1、 International Telecommunication Union ITU-T X.1209TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (12/2010) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cyberspace security Cybersecurity Capabilities and their context scenarios for cybersecurity information sharing and exchange
2、Recommendation ITU-T X.1209 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND
3、 SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.109
4、9 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SEC
5、URITY Cybersecurity X.1200X.1229Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability
6、/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 For further details, please refer to the list of ITU-T Recommendation
7、s. Rec. ITU-T X.1209 (12/2010) i Recommendation ITU-T X.1209 Capabilities and their context scenarios for cybersecurity information sharing and exchange Summary Recommendation ITU-T X.1209 describes high level scenarios and supporting capabilities for cybersecurity information sharing and exchange.
8、This Recommendation provides capabilities important for supporting interoperability between applications for the sharing and exchange of cybersecurity information. Capabilities are described which may be used in scenarios/situations supporting previously independent acting entities to participate in
9、 various coordinated efforts, such as the prevention or halting of targeted behaviour or the coordination of analysis and determination efforts. The goal of the capabilities listed and described is to support more efficient and effective security operations by supporting the interoperable sharing an
10、d exchange of information between trusted parties working together to monitor, maintain and generally manage the security of systems and networks. History Edition Recommendation Approval Study Group 1.0 ITU-T X.1209 2010-12-17 17 Keywords Cybersecurity information, information exchange, information
11、sharing. ii Rec. ITU-T X.1209 (12/2010) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent org
12、an of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the
13、topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are
14、prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendatio
15、n may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used
16、to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectu
17、al Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received no
18、tice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU
19、 2011 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1209 (12/2010) iii CONTENTS Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendati
20、on . 1 4 Abbreviations and acronyms 2 5 Conventions 2 6 Introduction 2 7 Capabilities scenarios . 2 7.1 General scenario . 3 7.2 Operational policies 3 7.3 Regional policies 3 7.4 Exchange format . 3 7.5 Privacy protection . 4 7.6 Access granularity 4 7.7 Source verification 4 7.8 Multichannel distr
21、ibution . 5 7.9 Backwards compatibility 5 8 Capabilities . 5 8.1 Format/encoding capabilities 5 8.2 Transfer/exchange capabilities . 5 8.3 Security capabilities 6 8.4 Policy capabilities . 6 8.5 Vendor neutrality capabilities . 6 9 Applicability of capabilities 7 9.1 Format/encoding capabilities 7 9
22、.2 Transfer/exchange capabilities . 7 9.3 Security capabilities 7 9.4 Policy capabilities . 7 9.5 Vendor neutrality capabilities . 7 Appendix I Introduction to cybersecurity information sharing and exchange 8 Appendix II Related activities . 12 II.1 Common security information 12 II.2 Novel security
23、 information . 12 II.3 Related activities to share security information . 13 Appendix III Related activities . 14 Bibliography. 15 Rec. ITU-T X.1209 (12/2010) 1 Recommendation ITU-T X.1209 Capabilities and their context scenarios for cybersecurity information sharing and exchange 1 Scope This Recomm
24、endation provides capabilities important for supporting interoperability between applications for the sharing and exchange of cybersecurity information. Accordingly, clause 7 contains descriptions of high level use capabilities scenarios which are used to set the context for the capabilities found i
25、n clause 8. To further clarify the purpose of the capabilities, clause 9 contains descriptions of which capabilities are more likely to be needed in which situations. The intended audience for this Recommendation are those involved in authorized security operations. 2 References None. 3 Definitions
26、3.1 Terms defined elsewhere This Recommendation uses the following term defined elsewhere: 3.1.1 cybersecurity b-ITU-T X.1205: Collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies
27、that can be used to protect the cyber environment and organization and users assets. Organization and users assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cybe
28、r environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and users assets against relevant security risks in the cyber environment. The general security objectives comprise the following: availability integrity, which may include au
29、thenticity and non-repudiation confidentiality. 3.2 Terms defined in this Recommendation This Recommendation defines the following term: 3.2.1 cybersecurity information: Structured information or knowledge which may include but is not limited to: the “state“ of equipment, software or network systems
30、; forensics related to incidents or events; parties implementing the information exchange capabilities in terms of cybersecurity; specifications for the exchange of information in terms of cybersecurity, including modules, schemas and assigned numbers; identities and trust attributes for all of the
31、preceding and implementation requirements, guidelines and practices. 2 Rec. ITU-T X.1209 (12/2010) 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: DDoS Distributed Denial of Service FTP File Transfer Protocol HTTP HyperText Transfer Protocol HTTPS Secu
