INTERNATIONAL ISO/IEC STANDARD 18028-1

More documents

Recommendations

Info

IS0/IEC18028-1:2006(E)Examples of the risks in the context of some types of radio network are shown in the paragraphs below.The security risks associated with GSM include the facts that:— A5/x algorithms and Comp128-1 are weak,— generally GSM encryption is turned off,— SIM cloning is a reality.The security risks associated with 3G include the facts that the:— phones are liable to electronic attack, including the insertion of malicious code, for example viruses,— opportunities for attack are high because phones are often always on,— service could be subject to eavesdropping,— radio network could be jammed,— insertion of false base stations is possible,— gateways could be subject to unauthorized access,— service could be subject to attack and unauthorized access via the Internet,— introduction of spam is possible,— management systems could be subject to unauthorized access via RAS,— service could be attacked via lost or stolen engineering support equipment, including laptops.UMTS is a key member of the global family of 3G mobile technologies and provides significant capacity andbroadband capabilities to support greater numbers of voice and data customers It uses a 5 MHz channelcarrier width to deliver significantly higher data rates and increased capacity, providing optimum use of radioresources, especially for operators who have been granted large, contiguous blocks of spectrum - typicallyranging from 2x10 MHz up to 2x20 MHz -to reduce the cost of deploying 3G networks.GPRS is an essential first step towards third generation mobile networks, by enhancing the GSM networkfunctionalities. GPRS is a specification for data transfer on GSM networks, which allows both packet switchedand circuit switched traffic to exist in the GSM infrastructure. GPRS utilizes up to eight 9.05Kb or 13.4KbTDMA timeslots, for a total bandwidth of 72.4Kb or 107.2Kb. GPRS supports both TCP/IP and X.25communications. EDGE enabled GSM networks are able to implement EGPRS , an enhanced version ofGPRS, which increases the bandwidth of each timeslot to 60Kb. GPRS enables an 'always-on' Internetconnection which is a potential security issue. A GPRS network provider will usually try to elevate the securityof the link by providing a firewall between the GPRS network and the Internet, but this should be configured toallow valid services to work, and hence may be exploited by third parties.CDPD is a specification for supporting wireless access to the Internet and other public packet-switchednetworks over cellular telephone networks. CDPD supports TCP/IP and CLNP. CDPD utilizes the RC4 streamcipher with 40 bit keys for encryption. CDPD is defined in the IS-732 standard. The algorithm is not strong andcan be decrypted by a brute force attack.CDMA, a form of spread-spectrum, is a family of digital communication techniques that have been used formany years. The core principle of spread spectrum is the use of noise-like carrier waves, which havebandwidths much wider than that required for simple point-to-point communication for the same data rate.Digital coding technology allows CDMA to prevent eavesdropping, whether intentional or accidental. CDMAtechnology splits sound into small bits that travel on a spread spectrum of frequencies. Each small bit ofconversation (or data) is identified by a digital code known only to the CDMA phone and the base station. Thismeans that virtually no other device can receive the call. Since there are millions of code combinationsavailable for any call, it protects against eavesdropping.34 © ISO/IEC 2006 - All rights reserved
ISO/IEC18028-1:2006(E)13.2.5.3 Security ControlsThere are a number of technical security controls to manage the risks from identified threats to radio networks,including those for:— secure authentication,— encryption with effective algorithms,— protected base stations,— firewalls,— malicious code (virus, trojans, etc.) protection,— anti-spam.13.2.6 Broadband Networking13.2.6.1 BackgroundBroadband networking is a group of technologies which allow individual subscribers high speed access to anInternet point-of-presence. Currently, there are four main technologies:— 3G,— Cable,— Satellite,— DSL.For DSL, there are two main types. There is asymmetric (ADSL), where the upload speed from the user islower (quarter to half of the download speed, and symmetric (SDSL), where the upload and download speedsare the same. In either case, the download speed is typically from 128 kbps to 2-8 Mbps, depending on theproduct. Cable and satellite technologies also have similar types of product.The main reasons for adopting broadband technologies is that they are a high-speed, always on technologyavailable more cheaply that conventional communications. All technologies allow access to the Internet andhence span only from the Internet to the subscriber's premises. Use of the Internet as a universal carrierallows links to other sites to be constructed speedily and cheaply, perhaps with the deployment of VPNs forsecure links.13.2.6.2 Security RisksBroadband is simply an 'always on' high-speed link between a subscriber and the Internet. These featuresmake the subversion of a broadband-connected system a valuable proposition for hackers, and lead directlyto the following risks:— disclosure, modification or deletion of information, as a result of unauthorized remote access,— propagation of malicious code,— upload/download and execution of unauthorized code,— identity theft,— mis-configuration of client systems,— introduction of software vulnerabilities,— network congestion,— DoS.© ISO/IEC 2006 - All rights reserved 35
Page 1 and 2: INTERNATIONAL ISO/IECSTANDARD 18028
Page 3 and 4: ISO/IEC18028-1:2006(E)ContentsPageF
Page 5 and 6: ISO/IEC 18028-1:2006(E)ForewordISO
Page 7 and 8: INTERNATIONAL STANDARDISO/IEC 18028
Page 9 and 10: ISO/IEC FDIS 18028-1:2006(E)3.2.9de
Page 11 and 12: ISO/IEC FDIS 18028-1:2006(E)3.2.30n
Page 13 and 14: ISO/IEC FDIS 18028-1:2006(E)4 Abbre
Page 15 and 16: ISO/IEC FDIS 18028-1:2006(E)5 Struc
Page 17 and 18: ISO/IEC FDIS 18028-1:2006(E)An exam
Page 19 and 20: ISO/IEC FDIS 18028-1:2006(E)— det
Page 21 and 22: ISO/IEC FD1S 18028-1:2006(E)8 Consi
Page 23 and 24: ISO/IEC FDIS 18028-1:2006(E)9.4 Net
Page 25 and 26: ISO/IEC 18028-1:2006(E)© ISO/IEC 2
Page 27 and 28: ISO/IEC18028-1:2006(E)Table 2 — I
Page 29 and 30: IS0/IEC18028-1:2006(E)A conceptual
Page 31 and 32: ISO/IEC 18028-1:2006(E)Using the se
Page 33 and 34: ISO/IEC 18028-1:2006(E)13 Identify
Page 35 and 36: ISO/IEC 18028-1:2006(E)These Securi
Page 37 and 38: ISO/IEC 18028-1:2006(E)13.2.3 Wide
Page 39: ISO/IEC 18028-1:2006(E)— flawed S
Page 43 and 44: ISO/IEC 18028-1:2006(E)With all sec
Page 45 and 46: ISO/IEC18028-1:2006(E)• uncertain
Page 47 and 48: ISO/IEC 18028-1:2006(E)— IDS shou
Page 49 and 50: ISO/IEC18028-1:2006{E)— exploitat
Page 51 and 52: ISO/IEC 18028-1:2006(E)The content
Page 53 and 54: ISO/IEC18028-1:2006(E)— web-based
Page 55 and 56: ISO/IEC 18028-1:2006(E)13.4.4 Netwo
Page 57 and 58: ISO/IEC18028-1:2006(E)13.6.5 Secure
Page 59 and 60: ISO/IEC 18028-1:2006(E)use rules to
Page 61 and 62: IS0/IEC18028-1:2006(E)Where it is i
Page 63 and 64: IS0/IEC18028-1:2006(E)13.10.5.2 Sec
Page 65 and 66: IS0/IEC18028-1:2006(E)Bibliography[

INTERNATIONAL ISO/IEC STANDARD 18028-1

Create successful ePaper yourself

Delete template?

Save as template?