Cybersecurity – a review of a talk by Dr. Paul Twomey at the Lowy Institute for International Policy, 8/9/10

I recently heard a recording of a talk on cyber-security by Dr. Paul Twomey delivered at The Lowy Institute, which has implications for many countries/entities. Dr. Twomey is the MD of Argo-Pacific and is a former CEO of ICANN. The slides and MP3 of the talk are behind the link above. Here are my notes from the talk.

  • Context: Over 90 per cent of Australian networks that underpin our society are privately controlled and increasingly interconnected to global sources of vulnerability. In the event of financial loss, the boards of these companies are liable. The exception would be where the access layer is fully government owned, as in the NBN (for now or forever if the Greens have their way)
  • Coverage: Threat surface of the “3 layers of the Internet”– the physical transit layer, the protocols, and applications layer – all of which were fundamentally designed to be open.
  • Trend: As the degree of data digitization increases from email to fully cloud-integrated, information-based businesses, so does the spectrum of risk. These range from inadvertent events such as the 1000 point drop on the NYSE in May this year when a linchpin application was taken offline, to coordinated (some state-sponsored) cyber-espionage, ROI-focused cybercrime and “hacktivism.”
  • Trend: There are state actors that see cyber-warfare as a viable asymmetric response, so there will be no “Cyber Arms Control Treaty.” The best we can hope for is a “Geneva Convention” on Cyber-behaviour – e.g. no attacking civilian hospitals and electricity grids. But this would apply to state actors only. Non-state actors would likely ignore it.
  • Threats: Threats are inside and outside the firewall, and move faster than the response. Compromises occur and the costs are high. Based on 5 years of data, Dr. Twomey estimates it costs $220 per record that is lost in the event of a data breach or an average of $6.6M given the average number of records lost.
  • Now: Extortion phishing, pharming, DDOS attacks (e.g. Optus outage in April 2010), loss of IP and sensitive data (Mariposa botnet in 40 major banks), reputational hits (Rio Tinto’s Singapore office shut down for days by large intrusion around the time of Stern Hu’s arrest in China)
  • Emerging: Disruption attacks (e.g. Zombie DDOS attacks on Estonian routers, DNS, and email servers), Data corruption attacks
  • Implications for people running networks:
  1. Consider setting up an Emergency Response Team in the Security Operation Centre (if it doesn’t exist already) which would:
  2. Identify and block bots from root DNS servers
  3. Blacklist attack computers (Tor is an issue, though)
  4. Analyse server logs to identify origin of attacks
  5. Close down sites to domestic users only
  6. Use (DPI-based) filtering of bogus traffic. Twomey mentions Cisco Guard but there are other pure-play vendors and even GGSN vendors.
  7. Create online diversion strategies which divert hackers to attack sites that have already been destroyed or spoof sites. DPI engines can do this, too, at line rates.
  8. Be involved in, or at least review the findings of the Cyber Storm exercises to keep abreast of new threats and response measures.
  9. Need to design for VoIP (“most insecure protocol”) vulnerabilities and isolate this traffic from a network perspective
  10. There is a market for cyber-insurance! Should you be in that business to differentiate your offering and further reinforce its secure and reliable message? Already, some companies are offering “100% availability SLAs” (it’s an actuarial SLA, not an engineering one, but it sounds good to the untrained!)
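Items 3 and 4 above (analyse server logs to find the origin of an attack, then blacklist the attacking hosts, keeping in mind that Tor exits and other shared egress points are a problem) are the kind of thing an Emergency Response Team would script. The following is an added example of my own, not code from the talk or from any vendor Twomey mentions: it parses constructed web-server access-log lines in the common combined-log layout, counts requests per source address over a sliding window, and splits the sources that exceed a threshold into outright block candidates and a review-only set for addresses that sit on a (constructed, placeholder) list of shared exits, since blocking those also blocks the legitimate users behind them. The log lines, addresses, window and threshold are all assumptions for illustration.

```python
"""Added example: flag likely DDoS sources from access logs (not from the talk)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-style line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed placeholder for addresses shared by many users (Tor exits, carrier
# NAT, corporate proxies). A real team would feed this from its own sources.
SHARED_EXITS = frozenset({"192.0.2.9"})


def parse_line(line):
    """Return (ip, timestamp, request) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return m.group("ip"), ts, m.group("req")


def find_attack_sources(lines, window=timedelta(seconds=10), threshold=20,
                        shared_exits=frozenset()):
    """Sliding-window request counter per source IP.

    Assumes each source's lines appear in chronological order (normal for a
    server log). Returns (block_candidates, review_only, skipped): the two
    dicts map ip -> peak number of requests seen inside any single window;
    sources listed in shared_exits go to review_only rather than block.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)       # ip -> highest in-window count observed
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1          # malformed line: count it, do not crash on it
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    block = {ip: n for ip, n in peak.items() if n >= threshold and ip not in shared_exits}
    review = {ip: n for ip, n in peak.items() if n >= threshold and ip in shared_exits}
    return block, review, skipped


def build_sample_log():
    """Constructed sample (not real traffic): one flood source, one flooding
    shared exit, one ordinary visitor, and one malformed line."""
    base = datetime(2010, 9, 8, 10, 0, 0, tzinfo=timezone(timedelta(hours=10)))

    def line(ip, offset_s, path="/"):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = [line("198.51.100.5", i // 5) for i in range(30)]      # 30 hits in 6 s
    lines += [line("192.0.2.9", i // 5) for i in range(25)]        # 25 hits in 5 s
    lines += [line("203.0.113.7", i * 15, "/about") for i in range(5)]  # 5 hits in 60 s
    lines.append("this line is not a valid log entry")
    return lines


if __name__ == "__main__":
    block, review, skipped = find_attack_sources(build_sample_log(),
                                                 shared_exits=SHARED_EXITS)
    print("block candidates:", block)
    print("needs human review (shared exits):", review)
    print("unparsed lines:", skipped)
```

The threshold and window are deliberately parameters: what counts as a flood for a small corporate site is normal load for a popular one, so tune them against a baseline of your own logs before feeding the block list to a firewall or DPI engine, and treat the review set as a prompt for rate limiting or CAPTCHA rather than a blanket block.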