Description
Attackers understand the power of stolen credentials for breaking into systems and reaching critical information. Because many organizations protect their systems inadequately, even after patching, hardening, and deploying firewalls, stolen credentials remain an easy route in, and many compromises tie directly to weaknesses in credential management.
A cornerstone of all security strategies is an organization’s ability to control access to data and systems. Virtually all access controls rely on the use of credentials to validate the identities and permissions of users, applications, and devices.
The roundtable will invite experts who have insights into the way in which the problems of credential management, which have so often proven intractable in practice despite reams of good advice from security professionals, have been addressed in real world environments and scenarios. These insights will come from civil society; the academic community; the financial sector; the technology sector; companies from the DNS and domain name management industry; operating system, browser, and games and apps developers; and social media companies.
The roundtable will focus on the practical problems faced day to day, well-publicized incidents, impacts on reputation and privacy, direct actions taken, and measures to implement practical solutions that incorporate best practices for credential management.
Names and affiliations (stakeholder group, organization) of the participants in the proposed workshop
Mr. Ben Butler
Technical Community, USA
Director of IT Security Operations at GoDaddy
Ben Butler is the Director of IT Security Operations at GoDaddy, where he is responsible for the teams that create and maintain systems for security operations, security content, and user administration. He is especially passionate about keeping the internet a safe and enjoyable place for children, and oversees the Digital Crimes Unit, which leads the charge to identify, investigate, report, and remove child abuse content.
Ben brings a perspective from the domain name services industry, specifically the registrar community, and is a co-author of the background document for the roundtable, Registrant Protection: Best Practice Guidelines for Preserving Security and Stability in the Credential Management Lifecycle.
Ms. Merike Kaeo
Technical Community, USA/Estonia
Founder and Chief Network Security Architect of Double Shot Security
Chief Technology Officer, Farsight Security, USA
Merike Kaeo is the Chief Technology Officer at Farsight Security as well as the founder and Chief Network Security Architect of Double Shot Security, a company started in 2000 that focuses on bridging the gap between security policy instantiation, practical architecture development and effective operational deployment. She currently serves on ICANN's Security and Stability Advisory Council, the FCC's Communications Security, Reliability and Interoperability Council's (CSRIC), and several other industry forums. Her international focus often makes Merike an informal liaison between varying technical and operational groups and she is a sought after resource at global conferences including NATO, TERENA, RSA, NANOG, PLNOG, RIPE, APRICOT and SANOG.
Merike has led security-focused strategies at numerous companies including ISC, T-Mobile, Comcast, and Boeing and has held advisory positions in a variety of security start-up companies. From 1993 to 2000 Merike was employed by Cisco Systems, Inc., where she instigated and led the company's first security initiative in 1997. She also focused on technical issues relating to network and application performance, routing protocols and large-scale network design. She is the author of 'Designing Network Security', which was translated into 9 languages and is a reference book for many security accreditation programs.
Merike is a member of the IEEE and has been an active contributor in the IETF since 1992. She co-chaired the IP Performance Metrics (IPPM) working group from 2000 to 2003 and has actively contributed to numerous IETF working groups with a specific focus on operational sanity. She was named an IPv6 Forum Fellow in 2007 for her continued efforts to raise awareness of IPv6-related security paradigms. Merike received her BSEE from Rutgers University and her MSEE from The George Washington University.
Ms. Kaeo has been on ICANN's Security and Stability Advisory Council (SSAC) since 2010 and the FCC's Communications Security, Reliability and Interoperability Council (CSRIC) since 2012. She is also a co-author of the background document for the roundtable, Registrant Protection: Best Practice Guidelines for Preserving Security and Stability in the Credential Management Lifecycle.
Mr. Ted Hardie
Technical Community, USA
Program Lead for the Internet Architecture Board Program on Privacy and Security.
Ted Hardie currently works for Google, putting networks, protocols, and people together in new and optimal ways. Ted first worked in the Internet field in 1988 when he joined the operations staff of the SRI NIC. He later became the technical lead for the NASA NIC, part of the NASA Science Internet project. After leaving NASA, he joined Equinix as its initial Director of Engineering before taking on the role of Director of Research and Development. He was an early-stage executive at Nominum before joining Qualcomm R&D. While he was Qualcomm's Director of Internet and Wireless, he served the Internet community as a member of the Internet Architecture Board and as an Applications Area Director for the IETF. He served as Trustee of the Internet Society from 2007 to 2010, and as its Treasurer from 2008 to 2010, while Managing Director of Panasonic's Silicon Valley Wireless Research Lab.
Ms. Audrey L Plonk
Private Sector, USA
Director, Global Cybersecurity and Internet Governance Policy, Intel Corporation
Audrey L. Plonk is a global security and Internet policy specialist at Intel Corporation. A member of Intel’s security and privacy policy team, Audrey leads global policy efforts on topics such as cybersecurity, critical infrastructure protection and encryption. She works with the team to integrate privacy and security into product development and also focuses on Internet policy issues.
Audrey was previously a consultant to the Information Technology Association of America (now TechAmerica), covering for the vice president of information security and global public policy. She worked as a consultant for the U.S. Department of Homeland Security’s National Cyber Security Division from 2003 to 2006, primarily focusing on international security policy issues in their International Affairs Division. While a U.S. delegate to the Organisation for Economic Co-operation and Development (OECD), Audrey worked closely with the Working Party on Information Security and Privacy (WPISP) and eventually accepted a post in Paris for the OECD Secretariat focusing on security issues for WPISP. She served as liaison to the Asia-Pacific Economic Cooperation Telecommunications and Information Working Group, the International Telecommunication Union and the Internet Governance Forum.
Mr. Mark Svancarek
Private Sector, USA
Engineering Group Customer and Partner Experience, Microsoft
Mark has worked at Microsoft since 1993 and has held various roles in hardware, software and online services throughout the company. He holds eight U.S. patents. He is presently a Principal Program Manager for corporate IPv6 and Universal Acceptance Engineering efforts, and focuses on aspects which impact customer and partner satisfaction.
Mr. Bill Woodcock
Technical Community, USA
Bill Woodcock is the executive director of Packet Clearing House, the international non-governmental organization that builds and supports critical Internet infrastructure, including Internet exchange points and the core of the domain name system.
Mr. Cédric Laurant
Civil Society, Mexico
Global Data Privacy Attorney & Public Policy Expert
Cédric Laurant is a data privacy lawyer and public policy expert who works on European and international projects in the areas of US and EU privacy and data protection, online and consumer privacy, Internet law, e-commerce, social media, telecommunications, information governance and information security for international organizations, governments, private companies, trade associations, public interest organizations and NGOs. With more than 15 years of experience in those fields, he handles legal research and public policy projects, government affairs and public advocacy missions, and offers technical assistance, training and capacity-building services.
Cedric is the co-founder of the Mexican civic association SonTusDatos. He is with the law firm of Dumont Bergman Bider & Co. in Mexico City.
Key Issues raised (1 sentence per issue):
Best Practices for Preserving Security and Stability in the Credential Management Lifecycle
Attacks that compromise registrant data and/or the Domain Name System (DNS) settings of domain names continue to be a significant problem for registrars and registries, as well as for the registrants themselves and the users of their sites. The roundtable discussed specific best practice guidelines that will help enhance the security of the DNS and the systems that support it, addressing the entire credential management lifecycle.
Publishing data about security breaches.
The roundtable recommended that statistics about the number of breaches and the high-level causes of the breaches be published. The roundtable commented that data about breaches can be appropriately anonymized and still be a useful way to provide better information about the nature of the threat landscape.
Security breaches
The session defined security breach as ‘any unauthorized access to or disclosure of registrant account information or registration data.’
Stronger authentication practices, specifically multi-factor authentication, should be used.
Global Training programs should be supported.
ICANN, together with other stakeholders, should facilitate global hands-on training programs with the goal of enabling parties to learn practical operational practices for preserving the security and stability of the credential management lifecycle.
Re-using the same username/password combination is poor practice.
Phishing and spear-phishing attacks are used to steal high-value credentials that allow access to critical systems.
Credentials must be protected at all stages of the credential management lifecycle, from creation to destruction. Each phase of the lifecycle has its own challenges, requirements, and recommendations. The roundtable discussed each phase as it is practiced by registrars and registries today: designing, creating, distributing, storing, changing, renewing, transferring, revoking, recovering, and destroying.
There are practical improvements that can be made to all stages of the credential management lifecycle.
Attacks cannot be completely prevented, so design should include risk assessment and incident response plans.
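The lifecycle phases listed above, as an added example that is not part of the roundtable report or of any registrar's code: a small Python credential store that implements the storing, changing, renewing, revoking, recovering and destroying phases with salted scrypt hashing, constant-time comparison, a reuse check, expiry-driven renewal and single-use recovery tokens. The usernames, lifetimes and scrypt cost parameters are assumptions chosen for illustration.

```python
"""Minimal credential store covering the storing, changing, renewing,
revoking, recovering and destroying phases of the lifecycle.
Added illustration; not the roundtable's or any registrar's code.
Usernames, lifetimes and scrypt parameters are assumptions."""
import hashlib
import hmac
import os
import secrets
import time

# scrypt cost parameters (assumed values; about 16 MiB of memory per hash)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
PASSWORD_MAX_AGE = 90 * 24 * 3600   # renewal required after 90 days (assumed policy)
RESET_TOKEN_TTL = 15 * 60           # recovery tokens live 15 minutes (assumed policy)
_DUMMY_SALT = bytes(16)             # used so unknown users cost the same as known ones


def _derive(password: str, salt: bytes) -> bytes:
    """Memory-hard KDF so a leaked hash table is slow to crack offline."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class CredentialStore:
    def __init__(self):
        self._users = {}    # username -> record (salt, hash, created, revoked)
        self._resets = {}   # sha256(token) -> (username, expiry)

    def _matches(self, rec, password: str) -> bool:
        # constant-time compare; the plaintext is never stored
        return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])

    # creating / storing: fresh random salt, hash only
    def create(self, username: str, password: str, now=None) -> None:
        now = time.time() if now is None else now
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": _derive(password, salt),
                                 "created": now, "revoked": False}

    # login path: revoked or expired credentials fail even with the right secret
    def verify(self, username: str, password: str, now=None) -> bool:
        now = time.time() if now is None else now
        rec = self._users.get(username)
        if rec is None:
            _derive(password, _DUMMY_SALT)   # no timing oracle on username existence
            return False
        expired = now - rec["created"] > PASSWORD_MAX_AGE
        return self._matches(rec, password) and not rec["revoked"] and not expired

    # changing / renewing: prove the old secret, refuse reuse, re-salt.
    # An expired (but not revoked) credential may still be renewed here.
    def change(self, username: str, old: str, new: str, now=None) -> bool:
        now = time.time() if now is None else now
        rec = self._users.get(username)
        if rec is None or rec["revoked"] or not self._matches(rec, old):
            return False
        if self._matches(rec, new):
            return False   # new password equals the current one: reuse
        self.create(username, new, now)
        return True

    # revoking: the record stays (for audit) but can never authenticate again
    def revoke(self, username: str) -> None:
        if username in self._users:
            self._users[username]["revoked"] = True

    # recovering: random token delivered out of band; only its hash is stored
    def begin_recovery(self, username: str, now=None):
        now = time.time() if now is None else now
        if username not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self._resets[key] = (username, now + RESET_TOKEN_TTL)
        return token

    def finish_recovery(self, token: str, new_password: str, now=None) -> bool:
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self._resets.pop(key, None)   # single use: consumed on first attempt
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry or username not in self._users:
            return False
        self.create(username, new_password, now)
        return True

    # destroying: remove the record and any outstanding recovery tokens
    def destroy(self, username: str) -> None:
        self._users.pop(username, None)
        self._resets = {k: v for k, v in self._resets.items() if v[0] != username}
```

A real registrar would keep these records in a database with an audit trail rather than in memory, gate `begin_recovery` on a second factor, and add the distributing and transferring phases (initial delivery of the secret, and handing a domain to a new registrant) that this illustration leaves out.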