ITU-T Newslog - Security

Joint Coordination Activity on Child Online Protection established

Mon, 14 May 2012 07:09:31 GMT

ITU has established a new Joint Coordination Activity on Child Online Protection (JCA-COP) to coordinate the COP work across ITUs sectors and Study Groups as well as cooperate with outside stakeholders engaged in COP. ITU-T Study Group 17 is the parent group to JCA-COP, and will leverage its well-developed network of ICT security stakeholders to harmonize these different elements to ensure a unified approach to the creation of global COP standards.

JCA-COP is chaired by Ashley Heineman of the National Telecommunications and Information Administration (NTIA), USA.

In keeping with its Terms of Reference, JCA-COP will coordinate the COP work already underway within ITU-T (particularly that of SGs 2, 9, 13, 15, 16 and 17), and will liaise with ITU-R, ITU-D and ITUs Council Working Group on COP.

JCA-COP seeks to study and understand the composition of the COP ecosystem as it relates to the most relevant stakeholders, and technical, legal or regulatory questions. It will act as the first point of contact for any organization interested in ITU-Ts work on COP, and will also actively pursue means of collaborating with external bodies working in the field.

JCA-COPs internal coordination mandate is thus accompanied by an external research and outreach capacity; to be carried out in a globally-inclusive manner. Cooperation and collaboration with external bodies is always crucial to ITU-Ts standardization work, and it will ensure that ITUs forthcoming COP standards are agreed, and consequently implemented, on an international basis.

More information:

      SG 17s homepage
      The brand-new JCA-COP homepage
      ITU's Child Online Protection (COP) initiative, the ITU Secretariat framework for COP activities across ITU-T, ITU-R and ITU-D.

ITU joins SDOs from China, Japan and Korea to enhance cooperation

Fri, 16 Mar 2012 08:00:07 GMT

Following the signing of a Memorandum of Understanding between ITU and the four standardisation bodies of China, Japan and Korea (CJK) last year, see press release here Malcolm Johnson, Director of the ITUs Telecommunication Standardization Bureau, led a delegation from the ITU Secretariat to the eleventh CJK Meeting (CJK-11) 14-16 March at the Seagaia Convention Centre in Miyazaki Prefecture, Japan. The Indian standards body GISFI also attended the meeting as an observer as it has requested to join the MoU.

The meeting addressed global ICT standardization questions of common interest to the regions key standards bodies: ARIB, CCSA, TTA and TTC.

In his opening speech Johnson noted that CJK governments together account for 15 per cent of the total financial contributions received by ITU from Member States, and private entities from these nations account for 20 per cent of the contributions ITU-T receives from the private sector. Moreover, CJK makes a significant number contribution to ITU meetings: 38 percent more contributions in 2011 than in 2009.

Full speech can be seen here.

CJK meetings seek to maintain and improve the commitment to mutual understanding and cooperation, and recognise the imperative of coordinated international standards for the sound progression of each of the countries ICT industries. The meeting identified the following topics as candidates for collaboration under the MoU: M2M and Dynamic Spectrum Access; Future IMT; smart grid; cloud computing and security; and the work on environment and climate change.

The Deputy Director of ITUs Radiocommunication Bureau, Fabio Leite, also participated in the meeting stressing the importance of collaboration with ITUs Radiocommunication Sector (ITU-R), in particular on M2M access networks where there is a clear need for interoperability between radio-based systems.

Using telecommunication to transfer biometric information

Thu, 27 Oct 2011 12:52:11 GMT

ITU has approved a new protocol to relay biometric information, connecting medical practitioners with the real-time medical data of patients in remote locations. Study Group 17s Recommendation ITU-T X.1080.1 is the first in a suite of e-health and telemedicine recommendations and supports interactions between a patients local medical facility and a remote medical centre.

e-Health technologies have great potential to bridge the service provision inequalities between developed and developing nations, as well as between urban and rural communities. ITU-T X.1080.1 takes into account work in other standards bodies and recognizes and identifies data formats and interactions using Abstract Notation One (ASN.1) object identifiers (OIDs and OID-IRIs). It also provides security features in the form of Cryptographic Message Syntax (CMS), which enables both integrity and encryption.

ITU-T X.1080.1 is designed to provide wide-area communication supporting all health-related activities, where the communication can be usefully undertaken as structured messages. From this base, the X.1080 series will develop into a set of recommendations addressing physical, chemical, biological, culturological and psychological diagnoses, interventions and prescriptions. It aims to remove the need for a co-location of medical practitioners and patients, and will support both multi-party (for audit and training purposes) and one-to-one interaction.

The remaining five parts of the X.1080 series, dealing with the identification of physiological quantities and units, are being constructed in close collaboration with ISO/TC 12, and IEC/TC 25.

Framework for exchange of info on cybersecurity

Tue, 03 May 2011 14:28:22 GMT

ITU has adopted a suite of global technical standards that provide a common framework for exchanging information on cybersecurity. The suite is known as CYBEX and provides for enhancing protection for all kinds of ICT systems, equipment, and software.

CYBEX focuses on the structured exchange of cybersecurity information and provides coherent common specifications allowing different operators, systems, and security communities to communicate vital cybersecurity information to each other, enhance protection, and identify and understand attacks . CYBEX is an important element in ITUs array of standards improving confidence and security in the use of ICTs.

The first three standards of this suite of standards (known as ITU-T X.1500 Recommendations) consist of: (1) an overview of the model for trusted exchange of cybersecurity information; (2) the exchange of vulnerability information; and (3) "weighing" of vulnerabilities.

ITUs security study group (ITU-T Study Group 17) has started new work entitled continuous security monitoring using CYBEX techniques. The work will focus on the use of CYBEX standards by enterprises and network operators to enhance their individual and collective cybersecurity and reduce their risks. Experts say the complexity of existing network infrastructures, equipment, software, and services renders enterprises constantly vulnerable and subject to compromise. The work may also be applicable to cloud computing, virtualization and Smart Grid electrical power management environments.

