Securing Critical Internet Infrastructure Albert Daniels albert.daniels@icann.org ICANN Manager for Stakeholder Engagement - Caribbean
Agenda
o Recent trends in Cybersecurity in the Caribbean
  o Mechanics of Breaches
  o Latin America and Caribbean Targets
  o Best Practice Recommendations
o DNSSEC and Securing Critical Internet Infrastructure
Latin American and Caribbean Cyber Security Trends (published June 2014)
Contributors: OAS, Symantec, AMERIPOL, APWG, ICANN, LACNIC, Microsoft
2013 was the year of the Mega Breach
o Proliferation of financially motivated cyber breaches
o Many breaches in Latin America and the Caribbean aimed at gaining access to sensitive data
o A 62% rise from 2012; eight of these breaches exposed more than 10 million identities each
o Significant expenditure of time and financial resources imposed for response, recovery and added protection
Best Practice Guidelines for Enterprise (1)
o Employ defense-in-depth strategies
o Monitor for network incursion attempts, vulnerabilities, and brand abuse
o Antivirus on endpoints is not enough
o Secure your websites against Man-in-the-Middle attacks and malware infection
o Protect your private keys
o Use encryption to protect sensitive data
Best Practice Guidelines for Enterprise (2)
o Ensure all devices allowed on company networks have adequate security protections
o Implement a removable media policy
o Be aggressive in your updating and patching
o Enforce an effective password policy
o Ensure regular backups are available
o Restrict email attachments
o Ensure that you have infection and incident response procedures in place
o Educate users on basic security protocols
Country Specific Reports - Caribbean (details on the national situation): Antigua & Barbuda, Barbados, Belize, Dominica, Dominican Republic, Grenada, Guyana, Haiti, Jamaica, St. Kitts & Nevis, St. Vincent & the Grenadines, Suriname, Trinidad and Tobago
Why DNSSEC?
DNS Basics: DNS converts names (www.bncr.fi.cr) to numbers (201.220.29.26), to identify services such as www and e-mail, and in doing so identifies and links customers to businesses and vice versa.
DNS is a part of all IT ecosystems: e-mail addresses (lamb@xtcn.com), VoIP numbers (+1-202-709-5262), the US NSTIC effort, the OECS ID effort, the Smart Electrical Grid; all of them hang off a domain name (mydomainname.).
Where DNSSEC fits in: legacy DNS carries no authentication, and advances in CPU and bandwidth have made Man-in-the-Middle attacks on it (forged answers, cache poisoning) practical. DNS Security Extensions (DNSSEC) introduce digital signatures into DNS to cryptographically protect its contents. With DNSSEC fully deployed a business can be sure a customer gets unmodified DNS data (and vice versa).
The Bad: DNSChanger - Biggest Cybercriminal Takedown in History. Malware that rewrote victims' DNS settings to point at rogue resolvers: 4M machines, 100 countries, $14M (Nov 2011). http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpinsarrested-in-estonia/
The Internet's Phone Book - Domain Name System (DNS)
[Diagram: the customer's browser asks the ISP's DNS resolver "www.majorbank.se = ?"; the resolver follows the DNS hierarchy (root -> se -> majorbank.se) to the registrant's (Majorbank's) DNS server, which answers www.majorbank.se = 1.2.3.4; the browser fetches the login page from the web server at 1.2.3.4, sends username/password and receives account data.]
Caching Responses for Efficiency
[Diagram: the resolver caches www.majorbank.se = 1.2.3.4, so later customers are answered from the cache without asking Majorbank's DNS server again.]
The Problem: DNS Cache Poisoning Attack
[Diagram: the attacker injects a forged answer so that the resolver caches www.majorbank.se = 5.6.7.8; the customer is sent to the attacker's web server at 5.6.7.8, which shows a look-alike login page, stores the submitted username/password in a password database and returns an error. Majorbank's DNS server still holds the correct 1.2.3.4.]
Argghh! Now all ISP customers get sent to the attacker.
[Diagram: the poisoned cache entry www.majorbank.se = 5.6.7.8 is served to every customer of that ISP, each of whom is sent to the attacker's web server.]
Securing The Phone Book - DNS Security Extensions (DNSSEC)
[Diagram: the DNS server signs its records and the resolver validates with DNSSEC; the attacker's record www.majorbank.se = 5.6.7.8 does not validate and is dropped, and the customer reaches the real web server at 1.2.3.4.]
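The poisoning and validation slides above, worked through in code as an added example that is not part of this presentation: a toy validating resolver in Go with a single trust anchor (the root key), Ed25519 signatures (DNSSEC algorithm 15) standing in for RRSIGs and SHA-256 digests standing in for DS records. It models the chain of trust, not DNS wire format or a real DNSSEC implementation; the Zone, SignedRR and Validator types, the canonical record encoding and the addresses are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Zone is a toy signing zone: an Ed25519 key pair standing in for the zone's DNSKEY. Names are absolute ("majorbank.se."); the root is ".".
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// SignedRR is one resource record plus its RRSIG-like signature and the signing zone.
type SignedRR struct {
	Name, Type, Data, Signer string
	Sig                      []byte
}

func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand is not expected to fail here
	return &Zone{Name: name, Pub: pub, priv: priv}
}

func rrBytes(name, typ, data string) []byte { // canonical form a signature covers (owner names are case-insensitive)
	return []byte(strings.ToLower(name) + "|" + typ + "|" + data)
}

func (z *Zone) Sign(name, typ, data string) SignedRR {
	return SignedRR{name, typ, data, z.Name, ed25519.Sign(z.priv, rrBytes(name, typ, data))}
}

// DSDigest models a DS record: SHA-256 over the child's DNSKEY, published and signed by the parent.
func DSDigest(pub ed25519.PublicKey) string {
	d := sha256.Sum256(pub)
	return hex.EncodeToString(d[:])
}

func parentOf(zone string) string { // parentOf("majorbank.se.") == "se.", parentOf("se.") == "."
	if i := strings.Index(zone, "."); i < len(zone)-1 {
		return zone[i+1:]
	}
	return "."
}

// Validator is a validating resolver: one configured trust anchor, the DNSKEYs received in answers (untrusted until chained) and the DS record of each child zone.
type Validator struct {
	Anchor  ed25519.PublicKey
	DNSKEYs map[string]ed25519.PublicKey
	DS      map[string]SignedRR
}

// verify checks rr's signature under the DNSKEY the resolver holds for rr.Signer.
func (v *Validator) verify(rr SignedRR) bool {
	key := v.DNSKEYs[rr.Signer]
	return strings.HasSuffix(rr.Name, rr.Signer) && len(key) == ed25519.PublicKeySize &&
		ed25519.Verify(key, rrBytes(rr.Name, rr.Type, rr.Data), rr.Sig)
}

// Validate accepts rr only if its signature verifies and the signer's DNSKEY is linked, DS by DS, up to the trust anchor.
func (v *Validator) Validate(rr SignedRR) error {
	if !v.verify(rr) {
		return errors.New("RRSIG does not verify under the signer's DNSKEY")
	}
	for zone := rr.Signer; zone != "."; zone = parentOf(zone) {
		ds, ok := v.DS[zone]
		if !ok || ds.Signer != parentOf(zone) || ds.Data != DSDigest(v.DNSKEYs[zone]) || !v.verify(ds) {
			return fmt.Errorf("no valid DS links %s to %s", zone, parentOf(zone))
		}
	}
	if string(v.DNSKEYs["."]) != string(v.Anchor) {
		return errors.New("root DNSKEY does not match the configured trust anchor")
	}
	return nil
}

// Demo builds the chain . -> se. -> majorbank.se. and validates three answers for www.majorbank.se.:
// the genuine record, a forgery with a bad signature, and a forgery delivered with the attacker's own DNSKEY.
func Demo() (genuine, badSig, badKey error) {
	root, se, bank := NewZone("."), NewZone("se."), NewZone("majorbank.se.")
	attacker := NewZone("majorbank.se.") // attacker's own key pair for the same zone name
	v := &Validator{Anchor: root.Pub,
		DNSKEYs: map[string]ed25519.PublicKey{".": root.Pub, "se.": se.Pub, "majorbank.se.": bank.Pub},
		DS: map[string]SignedRR{"se.": root.Sign("se.", "DS", DSDigest(se.Pub)),
			"majorbank.se.": se.Sign("majorbank.se.", "DS", DSDigest(bank.Pub))}}
	genuine = v.Validate(bank.Sign("www.majorbank.se.", "A", "1.2.3.4"))
	forged := attacker.Sign("www.majorbank.se.", "A", "5.6.7.8")
	badSig = v.Validate(forged)               // real DNSKEY still cached: signature fails
	v.DNSKEYs["majorbank.se."] = attacker.Pub // poisoned reply also swaps in attacker's DNSKEY
	badKey = v.Validate(forged)               // signature now verifies, but no parent-signed DS matches it
	return
}
```

The second forgery is the one that matters: an attacker can always mint a key and sign 5.6.7.8 with it, so a resolver that only checked "is this record signed by the key that came with it" would be fooled. What stops the forgery is that the parent zone (se.) signed a DS digest of the real majorbank.se. key, and that chain ends at the one key the resolver was configured to trust. A real resolver also checks validity windows, key tags, algorithm and label-boundary ownership, none of which this model does.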
The Business Case for DNSSEC Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differentiator. DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a platform for new security applications (for those that see the opportunity). DNSSEC infrastructure deployment has been brisk but requires expertise. Getting ahead of the curve is a competitive advantage.
DNSSEC - Where we are
o Deployed on 462/654 TLDs (29 July 2014, 70%): .com .hr .es .in .af .ee .lb .bg .tm .cz .nl .uk .de .jp .cn .ru .рф .my مليسيا. .asia .tw 台灣. .kr 한국. .net .org .post, plus new gTLDs
o Root signed** and audited
o > 86% of domain names could have DNSSEC
o Required in new gTLDs; basic support by ICANN registrars
o Growing ISP support*
o 3rd-party signing solutions***
o Growing software and hardware support: NLnet Labs, ISC, Microsoft, PowerDNS, Secure64?; openssl, postfix, XMPP, Mozilla: early DANE support
o IETF standard for binding SSL/TLS certificates to DNSSEC-signed names (DANE, RFC 6698)
o Growing support from major players (Apple iPhone/iPad, Google Public DNS 8.8.8.8, ...)
* Comcast (20M) and others; most ISPs in SE and CZ; ~12% of resolvers validate using DNSSEC
** International bottom-up trust model with 21 Trusted Community Representatives (TCRs) from: TT, BF, RU, CN, US, SE, NL, UG, BR, Benin, PT, NP, Mauritius, CZ, CA, JP, UK, NZ
*** Partial list of registrars: https://www.icann.org/en/news/in-focus/dnssec/deployment
DNSSEC: So what's the problem? Not enough IT departments know about it, or they are too busy putting out other security fires. When they do look into it they hear old stories of FUD and a lack of turnkey solutions. Registrars*/DNS providers see no demand, leading to chicken-and-egg problems. *but now required by the new ICANN registrar agreement
What you can do
For Organizations / Companies:
o Sign your corporate domain names
o Just turn on validation on corporate DNS resolvers
For Users:
o Ask your ISP to turn on validation on their DNS resolvers
For All:
o Take advantage of ICANN, ISOC and other organizations offering DNSSEC education and training
Game changing Internet Core Infrastructure Upgrade
"More has happened here today than meets the eye. An infrastructure has been created for a hierarchical security system, which can be purposed and re-purposed in a number of different ways..." - Vint Cerf (June 2010)
Too many CAs. Which one can we trust? DNSSEC to the rescue.
o CA certificate roots: ~1482. DNSSEC root: 1
o Content security today: commercial SSL certificates for Web and e-mail
o Content security with DNSSEC: DANE and other yet-to-be-discovered security innovations, enhancements and synergies; free SSL certificates for Web and e-mail, and trust agility
o Network security: IPSECKEY (RFC 4025)
o Securing VoIP domain names
o Cross-organizational and trans-national identity and authentication
o E-mail security: DKIM (RFC 4871)
o Login security: SSHFP (RFC 4255)
Sources: https://www.eff.org/observatory, http://royal.pingdom.com/2011/01/12/internet-2010-in-numbers/
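Two of the record types listed above, TLSA (DANE, RFC 6698) and SSHFP (RFC 4255), as an added example in Go that is not from the presentation: the records a zone operator would publish for a web certificate and an SSH host key, and the client-side check that rejects an impostor's certificate for www.majorbank.se even though it is as well-formed as the genuine one. The certificates and keys are generated inside the example; real use requires the records to arrive DNSSEC-validated, which the example assumes rather than implements, and the Demo/selfSigned helpers are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TLSARecord builds the rdata a zone operator publishes at _443._tcp.<host> (RFC 6698):
// usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256).
func TLSARecord(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "3 1 1 " + hex.EncodeToString(sum[:])
}

// MatchTLSA is the client side: does the certificate presented in the TLS handshake
// match the (DNSSEC-validated) TLSA rdata? Selectors 0/1 and matching types 1/2 are handled.
func MatchTLSA(rdata string, presented *x509.Certificate) (bool, error) {
	f := strings.Fields(rdata)
	if len(f) != 4 {
		return false, fmt.Errorf("malformed TLSA rdata %q", rdata)
	}
	if f[0] != "3" {
		return false, fmt.Errorf("usage %s needs PKIX chain validation, not shown here", f[0])
	}
	var data []byte
	switch f[1] {
	case "0":
		data = presented.Raw // full DER certificate
	case "1":
		data = presented.RawSubjectPublicKeyInfo
	default:
		return false, fmt.Errorf("unknown selector %s", f[1])
	}
	var digest []byte
	switch f[2] {
	case "1":
		d := sha256.Sum256(data)
		digest = d[:]
	case "2":
		d := sha512.Sum512(data)
		digest = d[:]
	default:
		return false, fmt.Errorf("unknown matching type %s", f[2])
	}
	return strings.EqualFold(hex.EncodeToString(digest), f[3]), nil
}

// SSHFPRecord builds SSHFP rdata (RFC 4255, RFC 7479) for an Ed25519 host key: algorithm 4,
// fingerprint type 2 (SHA-256) over the SSH wire-format key blob (the base64 part of "ssh-ed25519 AAAA...").
func SSHFPRecord(pub ed25519.PublicKey) string {
	blob := append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
	sum := sha256.Sum256(blob)
	return "4 2 " + hex.EncodeToString(sum[:])
}

// sshString is the length-prefixed string encoding of RFC 4251 section 5.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// selfSigned makes a throwaway certificate for name, as a site operator or an impostor would.
func selfSigned(name string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Demo: the bank publishes a TLSA record for its certificate; a DANE-aware client accepts
// that certificate and rejects an impostor's certificate issued for the same name.
func Demo() (genuineOK, impostorOK bool) {
	bank, impostor := selfSigned("www.majorbank.se"), selfSigned("www.majorbank.se")
	rdata := TLSARecord(bank) // published, DNSSEC-signed, at _443._tcp.www.majorbank.se
	genuineOK, _ = MatchTLSA(rdata, bank)
	impostorOK, _ = MatchTLSA(rdata, impostor)
	return
}
```

Usage 3 with selector 1 pins the server's public key rather than a CA, which is why the slide can speak of one DNSSEC root instead of ~1482 CA roots: no CA is consulted at all. The trade-off is operational: the TLSA record must be updated before the key is rotated, or every DANE client will refuse the new certificate.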
ICANN DNSSEC Deployment @Root
o Multi-stakeholder, bottom-up trust model* with 21 crypto officers from around the world
o Broadcast key ceremonies and public documents
o SysTrust audited
o FIPS 140-2 Level 4 HSMs
o Root DPS (DNSSEC Practice Statement)
* Managed by the technical community + ICANN
http://www.flickr.com/photos/kjd/sets/72157624302045698/ Photos: Kim Davies
DNSSEC: Internet infrastructure upgrade to help address today s needs and create tomorrow s opportunity.