ITUT Workshop on New challenges for Telecommunication Security

ITU-T Workshop on “New challenges for Telecommunication Security Standardizations" Geneva, 9(pm)-10 February 2009 International collaboration for national public networks security Antonio Guimaraes, ITU-T SG-17 vice-chairman Anatel (Brazil) Geneva, 9(pm)-10 February 2009 International Telecommunication Union

Contents Ø WTSA-08 results concerning security and collaboration: Ø Resolution 50 Ø Resolution 52 Ø Resolution 58 Ø Security Baseline for national public networks operators: Ø operator policy Ø technical tools Ø collaboration Ø ITU role in organizing collaboration and coordination: Ø capacity building Ø information exchange Ø strategy and practical issues International Geneva, 9(pm)-10 February 2009 Telecommunication Union 2

Cybersecurity – Resolution 50 Considering: Ø inherent security properties in PSTN (hierarchical struct. , management); Ø in IP nets, separation between user and system components is reduced; Ø converged legacy networks with IP networks are more vulnerable; Ø new cyberattacks are emerging and having serious impacts; Ø ITU-T and JTC 1 (ISO/IEC) have significant published materials and ongoing works on cybersecurity. Resolves: Ø ITU-T should work closely with ITU-D, particularly in Q. 22/1; Ø use as a framework ITU-T Recs. (X. 805, X. 1205), ISO/IEC products/standards and deliverables from other organizations; Ø global, consistent and interoperable processes for sharing incident-response related information should be promoted; . International Geneva, 9(pm)-10 February 2009 Telecommunication Union 3

Countering/combating spam – Res. 52 Recognizing that : Ø "Declaration of Principles" of WSIS states in 37 that: "Spam is a significant and growing problem for users, networks and the Internet as a whole”. Ø spamming is used for criminal, fraudulent or deceptive activities; Ø technical work is carried in SG 17 (Recs. X. 1231, X. 1240, X. 1241). Resolves to instruct the relevant study groups: Ø to support ongoing work, in particular in SG 17, related to countering spam (e. g. , e-mail) and to accelerate their work in order to address existing and future threats; Ø to continue collaboration with relevant organizations (e. g. IETF)), in order to continue developing technical Recs. , exchange best practices and disseminating information through joint workshops, training sessions, etc. , International Geneva, 9(pm)-10 February 2009 Telecommunication Union 4

Creation of CIRTs - Resolution 58 Noting: Ø the increasing attacks and threats on ICT nets through computers; Ø the high level of interconnectivity of networks could be affected by attacks from less-prepared nations; Ø the work carried out on this subject by ITU-D, under Q. 22/1; Ø importance of computer emergency preparedness in all countries. Instructs TSB, in collaboration with TDB : Ø to support the creation of national computer incident response teams (CIRTs), where needed and are currently absent; Ø to collaborate with experts for establishment of national CIRTs; Ø to facilitate collaboration between national CIRTs, such as exchange of information, within an appropriate framework. Geneva, 9(pm)-10 February 2009 International Telecommunication Union 5

Security baseline for network operators Geneva, 9(pm)-10 February 2009 International Telecommunication Union 6

Policy baseline – legal and regulatory Network operators must : Ø have info. security provisions compliant with legal and regulatory requirements of the jurisdiction of business activity; Ø meet the requirements of local jurisdiction, related to cooperation with the law enforcement agencies. It is recommended that: Ø operator adopts a security policy based on recognized best practices (such as [b-ISO/IEC 27002] and [b-ITU-T X. 1051]) and risk assessment, that meets the demands of business activity, compliant with national legislation and that is in accordance with the internal network operator procedures. International Geneva, 9(pm)-10 February 2009 Telecommunication Union 7

Policy baseline – contracts Network operators must: Ø make aware its personnel and the external participants (users, interconnected operators and other interested parties) of the requirements of security policy It is recommended that: Ø the security policy has a clause dedicated to delimitation of responsibility within the operator's personnel, between the operator and its partners, and between the operator and its customers. Ø information security requirements that must be followed by personnel are included in the labor contracts of all employees dealing with publicly-accessible information. Ø network operators work collaboratively to address risks and vulnerabilities. Geneva, 9(pm)-10 February 2009 International Telecommunication Union 8

Policy baseline – implementation Operators must : Ø implement security facilities which should address the reduction of risk; Ø make the cost of such measures reflect the value of the assets protected and the potential damage. It is recommended that: Ø measures implemented to protect an operator's resources or the resources of its customers, should not result in harmful consequences for third parties in an information exchange, nor should any side effects of their deployment cause damage or inconvenience that exceeds the impact of the risk being mitigated. Geneva, 9(pm)-10 February 2009 International Telecommunication Union 9

