Network Reliability and Interoperability Council
Focus Group 1B Cybersecurity
Dr. Bill Hancock, CISSP
Cable and Wireless America
FG1B Chair
972-740-7347
Purpose of Today's Brief
• Review of Charter and Architecture of FG1B
• Explanation of deliverables and work efforts
• Brief discussion of Prevention Best Practices deliverable for December 2002
• Review work plan and deliverables for March
• Guidance to NRIC on subsequent deliverables in March 2003 on recovery BPs and additional issues and items related to cybersecurity
Charter of FG1B
• Generate Best Practices for cybersecurity
– Telecommunications sector
– Internet services
• Deliverables
– December 2002 – prevention
– March 2003 – recovery
• New team, limited baseline material
Security is Very Complex
• Security is currently where networking was 15 years ago
• Many parts & pieces
• Complex parts
• Lack of expertise in the industry (60% vacancy with no qualified personnel)
• No common GUIs
• Lack of standards
• Attacks are growing
• Customers require security from providers
[Figure: security architecture component map. Components shown: Network Access Control Interception and Enforcement Facility; PKI Manager; Centralized Security Policy Manager; Digital Signature Interface; Other Security Entity Manager; Token Card Manager; OS Security Management Tools; Certificate Authority Interface; Virus Interception & Correction; VPN Session or Tunnel Manager; Single Sign-on Tools; Security Event Report Writer(s); Encryption Facilities for Network Connections; Security Policy Distributor; Cyberwall/Firewall Rule Base; Connection Manager and Logging; Application Proxy Implementations; Security Traffic Event Analyzer; Application Logging Facility; VPN IPSec and VPN Connection Manager; Stateful Inspection; Intrusion Logging; Intrusion Prevention; Application Inspection; Security Event Logging; Security Integrity Manager; Packet Inspection; Frame Inspection; Security Filter Engine; Real-time Frame Management; Intrusion Detection (Network, Host-based, Application-based). Functional groupings: Authentication, Cryptography, Anti-Virus, Intrusion Detection, Auditing, Security Management.]
As Systems Get Complex, Attackers are Less Sophisticated…
[Figure: attack sophistication rising while the knowledge an intruder needs falls, 1980 to 2000. Vertical axis: attack sophistication / intruder knowledge (low to high); horizontal axis: 1980, 1985, 1990, 1995, 2000. Techniques in roughly chronological order: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, network management diagnosis, packet spoofing, GUI-driven tools, automated probes/scans, denial of service, WWW attacks, "stealth"/advanced scanning techniques, distributed attack tools, staged attack, cross site scripting.]
Attack Growth – Security Business is Good and Growing (Unfortunately)
[Figure: incidents reported to CERT/CC, 1988 to 2002 (vertical axis 0 to 100,000 attacks). Values called out on the chart:]
Year      1999    2000    2001    2002
Attacks   9,859   21,756  52,658  86,000
Source: CERT/CC
Software Is Too Complex
• Sources of Complexity:
– Applications and operating systems
– Data mixed with programs
– New Internet services
• XML, SOAP, VoIP
– Complex Web sites
– Always-on connections
– IP stacks in cell phones, PDAs, gaming consoles, refrigerators, thermostats
[Figure: size of successive Windows releases, in millions of lines of code. Windows 3.1 (1992): 3; Windows NT (1992): 4; Windows 95 (1995): 15; Windows NT 4.0 (1996): 16.5; Windows 98 (1998): 18; Windows 2000 (2000): 35; Windows XP (2001): 45.]
Security Must Make Business Sense to Be Adopted
[Figure: cost ($) versus security level (0% to 100%). The cost of security countermeasures rises with the security level while the cost of security breaches falls; the total cost curve is the sum of the two, and its minimum marks the optimal level of security at minimum cost.]
Composition and Organization
• Members include security officers, VPs, directors, managers and subject matter experts (SMEs)
• Members also include various U.S. Government agencies such as U.S. DoC, U.S. DoD, U.S. DoJ, FCC, Federal Reserve, etc.
• Group is divided into 8 working teams, each with a volunteer team leader, to generate BPs for a given subject area
FG1B Teams
• Fundamentals & Architecture
• OAM&P (operations, administration, maintenance and provisioning)
• AAA (authentication, accounting, audit)
• Services
• Signaling
• Personnel
• Users
• Incidents
Delivery Plan for FG1B Cybersecurity Best Practices
• December 2002 – Preventative BPs
– Excel document for Industry comment and improvement
• March 2003 – Recovery BPs
– Excel document for Industry comment and improvement
– New, improved version of prevention BPs
• Early 2003 – Final Report (date TBD)
– Cover document with cybersecurity topics that clarify the offerings, issues that require research and additional work, strategic issues in cybersecurity, implementation guidance and related topics
– Prevention and recovery BPs
Guidance on Cybersecurity Best Practices
• The current list of best practices (BPs) is constrained to what can be implemented today
• Recommended BPs are considered implementable based on the expert experience of the team
• Not all BPs are appropriate for all service providers or architectural implementations
• The BPs are not intended for mandatory regulatory efforts
• There will continue to exist security conditions that require development of technologies and techniques that are not currently practical or available to solve the security issues they create. The focus group is working on recommendations for inclusion in the final report.
• This is a moving target that will require continual refinement, additions and improvement
Driving Principles in Cyber Security Best Practices
• Capability Minimization
– Allow only what is needed re: services, ports, addresses, users, etc.
– Disallow everything else
• Partitioning and Isolation
• Defense in Depth
– Aka "belt & suspenders"
– Application, host and network defenses
• KISS
– Complexity makes security harder
• General IT Hygiene
– Backups, change control, privacy, architectures, processes, etc.
• Avoid Security by Obscurity
– A proven BAD IDEA™
Prevention Best Practices Deliverable (December 2002)
• Composed of 103 best practices for preventing cybersecurity "events"
• Each entry includes
– BP number
– Title
– Best practice for prevention
– If any: reference and dependencies on other BPs
– Implementors
Example of Prevention Best Practice for Cybersecurity
Number: 6-6-8008
Title: Network Architecture Isolation/Partitioning
Preventative Best Practice:
Compartmentalization of technical assets is a basic isolation principle of security: contamination or damage to one part of an overall asset chain must not disrupt or destroy other parts of the chain. Network Operators and Service Providers should give deliberate thought to, and document, an architecture plan that partitions and isolates network communities and information through the use of firewalls, DMZs or (virtual) private networks. In particular, where feasible, it is suggested that the user traffic network, the network management infrastructure network, the customer transaction system networks and the enterprise communication/business operations networks be separated and partitioned from one another. Special care must be taken to assess OS, protocol and application vulnerabilities, and subsequently to harden and secure systems and applications that are located in DMZs or exposed to the open Internet.
Reference: ISF SB52, www.sans.org
Dependency: none listed
Implementor: NO (Network Operators), SP (Service Providers)
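As an added example, not taken from the NRIC deck or the FG1B deliverable, the following Python models the default-deny, zone-partitioned policy that the Capability Minimization and Partitioning and Isolation principles above and BP 6-6-8008 describe. The zone names follow the four network communities named in the BP plus a DMZ; the address ranges, the allow rules, the sample flows and the helper names (`decide`, `audit_isolation`) are hypothetical and constructed for illustration, not from any real operator's rule base.

```python
"""Zone-based default-deny policy model (added example, not from the NRIC deck)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical zone layout mirroring the communities named in BP 6-6-8008.
# Address ranges are made up (RFC 1918 and TEST-NET-1 space).
ZONES = {
    "user":       ipaddress.ip_network("10.10.0.0/16"),  # user traffic network
    "mgmt":       ipaddress.ip_network("10.20.0.0/24"),  # network management infrastructure
    "txn":        ipaddress.ip_network("10.30.0.0/24"),  # customer transaction systems
    "enterprise": ipaddress.ip_network("10.40.0.0/16"),  # business operations network
    "dmz":        ipaddress.ip_network("192.0.2.0/24"),  # Internet-exposed hosts
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]  # None means any destination port


# Explicit allow list. Anything not matched here is dropped: that is the
# "allow only what is needed, disallow everything else" principle.
ALLOW = [
    Rule("user", "dmz", "tcp", 443),         # users reach the public web front end
    Rule("dmz", "txn", "tcp", 8443),         # front end reaches the transaction API only
    Rule("mgmt", "dmz", "tcp", 22),          # admins manage DMZ hosts from the mgmt net
    Rule("mgmt", "txn", "tcp", 22),
    Rule("enterprise", "dmz", "tcp", 443),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one flow under the default-deny rule base."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny"  # unclassified traffic never crosses a zone boundary
    if sz == dz:
        return "allow"  # intra-zone traffic is outside this model's scope
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.proto) == (sz, dz, proto) and r.dport in (None, dport):
            return "allow"
    return "deny"


def audit_isolation(rules: List[Rule] = ALLOW) -> List[str]:
    """Flag rules that would let user or DMZ traffic into the management network."""
    findings = []
    for r in rules:
        if r.dst_zone == "mgmt" and r.src_zone in ("user", "dmz"):
            findings.append(
                f"{r.src_zone}->mgmt {r.proto}/{r.dport} breaks management-plane isolation"
            )
    return findings


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    ("10.10.5.7",   "192.0.2.10", "tcp", 443),   # user -> DMZ web: allow
    ("10.10.5.7",   "10.20.0.5",  "tcp", 22),    # user -> mgmt SSH: deny
    ("192.0.2.10",  "10.30.0.9",  "tcp", 8443),  # DMZ -> txn API: allow
    ("192.0.2.10",  "10.30.0.9",  "tcp", 3306),  # DMZ -> txn DB port: deny
    ("203.0.113.4", "10.20.0.5",  "tcp", 22),    # unknown source -> mgmt: deny
]


def evaluate_samples():
    """Evaluate every constructed flow; returns (flow, verdict) pairs."""
    return [(flow, decide(*flow)) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in evaluate_samples():
        print(f"{verdict:5s} {flow[0]:>13s} -> {flow[1]:<12s} {flow[2]}/{flow[3]}")
    print("isolation findings:", audit_isolation() or "none")
```

The model is a policy check, not an enforcement point: the same rule set still has to be expressed in the firewalls or VPN gateways that sit between the zones. The `audit_isolation` pass is the kind of review worth running whenever rules change, since a single user-to-management or DMZ-to-management allow undoes the partitioning the BP asks for.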
Next Steps
• Publish preventative cybersecurity best practices for Industry comment and improvement, following NRIC Council acceptance of the December 2002 cybersecurity deliverables
• Refinement of recovery BPs for the March 2003 deliverable
• Creation of the March 2003 cover document with:
– General cybersecurity recommendations
– Strategic cybersecurity issues
– Technology issues that require resolution for future BPs
• Additional refinement and addition of BPs for prevention and recovery as reviews are completed by NRIC membership