ICT Security -The need for International Standards



1. ICT Security - The Need for International Standards
   Reinhard Scholl, reinhard.scholl@itu.int
   Deputy to the Director, Telecommunication Standardization Bureau, International Telecommunication Union
   www.itu.int/ITU-T

2. Outline
   - Why ICT security is becoming important
   - The complex world of ICT security
   - Security standards
   - [ICT = Information & Communication Technology]

3. 1. Why ICT security is becoming important

4. Security: Telephony vs. Internet
   - Telephone network: Control
     - Offers basically one service
     - Network operators control whether a new service is offered
     - Clear distinction:
       - Interface user – network
       - Interface network – network
   - Internet: "Anarchy" (no negative meaning here)
     - Lots of services (many of them not yet imagined ...)
     - Everyone can set up a new service
     - All links are network – network
     - Many protocols

5. A Fundamental Shift is Happening
   - Computers & networks are becoming a utility (like water, electricity, gas, telephone)
   - Business and personal life are more and more dependent on computers
   - Prerequisite: adequate security
   - [The 9/11 terrorist attack confirmed the already existing trend of emphasizing security]

6. Basic Security Services
   - Privacy / Confidentiality:
     - To know that no 3rd party can read a message exchanged between 2 people
   - Authentication:
     - To know that someone is who he/she says he/she is
   - Integrity:
     - To know that a message has not been modified in transit
   - Non-repudiation:
     - To know that someone is not able to deny later that she/he sent a message
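The four services on this slide are easiest to tell apart by seeing which ones a single primitive does and does not give. The following is an added example, not code from the presentation or from ITU: it uses a keyed hash (HMAC-SHA256 from the Python standard library) over a constructed message and a constructed shared key to show integrity (a modified message fails verification) and authentication (only a holder of the key can produce a valid tag), and then shows why the same primitive cannot give non-repudiation: the receiver holds the same key and can forge an equally valid tag, so the sender could later deny having sent it. The key, message and tamper function are hypothetical values chosen for the demonstration.

```python
import hashlib
import hmac

# Constructed sample values (hypothetical): a key shared by sender and receiver,
# a key held by some third party, and a short message.
SHARED_KEY = b"constructed-shared-key-for-demo-only"
OUTSIDER_KEY = b"constructed-key-of-a-third-party"
MESSAGE = b"transfer 100 EUR to account 42"


def tag_message(key: bytes, message: bytes) -> bytes:
    """Integrity + authentication tag: HMAC-SHA256 over the message with a shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """True only if the tag was produced with this key over exactly this message.
    compare_digest runs in constant time so the check does not leak the tag byte by byte."""
    return hmac.compare_digest(tag_message(key, message), tag)


def deliver(message: bytes, tamper=None) -> bool:
    """Simulate sending a tagged message across a network; an optional tamper function
    plays the role of an attacker modifying the message in transit."""
    tag = tag_message(SHARED_KEY, message)
    received = tamper(message) if tamper else message
    return verify_message(SHARED_KEY, received, tag)


def outsider_can_authenticate(message: bytes) -> bool:
    """Authentication: a party without the shared key cannot produce a tag the receiver accepts."""
    forged_tag = tag_message(OUTSIDER_KEY, message)
    return verify_message(SHARED_KEY, message, forged_tag)


def receiver_can_forge(message: bytes) -> bool:
    """No non-repudiation: the receiver knows SHARED_KEY too, so it can create a tag that is
    indistinguishable from the sender's. A digital signature (private key held by the sender
    alone) is the primitive that adds non-repudiation on top of integrity and authentication."""
    receiver_made_tag = tag_message(SHARED_KEY, message)
    return verify_message(SHARED_KEY, message, receiver_made_tag)


if __name__ == "__main__":
    print("unmodified message accepted:", deliver(MESSAGE))
    print("modified message accepted:  ", deliver(MESSAGE, lambda m: m.replace(b"100", b"900")))
    print("outsider's tag accepted:    ", outsider_can_authenticate(MESSAGE))
    print("receiver can forge a tag:   ", receiver_can_forge(MESSAGE))
```

Note that confidentiality is deliberately absent here: the message travels in clear and only its authenticity is protected, which is exactly what separates this service from the encryption on the later slides.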
7. Security Applications
   - The previous basic security services can be used to build many security applications:
     - Digital signature
     - Anonymous e-cash
     - Certified e-mail
     - Secure elections
     - Simultaneous contract signing
     - [add your ideas ...]
8. 2. The complex world of ICT security

9. Some Security Risks
   - "Social engineering" attack:
     - "Amateurs hack systems, professionals hack people" (Bruce Schneier)
     - An organization's own employees may pose the largest risk:
       - Incompetence, indifference, misconduct
   - New technologies bring new security problems (e.g., WiFi)
   - Buggy software
   - Viruses
   - Malicious hackers breaking into systems
   - Denial of Service attacks
   - ...

10. Non-trivial Insights
   - Technology alone cannot fix security problems – technology is necessary but not sufficient
   - Security is everyone's business, not just the business of security experts
   - Security decisions must be taken by management, not by technical staff
   - Security is risk management – the art of worrying about the right things

11. Cryptography – the Beauty of Mathematics
   - Cryptographic algorithms are "building blocks" for constructing secure systems
   - Dramatic advances in cryptography in the last 30 years:
     - Public Key Cryptography (1976)
     - Microprocessor: cheap computing power
     - Quantum cryptography (future)
   - Reminder: security is more a "people problem" than a technical problem

12. Secret Key Encryption
   - Plain text --[encrypt message with secret key]--> cipher text --[decrypt message with the same secret key]--> Plain text
   - Both parties share a single, secret key
   - Problem: exchanging keys in complete secrecy is difficult
   - Best-known example: DES (Data Encryption Standard)

13. Public Key Encryption
   - Plain text --[encrypt message with the public (!) key of the receiver]--> cipher text --[decrypt message with the private key of the receiver]--> Plain text
   - Each participant has
     - A private key that is shared with no one else, plus
     - A public key known to everyone
   - Problem: slower than secret key encryption
   - Best-known example: RSA
14. Biometrics: your Body – your Password?
   - Recognize a person by physiological or behavioral characteristics
     - Fingerprint
     - Face
     - Voice
     - Iris
   - Currently costs outweigh benefits

15. Economics & ICT Security
   - Perverse incentives explain a lot of current information insecurity (Ross Anderson, Univ. of Cambridge, UK)
   - Distributed denial of service attack in 2000:
     - Vandals took over computers on low-security university networks and shut down major websites (e.g. Yahoo)
     - Shouldn't universities bear some liability for the damages to 3rd parties?
   - Solution: assign legal liabilities to the parties best able to manage the risk (Hal Varian, Univ. of California, Berkeley)

16. Security is Risk Management
   - How much money/time to spend on ICT security?
   - Balance between cost and risk:
     - What are the potential security breaches?
     - What is the associated loss in each case?
     - What does it cost to defend in each case?
       - Mitigation (e.g. buy technology)
       - Outsourcing (someone else takes over the risk)
       - Insurance (passing the risk to an insurance company)
   - Engineers, policymakers, economists and lawyers need to forge common approaches
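Slide 16 lists the questions of a cost-versus-risk balance without showing the arithmetic. The following added example (not from the presentation or from ITU) carries one breach scenario through those questions: expected annual loss is probability times loss, each defence option changes the probability and/or the share of the loss still borne, and the option to choose is the one with the lowest sum of its own cost and the residual expected loss. The scenario, the probabilities and the costs are constructed values for illustration; the three option kinds are the slide's own (mitigation, outsourcing, insurance), plus "do nothing" as the baseline against which any spending must justify itself.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DefenceOption:
    name: str
    annual_cost: float            # what it costs to defend (premium, contract, technology)
    residual_probability: float   # yearly breach probability if this option is chosen
    retained_loss_share: float    # fraction of the loss still borne by us when a breach happens


@dataclass
class BreachScenario:
    name: str
    loss_per_event: float         # associated loss if the breach happens
    base_probability: float       # yearly probability with no additional defence
    options: List[DefenceOption] = field(default_factory=list)


def expected_loss(probability: float, loss: float, retained_share: float = 1.0) -> float:
    """Annualised expected loss: how often it happens times what it costs us when it does."""
    return probability * loss * retained_share


def evaluate(scenario: BreachScenario) -> List[Tuple[str, float, float, float]]:
    """Return (option, own cost, residual expected loss, total) for doing nothing and each option."""
    rows = [("do nothing", 0.0, expected_loss(scenario.base_probability, scenario.loss_per_event))]
    for opt in scenario.options:
        residual = expected_loss(opt.residual_probability, scenario.loss_per_event, opt.retained_loss_share)
        rows.append((opt.name, opt.annual_cost, residual))
    return [(name, cost, residual, cost + residual) for name, cost, residual in rows]


def best_option(scenario: BreachScenario) -> str:
    """The option to fund is the one minimising (cost of defending + residual expected loss)."""
    return min(evaluate(scenario), key=lambda row: row[3])[0]


# Constructed scenario (hypothetical numbers): a public web server that could be compromised.
WEB_SERVER = BreachScenario(
    name="web server compromise",
    loss_per_event=200_000.0,
    base_probability=0.10,
    options=[
        # Mitigation: buy technology and patching effort; breach becomes rarer, loss stays ours.
        DefenceOption("mitigation", annual_cost=8_000.0, residual_probability=0.02, retained_loss_share=1.0),
        # Outsourcing: a provider takes over the service and, by contract, the risk.
        DefenceOption("outsourcing", annual_cost=15_000.0, residual_probability=0.0, retained_loss_share=0.0),
        # Insurance: breach still happens as often, but only a 10% deductible remains with us.
        DefenceOption("insurance", annual_cost=6_000.0, residual_probability=0.10, retained_loss_share=0.10),
    ],
)

if __name__ == "__main__":
    for name, cost, residual, total in evaluate(WEB_SERVER):
        print(f"{name:12s} cost {cost:>9,.0f}  residual loss {residual:>9,.0f}  total {total:>9,.0f}")
    print("choose:", best_option(WEB_SERVER))
```

The point of the table is the one the slide makes: the cheapest option is not "buy the most technology" but whichever combination of cost and residual risk is lowest, and with different inputs (a lower premium, a better deductible, a cheaper patching process) the answer moves; the numbers are what management has to decide on.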
17. 3. Security standards

18. The Need for Int'l. Security Standards
   - Technical standards should be international:
     - Ensures interoperability - the whole point of most standards
     - Economies of scale
   - Best-practice standards would also benefit greatly from being international
     - Raises awareness
   - Regulatory issues & law enforcement are a national (or regional, e.g. European Union) matter

19. Security in International Standards Organizations
   - ISO/IEC:
     - 17799: "Information technology – code of practice for information security management" (71 pages; year 2000)
     - addresses organizations, companies
   - IETF:
     - Protocols, e.g. IPsec, TLS, S/MIME ...
   - ITU: see next slides

20. ITU Plenipo & WSIS
   - ITU Plenipotentiary Conference 2002:
     - "Strengthening the role of ITU in information and communication network security"
   - WSIS = World Summit on the Information Society; www.itu.int/wsis:
     - UN event
     - 1st phase: Geneva, 10-12 Dec 03
     - 2nd phase: Tunis, 16-18 Nov 05
     - Target audience: Heads of State + CEOs + civil society
     - Topics include communication network security

21. Security in ITU-T Study Groups
   - SG 17 = Lead Study Group for Communication System Security:
     - Coordination / prioritization of security efforts
     - Development of core security Recommendations
   - Existing Recommendations include:
     - Security architecture, model, frameworks and protocols for open systems (X.800-series; X.270-series, jointly with ISO)
     - Trusted Third Party services (X.842/X.843, jointly with ISO)
     - Public-key and attribute certificate frameworks (X.509, jointly with ISO)

22. ITU-T SG 17 Security Focus
   - Authentication (X.509, jointly with ISO):
     - Ongoing enhancements as a result of more complex uses
   - Security architecture for end-to-end communications:
     - Security for management, control and use of network infrastructure, services and applications
   - Telebiometrics: biometrics at a distance
     - Model for security and public safety in telebiometrics
   - Security management:
     - Risk assessment, identification of assets and implementation characteristics
   - Mobile security:
     - For devices with low power, small memory size and small displays

23. ITU-T SG 17: Upcoming Joint Work with ISO/IEC
   - "Information Technology – Security techniques – IT network security"
     - Part 1: Network security management
     - Part 2: Network security architecture
     - Part 3: Securing communications between networks using security gateways
     - Part 4: Remote access
     - Part 5: Securing communications between networks using virtual private networks

24. Security Studies in other ITU-T Study Groups
   - Security for multimedia systems and services (SG 16)
   - Emergency Telecommunications Services (SG 16)
   - IPCablecom project = interactive services over cable TV networks (SG 9)
   - Telecommunication networks security requirements (SG 2)
   - Framework to support emergency communications (SG 13)

25. Strengths of ITU-T
   - Unique mix of industry & government
   - Truly global
   - Consensus decisions guarantee wide acceptance
   - Fast procedures
   - Brand name
   - IPR policy
   - World-class meeting facilities
   - Excellent Secretariat staff
26. Backup Slides on ITU-T (not to be shown in talk)

27. ITU-T Structure
   - Workshops
   - Focus Group
   - Joint Group
   - Project Team

28. ITU-T Study Groups
   - SG 2: Operational aspects of service provision, networks and performance
   - SG 3: Tariff and accounting principles including related telecommunications economic and policy issues
   - SG 4: Telecommunication management, including TMN
   - SG 5: Protection against electromagnetic environment effects
   - SG 6: Outside plant
   - SG 9: Integrated broadband cable networks and television and sound transmission
   - SG 11: Signalling requirements and protocols
   - SG 12: End-to-end transmission performance of networks and terminals
   - SG 13: Multi-protocol and IP-based networks and their internetworking
   - SG 15: Optical and other transport networks
   - SG 16: Multimedia services, systems and terminals
   - SG 17: Data networks and telecommunication software
   - SSG: Special Study Group "IMT-2000 and beyond"
   - TSAG: Telecommunication Standardization Advisory Group

29. Lead Study Groups
   - SG 2: service definition, numbering and routing
   - SG 4: TMN
   - SG 9: integrated broadband cable and television networks
   - SG 11: intelligent networks
   - SG 12: Quality of Service and performance
   - SG 13: IP-related matters, B-ISDN, Global Information Infrastructure and satellite matters
   - SG 15: access network transport and optical technology
   - SG 16: multimedia services, systems and terminals, and e-business and e-commerce
   - SG 17: frame relay, communication system security, languages and description techniques
   - SSG: IMT-2000 and beyond, and mobility

30. IP project study areas
   - Integrated architecture
   - Impact to telecommunications access infrastructures of access to IP applications
   - Interworking between IP-based networks and switched-circuit networks, including wireless-based networks
   - Multimedia applications over IP
   - Numbering and addressing
   - Transport for IP-structured signals
   - Signalling support, IN and routing for services on IP-based networks
   - Performance
   - Integrated management of telecom and IP-based networks
   - Security aspects

31. Other areas to consider
   - IP-based networks and their interconnection with telecommunication networks;
   - IP cablecom project;
   - establishment of GII;
   - IMT-2000 and mobility;
   - e-business and e-commerce;
   - reform of accounting rates and tariff studies;
   - MEDIACOM-2004 project and related multimedia activities;
   - security aspects of networks and services;
   - optical transport network;
   - access network enhancements with xDSL techniques;
   - numbering and routing;
   - network performance and quality of service;
   - protocols for new services and intelligent networks.

32. ITU-T Series (A-L)
   - A: Organization of the work of ITU-T
   - B: Means of expression: definitions, symbols, classification
   - C: General telecommunication statistics
   - D: General tariff principles
   - E: Overall network operation, telephone service, service operation and human factors
   - F: Non-telephone telecommunication services
   - G: Transmission systems and media, digital systems and networks
   - H: Audiovisual and multimedia systems
   - I: Integrated services digital network
   - J: Transmission of television, sound programme and other multimedia signals
   - K: Protection against interference
   - L: Construction, installation and protection of cables and other elements of outside plant

33. ITU-T Series (M-Z)
   - M: TMN and network maintenance: international transmission systems, telephone circuits, telegraphy, facsimile and leased circuits
   - N: Maintenance: international sound programme and television transmission circuits
   - O: Specifications of measuring equipment
   - P: Telephone transmission quality, telephone installations, local line networks
   - Q: Switching and signalling
   - R: Telegraph transmission
   - S: Telegraph services terminal equipment
   - T: Terminals for telematic services
   - U: Telegraph switching
   - V: Data communication over the telephone network
   - X: Data networks and open system communications
   - Y: Global information infrastructure and Internet protocol aspects
   - Z: Languages and general software aspects for telecommunication systems