Technical and Procedural Measures
ICTs are a vital tool in information societies. However, they continue to be
exploited by malevolent users, and this phenomenon is becoming intrinsically
linked to organized crime on the Internet. Vulnerabilities in software
applications are purposely sought out in order to create malware that enables
unauthorized access and modification, compromising the integrity,
authenticity and confidentiality of ICT networks and systems. With the
increasing sophistication of malware, these threats cannot be overestimated,
and they could have dire consequences if critical information
infrastructures are affected.
ITU Standardization Work
ITU’s Standardization Sector (ITU-T) holds a unique position in the field of
standardization: its work brings together the private sector and governments
to coordinate work and promote the harmonization of security policy and
security standards on an international scale.
Standards development bodies have a vital role to play in addressing
security vulnerabilities in protocols. In addition to many key security
Recommendations, ITU has developed overview security requirements, security
guidelines for protocol authors, security specifications for the IP-based
systems it defines (NGN, H.323, IPCablecom, etc.), and guidance on how to
identify cyber threats and the countermeasures that mitigate them. ITU also
provides the international platform for the development of the protocols
that protect current and Next-Generation Networks (NGN). ITU’s work
addresses security aspects of NGN architecture, quality of service, network
management, mobility, and billing and payment. Its work on secure
communication services reviews enhancements to the security specifications
for mobile end-to-end data communications and considers security
requirements for web services and application protocols.
In the move to Internet Protocol (IP)-based services, ITU’s H.235.x series of
Recommendations on “H.323 Security” defines the security infrastructure and
services (including authentication and privacy) used by the H.300-series IP
multimedia systems (such as VoIP and videoconferencing) in point-to-point
and multipoint applications. The H.235.x standards give service providers
and enterprises privacy while preserving interoperability between
multimedia products. Users communicating over IP media are authenticated and
authorized using H.235.x, which protects their communications against
critical security threats, and real-time multimedia encryption adds a
further layer of security, guarding against call interception. ITU’s J.170
“IPCablecom Security Specification” defines security requirements for the
IPCablecom architecture, enabling cable TV operators to deliver a secure
two-way capability when providing a variety of IP services, including VoIP.
ITU’s work on security covers a broad range of activities, from network
attacks, theft or denial of service, identity theft and eavesdropping to
telebiometrics for authentication, security for emergency telecommunications
and telecommunication network security requirements. ITU’s Recommendation
X.805 defines a security architecture for systems providing end-to-end
communications. It models a network as three security layers
(infrastructure, services and applications) crossed by three security planes
(management, control and end-user), and applies eight security dimensions
(access control, authentication, non-repudiation, data confidentiality,
communication security, data integrity, availability and privacy) to each
combination. This systematic decomposition allows operators to pinpoint
vulnerable points in a network and address them. ITU’s security framework
extends this with guidelines on protection against cyber attacks.
The results of ITU’s work are evident: one of the most important security
standards in use today is X.509, an ITU-developed Recommendation for
electronic authentication over public networks (also published as ISO/IEC
9594-8 and profiled for the Internet by the IETF in RFC 5280). X.509 is the
definitive reference for public-key certificates and for designing
applications related to public key infrastructure (PKI). The elements
defined in X.509 are used widely: in securing connections between web
browsers and servers, in authenticating the parties that agree the
encryption key protecting the information exchanged, and in providing the
digital signatures that enable e-commerce transactions. Public-key
certificates are also used to authenticate and protect e-mail; an electronic
document carrying a digital signature backed by an X.509 certificate is
widely recognized as the most credible form of electronic document. ITU’s
work on electronic authentication has helped enable jurisdictions around the
world to recognize e-mail as a legal document and to accord legal status to
electronic signatures.
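As an added illustration of what the paragraph above describes (this is not code from the original page or from ITU), the following Go program uses only the standard library’s crypto/x509 package to build a small X.509 PKI in memory (a self-signed root CA, an intermediate CA and a server certificate, with invented names such as “Demo Root CA” and “www.example.test”) and then performs the checks a web browser performs on a server’s certificate: chain construction back to a trusted root, signature verification at each link, basic-constraints and key-usage checks, and hostname matching. It also shows the chain being rejected when the hostname does not match, when the intermediate is missing, or when the trust anchor is a different key that merely carries the same name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI: root CA -> intermediate CA -> server certificate, generated in memory with invented names.
type demoPKI struct {
	Root, Inter, Leaf *x509.Certificate
}

// template returns a certificate body valid for one day with basic constraints encoded (CA:FALSE unless IsCA is set).
func template(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
}

// issue generates a fresh P-256 key for tmpl, has signer (the parent's private key) sign the
// certificate, and returns the parsed certificate plus the new key. A nil signer means self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func buildDemoPKI() (*demoPKI, error) {
	// Root CA: self-signed, allowed at most one level of subordinate CA below it.
	t := template(1, "Demo Root CA")
	t.IsCA, t.MaxPathLen, t.KeyUsage = true, 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	root, rootKey, err := issue(t, nil, nil)
	if err != nil {
		return nil, err
	}
	// Intermediate CA: CA:TRUE with pathlen 0, so it may sign end-entity certificates only.
	t = template(2, "Demo Intermediate CA")
	t.IsCA, t.MaxPathLen, t.MaxPathLenZero, t.KeyUsage = true, 0, true, x509.KeyUsageCertSign
	inter, interKey, err := issue(t, root, rootKey)
	if err != nil {
		return nil, err
	}
	// Server certificate: CA:FALSE, bound to a DNS name, restricted to TLS server authentication.
	t = template(3, "www.example.test")
	t.DNSNames = []string{"www.example.test"}
	t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf, _, err := issue(t, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &demoPKI{Root: root, Inter: inter, Leaf: leaf}, nil
}

// verifyServerCert does what a TLS client does with a server's certificate: build a chain from the
// leaf through the supplied intermediate to a trusted root (checking each signature, validity period,
// basic constraints and key usage) and confirm the leaf is valid for hostname.
func verifyServerCert(leaf, inter, trustedRoot *x509.Certificate, hostname string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	if inter != nil {
		inters.AddCert(inter)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       hostname,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	p, err := buildDemoPKI()
	if err != nil {
		panic(err)
	}
	q, _ := buildDemoPKI() // an independent PKI whose root shares the name but not the key
	fmt.Println("valid for www.example.test:", verifyServerCert(p.Leaf, p.Inter, p.Root, "www.example.test"))
	fmt.Println("same-named foreign root:   ", verifyServerCert(p.Leaf, p.Inter, q.Root, "www.example.test"))
}
```

The last check is the point of the whole design: a name inside an X.509 certificate proves nothing by itself; trust comes only from an unbroken chain of signatures back to a root the verifier already holds, which is why a second root with the identical subject name but a different key is rejected.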
Recently, ITU-T X.1205 “Overview of Cybersecurity” was approved. It provides
a definition of cybersecurity and a taxonomy of security threats. It
discusses the nature of the cybersecurity environment and risks, possible
network protection strategies, secure communications techniques and network
survivability (even under attack).
Currently, all ITU study groups conduct security-related activities and
review security questions as part of their work, while ITU-T Study Group 17
acts as the overall lead study group on telecommunication security and
identity management. In 2002, ITU agreed to cooperate with other standards
development organizations in setting security standards, monitoring security
work carried out around the world and considering best practices and
effective solutions. ITU hosts a regular joint security workshop, inviting
non-member attendees to contribute to a roadmap for future work and to
coordination with other standards development organizations.
ITU-T Study Group 17
Study Group 17 is the lead study group on telecommunication security and
identity management. It is responsible for studies relating to security,
including cybersecurity, countering spam and identity management, and it
provides security guidance and coordinates security-related work across all
ITU-T study groups. Its role as lead study group on security was confirmed
by the World Telecommunication Standardization Assemblies (WTSA) of 2000,
2004 and 2008; much of this work is carried out in close collaboration with
ISO and IEC as a tripartite joint action. WTSA-08 added the lead study group
role for identity management. Study Group 17 has approved over one hundred
Recommendations on security for communications, mainly in the X series,
either by itself or jointly with ISO/IEC or other relevant organizations. It
regularly updates the manual “Security in telecommunications and information
technology” as an overview of security issues and of the deployment of ITU-T
Recommendations for secure telecommunications across all ITU-T study groups
(the third edition was issued in August 2006; the fourth is scheduled for
publication later in 2009).
Study Group 17 also electronically publishes a Security Compendium on its
website containing a catalogue of approved ITU-T Recommendations related to
security and presenting an extract of security definitions from ITU-T and
other sources. The role of Study Group 17 was confirmed and reinforced by
various Resolutions adopted at the WTSA-08 in Johannesburg:
- Resolution 50 on “Cybersecurity”, guiding ITU-T work to build
  Recommendations sufficiently robust to prevent exploitation by malicious
  parties;
- Resolution 52 on “Countering and combating spam”, seeking to integrate
  the technical means to combat spam into the work of ITU-T study groups
  and SG 17 Recommendations.
Study Group 17 is also working on the implementation of WTSA-08 Resolution
58 on “Encourage the creation of national Computer Incident Response Teams,
particularly for developing countries”.
ICT Security Standards Roadmap promoting collaboration between international
standards bodies
The Roadmap was launched by ITU-T Study Group 17 and became a joint effort in
January 2007, when the European Network and Information Security Agency
(ENISA) and the Network and Information Security Steering Group (NISSG)
joined the initiative. The ICT Security Standards Roadmap promotes the
development of security standards by highlighting existing standards,
current work and future standards among key standards development
organizations, and it informs users about security standards. It contains
five parts:
Part 1: ICT Standards Development Organizations and Their Work
outlines the structure of the Roadmap and describes the different standards
organizations, their structure and the work they are undertaking in security
standards (including ITU, ISO, IEC, IETF, OASIS, ATIS, ETSI, IEEE, 3GPP and
3GPP2), complete with links to existing security glossaries.
Part 2: Approved ICT Security Standards
provides a database summarizing the catalogue of approved standards. It
contains guidance on how to use the database, a taxonomy, as well as a list
of acronyms and abbreviations.
Part 3: Security standards under development
summarizes standards under development by ITU and ISO/IEC (as opposed to the
approved standards catalogued in Part 2) and will also describe the
inter-relationships between the work of the standardization bodies. This
catalogue is also being developed as a database.
Part 4: Future needs and proposed new security standards
will outline future areas of work in security standards, where gaps have
been identified or proposals made for new standards work.
Part 5: Best practices
was added to the Roadmap in May 2007, as a repository of security related
best practices contributed by members and stakeholders. The Roadmap will
include the work of other standards organizations in future editions. It is
being transformed into a database format.
ITU Radiocommunications
Global management of the radio-frequency spectrum is increasingly important
for building confidence and security and for creating an enabling
environment in the use of ICTs. Wireless applications such as 3G are
becoming an integral part of daily life, and the global use and management
of frequencies require a high level of international cooperation.
The mission of ITU’s Radiocommunication Sector (ITU-R) is to ensure the
rational, equitable, efficient and economical use of the radio-frequency
spectrum by all radiocommunication services, including those using satellite
orbits, and to carry out studies and adopt Recommendations on
radiocommunication matters. It plays a pivotal role in facilitating the
complex intergovernmental negotiations needed to develop legally binding
agreements between sovereign states in an increasingly ‘unwired’ world.
International radiocommunication provisions are embodied in the ITU Radio
Regulations, a treaty that incorporates the decisions of the World
Radiocommunication Conferences (WRCs), and in the world and regional plans
adopted for the different space and terrestrial services. The Radio
Regulations apply to frequencies ranging from 9 kHz to 400 GHz and set out
how the spectrum is shared around the globe.
WRCs are held every three to four years to update this treaty governing the
use of the radio-frequency spectrum (where some 40 different radio services
compete for spectrum allocations) and of the geostationary-satellite and
non-geostationary-satellite orbits.
ITU-R specializes in developing radio standards, including the
identification and harmonization of spectrum for national, regional and
international broadband network infrastructure, which gives countries and
their citizens the capacity for new ICT-based services delivered through
satellite systems. ITU-R ensures interference-free operation of
radiocommunication systems and facilitates new developments and the safe
continuation of satellite services.
Safeguarding quality of service against degradation or denial of service is
vital for the secure functioning of networks in data transmission and
service provision, and many of ITU-R’s latest Recommendations on generic
requirements and on the protection of radiocommunications against
interference are relevant to security.
ITU’s work in radiocommunication standardization continues, keeping pace
with the constant evolution of modern telecommunication networks. ITU
established clear security principles for IMT-2000 (3G) networks
(Recommendation ITU-R M.1078; Recommendations ITU-R M.1223, M.1457 and
M.1645 are also relevant), recommending early on that the security provided
by mobile broadband IMT-2000 (3G) networks should be comparable to that of
contemporary fixed networks. ITU has also issued Recommendations on security
issues in the network management architecture for digital satellite systems
(Recommendation ITU-R S.1250) and on performance enhancements of the
transmission control protocol over satellite networks (Recommendation ITU-R
S.1711).
IMPACT Global Response Centre
As part of ITU’s collaboration with the International Multilateral
Partnership Against Cyber Threats (IMPACT), the Global Response Centre (GRC)
plays a pivotal role in realizing the GCA objective of putting technical
measures in place to combat new and evolving cyber threats. The two main
components of the GRC are NEWS (Network Early Warning System) and ESCAPE
(Electronically Secure Collaboration Application Platform for Experts). The
GRC is designed to be the foremost cyber threat resource centre in the
world. Working with leading partners, including academia and governments,
the Centre will provide the global community with a real-time aggregated
early warning system. NEWS will help countries identify cyber threats early
on and provide critical guidance on what measures to take to mitigate them.
The GRC will also provide ITU Member States with access to specialized tools
and systems, including the recently developed ESCAPE platform. ESCAPE is an
electronic tool that enables authorized cyber experts across different
countries to pool resources and collaborate remotely within a secure and
trusted environment. By pooling resources and expertise from many countries
at short notice, ESCAPE will enable individual nations and the global
community to respond immediately to cyber threats, especially during
crises.