ICT Security - The Need for International Standards

reinhard.scholl@itu.int

Deputy to the Director

Telecommunication Standardization Bureau

International Telecommunication Union

www.itu.int/ITU-T

Outline
  • Why ICT security is becoming important
  • The complex world of ICT Security
  • Security standards

[ICT = Information & Communication Technology]

Confidence & security in the use of ICT - Malaysia, 21 August 2003

1. Why ICT security is becoming important

Security: Telephony vs. Internet
  • Telephone network: Control
    • Offers basically one service
    • Network operators control if new service offered
    • Clear distinction:
      • Interface user – network
      • Interface network – network
  • Internet: “Anarchy” (no negative meaning here)
    • Lots of services (many of them not yet imagined …)
    • Everyone can set up a new service
    • All links network – network
    • Many protocols

A Fundamental Shift is Happening
  • Computers & networks are becoming a utility (like water, electricity, gas, telephone)
  • Business and personal life are more and more dependent on computers
  • Prerequisite: adequate security.
  • [9/11 terrorist attack confirmed the already existing trend of emphasizing security]

Basic Security Services
  • Privacy / Confidentiality:
    • To know that no 3rd party can read a message exchanged between 2 people
  • Authentication:
    • To know that someone is who he/she says he/she is
  • Integrity:
    • To know that a message has not been modified in transit
  • Non-repudiation:
    • To know that someone is not able to deny later that she/he sent a message

Security Applications
  • The previous basic security services can be used to build many security applications:
    • Digital Signature
    • Anonymous e-cash
    • Certified e-mail
    • Secure elections
    • Simultaneous contract signing
    • [add your ideas …]

2. The complex world of ICT security

Some Security Risks
  • “Social engineering” attack:
    • “Amateurs hack systems, professionals hack people” (Bruce Schneier)
    • An organization’s own employees may pose the largest risk:
      • Incompetence, indifference, misconduct
  • New technologies bring new security problems (e.g., WiFi)
  • Buggy software
  • Viruses
  • Malicious hackers breaking into systems
  • Denial of Service attacks

Non-trivial Insights
  • Technology alone cannot fix security problems – Technology is necessary but not sufficient
  • Security is everyone’s business, not just the business of security experts
  • Security decisions must be taken by Management, not by technical staff
  • Security is risk management – the art of worrying about the right things

Cryptography - the Beauty of Mathematics
  • Cryptographic algorithms are “building blocks” to construct secure systems
  • Dramatic advances in cryptography in the last 30 years:
    • Public Key Cryptography (1976)
    • Microprocessor: cheap computing power
    • Quantum cryptography (future)
  • Reminder: security is more a “people problem” than a technical problem

Secret Key Encryption

[Diagram: plain text → encrypt message with secret key → cipher text → decrypt message with same secret key → plain text]

  • Both parties share a single, secret key
  • Problem: exchanging keys in complete secrecy is difficult
  • Best-known example: DES (Data Encryption Standard)

Public Key Encryption

[Diagram: plain text → encrypt message with public (!) key of receiver (!) → cipher text → decrypt message with private key of receiver → plain text]

  • Each participant has
    • A private key that is shared with no one else, plus
    • A public key known to everyone
  • Problem: slower than Secret Key Encryption
  • Best-known example: RSA
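
Added example, not part of the original presentation: a Python sketch of the two models on the Secret Key and Public Key Encryption slides, going one step beyond them to the common hybrid arrangement that answers each slide's stated problem. The SHA-256 keystream, the unpadded RSA, the small primes and all function names are illustrative assumptions, not DES or production RSA.

```python
import hashlib
import secrets

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 over key + counter); stands in for a real cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def secret_key_crypt(key: bytes, data: bytes) -> bytes:
    """Secret key model: the same shared key encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA without padding: returns (public, private) key pairs."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # modular inverse needs Python 3.8+

def hybrid_encrypt(public, plaintext: bytes):
    """Sender needs only the receiver's public key; no secret is exchanged first."""
    n, e = public
    session_key = secrets.token_bytes(16)  # fresh secret key per message
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # slow step, tiny input
    return wrapped, secret_key_crypt(session_key, plaintext)  # fast step, bulk data

def hybrid_decrypt(private, wrapped: int, ciphertext: bytes) -> bytes:
    """Receiver unwraps the session key with the private key, then decrypts."""
    n, d = private
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return secret_key_crypt(session_key, ciphertext)

# Constructed demo key from two known Mersenne primes; far too small for real use.
PUBLIC, PRIVATE = rsa_keypair(2**61 - 1, 2**89 - 1)

if __name__ == "__main__":
    wrapped, ct = hybrid_encrypt(PUBLIC, b"constructed sample message")
    print(ct.hex())
    print(hybrid_decrypt(PRIVATE, wrapped, ct))
```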

Biometrics: your Body – your Password?
  • Recognize a person based on physiological or behavioral characteristics
    • Fingerprint
    • Face
    • Voice
    • Iris
  • Currently costs outweigh benefits

Economics & ICT Security
  • Perverse incentives explain a lot of current information insecurity (Ross Anderson, Univ of Cambridge, UK)
  • Distributed denial of service attack in 2000:
    • Vandals took over computers on low-security University networks and shut down major websites (e.g. Yahoo)
    • Shouldn’t Universities bear some liability for the damages to 3rd parties?
  • Solution: assign legal liabilities to the parties best able to manage the risk (Hal Varian, Univ of California, Berkeley)

Security is Risk Management
  • How much money/time to spend on ICT security?
  • Balance between cost and risk:
    • What are the potential security breaches?
    • What’s the associated loss in each case?
    • What does it cost to defend in each case?
      • Mitigation (e.g. buy technology)
      • Outsource (someone else takes over the risk)
      • Insurance (passing risk to insurance company)
  • Engineers, policymakers, economists, lawyers to forge common approaches

3. Security standards

The Need for Int’l. Security Standards
  • Technical standards should be international:
    • Ensures interoperability - the whole point of most of the standards
    • Economies of scale
  • It would be very helpful for best practice standards to be international
    • Raises awareness
  • Regulatory issues & law enforcement are a national (or regional, e.g. European Union) matter

Security in International Standards Organizations
  • ISO/IEC:
    • 17799: “Information technology – code of practice for information security management” (71 pages; year 2000)
    • addresses organizations, companies
  • IETF:
    • Protocols, e.g. IPsec, TLS, SMIME …
  • ITU: see next slides

ITU Plenipo & WSIS
  • ITU Plenipotentiary Conference 2002:
    • “Strengthening the role of ITU in information and communication network security”
  • WSIS = World Summit on Information Society; www.itu.int/wsis:
    • UN-event
    • 1st phase: Geneva 10-12 Dec 03; 2nd phase: Tunis 16-18 Nov 05
    • Target audience: Heads of State + CEOs + civil society
    • Topics include communication network security

Security in ITU-T Study Groups
  • SG 17 = Lead Study Group for Communication System Security:
    • Coordination / prioritization of security efforts
    • Development of core security Recs.
  • Existing Recommendations include:
    • Security architecture, model, frameworks, and protocols for open systems (X.800-series; X.270 series, jointly with ISO)
    • Trusted Third Party Services (X.842/X.843, jointly with ISO)
    • Public-key and attribute certificate frameworks (X.509, jointly with ISO)

ITU-T SG 17 Security Focus
  • Authentication (X.509, jointly with ISO):
    • Ongoing enhancements as a result of more complex uses
  • Security Architecture for end-to-end communications:
    • Security for management, control and use of network infrastructure, services and applications
  • Telebiometrics: biometrics via distance
    • Model for security and public safety in telebiometrics
  • Security Management:
    • Risk assessment, identification of assets and implementation characteristics
  • Mobile Security:
    • For low power, small memory size and small display devices

ITU-T SG 17: Upcoming Joint Work with ISO / IEC
  • “Information Technology – Security techniques – IT network security”
    • Part 1: Network security management
    • Part 2: Network security architecture
    • Part 3: Securing communications between networks using security gateways
    • Part 4: Remote access
    • Part 5: Securing communications between networks using virtual private networks

Security Studies in other ITU-T Study Groups
  • Security for multimedia systems and services (SG 16)
  • Emergency Telecommunications Services (SG 16)
  • IPCablecom project = interactive services over cable TV networks (SG 9)
  • Telecommunication networks security requirements (SG 2)
  • Framework to support emergency communications (SG 13)

Strengths of ITU-T
  • Unique mix of industry & government
  • Truly global
  • Consensus decisions guarantee wide acceptance
  • Fast procedures
  • Brand name
  • IPR Policy
  • World-class meeting facilities
  • Excellent Secretariat staff

Backup Slides on ITU-T

(not to be shown in talk)

ITU-T Structure

[Organization chart; recoverable labels: Workshops, Focus Group, Joint Group, Project Team]

ITU-T Study Groups
  • SG 2 Operational aspects of service provision, networks and performance
  • SG 3 Tariff and accounting principles including related telecommunications economic and policy issues
  • SG 4 Telecommunication management, including TMN
  • SG 5 Protection against electromagnetic environment effects
  • SG 6 Outside plant
  • SG 9 Integrated broadband cable networks and television and sound transmission  
  • SG 11 Signalling requirements and protocols
  • SG 12 End-to-end transmission performance of networks and terminals
  • SG 13 Multi-protocol and IP-based networks and their internetworking
  • SG 15 Optical and other transport networks
  • SG 16 Multimedia services, systems and terminals
  • SG 17 Data networks and telecommunication software
  • SSG Special Study Group "IMT-2000 and beyond"
  • TSAG Telecommunication Standardization Advisory Group

Lead Study Groups
  • SG 2 service definition, numbering and routing
  • SG 4 TMN
  • SG 9 integrated broadband cable and television networks
  • SG 11 intelligent networks
  • SG 12 Quality of Service and performance
  • SG 13 IP related matters, B-ISDN, Global Information Infrastructure and satellite matters
  • SG 15 access network transport and optical technology
  • SG 16 multimedia services, systems and terminals and on e-business and e-commerce
  • SG 17 frame relay, communication system security, languages and description techniques
  • SSG IMT 2000 and beyond and for mobility

IP project study areas
  • Integrated architecture
  • Impact to telecommunications access infrastructures of access to IP applications
  • Interworking between IP based network and switched-circuit networks, including wireless based networks
  • Multimedia applications over IP
  • Numbering and addressing
  • Transport for IP-structured signals
  • Signalling support, IN and routing for services on IP-based networks
  • Performance
  • Integrated management of telecom and IP-based networks
  • Security aspects

Other areas to consider
  • IP-based networks and their interconnection with telecommunication networks;
  • IP cablecom project;
  • establishment of GII;
  • IMT-2000 and mobility;
  • e-business and e-commerce;
  • reform of accounting rates and tariff studies;
  • MEDIACOM-2004 project and related multimedia activities;
  • security aspects of networks and services;
  • optical transport network;
  • access networks enhancements with xDSL techniques;
  • numbering and routing;
  • network performances and quality of services;
  • protocols for new services and intelligent networks.

ITU-T Series (A-L)
  • Organization of the work of ITU-T
  • Means of expression: definitions, symbols, classification
  • General telecommunication statistics
  • General tariff principles
  • Overall network operation, telephone service, service operation and human factors
  • Non-telephone telecommunication services
  • Transmission systems and media, digital systems and networks
  • Audiovisual and multimedia systems
  • Integrated services digital network
  • Transmission of television, sound programme and other multimedia signals
  • Protection against interference
  • Construction, installation and protection of cables and other elements of outside plant

ITU-T Series (M-Z)
  • TMN and network maintenance: international transmission systems, telephone circuits, telegraphy, facsimile and leased circuits
  • Maintenance: international sound programme and television transmission circuits
  • Specifications of measuring equipment
  • Telephone transmission quality, telephone installations, local line networks
  • Switching and signalling
  • Telegraph transmission
  • Telegraph services terminal equipment
  • Terminals for telematic services
  • Telegraph switching
  • Data communication over the telephone network
  • Data networks and open system communications
  • Global information infrastructure and Internet protocol aspects
  • Languages and general software aspects for telecommunication systems
