Cybersecurity and Vulnerability Assessment

Transcription

1 Cybersecurity and Vulnerability Assessment Wayne Zeuch Vice Chair: Working Group on Deployment of Technologies and Services ITU /CITEL Regional Cybersecurity Workshop for the Americas Salta, Argentina Nov 1, 2010 What is CITEL? It is the Telecommunications advisory body established by the Organization of American States (OAS) General Assembly in Principal forum in the Hemisphere where governments, the private sector and international and regional organizations meet to work together and to achieve common objectives in the telecommunication area. Mission: Facilitate and promote the harmonious and integral development of telecommunications including ICTs in the Americas for the benefit of society. 1

2 3 Cybersecurity and Vulnerability Assessment Terms of Reference: Develop domestic and Regional approaches to network security, deployment strategies, information exchange, and outreach to the public and the private sector: Collect Regional Best Practices, taking into account ongoing activity in the ITU-D (Question 22/1) Review various frameworks and guidelines for their applicability within the Americas Region Identify and evaluate implementation and policy issues relating to standards required for security of existing and future communications networks (wireline and wireless) across the Region This task will draw primarily on the work of ITU-T (especially the security Study Questions of SG 17), other existing standards-setting bodies, including the IETF, and Regional Standard Development Organizations (SDOs) will also be considered, as appropriate. 4 2

3 Cybersecurity and Vulnerability Assessment Terms of Reference (2): Identify, on a timely and ongoing basis, obstacles to implementation of security measures in the networks of the Region. Foster cooperation among OAS Member States on aspects related to network security Help Administrations encourage network and service providers to implement technical standards for secure networks Continue to coordinate the CITEL work on cybersecurity with the other OAS work of CICTE and REMJA Establish liaisons with other standards bodies and industry fora as necessary to advance work on the OAS mandates. 5 DESCRIPTION Provides a formalized means of maintaining an archive of technical, best practices, policy, or regulatory information made available to the OAS Member States and CITEL telecom industry members Documents relevant activities, completed or in progress As a living document, it is updated on an ongoing basis with relevant information from contributions submitted to the Working Groups Increased Cybersecurity awareness by archiving valuable information for the use of the CITEL community and for drafting future CITEL resolutions 6 3

4 Cybersecurity ITU /CITEL Regional Cybersecurity Workshop for the Americas Salta, Argentina Nov 1, 2010 Cybersecurity Provides an archive of Cybersecurity information available to the telecommunications industry and the Member States Highlights ongoing Regional and International cybersecurity strategy activities Addresses aspects relevant to developing national cybersecurity strategies Addresses issues of incident response, public-private partnerships, and the awareness-raising and application of relevant security standards Establishes links with the security standards discussions in the NGN Standards Includes Appendices with national cybersecurity programs and best practices (Dominican Republic, Venezuela, Argentina) 8 4

5 Cybersecurity Appendix 2-1: Dominican Republic Created a regulatory framework that established the High Technology Crime and Misdemeanor Research Department, under the National Police Drafted and introduced bill in the National Congress on high technology crimes and misdemeanors Promoted the development of a cybersecurity culture by: Establishing a cybersecurity commission under the National Commission on the Information and Knowledge-based Society (CNSIC) Establishing a CSIRT within the Dominican Telecommunication Institute (INDOTEL) 9 Cybersecurity Appendix 2-2: Venezuela Venezuela has passed Rulings on Cybersecurity that include: Law on protection of communications privacy Administrative Procedures containing rulings associated with the request of information on mobile service Law on Data Messages and Electronic Signatures and its Regulation Law is applicable to Data Messages and Electronic Signatures regardless of its technological characteristics or any future technological developments Special Law against Informatics Crime Crimes Against Systems Using Information Technology Crimes Against Property Crimes against the privacy of individuals and communications 10 5

