Page 1

Network Reliability and Interoperability Council

Focus Group 1B Cybersecurity

Dr. Bill Hancock, CISSP

Cable and Wireless America

FG1B Chair

[email protected]

972-740-7347

Page 2

Purpose of Today’s Brief

• Review of Charter and Architecture of FG1B
• Explanation of deliverables and work efforts
• Brief discussion of Prevention Best Practices deliverable for December, 2002
• Review work plan and deliverables for March
• Guidance to NRIC on subsequent deliverables in March 2003 on recovery BPs and additional issues and items related to cybersecurity

Page 3

Charter of FG1B

• Generate Best Practices for cybersecurity
  – Telecommunications sector
  – Internet services
• Deliverables
  – December 2002 – prevention
  – March 2003 – recovery
• New team, limited baseline material

Page 4

Security is Very Complex

• Security is currently where networking was 15 years ago
• Many parts & pieces
• Complex parts
• Lack of expertise in the industry (60% vacancy with no qualified personnel)
• No common GUIs
• Lack of standards
• Attacks are growing
• Customers require security from providers

[Diagram: security architecture components, grouped under Authentication, Cryptography, Anti-Virus, Intrusion Detection, Auditing and Security Management. Labelled components: Network Access Control Interception and Enforcement Facility; PKI Manager; Centralized Security Policy Manager; Digital Signature Interface; Other Security Entity Manager; Token Card Manager; OS Security Management Tools; Certificate Authority Interface; Virus Interception & Correction; VPN Session or Tunnel Manager; Single Sign-on Tools; Security Event Report Writer(s); Encryption Facilities for Network Connections; Security Policy Distributor; Cyberwall/Firewall Rule Base; Connection Manager and Logging; Application Proxy Implementations; Security Traffic Event Analyzer; Application Logging Facility; VPN IPSec and VPN Connection Manager; Stateful Inspection; Intrusion Logging; Intrusion Prevention; Application Inspection; Security Event Logging; Security Integrity Manager; Packet Inspection; Frame Inspection; Security Filter Engine; Real-time Frame Management; Intrusion Detection (Network, Host-based, Application-based).]

Page 5

As Systems Get Complex, Attackers are Less Sophisticated…

[Chart: attack sophistication (low to high) against intruder knowledge, timeline 1980 to 2000. Techniques labelled on the chart: password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; burglaries; disabling audits; back doors; hijacking sessions; sweepers; sniffers; packet spoofing; network management diagnosis; GUI; automated probes/scans; denial of service; WWW attacks; "stealth"/advanced scanning techniques; distributed attack tools; staged attack; cross site scripting.]

Page 6

Attack Growth – Security Business is Good and Growing (Unfortunately)

[Bar chart: attacks per year, 1988 - 2002, y-axis 0 to 100,000. Values shown on the chart (Source: CERT/CC):]

1999: 9,859
2000: 21,756
2001: 52,658
2002: 86,000

Page 7

Software Is Too Complex

• Sources of Complexity:
  – Applications and operating systems
  – Data mixed with programs
  – New Internet services
    • XML, SOAP, VoIP
  – Complex Web sites
  – Always-on connections
  – IP stacks in cell phones, PDAs, gaming consoles, refrigerators, thermostats

[Bar chart, y-axis 0 to 50 millions, one bar per Windows release with the value plotted:]

Windows 3.1 (1992): 3
Windows NT (1992): 4
Windows 95 (1995): 15
Windows NT 4.0 (1996): 16.5
Windows 98 (1998): 18
Windows 2000 (2000): 35
Windows XP (2001): 45

Page 8

Security Must Make Business Sense to Be Adopted

[Chart: cost ($) against security level (0% to 100%). Three curves: cost of security countermeasures, cost of security breaches, and total cost. The optimal level of security is at the minimum of total cost.]

Page 9

Composition and Organization

• Members include security officers, VPs, directors, managers and subject matter experts (SMEs)

• Members also include various U.S. Government agencies such as U.S. DoC, U.S. DoD, U.S. DoJ, FCC, Federal Reserve, etc.

• Group is divided into 8 working teams, each with a volunteer team leader, to generate BPs for a given subject area

Page 10

FG1B Teams

• Fundamentals & Architecture
• OAM&P (operations, administration, maintenance and provisioning)
• AAA (authentication, accounting, audit)
• Services
• Signaling
• Personnel
• Users
• Incidents

Page 11

Delivery Plan for FG1B Cybersecurity Best Practices

• December 2002 – Preventative BPs
  – Excel document for Industry comment and improvement
• March 2003 – Recovery BPs
  – Excel document for Industry comment and improvement
  – New, improved version of prevention BPs
• Early 2003 – Final Report (date TBD)
  – Cover document with cybersecurity topics that clarify the offerings, issues that require research and additional work, strategic issues in cybersecurity, implementation guidance and related topics
  – Prevention and recovery BPs

Page 12

Guidance on Cybersecurity Best Practices

• The current list of best practices (BPs) is constrained by what can be implemented
• Recommended BPs are considered implementable based on the expert experience of the team
• Not all BPs are appropriate for all service providers or architectural implementations
• The BPs are not intended for mandatory regulatory efforts
• There will continue to be security conditions that require development of technologies and techniques that are not currently practical or available to solve the security issues they create. The focus group is working on recommendations for inclusion in the final report.
• This is a moving target that will require continual refinement, additions and improvement

Page 13

Driving Principles in Cyber Security Best Practices

• Capability Minimization
  – Allow only what is needed re: services, ports, addresses, users, etc.
  – Disallow everything else
• Partitioning and Isolation
• Defense in Depth
  – Aka “belt & suspenders”
  – Application, host and network defenses
• KISS
  – Complexity makes security harder
• General IT Hygiene
  – Backups, change control, privacy, architectures, processes, etc.
• Avoid Security by Obscurity
  – A proven BAD IDEA™

Page 14

Prevention Best Practices Deliverable (December 2002)

• Composed of 103 best practices for preventing cybersecurity “events”
• Each entry includes
  – BP number
  – Title
  – Best practice for prevention
  – If any: reference and dependencies on other BPs
  – Implementors

Page 15

Example of Prevention Best Practice for Cybersecurity

Number: 6-6-8008

Title: Network Architecture Isolation/Partitioning

Preventative Best Practice: Compartmentalization of technical assets is a basic isolation principle of security: contamination or damage to one part of an overall asset chain does not disrupt or destroy other parts of the asset chain. Network Operators and Service Providers should give deliberate thought to, and document, an architecture plan that partitions and isolates network communities and information through the use of firewalls, DMZs or (virtual) private networks. In particular, where feasible, it is suggested that the user traffic networks, network management infrastructure network, customer transaction system networks and enterprise communication/business operations networks be separated and partitioned from one another. Special care must be taken to assess OS, protocol and application vulnerabilities, and subsequently to harden and secure systems and applications that are located in DMZs or exposed to the open Internet.

Reference: ISF SB52, www.sans.org

Dependency: (none listed)

Implementor: NO, SP (Network Operators, Service Providers)
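The capability-minimization principle from the Driving Principles slide and the partitioning described in BP 6-6-8008, as an added example that is not part of the FG1B deliverable: a default-deny zone policy in Python. The zone names, address prefixes, allow rules and flows are constructed for the example; the checker also flags any rule that would expose the management or transaction zones directly to user traffic.

```python
"""Default-deny zone policy checker (added example, not FG1B material).
Models capability minimization (allow only what is needed, deny the rest)
and the partitioning of user, management, transaction and enterprise
networks described in BP 6-6-8008. All zones, prefixes, rules and flows
below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: one prefix per partition plus a DMZ.
ZONES = {
    "user": ip_network("10.10.0.0/16"),
    "mgmt": ip_network("10.20.0.0/16"),
    "txn": ip_network("10.30.0.0/16"),
    "enterprise": ip_network("10.40.0.0/16"),
    "dmz": ip_network("192.0.2.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src: str    # source zone
    dst: str    # destination zone
    proto: str  # "tcp" or "udp"
    port: int   # destination port

# The only flows permitted to cross a zone boundary; everything else drops.
ALLOW = [
    Rule("user", "dmz", "tcp", 443),        # customers reach public services
    Rule("dmz", "txn", "tcp", 5432),        # DMZ front end reaches transaction DB
    Rule("enterprise", "mgmt", "tcp", 22),  # admins manage from the enterprise net
]

def zone_of(ip):
    """Return the zone containing ip, or None for unknown address space."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def is_allowed(src_ip, dst_ip, proto, port):
    """Capability minimization: a cross-zone flow needs an explicit rule."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown address space is never trusted
    if src == dst:
        return True   # intra-zone traffic does not cross a partition boundary
    return Rule(src, dst, proto.lower(), port) in ALLOW

def isolation_violations(rules, protected=("mgmt", "txn")):
    """Rules that expose a zone BP 6-6-8008 says to isolate to raw user traffic."""
    return [r for r in rules if r.src == "user" and r.dst in protected]
```

Running isolation_violations over a proposed rule set before deployment turns the partitioning principle into a check rather than a hope.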

Page 16

Next Steps

• Publish preventative cybersecurity best practices for Industry comment and improvement, following NRIC Council acceptance of December 2002 cybersecurity deliverables.
• Refinement of recovery BPs for March 2003 deliverable
• Creation of March 2003 cover document with:
  – General cybersecurity recommendations
  – Strategic cybersecurity issues
  – Technology issues that require resolution for future BPs
• Additional refinement and addition of BPs for prevention and recovery as reviews are completed by NRIC membership