GSC-13 Draft Presentation Template

1. Security / Cybersecurity ITU Herbert Bertine, Chairman ITU-T Study Group 17 Submission Date: July 1, 2008Presentation FOR: GSC13-XXXX-nn DOCUMENT #: Herbert Bertine CONTACT(S): AGENDA ITEM: ITU SOURCE:

Cybersecurity one of the top priorities of the ITU

Plenipotentiary Resolution 140 (2006),ITUs role in implementing the outcomes of the World Summit on the Information Society The important moderator/facilitator role of ITU in action line C5 (building confidence and security in the use of ICTs).

Plenipotentiary Resolution 149 (2006),Study of definitions and terminology relating to building confidence and security in the use of information and communication technologies

WTSA-04 Resolution 50,Cybersecurity Instructs the Director of TSB to develop a plan to undertake evaluations of ITU-T existing and evolving Recommendations, and especially signalling and communications protocol Recommendations with respect to their robustness of design and potential for exploitation by malicious parties to interfere destructively with their deployment

WTSA-04 Resolution 51,Combating spam Instructs the Director of TSB to prepare urgently a report to the Council on relevant ITU and other international initiatives for countering spam, and to propose possible follow-up actions -Done

WTSA-04 Resolution 52,Countering spam by technical means Instructs relevant study groups to develop, as a matter of urgency, technical Recommendations, including required definitions, on countering spam

ITU Global Cybersecurity Agenda (GCA)

A Framework forinternational cooperationin cybersecurity

ITU response to its role as sole Facilitator forWSIS Action Line C5

Five key work areas :Legal, Technical, Organisational, Capacity Building, International Cooperation

World renownedGroup of High-Level Experts (HLEG)working on global strategies

GCA/HLEG met 26 June 2008 to agree upon a set of recommendations on all five work areas for presentation to ITU Secretary-General

ISO/IEC/ITU-T Strategic Advisory Group on Security

Coordinates security work and identifies areas where new standardization initiatives may be warranted.Portal established.Workshops conducted.

Identity Management

Effort jump started by IdM Focus Group which produced 6 substantial reports (265 pages) in 9 months

JCA IdM and IDM-GSI established main work is in SGs 17 and 13

First IdM Recommendation X.1250 ,Requirements for global identity management trust and interoperability- now in approval process

Core security (SG 17)

Approved 14 texts in 2007, 17 so far in 2008, 15 more for action in September 2008

Summaries of Recommendations under development are available at:http://www.itu.int/dms_pub/itu-t/oth/0A/0D/T0A0D00000D0003MSWE.doc

Covering frameworks, cybersecurity, countering spam, home networks, mobile, web services, secure applications, ISMS, telebiometrics, etc.

Work underway on additional topics including IPTV, multicast, and USN security; risk management and incident management; traceback

Questionnaire issued to developing countries to ascertain their security needs

Updated security roadmap/database, compendia, manual; strengthened coordination

Security for NGN

Y.2701 , Security Requirements for NGN Release 1-published

Y.2702 ,NGN authentication and authorization requirements determined

Addressing security to enhance trust and confidence of users in networks, applications and services

With global cyberspace, what are the security priorities for the ITU with its government / private sector partnership?

Need for top-down strategic direction to complement bottom-up, contribution-driven process

Balance between centralized and distributed efforts on security standards

Legal and regulatory aspects of cybersecurity, spam, identity/privacy

Address full cycle vulnerabilities, threats and risk analysis; prevention; detection; response and mitigation; forensics; learning

Agree uniform definitions of cybersecurity terms and definitions

Marketplace acceptance of Information Security Management System (ISMS) standards (ISO/IEC 27000-series and ITU-T X.1051) the security equivalent to ISO 9000-series

Effective cooperation and collaboration across the many bodies doing cybersecurity work

PSO help is needed in keeping security database up-to-date

Informal security experts network needs commitment

There is no silver bullet for cybersecurity

All Study Groups have proposed Questions for next study period

Most study groups have Questions concerning security

Questions are mainly evolution of existing work program

See SupplementalInformation

The World Telecommunication Standardization Assembly (WTSA) in October 2008 will make decisions on the priorities, work program (Questions) and organization of Study Groups, including security / cybersecurity work

Meanwhile, the present work program continues under the current structure See Supplemental Information

E.g., Study Groups 17 and 13 will each meet in September to approve additional security Recommendations

A new edition of the ITU-T Security Manual is scheduled for October 2008

Resolution GSC-12/19, Cybersecurity

Add a newResolvesfollows:

5)supply updated information on their security standards work for inclusion in theICT Security Standards Roadmap,a database of security standards hosted by the ITU-T at: http://www.itu.int/ITU-T/studygroups/com17/ict/index.html

Supplemental Information

Security activities

ITU General Secretariat

Telecommunication Standardization Sector (ITU-T)

Radiocommunication Sector (ITU-R)

Telecommunication Development Sector (ITU-D)

Useful web resources

Constant evolution of the nature of cyberthreats

Vulnerabilities in software and hardware applications and services

Low entry barriers for cyber-criminals

Loopholes in current legal frameworks

Absence of appropriate organizational structures

Inadequate cooperation among various stakeholders

Global problem which cannot be solved by any single entity

(country or organization)