6 Cybersecurity Appendix 2-3: Argentina Created ArCERT in 1999 to boost computer security in the private sector and address computer incidents on national networks Project CSIRT-CABASE started in 2008 by the Argentine Chamber of Databases and Online Services (CABASE) created a CSIRT as an associate body of ArCERT to deal with public and private security incidents forge collaboration between the public and private sector maintains databases of security vulnerabilities and incidents experienced by member organizations Provides information secuity advisory services and provides training Promotes coordination among organizations on prevention, detection, management 11 Critical Telecommunications Infrastructure Protection ITU /CITEL Regional Cybersecurity Workshop for the Americas Salta, Argentina Nov 1,

7 Critical Telecommunication Infrastructure Protection (CTIP) Motivation The number of vulnerabilities in critical infrastructures tends to grow as the interdependencies between the infrastructures increase, both in number and complexity Dissemination of telecommunication networks into all infrastructures, and the increasing reliance of the critical infrastructures upon them, brings with it certain impacts that cannot be neglected Interruption of these services can threaten human life, destroy property, and destroy or corrupt information, possibly interrupting the work of governments and corporations Strategies Key National CTIP Issues, Policies, Strategies Brazil (Information Security Steering Committee, CERT.br, Security Incident Response Team, CTIP Methodologies) Venezuela (SUSCERTE, VENCERT, CENIF) 13 Critical Infrastructure Protection Strategies Sharing initiatives adopted by OAS Member States What are the CIs to be protected? What are the components of a given CI? What are the threats against which the CIs should be protected? What are the impacts (social, economic and/or political) caused by incidents (natural, accidental or malicious)? How are investments prioritized to efficiently protect CIs? How should the CI recovery of a be performed after an incident? 14 7

8 Strategies: Brazil Information Security Steering Committee (Comitê Gestor de Segurança da Informação-CGSI) CERT.br CERT.br is responsible for receiving, reviewing, and responding to computer security incident reports and activity related to networks connected to the Brazilian Internet Security Incident Response Team (Centro de Atendimento a Incidentes de Segurança-CAIS) Focus is on Brazil s National Education and Research Network (RNP) Provides incident response services Disseminates information on network security Tests and recommends security tools Recommends policies for RNP, PoPs, and RNP backbone 15 Brazil Methodology for Critical Infrastructure Identification (MI 2 C) 16 8

9 Methodologies for CTIP Brazil CTIP, 17 Strategies: Venezuela Superintendence of Electronic Certification Services (SUSCERTE), seeks to implement a Data Transmission Risk Management model that includes procedures, methods, and policies Data Transmission Incident Response Center (VENCERT ) Prevention, detection, and management of incidents occurring on state information systems and information systems of entities managing the nation s critical infrastructure National Forensic Information Technology Center (CENIF) Develops procedures for gathering, analyzing, and introducing electronic evidence, and its admissibility requirements 18 9

10 Strategies: Venezuela Data Transmission Risk Management (Objectives) Develop a system to classifydata transmission assets in the Venezuelan state Define a data transmission risk management model, together with its processes, mechanisms, and regulations Establish the minimum data transmission security requirements to be used in state agencies and entities Design a mechanism to provide technical assistance to state agencies in incorporating data transmission risk policies, procedures, and controls and data transmission risk management 19 Summary CITEL continues to address Cybersecurity and Critical Telecommunications Infrastructure Protection and has initiated new work in several key areas is coordinating with its Regional OAS partners (CICTE, REMJA) and is partnering with the ITU and other international bodies to utilize the widest available experience and best practices to address security issues for the Americas Region CITEL is not only collecting experiences and data on Cybersecurity from its members, but is also actively engaged in discussions of national strategies and best practices, leading to policy recommendations for the Americas Region 20 10

11 Summary (2) CITEL is utilizing workshops and s to increase awareness of cybersecurity issues and to assess best practices and strategies in order to increase security and mitigate the effects of cyber crime Continued cooperation within the Americas Region and continued input from its members on cybersecurity experiences and strategies will allow CITEL to remain focused on the most relevant security issues so as to provide recommendations for the Region and provide value to other bodies internationally 21 g{tç~ léâ4 Marian Gordon Rapporteur: Cybersecurity and Vulnerability Assessment 22 Wayne Zeuch Vice Chair: Working Group on Deployment of Technologies and Services Rapporteur: Standards, Conformance, and Interoperability waynezeuch@aol.com citel@oas.org 11