Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

GSC-13 Draft Presentation Template


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

GSC-13 Draft Presentation Template

  1. 1. Security / Cybersecurity ITU Herbert Bertine, Chairman ITU-T Study Group 17 Submission Date: July 1, 2008 Presentation FOR: GSC13-XXXX-nn DOCUMENT #: Herbert Bertine CONTACT(S): AGENDA ITEM: ITU SOURCE:
  2. 2. Strategic Direction <ul><li>Cybersecurity – one of the top priorities of the ITU </li></ul><ul><li>Plenipotentiary Resolution 140 (2006), ITU’s role in implementing the outcomes of the World Summit on the Information Society – The important moderator/facilitator role of ITU in action line C5 (building confidence and security in the use of ICTs). </li></ul><ul><li>Plenipotentiary Resolution 149 (2006), Study of definitions and terminology relating to building confidence and security in the use of information and communication technologies </li></ul><ul><li>WTSA-04 Resolution 50, Cybersecurity – Instructs the Director of TSB to develop a plan to undertake evaluations of ITU-T “existing and evolving Recommendations, and especially signalling and communications protocol Recommendations with respect to their robustness of design and potential for exploitation by malicious parties to interfere destructively with their deployment” </li></ul><ul><li>WTSA-04 Resolution 51, Combating spam – Instructs the Director of TSB to “prepare urgently a report to the Council on relevant ITU and other international initiatives for countering spam, and to propose possible follow-up actions” - Done </li></ul><ul><li>WTSA-04 Resolution 52, Countering spam by technical means – Instructs relevant study groups “to develop, as a matter of urgency, technical Recommendations, including required definitions, on countering spam” </li></ul>
  3. 3. Highlights of current activities (1) <ul><li>ITU Global Cybersecurity Agenda (GCA) </li></ul><ul><ul><li>A Framework for international cooperation in cybersecurity </li></ul></ul><ul><ul><li>ITU response to its role as sole Facilitator for WSIS Action Line C5 </li></ul></ul><ul><ul><li>Five key work areas : Legal, Technical, Organisational, Capacity Building, International Cooperation </li></ul></ul><ul><ul><li>World renowned Group of High-Level Experts (HLEG) working on global strategies </li></ul></ul><ul><ul><ul><li>GCA/HLEG met 26 June 2008 to agree upon a set of recommendations on all five work areas for presentation to ITU Secretary-General </li></ul></ul></ul><ul><li>ISO/IEC/ITU-T Strategic Advisory Group on Security </li></ul><ul><ul><li>Coordinates security work and identifies areas where new standardization initiatives may be warranted. Portal established. Workshops conducted. </li></ul></ul><ul><li>Identity Management </li></ul><ul><ul><li>Effort jump started by IdM Focus Group which produced 6 substantial reports (265 pages) in 9 months </li></ul></ul><ul><ul><li>JCA –IdM and IDM-GSI established – main work is in SGs 17 and 13 </li></ul></ul><ul><ul><li>First IdM Recommendation – X.1250 , Requirements for global identity management trust and interoperability - now in approval process </li></ul></ul>
  4. 4. <ul><li>Core security (SG 17) </li></ul><ul><ul><li>Approved 14 texts in 2007, 17 so far in 2008, 15 more for action in September 2008 </li></ul></ul><ul><ul><ul><li>Summaries of Recommendations under development are available at: </li></ul></ul></ul><ul><ul><li>Covering frameworks, cybersecurity, countering spam, home networks, mobile, web services, secure applications, ISMS, telebiometrics, etc. </li></ul></ul><ul><ul><li>Work underway on additional topics including IPTV, multicast, and USN security; risk management and incident management; traceback </li></ul></ul><ul><ul><li>Questionnaire issued to developing countries to ascertain their security needs </li></ul></ul><ul><ul><li>Updated security roadmap/database, compendia, manual; strengthened coordination </li></ul></ul><ul><li>Security for NGN </li></ul><ul><ul><li>Y.2701 , Security Requirements for NGN Release 1 - published </li></ul></ul><ul><ul><li>Y.2702 , NGN authentication and authorization requirements – determined </li></ul></ul>Highlights of current activities (2)
  5. 5. Challenges <ul><li>Addressing security to enhance trust and confidence of users in networks, applications and services </li></ul><ul><ul><li>With global cyberspace, what are the security priorities for the ITU with its government / private sector partnership? </li></ul></ul><ul><ul><li>Need for top-down strategic direction to complement bottom-up, contribution-driven process </li></ul></ul><ul><ul><li>Balance between centralized and distributed efforts on security standards </li></ul></ul><ul><ul><li>Legal and regulatory aspects of cybersecurity, spam, identity/privacy </li></ul></ul><ul><ul><li>Address full cycle – vulnerabilities, threats and risk analysis; prevention; detection; response and mitigation; forensics; learning </li></ul></ul><ul><ul><li>Agree uniform definitions of cybersecurity terms and definitions </li></ul></ul><ul><ul><li>Marketplace acceptance of Information Security Management System (ISMS) standards (ISO/IEC 27000-series and ITU-T X.1051) – the security equivalent to ISO 9000-series </li></ul></ul><ul><ul><li>Effective cooperation and collaboration across the many bodies doing cybersecurity work </li></ul></ul><ul><ul><li>PSO help is needed in keeping security database up-to-date </li></ul></ul><ul><ul><li>Informal security experts network – needs commitment </li></ul></ul><ul><ul><li>There is no “silver bullet” for cybersecurity </li></ul></ul>
  6. 6. Next Steps/Actions for ITU-T <ul><li>All Study Groups have proposed Questions for next study period </li></ul><ul><ul><li>Most study groups have Questions concerning security </li></ul></ul><ul><ul><li>Questions are mainly evolution of existing work program </li></ul></ul><ul><ul><li>See Supplemental Information </li></ul></ul><ul><li>The World Telecommunication Standardization Assembly (WTSA) in October 2008 will make decisions on the priorities, work program (Questions) and organization of Study Groups, including security / cybersecurity work </li></ul><ul><li>Meanwhile, the present work program continues under the current structure – See Supplemental Information </li></ul><ul><ul><li>E.g., Study Groups 17 and 13 will each meet in September to approve additional security Recommendations </li></ul></ul><ul><li>A new edition of the ITU-T “Security Manual” is scheduled for October 2008 </li></ul>
  7. 7. Proposed revision to Resolution <ul><li>Resolution GSC-12/19, Cybersecurity </li></ul><ul><ul><li>Add a new Resolves follows: </li></ul></ul><ul><ul><li>5) supply updated information on their security standards work for inclusion in the ICT Security Standards Roadmap, a database of security standards hosted by the ITU-T at: </li></ul></ul>
  8. 8. Supplemental Information <ul><li>Supplemental Information </li></ul><ul><li>Security activities </li></ul><ul><ul><li>ITU General Secretariat </li></ul></ul><ul><ul><li>Telecommunication Standardization Sector (ITU-T) </li></ul></ul><ul><ul><li>Radiocommunication Sector (ITU-R) </li></ul></ul><ul><ul><li>Telecommunication Development Sector (ITU-D) </li></ul></ul><ul><li>Useful web resources </li></ul>
  9. 9. Supplemental Information ITU General Secretariat Corporate Strategy Division
  10. 10. A Framework for International Cooperation in Cybersecurity ITU Global Cybersecurity Agenda
  11. 11. <ul><li>Constant evolution of the nature of cyberthreats </li></ul>Issues and Challenges Major challenge is to develop harmonized and comprehensive global strategies at the international level <ul><li>Vulnerabilities in software and hardware applications and services </li></ul><ul><li>Low entry barriers for cyber-criminals </li></ul><ul><li>Loopholes in current legal frameworks </li></ul><ul><li>Absence of appropriate organizational structures </li></ul><ul><li>Inadequate cooperation among various stakeholders </li></ul><ul><li>Global problem which cannot be solved by any single entity </li></ul><ul><li>(country or organization) </li></ul><ul><li>Increasing sophistication of cybercrime </li></ul>
  12. 12. WSIS and Cybersecurity “ Strengthening the trust framework, including information security and network security, authentication, privacy and consumer protection, is a prerequisite for the development of the Information Society and for building confidence among users of ICTs. “ WSIS Geneva Declaration of Principles, Para 35 “ We reaffirm the necessity to further promote, develop and implement in cooperation with all stakeholders a global culture of cyber-security, as outlined in UNGA Resolution 57/239 and other relevant regional frameworks.” WSIS Tunis Agenda, Para 39 Confidence and security are among the main pillars of the information society
  13. 13. ITU’s Role as WSIS C5 FACILITATOR At the World Summit on the Information Society (WSIS), world leaders and governments entrusted ITU to take the leading role in coordinating international efforts on cyber-security, as the sole Facilitator of Action Line C5, “ Building confidence and security in the use of ICTs” The International Telecommunication Union (ITU) provides the global perspective and expertise needed to meet the challenges, with a track record of brokering agreements between public and private interests on a level playing field ever since its inception in 1865. Third Facilitation Meeting 22-23 May 2008, ITU Headquarters, Geneva
  14. 14. A Global Strategy for Action The strategy for a solution must identify those existing national, regional and international initiatives, work with all relevant players to identify priorities and bring partners together with the goal of proposing global solutions to address the global challenges we face today. <ul><ul><li>A framework for international multi-stakeholder cooperation in cybersecurity </li></ul></ul><ul><ul><li>ITU Response to its role as sole Facilitator for WSIS Action Line C5 </li></ul></ul><ul><ul><li>World renowned Group of High Level Experts (HLEG) to develop global strategies </li></ul></ul><ul><ul><li>Representing main stakeholder groups working towards the same goals </li></ul></ul><ul><ul><li>: Developing harmonized global strategies </li></ul></ul>ITU Global Cybersecurity Agenda (GCA)
  15. 15. GCA Work Areas GCA rests on five pillars or work areas: <ul><ul><li>Legal Measures </li></ul></ul><ul><ul><li>Technical and Procedural </li></ul></ul><ul><ul><li>Measures </li></ul></ul><ul><ul><li>Organizational Structures </li></ul></ul><ul><ul><li>Capacity Building </li></ul></ul><ul><ul><li>International Cooperation </li></ul></ul>1 2 3 4 5
  16. 16. Elaboration of global strategies for 1 the development of a model cybercrime legislation 2 the creation of appropriate national and regional organizational structures and policies on cybercrime 3 the establishment of security criteria and accreditation schemes for software applications and systems 4 the creation of a global framework for watch, warning and incident response 5 the creation and endorsement of a generic and universal digital identity system 6 the facilitation of human and institutional capacity-building 7 international cooperation, dialogue and coordination High-Level Experts Group (GCA/HLEG) High-Level Expert Group (HLEG) provided advice on strategies in all five work areas or pillars <ul><li>A global multi-stakeholder think-tank </li></ul><ul><li>made up of high-level experts from: </li></ul><ul><li>Governments </li></ul><ul><li>Industry </li></ul><ul><li>Regional and international organizations </li></ul><ul><li>Research and academic institutions </li></ul><ul><li>Individual experts </li></ul>