Cloud progress comes with call for greater interoperability

Thu, 14 Apr 2011 23:28:42 GMT

ITUs Focus Group on Cloud Computing met last week with increased industry support for standards to support worldwide interoperability. Cloud security was also a key topic on the agenda of the group and especially relevant given that subscribing to a cloud model involves complete outsourcing of services and data. The meeting identified these two topics, intercloud relationships and security, as important study items for ITU-T to take forward.

The Focus Group met at the same time as Google vice president, Vint Cerf addressed US National Institute of Standards and Technology's third cloud computing workshop in Gaithersburg, US telling them that cloud interoperability and security remain serious concerns (see here).

Industry experts forming the Focus Group have completed a survey of standards organizations focusing on cloud and begun the process of identifying gaps that can be filled and where that work can be done. The meeting also saw the appointment of a new Vice-chairman: Olivier Colas, Microsoft.

Technical Specifications from the Focus Group are expected by end 2011. The group has identified 15 active organisations in Cloud Computing and established official liaisons with other SDOs including ISO, DMTF, CSA, NIST. The Focus Group has identified several work items to be developed within ITU-T including; the cloud ecosystem; security; cloud architecture; cloud networking; inter-cloud relationships; eco-friendly cloud; accessibility; cloud terminal and cloud management.

Standards need to protect children online

Fri, 04 Mar 2011 10:57:26 GMT

Standardization experts are being asked to examine security-related guidelines/standards on child online protection issues.

The recent Telecommunication Standardization Advisory Group (TSAG) meeting invited experts in ITUs security standardization group (Study Group 17) to examine issues including:

The development of interoperable standards and related recommendations to protect children online. The aim would be to develop a widely shared approach which could be promoted across the whole industry.
Evaluating what options and possibilities exist for real global coordinated and consistent action to protect children online. Attention should be given to the elaboration of those capabilities (e.g. watch and warning and incident management) that would facilitate the gathering of threats and information sharing among different players.
Identifying the commonalities that span the different industry sectors (broadcasters, Internet, mobile) with the purpose of developing Codes of Conduct, or code of practices to help ITU Member States collaborate more effectively with the private sector/industry.
Establish cooperative arrangements between government and the private sector/industry for sharing information and developing specific capabilities aimed at mitigating the risks and extending the potential of ICT usage by children.

ITUs Child Online Protection (COP) initiative was launched in November 2008 as a multi-stakeholder effort to bring together partners from all sectors of the global community to ensure a safe online experience for children everywhere.

SG17 is expected to play a major role in technical aspects on COP, given that security, cybersecurity and identity management are already now being recognized as key fields of potential interest. Several SG17 work items (in ITU parlance Questions) are relevant, and experts from membership are encouraged to contribute.

New challenges in providing confidence and security in the use of ICT

Mon, 10 Jan 2011 16:22:41 GMT

A meeting of ITU-Ts Security Study Group (Study Group 17) at the end of 2010 saw several new standards (ITU-T Recommendations) approved and progress in several important areas. Immediately prior to the main Study Group meeting a workshop, Addressing security challenges on a global scale, open to members and non-members alike attracted 115 participants from 29 countries. Also open to external experts an Identity Summit succeeded as a new tool to add value to technical discussions in SG17.

Some of the new ITU-T Recommendations facilitate the interconnection of security and management systems and to exchange cyber security information, such as of security events and of security attack incidents. The standards specify how this information can be shared across organizations for enhanced security preparedness and broader and better risk mitigation against vulnerabilities, to allow vulnerability databases and other capabilities to be linked together, and to facilitate the comparison of security tools and service.

In detail, Recommendation ITU-T X.1209 identifies real-life scenarios where cybersecurity information can be exchanged across organizations. The standard specifies the principal technical and organizational capabilities necessary for systems in terms of cyber security information exchange. Related new work includes draft Recommendation ITU-T X.1500 which surveys the various candidate techniques for cyber information exchange, and draft Recommendation ITU-T X.1520 which identifies the high-level requirements for enumerating common vulnerabilities.

Also during December meeting two new Recommendations were approved (X.1243 and X.1245) that counter spam and other unsolicited communications though an interactive gateway system. In addition the use and application of the extended validation certificates as put forward in new draft Recommendation ITU-T X.1261 will provide enhanced and superior security to users on the Internet with a trustworthy confirmation of the identity of the entity that controls the website or other services that the users are accessing.

Two new draft Recommendations have been matured (X.1311 and X.1312) that address the security aspects of ubiquitous sensors in networks an emerging area of smart internetworked sensors and devices that are expected to increasingly permeate daily life. The new Recommendations identify the specific and typical security threats and specify appropriate security requirements. Draft Recommendation ITU-T X.1312 follows one promising approach where various security functions and security mechanisms are aggregated within a common middleware component of those sensors. Radio frequency identification (RFID) enabled devices are an early incarnation of such ubiquitous sensors where new Recommendation ITU-T X.1275 gives guidelines to vendors and service providers of RFID enabled devices how to protect the privacy of the users his/her specific personally identifiable information (PII).

Study Group 17 also saw new and ongoing security and identity management standardization work in the area of cloud computing and virtual service platforms where challenging security problems remain to be solved and standardized. Another new interesting area of standardization work seeks to define an information security management reference model for small and medium telecommunication organizations.

A series of tutorials were given at the SG17 meeting and presentations can be downloaded here. Topics included: An update on ICANN activities relating to Security, Stability and Resiliency; Open Identity Trust Frameworks: A Market Solution to Online Identity Trust; Creating a Multilingual Communication Standard for Cross-Border ODR; X.500/LDAP as resolution system and as support provider for RFID; Cybersecurity Information Exchange techniques and their importance for emerging networks.

Cybersecurity Information Exchange Framework (CYBEX): Update

Thu, 22 Apr 2010 14:16:43 GMT

Aprils meeting of ITU-Ts cybersecurity group (SG 17) saw a presentation on progress on the six months of work on the Cybersecurity Information Exchange Framework (CYBEX).

CYBEX imports more than twenty best of breed standards for platforms developed over the past several years by government agencies and industry to enhance cybersecurity. These platforms capture and exchange information about the security "state" of systems and devices, about vulnerabilities, about incidents such as cyber attacks, and related knowledge "heuristics." The Framework pulls these platforms together in a coherent way to provide for 1) locking down on-line systems to minimize vulnerabilities, 2) capturing incident information for analysis when network harmful incidents occur, and 3) facilitating evidence for enforcement action if necessary.