Increasing sophistication of cybercrime

A framework for international multi-stakeholder cooperation in cybersecurity

ITU Response to its role as sole Facilitator for WSIS Action Line C5

World renowned Group of High Level Experts (HLEG) to develop global strategies

Representing main stakeholder groups working towards the same goals

:Developing harmonized global strategies

Legal Measures

Technical and Procedural

Measures

Organizational Structures

Capacity Building

International Cooperation

A global multi-stakeholder think-tank

made up of high-level experts from:

Governments

Industry

Regional and international organizations

Research and academic institutions

Individual experts

Ecole Polytechnique Fdrale de Lausanne

(EPFL), Switzerland

Information Security Institute, Australia

Moscow Technical University of

Communications, Russian Federation

African Telecommunication Union (ATU)

Asia Pacific Economic Cooperation

Telecommunications (APECTEL)

Commonwealth Telecommunications

Organisations (CTO)

Council of Europe

Department of Economic and

Social Affairs (DESA)

European Information and Network

Security Agency (ENISA)

International Criminal Police

Organization (Interpol)

Organisation for Economic Co-operation

and Development (OECD)

Organisation International de la Francophonie

Society for the Policing of Cyberspace (POLCYB)

UMTS Forum

United Nations Institute for Training

and Research (UNITAR)

United Nations Office on Drugs and Crime

Authentrus

BITEK International Inc.

Garlik

Intel Corporation

Microsoft Corporation

Tlam S.E.

VeriSign, Inc.

Stein Schjolberg, Chief Judge,

Moss Tingrett Court, Norway

Solange Ghernaouti-Helie,

HEC-Universit de Lausanne, Switzerland

Sy Goodman, Georgia Institute of Technology,

United States

Nabil Kisrawi, Chairman of WG-Def,

Syrian Republic

Bruce Schneier, Security Technologist,

Unites States

Marco Gercke, Professor, Cologne University,

Germany

The HLEG work is an ongoing dynamic process with information-sharing and interaction relating to the elaboration of Global Strategies to meet the goals of the GCA and the ITU role as sole facilitator for WSIS Action Line C.5.

Three meetings held:

First Meeting of the HLEG held on 5 October 2007

Second Meeting of the HLEGheld on 21 May 2008

Third Meeting of the HLEGheld on 26 June 2008

Chairman's Report:

The results of the work of the HLEG, including recommendations, the views expressed during the meeting and additional information about the previous work of the HLEG are contained in the Chairmans report which will be available at:http://www.itu.int/osg/csd/cybersecurity/gca/hleg/meetings/third/index.html

This Sponsorship programme will ensure that all relevant stakeholders are aware of HLEGs valuable work, will increase also a global understanding about how to work together to implement effective strategies. It will then be up to the stakeholders themselves within their respective mandates and capabilities to translate these strategies into concrete actions.

GCA Sponsors will help to promote the goals of this initiative around the world by participating in high-profile business activities including publications, pubic campaigns, an annual conference and other events. In addition to the opportunity to meet with high-level decision makers, Sponsors also stand to enhance their image and credibility with their stakeholders.

ITU-T Telecommunication Standardization Sector

SG 17, Security, Languages and Telecommunication Software

Lead Study Group on Telecommunication Security

SG 2, Operational Aspects of Service Provision, Networks and Performance

SG 4, Telecommunication Management

SG 5, Protection Against Electromagnetic Environment Effects

SG 9, Integrated Broadband Cable Networks and Television and Sound Transmission

SG 11, Signalling Requirements and Protocols

SG 13, Next Generation Networks

SG 15, Optical and Other Transport Network Infrastructures

SG 16, Multimedia Terminals, Systems and Applications

SG 19, Mobile Telecommunication Networks

ITU-T Study Group 17 Security, Languages and Telecommunication Software

Q.4/17, Communications Systems Security Project

Q.5/17, Security Architecture and Framework

Q.6/17, Cyber Security

Q.7/17, Security Management

Q.8/17, Telebiometrics

Q.9/17, Secure Communication Services

Q.17/17, Countering Spam by Technical Means

Q.2/17, Directory Services, Directory Systems and Public-key/Attribute Certificates

ITU-T SG 17 Question 4

Communications Systems Security Project

Overall Security Coordination and Vision

Outreach and promotional activities

ICT Security Standards Roadmap

Security Compendium

ITU-T Security manual

Focus Group on Security Baseline For Network Operators

Successful workshop organized at start of Study Period to consider future direction of security standards

Security Standards Roadmap developed includes security standards from ITU, ISO/IEC, IEEE, IETF, ATIS, ETSI, OASIS, 3GPP

Security Compendium and Security Manual maintained and updated

Security Baseline for Network Operators developed

Overall shortage of participants and contributors

Roadmap issues/challenges:

Taxonomy (always a challenge!)

Finding out about new standards and when to post them

Appearance of the database

Need to develop a short guide to the update process

Security Roadmap

The listing of standards has been converted to a searchable database

Further updating is planned to ease navigation

A new section (Part 5) has been added on (non-proprietary) Best Practices

Will continue to be primary SG contact for security coordination issues

Will maintain and update outreach material

Security Manual

Security Roadmap

Security Compendium

Responsibilities will be limited to coordination and outreach no Recommendations

Security architecture and framework

Strategic direction

Challenges

Major activities and accomplishments

Actions for the next study period

Q.5/17 has developed Recommendations that further develop the concepts ofX.805and provide guidance on their implementation

X.1031 ,Security architecture aspects of end users and networks in telecommunications-provides guidanceon applying the concepts of the X.805 architecture for distributing the security controls between the telecommunication networks and the end users equipment.

