Three questions every CxO should ask their ISP

Posted on

Here is a question for all the CxOs. Why, as an accountable CxO, are you not asking your ISPs for the security basics?

This week, the industry has yet another reflection amplification Denial of Service Attack vulnerability. memcached on port 11211 UDP & TCP being exploited walks through the details of this week’s attack vector. As seen in Akamai Technologies “memcached-fueled 1.3 Tbps Attacks,” the size of these attack are saturating links on the Internet. This is not the first or the last of these massive DOS attacks. The irony is that these attacks are easily prevented with operationally cost-effective Best Common Practices (BCPs) in ISPs, Telcos, Mobile Operators, and other large network organizations.

As the industry was working to mitigate this memcached DOS reflection vulnerability, three questions kept repeating with each Operator:

  1. Why is this ISP/Telco/Mobile Operator not deploying Exploitable Port Filters? Don’t they know that these have proven to be critical to protecting their network?
  2. Why is this ISP/Telco/Mobile Operator not deploying Source Address Validation (SAV)/BCP 38 or doing the checks to make sure there is no spoofing?
  3. Why are these ISP/Telco/Mobile Operator customers not asking “what steps are being taken to protect their network?”

The last question is the perplexing question. When talking to Operators why they are never pushed for deploying essential security BCPs like the Exploitable Port Filters, they respond with “our customers never push us to deploy.” “If we do not get asked, then there is no point to push to prioritize security BCPs.”

This is a shock. CEOs, CIOs, CISOs in all part of the industry are expressing their concerns for the increased security risk on the Internet. Today’s Internet/Telecom is a “cyberwar zone,” in a world where criminal activity is rampant, and in a world where there are no checks against online corporate espionage. It would only be logical for the CxO to ask their Operator to list out in details what security practices are deployed to help protect their business, their peers on the same network, and the rest of the Internet.

If my current job today was as a CIO, a CISO, Head of Operations, Head of Planning, or a CIO, I would be asking my upstream ISPs the following questions:

Q1. Are you deploying Exploitable Port Filtering or Rate Limiting on the edge of your network to keep the well-known exploit ports blocked? Can you provide a list? How fast can you update this list (like when something like memcached happens)?

Q2. Are you deploying Source Address Validation (SAV) and BCP 38 so that no one connecting to your network can spoof an IPv4 or IPv6 source address? Have you deployed monitors in your network as part of the Internet’s Spoofer Project? If you are not doing this, why should my organization trust you as a Telco or ISP that my business depends?

Q3. If I was attacked with a DOS attack, can you deploy the basic BGP Remote Triggered Black Hole (RTBH) filtering to help us respond to an attack? Are you deploying samples Netflow/IPFIX on your gateways to help us track who & what is attacking our network?

Will there be pushback from your Operator? There should not be any push back. These should be Frequently Asked Question (FAQ). In my past roles, these have been questions I have to ask my Operators when bought Internet connectivity. They are also questions I was asked when I was asked when I provided Internet connectivity (for the latter, I would have ready PDFed answers to make life easier). Questions like these from customers of the ISP should be welcomed. They illustrate the interest in the security of their network, the ISP’s network, and the Internet.

These three questions start the conversation. They will immediately provide attitude insight into your ISP, Telco, Mobile Operator, or another connected network. The industry shares BCPs which are cost-effective to deploy. The challenge is NOT technology. The challenge is the attitude.

CxOs, have the conversation. Check your upstream Internet & Telecommunications provider’s attitude.

Originally posted on Medium: Three questions every CxO should ask their ISP

Need Security Advice?

If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at bgreene@senki.org. Start with the Operator’s Security Toolkit. It is the no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.