
Cybersecurity and Critical Information Protection … · Cybersecurity and Critical Information...

Date post: 17-Sep-2018
November/2009 “OAS Hemispheric Workshop on the Development of a National Framework for Cyber Security” Rio de Janeiro, Brazil November 16 to 20, 2009 Cybersecurity and Critical Information Protection CITEL’s Perspective Clovis Baptista Executive Secretary of CITEL
Transcript
Page 1

November/2009

“OAS Hemispheric Workshop on the Development of a National Framework for Cyber Security”

Rio de Janeiro, Brazil
November 16 to 20, 2009

Cybersecurity and Critical Information Protection

CITEL’s Perspective

Clovis Baptista
Executive Secretary of CITEL

Page 2

Information and Communication Technologies are now an integral part of our lives. Network and service integration and convergence is ever increasing.

[Diagram: ICTs and the following sectors]

• Automotive Industry & Manufacturing
• Home/workplace
• Stores and services
• Energy/electricity
• Water/sanitation
• Oil and gas
• Health
• Banking and finance
• Transportation/air traffic control
• Public security/law enforcement
• National defense
• Education
• Life sciences and biotechnology

Page 3

Internet growth continues unabated

[Figure: Growth of the information society, 1991-2007. Chart of millions of users per year (1991 to 2007, axis 0 to 3500) for three series: Main Telephone Lines, Internet Users, Mobile Subscribers.]

Source: ITU, 2008, Internet World Statistics, November 10, 2008
Notes: Internet Users data 1991-2005 (ITU), 2006 estimate (Internet World Statistics)

Source: CCP.I/1250/08

Page 4

New social interaction is increasing ICT and Internet growth

• 20% of online adults have online profiles

• 37% have uploaded photos to the Internet

• 22% have shared their own creations online, such as artwork, photos, stories, or videos

• 14% have their own personal web page

• (the percentages are significantly greater for online young adults)

Source: PEW Internet presentation to University of North Florida, Homo Connectus: The impact of technology on people's everyday lives, November 5th, 2007.

[Figure: Bar chart comparing All users and Young adults across four online activities: Go to video-sharing sites, Read blogs, Seek information at Wikipedia sites, Download podcasts.]

Source: CCP.I/1250/08

Page 5

Digital device adoption is growing

The PEW Study in the US finds growth of cell phones, TVs, DVD players, iPods, PVRs, etc.

• 88% students own cell phones
• 81% own digital cameras
• 63% own MP3 players
• 55% own video cameras
• 55% own laptops
• 27% students own PDA or Blackberry
• 77% students play games online

Source: Internet Innovation Alliance, “Broadband Fact Book”, July 2007

Source: PEW Internet presentation to University of North Florida, Homo Connectus: The impact of technology on people's everyday lives, November 5th, 2007.

Source: CCP.I/1250/08

Page 6

Anything that can be connected and would benefit from being connected will be connected

Source Nortel-2008

Hyperconnectivity is Real and Happening Now: P2P/P2M/M2M

Page 7

Huge, Giant: Complex systems, inextricable problems

Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

Page 8

Challenges of Cyberspace

Legal Framework

Privacy

Enforcement

Page 9

The weakest links – across boundaries

Effective security requires that a common and consistent approach be applied to:

• Security management practices
• Physical security
• Operations security
• Business continuity & disaster recovery planning
• Access control systems & methodology
• Cryptography
• Telecommunications & network security
• Application & systems development methodology
• Legal requirements including incident management

Page 10

Network Security Threats (1)

Security threats can be intentional (attacks) or accidental

Interruption (An Attack on Availability):
– Network Becomes Unavailable or Unusable
– Examples:
  • Malicious Destruction of a Network Element
  • Erasure of a Software Program or Data File
  • Cutting of a Communication Facility

Interception (An Attack on Confidentiality):
– An Unauthorized Access to an Asset
– Examples:
  • Unauthorized Data Capture (Data Sniffing)
  • Discovery of Unprotected WLAN Access Points

Modification (An Attack on Integrity):
– An Unauthorized Tampering with an Asset
– Examples:
  • Changing Network Configuration Information
  • Changing Data as it is Being Transmitted Across the Network

Fabrication (An Attack on Authenticity):
– Unauthorized Creation, Modification, or Deletion of Objects on a Network
– Examples:
  • Unauthorized Access to the Network
  • Insertion of Spurious Messages on the Network
  • Addition of Records to a Database

(1) C. Pfleeger, Security in Computing, Prentice Hall, 1997.

Page 11

OAS Mandate*

Cybersecurity and Critical Infrastructure Protection

• CICTE, CITEL, and REMJA each represent a pillar of the Comprehensive Inter-American Cybersecurity Strategy
  – The multidisciplinary efforts of these bodies support the growth, development, and protection of the Internet and related information systems, and protect users of those information networks
  – The objective: Create and support a culture of cybersecurity
• Ongoing activities:
  – Coordination and cooperation among the Secretariats of CICTE, CITEL and the REMJA Group of Government Experts in Cyber crime
  – Strengthening coordination among the national authorities and entities, including the national CSIRTs, involved in addressing Cybersecurity issues

* “Adoption of a Comprehensive Inter-American Strategy to Combat Threats to Cybersecurity: A Multidimensional and Multidisciplinary Approach to Creating a Culture of Cybersecurity”, AG/RES. 2004 (XXXIV-O/04), (Adopted at the fourth plenary session held on June 8, 2004 of XXXIV Meeting of the General Assembly of the OAS)

Page 12

CITEL in brief

• Telecommunications advisory body established by the OAS GA in 1994. History goes back to March 1890
• Brings together representatives of 35 OAS member states and the private sector (120 associates)
• Main purpose is to promote the sustainable development of telecommunications in the Americas
• Very broad combined mandate
• Strong emphasis on capacity building (20 accredited Regional Training Centers): > 200 fellowships for telecommunications training courses to be granted in 2009

Page 13

CITEL Cybersecurity Work Plan

• Assess the current work undertaken in the OAS, ITU, and other organizations on issues pertaining to the security and critical infrastructure of communication networks across the region.