X.1034 ,Guidelines on Extensible Authentication Protocol based Authentication and Key Management in a Data Communication Network andX.1035 ,Password-Authenticated Key Exchange Protocol (PAK)-specify protocols and proceduresthat support functions of theAuthentication security dimension .

X.1036 ,Framework for creation, storage, distribution and enforcement of policies for network securityfurtherdevelops the concept of the security policydescribed in X.805.

Supplement to X.800-X.849 ,Guidelines for implementing system and network security provides guidelinesfor implementing system and network security utilizing the concepts of X.805 and other security Recommendations and standards.

Development of a comprehensive set of Recommendations for providing standard security solutions for telecommunications in collaboration with other Standards Development Organizations and ITU-T Study Groups.

Studies and development of a trusted telecommunication network architecture that integrates advanced security technologies.

Maintenance and enhancements of Recommendations in the X.800-series and X.103x-series.

Coordination of studies on NGN security (with Question 15/13)

Authentication and key agreementis one of the most complex and challenging security procedures.Question 5/17 has developed Recommendations that contribute to the standards solutions for authentication and key management

X.1034 ,Guidelines on Extensible Authentication Protocol based Authentication and Key Management in a Data Communication Network

Establishes a framework for the EAP-based authentication and key management for securing the link layer in an end-to-end data communication network.

Provides guidance on selection of the EAP methods.

X.1035 ,Password-Authenticated Key Exchange Protocol (PAK)

Specifies a protocol, which ensures mutual authentication of both parties in the act of establishing a symmetric cryptographic key via Diffie-Hellman exchange.

Recommendationsdeveloped by Q.5/17:

X.1031 ,Security architecture aspects of end users and networks in telecommunications

X.1034 ,Guidelines on Extensible Authentication Protocol based Authentication and Key Management in a Data Communication Network

X.1035 ,Password-Authenticated Key Exchange Protocol (PAK)

X.1036 ,Framework for creation, storage, distribution and enforcement of policies for network security

ASupplementdeveloped by Q.5/17

Supplement to X.800 - X.849 series Guidelines for implementing system and network security

Other technical documents prepared by Q.5/17

In response to theWTSA Resolution 50 , Question 5/17 has preparedGuidelines for designing secure protocols using ITU-T Recommendation X.805.

Major coordination activity conducted by Q.5/17

Question 5/17 has coordinated security studies withQuestion 15 of SG 13,NGN Securityensuring alignment of the standards work in both groups.

How should a comprehensive, coherent communications security solution be defined?

What is the architecture for a comprehensive, coherent communications security solution?

What is the framework for applying the security architecture in order to establish a new security solution?

What is the framework for applying security architecture in order to assess (and consequently improve) an existing security solution?

What are the architectural underpinnings for security?

What new Recommendations may be required for providing security solutions in the changing environment?

How should architectural standards be structured with respect to existing Recommendations on security?

How should architectural standards be structured with respect to the existing advanced security technologies?

How should the security framework Recommendations be modified to adapt them to emerging technologies and what new framework Recommendations may be required?

How are security services applied to provide security solutions?

Cyber Security

Motivation

Challenges

Highlights of activities

Actions for Next Study Period

Collaboration with SDOs

Network connectivity and ubiquitous access is central to todays IT systems

Wide spread access and loose coupling of interconnected IT systems and applications is a primary source of widespread vulnerability

Threats such as: denial of service, theft of financial and personal data, network failures and disruption of voice and data telecommunications are on the rise

Network protocols in use today were developed in an environment of trust

Most new investments and development is dedicated to building new functionality and not on securing that functionality

An understanding of cybersecurity is needed in order to build afoundation of knowledge that can aid in securing the networks of tomorrow

Definition of Cybersecurity

Security of Telecommunications Network Infrastructure

Security Knowledge and Awareness of Telecom Personnel and Users

Security Requirements for Design of New Communications Protocol and Systems

Communications relating to Cybersecurity

Security Processes Life-cycle Processes relating to Incident and Vulnerability

Security of Identity in Telecommunication Network

Legal/Policy Considerations

IP traceback technologies

Authentication Assurance

How should the current Recommendations be further enhanced for their wide deployment and usage?

How to harmonize common IdM data models across the ITU

How to define and use the term Identity within the ITU

How to detect and predict future threats and risks to networks

How to harmonize various IdM solutions

What are the best strategies to improve Cybersecurity

How to maintain a living list of IdM terms and definition and use it informally across the ITU

Enhance current Recommendations to accelerate their adoption

Work with SG 2 in Trusted Service Provider Identifier (TSPID)

Collaborate with Questions 5, 7, 9, 17/17 and with SG 2 in order to achieve better understanding of various aspects of network security

Collaborate with IETF, OASIS, ISO/IEC JTC1, Liberty Alliance and other standardization bodies on Cybersecurity

Work with OASIS on maintaining the OASIS Common Alerting Protocol V1.1 (ITU-T Recommendation X.1303)

Study new Cybersecurity issues How should ISPs deal with botnets, evaluating the output of appropriate bodies when available.

