Geneva, Switzerland, 15-16 September 2014 ITU-T CYBEX standards for cybersecurity and data protection Youki Kadobayashi, NICT Japan Rapporteur, ITU-T Q.4/17.

Slides:

Advertisements

Similar presentations

h Protection from cyber attacks is achieved by acting on several levels: first, at the physical and material, placing the server in a place as safe as.

Advertisements

Its a new digital world with new digital dangers….

Tony Rutkowski Yaana Technologies Georgia Tech Q.4/17 Rapporteur

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.

<<Date>><<SDLC Phase>>

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

OPM Cybersecurity Competencies by Occupation (Technical Competencies) Information Technology Management Series Electronics Engineering.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

Advanced Security Center Overview Northern Illinois University.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

Geneva, Switzerland, 4 December 2014 ITU-T Study Group 17 activities in the context of digital financial services and inclusion: Security and Identity.

8 Systems Analysis and Design in a Changing World, Fifth Edition.

Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.

Vulnerability Assessments

Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

© 2011 The MITRE Corporation. All rights Reserved. Approved for Public Release: Distribution Unlimited You’re Not Done (Yet) Turning Securable.

Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.

Copyright 2013 FUJITSU LIMITED. AGENDA Mitigation Considerations 4. Data Security – Examples and Application 2. Data Security Life-Cycle 1 1. Data Management.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Software Assurance Automation throughout the Lifecycle OWASP AppSec USA 2011 September 23 rd 2011.

SEC835 Database and Web application security Information Security Architecture.

Security Management prepared by Dean Hipwell, CISSP

A Framework for Automated Web Application Security Evaluation

A Security Review Process for Existing Software Applications

WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ Identity and Privacy: the.

Configuring Electronic Health Records Privacy and Security in the US Lecture f This material (Comp11_Unit7f) was developed by Oregon Health & Science University,

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

1 Smart Grid Cyber Security Annabelle Lee Senior Cyber Security Strategist Computer Security Division National Institute of Standards and Technology June.

 Chapter 14 – Security Engineering 1 Chapter 12 Dependability and Security Specification 1.

Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:

Engineering Essential Characteristics Security Engineering Process Overview.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security Automation May 26th, Security Automation: the challenge “Tower of Babel” – Too much proprietary, incompatible information – Costly – Error.

Advanced Accounting Information Systems Day 23 Operating Systems Security October 16, 2009.

Building Secure Web Applications With ASP.Net MVC.

COMP1321 Digital Infrastructures Richard Henson University of Worcester April 2013.

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.

PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.

Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools.

Security Environment Assessment. Outline  Overview  Key Sources and Participants  General Findings  Policy / Procedures  Host Systems  Network Components.

MD5 & Hash Encryption By Alex Buzak. Overview Purpose of MD5 and Hash Encryptions Examples MD5 Algorithm Explanation of Possible Security Risks Practical.

SANS Top 25 Most Dangerous Programming Errors Catagory 1: Insecure Interaction Between Components These weaknesses are related to insecure ways.

E-Commerce E-Commerce Security?? Instructor: Safaa S.Y. Dalloul E-Business Level Try to be the Best.

COMP1321 Digital Infrastructure Richard Henson February 2016.

ASP.NET 2.0 Security Alex Mackman CM Group Ltd

ITU-T CYBEX standards for cybersecurity information dissemination and exchange Youki Kadobayashi, Ph.D. NICT Japan / Rapporteur, ITU-T SG17 Q.4 ITU-T SG17.

Vulnerability / Cybersecurity Research Discussion Dwayne Melancon, CISA Chief Technology Officer and VP of Research & Development.

COMP2322 Networks in Organisations Richard Henson University of Worcester April 2016.

1/27 ITU-T CYBEX standards for cybersecurity information dissemination and exchange Odessa, Ukraine, June 2016 Martin Euchner Adviser, ITU-T ITU.

CS457 Introduction to Information Security Systems

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

Theodore Lawson CSCE548 Student Presentation, Topic #2

A Security Review Process for Existing Software Applications

I have many checklists: how do I get started with cyber security?

Risk Assessment = Risky Business

CS2S562 Secure Software Development

How to Mitigate the Consequences What are the Countermeasures?

Presentation transcript:

Geneva, Switzerland, September 2014 ITU-T CYBEX standards for cybersecurity and data protection Youki Kadobayashi, NICT Japan Rapporteur, ITU-T Q.4/17 ITU Workshop on “ICT Security Standardization for Developing Countries” (Geneva, Switzerland, September 2014)

Capacity building with ITU-T cybersecurity standards Geneva, Switzerland, September 2014 Existing process-oriented standards, as well as checklist standards, should be complemented with detailed knowledge-base of cybersecurity, because: Cyber-risks are highly volatile Chain reactions are typical – difficult to estimate the risk without considering technical detail You’ll need to communicate the detail ITU-T provides knowledge-base standards

Knowledge base of vulnerabilities Geneva, Switzerland, September 2014 CVE: Common Vulnerability Enumeration A structured means to exchange information on security vulnerabilities and exposures and provides a common identifier for publicly-known problems. Standardized as ITU-T Recommendation X.1520 National databases: U.S. NIST NVD Japan JVN R. Martin, “Managing Vulnerabilities in Networked Systems”, IEEE Computer, 34(11), Nov 2001.