  17. 17. Argentina Brazil Cameroon Canada China Egypt Estonia Germany Japan India Indonesia Italy Malaysia Morocco Portugal Republic of Lithuania Russian Federation Saudi Arabia South Africa Switzerland United States <ul><li>Ecole Polytechnique Fédérale de Lausanne </li></ul><ul><li>(EPFL), Switzerland </li></ul><ul><li>Information Security Institute, Australia </li></ul><ul><li>Moscow Technical University of </li></ul><ul><li>Communications, Russian Federation </li></ul><ul><li>African Telecommunication Union (ATU) </li></ul><ul><li>Asia Pacific Economic Cooperation </li></ul><ul><li>Telecommunications (APECTEL) </li></ul><ul><li>Commonwealth Telecommunications </li></ul><ul><li>Organisations (CTO) </li></ul><ul><li>Council of Europe </li></ul><ul><li>Department of Economic and </li></ul><ul><li>Social Affairs (DESA) </li></ul><ul><li>European Information and Network </li></ul><ul><li>Security Agency (ENISA) </li></ul><ul><li>International Criminal Police </li></ul><ul><li>Organization (Interpol) </li></ul><ul><li>Organisation for Economic Co-operation </li></ul><ul><li>and Development (OECD) </li></ul><ul><li>Organisation International de la Francophonie </li></ul><ul><li>Society for the Policing of Cyberspace (POLCYB) </li></ul><ul><li>UMTS Forum </li></ul><ul><li>United Nations Institute for Training </li></ul><ul><li>and Research (UNITAR) </li></ul><ul><li>United Nations Office on Drugs and Crime </li></ul><ul><li>Authentrus </li></ul><ul><li>BITEK International Inc. </li></ul><ul><li>Cybex </li></ul><ul><li>Cisco </li></ul><ul><li>Garlik </li></ul><ul><li>Intel Corporation </li></ul><ul><li>Microsoft Corporation </li></ul><ul><li>Télam S.E. </li></ul><ul><li>VeriSign, Inc. </li></ul><ul><li>Stein Schjolberg, Chief Judge, </li></ul><ul><li>Moss Tingrett Court, Norway </li></ul><ul><li>Solange Ghernaouti-Helie, </li></ul><ul><li>HEC-Université de Lausanne, Switzerland </li></ul><ul><li>Sy Goodman, Georgia Institute of Technology, </li></ul><ul><li>United States </li></ul><ul><li>Nabil Kisrawi, Chairman of WG-Def, </li></ul><ul><li>Syrian Republic </li></ul><ul><li>Bruce Schneier, Security Technologist, </li></ul><ul><li>Unites States </li></ul><ul><li>Marco Gercke, Professor, Cologne University, </li></ul><ul><li>Germany </li></ul>GCA/HLEG Members Diversity of Participation
  18. 18. GCA/HLEG Leveraging expertise for international consensus On a Global level, from government, international organizations to industry For a Harmonised approach to build synergies between initiatives Through Comprehensive strategies on all levels Legal Measures e.g. Cybercrime legislation (Council of Europe), Moss Tingrett Court Norway, Cybex Technical and Procedural Measures e.g. Software (Microsoft) , hardware (Intel), Networking (CISCO), Security Apps/Services (Verisign), Global Standards and Development (ITU) Organisational Structures e.g. Ecole Polytechnique Fédérale de Lausanne (EPFL), Forum of Incident Response and Security Teams, OECD Capacity Building e.g. United Nations Institution for Training and Research (UNITAR), European Network and Information Security Agency (ENISA) International Cooperation e.g. Interpol, United Nations Office on Drug and Crime (UNODC) GCA/HLEG is building synergies with existing initiatives and working with stakeholders in these five key areas: 1 2 3
  19. 19. HLEG <ul><li>The HLEG work is an ongoing dynamic process with information-sharing and interaction relating to the elaboration of Global Strategies to meet the goals of the GCA and the ITU role as sole facilitator for WSIS Action Line C.5. </li></ul><ul><li>Three meetings held: </li></ul><ul><ul><li>First Meeting of the HLEG held on 5 October 2007 </li></ul></ul><ul><ul><li>Second Meeting of the HLEG held on 21 May 2008 </li></ul></ul><ul><ul><li>Third Meeting of the HLEG held on 26 June 2008 </li></ul></ul><ul><li>Chairman's Report: </li></ul><ul><ul><li>The results of the work of the HLEG, including recommendations, the views expressed during the meeting and additional information about the previous work of the HLEG are contained in the Chairman’s report which will be available at: </li></ul></ul>
  20. 20. GCA Sponsorship Programme – Join us! <ul><li>This Sponsorship programme – will ensure that all relevant stakeholders are aware of HLEG’s valuable work, will increase also a global understanding about how to work together to implement effective strategies. It will then be up to the stakeholders themselves – within their respective mandates and capabilities – to translate these strategies into concrete actions. </li></ul><ul><li>GCA Sponsors will help to promote the goals of this initiative around the world by participating in high-profile business activities including publications, pubic campaigns, an annual conference and other events. In addition to the opportunity to meet with high-level decision makers, Sponsors also stand to enhance their image and credibility with their stakeholders. </li></ul>
  21. 21. Dr Óscar Arias Sánchez Nobel Peace Laureate, President of the Republic of Costa Rica, Patron of the Global Cybersecurity Agenda. &quot;The world must take action. It must stand united. This is not a problem any one nation can solve alone&quot;
  22. 22. Conclusions The threats to global cybersecurity demand a global framework! The magnitude of this issue calls for a coordinated global response to ensure that there are no safe havens for cybercriminals. ITU will act as a catalyst and facilitator for these partners to share experience and best practice, so as to step up efforts for a global response to cybercrime. In this way, working together, we can create a cyberspace that is somewhere safe for people to trade, learn and enjoy. Dr Hamadoun I. Touré Secretary-General, ITU Towards a global Cyberpeace…
  23. 23. ITU Global Cybersecurity Agenda & ITU Activities in Cybersecurity: Email: [email_address] For More information on:
  24. 24. Supplemental Information <ul><li>ITU-T Telecommunication Standardization Sector </li></ul>
  25. 25. <ul><li>SG 17, Security, Languages and Telecommunication Software </li></ul><ul><ul><li>Lead Study Group on Telecommunication Security </li></ul></ul><ul><li>SG 2, Operational Aspects of Service Provision, Networks and Performance </li></ul><ul><li>SG 4, Telecommunication Management </li></ul><ul><li>SG 5, Protection Against Electromagnetic Environment Effects </li></ul><ul><li>SG 9, Integrated Broadband Cable Networks and Television and Sound Transmission </li></ul><ul><li>SG 11, Signalling Requirements and Protocols </li></ul><ul><li>SG 13, Next Generation Networks </li></ul><ul><li>SG 15, Optical and Other Transport Network Infrastructures </li></ul><ul><li>SG 16, Multimedia Terminals, Systems and Applications </li></ul><ul><li>SG 19, Mobile Telecommunication Networks </li></ul>ITU-T ITU-T Security and Cybersecurity Activities
  26. 26. ITU-T SG 17 <ul><li>ITU-T Study Group 17 Security, Languages and Telecommunication Software </li></ul><ul><li>Q.4/17, Communications Systems Security Project </li></ul><ul><li>Q.5/17, Security Architecture and Framework </li></ul><ul><li>Q.6/17, Cyber Security </li></ul><ul><li>Q.7/17, Security Management </li></ul><ul><li>Q.8/17, Telebiometrics </li></ul><ul><li>Q.9/17, Secure Communication Services </li></ul><ul><li>Q.17/17, Countering Spam by Technical Means </li></ul><ul><li>Q.2/17, Directory Services, Directory Systems and Public-key/Attribute Certificates </li></ul>
  27. 27. SG 17 – Q.4/17: Communications Systems Security Project <ul><li>ITU-T SG 17 Question 4 </li></ul><ul><li>Communications Systems Security Project </li></ul><ul><li>Overall Security Coordination and Vision </li></ul><ul><li>Outreach and promotional activities </li></ul><ul><ul><ul><li>ICT Security Standards Roadmap </li></ul></ul></ul><ul><ul><ul><li>Security Compendium </li></ul></ul></ul><ul><ul><ul><li>ITU-T Security manual </li></ul></ul></ul><ul><li>Focus Group on Security Baseline For Network Operators </li></ul>
  28. 28. SG 17 – Q.4/17 results achieved <ul><li>Successful workshop organized at start of Study Period to consider future direction of security standards </li></ul><ul><li>Security Standards Roadmap developed – includes security standards from ITU, ISO/IEC, IEEE, IETF, ATIS, ETSI, OASIS, 3GPP </li></ul><ul><li>Security Compendium and Security Manual maintained and updated </li></ul><ul><li>Security Baseline for Network Operators developed </li></ul>
  29. 29. SG 17 – Q.4/17 challenges <ul><li>Overall shortage of participants and contributors </li></ul><ul><li>Roadmap issues/challenges: </li></ul><ul><ul><li>Taxonomy (always a challenge!) </li></ul></ul><ul><ul><li>Finding out about new standards and when to post them </li></ul></ul><ul><ul><li>Appearance of the database </li></ul></ul><ul><ul><li>Need to develop a short guide to the update process </li></ul></ul>
  30. 30. SG 17 – Q.4/17 progress since GSC-12 <ul><li>Security Roadmap </li></ul><ul><li>The listing of standards has been converted to a searchable database </li></ul><ul><li>Further updating is planned to ease navigation </li></ul><ul><li>A new section (Part 5) has been added on (non-proprietary) Best Practices </li></ul>
  31. 31. SG 17 – Q.4/17 focus for next study period <ul><li>Will continue to be primary SG contact for security coordination issues </li></ul><ul><li>Will maintain and update outreach material </li></ul><ul><ul><li>Security Manual </li></ul></ul><ul><ul><li>Security Roadmap </li></ul></ul><ul><ul><li>Security Compendium </li></ul></ul><ul><li>Responsibilities will be limited to coordination and outreach – no Recommendations </li></ul>
  32. 32. SG 17 – Q.5/17: Security Architecture and Framework <ul><li>ITU-T SG 17 Question 5 </li></ul><ul><li>Security architecture and framework </li></ul><ul><li>Scope </li></ul><ul><li>Strategic direction </li></ul><ul><li>Challenges </li></ul><ul><li>Major activities and accomplishments </li></ul><ul><li>Actions for the next study period </li></ul>
  33. 33. SG 17 – Q.5/17 scope Recommendation X.805 has been a foundation of Q.5/17 security studies and shaped the scope of its work X.1034, X.1035 X.1036 X.1031 Supplement to X.800-X.849, Guidelines for implementing system and network security
  34. 34. SG 17 – Q.5/17 scope (continued) <ul><li>Q.5/17 has developed Recommendations that further develop the concepts of X.805 and provide guidance on their implementation </li></ul><ul><li>X.1031 , Security architecture aspects of end users and networks in telecommunications - provides guidance on applying the concepts of the X.805 architecture for distributing the security controls between the telecommunication networks and the end user’s equipment. </li></ul><ul><li>X.1034 , Guidelines on Extensible Authentication Protocol based Authentication and Key Management in a Data Communication Network and X.1035 , Password-Authenticated Key Exchange Protocol (PAK) - specify protocols and procedures that support functions of the Authentication security dimension . </li></ul><ul><li>X.1036 , Framework for creation, storage, distribution and enforcement of policies for network security further develops the concept of the security policy described in X.805. </li></ul><ul><li>Supplement to X.800-X.849 , Guidelines for implementing system and network security provides guidelines for implementing system and network security utilizing the concepts of X.805 and other security Recommendations and standards. </li></ul>