The presentation noted a close collaborative relationship with the Forum of Incident Response and Security Teams (FIRST) - a global organization for coordination and cooperation among Computer Emergency Response Teams.

A wiki-based initial compilation of discovered CIRTs and related agencies and bodies to the SG17 website at:
http://www.itu.int/ITU-T/studygroups/com17/nfvo/index.html

See previous newslog entry for more information on CYBEX.

Addressing security challenges on a global scale: Workshop

Thu, 22 Apr 2010 14:13:19 GMT

ITU-Ts Study Group 17 will hold a workshop Addressing security challenges on a global scale in Geneva, 6 (afternoon)-7 December 2010. The event will focus on how ITU and other standards developing organizations (SDOs) address the main challenges of information and communication security.

A call for abstracts with a deadline for 15 June 2010 has been issued with suggested topics including:

   Emerging applications of PKI
   Collaboration for ICT security standardization
   Developing countries challenges
   Cloud computing: Threat or opportunity
   The cloud in the telecom space
   Identity in the cloud
   Smart grid security
   Assurance, making cybersecurity measurable
   Identity management (IdM)
   CIRTs, sharing of information
   Security awareness
   IPv6 Security
   Telebiometrics standardization
   Meeting regulatory obligations

The workshop is also expected to provide a good opportunity to overview new areas of security studies including Smart Grid and Cloud Computing.

SG 17 aims to hold a similar workshop on annual basis from now on.

ITU-T Study Group 17, work in progress and new work

Thu, 22 Apr 2010 14:06:11 GMT

The recent meeting of ITU-Ts, Study Group 17, saw record attendance with a much increased number of delegates from developing countries. The groups work programme contains more than sixty work items on topics as diverse as identity management (IdM), IPTV security, object identifiers (OID), formal languages and cybersecurity.

Among the work areas that achieved significant progress at the April meeting were directory services, IdM, and IPTV security.

The heavily deployed directory assistance protocol Recommendation ITU-T E.115 was revised at this meeting. E.115 is used for directory assistance information exchange among service providers. E.115 also gives a description of the principles and procedures to be followed in interconnecting different national computerized directory assistance services.

A key standard (ITU-T Recommendation) on IdM was approved. The Baseline IdM Terms and Definitions is considered one of the basic texts for IdM and provides a solid basis for ensuring interoperability between various emerging IdM solutions.

Other work in the IdM field continues apace with new work items proposed on an open identity trust framework; discovery of identity management information; baseline capabilities and mechanisms of identity management for mobile applications and environment and an identity management roadmap.

Also in the field, EVCert, an important tool in the fight against spam is considered likely for first stage approval (consent/determination) at the next meeting of SG 17. EVCert is a product of the CA Browser Forum and is a digital certificate based specification combined with an array of processes and protocols for significantly enhanced organization/provider trust and related transport layer encryption. Approval as an ITU standard (ITU-T Recommendation) will push EVCert forward as the principal global specification for organization/provider trust. EVcert enables special features in web browsers or other compliant programs.

In IPTV security, work progressed in several areas including a key management framework for secure IPTV services; an algorithm selection scheme for service and content protection (SCP) descrambling and a service and content protection (SCP) interoperability scheme.

New work is considered in several new areas:

    Work will start to develop a new standard outlining the basic rules necessary to build national revenue assurance protection systems. The proposal to start the work notes that last year fraud in telecommunication networks decreased revenue of telecommunication companies by 12-15 per cent.

    A new work item on reducing spam in mobile networks focusing on SMS/MMS was proposed and agreed.

    In the area of cloud computing work will progress in two new areas. Firstly the collection of security requirements and a proposed framework outlining the cloud based telecom environment. In addition security guidelines for cloud computing will be developed to help service providers deploy cloud computing.

Technology Watch Report: Biometrics and Standards

Mon, 07 Dec 2009 14:44:13 GMT

A new ITU-T Technology Watch Report titled Biometrics and Standards surveys biometric recognition as a key form of authentication made possible by powerful information and communication technologies (ICT).

Biometrics are used in forensics (e.g., for criminal investigations), government applications (more than 60 countries issue electronic passports containing biometric information) and commercial applications. The latter category includes deployments in the banking sector (secure access to ATMs, credit cards, e-Business), with other sectors gaining momentum. For instance, social-networking websites including Facebook and Picasa have integrated face recognition algorithms to make it easier to search and display all photos featuring ones friends. Biometric systems embedded in cars of a vehicle fleet can help to identify the driver, adjust seat, rear mirrors, and steering wheel to meet individual preferences.

Technologies commonly used in biometrics include recognition of fingerprints, faces, vein patterns, irises, voices and keystroke patterns.

The Report discusses the advantages of biometric authenticators over their knowledge- and possession-based counterparts, describes different physiology- and behavior-related biometric traits and how they are used in biometric systems. A choice of biometric recognition applications is highlighted, and an overview of standardization work in the field of biometrics is given.

"Biometrics and Standards" can be downloaded here.

The authors welcome your feedback on this Report and all other publications of the Technology Watch series. We invite all interested parties to submit paper proposals for future Technology Watch Reports. The Technology Watch secretariat can be contacted at tsbtechwatch@itu.int.

Security standards group chalks two key achievements

Thu, 08 Oct 2009 09:15:24 GMT

A September meeting of the ITUs security standards group saw progress in key areas including identity management and a cybersecurity information exchange. The meeting - of ITU-Ts Study Group 17 saw record attendance signalling the importance attached to ITUs cybersecurity work in the global ICT community.

A key achievement was the establishment of a Cybersecurity Information Exchange which enables a global communications infrastructure for cybersecurity. The framework imports best-of-breed standards from government agencies and industry. Experts say that it promotes better interoperobility including convergence on a common set of open standards.

Malcolm Johnson, Director of the Telecommunication Standardization Bureau (TSB), ITU: It is essential that cybersecurity and telecoms infrastructure protection communities worldwide are able to exchange information on network digital forensics and vulnerabilities. The Framework will, for the first time, provide for this exchange globally.

