predisposing conditions security controls vulnerabilities a non- adversarial threat source (with a...

Predisposing Conditions

Security Controls

Vulnerabilities

A Non-Adversarial

Threat Source

(with a rangeof effects)

In the context of…

(with varying pervasiveness)

(planned andimplemented)

(ranging inseverity)

Could Initiate

(with varying likelihood of

initiation)

A Threat Event

Which could

result in


impact)

Adverse Impacts

Creating RISK to users and providers of the DNS – a combination of the nature of the impact and the likelihood

that its effects will be felt

(with varying severity and

range)


Security Controls

Vulnerabilities

An Adversarial Threat Source

(with capability, intent and targeting)





Could Initiate


initiation)

A Threat Event

Which could

result in


impact)

Adverse Impacts




range)


Security Controls

Vulnerabilities

A Non-Adversarial

Threat Source

(with a rangeof effects)





Could Initiate


initiation)

A Threat Event

Which could

result in


impact)

Adverse Impacts




range)

An Adversarial Threat Source

(with capability, intent and targeting)

OR

Threat SourcesNation statesGeo-political groupsInternational governance/regulatory bodies

Vulnerabilities

Managerial Interventions from outside the processPoor inter-organizational communicationsExternal relationships/dependenciesInconsistent or incorrect decisions about relative priorities

of core missions and business functionsLack of effective risk-management activitiesMission/business processes (e.g., poorly defined processes,

or processes that are not risk-aware)Operational

Infrastructure vulnerabilities

Predisposing Conditions that increase risk

ManagerialLegal standing (and relative youth) of ICANNDefinitions of responsibility, accountability, authority

between DNS providersOperational

Diverse operational environments and approaches

Predisposing Conditions The Reduce Risk

ManagerialMechanisms for providing (and receiving) risk assurances,

and establishing trust-relationships, with external entitiesContractual relationships between entities

OperationalDiverse, distributed system architecture and deploymentCulture of collaboration built on personal trust relationshipsDiverse operational environments and approaches

Missing or Insufficient Security Controls

Management ControlsPlanning Risk Assessment Program Management

Operational ControlsAwareness and Training Incident Response

Threat SourcesExternal parties and contractors -- large content and network

providersInternational governance/regulatory bodies

Vulnerabilities

Managerial Interventions from outside the processPoor inter-organizational communicationsExternal relationships/dependenciesInconsistent or incorrect decisions about relative priorities

of core missions and business functionsLack of effective risk-management activitiesMission/business processes (e.g., poorly defined processes,

or processes that are not risk-aware)


Management ControlsPlanning Risk Assessment Program Management

Operational ControlsAwareness and Training

Predisposing Conditions That Reduce Risk

ManagerialMulti-stakeholder, consensus-based decision-making model

OperationalDiverse, distributed system architecture and deploymentEmphasis on resiliency and redundancyCulture of collaboration built on personal trust relationshipsDiverse operational environments and approaches

Predisposing Conditions That Increase Risk

ManagerialLegal standing (and relative youth) of ICANNManagerial vs. operational vs. technical security

skills/focus/resourcesDefinitions of responsibility, accountability, authority

between DNS providers

Threat SourcesBlackout/Energy Failure


ManagerialContractual Relationships Between Entities

OperationalDiverse operational environments and approaches

Vulnerabilities

Managerial Poor inter-organizational communicationsLack of effective risk-management activities

OperationalInfrastructure vulnerabilitiesBusiness continuity vulnerabilities

Non-Adversarial Threat SourcesInfrastructure-Related Sources

Widespread infrastructure failureEarthquakesHurricanesTsunamiBlackout/Energy FailureSnowstorm/blizzard/ice-storm

Predisposing Conditions The Reduce Risk



Management ControlsRisk Assessment

Operational ControlsAwareness and Training Configuration Management Contingency PlanningIncident ResponsePhysical and Environmental Protection

Adversarial Threat SourcesRogue elementsInsiders

Vulnerabilities

Managerial Security architectures (e.g., poor architectural decisions

resulting in lack of diversity or resiliency in organizational information systems)

OperationalInfrastructure vulnerabilitiesInadequate training/awareness

Technical Vulnerabilities


Management ControlsSecurity Assessment and Authorization

Operational ControlsConfiguration Management Incident Response

Technical ControlsIdentification and AuthenticationSystem and Communications Protection


