Cybersecurity

Essentials for
Broadband
Service Providers
By: Russell Saffell, MPS, IAS, CHS-IV, CHPP
Director of Member Security & Critical Infrastructure Protection
Internet vs. Cyberspace
INTERNET
Single, interconnected, worldwide system of
computer networks that share:
 The Internet Architecture Board (IAB)
specified protocol suite
 The name and address spaces managed
by the Internet Corp. for Assigned Names
and Numbers (ICANN)
CYBERSPACE
A global domain within the information
environment consisting of an inter-dependent
network of information technology
infrastructures, including:
 The internet, telecommunications networks
 Computer systems
 Embedded processors and controllers
Source: CSRIC IV, Working Group 4 Final Report-
Cybersecurity Risk Management and Best Practices, Internet Society
Source: CSRIC IV, Working Group 4 Final Report:
Cybersecurity Risk Management and Best Practices, Beecham Research
What is Cybersecurity?
Cybersecurity is “the collection of tools, policies,
security concepts, security safeguards, guidelines, risk
management approaches, actions, training, best
practices, assurance and technologies that can be
used to protect the cyber environment and organization
and user’s assets.”
~International Telecommunications Union~
What Does Cybersecurity Look Like?
In Short Cyber Security is:
 Security Architecture
 Secure Operating Systems
 Security By Design
 Secure Coding
 Secure Environment
 Secure People
Open Security Architecture (OSA)
Design Principals
 Securing Operating Systems

Stage and
Isolate the Only Install Validate all
Carefully
System on a the Overall Install all Patches
Evaluate the
Protected Installation Minimum Boot Critical Before
Integrity &
Network in & Necessary Process Updates & Deploying
Source of
a Test Hardening for the Must Also Security System in
any Device
Environmen Desired Be Secure Patches Production
Driver Code
t System Environmen
t
 Securing Operating Systems

If Already
Deployed in
Production, Configure Install
Configure
Remove all Users, Groups, Additional
Resource Security Testing
Unnecessary & Security
Controls
Services, Authentication Controls
Applications, &
Protocols
Secure by Design & Secure Coding
This refers to the software you run on your systems.
 Was it developed with security in mind?

 Were best practices used during the SDLC to mitigate vulnerabilities?

 Defects, Bugs, and Logic Flaws are most common vulnerabilities

 Some common software design flaws include: buffer overflows, integer

overflows and format string vulnerabilities *(C and C++)

 Server/Client Architecture is vulnerable to Man in the Middle Attacks if

special care is not given to secure coding practices, encryption and hashing
 NO!
So should we just lock the
internet access down and manage
all cybersecurity controls
for our customers?
What is the Number One Priority for a
Broadband Service Provider (BSP)?

Quality
Customer Service
BSP Cybersecurity Traps
• Breach of Privacy:
What are you monitoring?
Just your customer’s internet traffic, meta-data etc.?
The content of your customer’s internet packet traffic?
Are you maintaining customer’s internet logs or content?
For how long?
For what purpose?
Did all your customer’s have to sign a release of information authorizing this?
Is this the same for both residential and business customers?
• Is any of this okay?
BSP Cybersecurity Traps
• Are you Blacklisting Certain Websites & IP Addresses?
What is the criteria for a website to be blacklisted?
Inappropriate vs Dangerous sites.
Are sites black listed indefinitely, or are they revisited and reclassified if found
to be no longer dangerous?
What if a site was blacklisted because it had some malicious adware on it that has since
been removed by the site owner?
• What About Freedom of Choice?
• Is this not Censorship?
BSP Cybersecurity Traps
• What About False Positives?
Intrusion detection and prevention controls can often block legitimate traffic
How can this impact your customers?

Safe
? Danger
BSP Suggested Responsibilities
Offer optional cafeteria style cybersecurity services

DDoS Mitigation
Block IP Address Spoofing
Follow Common Internet Standards and Best Practices for configuring routing
devices to validate source addresses and block spoofed traffic:
RFC-2827
BCP 38
BCP 84
Most security appliances and routers now offer filters as part of their configuration
options.
High-Level Cybersecurity in Practice
Must Include:
Policies and Procedures
Awareness Education Program
Vendor Products and Services Vetting Process
Continuing Education for Cybersecurity Practitioners
Legal/Regulatory Compliance
Risk Assessment and Management
Continuous Planning, Training, and Testing
Physical Security of all Technical Infrastructure
3 Types of Security Access Controls

PHYSICAL
LOGICAL
HUMAN
10 Principles of Security = IR(M)P²D⁵R
Identify Risks
Mitigate Prepare
Protect Deter
Detect Delay
Deny Defend
Recover
 Understanding Risk