Without progressing on this Exchange, experts say there is a risk that no coherent common specifications will emerge, with different countries unable to communicate cybersecurity information to each other.

The Cybersecurity Information Exchange focuses on platforms that capture and exchange information about the security state of systems and devices, vulnerabilities, incidents such as cyber attacks, and related knowledge heuristics. It pulls these platforms together to facilitate their global interoperability and use. It does so in a framework that allows for continual evolution to accommodate the significant activities and specification evolution occurring in numerous cybersecurity forums.

Global organization of incident/emergency computer response teams FIRST contributed its vulnerability enumeration standard to the framework. An agreement was reached to hold joint workshops and ITU and FIRST will work together to implement the first comprehensive web-based directory of cybersecurity organizations and centers worldwide.

The recent meeting of ITU-Ts Study Group 17 also saw approval of a core global identity management (IdM) standard Recommendation ITU-T X.1250. The agreement signals the start of work on implementation protocols for essential capabilities like trust mechanisms and identity assurance interoperability.

Arkadiy Kremer, Chairman of Study Group 17, said: Global acceptance of identity management solutions is paramount. The agreement that we have reached here signals an important milestone from where the worlds service providers and users can profit from international standards for IdM capabilities. Industry has put significant weight behind this activity and an IdM framework for global interoperability is emerging.

The term IdM is understood as "management by providers of trusted attributes of an entity such as a subscriber, a device, or a provider." IdM promises to reduce the need for multiple user names and passwords for each online service used, while maintaining privacy of personal information. A global IdM solution will help diminish identity theft and fraud. Further, IdM is one of the key enablers for a simplified and secure interaction between customers and services such as e-commerce.

ITU-T X.1250 gives the ability to enhance exchange and trust in the identities used by telecommunication/ICT networks and services. The definitions and need for identity management trust are highly context dependent and often subject to very different policies and practices in different countries. The trust capabilities include the protection and control of personally identifiable information.

Also agreed was X.1251, a framework for users of digital identity. The standard defines a framework to enhance user control and exchange of their digital identity related information. Two other important Recommendations were progressed to the first stage of approval: X.1252 and X.1275. X.1252 provides a collection of terms and definitions used in identity management (IdM) and it sets the stage for common definition for the whole industry. While, X.1275 provides guidelines and best practices regarding radio frequency identification (RFID) procedures that can be used by service providers to gain the benefits of RFID while attempting to protect personally identifiable information.

Also at the SG 17 meeting new correspondence groups designed to kickstart work in the areas of security for cloud computing, e-health and grid computing were started.

Experts chart anti DoS and spam methodologies

Wed, 24 Sep 2008 15:18:14 GMT

Cybersecurity experts in ITU-Ts Study Group 17 are exploring available methodologies to mitigate denial of service (DoS) attacks and short message service (SMS) spam by determining the origin of electronic communications when this becomes necessary. The work will also better enable settlements for carrying traffic over IP networks, and provide consumer protection from cyber crimes such as stalking and child pornography.

Specifically the group is working on a new Recommendation ITU-T Trace back use case and capabilities (temporarily designated X.tb-ucc). The work is in its early stages and collecting use cases and methodologies from which technical needs will be determined.

Currently there are many ways to find out the origin of network traffic, but it is possible to spoof source addresses. The new work will examine the diverse R&D accomplished over the past several years in many research institutions and consider the needs for operators and users for a trusted means of determining the source of traffic.

For example, telecoms operators are keen to find trusted trace back mechanisms where phantom traffic could be costing them millions of dollars a year. SMS and VOIP (voice over IP) traffic often comes from Internet gateways, and operators may claim a right to charge the originators for delivering it. Consumers are also seeking trusted CallerID capabilities globally that constitute one form of trusted traceback.

Many companies and institutions have provided input material.

Experts anticipate that the resulting Recommendation should describe a broad array of use-cases, as well as generally support the very substantial body of existing legal, regulatory, and industry business requirements for traceback worldwide, including the protection of personal information. The implementation in individual countries is as always subject to requirements specific to national jurisdiction.

ITU experts enable risk management strategies with new standards

Mon, 21 Apr 2008 13:13:54 GMT

Six new standards enabling a more secure ICT environment have been approved by ITU. Experts say that the standards represent an important achievement reflecting the needs of business in establishing risk management strategies and the protection of consumers.

Three ITU-T Recommendations cover a definition of cybersecurity, a standardized way for vendors to supply security updates and guidelines on spyware. While the other three focus on countering the modern day plague of spam by providing a toolbox of technical measures to help consumers and service providers.

Malcolm Johnson, Director, ITU Telecommunication Standardization Bureau: In the real non-virtual world risk management is well understood and so the infrastructure has been developed to protect against theft, fraud and other kinds of attack. The virtual world should be no different. And standards can provide the backbone for this risk-management infrastructure.

Standards give businesses the systematic approach to information security that they need to keep network assets safe. The adoption of multiple proprietary approaches is, experts agree, an inherently more vulnerable approach.

Recommendations on spam are a direct response to a call from the World Telecommunication Standardization Assembly (WTSA), the quadrennial event that defines study areas for ITU-T. Members asked that ITU-T define technical measures to tackle this plague of the digital world following growing global concern at additional costs and loss of revenue to Internet service providers, telecoms operators and business users.

Herb Bertine, Chairman of ITU-Ts Study Group 17 that looks at cybersecurity: ITU-T is in a unique position given its international scope and the fact that it brings together the private sector and governments to coordinate work on standards and influence the harmonization of security practices worldwide.

The Recommendations in brief

ITU-T Rec. X.1205 establishes a definition of cybersecurity noting that this understanding is needed in order to build a foundation of knowledge that can aid securing the networks of tomorrow. Network protocols, it says, were developed in an environment of trust but today cybersecurity threats are growing. ITU-T Rec. X.1205 provides a classification of security threats from an organizations point of view. It gives a layered approach to security enabling organizations to create multiple levels of defence against threats.

