1. Security / Cybersecurity
Source: ITU
Contact: Herbert Bertine, Chairman, ITU-T Study Group 17
Document #: GSC13-XXXX-nn
Submission date: July 1, 2008
2. Strategic Direction
- Cybersecurity is one of the top priorities of the ITU
- Plenipotentiary Resolution 140 (2006), ITU's role in implementing the outcomes of the World Summit on the Information Society: the important moderator/facilitator role of ITU in Action Line C5 (building confidence and security in the use of ICTs)
- Plenipotentiary Resolution 149 (2006), Study of definitions and terminology relating to building confidence and security in the use of information and communication technologies
- WTSA-04 Resolution 50, Cybersecurity: instructs the Director of TSB to develop a plan to undertake evaluations of existing and evolving ITU-T Recommendations, especially signalling and communications protocol Recommendations, with respect to their robustness of design and potential for exploitation by malicious parties to interfere destructively with their deployment
- WTSA-04 Resolution 51, Combating spam: instructs the Director of TSB to prepare urgently a report to the Council on relevant ITU and other international initiatives for countering spam, and to propose possible follow-up actions (done)
- WTSA-04 Resolution 52, Countering spam by technical means: instructs relevant study groups to develop, as a matter of urgency, technical Recommendations, including required definitions, on countering spam
3. Highlights of current activities (1)
- ITU Global Cybersecurity Agenda (GCA)
  - A framework for international cooperation in cybersecurity
  - ITU response to its role as sole Facilitator for WSIS Action Line C5
  - Five key work areas: Legal, Technical, Organisational, Capacity Building, International Cooperation
  - World-renowned Group of High-Level Experts (HLEG) working on global strategies
  - GCA/HLEG met 26 June 2008 to agree upon a set of recommendations on all five work areas for presentation to the ITU Secretary-General
- ISO/IEC/ITU-T Strategic Advisory Group on Security
  - Coordinates security work and identifies areas where new standardization initiatives may be warranted. Portal established. Workshops conducted.
- Effort jump-started by the IdM Focus Group, which produced 6 substantial reports (265 pages) in 9 months
- JCA-IdM and IdM-GSI established; main work is in SGs 17 and 13
- First IdM Recommendation, X.1250, Requirements for global identity management trust and interoperability, now in the approval process
4. Highlights of current activities (2)
- Approved 14 texts in 2007, 17 so far in 2008, 15 more for action in September 2008
- Summaries of Recommendations under development are available at: http://www.itu.int/dms_pub/itu-t/oth/0A/0D/T0A0D00000D0003MSWE.doc
- Covering frameworks, cybersecurity, countering spam, home networks, mobile, web services, secure applications, ISMS, telebiometrics, etc.
- Work underway on additional topics including IPTV, multicast and USN security; risk management and incident management; traceback
- Questionnaire issued to developing countries to ascertain their security needs
- Updated security roadmap/database, compendia, manual; strengthened coordination
- Y.2701, Security Requirements for NGN Release 1: published
- Y.2702, NGN authentication and authorization requirements: determined
5. Challenges
- Addressing security to enhance trust and confidence of users in networks, applications and services
- With global cyberspace, what are the security priorities for the ITU with its government / private sector partnership?
- Need for top-down strategic direction to complement the bottom-up, contribution-driven process
- Balance between centralized and distributed efforts on security standards
- Legal and regulatory aspects of cybersecurity, spam, identity/privacy
- Address the full cycle: vulnerabilities, threats and risk analysis; prevention; detection; response and mitigation; forensics; learning
- Agree uniform definitions of cybersecurity terms
- Marketplace acceptance of Information Security Management System (ISMS) standards (ISO/IEC 27000-series and ITU-T X.1051), the security equivalent of the ISO 9000-series
- Effective cooperation and collaboration across the many bodies doing cybersecurity work
- PSO help is needed in keeping the security database up to date
- Informal security experts network needs commitment
- There is no silver bullet for cybersecurity
6. Next Steps/Actions for ITU-T
- All Study Groups have proposed Questions for the next study period
  - Most study groups have Questions concerning security
  - Questions are mainly an evolution of the existing work program
  - See Supplemental Information
- The World Telecommunication Standardization Assembly (WTSA) in October 2008 will make decisions on the priorities, work program (Questions) and organization of Study Groups, including security / cybersecurity work
- Meanwhile, the present work program continues under the current structure (see Supplemental Information)
  - E.g., Study Groups 17 and 13 will each meet in September to approve additional security Recommendations
- A new edition of the ITU-T Security Manual is scheduled for October 2008
7. Proposed revision to Resolution
- Resolution GSC-12/19, Cybersecurity
  - Add a new Resolves as follows:
  - 5) supply updated information on their security standards work for inclusion in the ICT Security Standards Roadmap, a database of security standards hosted by the ITU-T at: http://www.itu.int/ITU-T/studygroups/com17/ict/index.html
8. Supplemental Information
- Telecommunication Standardization Sector (ITU-T)
- Radiocommunication Sector (ITU-R)
- Telecommunication Development Sector (ITU-D)
9. Supplemental Information: ITU General Secretariat, Corporate Strategy Division
10. A Framework for International Cooperation in Cybersecurity: ITU Global Cybersecurity Agenda
11. Issues and Challenges
The major challenge is to develop harmonized and comprehensive global strategies at the international level.
- Constant evolution of the nature of cyberthreats
- Vulnerabilities in software and hardware applications and services
- Low entry barriers for cyber-criminals
- Loopholes in current legal frameworks
- Absence of appropriate organizational structures
- Inadequate cooperation among various stakeholders
- Global problem which cannot be solved by any single entity (country or organization)
- Increasing sophistication of cybercrime
12. WSIS and Cybersecurity
"Strengthening the trust framework, including information security and network security, authentication, privacy and consumer protection, is a prerequisite for the development of the Information Society and for building confidence among users of ICTs." (WSIS Geneva Declaration of Principles, Para 35)
"We reaffirm the necessity to further promote, develop and implement in cooperation with all stakeholders a global culture of cyber-security, as outlined in UNGA Resolution 57/239 and other relevant regional frameworks." (WSIS Tunis Agenda, Para 39)
Confidence and security are among the main pillars of the information society.
13. ITU's Role as WSIS C5 Facilitator
At the World Summit on the Information Society (WSIS), world leaders and governments entrusted ITU to take the leading role in coordinating international efforts on cyber-security, as the sole Facilitator of Action Line C5, "Building confidence and security in the use of ICTs".
The International Telecommunication Union (ITU) provides the global perspective and expertise needed to meet the challenges, with a track record of brokering agreements between public and private interests on a level playing field ever since its inception in 1865.
Third Facilitation Meeting, 22-23 May 2008, ITU Headquarters, Geneva: http://www.itu.int/osg/csd/cybersecurity/WSIS/3rdMeeting.html
14. A Global Strategy for Action
The strategy for a solution must identify the existing national, regional and international initiatives, work with all relevant players to identify priorities, and bring partners together with the goal of proposing global solutions to address the global challenges we face today.
ITU Global Cybersecurity Agenda (GCA):
- A framework for international multi-stakeholder cooperation in cybersecurity
- ITU response to its role as sole Facilitator for WSIS Action Line C5
- World-renowned Group of High-Level Experts (HLEG) to develop global strategies
- Representing main stakeholder groups working towards the same goals
- Goal: developing harmonized global strategies
15. GCA Work Areas
GCA rests on five pillars or work areas:
- (1) Legal Measures
- (2) Technical and Procedural Measures
- (3) Organisational Structures
- (4) Capacity Building
- (5) International Cooperation
16. High-Level Experts Group (GCA/HLEG)
The High-Level Expert Group (HLEG) provided advice on strategies in all five work areas or pillars. Elaboration of global strategies for:
- (1) the development of a model cybercrime legislation
- (2) the creation of appropriate national and regional organizational structures and policies on cybercrime
- (3) the establishment of security criteria and accreditation schemes for software applications and systems
- (4) the creation of a global framework for watch, warning and incident response
- (5) the creation and endorsement of a generic and universal digital identity system
- (6) the facilitation of human and institutional capacity-building
- (7) international cooperation, dialogue and coordination
The HLEG is a global multi-stakeholder think-tank made up of high-level experts from:
- Regional and international organizations
- Research and academic institutions
17. GCA/HLEG Members: Diversity of Participation
- Countries: Argentina, Brazil, Cameroon, Canada, China, Egypt, Estonia, Germany, Japan, India, Indonesia, Italy, Malaysia, Morocco, Portugal, Republic of Lithuania, Russian Federation, Saudi Arabia, South Africa, Switzerland, United States
- Academic and research institutions: École Polytechnique Fédérale de Lausanne; Information Security Institute, Australia; Moscow Technical University of Communications, Russian Federation
- Regional and international organizations: African Telecommunication Union (ATU); Asia Pacific Economic Cooperation Telecommunications (APECTEL); Commonwealth Telecommunications Organisation; Department of Economic and; European Network and Information Security Agency (ENISA); International Criminal Police Organization (Interpol); Organisation for Economic Co-operation and Development (OECD); Organisation Internationale de la Francophonie; Society for the Policing of Cyberspace (POLCYB); United Nations Institute for Training and Research (UNITAR); United Nations Office on Drugs and Crime (UNODC)
- Individual experts: Stein Schjolberg, Chief Judge, Moss Tingrett Court, Norway; Solange Ghernaouti-Hélie, HEC-Université de Lausanne, Switzerland; Sy Goodman, Georgia Institute of Technology; Nabil Kisrawi, Chairman of WG-Def; Bruce Schneier, Security Technologist; Marco Gercke, Professor, Cologne University
18. GCA/HLEG
Leveraging expertise for international consensus:
- On a Global level, from government and international organizations to industry
- For a Harmonised approach, to build synergies between initiatives
- Through Comprehensive strategies on all levels
GCA/HLEG is building synergies with existing initiatives and working with stakeholders in these five key areas:
- Legal Measures, e.g. cybercrime legislation (Council of Europe), Moss Tingrett Court Norway, Cybex
- Technical and Procedural Measures, e.g. software (Microsoft), hardware (Intel), networking (Cisco), security apps/services (VeriSign), global standards and development (ITU)
- Organisational Structures, e.g. École Polytechnique Fédérale de Lausanne (EPFL), Forum of Incident Response and Security Teams (FIRST), OECD
- Capacity Building, e.g. United Nations Institute for Training and Research (UNITAR), European Network and Information Security Agency (ENISA)
- International Cooperation, e.g. Interpol, United Nations Office on Drugs and Crime (UNODC)
19. HLEG
- The HLEG work is an ongoing dynamic process with information-sharing and interaction relating to the elaboration of global strategies to meet the goals of the GCA and the ITU role as sole facilitator for WSIS Action Line C5.
- First meeting of the HLEG held on 5 October 2007
- Second meeting of the HLEG held on 21 May 2008
- Third meeting of the HLEG held on 26 June 2008
- The results of the work of the HLEG, including recommendations, the views expressed during the meeting and additional information about the previous work of the HLEG, are contained in the Chairman's report, which will be available at: http://www.itu.int/osg/csd/cybersecurity/gca/hleg/meetings/third/index.html
20. GCA Sponsorship Programme: Join us!
- This sponsorship programme will ensure that all relevant stakeholders are aware of the HLEG's valuable work, and will also increase global understanding of how to work together to implement effective strategies. It will then be up to the stakeholders themselves, within their respective mandates and capabilities, to translate these strategies into concrete actions.
- GCA Sponsors will help to promote the goals of this initiative around the world by participating in high-profile business activities including publications, public campaigns, an annual conference and other events. In addition to the opportunity to meet with high-level decision makers, Sponsors also stand to enhance their image and credibility with their stakeholders.
21. Dr Óscar Arias Sánchez, Nobel Peace Laureate, President of the Republic of Costa Rica, Patron of the Global Cybersecurity Agenda:
"The world must take action. It must stand united. This is not a problem any one nation can solve alone."
22. Conclusions: Towards a global Cyberpeace
"The threats to global cybersecurity demand a global framework! The magnitude of this issue calls for a coordinated global response to ensure that there are no safe havens for cybercriminals. ITU will act as a catalyst and facilitator for these partners to share experience and best practice, so as to step up efforts for a global response to cybercrime. In this way, working together, we can create a cyberspace that is somewhere safe for people to trade, learn and enjoy."
Dr Hamadoun I. Touré, Secretary-General, ITU
23. For more information on the ITU Global Cybersecurity Agenda & ITU Activities in Cybersecurity: http://www.itu.int/cybersecurity/
Email: [email_address]
24. Supplemental Information
- ITU-T Telecommunication Standardization Sector
25. ITU-T Security and Cybersecurity Activities
- SG 17, Security, Languages and Telecommunication Software
  - Lead Study Group on Telecommunication Security
- SG 2, Operational Aspects of Service Provision, Networks and Performance
- SG 4, Telecommunication Management
- SG 5, Protection Against Electromagnetic Environment Effects
- SG 9, Integrated Broadband Cable Networks and Television and Sound Transmission
- SG 11, Signalling Requirements and Protocols
- SG 13, Next Generation Networks
- SG 15, Optical and Other Transport Network Infrastructures
- SG 16, Multimedia Terminals, Systems and Applications
- SG 19, Mobile Telecommunication Networks
26. ITU-T SG 17
- ITU-T Study Group 17 Security, Languages and Telecommunication
Software
- Q.4/17, Communications Systems Security Project
- Q.5/17, Security Architecture and Framework
- Q.7/17, Security Management
- Q.9/17, Secure Communication Services
- Q.17/17, Countering Spam by Technical Means
- Q.2/17, Directory Services, Directory Systems and
Public-key/Attribute Certificates
27. SG 17 Q.4/17: Communications Systems Security Project
- Communications Systems Security Project
- Overall security coordination and vision
- Outreach and promotional activities
- ICT Security Standards Roadmap
- Focus Group on Security Baseline for Network Operators
28. SG 17 Q.4/17 results achieved
- Successful workshop organized at the start of the Study Period to consider the future direction of security standards
- Security Standards Roadmap developed; includes security standards from ITU, ISO/IEC, IEEE, IETF, ATIS, ETSI, OASIS, 3GPP
- Security Compendium and Security Manual maintained and updated
- Security Baseline for Network Operators developed
29. SG 17 Q.4/17 challenges
- Overall shortage of participants and contributors
- Roadmap issues/challenges:
  - Taxonomy (always a challenge!)
  - Finding out about new standards and when to post them
  - Appearance of the database
  - Need to develop a short guide to the update process
30. SG 17 Q.4/17 progress since GSC-12
- The listing of standards has been converted to a searchable database
- Further updating is planned to ease navigation
- A new section (Part 5) has been added on (non-proprietary) Best Practices
31. SG 17 Q.4/17 focus for next study period
- Will continue to be the primary SG contact for security coordination issues
- Will maintain and update outreach material
- Responsibilities will be limited to coordination and outreach (no Recommendations)
32. SG 17 Q.5/17: Security Architecture and Framework
- Security architecture and framework
- Major activities and accomplishments
- Actions for the next study period
33. SG 17 Q.5/17 scope
Recommendation X.805 has been a foundation of Q.5/17 security studies and shaped the scope of its work, which builds on it in X.1031, X.1034, X.1035, X.1036 and the Supplement to X.800-X.849, Guidelines for implementing system and network security.
34. SG 17 Q.5/17 scope (continued)
- Q.5/17 has developed Recommendations that further develop the concepts of X.805 and provide guidance on their implementation
- X.1031, Security architecture aspects of end users and networks in telecommunications, provides guidance on applying the concepts of the X.805 architecture for distributing the security controls between the telecommunication networks and the end users' equipment.
- X.1034, Guidelines on Extensible Authentication Protocol based Authentication and Key Management in a Data Communication Network, and X.1035, Password-Authenticated Key Exchange Protocol (PAK), specify protocols and procedures that support functions of the Authentication security dimension.
- X.1036, Framework for creation, storage, distribution and enforcement of policies for network security, further develops the concept of the security policy described in X.805.
- Supplement to X.800-X.849, Guidelines for implementing system and network security, provides guidelines for implementing system and network security utilizing the concepts of X.805 and other security Recommendations and standards.
35. SG 17 Q.5/17 strategic direction
- Development of a comprehensive set of Recommendations for
providing standard security solutions for telecommunications in
collaboration with other Standards Development Organizations and
ITU-T Study Groups.
- Studies and development of a trusted telecommunication network
architecture that integrates advanced security technologies.
- Maintenance and enhancements of Recommendations in the
X.800-series and X.103x-series.
- Coordination of studies on NGN security (with Question
15/13)
36. SG 17 Q.5/17 challenges
- Authentication and key agreement is one of the most complex and challenging security procedures. Question 5/17 has developed Recommendations that contribute to the standards solutions for authentication and key management:
- X.1034, Guidelines on Extensible Authentication Protocol based Authentication and Key Management in a Data Communication Network
  - Establishes a framework for EAP-based authentication and key management for securing the link layer in an end-to-end data communication network.
  - Provides guidance on selection of the EAP methods.
- X.1035, Password-Authenticated Key Exchange Protocol (PAK)
  - Specifies a protocol which ensures mutual authentication of both parties in the act of establishing a symmetric cryptographic key via a Diffie-Hellman exchange, using a shared password as the only long-term secret.
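As an added illustration (not from the slide and not the normative text of X.1035), the following Python sketch walks through a PAK-style password-authenticated Diffie-Hellman exchange with both parties' messages, following the three-message flow published for PAK in RFC 5683: A sends X = g^Ra masked by a hash of the password; B unmasks it with the same hash, replies with its own share Y = g^Rb and a confirmation value S1; A verifies S1, returns its own confirmation S2, and both derive the same session key. Everything concrete here is my own assumption rather than X.1035's: a toy 128-bit safe-prime group generated at import time (a real deployment uses a standardized large group), SHA-256 with domain labels standing in for H1..H4, a simple length-prefixed encoding, and constructed identities "alice"/"bob" with constructed passwords. It needs Python 3.8+ for the modular inverse `pow(h, -1, p)`.

```python
"""PAK-style password-authenticated Diffie-Hellman exchange (illustration only).
ASSUMPTIONS, not taken from X.1035 or the slides: a toy 128-bit safe-prime group
generated at import time, SHA-256 based H1..H4 with a length-prefixed encoding,
and the three-message flow as published in RFC 5683.  Not for production use."""
import hashlib
import hmac
import secrets

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases (callers only pass n >= 2**126)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_group(bits: int = 128):
    """(p, q, g): safe prime p = 2q + 1 and g = 4, which generates the order-q
    subgroup (every non-trivial quadratic residue mod a safe prime has order q)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def _h(label: bytes, *parts) -> bytes:
    """Domain-separated SHA-256 over length-prefixed parts; H1..H4 differ only by label."""
    digest = hashlib.sha256(label)
    for part in parts:
        if isinstance(part, int):            # group elements: 16-byte big-endian (p < 2**128)
            part = part.to_bytes(16, "big")
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()

def _h1(p: int, *parts) -> int:
    """H1: map (A, B, PW) to a non-identity quadratic residue, i.e. an order-q element."""
    elem = pow(int.from_bytes(_h(b"H1", *parts), "big") % p, 2, p)
    return elem if elem > 1 else 4           # 0 or 1 only with negligible probability

class PakError(Exception):
    """A confirmation value did not verify: wrong password or a tampered message."""

def initiator_msg1(group, ids, pw):
    """A -> B: X = g^Ra * H1(A, B, PW); the password masks the DH share g^Ra."""
    p, q, g = group
    ra = 1 + secrets.randbelow(q - 1)
    x_ab = pow(g, ra, p)
    return (ra, x_ab), x_ab * _h1(p, *ids, pw) % p

def responder_msg2(group, ids, pw, x):
    """B -> A: unmask X with PW, send Y = g^Rb and confirmation S1 = H2(...)."""
    p, q, g = group
    if x % p == 0:
        raise PakError("degenerate X rejected")          # PAK aborts on X = 0
    x_ab = x * pow(_h1(p, *ids, pw), -1, p) % p          # recovers g^Ra iff PW matches
    rb = 1 + secrets.randbelow(q - 1)
    y, z = pow(g, rb, p), pow(x_ab, rb, p)
    parts = (*ids, pw, x_ab, y, z)
    return parts, y, _h(b"H2", *parts)

def initiator_msg3(group, ids, pw, state, y, s1):
    """A checks S1 (proves B knew PW), derives K = H4(...), returns S2 = H3(...)."""
    p, (ra, x_ab) = group[0], state
    parts = (*ids, pw, x_ab, y, pow(y, ra, p))
    if not hmac.compare_digest(s1, _h(b"H2", *parts)):
        raise PakError("responder confirmation failed")
    return _h(b"H4", *parts), _h(b"H3", *parts)

def responder_finish(parts, s2):
    """B checks S2 (proves A knew PW) and derives the same K = H4(...)."""
    if not hmac.compare_digest(s2, _h(b"H3", *parts)):
        raise PakError("initiator confirmation failed")
    return _h(b"H4", *parts)

def run_exchange(group, pw_a: bytes, pw_b: bytes):
    """Three messages between constructed ids 'alice'/'bob'; returns the shared
    32-byte key, or None when the passwords differ (confirmation check fails)."""
    ids = (b"alice", b"bob")
    try:
        state, x = initiator_msg1(group, ids, pw_a)
        parts, y, s1 = responder_msg2(group, ids, pw_b, x)
        key_a, s2 = initiator_msg3(group, ids, pw_a, state, y, s1)
        key_b = responder_finish(parts, s2)
    except PakError:
        return None
    return key_a if key_a == key_b else None

GROUP = generate_group()

if __name__ == "__main__":
    print("matching passwords:  ", run_exchange(GROUP, b"hunter2", b"hunter2").hex())
    print("mismatched passwords:", run_exchange(GROUP, b"hunter2", b"hunter3"))
```

Running the module prints a fresh key for matching passwords and None for a mismatch; every run yields a different key because Ra and Rb are fresh, and the password never crosses the wire. The caveat a deployment must handle: an active attacker who plays one side still learns whether one guessed password was right per failed run, so PAK implementations count and throttle failed exchanges.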
37. SG 17 Q.5/17 major accomplishments
- Recommendations developed by Q.5/17:
  - X.1031, Security architecture aspects of end users and networks in telecommunications
  - X.1034, Guidelines on Extensible Authentication Protocol based Authentication and Key Management in a Data Communication Network
  - X.1035, Password-Authenticated Key Exchange Protocol (PAK)
  - X.1036, Framework for creation, storage, distribution and enforcement of policies for network security
- A Supplement developed by Q.5/17:
  - Supplement to X.800-X.849 series, Guidelines for implementing system and network security
- Other technical documents prepared by Q.5/17:
  - In response to WTSA Resolution 50, Question 5/17 has prepared Guidelines for designing secure protocols using ITU-T Recommendation X.805.
- Major coordination activity conducted by Q.5/17:
  - Question 5/17 has coordinated security studies with Question 15 of SG 13, NGN Security, ensuring alignment of the standards work in both groups.
38. SG 17 Q.5/17actions for next study period
- How should a comprehensive, coherent communications security
solution be defined?
- What is the architecture for a comprehensive, coherent
communications security solution?
- What is the framework for applying the security architecture in
order to establish a new security solution?
- What is the framework for applying security architecture in
order to assess (and consequently improve) an existing security
solution?
- What are the architectural underpinnings for security?
- What new Recommendations may be required for providing security
solutions in the changing environment?
- How should architectural standards be structured with respect
to existing Recommendations on security?
- How should architectural standards be structured with respect
to the existing advanced security technologies?
- How should the security framework Recommendations be modified
to adapt them to emerging technologies and what new framework
Recommendations may be required?
- How are security services applied to provide security
solutions?
39. SG 17 Q.6/17: Cybersecurity
- Actions for next study period
40. SG 17 Q.6/17 motivation
- Network connectivity and ubiquitous access are central to today's IT systems
- Widespread access and loose coupling of interconnected IT systems and applications are a primary source of widespread vulnerability
- Threats such as denial of service, theft of financial and personal data, network failures and disruption of voice and data telecommunications are on the rise
- Network protocols in use today were developed in an environment of trust
- Most new investment and development is dedicated to building new functionality and not to securing that functionality
- An understanding of cybersecurity is needed in order to build a foundation of knowledge that can aid in securing the networks of tomorrow
41. SG 17 Q.6/17 scope
- Definition of Cybersecurity
- Security of Telecommunications Network Infrastructure
- Security Knowledge and Awareness of Telecom Personnel and Users
- Security Requirements for Design of New Communications Protocols and Systems
- Communications relating to Cybersecurity
- Security Life-cycle Processes relating to Incident and Vulnerability Handling
- Security of Identity in Telecommunication Networks
- Legal/Policy Considerations
- IP traceback technologies
42. SG 17 Q.6/17 challenges
- How should the current Recommendations be further enhanced for their wide deployment and usage?
- How to harmonize common IdM data models across the ITU
- How to define and use the term Identity within the ITU
- How to detect and predict future threats and risks to networks
- How to harmonize various IdM solutions
- What are the best strategies to improve Cybersecurity
- How to maintain a living list of IdM terms and definitions and use it informally across the ITU
43. SG 17 Q.6/17 highlights of activities
Completed Recommendations (* currently in the approval process):
- X.1205, Overview of Cybersecurity
- X.1206, A vendor-neutral framework for automatic checking of the presence of vulnerabilities information update
- X.1207, Guidelines for Internet Service Providers and End-users for Addressing the Risk of Spyware and Deceptive Software
- X.1250*, Requirements for global identity management trust and interoperability
- X.1303, Common Alerting Protocol (CAP 1.1)
44. SG
17 Q.6/17 highlights of activities (2)
Recommendations under development:
- ITU-T X.eaa | ISO/IEC xxxx, Information technology, Security techniques, Entity authentication assurance. This Recommendation | International Standard provides a framework for entity authentication assurance, which is the quantification of the risks that an entity is who or what he/she/it claims to be. In other words, entity authentication assurance is a measure of the confidence or risks associated with the authentication process and mechanisms.
- ITU-T X.gopw, Guideline on preventing worm spreading in a data communication network. This Recommendation describes worm and other malicious code spreading patterns and scenarios in a data communication network, and provides guidelines for protecting users and networks from such malicious code.
45. SG 17 Q.6/17 highlights of activities (3)
Recommendations under development:
- ITU-T X.idif, User control enhanced digital identity interchange framework. This Recommendation defines a framework that covers how global interoperable digital identity interchange can be achieved and how an entity's privacy is enhanced by giving the entity more control over the process of identity interchange. In addition, the Recommendation defines the general and functional requirements that the framework should satisfy. Based on these requirements, a framework is defined with basic functional building blocks for identity interchange and enhancing entity control.
- ITU-T X.idm-dm, Common identity data model. This Recommendation develops a common data model for identity data that can be used to express identity-related information among IdM systems.
46. SG 17 Q.6/17 actions for next study period
- Enhance current Recommendations to accelerate their adoption
- Work with SG 2 on the Trusted Service Provider Identifier (TSPID)
- Collaborate with Questions 5, 7, 9, 17/17 and with SG 2 in order to achieve a better understanding of various aspects of network security
- Collaborate with IETF, OASIS, ISO/IEC JTC 1, Liberty Alliance and other standardization bodies on Cybersecurity
- Work with OASIS on maintaining the OASIS Common Alerting Protocol V1.1 (ITU-T Recommendation X.1303)
- Study new Cybersecurity issues, e.g. how ISPs should deal with botnets, evaluating the output of appropriate bodies when available
- Study technical aspects of traceback techniques
- Joint work with ISO/IEC JTC 1/SC 27 on Entity Authentication Assurance
- Progress work with Liberty Alliance on Identity Authentication Frameworks
- Work with SG 4 and SG 13 on common IdM Data Models
- Develop the user control enhanced digital identity interchange framework
- Develop a guideline on protection of personally identifiable information in RFID applications
- Develop requirements for a security information sharing framework
- Develop a guideline on preventing worm spreading in a data communication network
- Maintain the IdM Lexicon document
47. SG 17 Q.6/17 collaboration with other SDOs
48. SG 17 Q.7/17: Security management
- Actions for next study period
49. SG 17 Q.7/17 scope
For telecommunications organizations, information and the supporting processes, facilities, networks and communications media are all important business assets. In order for telecommunications organizations to appropriately manage these business assets and to correctly continue the business activity, information security management is essential. The scope of this Question is to provide GUIDELINES and BASELINES of information security management to be appropriately applied to telecommunications organizations. Studies related to this issue may be extended to cover the following items:
- information security management guidelines (baseline)
- information incident management guidelines
- risk management and risk profile guidelines
- asset management guidelines
- policy management guidelines
- information security governance
- etc.
50. SG 17 Q.7/17 strategic directions
Diagram: X.1051, Information Security Management Guidelines (policy, assets, personnel, physical, operational security, access controls, incident management, BCP, compliance, organizational security, systems security), forms the baseline. Built on it are practical implementation methodologies: X.sim, security incident management (vulnerability handling, announcement/alert handling, incident handling, other incident management); X.rmg, risk management and risk profiles framework; X.ismf, information security management framework (policy, risk, asset, incident, maintenance and event management, other managements); an assets management methodology; and information security governance. Based on the proposals from NSMF.
51. SG 17 Q.7/17 challenges
- How should information assets in telecommunications systems be identified and managed?
- How should information security policy for telecommunications systems be identified and managed?
- How should specific management issues for telecommunications organizations be identified?
- How should an information security management system (ISMS) for telecommunications organizations be properly constructed using the existing standards (ISO/IEC and ITU-T)?
- How should measurement of information security management in telecommunications be identified and managed?
- How should an information security governance framework be identified and managed?
- How should security management be applied to small and medium telecommunications organizations?
52. SG 17 Q.7/17 highlights of achievements
Recommendations (* currently under development):
- X.1051, Information security management guideline for telecommunications organizations based on ISO/IEC 27002
- X.ismf*, Information Security Management Framework for Telecommunications
- X.sim*, Security incident management guidelines for telecommunications
- X.rmg*, Risk management and risk profile guide
53. SG 17 Q.7/17 actions for next study period
- Review the existing management Recommendations/Standards in ITU-T and ISO/IEC management standards as regards asset identification and security policy management.
- Study and develop a methodology of asset identification and policy management for telecommunications based on the concept of information security management (X.1051).
- Study and develop an information security management framework for telecommunications based on the concept of information security management (X.1051).
- Study and develop security management guidelines for small and medium telecommunications organizations based on the concept of information security management (X.1051).
- Study and develop a methodology to construct an information security management system (ISMS) for telecommunications organizations based on the existing standards (ISO/IEC and ITU-T).
- Study and develop an information security governance framework for telecommunications that encompasses information technology and information security management.
54. SG 17 Q.7/17 collaboration with SDOs
55. SG 17 Q.8/17: Telebiometrics
- Actions for next study period
56. SG 17 Q.8/17 scope
Diagram: a telebiometric system as a pipeline of acquisition (capturing) by biometric sensors, feature extraction, storage, matching (producing a score) and decision (yes/no) feeding the application, with network (NW) links between the stages. The Question covers: safety conformity; digital key; secure protocol; authentication infrastructure; system mechanism; protection procedure.
57. SG 17 Q.8/17 strategic direction
Security and protection for telebiometric application systems: safety in interaction with sensors; authentication infrastructure; biometric digital key; BioAPI interworking protocol; system mechanism among client/server/TTP; protection procedures.
58. SG 17 Q.8/17 challenges
- How should security countermeasures be assessed for particular
applications of telebiometrics?
- How can identification and authentication of users be improved
by the use of interoperable models for safe and secure
telebiometric methods?
- What mechanisms need to be supported to ensure safe and secure
manipulation of biometric data in any application of
telebiometrics, e.g., telemedicine or telehealth?
- How should the current Recommendations be further enhanced for
their wide deployment and usage?
59. SG 17 Q.8/17 highlights of activities
Approved Recommendations:
- X.1082, Telebiometrics related to human physiology
- X.1083, BioAPI Interworking Protocol
- X.1084, Telebiometrics system mechanism, Part 1: General biometric authentication protocol and system model profiles on telecommunication systems
- X.1088, Telebiometrics digital key: A framework for biometric digital key generation and protection
- X.1089, Telebiometrics authentication infrastructure
60. SG 17 Q.8/17 actions for next study period
- Enhance current Recommendations to accelerate their adoption in
various telebiometric applications and populate the telebiometric
database.
- Review the similarities and differences among the existing
telebiometrics Recommendations in ITU-T and ISO/IEC standards.
- Study and develop security requirements and guidelines for any
application of telebiometrics.
- Study and develop requirements for evaluating security,
conformance and interoperability with privacy protection techniques
for any application of telebiometrics.
- Study and develop requirements for telebiometric applications
in a high functionality network.
- Study and develop requirements for telebiometric multi-factor
authentication techniques based on biometric data protection and
biometric encryption.
- Study and develop requirements for appropriate generic protocols
providing safety, security, privacy protection, and consent for
manipulating biometric data in any application of telebiometrics,
e.g., telemedicine or telehealth.
- Prepare a manual on telebiometrics.
61. SG 17 Q.8/17 collaboration with other SDOs
- ISO/IEC JTC 1/SCs 17, 27 and 37
- International Bureau of Weights and Measures (BIPM)
62. SG 17 Q.9/17: Secure communication services
- Secure Communication Services
- Security work proposed for next study period
63. SG 17 Q.9/17 focus
- Develop a set of standards for secure application services, including:
  - Secure application services
  - NID/USN security (under study)
  - Multicast security (under study)
64. SG 17 Q.9/17 position of each topic
[Figure: placement of the Q.9/17 topics on a network diagram around the core open network: mobile security (mobile terminal, mobile network); home network security (home gateway, STB, home network); secure application services / Web Services security (client, application server); IPTV security / multicast security (content provider, STB); USN security and NID security (NID tag, NID reader, USN gateway, USN application server, NID application server, ubiquitous sensor network).]
65. SG 17 Q.9/17 strategic direction
- For developing the draft Recommendations on IPTV security matters:
  - Participate in the ITU-T IPTV-GSI events (January to December 2008) to develop them consistently with the relevant Recommendations being developed by other Questions
  - Propose X.iptvsec-1 (Requirements and architecture for IPTV security matters) for consent by September 2008, to meet urgent market need
  - Based on X.iptvsec-1, continue to study a set of possible draft Recommendations which complement X.iptvsec-1 technologically
- Continue to develop a set of draft Recommendations in domain-specific areas:
  - Mobile network, home network, (mobile) Web Services, application services, NID/USN service, IPTV service, multicasting service, etc.
- Continue to adopt or update the mature standards (e.g., SAML, XACML) developed by other SDOs, especially by OASIS, in the area of Web Services security
- Develop a common text of X.usnsec-1 (Security framework for USN) with ISO/IEC JTC 1/SC 6 (as of June 2008)
- Keep maintaining liaison activities with 3GPP, 3GPP2, JTC 1/SC 6, 25, 27 to develop the relevant draft Recommendations
66. SG 17 Q.9/17 challenges
- For the domain-specific draft Recommendations, coordination with
other relevant Questions/SDOs needs to be strengthened so that they
are developed consistently with their work.
- During this study period, Q.9/17 has focused on the security
framework for various domain-specific networks. From now on the
emphasis should be on developing pragmatic draft Recommendations
which have significant impact on industry for the domain-specific
networks, in collaboration with industry, other relevant SDOs and
network/service providers.
- For developing the draft Recommendations on IPTV security
matters, the various detailed work items should continue to be
identified in the future.
67. SG 17 Q.9/17 major achievements
- X.1123, General security value added service (policy) for mobile data communication, Approved 2007
- X.1124, Authentication architecture in mobile end-to-end data communication, Approved 2007
- X.1125, Correlative reacting system in mobile network, Approved 2007
- X.1171, Framework for Protection of Personally Identifiable Information in Networked ID Services, Consented 2008
- X.1111, Framework for security technologies for home network, Approved 2007
- X.1112, Certificate profile for the device in the home network, Approved 2007
- X.1113, Guideline on user authentication mechanisms for home network service, Approved 2007
- X.homesec-4, Authorization framework for home network, to be consented 2008
- X.usnsec-1, Requirement and Framework for Ubiquitous Sensor Network, New work item in 2007
68. SG 17 Q.9/17 major achievements (2)
- X.mcsec-1, Security Requirement and Framework in Multicast communication, New work item in 2007
- X.iptvsec-1, Functional Requirements and architecture for IPTV security aspects, New work item in 2008
- X.iptvsec-2, Requirement and mechanism for Secure Transcodable Scheme, New work item in 2008
- X.iptvsec-3, Key management framework for secure IPTV communications, New work item in 2008
- X.1143, Security architecture for message security in mobile Web Services, Approved 2007
- Secure application services:
  - X.1151, Guideline on strong password authentication protocols, Approved 2007
  - X.1152, Secure end-to-end data communication techniques using Trusted Third Party services, Consented 2008
  - X.1161, Framework for secure peer-to-peer communications, Consented 2008
  - X.1162, Security architecture and operations for peer-to-peer network, Consented 2008
69. SG 17 Q.9/17 work for next study period
[Figure: Q.9/17 for the current study period (secure application security; secure application service, etc.) is divided for the next study period into Q.O/17, Secure Communication Service (security aspects for ubiquitous telecommunication service), and Q.P/17, Secure application services.]
- Divide Q.9/17 into two Questions: Q.O/17 and Q.P/17, considering the enormous workloads.
70. SG 17 Q.17/17: Countering spam by technical means
- Countering spam by technical means
- Actions for next study period
71. SG 17 Q.17/17 scope
- Develop a set of standards for countering spam by technical means, including:
  - General technical strategies and protocols for countering spam
  - Guidelines, frameworks and protocols for countering email spam, IP multimedia spam, SMS spam and other new types of spam
72. SG 17 Q.17/17 strategic direction
[Figure: Q.17/17 Recommendation structure. Technical strategies on countering spam (X.1231). Framework Recommendations: Technologies involved in countering email spam (X.1240); Overall aspects of IP multimedia application spam (X.1244); IP multimedia application area (X.fcsip). Technology Recommendations: Technical framework for countering email spam (X.1241); Technical means for countering email spam (X.tcs); Interactive countering spam gateway system (X.tcs-1); SMS spam filtering system based on users' rules (X.ssf); etc.; further items TBD.]
73. SG 17 Q.17/17 challenges
- What risks does spam pose to the telecommunication
network?
- What technical factors associated with the telecommunication
network contribute to the difficulty of identifying the sources of
spam?
- How can new technologies lead to opportunities to counter spam
and enhance the security of the telecommunication network?
- Do advanced telecommunication network technologies (for
example, SMS, instant messaging, VoIP) offer unique opportunities
for spam that require unique solutions?
- What technical work is already being undertaken within the
IETF, in other fora, and by private sector entities to address the
problem of spam?
- What telecommunication network standardization work, if any, is
needed to effectively counter spam as it relates to the stability
and robustness of the telecommunication network?
74. SG 17 Q.17/17 highlights of activities
Approved Recommendations (No. / Title):
- X.1231 Technical Strategies on Countering Spam
- X.1240 Technologies involved in countering email spam
- X.1241 Technical framework for countering email spam
- X.1244 Overall aspects of IP multimedia application spam (* currently in approval process)
75. SG 17 Q.17/17 actions for next study period
- Act as the lead group in ITU-T on technical means for
countering spam
- Establish effective cooperation with the relevant ITU Study
Groups, other standard bodies and appropriate consortia and
fora.
- Identify and examine the telecommunication network security
risks introduced by the constantly changing nature of spam.
- Develop a comprehensive and up-to-date resource list of the
existing technical measures for countering spam in a
telecommunication network that are in use or under
development.
- Determine whether new Recommendations or enhancements to existing
Recommendations are needed, including methods to combat the delivery
of spyware, worms, phishing and other malicious content via spam, and
to combat compromised networked equipment, including botnets
delivering spam.
- Provide regular updates to the Telecommunication
Standardization Advisory Group and to the Director of the
Telecommunication Standardization Bureau to include in the annual
report to Council.
76. SG 17 Q.17/17 collaboration with SDOs
77. SG 17 Q.2/17 - X.500 security aspects
- Directory Services, Directory Systems and Public-key/Attribute Certificates
- X.509 as basis for other specifications
  - Public-Key Infrastructure (PKI)
  - Privilege Management Infrastructure (PMI)
- Protecting directory information
78. SG 17 Q.2/17 - X.509 applicability
The X.509 specification is the base for many other specifications:
- Secure Socket Layer (SSL)
- The IETF Internet X.509 Public Key Infrastructure (PKIX) activity
- The IETF Secure / Multipurpose Internet Mail Extensions (S/MIME) activity
- The ETSI Electronic Signatures and Infrastructures (ESI) activity
79. SG 17 Q.2/17 - X.509 applicability (2)
The X.509 specification is the base for:
- Medical electronic journals
In short: the whole electronic world
80. SG 17 Q.2/17 - Public-Key Infrastructure (PKI)
- PKI is an infrastructure for managing certificates. It consists
of one or more Certification Authorities for issuing certificates
in a secure way following a set of policies.
- It includes maintaining information about certificates that have
been revoked.
- Directories are major components of the infrastructure.
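As a constructed Go example (not ITU-T or X.509 reference code) of the PKI components just listed: one Certification Authority issues certificates under a fixed policy, publishes its revocation information as a signed CRL, and a relying party chains a certificate to the CA and then consults a current, CA-signed CRL before trusting it. The CA name, lifetimes, serial handling and the one-hour CRL window are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MiniPKI is a constructed model of the slide's PKI: one CA issuing certificates under a policy and publishing a signed CRL.
type MiniPKI struct {
	caKey   *ecdsa.PrivateKey
	CACert  *x509.Certificate
	revoked []pkix.RevokedCertificate // serials revoked so far
	crlDER  []byte                    // latest published CRL (DER)
	serial  int64                     // last serial number issued
}

// sign generates a P-256 key and has signer issue tmpl for it; a nil signer means the new key self-signs (root).
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewMiniPKI creates a self-signed CA allowed to sign certificates and CRLs, and publishes an initial empty CRL.
func NewMiniPKI(name string) (*MiniPKI, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, key, err := sign(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	p := &MiniPKI{caKey: key, CACert: cert, serial: 1}
	return p, p.Revoke()
}

// Issue applies the CA's issuing policy: short-lived, server-auth only, not a CA.
func (p *MiniPKI) Issue(dnsName string) (*x509.Certificate, error) {
	p.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.serial), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _, err := sign(tmpl, p.CACert, p.caKey) // the subject's private key is not kept here
	return cert, err
}

// Revoke adds the given certificates' serials to the list and publishes a fresh CA-signed CRL valid for one hour.
func (p *MiniPKI) Revoke(certs ...*x509.Certificate) error {
	for _, c := range certs {
		p.revoked = append(p.revoked, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number: big.NewInt(int64(len(p.revoked) + 1)), RevokedCertificates: p.revoked,
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.CACert, p.caKey)
	p.crlDER = der
	return err
}

// Validate is the relying-party check: chain the certificate to the CA for the expected name, then consult a CA-signed, still-current CRL for its serial.
func (p *MiniPKI) Validate(cert *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CACert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(p.crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(p.CACert); err != nil {
		return fmt.Errorf("CRL not signed by the CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) { // a stale CRL is no evidence either way: fail closed
		return fmt.Errorf("CRL stale since %s: revocation status unknown", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}
```

In a real deployment the CRL (or an OCSP responder) is fetched from the directory or distribution point named in the certificate rather than held in memory; the checks a relying party performs are the same.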
81. SG 17Q.2/17 - Privilege Management Infrastructure (PMI)
- PMI is an infrastructure for managing authorization using
attribute certificates. It consists of one or more Attribute
Authorities for issuing attribute certificates in a secure
way.
- It includes maintaining information about attribute certificates
that have been revoked.
- Directories are major components of the infrastructure.
- Recent development: PMI has been extended to allow privileges
obtained in one domain to be used in another domain (federation of
privileges).
82. SG 17 Q.2/17 - Protecting Directory Information
- Name + protected password
- Strong authentication based on X.509
83. SG 17 Q.2/17 - Protecting Directory Information
- Access control is about right-to-know (Who may do what based on
level of authentication)
- X.500 has comprehensive access control features
- X.500 is the only directory specification having these
features
84. SG 17 Q.2/17 - Protecting Directory Information
- Data Privacy Protection is about right-to-know and
need-to-know.
- Protection against malicious searches
- Protection against data trawling
85. SG 17 Q.2/17 - New security extension work
Password policy, that is, rules for the administration of passwords to
increase directory security, is part of the next X.500 edition (2011-2012):
- Maintain password history (avoid reuse)
86. ITU-T SG 2
- Operational aspects of service provision, networks and
performance
87. SG 2 Scope of security study
- Operational aspects such as prevention and detection of:
- Corresponding operational measures
88. SG 2 Accomplishment
- E.156 Guidelines for ITU-T action on reported misuse of E.164 number resources
- E.408 Telecommunication networks security requirements
- E.409 Incident organization and security incident handling: Guidelines for telecommunication organizations
- Numerous Recommendations on operational aspects of network management
89. ITU-T SG 4
- Telecommunication management
90. SG 4 Scope of security study
- Security of the management plane
- Management of security for telecommunications management
- Security protocols for management
91. SG 4 Strategic direction
- Establishment of interface Recommendations among security function
groups or entities for management of security (enhancement of M.3410)
- Study on use of IdM in the management plane
- Study on the management of IdM
- Continuation of protocol profiling for security management
92. SG 4 Challenges
- Fill the gap in security on management plane and management of
its security
- Collaboration with ATIS TMOC and ETSI TISPAN on the
subject
93. SG 4 Accomplishment
- Consent of Recommendation M.3410, Guidelines and Requirements for
Security Management Systems to Support Telecommunications Management
94. SG 4 Next steps
- Enhancement of M.3016 series Recommendations for security of
management plane
- Enhancement of M.3410 Recommendation for management of security
for telecommunications management
- Enhancement of Q.811 and Q.812, management protocol profiles
from security subject perspective
95. SG 4 Questions
- What security mechanisms and protocols are required to support
security of management for NGNs?
- What management mechanisms and protocols are required to
support management of security for NGNs?
- What use of Service-Oriented Architecture concepts should be
applied in specifying protocol and security Recommendations?
- What collaboration inside and outside the ITU-T is needed to
develop protocol and security functions?
96. ITU-T SG 5
- Protection against electromagnetic environment effects
97. SG 5 Scope
- To provide guidance on the protection of telecommunications and data centres against disruption of service and/or physical damage due to:
  - Lightning, Electrostatic Discharge (ESD)
  - Interactions with the RF spectrum
  - Electromagnetic Compatibility (EMC)
  - Man-made/malicious electromagnetic threats:
    - High-altitude EM Pulse (HEMP)
    - High-Power EM weapons (HPEM)
- To provide guidance on the protection of electronic data from interception via EM means
98. SG 5 Strategic direction
- Do not reinvent the wheel
  - Reference existing K-series Recommendations wherever possible
  - Develop effective liaisons with other international standardization organizations to exploit additional expertise
    - Liaison with IEC TC 77 Electromagnetic Compatibility (EMC) SC 77C High Power Transient Phenomena provided expertise in HEMP and HPEM
    - Liaison with the National Institute of Information and Communications Technology (NICT) of Japan provided expertise on EM interception of data
  - Apply existing expertise to the telecommunications and data centre domain
99. SG 5 Challenges
- Liaisons with other bodies have granted access to rich veins of existing expertise
  - This has taken time to assimilate and present within the context of a telecommunications and data centre
  - Previously officially secret in some regions (e.g. previously known as TEMPEST within the US)
100. SG 5 Recent accomplishments
- A document set is planned
  - K.sec basic introduction that references the following:
    - Existing K-series Recommendations on lightning
    - Existing K-series Recommendations on EMC
- Steady progress has been made on developing the document set
101. SG 5 Next steps/actions
Development of the document set continues with the following timing (Document / Title / Timing):
- K.sec, Guide for the application of electromagnetic security requirements - Basic Recommendation, 2011
- K.hemp, Application of requirements against HEMP to telecommunication systems, 2008
- K.hpem, Application of requirements against HPEM to telecommunication systems, 2008
- K.leakage, Test method and requirements against information leak through unintentional EM emission, 2009
- K.secmiti, Mitigation methods against EM security threats, 2011
102. ITU-T SG 9
- Integrated broadband cable networks and television and sound
transmission
103. SG 9 Scope of security work
- Security requirements are spread across multiple Questions:
  - Improve the security of conditional access systems used for television subscription, pay-per-view and similar services distributed to the home by cable television (Q3)
  - Security, conditional access, protection against unauthorized copying and protection against unauthorized redistribution requirements to be supported by a universal integrated receiver or set-top box for the reception of cable television and other services (Q5)
  - Security requirements and protocols associated with high-speed bidirectional data facilities intended to support, among other payloads, those utilizing Internet Protocols (IP) exploiting the broadband capacity provided by hybrid fiber/coaxial (HFC) digital cable television systems (Q8)
  - Security requirements and protocols for Voice over IP/Video over IP applications in IP-based cable television networks (Q9)
  - Extend the security requirements for entertainment video delivery associated with cable network video service onto the home network (Q10)
- Provide all the security requirements for the network elements and services offered by cable operators
104. SG 9 Strategic direction for security for Cable Networks
Recommendations covering network elements and home networking devices and applications:
- Link privacy for cable modem implementations, J.125
- Third generation transmission systems security services, J.222.3
- IP Cablecom security specification, J.170
- IP Cablecom 2 architecture including security, J.360
- Security features based on 3G mobile telecom system as modified for Cable, J.366.7
- IMS network domain security specification, J.366.8
- Generic authentication architecture specification, J.366.9
- A Residential Gateway to support delivery of cable data services, J.192
- Requirements for next generation set-top boxes, J.193
- High level requirements for DRM Bridge for Cable access Network to home network, J.197
- Next generation set-top box architecture, J.290
- IPTV requirements for secondary distribution, J.700
105. SG 9 Challenges for cable networks security
- Authentication, privacy, access control and content protection
both on the access network and the bridge to home network are key
considerations for multi-media applications/services
- Security requirements for network elements in the access
networks determine how the applications (voice, video and data) are
transmitted securely to authenticated users/subscribers
- Security requirements for network elements in the home network
such as residential gateway and set-top boxes meet the access
control for the user
106. SG 9 Major accomplishments
- Approved 2 security requirements Recommendations:
  - Link Privacy for cable modems (J.125)
  - Third generation transmission systems (cable modem and cable modem termination system, J.222.3)
- Approved IPTV requirements for secondary distribution (J.700)
- Approved the Recommendation on Component definition and interface specification for next generation set-top box (J.293)
107. SG 9 Security work for next study period
- Security studies for the next study period will be continued in
the following questions:
- Cable television delivery of digital services and applications
that use Internet Protocols (IP) and/or packet-based data
- Voice and video applications over cable TV networks
- Functional requirements for a universal integrated receiver or
set-top box for the reception of cable television and other
services
- The extension of cable-based services over broadband in Home
Networks
- Security requirements for IPTV interfaces for secondary
distribution (identified in J.700)
108. ITU-T SG 11
- Signalling Requirements and Protocols
109. SG 11 Scope of security work
- Each Question of SG11 has to consider security aspects to
develop protocol Recommendations used for network control
signalling, based on the general requirements developed by other
SGs, such as SG 2, SG 13, SG 17 and SG 19.
- Q.7/11, entitled Signalling and control requirements and
protocols to support attachment in NGN environments, has specific
requirements for authentication and authorization of users and
terminals.
110. SG 11 Strategic direction
- Security consideration has been incorporated within the text
for each Question of SG11.
- Various security arrangements are embedded within the protocols
defined at various reference points, by reusing existing mechanisms
defined by other organizations (e.g., IETF and 3GPP).
- Strengthen the coordination on security issues across SGs, as
well as among Questions within SG 11 by proposing a dedicated new
Question on security coordination for the next study period.
111. SG 11 Challenges for secure protocols
- Design interface protocols which have various security
mechanisms based on Recommendations / specifications developed by SG
17 and other SDOs.
- Special attention should be drawn to the interface between
legacy telephone networks and emerging NGN.
- It would also be necessary to guide actual protocol
implementations so that there will be no security holes, for
example, by defining implementers' guides.
112. SG 11 Recent accomplishments
- 24 Recommendations and 6 Supplements have been approved so far,
regarding NGN protocols with security mechanisms embedded.
- The following two Recommendations have been approved at the January 2008 SG 11 meeting in Q.7/11 in the network attachment control protocol work:
  - Q.3201, EAP-based security signalling protocol architecture. Note - EAP: Extensible Authentication Protocol
  - Q.3202.1, Authentication protocols for interworking among 3GPP, WiMax and WLAN in NGN.
113. SG 11 Security work for next study period
- New Question on security coordination
- What is the content of an appropriate policy for the consideration of protocol security in the work of the Study Group?
- What are the means to assure that such a policy is being followed in practice?
- What exceptions to the general policy are permissible in the case of specific Recommendations?
- What is the impact of security-related work in other groups on the work of protocol security within this Study Group at the policy level?
- What are the means by which technical developments in protocol
security achieved in other groups may be communicated to interested
Questions in this Study Group, and the reverse?
114. ITU-T SG 13
115. SG 13 Scope of NGN security work in Q.15
- Conduct NGN security studies to develop network architectures that:
  - Provide for maximal network and end-user resources protection
  - Allow for highly-distributed intelligence end-to-end
  - Allow for co-existence of multiple networking technologies
  - Provide for end-to-end security mechanisms
  - Provide for security solutions that apply over multiple administrative domains
  - Provide for secure Identity Management
  - Provide for security solutions for IPTV that are cost-effective and have acceptable impact on the performance, quality of service, usability, and scalability
- Provide security guidance on NGN security to all Questions of SG 13 and other Study Groups
116. SG 13 Strategic direction for NGN security
[Figure: Y.2701, Security Requirements for NGN Release 1, is built on application of the concepts of X.805 to Y.2201 (NGN requirements) and Y.2012 (NGN Functional Requirements and Architecture). Y.2701 is the base for development of the detailed Recommendations on NGN security: Y.2702 (NGN Authentication and Authorization Requirements), NGN Security Mechanisms, NGN Certificate Management and NGN AAA. Identity Management has evolved into a separate topic of the NGN security work: NGN IdM Framework, NGN IdM Use cases, NGN IdM Requirements and NGN IdM Mechanisms.]
- IdM Framework defines the concepts of IdM
- IdM Use cases are a base for deriving the IdM requirements
- IdM Mechanisms provide support for the requirements
117. SG 13 Challenges for NGN security
- Authentication is one of the most complex and challenging procedures in NGN security. The following study items of SG 13 are focused on various aspects of authentication:
  - Y.2702, NGN Authentication and Authorization Requirements
  - NGN Certificate Management
  - NGN Authentication, Authorization and Accounting
118. SG 13 Major security accomplishments
- Achieved determination of the draft ITU-T Recommendation Y.2702, NGN Authentication and Authorization Requirements
- Defined the direction for the studies of Identity Management (IdM) for NGN and started development of four ITU-T Recommendations on IdM
- Provided security expertise to other Questions and Study Groups through active participation in NGN-GSI and IdM-GSI
- Continued productive collaboration with ITU-T SG 17, Lead Study Group on Telecommunication Security, and started joint (with Q.6/17) development of Recommendation X.idm-dm, Identity Data Model
- Initiated a liaison exchange with 3GPP SA 3 aimed at harmonization of the standards on media security
119. SG 13 Security work for next study period
- Security studies for the next study period will address:
- What new Recommendations or guidance to other Study Groups are needed to standardize identification of NGN threats and vulnerabilities?
- What are the security requirements of NGN to effectively counter these threats?
- What new Recommendations are necessary to enable comprehensive, end-to-end security in NGN that spans across multiple heterogeneous administrative domains?
- What new Recommendations or guidance are necessary to enable attachment of terminals in a secure fashion, including Authentication, Authorization, and Accounting (AAA) considerations, to NGN?
- How to define the security architecture of Identity Management in NGN?
- What are the security requirements for Identity Management in NGN?
- What new Recommendations are needed for supporting security requirements of Identity Management in NGN?
- What new Recommendations are needed for supporting secure interoperability among different Circles of Trust (CoT) in NGN?
- What new NGN Recommendations are needed for supporting security requirements of IPTV?
120. ITU-T SG 15
- Optical and Other Transport Network Infrastructures
121. SG 15 - Responsibilities
SG 15 is responsible for the development of standards on optical and other transport network infrastructures, systems, equipment, optical fibres, and their management and the corresponding control plane technologies to enable the evolution toward intelligent transport networks. This encompasses the development of related standards for the customer premises, access, metropolitan and long haul sections of communication networks. This responsibility includes security-related aspects, including encryption, protection and restoration, and security management.
122. SG 15 Security related work in SG 15
Questions, their topics and security-related issues:
- 1/15 Coordination of Access Network Transport standards: Access Network Transport planning security aspects
- 2/15 Optical systems for fibre access networks: example, link level encryption
- 3/15 General characteristics of optical transport networks: OTN planning security aspects
- 4/15 Transceivers for customer access and in-premises networking systems on metallic conductors: example, notching out frequency bands used by amateur radio etc.
- 6/15 Characteristics of optical systems for terrestrial transport networks: safety and reliability requirements
- 9/15 Transport equipment and network protection/restoration: security requirements for equipment functions and protection switching processes for transport networks
- 10/15 Optical fibres and cables for the access network to and in buildings and homes: safety and reliability requirements
- 12/15 Transport network architectures: architecture aspects, including security-related issues
- 14/15 Management and control of transport systems and equipment: security requirements for managing the transport network/system/equipment and the supporting management communication network and signalling communication network
123. SG 15 Major security accomplishments
The common transport equipment management requirements Recommendation G.7710/Y.1701 (7/2007) has added the M.3016 series (2005) as a normative reference for management plane security requirements. The requirements in G.7710/Y.1701, including the security requirements, continue to be the base for managing technology-specific transport equipment, including EoT in G.8051/Y.1345 (10/2007) and T-MPLS in G.8151/Y.1374 (10/2007).
124. SG 15 Security work for next study period
Will continue to study security requirements for managing transport network/system/equipment and their control plane, and revise the Recommendations as necessary. G.806 (Generic Equipment Functions) will be revised and security requirements will be included.
125. ITU-T SG 16
- Multimedia terminals, systems and applications
126. SG 16 Q.25/16, Multimedia security in NGN
- Study Group 16 concentrates on multimedia systems.
- Q.25/16 focuses on the application-security issues of MM applications in existing and next generation networks
- Standardizes multimedia security
- So far Q.25/16 has been standardizing MM-security for the 1st generation MM/pre-NGN systems:
  - H.323/H.248-based systems
127. SG 16 Evolution of H.235
[Figure: timeline 1996 to 2006, from H.323V1 to H.323V6. Milestones shown: initial draft; H.235V1 approved as the core security framework; H.323V2 and H.323V4; engineering consolidation; improvement and additions; first deployment; H.235V2 with Annex D and Annex E approved (security profiles); Annex F; H.530 consent; H.235V3 with Annex I, Annex D and Annex E started; H.323V5; H.235V3 Amd1 with Annex H; H.235 Annex G; reorganization into H.235V4 (H.235.0 ~ H.235.9) approved in 2005.]
128. SG 16 H.235 V4 sub-series Recommendations
- Major restructuring of H.235v3 Amd1 and annexes in stand-alone
sub-series Recommendations
- H.235.x sub-series specify scenario-specific MM-security
procedures as H.235-profiles for H.323
- Some enhancements and extensions
- Approved in September 2005
129. SG 16 H.323 Security Recommendations (1)
- H.235.0 "Security framework for H-series (H.323 and other H.245-based) multimedia systems"
  - Overview of H.235.x sub-series and common procedures with baseline text
- H.235.1 "Baseline Security Profile"
  - Authentication & integrity for H.225.0 signaling using shared secrets
- H.235.2 "Signature Security Profile"
  - Authentication & integrity for H.225.0 signaling using X.509 digital certificates and signatures
130. SG 16 H.323 Security Recommendations (2)
- H.235.3 "Hybrid Security Profile"
  - Authentication & integrity for H.225.0 signaling using an optimized combination of X.509 digital certificates, signatures and shared secret key management; specification of an optional proxy-based security processor
- H.235.4 "Direct and Selective Routed Call Security"
  - Key management procedures in corporate and interdomain environments to obtain key material for securing H.225.0 call signaling in GK direct-routed/selective routed scenarios
131. SG 16 H.323 Security Recommendations (3)
- H.235.5 "Framework for secure authentication in RAS using weak shared secrets"
  - Secured password (using EKE/SPEKE approach) in combination with Diffie-Hellman key agreement for stronger authentication during H.225.0 signaling
- H.235.6 "Voice encryption profile with native H.235/H.245 key management"
  - Key management and encryption mechanisms for RTP
  - Amendment 1 (June 2008) added support for cipher key lengths of 192 and 256 bit to AES
132. SG 16 H.323 Security Recommendations (4)
- H.235.7 "Usage of the MIKEY Key Management Protocol for the Secure Real Time Transport Protocol (SRTP) within H.235"
  - Usage of the MIKEY key management for SRTP
- H.235.8 "Key Exchange for SRTP using Secure Signalling Channels"
  - SRTP keying parameter transport over secured signaling channels (IPsec, TLS, CMS)
- H.235.9 "Security Gateway Support for H.323"
  - Discovery of H.323 Security Gateways (SG = H.323 NAT/FW ALG) and key management for H.225.0 signaling
133. SG 16 Other MM-SEC results
- H.350.2 (2003) "Directory Services Architecture for H.235"
  - An LDAP schema to represent H.235 elements (passwords, certificates,
  ID information)
- H.530 (2002) "Symmetric security procedures for H.323 mobility
  in H.510" + Cor.1 (2003)
  - Authentication, access control and key management in mobile
  H.323-based corporate networks
- H.460.22 (2007) "Security protocol negotiation" + Cor.1 (2008)
  - Negotiates security protocols (IPsec, TLS or others) for H.323
  signaling
134. SG 16 Q.5/16 (H.300 NAT/FW traversal) results
- H.460.18 (2005) "Traversal of H.323 signalling across FWs and
  NATs"
  - H.323 protocol enhancements and new client/server proxies that
  allow H.323 signalling protocols to traverse NATs & FWs; H.323
  endpoints can remain unchanged
- H.460.19 (2005) "NAT & FW traversal procedures for RTP in
  H.323 systems"
  - Uses multiplexed RTP media mode and symmetric RTP in
  conjunction with H.460.18 as a short-term solution
135. SG 16 More Q.5/16 results
- Technical Paper (2005) "Requirements for Network Address
  Translator and Firewall Traversal of H.323 Multimedia Systems"
  - Documentation of scenarios and requirements for NAT & FW
  traversal in H.323
- Technical Paper (2005) "Firewall and NAT traversal Problems in
  H.323 Systems"
  - An analysis of scenarios and the various problems encountered by
  H.323 around NAT & FW traversal
- H-Series Supplement 10 (2008) "Proxy-aided NAT/FW Traversal
  Scheme for H.323 Multimedia Systems"
  - Describes a proxy-aided NAT/firewall traversal mechanism as a NAT
  traversal solution for H.323 multimedia systems
136. SG 16 New security items under current study
- MM security aspects of Advanced Multimedia Systems (AMS) under
  Q.12/16
  - Security considerations in the third-generation MM system with a
  decomposed and distributed architecture
- Security aspects of IPTV systems under Q.13/16
  - Content protection related metadata
137. SG 16 Summary
- Multimedia systems and applications as studied by SG 16
  face important security challenges:
  - MM-security and NAT/FW traversal
- Q.25/16 and Q.5/16 are addressing these issues and have
  provided various Recommendations
- The work continues in the scope of NGN-Multimedia Security
- Security considerations are a key part of draft new Question
  B7/16 "Advanced functions for H.300-series systems and beyond"
  - Other Questions will also address the topic within their areas
  of competence
138. ITU-T SG 19
- Mobile Telecommunication Networks
139. SG 19 Scope of security work
- Scope: IMT-2000 Family Member Networks
- Broad requirements for security are covered in the following
  ITU-T Recommendations:
  - Q.1701 Framework for IMT-2000 networks
  - Q.1702 Long-term vision of network aspects for systems beyond
  IMT-2000
  - Q.1703 Service and network capabilities framework of network
  aspects for systems beyond IMT-2000
140. SG 19 Strategic directions
- Mainly derived from Q.1702 and Q.1703
  - Q.1702 indicates the following objectives to provide network
  security among heterogeneous inter-connected networks:
    - Comprehensive, cross-provider security infrastructure
    support
    - Well-defined and conducted routine system risk analysis
    - Robust system intrusion monitoring and response system to
    control damage
    - Low-overhead security protocols to accommodate wireless
    bandwidth limitations
    - Seamless security across heterogeneous access
    technologies
141. SG 19 Strategic directions
- Mainly derived from Q.1702 and Q.1703
  - Rec. Q.1703 specifies that at least the following security
  services should be provided:
    - Integrity: contents as received are exactly as sent
    - Confidentiality: user data is kept secret from unintended
    listeners
    - Non-repudiation: prevent denying that a transmission was
    initiated
    - Mutual authentication: assurance that a participant is who he
    claims to be
    - Authorization: control user access to various network
    resources
142. SG 19 Security challenges
- To address security concerns arising from:
  - Migration from circuit switching to packet switching (using IP
  in wireless networks)
  - Fixed Mobile Convergence (FMC): access & services across
  heterogeneous networks (GSM, WiFi, PSTN, WiMAX, etc.) with the
  usage of IP
- To define a security framework applicable across heterogeneous
  networks
143. SG 19 Major security accomplishments
- Q.1707/Y.2804 (02/2008) Generic Framework of Mobility
  Management for NGNs
  - Designed to ensure that MM functions can interwork with the
  relevant authentication and security protocols
- Q.1742-series IMT-2000 references to ANSI-41 evolved core
  network with cdma2000 access
  - References to 3GPP security specifications:
    - S.S0078: Common Security Algorithms
    - S.R0082: Enhanced Packet Data Air Interface Security
    - S.R0083: Broadcast-Multicast Service Security Framework
    - S.S0114: Security Mechanisms using GBA
    - S.S0110: IP-Based Location Services Security Framework
    - S.R0086: IMS Security Framework
144. SG 19 Major security accomplishments (2)
- Q.1762/Y.2802 Fixed-mobile convergence general
  requirements
  - Notes the need for a uniform authorization mechanism
  - FMC may contain access-specific or access-dependent parts, but the
  procedure for handling them is uniform
- Q.1763 FMC service using legacy PSTN or ISDN as the fixed
  access network for mobile network users
  - Authentication through a fixed network