8. Checklist Approach
Checklists are one of the most essential productivity tools
we have in the industry.
Surprisingly, too few “Internet” and “Telecom”
operators use the checklist approach to optimize their
operations.
What follows is the first of several “checklists” designed
for Internet Service Providers, be they Mobile,
traditional Telco, Content, or ISPs.
They can be cut and pasted and used in your organization.
Additions to the checklist are always welcome.
* Thanks to Stephen Stuart @ Google for pointing out Atul Gawande’s book
Note: If this is new to you, read the book “The Checklist Manifesto” and watch the TED
talk:
http://www.ted.com/talks/atul_gawande_how_do_we_heal_medicine
9. [T]he malware that was used would
have gotten past 90 percent of the Net
defenses that are out there today in
private industry and [would have
been] likely to challenge even state
government,
Joe Demarest, Assistant Director - US
FBI’s Investigation’s Cyberdivision.
Do we have your attention?
10. Our Traditional View of the World
The Internet is not organized based on countries. It is a
group of “Autonomous System Networks” (ASNs) all
interconnected in a Global Network.
11. The Reality of the Internet - No Borders
How does a government enforce the rule of law
when the Internet’s risks are all trans-national?
12. Work on the Right Security Problem
The Good Guys are the Big Part of the Security Problem
13. Threat Vectors have Evolved
Cyber-Criminal Threats
Cyber-Crime is an International Legal
problem that has no short term resolution.
There will always be someplace in the
world that is a harbor for cyber-criminal
activity.
Political, Patriotic, Protestors
(P3)
There is always going to be someone, somewhere,
who is upset with society and has the ability to
make their anxiety known through any network, anywhere.
Nation State Threats
Post-Snowden, the secret world of nation
state security is now all in the open. Your
network is a valid “Battle Space” for any
Cyber-War.
14. Security Threats are a Force of Nature
Think of the current and future
security threats as a force of the
environment we live in. This is not
new to human society. We have to
live with the issues of nature all the
time.
Like a hurricane, it is not a matter of
if, but when. Even worse, you can
be in a zone where the hurricane,
tornado, flood, earthquake, and
blizzard are all a major risk.
Forces of Nature cannot be stopped - the only thing
you can do is mitigate risk through your design,
preparation, and investment.
15. “Security” Excuses
•LaLaLa, if I ignore you maybe you will go away.
•It is someone else's problem.
•I don’t know where to start.
•I need to wait for someone to tell me what to do.
•No one has been killed ..... Yet.
•I need more training!
•We cannot afford all the security equipment.
•We need to wait for ISO 27001 Certification.
Reality - there is a lot of “talk” about security, but most
operations just do not care …. until the s!@# hits the fan.
16. Positive Control
Have positive control over all elements in your
network.
Know who is accessing, when they are accessing, and
where they are accessing from. Think beyond TACACS+.
Start asking for Diameter and two-factor authorization with
IPv6-only access. Log everything and expect all three
threat vectors to probe. The consequences of neglect are
severe.
This is always the #1 issue risk assessors find in networks!
Who is that logging in? Why is a node from
country X logging in?
17. VTY ACLs are Critical
Put VTY access lists everywhere, log them, plot them in
MRTG/Cacti, and create the alert scripts.
The VTY access list trick is one of the key cost-effective
tools that consistently delivers key indicators of attackers
probing the network, exploring the network, or trying to
break into the elements of the network. The only way to
make this work effectively is to build your own script or
use a tool from companies like 6Connect.
Why is someone trying to telnet into my eNodeB from
another eNodeB? Why is there an increase in “drops” on
my internal SSH?
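The two slides above ask for the same thing from different angles: every VTY ACL hit logged, counted and alerted on, and every successful login checked against where management access is supposed to come from. The script below is an added example, not code from the deck or from Barry Greene, showing one way to build that “alert script” yourself. The syslog line formats follow the Cisco IOS `%SEC-6-IPACCESSLOGP` and `%SEC_LOGIN-5-LOGIN_SUCCESS` style, the management prefix `10.10.0.0/16` is hypothetical, and every sample log line is constructed for the example.

```python
"""Added example (not from the slides): turn VTY ACL deny logs and login
records into the indicators the checklist asks for.

Assumptions (not from the original deck): the syslog formats below follow
the Cisco IOS IPACCESSLOGP / LOGIN_SUCCESS style, the approved management
prefix is hypothetical, and all sample lines are constructed."""
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample syslog lines (documentation ranges, not real devices).
SAMPLE_LOG = """\
Mar  1 10:00:01 rtr1 %SEC-6-IPACCESSLOGP: list VTY-ACL denied tcp 203.0.113.7(41822) -> 192.0.2.1(22), 1 packet
Mar  1 10:00:03 rtr1 %SEC-6-IPACCESSLOGP: list VTY-ACL denied tcp 203.0.113.7(41823) -> 192.0.2.1(23), 1 packet
Mar  1 10:00:04 rtr2 %SEC-6-IPACCESSLOGP: list VTY-ACL denied tcp 203.0.113.7(41824) -> 192.0.2.2(22), 1 packet
Mar  1 10:00:09 rtr1 %SEC-6-IPACCESSLOGP: list VTY-ACL denied tcp 198.51.100.9(5555) -> 192.0.2.1(22), 1 packet
Mar  1 10:01:00 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: noc1] [Source: 10.10.0.5] [localport: 22] at 10:01:00 UTC Mon Mar 1 2015
Mar  1 10:02:00 rtr2 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.7] [localport: 22] at 10:02:00 UTC Mon Mar 1 2015
"""

DENY_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
LOGIN_RE = re.compile(
    r"LOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[\d.]+)\]"
)

# Hypothetical management prefix: the only place a login should come from.
APPROVED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/16")]


def parse_vty_denies(log_text):
    """Return one dict per VTY ACL deny line (acl, proto, src, dst, dport)."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def denies_per_source(events):
    """Counter of deny hits per source address: the raw material for alerts."""
    return Counter(ev["src"] for ev in events)


def probing_sources(events, threshold=3):
    """Sources at or above the threshold, worst first. One address hitting
    several devices is the 'exploring the network' pattern."""
    counts = denies_per_source(events)
    return [src for src, n in counts.most_common() if n >= threshold]


def counts_per_device(events):
    """Per-destination deny counts: one series per router for MRTG/Cacti."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["dst"]] += 1
    return dict(counts)


def audit_logins(log_text, approved_nets=APPROVED_MGMT_NETS):
    """Positive control: every successful login is checked against the
    approved management prefixes. Returns (user, src, approved) tuples."""
    result = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            src = ipaddress.ip_address(m["src"])
            ok = any(src in net for net in approved_nets)
            result.append((m["user"], m["src"], ok))
    return result


def correlate(log_text, threshold=3):
    """Logins that are out of policy, or come from an address that also
    tripped the VTY ACL, are the ones to investigate first."""
    denies = parse_vty_denies(log_text)
    probers = set(probing_sources(denies, threshold))
    return [(user, src) for user, src, ok in audit_logins(log_text)
            if not ok or src in probers]


if __name__ == "__main__":
    events = parse_vty_denies(SAMPLE_LOG)
    print("denies per source:", denies_per_source(events))
    print("per device (graph this):", counts_per_device(events))
    for user, src, ok in audit_logins(SAMPLE_LOG):
        print(f"{user:8} {src:16} {'ok' if ok else 'OUT OF POLICY'}")
    print("investigate:", correlate(SAMPLE_LOG))
```

Feed `counts_per_device()` to the graphing tool per polling interval and page on `correlate()`; the login from the same address that was just denied on two routers is exactly the “why is that node logging in?” question the slide asks.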
18. Force Vendor Security Partnerships
Use the Vendor Security Checklist with all your
vendors now.
Set up the meetings, have them comply, and push if
non-compliant. Then make these items part of all your RFPs.
Vendors will NOT pay attention to security until their
customers demand security …. or if you take legal action
for liability against the vendors.
Waiting for the dialog is going to create problems when
the s!@# hits the fan with a specific vendor.
* E-mail and ask for a copy with the Security “RFP” questions.
19. What is the Upgrade Plan?
Every element in your system needs a tested Upgrade
Plan.
Don’t wait for an emergency patch to find out that a major router
takes 6 hours to upgrade! Create the upgrade plan. Write the MOP
for the test as a template. Test the plan in your lab, or in the
vendor's lab. Tabletop exercise how you would run a rolling
upgrade throughout the entire system. Map the other systems
which are coupled dependencies or collaterally impacted. Once
all of this is done, start working on designs where you can do
these upgrades without the massive service impact.
Your first reaction would be “isn’t this basic?” Start asking
for details and you will be surprised. One vendor thought it
was normal for a router to be upgraded in 4 hours!
20. IPv6 Check = Security
Bring in all your vendors and review the IPv6
Check list.
Don't wait for the next RFP. The Cyber-Criminal and
Nation-State threat vectors both know that IPv6 is the
easy entry for getting into and through a network. There
are way too many half-completed IPv6 deployments with
equipment that is not ready (i.e. no IPv6 security
features).
Cyber-Criminals figured out that IPv6 was a
backdoor into a network 5 years ago.
21. Build your Attack Trees
Learn Attack Trees, build your attack trees, explore
all the ways you can break a network.
Once you have your own list of dirty tricks to break your
network, start building reaction plans with the tools you
have in place right now. If brave, get someone to facilitate
a Red Team - Blue Team table top exercise.
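An attack tree is only useful once it is evaluated, and the slide's point is that the evaluation tells you which reaction plan or control to build first. The following is an added example, not material from the deck, of a minimal attack-tree evaluator in the Schneier style: leaves carry a relative attacker effort, OR nodes take the cheapest child, AND nodes add their children up, and marking a leaf as mitigated removes it from the tree. The tree, the effort numbers and the control names are hypothetical and chosen only because they match topics elsewhere on this page (VTY ACLs, IPv6, BGP/ROA).

```python
"""Added example (not from the slides): evaluate a small attack tree and
rank candidate mitigations by how much they raise the cheapest attack.

The tree, leaf efforts and control names are hypothetical illustrations."""
INF = float("inf")


class Node:
    def __init__(self, name, kind="leaf", children=(), effort=None):
        self.name = name
        self.kind = kind                  # "leaf", "or" or "and"
        self.children = list(children)
        self.effort = effort              # leaves only: relative attacker effort


def leaf(name, effort):
    return Node(name, "leaf", effort=effort)


def OR(name, *children):
    return Node(name, "or", children)


def AND(name, *children):
    return Node(name, "and", children)


def cheapest_path(node, mitigated=frozenset()):
    """Return (effort, [leaf names]) for the least-effort way to reach node.
    A mitigated leaf costs INF, i.e. it is no longer available to the attacker."""
    if node.kind == "leaf":
        return (INF, []) if node.name in mitigated else (node.effort, [node.name])
    paths = [cheapest_path(c, mitigated) for c in node.children]
    if node.kind == "or":
        return min(paths, key=lambda p: p[0])
    total = sum(p[0] for p in paths)          # "and": every child is required
    return (total, [n for p in paths for n in p[1]])


def rank_mitigations(root, candidates, mitigated=frozenset()):
    """For each candidate control, the root effort after applying it, most
    effective first. Controls that do not move the number are wasted spend."""
    scored = [(c, cheapest_path(root, frozenset(mitigated) | {c})[0]) for c in candidates]
    return sorted(scored, key=lambda s: s[1], reverse=True)


# Hypothetical tree for an operator network (goal at the root).
TREE = OR(
    "Disrupt service on the network",
    AND("Take over a network element",
        OR("Reach the management plane",
           leaf("management plane reachable from customer side", 2),
           leaf("VTY open on IPv6 with no ACL", 1)),
        OR("Obtain credentials",
           leaf("shared password known to former staff", 3),
           leaf("vendor default account still enabled", 1))),
    leaf("exhaust upstream link (volumetric DDoS)", 4),
    AND("Hijack a customer prefix",
        leaf("peer accepts any prefix from us (no prefix filter)", 2),
        leaf("no ROA registered for the prefix", 1)),
)

CANDIDATE_CONTROLS = [
    "VTY open on IPv6 with no ACL",
    "vendor default account still enabled",
    "no ROA registered for the prefix",
]

if __name__ == "__main__":
    effort, path = cheapest_path(TREE)
    print(f"cheapest attack today: effort {effort} via {path}")
    for control, new_effort in rank_mitigations(TREE, CANDIDATE_CONTROLS):
        print(f"  fix '{control}' -> cheapest attack becomes {new_effort}")
```

Run it and the ordering is the reaction-plan priority: closing the IPv6 VTY hole or the default account each raises the cheapest attack from 2 to 3, while registering the ROA alone changes nothing because the element takeover branch is still cheaper. That is the kind of discovery the slide means by “your own list of dirty tricks”, and the same tree is the script for the Red Team / Blue Team tabletop.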
22. Write your BGP Policy!
Write your BGP policy down so that your CEO
understands it!
What are you going to send? What are you going to
receive? How are you going to monitor? How are you going
to enforce? How do you manage your customers? Keeping
the “BGP policy” only in a “Cisco config script” will not work
when the threat environment is so hostile. One of the
barriers to RPKI ROA registration is the lack of proactive
thinking, planning, and documentation around an operator’s
interconnection policy.
You will make important discoveries of “BGP risk” when
you write it down in a way that everyone can understand!
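Writing the policy down in a form everyone can read does not mean it has to stop being enforceable. The example below is added here and is not from the deck: the send and receive policy is expressed as plain data (what we announce, what we accept from whom, and the limits), and a small checker applies it to individual routes so the document and the enforcement cannot drift apart. The ASNs, peers and prefixes are hypothetical (private ASNs and documentation ranges), and the rule set is one illustrative policy, not a recommendation for any particular operator.

```python
"""Added example (not from the slides): a BGP interconnection policy as
readable data, with a checker that applies it to routes.

All ASNs, peer names and prefixes are hypothetical; the rules are one
illustrative policy, not a recommended one."""
import ipaddress

OUR_ASN = 64500                                   # hypothetical

# SEND policy: only our own aggregates, nothing more specific, nothing else.
OUR_AGGREGATES = {ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")}

# RECEIVE policy, per peer, written so that a non-engineer can read it.
PEERS = {
    "customer-A": {"asn": 64501, "type": "customer",
                   "registered_prefixes": ["198.51.100.0/24"], "max_prefixes": 10},
    "transit-B": {"asn": 64502, "type": "transit",
                  "registered_prefixes": None, "max_prefixes": 600000},
}

# Space nobody should be announcing (short illustrative list).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

MAX_LEN = {4: 24, 6: 48}                          # longest prefix we will accept


def _covered(net, candidates):
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)


def evaluate_received(peer_name, prefix, as_path):
    """Apply the RECEIVE policy to one route. Returns (accept, reason)."""
    peer = PEERS.get(peer_name)
    if peer is None:
        return False, "unknown peer: no policy, no session"
    net = ipaddress.ip_network(prefix, strict=False)
    if _covered(net, BOGONS):
        return False, "bogon prefix"
    if net.prefixlen > MAX_LEN[net.version]:
        return False, f"too specific (/{net.prefixlen})"
    if not as_path or as_path[0] != peer["asn"]:
        return False, "first AS in path is not the peer"
    if OUR_ASN in as_path:
        return False, "our own ASN in path (loop)"
    if peer["type"] == "customer":
        registered = [ipaddress.ip_network(p) for p in peer["registered_prefixes"]]
        if not _covered(net, registered):
            return False, "not in the customer's registered prefixes"
        if as_path[-1] != peer["asn"]:
            return False, "origin AS is not the customer"
    return True, "accept"


def evaluate_advertised(prefix):
    """Apply the SEND policy to one route we are about to announce."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net in OUR_AGGREGATES:
        return True, "accept"
    if _covered(net, OUR_AGGREGATES):
        return False, "more specific than our aggregate: do not leak"
    return False, "not our prefix: do not announce"


if __name__ == "__main__":
    # Constructed routes to show each rule firing.
    for args in [("customer-A", "198.51.100.0/24", [64501]),
                 ("customer-A", "203.0.113.0/24", [64501]),
                 ("transit-B", "10.0.0.0/8", [64502, 64510]),
                 ("transit-B", "203.0.113.0/25", [64502, 64510]),
                 ("transit-B", "203.0.113.0/24", [64502, 64500, 64510]),
                 ("transit-B", "203.0.113.0/24", [64502, 64510])]:
        print(args, "->", evaluate_received(*args))
    for p in ("192.0.2.0/24", "192.0.2.0/25", "198.51.100.0/24"):
        print("advertise", p, "->", evaluate_advertised(p))
```

The `PEERS` and `OUR_AGGREGATES` tables are the part a CEO can read; the checker is the part that answers “how are you going to enforce?”. Once the policy exists in this form, the ROA question becomes mechanical: every entry in `OUR_AGGREGATES` is a prefix that should have a ROA with `OUR_ASN` as the origin.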
23. Review your DNS Architecture!
Review all of your DNS Architecture to Ensure it is
Resilient.
Several of the major “DNS outages” in 2014 had a root
cause in how they were designed. Do not listen to the
vendors; they will want to sell you a solution that
puts all the DNS functionality into one box, creating
single points of failure.
24. Review your DNS Architecture!
Example: Generic DNS Authoritative Infrastructure
25. Review your DNS Architecture!
Example: Generic DNS Resolver Infrastructure
26. Review your DNS Architecture!
Example: LTE has Five Separate DNS
“Architectures!”
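The architecture review the slides above call for comes down to a handful of questions about diversity: are the authoritative servers and the resolvers on separate boxes, in separate sites, in separate networks and ASNs, and on more than one software stack? The script below is an added example, not from the deck, that asks those questions of a server inventory and reports every place where a role collapses onto one value. Both inventories are constructed; the thresholds (at least two of everything, and no host shared between roles) are illustrative minimums rather than a standard.

```python
"""Added example (not from the slides): review a DNS server inventory for
single points of failure.

Both inventories below are constructed; the 'at least two of everything'
thresholds are illustrative minimums, not a standard."""

# Attributes along which each DNS role should be diverse.
DIVERSITY_ATTRS = ("host", "site", "prefix", "asn", "software")

# The 'one box does everything' design a vendor would happily sell.
BAD_INVENTORY = [
    {"name": "ns1", "role": "auth", "host": "dnsbox1", "site": "dc1",
     "prefix": "192.0.2.0/24", "asn": 64500, "software": "vendorX"},
    {"name": "ns2", "role": "auth", "host": "dnsbox1", "site": "dc1",
     "prefix": "192.0.2.0/24", "asn": 64500, "software": "vendorX"},
    {"name": "res1", "role": "resolver", "host": "dnsbox1", "site": "dc1",
     "prefix": "192.0.2.0/24", "asn": 64500, "software": "vendorX"},
]

# A design with separated roles and diversity along every attribute.
GOOD_INVENTORY = [
    {"name": "ns1", "role": "auth", "host": "a1", "site": "dc1",
     "prefix": "192.0.2.0/24", "asn": 64500, "software": "bind"},
    {"name": "ns2", "role": "auth", "host": "a2", "site": "dc2",
     "prefix": "198.51.100.0/24", "asn": 64501, "software": "nsd"},
    {"name": "ns3", "role": "auth", "host": "a3", "site": "dc3",
     "prefix": "203.0.113.0/24", "asn": 64502, "software": "bind"},
    {"name": "res1", "role": "resolver", "host": "r1", "site": "dc1",
     "prefix": "192.0.2.0/24", "asn": 64500, "software": "unbound"},
    {"name": "res2", "role": "resolver", "host": "r2", "site": "dc2",
     "prefix": "198.51.100.0/24", "asn": 64501, "software": "bind"},
]


def review(servers, role):
    """Findings for one role: too few servers, or any attribute on which
    every server in the role shares a single value."""
    group = [s for s in servers if s["role"] == role]
    findings = []
    if len(group) < 2:
        findings.append(f"{role}: fewer than two servers")
        return findings
    for attr in DIVERSITY_ATTRS:
        values = {s[attr] for s in group}
        if len(values) < 2:
            findings.append(f"{role}: all {len(group)} servers share one {attr} ({values.pop()})")
    return findings


def shared_hosts(servers):
    """Hosts that carry more than one DNS role: the 'everything in one box'
    pattern, where one failure takes both functions down."""
    roles_by_host = {}
    for s in servers:
        roles_by_host.setdefault(s["host"], set()).add(s["role"])
    return {h for h, roles in roles_by_host.items() if len(roles) > 1}


def full_review(servers):
    """All findings for all roles, plus shared hosts. Empty means no SPOF found."""
    findings = []
    for role in sorted({s["role"] for s in servers}):
        findings.extend(review(servers, role))
    findings.extend(f"host {h} carries more than one DNS role" for h in sorted(shared_hosts(servers)))
    return findings


if __name__ == "__main__":
    for label, inv in (("bad", BAD_INVENTORY), ("good", GOOD_INVENTORY)):
        print(label, "->", full_review(inv) or "no single point of failure found")
```

The LTE case on the slide above is the same check run five times, once per DNS architecture, and then once more across all five to catch a shared box or shared site that each review in isolation would miss.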
27. Where is your “Security Community?”
Proactively build a security community of peers.
The Internet is a network of people! Major security
issues on the Internet are solved by communities of
people who have aligned interests. These communities
take proactive investment. Many times you will be
working with your competitors. Yet, the effort will save
your network. If not tomorrow, then next year or the
year after.
Can you pick up the phone, call several of your peers,
and start working on a security issue that is impacting
everyone?
28. Checklist Summary
Positive Control
VTY ACLs are Critical
Force Vendor Security Partnerships
Every element in your system needs a tested Upgrade Plan.
Bring in all your vendors and review the IPv6 Check list.
Learn Attack Trees, build your attack trees, explore all the ways you can
break a network.
Write your BGP policy down so that your CEO understands it!
Review all of your DNS Architecture to Ensure it is Resilient.
Proactively build a security community of peers.
More to come …..
29. What’s Next?
Commit to do something to prepare your
organization. You do not need to ask permission,
just start doing something …..
Where to get the “Checklist?”
www.senki.org
Barry’s Linkedin Post -
http://www.linkedin.com/in/barryrgreene/ or
Twitter: @BarryRGreene
Reach out and Build a Community