An ITU-T Vision on SPAM




International Telecommunication Union
Aspectos Jurídicos del Comercio Electrónico (Legal Aspects of Electronic Commerce), Sesión 9 (Session 9)
An ITU-T Vision on SPAM
Simão Campos, Counsellor, ITU-T Study Group 16, Telecommunication Standardization Bureau
AntiSpam Forum 2004, CABASE / AMDIA, Buenos Aires, Argentina, 3 June 2004

Overview
- Information about ITU
- High-level directives
- Understanding the problem
- Towards a standards-based solution
- Some existing ITU-T foundational standards
- Some additional ITU resources
- Conclusion
- Additional slides

About ITU

The International Telecommunication Union is an international organization within the United Nations System where governments and the private sector coordinate global telecom networks and services.

ITU structure
- Secretary General; Strategic Planning Unit (SPU)
- Radiocommunication Sector (ITU-R / BR): Study Groups, www.itu.int/itu-r/
- Telecommunication Standardization Sector (ITU-T / TSB): Study Groups, www.itu.int/itu-t/
- Telecommunication Development Sector (ITU-D / BDT): Study Groups, www.itu.int/itu-d/
- ITU Telecom

ITU-T Study Groups (www.itu.int/itu-t/)
- SG 2: Operational aspects of service provision, networks and performance
- SG 3: Tariff and accounting principles including related telecommunications economic and policy issues
- SG 4: Telecommunication management, including TMN
- SG 5: Protection against electromagnetic environment effects
- SG 6: Outside plant
- SG 9: Integrated broadband cable networks and television and sound transmission
- SG 11: Signalling requirements and protocols
- SG 12: End-to-end transmission performance of networks and terminals
- SG 13: Multi-protocol and IP-based networks and their internetworking
- SG 15: Optical and other transport networks
- SG 16: Multimedia services, systems and terminals
- SG 17: Data networks and telecommunication software
- SSG: Special Study Group "IMT-2000 and beyond"
- TSAG: Telecommunication Standardization Advisory Group

ITU-T Study Group 17: Lead Study Group for Communication System Security
- Coordination/prioritization of security efforts
- Development of core security Recommendations
- Manages the ITU-T Security Project
- Maintains compendia of security-related Recommendations and security definitions
- Network / protocol perspective
- Existing Recommendations include:
  - Security architecture, model, frameworks and protocols for open systems (X.800- and X.270-series)
  - Trusted Third Party services (X.842/X.843)
  - Public-key and attribute certificate frameworks (X.509)
  - Security architecture for end-to-end communications (X.805)

ITU-T Study Group 2: Lead SG on Service Definition, Numbering, Routing and Global Mobility
- Users' perspective
- Principles of service provision, definition and operational requirements of service emulation
- Numbering, naming, addressing requirements and resource assignment
- Routing and interworking requirements; human factors
- Operational aspects of networks and associated performance requirements
- Interworking between traditional and evolving telecommunication networks
- Existing Recommendations include:
  - E.408 (ex-E.sec.1): Telecommunication networks security requirements
  - E.409 (ex-E.sec.2): Incident organization and security incident handling
  - Handbook on IP Policy (under development)

High-level directives

ITU Plenipotentiary Conference 2002, Resolution 130: Strengthening the role of ITU in information and communication network security. Resolves:
1. to review ITU's current activities in information and communication network security;
2. to intensify work within existing ITU study groups in order to:
   a) reach a common understanding on the importance of information and communication network security by studying standards on technologies, products and services with a view to developing Recommendations, as appropriate;
   b) seek ways to enhance exchange of technical information in the field of information and communication network security, and promote cooperation among appropriate entities;
   c) report on the result of these studies annually to the ITU Council.

World Summit on the Information Society (WSIS), www.itu.int/wsis/, two phases:
- Geneva, 10-12 December 2003
- Tunis, 16-18 November 2005

Phase 1 output documents: Declaration of Principles; Plan of Action
http://www.itu.int/wsis/documents/doc_multi.asp?lang=en&id=1161 1160

Declaration of Principles: Build confidence and security in the use of ICTs (Section 5, page 5, paras 35, 36, 37)
- Strengthening the trust framework
- Prevention of cybercrime / misuse of ICT
- Fight SPAM (unsolicited electronic messages)

Plan of Action (Action Line C5)
- Cooperation of all stakeholders (governments, civil society, private sector)
- Guidelines, legislation, sharing of good practices
- User education (privacy, etc.)
- National legal instruments for formal recognition of electronic documents (e.g. authentication)
- Strengthen real-time incident handling and response
- Development of secure and reliable applications
- Contributions to the intergovernmental agencies' working groups (e.g. ITU)

Understanding the problem

A taxonomy
- General guidance / architecture:
  - Network perspective (SG 17)
  - Users' perspective (SG 2)
- System/application-specific (SGs 4, 9, 11, 13, 15, 16, SSG)
- Secure infrastructure
- End-to-end security

Vulnerabilities, threats and risks
- Vulnerability: something to be exploited. It can lie in the
  - threat model (e.g. SS7),
  - design (e.g. ambiguities in BGP4 parameters),
  - implementation (e.g. SNMP and ASN.1), or
  - configuration (e.g. 802.11b WiFi).
- Threat: people willing to exploit a vulnerability (hackers, criminals, terrorists, etc.)
- Risk: the consequences of such an exploitation (data loss, fraud, loss of public confidence, etc.)
- While threats change over time, security vulnerabilities exist throughout the life of a protocol.
- Risks must be continuously reassessed!

SPAM: a security risk (among other things)
Security vulnerabilities (in the threat model, the implementation and the configuration) combined with a security threat (abusive e-mailers, virus creators, etc.) produce a security risk: SPAM.

Towards a standards-based solution

What to do?
- Pragmatism
- Learned lessons for a comprehensive framework (X.400, SMTP)
- Foundational standards; protocol requirements
- Standardizers and implementors; best practices; users' perspective
- New or revised standards; transitional measures
- Clarify the role of the different players: ICT industry; governments; users (merchants, ISPs, private persons)

Learned lessons
- Security considerations are a must!
- Understand SMTP vulnerabilities, e.g.:
  - Lack of authentication mechanisms (positive identification of the sender) (Eric Allman, creator of sendmail, et alii)
  - No mechanism for an inbound host to selectively refuse a message (J. Postel, RFC 706, 1975)
- Consider solutions already available in other frameworks, e.g. ITU-T Rec. X.400 and X.500
- Collect the best of existing best practices
- Players: all

A way forward: a pragmatic, multi-pronged approach
- Educate users for safe use of existing systems
- Identify relevant existing or new foundational standards (a standard is a technical specification developed in an open environment, through a consensus-based decision process!)
- Standardizers and implementors: agree on foundational standards; agree on specific standards
- Governments: identify actions that can help solve the problem (executive and legislative actions)
- Implementors: closely apply the agreed standards
- Users and user groups: strive to adhere to defined standards and disseminate best practices

Roles of government
- Legislative: create new or adapt existing national legislation to curb abuses and ensure protection of consumers' rights
- Executive:
  - Public education initiatives
  - X.509 public key infrastructure / digital signature. Example: Spanish government, http://www.cert.fnmt.es/
- Joint activity between regulators: sharing skills, knowledge and experience; where legislation exists, joint enforcement
- Multilateral frameworks for international cooperation (ITU BDT: drafting group of 6 countries, Dec. 2004)

Roles of users
- Flock together: share experiences, develop best practices
- Participate in the debate, contribute to the next steps, influence the standardizers
- Learn about secure practices
- Recognize that the problem is beyond only spam:
  - Irrelevant information and information overload
  - Need for a change in paradigm / practices: (opt-in) distribution channels (RSS); electronic collaboration tools / distributed workspaces; instant messaging

Some existing ITU-T foundational standards

X.805 - Security Architecture for End-to-End Communications
[Figure: the X.805 grid of three security layers by three security planes, with the eight security dimensions applied to each cell; threats (destruction, corruption, removal, disclosure, interruption) and attacks act on the vulnerabilities in each cell]
- Three security layers: Applications Security, Services Security, Infrastructure Security
- Three security planes: End User Plane, Control Plane, Management Plane
- Eight security dimensions: Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security*, Data Integrity, Availability*, Privacy* (* marked on the slide as new concepts in X.805 beyond the conventional security dimensions; see the extra slides)
- Vulnerabilities can exist in each layer, plane and dimension: 72 security perspectives (3 layers x 3 planes x 8 dimensions)

X.400 Message handling system and service overview
- First approved: 1984 (now in its version 5)
- Defines Message Handling System (MHS) elements of service for User Agent (UA)-to-UA [mail client], Message Transfer Agent (MTA)-to-MTA, UA-to-MTA, and UA-to-Message Store (MS) [mail server]
- Application-layer security services: confidentiality, integrity, authentication, non-repudiation and access control

X.509 OSI/The Directory: Public-key and attribute certificate frameworks
- 1st edition in 1988; 5th in preparation
- Written to satisfy multiple needs; extensibility allows organizations to enhance as needed
- Good cooperation between ITU, ISO and IETF
- Used in products such as securing browser traffic and signing executable code
- Laws enabling electronic/digital signature

Some additional ITU resources
- ITU-T Recommendations: http://www.itu.int/rec/recommendation.asp?type=series&parent=t-rec
- ITU Activities on Countering Spam: http://www.itu.int/osg/spu/spam/
- ITU SPU newslog on Spam: http://www.itu.int/osg/spu/newslog/categories/spam/
- Virtual Conference on Regulatory Cooperation on Spam (30 March 2004): http://www.itu.int/itu-d/treg/events/seminars/virtual-events/spam/
- ITU WSIS Thematic Meeting on Countering Spam (Geneva, 7-9 July 2004): http://www.itu.int/osg/spu/spam/meeting7-9-04/ (template for a multilateral MoU for a framework and future collaborative action)

Conclusions

Conclusions: problem recognition
- The social problems and network congestion caused by Internet spam are well recognized
- In the future, as the line between Internet appliances and telecommunications devices blurs, there are opportunities for even greater misuse
- Action is needed, but the problem is complex

Conclusions: key factors for success and challenges
- Understand existing vulnerabilities
- Take advantage of learned lessons and adopt a pragmatic, multi-pronged approach: patches and fixes for the short term; look for a mid- and long-term solution
- Develop a set of global and compatible open, consensus-based standards
- Solutions need to consider national sovereignty and cost aspects
- Partnership between all players
- Rethink paradigms and practices to minimize information overload

Thank you!
simao.campos@itu.int, (T) +41-22-730-6805, (F) +41-22-730-5853
ITU / Place des Nations, CH-1211 Geneva 20, Switzerland

Simão Ferraz de Campos Neto joined the ITU-TSB in 2002 and is the Counsellor for ITU-T Study Group 16, where standardization work takes place on multimedia services, protocols, systems, terminals and media coding. He was the Coordinator in TSB of the 2003 ITU-T Informal Forum Summit, and has also organized several workshops (IP and Multimedia in Satellites, Telecommunications for Disaster Relief and, recently, Standardization in E-health). Prior to joining ITU in 2002, Mr Campos worked as a scientist at COMSAT Laboratories, performing standards representation and quality assessment for digital voice coding systems. A Senior Member of the IEEE, Mr Campos has authored several academic papers and position papers, and served on the review committees of several IEEE-sponsored conferences. He was the editor of the first edition of the TSB Security Manual. Mr Campos received an MSc in Telecommunications in 1993 from the State University of Campinas, Brazil, and a BSc in Electronic Engineering from the same university in 1986.
International Telecommunication Union
Supplemental Material
AntiSpam Forum 2004, CABASE / AMDIA, Buenos Aires, Argentina, 3 June 2004
- ITU-T security building blocks
- Some X-series Recommendations
- Overview of technical solutions
- Detailed ITU structure

ITU-T Security Building Blocks

Security architecture framework
- X.800 Security architecture
- X.802 Lower layers security model
- X.803 Upper layers security model
- X.805 Security architecture for systems providing end-to-end communications
- X.810 Security frameworks for open systems: Overview
- X.811 Security frameworks for open systems: Authentication framework
- X.812 Security frameworks for open systems: Access control framework
- X.813 Security frameworks for open systems: Non-repudiation framework
- X.814 Security frameworks for open systems: Confidentiality framework
- X.815 Security frameworks for open systems: Integrity framework
- X.816 Security frameworks for open systems: Security audit and alarms framework

Protocols
- X.273 Network layer security protocol
- X.274 Transport layer security protocol

Security in Frame Relay
- X.272 Data compression and privacy over frame relay networks

Security techniques
- X.841 Security information objects for access control
- X.842 Guidelines for the use and management of trusted third party services
- X.843 Specification of TTP services to support the application of digital signatures

Directory services and authentication
- X.500 Overview of concepts, models and services
- X.501 Models
- X.509 Public-key and attribute certificate frameworks
- X.519 Protocol specifications

Network management security
- M.3010 Principles for a telecommunications management network
- M.3016 TMN security overview
- M.3210.1 TMN management services for IMT-2000 security management
- M.3320 Management requirements framework for the TMN X-interface
- M.3400 TMN management functions

Systems management
- X.733 Alarm reporting function
- X.735 Log control function
- X.736 Security alarm reporting function
- X.740 Security audit trail function
- X.741 Objects and attributes for access control

Facsimile
- T.30 Annex G Procedures for secure Group 3 document facsimile transmission using the HKM and HFX system
- T.30 Annex H Security in facsimile Group 3 based on the RSA algorithm
- T.36 Security capabilities for use with Group 3 facsimile terminals
- T.503 Document application profile for the interchange of Group 4 facsimile documents
- T.563 Terminal characteristics for Group 4 facsimile apparatus

Television and cable systems
- J.91 Technical methods for ensuring privacy in long-distance international television transmission
- J.93 Requirements for conditional access in the secondary distribution of digital television on cable television systems
- J.170 IPCablecom security specification

Multimedia communications
- H.233 Confidentiality system for audiovisual services
- H.234 Encryption key management and authentication system for audiovisual services
- H.235 Security and encryption for H-series (H.323 and other H.245-based) multimedia terminals
- H.323 Annex J Packet-based multimedia communications systems: Security for H.323 Annex F (Security for simple endpoint types)
- H.350.2 Directory services architecture for H.235
- H.530 Symmetric security procedures for H.323 mobility in H.510

Some ITU-T X-series Recommendations

X.805 is a multi-part standard
Joint project with ISO/IEC JTC 1/SC 27, Information technology: Security techniques: IT network security
- Part 1: Network security management
- Part 2: Network security architecture (X.805)
- Part 3: Securing communications between networks using security gateways
- Part 4: Remote access
- Part 5: Securing communications across networks using virtual private networks

X.805 - Security Architecture for End-to-End Communications (the same 3 layers x 3 planes x 8 dimensions grid shown earlier; the starred dimensions are the new concepts explained on the next slide)

X.805 security dimensions
X.805 differentiates:
- Privacy (the association of users with their actions) from Confidentiality (protection against eavesdropping, tampering, etc.)
- Communication security: ensures that information flows only between authorized end points (information is not diverted or intercepted between these end points)
- Access control: prevention of unauthorized access to resources; related to, but beyond, authentication
- Availability: avoid network interruption (includes network restoration, disaster recovery, etc.)

X.402 MHS overall architecture
- Security procedures and object identifiers for use in MHS protocols to implement application-layer services related to confidentiality, integrity, authentication, non-repudiation and access control

X.500 OSI/The Directory: Overview of concepts, models and services
- Procedures for interconnection of information processing systems to provide directory services and their security features
- Alternative: LDAP

X.509 specifies:
- Public-key certificate: binds the name of an entity to a public key; if the certificate issuer is trusted, then the entity can be authenticated by the use of the associated private key
- Attribute certificate: asserts an entity's privileges, i.e. its right to access information or services; replaces the need for managing rights in the asset-holding system

X.509 is widely used
- Public-key certificates are widely deployed:
  - prevent the classic man-in-the-middle attack (provided the certificate is verified against a trusted issuer)
  - used in Secure Sockets Layer (SSL) to secure browser traffic
  - protect e-mail content and authenticate its source
  - replacing notarized signatures in some areas
- Initial products did not need to implement the standard fully; e.g. early, and some current, browsers do not check certificate revocation status
- Some attribute certificate implementations are being studied
- Example: Spain's Fabrica Nacional de Moneda y Timbre public certificate programme, http://www.cert.fnmt.es/ceres.htm

Overview of Technical Solutions

What is spam? (1)
- No universally agreed definition
- The term generally describes unsolicited electronic communications over personal computers or mobile handsets
- The objective is usually to market commercial products or services
- But it is also the method of choice for delivery of viruses
- Scam mail by fraud artists deceives users into releasing privileged information (credit card numbers, account information, etc.)

What is spam? (2)
- One of the major plagues affecting today's digital world: efficiency loss; other hidden costs
- But it is beyond only spam: irrelevant information and information overload
- Need for a change in paradigm / practices: (opt-in) distribution channels (RSS); electronic collaboration tools / distributed workspaces; instant messaging

Overview of technical solutions
Three stages for implementing measures against spam:
- At the source e-mail server
- At the destination e-mail server
- At the end-user e-mail client

At the source e-mail server
- Source rate limiting: limit how many e-mails can be sent from the source e-mail server within a given timeframe
- Authentication: the source server provides mechanisms whereby the destination e-mail server, or the end-user e-mail client, can verify that the e-mail was indeed sent out by the source e-mail server and/or by the claimed user
- Payment: a server mechanism to charge the user for sending out e-mail via the source e-mail server; hard cash or virtual cash (e.g. CPU cycles in a challenge-response system)
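The two source-side measures above that can be shown in code, rate limiting and "virtual cash" paid in CPU cycles, as an added example (this is not code from the ITU-T deck; the per-sender sliding window, the stamp layout, the 48-hour validity and the replay set are all assumptions made here). The outbound server limits each authenticated sender, and the receiver can verify a proof-of-work stamp with a single hash no matter how much work minting it cost:

```python
"""Source-side anti-spam controls: per-sender rate limiting and a
proof-of-work stamp ("CPU cycles as virtual cash").  Added example,
not code from the ITU-T deck; the stamp format is an assumption."""
import hashlib
import os
import time
from collections import deque


class SenderRateLimiter:
    """Sliding-window limit: at most `limit` messages per `window_s`
    seconds for each authenticated sender on the outbound server."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self._sent = {}  # sender -> deque of send timestamps

    def allow(self, sender, now=None):
        now = time.monotonic() if now is None else now
        q = self._sent.setdefault(sender, deque())
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over quota: defer or reject the submission
        q.append(now)
        return True


def _leading_zero_bits(digest):
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def mint_stamp(sender, recipient, bits=16):
    """Spend CPU until SHA-256(stamp) has `bits` leading zero bits.
    Expected cost is 2**bits hashes per message: negligible for a
    person, ruinous for a bulk mailer.  Assumed layout:
    ver:bits:timestamp:from:to:salt:counter"""
    ts = str(int(time.time()))
    salt = os.urandom(8).hex()
    prefix = "1:%d:%s:%s:%s:%s:" % (bits, ts, sender, recipient, salt)
    counter = 0
    while True:
        candidate = prefix + str(counter)
        if _leading_zero_bits(hashlib.sha256(candidate.encode()).digest()) >= bits:
            return candidate
        counter += 1


def verify_stamp(stamp, sender, recipient, min_bits, seen,
                 max_age_s=48 * 3600, now=None):
    """Receiver-side check: one hash, however hard minting was.  Rejects
    wrong addresses, too little work, stale stamps and replays (`seen`
    is the receiver's double-spend database, a set here)."""
    try:
        ver, bits, ts, frm, to, _salt, _counter = stamp.split(":")
        claimed, issued = int(bits), int(ts)
    except ValueError:
        return False
    if ver != "1" or frm != sender or to != recipient:
        return False
    if claimed < min_bits:
        return False
    now = time.time() if now is None else now
    if abs(now - issued) > max_age_s:
        return False
    if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < claimed:
        return False
    if stamp in seen:
        return False  # replayed stamp: work was already spent once
    seen.add(stamp)
    return True


if __name__ == "__main__":
    rl = SenderRateLimiter(limit=3, window_s=60)
    print([rl.allow("alice@example.net", now=t) for t in (0, 1, 2, 3, 61)])
    s = mint_stamp("alice@example.net", "bob@example.org", bits=12)
    seen = set()
    print(verify_stamp(s, "alice@example.net", "bob@example.org", 12, seen),
          verify_stamp(s, "alice@example.net", "bob@example.org", 12, seen))
```

The asymmetry is the point: the sender pays 2^bits hashes per recipient, the receiver pays one, and the replay set is what turns a stamp into a one-time payment rather than a reusable token.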

At the destination e-mail server
- Destination rate limiting: limit how many e-mails can be received by the destination e-mail server within a given timeframe
- Destination reputation system: the destination e-mail server determines whether to admit an incoming e-mail based on the known (bad or good) reputation of the source e-mail server, i.e. on the earlier behaviour of mail servers (blacklist / whitelist)
- Checksum approach: the server keeps a hash of every received message and a frequency count of the number of hits of that hash; high counts indicate mass mailing; local tables (large sites) or distributed tables (small and medium sites)

At the end-user e-mail client
- Static filtering approach: simple, constant rules (e.g. Outlook, procmail)
- Adaptive filtering approach: dynamic rules (e.g. Bayesian filters)
- Reputation system (end-user client): messages classified according to the earlier behaviour of source mail servers (based on black and white lists)
- Challenge-response system as a possible second criterion

Structure of ITU (detailed)
[Organization chart: Plenipotentiary Conference; Council; General Secretariat (Secretary-General, Deputy Secretary-General, Coordination Committee); Radiocommunication Sector (World/Regional Conferences, Radiocommunication Assembly, Radio Regulations Board, Study Groups, Advisory Group, Director, Bureau); Telecommunication Standardization Sector (World Telecommunication Standardization Assembly (WTSA), Study Groups, Advisory Group, Director, Bureau); Development Sector (World/Regional Conferences, Study Groups, Advisory Group, Director, Bureau); World Conferences on International Telecommunications]
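The destination-server measures described above (reputation lists and the checksum approach) combined in one admission decision, as an added example that is not part of the ITU-T deck. The list matching by parent domain, the canonicalization before hashing, the threshold of three hits and the sample hosts and messages are all constructed here for illustration:

```python
"""Destination-server admission control: source reputation
(blacklist/whitelist) plus the checksum approach (a hash of each
message with a hit counter).  Added example, not from the ITU-T deck;
hosts, messages and thresholds are constructed."""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class DestinationPolicy:
    whitelist: set = field(default_factory=set)    # trusted source MTAs
    blacklist: set = field(default_factory=set)    # known-bad source MTAs
    bulk_threshold: int = 3                        # hits before "mass mailing"
    seen: Counter = field(default_factory=Counter) # local hash table

    def reputation(self, source_host):
        """'bad', 'good' or 'unknown'.  A list entry matches the exact host
        or any parent domain, so 'relay.spam.example' hits 'spam.example'."""
        labels = source_host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            cand = ".".join(labels[i:])
            if cand in self.blacklist:
                return "bad"
            if cand in self.whitelist:
                return "good"
        return "unknown"

    @staticmethod
    def canonical_digest(body):
        """Normalise before hashing so trivially varied copies (case,
        spacing, inserted numbers) still collide.  Assumed canonicalisation;
        a real deployment would use a fuzzier scheme."""
        text = re.sub(r"\d+", "", body.lower())
        text = re.sub(r"\s+", " ", text).strip()
        return hashlib.sha256(text.encode()).hexdigest()

    def admit(self, source_host, body):
        """Decision string: reject:blacklist, accept:whitelist, reject:bulk
        or accept.  Every admitted message is counted, so the hit table
        also learns from whitelisted sources."""
        rep = self.reputation(source_host)
        if rep == "bad":
            return "reject:blacklist"
        digest = self.canonical_digest(body)
        self.seen[digest] += 1
        if rep == "good":
            return "accept:whitelist"
        if self.seen[digest] >= self.bulk_threshold:
            return "reject:bulk"
        return "accept"


def run_sample():
    """Constructed traffic: one blacklisted relay, one partner MTA, and the
    same pitch arriving from three unknown hosts with cosmetic changes."""
    policy = DestinationPolicy(whitelist={"mail.partner.example"},
                               blacklist={"spam.example"})
    traffic = [
        ("relay.spam.example", "Buy now"),
        ("mail.partner.example", "Q2 report attached"),
        ("h1.unknown.example", "CHEAP meds 1234"),
        ("h2.unknown.example", "cheap meds 99"),
        ("h3.unknown.example", "Cheap   meds 5"),
    ]
    return [policy.admit(host, body) for host, body in traffic]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The third copy of the pitch is refused purely on frequency, with no list entry for any of the three hosts; that is what makes the checksum approach complementary to reputation rather than redundant with it.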
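The two client-side filters above in sequence: constant procmail-style rules first, then an adaptive filter that re-scores mail from what the user has already labelled. This is an added example, not code from the ITU-T deck; the rules, the naive-Bayes model over token presence, the 0.9 threshold and the eight-message training corpus are constructed here and far too small for real use:

```python
"""End-user client filtering: static rules in front of an adaptive
naive-Bayes filter trained on the user's own labelled mail.  Added
example, not from the ITU-T deck; corpus and rules are constructed."""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z$!]+")


def tokens(text):
    # Presence, not counts: one word repeated fifty times cannot dominate.
    return set(TOKEN.findall(text.lower()))


# Static rules: cheap, explainable, and exactly what spammers learn to dodge.
STATIC_RULES = [
    ("subject_all_caps", lambda m: m["subject"].isupper() and len(m["subject"]) > 8),
    ("exe_attachment", lambda m: m.get("attachment", "").lower().endswith(".exe")),
]


def static_filter(msg):
    """First pass: returns the name of the first constant rule that fires."""
    for name, rule in STATIC_RULES:
        if rule(msg):
            return name
    return None


class BayesFilter:
    """Naive Bayes over token presence with Laplace smoothing."""

    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tok = Counter()
        self.ham_tok = Counter()

    def train(self, text, is_spam):
        toks = tokens(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tok.update(toks)
        else:
            self.ham_docs += 1
            self.ham_tok.update(toks)

    def spam_probability(self, text):
        """P(spam | tokens), computed in log space to avoid underflow.
        Unseen tokens are ignored rather than letting one novel word swing
        the verdict."""
        total = self.spam_docs + self.ham_docs
        vocab = set(self.spam_tok) | set(self.ham_tok)
        log_spam = math.log(self.spam_docs / total)
        log_ham = math.log(self.ham_docs / total)
        for t in tokens(text) & vocab:
            log_spam += math.log((self.spam_tok[t] + 1) / (self.spam_docs + 2))
            log_ham += math.log((self.ham_tok[t] + 1) / (self.ham_docs + 2))
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


def build_trained_filter():
    """Constructed corpus standing in for the user's labelled mailbox."""
    f = BayesFilter()
    for text in ["cheap meds online buy now",
                 "buy cheap watches now free shipping",
                 "free money claim your prize now",
                 "win a free prize click now"]:
        f.train(text, True)
    for text in ["meeting moved to thursday please confirm",
                 "attached the report for the quarterly review",
                 "can you review the draft before thursday",
                 "lunch on friday with the team"]:
        f.train(text, False)
    return f


def classify(msg, filt, threshold=0.9):
    """Static rules short-circuit; otherwise the Bayesian score decides."""
    rule = static_filter(msg)
    if rule:
        return ("spam", rule)
    p = filt.spam_probability(msg["subject"] + " " + msg["body"])
    return ("spam" if p >= threshold else "ham", round(p, 3))


if __name__ == "__main__":
    f = build_trained_filter()
    for m in [{"subject": "URGENT: ACT NOW", "body": "hello"},
              {"subject": "hello", "body": "free prize buy now"},
              {"subject": "hello", "body": "please confirm the thursday review"}]:
        print(classify(m, f))
```

Retraining on each message the user reclassifies is what makes the second stage adaptive; the static rules never change until someone edits them.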