ICANN 51: DNS Risk Framework
âą1 gostouâą638 visualizaçÔes
Denunciar
Compartilhar
Baixar para ler offline
The ICANN staff is moving forward with implementation of the Risk Framework as prepared by Westlake Governance and presented at the London ICANN meeting. ICANN staff will give an overview of the methodology that they intend to apply to investigate the twenty three identified risks and to define related mitigations mechanisms. The session will be held jointly between ICANN's Enterprise Risk department and the Identifier Systems Security, Stability and Resiliency group.
Mais conteĂșdo relacionado
Destaque
Destaque(9)
Similar a ICANN 51: DNS Risk Framework
Similar a ICANN 51: DNS Risk Framework(20)
![Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]](https://cdn.slidesharecdn.com/ss_thumbnails/dnssec-final1425360815-150318234332-conversion-gate01-thumbnail.jpg?width=768&fit=bounds)
Mais de ICANN
Mais de ICANN(20)
Ăltimo
Ăltimo(20)
ICANN 51: DNS Risk Framework
- 1. Text DNS Risk Framework Update #ICANN51 14 October 2014 John Crain & Jacks Khawaja Chief SSR Officer; Enterprise Risk Director
- 2. Agenda Text âą History âą Moving Forward #ICANN51
- 4. Defined Resiliency Model Text ASSETS
- 5. Text
- 6. 23 Risks Defined Text
- 7. Text Moving Forward #ICANN51
- 8. Numbers Text âą Examining Risk o Typically, step 1 = identify assets o Impractical to identify all individual elements of DNS âą Our Approach Categorize assets by sphere of influence #ICANN51
- 9. WTexth ere can ICANN: Implement Directly Influence Indirectly Influence ?
- 10. Text Assets directly controlled by ICANN âą Assets that ICANN directly manages or contracts to third parties (Example: XXX, XXX) âą ICANNâs own corporate infrastructure âą External-facing services such as websites and request management systems âą DNS infrastructure of L.root-servers.net âą Others? #ICANN51
- 11. Text Assets directly influenced by ICANN âą Assets that ICANN can influence through contractual agreements (Example: Service Level Agreements, etc.) âą Registries or registrars are guided by contracts that include Service Level Agreements âą It is their remit as the asset owners to decide how they meet those SLAs and how to implement mitigation of their risks #ICANN51
- 12. Text âą The Internet is a ânetwork of networksâ and each operator of a network or service is ultimately responsible for their own risk management âą ICANN and the community can indirectly influence these through outreach and awareness efforts âą ISOCâs Deploy360 is an excellent example of this #ICANN51 Assets outside ICANNâs realm
- 13. Text SSR-001 DDOS (Example) #ICANN51
- 14. SSR001 Description (abridged) Text âą User or organization deprived of service(s) or resource(s) they would normally have âą Distributed denial-of-service (DDoS) attack: o Multitude of systems (compromised or otherwise) are used to attack a single target o Flood of incoming messages to the target system essentially forces it to shut down. This can take two forms: Â§ï§ Resource Depletion Â§ï§ Resource Disruption #ICANN51
- 15. What is the Risk? Text âą This risk discusses the probability that parts of the DNS could be disabled for a sustained period âą To ascertain the likelihood or the effect of such an attack, itâs important to first define the assets that are affected. This is also critical to understanding who owns the risk and who is able to best mitigate such risks #ICANN51
- 16. Look at DNS Assets from Both Sides Text âą Publish the data on the authoritative servers (root servers, TLD servers, and registrants servers) âą Query the data on the recursive servers (ISPâs, corporations, and DNS service providers) #ICANN51
- 17. Text Assets directly controlled by ICANN Authoritative âą ICANN: o Operates L.root-servers.netICANN runs some infrastructure for TLDs (ARPA, int.) o Runs its own network DNS infrastructure Recursive âą ICANN runs its own recursive servers for staff âą Risks to these are covered in ICANNâs ERM #ICANN51
- 18. Text Assets directly influenced by ICANN Authoritative âą ICANN has an advisory committee (RSSAC) that provides Service Level Recommendations for root servers âą (Upcoming RSSAC002) âą ICANN has contracts in place with many, but not all TLDs. Those contracts contain SLAs Recursive âą ?? #ICANN51
- 19. Text Authoritative âą Registrantsâ DNS services Recursive âą ISPs, corporations, homes and DNS service providers âą Should the community work together to influence these? âą We have SSAC and RSSAC that provide advice #ICANN51 Assets outside ICANNâs realm
- 20. Can We Tackle the Root Causes? Text There are many efforts underway to reduce the severity of DDoS attacks o Source Address Validation (BCP38) o Open Resolver project o Botnet dismantling o Others Should ICANN staff and community members play a more active role? #ICANN51
- 21. Going Forward Text âą For each of the 23 risks, we will: o Document assets o Identify existing mitigation strategies that are in place o Suggest areas where new or improved mitigation plans may be considered âą How do we involve community expertise? o Dedicated workshops? o Working Groups? o Other suggestions? #ICANN51
- 22. GDD + Related Sessions Text Wednesday, 15 October o GDD Service Delivery, Customer Service & #ICANN51 Service Level Agreements o Universal Acceptance Thursday, 16 October o DNSSEC Key Rollover Workshop o Thick WHOIS Implementation (Working Session) o Deploying the IETFâs WHOIS Replacement
- 23. Text Engage with ICANN on Web & Social Media twitter.com/icann facebook.com/icannorg linkedin.com/company/icann gplus.to/icann weibo.com/icannorg flickr.com/photos/icann youtube.com/user/ICANNnews icann.org