GSC
• Security Compendium includes catalogs of approved
  security-related Recommendations and security
  definitions extracted from approved
  Recommendations
• Security Standards Roadmap includes searchable
  database of approved ICT security standards from
  ITU-T and others (e.g., ISO/IEC, IETF, ETSI,
  IEEE, ATIS)
• JCA-IdM (was discussed on PLEN 6.4)
• JCA-CIT - a standard is the real standard if it
  is verified (more in supplementary slides)
• Business Use of Security Standards - a standard
  is the real standard if it has the
  business-applications. ITU-T together with the
  GSC members would like to provide a report which
  will consist of summary sheets for analysed top
  security standards (status and summary ? who does
  the standard affect? ? business benefits ?
  technologies involved ? technical implications)
  (more in supplementary slides)

3
4
Highlight of Current Activities

• Providing a Global Cybersecurity Information
  Exchange Framework X.cybief (more in
  supplementary slides)
• Responsive to GSC-13/11, resolves 5
• promote global, consistent, and interoperable
  processes for sharing incident-response related
  information
• Large-scale effort to bring best of breed of
  security information exchange standards into the
  ITU and facilitating global interoperability and
  trust
• for security state, vulnerabilities, incidents,
  threats
• Facilitated by
• a global security exchange identification scheme
  for organizations, information identifiers, and
  policies
• use of Extended Validation Certificates based on
  X.509
• Providing for close working relationship with
  principal CIRT/CERT organization (FIRST) and
  assisting developing countries to establish CIRTs
  on a national basis (WTSA Res. 58)

4
5
Strategic Directions

• Work on telecom security standardization
  convergence points gaps
• Security architecture ? SOA security
• Network security ? business infrastructure
  security
• ICT security ? information critical
  infrastructure security
• Personal data protection ? IdM
• Security management ? security collaboration
• Security collaboration
• No one organization can provide its own security
  without interaction with others
• Security collaboration contains measures, which
  pertain to the readiness and ability of the
  organizations to interact with other entities
  (including operators, users and law enforcement
  authorities) to counter the threats
• Need a framework for raising the understanding of
  what is achievable

5
6
Strategic Directions

• Essential to pessimistically evaluate threats in
  light of the success we expect
• Three great classes of threats
• Insider attacks
• Social engineering
• Organized crimes monetization of malware and
  fragility
• Connecting systems is good. Sharing vulnerability
  is bad.
• Systems must fundamentally distrust the systems
  with which they interact
• Minimal disclosure technology is fundamental in a
  federated world.
• Need to know Internet

6
Geneva, 13-16 July 2009
7
Challenges

• Keeping ahead of security needs
• vulnerabilities
• incidents
• Getting isolated security communities to
  cooperate effectively
• Implementing needed identity management platforms
  and trust models in the infrastructure
• widespread deployment of "Extended validation
  certificates" for organization/provider trust
• that accommodate the diversity of parties and
  assurance levels/requirements
• Making security measurable

7
8
Next Steps/Actions

• Proceed with the development and adoption of the
  Global Cybersecurity Information Exchange
  Framework
• Adopt X.evcert an Extended Validation
  Certificate Framework
• Get an OID identifier arc assigned for
  identifying organizations, information, and
  policies
• Work with existing and emerging new security
  organizations to facilitate development and use
  of a common exchange framework

8
9
Proposed Modification Resolution on Cybersecurity

• Modify the Cybersecurity resolution recognizing
  section by adding a new paragraph
• Achieving most of the above requirements is
  highly dependent on a global framework for the
  trusted structured exchange of information
  concerning the cybersecurity state of
  devices/systems, vulnerabilities, incidents, and
  heuristics among the operators, vendors, security
  organizations and agencies
• Modify the Cybersecurity resolution resolves 5
  section by changing to
• promote trusted global, structured,
  interoperable, and measurable processes for
  sharing cybersecurity state, vulnerability, and
  incident-response related information through a
  global framework

9
10
Supplementary Slides
10
11
JCA-CIT

• A standard is the real standard if it is verified
• The main objectives of the JCA-CIT are to
  coordinate
• The collection of and making available
  information about testing activities and testing
  methodologies
• Provision of feedback on collected information as
  appropriate
• Development of a common understanding of
  Conformance vs. Interoperability testing
• Development of the requirements placed on writing
  Recommendations to accommodate testing
• Provision of technical assistance to Rapporteurs
  and editors writing Recommendations for testing
  and test specification
• Provision of input towards the evolution of
  Recommendations that define testing methodology
• Dissemination of information about testing across
  other SDOs
• Preparation of material for tutorials, workshops,
  conferences and make presentation if appropriate
• Promotion of the use of a common terminology and
  methodology of testing
• Finding working methods to co-ordinate activities
  and improve sharing of results

12
Business Use of Security Standards

• A standard is the real standard if it has the
  business-applications.
• ITU-T together with the GSC members would like to
  provide a report which will consist of summary
  sheets for analysed top security standards
  (status and summary ? who does the standard
  affect? ? business benefits ? technologies
  involved ? technical implications)
• Your comments and views on the following would be
  appreciated
• Do you agree that this work activity would be
  useful to organizations and/or DC/CETs planning
  to deploy telecommunications/ICT security
  systems?
• Does your organization have existing information
  that may be related to this work activity or that
  may be used to progress this work?
• Does your organization have contact with DC/CETs
  that may further elaborate on their needs and
  detail the information they may find most useful
  to capture in the activity output?
• Does your organization have any suggestions to
  provide additional detail regarding the proposed
  summary sheet elements or criteria to select
  standards?
• Would your organization be willing to assist the
  ITU-T in progressing this work?

13
Global Cybersecurity Information Exchange
Framework

• Purposes
• Enable global capabilities for the structured
  exchange of cybersecurity information by
• identifying and incorporating existing best of
  breed platform standards
• as necessary, making the existing standards more
  global and interoperable
• Move beyond guidelines and facilitate the scaling
  and broad implementation of core capabilities
  already developed within cybersecurity
  communities

14
Global Cybersecurity Information Exchange
Framework

• Cybersecurity information structured information
  or knowledge concerning
• The state of equipment, software or network
  based systems as related to cybersecurity,
  especially vulnerabilities
• Forensics related to incidents or events
• Heuristics and signatures gained from experienced
  events
• Parties who implement cybersecurity information
  exchange capabilities within the scope of this
  framework
• Specifications for the exchange of cybersecurity
  information, including modules, schemas, and
  assigned numbers
• The identities and trust attributes of all of the
  above
• Implementation requirements, guidelines and
  practices

15
Global Cybersecurity Information Exchange
Framework
Cybersecurity Entities
Cybersecurity Entities
CybersecurityInformationacquisition(out of
scope)
CybersecurityInformationuse(out of scope)

• Structured information
• Identification discovery of cybersecurity
  information and entities
• Trusted exchange

Some specialized cybersecurity exchange
implementations may require application specific
frameworks specifying acquisition and use
capabilities
16
Global Cybersecurity Information Exchange
Framework Capabilities and Context
The Framework enables exchange capabilities for
the entire Cyber Security Ecosystem, by providing
for the dashed information exchanges
17
Framework Capabilities Outline

• Cybersecurity structured information
• Identify existing standards
• Bring some of them into ITU-T as X-series
  standards and supplement as needed for global
  interoperability
• Cybersecurity identification and discovery
• Identify existing standards
• Bring some of them into ITU-T as X-series
  standards and supplement as needed for global
  interoperability
• Cybersecurity trusted acquisition and exchange
• Identify existing standards
• Bring some of them into ITU-T as X-series
  standards and supplement as needed for
  interoperability