150 likes | 347 Views
Purpose of Today's Brief. Review of Charter and Architecture of FG1BExplanation of deliverables and work effortsBrief discussion of Prevention Best Practices deliverable for December, 2002Review work plan and deliverables for MarchGuidance to NRIC on subsequent deliverables in March 2003 on rec
E N D
2. Purpose of Todays Brief Review of Charter and Architecture of FG1B
Explanation of deliverables and work efforts
Brief discussion of Prevention Best Practices deliverable for December, 2002
Review work plan and deliverables for March
Guidance to NRIC on subsequent deliverables in March 2003 on recovery BPs and additional issues and items related to cybersecurity
3. Charter of FG1B Generate Best Practices for cybersecurity
Telecommunications sector
Internet services
Deliverables
December 2002 prevention
March 2003 recovery
New team, limited baseline material
4. Security is Very Complex Security is currently where networking was 15 years ago
Many parts & pieces
Complex parts
Lack of expertise in the industry (60% vacancy with no qualified personnel)
No common GUIs
Lack of standards
Attacks are growing
Customers require security from providers
5. As Systems Get Complex, Attackers are Less Sophisticated Random Incidents from April 2001
This is a sampling of incidents taken from press reports during the month.
Four large Internet banks in Britain were attacked by computer hackers, with hundreds of thousands of pounds believed stolen
First virus known to attack both Windows and Linux systems appeared
Two Russians were indicted on computer-crime charges stemming from a rash of intrusions into the networks of banks, ISPs, and others
Chinese crackers declared a week-long crack attack
Federal officials testified that hackers are succeeding more and more in gaining root privileges on government computers containing sensitive information
Malicious crackers used a bug in PDG Shopping Cart to break in to merchant Web sites and steal credit card numbers
Survey revealed cyber-terrorists have hacked into one-third of UKs big companies and public sector organizations
Someone broke into Warner Bros. online computer system and sent spam to the companys newsletter subscribers
There are two points to take from this list. One is that this is only the smallest inkling of whats really going on out there. I only listed a subset of stories that made the news. Most victims of hacking dont like publicizing the fact that they were attacked, so most attacks never made the news. And most attacks still go unnoticed by the victims.
The second point is that this is a normal month. Hacking is a way of life on the Internet. Remember a few years ago, when defacing a Web site made the newspaper? Remember two years ago, when distributed denial-of-service attacks and credit card thefts made the newspaper? Now preprogrammed worms like Code Red all all over the news. After a couple of dozen Code Red variants and other worms designed along similar lines, we'll think of them too as business as usual on the Internet.Random Incidents from April 2001
This is a sampling of incidents taken from press reports during the month.
Four large Internet banks in Britain were attacked by computer hackers, with hundreds of thousands of pounds believed stolen
First virus known to attack both Windows and Linux systems appeared
Two Russians were indicted on computer-crime charges stemming from a rash of intrusions into the networks of banks, ISPs, and others
Chinese crackers declared a week-long crack attack
Federal officials testified that hackers are succeeding more and more in gaining root privileges on government computers containing sensitive information
Malicious crackers used a bug in PDG Shopping Cart to break in to merchant Web sites and steal credit card numbers
Survey revealed cyber-terrorists have hacked into one-third of UKs big companies and public sector organizations
Someone broke into Warner Bros. online computer system and sent spam to the companys newsletter subscribers
There are two points to take from this list. One is that this is only the smallest inkling of whats really going on out there. I only listed a subset of stories that made the news. Most victims of hacking dont like publicizing the fact that they were attacked, so most attacks never made the news. And most attacks still go unnoticed by the victims.
The second point is that this is a normal month. Hacking is a way of life on the Internet. Remember a few years ago, when defacing a Web site made the newspaper? Remember two years ago, when distributed denial-of-service attacks and credit card thefts made the newspaper? Now preprogrammed worms like Code Red all all over the news. After a couple of dozen Code Red variants and other worms designed along similar lines, we'll think of them too as business as usual on the Internet.
6. Attack Growth Security Business is Good and Growing (Unfortunately)
7. Software Is Too Complex Sources of Complexity:
Applications and operating systems
Data mixed with programs
New Internet services
XML, SOAP, VoIP
Complex Web sites
Always-on connections
IP stacks in cell phones, PDAs, gaming consoles, refrigerators, thermostats The Complexity of Modern Software
Six Reasons Why Complex Products are Insecure:
More security bugs
Modularity
Interconnectedness
Difficulty of understanding
Difficulty of Analysis
Difficulty of Testing
For a detailed essay on complexity and security, see:
http://www.counterpane.com/crypto-gram-0003.html#SoftwareComplexityandSecurity
Buffer overflowsthe problem that just wont go awayserve as an excellent example of the problem.
