[0:00:02.008] >> Brian: Welcome to the AMA Conference Center in New York City and for those following us online, my name is Brian Cute. I am the CEO of Public Interest Registry. Public Interest Registry or PIR is the operator of the dot org top level domain on the internet. We, along with New York Tech, a New York City based Technology Industry Association, and the Internet Society, New York Chapter want to welcome you to today's event, Mitigating DDoS Attacks, Best Practices for an Evolving Threat Landscape. For those of you online, today's event is being webcast at the ISOC Live Stream Channel and on that channel you can also post questions. We welcome questions from our online audience to bring into the Q&A session today. You can also follow the event at the hashtag DDoS and with that, let me introduce today's session, Mitigating DDoS Attacks, Best Practices for an Evolving Threat Landscape. Distributed denial of service attacks are deliberate attempts to make internet connected machines or network resources unavailable to their intended users by temporarily or indefinitely interrupting or suspending DNS service. Unfortunately DDoS attacks are an all too common reality across today's internet landscape. Examples abound, most recently large-scale attacks have been directed at major U.S. banks since September of 2012. Online service providers and corporations around the world are often targeted.
[0:01:41.007] DDoS attacks have been directed against government websites and it's quite possible that some attacks were at least condoned by governments. Whether a DDoS attack is motivated by criminal intent, like cyber extortion, or is executed as an extreme form of free expression, the resulting service interruptions can have wide ranging effects. Today's program will explore the motives behind and targets of DDoS attacks. We will address ways attacks are carried out, as well as mitigation techniques and the importance of collaboration. We will also explore the risks of unintended consequences related to DDoS attacks. Now before I introduce our esteemed panelists, I wanted to note that PIR recently conducted a survey in the United States to test the public's awareness of DDoS attacks, this very important and growing problem on the internet. Among the results, we found that 85% of the respondents did not know what a DDoS attack was. When asked, "What would you do if you were made aware that DDoS attacks were taking place?", among the very revealing responses were, "Call the Geek Squad," which is a technical service organization that comes to fix your home computer. "Call my spouse," or "Go to Google."
[0:03:10.005] And while we're very happy to have a Google representative here on the panel today, I think these answers reveal the depth and breadth of misunderstanding and lack of awareness about this very important problem in the public. So today we're going to try to begin to chip away and provide some awareness about the important problem of DDoS attacks and how we collectively can address them effectively. So with that, let me get on to the introduction of today's panelists. Today's panelists represent a variety of organizations that operate at various points in the internet ecosystem. Their wealth of experiences and insights from industry, government, and civil society perspectives should help us better understand the challenges of DDoS attacks and identify mitigation practices. First, at the far end, we have Mr. Jeff Greene. Jeff serves as a senior policy counsel at Symantec. Jeff focuses on cyber security, identity management, and privacy issues and works extensively with industry and government organizations. Prior to joining Symantec, Jeff was a senior staffer on both the U.S. Senate and House Homeland Security Committees and before that was an attorney with a Washington D.C. law firm. Next we have Ram Mohan. Ram is the Executive Vice President and Chief Technology Officer at Afilias Limited.
[0:04:36.045] Ram oversees key strategic management and technology choices for the Dublin, Ireland based provider of internet infrastructure services. Ram also serves as a Director and Key Advisor to the Internet Corporation for Assigned Names and Numbers or ICANN, the Internet Society, and the Anti-Phishing Working Group. Next, we have Dr. Damian Menscher. Damian is a Security Engineer at Google where he leads the DDoS Defense Team. Damian uses his front-line experience defending today's largest attacks to design defenses that will automatically mitigate future attacks. He also reduces botnet sizes by directly informing users of infections on their machines through targeted messaging on Google. Previously, Damian gained experience in large-scale data analysis while completing his PhD in Computational Particle Physics. I could barely say that. Next is Miguel Ramos. Miguel is Senior Product Manager at Neustar Inc, responsible for Neustar SiteProtect, a leading cloud-based DDoS mitigation service. Mr. Ramos has extensive experience in product management, marketing and technology. Previously Miguel was a Product Manager in charge of hosting and email product lines at Network Solutions, a leading domain registrar and online services provider. We were also to have Wout de Natris from the Netherlands. Unfortunately Wout is here in New York but came down with a sudden illness of food poisoning.
[0:06:11.066] We regret deeply that he's not here with us today. He was very eager to be here with you and we wish him a swift recovery. Next on the panel is Danny McPherson. Danny is the Chief Security Officer for Verisign, the trusted provider of key internet infrastructure services including two of the root servers, and the dot com and dot net name spaces. Danny is responsible for strategic direction, research and innovation in infrastructure and information security. He currently serves on the Internet Architecture Board, ICANN Security and Stability Advisory Council, the FCC's Communications Security, Reliability and Interoperability Council and several other industry forums. And finally, on the near end, we have Ms. Jillian York. Jillian is a Director for International Freedom of Expression at the Electronic Frontier Foundation where she specializes in free speech issues and the effects of corporate intermediaries on freedom of expression and anonymity, as well as the disruptive power of global, online activism. Prior to joining EFF, Jillian spent 3 years at Harvard University's Berkman Center for Internet and Society, where she worked on several projects including the OpenNet Initiative. Thank you all for coming, we appreciate your time. Now the way we're going to structure today's event and discussion is that I will do a first round of introductory remarks from each of the panelists.
[0:07:42.006] We'll keep it brief and we're basically going to try to set the stage, the background on DDoS attacks. Now before I get there, I just want to offer a little reaction from the common man. "I've been in the industry myself for 10 years. I have a familiarity with DDoS attacks and internet infrastructure, but in approaching this event and preparing for it, I went online and pretended to be an average guy from Columbus, Ohio. What would I find if I'm trying to educate myself online about this serious problem? And in doing that, what jumped out to me is an issue of nomenclature, an issue of language, an issue of understanding, potentially barriers to understanding and awareness." So I'm going to ask Jeff Greene to start painting the picture of what DDoS attacks are and while we have a number of brilliant engineers on this panel, let me suggest that when one goes online as the average guy from Columbus, Ohio, he runs into things such as DoS, DDoS, DRDoS, Smurf attacks, SYN floods, ping of death, attacks that are perpetrated by Trojans and zombies, attacks that are combated through techniques like black-holing, sink-holing, and intrusion protection. Our job today is to utilize the expertise of these brilliant folks on our panel to help translate all of these very intimidating words around attacks on the internet so that we can raise the awareness for the public. So, Jeff, if you wouldn't mind kicking this off for us.
[0:09:17.047] >> Jeff: Sure, thanks again for having me and thanks for including me with such a great group of folks up here. I thought I'd give a little background on what are some trends we're seeing at Symantec in DDoS attacks, motivations also, and hopefully set the table for the conversation. The first thing I would start by saying is, when you're thinking about a DDoS attack, don't conceptualize it as a single event or a siloed activity. You really need to think about it as potentially part of a larger effort directed at you or directed at an entity or organization. It can still be a one-off but more often nowadays, it is not. In terms of motives, they can run the gamut, it can be harassment, political, it could be mischief, you know there's probably still some 15-year-old hackers in the basement somewhere. It could be someone, you know, annoyed, frustrated with a particular company or entity and going after them. It really runs anything. It could be extortion, simple "pay me" type activity, or more common now, or what we're seeing more of, what we're calling multi-flank attacks, and transitioning to talk about some of the trends, we'll start there.
[0:10:31.006] If you folks saw, I think it was in October, Defense Secretary Panetta was talking about cyber security and one of the things he mentioned were these flank attacks and DDoS is certainly a part of them and has become less of a blunt-force attack to more of a sophisticated diversionary attack; I should say it can be. The goal, basically, being drawing attention and resources away from standard security to focus on this response and leaving perhaps yourself open to other activity. One example that we talked about at a conference earlier this year, DDoS was a big part of it but the DDoS attack happened actually at the end of the activity. This particular effort was directed to mid-sized banks. It began with spear-phishing and other efforts to compromise some IT administrators at the bank. Once that is successful, the bad guys will then spend their time figuring out what they need and they want and it was at this point that the DDoS attack was launched in one of the cases that our folks talked about. It was done on a Friday afternoon when staffing was light, naturally resources were directed at responding to the denial of service attack which then left other activities perhaps unmonitored, and that's when the criminal enterprise or individual actually began the more sophisticated attack and actually traded a lot of information that allowed them to clone ATM debit and credit cards.
[0:12:02.067] There were press reports about one bank having lost 9 million dollars over the next 48 hours. So again, the DDoS was a big part of it because it had really facilitated the ability to conduct a larger crime. Another trend we're seeing is crowd sourcing of DDoS attacks. You may be familiar with Operation Payback, which is something that Anonymous was behind. It initially started as a response to some antipiracy efforts and worked into a response when WikiLeaks became very press-worthy in terms of some companies responding to WikiLeaks. So social networking facilitates the crowd sourcing; essentially, why do you need to go build up or acquire your own botnet to engage in an attack when you could get 100 or 1,000 like-minded friends who will happily do that thinking that they're doing something for the greater good. And I would also suggest that the criminal enterprises are fully aware of this and why should they expose themselves or spend their resources if they can gin up some real or imagined affront by a company they're trying to penetrate and get people to unwittingly support their efforts. Another trend is application layer attacks. More sophisticated, generally you get more bang for your buck, you can have more impact with less resources. It takes a little more work, but it is something that you will see more of, we suspect, going forward.
[0:13:40.008] Two more things, one, insider threat, not strictly DDoS but it certainly can be a part of it. What we're seeing generally with intrusions is an increasing number of compromised insiders. Again, often through use of social media; social media is wonderful. So it allows folks to figure out just how to get at someone and a compromised insider facilitates the effort and again, often the DDoS is part of the culmination of it there. Finally I would say it's getting easier than ever. There are attack kits, there's malware out there that you can buy, optimized for DDoS attacks. As with all the attack kits out there, they're becoming much easier for less sophisticated users. You don't have to have a lot of coding expertise to get some of these up and running and have yourself an ongoing criminal enterprise. So, circling back to where I began, I would say that, you know, we're here talking about DDoS attacks but I think it's important in this conversation not to put it in a box and isolate it from other malicious activities that are going on and other vulnerabilities and intrusions because the bad guys don't think about it that way so we really, as we're talking about responding to it, make sure that we don't do the same.

[0:14:51.001] >> Brian: Thank you Jeff, so in listening I'm hearing that I have more things to be concerned about, more things to be afraid of, something called spear-phishing, I'm not sure what that is.
[0:14:59.079] That this is a broader attack profile against the internet, that there's numerous points of attack and it's part a simple attack that is designed to provide misdirection so a secondary attack can happen. So clearly, this is a troubling landscape that I'm trying to sort through. Ram, as Afilias, Registry Operator on the internet, you provide technical services for dot org on the internet and other top-level domains. From the Registry Operator's perspective, what is the scope of this problem?

[0:15:36.066] >> Ram: Thank you Brian and thanks for having me here. I guess the very first thing is, if you're a Registry Operator, really what you're doing is you're providing a targeted answer for where the domain names are on the internet. You're a sort of directory, to a large extent, and that's the biggest job that you do as a Registry and you get information from people who want to buy domain names or who want to get a website going. You get information from them, store it into a large database, and the biggest thing you do is propagate it instantaneously everywhere around the world. And what that means is that your browser, typing in redcross.org when it's sitting here, or on your mobile phone, typing in redcross.org when you're perhaps in another part of the world, they all translate to get to the actual Red Cross site, and that translation is done by the registry, by the directory.
[0:16:36.099] So that makes it a really interesting place to attack because after all if you can compromise or if you can take down the authoritative directory for every dot org domain name in the world, there are more than 10 million dot org domain names. There are more than 10 million dot org websites in the world. If you can take down the provider who is giving the information that says to every computer in the world, hey, for a given dot org, which computer should I go to? Where should I go to? If you can take them down, that's not only a coup, but that also is a global event. It gets you noticed, there are many motivations but that's certainly one of them, right? And that makes the dot org registry, a [inaudible] of what we run, a regular target. Up on the screen you see, this is some data from earlier in the year, gives you an idea of the scaling, the kinds of attacks that come through. So that's 2012, February, and from 2012 February to 2012 June, this is the number of queries, the number of requests coming into the servers that we run worldwide asking for information about a dot org domain name, right. And much of this comes from DDoS so, the foundation for DDoS is very simple, right? It's a denial of service so all these computers around the world do it, they send a request in to our server saying hey, tell me where a particular dot org domain name is. And before you even respond they're gone and they come back again and they say tell me where.
[0:18:21.063] And they do this hundreds of millions of times in, it used to be a very short timeframe, but as you can see here, it's an extended timeframe. Now what we saw earlier in the year was in the space of just a few months, February through to June, we had a 3X increase, a 3 times increase in the total volume coming in in just 4 months' time. But, if you look further, if you look in the next screen, that's not the real story. That 3X increase that I showed you earlier, so that was up to 2012 June, but look at what happened from there through to September. That was a 9X increase in total volume coming through to the dot org systems. In total, from February through to September, that was an 18 times increase in volume. Now the data is interesting. The real life importance of this is if as a registry provider, if you're not provisioned and if you don't have the measures to boot the [inaudible] attacks are coming and then be able to take appropriate counter measures when such attacks are coming, you could just go down and going down means that every single dot org website in the world, dot org email address, okay every single thing that depends on dot org, sooner or later is not accessible on the internet and it's not happened so far, but the gap between what do you provision, and what the scale of attacks, and who was attacking you. It's a continuous cat and mouse game.
[0:20:06.054] The other thing that I wanted for you to know about is where the DDoS is coming from; it's often coming from your PC that is just on at home, connected to your broadband connection. Just sitting there, and you probably don't even know it. If you have a good ISP, if you have a good internet provider, they probably have ways to track it and many of the internet providers these days are putting in measures to understand whether there's a DDoS attack, so whether you're part of a botnet. But when we say a zombie, that's really what it is. Your computer, your computing device somewhere connected online, has been taken over, and you don't know it but it's now part of a global group of computers that can be harnessed to attack any given target at a moment's notice. And that is pretty scary, it's a pretty impressive feat of engineering, but it's scary because pulling together 5 million of these is no big deal. Pulling together 40 million of these takes some effort but it's doable. And if you have 40 million computers that are just sending a little ping every so many milliseconds, asking for information and then just going away, that becomes a massive problem and something that you really have to work hard to mitigate before it overwhelms you because if it becomes a tsunami, it's very hard to overcome.
[0:21:54.074] >> Brian: Thank you Ram and thank you for giving pictures, which are worth a million words, and giving us a sense of the scope of the problem and also in your comments, connecting this to the "why should I care" question as an individual: if all the dot org sites in the world go down, the organizations who have that website up, whether they're an NGO or not-for-profit trying to do good in their mission or whether it's an individual or a company in a dot com, having their commercial activities interrupted, that's a very serious impact. So as we move through the discussion, connecting the dots to "why should I care", the individual at home, and also the interesting thing is that I might be an unwitting participant in an attack, my machine on my desk at home, and be completely unaware of this. I think we're starting to get to those issues of "why I should care". So next, let's get to, I think, it's Dr. Damian Menscher. So we've heard from a Registry Operator, now from an online service provider, in this case Google, the leading search engine. Damian, with Google's breadth and depth of technology and reach, this certainly can't be that big of a concern for a company the size of Google, right? Tell me why I'm wrong.

[0:23:09.062] >> Damian: Right, because we have a team of people that worries about this stuff. So, most people don't realize that Google is actually regularly attacked.
[0:23:19.007] The reason is, you'd sort of wonder why would anyone have anything against Google? Well it turns out we actually host a lot of user content, so Blogspot includes random user content from people all over the world. Sometimes that's controversial. Similarly YouTube might have a controversial video on it and so frequently these sorts of sites do get attacked. And it's not just DNS as previously mentioned, it's, you know, we see application layer attacks where they'll dispatch the same homepage over and over again at very high rates, you know upwards of maybe a million times a second. So, you've also probably noticed that we're never actually down so, if you want to talk about how we do that, if you go to the first slide. So we benefit a lot from economy of scale; when you look at most small websites, there might be a thousand websites hosted on a single machine because they don't get very much traffic. We sort of turned that around and we might have a thousand machines hosting one website. You know Google.com is a big website, it doesn't fit on a single machine. So we do benefit a lot from the economy of scale and pooling our defense resources across our various properties. But, go to the next slide, you have to be a little bit careful about this; if you put everything together, you also have some risk.