Study technical aspects of Traceback techniques

Joint work is ISO/JTC1 SC 27 on Entity Authentication Assurance

Progress work with Liberty Alliance on Identity Authntication Frameworks

Working with SG 4 and SG 13 on common IdM Data Models.

Developing frameworks forUser control enhanced digital identity interchange framework

Developing guideline on protection for personally identifiable information in RFID application

Developing r equirements for security information sharing framework

Developing guideline on preventing worm spreading in a data communication network

Maintaining the IdM Lexicon document

ISO/IEC JTC 1/SC 27

IEC/TC 25

Liberty Alliance

ETSI/TISPAN

Security management

Challenges

How should information assets in telecommunications systems be identified and managed?

How should information security policy for telecommunications systems be identified and managed?

How should specific management issues for telecommunications organizations be identified?

How should information security management system (ISMS) for telecommunications organizations be properly constructed by using the existing standards (ISO/IEC and ITU-T)?

How should measurement of information security management in telecommunications be identified and managed?

How should an information security governance framework be identified and managed?

How should the small and medium telecommunications organizations be managed and applied for security?

Review the existing management Recommendations/Standards in ITU-T and ISO/IEC management standards as for assets identification and security policy management.

Study and develop a methodology of assets identificationand policymanagement for telecommunications based on the concept of information security management (X.1051) .

Study and developinformationsecurity managementframeworkfor telecommunications based on the concept of information security management (X.1051).

Study and develop security managementguidelinesforsmall and mediumtelecommunications based on the concept of information security management (X.1051).

Study and develop a methodology to construct information security management system (ISMS) for telecommunications organizations based on the existing standards (ISO/IEC and ITU-T).

Study and develop an information security governance framework for telecommunications that encompasses information technology and information security management.

ISO/IEC JTC 1/SC27

Telebiometrics

Strategic Direction

Challenges

How should security countermeasures be assessed for particular applications of telebiometrics?

How can identification and authentication of users be improved by the use of interoperable models for safe and secure telebiometric methods?

What mechanisms need to be supported to ensure safe and secure manipulation of biometric data in any application of telebiometrics, e.g., telemedicine or telehealth?

How should the current Recommendations be further enhanced for their wide deployment and usage?

Enhance current Recommendations to accelerate their adoption to various telebiometric applicationsand populate the telebiometric database.

Review the similarities and differences among the existing telebiometrics Recommendations in ITU-T and ISO/IEC standards.

Study and develop security requirements and guidelines for any application of telebiometrics.

Study and developrequirements forevaluating security, conformance and interoperability with privacy protection techniques for any application of telebiometrics.

Study and develop requirements for telebiometric applications in a high functionality network.

Study and developrequirements fortelebiometric multi-factor authentication techniques based on biometricdata protection and biometricencryption.

Study and developrequirements forappropriate generic protocols providing safety, security, privacy protection, and consent for manipulating biometric data in any application of telebiometrics, e.g., telemedicine or telehealth.

Prepare a manual on telebiometrics.

ISO/IEC JTC 1/SCs 17, 27 and 37

ISO/TC 68 and TC 12

IEC/TC 25

International Bureau of Weight and Measurement (BIPM)

Secure Communication Services

Position of each topic

Strategic direction

Challenges

Major achievements

Security work proposed for next study period

Develop a set of standards of secure application services, including

Mobile security

Home network security

Web Services security

Secure application services

NID/USN securityUnder study

Multicast security Under study

IPTV securityUnder study

For developing the draft Recommendations on IPTV security matters:

Participate the ITU-T IPTV-GSI event (January December, 2008) to develop them being consistent with relevant Recommendations being developed by other Questions

Propose X.iptvsec-1 (Requirements and architecture for IPTV security matter) for consent by September 2008, to meet urgent market need

Based on X.iptvsec-1, continue to study a set of possible draft Recommendations which complement X.iptvsec-1 technologically

Continue to develop a set of draft Recommendations in domain-specific areas:

Mobile network, Home network, (mobile) Web Services, application services, NID/USN service, IPTV service multicasting service, etc.

Continue to adopt or update the mature standards (i.e., SAML, XACML) developed by other SDOs, especially by OASIS, in the area of Web Services security

Develop a common text of X.usnsec-1 (Security framework for USN) with ISO/IEC JTC 1/SC 6 (as of June 2008)

Keep maintaining liaison activities with 3GPP, 3GPP2, JTC 1/SC 6, 25, 27 to develop the relevant draft Recommendations

For the domain-specific draft Recommendations,it needsto strengthen the coordination work with other relevant Questions/SDOsto develop them to be consistent with their work.

During this Study period, Q.9/17 has been focused on the security framework for various domain-specific networks. However, from now on it should be emphasized to developthe pragmatic draft Recommendations which have significant impact on industry for the domain-specific networks with the collaboration with industries, other relevant SDOs and network/service providers.

For developing the draft Recommendations on IPTV security matters,the various detailed work items should continue to be identified in the future .

