Phone companies and ISPs in the US have convinced a top advisory panel to hold back the American government from forcing a set of basic IT cybersecurity standards on them. The Federal Communications Commission (FCC) set up a group of experts to figure out if the communications industry should be forced to adapt 20 "critical …
Now the US government wants private industry to do their dirty work
After spending BILLIONS of dollars trying to secure their IT infrastructure, and failing, the US Government wants to foist the costs on to ISPs and, in turn, the general public.
Let them kill the failure known as the F35 and put the money in to protection that works.
Astonishing, that the list of 20 controls was FOUO/Classified!
(This is long, and not really catering to the "sound-bite-minded"...)
I read the first 16 pages, and when I looked at the list 2-3 times, it increasingly seemed reminiscent of what any sysadmin taking Netware System Administration from 1996 might conjure up.
When I was a temp assigned to a Lockheed office in Sunnyvale, I was assigned to work in a "cage" (more of an inventory control room, not a sensitive area like other DOD contractors' "cages"). When not roaming doing installs of Win95, updating .dot files, or removing the "I love you" crap, or installing or tweaking Resumex, etc., I was in my cage playing with Lotus Approach. I was teaching myself databases, and decided to enhance my inventory of what I was told to inventory. I thus included EVERYTHING that contained an ID, serial number, MAC hardware address, or other form of info that would help my various managers not only monitor costs, but monitor how much junk or obsolete hardware was sitting around, what types the hardware were, to whom they were assigned, how old they were, how many times they'd been looked at or suspected as trouble hardware, what OS version and so on were on what machines, in which rooms, on what tables, and more. All the NICs, hard drives, mice, keyboards, CRTs, modems (only a very few people in that building of around 80 people had a modem, hehehe), and so on were in my database.
Theoretically, this would form the basis for implementing a secure and robust IT filter system to monitor traffic, employees, entry and exit of information, and more, not just relying on the then-available MS server and domain related monitoring tools. Netware and other tools of the day were in place, too. But, I only did that to maximize my non-programming use of Lotus Approach, learning to create forms, views, charts, reports, and master-detail views to get at relationships between hardware and assignment.
Later, when setting up an Internet Cafe business plan, I did something similar: starting out with the intent to create a receipts tracker in the event I were ever audited, I ended up creating a prototype fraud-sleuthing database. That's just playing around.
I don't see how that list of 20 items would be so useful to obscure. Security through obscurity at the highest of levels - in a security-conscious working group! Those individual items are everything any due-diligence IT manager of even 1999 would pursue, and it would have been casual conversation in those IT trainers we were sent to for something like $99 to $400 per day.
Am I overreacting?
It seems to me that the top users among the commercial entities are just trying to avoid spending money. If they all follow the typical topology, layers, protocols, filtering, and other standards, and implement dynamic access controls that tie in with customers and customers' plans, a boatload of attacks could have been prevented over the last 15 years -- or would have spurred the attackers of the time frame to innovate around the 20 measures/controls. To their credit, though, the ATTBIs and Comcasts of the early 2000s inadvertently helped with security in some limited way: via the use of their "branded" IE browser CDs, they could keystroke or otherwise monitor their customers and detect early signs of malicious or hijack activity, and by manipulating the routers they provided, could deprive the customer of exceeding the 3-count limit of devices.
But, when I figured out their game, and figured they just wanted to extract more money for no work, or to limit me, I put in my own routers and switches and attached all my test machines on my side of the demarc and defied them to do a damned thing about it. I wasn't increasing bandwidth, since I only had two hands and was not using automated processes on all 8 or 9 machines, and what happened on my side of the demarc that was not a disruption to the network outside was NONE of THEIR damned business. They also hated that I used Linux, and no IE disk they customized was going to run on my LAN. So, I regularly was on their shitlist and regularly had connectivity issues, invariably being blamed on some drunk driver slamming into a green service box off the freeway. Liars. Or so I think they were being.
But the fact that that list was "secret" or FOUO for around 2 years doesn't mean that most companies lacked any of their own intelligence to implement the same effects. They probably just didn't want to spend the money.
Re: Astonishing, that the list of 20 controls was FOUO/Classified!
" They probably just didn't want to spend the money."
That's my instinct too.
But (correct me if I'm wrong) isn't most of this data automatically collectable through asset management and network management systems?
A warm-up act for Eadon
It doesn't take 20 principles to be secure - just one will give you 99% of the total: don't install the crippling cancer that is Microsoft Windows!
Of course with the slush money being pumped in by big corporations you can't expect the govt to follow plain common-sense, but soon enough open source will sweep the govt away too :-)
MICROSOFT FAIL! US GOVT FAIL!
(thank you, thank you, give yourselves a hand, truly you've been a wonderful audience [takes out an onion...] )
Re: A warm-up act for Eadon
I'd opened up the "Reply" page, intending to lambast you for acting like Eadon, then I read the heading on your post and realized you meant to. I figured it'd be a shame to waste the one click it took me to get to the "Reply" page, so here is my comment anyways.
Re: A warm-up act for Eadon
The irony is, of course, that you two are actually doing the same thing as him - commenting on something that's barely tangentially connected to the topic to get your own opinion out. The only difference is that you don't badmouth Microsoft, you do it with Eadon. In other words, you go one worse by getting personal.
I personally think one should always be hesitant to write people off, and he does actually manage the occasional good comment. No, I won't defend him if he's a tool (I've scolded him too), but I do think we should attempt to preserve a degree of civility.
Re: A warm-up act for Eadon
Actually I'm far from writing him off, often having a strong sympathy with his message but wincing at the "Carthago delenda est" deployment of it. But at least some of the time this seems to be done theatrically with wry humour, which is what I was driving for here too.
ISP's, Telco's and moiles say "We're *special*"
And indeed they are.
They are the global facilitators for the transmission and dissemination of spam and malware.
Now they can argue they are merely pipes like the US Mail. But that goes out the window if they do packet filtering (with or without DPI)
As for the rest of these recommendations, how many of these shouldn't be SOP for all infrastructure?
Now the question is do they apply to company servers, PCs and mobiles or all devices on the network?
Re: ISP's, Telco's and moiles say "We're *special*"
I'm not so sure what moiles are when they're at home, but if you actually look at the details, many of these "critical controls" are only relevant to enterprise networks (including government departments and the like). For example, there is a global recommendation of default/deny for protocols and ports without an identified business need. An ISP can hardly do that (nor can any enterprise that wants to encourage innovation, but of course that would never concern government departments, would it?).
So the ISPs, Telcos and moiles probably are special.
Re: ISP's, Telco's and mobiles say "We're *special*"
"I'm not so sure what moiles are when they're at home"
They are a mis-spelling of mobiles for which I apologize.
"but if you actually look at the details, many of these "critical controls" are only relevant to enterprise networks "
Given most of a country's information travels over internet, landline or mobile phone networks, I'd call them all "enterprise."
I think there is a fundamental misunderstanding here.
Unlike gas, electricity and water networks there are two groups of users of the corporations computers.
Internal staff, i.e. staff who have some kind of job on the network.
Customers, who do not, but use them (or rather work through them) to talk to each other, web servers, other servers on the internet, etc.
I would suggest that most of these rules apply to the servers and PCs used by internal staff.
I'd suggest the computers they use and manage and the way they use them can be controlled.
As for the users, well how about ISPs opening an account with a minimal set of open sockets and notifying the customer by email when their machine wants to open non default sockets? Or how about an email on how many emails you sent this month.
I don't believe ISP's, telco's and mobile companies are that special and I do believe they can do more to stop botnets generating the tidal wave of crap they do without DPI.
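As an added illustration, not part of the thread or any ISP's tooling, here is the "minimal set of open sockets, then notify the customer when a host wants something else" idea from the comment above, which is also the customer-side shape of the default/deny-without-a-business-need control discussed earlier. Everything here is constructed: the flow-log line format, the account numbers, the allowed-port set and the port-25 threshold are assumptions made for the example.

```python
"""
Added example: a per-account outbound-port baseline with customer notifications.
The flow records, log format, allowed-port list and thresholds are all constructed
for illustration and are not any ISP's real policy or data.
"""
import re
from collections import defaultdict

# Assumed "minimal set" of outbound ports an account gets by default
# (DNS, HTTP, HTTPS, mail submission, IMAPS). Direct SMTP (25) is deliberately absent.
DEFAULT_ALLOWED_PORTS = frozenset({53, 80, 443, 587, 993})

# Assumed threshold: distinct port-25 destinations in the window before we tell the
# customer, since a home host delivering mail directly to many MXs looks like a spambot.
SMTP_DEST_THRESHOLD = 3

# Constructed sample flow log (one flow per line). Addresses are documentation ranges.
SAMPLE_FLOWS = """\
2014-03-10T08:00:01Z acct=1001 proto=tcp dst=198.51.100.7:443 dir=out
2014-03-10T08:00:05Z acct=1001 proto=tcp dst=198.51.100.9:80 dir=out
2014-03-10T08:01:10Z acct=1001 proto=tcp dst=203.0.113.20:6667 dir=out
2014-03-10T08:01:12Z acct=1001 proto=tcp dst=203.0.113.20:6667 dir=out
2014-03-10T08:02:00Z acct=1002 proto=tcp dst=192.0.2.10:25 dir=out
2014-03-10T08:02:01Z acct=1002 proto=tcp dst=192.0.2.11:25 dir=out
2014-03-10T08:02:02Z acct=1002 proto=tcp dst=192.0.2.12:25 dir=out
2014-03-10T08:02:03Z acct=1002 proto=tcp dst=192.0.2.13:25 dir=out
2014-03-10T08:02:04Z acct=1002 proto=tcp dst=192.0.2.10:25 dir=out
2014-03-10T08:03:00Z acct=1003 proto=tcp dst=198.51.100.7:443 dir=out
2014-03-10T08:03:01Z acct=1003 proto=udp dst=198.51.100.1:53 dir=out
2014-03-10T08:03:02Z acct=1003 proto=tcp dst=198.51.100.7:443 dir=in
this line is garbage and must be skipped
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) acct=(?P<acct>\d+) proto=(?P<proto>tcp|udp) "
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+) dir=(?P<dir>in|out)$"
)


def parse_flow(line):
    """Parse one constructed flow line; return a dict, or None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def build_report(lines, allowed=DEFAULT_ALLOWED_PORTS):
    """Per account: counts of outbound flows to ports outside the baseline, and the
    distinct destinations contacted on port 25. Inbound flows and bad lines are ignored."""
    report = defaultdict(lambda: {"new_ports": defaultdict(int), "smtp_dests": set()})
    for line in lines:
        f = parse_flow(line)
        if f is None or f["dir"] != "out":
            continue
        acct = report[f["acct"]]          # creates the entry even if nothing is flagged
        if f["port"] == 25:
            acct["smtp_dests"].add(f["ip"])
        if f["port"] not in allowed:
            acct["new_ports"][f["port"]] += 1
    return {a: {"new_ports": dict(v["new_ports"]), "smtp_dests": v["smtp_dests"]}
            for a, v in report.items()}


def notifications(report, smtp_threshold=SMTP_DEST_THRESHOLD):
    """Turn the report into (account, message) pairs a provider could email out."""
    out = []
    for acct, r in sorted(report.items()):
        if r["new_ports"]:
            ports = ", ".join(f"{p} ({n} flows)" for p, n in sorted(r["new_ports"].items()))
            out.append((acct, f"A device on your connection opened non-default outbound "
                              f"ports: {ports}. Reply to add them to your allow-list."))
        if len(r["smtp_dests"]) >= smtp_threshold:
            out.append((acct, f"Direct mail delivery to {len(r['smtp_dests'])} distinct mail "
                              f"servers this period; this is what a spam-sending host looks like."))
    return out


if __name__ == "__main__":
    for acct, msg in notifications(build_report(SAMPLE_FLOWS.splitlines())):
        print(f"[{acct}] {msg}")
```

Account 1001 is flagged for the IRC port it was never allowed; account 1002 is flagged both for port 25 itself and for fanning out to several mail servers; account 1003 stays within its baseline and gets nothing. Note the design choice that a new port is reported rather than silently blocked, which keeps this on the "notify" side of the comment's suggestion and out of DPI: only the five-tuple is consulted, never payload.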
I didn't see BIOS/CMOS/UEFI lock-down controls or the lifetime of power sources (e.g. batteries) or much physical security mentioned... e.g. protecting users from themselves, on social media and otherwise on a more physical level.
I didn't see driver configuration (the one device which has wifi with AP mode by default) --- that would make a bridge! :-/
The Wifi Distribution Service/Wifi Protected Setup configuration for wireless networks wasn't mentioned.
I didn't specifically see prevention of booting/use of or monitoring use of boot discs, or Wake-on technologies or deployment services (WDS) on the networks :-/
Other than this... shouldnt the competent be already doing this kind of stuff? One would assume they have sufficient amounts of people to achieve this?
These 20 controls are common sense and obvious and should be required for ANY company or government to implement that is in any way connected to the internet. It worries me these telcos can't or won't implement it. Most likely it was just the legal department talking, to prevent litigation by customers for not implementing it. Anyway, they suck.
Security checks are not appropriate for ISPs?
translation: We can't be bothered and it would cost money to implement ...
Whatever you do..
.. get me back my cabinet with the Mark IV Chubb dial lock.
I'm going to have to get me one of those for at home - mainly because I don't think anything less will keep the kids off my biscuits :)
Maybe... *my* guess is (in some cases) the companies are being cheap and not implementing basic common sense. But, I'm guessing in OTHER cases, this type of security is a done deal, they just don't want to have to file ream after ream of paperwork (yes, on PAPER) to the gummint to prove it.
Maybe it's just me...
...but it seems like there's an easy solution to getting industry to use best security practices: Just make it impossible for them to collect "damages" in legal cases involving computer intrusion, while allowing THEIR customers to collect damages from THEM for downtime/identity theft, etc. as a result from that intrusion.
Making the cost of not securing their systems an INternal cost, rather than an EXternality, would -- to paraphrase Samuel Johnson -- "concentrate their minds wonderfully."