[0:24:44.058] So, I wanted to talk briefly about how we deal with this and this also is, as Jeff had mentioned, we have to be careful that we don't distract our security team when there is a DoS attack. If we have one team that focuses on all of security, then when there's a DoS attack we might be looking at that and miss other things. So, what we do actually is, go on, we have layered defenses. So we have a separate team that focuses on DoS attacks so that when there's an attack we don't lose sight of the other attacks that are happening against us every day. And, basically we focus on having layered defenses so; this is a very rough sketch of what our network might look like. We don't see the internet necessarily as a single cloud. We see it as multiple clouds because we peer directly with several major ISPs. We go through a layer of load balancing at our network so if any particular network device gets overloaded, we can work around that. Then we go through a layer of load balancing within our own network to eventually get to the backends that are the webservers, serving the actual content. And so by doing this, we're able to shift traffic around to avoid any damage from the attack traffic.
[0:26:13.044] We also have many layers at which we can filter out the bad traffic so, at the very edge of our network we might be able to filter out some of the more obvious attacks, but as you get deeper in, or more sophisticated attacks, we filter them at other places. Another thing I want to mention though is, this style works really well for a very large company like Google, but most of you are probably more interested in how to defend the small site and the best advice I have there is that the user comment of going to Google might actually make sense: if they host their site on Google, they automatically benefit from our defenses. They won't even know they're being attacked. And we frequently do see cases of organizations that are under a heavy DoS attack and they just quickly set up a site on Blogger saying, "Hey, we're being attacked. We're going to use this for our communication for now." That's actually, at one point, the country of Georgia had their Ministry of Foreign Affairs host their site on Blogger which was entertaining for me to say, like oh, what are we going to see as a result of this? But the other thing is just making sure that you are pooling your resources with others in your organization; there are other cloud based DoS mitigation providers that sort of aggregate resources from several different clients and can provide good defenses for you.

[0:27:47.053] >> Brian: Thank you Damian, and love ice. It's terrific.
0:27:52.015,0:27:55.086 >> Damian: Also our PR people would want me to say it's not as weak
0:27:55.086,0:27:59.029 as eggs, you know, like fortified eggs.
0:27:59.029,0:28:00.076 >> Brian: Boiled eggs.
0:28:00.076,0:28:02.086 [Laughter] No, terrific, thank you.
0:28:02.086,0:28:04.075 >> Damian: Each layer is very strong.
0:28:04.075,0:28:08.098 >> Brian: Thank you and you know, fully appreciating your remarks too,
0:28:08.098,0:28:15.023 one thing that jumped out to me is that I think one of the challenges we all share
0:28:15.023,0:28:19.081 in this space is that from the user perspective, and I'm going to try to keep bringing us back
0:28:19.081,0:28:25.058 to the user and the average person at home, is that this problem, there's a low level
0:28:25.058,0:28:30.009 of awareness and one of the reasons is because as very responsible service providers
0:28:30.009,0:28:35.007 like Google and the others on this panel, you've taken on the challenge and objective
0:28:35.007,0:28:38.002 of staying up and not being taken down by DDoS attack.
0:28:38.002,0:28:44.081 You've been successful to date and as such, users who have their sites on Google,
0:28:44.081,0:28:49.084 the DNS is sometimes thought of like electricity, you know, it's just there.
0:28:49.084,0:28:52.014 It's, my website is up, the internet is up.
0:28:52.014,0:28:55.004 I only notice it when it goes down.
0:28:55.004,0:28:59.026 I only become aware there's a problem when there's a problem.
0:28:59.026,0:29:03.017 So interesting thought, let's keep coming back to that:
0:29:03.017,0:29:05.059 "why should the individual, why should the user care?"
0:29:05.059,0:29:08.042 How do we get this on their radar screen in a meaningful way
0:29:08.042,0:29:10.093 so they can become part of the solution?
0:29:10.093,0:29:14.004 So with that thought let's go to Miguel.
0:29:14.004,0:29:20.011 And Miguel, we're going to ask you to focus specifically on corporate responses
0:29:20.011,0:29:25.066 from the perspective of a third-party mitigation service provider.
0:29:25.066,0:29:26.098 >> Miguel: Sure, and thank you Brian.
0:29:26.098,0:29:33.013 I'm going to dovetail on some of the things that Damian was saying.
0:29:33.013,0:29:38.019 A lot of organizations and a lot of people don't understand or know about DDoS
0:29:38.019,0:29:42.077 and don't see an issue until it actually happens to them.
0:29:42.077,0:29:46.073 And at that point, a lot of organizations are kind of scrambling,
0:29:46.073,0:29:51.045 trying to figure out what it is that they can potentially do to deal with this issue.
0:29:51.045,0:29:57.042 And they most likely go to Google to try to determine and try to find an answer.
0:29:57.042,0:30:03.018 So, a lot of people don't think about this because they assume that their ISP
0:30:03.018,0:30:07.015 or their hoster is actually going to take care of the problem for them.
0:30:07.015,0:30:13.009 Actually, what tends to happen is that when an organization is under heavy DDoS attack,
0:30:13.009,0:30:17.065 the ISP and the hoster is looking at protecting their own assets
0:30:17.065,0:30:21.023 and will most likely just shut you down.
0:30:21.023,0:30:24.002 And so they might contact you and tell you you're under a DDoS attack
0:30:24.002,0:30:27.015 but they may not help you through it.
0:30:27.015,0:30:33.043 So, there are some things that organizations can do to help mitigate this risk.
0:30:33.043,0:30:37.047 Some organizations look at dealing with the DDoS problem themselves.
0:30:37.047,0:30:39.003 They'll look at buying their own hardware;
0:30:39.003,0:30:42.028 they'll look at provisioning bandwidth, etcetera.
0:30:42.028,0:30:47.003 Unfortunately a lot of organizations don't have the resources to be able to do that.
0:30:47.003,0:30:51.035 And it doesn't necessarily make sense for a lot of organizations because it's sort
0:30:51.035,0:30:56.098 of an arms race and it's hard to spend your way out of dealing with this problem
0:30:56.098,0:31:01.094 as attacks get larger and larger and more complicated, etcetera.
0:31:01.094,0:31:09.061 So, there are some third-party options that organizations can look at that I would kind
0:31:09.061,0:31:15.088 of consider to be infrastructure as a service that can be used on an on-demand basis
0:31:15.088,0:31:19.071 to help organizations deal with DDoS attacks when they happen.
0:31:19.071,0:31:26.071 So the idea is simply, you don't necessarily have to over-provision all hardware,
0:31:26.071,0:31:29.042 bandwidth, etcetera to deal with the risk.
0:31:29.042,0:31:36.025 You can potentially use the third party that has that capacity and capability when you need it.
0:31:36.025,0:31:42.042 And you know at that point you're looking at options like content distribution networks;
0:31:42.042,0:31:47.086 they can potentially help deal with absorbing some of this traffic and keeping
0:31:47.086,0:31:49.078 that traffic away from your network.
0:31:49.078,0:31:55.065 There's also cloud-based providers that specifically focus on the DDoS problem
0:31:55.065,0:31:59.044 and the idea there is if you're under an attack,
0:31:59.044,0:32:03.081 your organization can potentially redirect the traffic over to a cloud-based provider
0:32:03.081,0:32:08.035 that can absorb the traffic, that knows how to mitigate and deal
0:32:08.035,0:32:12.083 with [inaudible] service attacks and then sends you basically the clean traffic.
0:32:12.083,0:32:19.029 It's sort of kind of putting a shield in front of your infrastructure on an on-demand basis
0:32:19.029,0:32:21.035 when you're dealing with these attacks.
0:32:21.035,0:32:28.087 So, infrastructure as a service is something that is more affordable for organizations
0:32:28.087,0:32:32.019 and something that organizations are starting to look at more and more
0:32:32.019,0:32:35.086 as a way to deal with this DDoS issue.
0:32:35.086,0:32:38.002 And certainly, there's a lot of information about that
0:32:38.002,0:32:42.008 on Google and it's key to become informed.
0:32:42.008,0:32:46.074 >> Brian: Thanks Miguel, so we're beginning to get a clear picture of the scope of the problem
0:32:46.074,0:32:52.059 from a number of different perspectives and in addition to service providers such as Google
0:32:52.059,0:32:58.025 and Afilias, Verisign and Neustar maintaining their services in a way that keeps them
0:32:58.025,0:33:01.027 up 24/7 and addresses these attacks.
0:33:01.027,0:33:06.034 There are, for certain organizations, specific resources available if needed
0:33:06.034,0:33:11.055 and that's interesting as we're beginning to, after setting the scene,
0:33:11.055,0:33:16.043 now let's transition towards those solutions as mitigation efforts, the services that are
0:33:16.043,0:33:20.066 out there designed specifically to provide additional protection.
0:33:20.066,0:33:28.006 As we transition, Danny I want you to help the audience understand some domestic initiatives
0:33:28.006,0:33:32.054 such as the anti-botnet work undertaken by CSRIC and help us to begin
0:33:32.054,0:33:38.017 to understand how we can begin to collectively come together to address this problem.
0:33:38.017,0:33:39.006 >> Danny: Yes sir, thanks Brian.
0:33:39.006,0:33:43.055 So there have been a large number of collaborative efforts between public
0:33:43.055,0:33:50.041 and private sector related to botnet infections, compromised machines, malcode proliferation,
0:33:50.041,0:33:55.084 virulence of threats on the internet, just this broad swath of malicious activity.
0:33:55.084,0:34:01.005 It's a nontrivial problem to solve because the ISPs for example, a lot of folks point fingers
0:34:01.005,0:34:05.007 at the ISPs, but the ISPs don't [inaudible] systems, their [inaudible] system in particular,
0:34:05.007,0:34:10.044 the broadband ISP users, residential consumers that acquire service from the ISP,
0:34:10.044,0:34:14.008 and the ISP shouldn't be looking at their traffic and you know
0:34:14.008,0:34:17.021 and they have privacy concerns or other things.
0:34:17.021,0:34:21.021 So, what sort of controls or capabilities can the ISPs actually add to help them?
0:34:21.021,0:34:24.015 So a number of efforts have been underway actually.
0:34:24.015,0:34:27.082 One such example is the FCC CSRIC III,
0:34:27.082,0:34:31.025 Working Group 7 recently published something called the ABCs for ISPs
0:34:31.025,0:34:36.098 and it's basically the anti-botnet code and they developed it with a number of other folks
0:34:36.098,0:34:42.006 in the industry, MAAWG, the Messaging Anti-Abuse Working Group, as well as some publication
0:34:42.006,0:34:48.036 in the IETF and broader participation, actually internationally from folks from Japan,
0:34:48.036,0:34:53.035 the Cyber Clean Center, to Australia, Finland, Germany, other folks and it basically talks
0:34:53.035,0:34:58.017 about some fundamental things that ISPs can do to help educate, protect, notify,
0:34:58.017,0:35:02.009 detect malicious threats associated with their consumers and then activity they might take
0:35:02.009,0:35:04.082 to help to clean that problem or sanitize
0:35:04.082,0:35:07.013 or provide a little better hygiene on their infrastructure.
0:35:07.013,0:35:12.077 So, one pointer there is one of the reports, the ABCs again, for ISPs,
0:35:12.077,0:35:20.041 you can find it on the [inaudible] website or the FCC CSRIC III, Working Group 7 webpage
0:35:20.041,0:35:25.037 that you can find easily via Google and so that's certainly one effort.
0:35:25.037,0:35:27.076 One of the fundamental things, going back to the user,
0:35:27.076,0:35:30.000 is there anyone on the receiving end of a DDoS attack?
0:35:30.000,0:35:33.083 What you should definitely be looking at is sort of what enables your business?
0:35:33.083,0:35:37.001 Most of the folks on this panel, you know, network is our business all right,
0:35:37.001,0:35:39.068 we're going to focus on providing network services and availability.
0:35:39.068,0:35:44.001 We're absolutely committed to the security and stability of our infrastructure and services,
0:35:44.001,0:35:47.008 but for a lot of folks, network enables their business.
0:35:47.008,0:35:52.042 It enables your email or your web presence or your small business
0:35:52.042,0:35:54.057 or your e-commerce or retail site.
0:35:54.057,0:35:59.003 And so irrespective of what it is, you absolutely need
0:35:59.003,0:36:03.054 to consider what the critical network assets are or the critical assets across the board
0:36:03.054,0:36:11.002 to your organization and you identify those, you say what's the impact of an availability issue
0:36:11.002,0:36:16.061 or security issue or a compromise of information impacting those assets?
0:36:16.061,0:36:21.028 And how might I put controls in place to help mitigate that or to at least have a plan
0:36:21.028,0:36:26.077 to respond if there's a DDoS attack or a breach inside my infrastructure, those sorts of things.
0:36:26.077,0:36:31.059 You know one of the things that I've seen in the past, we did this survey for several years,
0:36:31.059,0:36:35.035 a previous employer of mine, and most of the folks that responded
0:36:35.035,0:36:39.063 to this infrastructure security survey didn't actually even have an incident response team
0:36:39.063,0:36:42.072 in place in their organization, even if it's an overlay team,
0:36:42.072,0:36:44.059 much less an incident response plan.
0:36:44.059,0:36:47.084 And if you don't have an incident response plan, you're certainly not going to exercise that
0:36:47.084,0:36:51.072 and so you really don't want to be on the receiving end of something like a DDoS attack
0:36:51.072,0:36:56.064 and not have a book in someone's hand that says this is the phone number I call for my ISP
0:36:56.064,0:37:01.044 or for my national CERT or for my vendor that provides a certain service or capability to me,
0:37:01.044,0:37:05.058 so I think it sort of starts with those fundamentals, identifying critical assets,
0:37:05.058,0:37:09.043 understanding what the options are to protect the things that are critical to you.
0:37:09.043,0:37:13.067 If it's moving services to cloud infrastructure, acquiring protection services for those,
0:37:13.067,0:37:16.078 putting your own controls in place, but you definitely need
0:37:16.078,0:37:18.014 to consider that in your environment.
0:37:18.014,0:37:19.037 Consider what the impact would be.
0:37:19.037,0:37:23.031 These are a real risk to your business and your operations and so,
0:37:23.031,0:37:27.000 I think fundamentally that's sort of where I would recommend you start, Brian.
0:37:27.000,0:37:32.091 >> Brian: Thanks Danny, so interesting in your comments, you mentioned ISPs,
0:37:32.091,0:37:37.026 we've got registry operators, you've got online service providers, we've got search engines,
0:37:37.026,0:37:43.018 so we really have a number of different service providers in this community
0:37:43.018,0:37:45.094 that help keep the internet up in a collaborative way.
0:37:45.094,0:37:52.013 The CSRIC effort for ISPs in particular sounds interesting and what we want to get
0:37:52.013,0:37:56.053 at a little bit later in the conversation is, across this community of service providers
0:37:56.053,0:38:00.028 who I assume have different roles and maybe different responsibilities in some ways,
0:38:00.028,0:38:05.057 how do we build on the collaboration that you've begun to speak about and also interestingly,
0:38:05.057,0:38:09.026 you spoke to the organization and what they should have in place.
0:38:09.026,0:38:14.005 Understanding what enables your business, having a plan in place, and the question that raises
0:38:14.005,0:38:18.068 for me is, well how do organizations know they should have these things
0:38:18.068,0:38:20.087 and how do we educate on that front as well?
0:38:20.087,0:38:27.031 So we'll get to that in a little bit, but to round out the panel, thank you all so far
0:38:27.031,0:38:31.038 for shedding some light on the scope and dimensions of the problem and how we can begin
0:38:31.038,0:38:36.054 to address it, but let me now go to Jillian.
0:38:36.054,0:38:42.024 Jillian, what I'd like you to talk about from your perspective is what are some
0:38:42.024,0:38:47.035 of the unintended consequences related to DDoS attacks and in particular,
0:38:47.035,0:38:51.042 help us start thinking about potential over-reactions to DDoS attacks.
0:38:51.042,0:38:57.021 We know that these attacks are nefarious in nature, we know that we have a panel
0:38:57.021,0:39:02.015 of good guys who are doing what they can and doing everything we think they should,
0:39:02.015,0:39:06.097 but tell us about the unintended consequences both from the malicious attack side
0:39:06.097,0:39:12.085 and when a well-intended operator tries to take mitigation techniques against an attack.
0:39:12.085,0:39:20.082 >> Jillian: Sure, so at the beginning of this I think Jeff referred to, actually I'm sorry,
0:39:20.082,0:39:23.084 Brian referred to sometimes these attacks being used as sort
0:39:23.084,0:39:25.052 of an extreme form of free expression.