  35. 35. SG 17 – Q.5/17 strategic direction <ul><li>Development of a comprehensive set of Recommendations for providing standard security solutions for telecommunications in collaboration with other Standards Development Organizations and ITU-T Study Groups. </li></ul><ul><li>Studies and development of a trusted telecommunication network architecture that integrates advanced security technologies. </li></ul><ul><li>Maintenance and enhancements of Recommendations in the X.800-series and X.103x-series. </li></ul><ul><li>Coordination of studies on NGN security (with Question 15/13) </li></ul>
  36. 36. SG 17 – Q.5/17 c hallenges <ul><li>Authentication and key agreement is one of the most complex and challenging security procedures. Question 5/17 has developed Recommendations that contribute to the standards solutions for authentication and key management </li></ul><ul><li>X.1034 , Guidelines on Extensible Authentication Protocol based Authentication and Key Management in a Data Communication Network </li></ul><ul><ul><li>Establishes a framework for the EAP-based authentication and key management for securing the link layer in an end-to-end data communication network. </li></ul></ul><ul><ul><li>Provides guidance on selection of the EAP methods. </li></ul></ul><ul><li>X.1035 , Password-Authenticated Key Exchange Protocol (PAK) </li></ul><ul><ul><li>Specifies a protocol, which ensures mutual authentication of both parties in the act of establishing a symmetric cryptographic key via Diffie-Hellman exchange. </li></ul></ul>
  37. 37. SG 17 – Q.5/17 m ajor accomplishments <ul><li>Recommendations developed by Q.5/17: </li></ul><ul><ul><li>X.1031 , Security architecture aspects of end users and networks in telecommunications </li></ul></ul><ul><ul><li>X.1034 , Guidelines on Extensible Authentication Protocol based Authentication and Key Management in a Data Communication Network </li></ul></ul><ul><ul><li>X.1035 , Password-Authenticated Key Exchange Protocol (PAK) </li></ul></ul><ul><ul><li>X.1036 , Framework for creation, storage, distribution and enforcement of policies for network security </li></ul></ul><ul><li>A Supplement developed by Q.5/17 </li></ul><ul><ul><li>Supplement to X.800 - X.849 series Guidelines for implementing system and network security </li></ul></ul><ul><li>Other technical documents prepared by Q.5/17 </li></ul><ul><ul><li>In response to the WTSA Resolution 50 , Question 5/17 has prepared Guidelines for designing secure protocols using ITU-T Recommendation X.805. </li></ul></ul><ul><li>Major coordination activity conducted by Q.5/17 </li></ul><ul><ul><li>Question 5/17 has coordinated security studies with Question 15 of SG 13, NGN Security ensuring alignment of the standards work in both groups. </li></ul></ul>
  38. 38. SG 17 – Q.5/17 actions for next study period <ul><li>How should a comprehensive, coherent communications security solution be defined? </li></ul><ul><li>What is the architecture for a comprehensive, coherent communications security solution? </li></ul><ul><li>What is the framework for applying the security architecture in order to establish a new security solution? </li></ul><ul><li>What is the framework for applying security architecture in order to assess (and consequently improve) an existing security solution? </li></ul><ul><li>What are the architectural underpinnings for security? </li></ul><ul><li>What new Recommendations may be required for providing security solutions in the changing environment? </li></ul><ul><li>How should architectural standards be structured with respect to existing Recommendations on security? </li></ul><ul><li>How should architectural standards be structured with respect to the existing advanced security technologies? </li></ul><ul><li>How should the security framework Recommendations be modified to adapt them to emerging technologies and what new framework Recommendations may be required? </li></ul><ul><li>How are security services applied to provide security solutions? </li></ul>
  39. 39. SG 17 – Q.6/17: Cyber Security <ul><li>ITU-T SG 17 Question 6 </li></ul><ul><li>Cyber Security </li></ul><ul><li>Motivation </li></ul><ul><li>Scope </li></ul><ul><li>Challenges </li></ul><ul><li>Highlights of activities </li></ul><ul><li>Actions for Next Study Period </li></ul><ul><li>Collaboration with SDOs </li></ul>
  40. 40. SG 17 – Q.6/17 motivation <ul><li>Network connectivity and ubiquitous access is central to today’s IT systems </li></ul><ul><li>Wide spread access and loose coupling of interconnected IT systems and applications is a primary source of widespread vulnerability </li></ul><ul><li>Threats such as: denial of service, theft of financial and personal data, network failures and disruption of voice and data telecommunications are on the rise </li></ul><ul><li>Network protocols in use today were developed in an environment of trust </li></ul><ul><li>Most new investments and development is dedicated to building new functionality and not on securing that functionality </li></ul><ul><li>An understanding of cybersecurity is needed in order to build a foundation of knowledge that can aid in securing the networks of tomorrow </li></ul>
  41. 41. SG 17 – Q.6/17 scope <ul><li>Definition of Cybersecurity </li></ul><ul><li>Security of Telecommunications Network Infrastructure </li></ul><ul><li>Security Knowledge and Awareness of Telecom Personnel and Users </li></ul><ul><li>Security Requirements for Design of New Communications Protocol and Systems </li></ul><ul><li>Communications relating to Cybersecurity </li></ul><ul><li>Security Processes – Life-cycle Processes relating to Incident and Vulnerability </li></ul><ul><li>Security of Identity in Telecommunication Network </li></ul><ul><li>Legal/Policy Considerations </li></ul><ul><li>IP traceback technologies </li></ul><ul><li>Authentication Assurance </li></ul>
  42. 42. SG 17 – Q.6/17 challenges <ul><li>How should the current Recommendations be further enhanced for their wide deployment and usage? </li></ul><ul><li>How to harmonize common IdM data models across the ITU </li></ul><ul><li>How to define and use the term Identity within the ITU </li></ul><ul><li>How to detect and predict future threats and risks to networks </li></ul><ul><li>How to harmonize various IdM solutions </li></ul><ul><li>What are the best strategies to improve Cybersecurity </li></ul><ul><li>How to maintain a living list of IdM terms and definition and use it informally across the ITU </li></ul>
  43. 43. SG 17 – Q.6/17 highlights of activities Completed Recommendations * Currently in the approval process Common Alerting Protocol (CAP 1.1) X.1303 Requirements for global identity management trust and interoperability X.1250* Guidelines for Internet Service Providers and End-users for Addressing the Risk of Spyware and Deceptive Software X.1207 A vendor-neutral framework for automatic checking of the presence of vulnerabilities information update X.1206 Overview of Cybersecurity X.1205 Title No.
  44. 44. SG 17 – Q.6/17 highlights of activities (2) Recommendations under development ITU-T X.eaa | ISO/IEC xxxx, Information technology – Security techniques – Entity authentication assurance This Recommendation | International Standard provides a framework for entity authentication assurance which is the quantification of the risks that an entity is who or what he/she/it claims to be. In other words, entity authentication assurance is a measure of the confidence or risks associated with the authentication process and mechanisms. ITU-T X.gopw, Guideline on preventing worm spreading in a data communication network This Recommendation describes worm and other malicious codes spreading patterns and scenarios in a data communication network. The Recommendation provides guidelines for protecting users and networks from such malicious codes.
  45. 45. SG 17 – Q.6/17 highlights of activities (3) Recommendations under development ITU-T X.idif, User Control enhanced digital identity interchange framework This Recommendation defines a framework that covers how global interoperable digital identity interchange can be achieved and how an entity’s privacy is enhanced by providing an entity more control over the process of identity interchange. In addition, the Recommendation defines the general and functional requirements of the framework that should be satisfied. Based on the requirements, a framework is defined with basic functional building blocks for identity interchange and enhancing entity control. ITU-T X.idm-dm, Common identity data model This Recommendation develops a common data model for identity data that can be used to express identity related information among IdM systems.
  46. 46. SG 17 – Q.6/17 actions for next study period <ul><li>Enhance current Recommendations to accelerate their adoption </li></ul><ul><li>Work with SG 2 in Trusted Service Provider Identifier (TSPID) </li></ul><ul><li>Collaborate with Questions 5, 7, 9, 17/17 and with SG 2 in order to achieve better understanding of various aspects of network security </li></ul><ul><li>Collaborate with IETF, OASIS, ISO/IEC JTC1, Liberty Alliance and other standardization bodies on Cybersecurity </li></ul><ul><li>Work with OASIS on maintaining the OASIS Common Alerting Protocol V1.1 (ITU-T Recommendation X.1303) </li></ul><ul><li>Study new Cybersecurity issues – How should ISPs deal with botnets, evaluating the output of appropriate bodies when available. </li></ul><ul><li>Study technical aspects of Traceback techniques </li></ul><ul><li>Joint work is ISO/JTC1 SC 27 on Entity Authentication Assurance </li></ul><ul><li>Progress work with Liberty Alliance on Identity Authntication Frameworks </li></ul><ul><li>Working with SG 4 and SG 13 on common IdM Data Models. </li></ul><ul><li>Developing frameworks for User control enhanced digital identity interchange framework </li></ul><ul><li>Developing guideline on protection for personally identifiable information in RFID application </li></ul><ul><li>Developing r equirements for security information sharing framework </li></ul><ul><li>Developing guideline on preventing worm spreading in a data communication network </li></ul><ul><li>Maintaining the IdM Lexicon document </li></ul>
  47. 47. SG 17 – Q.6/17 collaboration with other SDOs <ul><li>ISO/IEC JTC 1/SC 27 </li></ul><ul><li>IEC/TC 25 </li></ul><ul><li>IETF </li></ul><ul><li>IEEE </li></ul><ul><li>Liberty Alliance </li></ul><ul><li>OASIS </li></ul><ul><li>W3C </li></ul><ul><li>3GPP </li></ul><ul><li>ETSI/TISPAN </li></ul>
  48. 48. SG 17 – Q.7/17: Security management <ul><li>ITU-T SG 17 Question 7 </li></ul><ul><li>Security management </li></ul><ul><li>Scope </li></ul><ul><li>Challenges </li></ul><ul><li>Highlights of activities </li></ul><ul><li>Actions for Next Study Period </li></ul><ul><li>Collaboration with SDOs </li></ul>
  49. 49. SG 17 – Q.7/17 scope For telecommunications organizations, information and the supporting processes, facilities, networks and communications medias are all important business assets. In order for telecommunications organizations to appropriately manage these business assets and to correctly continue the business activity, Information Security Management is extremely necessary. The scope of this question is to provide GUIDELINES and BASELINES of Information Security Management to be appropriately applied for telecommunications organizations. Studies related on this issue can be a little bit extended to cover the following items: - information security management guidelines (baseline) - information incident management guidelines - risk management and risk profiles guidelines - assets management guidelines - policy management guidelines - information security governance - etc.
