Six new standards enabling a more secure ICT environment have been approved by ITU. Experts say that the standards represent an important achievement reflecting the needs of business in establishing risk management strategies and the protection of consumers.
Three ITU-T Recommendations cover a definition of cybersecurity, a standardized way for vendors to supply security updates and guidelines on spyware. The other three focus on countering the modern-day plague of spam by providing a toolbox of technical measures to help consumers and service providers.
Malcolm Johnson, Director, ITU Telecommunication Standardization Bureau: “In the real – non-virtual – world risk management is well understood and so the infrastructure has been developed to protect against theft, fraud and other kinds of attack. The virtual world should be no different. And standards can provide the backbone for this risk-management infrastructure.”
Standards give businesses the systematic approach to information security that they need to keep network assets safe. The adoption of multiple – proprietary – approaches is, experts agree, an inherently more vulnerable approach.
Recommendations on spam are a direct response to a call from the World Telecommunication Standardization Assembly (WTSA), the quadrennial event that defines study areas for ITU-T. Members asked that ITU-T define technical measures to tackle this plague of the digital world following growing global concern at additional costs and loss of revenue to Internet service providers, telecoms operators and business users.
Herb Bertine, Chairman of ITU-T’s Study Group 17 that looks at cybersecurity: “ITU-T is in a unique position given its international scope and the fact that it brings together the private sector and governments to coordinate work on standards and influence the harmonization of security practices worldwide.”
The Recommendations in brief
ITU-T Rec. X.1205 establishes a definition of cybersecurity, noting that this understanding is needed in order to build a foundation of knowledge that can aid in securing the networks of tomorrow. Network protocols, it says, were developed in an environment of trust but today cybersecurity threats are growing. ITU-T Rec. X.1205 provides a classification of security threats from an organization’s point of view. It gives a layered approach to security enabling organizations to create multiple levels of defence against threats.
ITU-T Rec. X.1206 is designed to make it easier for systems administrators to manage patches/updates from multiple software vendors. The work was driven by concerns that the number of different methodologies used to deliver software updates was becoming a headache for companies. The Rec. gives a vendor-neutral framework for automatic notification of security-related information and dissemination of updates.
ITU-T Rec. X.1207 gives guidelines enabling users to identify spyware and for vendors to avoid their products being mistakenly identified as such. The Recommendation promotes best practices around principles of clear notices and users’ consent and controls. Authors of the Recommendation say that it develops and promotes best practices to users on PC security, including use of anti-spyware, anti-virus, personal firewall, and security updates of software on client systems.
ITU-T Rec. X.1231 sets out the requirements for combating spam and will serve as the starting point for all further anti-spam standardization work. It gives an overview of methodologies to counter spam and describes the general characteristics of spam whether for e-mail, SMS, VoIP or other emerging forms of spam. It also outlines key ways to counter spam, and a hierarchical model to establish an efficient and effective anti-spam strategy.
ITU-T Rec. X.1240 is aimed at end users and, focusing just on e-mail spam, brings together various mature spam-combating technologies so that users can select the most appropriate.
ITU-T Rec. X.1241 promotes greater cooperation between service providers in tackling spam. In particular the document provides a framework enabling a communication methodology for alerts on identified spam.