Mobile security

X.1123,G eneral securityvalue added service (policy)for mobiledatacommunication , Approved 2007

X.1124,Authentication architecture in mobile end-to-end data communication, Approved 2007

X.1125,Correlative reacting system in mobile network, Approved 2007

NID security

X.1171,Framework for Protection of Personally Identifiable Information in Networked ID Services, Consented 2008

X.1111,Framework for security technologies for home network, Approved 2007

X.1112,Certificate profile for the device in the home network, Approved 2007

X.1113, Guideline on u ser authentication mechanisms for home network service, Approved 2007

X.homesec-4Authorization framework for home network, to be consented 2008

USN security

X.usnsec-1Requirement and Framework for Ubiquitous Sensor Network , New work item in2007

Multicast Security

X.mcsec-,1Security Requirement and Framework in Multicast communication , New work item in2007

IPTV security

X.iptvsec-1,Functional Requirements and architecture for IPTVsecurity aspects , New work item in 2008

X.iptvsec-2,Requirement and mechanism for Secure Transcodable Scheme New work item in 2008

X.iptvsec-3,Key management framework for secure IPTV communications , New work item in 2008

Web Services security

X.1143,Security architecture for message security in mobile Web Services, Approved 2007

Secure applications services

X.1151,Guideline on strong password authentication protocols, Approved 2007

X.1152, Secure end-to-end data communication techniques using Trusted Third Party services, Consented 2008

X.1161, Framework for secure peer-to-peer communications, Consented 2008

X.1162,Security architecture and operations for peer-to-peer network, Consented 2008

Mobile Security

NID/USN security

Multicast security

IPTV security

Web Service security

Secure application security

Mobile Security

NID/USN security

Multicast security

IPTV security, etc.

Web Service security

Secure application service, etc.

Divide Q.9/17 into two Questions: Q.O/17 and Q.P/17, considering the enormous workloads.

Countering spam by technical means

Strategic direction

Challenges

Actions for next study period

Develop a set of standards forcountering spam by technical means,including:

General technical strategies and protocols for countering spam

Guidelines, frameworks and protocols for countering email spam, IP multimedia spam, SMS spam and other new types of spam

What risks does spam pose to the telecommunication network?

What technical factors associated with the telecommunication network contribute to the difficulty of identifying the sources of spam?

How can new technologies lead to opportunities to counter spam and enhance the security of the telecommunication network?

Do advanced telecommunication network technologies (for example, SMS, instant messaging, VoIP) offer unique opportunities for spam that require unique solutions?

What technical work is already being undertaken within the IETF, in other fora, and by private sector entities to address the problem of spam?

What telecommunication network standardization work, if any, is needed to effectively counter spam as it relates to the stability and robustness of the telecommunication network?

Act as the lead group in ITU-T on technical means for countering spam

Establish effective cooperation with the relevant ITU Study Groups, other standard bodies and appropriate consortia and fora.

Identify and examine the telecommunication network security risks introduced by the constantly changing nature of spam.

Develop a comprehensive and up-to-date resource list of the existing technical measures for countering spam in a telecommunication network that are in use or under development.

Determine whether new Recommendations or enhancements to existing Recommendations, including methods to combat delivery of spyware, worm, phishing, and other malicious contents via spam and combat compromised networked equipment including botnet delivering spam.

Provide regular updates to the Telecommunication Standardization Advisory Group and to the Director of the Telecommunication Standardization Bureau to include in the annual report to Council.

Standardization bodies :

ISO/IEC JTC 1

Other bodies :

MAAWG.

Directory Services, Directory Systems and Public-key/Attribute Certificates

X.509 as basis for other specifications

Certificates

Public-Key Infrastructure (PKI)

Privilege Management Infrastructure (PMI)

Protecting directory information

User authentication

Access control

Data privacy protection

Secure Socket Layer (SSL)

The IETFInternet X.509 Public Key Infrastructure (PKIX) activity

The IETF Secure / Multipurpose Internet Mail Extensions (S/MIME) activity

The ETSI Electronic Signatures and Infrastructures (ESI) activity

Secure e-mail

Online banking

Medical electronic journals

Online public service

PKI is an infrastructure for managing certificates. It consists of one or more Certification Authorities for issuing certificates in a secure way following a set of policies.

It includes maintaining information about certificates been revoked.

Directories are major components of the infrastructure.

PMI is an infrastructure for managing authorization using attribute certificates. It consists of one or more Attribute Authorities for issuing attribute certificates in a secure way.

It includes maintaining information about attribute certificates been revoked.

Directories are major components of the infrastructure.

Recent development - (PMI) has been extended to allow privileges obtained in one domain to be used in an other domain (federation of privileges).

Authentication of users

Name + password

Name + protected password

Strong authentication based on X.509

Access control

Access control is about right-to-know (Who may do what based on level of authentication)

X.500 has comprehensive access control features

X.500 is the only directory specification having these features

Data Privacy Protection

Data Privacy Protection is about right-to-know and need-to-know.