  50. 50. SG 17 – Q.7/17 strategic direction s Policy Assets Personnel Physical Operational Security Access Controls Incident Management BCP Compliant Organizational Security Systems Security Vulnerability Handling Announcement Alert Handling Incident Handling Other Incident Management X.1051 Information Security Management Guidelines Policy Mang. Risk Mang. Asset Mang. Incident Mang. Maintenance Mang. Event Mang. Other Managements Risk Management & Risk Profiles Practical Implementation Methodologies Assets Management Methodology * * * Information Security Governance X.sim: Security Incident Mang. X.rmg Framework X.ismf Based on the proposals from NSMF Baseline
  51. 51. SG 17 – Q.7/17 challenges <ul><li>How should information assets in telecommunications systems be identified and managed? </li></ul><ul><li>How should information security policy for telecommunications systems be identified and managed? </li></ul><ul><li>How should specific management issues for telecommunications organizations be identified? </li></ul><ul><li>How should information security management system (ISMS) for telecommunications organizations be properly constructed by using the existing standards (ISO/IEC and ITU-T)? </li></ul><ul><li>How should measurement of information security management in telecommunications be identified and managed? </li></ul><ul><li>How should an information security governance framework be identified and managed? </li></ul><ul><li>How should the small and medium telecommunications organizations be managed and applied for security? </li></ul>
  52. 52. SG 17 – Q.7/17 highlights of achievements Recommendations * Currently under development Information Security Management Framework for Telecommunications X.ismf* Security incident management guidelines for telecommunications X. sim* Risk management and risk profile guide X. rmg* Information security management guideline for telecommunications organizations based on ISO/IEC 27002 X.10 51 Title No.
  53. 53. SG 17 – Q.7/17 actions for next study period <ul><li>Review the existing management Recommendations/Standards in ITU-T and ISO/IEC management standards as for assets identification and security policy management. </li></ul><ul><li>Study and develop a methodology of assets identification and policy management for telecommunications based on the concept of information security management (X.1051) . </li></ul><ul><li>Study and develop information security management framework for telecommunications based on the concept of information security management (X.1051). </li></ul><ul><li>Study and develop security management guidelines for small and medium telecommunications based on the concept of information security management (X.1051). </li></ul><ul><li>Study and develop a methodology to construct information security management system (ISMS) for telecommunications organizations based on the existing standards (ISO/IEC and ITU-T). </li></ul><ul><li>Study and develop an information security governance framework for telecommunications that encompasses information technology and information security management. </li></ul>
  54. 54. SG 17 – Q.7/17 collaboration with SDOs <ul><li>ISO/IEC JTC 1/SC27 </li></ul><ul><li>ETSI </li></ul><ul><li>TTC </li></ul><ul><li>NIST </li></ul>
  55. 55. SG 17 – Q.8/17: Telebiometrics <ul><li>ITU-T SG 17 Question 8 </li></ul><ul><li>Telebiometrics </li></ul><ul><li>Scope </li></ul><ul><li>Strategic Direction </li></ul><ul><li>Challenges </li></ul><ul><li>Highlights of activities </li></ul><ul><li>Actions for Next Study Period </li></ul><ul><li>Collaboration with SDOs </li></ul>
  56. 56. SG 17 – Q.8/17 scope Biometric Sensors Matching Application Yes/No Score NW Extraction NW NW:Network NW NW Decision NW Storage Acquisition (capturing) Safety conformity Digital key / Secure protocol / Authentication infrastructure / System mechanism / Protection procedure
  57. 57. SG 17 – Q.8/17 strategic direction Safety in interaction with sensors Authentication infrastructure Biometric Digital key BioAPI interworking protocol System mechanism among Client/Server/TTP Protection procedures Security and Protection for telebiometric application systems
  58. 58. SG 17 – Q.8/17 challenges <ul><li>How should security countermeasures be assessed for particular applications of telebiometrics? </li></ul><ul><li>How can identification and authentication of users be improved by the use of interoperable models for safe and secure telebiometric methods? </li></ul><ul><li>What mechanisms need to be supported to ensure safe and secure manipulation of biometric data in any application of telebiometrics, e.g., telemedicine or telehealth? </li></ul><ul><li>How should the current Recommendations be further enhanced for their wide deployment and usage? </li></ul>
  59. 59. SG 17 – Q.8/17 highlights of activities Approved Recommendations Telebiometrics authentication infrastructure X.10 89 Telebiometrics digital key – A framework for biometric digital key generation and protection X.1088 Telebiometrics system mechanism – Part 1: General biometric authentication protocol and system model profiles on telecommunication systems X.10 84 BioAPI Interworking Protocol X.10 83 Telebiometrics related to human physiology X.10 82 Title No.
  60. 60. SG 17 – Q.8/17 actions for next study period <ul><li>Enhance current Recommendations to accelerate their adoption to various telebiometric applications and populate the telebiometric database. </li></ul><ul><li>Review the similarities and differences among the existing telebiometrics Recommendations in ITU-T and ISO/IEC standards. </li></ul><ul><li>Study and develop security requirements and guidelines for any application of telebiometrics. </li></ul><ul><li>Study and develop requirements for evaluating security, conformance and interoperability with privacy protection techniques for any application of telebiometrics. </li></ul><ul><li>Study and develop requirements for telebiometric applications in a high functionality network. </li></ul><ul><li>Study and develop requirements for telebiometric multi-factor authentication techniques based on biometric data protection and biometric encryption. </li></ul><ul><li>Study and develop requirements for appropriate generic protocols providing safety, security, privacy protection, and consent “for manipulating biometric data” in any application of telebiometrics, e.g., telemedicine or telehealth. </li></ul><ul><li>Prepare a manual on telebiometrics. </li></ul>
  61. 61. SG 17 – Q.8/17 collaboration with other SDOs <ul><li>ISO/IEC JTC 1/SCs 17, 27 and 37 </li></ul><ul><li>ISO/TC 68 and TC 12 </li></ul><ul><li>IEC/TC 25 </li></ul><ul><li>IETF </li></ul><ul><li>IEEE </li></ul><ul><li>International Bureau of Weight and Measurement (BIPM) </li></ul>
  62. 62. <ul><li>ITU-T SG 17 Question 9 </li></ul><ul><li>Secure Communication Services </li></ul><ul><li>Focus </li></ul><ul><li>Position of each topic </li></ul><ul><li>Strategic direction </li></ul><ul><li>Challenges </li></ul><ul><li>Major achievements </li></ul><ul><li>Security work proposed for next study period </li></ul>SG 17 – Q.9/17: Secure communication services
  63. 63. SG 17 – Q.9/17 focus <ul><li>Develop a set of standards of secure application services, including </li></ul><ul><ul><li>Mobile security </li></ul></ul><ul><ul><li>Home network security </li></ul></ul><ul><ul><li>Web Services security </li></ul></ul><ul><ul><li>Secure application services </li></ul></ul><ul><ul><li>NID/USN security Under study </li></ul></ul><ul><ul><li>Multicast security Under study </li></ul></ul><ul><ul><li>IPTV security Under study </li></ul></ul>
  64. 64. SG 17 – Q.9/17 position of each topic Mobile Terminal Mobile Network Mobile security Home network security Secure application services /Web Services security Home Network IPTV security/Multicast security Content Provider STB Home Gateway Application Server Client Ubiquitous Sensor Network Home Network USN security NID security NID reader NID tag USN gateway USN Application Server NID Application Server Core Open Network
  65. 65. SG 17 – Q.9/17 strategic direction <ul><li>For developing the draft Recommendations on IPTV security matters: </li></ul><ul><ul><li>Participate the ITU-T IPTV-GSI event (January – December, 2008) to develop them being consistent with relevant Recommendations being developed by other Questions </li></ul></ul><ul><ul><li>Propose X.iptvsec-1 (Requirements and architecture for IPTV security matter) for consent by September 2008, to meet urgent market need </li></ul></ul><ul><ul><li>Based on X.iptvsec-1, continue to study a set of possible draft Recommendations which complement X.iptvsec-1 technologically </li></ul></ul><ul><li>Continue to develop a set of draft Recommendations in domain-specific areas: </li></ul><ul><ul><li>Mobile network, Home network, (mobile) Web Services, application services, NID/USN service, IPTV service multicasting service, etc. </li></ul></ul><ul><li>Continue to adopt or update the mature standards (i.e., SAML, XACML) developed by other SDOs, especially by OASIS, in the area of Web Services security </li></ul><ul><li>Develop a common text of X.usnsec-1 (Security framework for USN) with ISO/IEC JTC 1/SC 6 (as of June 2008) </li></ul><ul><li>Keep maintaining liaison activities with 3GPP, 3GPP2, JTC 1/SC 6, 25, 27 to develop the relevant draft Recommendations </li></ul>
  66. 66. SG 17 – Q.9/17 challenges <ul><li>For the domain-specific draft Recommendations, it needs to strengthen the coordination work with other relevant Questions/SDOs to develop them to be consistent with their work. </li></ul><ul><li>During this Study period, Q.9/17 has been focused on the security framework for various domain-specific networks. However, from now on it should be emphasized to develop the pragmatic draft Recommendations which have significant impact on industry for the domain-specific networks with the collaboration with industries, other relevant SDOs and network/service providers. </li></ul><ul><li>For developing the draft Recommendations on IPTV security matters, the various detailed work items should continue to be identified in the future . </li></ul>
  67. 67. SG 17 – Q.9/17 major achievements <ul><li>Mobile security </li></ul><ul><ul><li>X.1123, G eneral security value added service (policy) for mobile data communication , Approved 2007 </li></ul></ul><ul><ul><li>X.1124, Authentication architecture in mobile end-to-end data communication, Approved 2007 </li></ul></ul><ul><ul><li>X.1125, Correlative reacting system in mobile network, Approved 2007 </li></ul></ul><ul><li>NID security </li></ul><ul><ul><li>X.1171, Framework for Protection of Personally Identifiable Information in Networked ID Services, Consented 2008 </li></ul></ul><ul><li>Home network security </li></ul><ul><ul><li>X.1111, Framework for security technologies for home network, Approved 2007 </li></ul></ul><ul><ul><li>X.1112, Certificate profile for the device in the home network, Approved 2007 </li></ul></ul><ul><ul><li>X.1113, Guideline on u ser authentication mechanisms for home network service, Approved 2007 </li></ul></ul><ul><ul><li>X.homesec-4 Authorization framework for home network, to be consented 2008 </li></ul></ul><ul><li>USN security </li></ul><ul><ul><li>X.usnsec-1 Requirement and Framework for Ubiquitous Sensor Network , New work item in 2007 </li></ul></ul>
