Transcript of Focus Group 1B Cybersecurity, Dr. Bill Hancock, CISSP, CISM, Cable & Wireless, FG1B Chair

Page 1:

Network Reliability and Interoperability Council

Focus Group 1B Cybersecurity

Dr. Bill Hancock, CISSP, CISM

Cable & Wireless

FG1B Chair

[email protected]

972-740-7347

Page 2:

Charter of FG1B

• Generate Best Practices for cybersecurity

– Telecommunications sector

– Internet services

• Propose New Actions (if needed)

• Deliverables

– December 2002 – prevention (105 BPs)

– March 2003 – recovery (45 BPs)

• Have made all deliverables, complete and on-time

Page 3:

Composition and Organization

• Members include security officers, VPs, directors, managers and subject matter experts (SMEs)

• Members also include various U.S. Government agencies such as U.S. DoC, U.S. DoD, U.S. DoJ, FCC, Federal Reserve, etc.

• The group is divided into 8 working teams, each with a volunteer team leader, to generate BPs for a given subject area

Page 4:

FG1B Teams

• Fundamentals & Architecture

• OAM&P (operations, administration, maintenance and provisioning)

• AAA (authentication, accounting, audit)

• Services

• Signaling

• Personnel

• Users

• Incidents

Page 5:

Guidance on Cybersecurity Best Practices

• The current list of best practices (BPs) is constrained by what can be implemented

• Recommended BPs are considered implementable based on the team's expert experience

• Not all BPs are appropriate for all service providers or architectural implementations

• The BPs are not intended for mandatory regulatory efforts

• There will continue to be security conditions that require technologies and techniques not currently practical or available to solve the security issues they create. The focus group is working on recommendations for inclusion in the final report.

• This is a moving target that will require continual refinement, additions and improvement

Page 6:

Driving Principles in Cyber Security Best Practices

• Capability Minimization

– Allow only what is needed re: services, ports, addresses, users, etc.

– Disallow everything else

• Partitioning and Isolation

• Defense in Depth

– Aka “belt & suspenders”

– Application, host and network defenses

• KISS

– Complexity makes security harder

• General IT Hygiene

– Backups, change control, privacy, architectures, processes, etc.

• Avoid Security by Obscurity

– A proven BAD IDEA™

Page 7:

The Past

Page 8:

The Present

Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

Page 9:

Prevention Best Practices Deliverable (December 2002)

• Composed of 103 best practices for preventing cybersecurity “events”

• Includes

– BP number

– Title

– Best practice for prevention

– If any: references and dependencies on other BPs

– Implementors

Page 10:

Example of Prevention Best Practice for Cybersecurity

Number 6-6-8008

Title Network Architecture Isolation/Partitioning

Preventative Best Practice

Compartmentalization of technical assets is a basic isolation principle of security where contamination or damage to one part of an overall asset chain does not disrupt or destroy other parts of the asset chain. Network Operators and Service Providers should give deliberate thought to and document an architecture plan that partitions and isolates network communities and information through the use of firewalls, DMZs or (virtual) private networks. In particular, where feasible, it is suggested that user traffic networks, the network management infrastructure network, customer transaction system networks and enterprise communication/business operations networks be separated and partitioned from one another. Special care must be taken to assess OS, protocol and application vulnerabilities, and subsequently to harden and secure systems and applications that are located in DMZs or exposed to the open Internet.

Reference ISF SB52, www.sans.org

Dependency (none listed)

Implementor NO, SP (Network Operators, Service Providers)

Page 11:

Cybersecurity Recovery BPs

• 45 delivered per charter

• Most are more technical than the prevention BPs

– Some are focused on known issues

• Extensive work on incident response

– Some items too extensive for BPs are included as appendices to the recovery BPs

• Not a one-to-one match to prevention BPs

• Not all prevention BPs will stop incidents, due to the nature of the technologies used

Page 12:

Real World Application Example: January 25, 2003, “Slammer” Worm Attack

• FG1B Prevention BPs that apply

– 6-6-8000 “Disable Unnecessary Services”

– 6-6-8008 “Network Architecture Isolation/Partitioning”

– 6-6-8015 “Segmenting Management Domains”

– 6-6-8020 “Security HyperPatching”

– 6-6-8032 “Patching Practices”

– 6-6-8034 “Software Patching Policy”

– 6-6-8037 “System Inventory Maintenance”

– 6-6-8039 “Patch/Fix Verification”

– 6-6-8041 “Prevent Network Element Resource Saturation”

– 6-6-8071 “Threat Awareness”

– 6-6-8074 “Denial of Service Attack – Target”

– 6-6-8091 “Validate source addresses”
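“Disable Unnecessary Services” and “System Inventory Maintenance” in the list above come down to one check: know what each host actually listens on and compare that with what its role needs. The Python below is an added example, not FG1B or NRIC material. It parses Windows-style `netstat -ano` output (the sample lines are constructed, not a capture) and reports every listener that a hypothetical per-role allow-list does not cover; the roles, ports and PIDs are assumptions for illustration.

```python
"""Host-level capability minimization check (added example, not FG1B code).

Parses Windows-style "netstat -ano" output and reports every listening
socket that a host's role does not need, in the spirit of BPs 6-6-8000
"Disable Unnecessary Services" and 6-6-8037 "System Inventory Maintenance".
The role allow-lists and the netstat lines are constructed for illustration.
"""

# Hypothetical per-role allow-list of (proto, port) a host is expected to
# expose. Anything else that is listening is a finding to disable or justify.
ROLE_NEEDS = {
    "web-dmz":     {("tcp", 80), ("tcp", 443)},
    "sql-backend": {("tcp", 1433)},   # single default SQL instance, TCP only
}

# Constructed sample shaped like "netstat -ano" on Windows (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1520
  TCP    10.20.0.5:1433         10.20.0.9:4912         ESTABLISHED     1520
  UDP    0.0.0.0:1434           *:*                                    1520
  UDP    0.0.0.0:161            *:*                                    880
"""


def parse_listeners(text):
    """Return {(proto, port): pid} for every listening socket in netstat output.

    TCP sockets count only in LISTENING state. Every bound UDP socket is
    reachable (there is no connection state), so all UDP lines count.
    """
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        proto = fields[0].lower()
        if proto == "tcp" and fields[3] != "LISTENING":
            continue
        # rsplit handles "0.0.0.0:1434" as well as "[::]:1434"
        port = int(fields[1].rsplit(":", 1)[1])
        listeners[(proto, port)] = fields[-1]
    return listeners


def unexpected_listeners(role, text):
    """Listening sockets not in the role's allow-list, as (proto, port, pid)."""
    needed = ROLE_NEEDS[role]
    return sorted(
        (proto, port, pid)
        for (proto, port), pid in parse_listeners(text).items()
        if (proto, port) not in needed
    )


if __name__ == "__main__":
    for proto, port, pid in unexpected_listeners("sql-backend", SAMPLE_NETSTAT):
        print(f"{proto}/{port} listening (PID {pid}) is not needed by role sql-backend")
```

On the constructed host the check flags RPC endpoint mapper on TCP 135, SNMP on UDP 161 and the SQL Server Resolution Service on UDP 1434, the last being the listener Slammer targeted; a single default instance reachable on TCP 1433 does not require it. Whether each finding is disabled or added to the allow-list is the inventory decision the BPs ask operators to make deliberately.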

Page 13:

What “Slammer” Did…

• Originated in Asia at 12:30am 1-25-03

• Very small, very high propagation rate

• Attacked MS SQL installations

– Patch was available in July 2002

– Affected SQL Server and MSDE installs

• Did not affect sites that used the general BP concept of “turn it off if not needed”

– Sites that disabled UDP 1433 & 1434 did not allow propagation to their network

• Took 3 days to effectively kill it off
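The point of this slide, that sites filtering UDP 1434 did not propagate the worm, is the “allow only what is needed, disallow everything else” principle from the Driving Principles slide (Page 6), combined with partitioning (BP 6-6-8008) and source-address validation (BP 6-6-8091) from the applicable-BP list. The Python below is an added example, not FG1B code: it models that policy as a zone-based default-deny filter with ingress anti-spoofing and evaluates it over constructed flow records. The zone prefixes, the allow-list and every address in it are hypothetical.

```python
"""Zone-based default-deny packet policy (added example, not FG1B code).

Models three FG1B ideas as one small policy engine: capability minimization
(allow only what is needed, deny everything else), partitioning and
isolation (BP 6-6-8008) and source-address validation (BP 6-6-8091).
Zones, prefixes, allow-list entries and flows are all hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical network partitions (BP 6-6-8008): each zone is one prefix.
ZONES = {
    "user": ip_network("10.10.0.0/16"),   # customer/user traffic network
    "mgmt": ip_network("10.20.0.0/24"),   # network management infrastructure
    "dmz":  ip_network("192.0.2.0/24"),   # Internet-exposed hosts
}

# Allow-list of (src_zone, dst_zone, proto, dst_port). Anything not listed
# is denied: this is "allow only what is needed, disallow everything else".
ALLOW = {
    ("internet", "dmz", "tcp", 443),   # public web service
    ("user", "dmz", "tcp", 443),
    ("mgmt", "dmz", "tcp", 22),        # admin SSH from the management net only
    ("mgmt", "user", "udp", 161),      # SNMP polling from the management net only
}


@dataclass(frozen=True)
class Flow:
    ingress: str      # interface the packet arrived on, named after its zone
    src: str
    dst: str
    proto: str
    dst_port: int


def zone_of(addr):
    """Map an address to its zone; anything outside the known prefixes is 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def evaluate(flow):
    """Return (verdict, reason); verdict is 'permit' or 'deny'."""
    src_zone = zone_of(flow.src)
    # BP 6-6-8091: a packet arriving on a zone's interface must carry a source
    # address belonging to that zone (ingress anti-spoofing). This also drops
    # packets from the Internet that claim an internal source.
    if src_zone != flow.ingress:
        return "deny", f"spoofed source {flow.src} on {flow.ingress} interface"
    key = (src_zone, zone_of(flow.dst), flow.proto, flow.dst_port)
    if key in ALLOW:
        return "permit", "allow-listed"
    return "deny", f"default deny: {flow.proto}/{flow.dst_port} {key[0]}->{key[1]}"


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("user", "10.10.4.7", "192.0.2.10", "tcp", 443),        # user to web: needed
    Flow("user", "10.10.4.7", "192.0.2.10", "udp", 1434),       # SQL resolution probe (Slammer vector)
    Flow("dmz", "192.0.2.10", "10.20.0.5", "udp", 1434),        # DMZ host probing the management net
    Flow("user", "192.0.2.99", "10.20.0.5", "tcp", 22),         # DMZ source address on the user interface
    Flow("mgmt", "10.20.0.5", "192.0.2.10", "tcp", 22),         # admin SSH to DMZ: needed
    Flow("internet", "198.51.100.7", "192.0.2.10", "tcp", 443), # public web client: needed
    Flow("internet", "10.10.4.7", "192.0.2.10", "tcp", 443),    # internal source address from outside
]


def audit(flows):
    """Evaluate every flow; returns [(flow, verdict, reason), ...]."""
    return [(f, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    for f, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:6} {f.proto}/{f.dst_port:<5} {f.src:>14} -> {f.dst:<12} {reason}")
```

Nothing in the policy names the worm. UDP 1434 is dropped in both directions simply because no partition needs it, which is why the slide's “turn it off if not needed” sites were unaffected without a signature; the same default deny would have stopped a worm on any other unneeded port. The spoof check matters for the denial-of-service BPs in the same list: a compromised DMZ host cannot borrow a management-network address to reach SSH.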

Page 14:

Some “Slammer” Lessons

• Rapid propagation time

– Code Red in 2001 took many hours (self replication in 37 minutes on average)

– Slammer estimates are 8 minutes (self replication was almost immediate)

• Payload was very small and efficient

– Derived from the original demo code for the vulnerability, written the previous July; very compact

– Payload was NIL (no destructive payload), but it easily could have been very, very UGLY

• Companies that were already following the applicable FG1B BPs were unaffected by Slammer

Page 15:

What Does this Mean?

• Prevention of cyberattack is cheaper

– Maintain SLAs, avoid penalties

– Maintain reliability of connectivity

– Reduce manpower costs

– Consistent service and delivery

– Increase customer satisfaction

– Reduce support costs

– Reduce negative PR burden

– Many others…

Page 16:

Next Steps

• Evangelism efforts for FG1B BPs

– Trade shows

– Speeches and conferences

– Internal efforts

– Publications and interviews

• Update of BPs later in 2003

– Comments back from ballot efforts

– Industry comments

– Known need to add a few more

• Preparation for industry survey in 2004 for adoption of FG1B cybersecurity BPs

Page 17:

(Closing slide: repeats the title slide and contact information.)