Rethinking Security and how you can Act on Meaningful Change What the industry recommends to protect your network is NOT working! The industry is stuck in a dysfunctional ecosystem that encourages the cyber-criminal innovation at the cost to business and individual loss throughout the world. We do not need a “Manhattan Project” for the security of the Internet. What we need are tools to help operators throughout the world ask the right question that would lead them to meaningful action. Security empowerment must empower the grassroots and provide the tools to push back on the root cause. This talk will explore these issues, highlight the dysfunction in our “security” economy, and present “take home” tools that would facilitate immediate action.

1. ARE

2. YOU

3. READY

4. FOR

5.
THE

6. NEXT

7. ATTACK?
Reviewing the SP Security Checklist
Barry Greene - bgreene@senki.org

8. Checklist Approach
Checklist are one of the most essential tools for
productivity we have in the industry.
Surprisingly, too few “Internet” and “Telecom”
operators use the checklist approach to optimize their
operations.
What follows is the first in several “check list” designed
for Internet Service Providers, be they Mobile,
traditional Telco, Content, of ISPs.
They can be cut/pasted and used in your organization.
Additions to the checklist are always welcomed.
* Thanks to Stephen Stuart @ Google for pointing out Atul Gawande’s book
Note: If this is new to you, read the book “The Checklist Manifesto” and watch the
TED talk:
http://www.ted.com/talks/atul_gawande_how_do_we_heal_medicine

9. [T]he malware that was used would
have gotten past 90 percent of the Net
defenses that are out there today in
private industry and [would have
been] likely to challenge even state
government,
Joe Demarest, Assistant Director - US
FBI’s Investigation’s Cyberdivision.
Do we have your attention?

10. Our Traditional View of the World
The Internet is not organized based on countries. It is a
group of “Autonomous System Networks” (ASNs) all
interconnected in a Global Network.

11. The Reality of the Internet - No Borders
How does a government enforce the rule of law
where the Internet’s risk are all trans-national?

12. Work on the Right Security Problem
This is nice to know
Who we need to Target
The Good Guys are the Big Part of the Security Problem

13. Threat Vectors have Evolved
Cyber-Criminal Threats
Cyber-Crime is an International Legal
problem that has no short term resolution.
There will always be someplace in the
Political, Patriotic, Protestors
There are always going to be someone,
somewhere, who is upset with society - with
the ability to make their anxiety know
through any network - any where.
Nation State Threats
Post-Snowden, the secret world of nation
state security is now all in the open. Your
network is a valid “Battle Space” for any
Cyber-War.

14. What really happens if I’m attacked?
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

15. The market does not penalize!
http://www.informationisbeautiful.net/
The “market” is forgiving IF you have a
security reaction plan.
A security reaction plan will not prevent
revenue losses, customer churn, and legal
actions, but … organizations do recover
from “big data breaches”

16. Security Threats are a Force of Nature
Think of the current and future
security threats as a force of of the
environment we live in. This is not
new to human society. We have to
live with the issues of nature all the
time.
Like a hurricane, it is not a matter of
if, but when. Even worse, you can
be in a zone where the hurricane,
tornado, flood, earth quake, and
blizzard are all a major risk.
Forces of Nature cannot be stopped - the only thing
you can do is mitigate risk through your design,
preparation, and investment.

17. “Security” Excuses
•LaLaLa if I ignore you may be you will go away.
•It is someone else's problem.
•I don’t know where to start?
•I need to wait for someone to tell me what to do.
•No one has been killed ..... Yet.
•I need more training!
•We cannot afford all the security equipment.
•We need to wait for ISO 27001 Certification.
Reality - there is a lot of “talk” about security, but most
operations just do not care …. until the s!@# hits the fan.

18. Positive Control
Have positive control over all elements in your
network.
Know who is accessing, when they are accessing, and
where they are accessing from. Think beyond TACACS
+. Start asking for Diameter and two factor
authorization with IPv6 only access. Log everything and
expect all there threat vectors probing. Consequences
of neglect is severe.
This is always the #1 issue risk assessors find in
networks! Who is that who logging in? Why does node in
from country X login?

19. VTY ACLs are Critical
Put VTY Access list everywhere, log it, plot in
MRTG/Cati, and create the alert scripts.
The VTY access list trick is on of the key cost effective
tools that consistently delivers key indicators of
attackers probing the network, exploring the network,
or trying to break into the elements of the network.
The only way to make this work effectively is to build
your own script or use tool from companies like
6Connect.
Why is someone trying to telnet into my eNodeB from
another eNodeB? Why are there a increase in “drops” on
my internal SSH?

