International Telecommunication Union
ITU-T X.1207
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (04/2008)
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Telecommunication security
Guidelines for telecommunication service providers for addressing the risk of spyware and potentially unwanted software
Recommendation ITU-T X.1207

For further details, please refer to the list of ITU-T Recommendations.

Rec. ITU-T X.1207 (04/2008)

Recommendation ITU-T X.1207
Guidelines for telecommunication service providers for addressing the risk of spyware and potentially unwanted software

Summary

Recommendation ITU-T X.1207 provides guidelines for telecommunication service providers (TSPs) for addressing the risks of spyware and potentially unwanted software. This Recommendation promotes best practices around the principles of clear notices, user consents and user controls for TSP web hosting services. This Recommendation also develops and promotes best practices for users on personal computer (PC) security, including the use of anti-spyware, anti-virus and personal firewall software and security software updates on client systems.

Source

Recommendation ITU-T X.1207 was approved on 18 April 2008 by ITU-T Study Group 17 (2005-2008) under the WTSA Resolution 1 procedure.

Keywords

Deceptive software, internet safety, potentially unwanted software, spyware.

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE: In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability), and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS

ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2008
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

CONTENTS

1 Scope ... 1
2 References ... 1
3 Definitions ... 1
4 Abbreviations and acronyms ... 1
5 Conventions ... 2
6 Overview ... 2
7 Objectives ... 3
8 Deceptive software and spyware ... 3
9 Why deceptive software and spyware matter ... 3
10 Recommendations ... 4
11 Guidance for telecommunication service providers (TSPs) ... 4
11.1 Manage information security risk in the business ... 4
11.2 Safety and security requirements for web hosting services ... 6
11.3 Safety and security guidance for end-users ... 7
Appendix I Additional resources ... 9
I.1 Online security and anti-spyware references ... 9
I.2 Sample list of incident escalation contacts ... 10
Bibliography ... 11

Recommendation ITU-T X.1207
Guidelines for telecommunication service providers for addressing the risk of spyware and potentially unwanted software

1 Scope

This Recommendation forms part of the set of guidance developed in ITU-T to improve the state of cybersecurity. It covers the baseline safety and security practice requirements for telecommunication service providers (TSPs) and end-users, focusing on addressing the issue of spyware and other potentially unwanted software, which may be malicious and/or deceptive.

Telecommunication service providers (TSPs), in the context of this Recommendation, refers to TSPs that provide internet-related services, in particular web hosting services to business organizations and internet access to end-users.

2 References

None.

3 Definitions

The term spyware has been used loosely to include numerous forms of software that exhibit certain privacy-intrusive behaviours that are uncalled for by the end-users. To ensure consistent use of the term and a common understanding, a working definition of spyware and related deceptive software is therefore provided here.

3.1 deceptive software: Software which performs activities on a user's computer without: 1) first notifying the user as to exactly what the software will do on the user's computer; or 2) asking the user whether he consents to the software doing these things. Examples of deceptive software include programs which hijack user configurations, or programs which cause endless pop-up advertisements which cannot be easily clicked out of by the user.

3.2 potentially unwanted software: Potentially unwanted software refers to various forms of deceptive software, including malicious software such as viruses, worms and trojans, and non-malicious software that exhibits the characteristics of deceptive software and spyware.

3.3 spyware: Spyware is defined in this Recommendation as a particular type of deceptive software that collects personal information from a user's computer. The personal information may include matters such as websites most frequently visited or more sensitive information such as passwords.

4 Abbreviations and acronyms

This Recommendation uses the following abbreviations and acronyms:

CERT Computer Emergency Response Team
CIRT Computer Incident Response Team
ICT Information and Communication Technology
ISMS Information Security Management System
ISMS-T Information Security Management System Requirements for Telecommunications
ISV Independent Software Vendor
SQL Structured Query Language
TSP Telecommunication Service Provider
URI Uniform Resource Identifier

5 Conventions

None.

