Are You Ready for the Next Attack? Reviewing the SP Security Checklist (APNIC 40)

ARE YOU READY FOR THE NEXT ATTACK? Reviewing the SP Security Checklist Barry Greene - [email protected]

Upload: barry-greene

Post on 12-Feb-2017


TRANSCRIPT


Checklist Approach

Checklists are one of the most essential tools for productivity we have in the industry.

Surprisingly, too few “Internet” and “Telecom” operators use the checklist approach to optimize their operations.

What follows is the first in several “check lists” designed for Internet Service Providers, be they Mobile, traditional Telco, Content, or ISPs.

They can be cut/pasted and used in your organization.

Additions to the checklist are always welcomed.

* Thanks to Stephen Stuart @ Google for pointing out Atul Gawande’s book

Note: If this is new to you, read the book “The Checklist Manifesto” and watch the TED talk:

http://www.ted.com/talks/atul_gawande_how_do_we_heal_medicine

"[T]he malware that was used would have gotten past 90 percent of the Net defenses that are out there today in private industry and [would have been] likely to challenge even state government,"

Joe Demarest, Assistant Director of the FBI’s Cyber Division.

Do we have your attention?

Our Traditional View of the World

The Internet is not organized based on countries. It is a group of “Autonomous System Networks” (ASNs) all interconnected in a Global Network.

The Reality of the Internet - No Borders

How does a government enforce the rule of law where the Internet’s risks are all trans-national?

Work on the Right Security Problem

This is nice to know

Who we need to Target

The Good Guys are the Big Part of the Security Problem

Threat Vectors have Evolved

Cyber-Criminal Threats

Cyber-Crime is an International Legal problem that has no short term resolution. There will always be someplace in the

Political, Patriotic, Protestors

There is always going to be someone, somewhere, who is upset with society, with the ability to make their anxiety known through any network, anywhere.

Nation State Threats

Post-Snowden, the secret world of nation state security is now all in the open. Your network is a valid “Battle Space” for any Cyber-War.

What really happens if I’m attacked?

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

The market does not penalize!

http://www.informationisbeautiful.net/

The “market” is forgiving IF you have a security reaction plan.

A security reaction plan will not prevent revenue losses, customer churn, and legal actions, but … organizations do recover from “big data breaches”

Security Threats are a Force of Nature

Think of the current and future security threats as a force of the environment we live in. This is not new to human society. We have to live with the issues of nature all the time.

Like a hurricane, it is not a matter of if, but when. Even worse, you can be in a zone where the hurricane, tornado, flood, earthquake, and blizzard are all a major risk.

Forces of Nature cannot be stopped - the only thing you can do is mitigate risk through your design, preparation, and investment.

“Security” Excuses

• LaLaLa, if I ignore you maybe you will go away.
• It is someone else's problem.
• I don’t know where to start.
• I need to wait for someone to tell me what to do.
• No one has been killed ..... yet.
• I need more training!
• We cannot afford all the security equipment.
• We need to wait for ISO 27001 Certification.

Reality - there is a lot of “talk” about security, but most operations just do not care …. until the s!@# hits the fan.

Positive Control

Have positive control over all elements in your network.

Know who is accessing, when they are accessing, and where they are accessing from. Think beyond TACACS+. Start asking for Diameter and two-factor authorization with IPv6-only access. Log everything and expect all three threat vectors to be probing. The consequences of neglect are severe.

This is always the #1 issue risk assessors find in networks! Who is that logging in? Why is a node from country X logging in?

VTY ACLs are Critical

Put VTY access lists everywhere, log them, plot the hits in MRTG/Cacti, and create the alert scripts.

The VTY access list trick is one of the key cost-effective tools that consistently delivers key indicators of attackers probing the network, exploring the network, or trying to break into the elements of the network. The only way to make this work effectively is to build your own script or use tools from companies like 6Connect.

Why is someone trying to telnet into my eNodeB from another eNodeB? Why is there an increase in “drops” on my internal SSH?
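The two slides above ask the same operational question from two sides: who is succeeding at logging in, and who is being dropped by the VTY access list. The script below is an added example (not from the slides or from any vendor tool) of the “build your own script” step. It reads Cisco IOS-format syslog, flags successful logins that come from outside the management prefixes or from an unexpected country, sums VTY ACL denies per source so they can be graphed in MRTG/Cacti, and raises an alert when one source crosses a probing threshold. The log lines are constructed samples; the leading `geo=XX` field is a hypothetical enrichment tag assumed to be added by the log collector, not an IOS field. The management prefix and the allowed-country set are likewise assumptions for the example.

```python
"""Added example: audit management-plane access from IOS-style syslog.
Checks 'Positive Control' (who logged in, from where) and the VTY ACL
indicator (who is being denied, how often) in one pass."""
import ipaddress
import re
from collections import Counter

# Constructed sample syslog. "geo=XX" is a hypothetical collector-added tag.
SAMPLE_LOG = """\
geo=AU <189>Jan 10 01:02:03 core1: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: noc-alice] [Source: 10.200.1.15] [localport: 22] at 01:02:03 UTC Mon Jan 10 2017
geo=XX <189>Jan 10 01:05:10 core1: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 22] at 01:05:10 UTC Mon Jan 10 2017
geo=AU <189>Jan 10 01:06:00 enb-17: %SEC-6-IPACCESSLOGP: list VTY-ACL denied tcp 10.44.0.9(40211) -> 10.44.0.12(23), 1 packet
geo=AU <189>Jan 10 01:06:30 enb-17: %SEC-6-IPACCESSLOGP: list VTY-ACL denied tcp 10.44.0.9(40212) -> 10.44.0.12(22), 1 packet
geo=AU <189>Jan 10 01:11:30 enb-17: %SEC-6-IPACCESSLOGP: list VTY-ACL denied tcp 10.44.0.9(40213) -> 10.44.0.12(22), 5 packets
geo=AU <189>Jan 10 01:12:00 core1: %SEC-6-IPACCESSLOGP: list VTY-ACL denied tcp 198.51.100.5(55001) -> 10.200.0.1(22), 1 packet
"""

# Assumed for the example: the only prefix NOC staff should log in from, and
# the only country they are expected to be in.
MGMT_PREFIXES = [ipaddress.ip_network("10.200.1.0/24")]
ALLOWED_GEOS = {"AU"}

LOGIN_RE = re.compile(
    r"geo=(?P<geo>\w+) .*?(?P<host>\S+): %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[0-9A-Fa-f.:]+)\]")
DENY_RE = re.compile(
    r"(?P<host>\S+): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[0-9A-Fa-f.:]+)\(\d+\) -> (?P<dst>[0-9A-Fa-f.:]+)\((?P<dport>\d+)\), (?P<n>\d+) packet")


def audit_logins(log_text, mgmt_prefixes=MGMT_PREFIXES, allowed_geos=ALLOWED_GEOS):
    """Successful logins that break positive control: source outside the
    management prefixes, or geo tag outside the allowed set."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        in_mgmt = any(src in net for net in mgmt_prefixes)
        geo_ok = m["geo"] in allowed_geos
        if not (in_mgmt and geo_ok):
            findings.append({
                "host": m["host"], "user": m["user"], "src": str(src), "geo": m["geo"],
                "reason": "outside management prefixes" if not in_mgmt else "unexpected country",
            })
    return findings


def deny_counts(log_text):
    """Packets denied by the VTY ACL, summed per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            counts[m["src"]] += int(m["n"])
    return counts


def probing_sources(log_text, threshold=5):
    """Sources whose denied-packet count reached the alert threshold."""
    return sorted(src for src, n in deny_counts(log_text).items() if n >= threshold)


def total_denies(log_text):
    """One number per poll for an MRTG/Cacti external-script data source."""
    return sum(deny_counts(log_text).values())


if __name__ == "__main__":
    for f in audit_logins(SAMPLE_LOG):
        print("LOGIN ALERT", f)
    for src, n in deny_counts(SAMPLE_LOG).most_common():
        print(f"VTY deny {src}: {n} packets")
    print("probing sources:", probing_sources(SAMPLE_LOG))
    print("total denies for Cacti:", total_denies(SAMPLE_LOG))
```

On the sample input the login by `admin` from 203.0.113.77 is flagged, 10.44.0.9 is reported as a probing source (7 denied packets against two eNodeB ports), and the total of 8 is what the graphing poller would collect. In production the per-source counter is the one to graph and alert on; the total alone hides a single source quietly walking the network.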

Force Vendor Security Partnerships

Use the Vendor Security Checklist with all your vendors now.

Set up the meetings, have them comply, and push if non-compliant. Then have these items part of all your RFPs. Vendors will NOT pay attention to security until their customers demand security …. or if you take legal action for liability against the vendors.

Waiting for the dialog is going to create problems when the s!@# hits the fan with a specific vendor.

* E-mail and ask for a copy with the Security “RFP” questions.

What is the Upgrade Plan?

Every element in your system needs a tested Upgrade Plan.

Don’t wait for an emergency patch to find out that a major router takes 6 hours to upgrade! Create the upgrade plan. Write the MOP for the test as a template. Test the plan in your lab, or in the vendor's lab. Table-top exercise how you would run a rolling upgrade throughout the entire system. Map the other systems which are coupled dependencies or collaterally impacted. Once all of this is done, start working on designs where you can do these upgrades without the massive service impact.

Your first reaction would be “isn’t this basic?” Start asking for details and you will be surprised. One vendor thought it was normal for a router to be upgraded in 4 hours!

IPv6 Check = Security

Bring in all your vendors and review the IPv6 Checklist.

Don't wait for the next RFP. The Cyber-Criminal and Nation-State threat vectors both know that IPv6 is the easy entry for getting into and through a network. There are far too many half-completed IPv6 deployments with equipment that is not ready (i.e. no IPv6 security features).

Cyber-Criminals figured out that IPv6 was a backdoor into a network 5 years ago.

Build your Attack Trees

Learn Attack Trees, build your attack trees, explore all the ways you can break a network.

Once you have your own list of dirty tricks to break your network, start building reaction plans with the tools you have in place right now. If brave, get someone to facilitate a Red Team - Blue Team table top exercise.
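A small attack-tree evaluator, added here as an example and not part of the slides: leaves carry a relative attacker cost and a flag saying whether a control from this checklist already closes them, AND nodes need every child, OR nodes need any one. The defender’s question is “what is the cheapest path still open?”, which is where the reaction plan goes first, and the tree is re-evaluated after each control is applied. The tree, the costs and the leaf names are a constructed illustration built from the checklist items on this page, not an assessment of any real network.

```python
"""Added example: evaluate an attack tree and find the cheapest open path."""
from dataclasses import dataclass, field
from typing import List

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "LEAF"       # "LEAF", "AND" or "OR"
    cost: float = 0.0        # leaf only: relative attacker effort (constructed)
    mitigated: bool = False  # leaf only: a checklist control closes this step
    children: List["Node"] = field(default_factory=list)


def min_cost(node: Node) -> float:
    """Cheapest open attacker effort to reach `node`; INF means closed."""
    if node.kind == "LEAF":
        return INF if node.mitigated else node.cost
    costs = [min_cost(c) for c in node.children]
    return min(costs) if node.kind == "OR" else sum(costs)


def cheapest_path(node: Node) -> List[str]:
    """Leaf names on the cheapest open path to `node` ([] if closed)."""
    if min_cost(node) == INF:
        return []
    if node.kind == "LEAF":
        return [node.name]
    if node.kind == "OR":
        return cheapest_path(min(node.children, key=min_cost))
    return [leaf for c in node.children for leaf in cheapest_path(c)]


def mitigate(node: Node, leaf_name: str) -> bool:
    """Mark a leaf as closed by a control; True if the leaf was found."""
    if node.kind == "LEAF":
        if node.name == leaf_name:
            node.mitigated = True
            return True
        return False
    return any(mitigate(c, leaf_name) for c in node.children)


def build_tree() -> Node:
    """Constructed tree for the goal 'attacker controls a network element',
    with leaves drawn from the checklist items on this page."""
    return Node("Attacker controls a network element", "OR", children=[
        Node("Interactive login with a stolen credential", "AND", children=[
            # Closed: VTY ACLs are in place on every element.
            Node("Reach the VTY from a non-management prefix", cost=1, mitigated=True),
            # Open: no second factor yet.
            Node("Reuse a leaked or phished password", cost=3),
        ]),
        Node("Exploit an element that missed an emergency patch", "AND", children=[
            # Open: no tested upgrade plan, so the patch window is long.
            Node("Upgrade window longer than the vendor advisory window", cost=2),
            Node("Reach the vulnerable service on the element", cost=2),
        ]),
        # Open: half-finished IPv6 deployment with no IPv6 security features.
        Node("Enter through a half-finished IPv6 deployment with no IPv6 ACLs", cost=5),
    ])


if __name__ == "__main__":
    tree = build_tree()
    while min_cost(tree) != INF:
        path = cheapest_path(tree)
        print(f"cheapest open path (cost {min_cost(tree)}): {path}")
        mitigate(tree, path[0])  # apply a control to the first step and re-evaluate
    print("goal closed")
```

Run stand-alone it walks the tree: the stolen-credential branch is already closed by the VTY ACL, so the cheapest open path is the unpatched-element branch (cost 4); once a tested upgrade plan closes that, the IPv6 entry (cost 5) is next; after that the goal is closed. That ordering is the reaction-plan priority list the slide asks you to build.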

Write your BGP Policy!

Write your BGP policy down so that your CEO understands it!

What are you going to send? What are you going to receive? How are you going to monitor? How are you going to enforce? How do you manage your customers? The days when “BGP policy” lived only in a “Cisco config script” are over; that will not work when the threat environment is so hostile. One of the barriers to RPKI ROA registration is the lack of proactive thinking, planning, and documentation around an operator’s interconnection policy.

You will make important discoveries of “BGP risk” when you write it down in a way that everyone can understand!
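One way to write the “what will we receive and how will we enforce it” part down so that it is both readable and checkable is to express the inbound policy as plain data and evaluate announcements against it, including RFC 6811 route origin validation against the ROAs the slide mentions. The script below is an added example, not from the slides or from any router vendor: the ROA set, the private-use ASNs and the announcements are constructed samples using documentation prefixes, and the special-use prefix list is deliberately shortened (the documentation prefixes used by the samples are left off it so the samples can be accepted).

```python
"""Added example: inbound BGP policy as data, plus RFC 6811 origin validation."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    asn: int


# Constructed ROA set (in production this comes from the RPKI validator cache).
ROAS = [
    Roa("203.0.113.0/24", 24, 64500),
    Roa("198.51.100.0/22", 24, 64501),
    Roa("2001:db8::/32", 48, 64500),
]

# The inbound policy in a form the CEO can read and the router can enforce.
# Special-use list shortened for the example; documentation prefixes used by
# the samples are intentionally not on it.
INBOUND_POLICY = {
    "accept_rov_states": {"valid", "notfound"},   # invalid is rejected
    "max_prefix_length": {4: 24, 6: 48},           # no more-specifics beyond these
    "reject_prefixes": ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                        "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
                        "::/128", "::1/128", "fc00::/7", "fe80::/10"],
}


def _covers(container: str, net) -> bool:
    c = ipaddress.ip_network(container)
    return c.version == net.version and net.subnet_of(c)


def rov_state(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811: valid if a covering ROA matches the origin AS and the prefix
    is no longer than its maxLength; invalid if covering ROAs exist but none
    match; notfound if no ROA covers the prefix."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        if not _covers(roa.prefix, net):
            continue
        covered = True
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


def evaluate_inbound(prefix: str, origin_asn: int, policy=INBOUND_POLICY, roas=ROAS):
    """Apply the written policy to one received announcement.
    Returns (decision, rov_state, reasons)."""
    net = ipaddress.ip_network(prefix)
    reasons = []
    if net.prefixlen == 0:
        reasons.append("default route")
    if net.prefixlen > policy["max_prefix_length"][net.version]:
        reasons.append("too specific")
    if any(_covers(p, net) for p in policy["reject_prefixes"]):
        reasons.append("special-use prefix")
    state = rov_state(prefix, origin_asn, roas)
    if state not in policy["accept_rov_states"]:
        reasons.append(f"rov {state}")
    return ("accept" if not reasons else "reject", state, reasons)


def policy_review(announcements, policy=INBOUND_POLICY, roas=ROAS):
    """One plain-language row per announcement: the review table for the CEO."""
    return [(p, asn) + evaluate_inbound(p, asn, policy, roas) for p, asn in announcements]


# Constructed announcements as a peer might send them.
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # registered origin
    ("203.0.113.0/25", 64500),   # same origin, but more specific than the ROA allows
    ("198.51.100.0/24", 64502),  # covered by a ROA for a different AS
    ("192.0.2.0/24", 64503),     # no ROA at all
    ("10.1.0.0/16", 64500),      # private address space
    ("2001:db8:1::/48", 64500),  # IPv6, within maxLength
    ("0.0.0.0/0", 64500),        # default route
]

if __name__ == "__main__":
    for prefix, asn, decision, state, reasons in policy_review(SAMPLE_ANNOUNCEMENTS):
        print(f"{prefix:18} AS{asn}  {decision:6} rov={state:8} {', '.join(reasons)}")
```

Each row of the review table states a decision and the reason in words, which is exactly the artifact the slide asks for: a document everyone can read, with the router filter generated from it rather than the other way round.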

Review your DNS Architecture!

Review all of your DNS Architecture to Ensure it is Resilient.

Several of the major “DNS outages” in 2014 had a root cause in how they were designed. Do not listen to the vendors who want to sell you a solution that puts all the DNS functionality into one box, creating single points of failure.
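A design-review check for the single points of failure the slide warns about, added here as an example and not from the slides or any product: given an inventory of DNS servers with their address, AS, site and roles, it reports too few authoritative servers or resolvers, authoritative servers that all sit in one AS, one site or one /24 (or /48), boxes that combine master, authoritative and resolver roles, and a zone master exposed as a public authoritative server. Both inventories are constructed: the first is the all-in-one design, the second spreads authoritative service across sites and ASes, keeps the master hidden and runs the resolvers separately.

```python
"""Added example: find single points of failure in a DNS architecture."""
import ipaddress


def aggregate(ip: str):
    """The /24 (IPv4) or /48 (IPv6) containing the address: one outage domain."""
    addr = ipaddress.ip_address(ip)
    plen = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def spof_findings(servers):
    """Return plain-language findings for a list of server dicts with keys
    name, ip, asn, site and roles (a set drawn from master/auth/resolver)."""
    findings = []
    auth = [s for s in servers if "auth" in s["roles"]]
    resolvers = [s for s in servers if "resolver" in s["roles"]]
    if len(auth) < 2:
        findings.append("fewer than two authoritative servers")
    if len(resolvers) < 2:
        findings.append("fewer than two resolvers for customers")
    for key, label in (("asn", "AS"), ("site", "site")):
        if auth and len({s[key] for s in auth}) == 1:
            findings.append(f"all authoritative servers in one {label}")
    if auth and len({aggregate(s["ip"]) for s in auth}) == 1:
        findings.append("all authoritative servers in one /24 or /48")
    for s in servers:
        if len(s["roles"]) > 1:
            findings.append(f"{s['name']} combines roles {sorted(s['roles'])}")
    for s in auth:
        if "master" in s["roles"]:
            findings.append(f"{s['name']}: zone master is exposed as a public authoritative server")
    return findings


# Constructed: the vendor all-in-one design (two boxes, one site, one AS).
ONE_BOX = [
    {"name": "dns1.example.com", "ip": "203.0.113.10", "asn": 64500, "site": "DC-A",
     "roles": {"master", "auth", "resolver"}},
    {"name": "dns2.example.com", "ip": "203.0.113.11", "asn": 64500, "site": "DC-A",
     "roles": {"auth", "resolver"}},
]

# Constructed: hidden master, authoritative servers across sites and ASes,
# resolvers on their own hosts.
DIVERSE = [
    {"name": "hidden-master", "ip": "10.9.0.5", "asn": 64500, "site": "DC-A", "roles": {"master"}},
    {"name": "ns1.example.com", "ip": "203.0.113.10", "asn": 64500, "site": "DC-A", "roles": {"auth"}},
    {"name": "ns2.example.com", "ip": "198.51.100.20", "asn": 64501, "site": "DC-B", "roles": {"auth"}},
    {"name": "ns3.example.com", "ip": "2001:db8:2::53", "asn": 64502, "site": "anycast", "roles": {"auth"}},
    {"name": "res1", "ip": "10.9.1.53", "asn": 64500, "site": "DC-A", "roles": {"resolver"}},
    {"name": "res2", "ip": "10.9.2.53", "asn": 64500, "site": "DC-B", "roles": {"resolver"}},
]

if __name__ == "__main__":
    for label, inventory in (("one-box design", ONE_BOX), ("diverse design", DIVERSE)):
        print(f"{label}:")
        for f in spof_findings(inventory) or ["no single points of failure found"]:
            print("  -", f)
```

The check is only as good as the inventory fed to it, so in a review the inventory should come from the zone’s NS records and the resolver configuration actually in service, not from the design document. For a mobile network, run it once per DNS architecture (tracking-area/APN, resolver, infrastructure, authoritative and roaming/ENUM), since each is a separate outage domain.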

Review your DNS Architecture! Example: Generic DNS Authoritative Infrastructure

[Diagram: EXAMPLE.COM authoritative module receiving zone updates and answering the query “Where is www.example.com?”, with the steps numbered 1 to 3.]

Review your DNS Architecture! Example: Generic DNS Resolver Infrastructure

[Diagram: customers and users asking “Where is www.example.com?” of a DNS resolver cluster, with optional tiers on either side, returning the answer for www.example.com.]

Review your DNS Architecture! Example: LTE has Five Separate DNS “Architectures!”

[Diagram: LTE reference architecture (E-UTRAN, IMS, operator’s IP services; interfaces S1-MME (S1-AP), S1-U (GTP-U), S5 (GTP-C, GTP-U), S6a (DIAMETER), S6b (DIAMETER), S10 (GTP-C), S11 (GTP-C), SWx (DIAMETER), Gx (Gx+), Gxc (Gx+), Rx+, SGi) with the five DNS architectures marked: Tracking Area/APN DNS, Resolver DNS, Infrastructure DNS, Authoritative DNS, and Roam DNS (ENUM).]

Where is your “Security Community?”

Proactively build a security community of peers.

The Internet is a network of people! Major security issues on the Internet are solved by communities of people who have aligned interests. These communities take proactive investment. Many times you will be working with your competitors. Yet, the effort will save your network. If not tomorrow, then next year or the year after.

Can you pick up the phone, call several of your peers, and start working on a security issue that is impacting everyone?

Checklist Summary

Positive Control

VTY ACLs are Critical

Force Vendor Security Partnerships

Every element in your system needs a tested Upgrade Plan.

Bring in all your vendors and review the IPv6 Check list.

Learn Attack Trees, build your attack trees, explore all the ways you can break a network.

Write your BGP policy down so that your CEO understands it!

Review all of your DNS Architecture to Ensure it is Resilient.

Proactively build a security community of peers.

More to come …..

What’s Next?

Commit to do something to prepare your organization. You do not need to ask permission, just start doing something …..

Where to get the “Checklist?”

www.senki.org

Barry’s Linkedin Post - http://www.linkedin.com/in/barryrgreene/ or Twitter: @BarryRGreene

Reach out and Build a Community