ITU-T Rec. X.1206 is designed to make it easier for systems administrators to manage patches/updates from multiple software vendors. The work was driven by concerns that the number of different methodologies used to deliver software updates was becoming a headache for companies. The Rec. gives a vendor-neutral framework for automatic notification of security related information and dissemination of updates.

ITU-T Rec. X.1207 gives guidelines enabling users to identify spyware and for vendors to avoid their products being mistakenly identified as such. The Recommendation promotes best practices around principles of clear notices, and users consents and controls. Authors of the Recommendation say that it develops and promotes best practices to users on PC security, including use of anti-spyware, anti-virus, personal firewall, and security updates of software on client systems.

ITU-T Rec. X.1231 sets out the requirements for combating spam and will serve as the startpoint for all further anti-spam standardization work. It gives an overview of methodologies to counter spam and describes the general characteristics of spam whether for e-mail, SMS, VoIP or other emerging forms of spam. It also outlines key ways to counter spam, and a hierarchical model to establish an efficient and effective anti-spam strategy.

ITU-T Rec. X.1240 is aimed at end users and focusing just on e-mail spam, brings together various mature spam combating technologies in order that users can select the most appropriate.

ITU-T Rec. X.1241 promotes greater cooperation between service providers in tackling spam. In particular the document provides a framework enabling a communication methodology for alerts on identified spam.

Identity work enters new phase

Tue, 16 Oct 2007 14:55:33 GMT

Following completion of four deliverables by The Focus Group on Identity Management, ITU-T's Study Group 17 has recommended to the Telecommunication Standardization Advisory Group (TSAG) that a Global Standards Initiative on Identity Management (IdM-GSI) is established. If the December meeting of TSAG initiates the IdM-GSI and the related Joint Coordination Activity (JCA), a meeting has already been planned for January 2008 to enter into a new phase of work on IdM based on these groups and existing ITU-T studies.

The four IdM deliverables have been transferred to relevant Study Groups via Study Group 17 and also to ISO/IEC JTC 1/SC 27 for further consideration and possible development as ITU-T Recommendations and a potential common text with ISO/IEC on entity authentication assurance. Indeed work on three new ITU-T Recommendations and the ITU-T/ISO common text standard has already begun.

The term IdM is understood as "management by providers of trusted attributes of an entity such as a subscriber, a device, or a provider." IdM promises to reduce the need for multiple user names and passwords for each online service used, while maintaining privacy of personal information. A global IdM solution will help diminish identity theft and fraud. Further, IdM is one of the key enablers for a simplified and secure interaction between customers and services such as e-commerce. A key issue for the Focus Group was to provide interoperability between existing solutions.

Herb Bertine, Chairman of Study Group 17, lead Study Group on security in ITU-T said: We are very pleased with the productivity and efficiency of the Focus Group. We now have the building blocks to enter the important next phase where the worlds service providers can profit from international standards for IdM services. Clearly identity management is an important topic and one that industry has put significant weight behind in order to turn out standards that will provide an IdM framework for global interoperability.

The deliverables were supplied to a meeting of ITU-Ts Study Group 17. Essentially IdM-GSI will be an umbrella title for IdM work that will be distributed across all Study Groups. A joint coordination activity (JCA) will ensure that there is no duplication of work, oversee strategic/planning issues and work assignments and develop a roadmap for the development of a global ID management standards. IdM-GSI will enhance harmonization, in collaboration with other bodies, among the different approaches to IdM frameworks and capabilities worldwide.

The publicly available deliverables are:

Report on Identity Management Ecosystem and Lexicon
Report on Identity Management Use Cases and Gap Analysis
Report on Requirements for Global Interoperable Identity Management
Report on Identity Management Framework for Global Interoperability

The first meeting of IdM-GSI including the JCA-IdM is planned to be held during the January 2008 NGN-GSI event in Seoul, Korea.

New online tool charts cybersecurity standards developments

Thu, 07 Jun 2007 09:42:21 GMT

Press release here.

Call for IPTV papers

Thu, 05 Apr 2007 12:46:47 GMT

Two vice chairs of ITU-Ts IPTV Focus Group will guest edit an upcoming issue of IEEE Communications Magazine. Chae-Sub Lee, of ETRI, Korea and Simon Jones, of BT, UK will edit the issue for publication February 2008.

A call for papers has been issued on the broad topic IPTV Systems, Standards and Architectures. Papers are solicited on topics including IPTV standards progress, architecture for IPTV systems, deployment challenges, performance considerations, content management and security. Articles should be tutorial in nature, further guidelines can be found here.

Online identity work will solve key security issues

Mon, 05 Mar 2007 10:16:08 GMT

The first steps towards a globally harmonized approach to identity management (IdM) have been taken during a meeting bringing together, for the first time, the worlds key players in the IdM space.

IdM promises to reduce the need for multiple user names and passwords for each service used, while maintaining privacy of personal information. A global IdM solution will help diminish identity theft and fraud. Further, IdM is one of the key enablers for a simplified and secure interaction between customers and services such as e-commerce.

Experts at the meeting concurred that interoperability between existing IdM solutions will provide significant benefits such as increased trust by users of on-line services as well as cybersecurity, reduction of SPAM and seamless nomadic roaming between services worldwide.

Abbie Barbir, chairman of the Focus Group on Identity Management (FG IdM): Our main focus is on how to achieve the common goals of the telecommunication and IdM communities. Nobody can go it alone in this space, an IdM system must have global acceptance. There was a very positive feeling at the meeting that we can achieve this and crucially we saw a great level of participation from all key players.

The meeting of the FG IdM brought together developers, software vendors, standards forums, manufacturers, telcos, solutions providers and academia from around the world to share their knowledge and coordinate their IdM efforts. Interoperability among solutions so far has been minimal. One conclusion of attendees is that cooperation is crucial and that players cannot exist in isolation. The spirit of the meeting was that everyone will gain by providing an open mechanism that will allow different IdM solutions to communicate even as each IdM solution continues to evolve. Such a trust metric does not exist today experts say.

Work will continue online and during Focus Group meetings in April, May, and July. An analysis of what IdM is used for will be followed by a gap analysis between existing IdM frameworks now being developed by industry fora and consortiums. These gaps should be addressed before the interworking and interoperability between the various solutions can be achieved. The aim is to provide the basis for a framework which can then be conveyed to the relevant standard bodies including ITU-T Study Groups. The document will include details on the requirements for the additional functionality needed within next generation networks (NGN).

