Focus Group 1B Cybersecurity - PowerPoint PPT Presentation
1
Focus Group 1B Cybersecurity
Dr. Bill Hancock, CISSP, CISM
Cable & Wireless, FG1B Chair
bill.hancock@cw.com, 972-740-7347
2
Charter of FG1B
  • Generate Best Practices for cybersecurity
      • Telecommunications sector
      • Internet services
  • Propose New Actions (if needed)
  • Deliverables
      • December 2002: prevention (105 BPs)
      • March 2003: recovery (45 BPs)
  • Have made all deliverables, complete and on time

3
Composition and Organization
  • Members include security officers, VPs, directors,
    managers and subject matter experts (SMEs)
  • Members also include various U.S. Government
    agencies such as U.S. DoC, U.S. DoD, U.S. DoJ, FCC,
    Federal Reserve, etc.
  • Group is divided into 8 working teams, each with
    a volunteer team leader, to generate BPs for a
    given subject area

4
FG1B Teams
  • Fundamentals & Architecture
  • OAMP (operations, administration, maintenance
    and provisioning)
  • AAA (authentication, accounting, audit)
  • Services
  • Signaling
  • Personnel
  • Users
  • Incidents

5
Guidance on Cybersecurity Best Practices
  • The current list of best practices (BPs) is
    constrained by what can be implemented
  • Recommended BPs are considered implementable based
    on the expert experience of the team
  • Not all BPs are appropriate for all service
    providers or architectural implementations
  • The BPs are not intended for mandatory regulatory
    efforts
  • There will continue to be security conditions that
    require development of technologies and techniques
    that are not currently practical or available to
    solve the security issues they create. The focus
    group is working on recommendations for inclusion
    in the final report.
  • This is a moving target that will require
    continual refinement, additions and improvement

6
Driving Principles in Cyber Security Best
Practices
  • Capability Minimization
      • Allow only what is needed regarding services,
        ports, addresses, users, etc.
      • Disallow everything else
  • Partitioning and Isolation
  • Defense in Depth
      • Aka belt & suspenders
      • Application, host and network defenses
  • KISS
      • Complexity makes security harder
  • General IT Hygiene
      • Backups, change control, privacy, architectures,
        processes, etc.
  • Avoid Security by Obscurity
      • A proven BAD IDEA

7
The Past
8
The Present
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
9
Prevention Best Practices Deliverable (December
2002)
  • Composed of 103 best practices for preventing
    cybersecurity events
  • Includes
      • BP number
      • Title
      • Best practice for prevention
      • Any references and dependencies on other BPs
      • Implementors

10
Example of Prevention Best Practice for
Cybersecurity
11
Cybersecurity Recovery BPs
  • 45 delivered per charter
  • Most are more technical than preventative
  • Some are focused on known issues
  • Extensive work on incident response
  • Some items too extensive for BPs are included as
    appendices to the recovery BPs
  • Not a one-to-one match to prevention BPs
  • Not all prevention BPs will stop incidents due to
    the nature of technologies used

12
Real World Application Example January 25, 2003,
Slammer Worm Attack
  • FG1B Prevention BPs that apply
      • 6-6-8000 Disable Unnecessary Services
      • 6-6-8008 Network Architecture Isolation/Partitioning
      • 6-6-8015 Segmenting Management Domains
      • 6-6-8020 Security HyperPatching
      • 6-6-8032 Patching Practices
      • 6-6-8034 Software Patching Policy
      • 6-6-8037 System Inventory Maintenance
      • 6-6-8039 Patch/Fix Verification
      • 6-6-8041 Prevent Network Element Resource
        Saturation
      • 6-6-8071 Threat Awareness
      • 6-6-8074 Denial of Service Attack Target
      • 6-6-8091 Validate Source Addresses

13
What Slammer Did
  • Originated in Asia at 12:30 am on 1-25-03
  • Very small, very high propagation rate
  • Attacked MS SQL installations
  • Patch was available in July 2002
  • Affected SQL Server and MSDE installs
  • Did not affect sites that used the general BP
    concept of "turn it off if not needed"
  • Sites that blocked UDP 1433 & 1434 did not allow
    propagation into their network
  • Took 3 days to effectively kill it off

14
Some Slammer Lessons
  • Rapid propagation time
      • Code Red in 2001 took many hours (self
        replication in 37 minutes on average)
      • Slammer estimates are 8 minutes (self
        replication was almost immediate)
  • Payload was very small and efficient
      • Based on the original demo code of the problem
        written last July; very compact
      • Payload was NIL, but easily could have been
        very, very UGLY
  • Companies that followed the appropriate FG1B BPs
    NOW were unaffected by Slammer
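The Slammer slides above describe two things a defender can check for directly: one host spraying UDP 1434 at many destinations within seconds (the propagation pattern), and UDP 1433/1434 traffic reaching hosts where the service is not needed (the "disable unnecessary services" / capability-minimization principle from slide 6). The following is an added example, not from the presentation or FG1B: a small Python detector over constructed flow-log lines (sample addresses, thresholds and function names are assumed) that flags the fan-out and lists flows outside an explicit allowlist.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log (not data from the presentation):
# timestamp, source, destination, protocol, destination port.
# 10.1.1.5 hits many hosts on UDP/1434 within seconds (worm-like);
# 10.1.1.9 is an ordinary client talking to one SQL server.
SAMPLE_FLOWS = """\
2003-01-25T00:30:00 10.1.1.5 10.2.0.11 udp 1434
2003-01-25T00:30:00 10.1.1.5 10.2.0.12 udp 1434
2003-01-25T00:30:01 10.1.1.5 10.3.7.4 udp 1434
2003-01-25T00:30:01 10.1.1.5 10.9.1.1 udp 1434
2003-01-25T00:30:02 10.1.1.5 10.4.4.4 udp 1434
2003-01-25T00:30:02 10.1.1.5 10.5.5.5 udp 1434
2003-01-25T00:30:03 10.1.1.9 10.2.0.11 tcp 1433
2003-01-25T00:31:00 10.1.1.9 10.2.0.11 udp 1434
2003-01-25T00:40:00 10.1.1.5 10.6.6.6 udp 1434
"""

SQL_PORTS = {1433, 1434}  # SQL Server / SQL Server Resolution Service


def parse_flows(text):
    """Parse whitespace-separated flow lines into tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto, port = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst, proto, int(port)))
    return flows


def find_udp_fanout(flows, window_s=10, min_targets=5):
    """Return {src: distinct targets} for sources that reach at least
    min_targets distinct hosts on UDP SQL ports inside a sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, port in sorted(flows):
        if proto == "udp" and port in SQL_PORTS:
            by_src[src].append((ts, dst))
    alerts, window = {}, timedelta(seconds=window_s)
    for src, events in by_src.items():
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_targets:
            alerts[src] = best
    return alerts


def flows_outside_allowlist(flows, allowed):
    """Capability-minimization check: flows whose (proto, port) is not explicitly allowed."""
    return [f for f in flows if (f[3], f[4]) not in allowed]
```

With the sample data, only 10.1.1.5 is reported (6 distinct targets inside one 10-second window), while the single UDP flow from 10.1.1.9 stays below the threshold.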

15
What Does this Mean?
  • Prevention of cyberattack is cheaper
      • Maintain SLAs, avoid penalties
      • Maintain reliability of connectivity
      • Reduce manpower costs
      • Consistent service and delivery
      • Increase customer satisfaction
      • Reduce support costs
      • Reduce negative PR burden
      • Many others

16
Next Steps
  • Evangelism efforts for FG1B BPs
      • Trade shows
      • Speeches and conferences
      • Internal efforts
      • Publications and interviews
  • Update of BPs later in 2003
      • Comments back from ballot efforts
      • Industry comments
      • Known need to add a few more
  • Preparation for industry survey in 2004 on
    adoption of FG1B cybersecurity BPs

17
Focus Group 1B Cybersecurity
Dr. Bill Hancock, CISSP, CISM
Cable & Wireless, FG1B Chair
bill.hancock@cw.com, 972-740-7347