6 Overview

The proliferation of the Internet has enabled new businesses and brought about many benefits to consumers at home and in the workplace. With the inherent openness of the Internet, and the interconnectivity and speed of access that it provides, it has also grown to be an effective platform for business and consumer communications, as well as for mass commercial marketing. In recent years, this openness and ease of communication and connectivity have increasingly been exploited by cyber criminals and rogue businesses through the use of various forms of malicious software for financial gain and other criminal purposes. One of the safety and security challenges that is growing in significance is that of spyware and deceptive software, which are capable of compromising personal information, causing significant loss of productivity and undermining end-users' confidence and trust in legitimate businesses on the Internet.

Telecommunication service providers (TSPs) are often looked up to by various parties, in particular regulators and enterprise customers, to provide safe and secure Internet services to end-users (including consumers and enterprise users). When websites hosted in TSP networks are found to be hosting malicious content, including spyware or deceptive software, and affecting the safety and security of end-user computer systems, TSPs are looked upon for assistance to address the issues, and any prolonged or frequent recurrence of such incidents would undermine trust and confidence in the TSP's ability to provide safe and secure services. This would translate into customer dissatisfaction and result in migration of customers to other TSPs. From a regulatory perspective, regulators in many countries are increasingly demanding assurances from TSPs of the security and safety measures they have taken, and requesting TSPs to do more in assisting consumers and end-users in safe and secure Internet computing.

In view of these changes in the Internet safety and security landscape, it is important for TSPs to adopt a set of standards of best practices that could be recognized across the industry as a minimum baseline¹ that would ensure the safe and secure provision of Internet services hosted through the TSP and also promote relevant practices to the end-users subscribing to their networks. Implementation of the baseline standard will also allow TSPs to demonstrate to regulators and end-users their conformance to industry best practices and to enhance, if not maintain, regulators' and end-users' confidence and trust in the safety and security of the TSP network and services.

¹ There is currently no such baseline, and this guideline Recommendation is a step towards providing such a minimum baseline.

7 Objectives

The objectives of this Recommendation are to:

1) Promote best practices around the principles of clear notices, user consents and user controls for web hosting services; and
2) Promote security best practices (via telecommunication service providers) to home users on safe and secure use of personal computers and the Internet, including the use of anti-virus, anti-spyware, personal firewall and automated security updates.

8 Deceptive software and spyware

The common element, shared by all deceptive software programs (including spyware), that distinguishes them from legitimate applications is their lack of notice and choice at the user level. Importantly, it is commonly noted that with proper disclosure, user authorization and control, many of the software tasks performed by deceptive software/spyware can provide benefits to users. For example, such programs may facilitate personalization, enable user-approved configuration changes and deliver approved advertising, which in turn can subsidize the cost of a highly-valued service such as e-mail. In short, deceptive software is not predominantly a technology problem but largely a problem arising from deceptive or fraudulent behaviour.

At both a global and a local level, deceptive software and spyware have become one of the top-tier issues for government, industry and consumers, in that they go beyond the parameters of an ICT policy issue. While deceptive software obviously uses the Internet and the computer as its medium, it is fundamentally a consumer protection problem that stems from deceptive behaviour.

9 Why deceptive software and spyware matter

At the consumer level, such software degrades the computing and/or online experience of the user (sometimes to the point of rendering the computer unusable) and creates a sense of frustration and a perception that the user is not "in control". It is not an exaggeration to suggest that at the residential consumer level in particular there is a significant proportion of users for whom deceptive software threatens to completely undermine the extraordinary benefits available from the Internet and from computing per se.

While deceptive software is clearly having a substantial impact on consumers, it is also a major problem for many ICT companies. At one level, many customers misattribute their computer operating problems to software manufacturers and developers, which detracts from their reputation and from customer perceptions of their products. Clearly, problems arising from deceptive software also result in millions of dollars being spent on unnecessary support calls in both the software and hardware sectors.

As noted in clause 6 above, TSPs are not spared the challenges of spyware and deceptive software: the websites they host may be used directly by rogue businesses and cyber criminals to distribute such software, and their subscribers, who experience the adverse impact directly, call on the TSP for support and assistance. On top of that, it is a common expectation of regulators and end-users that TSPs implement adequate safety and security measures that counter such problems. If TSPs relinquish responsibility for dealing with such challenges, their reputation and end-users' confidence and trust would naturally be undermined.

10 Recommendations

The most effective way