international telecommunication union confidence & security in the use of ict malaysia, 21...
Post on 27-Mar-2015
212 Views
Preview:
TRANSCRIPT
International Telecommunication Union
Confidence & security in the use of ICT Malaysia, 21 August 2003
ICT Security - The ICT Security - The Need for Need for
International International StandardsStandardsreinhard.scholl@itu.int
Deputy to the Director
Telecommunication Standardization BureauInternational Telecommunication Union
www.itu.int/ITU-T
2 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Outline
1. Why ICT security is becoming important
2. The complex world of ICT Security
3. Security standards
[ICT = Information & Communication Technology]
3 Confidence & security in the use of ICT - Malaysia, 21 August 2003
1. Why ICT security is becoming important
4 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Security: Telephony vs. Internet
o Telephone network: Control• Offers basically one service• Network operators control if new service
offered• Clear distinction:
• Interface user – network• Interface network – network
o Internet: “Anarchy” (no negative meaning here)
• Lots of services (many of them not yet imagined …)
• Everyone can set up a new services• All links network – network• Many protocols
5 Confidence & security in the use of ICT - Malaysia, 21 August 2003
A Fundamental Shift is Happening
o Computers & networks are becoming a utility (like water, electricity, gas, telephone)
o Business and personal life are more and more dependent on computers
o Prerequisite: adequate security.o [9/11 terrorist attack confirmed
the already existing trend of emphasizing security]
6 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Basic Security Serviceso Privacy / Confidentiality:
• To know that no 3rd party can read a message exchanged between 2 people
o Authentication:• To know that someone is who he/she
says he/she iso Integrity:
• To know that a message has not been modified in transit
o Non-repudiation:• To know that someone is not able to
deny later that she/he sent a message
7 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Security Applications
o The previous basic security services can be used to build many security applications:
• Digital Signature• Anonymous e-cash• Certified e-mail• Secure elections• Simultaneous contract signing• [add your ideas …]
8 Confidence & security in the use of ICT - Malaysia, 21 August 2003
2. The complex world of ICT security
9 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Some Security Risks
o “Social engineering” attack:• “Amateurs hack systems, professionals
hack people” (Bruce Schneier)• An organizations’ own employees may
pose largest risk:• Incompetence, indifference, misconduct
o New technologies bring new security problems (e.g., WiFi)
o Buggy softwareo Viruseso Malicious hackers braking into systemso Denial of Service attackso …
10 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Non-trivial Insights
o Technology alone can not fix security problems – Technology is necessary but not sufficient
o Security is everyone’s business, not just the business of security experts
o Security decisions must be taken by Management, not by technical staff
o Security is risk management – the art to worry about the right things
11 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Cryptography- the Beauty of Mathematics
o Cryptographic algorithms are “building blocks” to construct secure system
o Dramatic advances in cryptography in the last 30 years:
• Public Key Cryptography (1976)• Microprocessor: cheap computing power• Quantum cryptography (future)
o Reminder: security is more a “people problem” than a technical problem
12 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Secret Key Encryption
Plain text Plain text
encrypt message with decrypt message withsecret key same secret key
cipher text
o Both parties share a single, secret keyo Problem: exchanging keys in complete
secrecy is difficulto Best-known example: DES (Data Encryption
Standard)
13 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Public Key Encryption
Plain text Plain text
encrypt message with decrypt message withpublic (!) key of receiver (!) private key of
receiver cipher text
o Each participant has
• A private key that is shared with no one else, plus
• A public key known to everyoneo Problem: slower than Secret Key Encryptiono Best-known example: RSA
14 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Biometrics: your Body – your Password?
o Recognize a person upon physiological or behavioral characteristics
• Fingerprint• Face• Voice• Iris
o Currently costs outweigh benefits
15 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Economics & ICT Securityo Perverse incentives explain a lot of
current information insecurity (Ross Anderson, Univ of Cambridge, UK)
o Distributed denial of service attack in 2000:
• Vandals took over computers on low-security University networks and shut down major websites (e.g. Yahoo)
• Shouldn’t Universities bear some liability for the damages to 3rd parties
o Solution: assign legal liabilities to the parties best able to manage the risk (Hal Varian, Univ of California, Berkeley)
16 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Security is Risk Management
o How much money/time to spend on ICT security?
o Balance between cost and risk:• What are the potential security breaches?• What’s the associated loss in each case?• What does it cost to defend in each case?
