Cybersecurity and Internet Governance

Published in: Internet

  1. 1. Kenny Huang, Ph.D. (黃勝雄), Executive Council, APNIC; Author, RFC3743, IETF. Keynote, SITCON, 18 Mar 2017. huangksh@gmail.com. Cybersecurity and Internet Governance
  2. 2. The Internet and Internet Governance (IG); Cybersecurity; Cybersecurity vs. IG
  3. 3. The Internet
  4. 4. The Internet
  5. 5. The Internet #1 Blind Trust: we trust parties we don't even know exist
  6. 6. The Internet #2 No Ownership: the big companies, not users, own the data.
  7. 7. Internet Governance. Source: ICANN
  8. 8. Internet Governance Definition. IG definition @ WSIS Tunis 2005: The development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.
  9. 9. Internet Governance Layers: Telecom infrastructure (cable, wireless, ...); Protocols, standards and services (DNS, TCP/IP, SSL, ...); Content and applications (HTML, FTP, XML). Source: Diplo
  10. 10. ARPANET 1969-1981: Internet 1969, Internet 1970, Internet 1977, Internet 1981
  11. 11. IG Concepts in ARPANET – Technology Track 1969 1983 ✓ System requirements ✓ Standardization ✓ Entity for managing technical standards RFC 01 RFC 03 IETF Working Group Steve Crocker RFC 883 RFC 882 ✓ Domain name concept ✓ Tree hierarchy ✓ DNS operation 1984 RFC 1035 RFC 1034 ✓ DNS delegation ✓ ccTLD, gTLD ✓ Single Root 1987 1994 ISC: Paul Vixie BIND UC Berkeley Jon Postel acted as RFC Editor 1969-1998
  12. 12. 12
  13. 13. 13
  14. 14. IG Concepts in ARPANET – Registry Track 1969 HOSTS.TXT (hostname, IP address entries) SRI maintained HOSTS.TXT; SRI (Stanford Research Institute); Jon Postel managed Assigned Number List; Copy to other sites 1981 ✓ Names ✓ Numbers ✓ Critical Internet Resources ✓ Registry operation ✓ Uniqueness of name – Single Internet
  15. 15. IG Concepts for Architecture and Authority 1969 1987 1988 1998 RFC 1035 RFC 1034 18 Sep 1998 established 16 Oct 1998 passed away Root Zone Operator ✓ Execute IANA functions ✓ Root zone governance ✓ TLD legal issue The IANA functions manage protocol parameters, Internet number resources and domain names. ICANN performs these functions on behalf of the global Internet community.
  16. 16. Root System Model. Source: ICANN
  17. 17. Source: ICANN Root DNS Anycast Root Source: RIPE IETF48 Root Server Operators' statement (1998 Dec) ✓ Operate reliably, for the common good of the Internet ✓ Recognize IANA as the source of the root data ✓ Invest sufficiently to ensure responsible operation ✓ Facilitate the transition, when needed and with proper notice ✓ Recognize the other root server operators ✓ Multistakeholder ✓ Recognize IANA ✓ Single Internet ✓ Internet as public good
  18. 18. IG Concepts for Number Community 1992 2001 1993 1997 2005 ✓ Multistakeholder Model ✓ Self regulation ✓ Member voting right ✓ IP address allocation ✓ Policy development process 1999 ✓ ASO ICANN Board selection ✓ Global address policy ✓ Accountability ✓ Transparency ✓ Governance ✓ Finance ✓ Policy
  19. 19. Critical Information Infrastructure (CII): Internet Numbering Architecture; Internet Naming Architecture ✓ Critical Information Infrastructure Protection
  20. 20. Net Neutrality: The principle that Internet service providers should enable access to all content and applications regardless of the source, and without favoring or blocking particular products or websites. Source: http://www.savetheinternet.eu
  21. 21. ISP blocking and tiering cases. 2004: ISP Madison River blocking Vonage's VoIP services; 2006: ISP AOL blocked access to www.dearaol.com; 2007: ISP Comcast blocked BitTorrent; 2008: ISP Tele2 blocked access to thepirateboy.com; 2009: IPRED law to monitor all Swedish web traffic; 2010: Italian ISPs block access to Pirate Boy. Source: Telesperience. ISP Traffic Engineering Technique: Traffic discrimination is necessary as a routine part of network management
  22. 22. Degree of Enforcement. Full Neutrality: holds that the network must be completely neutral, with no differential treatment at all; packets are transmitted first-come, first-served (FCFS). Main proponents include the scholar Susan P. Crawford (Cardozo Law School; formerly FCC chair). Allow discrimination based on type of data: this position holds that network data has different service requirements, for example packet latency or jitter. ISPs may adjust differential treatment according to the properties of the application service. Main proponents include the scholar Tim Wu (Columbia University Law School). Individual traffic prioritization without blocking or throttling: ISPs hold that, provided there is no blocking and no congestion is caused, an ISP may prioritize traffic according to different service or customer needs. Main proponents include Comcast, AT&T. No direct enforcement: many countries have no net neutrality law, but regulation can draw on other laws, such as competition law; before there was a net neutrality law, the US FCC likewise issued regulatory orders with reference to reasonable market practice. ISP market competition: in the US Comcast / Netflix case, the main reason the court ruled that Comcast violated net neutrality was that most Internet users have only a single broadband provider to choose from for broadband (25 Mbps) service. In that situation, ISP differential treatment is enough to affect market competition, and broadband ISPs bear a greater responsibility to keep their service neutral and avoid harming the interests of Internet users. ✓ Improve connectivity ✓ Neutral Internet exchange and peering
  23. 23. CERT (Computer Emergency Response Team) ✓ CERT was first used in 1988 by CERT Coordination Center at CMU. CERT and CSIRT (computer security incident response team) are used interchangeably. ✓ FIRST (Forum of Incident Response and Security Teams) is the global association of CSIRTs ✓ APCERT established 2003. Annual events include (1) AGM (2) APCERT Drill
  24. 24. ✓ Allocation and assignment of three sets of unique identifiers of the Internet: domain names, IP addresses, and protocol parameters ✓ Operation and evolution of the DNS root name server system ✓ Policy development reasonably and appropriately related to these technical functions ✓ Multistakeholder ✓ Accountability ✓ Transparency ✓ Governance ✓ Finance ✓ Policy
  25. 25. UN IG Initiatives – Political Track 2003 2006 2005 2010 ✓ Multistakeholder ✓ Multilateral ✓ Inclusion ✓ Sustainability 2015 Technical Topics ✓ Critical Internet resources ✓ Capacity building ✓ Security ✓ Access ✓ Internationalization
  26. 26. IANA Stewardship Transition: US Gov. NTIA Perform IANA Functions ICANN APNIC contracted 5 RIRs (APNIC) Perform IANA Functions ICANN APNIC contracted Before 1 Oct 2016 After 1 Oct 2016 Audit & Review Audit & Review
  27. 27. The Internet and Internet Governance (IG); Cybersecurity; Cybersecurity vs. IG
  28. 28. Goals of Information Security. Confidentiality: prevents unauthorized use or disclosure of information. Integrity: safeguards the accuracy and completeness of information. Availability: authorized users have reliable and timely access to information.
  29. 29. ISO27001. ISO 27001 – a globally recognized standard that provides a best practice framework for addressing the entire range of cyber risks ✓ People, processes, technology ✓ Systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization's information security to achieve business objectives. Key elements of implementing ISO 27001 ✓ Determine the scope of the ISMS ✓ Consider the context of the organization and interested parties ✓ Appoint a senior individual responsible for information security ✓ Conduct a risk assessment – identify risks, threats, and vulnerabilities ✓ Appoint risk owners for each of the identified risks ✓ Implement appropriate policies and procedures ✓ Conduct staff training ✓ Conduct an internal audit ✓ Implement continual improvement of the ISMS
  30. 30. Layered Defence: 1. information security policy 2. awareness and training 3. backups and continuity 4. physical security 5. authentication 6. access controls 7. monitoring 8. firewalls and filtering 9. encryption 10. anti-malware 11. threat intelligence 12. audit and review 13. cyber insurance
  31. 31. 31
  32. 32. DDoS 2005: N x Gbps, source: thousands of devices. DDoS 2017: N x Tbps, source: millions of devices. [Chart; axis in Gbps]
  33. 33. DDoS As A Service. Source: tripwire, May 26 2016. 400,000 Bots for Rent. Source: bleepingcomputer, Nov 24 2016
  34. 34. Operation of a DDoS attack: attacker; computers; real users; target servers; Internet; SERVICE OFFLINE: out of resources
  35. 35. Protection: Technology vs. Insurance. FIRST PARTY COVERAGE ✓ damage to digital assets ✓ business interruption ✓ cyber extortion ✓ privacy breach expenses THIRD PARTY COVERAGE ✓ privacy liability ✓ network security liability ✓ internet media liability ✓ regulatory liability ✓ contractual liability. Cyber Liability Insurance is inexpensive, effective coverage. Coverage limits starting at $100,000 with annual premiums starting as low as $250. 1. Key companies include: AIG, Marsh, Allianz 2. False sense of security 3. Growth of market and risk will increase insurance premium. 1. Greater protection from threats 2. Insurance driving implementation of technology solutions to comply with policy requirement
  36. 36. Cyber War Case - Afghanistan • Two-way cyber war measures • Cyber offensive capability • Cyber dependence: • Degree to which a nation relies upon cyber-controlled systems • Cyber defensive capability • "We have the most bandwidth running through our society and are more dependent on that bandwidth. We are the most vulnerable." – former Admiral McConnell. • Afghanistan 2001 • US had conducted a cyber war plan, but no targets for cyber warriors, that gives Afghanistan an advantage. • If Afghanistan had any offensive cyber capability, the cyber war would have shifted in a different way
  37. 37. Cyber War Case - China • Offense vs. defense • US has the most sophisticated offensive capability, but it can't make up its weaknesses in defensive position. Cyber defense trainings are offense-focused. • China cyber warriors are tasked with both offense and defense in cyberspace. • China's advantages in cyber war • Ownership: Internet in China is like an intranet of a company. Government is the only service provider • Censorship • Great Firewall of China provides security advantages • The technology that Chinese use to screen emails/messages provides the infrastructure to stop malware • Install software on all computers to keep children from gaining access to pornography – gives China control over every desktop in the country. • Critical infrastructure: For electric power system, US relies on automation controlled system, but China requires a large degree of manual control.
  38. 38. Cyber War Strength. US: Cyber Offense 8, Cyber Dependence 2, Cyber Defense 1, Total 11. Russia: Cyber Offense 7, Cyber Dependence 5, Cyber Defense 4, Total 16. China: Cyber Offense 5, Cyber Dependence 4, Cyber Defense 6, Total 15. Iran: Cyber Offense 4, Cyber Dependence 5, Cyber Defense 3, Total 12. North Korea: Cyber Offense 2, Cyber Dependence 9, Cyber Defense 7, Total 18. Source: Richard Clarke, 2010
  39. 39. DDoS vs. Cyberwar: Cyberwar initiated country; Counterpart country; Internet; DMZ. 1. DDoS can only attack DMZ zone. DMZ was built for that purpose. 2. DDoS attacks are compelling. The targets can be easily identified. It gives the enemy an advantage of increasing defensive capability, or relaxing cyber dependence.
  40. 40. Cryptography. Symmetric Cryptography: Hello → encrypt → ciphertext ($7@#) → decrypt → Hello. Asymmetric Cryptography: Hello → encrypt → ciphertext (a@xf) → decrypt → Hello; public key exchange between A and B.
  41. 41. Browser SSL Connection 1. Server sends a copy of its asymmetric public key 2. Browser creates a symmetric session key and encrypts it with the server's public key 3. Server decrypts the encrypted session key with its private key to get the symmetric session key 4. Server and Browser now encrypt and decrypt all transmitted data with the symmetric session key. This allows a secure channel because only the Browser and the Server know the symmetric session key. Symmetric key 128/256 bit (fast); PKI key 1024/2048 bit (slow). Most secure communication systems (SSL, SSH, VPN, ...) use symmetric key encryption
  42. 42. Certificate Issuing Process: CSR (certificate signing request); Return to User
  43. 43. Public Key Infrastructure Architecture: Hierarchical PKI Architecture (Root CA directly trusted by relying parties; Sub-CA); Mesh PKI Architecture; Bridge PKI Architecture (Bridge CA). [Diagram residue: CA1-CA4; users Alice, Bob, Charlie, Doug; Finance, HR Dept, Account; legend: Certificate, Trusted CA point for Alice, CA Cross Certificate]
  44. 44. Certificate Authority vs. IG Authority: A CA can issue a cert for any domain name; instead use DNSSEC and DANE. It can be done by deploying DNSSEC and DANE and giving up CAs and X.509 certificate hierarchies.
  45. 45. CIIP (Critical Information Infrastructure Protection). OECD: ✓ Information components supporting the critical infrastructure ✓ Information infrastructure supporting essential components of government business ✓ Information infrastructure essential to the national economy. US: Systems and assets, whether physical or virtual, so vital to the US that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. EU: Directive (EU) 2016/1148 ANNEX II: IXP, Root DNS, TLD Registry
  46. 46. ETSI Lawful Intercept Model: administration function; IRI mediation function; content mediation function. IRI: intercept related information; CC: content of communication; INI: internal network interface; IIF: internal interception function; HI: handover interface (ETSI); HI1: administrative information; HI2: intercept related information; HI3: content of communication; Network Internal Functions; NWO/AP/SvP Domain: network operator / access provider / service provider; LEMF: Law Enforcement Monitoring Facility
  47. 47. Potential Registry-LEA Implementation: TLD Registry; Backend Operator; Data Escrow Agent (ICANN approved); Contractual Compliance; Finance System; EBERO; Law Enforcement Agency; Jurisdictional Considerations; invoice; Data Escrow; Alerts. gTLD Failover Design (Kenny Huang, 2015)
  48. 48. Internet Routing Security - Detour: A path that originates in one country, crosses international boundaries and returns back to the origin country
  49. 49. BGP Routing: AS 4134 China Telecom; AS 7018 AT&T; AS 3356 Level 3; AS 2828 XO Comm.; AS 6167 Verizon; AS 22394 Verizon. Legend: Customer-Provider, Peer-Peer. AS paths for 66.174.161.0/24: "22394"; "6167, 22394"; "3356, 6167, 22394"
  50. 50. China Telecom hijacks Verizon Wireless (Apr 2010, prefix hijacks): AS 4134 China Telecom; AS 22724 China Telecom; AS 7018 AT&T; AS 3356 Level 3; AS 2828 XO Comm.; AS 6167 Verizon; AS 22394 Verizon. AS paths for 66.174.161.0/24: "4134, 22724, 22724" and "3356, 6167, 22394". China Telecom announced 50,000 prefixes (15% routes)
  51. 51. Pakistan Telecom hijacks YouTube (Feb 2008, subprefix hijacks): AS 17557 Pakistan Telecom; AS 18174 Allied Bank; AS 58467 Lahore Stock; AS 18173 Age Khan; AS 3491 PCCW; AS 3327 Linux Telecom; AS 25462 RETN Ltd; AS 36561 YouTube. AS paths: "17557" 208.65.153.0/24; "3491, 17557" 208.65.153.0/24; "36451" 208.65.153.0/22
  52. 52. Moratel Leaks a Route to PCCW: AS 23947 Moratel; AS 3491 PCCW; AS 4436 nLayer; AS 15169 Google. AS paths for 8.8.8.0/24: "15169"; "23947, 15169"; "3491, 23947, 15169"
  53. 53. The Internet and Internet Governance (IG); Cybersecurity; Cybersecurity vs. IG
  54. 54. Why Bother Internet Governance: Jurisdiction; Law; Organization; Rules; International Law / Treaty; Internet Governance; Multistakeholder; Standard; Technology; Architecture; Policy; Procedure; Best Practices; Cooperation; Coordination; IG Regime
  55. 55. Code is Law
  56. 56. Cybersecurity Attributes Recap. Confidentiality: Phishing, Packet sniffing, Password attack. Integrity: MITM (Man-in-The-Middle), IP spoofing. Availability: DDoS, SYN flooding
  57. 57. Secure Name Space - DNSSEC. Chain: root DNSKEY → DS .taipei → .taipei DNSKEY → DS 101.taipei → 101.taipei DNSKEY. Parties: user stub resolver; ISP recursive resolver; root; TLD: .taipei; SLD: 101.taipei. Steps: 1 User makes request for a .taipei domain 2 ISP resolver verifies the root's DS key 3 Root points the ISP to the .taipei TLD and gives the ISP the .taipei DS key 4 ISP verifies .taipei's DS key 5 .taipei points the ISP to the 101.taipei SLD and gives the ISP the 101.taipei DS key 6 ISP verifies 101.taipei's SLD DS key 7 Requested SLD information is retrieved and sent back to ISP 8 ISP sends SLD information back to user 9 User accesses trusted 101.taipei domain
  58. 58. ICANN DNSSEC vs. Cybersecurity: Confidentiality X; Integrity X; Availability. Stakeholders: 1. ICANN, gTLD & ccTLD operators 2. Root operators 3. IETF. Phishing; Man-in-The-Middle
  59. 59. Secure Internet Routing - RPKI: APNIC; 8.0.0/8 Level 3; 8.8.8.8/24 Google; 66.174.0.0/16 Verizon Wireless; 66.174.0.0/24 AS22394; 66.174.0.0/16 AS6167; 8.0.0.0/9 AS3356; 8.8.8.0/24 AS15169. Legend: ROA, cert. RPKI: Resource Public Key Infrastructure
  60. 60. RIR's RPKI vs. Cybersecurity: Confidentiality; Integrity X; Availability. Stakeholders: 1. RIRs (e.g. APNIC) 2. ISPs 3. IETF 4. LEA (Law Enforcement Agent). IP spoofing; Route hijacking
  61. 61. Secure Communication: Technology. RFC 7457 Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS); RFC 2409 The Internet Key Exchange (IKE); RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE); RFC 7258 Pervasive Monitoring Is an Attack; RFC 7525 Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS); RFC 4307 Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2). Remove support for DH1024; Proposed DH1024; Proposed DH 2048
  62. 62. IETF Technologies vs. Cybersecurity: Confidentiality X; Integrity X; Availability. Stakeholders: 1. IETF 2. Developers 3. LEA (Law Enforcement Agent). Strong cryptography; Enforced Internet encryption
  63. 63. Secure Internet Root: User → Recursive resolver → Root letters a, b, c, ... k, l, m (unique IP anycast address) → Sites Site1 ... Siten (unique location and BGP route) → Servers Host1 ... Hostn (internal load balancing). Horizontal distribution: multiple letters, multiple operators. Vertical distribution: multiple sites, multiple servers
  64. 64. Impact of The Attack: 1. The Root DNS handles the situation well 2. Resilience of the Root DNS is not an accident, but the consequence of fault tolerant design and good engineering 3. True diversity is the key to avoid collateral damage
  65. 65. Root vs. Cybersecurity: Confidentiality; Integrity; Availability X. Stakeholders: 1. Root operators 2. IETF. Divergent model; Robust and resilient infrastructure
  66. 66. Cybersecurity Future Evolution. NOW: Prevention 80%, Monitoring 15%, Response 5%. FUTURE: Prevention 33%, Monitoring 33%, Response 33%. Source: RSA Conference 2016 Singapore
  67. 67. Cybersecurity Phased Strategy: Defense, Diverge, Attack. Source: Into the Gray Zone: Active Defense by the Private Sector against Cyber Threats
  68. 68. Potential Cooperation for Cybersecurity and Internet Governance. Case: Crypto-Ransomware. Source: EUROPOL
  69. 69. French Cyber Investigator: 1 Check Whois database, found in Romania 2 Traceroute, ends up in Netherlands. It's not useful. Source: EUROPOL
  70. 70. 3 MLAT* from French to Romania 4 1 month later, Romania LE goes to the indicated company. *MLAT: Mutual Legal Assistance Treaty. Source: EUROPOL
  71. 71. Scenario 1: Romania company cooperates 5 Found server is in Germany 6 Second MLAT from French to Germany. Scenario 2: Romania company uncooperative, victim of ID theft 5. Source: EUROPOL
  72. 72. 7 1 month later, Germany LE goes to seize the server 8 Too late!! Decryption keys have been moved to another server... Source: EUROPOL
  73. 73. LEA and RIRs Cooperation. Question? ✓ How can we ensure that IP addresses are announced in the country where they are actually registered? ✓ Can the RIR database reflect the location of an ISP handling an IP address? Internet Policy Proposal ✓ Require registration of all IP sub-allocations to downstream ISPs so the entire chain of sub-allocations is accurately reflected in WHOIS ✓ NOT disclose end-user information but instead focus on downstream ISP providing connectivity to the end-user. Source: EUROPOL
  74. 74. Cybersecurity and IG Landscape: Cybersecurity
  75. 75. Cybersecurity and IG ECO System: Users; Public Safety; Regulators; Operators; Vendors; Software; CERTs
  76. 76. 76
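
Slides 50 to 52 and 59 to 60 cover prefix hijacks, a route leak and RPKI. As an added example (not part of the deck), the code below runs RFC 6811 route origin validation over the announcements drawn on those slides. The ROA set, its maxLength values, the documentation prefix 192.0.2.0/24 with AS 64500, and the `validate` and `run` names are constructed assumptions. The Moratel leak keeps Google's origin AS, so origin validation alone reports it as valid.

```python
"""RFC 6811 route origin validation over the deck's BGP cases (added example)."""
import ipaddress

# Constructed ROAs (assumptions, not real RPKI data): (prefix, maxLength, origin AS).
# Prefixes and AS numbers are taken from the BGP and RPKI slides.
ROAS = [
    ("66.174.161.0/24", 24, 22394),  # Verizon Wireless
    ("208.65.152.0/22", 22, 36561),  # YouTube; the /22 that covers 208.65.153.0
    ("8.8.8.0/24", 24, 15169),       # Google
]


def validate(prefix, as_path, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    The origin AS is the last AS in the path. A route is valid when some
    covering ROA matches the origin and the prefix is no longer than maxLength;
    invalid when covering ROAs exist but none match; not-found otherwise.
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_as == origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


# Announcements as drawn on the slides: (label, prefix, AS path).
ANNOUNCEMENTS = [
    ("Verizon legitimate", "66.174.161.0/24", [3356, 6167, 22394]),
    ("China Telecom 2010", "66.174.161.0/24", [4134, 22724, 22724]),
    ("Pakistan Telecom 2008", "208.65.153.0/24", [3491, 17557]),
    ("YouTube legitimate", "208.65.152.0/22", [36561]),
    ("Moratel leak", "8.8.8.0/24", [3491, 23947, 15169]),
    ("No ROA (constructed)", "192.0.2.0/24", [64500]),
]


def run():
    """Validate every sample announcement and return {label: state}."""
    return {label: validate(p, path) for label, p, path in ANNOUNCEMENTS}


if __name__ == "__main__":
    for label, state in run().items():
        print(f"{label:24} {state}")
```

Because the constructed YouTube ROA has maxLength 22, a /24 more-specific is invalid even when it carries the correct origin AS, which is what makes the sub-prefix case detectable.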