ITU-T has a long history of innovation in this field, with key work on trusted, interoperable identity framework standards including Recommendation X.509 that today serves as the primary public key technical mechanism for communications security across all telecom and internet infrastructures.

Cybersecurity defined

Mon, 08 Jan 2007 09:13:03 GMT

Study Group 17 has initiated the approval process for a standard providing an overview of cybersecurity. The work establishes a definition of cybersecurity that is wide enough in scope to cover various and sometimes inconsistent definitions.

The Recommendation (X.1205) provides a taxonomy of security threats from an organizations point of view. Cybersecurity threats and vulnerabilities including the most common hackers tools of the trade are presented. Threats are discussed at various network layers.

Various Cybersecurity technologies to remedy threats are discussed including: routers, firewalls, antivirus protection, intrusion detection systems, intrusion protection systems, secure computing and audit and monitoring. Network protection principles such as defense in depth, access management with application to Cybersecurity are also discussed. Risk management strategies and techniques are discussed including the value of training and education in protecting the network. In addition examples for securing various networks based on the discussed technologies are also discussed.

ID management group aims to bring harmony

Mon, 08 Jan 2007 09:11:55 GMT

Following ITU-Ts Workshop on Digital Identity for NGN Geneva, 5 December 2006 a decision has been made to set up a Focus Group on Identity Management (IdM) under the parentage of Study Group 17.

Digital identity refers to the online representation of a users or network elements identity and the identity of those that the user or network element interacts with. It does not mean the positive validation of a person. Information regarding device identities is becoming an increasingly valuable commodity, and as a consequence, its protection and management are vital to a healthy and inclusive digital world.

There are different approaches for representing identities and different identity management frameworks. The lack of a common view on digital identity and its management has so far resulted in incompatible applications.

The Focus Group will explore mechanisms that allow different frameworks to interoperate together. Experts said there is a need to identify current gaps in proposed solutions. For example, IdM solutions that involve the telecom network level and in general lower layers have not been addressed sufficiently, they said. The Focus Group will act as a platform for an exchange of information in order to bring about necessary harmonisation.

All standards organizations and developer forums involved in identity management worldwide, including institutes, forums, companies, experts and individuals regardless of whether ITU members or not are encouraged to participate.

The first meeting of the FG IdM is scheduled to take place at ITU Headquarters, in Geneva , from 13 to 16 February 2007.

Survey to assess security preparedness

Fri, 17 Nov 2006 15:31:27 GMT

The Focus Group on Security Baseline for Network Operators has issued a survey, results from which will be used in preparation of a new ITU-T Recommendation Security Baseline for Network Operators. Participants are asked about their level of preparedness in case of various security threats.

Once approved the Recommendation will show the readiness and ability of operators to collaborate and coordinate counteraction against security threats arising from interconnected networks.

The Security Baseline will allow network operators to assess their network and information security posture in terms of what security standards are available, which of these standards should be used to meet particular requirements, when they should be used, and how they should be applied. It will also identify security Recommendations and standards to support evaluation of operators network security and information security. Development of the first draft of the Recommendation will begin towards the end of 2006.

The online survey is aimed at network and service providers a deadline of 24 November 2006 has been set for responses.

ITU-T Hosts Digital ID Event

Fri, 17 Nov 2006 08:15:35 GMT

ITU-T will hold a Workshop on Digital Identity for NGN Geneva , 05 December 2006.

In the last few years, the need for digital identity has risen as a strong driving force behind network architecture design, service provisioning, and content handling, billing and charging. Digital identity is expected to be a powerful tool for users to access unlimited digital resources via a limited number of trusted relationships, and for providers to offer these resources across the different layers of communication systems, administrative domains and even legal boundaries. However, the lack of a common view on digital identity across these different layers has so far resulted in independently developed and therefore often inconsistent identity management frameworks as well as incompatible applications.

Key challenges towards the development of a more consistent approach are to tackle the conflicting requirements of privacy, identification and security. This workshop, a Joint ITU-T/EU IST Daidalos Project Workshop, intends to investigate different approaches, analyze gaps in todays standards, identify future challenges and find common goals which will provide direction to the work currently being undertaken in the different projects and standards development organizations (SDOs).

ITU Will Host Broadband Europe Conference, December

Tue, 07 Nov 2006 08:18:59 GMT

ITU-T will host the annual Broadband Europe conference 11-14 Dec 2006.

BBEurope is an annual event which was initiated by the FP6-BREAD-project (broadband for all in Europe : a multi-disciplinary approach), part of the "BroadBand for All"-strategic objective of the European Commission.

Peter Van Daele, Project Leader BREAD: The concept of Broadband For All refers to a situation in which broadband is not only available to every citizen, but is actually used by all of them. In that respect it is a more demanding concept than the traditional universal service obligation in telephony, which merely stipulates the availability, at certain conditions, of a given service. The usage of information and communication technologies via broadband infrastructures by all citizens is a policy objective because it is considered to be a key component of transforming Europe into a knowledge-based society, thus enhancing economic growth and increasing employment.

The BREAD project has amongst its objectives to develop a holistic vision encompassing technical, as well as economical and regulatory aspects. Another important aspect is of identifying roadblocks on European, national/regional level and share visions and best practices on national level to EU level.

BBEurope brings together on an international level all the BroadBand players, researchers, service providers, content providers, operators, manufacturers, policy makers, standardisation bodies, professional organisations.

A diverse agenda will cover topics including NGN, IPTV, wireless access, powerline, security, QoS, and broadband in rural areas. The event will conclude with a panel discussion titled: Future Perspectives in Broadband. A full preliminary programme is available from the events website, with the call for papers ending November 10 when a programme committee will make a final selection of the papers.

Vote for the most influential standards work from ITU-T

Mon, 05 Jun 2006 07:05:08 GMT

As part of celebrations for the 50^th anniversary of ITU-T, you are invited to vote for the most influential standards work from ITU-T.

