International Telecommunication Union

ITU-T X.1039
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(10/2016)

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Information and network security – Network security

Technical security measures for implementation of ITU-T X.805 security dimensions

Recommendation ITU-T X.1039

ITU-T X-SERIES RECOMMENDATIONS
DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY

PUBLIC DATA NETWORKS X.1–X.199
OPEN SYSTEMS INTERCONNECTION X.200–X.299
INTERWORKING BETWEEN NETWORKS X.300–X.399
MESSAGE HANDLING SYSTEMS X.400–X.499
DIRECTORY X.500–X.599
OSI NETWORKING AND SYSTEM ASPECTS X.600–X.699
OSI MANAGEMENT X.700–X.799
SECURITY X.800–X.849
OSI APPLICATIONS X.850–X.899
OPEN DISTRIBUTED PROCESSING X.900–X.999
INFORMATION AND NETWORK SECURITY
  General security aspects X.1000–X.1029
  Network security X.1030–X.1049
  Security management X.1050–X.1069
  Telebiometrics X.1080–X.1099
SECURE APPLICATIONS AND SERVICES
  Multicast security X.1100–X.1109
  Home network security X.1110–X.1119
  Mobile security X.1120–X.1139
  Web security X.1140–X.1149
  Security protocols X.1150–X.1159
  Peer-to-peer security X.1160–X.1169
  Networked ID security X.1170–X.1179
  IPTV security X.1180–X.1199
CYBERSPACE SECURITY
  Cybersecurity X.1200–X.1229
  Countering spam X.1230–X.1249
  Identity management X.1250–X.1279
SECURE APPLICATIONS AND SERVICES
  Emergency communications X.1300–X.1309
  Ubiquitous sensor network security X.1310–X.1339
  PKI related Recommendations X.1340–X.1349
CYBERSECURITY INFORMATION EXCHANGE
  Overview of cybersecurity X.1500–X.1519
  Vulnerability/state exchange X.1520–X.1539
  Event/incident/heuristics exchange X.1540–X.1549
  Exchange of policies X.1550–X.1559
  Heuristics and information request X.1560–X.1569
  Identification and discovery X.1570–X.1579
  Assured exchange X.1580–X.1589
CLOUD COMPUTING SECURITY
  Overview of cloud computing security X.1600–X.1601
  Cloud computing security design X.1602–X.1639
  Cloud computing security best practices and guidelines X.1640–X.1659
  Cloud computing security implementation X.1660–X.1679
  Other cloud computing security X.1680–X.1699

For further details, please refer to the list of ITU-T Recommendations.

Rec. ITU-T X.1039 (10/2016)

Recommendation ITU-T X.1039
Technical security measures for implementation of ITU-T X.805 security dimensions

Summary
Many organizations in developing countries as well as developed countries may have difficulties in implementing the high-level dimensions described in Recommendation ITU-T X.805. Recommendation ITU-T X.1039 is aimed at providing a set of security measures to implement the high-level dimensions. It also provides technical implementation guidance for security measures that can be used to improve organizations' security response capabilities. A set of security measures described in this Recommendation could assist organizations in managing information security risks and implementing technical dimensions. The audience of this Recommendation includes, but is not limited to, those
individuals responsible for implementing an organization's information security dimensions.

History
Edition  Recommendation  Approval    Study Group  Unique ID*
1.0      ITU-T X.1039    2016-10-14  17           11.1002/1000/13059

Keywords
Security dimension, security measures, technical implementation guidance.

* To access the Recommendation, type the URL http://handle.itu.int/ in the address field of your web browser, followed by the Recommendation's unique ID. For example, http://handle.itu.int/11.1002/1000/11830-en.

FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.
The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.
The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.
In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE
In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.
Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.
As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2017
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

Table of Contents
1 Scope
2 References
3 Definitions
  3.1 Terms defined elsewhere
  3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 Overview of information security measures
7 Information security measures
  7.1 Access control
  7.2 Authentication
  7.3 Non-repudiation
  7.4 Data confidentiality
  7.5 Communication security
  7.6 Data integrity
  7.7 Availability
  7.8 Privacy
Annex A – Additional technical implementation guidance
  A.1 Secure configuration
  A.2 Malware protection
  A.3 Patch management
  A.4 Vulnerability management
  A.5 Information security incidents management
  A.6 System development security
  A.7 Authentication for information systems and applications
  A.8 Data leakage prevention
  A.9 Operations security
  A.10 Backup and disaster recovery
  A.11 Desktop PC and mobile device protection
Appendix I – Organizational implementation guidance
  I.1 Information security policies
  I.2 Organization of information security
  I.3 Human resources security
  I.4 Asset management
  I.5 Physical and environment security
  I.6 Supplier relationship
Appendix II – Level of security assurance
  II.1 Level of assurance for entity authentication [b-ITU-T X.1254]
  II.2 Level of security assurance
Appendix III – Guidance on assigning specific level of security assurance from the final index
  III.1 Methodology for level of security assurance
Appendix IV – SGSN specific implementation guideline
  IV.1 Overview
  IV.2 Access control dimension for module 1
  IV.3 Availability dimension for module 1
  IV.4 Non repudiation dimension for module 1
  IV.5 Authentication dimension for module 1
  IV.6 Data integrity dimension for module
  IV.7 Privacy and data confidentiality dimension for module 1
  IV.8 Communication security dimension for module 1
Bibliography

Recommendation ITU-T X.1039
Technical security measures for implementation of ITU-T X.805 security dimensions

1 Scope
This Recommendation provides technical security measures for the implementation of ITU-T X.805 security dimensions, which include access control, communication security, authentication and data confidentiality. It also provides, in the appendices, examples of applying the set of technical security measures to organizations with practical levels of information security dimensions. It is not intended to cover all security measures, but to focus on several technical issues. This Recommendation is applicable to all types of telecommunication organizations, including those in developing countries.

2 References
The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.

[ITU-T X.805] Recommendation ITU-T X.805 (2003), Security architecture for systems providing end-to-end communications.
3 Definitions

3.1 Terms defined elsewhere
This Recommendation uses the following terms defined elsewhere:

3.1.1 access control [b-ITU-T X.800]: The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner.

3.1.2 authentication [b-ITU-T X.1254]: Provision of assurance in the identity of an entity.

3.1.3 authorization [b-ITU-T X.1254]: The granting of rights, which includes the granting of access based on access rights.

3.1.4 availability [b-ITU-T X.800]: The property of being accessible and usable upon demand by an authorized entity.

3.1.5 confidentiality [b-ITU-T X.800]: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

3.1.6 data integrity [b-ITU-T X.800]: The property that data has not been altered or destroyed in an unauthorized manner.

3.1.7 firewall [b-ISO/IEC 27033-1]: Type of security barrier placed between network environments consisting of a dedicated device or a composite of several components and techniques through which all traffic from one network environment traverses to another, and vice versa, and only authorized traffic, as defined by the local security policy, is allowed to pass.

3.1.8 intrusion detection [b-ISO/IEC 27039]: Formal process of detecting intrusions, generally characterized by gathering knowledge about abnormal usage patterns, as well as what, how, and which vulnerability has been exploited to include how and when it occurred.

3.1.9 intrusion detection system [b-ISO/IEC 27039]: Information systems used to identify that an intrusion has been attempted, is occurring, or has occurred.

3.1.10 intrusion prevention system [b-ISO/IEC 27039]: Variant on intrusion detection systems that are specifically designed to provide an active response capability.

3.1.11 privacy [b-ITU-T X.800]: The right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
NOTE – Because this term relates to the right of individuals, it cannot be very precise and its use should be avoided except as a motivation for requiring security.

3.1.12 security gateway [b-ISO/IEC 27033-1]: Point of connection between networks, or between subgroups within networks, or between software applications within different security domains intended to protect a network according to a given security policy.

3.1.13 repudiation [b-ITU-T X.800]: Denial by one of the entities involved in a communication of having participated in all or part of the communication.

3.1.14 threat [b-ISO/IEC 27000]: Potential cause of an unwanted incident, which may result in harm to a system or organization.

3.2 Terms defined in this Recommendation
None.

4 Abbreviations and acronyms
This Recommendation uses the following abbreviations and acronyms:

2FA   Two-Factor Authentication
ACL   Access Control Lists
AES   Advanced Encryption Standard
ATM   Automatic Teller Machine
CEO   Chief Executive Officer
DDoS  Distributed Denial of Service
DHCP  Dynamic Host Configuration Protocol
DMZ   Demilitarized Zone
FTP   File Transfer Protocol
GGSN  Gateway General packet radio service (GPRS) Support Node
GPRS  General Packet Radio Service
HIDS  Host Based Intrusion Detection System
HTTP  Hypertext Transport Protocol
HTTPS Hypertext Transport Protocol Secure
ICT   Information Communication Technology
IDPS  Intrusion Detection and Prevention System
IDS   Intrusion Detection System
IP    Internet Protocol
IPS   Intrusion Prevention Systems
IPSec Internet Protocol Security
IPSG  IP Source Guard
ISP   Internet Service Provider
MFA   Multi-Factor Authentication
NIDS  Network Based Intrusion Detection System
OS    Operating system
OSI   Open System Interconnection
PC    Personal Computer
PII   Personally Identifiable Information
PIN   Personal Identification Number
RPC   Remote Procedure Call
SFA   Single Factor Authentication
SGSN  Serving GPRS Support Node
SMB   Server Message Block
SNMP  Simple Network Management Protocol
TFA   Three-Factor Authentication
TLS   Transport Layer Security
VPN   Virtual Private Network

5 Conventions
None.

6 Overview of information security measures
A security measure is a means of managing risk, and includes policies, procedures, guidelines, practices or organisational structures, which can be of an administrative, technical, management, or legal nature. A security dimension is a set of security measures designed to address a particular aspect of network security. The security dimensions defined in ITU-T X.805 are: access control; authentication; non-repudiation; data confidentiality; communication security; data integrity; availability; and privacy.
A set of technical implementation guidance for each dimension should be defined and implemented by organizations. This Recommendation presents a technical implementation guideline, which provides a set of security measures for each dimension, for mitigating the most common threats. Deploying these security measures can assist an organisation in protecting against the most common forms of cyber-attack emanating from the external network. Organisations implementing these security measures can benefit by gaining confidence
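The firewall definition in clause 3.1.7 and the access control dimension listed above reduce to one mechanism at the network boundary: traffic crosses only when the local security policy authorizes it, and everything else is dropped. The program below is an added illustration written for this page; it is not code from ITU-T X.1039 or from any ITU project. The Rule and Packet formats, the sample policy, the addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24 for the DMZ and the Internet host, private 10.0.0.0/8 for the internal network) and the sample packets are all constructed. It shows a first-match, default-deny evaluator, keeps a log of denied traffic for the detection side, and flags rules that an earlier, broader rule shadows, which is the usual way a deny rule silently stops protecting anything.

```python
"""Default-deny packet filter illustrating the firewall definition (3.1.7).

Added example, not part of ITU-T X.1039. The Rule/Packet formats, the
sample policy and every address below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source network in CIDR form; "0.0.0.0/0" means any
    dst: str                     # destination network in CIDR form
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port; None means any

    def matches(self, pkt: Packet) -> bool:
        """True if this rule applies to the packet."""
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        return (ipaddress.ip_network(self.src).supernet_of(ipaddress.ip_network(other.src))
                and ipaddress.ip_network(self.dst).supernet_of(ipaddress.ip_network(other.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


@dataclass
class Firewall:
    rules: List[Rule]
    denied: List[str] = field(default_factory=list)  # audit trail for the detection side

    def decide(self, pkt: Packet) -> str:
        """First matching rule wins; traffic that no rule authorizes is dropped (default deny)."""
        desc = f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}"
        for n, rule in enumerate(self.rules):
            if rule.matches(pkt):
                if rule.action == "deny":
                    self.denied.append(f"rule {n}: {desc}")
                return rule.action
        self.denied.append(f"default-deny: {desc}")
        return "deny"

    def shadowed_rules(self) -> List[int]:
        """Indices of rules that can never fire because an earlier rule covers them.
        A specific deny placed after a broad allow is the classic silent failure."""
        return [j for j, later in enumerate(self.rules)
                if any(earlier.covers(later) for earlier in self.rules[:j])]


# Constructed perimeter policy: Internet <-> DMZ (203.0.113.0/24) <-> internal (10.0.0.0/8).
POLICY = [
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),  # public HTTPS to the DMZ web server
    Rule("allow", "10.0.0.0/8", "203.0.113.0/24", "tcp", 22),   # SSH from the admin network into the DMZ
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8"),                    # nothing crosses into the internal network
]

# Constructed sample traffic; 198.51.100.7 plays an Internet host.
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 443),  # allowed by rule 0
    Packet("198.51.100.7", "203.0.113.10", "tcp", 22),   # matches no rule: default deny
    Packet("10.1.2.3", "203.0.113.5", "tcp", 22),        # allowed by rule 1
    Packet("198.51.100.7", "10.20.30.40", "udp", 53),    # denied explicitly by rule 2
]


def run_policy(rules: List[Rule], packets: List[Packet]):
    """Evaluate packets against rules; returns (decisions, denied-log entries)."""
    fw = Firewall(rules)
    decisions = [fw.decide(p) for p in packets]
    return decisions, fw.denied


if __name__ == "__main__":
    decisions, log = run_policy(POLICY, SAMPLE)
    for pkt, d in zip(SAMPLE, decisions):
        print(f"{d:5} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    print("denied log:", *log, sep="\n  ")
    # Mis-ordered policy: the broad allow shadows the deny, so the deny never fires.
    bad = Firewall([Rule("allow", "0.0.0.0/0", "0.0.0.0/0"),
                    Rule("deny", "0.0.0.0/0", "10.0.0.0/8")])
    print("shadowed rules in mis-ordered policy:", bad.shadowed_rules())
```

Two design points carry over to real packet filters. The evaluator never returns "allow" for traffic no rule names, so a missing rule fails closed rather than open; and the denied-traffic log is what the intrusion detection function of clauses 3.1.8 and 3.1.9 consumes, since a burst of default-deny entries from one source is the first visible sign of scanning. The shadowing check is worth running whenever a rule set is edited: `supernet_of` compares the address ranges, and the protocol and port comparisons treat "any" and None as wildcards, so a later rule is reported only when an earlier one matches everything it could match.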