ManagerialMechanisms for providing (and receiving) risk assurances,

and establishing trust-relationships, with external entitiesContractual relationships between entities

OperationalCulture of collaboration built on personal trust relationshipsDiverse operational environments and approaches


ManagerialManagerial vs. operational vs. technical security

skills/focus/resourcesContractual relationships between entities

OperationalDiverse, distributed system architecture and deploymentEmphasis on resiliency and redundancy

Non-Adversarial Threat SourcesInfrastructure-Related Sources

Key hardware, software or process failure

Vulnerabilities

Managerial Vulnerabilities arising from missing or ineffective security

controls Operational

Malicious or unintentional (erroneous) alteration of root or TLD DNS configuration information


Operational ControlsAwareness and Training Incident ResponseSystem and Information Integrity


ManagerialManagerial vs. operational vs. technical security

skills/focus/resourcesSecurity project and program management skills/capacity

OperationalEmphasis on resiliency and redundancyDiverse operational environments and approaches


OperationalChain of trust single point of failure

TechnicalReliance on immature or custom built DNSSEC technologies

Adversarial Threat SourcesInternational governance/regulatory bodiesNation statesRogue elementsGeo-political groupsExternal parties and contractorsInsidersOrganized crime

Non-Adversarial Threat SourcesIndividual And Organizational Sources

International governance/regulatory bodiesNation statesPrivileged usersKey providers

Root-Related SourcesAlternate DNS rootsRoot scaling (SAC 46)Intentional or accidental results of DNS blocking (SAC 50)

Infrastructure-Related SourcesWidespread infrastructure failureKey hardware failureEarthquakesHurricanesTsunamiBlackout/Energy FailureSnowstorm/blizzard/ice-storm

Capability (Adversarial threat sources)10 -- Very High -- The adversary has a very sophisticated level of expertise, is well-resourced, and can generate opportunities to support multiple successful, continuous, and coordinated attacks.8 -- High -- The adversary has a sophisticated level of expertise, with significant resources and opportunities to support multiple successful coordinated attacks.5 -- Moderate -- The adversary has moderate resources, expertise, and opportunities to support multiple successful attacks.2 -- Low -- The adversary has limited resources, expertise, and opportunities to support a successful attack.1 -- Very Low -- The adversary has very limited resources, expertise, and opportunities to support a successful attack

Intent (Adversarial threat sources)10 -- Very High -- The adversary seeks to undermine, severely impede, or destroy the DNS by exploiting a presence in an organization's information systems or infrastructure. The adversary is concerned about disclosure of tradecraft only to the extent that it would impede its ability to complete stated goals.8 -- High -- The adversary seeks to undermine/impede critical aspects of the DNS, or place itself in a position to do so in the future, by maintaining a presence in an organization's information systems or infrastructure. The adversary is very concerned about minimizing attack detection/disclosure of tradecraft, particularly while preparing for future attacks.5 -- Moderate -- The adversary actively seeks to obtain or modify specific critical or sensitive DNS information or usurp/disrupt DNS cyber resources by establishing a foothold in an organization's information systems or infrastructure. The adversary is concerned about minimizing attack detection/disclosure of tradecraft, particularly when carrying out attacks over long time periods. The adversary is willing to impede aspects of the DNS to achieve these ends.2 -- Low -- The adversary seeks to obtain critical or sensitive DNS information or to usurp/disrupt DNS cyber resources, and does so without concern about attack detection/disclosure of tradecraft.1 -- Very Low -- The adversary seeks to usurp, disrupt, or deface DNS cyber resources, and does so without concern about attack detection/disclosure of tradecraft.

Targeting (Adversarial threat sources)10 -- Very High -- The adversary analyzes information obtained via reconnaissance and attacks to persistantly target the DNS, focusing on specific high-value or mission-critical information, resources, supply flows, or functions; specific employees or positions; supporting infrastructure providers/suppliers; or partnering organizations.8 -- High -- The adversary analyzes information obtained via reconnaissance to target persistently target the DNS, focusing on specific high-value or mission-critical information, resources, supply flows, or functions, specific employees supporting those functions, or key positions.5 -- Moderate -- The adversary analyzes publicly available information to persistantly target specific high-value organizations (and key positions, such as Chief Information Officer), programs, or information.2 -- Low -- The adversary uses publicly available information to target a class of high-value organizations or information, and seeks targets of opportunity within that class.1 -- Very Low -- The adversary may or may not target any specific organizations or classes of organizations.