20. Force Vendor Security Partnerships
Use the Vendor Security Checklist with all your
vendors now.
Set up the meetings, have them comply, and push if
non-compliant. Then have these items part of all your
RFPs. Vendors will NOT pay attention to security until
their customers demand security …. or if you take legal
action for liability against the vendors.
Waiting for the dialog is going to create problems when
the s!@# with a specific vendor.
* E-mail and ask for a copy with the Security “RFP” questions.

21. What is the Upgrade Plan?
Every element in your system needs a tested Upgrade
Plan.
Don’t wait for an emergency patch to find out that a major
routers take 6 hours to upgrade! Create the upgrade plan. Write
the MOP for the test as a template. Rest the plan in your lab, or I
the vendor's lab. Table top exercise how you would have a rolling
upgrade through out the entire system. Map the other systems
which are coupled dependencies or collaterally impacted. Once
all of this is done, start working on designs where you can do
these upgrades without the massive service impact.
Your first reaction would be “isn’t this basic?” Start asking
for details and you will be surprised. One vendor thought is
was normal for a router to be upgraded in 4 hours!

22. IPv6 Check = Security
Bring in all your vendors and review the IPv6
Check list.
Don't wait for the next RFP. The Cyber-Criminal and
Nation-State threat vectors both know that IPv6 is the
easy entry for getting into and through a network.
There is way too many 1/2 completed IPv6
deployments with equipment that is not ready (I.e. No
IPv6 security features).
Cyber-Criminals figured out that IPv6 was a
backdoor into a network 5 years ago.

23. Build your Attack Trees
Learn Attack Trees, build your attack trees, explore
all the ways you can break and network.
Once you have your own list of dirty tricks to break your
network, start building reaction plans with the tools you
have in place right now. If brave, get someone to facilitate
a Red Team - Blue Team table top exercise.

24. Write your BGP Policy!
Write your BGP policy down so that your CEO
understands it!
What are you going to send? What are you going to
receive? How are you going to monitor? How are you going
to enforce? How do you manage your customers? The
days when “BGP policy” is in a “Cisco config script” will not
work when the threat environment is so hostile. One of the
barriers to RPKI ROA registration is the lack of proactive
thinking, planning, and documentation around an
operator’s interconnection policy.
You will make important discoveries of “BGP risk” when
you write it down in a way that everyone can understand!

25. Review your DNS Architecture!
Review all of your DNS Architecture to Ensure it is
Resilient.
Several of the major “DNS outages” in 2014 had a root
cause in how they were designed. Do not listen to the
vendors, they would want to sell you a solution that will
put all the DNS functionality into one box, creating
single points of failure.

26. Review your DNS Architecture!
Example: Generic DNS Authoritative
Infrastructure
EXAMPLE.COM Authoritative Module
Zone Updates
Where is
www.example.com?
12
3
3
3

27. Review your DNS Architecture!
Example: Generic DNS Resolver Infrastructure
Customers Users
Where is
www.example.com?
DNS Resolver Cluster
Optional
www.example.com
Optional

28. Review your DNS Architecture!
Example: LTE has Five Separate DNS
“Architectures!”
IMS
E-UTRAN
Operator’s
IP Services
Gxc
(Gx+)
S11
(GTP-C)
S1-U (GTP-U)
S6a
(DIAMETER)
S1-MME
(S1-AP)
S5 (GTP-C,GTP-U)
Gx
(Gx+)
SWx (DIAMETER)
S6b
(DIAMETER)
SGi
Rx+
Tracking Area/APN DNS
Resolver DNS
S10 (GTP-C
Infrastructure DNS
Authoritative
DNS
Roam DNS (ENUM)

29. Where is your “Security Community?”
Proactively build a security community of peers.
The Internet is a network of people! Major security
issues on the Internet are solved by communities of
people who have aligned interest. These communities
take proactive investment. Many times you will be
working with your competitors. Yet, the effort will save
your network. If not tomorrow, then next year or the
year after.
Can you pick up the phone, call several of your peers,
and start working on a security issue that is impacting
everyone?

30. Checklist Summary
Positive Control
VTY ACLs are Critical
Force Vendor Security Partnerships
Every element in your system needs a tested Upgrade Plan.
Bring in all your vendors and review the IPv6 Check list.
Learn Attack Trees, build your attack trees, explore all the ways you can
break and network.
Write your BGP policy down so that your CEO understands it!
Review all of your DNS Architecture to Ensure it is Resilient.
Proactively build a security community of peers.
More to come …..

31. What’s Next?
Commit to do something to prepare your
organization. You do not need to ask permission,
just start doing something …..
Where to get the “Checklist?”
www.senki.org
Barry’s Linkedin Post - http://www.linkedin.com/
in/barryrgreene/ or Twitter: @BarryRGreene
Reach out and Build a Community