Protection against malicious searches

Protection against data trawling

Minority protection

Password lifetime

Maintain password history (avoid reuse)

Password quality

Password warnings

Error signalling

ITU-T Study Group 2

Operational aspects of service provision, networks and performance

Operational aspects such as prevention and detection of:

Misuse

Corresponding operational measures

Security requirements

Recommendations:

E.156 Guidelines for ITU-T action on reported misuse of E.164 number resources

E.408 Telecommunication networks security requirements

E.409 Incident organization and security incident handling: Guidelines for telecommunication organizations

Numerous Recommendations on operational aspects of network management

ITU-T Study Group 4

Telecommunication management

Security of management plane

Management of security for telecommunications management

Protocols of securities for management

Establishment of interface Recommendations among security function groups or entities for management of security (Enhancement of M.3410)

Study on use of IdM in management plan

Study on the management of IdM

Continuation of protocol profiling for security management

Fill the gap in security on management plane and management of its security

Collaboration with ATIS TMOC and ETSI TISPAN on the subject

Consent of Recommendation M.3410

Guidelines and Requirements for Security Management Systemsto Support Telecommunications Management

Enhancement of M.3016 series Recommendations for security of management plane

Enhancement of M.3410 Recommendation for management of security for telecommunications management

Enhancement of Q.811 and Q.812, management protocol profiles from security subject perspective

What security mechanisms and protocols are required to support security of management for NGNs?

What management mechanisms and protocols are required to support management of security for NGNs?

What use of Service-Oriented Architecture concepts should be applied in specifying protocol and security Recommendations?

What collaboration inside and outside the ITU-T is needed to develop protocol and security functions?

ITU-T Study Group 5

Protection against electromagnetic environment effects

To provide guidance on the protection of Telecommunications and Data Centres against disruption of service and/or physical damage due to:

Natural EM phenomena

Lightning, Electrostatic Discharge (ESD)

Interactions with the RF Spectrum

Electromagnetic Compatibility (EMC)

Man-Made/Malicious Electromagnetic threats

High-altitude EM Pulse (HEMP);

High-Power EM weapons (HPEM);

To provide guidance on the protection of electronic data from interception via EM means

Do not reinvent the wheel

Reference existing K-Series Recommendations wherever possible

Lightning, ESD, EMC

Develop effective liaisons with other International Standardization Organizations to exploit additional expertise

Liaison with IEC TC 77 Electromagnetic Compatibility (EMC) SC 77C High Power Transient Phenomena provided expertise in HEMP and HPEM

Liaison with National Institute of Information and Communications Technology (NICT) of Japanprovided expertise on EM interception of data

Apply existing expertise to the telecommunications and data centre domain

Knowledge management

Liaisons with other bodies has granted access to rich veins of existing expertise

This has taken time to assimilate and present within the context of a telecommunications and data centre

EM intercept

Previously officially secret in some regions (i.e. previously known as TEMPEST within the US)

A document set is planned

K.sec basic introduction that references the following:

K.hemp

K.hpem

K.leakage

K.sec_miti

Existing K-series Recommendations on lightning

Existing K-series Recommendations on EMC

Steady progress has been made on developing the document set

ITU-T Study Group 9

Integrated broadband cable networks and television and sound transmission

Security requirements are spread across multiple questions:

Improve the security of conditional access systems used for television subscription, pay-per-view and similar services distributed to the home by cable television (Q3)

Security, conditional access, protection against unauthorized copying, protection against unauthorized redistribution requirements to be supported by an universal integrated receiver or set-top box for the reception of cable television and other services (Q5)

Security requirements and protocols associated with high-speed bidirectional data facilities intended to support, among other payloads, those utilizing Internet Protocols (IP) exploiting the broadband capacity provided by hybrid fiber/Coaxial (HFC) digital cable television systems (Q8)

Security requirements and protocols for Voice over IP/Video over IP applications in IP-based cable television networks (Q9)

Extend the security requirements for entertainment video delivery associated with cable network video service onto the home network (Q10)

Provide all the security requirements for the network elements and services offered by cable operators

Authentication, privacy, access control and content protection both on the access network and the bridge to home network are key considerations for multi-media applications/services

Security requirements for network elements in the access networks determine how the applications (voice, video and data) are transmitted securely to authenticated users/subscribers

Security requirements for network elements in the home network such as residential gateway and set-top boxes meet the access control for the user

Approved 2 security requirements Recommendations:

Link Privacy for cable modems (J.125)

Third generation transmission systems (cable Modem and Cable Modem Termination System, J.222.3)

Approved IPTV requirements for secondary distribution (J.700)

Approved the Recommendation on Component definition and interface specification for next generation set-top box (J.293)

Security studies for the next study period will be continued in the following questions:

Cable television delivery of digital services and applications that use Internet Protocols (IP) and/or packet-based data

Voice and video applications over cable TV networks

Functional requirements for a universal integrated receiver or set-top box for the reception of cable television and other services

The extension of cable-based services over broadband in Home Networks

Security requirements for IPTV interfaces for secondary distribution (identified in J.700)

ITU-T Study Group 11

Signalling Requirements and Protocols

Each Question of SG11 has to consider security aspects to develop protocol Recommendations used for network control signalling, based on the general requirements developed by other SGs, such as SG 2, SG 13, SG 17 and SG 19.

Q.7/11, entitled as Signalling and control requirements and protocols to support attachment in NGN environments, has specific requirements for authentication and authorization of users and terminals.

Security consideration has been incorporated within the text for each Question of SG11.

Various security arrangements are embedded within the protocols defined at various reference points, by reusing existing mechanisms defined by other organization (e.g., IETF and 3GPP).

Strengthen the coordination on security issues across SGs, as well as among Questions within SG 11 by proposing a dedicated new Question on security coordination for the next study period.