ITU work is behind many of the worlds most prevalent information and communications technologies. Choose here from our shortlist which you think has best shaped the ICT world of today, or feel free to suggest your own idea.

Standards for Single Sign-On Given Consent at ITU-T Meeting

Thu, 11 May 2006 07:44:29 GMT

The Security Assertion Markup Language (SAML) and Extensible Access Control Markup Language (XACML) authored by OASIS (Organization for the Advancement of Structured Information Standards) have been consented as internationally recognised ITU-T Recommendations. The announcement is the first result of the formal relationship between the standardization sector of ITU and OASIS.

The standards (ITU-T Recommendations X.1141 (SAML) and X.1142 (XACML)) address the concern of how to allow safe single sign-on, a system that enables a user to authenticate once and gain access to the resources of multiple software systems. While solutions existed in this space, all were proprietary, and therefore not addressing the problem on a global level.

SAML and XACML are designed to control access to devices and applications on a network. The need for standards in this area has become more of an issue as business networks increasingly use the public Internet.

SAML addresses authentication and provides a mechanism for transferring authentication and authorization decisions between cooperating entities, XACML leverages this information to determine access to resources by focusing on the mechanism for arriving at those authorization decisions.

An additional feature of SAML is that it allows organizations to communicate information without any change to their own internal security architectures.

ICT Security Standards Roadmap

Wed, 25 Jan 2006 16:16:44 GMT

This ICT Security Standards Roadmap has been developed to assist in the development of security standards by bringing together information about existing standards and current standards work in key standards development organizations.

In addition to aiding the process of standards development, the Roadmap will provide information that will help potential users of security standards, and other standards stakeholders, gain an understanding of what standards are available or under development as well as the key organizations that are working on these standards.

The Roadmap is in four parts:

Part 1: ICT Standards Development Organizations and Their Work

Part 1 contains information about the Roadmap structure and about each of the listed standards organizations, their structure and the security standards work being undertaken. In addition it contains information on terminology by providing links to existing security glossaries and vocabularies.
Part 2: Approved ICT Security Standards

Part 2 contains a summary catalogue of approved standards.
Part 3: Security standards under development

Part 3 is structured with the same taxonomy as Part 2 but contains work in progress, rather than standards that have already been approved and published. Part 3 will also contain information on inter-relationships between groups undertaking the work and on potential overlaps between existing projects.
Part 4: Future needs and proposed new security standards

Part 4 is intended to capture possible future areas of security standards work where gaps or needs have been identified as well as areas where proposals have been made for specific new standards work.

It is important to note that the Roadmap is a work-in-progress. It is intended that it be developed and enhanced to include other standards organizations as well as a broader representation of the work from organizations already included. It is hoped that standards organizations whose work is not represented in this version of the Roadmap will provide information to ITU-T about their work so that it may be included in future editions.

In the near future provision will be made to allow each organization to manage its own data within the Roadmap. This will enable more timely updating of the information.

More on the ICT Security Standards Roadmap

World's Standards Leaders Meet in France

Thu, 15 Sep 2005 08:01:36 GMT

Leaders from the leading national and regional telecommunications and radio standards organizations and a delegation from ITU consisting of both high-level secretariat staff and Study Group chairs met 28 August - 2 September, at The Tenth Global Standards Collaboration meeting (GSC-10).

The mission of the GSC is to exchange information between participating standards organizations to facilitate collaboration and to support the process of global telecommunication standardization in the ITU. The event was hosted by ETSI in Sophia Antipolis, France.

Participants at GSC-10 included the Australian Communications Industry Forum (ACIF), Association of Radio Industries and Businesses (ARIB) of Japan, the European Telecommunications Standards Institute (ETSI), the Alliance for Telecommunications Industry Solutions (ATIS) and Telecommunications Industry Association (TIA) from the US, the China Communications Standards Association (CCSA), the Telecommunication Technology Committee (TTC) of Japan, the Telecommunications Technology Association (TTA) of Korea, the ICT Standards Advisory Council of Canada (ISACC), and the International Telecommunication Union (ITU).

Guests and observers included representatives from the American National Standards Institute (ANSI), the Asia Pacific Telecommunity (APT), the Open Mobile Alliance (OMA) and: the Sector Board 4 of International Electrotechnical Commission (IEC).

Specific resolutions on the following topics were agreed at the meeting:

Next-Generation Networks
Mapping Standards for "Systems Beyond IMT 2000"
Cybersecurity
Home Networking
Emergency Communications
Broadband Services in Rural and Remote Areas
Open Standards
Facilitating Liaison in relation to Measurement Methodologies for Assessing Human Exposure to RF Energy
Wireless access including RLANs, Ad-Hoc Networking and Broadband Wireless Access
Supporting Automotive Crash Notification ("ACN") by Public Wireless Communications Networks
Radio Microphones and Cordless Audio Devices
RFID Systems, Services and Networking
Public Protection & Disaster Relief
Ultra Wide Band
Intellectual Property Rights Policies
User Interest Working Group

Other areas discussed were:

Location-based Services
Internet Protocol over Wireless
Software defined radio & Cognitive radio
Digital Broadcasting including mobile multimedia applications
Satellite services

ITU maintains a repository of documents relating to this and all past GSC meetings.

APT Meeting Looks at Spam

Fri, 09 Sep 2005 12:07:36 GMT

The recent Asia Pacific Telecommunity (APT) Symposium on Network Security and SPAM presented background information, detailed the current situation, new developments and steps ahead on network security and fighting spam in the Asia-Pacific region.

TSB presented highlights of ITU-T work on security, also detailing the level of participation of the AP region in Study Group 17, the ITU-T group that looks at security issues. Mr Jianyong Chen (ITU-T SG 17 Vice Chair from China ) also attended the event and made a detailed presentation on current SG 17 work. He also chaired two sessions. In addition TSB presented the results of the ITU WSIS Thematic Meeting on Cybersecurity held in Geneva , 28 June 1 July 2005.

The meeting was organized in three full-day sessions and was attended by some 70 representatives from the Asia-Pacific area. The first day was dedicated to cybersecurity, the second to countering spam, and the third to cooperation initiatives. The complete set of presentations at the meeting can be downloaded here.