• Review the various frameworks and guidelines on network and cybersecurity and their applicability within the Americas region.

• Foster cooperation among Member States on aspects related to advanced network backbone interconnectivity including traffic exchange points and its level of decentralization.

• Consolidate all relevant information on the CITEL Technical Notebooks on Cybersecurity and Critical Infrastructure Protection

Page 14

“Cybersecurity” Technical Notebook

• Provides an archive of Cybersecurity information available to the telecommunications industry and the Member States

• Highlights ongoing Regional and International cybersecurity strategy activities

• Addresses aspects relevant to developing national cybersecurity strategies

• Addresses issues of spam, incident response, public-private partnerships, and the awareness-raising and application of relevant security standards

• Includes appendices with national experiences

Page 15

“Critical Telecommunication Infrastructure Protection” Technical Notebook

• What are the CIs to be protected?
• What are the components of a given CI?
• What are the threats against which the CIs should be protected?
• What are the impacts (social, economic and/or political) caused by incidents (natural, accidental or malicious)?
• How are investments prioritized to efficiently protect CIs?
• How should the recovery of a CI be performed after an incident?

Critical Infrastructure Protection Strategies

Sharing initiatives adopted by OAS Member States

Page 16

CITEL’s approach: Identification of Security Standards

One example:

Security Architecture for Systems Providing End-to-End Communications (ITU-T Rec. X.805)

Page 17

ITU-T Recommendation X.805, Security Architecture for Systems Providing End-to-End Communications

Addresses three essential questions:
1. What kinds of protection are needed, and against which threats?
2. What are the distinct types of network equipment and facilities requiring protection?
3. What are the distinct types of network activities requiring protection?

The Security Architecture is intended to address global security challenges of Service Providers, enterprises, and consumers.

ITU-T Security Architecture
Endorsed by CITEL PCC.I in March 2004

Page 18

ITU-T Recommendation X.805, Security Architecture for Systems Providing End-to-End Communications

– Identifies classes of Security Threats (4)
– Describes a Security Architecture consisting of:
  • Security dimensions (8)
  • Security layers (3)
  • Security planes (3)
– Provides guidance for creating a Security Program: applying Security Dimensions to Security Layers and Planes to protect against Security Threats
– References and enhances prior ITU work on security: CCITT Rec. X.800 (1991), Security Architecture for Open Systems Interconnection for CCITT Applications

ITU-T Security Architecture

Page 19

[Figure: Security Architecture for End-to-End Network Security (ITU-T Security Architecture). Labels recovered from the diagram:]

• Security layers: Infrastructure Security, Services Security, Applications Security
• Security planes: End User Plane, Control Plane, Management Plane
• 8 Security Dimensions: Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy
• THREATS / ATTACKS: Interruption, Fabrication, Interception, Modification
• VULNERABILITIES

Page 20

Summary

• CITEL is utilizing workshops and Technical Notebooks to increase awareness of Cybersecurity and CIP issues and to assess best practices and strategies in order to increase security and mitigate the effects of cyber crime and fraud

• CITEL is utilizing Standards Coordination Documents to increase awareness of relevant security standards and to endorse the use of those standards in the Region

• Continued cooperation within the Americas Region and continued input from its members on Cybersecurity and CIP experiences and strategies will allow CITEL to remain focused on the most relevant security issues so as to provide recommendations for the Region and provide value to other bodies internationally

Page 21

Protecting our Infrastructure

• Threat Resolution and Prevention
• Infrastructure Threat Detection
• Infrastructure Threat Identification
• Infrastructure Threat Reaction & Containment
• Collaboration & Seamless Information Flow

The right information to the right person at the right time in context

Page 22

Clovis Baptista

Executive Secretary

Inter‐American Telecommunication Commission (CITEL)

E‐mail: [email protected]

Thank you for your attention!

Page 23

Organization of American States
Inter-American Telecommunication Commission

Security Dimensions

Access Management
• Limit and Control Access to Network Elements, Services, and Applications.
• Techniques Include: ACL, Firewall, IDS, Password, Security Token, RBAC.

Authentication
• Ensure Proof of Identity of the Claimed Entity (Person, Device, Application).
• Techniques Include: Shared Secret, PKI, Digital Signature, Digital Certificate.

Non-repudiation
• Prevent the Denial of an Activity on the Network or Transmission Through a Network.
• Techniques Include: System Logs, Digital Signatures, Asymmetrical Encryption.

Data Confidentiality
• Ensure the Confidentiality of Data to Prevent Unauthorized Viewing.
• Techniques Include: Encryption.

Communication Security
• Ensure Information Only Flows from the Source to the Destination.
• Techniques Include: VPN, MPLS, L2TP, Source Path Routing.

Integrity
• Ensure that Data is Received as Sent or Retrieved as Stored.
• Techniques Include: MD5, Digital Signature, Anti-Virus Software.

Availability
• Ensure network elements, services and applications are available to legitimate users.
• Techniques Include: Reliable network design, IDS, network redundancy, and disaster recovery.

Privacy
• Ensure that confidential information of the end user, network element, and network architecture is not disclosed to an unauthorized entity.
• Techniques Include: Encryption, Service Level agreement, etc.

Security Dimensions are not limited to the network, but extend to applications and end-user information as well

