DSSA Report
+ - Definition of "the DNS" used by the DSSA working group
Charter says the WG is to work on: "The actual level, frequency and severity of threats to the DNS.... The DSSA‐WG should limit its activities to considering issues at the root and top level domains within the framework of ICANN’s coordinating role in managing Internet naming and numbering resources as stated in its Mission and in its Bylaws."
+ - "The DNS" for the purposes of this analysis
+ - Actual level, frequency and severity of threats to the DNS, plus current efforts and activities to mitigate these.
+ - Threat events - what happens?
Zone does not resolve or is not available
+ - Zone is incorrect or does not have integrity
The third leg of the traditional "availability, integrity, confidentiality" triad may drop out, as the DNS does not contain confidential information??
+ - Adverse impacts - what is the harm?
In the worst case there would be broad harm/consequence/impact to operations, assets, individuals, other organizations and the world if any of these threat-events occur. And in all cases there would be significant problems for registrants and users in the zone.
Since the potential impact values for confidentiality, integrity, and availability may not always be the same in different contexts/circumstances, the "high water" concept is used to determine the impact level. Thus, a low-impact system is defined as an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. And finally, a high-impact system is an information system in which at least one security objective is high. It is our conclusion that the DNS is a high-impact system because the goals for integrity and availability are high.
+ - Likelihood of impact - will threat events result in adverse impacts if they happen?
NOTE: All threat events in this iteration of the analysis will have "Very High" impact on users of the zone and, depending on circumstances, will also have "Very High" impact worldwide.
+ - Scale
+ - Vulnerabilities – severe and widespread?
Interventions from outside the process
Poor inter-organizational communications
External relationships/dependencies
Inconsistent or incorrect decisions about relative priorities of core missions and business functions
Lack of effective risk-management activities
Vulnerabilities arising from missing or ineffective security controls
Mission/business processes (e.g., poorly defined processes, or processes that are not risk-aware)
Security architectures (e.g., poor architectural decisions resulting in lack of diversity or resiliency in organizational information systems)
IPv6 -- Spammers hopping from IP to IP -- causing huge numbers of lookups -- volume related threats (perhaps unintentional) -- also may break normal DNS caching (which assumes repeated requests for the same thing)
Issues around reverse DNS for SMTP servers
Botnets
Collateral damage
Load
Generate packets which match the transport protocol parameters, predict ID based on previous traffic, etc.
+ - Predisposing conditions – pervasive?
A condition that exists within an organization, a mission/business process, enterprise architecture, or information system including its environment of operation, which contributes to (i.e., increases or decreases) the likelihood that one or more threat events, once initiated, result in undesirable consequences or adverse impact to organizational operations and assets, individuals, other organizations, or the world.
Legal standing (and relative youth) of ICANN
Multi-stakeholder, consensus-based decision-making model
Managerial vs operational vs technical security skills/focus/resources
Definitions of responsibility, accountability, authority between DNS providers
Security project and program management skills/capacity
Common ("inheritable") vs hybrid vs organization/system-specific controls
Mechanisms for providing (and receiving) risk assurances, and establishing trust-relationships, with external entities
Contractual relationships between entities
+ - Controls and mitigation – effective and deployed?
The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
+ - Sources of specific lists
National Institute of Standards and Technology Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.
National Institute of Standards and Technology Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, June 2010.
National Institute of Standards and Technology Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
While the risk management approach established by NIST originally focused on managing risk from information systems (as required by FISMA and described in NIST Special Publication 800-39), the approach is being expanded to include risk management at the organizational level. A forthcoming version of NIST Special Publication 800-39 will incorporate ISO/IEC 27001 to manage organizational information security risk through the establishment of an ISMS.
The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.
Security Assessment and Authorization
Planning
Risk Assessment
System and Services Acquisition
Program Management
The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems).
Awareness and Training
Configuration Management
Contingency Planning
Incident Response
Maintenance
Media Protection
Physical and Environmental Protection
Personnel Security
System and Information Integrity
Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
Access Control
Audit and Accountability
Identification and Authentication
System and Communications Protection
+ - Threat sources – how broad is range of impact, what are their capabilities, how strong is their intent, are they targeting the DNS?
+ - Non-adversarial (what is their range of effect?)
+ - Adversarial threat sources (what are their capabilities, how strong is their intent, are they targeting the DNS)?
+ - Initiation or occurrence – what is the likelihood that a threat-event will happen?
Very High -- the error, accident or act of nature is almost certain to occur, or occurs more than 100 times a year (10)
High -- the error, accident or act of nature is highly likely to occur, or occurs between 10-100 times a year (8)
Moderate -- the error, accident or act of nature is somewhat likely to occur, or occurs between 1-10 times a year (5)
Low -- the error, accident or act of nature is unlikely to occur, or occurs less than once a year but more than once every 10 years (2)
Very low -- the error, accident or act of nature is highly unlikely to occur, or occurs less than once every 10 years (0)
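The likelihood scale above and the "high water" impact rule from the adverse-impacts section are the two scoring rules the notes actually pin down. The following is an added example, not tooling from the DSSA working group, showing how a "compound sentence" scenario (threat source, threat event, frequency, impact on each security objective) can be scored with those rules and ranked. The likelihood weights (10/8/5/2/0) and the high-water rule come from the page; the impact weights, the placement of frequencies that sit exactly on a band boundary, the product used to combine likelihood with impact, and the sample scenarios are assumptions made here.

```python
"""Scoring helpers for the DSSA "compound-sentence" risk model.

Added example, not tooling from the DSSA working group. It encodes two rules
the notes state: the "high water" rule for a system's impact level (the
highest of the confidentiality, integrity and availability objectives) and
the five-level likelihood-of-initiation scale with the weights given in
brackets (10/8/5/2/0). Everything else is an assumption made here: the impact
weights, the rule that a frequency sitting exactly on a band boundary falls
into the lower band, and the product used to combine likelihood and impact.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordered qualitative levels shared by likelihood and impact."""
    VERY_LOW = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3
    VERY_HIGH = 4


# Likelihood weights exactly as bracketed on the page.
LIKELIHOOD_WEIGHT = {
    Level.VERY_HIGH: 10, Level.HIGH: 8, Level.MODERATE: 5,
    Level.LOW: 2, Level.VERY_LOW: 0,
}
# Impact weights: ASSUMPTION, reusing the same ladder; the notes give none.
IMPACT_WEIGHT = dict(LIKELIHOOD_WEIGHT)


def likelihood_from_frequency(events_per_year: float) -> Level:
    """Map an expected annual frequency onto the page's likelihood bands.

    Bands: more than 100/yr Very High, 10-100 High, 1-10 Moderate, once a
    year down to once a decade Low, rarer Very Low. A value equal to a band
    boundary is placed in the lower band (assumption; the page's wording is
    not consistent at the boundaries).
    """
    if events_per_year < 0:
        raise ValueError("frequency cannot be negative")
    if events_per_year > 100:
        return Level.VERY_HIGH
    if events_per_year > 10:
        return Level.HIGH
    if events_per_year > 1:
        return Level.MODERATE
    if events_per_year > 0.1:  # more often than once every 10 years
        return Level.LOW
    return Level.VERY_LOW


def high_water_impact(confidentiality: Level, integrity: Level,
                      availability: Level) -> Level:
    """High-water mark: the system's impact level is its highest objective."""
    return max(confidentiality, integrity, availability)


@dataclass(frozen=True)
class Scenario:
    """One 'compound sentence': source, event, how often, how bad per objective."""
    threat_source: str
    threat_event: str
    events_per_year: float
    confidentiality: Level
    integrity: Level
    availability: Level

    def likelihood(self) -> Level:
        return likelihood_from_frequency(self.events_per_year)

    def impact(self) -> Level:
        return high_water_impact(self.confidentiality, self.integrity,
                                 self.availability)

    def risk_score(self) -> int:
        # ASSUMPTION: likelihood weight x impact weight. The page only says
        # high-risk scenarios are those whose component scores are high.
        return LIKELIHOOD_WEIGHT[self.likelihood()] * IMPACT_WEIGHT[self.impact()]


def rank_scenarios(scenarios):
    """Highest risk first; ties broken by likelihood so frequent events surface."""
    return sorted(scenarios,
                  key=lambda s: (s.risk_score(), s.likelihood()), reverse=True)


# Constructed sample scenarios (illustrative values, not DSSA findings).
SAMPLE_SCENARIOS = [
    Scenario("botnet operator", "zone does not resolve (query volume)",
             events_per_year=20, confidentiality=Level.LOW,
             integrity=Level.LOW, availability=Level.VERY_HIGH),
    Scenario("operator error", "zone is incorrect (bad data published)",
             events_per_year=3, confidentiality=Level.LOW,
             integrity=Level.VERY_HIGH, availability=Level.MODERATE),
    Scenario("act of nature", "single-site outage absorbed by anycast",
             events_per_year=0.5, confidentiality=Level.LOW,
             integrity=Level.LOW, availability=Level.LOW),
]


if __name__ == "__main__":
    for s in rank_scenarios(SAMPLE_SCENARIOS):
        print(f"{s.risk_score():3d}  {s.likelihood().name:9s} x "
              f"{s.impact().name:9s}  {s.threat_source} -> {s.threat_event}")
```

Running the module prints the three constructed scenarios in descending order of score (80, 50, 4). The point of the ranking is the one the notes make: scenarios where both the likelihood-of-initiation and the high-water impact are high rise to the top, while a frequent but low-impact event and a rare but high-impact event both land in the middle, which is where the "controls" review should then concentrate.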
+ - Risk - what are the high-risk scenarios (those with high overall threat, harm, likelihood)?
This is a combination of the scores of all the parts of the "compound sentence" -- high-risk scenarios will have high scores
+ - Risk models
+ - Adversarial risk model (the one in the update slide deck)
An ADVERSARIAL THREAT SOURCE (with a range of capability, intent and targeting)...
+ - In the context of...
could initiate (with varying LIKELIHOOD OF INITIATION) a THREAT EVENT,
that could result in ADVERSE IMPACTS (which have RISK, which is in turn a combination of the nature of the impact and the likelihood that its effects will be felt)
+ - Non-adversarial risk model (build out, based on the adversarial one -- pretty similar, just fewer threat-sources)
A NON-ADVERSARIAL THREAT SOURCE (with a range of effects)...
+ - In the context of...
could INITIATE (with varying likelihood) a THREAT EVENT,
which could result in ADVERSE IMPACTS (which have RISK, which is a combination of the nature of the impact and the likelihood that its effects will be felt)
+ - Analysis approach -- develop and evaluate risk scenarios using a "compound-sentence" risk model
Maybe build the sentences, then evaluate the components sometimes? Seems like a two-way approach might work -- build then evaluate, evaluate then build
Define a process that more specialized teams can use in the future to build more, or go into more depth
+ - Identify gaps in current response to DNS issues
Pay special attention to the "Controls" portion of the analysis -- missing or inadequate managerial, operational or technical controls should be highlighted
Much of this may have to wait until next phase -- when we go deep
May find a number of organizational-response topics in SSR-RT report
+ - Possible additional risk mitigation activities that would assist in closing those gaps
Use the same diagram, but change the underlying pyramid
Go back to the AC/SOs at the end of the first pass for instruction on what to do in the next phase (build a proposal for next-phase towards the end of this one)
Come up with a good name for the report -- preliminary/summary/phase-1/
+ - Picture of adversarial risk model (the one in the update slide deck)
An ADVERSARIAL THREAT SOURCE (with a range of capability, intent and targeting)...
+ - In the context of...
could INITIATE (with varying likelihood) a THREAT EVENT,
that could result in ADVERSE IMPACTS (which have RISK, which is in turn a combination of the nature of the impact and the likelihood that its effects will be felt)
+ - Picture of non-adversarial risk model (build out, based on the adversarial one -- pretty similar, just fewer threat-sources)
A NON-ADVERSARIAL THREAT SOURCE (with a range of effects)...
+ - In the context of...
could INITIATE (with varying likelihood) a THREAT EVENT,
which could result in ADVERSE IMPACTS (which have RISK, which is a combination of the nature of the impact and the likelihood that its effects will be felt)
Threat events - what happens?
Adverse impacts - what is the harm?
Vulnerabilities – severe and widespread?
Predisposing conditions – pervasive?
Controls and mitigation – effective and deployed?
Threat sources – how broad is range of impact, what are their capabilities, how strong is their intent, are they targeting the DNS?
Initiation – what is the likelihood that a threat-event will happen?
Risk - how bad is the impact and how likely is it that it will be felt?
TASK 1-1: Identify the purpose of the risk assessment in terms of the information the assessment is intended to produce and the decisions the assessment is intended to support.
TASK 1-2: Identify the scope of the risk assessment in terms of organizational applicability, time frame supported, and architectural/technology considerations.
TASK 1-3: Identify the specific assumptions and constraints under which the risk assessment is conducted.
TASK 1-4: Identify the sources of threat, vulnerability, and impact information to be used in the risk assessment.
TASK 1-5: Define (or refine) the risk model to be used in the risk assessment.
TASK 2-1: Identify and characterize the threat sources of concern to the organization, including the nature of the threats and for adversarial threats, capability, intent, and targeting characteristics.
TASK 2-2: Identify potential threat events, relevance to the organization, and the threat sources that could initiate the events.
TASK 2-3: Identify vulnerabilities and predisposing conditions that affect the likelihood that threat events of concern result in adverse impacts to the organization.
TASK 2-4: Determine the likelihood that threat events of concern result in adverse impacts to the organization, considering: (i) the characteristics of the threat sources that could initiate the events; (ii) the vulnerabilities and predisposing conditions identified; and (iii) organizational susceptibility reflecting safeguards/countermeasures planned or implemented to impede such events.
TASK 2-5: Determine the adverse impacts to the organization from threat events of concern considering: (i) the characteristics of the threat sources that could initiate the events; (ii) the vulnerabilities and predisposing conditions identified; and (iii) organizational susceptibility reflecting the safeguards/countermeasures planned or implemented to impede such events.
TASK 2-6: Determine the risk to the organization from threat events of concern considering: (i) the impact that would result from the events; and (ii) the likelihood of the events occurring.
TASK 3-1: Conduct ongoing monitoring of the factors that contribute to changes in risk to organizational operations and assets, individuals, other organizations, or the world.
TASK 3-2: Update existing risk assessment using the results from ongoing monitoring of risk factors.
3-1 -- Monitor risk factors
To quickly and accurately assess the actual level and severity of existing and emerging threats to the DNS
To evolve/engage/empower a community of mutual trust and support to share ideas and resources
To provide tools, models and best practices that assist the diverse community of DNS providers assess their own situation in an effective and appropriate way
Favor the edge -- Vest authority, perform functions, and use resources in the smallest or most local part that includes all relevant and affected parties.
Open membership -- to any who subscribe to purpose and principles
Self organize -- for any activity consistent with purpose and principles
Decision-making -- representative of all, dominated by none -- consensus where possible
Resolve conflict creatively
Draw out, rather than compel, action
Freely exchange information unless it's confidential or materially reduces competitive position
Individuals and organizations who see the purpose and principles as their own
Provide a recognizable "doorway" for participants to enter (and depart)
Is the current ICANN structure (AC/SOs) the best way to describe the "groupings" of participants? Are there any stakeholders missing?
Determine what interests have to be balanced in order to create an organization trusted by all