  68. 68. SG 17 – Q.9/17 major achievements (2) <ul><li>Multicast Security </li></ul><ul><ul><li>X.mcsec-,1 Security Requirement and Framework in Multicast communication , New work item in 2007 </li></ul></ul><ul><li>IPTV security </li></ul><ul><ul><li>X.iptvsec-1, Functional Requirements and architecture for IPTV security aspects , New work item in 2008 </li></ul></ul><ul><ul><li>X.iptvsec-2, Requirement and mechanism for Secure Transcodable Scheme New work item in 2008 </li></ul></ul><ul><ul><li>X.iptvsec-3, Key management framework for secure IPTV communications , New work item in 2008 </li></ul></ul><ul><li>Web Services security </li></ul><ul><ul><li>X.1143, Security architecture for message security in mobile Web Services, Approved 2007 </li></ul></ul><ul><li>Secure applications services </li></ul><ul><ul><li>X.1151, Guideline on strong password authentication protocols, Approved 2007 </li></ul></ul><ul><ul><li>X.1152, Secure end-to-end data communication techniques using Trusted Third Party services, Consented 2008 </li></ul></ul><ul><ul><li>X.1161, Framework for secure peer-to-peer communications, Consented 2008 </li></ul></ul><ul><ul><li>X.1162, Security architecture and operations for peer-to-peer network, Consented 2008 </li></ul></ul>
  69. 69. SG 17 – Q.9/17 work for next study period Q.9/17 for current Study Period <ul><li>Mobile Security </li></ul><ul><li>Home network security </li></ul><ul><li>NID/USN security </li></ul><ul><li>Multicast security </li></ul><ul><li>IPTV security </li></ul><ul><li>Web Service security </li></ul><ul><li>Secure application security </li></ul><ul><li>Mobile Security </li></ul><ul><li>Home network security </li></ul><ul><li>NID/USN security </li></ul><ul><li>Multicast security </li></ul><ul><li>IPTV security, etc. </li></ul><ul><li>Web Service security </li></ul><ul><li>Secure application service, etc. </li></ul>Q.O/17 for Next Study Period Q.P/17 for Next Study Period Secure Communication Service Security aspects for ubiquitous telecommunication service Secure application services <ul><li>Divide Q.9/17 into two Questions: Q.O/17 and Q.P/17, considering the enormous workloads. </li></ul>
  70. 70. SG 17 – Q.17/17: Countering spam by technical means <ul><li>ITU-T SG 17 Question 17 </li></ul><ul><li>Countering spam by technical means </li></ul><ul><li>Scope </li></ul><ul><li>Strategic direction </li></ul><ul><li>Challenges </li></ul><ul><li>Highlights of activities </li></ul><ul><li>Actions for next study period </li></ul><ul><li>Collaboration with SDOs </li></ul>
  71. 71. SG 17 – Q.17/17 s cope <ul><li>Develop a set of standards for countering spam by technical means, including: </li></ul><ul><ul><li>General technical strategies and protocols for countering spam </li></ul></ul><ul><ul><li>Guidelines, frameworks and protocols for countering email spam, IP multimedia spam, SMS spam and other new types of spam </li></ul></ul>
  72. 72. SG 17 – Q.17/17 s trategic direction Technologies involved in countering email spam (X.1240) Framework Recommendations IP multimedia application area (X.fcsip) Technical framework for countering email spam (X.1241) Overall aspects of IP multimedia application spam (X.1244) Technology Recommendations: Interactive countering spam gateway system (X.tcs-1) etc. Technical means for countering email spam (X.tcs) TBD Technical strategies on countering spam (X.1231) SMS spam Filtering System Based on Users’ Rules (X.ssf)
  73. 73. SG 17 – Q.17/17 c hallenges <ul><li>What risks does spam pose to the telecommunication network? </li></ul><ul><li>What technical factors associated with the telecommunication network contribute to the difficulty of identifying the sources of spam? </li></ul><ul><li>How can new technologies lead to opportunities to counter spam and enhance the security of the telecommunication network? </li></ul><ul><li>Do advanced telecommunication network technologies (for example, SMS, instant messaging, VoIP) offer unique opportunities for spam that require unique solutions? </li></ul><ul><li>What technical work is already being undertaken within the IETF, in other fora, and by private sector entities to address the problem of spam? </li></ul><ul><li>What telecommunication network standardization work, if any, is needed to effectively counter spam as it relates to the stability and robustness of the telecommunication network? </li></ul>
  74. 74. SG 17 – Q.17/17 h ighlights of activities Approved Recommendations * Currently in approval process Overall aspects of IP multimedia application spam X.1244 * Technical framework for countering email spam X.1241 Technologies involved in countering email spam X.1240 Technical Strategies on Countering Spam X.1231 Title No.
  75. 75. SG 17 – Q.17/17 a ctions for next study period <ul><li>Act as the lead group in ITU-T on technical means for countering spam </li></ul><ul><li>Establish effective cooperation with the relevant ITU Study Groups, other standard bodies and appropriate consortia and fora. </li></ul><ul><li>Identify and examine the telecommunication network security risks introduced by the constantly changing nature of spam. </li></ul><ul><li>Develop a comprehensive and up-to-date resource list of the existing technical measures for countering spam in a telecommunication network that are in use or under development. </li></ul><ul><li>Determine whether new Recommendations or enhancements to existing Recommendations, including methods to combat delivery of spyware, worm, phishing, and other malicious contents via spam and combat compromised networked equipment including botnet delivering spam. </li></ul><ul><li>Provide regular updates to the Telecommunication Standardization Advisory Group and to the Director of the Telecommunication Standardization Bureau to include in the annual report to Council. </li></ul>
  76. 76. SG 17 – Q.17/17 c ollaboration with SDOs <ul><li>Standardization bodies : </li></ul><ul><ul><li>IETF </li></ul></ul><ul><ul><li>ISO/IEC JTC 1 </li></ul></ul><ul><li>Other bodies : </li></ul><ul><ul><li>OECD </li></ul></ul><ul><ul><li>MAAWG. </li></ul></ul>
  77. 77. SG 17 – Q.2/17 - X.500 security aspects <ul><li>ITU-T SG 17 Question 2 </li></ul><ul><li>Directory Services, Directory Systems and Public-key/Attribute Certificates </li></ul><ul><li>X.509 as basis for other specifications </li></ul><ul><ul><li>Certificates </li></ul></ul><ul><ul><li>Public-Key Infrastructure (PKI) </li></ul></ul><ul><ul><li>Privilege Management Infrastructure (PMI) </li></ul></ul><ul><li>Protecting directory information </li></ul><ul><ul><li>User authentication </li></ul></ul><ul><ul><li>Access control </li></ul></ul><ul><ul><li>Data privacy protection </li></ul></ul>
  78. 78. SG 17 – Q.2/17 - X.509 applicability <ul><li>Secure Socket Layer (SSL) </li></ul><ul><li>The IETF Internet X.509 Public Key Infrastructure (PKIX) activity </li></ul><ul><li>The IETF Secure / Multipurpose Internet Mail Extensions (S/MIME) activity </li></ul><ul><li>The ETSI Electronic Signatures and Infrastructures (ESI) activity </li></ul><ul><li>Etc. </li></ul>The X.509 specification is the base for many other specifications:
  79. 79. SG 17 – Q.2/17 - X.509 applicability (2) <ul><li>Secure e-mail </li></ul><ul><li>Online banking </li></ul><ul><li>Medical electronic journals </li></ul><ul><li>Online public service </li></ul><ul><li>Etc. </li></ul>The X.509 specification is the base for: In short: The whole electronic world
  80. 80. SG 17 – Q.2/17 - Public-Key Infrastructure (PKI) <ul><li>PKI is an infrastructure for managing certificates. It consists of one or more Certification Authorities for issuing certificates in a secure way following a set of policies. </li></ul><ul><li>It includes maintaining information about certificates been revoked. </li></ul><ul><li>Directories are major components of the infrastructure. </li></ul>
  81. 81. SG 17 – Q.2/17 - Privilege Management Infrastructure (PMI) <ul><li>PMI is an infrastructure for managing authorization using attribute certificates. It consists of one or more Attribute Authorities for issuing attribute certificates in a secure way. </li></ul><ul><li>It includes maintaining information about attribute certificates been revoked. </li></ul><ul><li>Directories are major components of the infrastructure. </li></ul><ul><li>Recent development - (PMI) has been extended to allow privileges obtained in one domain to be used in an other domain (federation of privileges). </li></ul>
  82. 82. SG 17 – Q.2/17 - Protecting Directory Information <ul><li>Authentication of users </li></ul><ul><li>None </li></ul><ul><li>Name </li></ul><ul><li>Name + password </li></ul><ul><li>Name + protected password </li></ul><ul><li>Strong authentication based on X.509 </li></ul>
  83. 83. SG 17 – Q.2/17 - Protecting Directory Information <ul><li>Access control </li></ul><ul><li>Access control is about right-to-know (Who may do what based on level of authentication) </li></ul><ul><li>X.500 has comprehensive access control features </li></ul><ul><li>X.500 is the only directory specification having these features </li></ul>
  84. 84. SG 17 – Q.2/17 - Protecting Directory Information <ul><li>Data Privacy Protection </li></ul><ul><li>Data Privacy Protection is about right-to-know and need-to-know. </li></ul><ul><li>Protection against malicious searches </li></ul><ul><li>Protection against data trawling </li></ul><ul><li>Minority protection </li></ul>
  85. 85. SG 17 – Q.2/17 - New security extension work <ul><li>Password lifetime </li></ul><ul><li>Maintain password history (avoid reuse) </li></ul><ul><li>Password quality </li></ul><ul><li>Password warnings </li></ul><ul><li>Error signalling </li></ul><ul><li>Etc. </li></ul>Password policy, that is rules for administration of password to increase directory security: Part of next X.500 edition (2011-2012)
  86. 86. ITU-T SG 2 <ul><li>ITU-T Study Group 2 </li></ul><ul><li>Operational aspects of service provision, networks and performance </li></ul>
  87. 87. SG 2 – Scope of security study <ul><li>Operational aspects such as prevention and detection of: </li></ul><ul><ul><li>Fraud </li></ul></ul><ul><ul><li>Misuse </li></ul></ul><ul><li>Corresponding operational measures </li></ul><ul><li>Security requirements </li></ul>
  88. 88. SG 2 – Accomplishment <ul><li>Recommendations: </li></ul><ul><ul><li>E.156 Guidelines for ITU-T action on reported misuse of E.164 number resources   </li></ul></ul><ul><ul><li>E.408 Telecommunication networks security requirements </li></ul></ul><ul><ul><li>E.409 Incident organization and security incident handling: Guidelines for telecommunication organizations </li></ul></ul><ul><ul><li>Numerous Recommendations on operational aspects of network management </li></ul></ul><ul><ul><li>    </li></ul></ul>
  89. 89. ITU-T SG 4 <ul><li>ITU-T Study Group 4 </li></ul><ul><li>Telecommunication management </li></ul>
  90. 90. SG 4 – Scope of security study <ul><li>Security of management plane </li></ul><ul><li>Management of security for telecommunications management </li></ul><ul><li>Protocols of securities for management </li></ul>
  91. 91. SG 4 – Strategic direction <ul><li>Establishment of interface Recommendations among security function groups or entities for management of security (Enhancement of M.3410) </li></ul><ul><li>Study on use of IdM in management plan </li></ul><ul><li>Study on the management of IdM </li></ul><ul><li>Continuation of protocol profiling for security management </li></ul>
  92. 92. SG 4 – Challenges <ul><li>Fill the gap in security on management plane and management of its security </li></ul><ul><li>Collaboration with ATIS TMOC and ETSI TISPAN on the subject </li></ul>
  93. 93. SG 4 – Accomplishment <ul><li>Consent of Recommendation M.3410 </li></ul><ul><ul><li>Guidelines and Requirements for Security Management Systems to Support Telecommunications Management </li></ul></ul>