0:39:25.052,0:39:27.039 I'm not sure I would classify it as free expression,
0:39:27.039,0:39:32.009 but we could say civil disobedience; that's been argued by many and an example of this
0:39:32.009,0:39:36.066 that might resonate a little bit better than say the Anonymous attacks against MasterCard
0:39:36.066,0:39:41.037 and Visa, would be people sympathetic to the Syrian opposition going
0:39:41.037,0:39:43.009 after Syrian Government websites.
0:39:43.009,0:39:45.056 That's something that a lot of people have sympathized with,
0:39:45.056,0:39:50.004 have considered civil disobedience in a scenario where the government has shut
0:39:50.004,0:39:52.061 down the internet, censored the internet, etcetera.
0:39:52.061,0:40:00.006 And so nevertheless the vast majority of these attacks are malicious, are directed at,
0:40:00.006,0:40:03.009 not just these big companies and the big networks, but also at the little guy
0:40:03.009,0:40:06.006 and that's kind of where my perspective is coming from.
0:40:06.006,0:40:11.074 A few years ago when I was still at the Berkman Center, we did a study that looked at attacks
0:40:11.074,0:40:17.045 on human rights websites and independent media websites, and 62% of the respondents
0:40:17.045,0:40:23.066 to that study said that they had experienced a DDoS attack at some point and as Damian said,
0:40:23.066,0:40:26.027 Google is sort of at, what would you say, the core of the network.
0:40:26.027,0:40:30.013 Google has resources, they have staff, they own fiber,
0:40:30.013,0:40:36.042 but then you've got these other small organizations
0:40:36.042,0:40:38.009 that are what we would say is at the edge of the network.
0:40:38.009,0:40:42.009 These are organizations that not only are they literally at the edge of the network
0:40:42.009,0:40:46.073 but they also lack the funding and the staff to ward off an attack.
0:40:46.073,0:40:52.087 They often have fairly insecure hosting, their host might jack up the cost in an effort
0:40:52.087,0:40:58.005 to help them and so if you are using say, I don't want to throw any specific examples
0:40:58.005,0:41:02.047 out there although I have a couple, but if you're using say a shared hosting provider
0:41:02.047,0:41:08.007 such as Rackspace or Bluehost, I'm not speaking of those companies specifically but,
0:41:08.007,0:41:12.002 if you're using one of those, and you are the victim of an attack,
0:41:12.002,0:41:17.015 your provider could kick you off, they could also raise your costs which for many
0:41:17.015,0:41:19.094 of us would be completely unaffordable.
0:41:19.094,0:41:23.074 And so, when we're looking at the unintended consequences of these,
0:41:23.074,0:41:26.037 I mean I think that there's a couple of different aspects here.
0:41:26.037,0:41:31.022 One is the legal consequences and so I'm not a lawyer and so I should say
0:41:31.022,0:41:37.033 that I should just preface by saying that, but you know these attacks are largely
0:41:37.033,0:41:41.059 by most governments at this point considered hacking and are dealt with as such.
0:41:41.059,0:41:45.015 And so in the U.S. that's governed by the Computer Fraud and Abuse Act
0:41:45.015,0:41:51.015 and in Europe there are other similar conventions, but I think that we need
0:41:51.015,0:41:55.013 to start looking at them as a little bit different than that.
0:41:55.013,0:41:58.082 I think that you need to look at the sort of the [inaudible] behind the attack,
0:41:58.082,0:42:04.072 we need to look at the consequences of the attack, and I think a great example
0:42:04.072,0:42:09.076 of this is an attack that was conducted against Lufthansa, the German airline, back in gosh,
0:42:09.076,0:42:16.054 I'm not going to remember the year, early 2000s I believe, where a court actually did determine
0:42:16.054,0:42:22.028 that the intent of that attack was not coercion and was there--
0:42:22.028,0:42:28.013 I'm not a lawyer so I feel like I'm using the wrong language here,
0:42:28.013,0:42:32.002 but it was dealt with as civil disobedience and so.
0:42:32.002,0:42:34.092 But that's actually not my biggest concern.
0:42:34.092,0:42:39.039 My biggest concern is the unintended consequences on these smaller websites
0:42:39.039,0:42:43.002 and so when we look at the consequences on independent human rights
0:42:43.002,0:42:49.067 and independent media websites, generally these sites go offline and are not able
0:42:49.067,0:42:53.046 to quickly get back up and so we've seen attacks that last a week, 6 weeks,
0:42:53.046,0:42:55.045 or where the site goes down entirely.
0:42:55.045,0:42:58.006 And so some of the suggestions that have already been given are excellent
0:42:58.006,0:43:02.005 and I think actually what Damian said in terms of people moving their sites to Google,
0:43:02.005,0:43:06.082 that's actually one of the suggestions that we give is, if you are a small website,
0:43:06.082,0:43:10.097 sometimes you're just better off hosting your site on a provider like Google
0:43:10.097,0:43:14.082 where you have those resources to back you up.
0:43:14.082,0:43:17.026 We've also, my organization along
0:43:17.026,0:43:21.026 with the Tactical Technology Collective has also developed this guide which is really,
0:43:21.026,0:43:23.034 really basic mitigation techniques.
0:43:23.034,0:43:26.039 We're not even talking about the kinds of things that a corporate website
0:43:26.039,0:43:32.032 or even a large-scale organization would use, but the things that your blogger,
0:43:32.032,0:43:35.021 your independent media site might utilize.
0:43:35.021,0:43:39.009 And this is available, I'll share it after, but it's also available in 9 languages.
0:43:39.009,0:43:46.035 And so just to sum up, I would say that we need to think about these attacks,
0:43:46.035,0:43:52.019 not just how they affect major websites, but also how they affect much smaller organizations.
0:43:52.019,0:43:53.012 >> Brian: Thank you.
0:43:53.012,0:43:54.029 So thank you all.
0:43:54.029,0:43:58.053 We've now set the scene, I hope, and provided some baseline understanding of the nature
0:43:58.053,0:44:00.071 of the attacks, the scope of the attacks.
0:44:00.071,0:44:01.098 We have 2 hours.
0:44:01.098,0:44:08.023 What we're going to do is as follows, we're going to leave 30 minutes at the end for Q&A
0:44:08.023,0:44:11.086 from the folks in the room and from online and we're looking forward to all of your questions.
0:44:11.086,0:44:14.022 We're going to have basically 2 sessions now.
0:44:14.022,0:44:20.061 What I'm going to do now is engage in some Q&A with the panelists and we'll have 45 minutes
0:44:20.061,0:44:26.021 for that and then we have in the second session a scenario that we've built that we want
0:44:26.021,0:44:29.035 to roll out in front of our panelists and ask how they,
0:44:29.035,0:44:33.026 in their respective roles, would react to that particular scenario.
0:44:33.026,0:44:38.098 Now I've got about 7 questions or so, we've got 45 minutes so this isn't rapid-fire
0:44:38.098,0:44:43.051 but let's leave about 5 or 6 minutes for a response to each of these questions.
0:44:43.051,0:44:48.025 This is open to anyone on the panel so let's be dynamic, raise your hand, don't be shy
0:44:48.025,0:44:53.091 and we'll kick it off with the first question which is; let's get specific and both
0:44:53.091,0:44:56.063 from your perspective and from a user's perspective.
0:44:56.063,0:45:00.016 What mitigation techniques are available to us today?
0:45:00.016,0:45:05.032 Both you, as a service provider, and the user, how do we stop these things at a basic level?
0:45:05.032,0:45:07.085 Who would like to take that on first?
0:45:07.085,0:45:09.018 Ram.
0:45:09.018,0:45:16.007 >> Ram: Brian, this is Ram, let me start; if I was a user, one of the things that I'd want
0:45:16.007,0:45:29.076 to do is if I have a good ISP, then they probably have a botnet mitigation kit
0:45:29.076,0:45:35.063 or something like that, that gets installed in my computing devices and if not,
0:45:35.063,0:45:43.015 I would go to my ISP and ask them for a mitigation kit like that.
0:45:43.015,0:45:45.013 They're pretty commonly available.
0:45:45.013,0:45:50.035 They're pretty sophisticated and they give you the first order of protection.
0:45:50.035,0:45:57.096 I just also want to point out; having antivirus software in your computer doesn't protect you
0:45:57.096,0:46:03.008 from your computer getting compromised in a DDoS attack.
0:46:03.008,0:46:03.008 >> Brian: That's interesting.
0:46:03.008,0:46:06.052 Most average users would assume that that addresses that problem.
0:46:06.052,0:46:09.015 Tell us why.
0:46:09.015,0:46:12.006 >> Ram: So earlier, let me give you an example, earlier we were hearing
0:46:12.006,0:46:16.091 about spear-phishing, right, so I'll give you a specific example,
0:46:16.091,0:46:20.098 something that actually happened in one of the organizations I work with.
0:46:20.098,0:46:29.069 A high-level executive in this company, it's a pretty small company, got an email
0:46:29.069,0:46:35.086 and the email had a very good subject line, you know, it's a photograph of their daughter.
0:46:35.086,0:46:41.015 And it said, took this photograph, she looks great
0:46:41.015,0:46:44.062 and even had the daughter's name on it, right?
0:46:44.062,0:46:49.016 And so the executive got the mail, it looked like a legitimate thing and the,
0:46:49.016,0:46:55.006 from address in the email was kind of somebody he ran into at random,
0:46:55.006,0:46:59.003 but there were enough things in the mail that looked like it was real, you know.
0:46:59.003,0:47:04.064 It was, the daughter's name was right, there was actually a photograph and so they double-clicked
0:47:04.064,0:47:10.003 and they opened up the photograph and that compromised their machine and ended
0:47:10.003,0:47:13.008 up compromising the network from there on, right?
0:47:13.008,0:47:18.008 Now that was not a virus in the traditional sense of a virus.
0:47:18.008,0:47:23.073 That was something that was custom crafted just for that one individual
0:47:23.073,0:47:30.059 because the person trying to break in had a clear idea who this person was,
0:47:30.059,0:47:35.099 they were trying to penetrate, they understood that that person likely had access
0:47:35.099,0:47:41.085 to other important resources inside of the company's corporate network, got through.
0:47:41.085,0:47:48.036 So, they had antivirus on their computer, but this was not the traditional virus,
0:47:48.036,0:47:54.078 this was an attack just aimed at you, individually.
0:47:54.078,0:47:58.093 >> Brian: Thank you and getting back to the botnet protection package from your ISP,
0:47:58.093,0:48:01.051 at a basic level what does that provide?
0:48:01.051,0:48:06.098 We heard the story of how your own computer can become an unwitting zombie participating
0:48:06.098,0:48:11.084 in a botnet attack, is it designed to prevent that from happening, or other things?
0:48:11.084,0:48:16.085 That was a follow-up for Ram.
0:48:16.085,0:48:19.089 >> Ram: Oh, for me specifically.
0:48:19.089,0:48:26.008 Okay, yeah there are many things that this piece of software or these pieces of software do,
0:48:26.008,0:48:32.095 but often they look at patterns, they look at where the attacks may be coming from.
0:48:32.095,0:48:38.074 They also look at what's happening on your own device and where it's trying to connect to
0:48:38.074,0:48:41.033 and typically you've got certain patterns.
0:48:41.033,0:48:47.067 You go to a certain set of sites or you send emails, you know, you connect to a known set
0:48:47.067,0:48:55.034 of places for the most part and if your device has been compromised, often your device is going
0:48:55.034,0:48:59.011 to places that you normally don't go to
0:48:59.011,0:49:04.073 and your ISP typically has an idea of that stored up over time.
0:49:04.073,0:49:05.004 >> Brian: Thank you.
0:49:05.004,0:49:08.089 So let's dig a little bit deeper on that.
0:49:08.089,0:49:14.057 What was in your answer was, how do we identify where this problem is coming from?
0:49:14.057,0:49:19.076 I think it's an important piece of the puzzle here and you, in your service provider capacity,
0:49:19.076,0:49:23.078 let's turn deeper on preventative measures.
0:49:23.078,0:49:27.007 How can we identify where these malicious attacks are coming from?
0:49:27.007,0:49:30.067 Is that an easy thing to solve for, or a harder thing to solve
0:49:30.067,0:49:33.084 for from the service provider perspective and also from the user?
0:49:33.084,0:49:35.092 I think Ram just started to touch on that.
0:49:35.092,0:49:37.064 Anybody want to take that on?
0:49:37.064,0:49:40.015 So, Danny?
0:49:40.015,0:49:44.025 >> Danny: Yeah, this is Danny, I'll say something about that and then move on to others,
0:49:44.025,0:49:49.045 but one of the things I think I would touch on initially is that if you're on the receiving end
0:49:49.045,0:49:52.009 of even a moderate sized DDoS attack,
0:49:52.009,0:49:56.009 a lot of the bigger networks have the capacity to absorb the attack.
0:49:56.009,0:50:00.098 What many ISPs or services in the infrastructure offer is the capability
0:50:00.098,0:50:05.002 to absorb the large-scale bits of malicious traffic and surgically mitigate
0:50:05.002,0:50:07.074 and preserve the availability of the services
0:50:07.074,0:50:10.063 that someone may be concerned with, so that's sort of one aspect.
0:50:10.063,0:50:16.014 From an ISP side, one of the interesting things is that IP is a sort
0:50:16.014,0:50:23.007 of hop-by-hop packet forwarding paradigm for communications networks and anyone,
0:50:23.007,0:50:29.096 largely anyone on the internet can emit a packet in the infrastructure that has a source address
0:50:29.096,0:50:34.000 of anyone else on that infrastructure and so this is known as IP source address spoofing.
0:50:34.000,0:50:38.011 And it's a common attack vector, it's not the only attack vector and a lot
0:50:38.011,0:50:41.014 of times botted hosts don't spoof packets at all,
0:50:41.014,0:50:45.025 but traceback in large networks is fairly complex.
0:50:45.025,0:50:49.077 There are a lot of techniques people use, from some things like commercial tools
0:50:49.077,0:50:53.075 that do NetFlow and flow-based analysis to trace back to the ingress of their network.
0:50:53.075,0:50:57.025 The problem is you then have to have the capability to say to the upstream
0:50:57.025,0:51:00.018 or the adjacent network, the attack flows I'm seeing are from you.
0:51:00.018,0:51:01.082 Can you trace these back on your network?
0:51:01.082,0:51:04.004 Hope that they have the same capability and so forth.
0:51:04.004,0:51:08.037 And so it's non-trivial given the fact that any sort of adversary
0:51:08.037,0:51:13.043 on the internet has global projection capability and you could be on the receiving end of a lot
0:51:13.043,0:51:16.015 of packet lull as a result of that, right, you know what I mean,
0:51:16.015,0:51:19.000 and these could be broadly distributed or single-source attacks.
0:51:19.000,0:51:23.012 So, tracing these attacks back is one aspect.
0:51:23.012,0:51:28.000 So you would certainly want to trace back, flow-based tools, other things, and then ideally
0:51:28.000,0:51:31.008 if you could find sources that were participating in an attack, then you could try
0:51:31.008,0:51:35.009 and identify command and control infrastructure that's used to command
0:51:35.009,0:51:41.009 or to control those attack sources or those botnet hosts and then you would step back
0:51:41.009,0:51:46.018 from there, but that's an extremely complex thing and unfortunately what most people do,
0:51:46.018,0:51:50.068 and to Jillian's point actually, is that a lot of the controls some people put in place
0:51:50.068,0:51:54.092 to mitigate DDoS attacks is actually to effectively complete those attacks.
0:51:54.092,0:51:59.002 It's like hey, there's a large-scale attack of 10 gigabytes per second going toward one
0:51:59.002,0:52:07.011 of the smaller hosts on my network so, what an ISP may do is actually say I'm going
0:52:07.011,0:52:10.007 to drop all the traffic towards that destination at the ingress of my network.
0:52:10.007,0:52:13.023 So what they do is effectively complete the attack.
0:52:13.023,0:52:16.056 That's why it's so important to have controls in place to be able to identify
0:52:16.056,0:52:20.056 and surgically mitigate those attacks, before the attacks occur, so anyway.
