2. Purpose of Today's Brief
Review of Charter and Architecture of FG1B
Explanation of deliverables and work efforts
Brief discussion of Prevention Best Practices deliverable for December, 2002
Review work plan and deliverables for March
Guidance to NRIC on subsequent deliverables in March 2003 on recovery BPs and additional issues and items related to cybersecurity
3. Charter of FG1B
Generate Best Practices for cybersecurity
Telecommunications sector
Internet services
Deliverables
December 2002 prevention
March 2003 recovery
New team, limited baseline material
4. Security Is Very Complex
Security is currently where networking was 15 years ago
Many parts & pieces
Complex parts
Lack of expertise in the industry (60% vacancy with no qualified personnel)
No common GUIs
Lack of standards
Attacks are growing
Customers require security from providers
5. As Systems Get Complex, Attackers Are Less Sophisticated
Random Incidents from April 2001
This is a sampling of incidents taken from press reports during the month.
Four large Internet banks in Britain were attacked by computer hackers, with hundreds of thousands of pounds believed stolen
First virus known to attack both Windows and Linux systems appeared
Two Russians were indicted on computer-crime charges stemming from a rash of intrusions into the networks of banks, ISPs, and others
Chinese crackers declared a week-long crack attack
Federal officials testified that hackers are succeeding more and more in gaining root privileges on government computers containing sensitive information
Malicious crackers used a bug in PDG Shopping Cart to break into merchant Web sites and steal credit card numbers
Survey revealed cyber-terrorists have hacked into one-third of the UK's big companies and public sector organizations
Someone broke into Warner Bros.' online computer system and sent spam to the company's newsletter subscribers
There are two points to take from this list. One is that this is only the smallest inkling of what's really going on out there. I only listed a subset of stories that made the news. Most victims of hacking don't like publicizing the fact that they were attacked, so most attacks never made the news. And most attacks still go unnoticed by the victims.
The second point is that this is a normal month. Hacking is a way of life on the Internet. Remember a few years ago, when defacing a Web site made the newspaper? Remember two years ago, when distributed denial-of-service attacks and credit card thefts made the newspaper? Now preprogrammed worms like Code Red are all over the news. After a couple of dozen Code Red variants and other worms designed along similar lines, we'll think of them too as business as usual on the Internet.
6. Attack Growth
Security Business Is Good and Growing (Unfortunately)
7. Software Is Too Complex
Sources of Complexity:
Applications and operating systems
Data mixed with programs
New Internet services
XML, SOAP, VoIP
Complex Web sites
Always-on connections
IP stacks in cell phones, PDAs, gaming consoles, refrigerators, thermostats
The Complexity of Modern Software
Six Reasons Why Complex Products are Insecure:
More security bugs
Modularity
Interconnectedness
Difficulty of understanding
Difficulty of Analysis
Difficulty of Testing
For a detailed essay on complexity and security, see:
http://www.counterpane.com/crypto-gram-0003.html#SoftwareComplexityandSecurity
Buffer overflows, the problem that just won't go away, serve as an excellent example of the problem.
Buffer overflows were first identified in the 1960s
They were first used to attack networked computers in the 1970s
The Morris Worm used buffer overflows: 1989
Today, buffer overflows are the most common way to attack systems (two-thirds of all CERT advisories)
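The defect class the notes describe, as an added illustration that is not part of the original brief: a fixed-size name buffer filled by an unchecked strcpy beside a bounded copy that rejects over-long input, plus the boundary check a defender would place at a trust boundary. The buffer size, function names and inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#define NAME_CAP 16  /* fixed-size destination, constructed for the example */

/* Length of s scanning at most cap bytes: never reads past an
 * unterminated input and needs no POSIX strnlen. */
static size_t bounded_len(const char *s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != '\0') n++;
    return n;
}

/* The classic defect: strcpy stops only at the NUL, so input of NAME_CAP
 * bytes or more writes past the end of dst (undefined behaviour).
 * Kept for contrast; called here only on input that fits. */
static void copy_name_unsafe(char dst[NAME_CAP], const char *src) {
    strcpy(dst, src);
}

/* Hardened form: bounded by the destination capacity, always
 * NUL-terminated, and over-long input is rejected rather than silently
 * truncated. Returns 0 on success, -1 when src does not fit. */
static int copy_name_safe(char *dst, size_t cap, const char *src) {
    if (cap == 0) return -1;
    size_t n = bounded_len(src, cap);
    if (n == cap) {           /* no room left for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);  /* n bytes plus the NUL */
    return 0;
}

/* Validation rule for a trust boundary: 1 if src would overflow a
 * buffer of the given capacity, else 0. */
static int would_overflow(const char *src, size_t cap) {
    return bounded_len(src, cap) >= cap;
}

int main(void) {
    char name[NAME_CAP];
    const char *ok = "alice";                            /* constructed */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 bytes, constructed */
    copy_name_unsafe(name, ok);   /* harmless only because "alice" fits */
    printf("unsafe copy of short input: %s\n", name);
    printf("safe copy of short input: rc=%d\n", copy_name_safe(name, sizeof name, ok));
    printf("safe copy of long input:  rc=%d\n", copy_name_safe(name, sizeof name, bad));
    printf("long input would overflow: %d\n", would_overflow(bad, sizeof name));
    return 0;
}
```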
8. Security Must Make Business Sense to Be Adopted
The Business Case for Security
Perfect security is much too expensive, and not worth it
No security causes breaches that are much too expensive, and not worth it
Adequate security, at a reasonable cost, is worth it
Ability to offer new services
Ability to expand into new markets
Ability to attract, and retain, customers
9. Composition and Organization
Members include security officers, VPs, directors, managers and subject matter experts (SMEs)
Members also include various U.S. Government agencies such as U.S. DoC, U.S. DoD, U.S. DoJ, FCC, Federal Reserve, etc.
Group is divided into 8 working teams, each with a volunteer team leader, to generate BPs for a given subject area
10. FG1B Teams
Fundamentals & Architecture
OAM&P (operations, administration, maintenance and provisioning)
AAA (authentication, accounting, audit)
Services
Signaling
Personnel
Users
Incidents
11. Delivery Plan for FG1B Cybersecurity Best Practices
December 2002 Preventative BPs
Excel document for Industry comment and improvement
March 2003 Recovery BPs
Excel document for Industry comment and improvement
New, improved version of prevention BPs
Early 2003 Final Report (date TBD)
Cover document with cybersecurity topics that clarify the offerings, issues that require research and additional work, strategic issues in cybersecurity, implementation guidance and related topics
Prevention and recovery BPs
12. Guidance on Cybersecurity Best Practices
The current list of best practices (BPs) is constrained by what can be implemented
Recommended BPs are considered implementable due to expert experience from the team
Not all BPs are appropriate for all service providers or architectural implementations
The BPs are not intended for mandatory regulatory efforts
Security conditions will continue to arise that require the development of technologies and techniques not currently practical or available to address them. The focus group is working on recommendations for inclusion in the final report.
This is a moving target that will require continual refinement, additions and improvement
13. Driving Principles in Cyber Security Best Practices
Capability Minimization
Allow only what is needed re: services, ports, addresses, users, etc.
Disallow everything else
Partitioning and Isolation
Defense in Depth
Aka belt & suspenders
Application, host and network defenses
KISS
Complexity makes security harder
General IT Hygiene
Backups, change control, privacy, architectures, processes, etc.
Avoid Security by Obscurity
A proven BAD IDEA
14. Prevention Best Practices Deliverable (December 2002)
Composed of 103 best practices for preventing cybersecurity events
Includes
BP number
Title
Best practice for prevention
If any: reference and dependencies on other BPs
Implementors
15. Example of Prevention Best Practice for Cybersecurity
16. Next Steps
Publish preventative cybersecurity best practices for Industry comment and improvement, following NRIC Council acceptance of December 2002 cybersecurity deliverables.
Refinement of recovery BPs for March 2003 deliverable
Creation of March 2003 cover document with:
General cybersecurity recommendations
Strategic cybersecurity issues
Technology issues that require resolution for future BPs
Additional refinement and addition of BPs for prevention and recovery as reviews are completed by NRIC membership