Technical tools baseline - principles Basic orientations: Ø deploy hardware and software according to the terms of license agreement; Ø install updates and patches in a timely manner as recommended; Ø bring to the notice of users information about applicable patches and updates. Best practices: Ø have accounts for access to the interfaces of communication hardware management (group accounts not recommended). Ø do not use default passwords (set by the manufacturer) to authorize access to any communication hardware/ software; Ø protect network management system information by confidentiality and integrity mechanisms or by using network segments physically isolated from service domains. Geneva, 9(pm)-10 February 2009 International Telecommunication 10 Union

Technical tools baseline – procedures Message labelling: Ø inspected packages can be labelled, so that interconnected operators know that outgoing address is correct; Ø for all incoming messages, mark messages with unsolicited information. Recommendations for counteracting spam : Ø operators should filter spam within their own network; Ø e-mail servers must have the ability to limit the amount of outgoing messages from one user within a unit of time (e. g. protecting against spam or denial of service attacks). Ø ability to delay the delivery of outgoing messages by such sender, until the server administrator confirmation is obtained. Geneva, 9(pm)-10 February 2009 International Telecommunication 11 Union

Technical tools baseline – filters It is recommended for all network operators: Ø to install anti-spoofing filters at the points of interconnection with other networks (operators) and end-users; Ø these filters prevent the transmission of packages with the outgoing addresses from external networks or multicast addresses, as well as receiving packages with such addresses or with reserved or incorrect addresses. Anti-virus and anti-spam: Ø network operators and public information server owners must deploy regularlyupdated anti-viral software. Ø is recommended to have facilities for detecting infected messages, marking and optionally deleting them; Ø each e-mail information server must be enabled with spam-detection; Geneva, 9(pm)-10 February 2009 International Telecommunication 12 Union

Technical tools baseline – inspection Data traffic analysis: Ø operators can deploy automated discovery of statistical traffic anomalies; Ø such traffic anomaly analysis can be used for counteraction to DDo. S attacks. Recommendations Ø the operator should deploy technical and organizational measures that allow him to determine the source of a violation (e. g. , a Do. S attacks) and to block (de-activate) the attacks; Ø regularly-updated intrusion detection and prevention services (IDS/IPS) can be applied to handle selective realtime contextual traffic analysis for the traffic received from users and other operators. Geneva, 9(pm)-10 February 2009 International Telecommunication 13 Union

Technical tools baseline – logs Security logs: Ø personnel activities on the communication facility should be logged; Ø the logs of detected incidents must be stored for a time long enough to facilitate the investigation of incidents. Ø technical correlation tools can be deployed to assess information from all available security logs. Critical information: Ø operators must assure the confidentiality of transmitted and/or stored information related to management and billing systems, personal user data and information about services provided to users. Geneva, 9(pm)-10 February 2009 International Telecommunication 14 Union

Technical tools baseline – settings Security settings: Ø operators should offer the capability to selectively block or filter traffic, at the request of the user. Ø routine control facilities can be used for configuration and maintenance of the security settings of communication facilities and management network elements (including firewalls, routers and servers). Best practices: Ø operators should use approved best security practices (such as [b-ISO/IEC 27002] and [b-ITU-T X. 1051]) whenever developing applications and services for end-users (for example, when offering self-service capabilities). Geneva, 9(pm)-10 February 2009 International Telecommunication 15 Union

Technical tools baseline – users Security mechanisms: Ø security mechanisms and other parameters beyond default security mechanisms shall be configurable (static for NNI interface and may be negotiated for UNI interfaces); Ø the security mechanism negotiation shall have a certain minimum level to be defined by the security domain; e. g. , avoid bidding-down attacks. Users decision: Ø users shall be able to reject communications that do not comply with their minimum security policy. Geneva, 9(pm)-10 February 2009 International Telecommunication 16 Union

Collaboration baseline - interaction Recognizing risks: Ø the operators should help customers (end-users) and service providers recognize risks that arise from the use of network services. Actions to be taken: Ø it would be advisable to establish national interoperator bodies, to work with government branches in the security and integrity of public networks operation; Ø these bodies would have facilities to identify all users and other operators involved in the interactions on the network, to prevent illegal acts (such as child pornography); Ø the operators should inform users about fundamental risks that arise from the network and about counter-measures against these risks, aimed at the reduction of damages. Geneva, 9(pm)-10 February 2009 International Telecommunication 17 Union