0:52:20.056,0:52:21.057 >> Brian: Thank you, very interesting. 0:52:21.057,0:52:23.066 Anybody else want to pick up on this point? 0:52:23.066,0:52:24.076 Miguel. 0:52:24.076,0:52:30.016 >> Miguel: Just adding to what Danny is saying, collaboration to try to figure 0:52:30.016,0:52:34.038 out what the attack sources are is key and it's not something 0:52:34.038,0:52:37.025 that happens very well currently. 0:52:37.025,0:52:42.098 It's something that the internet community is trying to improve on but we're nowhere near 0:52:42.098,0:52:48.002 where we need to be and to be able to do some of the things that Danny is referring to, 0:52:48.002,0:52:52.033 you kind of have to have backchannel communications between providers. 0:52:52.033,0:52:56.003 You have to be able to have somebody on the inside, 0:52:56.003,0:53:01.093 somewhere that you can share intelligence with and that's something that's difficult. 0:53:01.093,0:53:07.031 The last thing I'll say about it is that sometimes, 0:53:07.031,0:53:16.015 where or who it is that's doing it is not necessarily that important potentially. 0:53:16.015,0:53:20.001 When these things are happening, a lot of people might be focused 0:53:20.001,0:53:25.085 on getting their infrastructure back online, but you do have to temper that with the fact 0:53:25.085,0:53:30.003 that as Jeff was alluding to earlier, this might be something 0:53:30.003,0:53:34.000 that an organization is doing while they're doing something else. 0:53:34.000,0:53:36.065 It could very well be a diversionary tactic. 0:53:36.065,0:53:41.068 >> Brian: Let me pick up on one point there Miguel, you know you mentioned the collaboration 0:53:41.068,0:53:45.068 between and across network operators being a challenge.
0:53:45.068,0:53:49.092 Is that a resource challenge, is it a communications challenge, 0:53:49.092,0:53:54.007 is it a technical sophistication challenge, because it is understood from Danny's comment 0:53:54.007,0:53:57.091 that this is a complex investigation that has to cross a number 0:53:57.091,0:54:00.072 of different network operators to get to the answer. 0:54:00.072,0:54:02.062 What's the issue there? 0:54:02.062,0:54:10.066 >> Miguel: I would say that there's a corporate privacy challenge that a lot 0:54:10.066,0:54:18.006 of organizations don't really want their technical staff or the staff that are dealing 0:54:18.006,0:54:23.089 with this problem to be collaborating with other operators and that's a significant roadblock. 0:54:23.089,0:54:24.074 >> Brian: Thank you. 0:54:24.074,0:54:26.035 Jillian-- oh go ahead Damian? 0:54:26.035,0:54:29.061 >> Damian: I also wanted to say that I think that the 3 things that you mentioned, 0:54:29.061,0:54:32.009 Brian, it being resources and technical issues 0:54:32.009,0:54:38.024 and communication, are also significant challenges even if you do get 0:54:38.024,0:54:42.031 through the communication barrier to talking to somebody at the ISP, 0:54:42.031,0:54:46.049 they might not have the technical capability to track it further back 0:54:46.049,0:54:50.079 or they might not have the resources to spend time on spending an hour to track it back. 0:54:50.079,0:54:56.046 Just knowing that it will just go to yet another ISP that won't have time to communicate 0:54:56.046,0:54:59.012 with you or track it back or anything. 0:54:59.012,0:55:00.014 >> Brian: Right, thank you. 0:55:00.014,0:55:00.096 Jillian. 0:55:00.096,0:55:03.002 >> Jillian: Sure, I'm just going to make my point again 0:55:03.002,0:55:05.008 to the sort of smaller organizations.
0:55:05.008,0:55:09.073 I think that it's important for them to sort of assess beforehand, before this is even an issue, 0:55:09.073,0:55:12.047 both what their risk is, if they can do that, 0:55:12.047,0:55:16.011 as well as what their priorities are in the event of a DDoS attack. 0:55:16.011,0:55:20.052 And so, for a lot of these organizations that I'm thinking of, I'm thinking of sort 0:55:20.052,0:55:23.057 of the human rights sites in embattled countries. 0:55:23.057,0:55:28.072 A lot of times their priority is just to stay up and to keep their content on the internet 0:55:28.072,0:55:32.009 in the event of an attack and sometimes these attacks are coming during say, election periods, 0:55:32.009,0:55:38.051 or periods of protest and so a lot of times what that means is choosing their host wisely, 0:55:38.051,0:55:43.098 so we talked about that a little bit but knowing what their host can do to mitigate an attack, 0:55:43.098,0:55:47.064 but also if they're high-risk, considering DDoS-resistant hosting 0:55:47.064,0:55:49.066 or some programs that are starting to come up. 0:55:49.066,0:55:53.085 Some of these are pretty cost prohibitive for smaller organizations but, there are a couple 0:55:53.085,0:55:56.021 that are a little bit more affordable. 0:55:56.021,0:55:57.044 One of them is called Virtual Road. 0:55:57.044,0:56:02.034 It's hosted by the international-- I forget the acronym-- IMS-- 0:56:02.034,0:56:04.094 forget that but based in Denmark. 0:56:04.094,0:56:08.061 Another thing is to, you know really easy stuff, keep backups of your site. 0:56:08.061,0:56:11.025 I know that seems so simple, but that's something that a lot 0:56:11.025,0:56:15.055 of these sites are not thinking of and so when their site goes down, it goes down forever. 0:56:15.055,0:56:17.072 And then another thing is just mirroring their site.
0:56:17.072,0:56:21.064 If we're talking about a site that's say in Iran that's going to come 0:56:21.064,0:56:26.025 under attack during elections or something like that, you know making sure that that content is 0:56:26.025,0:56:28.043 up somewhere else can be really important. 0:56:28.043,0:56:32.027 You know URLs don't matter as much as they used to, thanks to social media. 0:56:32.027,0:56:36.008 And so just making sure that that content is still up and available is a lot 0:56:36.008,0:56:41.015 of times more important than actually immediately mitigating the attack. 0:56:41.015,0:56:42.081 >> Brian: Jeff? 0:56:42.081,0:56:46.048 >> Jeff: Real briefly, I would say in particular, if you have limited resources, 0:56:46.048,0:56:49.061 figure out what your purpose in tracking back is. 0:56:49.061,0:56:53.091 If there's a technical side of it and as smarter folks up here may appear to have explained it. 0:56:53.091,0:56:58.049 It's very difficult to get to the end but let's say you get through all those hurdles 0:56:58.049,0:57:03.012 and you find out where it's actually coming from, then you walk into a human problem. 0:57:03.012,0:57:04.073 Do you really care what the motivation is? 0:57:04.073,0:57:10.047 I mean, if your goal is to stay up, you may only want to track back far enough to be able 0:57:10.047,0:57:15.097 to protect yourself and even if you get to the end, you know it's a bunch of computers sitting 0:57:15.097,0:57:21.088 in country x, you'd have to get to those people to figure out is it a nation state act, 0:57:21.088,0:57:24.084 is it a bunch of individuals, is it somehow loosely connected?
0:57:24.084,0:57:29.001 So the track back, you know I would say just from my perspective thinking about this 0:57:29.001,0:57:32.075 when I was up on the hill, there is a techno side, but there's very much the political 0:57:32.075,0:57:36.098 and security side and you get into human litigations there which are even harder 0:57:36.098,0:57:41.076 to track back than some of the techno stuff. 0:57:41.076,0:57:42.091 >> Brian: Thank you Jeff. 0:57:42.091,0:57:45.036 Let me ask a slightly different question. 0:57:45.036,0:57:51.095 When an attack is happening, does it matter what the targeted platform is from your perspective 0:57:51.095,0:57:53.056 and how you react to it, how do you manage it? 0:57:53.056,0:57:58.016 For example if it's an attack against the banks as we've been seeing recently, versus an attack, 0:57:58.016,0:58:02.053 versus a social media site or a small-user site. 0:58:02.053,0:58:07.074 Does the nature of the target affect the way you address the problem, 0:58:07.074,0:58:08.094 try to mitigate the problem? 0:58:08.094,0:58:12.014 Can you give us some dimension on that front? 0:58:12.014,0:58:13.054 0:58:13.054,0:58:16.004 Miguel, do you want to go first? 0:58:16.004,0:58:17.047 >> Danny: Yeah, sure. 0:58:17.047,0:58:20.091 Yeah so what I would say is that if you're trying to mitigate an attack, 0:58:20.091,0:58:23.016 what you're really trying to do is preserve the availability 0:58:23.016,0:58:24.065 of the services that you care about. 0:58:24.065,0:58:29.003 And so you've really got to flip and say you know, I really want to scrub out the bad stuff 0:58:29.003,0:58:30.087 and try and be able to absorb this attack. 0:58:30.087,0:58:34.078 One of the interesting things, when you see numbers thrown around on scale, frequency, 0:58:34.078,0:58:39.006 duration, attack vectors, all those things, you might see a 10 gigabyte per second attack.
0:58:39.006,0:58:45.008 Well what a 10 gigabytes per second attack is on a webserver or on a DNS server is very different. 0:58:45.008,0:58:49.054 That means 10 gigabytes per second of transaction servicing capacity. 0:58:49.054,0:58:54.024 Right, that's basically I've got to be able to process 10 gigabytes per second of DNS packets 0:58:54.024,0:58:59.048 or of web-service packets or SSL packets or whatever the service is you're concerned with 0:58:59.048,0:59:02.024 and that's the only way you can preserve the availability of that. 0:59:02.024,0:59:05.053 So where it gets more and more complex, is when you have more state-based 0:59:05.053,0:59:08.063 and more complex applications 0:59:08.063,0:59:13.004 that more sophisticated attacks become problematic in that manner. 0:59:13.004,0:59:18.016 So I think it absolutely depends on the attack vector. 0:59:18.016,0:59:22.081 One of the challenges is that sort of commodity, off the shelf routers and firewalls 0:59:22.081,0:59:25.043 and those things don't do application [inaudible] mitigation. 0:59:25.043,0:59:27.014 They don't provide certain capabilities. 0:59:27.014,0:59:30.053 On the other hand, if it's some services it may be simpler 0:59:30.053,0:59:34.054 to simply absorb a high-rate per second attack 0:59:34.054,0:59:38.032 or to just drop bad traffic that's not targeting a production service. 0:59:38.032,0:59:42.005 So, yeah in short the answer is yes to your question, I think. 0:59:42.005,0:59:44.007 >> Brian: Thank you, Miguel. 0:59:44.007,0:59:47.011 >> Miguel: Danny mentioned that the type of infrastructure 0:59:47.011,0:59:50.009 that is being attacked matters, I absolutely agree. 0:59:50.009,0:59:55.002 The type of organization that is being attacked also plays a factor potentially 0:59:55.002,1:00:00.095 in how you're dealing with the problem of mitigating the attack.
1:00:00.095,1:00:04.039 I think Jeff alluded to the fact earlier that there are attacks 1:00:04.039,1:00:06.033 that are potentially, for example, extortion. 1:00:06.033,1:00:11.077 There's activist-type attacks; I'll use the activists' example. 1:00:11.077,1:00:15.017 These people that are protesting and attacking your site, 1:00:15.017,1:00:21.001 they're most likely discussing it online, so they're congregating on Twitter, on Facebook, 1:00:21.001,1:00:25.029 Pastebin, whatever site it is that they're using, IRC, 1:00:25.029,1:00:31.098 you know internet relay chat rooms, they're discussing attack strategies there. 1:00:31.098,1:00:36.071 So, what kind of an attack it is, and which organization is being attacked, 1:00:36.071,1:00:42.009 it does matter because you do want to factor in how you're monitoring social media based 1:00:42.009,1:00:48.091 on the particular attack because it can help you determine what it is that you need 1:00:48.091,1:00:51.069 to do and what you need to focus on. 1:00:51.069,1:00:52.098 1:00:52.098,1:00:54.053 >> Brian: Anyone else? 1:00:54.053,1:00:55.094 1:00:55.094,1:00:58.055 Let me shift gears here. 1:00:58.055,1:01:03.012 I think by now, hopefully we've got a fairly good picture of the dimensions 1:01:03.012,1:01:06.088 of DDoS attacks both from website operator, 1:01:06.088,1:01:10.086 individual user, service provider, civil society. 1:01:10.086,1:01:13.067 It's an important problem. 1:01:13.067,1:01:16.041 It's a growing problem, there's no doubt about that. 1:01:16.041,1:01:19.029 It gets bigger each year, it's a big cat and mouse game, 1:01:19.029,1:01:23.000 we have a hard time identifying the bad guys, tracking them down, 1:01:23.000,1:01:25.081 stopping them from doing what they're doing. 1:01:25.081,1:01:27.078 Who should fix this problem? 1:01:27.078,1:01:29.067 1:01:29.067,1:01:35.006 Private sector, government, how do we fix this problem?
1:01:35.006,1:01:39.022 Collaboration is important, we've heard that but it seems like it's a game 1:01:39.022,1:01:41.056 that we're not necessarily winning. 1:01:41.056,1:01:43.003 Anyone want to take that on? 1:01:43.003,1:01:45.006 Pros and cons, Damian? 1:01:45.006,1:01:46.069 1:01:46.069,1:01:48.043 >> Damian: I'll start off the discussion. 1:01:48.043,1:01:55.085 So I think a lot of the difficulty we have is that nobody feels actually responsible 1:01:55.085,1:02:01.042 so the attacks are often being sourced from compromised machines 1:02:01.042,1:02:04.031 and people are saying well it's not my fault, my machine is compromised. 1:02:04.031,1:02:09.031 You know they don't know it, it's an end user, they don't actually know how 1:02:09.031,1:02:12.057 to secure their machine, they're not even aware 1:02:12.057,1:02:16.027 that their machine is participating in the attack. 1:02:16.027,1:02:19.048 Then it goes from that machine through an ISP and the ISP says well, 1:02:19.048,1:02:24.006 we're just providing network transit to our customers. 1:02:24.006,1:02:26.089 We don't actually look at what that content is. 1:02:26.089,1:02:32.024 And then it might go through multiple ISPs and eventually get to the victim 1:02:32.024,1:02:37.011 who really doesn't have any choice but to just receive this traffic. 1:02:37.011,1:02:43.093 So I think the root issue here is to figure out who you would actually hold responsible 1:02:43.093,1:02:48.069 for these attacks and then maybe figure out in what way they would be held responsible.
1:02:48.069,1:02:52.005 You know clearly, we don't want to hold the home user responsible 1:02:52.005,1:02:58.054 for an attack they weren't aware that they were committing, however, if we could inform them 1:02:58.054,1:03:02.085 and they refuse to fix their machine, maybe after they've had that opportunity 1:03:02.085,1:03:06.086 to fix their machine and they refuse to, or after we inform a hosting provider 1:03:06.086,1:03:10.000 that has compromised webservers that are attacking you. 1:03:10.000,1:03:13.057 If they don't fix those machines after a month and they're still attacking, 1:03:13.057,1:03:16.026 maybe there should be some responsibility there. 1:03:16.026,1:03:20.041 >> Brian: So that's an interesting thought Damian because you all do have terms of service 1:03:20.041,1:03:24.011 and abuse policies that users agree to when they use your service, 1:03:24.011,1:03:25.083 so that's an interesting thought. 1:03:25.083,1:03:30.000 Jeff, I want to throw this to you and I know this is part of your past experience, 1:03:30.000,1:03:34.085 but having been in the Senate and House Committee, can you bring a little bit 1:03:34.085,1:03:37.016 of the government perspective to the question I asked 1:03:37.016,1:03:40.009 of who should be fixing this problem and how? 1:03:40.009,1:03:41.051 >> Jeff: So I guess I would step back 1:03:41.051,1:03:47.047 and say that we can't define this problem as just DoS attacks. 1:03:47.047,1:03:50.073 You know you phrase it as, it's not a game of winning, well, 1:03:50.073,1:03:53.009 in my mind it's not a game that will ever end. 1:03:53.009,1:03:58.029 To the extent it's more of a constant race, how far ahead or behind are we 1:03:58.029,1:04:02.035 of the people developing new ways to attack?
