... 'Internet Assets', which are online infrastructure tha - PowerPoint PPT Presentation

Slides: 48
Provided by: Dan1
Learn more at: http://www.cs.cmu.edu
Transcript and Presenter's Notes


1
The ISP's Role in Improving Internet Security
  • Exploring the value and incentives for Internet
    Service Providers implementing security
    mechanisms on their residential networks.

2
The Internet MATTERS
  • To state the obvious: We are increasingly
    reliant on "Internet Assets", which are online
    infrastructure that supports services essential
    to our economy or government related services.

3
What are we defending?
  • Because they do not hold critical data or
    provide essential services, the security of
    computers on residential networks is often
    ignored in favor of focusing on defending
    high-profile Internet Assets.
  • However, the highly interconnected nature of the
    Internet means all connected machines have a
    non-trivial degree of interdependence.

4
Why do residential networks matter? (1)
  • Base of Worm/Virus Propagation
  • Actively propagating worms and viruses generate
    loads of traffic, overloading critical networks
    and servers and sometimes causing large-scale
    Internet instability. Computers on high-speed
    residential networks contribute significantly to
    the critical mass needed for these attacks to spread.
  • Distributed Denial of Service (DDOS) Attacks
  • High bandwidth DSL or Cable connections give
    DDOS attacks from many residential computers the
    ability to deny world-wide availability of
    Internet assets. The wide-spread nature of these
    sources makes the attack extremely difficult to
    deflect.

5
Why do residential networks matter? (2)
  • Noise of Scanning and Attacks
  • Researchers have detected that a significant
    portion of all Internet traffic is malicious
    attacks or scans caused either by active
    attackers or scanning worms from personal
    computers. This noise makes detecting real
    intrusions significantly more difficult.
  • Residential Stepping Stones for Intrusions
  • Compromised and hijacked residential computers
    allow malicious users to scan and launch attacks
    without fear of revealing their identity. Even if
    an attack is traced to a host, no real
    attribution or prosecution is possible.

6
The Problem?
  • The average user is not, does not want to be,
    and should not need to be a computer security
    expert any more than an airplane passenger wants
    to or should need to be an expert in aerodynamics
    or piloting. This very lack of sophisticated end
    users renders our society at risk to a threat
    that is becoming more prevalent and more
    sophisticated.
  • - Dan Geer, et al., CyberInsecurity: The Cost of Monopoly

7
Why are we looking at ISPs?
  • The current model of individual users being
    responsible for their own computer security in a
    "fend for yourself" environment has left the
    Internet in a precarious state.
  • It's time to explore new possibilities. As the
    gatekeepers of the Internet, ISPs are
    positioned to potentially play a significant role
    in securing the Internet.

8
What is the goal?
  • Explore how the incentives of service providers
    impact what security mechanisms are implemented.
  • In the end, we want to be able to answer:
  • For security mechanism X, what are the
    incentives of Internet service providers?

9
How to do this?
  • With a myriad of potential security
    enhancements, we need a structured approach to
    thinking about them.
  • This framework needs to get at the key factors
    that impact how service providers view the
    security enhancements.

10
ISP Security Actors
  • Asks the question: Who implements the security
    mechanism?
  • Actors: Consumer End-Host, ISP Network Traffic,
    Inter-Organizational

11
Security Mechanisms: Consumer End-Host
  • These are security mechanisms that are provided
    to and operated by individual end-users on their
    personal computers.
  • They often represent common "good care"
    mechanisms already used by security-savvy users
    or mandated by corporate IT staffs. These
    mechanisms leverage the ISP's role as a trusted
    source of network security knowledge and software
    for the consumer.
  • Example: Personal firewall software

12
Security Mechanisms: ISP Network Traffic
  • Security mechanisms that monitor, record, and
    potentially alter the rate/type/content of
    Internet traffic sent to and from end-hosts on
    the network.
  • These mechanisms are often more powerful than
    end-host mechanisms and are operated by the ISP
    behind the scenes. These leverage the ISP's role
    as the gatekeeper of all Internet traffic to and
    from customers.
  • Example: Blocking traffic on incoming ports
    known to be malicious.

13
Security Mechanisms: Inter-Organizational
  • Other security mechanisms are not contained
    within a single ISP network, but instead focus on
    how ISPs interact with each other or other
    organizations such as law enforcement.
  • These mechanisms leverage the common need of the
    ISP community as a whole to improve the security
    of their networks.
  • Example: Coordination to shut down DDOS attacks
    originating in another ISP.

14
Is this enough?
  • Knowing who is implementing a security mechanism
    is a helpful tool in identifying incentives, but
    is it enough?
  • No. Since we are considering mechanisms that
    impact overall Internet security, we cannot look
    at ISP security enhancements as a monolithic
    group.

