Focus Group 1B Cybersecurity - PowerPoint PPT Presentation

Transcript and Presenter's Notes
1
Focus Group 1B Cybersecurity
Dr. Bill Hancock, CISSP, CISM, Cable & Wireless, FG1B Chair
bill.hancock@cw.com, 972-740-7347
2
Purpose of Today's Brief
  • Brief discussion of work completed for NRIC by
    FG1B
  • Brief discussion of recovery best practices
    delivered on 3-14-03
  • Brief discussion on FG1B proposals to NRIC today
  • Guidance to NRIC on subsequent work in 2003 by
    FG1B per charter

3
Charter of FG1B
  • Generate Best Practices for cybersecurity
    • Telecommunications sector
    • Internet services
  • Propose New Actions (if needed)
  • Deliverables
    • December 2002: prevention (105 BPs)
    • March 2003: recovery (45 BPs)
  • Have made all deliverables, complete and on-time

4
Security in the Early Days
The Telegraph Station and Staff at Porthcurno,
1870
5
Security Evolves
The Eastern Telegraph Company demonstrates the
Telephone to Queen Victoria, 1880
6
Things, however, change.
7
The Past
8
The Present
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
9
Difference Between Prevention and Recovery BPs
Prevention
Ballet?
Sumo?
Both!
10
Difference Between Prevention and Recovery BPs
  • Recovery

11
Cybersecurity Recovery BPs
  • 45 delivered today per charter
  • Most are more technical than preventative
  • Some are focused on known issues
  • Extensive work on incident response
  • Some items too extensive for BPs are included as
    appendices to the recovery BPs
  • Not a one-to-one match to prevention BPs
  • Not all prevention BPs will stop incidents due to
    the nature of technologies used

12
Cybersecurity Prevention BPs
  • Edited version provided today
  • Three new BPs included (106 total)
  • Incorporated changes based on few comments
    returned during December balloting effort

13
Real World Application Example: January 25, 2003,
Slammer Worm Attack
  • FG1B Prevention BPs that apply:
    • 6-6-8000 Disable Unnecessary Services
    • 6-6-8008 Network Architecture Isolation/Partitioning
    • 6-6-8015 Segmenting Management Domains
    • 6-6-8020 Security HyperPatching
    • 6-6-8032 Patching Practices
    • 6-6-8034 Software Patching Policy
    • 6-6-8037 System Inventory Maintenance
    • 6-6-8039 Patch/Fix Verification
    • 6-6-8041 Prevent Network Element Resource
      Saturation
    • 6-6-8071 Threat Awareness
    • 6-6-8074 Denial of Service Attack Target
    • 6-6-8091 Validate Source Addresses

14
What Slammer Did
  • Originated in Asia at 12:30 am on 1-25-03
  • Very small, very high propagation rate
  • Attacked MS SQL installations
  • Patch had been available since July 2002
  • Affected SQL Server and MSDE installs
  • Did not affect sites that applied the general BP
    concept of "turn it off if not needed"
  • Sites that disabled UDP 1433/1434 did not allow
    propagation into their networks
  • Took 3 days to effectively kill it off

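The last two points above are the defensive lesson of the slide: hosts with SQL Server's UDP listener exposed were infected, and sites that blocked UDP 1433/1434 at their borders contained it. As an added illustration (not part of the presentation), the check below runs over constructed flow-log lines (timestamp, protocol, source, destination, destination port; the format and addresses are assumed) and flags any source that fans out to many distinct destinations on those ports within a short window, which is the propagation pattern of a self-replicating worm rather than of a legitimate SQL client.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flows (not real data): one host spraying UDP/1434 at
# many destinations within a second, plus benign traffic that must not trip.
SAMPLE_FLOWS = """\
2003-01-25T00:30:01 UDP 10.1.1.5 10.1.2.17 1434
2003-01-25T00:30:01 UDP 10.1.1.5 172.16.9.3 1434
2003-01-25T00:30:01 UDP 10.1.1.5 192.168.4.44 1434
2003-01-25T00:30:02 UDP 10.1.1.5 10.200.0.9 1434
2003-01-25T00:30:02 UDP 10.1.1.5 10.3.3.3 1434
2003-01-25T00:30:02 UDP 10.1.1.5 172.16.9.3 1434
2003-01-25T00:30:02 UDP 10.1.1.5 10.77.8.1 1434
2003-01-25T00:30:05 TCP 10.1.1.9 10.1.1.10 1433
2003-01-25T00:30:07 UDP 10.1.1.7 10.1.1.20 1434
2003-01-25T00:35:00 UDP 10.1.1.7 10.1.1.21 1434
2003-01-25T00:30:09 UDP 10.1.1.8 10.1.1.20 53
"""

# The ports the slide says should be disabled/blocked where not needed.
SQL_UDP_PORTS = {1433, 1434}


def parse_flow(line):
    """Split one assumed flow-log line into typed fields."""
    ts, proto, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), proto, src, dst, int(dport)


def find_spraying_hosts(flows, window_s=60, min_targets=5):
    """Return {src: max_unique_dsts} for sources that reach at least
    min_targets distinct destinations on UDP 1433/1434 within window_s
    seconds.  Repeated hits on the same destination count once, so a
    chatty but legitimate client talking to one server is not flagged."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in flows.strip().splitlines():
        ts, proto, src, dst, dport = parse_flow(line)
        if proto == "UDP" and dport in SQL_UDP_PORTS:
            events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # sliding window from each hit
            seen = {d for t, d in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(seen) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(seen))
    return flagged


if __name__ == "__main__":
    print(find_spraying_hosts(SAMPLE_FLOWS))  # {'10.1.1.5': 6}
```

Tune window and threshold to the site: a legitimate application server may talk to a handful of SQL instances, but nothing benign addresses dozens of distinct hosts on UDP/1434 in a second.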
15
Some Slammer Lessons
  • Rapid propagation time
    • Code Red in 2001 took many hours (self-replication
      in 37 minutes on average)
    • Slammer estimates are 8 minutes (self-replication
      was almost immediate)
  • Payload was very small and efficient
    • Derived from the original demo code for the problem
      written last July; very compact
  • Payload was NIL, but easily could have been very,
    very UGLY
  • Companies that followed appropriate FG1B BPs NOW
    were unaffected by Slammer

16
What Does this Mean to NRIC?
  • Prevention of cyberattack is cheaper:
    • Maintain SLAs, avoid penalties
    • Maintain reliability of connectivity
    • Reduce manpower costs
    • Consistent service and delivery
    • Increase customer satisfaction
    • Reduce support costs
    • Reduce negative PR burden
    • Many others

17
Cover Document Contents
  • Not required by charter
  • Included to preserve historical data
  • Included to highlight industry needs that cannot
    be solved by BPs at this time
  • Contains:
    • Charter
    • History
    • Guidance issues
    • General issues and comments
    • Proposals

18
Highlights of General Issues
  • Current infrastructures are built on a total-trust
    model, which makes security very complex and
    difficult
  • Need investment and R&D to secure infrastructures
  • Potential NRIC work items on infrastructure:
    long-term planning for security inclusion in
    future architecture
  • Convergence of network types will lead to
    weakened security of traditionally difficult-to-
    access networks (e.g. analog voice converges to
    VoIP on a data network; CDMA cellular converges
    to 3G on shared IP infrastructure)
  • Corporate investment in security needs to be a
    continued priority and reality

19
Highlights of Proposals
  • Improve Signaling Protocol Security
  • Accelerate Secure Network Element Technology
    (particularly protection against resource
    saturation attacks)
  • Improve the Authentication/Security of BGP
  • Improve the Authentication/Security of DNS
  • Interoperability Testing
  • IPv6 Transition
  • Key Management
  • PBX and Voicemail security
  • Software certification
  • Security certification of products and services

20
Next Steps
  • Evangelism efforts for FG1B BPs:
    • Trade shows
    • Speeches and conferences
    • Internal efforts
    • Publications and interviews
  • Update of BPs later in 2003:
    • Comments back from ballot efforts
    • Industry comments
    • Known need to add a few more
  • Preparation for industry survey in 2004 for
    adoption of FG1B cybersecurity BPs

21
Focus Group 1B Cybersecurity
Dr. Bill Hancock, CISSP, CISM, Cable & Wireless, FG1B Chair
bill.hancock@cw.com, 972-740-7347