1:04:02.035,1:04:08.003 And to my first point about, it's a broader problem, if someone has a computer 1:04:08.003,1:04:12.094 that is being used as part of a botnet for a DDoS attack or something else, 1:04:12.094,1:04:17.028 it's very likely that the folks who are on that computer could do a lot of other things 1:04:17.028,1:04:21.045 with that computer or to that person's identity or steal their banking credentials, 1:04:21.045,1:04:26.007 so it is a much broader problem and I think Damian made a good point is everyone kind 1:04:26.007,1:04:29.048 of pushes it back but at some level it needs to start 1:04:29.048,1:04:34.081 with users taking more control over their computers. 1:04:34.081,1:04:37.062 Not just looking at antivirus but broader protections. 1:04:37.062,1:04:42.097 The government's role from my perspective and that's something that we worked 1:04:42.097,1:04:47.003 on, the projects I worked on the hill are much more critical infrastructure focused, 1:04:47.003,1:04:51.043 but if it's true there, I think it's even more true with a much more commercial side. 1:04:51.043,1:04:56.001 It's got to be private sector laden and the government can play a role facilitating 1:04:56.001,1:05:02.049 and educating and punishing and perhaps in some areas where there is significant possibility 1:05:02.049,1:05:06.094 of major national impact requiring some standards, you're not going to do 1:05:06.094,1:05:11.078 that for John Smith who has his computer at home, you're not going to say 1:05:11.078,1:05:15.002 that there is a minimum security [inaudible] that you have to have 1:05:15.002,1:05:17.083 in order to log into the internet. 1:05:17.083,1:05:19.085 Were you even to try that, it would never pass.
1:05:19.085,1:05:24.001 But the government can play a significant role educating folks; 1:05:24.001,1:05:29.013 simple things as patching whatever software applications you have, making it the easiest way 1:05:29.013,1:05:30.028 for someone to get into your computer. 1:05:30.028,1:05:33.095 The patch comes out, someone is out there trying to figure out what was patched 1:05:33.095,1:05:36.046 and how can we take advantage of the people who don't patch. 1:05:36.046,1:05:41.045 So the government, I think the role, sort of hopefully I'm answering the question. 1:05:41.045,1:05:43.085 The role the government is going to play is going to depend on what you're talking about. 1:05:43.085,1:05:46.061 If it's an attack on water, electrical, other systems the government is going 1:05:46.061,1:05:49.071 to have a very active role, hopefully ahead of time, protecting 1:05:49.071,1:05:51.089 and assisting in developing protections. 1:05:51.089,1:05:55.032 The government will also have a role in the backend where possible prosecuting, 1:05:55.032,1:05:57.069 investigating and that's where your earlier question 1:05:57.069,1:06:00.087 about does it matter who is being attacked? 1:06:00.087,1:06:04.001 Maybe it shouldn't, but the government is going to be much more focused when you have a series 1:06:04.001,1:06:08.027 of major banks attacked, looking whether there's another type of attack going on 1:06:08.027,1:06:11.076 or there are more laws that apply [inaudible] after that. 1:06:11.076,1:06:18.051 Than if it is, you're attacking someone's speech on Blogspot, so the government's role is going 1:06:18.051,1:06:23.026 to vary, I think depending upon where you are but ultimately it can't be government led 1:06:23.026,1:06:28.065 because it will end up being less effective and more [inaudible], in my view. 1:06:28.065,1:06:29.068 >> Brian: Thank you.
1:06:29.068,1:06:37.048 Let me ask for the service providers, you all run services that are globally accessible. 1:06:37.048,1:06:43.087 You all have network footprints that are global to some extent. 1:06:43.087,1:06:48.001 Specifically, engaging with law enforcement which I'm sure you do, 1:06:48.001,1:06:53.061 you all work for law abiding companies who under the proper circumstances collaborate 1:06:53.061,1:06:57.047 with law enforcement to address legitimate concerns. 1:06:57.047,1:07:02.065 What are you seeing in your interactions with law enforcement 1:07:02.065,1:07:05.084 that provides the good seeds for collaboration? 1:07:05.084,1:07:09.062 What do you think might be missing in your interactions with law enforcement? 1:07:09.062,1:07:13.044 I'd like the service providers to address that point. 1:07:13.044,1:07:18.037 Who wants to go first, Ram? 1:07:18.037,1:07:19.036 >> Ram: Let me start. 1:07:19.036,1:07:24.039 One of the things that is striking in interactions with law enforcement, 1:07:24.039,1:07:30.023 one of the fundamentals here is that this is essentially a borderless problem 1:07:30.023,1:07:34.036 and law enforcement has a broader problem. 1:07:34.036,1:07:34.095 >> Brian: Okay. 1:07:34.095,1:07:38.045 >> Ram: Not a problem, they have to work 1:07:38.045,1:07:41.055 within the jurisdictions of the borders that they're in.
1:07:41.055,1:07:46.005 So often when you're collaborating and working on uncovering, 1:07:46.005,1:07:52.072 you know somebody is running a botnet that's got some significant problems behind it 1:07:52.072,1:07:56.032 and if you start to do trace-backs, you'll find that the folks 1:07:56.032,1:08:02.047 in law enforcement would rather work with you informally than formally 1:08:02.047,1:08:10.093 because if they go formal, then you go through a method where you then have 1:08:10.093,1:08:17.001 to involve every law enforcement agency at every border that is crossed on the internet. 1:08:17.001,1:08:20.024 It's pretty damn easy to cross those borders. 1:08:20.024,1:08:27.006 So, that's a, I think that's an essential thing and the real world hasn't 1:08:27.006,1:08:31.041 yet caught up to that reality online. 1:08:31.041,1:08:39.035 That attacks come from multiple borders, from across multiple borders and they morph 1:08:39.035,1:08:50.048 in real time, depending what the response looks like, and so that's a very significant factor 1:08:50.048,1:08:58.027 when we work for instance on, a year and a half ago, we worked on pulling together part 1:08:58.027,1:09:06.055 of an industry or in a taskforce on child abuse, a set of sites that were focused on child abuse 1:09:06.055,1:09:17.009 and they were using that to infect the computers of those who had the bad stuff on it 1:09:17.009,1:09:19.099 to make them part of a zombie network. 1:09:19.099,1:09:28.022 And it got very snarled up in various jurisdictions' legal restrictions, 1:09:28.022,1:09:34.047 the necessity to preserve evidence, versus the imperative to solve the problem 1:09:34.047,1:09:37.062 and make sure it doesn't become very large. 1:09:37.062,1:09:38.097 >> Brian: Interesting. 1:09:38.097,1:09:42.001 Anyone else, Danny?
1:09:42.001,1:09:44.099 >> Danny: Yeah so I'll point out again, some of the work that you know 1:09:44.099,1:09:48.063 with public/private sector partnerships, I think that's so important. 1:09:48.063,1:09:51.069 Certainly I don't think you're going to regulate your way out of this, right? 1:09:51.069,1:09:58.001 From a controls perspective there are 869 things that I have to do in my day job just 1:09:58.001,1:10:01.002 to check boxes and those make me marginally more secure, right, 1:10:01.002,1:10:06.000 82% of IT security spend goes towards compliance and regulatory controls 1:10:06.000,1:10:08.073 and then people try and get secure on top of that. 1:10:08.073,1:10:13.088 Those sorts of things are like antivirus software and there's 10 new pieces 1:10:13.088,1:10:17.075 of malcode a second on the internet, yet AV is a frontline defense 1:10:17.075,1:10:23.072 to protect the residential user or maybe even a corporate machine, and so I think education 1:10:23.072,1:10:28.065 of the threat vector, some of the very fundamental stuff like patching systems 1:10:28.065,1:10:33.008 and software and collaboration and information sharing and putting these things in place. 1:10:33.008,1:10:36.033 From a law enforcement perspective, I think that some 1:10:36.033,1:10:40.054 of the most successful stuff we've seen involves multilateral teaming agreements 1:10:40.054,1:10:44.009 and collaboration, those sorts of things where there is some coordination 1:10:44.009,1:10:47.099 and some effort in trying to work together.
1:10:47.099,1:10:51.026 In general though, in particular with DDoS attacks we've always seen this sort 1:10:51.026,1:10:56.054 of fragmented response where one ISP on the receiving end, or along the trajectory 1:10:56.054,1:11:00.009 of an attack will drop all the traffic towards the destination and cause, 1:11:00.009,1:11:02.033 you know effectively completing the attack for that network, 1:11:02.033,1:11:08.051 and another one will, security research will infiltrate the command [inaudible] structure 1:11:08.051,1:11:12.005 and law enforcement may be there and then someone will break one of their connections 1:11:12.005,1:11:16.089 to the C&C infrastructure and all of a sudden, you can't even disable the attack 1:11:16.089,1:11:20.029 because you've got all these headless machines out there that are attacking something 1:11:20.029,1:11:23.018 and depending on where those systems reside and where they're coming from. 1:11:23.018,1:11:28.033 I mean we've seen attacks with attack sources in 100s of countries 1:11:28.033,1:11:30.021 and you're breaking lots of laws. 1:11:30.021,1:11:36.006 I mean just if you were to try and disable an attack if you had the keys to the command 1:11:36.006,1:11:39.023 and control infrastructure, that sort of thing. 1:11:39.023,1:11:43.041 So it's really problematic and there needs to be a lot of collaboration and cooperation 1:11:43.041,1:11:47.056 and I don't think regulation's a way, but I do think harmonizing and working 1:11:47.056,1:11:52.001 on the international aspects and the information sharing and collaboration, you know those sort 1:11:52.001,1:11:56.017 of things are the only way we're going to be in a better spot collectively. 1:11:56.017,1:12:00.081 We're playing a lot of whack-a-mole today and I'm not sure it's effective.
1:12:00.081,1:12:05.066 >> Brian: Jillian, let me ask you, from your perspective, from a civil society perspective, 1:12:05.066,1:12:11.003 what more should industry and government in their roles, be doing to address this? 1:12:11.003,1:12:16.035 And what in their collaboration would you hope that they avoid? 1:12:16.035,1:12:20.042 >> Jillian: So in terms of what more, I mean I think it's hard for me to say. 1:12:20.042,1:12:24.097 I mean I think one of the problems here is that as others have mentioned, 1:12:24.097,1:12:30.067 law enforcement is going after the folks who are going after the big targets. 1:12:30.067,1:12:34.043 And I understand that, but it's not really ever going to help these smaller targets. 1:12:34.043,1:12:38.055 I mean you don't see law enforcement going after the perpetrators of small attacks and a lot 1:12:38.055,1:12:41.051 of the attacks that I'm looking at are happening in other countries 1:12:41.051,1:12:44.001 where sometimes the perpetrators are in other countries 1:12:44.001,1:12:49.003 and so from my perspective I'm not thinking so much about U.S. law enforcement, 1:12:49.003,1:12:53.065 but in terms of what people can be doing more about and what they should avoid. 1:12:53.065,1:13:01.007 I think that a lot of it is about raising awareness as folks at the other end 1:13:01.007,1:13:05.039 of the table said in the beginning, I think that making people aware, 1:13:05.039,1:13:09.055 not only of what might be going on in their own systems that they can avoid becoming part 1:13:09.055,1:13:17.072 of a botnet, but also what they can be doing as individuals and as organizations 1:13:17.072,1:13:21.066 to mitigate the potential of DDoS attacks. 1:13:21.066,1:13:24.087 And then as far as industry, I think adding that layer 1:13:24.087,1:13:26.096 of civil society is really important as well.
1:13:26.096,1:13:32.058 Making sure that industry is collaborating with civil society to make more 1:13:32.058,1:13:37.002 of these systems available to the smaller user would be great. 1:13:37.002,1:13:42.012 And as far as what law enforcement should avoid, I think a lot of it 1:13:42.012,1:13:47.028 for me is addressing whether DDoS attacks are a useful form of civil disobedience. 1:13:47.028,1:13:51.005 I think it kind of comes down to that and my personal opinion, this is really not the view 1:13:51.005,1:13:53.079 of my organization which does not have a stated view on this, 1:13:53.079,1:13:59.042 but it's just that I don't think it's a particularly useful form of civil disobedience. 1:13:59.042,1:14:04.025 I think that in the United States we have many other paths of recourse to protest 1:14:04.025,1:14:07.045 and then I think that when you look at the example like I gave before, 1:14:07.045,1:14:11.079 attacks against Syrian government websites, it's a bit of a different thing. 1:14:11.079,1:14:19.063 But nonetheless, I think that the effect of these attacks on smaller websites is so great 1:14:19.063,1:14:22.042 that we should really sort of try to look at the whole picture 1:14:22.042,1:14:25.001 and realize how much damage this is doing. 1:14:25.001,1:14:29.049 And so I guess in thinking about that, I think that that should also sort of inform 1:14:29.049,1:14:31.074 where we think about law enforcement. 1:14:31.074,1:14:32.006 >> Brian: Thank you. 1:14:32.006,1:14:32.026 Danny [inaudible]? 1:14:32.026,1:14:35.054 >> Danny: Yeah I just wanted to make one other comment, something she touched 1:14:35.054,1:14:39.005 on which I think is really actually is, one of the things we see a lot 1:14:39.005,1:14:42.009 of is the internet itself is inherently multi-tenant.
1:14:42.009,1:14:47.049 And then you see a lot of, in particular a lot of the smaller folks can aggregate 1:14:47.049,1:14:50.092 and there's these really high tenant densities on certain pieces of infrastructure 1:14:50.092,1:14:55.077 and what ends up happening is that someone on the infrastructure gets attacked 1:14:55.077,1:14:58.033 and there's a lot of collateral damage that everybody is impacted. 1:14:58.033,1:15:01.099 Or a really large attack along a trajectory fills some links 1:15:01.099,1:15:06.049 and not only is the intended target impacted but there's collateral damage to other people 1:15:06.049,1:15:07.078 that utilize that infrastructure. 1:15:07.078,1:15:15.046 And most of the attacks that the folks have been on the receiving end of seeing is that it's hard 1:15:15.046,1:15:20.042 for an attacker to gauge how much firepower they actually have and to surgically attack a target 1:15:20.042,1:15:26.000 with a DDoS attack on the internet, usually they sort of brute-force flood a whole bunch of traffic 1:15:26.000,1:15:29.069 of a particular type and there is collateral damage in that. 1:15:29.069,1:15:32.087 And that's an important artifact that you're highlighting there 1:15:32.087,1:15:36.046 and if you have high-tenant densities on cloud infrastructure 1:15:36.046,1:15:43.016 or lots of people behind small links then it does have a really devastating impact 1:15:43.016,1:15:46.078 and not just on the target, but maybe on other people that utilize that infrastructure. 1:15:46.078,1:15:49.026 And so I think that's an important highlight. 1:15:49.026,1:15:50.048 >> Brian: Thank you. 1:15:50.048,1:15:51.023 Damian? 1:15:51.023,1:15:55.042 >> Damian: Yeah just to follow up on that, Jillian had mentioned 1:15:55.042,1:15:59.005 that law enforcement doesn't go after the very small attacks. 1:15:59.005,1:16:00.071 They tend to focus on the large attacks.
1:16:00.071,1:16:04.019 But I do see the large attacks as the most damaging, 1:16:04.019,1:16:09.001 largely because of what Danny said of, it causes collateral damage. 1:16:09.001,1:16:12.051 If there's collateral damage on other sites that they have no other way to mitigate, 1:16:12.051,1:16:15.034 they will kill the small victim, they'll completely attack 1:16:15.034,1:16:17.053 by just turning off everything to that site. 1:16:17.053,1:16:23.035 So by basically preventing any very large attacks by having law enforcement focus 1:16:23.035,1:16:28.091 on those we at least give the smaller sites a chance of getting some DoS mitigation service 1:16:28.091,1:16:35.045 to help them and basically that boundary is probably around 10 gigabyte. 1:16:35.045,1:16:41.047 You know once you get up over 100 gig, there's very few organizations that are going to be able 1:16:41.047,1:16:45.018 to help and most are just going to turn off the site. 1:16:45.018,1:16:49.082 >> Brian: So right now on this issue, it's the rule of the submarine captain 1:16:49.082,1:16:54.022 that is the compartment flooding, and there are sailors in there, shut it off to save the rest. 1:16:54.022,1:16:55.003 And that's where we are. 1:16:55.003,1:16:59.097 So, this is interesting and I think we've all been very polite so far, 1:16:59.097,1:17:03.085 so allow me to play devil's advocate and put your feet to the fire a little bit folks. 1:17:03.085,1:17:09.003 So what I'm hearing at a high level to pull some threads together, is there is some coordination 1:17:09.003,1:17:14.094 across law enforcement which is key to this solution in collaboration, 1:17:14.094,1:17:17.023 but it's not nearly what it needs to be. 1:17:17.023,1:17:21.037 It itself is a barrier to our ability, at least in the industry, 1:17:21.037,1:17:24.013 to work on these problems with law enforcement.
