Endpoint

4/26/2017
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What Role Should ISPs Play in Cybersecurity?

There are many actions ISPs could do to make browsing the Web safer, but one thing stands out.

For well over a decade, the security industry has debated what role Internet service providers (ISPs) should take in cybersecurity. Should they proactively protect their customers with upstream security controls and filters (e.g., intrusion prevention systems, IP/URL blacklists, malware detection, etc.), or are customers responsible for their own security?

ISPs can have a much wider impact on overall state security because of their advantageous position in the network (that is, acting as our doorway to the Internet). Still, there are good arguments against ISPs taking too much of a security role — many of which I agree with. Ultimately, I believe there is one thing IPSs must do to improve everyone’s security, but before we get into that, let me start with the arguments against ISPs taking too strong of a role.

1. Badly managed security controls can disrupt business or legitimate activities. If you’ve ever used an intrusion detection or prevention solution, you know they occasionally have false positives. These false positives can block legitimate traffic from paying customers. Although a normal business can manage these, doing so for thousands if not tens of thousands of customers would be a logistic nightmare.

2. Some security can invade privacy. Many security controls not only monitor where you go on the Internet but also deeply analyze the content of your traffic and log all activity for later forensic analysis. This opens up the possibility of ISPs using this data for other reasons (although technically, they could be doing this anyway). Still, giving ISPs access to more information about people’s Web browsing worries Internet privacy supporters.

3. Certain security comes off as censorship. What’s the difference between an inappropriate site and a dangerous site? Sometimes that's a gray area. Sometimes a website you want to visit may have had a malicious ad on it in the past and been blacklisted. Would you accept ISPs blocking it? Many kinds of ISP controls would feel like censorship because they take away freedom of choice.

4. ISPs can’t take liability for your mistakes. Simply put, we can’t hold ISPs liable for our security because they can’t control their customers. Even if an organization has the best security controls in the world, its people can still do dumb things that get them infected. For ISPs to get involved in security at all, we have to allow them to do so without liability for all our security issues.

5. Where does ISPs security stop? Should ISPs just monitor our traffic for known bad stuff? Should they firewall us? Should they enable intrusion prevention to block exploits? Should they filter bad sites? Should they scan our networks for vulnerabilities and block devices that haven’t been patched? Setting up regulations to keep ISPs from going too far down this slippery slope would be another serious logistical challenge.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

As far as preventative security controls go, I think ISPs can offer optional security services, but ultimately should leave it to their customers to decide whether to protect themselves or not. However, there is one thing all ISPs should do to protect everyone today: block IP address spoofing.

IP address spoofing is a very old and simple attack in which a malicious computer sends a network packet with a false source IP address. IP spoofing offers limited value in normal attacks, because when you send packets claiming to be from another computer, that other computer gets the replies, not you. However, IP spoofing does play a big role in one type of attack: distributed denial-of-service (DDoS) attacks. A reflective DDoS attack sends queries to particular services pretending to be the IP address of its victim. Those services will send large replies back to the victim, overwhelming them with traffic.

By definition, ISPs have full knowledge of the public IP addresses we all receive, and know which ones belong on their networks. With this information, IP spoofing is dead simple to detect and block.

In fact, for decades there have been common Internet standards and best common practices that detail exactly how network providers can prevent IP address spoofing by configuring routing devices to validate source addresses and block spoofed traffic. Some examples include RFC 2827, BCP 38, and the updated BCP 84. Most network gear, from routers to security appliances, offer simple features and filters to do just that. If all ISPs followed these long-held best practices, they could greatly lessen certain types of DDoS attacks, without adversely affecting their customers’ networks.

The good news is that many ISPs already do this. According to the Center for Applied Internet Data Analysis (CAIDA), around 70% of IP space is unspoofable, meaning many ISPs must be doing some filtering. The problem is that if even a few ISPs continue to allow spoofing, attackers can leverage those stragglers against others. If there is one thing we need to demand of all our ISPs, it’s to implement this one well-known common best practice.

So, while I don’t believe that ISPs should get too involved in security for the reasons listed above, IP spoofing is a network operator problem that could be easily fixed if the industry required all ISPs to follow best practices. Let’s make BCP 38 and 84 mandatory. 

Related Content:

 

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.