• Mitigation (e.g. buy technology)• Outsource (s.o. else takes over the risk)• Insurance (passing risk to insurance company)
o Engineers, policymakers, economists, lawyers to forge common approaches
17 Confidence & security in the use of ICT - Malaysia, 21 August 2003
3. Security standards
18 Confidence & security in the use of ICT - Malaysia, 21 August 2003
The Need for Int’l. Security Standards
o Technical standards should be international:
• Ensures interoperability - the whole point of most of the standards
• Economies of scale
o Best practice standards would be very helpful to be international
• Raises awareness
o Regulatory issues & law enforcement is a national (or regional, e.g. European Union) matter
19 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Security in International Standards Organizations
o ISO/IEC:• 17799: “Information technology –
code of practice for information security management” (71 pages; year 2000)
• addresses organizations, companieso IETF:
• Protocols, e.g. IPsec, TLS, SMIME …o ITU: see next slides
20 Confidence & security in the use of ICT - Malaysia, 21 August 2003
ITU Plenipo & WSISo ITU Plenipotentiary Conference 2002:
• “Strengthening the role of ITU in information and communication network security”
o WSIS = World Summit on Information Society; www.itu.int/wsis:
• UN-event• 1st phase: Geneva 10-12 Dec 03;
2nd phase: Tunis 16-18 Nov 05• Target audience: Heads of State + CEOs
+ civil society• Topics include communication network
security
21 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Security in ITU-T Study Groups
o SG 17 = Lead Study Group for Communication System Security:
• Coordination / prioritization of security efforts
• Development of core security Recs.o Existing Recommendations include:
• Security architecture, model, frameworks, and protocols for open systems (X.800-series; X.270 series, jointly with ISO)
• Trusted Third Party Services (X.842/X.843, jointly with ISO)
• Public-key and attribute certificate frameworks (X.509, jointly with ISO)
22 Confidence & security in the use of ICT - Malaysia, 21 August 2003
ITU-T SG 17 Security Focus
o Authentication (X.509, jointly with ISO):• Ongoing enhancements as a result of more
complex uses
o Security Architecture for end-to-end communications:
• Security for management, control and use of network infrastructure, services and applications
o Telebiometrics: biometrics via distance• Model for security and public safety in
telebiometrics
o Security Management:• Risk assessment, identification of assets and
implementation characteristics
o Mobile Security:• For low power, small memory size and small
display devices
23 Confidence & security in the use of ICT - Malaysia, 21 August 2003
ITU-T SG 17: Upcoming Joint Work with ISO / IEC
o “Information Technology – Security techniques – IT network security”
• Part 1: Network security management• Part 2: Network security architecture• Part 3: Securing communications
between networks using security gateways
• Part 4: Remote access• Part 5: Securing communications
between networks using virtual private networks
24 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Security Studies in other ITU-T Study Groups
o Security for multimedia systems and services (SG 16)
o Emergency Telecommunications Services (SG 16)
o IPCablecom project = interactive services over cable TV networks (SG 9)
o Telecommunication networks security requirements (SG 2)
o Framework to support emergency communications (SG 13)
25 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Strengths of ITU-T
o Unique mix of industry & governmento Truly globalo Consensus decisions guarantee wide
acceptanceo Fast procedureso Brand nameo IPR Policyo World-class meeting facilitieso Excellent Secretariat staff
26 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Backup Slides on ITU-T(not to be shown in talk)
27 Confidence & security in the use of ICT - Malaysia, 21 August 2003
ITU-T StructureWORLD TELECOMMUNICATIONSTANDARDIZATION ASSEMBLY
TELECOMMUNICATIONSTANDARDIZATIONADVISORY GROUP
STUDY GROUP
WORKINGPARTY
R
STUDY GROUP STUDY GROUP
WORKINGPARTY
WORKINGPARTY
R R R
R = RAPPORTEUR GROUP
• Workshops• Focus Group• Joint Group• Project Team