1:17:24.013,1:17:28.005 We're hearing that there is some collaboration across network operators but not as good 1:17:28.005,1:17:32.075 as it needs to be all the way up and down the stream. 1:17:32.075,1:17:40.039 And some lack of sense of responsibility coloring that part of the puzzle. 1:17:40.039,1:17:46.084 We all in this industry trumpet the fact that the internet is critical global infrastructure. 1:17:46.084,1:17:51.061 We all in this industry trumpet the fact that the infrastructure of nations, 1:17:51.061,1:17:58.086 of countries, has come to rely on the internet, banking systems, electric grids soon, 1:17:58.086,1:18:04.057 governments have a clear interest in this critical infrastructure and if I listen to all 1:18:04.057,1:18:07.057 of this and piece it together, I could come at this from, 1:18:07.057,1:18:11.046 this is a fiddling while Rome burns dynamic going on between industry 1:18:11.046,1:18:14.001 and governments and civil society. 1:18:14.001,1:18:20.037 So, putting your feet back to the fire, what needs to happen in terms of collaboration, 1:18:20.037,1:18:27.065 in concrete terms to break through at the industry level, at the government level 1:18:27.065,1:18:31.007 and across those levels and with the civil society perspective? 1:18:31.007,1:18:32.000 Let's get to it. 1:18:32.000,1:18:37.094 Who wants to take it on? 1:18:37.094,1:18:38.011 Pause. 1:18:38.011,1:18:39.061 >> Ram: Sure I'll jump on the grenade. 1:18:39.061,1:18:47.051 Look I think everyone who is here and everyone who is up here is not part of the problem. 1:18:47.051,1:18:51.008 When you take it to the global level of the impact on society 1:18:51.008,1:18:56.064 and the fiddling while Rome burns and the implication that there's an existential or close 1:18:56.064,1:19:03.054 to a threat to us, everyone up here and I assume because you're here, you all get it.
1:19:03.054,1:19:08.066 The problem we have is the sectors that you mentioned that use technology 1:19:08.066,1:19:15.049 but are not technology sectors and going back to my government experiences, often, not always 1:19:15.049,1:19:23.001 but often, the difficulty in those sectors is to get nontechnical executives to spend the money 1:19:23.001,1:19:26.073 or the time to put in place the protections. 1:19:26.073,1:19:33.006 You know Danny, I thought, talked earlier about the need of a mitigation plan in place. 1:19:33.006,1:19:36.092 If you're under a major denial-of-service attack and you're then figuring oh, 1:19:36.092,1:19:38.062 how do I deal with a denial-of-service attack? 1:19:38.062,1:19:45.047 You're toast, you need to have things in place ahead of time and that's where going back 1:19:45.047,1:19:49.037 to the question about where the government can play a role, my personal view 1:19:49.037,1:19:52.007 and what we were trying to do on the Hill was create an environment 1:19:52.007,1:19:58.013 where the truly critical infrastructure systems are required 1:19:58.013,1:20:00.017 to meet some base level of security. 1:20:00.017,1:20:04.045 Not technology specific but more if you're talking about computers 1:20:04.045,1:20:07.083 that control big machines, water pumps, electric grids, 1:20:07.083,1:20:09.086 those shouldn't be connected to the internet. 1:20:09.086,1:20:11.013 A lot of them are. 1:20:11.013,1:20:17.091 Some of them are connected with open connections using default passwords available through, 1:20:17.091,1:20:19.083 no offense, Google searches. 1:20:19.083,1:20:26.046 So, what needs to happen, I think is some impetus, some general understanding of the type 1:20:26.046,1:20:33.071 of threat that the country faces both in the digital realm and in the physical realm.
1:20:33.071,1:20:40.074 But again, I think going back to what I said earlier a lot of it starts with the individual 1:20:40.074,1:20:45.013 and I used to be very skeptical as to whether we could actually get most people 1:20:45.013,1:20:50.029 to do basic hygiene things on their computer and then one of the things that we also covered, 1:20:50.029,1:20:54.057 the committee worked on was swine flu and as soon as Big Bird told everyone to cough 1:20:54.057,1:20:58.085 into their elbows, you have a vast majority of Americans, you see people coughing 1:20:58.085,1:21:00.001 or sneezing into their elbows now. 1:21:00.001,1:21:04.058 We change behavior very quickly and I think there can be an education campaign 1:21:04.058,1:21:11.038 that could change enough behavior to help stop the problem, but without some type of push, 1:21:11.038,1:21:14.089 I think that we're all going to keep trying to do what we can, 1:21:14.089,1:21:18.016 but the people who need to make the changes may not. 1:21:18.016,1:21:20.008 >> Brian: Ram, thank you. 1:21:20.008,1:21:25.083 >> Miguel: Thank you, so I'm a bit of a skeptic on these push measures. 1:21:25.083,1:21:31.014 Folks do push measures, governments do push measures all the time and decades go by 1:21:31.014,1:21:35.036 and the basic problems don't get resolved. 1:21:35.036,1:21:38.084 One thing that does seem to work is events. 1:21:38.084,1:21:40.093 Events result in consequences. 1:21:40.093,1:21:47.076 Michelangelo, the virus, got people to install antivirus software, Y2K got people to focus 1:21:47.076,1:21:53.081 on mitigation measures, 9/11 caused a series of responses 1:21:53.081,1:21:58.038 and the Georgian cyber war caused another set of responses.
1:21:58.038,1:22:04.063 We don't really have a global cyber event, I'm not asking for one, but I'm just saying 1:22:04.063,1:22:09.068 that if you just look at human behavior and you want to affect human behavior and you want 1:22:09.068,1:22:15.035 to get individuals, governments, civil society, public sector, everybody together 1:22:15.035,1:22:22.027 and the private sector together, you need to have something to unify around. 1:22:22.027,1:22:30.028 The threat today doesn't feel real to me until I get attacked and if my friend got attacked, 1:22:30.028,1:22:33.099 I kind of have some sympathy about it but I kind of shrug my shoulders 1:22:33.099,1:22:36.024 and say, "Ain't going to happen to me." 1:22:36.024,1:22:43.059 And there is not the unifying sense of impending doom. 1:22:43.059,1:22:48.083 >> Danny: Can I just, I agree with everything Ram said from the skepticism to the kind 1:22:48.083,1:22:53.069 of work I was also trying to do, the need for an event, and what we would tell a lot 1:22:53.069,1:22:58.001 of the skeptics who came in is, look you have Congress trying to act proactively. 1:22:58.001,1:23:01.077 It may not fix everything now but when something happens there will be better systems 1:23:01.077,1:23:03.002 in place to respond to it. 1:23:03.002,1:23:06.044 But more importantly, you want government to act proactively 1:23:06.044,1:23:11.008 because when government acts reactively, it acts stupidly and that's why there is a strong effort 1:23:11.008,1:23:17.034 to get some type of performance-based, non-technology-specific standards 1:23:17.034,1:23:21.006 that are limited to really critical stuff in place, so hopefully some things will improve 1:23:21.006,1:23:25.098 and if something happens, we have the framework that is not so regimented that the attempt 1:23:25.098,1:23:28.002 to fix the problem actually enhances it.
1:23:28.002,1:23:32.061 But I'm ultimately, because I'm a cynic, I don't think we're going to do anything 1:23:32.061,1:23:39.001 until we have something blow up and that's unfortunate to say the least. 1:23:39.001,1:23:41.044 >> Brian: Danny, oh Damian, thank you. 1:23:41.044,1:23:47.058 >> Damian: Sure, yes I also sort of agree with the cyber event being needed. 1:23:47.058,1:23:56.006 Not needed but, [Laughter] if you look at history, we've seen that there's 1:23:56.006,1:24:00.042 like an email worm or virus that comes out approximately once every 6 months 1:24:00.042,1:24:04.054 because that's how long it takes people to forget and start being stupid again. 1:24:04.054,1:24:07.033 And you know click on everything they see but, 1:24:07.033,1:24:09.051 you know once every 6 months everyone gets infected, 1:24:09.051,1:24:11.055 everyone is like oh yeah, I shouldn't do that. 1:24:11.055,1:24:13.061 Fortunately no major damage has been caused. 1:24:13.061,1:24:17.075 Nobody has ever actually-- there haven't been any large-scale cases 1:24:17.075,1:24:19.034 where people have lost data. 1:24:19.034,1:24:24.004 I see this as very similar to how diseases spread. 1:24:24.004,1:24:28.088 If you killed the person instantly, like if someone gets infected 1:24:28.088,1:24:32.021 and you format their hard drive right away, they don't have time to spread. 1:24:32.021,1:24:36.068 They don't have time to pass it on to others and so most of the malware that we've seen 1:24:36.068,1:24:39.022 so far has been fairly benign and that allows it to spread, 1:24:39.022,1:24:41.087 but it also means it doesn't cause much damage. 1:24:41.087,1:24:47.079 I also wanted to say, I think right now laws largely favor the attacker. 1:24:47.079,1:24:54.023 There's a lot of constraints on information sharing, all of the jurisdiction issues, 1:24:54.023,1:24:59.004 and that also means that there's a very slow response.
1:24:59.004,1:25:04.035 If somebody goes to law enforcement, law enforcement might have to sit on it for weeks 1:25:04.035,1:25:07.086 or months before they can actually take action against the attacker, 1:25:07.086,1:25:09.057 if they can even get to the attacker. 1:25:09.057,1:25:15.041 So, some things might need to change in laws to allow the defenders 1:25:15.041,1:25:19.033 to keep up with the pace of the attacks. 1:25:19.033,1:25:23.002 And it's also important to note, you know sometimes the attacked would actually know how 1:25:23.002,1:25:28.005 to shut down the attack, it's just they're not legally able to and so there are a lot 1:25:28.005,1:25:32.001 of inherent delays in the system. 1:25:32.001,1:25:32.085 >> Brian: Thank you, Miguel. 1:25:32.085,1:25:35.022 >> Miguel: Just adding to that, it's worth noting that there's 1:25:35.022,1:25:39.013 such a stigma associated with security incidents. 1:25:39.013,1:25:43.066 Organizations are very unwilling to admit that something has happened. 1:25:43.066,1:25:45.085 They don't want to admit so publicly. 1:25:45.085,1:25:52.047 They really, they don't want to collaborate and to be effective, a lot of operators have 1:25:52.047,1:25:55.006 to work, as I mentioned earlier, they have to work through back-channels, 1:25:55.006,1:25:59.073 people they know, where the person that you're potentially collaborating 1:25:59.073,1:26:08.047 with would probably get slapped if other people were aware of this collaboration taking place. 1:26:08.047,1:26:15.021 So, that needs to get formalized, potentially more formal protocols 1:26:15.021,1:26:17.029 for collaboration need to be developed. 1:26:17.029,1:26:24.043 And from an international perspective, governments need to do a better job at. 1:26:24.043,1:26:28.029 They haven't caught up to the fact that this is a big issue.
1:26:28.029,1:26:35.008 So, some examples where we, as an operator, we're seeing attacks happening 1:26:35.008,1:26:41.075 on small government websites, Syria's as an example, and you actually want 1:26:41.075,1:26:45.088 to lend your resources and expertise to help these people, 1:26:45.088,1:26:50.061 but because of their own roadblocks, legislation, 1:26:50.061,1:26:55.002 etcetera they actually can't receive the help 1:26:55.002,1:26:57.043 that you are potentially looking at offering them. 1:26:57.043,1:27:04.006 So we've been in situations where we've seen protest attacks during elections, 1:27:04.006,1:27:09.017 for example in smaller countries, and we are willing to help them but then, 1:27:09.017,1:27:13.064 these governments have restrictions on where their data is etcetera while 1:27:13.064,1:27:16.088 at the same time they don't have the infrastructure to deal 1:27:16.088,1:27:21.062 with this problem themselves, but they're handcuffing themselves, so all of that has 1:27:21.062,1:27:24.003 to change for us to be able to be more effective. 1:27:24.003,1:27:25.022 >> Brian: Danny? 1:27:25.022,1:27:30.083 >> Danny: Yeah I think some of this is sort of the tragedy of the commons sort of thing, 1:27:30.083,1:27:32.057 the sheep on the commons I guess if you will. 1:27:32.057,1:27:36.013 And what's the impact on me or the investment on me?
1:27:36.013,1:27:41.044 Actually the Internet Security Alliance did something not long ago called a CFO's Guide 1:27:41.044,1:27:45.064 to Cyber Risk and in that document they introduced the notion of a digital immigrant 1:27:45.064,1:27:52.033 and they're talking about someone that didn't grow up a digital native or wasn't prolific 1:27:52.033,1:27:56.009 with electronic devices and the internet and the capabilities of those 1:27:56.009,1:27:59.013 and they were discussing how in many places, 1:27:59.013,1:28:02.026 they're the ones that control the purse strings or control the investments. 1:28:02.026,1:28:06.006 Like people don't have problems investing in fire suppression systems but if you ask about a, 1:28:06.006,1:28:09.064 DDoS mitigation capability, well nobody is going to invest in that 1:28:09.064,1:28:14.022 until they've been attacked right, or unless you're a very savvy organization 1:28:14.022,1:28:16.017 or have a lot of the right folks that do that. 1:28:16.017,1:28:21.052 And then people even question those investments after a long time of not being attacked. 1:28:21.052,1:28:27.044 So I think definitely looking at what enables your business again or whatever size business, 1:28:27.044,1:28:30.024 because it's all relative right, I mean we've seen things 1:28:30.024,1:28:34.001 from animal rights activists attacking zoos, 1:28:34.001,1:28:42.022 to Jersey Joe's, a local sports memorabilia shop, being attacked by a guy across the street 1:28:42.022,1:28:44.034 for a gold watch and a pair of tennis shoes. 1:28:44.034,1:28:46.071 And that's a decade old, right? 1:28:46.071,1:28:49.089 And so, I think understanding what the impact of these things is 1:28:49.089,1:28:51.059 on your business is extremely important. 1:28:51.059,1:28:56.034 I think understanding the constraints today as well, this is a global problem.
1:28:56.034,1:29:02.068 The internet is a loosely interconnected network of networks and largely provides for any kind 1:29:02.068,1:29:04.025 of activity and that's a fantastic thing. 1:29:04.025,1:29:08.046 You know the fact that you can launch a DDoS attack might be considered a success 1:29:08.046,1:29:12.095 of that substrate or that infrastructure, right I don't know. 1:29:12.095,1:29:17.086 And so you certainly don't want to over-pivot either and compromise privacy, 1:29:17.086,1:29:22.097 you're a regulator, put controls in place that might impact that global platform. 1:29:22.097,1:29:28.047 That's something important as well, so I think that's why industry partnership, 1:29:28.047,1:29:32.062 private sector with halook and things like information sharing and saying look, 1:29:32.062,1:29:36.006 these things are impacting real people, real organizations 1:29:36.006,1:29:40.091 and law enforcement government needs to go after that and accommodate those as appropriate. 1:29:40.091,1:29:44.007 But at the same time, I think we do have to be careful about over-pivoting as well. 1:29:44.007,1:29:47.007 >> Brian: Thanks, Jillian. 1:29:49.029,1:29:53.029 >> Jillian: Sure, you know I think I'll just give the civil society perspective on what we can 1:29:53.029,1:29:54.002 be doing better. 1:29:54.002,1:29:59.035 For example, my organization has come under several DDoS attacks at different points 1:29:59.035,1:30:04.073 and we do have a big enough team in place to try to mitigate those pretty quickly 1:30:04.073,1:30:06.007 and we've mostly been able to do that successfully. 1:30:06.007,1:30:11.083 But I think there's actually a pretty strong lack of information sharing 1:30:11.083,1:30:15.082 across my type of NGO or NGOs in general. 1:30:15.082,1:30:18.048 I'll give you an example of this, and I don't mean to pick on this group, 1:30:18.048,1:30:21.007 but I think it's a perfect and quite public example.
1:30:21.007,1:30:25.053 Avaaz, which I'm sure you're familiar with, a few months back they came under DDoS attack 1:30:25.053,1:30:29.067 and their first reaction was to send a message out to their members asking for donations. 1:30:29.067,1:30:33.068 But what they didn't do is they didn't share any of the details of the attack, 1:30:33.068,1:30:35.066 not that they necessarily needed to publicly 1:30:35.066,1:30:38.063 but they actually straight-up refused to share the details. 1:30:38.063,1:30:42.066 We have a group of technologists who had been asking for that information and I think 1:30:42.066,1:30:46.015 that sometimes that information is actually quite helpful for organizations to share 1:30:46.015,1:30:50.007 with each other so that we can understand what type of attacks our allies 1:30:50.007,1:30:55.052 and friends are coming under and therefore what types of attacks we might be at greater risk of. 1:30:55.052,1:30:59.098 And so I think that that's a really good example of how not to respond. 1:30:59.098,1:31:07.015 In the end they still didn't want to share, and we said okay, fine but I think that just sort 1:31:07.015,1:31:10.076 of going and asking for donations and not kind of collaborating 1:31:10.076,1:31:14.052 with other civil society organizations is not a particularly helpful way of responding 1:31:14.052,1:31:18.099 and we'd be much better off if we were clearer with each other. 1:31:18.099,1:31:19.066 >> Brian: Thank you. 1:31:19.066,1:31:21.033 So thank you for that. 1:31:21.033,1:31:23.016 I'm going to draw this part to a close. 1:31:23.016,1:31:27.087 Some takeaways for me in the last round of questions is 1:31:27.087,1:31:32.017 that clearly there are some structural barriers to the level of collaboration 1:31:32.017,1:31:35.056 that everyone seems to believe is important to addressing the problem, 1:31:35.056,1:31:39.032 both at the government level, and at the operator level.