VULNERABILIT
RIS
ASSET/TARGET THREAT
Place, person, Terrorist, or
Y
Psychological,
K
Potential for loss or
system, equipment criminal technical/logical, damage by threat/s
or infrastructure group/individuals, or physical which detects or
that you are trying or imminent natural characteristic that accesses
to protect hazard with the can leave the asset vulnerabilities which
ability to impact the unprotected or expose the asset
target exploitable
 Calculating Risk
RIS
LIKELIHOOD vs. IMPACT =
K
Likelihood Impact (Consequence)
Rare (Very Low) E Insignificant (Low – NO Business Impact) 1
Unlikely (Low) D Minor (Low – Minor Business Impact, some loss of confidence) 2
Moderate (Medium) C Moderate (Medium – Business is Interrupted, loss of confidence) 3
Likely (High) B Major (High – Business is Disrupted, major loss of confidence) 4
Almost Certain (Very High) A Catastrophic (High – Business cannot continue) 5
 Qualifying Likelihood
How to Qualify Likelihood Rating
Skill (High Skill Level Required » Low or No Skill Level Required) 1=High Skill, 5=No Skill
Ease of Access (Very Difficult to Do » Very Simple to Do) 1=Very Difficult, 5=Very Simple
Incentive (High Incentive » Low Incentive) 1=Low Incentive, 5=High Incentive
Resource (Requires Expensive or Rare Equipment » No Resources Required) 1=Rare/Expensive, 5=No Resources
TOTAL (Add Rating and Divide by 4) 1=E 2=D 3=C 4=B 5=A
Categorizing Risks
Impact (Consequence)
Insignificant Minor Moderate Major Catastrophic
Likelihood 1 2 3 4 5
A (Almost Certain) H H E E E
B (Likely) M H H E E
C (Possible) L M H E E
D (Unlikely) L L M H E
E (Rare) L L M H H

E Extreme Risk: Immediate action required to mitigate the risk or decide not to proceed.
H High Risk: Action should be taken to compensate the risk.
M Moderate Risk: Action should be taken to monitor the risk
L Low Risk: Routine acceptance of the risk
Managing Risk Avoidance

4 methods for managing risk

Avoidance
Transfer RIS
Mitigation Transfer
Acceptance K
Mitigation

Acceptance
 Mitigation vs. Preparedness
• Mitigation & Preparedness Go Hand & Hand
Mitigation is the effort to reduce loss of life and property by
lessening the impact of disasters and real world events. (DHS)
 = Individual Actions
 = Limits Loss
Preparedness is a continuous cycle of planning, organizing,
training, equipping, exercising, evaluating, and taking corrective
action in an effort to ensure effective coordination during
incident response. (DHS)
 = Cycle of individual actions ensuring readiness to respond.
 Preparedness
• Knowledge + Experience
Planning, Training and Exercises
Real world events
 Hot-Wash, Lessons Learned
 Revise & Adjust
 Implement new controls and
mitigation strategies.

Repeat!
 Administrative Functions
• Policies:
Physical Security/Access Control
Cybersecurity
Training
Risk Assessment & Assignment
Delegation of Authority & Order of Succession
Incident Reporting
Privacy and Information Handling
Public Information & Media Relations
 Subject Matter Expert Functions
• Plans, Procedures, Guidelines & Methodologies:
Security & Cybersecurity Plans
Training Plans
Risk Assessment Methodology
Emergency Operations Plans
Hazard Mitigation Plans
Disaster Recovery Plans
Continuity of Operations/Services & Resilience Plans
SOP & SOG for Critical Functions (with checklists)
 Security Awareness Critical Training
Cybersecurity Awareness for All Employees
Emergency Operations
Information Privacy
Media Relations
Cybersecurity Awareness Critical Training
Basic Network Security Offered to
Basic System Security
Internet Safety Tips All Customers
Responsible Use
 Deterrence
• Deterrence is the art of getting inside a would-be criminal’s head and
psychologically making them believe that the probability of success is less than
desirable, thereby eliminating the risk.
• Also to remove temptation from the equation. If a would-be criminal never sees
a valuable target, then there are no social-tendencies leading to potential
criminal activity.
• To accomplish this there are several actions you can take including:
The use of Overt Multi-Layered Security.
Compartmentalized Access: The principle of least privilege; to limit the access of
individuals to only those areas where their job function requires.
Deterrence
Administrative Methods
Security Policy
Employee screening (insider threat)
Security signage
Prohibit non-critical storage and staging
Annual security program and vulnerability assessments
Armed (vetted) Security Guards
Neighbor awareness security program
Deterrence
Systems, & Technologies
Employees trained to spot Social Engineering Attacks
Motion activated lighting and video surveillance
Limited access smart locks and access card systems/readers
Security fencing to include solutions with blast and ballistic resistance
Environmental and physical vehicle barriers
Security lighting to include motion activated strobe illumination
Robust cybersecurity program
 Detection
• The purpose of detection is to identify suspicious behavior of unauthorized and
authorized individuals prior to any unlawful activity taking place and recognizing
and timely reporting unlawful activity as it occurs. This may include:
Parameter Surveillance Detection & Counter Surveillance.
Serious negative changes in mood of an employee (hostility, depression,
desperation, etc.).
Monitoring logs of access, and identifying irregularities.
Audit trails and logs
Reporting suspicious activity (see something, say something).
Alarm System with Law Enforcement Dispatch.
• These are more covert actions, and may require the use of
hidden cameras, and employee and community training
Additional Detection Systems
System Intrusion Detection
External/internal video analytic systems
External/internal motion sensing systems
External seismic detection systems
Glass break sensors
Fence climbing/tampering sensors
UAV detection systems
 Delay
• Through the use of physical and technological obstacles, an intruder’s
objective can be seriously delayed. This will allow detection and
defense to have more time.
• This may happen if your measures designed to deter are inadequate,
or if a would-be criminals resolve is great enough to motivate them to
assume the risk of being caught.
• Some additional delay measures (both overt and covert) include:
Interior locking doors, no interior signage, & confusing building design.
Locked gates, motion lights and cameras, roving armed security and or/dogs inside parameter.
Strong Passwords, Encryption, Honey-Pots
 Deny
• Ultimately we want to deny any unauthorized access, while
not prohibiting or restricting authorized access. This is
generally accomplished by utilizing access controls:
Card/Code & Biometric Access.
No piggy-backing.
Armed gate and front desk security.
ID card verification (either by a verification system or security personnel).
Escort all visitors.
Implementation of strong policies, plans, procedures, and training.
 Deny (Cont.)
• Cyber related controls to deny unauthorized access to
information systems include (but are not limited to):
Air Gapped Critical Systems
Updated Antivirus Software
Role Based Security.
Layered Cybersecurity Controls.
Intrusion Detection & Prevention Systems.
Heavily protected Network Access Points.
Updated Software, Firmware, and Security Patches.
Strong Passwords and 2-Factor Authentication.
 Defend (Physical)
Defense is also referred to as
response. This is where
security personnel, apprehend
the culprit/s. Law enforcement
has to get involved during this
phase.
 Defend (Cyber)
• Cyber related controls to Defend against unauthorized access to
information systems include (but are not limited to):
Cybersecurity Awareness Training

