ISP Archives - rud.is

Tag Archives: ISP

WEIS 2011 :: Keynote :: Dr Christopher Greer

2011-06-14 – 09:16
Posted in Information Security, WEIS 2011
Tagged America, Assistant Director, Christopher Greer, Cyberspace, federal government, http, Information Technology R&D, Internet Protocol, IPv6, ISP, Linux, Microsoft, Office of Science & Technology Policy, Office of Science and Technology Policy, senate, Twitter, United States, US Federal Reserve, White House
Leave a Comment

Dr Greer [cgreer at ostp.eop.gov] is Assistant Director, Information Technology R&D, Office of Science & Technology Policy, The White House

Opening: “The expertise of the attendees is greatly needed.”

He provided a broad overview of the goals & initiatives of the federal government as they relate to domestic & international cybersecurity. Greer went through the responsibilities of various agencies and made it clear that this is a highly distributed effort across all sectors of government.

He emphasized the need for a close partnership with private sector to accomplish these goals and also the criticality of not just coming up with plans but also implementing those plans.

It really was a high-level overview and – as I point out in the twitter transcript – would have been cooler if Dr Greer did a deep-dive on 2-3 items vs do a survey. He did set the tone pretty well – we are in challenging times that are changing rapidly. We’re still fighting the fights of 5-10 years ago but are working to provide a framework for keeping pace with cybercrimminals. The government is “doing stuff”, but it’s all useless without translating thousands of pages of legal mumbo jumbo into practical, actionable activities.

The 10 minute post-talk Q&A was far better than the actual preso.

Twitter transcript:

#weis2011 Obama: "America's economic prosperity in 21st cent will depend on cybersecurity" :: sec begets growth but underscores threats, too


#weis2011 one time we never expected every individual to need an IP address, now even refrigerators have one. #IPv6
#weis2011 IPv6 need exacerbated by mobile, mobile apps themselves have great benefit, but also introduces new threat vector.
#weis2011 OSTP runs phishing tests 3x year #spiffy
#weis2011 POTUS Strategy: Catalyze brkthrus for natnl priorities, promote mkt-based innov; invest in building blocks of american innovation
#weis2011 policy review (2009) themes: lead frm top;build cap for dig natin;share resp for cybersec;effective info sharing/irp; encrge innov
#weis2011 pimping the International Strategy For Cyberspace release recently  http://1.usa.gov/jZXIdE 
#weis2011 key "norms" in ISC report: upholding fundamental freedoms (esp speech), global interoperability & cybersecurity due diligence
#weis2011 Greer shifting to talking about legis;  OSTP has been wrkng to promote good bills esp for natnl data breach rprting & penalties

#weis2011 computer fraud & abuse act is *25 years old*. We need new regulations to help fight 21st century crime < 25 years! yikes! #weis2011 FISMA shifting from compliance-based to proactive protection-based; mentioned EINSTEIN IDS/ISP #wes2011 pimping http://csrc.nist.gov/nice/ education & awareness efforts #weis2011 pimping fed trusted ID initiative http://www.nist.gov/nstic/ ; password are $ & failing; multiple accts are real & problematic #weis2011 (pers comment) the audience knows much of what Greer is saying, surprised he's giving such a broad overview vs 2/3 deep dives #weis2011 (pers comment) the efforts for fed cybesec seem waaay to disjoint & distributed to truly be effective. #weis2011 pimping fed trusted ID initiative http://www.nist.gov/nstic ; password are $ & failing; multiple accts are real & problematic #weis2011 pimping http://www.nitrd.gov/ CSIA, SSG & SCORE < much alphabet soup in fed cybersec…the letters didn't help senate.gov today #weis2011 results of many research efforts are both near & just over the horizon, but all useless if not put into effective practice #weiss2011 impt to work with priv sector on economics of legis&policy choices (immunity/liability/safe hrbr/incentives/disclosure/audit) #weis2011 need to understand market factors incentivizing hackers (valuation/cost-ben/risk-decision making/criminal markets) #weis2011 (pers comment) another poke at Microsoft when talking about server security. Major hacks of late were linux/apache/solaris. #lame #weis2011 Cyber insurance is a possibility if we can develop good quant-based risk assessment/management frameworks #weis2011 cgreer@ostp.eop.gov #weis2011 q:"where will cybersec be in 10yrs?" -cyberspace will be more resilient & trustworthy; hardening sys&nets useless w/o educatng ppl #weis2011 by 2021 we will have solved all the cybersecurity issues of 2005 < wise man #weis2011 q:"the US spends > than rest of wrld combined on cybersec but it's still just pennies. will this change?" :: it's in the proposals