  94. 94. SG 4 – Next steps <ul><li>Enhancement of M.3016 series Recommendations for security of management plane </li></ul><ul><li>Enhancement of M.3410 Recommendation for management of security for telecommunications management </li></ul><ul><li>Enhancement of Q.811 and Q.812, management protocol profiles from security subject perspective </li></ul>
  95. 95. SG 4 – Questions <ul><li>What security mechanisms and protocols are required to support security of management for NGNs? </li></ul><ul><li>What management mechanisms and protocols are required to support management of security for NGNs? </li></ul><ul><li>What use of Service-Oriented Architecture concepts should be applied in specifying protocol and security Recommendations? </li></ul><ul><li>What collaboration inside and outside the ITU-T is needed to develop protocol and security functions? </li></ul>
  96. 96. ITU-T SG 5 <ul><li>ITU-T Study Group 5 </li></ul><ul><li>Protection against electromagnetic environment effects </li></ul>
  97. 97. SG 5 – Scope <ul><li>To provide guidance on the protection of Telecommunications and Data Centres against disruption of service and/or physical damage due to: </li></ul><ul><ul><li>Natural EM phenomena </li></ul></ul><ul><ul><ul><li>Lightning, Electrostatic Discharge (ESD) </li></ul></ul></ul><ul><ul><li>Interactions with the RF Spectrum </li></ul></ul><ul><ul><ul><li>Electromagnetic Compatibility (EMC) </li></ul></ul></ul><ul><ul><li>Man-Made/Malicious Electromagnetic threats </li></ul></ul><ul><ul><ul><li>High-altitude EM Pulse (HEMP); </li></ul></ul></ul><ul><ul><ul><li>High-Power EM weapons (HPEM); </li></ul></ul></ul><ul><li>To provide guidance on the protection of electronic data from interception via EM means </li></ul>
  98. 98. SG 5 – Strategic direction <ul><li>Do not reinvent the wheel </li></ul><ul><ul><li>Reference existing K-Series Recommendations wherever possible </li></ul></ul><ul><ul><ul><li>Lightning, ESD, EMC </li></ul></ul></ul><ul><ul><li>Develop effective liaisons with other International Standardization Organizations to exploit additional expertise </li></ul></ul><ul><ul><ul><li>Liaison with IEC TC 77 – Electromagnetic Compatibility (EMC) – SC 77C – High Power Transient Phenomena – provided expertise in HEMP and HPEM </li></ul></ul></ul><ul><ul><ul><li>Liaison with National Institute of Information and Communications Technology (NICT) of Japan – provided expertise on EM interception of data </li></ul></ul></ul><ul><ul><li>Apply existing expertise to the telecommunications and data centre domain </li></ul></ul>
  99. 99. SG 5 – Challenges <ul><li>Knowledge management </li></ul><ul><ul><li>Liaisons with other bodies has granted access to rich veins of existing expertise </li></ul></ul><ul><ul><li>This has taken time to assimilate and present within the context of a telecommunications and data centre </li></ul></ul><ul><li>EM intercept </li></ul><ul><ul><li>Previously officially secret in some regions (i.e. previously known as TEMPEST within the US) </li></ul></ul>
  100. 100. SG 5 – Recent accomplishments <ul><li>A document set is planned </li></ul><ul><li>K.sec – basic introduction that references the following: </li></ul><ul><ul><li>K.hemp </li></ul></ul><ul><ul><li>K.hpem </li></ul></ul><ul><ul><li>K.leakage </li></ul></ul><ul><ul><li>K.sec_miti </li></ul></ul><ul><ul><li>Existing K-series Recommendations on lightning </li></ul></ul><ul><ul><li>Existing K-series Recommendations on EMC </li></ul></ul><ul><li>Steady progress has been made on developing the document set </li></ul>
  101. 101. SG 5 – Next steps/actions Development of document set continues with the following timing 2011 Mitigation methods against EM security threats K.secmiti 2009 Test method and requirements against information leak through unintentional EM emission K.leakage 2008 Application of requirements against HPEM to telecommunication systems K.hpem 2008 Application of requirements against HEMP to telecommunication systems K.hemp 2011 Guide for the application of electromagnetic security requirements - Basic Recommendation K.sec Timing Title of the Recommendation Document
  102. 102. ITU-T SG 9 <ul><li>ITU-T Study Group 9 </li></ul><ul><li>Integrated broadband cable networks and television and sound transmission </li></ul>
  103. 103. SG 9 – Scope of security work <ul><li>Security requirements are spread across multiple questions: </li></ul><ul><ul><li>Improve the security of conditional access systems used for television subscription, pay-per-view and similar services distributed to the home by cable television (Q3) </li></ul></ul><ul><ul><li>Security, conditional access, protection against unauthorized copying, protection against unauthorized redistribution requirements to be supported by an universal integrated receiver or set-top box for the reception of cable television and other services (Q5) </li></ul></ul><ul><ul><li>Security requirements and protocols associated with high-speed bidirectional data facilities intended to support, among other payloads, those utilizing Internet Protocols (IP) exploiting the broadband capacity provided by hybrid fiber/Coaxial (HFC) digital cable television systems (Q8) </li></ul></ul><ul><ul><li>Security requirements and protocols for Voice over IP/Video over IP applications in IP-based cable television networks (Q9)  </li></ul></ul><ul><ul><li>Extend the security requirements for entertainment video delivery associated with cable network video service onto the home network (Q10) </li></ul></ul><ul><li>Provide all the security requirements for the network elements and services offered by cable operators </li></ul>
  104. 104. SG 9 – Strategic direction for security for Cable Networks Network Elements Home Networking – Devices and Applications - Link privacy for cable modem implementations J.125 - Third generation Transmission systems – security services J.222.3 - IP Cablecom security specification J.170 - IP Cablecom 2 architecture including securityJ.360 - Security features based on 3G mobile telecom system as modified for Cable J.366.7 - IMS network domain security specification J.366.8 - Generic authentication architecture specification J.366.9 - A Residential Gateway to support delivery of cable data services J.192 - Requirements for next generation set-top boxes J.193 - High level requirements for DRM Bridge for Cable access Network to home network J.197 - Next generation set-top box architecture J.290 - IPTV requirements for secondary distribution J.700
  105. 105. SG 9 – Challenges for cable networks security <ul><li>Authentication, privacy, access control and content protection both on the access network and the bridge to home network are key considerations for multi-media applications/services </li></ul><ul><li>Security requirements for network elements in the access networks determine how the applications (voice, video and data) are transmitted securely to authenticated users/subscribers </li></ul><ul><li>Security requirements for network elements in the home network such as residential gateway and set-top boxes meet the access control for the user </li></ul>
  106. 106. SG 9 – Major accomplishments <ul><ul><li>Approved 2 security requirements Recommendations: </li></ul></ul><ul><ul><ul><li>“ Link Privacy for cable modems” (J.125) </li></ul></ul></ul><ul><ul><ul><li>“ Third generation transmission systems” (cable Modem and Cable Modem Termination System, J.222.3) </li></ul></ul></ul><ul><ul><li>Approved “IPTV requirements for secondary distribution” (J.700) </li></ul></ul><ul><ul><li>Approved the Recommendation on “Component definition and interface specification for next generation set-top box” (J.293) </li></ul></ul>
  107. 107. SG 9 – Security work for next study period <ul><li>Security studies for the next study period will be continued in the following questions: </li></ul><ul><li>Cable television delivery of digital services and applications that use Internet Protocols (IP) and/or packet-based data </li></ul><ul><li>Voice and video applications over cable TV networks </li></ul><ul><li>Functional requirements for a universal integrated receiver or set-top box for the reception of cable television and other services </li></ul><ul><li>The extension of cable-based services over broadband in Home Networks </li></ul><ul><li>Security requirements for IPTV interfaces for secondary distribution (identified in J.700) </li></ul>
  108. 108. ITU-T SG 11 <ul><li>ITU-T Study Group 11 </li></ul><ul><li>Signalling Requirements and Protocols </li></ul>
  109. 109. SG 11 – Scope of security work <ul><li>Each Question of SG11 has to consider security aspects to develop protocol Recommendations used for network control signalling, based on the general requirements developed by other SGs, such as SG 2, SG 13, SG 17 and SG 19. </li></ul><ul><li>Q.7/11, entitled as “ Signalling and control requirements and protocols to support attachment in NGN environments”, has specific requirements for authentication and authorization of users and terminals. </li></ul>
  110. 110. SG 11 – Strategic direction <ul><li>Security consideration has been incorporated within the text for each Question of SG11. </li></ul><ul><li>Various security arrangements are embedded within the protocols defined at various reference points, by reusing existing mechanisms defined by other organization (e.g., IETF and 3GPP). </li></ul><ul><li>Strengthen the coordination on security issues across SGs, as well as among Questions within SG 11 by proposing a dedicated new Question on security coordination for the next study period. </li></ul>
  111. 111. SG 11 – Challenges for secure protocols <ul><li>Design interface protocols which have various security mechanisms based on Recommendations / specifications developed by SG 17 and other SDOs. </li></ul><ul><li>Special attention should be drawn to the interface between legacy telephone networks and emerging NGN. </li></ul><ul><li>It would also be necessary to guide actual protocol implementations so that there will be no security holes, for example, by defining implementers’ guides. </li></ul>
  112. 112. SG 11 – Recent accomplishments <ul><li>24 Recommendations and 6 Supplements have been approved so far, regarding NGN protocols with security mechanisms embedded. </li></ul><ul><li>The following two Recommendations have been approved at the January 2008 SG11 meeting in Q.7/11 in Network attachment control protocol work: </li></ul><ul><ul><li>Q.3201, “EAP-based security signalling protocol architecture.” Note - EAP: Extensible Authentication Protocol </li></ul></ul><ul><ul><li>Q.3202.1, “Authentication protocols for interworking among 3GPP, WiMax and WLAN in NGN.” </li></ul></ul>
  113. 113. SG 11 – Security work for next study period <ul><li>New Question on security coordination </li></ul><ul><li>What is the content of an appropriate policy for the consideration of protocol security in the work of the Study Group? </li></ul><ul><li>What are the means to assure that such a policy is being followed in practice? </li></ul><ul><li>What exceptions to the general policy are permissible in the case of specific Recommendations? </li></ul><ul><li>What is the impact of security-related work in other groups on the work of protocol security within this Study Group at the policy level? </li></ul><ul><li>What are the means by which technical developments in protocol security achieved in other groups may be communicated to interested Questions in this Study Group, and the reverse? </li></ul>
  114. 114. ITU-T SG 13 <ul><li>ITU-T Study Group 13 </li></ul><ul><li>Next Generation Networks </li></ul>