15
ISP Security Methods
  • Asks the question: What is the goal of this
    security mechanism? This is independent of the
    actors involved.
  • Methods: Protect Customers From Attacks, Detect
    and Stop Malicious Outgoing Attacks, Improve
    Network Transparency

16
Security Mechanisms: Protecting Customers from Attacks
  • Attempts by ISPs to recognize and drop
    threatening incoming traffic or block common
    avenues of attack for hackers, viruses and worms
    in order to decrease the likelihood of a
    computer on their networks being successfully
    compromised.
  • This customer protection is the most common
    notion of ISP-based security.
  • Example: Intrusion Detection Software to
    recognize and block incoming attacks.

17
Security Mechanisms: Blocking Outgoing Attacks
  • Includes mechanisms to detect computers on the
    ISP network that are sending traffic deemed to be
    attacks, either as a result of a malicious user
    or because the hosts have been compromised by a
    hacker or worm. Once detected, this behavior is
    either stopped, blocked, or throttled.
  • Example: Scanning the network for likely compromised
    hosts and blocking all out-bound traffic from
    these hosts until the computers have been
    cleaned.

18
Security Mechanisms: Improving Network-Use Transparency
  • Improving the transparency of the network to
    help service providers monitor, trace and record
    traffic with greater ease and accuracy. This
    will allow easier recognition of attacks, and
    increase the chances that an attack can be traced
    close to its source, and potentially to an
    individual for prosecution.
  • Example: ISPs keep "call records" of IP-to-IP
    mappings for each computer a customer has
    sent/received traffic to/from, with information
    describing the type and quantity of traffic.

19
Developing a Structure to Analyze ISP Incentives
  • We now have two different means of classifying
    ISP security mechanisms, the Actor and Method
    schemes.
  • We want to develop a framework that will give us
    a useful tool to cluster security mechanisms into
    common groups and use this to analyze how
    incentives apply to ISPs without having to look
    at each security enhancement individually.

20
The Cluster Framework Using a 3x3 Matrix
  • The Actor and Method schemes are independent.
  • As a result, a 3 x 3 matrix can be used to
    combine them into a single system for grouping
    and analyzing potential security enhancements.
  • This matrix allows us to place each security
    mechanism into a CLUSTER with similar
    enhancements.

[Figure: 3 x 3 matrix combining the Method and Actor schemes]
21
The Two Frameworks Together
  • Each cluster contains an example of a potential
    security enhancement which falls within this
    category

22
Understand ISP Incentives
  • The task from here:
  • We will explore the positive and negative
    incentives ISPs have relating to security
    mechanisms and outline which clusters these
    incentives apply to.
  • In the end, we will be able to take a security
    mechanism, identify its cluster, and then use our
    exploration of the incentives to find what
    considerations impact the ISP when deciding
    whether to implement this enhancement.

23
Assigning Incentives to Clusters
  • For example: An ISP may have an incentive to
    increase revenue by charging for security
    services. Logically, the main security
    enhancements that can be charged for are in the
    Customer End-Host / Protect Customers cluster,
    since these changes are more visible to and
    provide extra value to the customer.
  • This corresponds to the upper-left corner cluster
    on the matrix. For each discussed incentive, we
    visually highlight the clusters that apply.
    Negative incentives are in red, positive
    incentives in green.

[Figure: cluster matrix. Method axis: Transparency, Block Outgoing Traffic, Protect Customers. Actor axis: End-host, Network Traffic, Inter-Organizational.]

24
Negative Incentives of ISPs
  • Since few of the discussed security mechanisms
    are implemented on a widespread scale, we begin
    by outlining the negative incentives which have
    given us today's ISP security environment.
  • Negative incentives are forces causing service
    providers to be less likely to implement a given
    security enhancement.

25
Negative Incentive: Employee Time
  • As businesses, ISPs want to minimize the
    number of employees they need for operation. The
    two main employee areas to consider for this work
    are network operations staff and customer service
    staff.

26
Negative Incentive: Infrastructure Costs
  • Some network traffic security enhancements will
    require replacing or improving the ISP's current
    infrastructure. Some changes may simply require
    additional capacity for current infrastructure,
    but many security improvements are themselves new
    pieces of network hardware sold by network
    security companies.

27
Negative Incentive: Software Licensing/Development Costs
  • End-host or network based protection schemes may
    require that ISPs either develop or license
    commercial software for each customer, leading to
    significant expenses. This is particularly
    difficult for small providers.

28
Negative Incentive: Disrupting Legitimate Customer Use
  • Since network traffic or behavior is difficult
    to classify as strictly malicious, well-meaning
    security mechanisms may well have unintended
    consequences that prohibit a form of legitimate
    network use by a customer.

29
Negative Incentive: Carrier-only Responsibility
  • Currently ISPs are not liable either in the case
    that a computer on their network is compromised
    or an attack originates from their network.
  • Some operators fear that providing security for
    customers may create implied liability.

30
Negative Incentive: Increased Network Complexity
  • Network complexity is the enemy of network
    reliability, which is a top priority for
    operators. Security features can add complexity,
    leading to increased network problems.

31
Negative Incentive: Consumer Complexity
  • A major selling point for Internet service is
    the simplicity with which it operates. Security
    mechanisms often require additional work on
    behalf of the user, increasing complexity.