Buffer overflows were first identified in the 1960s
They were first used to attack networked computers in the 1970s
The Morris Worm used buffer overflows: 1989
Today, buffer overflows are the most common way to attack systems (two-thirds of all CERT advisories)
The Complexity of Modern Software
Six Reasons Why Complex Products are Insecure:
More security bugs
Modularity
Interconnectedness
Difficulty of understanding
Difficulty of Analysis
Difficulty of Testing
For a detailed essay on complexity and security, see:
http://www.counterpane.com/crypto-gram-0003.html#SoftwareComplexityandSecurity
Buffer overflowsthe problem that just wont go awayserve as an excellent example of the problem.
Buffer overflows were first identified in the 1960s
They were first used to attack networked computers in the 1970s
The Morris Worm used buffer overflows: 1989
Today, buffer overflows are the most common way to attack systems (two-thirds of all CERT advisories)
8. Security Must Make Business Sense to Be Adopted The Business Case for Security
Perfect security is much too expensive, and not worth it
No security causes breaches that are much too expensive, and not worth it
Adequate security, at a reasonable cost, is worth it
Ability to offer new services
Ability to expand into new markets
Ability to attract, and retain, customers
The Business Case for Security
Perfect security is much too expensive, and not worth it
No security causes breaches that are much too expensive, and not worth it
Adequate security, at a reasonable cost, is worth it
Ability to offer new services
Ability to expand into new markets
Ability to attract, and retain, customers
9. Composition and Organization Members include security officers, VPs, directors managers and subject matter experts (SMEs)
Members also include various U.S. Government agencies such as US DoC, U.S. DoD, U.S. DoJ, FCC, Federal Reserve, etc.
Group is divided into 8 working teams, each with a team leader volunteer to generate BPs for a given subject area
10. FG1B Teams Fundamentals & Architecture
OAM&P (operations, administration, maintenance and provisioning)
AAA (authentication, accounting, audit)
Services
Signaling
Personnel
Users
Incidents
11. Delivery Plan for FG1B Cybersecurity Best Practices December 2002 Preventative BPs
Excel document for Industry comment and improvement
March 2003 Recovery BPs
Excel document for Industry comment and improvement
New, improved version of prevention BPs
Early 2003 Final Report (date TBD)
Cover document with cybersecurity topics that clarify the offerings, issues that require research and additional work, strategic issues in cybersecurity, implementation guidance and related topics
Prevention and recovery BPs
12. Guidance on Cybersecurity Best Practices Current list of best practices (BPs) are constrained by what can be implemented
Recommended BPs are considered implementable due to expert experience from the team
Not all BPs are appropriate for all service providers or architectural implementations
The BPs are not intended for mandatory regulatory efforts
There will continue to exist security conditions that will require development of technologies and techniques that are not currently practical or available to solve the security issues they create. Focus group is working on recommendations for inclusion in final report.
This is a moving target that will require continual refinement, additions and improvement
13. Driving Principles in Cyber Security Best Practices Capability Minimization
Allow only what is needed re: services, ports, addresses, users, etc.
Disallow everything else
Partitioning and Isolation
Defense in Depth
Aka belt & suspenders
Application, host and network defenses
KISS
Complexity makes security harder
General IT Hygiene
Backups, change control, privacy, architectures, processes, etc.
Avoid Security by Obscurity
A proven BAD IDEA
14. Prevention Best Practices Deliverable (December 2002) Composed of 103 best practices for preventing cybersecurity events
Includes
BP number
Title
Best practice for prevention
If any: reference and dependencies on other BPs
Implementors
15. Example of Prevention Best Practice for Cybersecurity
16. Next Steps Publish preventative cybersecurity best practices for Industry comment and improvement, following NRIC Council acceptance of December 2002 cybersecurity deliverables.
Refinement of recovery BPs for March 2003 deliverable
Creation of March 2003 cover document with:
General cybersecurity recommendations
Strategic cybersecurity issues
Technology issues that require resolution for future BPs
Additional refinement and addition of BPs for prevention and recovery as reviews are completed by NRIC membership