The meeting invited AP countries to step-up their capability building initiatives and encouraged APT to increase its collaboration on network security and spam with international organizations working in the area, ITU-T in particular.

Security for IP Media Reviewed

Wed, 24 Aug 2005 07:33:13 GMT

A suite of ten new standards that provide security for IP media communications such as VoIP or videoconferencing got an update at the last meeting of ITU-Ts Study Group 16.

The security framework outlined in the H.235 series of ITU-T Recommendations provides the protocols necessary for these media to be authorised and routed. Equipment using these standards can deliver connectivity without compromising security.

With the help of the Recommendations, users communicating through IP media are authenticated and authorized so that their communications are protected against various security threats. Real-time multimedia encryption adds a further layer of security, protecting against call interception. The security countermeasures are designed to thwart service fraud, avoid service misuse and detect malicious message tampering. H.235 also gives the ability to provide a greater level of security using public key infrastructure (PKI) certificates.

Additionally, two new security profiles were added to provide [H.235.8] key exchange using the secure real-time transport protocol (SRTP) in H.323 networks and [H.235.9] to allow discovery of security gateways in the signalling path between communicating H.323 entities, in order to preserve signalling integrity and privacy.

Firewall Traversal Problem Solved

Wed, 24 Aug 2005 07:31:10 GMT

Standards that may accelerate the adoption of VoIP in corporate environments and resolve an issue that has slowed down the adoption of videoconferencing have been completed by ITU-T.

The standards from ITU-Ts multimedia Study Group (Study Group 16) provide a robust and easy to implement solution that will allow any H.323 based system communicating on an IP network to more easily communicate across the boundary imposed by NAT or firewalls (FW).

Videoconferencing and VoIP have long been plagued with problems when trying to work across network address translation (NAT) and firewall boundaries. Despite previous attempts to address the issue, no standardized way of dealing with the problem has emerged until now.

Without the ITU solution many network managers and operators have found that the only way to allow inbound VoIP calls in a firewall-protected environment is to leave a permanent hole from the outside world, open a range of port numbers for VoIP use, or locate devices outside of the firewall. Clearly, these solutions violate even the most basic security policies.

Recommendation H.460.18 enables H.323 devices to exchange signalling and establish calls, even when they are placed inside a private network behind NAT/FW devices. These extensions, when used together with Recommendation H.460.19, which defines NAT/FW traversal for media, enable upgraded H.323 endpoints to traverse NAT/FW installations with no additional equipment on the customer premises. Alternatively, the H.460.18 and H.460.19 functionality may be implemented in a proxy server, so that unmodified H.323 endpoints can also benefit from it.

Work on the related Recommendation H.248.37 was also finished at the Study Group meeting. Session border controllers (SBCs) are becoming an important part of the Internet infrastructure, and some SBCs are being split into media gateway controller (MGC) and media gateway (MG) components. One important function of a SBC is to perform network address and port translation (NAPT). H.248.37 allows the MGC to instruct a MG to latch to an address provided by an incoming Internet Protocol (IP) application data stream, rather than the address provided by the call/bearer control. This enables the MG to open a pinhole for data flow, and hence allow connections to be established.

As well as these ITU-T Recommendations, Study Group 16 will shortly publish two technical papers on the topic: The Requirements for Network Address Translator and Firewall Traversal of H.323 Multimedia Systems and Firewall and NAT traversal Problems in H.323 Systems.

Technical Tutorials Given at Recent ITU-T Meeting

Wed, 22 Jun 2005 10:25:50 GMT

Two technical sessions were given at the last meeting of Study Group 5 in Geneva . Study Group 5 is the ITU-T group that looks at protection against electromagnetic environment effects. Technical sessions are tutorials on a specific subject that aim to provide background for the preparation of new standards (ITU-T Recommendations) on these topics.

The first session was on security, and was presented by William Radasky, Chairman of IEC SC 77C (high power transient phenomena). Radaskys lectures dealt with electromagnetic threats such as high power electromagnetic phenomena and its effect on systems and mitigation methods. This will help SG5 prepare recommendations to protect telecommunication systems against malicious man-made high power transient phenomena. Radasky also detailed IECs work which will help ITU-T experts avoid duplication of their work.

The second session was on home networking and was in collaboration with Study Group 9. The SG 9 contribution was in the areas of architecture, transport technology, security, quality of service and management of home networks. SG 5s contributions were in the areas of electromagnetic compatibility (EMC), electromagnetic security and electromagnetic emission issues in the home environment.

Workshop on "New Horizons for Security Standardization"

Wed, 22 Jun 2005 07:36:05 GMT

Workshop on "New Horizons for Security Standardization"
Geneva, 3 - 4 October 2005

Introduction

An ITU-T workshop - New Horizons for Security Standardization - will take place at ITU Headquarters, in Geneva, 3 - 4 October 2005, prior to a meeting of Study Group 17.

Objectives

The overall objectives of the workshop are to help address information and communications security issues and promote increased cooperation between organizations engaged in security standardization work. Consideration will also be given to issues of adoption and implementation of security standards. In particular, the workshop will:

seek to find out from stakeholders (e.g., network operators, system developers, users etc.) what are their primary security concerns/issues?
determine where ITU-T and other standards development organizations (SDOs) can most effectively play a role in helping address the issues (i.e., which issues are amenable to a standards solution?);
identify which SDOs are working on these issues or are best equipped to do so; and
agree on next steps for security standardization.

More

Cybersecurity II Confirmed

Thu, 12 May 2005 17:39:20 GMT

Following the success of the Cybersecurity Symposium held in Florianópolis, Brazil, October 2004, ITU has decided to hold another event.

Cybersecurity Symposium II will be held on the first day of the Russian Association for Networks and Services (RANS) conference - Security and Trust for Infocommunication Networks Deployment, Moscow.

The symposium will highlight the importance of cybersecurity as an essential part of information and communication technologies (ICT). There will be discussion on international cooperation, which is increasingly becoming the decisive issue in coordinating the efforts of state institutions and business for the harmonized development of normative, legal, technological and organizational aspects of an effective cybersecurity infrastructure. Additionally there will be a review of the necessary standards development.