1:31:39.032,1:31:46.002 I guess the understanding at senior management level that investments in the security aspect 1:31:46.002,1:31:49.054 of their business are as critical as any other to their business 1:31:49.054,1:31:51.075 and have to be central to their planning. 1:31:51.075,1:31:56.021 And at the government level, clearly existing legislative structures 1:31:56.021,1:32:01.082 and collaborative barriers between governments need to be broken down if we can get 1:32:01.082,1:32:04.046 to the place where we can be more aggressively 1:32:04.046,1:32:06.099 and effectively collaborating to address the problem. 1:32:06.099,1:32:11.006 So, we all knew that we weren't going to solve this problem with today's panel and I want 1:32:11.006,1:32:15.011 to thank you all for giving us a lot to think about and those are some 1:32:15.011,1:32:18.028 of the takeaways that I've gotten for myself. 1:32:18.028,1:32:26.066 So now, let's take a breath and for the next 35 minutes or so, try to have a little bit of fun, 1:32:26.066,1:32:30.064 make it a little bit more dynamic for the panelists by running through a scenario 1:32:30.064,1:32:34.045 and then we'll have 30 minutes at the end where we want to hear Q&A again from folks 1:32:34.045,1:32:36.057 in the room and from the folks online. 1:32:36.057,1:32:41.011 So, shift your mindset now on the panel, we're going to walk 1:32:41.011,1:32:44.073 through a scenario of a DDoS attack. 1:32:44.073,1:32:49.097 What I'd like you to think about is what your specific role would be 1:32:49.097,1:32:55.091 within the scenario and how would you react? 1:32:55.091,1:33:02.009 What would be the things that would be important to you in addressing your part of the problem? 1:33:02.009,1:33:04.059 There's a clear understanding and appreciation for the fact 1:33:04.059,1:33:10.038 that good security also means not divulging all of your good effective practices.
1:33:10.038,1:33:14.013 So I'm not asking you to say anything that you wouldn't want to say publicly. 1:33:14.013,1:33:15.068 Let's get that clear. 1:33:15.068,1:33:20.047 But I want you to take this on as a real-time event and then in your proper role, 1:33:20.047,1:33:24.097 tell the audience what's important to you, what do you need, and in a direction 1:33:24.097,1:33:31.062 of how would you see or design a best practices reaction to this scenario. 1:33:31.062,1:33:34.003 So let's start this part of the program. 1:33:34.003,1:33:39.006 So the scenario we've developed is as follows. 1:33:39.006,1:33:45.086 The citizens of small country A, let's call it the Kingdom of Genovia, 1:33:45.086,1:33:48.084 my 14-year-old daughter insisted that I do that. 1:33:48.084,1:33:54.011 Kingdom of Genovia has been criticizing an economic embargo put in place 1:33:54.011,1:34:04.045 by a regional hegemon, let's call it Mordor, against its neighbor, a small country Gilder. 1:34:04.045,1:34:10.009 The citizens of Genovia who have a long standing alliance with Gilder are very upset 1:34:10.009,1:34:12.079 about Mordor's embargo against Gilder. 1:34:12.079,1:34:17.015 Condemnations include mass rallies as well 1:34:17.015,1:34:22.024 as increasingly critical posts on blogs and social media sites. 1:34:22.024,1:34:27.007 While the government of Genovia itself shows no public support for the protestors, 1:34:27.007,1:34:31.013 neither does it criticize them for exercising their freedom of expression rights, 1:34:31.013,1:34:35.002 fueling speculation that it actually condones the protests 1:34:35.002,1:34:38.099 and may even be behind some of them. 1:34:38.099,1:34:43.018 Large-scale DDoS attacks begin against Genovia. 1:34:43.018,1:34:46.089 They are aimed primarily at the social media sites posting the criticisms 1:34:46.089,1:34:50.072 but also at Genovia's financial sector.
1:34:50.072,1:34:57.085 Researchers indicate that the attacks are coming from botnets of compromised end-user machines. 1:34:57.085,1:35:03.057 The financial attacks are perceived to be an attempt to weaken Genovia's economy 1:35:03.057,1:35:08.007 because the core issue, after all, is an embargo and the financial sector has shown itself 1:35:08.007,1:35:14.066 to be susceptible to other kinds of security incidents and breaches. 1:35:14.066,1:35:19.048 Traces show the attacks originating primarily in Mordor. 1:35:19.048,1:35:23.091 Some of which could be locations under government control. 1:35:23.091,1:35:27.049 Some however, appear to come from unrelated countries. 1:35:27.049,1:35:31.002 Mordor, predictably, denies any responsibility. 1:35:31.002,1:35:37.003 With those facts, in your respective roles and responsibilities, 1:35:37.003,1:35:42.069 start off with what's important to you in your given role and then we'll move 1:35:42.069,1:35:44.041 on to what actions you might take. 1:35:44.041,1:35:50.093 Jeff, do you want to tee it up? 1:35:50.093,1:35:56.032 >> Jeff: I guess the first thing, you know I'm being the least technical guy up here I think, 1:35:56.032,1:36:03.098 you're going to want to really figure out, you know you talked about the attacks originating 1:36:03.098,1:36:08.098 from Mordor, but does that mean the command and control is there? 1:36:08.098,1:36:11.002 Are the machines all over the place? 1:36:11.002,1:36:18.019 If you're going to respond, you need to figure out first what is your first goal in responding? 1:36:18.019,1:36:21.038 Are you going to try to stabilize your systems or are you going to try 1:36:21.038,1:36:26.022 to somehow get attribution and then seek retribution? 1:36:26.022,1:36:33.015 So, I guess my first counsel would be look at what you have in place to respond and figure 1:36:33.015,1:36:34.048 out what your ultimate goals are.
1:36:34.048,1:36:37.089 You need to know what you're driving at so you're not wasting resources, 1:36:37.089,1:36:47.059 pursuing answers to questions that don't help you achieve your ultimate goal. 1:36:47.059,1:36:50.009 >> Brian: Thank you, Ram. 1:36:50.009,1:36:51.075 >> Ram: Four things. 1:36:51.075,1:36:55.094 One, get contact lists together because you know people 1:36:55.094,1:36:58.089 but there are other people involved here, so you've got to get that. 1:36:58.089,1:37:01.089 That's in some ways the top thing. 1:37:01.089,1:37:04.065 Second is to set up an analysis framework. 1:37:04.065,1:37:13.019 Once you identify the scope of the problem, then you need a framework in which to actually work 1:37:13.019,1:37:16.091 as new data comes in and you need a structure. 1:37:16.091,1:37:19.069 So create a structure for it. 1:37:19.069,1:37:27.034 Third thing is to begin working with upstream providers, folks who are connecting you 1:37:27.034,1:37:29.065 and connecting others to the internet. 1:37:29.065,1:37:36.037 Start working with them because you need to have information sharing and also the ability 1:37:36.037,1:37:42.094 to take mitigation measures, to take steps if and when you have to. 1:37:42.094,1:37:51.008 And the fourth is to set up alerts based on pattern recognition or traffic analysis 1:37:51.008,1:37:54.099 that your analytical team is already doing. 1:37:54.099,1:37:58.022 Those are the first four things to do. 1:37:58.022,1:38:01.016 >> Brian: Thank you, Damian. 1:38:01.016,1:38:08.008 >> Damian: So the first thing I would ask about this would be what style of attack is this? 1:38:08.008,1:38:13.005 Depending on, some attacks can be spoofed with the sources, some cannot.
1:38:13.005,1:38:19.071 So if the sources are definitively like, you know they're definitively coming from Mordor 1:38:19.071,1:38:25.004 or you know what these sources are, that can help a lot more than if it's an attack 1:38:25.004,1:38:28.052 where you don't really know where it's coming from, you just know-- 1:38:28.052,1:38:32.079 you don't know which machine it's coming from in Mordor. 1:38:32.079,1:38:36.004 You know that it's just coming from that country in general, maybe. 1:38:36.004,1:38:40.005 And I think that's the key thing to focus on here. 1:38:40.005,1:38:44.061 I mean, I agree with what others said, but I think it's important to start 1:38:44.061,1:38:50.023 by understanding the details of the attack, figuring out what you actually know 1:38:50.023,1:38:54.052 versus what you are assuming or guessing about the attack. 1:38:54.052,1:39:01.093 And then I would also start thinking about what type of collateral damage is acceptable. 1:39:01.093,1:39:08.073 If you really only care about financial services in Genovia being accessible to people living 1:39:08.073,1:39:15.054 in Genovia, they could at the border of their country, just block all traffic from Mordor and 1:39:15.054,1:39:19.043 yet people who happen to be on vacation in Mordor might not be able 1:39:19.043,1:39:22.004 to access their bank account, and that would be pretty bad. 1:39:22.004,1:39:28.001 But you could at least partition the problem and keep your own country up. 1:39:28.001,1:39:31.037 >> Brian: Thanks for that point and just to note, people on vacation in Mordor, 1:39:31.037,1:39:34.046 to my understanding, no one walks into Mordor. 1:39:34.046,1:39:35.087 Miguel, please. 1:39:35.087,1:39:40.053 >> Miguel: I might actually repeat some of the things that my colleagues here have said.
1:39:40.053,1:39:45.043 From the perspective of an operator that focuses on mitigation and defense, 1:39:45.043,1:39:50.023 I would probably start by looking at the affected entities. 1:39:50.023,1:39:56.001 Get a good scope on what the targets are, what's being affected. 1:39:56.001,1:39:59.048 Move to start looking at determining what the attack vectors are 1:39:59.048,1:40:01.064 that are being used for this particular attack. 1:40:01.064,1:40:06.053 You can do this in a variety of ways and then I'd probably start focusing 1:40:06.053,1:40:12.029 on starting the mitigation techniques and the defense of these affected systems. 1:40:12.029,1:40:20.001 As Damian said earlier, I'd look at prioritizing and trying to determine or trying to gauge 1:40:20.001,1:40:27.062 which affected resources are acceptable collateral damage, which are priorities and need 1:40:27.062,1:40:33.000 to be available and need to be in place. 1:40:33.000,1:40:38.095 I'd be sharing information as much as possible with both the public and private sector, 1:40:38.095,1:40:42.079 the operators in question that manage the assets that are being attacked. 1:40:42.079,1:40:46.001 So definitely start reaching out to people. 1:40:46.001,1:40:49.066 Another thing that I would be doing is heavily monitoring social media. 1:40:49.066,1:40:59.007 Typically with an attack on Mordor, let's say, and suspected political motivations 1:40:59.007,1:41:02.004 for the attack, I would be looking at Facebook, I'd be looking at Twitter, 1:41:02.004,1:41:04.084 I'd be looking at internet relay chat rooms. 1:41:04.084,1:41:10.042 Anywhere where these attackers could potentially congregate to organize, I'd be monitoring that 1:41:10.042,1:41:14.001 and I'd be trying to glean as much information as I can 1:41:14.001,1:41:16.097 from that activity that is going on online. 1:41:16.097,1:41:19.028 So those are some of the things that I'd be doing.
1:41:19.028,1:41:21.007 >> Brian: Thank you, Danny. 1:41:21.007,1:41:26.084 >> Danny: So yeah I guess there's both a luxury in going last and not having much [inaudible], 1:41:26.084,1:41:29.025 but there are a few things I could offer actually. 1:41:29.025,1:41:31.056 I think these guys are all spot-on with a lot of this. 1:41:31.056,1:41:35.084 I think it certainly, whatever detection capabilities you have for this, 1:41:35.084,1:41:40.073 whether it was a phone call, hopefully not, or an alert or some capability, 1:41:40.073,1:41:43.097 engage your incident response capability which you should have now 1:41:43.097,1:41:45.082 because you've been alerted to that. 1:41:45.082,1:41:49.024 And then figure out what controls for that sort of attack vector, 1:41:49.024,1:41:51.002 right, exactly as these guys have said. 1:41:51.002,1:41:56.081 You certainly want to continue with continuous monitoring and make sure that other devices, 1:41:56.081,1:42:02.023 other things aren't impacted in particular with sort of multi-vector attacks, 1:42:02.023,1:42:05.092 especially such as this which we have seen empirically in the past. 1:42:05.092,1:42:10.081 One of the things that you have to be really careful about and we've actually seen this 1:42:10.081,1:42:15.015 in the past and learned from that, is Genovia should have learned from is that you've got 1:42:15.015,1:42:19.001 to be really careful about what kind of controls you put in place for attacks as well 1:42:19.001,1:42:22.072 because you may say, I'm going to bring everything back into my organization, 1:42:22.072,1:42:25.056 under control and then I'll turn my internet access back up 1:42:25.056,1:42:27.073 or inside my nation, or whatever it is.
1:42:27.073,1:42:31.082 And we've literally seen this at the[br]national level and so you decide you're going 1:42:31.082,1:42:35.028 to break all your connectivity and then you[br]realize you don't have a root name server, 1:42:35.028,1:42:37.091 or you realize your ccTLD is hosted in Mordor. 1:42:37.091,1:42:42.048 Or you realize that your email's over[br]there, your authentication service, 1:42:42.048,1:42:47.054 your CA that issues your certs is there[br]or, some other resource that you need. 1:42:47.054,1:42:49.054 So you really need to enumerate those things 1:42:49.054,1:42:53.077 and understand what enables your[br]business before these attacks occur. 1:42:53.077,1:42:59.064 I think I used this statement in the past[br]but it kind of goes back to Mike Tyson's, 1:42:59.064,1:43:03.095 "Everyone's got a plan until they[br]get hit," sort of mentality, right. 1:43:03.095,1:43:07.089 And so I think that if you haven't done[br]this and you're on the receiving end 1:43:07.089,1:43:14.036 of a large-scale attack, it could be really[br]problematic so certainly absorbing an attack 1:43:14.036,1:43:18.089 and then refining your controls and mitigating[br]as surgically as possible and then trying 1:43:18.089,1:43:22.029 to move those controls further and further[br]upstream and then collaborate as much 1:43:22.029,1:43:25.096 as possible is pretty much what you can do today 1:43:25.096,1:43:30.017 and then protect any forensics information[br]associated with that for whatever it is 1:43:30.017,1:43:32.098 that you might intend to[br]do with that information. 1:43:32.098,1:43:34.019 >> Brian: Thank you, Jillian. 1:43:34.019,1:43:36.097 >> Jillian: There is almost[br]nothing left for me to add here. 1:43:36.097,1:43:39.028 It is the great thing about going last. 
1:43:39.028,1:43:44.036 But since you did ask what my organization[br]might do, I suspect that after the leaks 1:43:44.036,1:43:47.051 to the Mordor times come out that Mordor[br]government officials had something to do 1:43:47.051,1:43:50.024 with the attacks, we would probably[br]condemn the government of Mordor 1:43:50.024,1:43:55.087 for having double standards-- no[br]I'm just kidding, sort of, but yeah, 1:43:55.087,1:44:00.012 nothing that I can add from[br]a technical perspective. 1:44:00.012,1:44:04.012 >> Brian: Okay, well from-- you know what I'm[br]going to reverse order here, so you'll go first 1:44:04.012,1:44:08.029 and Jeff you're going to have to[br]deal with Danny's problem next. 1:44:08.029,1:44:14.043 So this is good and very helpful in terms of[br]the first priorities, the first analytical 1:44:14.043,1:44:19.001 and reaction priorities from your[br]perspectives very clear and interesting-- 1:44:19.001,1:44:22.008 not interesting but a lot of[br]consistency across the board there. 1:44:22.008,1:44:29.034 Now let's take it from the point of view[br]of, if this were an ideal scenario in terms 1:44:29.034,1:44:35.058 of effective mitigation techniques, effective[br]collaboration with network operators, 1:44:35.058,1:44:39.062 effective collaboration with[br]government law enforcement resources. 1:44:39.062,1:44:46.006 Walk us through how you would get to that good[br]outcome from that perspective and Jillian, 1:44:46.006,1:44:48.082 from your own point of view, kick it off. 1:44:48.082,1:44:50.008 >> Jillian: I'm not sure[br]I can kick that one off. 1:44:50.008,1:44:56.005 Like I said, this is a wonderful[br]and probably very likely scenario 1:44:56.005,1:45:00.006 but it's also it's not the level at which[br]we're generally dealing with these things 1:45:00.006,1:45:03.042 and so I'd actually love it if[br]somebody else wants to kick it off 1:45:03.042,1:45:04.047 and I'll keep thinking through that. 