Design interface protocols which have various security mechanisms based on Recommendations / specificationsdeveloped by SG 17 and other SDOs.

Special attention should be drawn to the interface between legacy telephone networks and emerging NGN.

It would also be necessary to guide actual protocol implementations so that there will be no security holes, for example, by defining implementers guides.

24 Recommendations and 6 Supplements have been approved so far, regarding NGN protocols with security mechanisms embedded.

The following two Recommendations have been approved at the January 2008 SG11 meeting in Q.7/11 in Network attachment control protocol work:

Q.3201, EAP-based security signalling protocol architecture. Note - EAP: Extensible Authentication Protocol

Q.3202.1, Authentication protocols for interworking among 3GPP, WiMax and WLAN in NGN.

New Question on security coordination

What is the content of an appropriate policy for the consideration ofprotocol securityin the work of the Study Group?

What are themeansto assure that such a policy is being followed in practice?

Whatexceptionsto the general policy are permissible in the case of specific Recommendations?

What is the impact ofsecurity-related work in other groupson the work of protocol security within this Study Group at the policy level?

What are the means by which technical developments in protocol security achieved in other groups may be communicated to interested Questions in this Study Group, and the reverse?

Next Generation Networks

Conduct NGN Security studies to develop network architectures that:

Provide for maximal network and end-user resources protection

Allow for highly-distributed intelligence end-to-end

Allow for co-existence of multiple networking technologies

Provide for end-to-end security mechanisms

Provide for security solutions that apply over multiple administrative domains

Provide for secure Identity Management

Provide for security solutions for IPTV that are cost-effective and have acceptable impact on the performance, quality of service, usability, and scalability

Provide security guidance on NGN security to all Questions of SG 13 and other Study Groups

IdM Frameworkdefines the concepts of the IdM

IdM Use casesis a base for deriving theIdM requirements

IdM Mechanismsprovide support for the requirements

Authentication is one of the most complex and challenging procedures in NGN security. The following study items of SG 13 are focused on various aspects of authentication:

Y.2702 , NGN Authentication and Authorization Requirements

NGN Security Mechanisms

NGN Certificate Management

NGN Authentication Authorization and Accounting

NGN IdM Requirements

NGN IdM Mechanisms

Question 15/13 has:

Achieveddeterminationof the draft ITU-T RecommendationY.2702 , NGN Authentication and Authorization Requirements

Defined the direction for the studies ofIdentity Management(IdM) for NGN and started development of four ITU-T Recommendations on IdM

Provided security expertise to other Questions and Study Groups through activeparticipation in NGN-GSIandIdM-GSI

Continued productivecollaboration with ITU-T SG 17 - Lead Study Group on Telecommunication Securityand started joint (with Q.6/17) development of Recommendation X.idm-dm,Identity Data Model

Initiated a liaison exchange with3GPP SA 3aimed at harmonization of the standards onmedia security

Security studies for the next study period will address:

What new Recommendations or guidance to other Study Groups are needed to standardizeidentification of NGN threats and vulnerabilities ?

What are the security requirements of NGN to effectivelycounter these threats ?

What new Recommendations are necessary to enable comprehensive,end-to-end security in NGN that span across multiple heterogeneous administrative domains ?

What new Recommendations or guidance are necessary to enableattachment of terminals in a secure fashion , including Authentication, Authorization, and Accounting ( AAA ) considerations, to NGN?

How todefine security architecture of Identity Managementin NGN?

What are security requirements to Identity Management in NGN?

What new Recommendations are needed forsupporting security requirements of Identity Managementin NGN?

What new Recommendations are needed forsupporting secure interoperability among different Circles of Trusts (CoT)in NGN?

What new NGN Recommendations are needed forsupporting security requirements of IPTV ?

Optical and Other Transport Network Infrastructures

Multimedia terminals, systems and applications

Study Group 16 concentrates on m ultimedia systems.

Q.25/16 focuses on the application-security issues of MM applications in existing and next generation networks

Standardizes multimedia security

So far Q.25/16 has been standardizing MM-security for the 1st generation MM/pre-NGN systems:

H.323/H.248-based systems

Major restructuring of H.235v3 Amd1 and annexes in stand-alone sub-series Recommendations

H.235.x sub-series specify scenario-specific MM-security procedures as H.235-profiles for H.323

Some new parts added

Some enhancements and extensions

Incorporated corrections

Approved in September 2005

H.235.0 Security framework for H-series (H.323 and other H.245-based) multimedia systems

Overview of H.235.x sub-series and common procedures with baseline text

H.235.1"Baseline Security Profile

Authentication & integrity for H.225.0 signaling using shared secrets

H.235.2"Signature Security Profile

Authentication & integrity for H.225.0 signaling using X.509 digital certificates and signatures

H.235.3"Hybrid Security Profile"

Authentication & integrity for H.225.0 signaling using an optimized combination of X.509 digital certificates, signatures and shared secret key management; specification of an optional proxy-based security processor

H.235.4"Direct and Selective Routed Call Security"

Key management procedures in corporate and interdomain environments to obtain key material for securing H.225.0 call signaling in GK direct-routed/selective routed scenarios

H.235.5 "Framework for secure authentication in RAS using weak shared secrets"

Secured password (using EKE/SPEKE approach) in combination with Diffie-Hellman key agreement for stronger authentication during H.225.0 signaling