Range of effect (to DNS providers) (Non-adversarial threat sources)10 -- sweeping, involving almost all DNS providers 8 -- extensive, involving most DNS providers (80%?)5 --wide-ranging, involving a significant portion of DNS providers (30%?)3 --limited, involving some DNS providers1 -- minimal, involving few if any DNS providers

Pervasiveness Of Predisposing Conditions That Negatively Impact Risk

10 -- Very High -- Applies to all organizational missions/business functions

8 -- High -- Applies to most organizational missions/business functions

5 -- Moderate -- Applies to many organizational missions/business functions

3 -- Low -- Applies to some organizational missions/business functions

1 -- Very Low -- Applies to few organizational missions/business functions


ManagerialLegal standing (and relative youth) of ICANNMulti-stakeholder, consensus-based decision-making modelManagerial vs. operational vs. technical security

skills/focus/resourcesDefinitions of responsibility, accountability, authority between DNS

providersSecurity project and program management skills/capacityCommon ("inheritable") vs. hybrid vs. organization/system-specific

controlsMechanisms for providing (and receiving) risk assurances, and

establishing trust-relationships, with external entitiesContractual relationships between entities


TechnicalRequirement for public access to DNS informationRequirements for scaling

Pervasiveness Of Predisposing Conditions That Positively Impact Risk

.1 -- Very High -- Applies to all organizational missions/business functions

.3 -- High -- Applies to most organizational missions/business functions

.5 -- Moderate -- Applies to many organizational missions/business functions

.8 -- Low -- Applies to some organizational missions/business functions

1 -- Very Low -- Applies to few organizational missions/business functions

Pervasiveness Of Controls10 -- Controls are missing 8 -- Controls are acknowledged as needed 5 -- Controls are planned or being implemented 2 -- Controls are implemented 1 -- Controls are effective

Controls

Management ControlsSecurity Assessment and Authorization Planning Risk Assessment System and Services Acquisition Program Management

Operational ControlsAwareness and Training Configuration Management Contingency PlanningIncident ResponseMaintenanceMedia ProtectionPhysical and Environmental ProtectionPersonnel SecuritySystem and Information Integrity

Technical ControlsAccess ControlAudit and AccountabilityIdentification and AuthenticationSystem and Communications Protection

Vulnerabilities

Managerial Interventions from outside the processPoor inter-organizational communicationsExternal relationships/dependenciesInconsistent or incorrect decisions about relative priorities of core

missions and business functionsLack of effective risk-management activitiesVulnerabilities arising from missing or ineffective security controls Mission/business processes (e.g., poorly defined processes, or

processes that are not risk-aware)Security architectures (e.g., poor architectural decisions resulting in

lack of diversity or resiliency in organizational information systems)Operational

Infrastructure vulnerabilitiesBusiness continuity vulnerabilitiesMalicious or unintentional (erroneous) alteration of root or TLD DNS

configuration informationInadequate training/awarenessInadequate incident-response

Technical (Under Discussion)IDN attacks (lookalike characters etc. for standard exploitation

techniques)Technical (System And Network)

Recursive vs. authoritative nameserver attacksDDOSEmail/spam

Technical (Identification And Authentication) Data poisoning (MITM, Cache)Name Chaining (RFC 3833)Betrayal by Trusted Server (RFC 3833)Authority or authentication compromisePacket InterceptionMan in the middleEavesdropping combined with spoofed responses

Vulnerability Severity10 -- Very High -- Relevant security control or other remediation

is not implemented and not planned; or no security measure can be identified to remediate the vulnerability.

8 -- High -- Relevant security control or other remediation is planned but not implemented.

5 -- Moderate -- Relevant security control or other remediation is partially implemented and somewhat effective.

2 -- Low -- Relevant security control or other remediation is fully implemented and somewhat effective.

1 -- Very Low -- Relevant security control or other remediation is fully implemented, assessed, and effective.