Strong Cybersecurity Policies.

Implemented, trained on, and tested plans and procedures.

Random Internal and 3rd party Assessments/Audits w/Penetration Testing.

24/7 Cybersecurity Monitoring.

Cyber Emergency Response Team (contracted or employed).

The Truth About Cybersecurity
There is no such thing as impenetrable cybersecurity.
From the moment that a new cybersecurity control is developed
there is someone developing a way to defeat it.

Cybersecurity measures can be expensive.

Cybersecurity measures need to be routinely updated.

People are your greatest asset and your weakest link.

5 Emotional Traps
1. Hopelessness – There’s nothing we can do.

2. Infallibility – It will never happen here.

3. Inescapability – If it’s unavoidable, why even try to prevent.

4. Invulnerability – It can’t happen to me/us.

5. Inevitability – If it’s going to happen anyway, why prepare.

Why Should I Care about Cybersecurity?
Cyber-criminals/terrorists don’t want you to care!

You are more likely to be attacked in cyberspace than if

you went camping next to an Al Qaeda or ISIS stronghold!

You have already been impacted by cyber attacks!

You are the first line of defense against cyber threats

to an entire community!
Why Security Matters
Security is always seen as too much until the day it’s not enough.
~ William Webster, former FBI Director
• The impact of having no or inadequate security controls when
something happens is, almost always, more costly than even
the long-term price of the security controls implemented.
• Even if you have insurance to cover the brunt of the costs
associated with a loss, the replacement of critical assets can
often take a long time; (how valuable is time?)
• You have a responsibility to your customers.
 Additional Risks
• Security Risks are only one of the many types of risks that you face!
Other Risks include:
Animal Attack
Natural Hazards
Pandemic
Equipment Failure
CBRNE
Supply Chain or Distribution Disruption
Operator Error or Employee Negligence
 Where Should You Focus Your Efforts?
• This is where you return to the Risk Assessment
Methodology:

LIKELIHOOD vs. IMPACT

Questions to Ask Yourself or Manager
• Are our systems all patched?
• Are our security controls properly configured?
• Are our systems up to date?
• Is our equipment and infrastructure all secure from physical and environmental risks?
• Are we using multi-factor authentication for both physical and logical access to critical systems?
• Is access to and management of critical systems compartmentalized?
• Are we promoting cybersecurity awareness for our employees and customers?
• Are we keeping up with emerging threats and technologies?
• Are we conducting routine audits with penetration testing?
• Are we secure and prepared?
What Else Can You Do?
• Build Strong Relationships with other professionals in your field.

Join my
Cybersecurity Taskforce
What Else Can You Do?
If you see Something,
Say Something!
If you can Fix it,
FIX IT!
What Else Can You Do?
• Use your resources:

www.iamu.org/security
 Russell Saffell
Director of Member Security & Critical Infrastructure Protection
[email protected]
(515)289-1999