Presentation is loading. Please wait.

Presentation is loading. Please wait.

GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Overview and System Security to Security Testing Company:NEC Corporation Author(s):Anand R. Prasad,

Published byBlaise Skinner Modified over 8 years ago

Similar presentations

Presentation on theme: "GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Overview and System Security to Security Testing Company:NEC Corporation Author(s):Anand R. Prasad,"— Presentation transcript:

1 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Overview and System Security to Security Testing Company:NEC Corporation Author(s):Anand R. Prasad, Chairman Security & Privacy Working Group Contact:anand@bq.jp.nec.com Purpose:Discussion Document#:GISFI_SP_201206244

2 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Purpose Start relationship between mobile operators and GISFI This workshop on network security requirements is to –Share initial information and –Bring common understanding Next step is to have regular meetings and/or workshops –Preferably during GISFI meetings –Separately, just before or after a GISFI meeting

3 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 GISFI Security & Privacy WG Tasks Work on security, privacy, legal intercept and algorithms Perform threat analysis and identify requirements Develop –recommendations regarding the above –security and privacy solutions –legal intercept solutions Bring Indian requirements to international bodies Activities Network security testing requirements of India Proposed new topics –Identity management –Unsolicited communication –Child security in cyber space Inter-WGs –Internet-of-things –Service Oriented Networks –Future Radio Networks

4 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Security Testing Requirements Companies should fulfill ISO 27k security guidelines Highest level of security from design, development, deployment, maintenance to running of all comm. products and networks Security testing of all products and network based on Indian guidelines set as per Common Criteria (ISO 15408) where testing: –performed by Indian labs from 1 April 2013 onwards – yearly –labs will be accredited by Indian government –test result will be certified by Indian government –only “type” testing will be done Products/network should fulfill Indian security requirements, implementation should comply with common security considerations and implemented as per standard specification (e.g. 3GPP)

5 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Impacts and Gaps Impact of requirements Technical skills growth Security awareness Vendors will see delay in sales and increase in product cost Operator cost will increase impacting rural deployment Potential trade impact Gaps Lab: Accreditation and certification method Common criteria –CC level –PP & STs – certify? who? Specification details Relation with CCRA, 3GPP etc. Acceptable level of risk Define safe to connect How to test existing network CC: Common Criteria PP: Protection Profile ST: Security Target

6 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Testing Related Duration of testing: Longer time to wait will impact business Periodicity of testing: Given product can have monthly software or firmware update Timing of testing: Before purchase will mean impact on vendors while after purchase could mean issues for operators/service providers Volume of testing, number of points: Type approval, extent/depth of testing to be performed and level of value-chain to be touched Human resource: Initially sufficient people will not be available to perform security tests. Steps to perform test and develop resources should be a concern Cost of testing: Cost of testing will lead to impact on market. Responsibility of accidents: Vendors pay for the accidents due to certified products? Security threats / attacks are maturing with time thus there should be consideration from long-term perspective Confidentiality and intellectual property: How can the testing “person” be certified? Also issue regarding escrow.

7 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 S&P Work Item Following deliverables are expected: Requirement analysis and proposals (Framework) Complete security together with terminology definitions and proposals Policy study and proposals Security architecture in mobile communication systems: Comparison and proposals for India Monitoring Proposals for security testing Planning to liaise with 3GPP and CCRA

8 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Market Trend: Over-The-Top Services (OTT) and Cyber Attacks Over-the-top services NodeB WLAN AP X-CSCF HSS/ AAA RNC PDG MSC xGSN eNodeB H(e)NBGW H(e)NB MME S/PGW Advertisement 1.OTT is the killer app  Impact: -Loss of profit source and no new source of profit -Increase in CAPEX & OPEX Market trend : Moving towards services  Mobile operator becoming part of “the Internet”  OTT services is the killer app  Cyber attack is increasing 2.Cyber attacks is increasing  Impact: -Increase in CAPEX & OPEX -Dissatisfied customers

9 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Security Considerations Over-the-top services NodeB WLAN AP X-CSCF HSS/ AAA RNC PDG MSC xGSN eNodeB H(e)NBGW H(e)NB MME S/PGW 1.Overloading of network (DoS / DDoS) Overloading network with botnets, malware, home made terminals etc. 2.Finding network topology (privacy) 3.Network element attacks 4.Protocol attack 5.Subscriber privacy issues 6.Fraudulent charging Analyzing network to find network topology Attacking specific network elements Protocol weaknesses used to perform attack OAM attack, spoofing etc. used to get subscriber private data and cause fraudulent charging  Several attacks are possible on mobile network  Newer services bring new business opportunities and also threats  Complete system security consideration is necessary