Collaboration baseline – prevention Operators must have the ability : Ø to determine the jurisdiction (i. e. , the territory or state) in which a publicly-available information network resource is located. Ø to obtain information about the owner (administrator) of a publicly-available information network resource for purposes of incident investigation or resolution. Leakage of information: Ø It is recommended that the operator promptly inform all affected parties in the event of leakage of a user's data, or the data of an interconnected operator. Geneva, 9(pm)-10 February 2009 International Telecommunication 18 Union

Collaboration baseline - incidents Recognizing risks: Ø personnel responsible for the information security of corporate resources shall be appointed by enterprise users (legal entities); Ø such employees should have sufficient qualifications and authority to counteract security threats. Treatment of incidents: Ø the operator should have a round-the-clock incident response team (IRT), use an outsourced IRT or a National-CSIRT ; Ø operator's IRT must be accessible via phone and e-mail for authorized customers or interconnected operators, in accordance with the operator's policy or service agreement; Ø incidents should be investigated based on the best practices. Geneva, 9(pm)-10 February 2009 International Telecommunication 19 Union

Collaboration baseline – follow up Notification of vulnerabilities : Ø inform users about threats relating to the use of services and information resources; Ø educate the users about settings in the edge network equipment; Ø notification should also be sent to equipment manufacturers. Service level agreement: Ø stipulate, in service level agreement, a clause on procedures for informing users about discovered vulnerabilities in hardware or software that can cause negative consequences to them, mainly those respecting their privacy; Ø the agreement should contain a comprehensive statement of security requirements, should they be violated, it will cause the suspension or termination of communication services. Geneva, 9(pm)-10 February 2009 International Telecommunication 20 Union

ITU’s role in organizing cooperation Geneva, 9(pm)-10 February 2009 International Telecommunication 21 Union

ITU’s role – WSIS and GCA Implementing WSIS action line C. 5: Ø a fundamental role of ITU, according to WSIS and the 2006 ITU Plenipotentiary Conference is to build confidence and security in the use of information and communication technologies (ICTs). Ø Heads of states and government and other global leaders participating in WSIS as well as ITU Member States entrusted ITU to take concrete steps towards limiting the threats and insecurities related to the information society. Global Cybersecurity Agenda : Ø on 17 May 2007, ITU launched the CGA to provide a framework within which the international response to the growing challenges to cybersecurity can be coordinated and addressed in response to its role as Facilitator for action line C. 5; Geneva, 9(pm)-10 February 2009 International Telecommunication 22 Union

ITU’s role – capacity building Capacity building: Ø experts’ training is highly important because people are the weakest link in cybersecurity; Ø training and a high level of user awareness is thus one of the key challenges today. International collaboration and coordination: Ø people are the main actors - they develop the systems, they elaborate the policies and strategies to secure transactions; Ø security threats information exchange: cyberthreat issues are global (countries cannot easily close their borders to incoming cyberthreats); Ø time and geography, as well as the location of victims, are no longer barriers to where and when these attacks are launched by cybercriminals. Geneva, 9(pm)-10 February 2009 International Telecommunication 23 Union

ITU’s role – cooperation Knowledge sharing: Ø best practices and information exchange, including reports on strategy and practical issues of security standardization, evaluation and implementation. Functions available in GCA: Ø the Discussion Forum aimed at exchanging views and ideas on the different work areas, follow the discussion threads, and respond to specific items that have been posted; Ø the Wiki area, providing post and upload resources, links and articles on cybersecurity, in the different work areas of GCA; Ø the Documents area, allowing upload written contributions and documents - all outcome documents resulting from the work of GCA will be posted in this area; Ø the Chat area meant to engage in on-line talks with the other logged-on users. Geneva, 9(pm)-10 February 2009 International Telecommunication 24 Union

ITU’s role – cybersecurity gateway Sections: Ø information sharing of national approaches, good practices and guidelines; Ø developing watch, warning and incident response capabilities; Ø technical standards and industry solutions; Ø harmonizing national legal approaches, international legal coordination and enforcement; Ø privacy, data and consumer protection. For citizens, governments, business and international organizations. Geneva, 9(pm)-10 February 2009 International Telecommunication 25 Union

ITU’s role – security standards Generalizing the recommendations on various aspects of security (from different SDOs) for telecom operators. Geneva, 9(pm)-10 February 2009 ITU-T Study Group 17: Ø SG-17 is the leading study group for activities on telecommunication security; Ø SG-17 produces materials that can be of interest and use to developing countries when identifying practical security solutions; Ø an example of this is the newly revised “ICT Security Standards Roadmap”. Ø this roadmap captures networkrelated security work of not only ITU-T but also of ISO/IEC, IETF and consortia groups as part of their out International -reach activities Telecommunication Union 26

Thank you ! Antonio Guimaraes ateixeira@anatel. gov. br Geneva, 9(pm)-10 February 2009 International Telecommunication 27 Union