Scaling up Internet Security (was: Scaled Back Cybersecurity)

Michael.Dillon at radianz.com
Wed Jan 15 10:49:01 UTC 2003


> > I've had absolutely no luck getting the source ISPs to care about
> > the problems I've seen at my home firewall in recent weeks.

> hehe... I know the feeling. With DShield, we try hard to send out
> correlated and filtered reports in a standardized format to valid
> 'contact' addresses. There are some success stories, but more misses
> than hits overall. 

I think these efforts would get a lot of attention if there were two 
changes to the notification procedure:

1. The notice started by saying "This is a notice according to the 
procedures of the ISP-ISAC which operates in coordination with the FBI's 
NIPC (National Infrastructure Protection Center)". Of course, before you can 
put this notice in your email the industry would first have to create the 
ISP-ISAC (see http://www.nipc.gov/infosharing/infosharing6.htm for 
background) and the ISAC would have to agree on some basic procedures 
for notifying other ISPs when network abuse occurs. But this is not rocket 
science and I think a half-dozen of the larger ISPs could kick this off 
with some kind of a BOF at NANOG.

2. If the email notice doesn't get a response, follow it up with a letter 
on paper to the company concerned and include another letter explaining 
the benefits of being an active participant in the ISAC (Information 
Sharing and Analysis Center). The paper letter could be addressed to the 
legal department because this really is a compliance issue. In other words 
the time could come when companies who do not comply with industry 
standards for cooperation in addressing network abuse will find themselves 
facing lawsuits. If you can get a company's legal department to agree that 
participation in an ISAC is a good way to cover their ass, then you will 
find it a lot easier to get inter-company cooperation.

The other ISACs can be of use too. Imagine that you have a DDoS in 
progress and you can track it back to a number of compromised servers. 
Some of them are colocated so the ISP-ISAC would directly notify the 
hosting companies concerned. Some of them belong to companies who appear 
to be in the financial services industry so you notify the FS-ISAC about 
those ones. Some of the servers appear to be suffering from security holes 
that are introduced by using default install options for the O/S so you 
notify the IT-ISAC about those ones.

Before long the members of the FS-ISAC are requiring their business 
partners to secure their Internet servers, the OS vendors are tightening 
up baseline OS security and the hosting companies are securing or shutting 
down compromised servers. The press reports on all of this activity and 
managers in all types of businesses and organizations start asking 
searching questions about the security of their own infrastructure. Or 
maybe the FS-ISAC gets all bank managers to ask questions about security 
as part of their regular business review meetings with customers. 

All of this requires an ISAC dedicated to the purpose of analyzing and 
stamping out network abuse.

--Michael Dillon