32、re HyperText Transfer Protocol (HTTP over SSL) IPS Intrusion Prevention System 5 Conventions None. 6 Introduction Cyber attacks involving viruses, worms, etc., are shortening their propagation speeds through networks using various techniques, ever evolving into more threatening forms. Various kinds
33、of security solutions including anti-virus, spyware detection, firewall, virtual private network, intrusion detection and protection, etc., have been developed, so that security incidents due to such threatening attacks may be countered by a rapid response system through the taking of effective coun
34、termeasures. Security managers most common line of defense against exploits, viruses, worms and botnets has primarily been in the form of various discussion forums that many security professionals subscribe to. Usually within a couple of days to a week, holes are plugged, vulnerabilities patched and
35、 things can return back to normal. Unfortunately, the exploitation of vulnerabilities by viruses, worms and botnets could propagate across networks very quickly. Within seconds, entire networks can be significantly affected. The exchange of cybersecurity information within a given organization may b
36、e accomplished quickly. However, the exchange of a broad range of information between organizations is not well supported using current methods. The lack of effective communication means may turn each organization into an island of security. Therefore, it is important to share cybersecurity informat
37、ion among many organizations, including telecom operators, telecom service providers and centers of security operations. To make such an information exchange possible, what is needed are: trusted and secure methods for participants to exchange information more quickly, methods to ensure the protecti
38、on of privacy. This Recommendation provides considered scenarios and supporting capabilities for the exchange of cybersecurity information among participants in a secure, trusted and reliable manner. 7 Capabilities scenarios To be able to put the capabilities listed in clause 8 into a proper context
39、 for the understanding of this Recommendation, high level usage scenarios are presented in five different settings to help explain the five logical groups of capabilities which follow. Rec. ITU-T X.1209 (12/2010) 3 7.1 General scenario This general scenario applies to all subsequent scenarios. Scena
40、rio: Information exchange partners share security event and incident related information useful to identify and prevent adversarial attacks on their respective networks. The important aspect of this scenario is that the two parties may collect similar types of data but from different sources and/or
41、in different formats and/or slightly different contents of similar types of data. 7.2 Operational policies This scenario describes a situation where different information exchange partners have different restrictions for access to different elements of information being shared. Scenario: Information
42、 exchange partners have a business agreement to share security event and incident-related information. One important aspect of this scenario is that access to each information exchange partners information may be restricted with access granted based on a pre-existing trust relationship. Another impo
43、rtant aspect is that the trust placed in the information received may be associated with the trust relationship that exists. 7.3 Regional policies This scenario describes a multiple information exchange partner situation where different respective partners have different legal and/or regulatory rest
44、rictions on different elements of the same type of information being shared. Similar to the previous scenario, this scenario also highlights the possibility that one may be allowed to share information that ones self may not actually be allowed to access or view. This scenario differs from the previ
45、ous scenario due to the source of restrictions placed on the exchange of information. The source of restrictions in the previous scenario is operational policies decided by each information exchange partner, while restrictions in this scenario are due to operational policies imposed externally, such
46、 as by regional jurisdictions. Scenario: Two parties operating in different regions may exchange information under different requirements placed on them by the respective regions. The important aspect of this scenario is that in addition to parties having different operational policies, there may al
47、so be policies associated with the region in which the information is exchanged. 7.4 Exchange format Scenario: One information exchange partner delivers information, which includes ports or port ranges involved, to a second partner concerning a troublesome behaviour pattern of traffic. The informati
48、on shared is used to identify instances of a specific attack. The important aspect of this scenario is that the contents of the information exchanged needs to be easily understood by and agreed to by all information exchange partners involved. 4 Rec. ITU-T X.1209 (12/2010) 7.5 Privacy protection The
49、 scenarios included in this clause highlight different privacy related issues, whether the “privacy“ is corporate or personal. In addition, they highlight the need for the ability to ensure the privacy of information exchanges themselves. Scenario: A security operations centre collects information related to a malicious attack against one of its managed networks, systems or more generally, a managed asset. This information is then provided to a network service provider to identify the source or sources of the g