Threat Events

Zone does not resolve or is not availableZone is not correct or does not have integrity

Likelihood of initiation (by adversarial threat sources)10 -- Very High -- Adversary is almost certain to initiate the

threat-event 8 -- High -- Adversary is highly likely to initiate the threat event 5 -- Moderate -- Adversary is somewhat likely to initiate the

threat event 2 -- Low -- Adversary is unlikely to initiate the threat event 0 -- Very Low -- Adversary is highly unlikely to initiate the threat

event

Likelihood of initiation (by non-adversarial threat sources)10 -- Very high -- Error, accident, or act of nature is almost

certain to occur; or occurs more than 100 times a year. 8 -- High -- Error, accident, or act of nature is highly likely to

occur; or occurs between 10-100 times a year. 5 -- Moderate -- Error, accident, or act of nature is somewhat

likely to occur; or occurs between 1-10 times a year.2 -- Low -- Error, accident, or act of nature is unlikely to occur;

or occurs less than once a year, but more than once every 10 years.

0 -- Very Low -- Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every 10 years.

Likelihood of impact 10 -- Very High -- If the threat event is initiated or occurs, it is almost certain

to have adverse impacts. 8 -- High -- If the threat event is initiated or occurs, it is highly likely to have

adverse impacts. 5 -- Moderate -- If the threat event is initiated or occurs, it is somewhat likely

to have adverse impacts. 2 -- Low -- If the threat event is initiated or occurs, it is unlikely to have

adverse impacts. 0 -- Very Low -- If the threat event is initiated or occurs, it is highly unlikely to

have adverse impacts.

DSSA default value

Adverse ImpactsHarm To Nations And The World; E.G.

Damage to a critical infrastructure sectorLoss of government continuity of operations.Relational harms.Damage to trust relationships with other governments or with nongovernmental entities.Damage to national reputation (and hence future or potential trust relationships).Damage to current or future ability to achieve national objectives.

Harm To Individuals; E.G.

Identity theft (only applies to "loss of integrity" threat-event)Loss of Personally Identifiable Information (only applies to "loss of integrity" threat-event)Injury or loss of lifeDamage to image or reputation.

Harm To Assets; E.G.

Damage to or of loss of information assets.Loss of intellectual property (only applies to "loss of integrity" threat-event)Damage to or loss of physical facilities.Damage to or loss of information systems or networks.Damage to or loss of information technology or equipment.Damage to or loss of component parts or supplies.

Harm To Operations/Organizations; E.G.

Inability to perform current missions/business functions.- In a sufficiently timely manner.- With sufficient confidence and/or correctness.- Within planned resource constraints.

Inability, or limited ability, to perform missions/business functions in the future.- Inability to restore missions/business functions.- In a sufficiently timely manner.- With sufficient confidence and/or correctness.- Within planned resource constraints.

Harms (e.g., financial costs, sanctions) due to noncompliance.- With applicable laws or regulations.- With contractual requirements or other requirements in other binding agreements.

Direct financial costs.Damage to trust relationships or reputation

- Damage to trust relationships.- Damage to image or reputation (and hence future or potential trust relationships).Relational harms

Range of Impact10 -- Very Broad -- The effects of the threat event are sweeping, involving

almost all consumers of the DNS 8 -- Broad -- The effects of the threat event are extensive, involving most of the

consumers of the DNS 5 -- Moderate -- The effects of the threat event are substantial, involving a

significant portion of the consumers of the DNS 2 -- Low -- The effects of the threat event are limited, involving some

consumers of the DNS but involving no critical resources. 0 -- The effects of the threat event are minimal or negligible, involving few if

any consumers of the DNS and involving no critical resources. .

Severity10 -- Very Severe -- The threat event could be expected to have multiple severe

or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the world. And in all cases there would be significant problems for registrants and users in the zone.

8 -- High -- The threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the world.

5 -- Moderate -- The threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals other organizations, or the world.

2 -- Low -- The threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals other organizations, or the world.

0 -- Very Low -- The threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals other organizations, or the world.

DSSA default value

• Incident response– Provide initial response to an

incident– Communicate incidents– Conduct impact assessments– Detect security events (through

monitoring, advisories, reports of suspicious activity, etc.)

– Provide incident resolution and countermeasures

– Conduct investigations

• Technical Practices– Electronic mail security– Network security – Operating system security– Data security– Application security– Security for public servers– Wireless network security– Personal computers and electronic devices

• Technology management– Routers– Vulnerability assessment systems– Configuration management systems– Patch management systems– Firewall systems– Backup & recovery– Intrusion detection and log-analysis

systems– Wireless access points

• Security Management– Overall management and

direction– Security strategy and alignment

within overall IT strategy– Program management– Security metrics– Policy– Guidelines and standards

• Risk Management– Developing and maintaining an

inventory of systems (determining contents, owner, maintainer, location, etc.)