  115. 115. SG 13 – Scope of NGN security work in Q.15 <ul><li>Conduct NGN Security studies to develop network architectures that: </li></ul><ul><ul><li>Provide for maximal network and end-user resources protection </li></ul></ul><ul><ul><li>Allow for highly-distributed intelligence end-to-end </li></ul></ul><ul><ul><li>Allow for co-existence of multiple networking technologies </li></ul></ul><ul><ul><li>Provide for end-to-end security mechanisms </li></ul></ul><ul><ul><li>Provide for security solutions that apply over multiple administrative domains </li></ul></ul><ul><ul><li>Provide for secure Identity Management </li></ul></ul><ul><ul><li>Provide for security solutions for IPTV that are cost-effective and have acceptable impact on the performance, quality of service, usability, and scalability </li></ul></ul><ul><li>Provide security guidance on NGN security to all Questions of SG 13 and other Study Groups </li></ul>
  116. 116. SG 13 – Strategic direction for NGN security Y.2701 is built on application of the concepts of X.805 to Y.2201 , NGN requirements and Y.2012 , NGN Functional Require- ments and Architecture Y.2702 NGN Authentication and Authorization Requirements Y.2701 Security Requirements for NGN Release 1 NGN Security Mechanisms NGN Certificate Management NGN AAA Y.2701 is a base for development of the detailed Recommendations on NGN Security NGN IdM Framework Identity Management has evolved into a separate topic of the NGN security work NGN IdM Use cases NGN IdM Requirements NGN IdM Mechanisms <ul><li>IdM Framework defines the concepts of the IdM </li></ul><ul><li>IdM Use cases is a base for deriving the IdM requirements </li></ul><ul><li>IdM Mechanisms provide support for the requirements </li></ul>
  117. 117. SG 13 – Challenges for NGN security <ul><li>Authentication is one of the most complex and challenging procedures in NGN security. The following study items of SG 13 are focused on various aspects of authentication: </li></ul><ul><ul><li>Y.2702 , NGN Authentication and Authorization Requirements </li></ul></ul><ul><ul><li>NGN Security Mechanisms </li></ul></ul><ul><ul><li>NGN Certificate Management </li></ul></ul><ul><ul><li>NGN Authentication Authorization and Accounting </li></ul></ul><ul><ul><li>NGN IdM Requirements </li></ul></ul><ul><ul><li>NGN IdM Mechanisms </li></ul></ul>
  118. 118. SG 13 – Major security accomplishments <ul><li>Question 15/13 has: </li></ul><ul><ul><li>Achieved determination of the draft ITU-T Recommendation Y.2702 , NGN Authentication and Authorization Requirements </li></ul></ul><ul><ul><li>Defined the direction for the studies of Identity Management (IdM) for NGN and started development of four ITU-T Recommendations on IdM </li></ul></ul><ul><ul><li>Provided security expertise to other Questions and Study Groups through active participation in NGN-GSI and IdM-GSI </li></ul></ul><ul><ul><li>Continued productive collaboration with ITU-T SG 17 - Lead Study Group on Telecommunication Security and started joint (with Q.6/17) development of Recommendation X.idm-dm, Identity Data Model </li></ul></ul><ul><ul><li>Initiated a liaison exchange with 3GPP SA 3 aimed at harmonization of the standards on media security </li></ul></ul>
  119. 119. SG 13 – Security work for next study period <ul><li>Security studies for the next study period will address: </li></ul><ul><li>What new Recommendations or guidance to other Study Groups are needed to standardize identification of NGN threats and vulnerabilities ? </li></ul><ul><li>What are the security requirements of NGN to effectively counter these threats ? </li></ul><ul><li>What new Recommendations are necessary to enable comprehensive, end-to-end security in NGN that span across multiple heterogeneous administrative domains ? </li></ul><ul><li>What new Recommendations or guidance are necessary to enable attachment of terminals in a secure fashion , including Authentication, Authorization, and Accounting ( AAA ) considerations, to NGN? </li></ul><ul><li>How to define security architecture of Identity Management in NGN? </li></ul><ul><li>What are security requirements to Identity Management in NGN? </li></ul><ul><li>What new Recommendations are needed for supporting security requirements of Identity Management in NGN? </li></ul><ul><li>What new Recommendations are needed for supporting secure interoperability among different Circles of Trusts (CoT) in NGN? </li></ul><ul><li>What new NGN Recommendations are needed for supporting security requirements of IPTV ? </li></ul>
  120. 120. <ul><li>ITU-T Study Group 15 </li></ul><ul><li>Optical and Other Transport Network Infrastructures </li></ul>ITU-T SG 15
  121. 121. SG15 is responsible for the development of standards on optical and other transport network infrastructures, systems, equipment, optical fibres, and their management and the corresponding control plane technologies to enable the evolution toward intelligent transport networks. This encompasses the development of related standards for the customer premises, access, metropolitan and long haul sections of communication networks. This responsibility includes security-related aspects, including encryption, protection and restoration, and security management. SG 15 - Responsibilities
  122. 122. SG 15 – Security related work in SG 15 Management and control of transport systems and equipment Security requirements for managing the transport network/system/equipment and the supporting management communication network and signalling communication network 14/15 Transport network architectures Architecture aspects, including security-related issues 12/15 Optical fibres and cables for the access network to and in buildings and homes Safety and reliability requirements 10/15 Transport equipment and network protection/restoration Security requirements for equipment functions and protection switching processes for transport networks 9/15 Characteristics of optical systems for terrestrial transport networks Safety and reliability requirements 6/15 Transceivers for customer access and in-premises networking systems on metallic conductors Example: Notching out frequency bands used by amateur radio etc. 4/15 General characteristics of optical transport networks OTN planning security aspects 3/15 Optical systems for fibre access networks Example: Link level encryption 2/15 Coordination of Access Network Transport standards Access Network Transport planning security aspects 1/15 Topic and security-related issues Question
  123. 123. SG 15 – Major security accomplishments The common transport equipment management requirements Recommendation G.7710/Y.1701 (7/2007) has added M.3016 Series (2005) as normative reference for management plane security requirements.   The requirements in G.7710/Y.1701, including the security requirements, continue to be the base for managing technology-specific transport equipment, including EoT in G.8051/Y.1345 (10/2007) and T-MPLS in G.8151/Y.1374 (10/2007).
  124. 124.   Will continue to study security requirements for managing transport network/system/equipment and their control plane and revise the recommendations are necessary   G.806 (Generic Equipment Functions) will be revised and security requirements will be included. SG 15 – Security work for next study period
  125. 125. <ul><li>ITU-T Study Group 16 </li></ul><ul><li>Multimedia terminals, systems and applications </li></ul>ITU-T SG 16
  126. 126. SG 16 – Q.25/16, M ultimedia security in NGN <ul><li>Study Group 16 concentrates on m ultimedia systems. </li></ul><ul><li>Q.25/16 focuses on the application-security issues of MM applications in existing and next generation networks </li></ul><ul><li>Standardizes multimedia security </li></ul><ul><li>So far Q.25/16 has been standardizing MM-security for the “1st generation MM/pre-NGN systems”: </li></ul><ul><ul><li>H.323/H.248-based systems </li></ul></ul>
  127. 127. SG 16 – Evolution of H.235 1997 1998 1999 2000 2001 2002 Initial Draft H.323V2 H.323V4 H.235V1 approved Core Security Framework Engineering Consolidation Improvement and Additions 1st Deployment 2003 H.235V2 Annex D Annex E approved Annex F H.530 consent H.235V3+ Annex I Security Profiles Annex D Annex E started 2004 H.235V3 Amd1 + Annex H H.235V3 Amd1 H.235 Annex G H.323V5 1996 2005 H.235V4 H.235.0 ~ H.235.9 approved Reorganization H.323V1 H.323V6 2006
  128. 128. SG 16 – H.235 V4 sub-series Recommendations <ul><li>Major restructuring of H.235v3 Amd1 and annexes in stand-alone sub-series Recommendations </li></ul><ul><li>H.235.x sub-series specify scenario-specific MM-security procedures as H.235-profiles for H.323 </li></ul><ul><li>Some new parts added </li></ul><ul><li>Some enhancements and extensions </li></ul><ul><li>Incorporated corrections </li></ul><ul><li>Approved in September 2005 </li></ul>
  129. 129. SG 16 – H.323 Security Recommendations (1) <ul><li>H.235.0 “Security framework for H-series (H.323 and other H.245-based) multimedia systems” </li></ul><ul><ul><li>Overview of H.235.x sub-series and common procedures with baseline text </li></ul></ul><ul><li>H.235.1 &quot;Baseline Security Profile” </li></ul><ul><ul><li>Authentication & integrity for H.225.0 signaling using shared secrets </li></ul></ul><ul><li>H.235.2 &quot;Signature Security Profile” </li></ul><ul><ul><li>Authentication & integrity for H.225.0 signaling using X.509 digital certificates and signatures </li></ul></ul>
  130. 130. SG 16 – H.323 Security Recommendations (2) <ul><li>H.235.3 &quot;Hybrid Security Profile&quot; </li></ul><ul><ul><li>Authentication & integrity for H.225.0 signaling using an optimized combination of X.509 digital certificates, signatures and shared secret key management; specification of an optional proxy-based security processor </li></ul></ul><ul><li>H.235.4 &quot;Direct and Selective Routed Call Security&quot; </li></ul><ul><ul><li>Key management procedures in corporate and interdomain environments to obtain key material for securing H.225.0 call signaling in GK direct-routed/selective routed scenarios </li></ul></ul>enhanced extended
  131. 131. SG 16 – H.323 Security Recommendations (3) <ul><li>H.235.5 &quot;Framework for secure authentication in RAS using weak shared secrets&quot; </li></ul><ul><ul><li>Secured password (using EKE/SPEKE approach) in combination with Diffie-Hellman key agreement for stronger authentication during H.225.0 signaling </li></ul></ul><ul><li>H.235.6 &quot;Voice encryption profile with native H.235/H.245 key management&quot; </li></ul><ul><ul><li>Key management and encryption mechanisms for RTP </li></ul></ul><ul><ul><li>Amendment 1 ( June 2008 ) added support for cipher key lengths of 192 and 256 bit to AES </li></ul></ul>enhanced modified
  132. 132. SG 16 – H.323 Security Recommendations (4) <ul><li>H.235.7 &quot;Usage of the MIKEY Key Management Protocol for the Secure Real Time Transport Protocol (SRTP) within H.235&quot; </li></ul><ul><ul><li>Usage of the MIKEY key management for SRTP </li></ul></ul><ul><li>H.235.8 &quot;Key Exchange for SRTP using Secure Signalling Channels&quot; </li></ul><ul><ul><li>SRTP keying parameter transport over secured signaling channels (IPsec, TLS, CMS) </li></ul></ul><ul><li>H.235.9 &quot; Security Gateway Support for H.323 &quot; </li></ul><ul><ul><li>Discovery of H.323 Security Gateways (SG = H.323 NAT/FW ALG) and key management for H.225.0 signaling </li></ul></ul>NEW NEW
  133. 133. SG 16 – Other MM-SEC results <ul><li>H.350.2 (2003) “H.350.2 Directory Services Architecture for H.235” </li></ul><ul><ul><li>An LDAP schema to represent H.235 elements (PWs, certificates, ID information) </li></ul></ul><ul><li>H.530 (2002) “Symmetric security procedures for H.323 mobility in H.510” + Cor.1 (2003) </li></ul><ul><ul><li>Authentication, access control and key management in mobile H.323-based corporate networks </li></ul></ul><ul><li>H.460.22 (2007) “Security protocol negotiation” + Cor.1 (2008) </li></ul><ul><ul><li>Negotiate security protocols (IPsec or TLS or others) for H.323 signaling </li></ul></ul>