28 Confidence & security in the use of ICT - Malaysia, 21 August 2003
ITU-T Study Groups
o SG 2 Operational aspects of service provision, networks and performance
o SG 3 Tariff and accounting principles including related telecommunications economic and policy
issues o SG 4 Telecommunication management, including TMN o SG 5 Protection against electromagnetic environment effects o SG 6 Outside plant o SG 9 Integrated broadband cable networks and television and sound
transmission o SG 11 Signalling requirements and protocols o SG 12 End-to-end transmission performance of networks and terminals o SG 13 Multi-protocol and IP-based networks and their internetworking o SG 15 Optical and other transport networks o SG 16 Multimedia services, systems and terminals o SG 17 Data networks and telecommunication softwareo SSG Special Study Group "IMT-2000 and beyond" o TSAG Telecommunication Standardization Advisory Group
29 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Lead Study Groups
o SG 2 service definition, numbering and routing o SG 4 TMN o SG 9 integrated broadband cable and television networkso SG 11 intelligent networks o SG 12 Quality of Service and performanceo SG 13 IP related matters, B-ISDN, Global Information
Infrastructure and satellite matterso SG 15 access network transport and optical technologyo SG 16 multimedia services, systems and terminals and on
e-business and e-commerceo SG17 frame relay, communication system security,
languages and description techniqueso SSG IMT 2000 and beyond and for mobility
30 Confidence & security in the use of ICT - Malaysia, 21 August 2003
IP project study areas
o Integrated architectureo Impact to telecommunications access infrastructures
of access to IP applicationso Interworking between IP based network and switched-
circuit networks, including wireless based networkso Multimedia applications over IPo Numbering and addressingo Transport for IP-structured signalso Signalling support, IN and routing for services on IP-
based networkso Performanceo Integrated management of telecom and IP-based
networkso Security aspects
31 Confidence & security in the use of ICT - Malaysia, 21 August 2003
Other areas to consider
o IP-based networks and their interconnection with telecommunication networks;
o IP cablecom project;o establishment of GII;o IMT-2000 and mobility;o e-business and e-commerce;o reform of accounting rates and tariff studies;o MEDIACOM-2004 project and related multimedia
activities;o security aspects of networks and services;o optical transport network;o access networks enhancements with xDSL techniques;o numbering and routing;o network performances and quality of services;o protocols for new services and intelligent networks.
32 Confidence & security in the use of ICT - Malaysia, 21 August 2003
ITU-T Series (A-L)
A. Organization of the work of ITU-TB. Means of expression: definitions, symbols, classificationC. General telecommunication statisticsD. General tariff principlesE. Overall network operation, telephone service, service
operation and human factorsF. Non-telephone telecommunication servicesG. Transmission systems and media, digital systems and
networksH. Audiovisual and multimedia systemsI. Integrated services digital networkJ. Transmission of television, sound programme and other
multimedia signalsK. Protection against interferenceL. Construction, installation and protection of cables and
other elements of outside plant
33 Confidence & security in the use of ICT - Malaysia, 21 August 2003
ITU-T Series (M-Z)M. TMN and network maintenance: international
transmission systems, telephone circuits, telegraphy, facsimile and leased circuits
N. Maintenance: international sound programme and television transmission circuits
O. Specifications of measuring equipmentP. Telephone transmission quality, telephone installations,
local line networksQ. Switching and signallingR. Telegraph transmissionS. Telegraph services terminal equipmentT. Terminals for telematic servicesU. Telegraph switchingV. Data communication over the telephone networkX. Data networks and open system communicationsY. Global information infrastructure and Internet protocol
aspectsZ. Languages and general software aspects for
telecommunication systems
top related