– Mapping information and systems into security categories

– Conducting assessments of systems– Analyzing risks, identifying gaps/

mitigation/repair-actions

• Compliance Monitoring– Measure progress and

compliance in the following areas;

• incident response• practices• technology• management• risk-management

• Operational Practices– Training and awareness– Certification and accreditation– Legal and regulatory compliance– Securing external contractors– Rewards and sanctions– Acceptable use– Business continuity

DSSA scope, as compared with security management overall

Risk Planning

Assume the risk

Avoid the risk

Transfer the risk

Limit the risk

Assess

Mitigate

Monitor

DNRMF scope – Risk Management Framework

Compliance and Activity-Monitoring

DSSA scope – risk assessment

Education, Training,

Awareness

Standards, Tools,Techniques

Monitoring

RiskPlanning

Other stuff – including front-line mitigation…

GlueRegional or segment focus

Constituencies

EdgeOrganization-focused risk

Providers/Consumers

CoreEcosystem-wide

Collaborative

Risk Assessment

DSSA

Identify threats

Identify vulnerabilities

Describe predisposing

conditions

1) Build scenarios

Analyze controls

2) Identify gaps

Determine likelihood

Analyze impact

Determine risk

3) Evaluate risk

STRATEGICCross-community collaboration

Gaps in policy, management, or leadership splits the root

“Reductive” forces (security, risk-mitigation, control

through rules, etc.) splits the root

Ecosystem-wide

“Regional” or “segment” focus

Provider or organization-focused risk

CORE

GLUE

EDGE

LONG-TERM IMMEDIATE

Need: coordination, fast

response

Need:models, tools,

support, direction

TACTICALDNS providers are at the forefront

Risk Scenario Topic List

Attacks exploiting technical vulnerabilities of the DNS bring down the root or a

major TLDInadvertent technical mishap

brings down the root or a major TLD

Widespread natural disaster brings down the root or a

major TLD


“Reductive” forces (security, risk-mitigation, control through rules,

etc.) splits the root

Ecosystem-wide



CORE

GLUE

EDGE

LONG-TERM


response

Need:models, tools,

support, direction








major TLD


Ecosystem-wide



CORE

GLUE

EDGE

LONG-TERM


response

Need:models, tools,

support, direction


Widespread natural disaster brings down the root or a major TLD












Ecosystem-wide



CORE

GLUE

EDGE

LONG-TERM IMMEDIATE


response

Need:models, tools,

support, direction



Attacks exploiting technical vulnerabilities of the DNS bring down the root or a major TLD

Inadvertent technical mishap brings down the root or a

major TLD


major TLD





Ecosystem-wide



CORE

GLUE

EDGE

LONG-TERM IMMEDIATE


response

Need:models, tools,

support, direction


Inadvertent technical mishap brings down the root or a major

TLD



major TLD


major TLD






major TLD

Ecosystem-wide



CORE

GLUE

EDGE

LONG-TERM IMMEDIATE


response

Need:models, tools,

support, direction


Inadvertent technical mishap brings down the root or a

major TLD


major TLD




Ecosystem-wide



CORE

GLUE

EDGE


response

Need:models, tools,

support, direction

1. Refine tools by doing one in detailBuild and validate

the tools

2. Broaden participation to

finish assessmentDemo the tools,

focus on broadening participation and

reducing cycle time



LONG-TERM IMMEDIATE





major TLD



Note: Sensitivity, attribution and release to public are determined

by info-provider

Sensitive Not sensitive

Not attributed to source (transmitted through trusted 3rd party or

summaries of Type 1 developed by sub-group)

Type 2: Distributed to sub-

groups only. (Info-providers

determine ultimate distribution)

Info-provider authorizes

release

Type 3: Distributed to DSSA and

public (“sanitized” info from sub-

groups and other non-attributed information)

Attributed to source Type 1: Distributed to sub-

groups only (under NDA, most-

protected)

Confidential info must

never pass through this path. This is

the exposure of information we’re trying to prevent.

Type 4: Distributed to DSSA and

public

predisposing conditions security controls vulnerabilities a non- adversarial threat source (with a...

Documents

varying severity

varying pervasiveness

threat event

non adversarial threat

range of effects

range slide