170 likes | 183 Views
Focus Group 1B Cybersecurity Dr. Bill Hancock, CISSP, CISM Cable & Wireless FG1B Chair bill.hancock@cw.com 972-740-7347. Charter of FG1B. Generate Best Practices for cybersecurity Telecommunications sector Internet services Propose New Actions (if needed) Deliverables
E N D
Focus Group 1B Cybersecurity Dr. Bill Hancock, CISSP, CISM Cable & Wireless FG1B Chair bill.hancock@cw.com 972-740-7347
Charter of FG1B • Generate Best Practices for cybersecurity • Telecommunications sector • Internet services • Propose New Actions (if needed) • Deliverables • December 2002 – prevention (105 BPs) • March 2003 – recovery (45 BPs) • Have made all deliverables, complete and on-time
Composition and Organization • Members include security officers, VPs, directors managers and subject matter experts (SMEs) • Members also include various U.S. Government agencies such as US DoC, U.S. DoD, U.S. DoJ, FCC, Federal Reserve, etc. • Group is divided into 8 working teams, each with a team leader volunteer to generate BPs for a given subject area
FG1B Teams • Fundamentals & Architecture • OAM&P (operations, administration, maintenance and provisioning) • AAA (authentication, accounting, audit) • Services • Signaling • Personnel • Users • Incidents
Guidance on Cybersecurity Best Practices • Current list of best practices (BPs) are constrained by what can be implemented • Recommended BPs are considered implementable due to expert experience from the team • Not all BPs are appropriate for all service providers or architectural implementations • The BPs are not intended for mandatory regulatory efforts • There will continue to exist security conditions that will require development of technologies and techniques that are not currently practical or available to solve the security issues they create. Focus group is working on recommendations for inclusion in final report. • This is a moving target that will require continual refinement, additions and improvement
Driving Principles in Cyber Security Best Practices • Capability Minimization • Allow only what is needed re: services, ports, addresses, users, etc. • Disallow everything else • Partitioning and Isolation • Defense in Depth • Aka “belt & suspenders” • Application, host and network defenses • KISS • Complexity makes security harder • General IT Hygiene • Backups, change control, privacy, architectures, processes, etc. • Avoid Security by Obscurity • A proven BAD IDEA™
The Present Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
Prevention Best Practices Deliverable (December 2002) • Composed of 103 best practices for preventing cybersecurity “events” • Includes • BP number • Title • Best practice for prevention • If any: reference and dependencies on other BPs • Implementors
Cybersecurity Recovery BPs • 45 delivered per charter • Most are more technical than preventative • Some are focused on known issues • Extensive work on incident response • Some items too extensive for BPs are included as appendices to the recovery BPs • Not a one-to-one match to prevention BPs • Not all prevention BPs will stop incidents due to the nature of technologies used
Real World Application Example: January 25, 2003, “Slammer” Worm Attack • FG1B Prevention BPs that apply • 6-6-8000 “Disable Unnecessary Services” • 6-6-8008 “Network Architecture Isolation/Partitioning” • 6-6-8015 “Segmenting Management Domains” • 6-6-8020 “Security HyperPatching” • 6-6-8032 “Patching Practices” • 6-6-8034 “Software Patching Policy” • 6-6-8037 “System Inventory Maintenance “ • 6-6-8039 “Patch/Fix Verification” • 6-6-8041 “Prevent Network Element Resource Saturation” • 6-6-8071 “Threat Awareness” • 6-6-8074 “Denial of Service Attack – Target” • 6-6-8091 “Validate source addresses”
What “Slammer” Did… • Originated in Asia at 12:30am 1-25-03 • Very small, very high propagation rate • Attacked MS SQL installations • Patch was available in July 2002 • Affected SQL Server and MSDE installs • Did not affect sites that used general BP concept of “turn it off if not needed” • Sites that disabled UDP 1433 & 1434 did not allow propagation to network • Took 3 days to effectively kill it off
Some “Slammer” Lessons • Rapid propagation time • Code Red in 2001 took many hours (self replication in 37 minutes on average) • Slammer estimates are 8 minutes (self replication was almost immediate) • Payload was very small and efficient • From original demo code of the problem written last July, very compact • Payload was NIL, but easily could have been very, very UGLY • Companies that followed appropriate FG1B BPs NOW were unaffected by Slammer
What Does this Mean? • Prevention of cyberattack is cheaper • Maintain SLAs, avoid penalties • Maintain reliability of connectivity • Reduce manpower costs • Consistent service and delivery • Increase customer satisfaction • Reduce support costs • Reduce negative PR burden • Many others…
Next Steps • Evangelism efforts for FG1B BPs • Trade shows • Speeches and conferences • Internal efforts • Publications and interviews • Update of BPs later in 2003 • Comments back from ballot efforts • Industry comments • Known need to add a few more • Preparation for industry survey in 2004 for adoption of FG1B cybersecurity BPs
Focus Group 1B Cybersecurity Dr. Bill Hancock, CISSP, CISM Cable & Wireless FG1B Chair bill.hancock@cw.com 972-740-7347