  134. 134. SG 16 – Q.5/16 (H.300 NAT/FW traversal) results <ul><li>H.460.18 (2005) “Traversal of H.323 signalling across FWs and NATs” </li></ul><ul><ul><li>H.323 protocol enhancements and new client/server proxies to allow H.323 signalling protocols traverse NATs & FWs; H.323 endpoints can remain unchanged </li></ul></ul><ul><li>H.460.19 (2005) “NAT & FW traversal procedures for RTP in H.323 systems” </li></ul><ul><ul><li>Uses multiplexed RTP media mode and symmetric RTP in conjunction with H.460.18 as a short-term solution </li></ul></ul>
  135. 135. SG 16 – More Q.5/16 results <ul><li>Technical Paper (2005) “Requirements for Network Address Translator and Firewall Traversal of H.323 Multimedia Systems” </li></ul><ul><ul><li>Documentation of scenarios and requirements for NAT & FW traversal in H.323 </li></ul></ul><ul><li>Technical Paper (2005) “Firewall and NAT traversal Problems in H.323 Systems” </li></ul><ul><ul><li>An analysis of scenarios and various problems encountered by H.323 around NAT & FW traversal </li></ul></ul><ul><li>H-Series Supplement 10 (2008) “Proxy-aided NAT/FW Traversal Scheme for H.323 Multimedia Systems” </li></ul><ul><ul><li>Describe proxy-aided NAT/firewall traversal mechanism as a NAT traversal solution for H.323 multimedia systems </li></ul></ul>
  136. 136. SG 16 – New security items under current study <ul><li>MM security aspects of Advanced Multimedia Systems (AMS) under Q.12/16 </li></ul><ul><ul><li>Security consideration in the third generation MM system with a decomposed and distributed architecture </li></ul></ul><ul><li>Security aspects of IPTV system under Q.13/16 </li></ul><ul><ul><li>Content protection related metadata </li></ul></ul>
  137. 137. SG 16 – Summary <ul><li>Multimedia systems and applications as being studied by SG16 face important security challenges: </li></ul><ul><ul><li>MM-security and NAT/FW traversal </li></ul></ul><ul><li>Q.25/16 and Q.5/16 are addressing these issues and have provided various Recommendations </li></ul><ul><li>The work continues in the scope of NGN-Multimedia Security </li></ul><ul><li>Security considerations are key part of draft new Question B7/16 “Advanced functions for H.300-series systems and beyond” </li></ul><ul><ul><li>Other Questions will also address the topic within their areas of competence </li></ul></ul>
  138. 138. ITU-T SG 19 <ul><li>ITU-T Study Group 19 </li></ul><ul><li>Mobile Telecommunication Networks </li></ul>
  139. 139. SG 19 – Scope of security work <ul><li>Scope: IMT-2000 Family Member Networks </li></ul><ul><li>Broad requirements for security are covered in the following ITU-T Recommendations: </li></ul><ul><ul><li>Q.1701 “Framework for IMT‑2000 networks” </li></ul></ul><ul><ul><li>Q.1702 “Long-term vision of network aspects for systems beyond IMT-2000” </li></ul></ul><ul><ul><li>Q.1703 “Service and network capabilities framework of network aspects for systems beyond IMT-2000” </li></ul></ul>
  140. 140. SG 19 – Strategic directions <ul><li>Mainly derived from Q.1702 and Q.1703 </li></ul><ul><ul><li>Q.1702 indicates the following objectives to provide network security among heterogeneous inter-connected networks: </li></ul></ul><ul><ul><ul><li>Comprehensive, cross-provider security infrastructure support </li></ul></ul></ul><ul><ul><ul><li>Well-defined and conducted routine system risk analysis </li></ul></ul></ul><ul><ul><ul><li>Robust system intrusion monitoring and response system to control damage </li></ul></ul></ul><ul><ul><ul><li>Low overhead security protocols to accommodate wireless bandwidth limitation </li></ul></ul></ul><ul><ul><ul><li>Provide seamless security across heterogeneous access technologies </li></ul></ul></ul>
  141. 141. SG 19 – Strategic directions <ul><li>Mainly derived from Q.1702 and Q.1703 </li></ul><ul><ul><li>Rec. Q.1703 specifies that at least the following security services should be provided: </li></ul></ul><ul><ul><ul><li>Integrity: contents as received are exactly as sent </li></ul></ul></ul><ul><ul><ul><li>Confidentiality: user data is kept secret from unintended listeners </li></ul></ul></ul><ul><ul><ul><li>Non-repudiation: prevent denying a transmission was initiated </li></ul></ul></ul><ul><ul><ul><li>Mutual authentication: assurance that a participant is who he claims to be </li></ul></ul></ul><ul><ul><ul><li>Authorization: control user access to various network resources </li></ul></ul></ul>
  142. 142. SG 19 – Security challenges <ul><li>To address security concerns arising due to: </li></ul><ul><ul><li>Migration from circuit switching to Packet switching (using IP in wireless networks) </li></ul></ul><ul><ul><li>Fixed Mobile Convergence (FMC): access & services across heterogeneous networks (GSM, Wi‑Fi, PSTN, WiMAX, etc.) with the usage of IP </li></ul></ul><ul><li>To define a security framework applicable across heterogeneous networks </li></ul>
  143. 143. SG 19 – Major security accomplishments <ul><li>Q.1707/Y.2804 (02/2008) “Generic Framework of Mobility Management for NGNs” </li></ul><ul><ul><li>Designed to ensure that MM functions can interwork with the relevant authentication and security protocols. </li></ul></ul><ul><li>Q.1742-series “IMT‑2000 references to ANSI-41 evolved core network with cdma2000 access” </li></ul><ul><ul><li>References to 3GPP security specifications </li></ul></ul><ul><ul><ul><li>S.S0078: Common Security Algorithms </li></ul></ul></ul><ul><ul><ul><li>S.R0082: Enhanced Packet Data Air Interface Security </li></ul></ul></ul><ul><ul><ul><li>S.R0083: Broadcast-Multicast Service Security Framework </li></ul></ul></ul><ul><ul><ul><li>S.S0114: Security Mechanisms using GBA </li></ul></ul></ul><ul><ul><ul><li>S.S0110: IP-Based Location Services Security Framework </li></ul></ul></ul><ul><ul><ul><li>S.R0086: IMS Security Framework. </li></ul></ul></ul>
  144. 144. SG 19 – Major security accomplishments (2) <ul><li>Q.1762/Y.2802 “Fixed-mobile convergence general requirements” </li></ul><ul><ul><li>Notes need for uniform authorization mechanism </li></ul></ul><ul><ul><li>FMC may contain access-specific or -dependent parts but the procedure for handling these is uniform </li></ul></ul><ul><li>Q.1763 “FMC service using legacy PSTN or ISDN as the fixed access network for mobile network users” </li></ul><ul><ul><li>Authentication through a fixed network access provides for same security mechanism as in the mobile network </li></ul></ul><ul><ul><li>Refers to 3GPP TS 33.102 / ETSI TS 133.102 which address UMTS 3G security and security architecture </li></ul></ul>
  145. 145. SG 19 – Major security accomplishments (3) <ul><li>Working Draft Q.FMC-IMS “Fixed mobile convergence with a common IMS session control domain” as of 14 May 2008 </li></ul><ul><ul><li>Mobile access in mobile networks faces an increased level of security threats compared to stationary access in fixed networks </li></ul></ul><ul><ul><li>Nomadic and wireless access in fixed networks utilize the mobile world security framework (TS 33.203) for IMS access, with the IMS Subscriber Identity Module (ISIM) as a key component </li></ul></ul><ul><ul><li>References IMS security (3GPP TR 33.978) and authentication mechanisms (ETSI TS 187.003) </li></ul></ul>
  146. 146. SG 19 – Security work for next study period <ul><li>F/19 : Convergence of existing and evolving IMT and fixed networks </li></ul><ul><ul><li>FMC cannot be studied in isolation </li></ul></ul><ul><ul><li>Has to take into account the ongoing work on NGN scenarios, services, architecture, mobility, security and QoS, and on mobile network technologies outside of ITU-T </li></ul></ul><ul><ul><li>Study of specific FMC scenarios and solutions requires a solid understanding of mobile network technologies and close liaison with mobile network SDOs </li></ul></ul>
  147. 147. SG 19 – Specific actions member organizations of GSC should take <ul><li>Aim for globally consistent end-user security support </li></ul><ul><ul><li>Identify FMC security requirements for uniform authentication and authorization mechanisms (i.e., authentication and authorization combined) </li></ul></ul><ul><ul><li>Network specific requirements for T-SPID </li></ul></ul>
  148. 148. Supplemental Information <ul><li>ITU-D </li></ul><ul><li>Telecommunication Development Sector </li></ul>
  149. 149. ITU-D <ul><li>ITU-D Cybersecurity Activities: Two Main Pillars </li></ul><ul><li>ITU-D Study Group 1 Question 22/1: Securing information and communication networks: Best practices for developing a culture of cybersecurity </li></ul><ul><ul><li>Developing a Framework for Organizing National Cybersecurity Efforts </li></ul></ul><ul><li>ITU-D Programme 3 ITU Cybersecurity Work Programme to Assist Developing Countries. Example activities include: </li></ul><ul><ul><li>Assistance related to Establishment of National Strategies and Capabilities for Cybersecurity and Critical Information Infrastructure Protection (CIIP) </li></ul></ul><ul><ul><li>Assistance related to Establishment of appropriate Cybercrime Legislation and Enforcement Mechanisms </li></ul></ul><ul><ul><li>Assistance related to establishment of Watch, Warning and Incident Response (WWIR) Capabilities </li></ul></ul><ul><ul><li>Assistance related to Countering Spam and Related Threats, Establishment of an ITU Cybersecurity/CIIP Directory, Contact Database and Who’s Who Publication </li></ul></ul><ul><ul><li>Cybersecurity Indicators </li></ul></ul><ul><ul><li>Fostering Regional Cooperation Activities </li></ul></ul>
  150. 150. Supplemental Information <ul><li>ITU-R </li></ul><ul><li>Radiocommunication Sector </li></ul>
  151. 151. ITU-R <ul><li>ITU-R Cybersecurity Activities </li></ul><ul><li>Radio spectrum global frequency management is increasingly important for building confidence and security and creating an enabling environment in the use of ICTs. ITU-R plays a central role in facilitating complex intergovernmental negotiations needed to develop legally binding agreements between sovereign states in an increasingly ‘unwired’ world. </li></ul><ul><li>ITU-R activities related to cybersecurity </li></ul><ul><ul><li>Recommendation ITU-R M.1457 “Security mechanism incorporated in IMT-2000” </li></ul></ul><ul><ul><li>Recommendation ITU-R S.1711 “Performance enhancements of transmissions control protocol over satellite” </li></ul></ul><ul><ul><li>Recommendation ITU-R M.1645 “Framework and overall objectives of the future development of IMT-2000 and systems beyond IMT-2000” </li></ul></ul><ul><ul><li>Recommendation ITU-R M.1223 “Evaluation of security mechanism for IMT-2000”ITU-R </li></ul></ul><ul><ul><li>Recommendation ITU-R S.1250 “Network management architecture for digital satellite systems forming part of SDH transport networks in the fixed-satellite service” </li></ul></ul><ul><ul><li>Recommendation ITU-R M.1078 “Security principles for IMT-2000” </li></ul></ul>
  152. 152. Some useful web resources <ul><li>ITU-T Home page </li></ul><ul><li>Study Group 17 </li></ul><ul><ul><ul><li>e-mail: [email_address] </li></ul></ul></ul><ul><li>LSG on Security </li></ul><ul><li>Security Roadmap </li></ul><ul><li>Security Manual </li></ul><ul><li>Cybersecurity Portal http://www. itu . int / cybersecurity / </li></ul><ul><li>Cybersecurity Gateway http://www. itu . int / cybersecurity /gateway/index.html </li></ul><ul><li>Recommendations http://www. itu . int /ITU-T/publications/recs.html </li></ul><ul><li>ITU-T Lighthouse http://www. itu . int /ITU-T/lighthouse/index. phtml </li></ul><ul><li>ITU-T Workshops </li></ul>