Three questions every CxO should ask their ISP

Barry Greene
Mar 1, 2018 · 3 min read

Here is a question for all the CxOs. Why, as an accountable CxO, are you not asking your ISPs for the security basics?

This week, the industry has yet another reflection amplification Denial of Service attack vulnerability. “memcached on port 11211 UDP & TCP being exploited” walks through the details of this week’s attack vector. As seen in Akamai Technologies’ “memcached-fueled 1.3 Tbps Attacks,” the size of these attacks is saturating links on the Internet. This is neither the first nor the last of these massive DOS attacks. The irony is that these attacks are easily prevented with operationally cost-effective Best Common Practices (BCPs) in ISPs, Telcos, Mobile Operators, and other large network organizations.

As the industry was working to mitigate this memcached DOS reflection vulnerability, three questions kept repeating with each Operator:

  1. Why is this ISP/Telco/Mobile Operator not deploying Exploitable Port Filters? Don’t they know that these have proven to be critical to protecting their network?
  2. Why is this ISP/Telco/Mobile Operator not deploying Source Address Validation (SAV)/BCP 38 or doing the checks to make sure there is no spoofing?
  3. Why are these ISP/Telco/Mobile Operator customers not asking “what steps are being taken to protect their network?”

The last question is the perplexing one. When Operators are asked why they are never pushed to deploy essential security BCPs like the Exploitable Port Filters, they respond with “our customers never push us to deploy.” “If we do not get asked, then there is no point to push to prioritize security BCPs.”

This is a shock. CEOs, CIOs, and CISOs in all parts of the industry are expressing their concerns about the increased security risk on the Internet. Today’s Internet/Telecom is a “cyberwar zone,” in a world where criminal activity is rampant, and in a world where there are no checks against online corporate espionage. It would only be logical for the CxO to ask their Operator to list in detail what security practices are deployed to help protect their business, their peers on the same network, and the rest of the Internet.

If my job today were CIO, CISO, Head of Operations, or Head of Planning, I would be asking my upstream ISPs the following questions:

Q1. Are you deploying Exploitable Port Filtering or Rate Limiting on the edge of your network to keep the well-known exploit ports blocked? Can you provide a list? How fast can you update this list (like when something like memcached happens)?

Q2. Are you deploying Source Address Validation (SAV) and BCP 38 so that no one connecting to your network can spoof an IPv4 or IPv6 source address? Have you deployed monitors in your network as part of the Internet’s Spoofer Project? If you are not doing this, why should my organization trust you as a Telco or ISP that my business depends on?

Q3. If I were attacked with a DOS attack, can you deploy basic BGP Remote Triggered Black Hole (RTBH) filtering to help us respond to the attack? Are you deploying sampled NetFlow/IPFIX on your gateways to help us track who & what is attacking our network?

Will there be pushback from your Operator? There should not be any pushback. These should be Frequently Asked Questions (FAQ). In my past roles, these have been questions I had to ask my Operators when I bought Internet connectivity. They are also questions I was asked when I provided Internet connectivity (for the latter, I would have ready PDFed answers to make life easier). Questions like these from customers of the ISP should be welcomed. They illustrate the interest in the security of their network, the ISP’s network, and the Internet.

These three questions start the conversation. They will immediately provide insight into the attitude of your ISP, Telco, Mobile Operator, or other connected network. The industry shares BCPs which are cost-effective to deploy. The challenge is NOT technology. The challenge is the attitude.

CxOs, have the conversation. Check your upstream Internet & Telecommunications provider’s attitude.
