November 2009
“OAS Hemispheric Workshop on the Development of a National Framework for Cyber Security”
Rio de Janeiro, Brazil, November 16 to 20, 2009
Cybersecurity and Critical Information Protection
CITEL’s Perspective
Clovis Baptista, Executive Secretary of CITEL
Information and Communication Technologies are now an integral part of our lives. Network and service integration and
convergence is ever increasing.
ICTs:
• Automotive Industry & Manufacturing
• Home/workplace
• Stores and services
• Energy/electricity
• Water/sanitation
• Oil and gas
• Health
• Banking and finance
• Transportation/air traffic control
• Public security/law enforcement
• National defense
• Education
• Life sciences and biotechnology
Internet growth continues unabated
Growth of the information society, 1991-2007
[Figure: chart of millions of users per year, 1991 to 2007, with three series: Main Telephone Lines, Internet Users, Mobile Subscribers]
Source: ITU, 2008, Internet World Statistics, November 10, 2008
Notes: Internet Users data 1991-2005 (ITU), 2006 estimate (Internet World Statistics)
Source: CCP.I/1250/08
New social interaction is increasing ICT and Internet growth
• 20% of online adults have online profiles
• 37% have uploaded photos to the Internet
• 22% have shared their own creations online, such as artwork, photos, stories, or videos
• 14% have their own personal web page
• (the percentages are significantly greater for online young adults)
Source: PEW Internet presentation to University of North Florida, Homo Connectus: The impact of technology on people's everyday lives, November 5th, 2007.
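[Figure: online activities, all users compared with young adults]
• Go to video-sharing sites: 33% of all users, 55% of young adults
• Read blogs: 36% of all users, 54% of young adults
• Seek information at Wikipedia sites: 36% of all users, 44% of young adults
• Download podcasts: 12% of all users, 14% of young adults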
Source: CCP.I/1250/08
Digital device adoption is growing
The PEW Study in the US finds growth of cell phones, TVs, DVD players, iPods, PVRs, etc.
• 88% students own cell phones
• 81% own digital cameras
• 63% own MP3 players
• 55% own video cameras
• 55% own laptops
• 27% students own PDA or Blackberry
• 77% students play games online
Source : Internet Innovation Alliance, “Broadband Fact Book”, July 2007
Source: PEW Internet presentation to University of North Florida, Homo Connectus: The impact of technology on people's everyday lives, November 5th, 2007.
Source: CCP.I/1250/08
Anything that can be connected and would benefit from being connected will be connected
Source: Nortel, 2008
Hyperconnectivity is Real and Happening Now: P2P/P2M/M2M
Huge, Giant: Complex systems, inextricable problems
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
Challenges of Cyberspace
Legal Framework
Privacy
Enforcement
The weakest links – across boundaries
Effective security requires that a common and consistent approach be applied to:
• Security management practices
• Physical security
• Operations security
• Business continuity & disaster recovery planning
• Access control systems & methodology
• Cryptography
• Telecommunications & network security
• Application & systems development methodology
• Legal requirements including incident management
Security threats can be intentional (attacks) or accidental
Network Security Threats (1)
(1) C. Pfleeger, Security in Computing, Prentice Hall, 1997.
Interruption (An Attack on Availability):
– Network Becomes Unavailable or Unusable
– Examples:
• Malicious Destruction of a Network Element
• Erasure of a Software Program or Data File
• Cutting of a Communication Facility
Interception (An Attack on Confidentiality):
– An Unauthorized Access to an Asset
– Examples:
• Unauthorized Data Capture (Data Sniffing)
• Discovery of Unprotected WLAN Access Points
Modification (An Attack on Integrity):
– An Unauthorized Tampering with an Asset
– Examples:
• Changing Network Configuration Information
• Changing Data as it is Being Transmitted Across the Network
Fabrication (An Attack on Authenticity):
– Unauthorized Creation, Modification, or Deletion of Objects on a Network
– Examples:
• Unauthorized Access to the Network
• Insertion of Spurious Messages on the Network
• Addition of Records to a Database
OAS Mandate*
Cybersecurity and Critical Infrastructure Protection
• CICTE, CITEL, and REMJA each represent a pillar of the Comprehensive Inter-American Cybersecurity Strategy
– The multidisciplinary efforts of these bodies support the growth, development, and protection of the Internet and related information systems, and protect users of those information networks
– The objective: Create and support a culture of cybersecurity
• Ongoing activities:
– Coordination and cooperation among the Secretariats of CICTE, CITEL and the REMJA Group of Government Experts in Cyber crime
– Strengthening coordination among the national authorities and entities, including the national CSIRTs, involved in addressing Cybersecurity issues
* “Adoption of a Comprehensive Inter-American Strategy to Combat Threats to Cybersecurity: A Multidimensional and Multidisciplinary Approach to Creating a Culture of Cybersecurity”, AG/RES. 2004 (XXXIV-O/04), (Adopted at the fourth plenary session held on June 8, 2004 of XXXIV Meeting of the General Assembly of the OAS)
CITEL in brief
• Telecommunications advisory body established by the OAS GA in 1994. History goes back to March 1890
• Brings together representatives of 35 OAS member states and the private sector (120 associates)
• Main purpose is to promote the sustainable development of telecommunications in the Americas
• Very broad combined mandate
• Strong emphasis on capacity building (20 accredited Regional Training Centers): > 200 fellowships for telecommunications training courses to be granted in 2009
CITEL Cybersecurity Work Plan
• Assess the current work undertaken in the OAS, ITU, and other organizations on issues pertaining to the security and critical infrastructure of communication networks across the region.
• Review the various frameworks and guidelines on network and cybersecurity and their applicability within the Americas region.
• Foster cooperation among Member States on aspects related to advanced network backbone interconnectivity including traffic exchange points and its level of decentralization.
• Consolidate all relevant information on the CITEL Technical Notebooks on Cybersecurity and Critical Infrastructure Protection
“Cybersecurity” Technical Notebook
• Provides an archive of Cybersecurity information available to the telecommunications industry and the Member States
• Highlights ongoing Regional and International cybersecurity strategy activities
• Addresses aspects relevant to developing national cybersecurity strategies
• Addresses issues of spam, incident response, public-private partnerships, and the awareness-raising and application of relevant security standards
• Includes appendices with national experiences
“Critical Telecommunication Infrastructure Protection” Technical Notebook
• What are the CIs to be protected?
• What are the components of a given CI?
• What are the threats against which the CIs should be protected?
• What are the impacts (social, economic and/or political) caused by incidents (natural, accidental or malicious)?
• How are investments prioritized to efficiently protect CIs?
• How should the recovery of a CI be performed after an incident?
Critical Infrastructure Protection Strategies
Sharing initiatives adopted by OAS Member States
CITEL’s approach: Identification of Security Standards
One example:
Security Architecture for Systems Providing End-to-End Communications (ITU-T Rec. X.805)
ITU-T Recommendation X.805, Security Architecture for Systems Providing End-to-End Communications
Addresses three essential questions:
1. What kinds of protection are needed, and against which threats?
2. What are the distinct types of network equipment and facilities requiring protection?
3. What are the distinct types of network activities requiring protection?
The Security Architecture is intended to address global security challenges of Service Providers, enterprises, and consumers.
ITU-T Security Architecture
Endorsed by CITEL PCC.I in March 2004
ITU-T Recommendation X.805, Security Architecture for Systems Providing End-to-End Communications
– Identifies classes of Security Threats (4)
– Describes a Security Architecture consisting of:
• Security dimensions (8)
• Security layers (3)
• Security planes (3)
– Provides guidance for creating a Security Program: applying Security Dimensions to Security Layers and Planes to protect against Security Threats
– References and enhances prior ITU work on security: CCITT Rec. X.800 (1991), Security Architecture for Open Systems Interconnection for CCITT Applications
ITU-T Security Architecture
[Figure: Security Architecture for End-to-End Network Security]
• Security layers: Infrastructure Security, Services Security, Applications Security
• Security planes: End User Plane, Control Plane, Management Plane
• 8 Security Dimensions: Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy
• Threats and attacks acting on vulnerabilities: Interruption, Fabrication, Interception, Modification
Summary
• CITEL is utilizing workshops and Technical Notebooks to increase awareness of Cybersecurity and CIP issues and to assess best practices and strategies in order to increase security and mitigate the effects of cyber crime and fraud
• CITEL is utilizing Standards Coordination Documents to increase awareness of relevant security standards and to endorse the use of those standards in the Region
• Continued cooperation within the Americas Region and continued input from its members on Cybersecurity and CIP experiences and strategies will allow CITEL to remain focused on the most relevant security issues so as to provide recommendations for the Region and provide value to other bodies internationally
Protecting our Infrastructure
Threat Resolution and Prevention
Infrastructure Threat Detection
Infrastructure Threat Identification
Infrastructure Threat Reaction & Containment
Collaboration & Seamless Information Flow
The right information to the right person at the right time in context
Clovis Baptista
Executive Secretary
Inter‐American Telecommunication Commission (CITEL)
E‐mail: [email protected]
Thank you for your attention!
Organization of American States
Inter-American Telecommunication Commission
Security Dimensions
Access Management
• Limit and Control Access to Network Elements, Services, and Applications.
• Techniques Include: ACL, Firewall, IDS, Password, Security Token, RBAC.
Authentication
• Ensure Proof of Identity of the Claimed Entity (Person, Device, Application).
• Techniques Include: Shared Secret, PKI, Digital Signature, Digital Certificate.
Non-repudiation
• Prevent the Denial of an Activity on the Network or Transmission Through a Network.
• Techniques Include: System Logs, Digital Signatures, Asymmetrical Encryption.
Data Confidentiality
• Ensure the Confidentiality of Data to Prevent Unauthorized Viewing.
• Techniques Include: Encryption.
Communication Security
• Ensure Information Only Flows from the Source to the Destination.
• Techniques Include: VPN, MPLS, L2TP, Source Path Routing.
Integrity
• Ensure that Data is Received as Sent or Retrieved as Stored.
• Techniques Include: MD5, Digital Signature, Anti-Virus Software.
Availability
• Ensure network elements, services and applications are available to legitimate users.
• Techniques Include: Reliable network design, IDS, network redundancy, and disaster recovery.
Privacy
• Ensure that confidential information of the end user, network element, and network architecture is not disclosed to an unauthorized entity.
• Techniques Include: Encryption, Service Level agreement, etc.
Security Dimensions are not limited to the network, but extend to applications and end-user information as well