Example: vulnerabilities of widely used software for data protection purposes Geneva, Switzerland, September 2014 CVE entries for MySQL CVE entries for OpenSSL

Ongoing Proliferation of CVE 143 CVE-compatible products and services Geneva, Switzerland, September 2014 U.S. NIST NVD Japan IPA JVN

CPE: common naming of IT assets Geneva, Switzerland, September 2014 CPE: Common Platform Enumeration A structured method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets. URI for IT assets, primarily software Standardized as ITU-T Recommendation X.1528 cpe:/o:microsoft:windows_2003 cpe:/a:adobe:reader:8.1

Taxonomy of vulnerabilities Geneva, Switzerland, September 2014 CWE: Common Weakness Enumeration Group same kind of vulnerabilities into a weakness, and give it a distinct number Provides common names for publicly known problems in the commercial or open source software Intended for security tools and services that can find weaknesses in source code and operational systems Helps better understand and manage software weaknesses related to architecture and design Standardized as ITU-T Recommendation X.1524

CWE top 25 ‎ Prioritized list of dangerous software errors Intended to minimize software vulnerability and data breach Any software for data protection needs serious consideration of these failure modes, among others Useful for: Procurement Development, etc. RankScoreIDName [1]93.8CWE-89Improper Neutralization of Special Elements used in an SQL Command [2]83.3CWE-78Improper Neutralization of Special Elements used in an OS Command [3]79CWE-120Buffer Copy without Checking Size of Input [4]77.7CWE-79Improper Neutralization of Input During Web Page Generation [5]76.9CWE-306Missing Authentication for Critical Function [6]76.8CWE-862Missing Authorization [7]75CWE-798Use of Hard-coded Credentials [8]75CWE-311Missing Encryption of Sensitive Data [9]74CWE-434Unrestricted Upload of File with Dangerous Type [10]73.8CWE-807Reliance on Untrusted Inputs in a Security Decision [11]73.1CWE-250Execution with Unnecessary Privileges [12]70.1CWE-352Cross-Site Request Forgery (CSRF) [13]69.3CWE-22Improper Limitation of a Pathname to a Restricted Directory [14]68.5CWE-494Download of Code Without Integrity Check [15]67.8CWE-863Incorrect Authorization [16]66CWE-829Inclusion of Functionality from Untrusted Control Sphere [17]65.5CWE-732Incorrect Permission Assignment for Critical Resource [18]64.6CWE-676Use of Potentially Dangerous Function [19]64.1CWE-327Use of a Broken or Risky Cryptographic Algorithm [20]62.4CWE-131Incorrect Calculation of Buffer Size [21]61.5CWE-307Improper Restriction of Excessive Authentication Attempts [22]61.1CWE-601URL Redirection to Untrusted Site [23]61CWE-134Uncontrolled Format String [24]60.3CWE-190Integer Overflow or Wraparound [25]59.9CWE-759Use of a One-Way Hash without a Salt Geneva, Switzerland, September 2014

Quantification of vulnerabilities facilitates prioritization during vulnerability management Geneva, Switzerland, September 2014 CVSS: common vulnerability scoring system Base metrics: constant over time and across user environments Temporal metrics: reflects vulnerability landscape Environmental metrics: reflects user environments Standardized as ITU-T X.1521

Knowledge base of attack patterns Geneva, Switzerland, September 2014 CAPEC: Common Attack Pattern Enumeration and Classification Dictionary of attack patterns, solutions & mitigations Facilitates communication of incidents, issues, as well as validation techniques and mitigation strategies Standardized as ITU-T Recommendation X.1544

CAPEC example: SQL injection Summary, how it works, solutions and mitigations Geneva, Switzerland, September 2014

Vulnerability assessment Geneva, Switzerland, September 2014 OVAL: Language for the open definition of vulnerabilities and for the assessment of a system state A standard for assessment and reporting of machine state of computer systems. OVAL includes a language to encode system details, and an assortment of content repositories held throughout the community. Standardized as ITU-T Recommendation X.1526

Major ITU-T standards for cybersecurity Definitions, knowledge base standards Geneva, Switzerland, September 2014 X.1205, Overview of Cybersecurity X.1251, A framework for user control of digital identity X.1252, Baseline identity management terms and definitions X.1254, Entity authentication assurance framework X.1500, Overview of cybersecurity information exchange X.1520, Common vulnerabilities and exposures X.1521, Common vulnerability scoring system X.1524, Common weakness enumeration X.1526, Language for the open definition of vulnerabilities and for the assessment of a system state X.1528, Common platform enumeration X.1544, Common attack pattern enumeration and classification X.1546, Malware attribute enumeration and characterization

Improving cybersecurity and data protection throughout IT infrastructure lifecycle Geneva, Switzerland, September 2014 Development CWE X.1524 CAPEC X.1544 Deployment CVE X.1520 CVSS X.1521 Assessment OVAL X.1526 CPE X.1528 Knowledge bases, compatible products, informed communities and ITU-T Recommendations are already helping diverse organizations to protect their IT infrastructures and customers

Summary Geneva, Switzerland, September 2014 ITU-T cybersecurity standards provide critical instruments to deal with rapidly changing and diversifying cybersecurity phenomena, directly contributing to data protection Enumeration standards provides effective means of communication across businesses, government agencies as well as communities Cyber-risks are highly volatile and manifests through unexpected combination of components, that requires careful examination of technical risks through knowledge- base standards