H.235.6"Voice encryption profile with native H.235/H.245 key management"

Key management and encryption mechanisms for RTP

Amendment 1 ( June 2008 ) added support for cipher key lengths of 192 and 256 bit to AES

H.235.7 "Usage of the MIKEY Key Management Protocol for the Secure Real Time Transport Protocol (SRTP) within H.235"

Usage of the MIKEY key management for SRTP

H.235.8 "Key Exchange for SRTP using Secure Signalling Channels"

SRTP keying parameter transport over secured signaling channels (IPsec, TLS, CMS)

H.235.9 " Security Gateway Support for H.323 "

Discovery of H.323 Security Gateways (SG = H.323 NAT/FW ALG) and key management for H.225.0 signaling

H.350.2 (2003) H.350.2 Directory Services Architecture for H.235

An LDAP schema to represent H.235 elements (PWs, certificates, ID information)

H.530 (2002) Symmetric security procedures for H.323 mobility in H.510 + Cor.1 (2003)

Authentication, access control and key management in mobile H.323-based corporate networks

H.460.22 (2007) Security protocol negotiation +Cor.1 (2008)

Negotiate security protocols (IPsec or TLS or others) for H.323 signaling

H.460.18 (2005) Traversal of H.323 signalling across FWs and NATs

H.323 protocol enhancements and new client/server proxies to allow H.323 signalling protocols traverse NATs & FWs; H.323 endpoints can remain unchanged

H.460.19 (2005) NAT & FW traversal procedures for RTP in H.323 systems

Uses multiplexed RTP media mode and symmetric RTP in conjunction with H.460.18 as a short-term solution

Technical Paper (2005) Requirements for Network Address Translator and Firewall Traversal of H.323 Multimedia Systems

Documentation of scenarios and requirements for NAT & FW traversal in H.323

Technical Paper (2005) Firewall and NAT traversal Problems in H.323 Systems

An analysis of scenarios and various problems encountered by H.323 around NAT & FW traversal

H-Series Supplement 10 (2008) Proxy-aided NAT/FW Traversal Scheme for H.323 Multimedia Systems

Describe proxy-aided NAT/firewall traversal mechanism as a NAT traversal solution for H.323 multimedia systems

MM security aspects of Advanced Multimedia Systems (AMS) under Q.12/16

Security consideration in the third generation MM system with a decomposed and distributed architecture

Security aspects of IPTV system under Q.13/16

Content protection related metadata

Multimedia systems and applications as being studied by SG16 face important security challenges:

MM-security and NAT/FW traversal

Q.25/16 and Q.5/16 are addressing these issues and have provided various Recommendations

The work continues in the scope of NGN-Multimedia Security

Security considerations are key part of draft new Question B7/16 Advanced functions for H.300-series systems and beyond

Other Questions will also address the topic within their areas of competence

Mobile Telecommunication Networks

Scope: IMT-2000 Family Member Networks

Broad requirements for security are covered in the following ITU-T Recommendations:

Q.1701 Framework for IMT2000 networks

Q.1702 Long-term vision of network aspects for systems beyond IMT-2000

Q.1703 Service and network capabilities framework of network aspects for systems beyond IMT-2000

Mainly derived from Q.1702 and Q.1703

Q.1702 indicates the following objectives to provide network security among heterogeneous inter-connected networks:

Comprehensive, cross-provider security infrastructure support

Well-defined and conducted routine system risk analysis

Robust system intrusion monitoring and response system to control damage

Low overhead security protocols to accommodate wireless bandwidth limitation

Provide seamless security across heterogeneous access technologies

Mainly derived from Q.1702 and Q.1703

Rec. Q.1703 specifies that at least the following security services should be provided:

Integrity: contents as received are exactly as sent

Confidentiality: user data is kept secret from unintended listeners

Non-repudiation: prevent denying a transmission was initiated

Mutual authentication: assurance that a participant is who he claims to be

Authorization: control user access to various network resources

To address security concerns arising due to:

Migration from circuit switching to Packet switching (using IP in wireless networks)

Fixed Mobile Convergence (FMC): access & services across heterogeneous networks (GSM, WiFi, PSTN, WiMAX, etc.) with the usage of IP

To define a security framework applicable across heterogeneous networks

Q.1707/Y.2804 (02/2008) Generic Framework of Mobility Management for NGNs

Designed to ensure that MM functions can interwork with the relevant authentication and security protocols.

Q.1742-series IMT2000 references to ANSI-41 evolved core network with cdma2000 access

References to 3GPP security specifications

S.S0078: Common Security Algorithms

S.R0082: Enhanced Packet Data Air Interface Security

S.R0083: Broadcast-Multicast Service Security Framework

S.S0114: Security Mechanisms using GBA

S.S0110: IP-Based Location Services Security Framework

S.R0086: IMS Security Framework.

Q.1762/Y.2802 Fixed-mobile convergence general requirements

Notes need for uniform authorization mechanism

FMC may contain access-specific or -dependent parts but the procedure for handling these is uniform

Q.1763 FMC service using legacy PSTN or ISDN as the fixed access network for mobile network users

Authentication through a fixed network

GSC-13 Draft Presentation Template

Technology

security cybersecurity

security questions

security requirements

security priorities

security needs

security roadmapdatabase

security equivalent

itut security manual