10 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Mobile Systems Security Comparison GSMGPRSUMTSSAE/LTE Security servicesCiphering User authentication Equivalent to wired Ciphering User authentication Ciphering & integrity Mutual auth. Ciphering & integrity Mutual auth. AuthenticationAuthentication: 3 valuesUMTS-AKA: 5 valuesEPS-AKA: 5 values KeysDerivation of a ciphering key after auth.Derivation of CK & IKSeparate keys for each purpose Key lengthShared key 128 bits for authentication Derived 64 bits out of which 54 used for ciphering Shared key 128 bits for authentication Derived 64 bits for ciphering 128 bits Key handlingChanged on authenticationChanged on each handover & more AlgorithmA5/1 / 2 /3; specification is confidential. A5/3 is based on Kasumi GPRS Encryption Algorithm (GEA): GEA0, GEA1, GEA2 and GEA3 Kasumi from Rel. 4SNOW 3G, AES and ZUC Security end-pointBTSSGSNRNC / SGSNeNB for UP & RRC MME for NAS Network securityNoneNone initiallyMAPsec and IPsecIPsec

11 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Designing Security Determine the assets Determine the threats and risks to each asset  set security requirements Design and implement countermeasures for the threats and residual risks  economical Monitor, manage and update the implementation Deter, detect and react against any attack

12 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Common Criteria Testing PPSTDocumentation Design Review Code Review Product Test Certification 9 ~ 24 months

13 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Security Test Lab Accreditation & Certification TEC/DOT & CCRA,3GPP Security Test Lab Vendors / Operators 1.Vendors/operators request security testing 0.Security test labs accredited by CCRA taking care of Indian needs as per TEC 2.Send security test results for certification 3.Result: Certified or not certified 4.Result: Certified or not certified CCRA: Common Criteria Recognition Arrangement DOT: Department of Telecommunications TEC: Telecommunications Engineering Centres

14 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Finally A balance need to be found between what is needed and what can be done regarding the Indian national security requirements –Should be acceptable to all, particularly operators Current national requirements have gaps GISFI is working on several topics related to security testing requirements GISFI proposes Indian mobile operators to work together on network security testing requirements

15 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012

16 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Core Network (CN) Radio Access Network (RAN) User Equipment (UE) Service (or service provider) Subscriber Identity Module (SIM) Internet Local break-out Foreign Network

17 GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Legacy Service Layer Service Control e.g. IMS NGMN PS core Enablers Other Radio Access Networks e.g. WiFi NGMN Radio Access Network External Networks like PSTN, Internet etc. CS core UTRANGERAN

Download ppt "GISFI_SP_201206244Operator-GISFI Workshop 22 June, 2012 Overview and System Security to Security Testing Company:NEC Corporation Author(s):Anand R. Prasad,"

Similar presentations

Module 1 Evaluation Overview © Crown Copyright (2000)

Module 1 Evaluation Overview © Crown Copyright (2000)
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
LTE Security. Agenda Intro … Intro … The LTE System Radio Side (LTE – Long Term Evolution/Evolved UTRAN - EUTRAN) – Improvements in spectral efficiency,

LTE Security. Agenda Intro … Intro … The LTE System Radio Side (LTE – Long Term Evolution/Evolved UTRAN - EUTRAN) – Improvements in spectral efficiency,
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information Security) Certified COBIT 5 Assessor /Certified.

A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information Security) Certified COBIT 5 Assessor /Certified.
World Class Standards ANFOV - Milano, 14 November 2007 – Paolo DE LUTIIS ANFOV - Milano, 14 November 2007 Autore:Paolo DE LUTIIS Telecom Italia Security.

World Class Standards ANFOV - Milano, 14 November 2007 – Paolo DE LUTIIS ANFOV - Milano, 14 November 2007 Autore:Paolo DE LUTIIS Telecom Italia Security.
How secure are 802.11b Wireless Networks? By Ilian Emmons University of San Diego.

How secure are b Wireless Networks? By Ilian Emmons University of San Diego.
Doc.: IEEE 802.11-04/0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.

Doc.: IEEE /0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.
G53SEC 1 Mobile Security GSM, UTMS, Wi-Fi and some Bluetooth.

G53SEC 1 Mobile Security GSM, UTMS, Wi-Fi and some Bluetooth.
Final Presentation Presented By: Gal Leibovich Liran Manor Supervisor: Hai Vortman.

Final Presentation Presented By: Gal Leibovich Liran Manor Supervisor: Hai Vortman.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
GLOBAL ICT STANDARDISATION FORUM FOR INDIA (GISFI) Prof. Dr. Ramjee Prasad, CTiF, Aalborg University Fellow IEEE, FIET, FIETE, FWWRF - Founding Chairman,

GLOBAL ICT STANDARDISATION FORUM FOR INDIA (GISFI) Prof. Dr. Ramjee Prasad, CTiF, Aalborg University Fellow IEEE, FIET, FIETE, FWWRF - Founding Chairman,
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.

NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.
Introduction to ICANN’s new gTLD program. A practical example: the Dot Deloitte case. Jan Corstens, Partner, Deloitte WIPO Moscow, 9 Dec 2011.

Introduction to ICANN’s new gTLD program. A practical example: the Dot Deloitte case. Jan Corstens, Partner, Deloitte WIPO Moscow, 9 Dec 2011.
GISFI_SP_201203183GISIF#8, 26-28, March 20121 Proposals for Activity on Network Security Requirement of India Company:NEC Corporation, Chair Security &

GISFI_SP_ GISIF#8, 26-28, March Proposals for Activity on Network Security Requirement of India Company:NEC Corporation, Chair Security &
Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.

Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.

Similar presentations

Ads by Google