32
Negative Incentive: Consumer Privacy
  • Many of the mechanisms described here require a
    degree of monitoring and record-keeping related
    to an individual's computer and Internet traffic.
    Users may object to these techniques on privacy
    grounds.

33
Negative Incentive: Global Instead of Local Benefit
  • Many enhancements that improve overall Internet
    security provide little actual value to the ISP
    implementing the change. It is bad business to
    invest money and resources for changes that help
    your competition more than they help you.

34
Positive Incentives of ISPs
  • The following section will outline the positive
    incentives of ISPs. These are forces causing
    service providers to be more likely to implement
    a given security enhancement

35
Positive Incentive: General Customer Satisfaction
  • While ISPs are not required to protect customer
    machines, the safety of an end-user's computer may
    impact their overall satisfaction with the ISP,
    decreasing time spent with customer service, and
    improving customer retention.

36
Positive Incentive: Network Utilization
  • Compromised hosts and incoming scans/attacks
    often generate massive amounts of traffic as a
    result of scanning or denial-of-service (DOS)
    attacks.
  • This traffic uses up the finite amount of
    bandwidth an ISP has (or alternatively, is
    charged for), decreasing its overall quality of
    service or increasing bandwidth costs.

37
Positive Incentive: Improved Network Monitoring Ability
  • The sheer volume and noise associated with
    malicious traffic (incoming and outgoing) make it
    difficult for ISPs to effectively monitor and
    control their network.

38
Positive Incentive: Legal Requirements
  • While current legal requirements are limited to
    sharing customer information and network access
    with law enforcement, the possibility exists that
    they could be required at any cluster in the
    matrix.

39
Positive Incentive: Service Differentiation / Revenue Sources
  • If security enhancements are protective and
    relatively simple to understand, adding these
    mechanisms can be sold to customers for an
    increased monthly fee, or used to provide a
    higher perceived quality of service than other
    ISPs

40
Positive Incentive: Improving Network Clean-up / Outages
  • A bad worm/virus outbreak can lead to service
    degradation and large clean-up costs. Thus,
    certain types of prevention/monitoring may be
    valuable to the ISP to reduce later costs.

41
Positive Incentive: Concerns about Image in ISP Community
  • ISPs that pay no attention to network security
    and as a result host many machines used to launch
    attacks draw widespread criticism from more
    conscientious portions of the ISP community.
    This is especially true for large tier 1
    providers who often top worst offender lists of
    ISPs.

42
Hypothetical: Worm Port Blocking
  • Let's say a new worm begins to spread on TCP
    port 445. Because we are concerned with overall
    Internet security, we would like ISP X to block
    outgoing traffic on this port to slow the spread
    of the worm. What are the incentives of the ISP
    in this case?

43
Hypothetical: Worm Port Blocking
  • This security mechanism falls in the "ISP
    Network Traffic" and "Block Outgoing Attacks"
    cluster of our framework.
  • We can look at our incentive analysis and see
    which factors will potentially influence the
    ISP's decision.

44
Hypothetical: Worm Port Blocking
  • Examine each potential negative incentive in
    this cluster, find those that directly apply:
  • Employee Time
  • Infrastructure Costs
  • Disruption of Legitimate Use
  • Network Complexity
  • Consumer Privacy

45
Hypothetical: Worm Port Blocking
  • Examine each potential positive incentive in
    this cluster, find those that directly apply:
  • Improve network monitoring abilities
  • Decrease Network Load
  • Concerns about image in ISP community
  • Importantly, what's not here?
  • Benefit for customers

46
Final Observation: ISP Security Incentive Inversion
  • ISPs have begun implementing more of the
    security mechanisms in the "Protect Customers
    From Attacks" category of the Method scheme;
    however, this is the category that has the LEAST
    overall impact at protecting key Internet Assets.
  • Furthermore, ISPs have little incentive to
    detect and block outgoing attacks or improve
    transparency so as to help law enforcement catch
    and prosecute Internet criminals. These are the
    categories with the greatest potential to help
    overall Internet security.
  • Recognizing this incentive inversion is
    central to understanding the issues surrounding
    ISP-based security mechanisms.

47
  • Observations: most of the activity has been in
    the "protect customers and data" section,
    naturally. Note that this is the category with the
    least value for the Internet as a whole (the
    impact is indirect for the real Internet Assets).
  • There is much less of a reason to block outgoing
    attacks, though this is highly desirable since
    attacks are thwarted much more easily near the source.
  • End-user solutions are inherently weak: they are run by
    users who may not configure them correctly.
    Difficult to detect malicious behavior because
    they can be circumvented. Finally, they protect
    stuff that we don't REALLY care about.
  • The potential for collaboration to develop and train on
    ISP security tools is great, but collaboration so far
    has been minimal. This is especially important
    for smaller ISPs.
  • A fundamental collective action problem stops solid
    potential enhancements. Either make it in their
    best interest, or require it across the board.