Metricon: Automated Incident Reporting

2011-02-14 – 14:16
Posted in Information Security, Metrics, Risk
Tagged broadband, cellular telephone, Conficker, Finland, finnish networks, internet access, ISP, Speaker
Leave a Comment

Speaker: Juhaniu Eronen

“The Autoreporter Project” – Background

Goal: make finland mostly harmless to the rest of the internet

(that’s actually in the law – Protection of Privacy in Electronic Comms/Finland)

/me: I’ll need to put some verbiage around this tonight to give you a good picture of what Juhaniu was conveying…really good description of their charter, goals, challenges, successes

What’s a “finnish” system:

any autonomous systems in finnish soil, operated or owned by finnish orgs
.fi .ax domains
+358 telephone prefix
other networks owned by finnish orgs
finnish banks/brands/CC

Telcos mandated to report infosec incidents as well as major faults affecting users, networks or provider ability to operate

FICORA

Regulation for finnish security providers: Basic security of facilities & processes, Business continuity, spam blocking

Setup mandatory reporting for ISPs
Establish CERT-FI

Issues

Problem: Finland cleans up its own house, but they still end up getting attacked!

Problem: Most incidents are out of scope in mandated reporting

Problem: Establishing CERT-FI – no ownership or visibility of network; 3 ppl that in theory are expected to be there 7×24!

Huge increase in incidents [reported] from 2002-2006. It’s a pretty graph, but it really shows that the CERT-FI workforce increased and that processes were honed

How many incidents affect finnish networks?

How are we compared to neighbors (would love to take a data-driven jab at swedes).

So, workforce, regulatory and other constraints & need for actionable data == make automated system.

2006: created automated system to capture incident reports (mostly malware) from various monitoring projects around the globe.

Daily reports, e-mailed, CSV format pre-defined agreed-upon subjects. digitally signed. reported incidents in body.

How CERT-FI handles abuse:

detection
reports (e-mail/phone/fax) – Funny story: one woman printed out all the spam she received and sent to CERT-FI, until asked not to anymore.
Scraping feeds, normalizing/correlating data
Finding owners
-Map bad events to netblocks
-maintain contact list (& contact prefs!)
-manage customer expectations
Report out stats, trends, chronic cases
Assist in incident response

There are dozens of projects, data sources, blacklists etc but they vary in format (even timestamps), purpose, channel (IRC, http, ftp)

data is frequently missed due to downtime, system availability
info integrity is difficult to gauge
bugs in feeds data & reporting
wildly differing frequency of updates (realtime to monthly)
taxonomies are diverse
detail level not discrete

Ensuring Focus of CERT-FI

What are we not seeing?
What should I prepare for?
Who is the target of damage & who is just collateral
Can the data/sources be trusted?

[side-talk: CERT-FI manages intake and the privacy laws make it difficult to delegate collection to the ISPs]

[side-talk: 5.5 mill population of finland, very high # of folks with internet access, everyone has a cell phone. internet considered a basic human right]

CERT-FI shows ISP incident graphs in comparison to other ISPs. /me: the embarrassment factor is a good motivator

interesting: conficker is still a problem

CERT-FI autoreporter can actually report out incidents per broadband customer (trending)

Abusehelper: http://code.google.com/p/abusehelper/wiki/README

Abuse Helper is toolkit for CERT and Abuse teams. It is a modular, (hopefully) scalable and robust framework to help you in your abuse handling.

With Abuse Helper you can:

Retrieve Internet Abuse Handling related information via several sources which are
- near-real-time (such as IRC)
- periodic (such as Email reports), or
- request/response (such as HTTP).

You can then aggregate that information based on different keys, such as AS numbers or country codes
Sent out reports in different formats, via different transports and using different timings

Abuse Helper features include:

Fully modular (you can utilize different readers, parsers, transports, splitters, combiners in a pipe-like manner)
Scalable: you can distribute the work to different machines and different geolocations
Observable: you can use your favourite XMPP client to observe the bots at work

Great overall presentation for the rationale to report incidents outside your org