1:45:04.047,1:45:07.003 >> Brian: All right, Danny, you're first up. 1:45:07.003,1:45:10.068 >> Danny: Wow, an ideal scenario[br]is that it's not my problem anymore 1:45:10.068,1:45:16.015 and so having the capability to either certainly[br]stop these things from being launched at me 1:45:16.015,1:45:19.073 with some sort of capability or[br]collaboration with law enforcement, 1:45:19.073,1:45:24.026 other folks which in this case[br]might be very problematic so, 1:45:24.026,1:45:28.018 at the sort of ultimate ingress point of[br]your network, putting controls in place 1:45:28.018,1:45:34.004 that minimize collateral damage or even scope[br]the distribution of reachability information 1:45:34.004,1:45:36.084 in a certain place on the[br]infrastructure, that sort of thing 1:45:36.084,1:45:39.009 so that you have some sustainable[br]controls in place 1:45:39.009,1:45:46.035 and you're not continuously simply filling links[br]and absorbing that and causing collateral damage 1:45:46.035,1:45:48.097 to other services or people[br]that may use those links. 1:45:48.097,1:45:55.074 It's really problematic if there are intermediate[br]networks with other eyeballs or content 1:45:55.074,1:45:58.019 or other things that you may or[br]may not want on your infrastructure 1:45:58.019,1:46:01.079 and so if it's an adjacent[br]network, it's a lot simpler, right, 1:46:01.079,1:46:06.042 it's simply, if you've done your homework[br]before, then simply shut those links off 1:46:06.042,1:46:12.071 and you may be fine, but if I'm a[br]smaller network and this is someone, 1:46:12.071,1:46:18.046 somewhere that's nonadjacent to me, it could be[br]much more problematic because I may have to work 1:46:18.046,1:46:22.083 with them to push controls further and further[br]upstream and that's about their capabilities, 1:46:22.083,1:46:26.054 the laws, what sort of technical[br]or legal framework 1:46:26.054,1:46:29.001 that they operate under,[br]time scales and other things. 
1:46:29.001,1:46:38.035 And so, it's sort of all relative to perspective[br]and why the broad variance of attack vectors 1:46:38.035,1:46:42.032 that occur today, why it's so problematic[br]to just get your cookie cutter out 1:46:42.032,1:46:46.084 and say this is a solution for that[br]and so, it's nontrivial I think, 1:46:46.084,1:46:49.096 so it entirely depends on[br]vectors and other things. 1:46:49.096,1:46:52.093 I'm not sure if I said anything[br]that was actually useful, but-- 1:46:52.093,1:46:54.097 >> Brian: That's fine, Miguel please. 1:46:54.097,1:46:59.000 >> Miguel: In an ideal scenario[br]where information is being shared, 1:46:59.000,1:47:05.038 where we've quickly been able to determine what[br]the attack vector is, we are looking at ensuring 1:47:05.038,1:47:08.041 that we can put really precise filters in place 1:47:08.041,1:47:12.077 to lop off attack traffic while[br]letting good traffic through. 1:47:12.077,1:47:15.002 It's easier said than done a lot of the time. 1:47:15.002,1:47:19.018 As I said, in an ideal[br]situation we understand the attack, 1:47:19.018,1:47:25.023 and we can put the right mitigation[br]strategies in place to deal with it. 1:47:25.023,1:47:31.084 So in that ideal situation, most likely[br]we should be able to get to availability 1:47:31.084,1:47:34.072 within minutes if people[br]are cooperating correctly 1:47:34.072,1:47:37.012 and we have the information that we need. 1:47:37.012,1:47:41.052 The problem is that we don't[br]live in an ideal world 1:47:41.052,1:47:45.096 and beyond that, attackers are smart, right? 1:47:45.096,1:47:54.007 So they try one thing and then you[br]scramble and get the sites available again 1:47:54.007,1:47:58.001 and put the right mitigation strategy in place, 1:47:58.001,1:48:01.017 but then potentially they might[br]start trying something else. 
1:48:01.017,1:48:05.068 You know if that's not being effective, they'll[br]go route B and then potentially they'll go right 1:48:05.068,1:48:14.041 to route C, so it's a cat and mouse game and[br]it's far from ideal and it's starting over again 1:48:14.041,1:48:18.051 in some sense in terms of putting together[br]another mitigation strategy to deal 1:48:18.051,1:48:23.023 with the new attack vector or signature[br]that comes in and unfortunately, 1:48:23.023,1:48:29.066 the ideal scenarios never happen and[br]attackers have gotten smart and they know how 1:48:29.066,1:48:34.003 to [inaudible] it up and do the damage,[br]and put the damage that they need 1:48:34.003,1:48:36.004 to for the people that are unprepared. 1:48:36.004,1:48:38.004 >> Brian: Thank you, Damian, just let[br]me interject before you go there. 1:48:38.004,1:48:44.098 So hearing Danny and Miguel,[br]clearly understanding that again, 1:48:44.098,1:48:49.076 the problem of the upstream operator and[br]what their sophistication capabilities are 1:48:49.076,1:48:55.053 in helping you diagnose the problem across[br]networks, if you will, as you pointed out. 1:48:55.053,1:48:58.043 And also the clear understanding[br]of needing to kind 1:48:58.043,1:49:02.007 of secure your resources and[br]prevent collateral damage. 1:49:02.007,1:49:09.035 But Damian, Ram, Jeff, bring in also how do[br]we work effectively with law enforcement? 1:49:09.035,1:49:13.097 What can they do to help, what can[br]you do together and the good scenario 1:49:13.097,1:49:19.067 when it works well with the upstream[br]provider, what does that look like? 1:49:19.067,1:49:23.087 >> Damian: Yes I'll start by saying[br]without bringing in law enforcement, 1:49:23.087,1:49:28.021 ideally you would be able to work directly with[br]the network operator, they do want to track it 1:49:28.021,1:49:32.053 through their network and[br]stop the attack upstream. 
1:49:32.053,1:49:39.034 There are situations as Miguel was[br]saying; sometimes it's a little tricky. 1:49:39.034,1:49:45.072 In this case we don't know if the[br]government of Mordor is behind these attacks. 1:49:45.072,1:49:50.068 So, sticking with the scenario,[br]it's never going to be entirely ideal 1:49:50.068,1:49:56.003 because you don't necessarily want to tell[br]the ISP in Mordor what your fingerprint 1:49:56.003,1:50:01.038 of the attack is which maybe would help them[br]filter it because they might just turn around 1:50:01.038,1:50:04.057 and tell the government, the government[br]will modify the attack to not match 1:50:04.057,1:50:07.042 that fingerprint anymore and then you're[br]in bigger trouble than you were before. 1:50:07.042,1:50:15.024 So, depending on how paranoid you want[br]to be, I'm a security person so I'm paid 1:50:15.024,1:50:21.049 to be paranoid but, you have to be a little[br]cautious about what information you're sharing. 1:50:21.049,1:50:26.044 Try to share information that's[br]useful for stopping the attack but, 1:50:26.044,1:50:30.006 not sharing everything you know about[br]the attack so you can still trace it. 1:50:30.006,1:50:38.021 In terms of law enforcement since we're[br]in the U.S., US-CERT is a good resource. 1:50:38.021,1:50:41.054 They have contacts at CERTs. 1:50:41.054,1:50:44.026 CERT is Computer Emergency Response Team. 1:50:44.026,1:50:48.092 They have contacts at CERTs in every[br]other country and so that's very helpful 1:50:48.092,1:50:51.028 because they're sort of a central point. 1:50:51.028,1:50:56.025 They might be able to recognize that[br]you're not the only victim of an attack, 1:50:56.025,1:51:01.092 so they might be able to correlate events[br]that you perhaps were not aware of. 1:51:01.092,1:51:04.009 And they can also assist with language issues. 
1:51:04.009,1:51:09.087 You know it's very difficult for me[br]personally to email an ISP in Asia 1:51:09.087,1:51:15.009 because I don't speak any of the Asian languages[br]whereas US-CERT probably has the ability 1:51:15.009,1:51:19.069 to handle that translation a little bit better 1:51:19.069,1:51:23.098 than Google Translate which[br]is my fallback option. 1:51:23.098,1:51:24.009 [Laughter] 1:51:24.009,1:51:26.092 >> Brian: Thank you, Ram. 1:51:26.092,1:51:34.067 >> Ram: Thanks, so in this ideal scenario[br]perhaps one of the things that has to be worked 1:51:34.067,1:51:38.025 on is the formation of an[br]alliance for data sharing. 1:51:38.025,1:51:43.077 Especially identifying who the next[br]Genovia might be and you go work 1:51:43.077,1:51:49.094 out who those next Genovias might be and[br]this kind of an alliance cannot be government 1:51:49.094,1:51:56.093 to governments, it's got to be public, private,[br]a combination of that and that takes time to do 1:51:56.093,1:51:59.001 but this is the time to start[br]doing it [inaudible]. 1:51:59.001,1:52:04.069 The second, you know we're talking about this[br]ideal scenario and there is rapid availability. 1:52:04.069,1:52:08.083 The attack happened, mitigation[br]happened, everything came back 1:52:08.083,1:52:14.091 but remember this might simply be Mordor[br]profiling you for a bigger attack to come 1:52:14.091,1:52:20.058 and they've now learned how you countered it[br]and they're building counter-measures right now 1:52:20.058,1:52:23.046 for your counters and that's likely to happen 1:52:23.046,1:52:27.067 if this is really a serious[br]act coming up against you. 1:52:27.067,1:52:33.005 So, you may leave everything[br]on the floor at this time 1:52:33.005,1:52:37.035 and you may just get killed[br]really online the next time. 
1:52:37.035,1:52:46.028 On the third is law enforcement, this is a case[br]where most often this is a sourceless crime, 1:52:46.028,1:52:51.034 there is no one to prosecute, there's no[br]one to really go after for the most part. 1:52:51.034,1:52:58.046 Most of the people along the way are in[br]transit and are trying to help to some extent. 1:52:58.046,1:53:02.072 They're just doing their job passing[br]packets along, passing information along 1:53:02.072,1:53:09.075 and they got co-opted into something that[br]was initially beyond their understanding 1:53:09.075,1:53:13.046 and eventually beyond their[br]ability to solve individually. 1:53:13.046,1:53:19.026 So you have to start to change a little bit of[br]law enforcement's mindset of who are we going 1:53:19.026,1:53:25.093 after because this is not so much about[br]a counter attack, this is often much more 1:53:25.093,1:53:33.008 about prevention and you have to start[br]thinking about the online equivalent 1:53:33.008,1:53:42.069 of a neighborhood watch and one doesn't[br]really exist in any coordinated way today. 1:53:42.069,1:53:43.033 >> Brian: Thanks, Jeff. 1:53:43.033,1:53:46.009 >> Jeff: I definitely like going last. 1:53:46.009,1:53:50.053 I have more time to think about what I'm going[br]to say and I bounced around with a few ideas 1:53:50.053,1:53:52.074 but you know they say don't fight the scenario 1:53:52.074,1:53:54.072 but I was always the kid[br]who fought the scenario. 1:53:54.072,1:53:58.067 So I guess I would start kind of where[br]Damian went, if you're in an ideal scenario 1:53:58.067,1:54:06.039 that means Mordor is helping and helping[br]you willingly and with no ill intent 1:54:06.039,1:54:09.017 in actually wanting to stop their[br]own citizens who [inaudible] 1:54:09.017,1:54:11.038 and probably something they believe in. 
1:54:11.038,1:54:16.017 Which leads me to point two, I think Ram hit[br]well, if everything is really going that well, 1:54:16.017,1:54:20.084 that's when you should really start being[br]scared because things never go that well. 1:54:20.084,1:54:23.064 So question everything that worked[br]and try to figure out why it worked 1:54:23.064,1:54:27.002 and is someone just letting you think it worked? 1:54:27.002,1:54:33.048 In terms of what does it look like to be[br]successful on the legal and governmental side, 1:54:33.048,1:54:36.034 there are a lot of things you need to work. 1:54:36.034,1:54:39.073 Governments that are willing to share[br]information, that have relationships, 1:54:39.073,1:54:42.099 that trust each other, but then[br]even beyond that you need laws 1:54:42.099,1:54:47.001 that will allow the information sharing both[br]between the private sector and the government 1:54:47.001,1:54:49.074 within each country and then[br]between the various governments. 1:54:49.074,1:54:52.017 But then you also need laws[br]that protect the privacy 1:54:52.017,1:54:56.083 of the individuals whose information is[br]being shared and assuming you have all that 1:54:56.083,1:55:00.081 and you get the information that allows[br]you to find the actual source of the crime 1:55:00.081,1:55:05.045 which as Ram said is very difficult, you[br]actually have both resources and laws 1:55:05.045,1:55:11.079 that allow prosecution and not in medieval ways[br]of people who are doing these types of acts. 1:55:11.079,1:55:18.017 So going back to, you really need[br]to figure out what your end-goal is 1:55:18.017,1:55:22.064 out of this before you figure[br]out, it would be great 1:55:22.064,1:55:24.033 if you'd actually prosecute the people doing it. 1:55:24.033,1:55:27.049 It would be better if you could get[br]all your systems back up really quickly 1:55:27.049,1:55:32.005 and try to develop better relationships[br]to prevent them in the future. 
1:55:32.005,1:55:33.059 >> Brian: So Jeff, just picking[br]up at that point, 1:55:33.059,1:55:38.002 this will be the last round then we'll[br]turn it over to Q&A for the audience 1:55:38.002,1:55:41.014 and Ram mentioned the notion of an alliance. 1:55:41.014,1:55:45.011 Danny, the CSRIC work that you[br]mentioned at the FCC. 1:55:45.011,1:55:52.029 Very interesting industry, government but[br]clearly, just uniquely ISP focused in terms 1:55:52.029,1:55:58.002 of best practices or a potential code[br]of conduct if you will in that exercise. 1:55:58.002,1:56:04.086 Where is this collaboration happening today or[br]the seeds of this collaboration between industry 1:56:04.086,1:56:10.021 and government specifically that[br]clearly has to be globally oriented. 1:56:10.021,1:56:13.055 That has to be cross-cutting across boundaries. 1:56:13.055,1:56:16.038 Where is that happening, where should it begin 1:56:16.038,1:56:19.099 to happen more deeply and[br]how can we make that happen? 1:56:19.099,1:56:21.009 I'll open to the entire panel. 1:56:21.009,1:56:23.001 Danny. 1:56:23.001,1:56:32.018 >> Danny: So yeah there is a lot of national[br]level stuff that I mentioned certainly as some 1:56:32.018,1:56:37.009 of the countries that are blazing the trail[br]there from Australia, to Germany, to Finland, 1:56:37.009,1:56:43.094 to the U.S. I mean some of the work that[br]the FCC and others have done which is 1:56:43.094,1:56:46.011 about educating folks and sharing information. 1:56:46.011,1:56:51.054 A lot of this as you'll notice, even though[br]these scenarios come back to international laws 1:56:51.054,1:56:58.056 or even national laws or disclosure laws or fair[br]disclosure laws, right I mean what is the extent 1:56:58.056,1:57:03.057 of where I can share information and who I can[br]get help from and where can we get collaboration 1:57:03.057,1:57:07.081 from a nation state versus send in a[br]snatch team or not do anything, right? 
1:57:07.081,1:57:14.002 And so, what are the kinds of capabilities that[br]you have, and then you'd really like to operate 1:57:14.002,1:57:18.019 in meatspace and prosecute people that[br]have real impacts on real businesses 1:57:18.019,1:57:22.055 and break walls internationally,[br]but how do you balance 1:57:22.055,1:57:26.002 that internationally with[br]the privacy for example? 1:57:26.002,1:57:30.006 I mean that's a tough balance because if you[br]can attribute every transaction on the internet, 1:57:30.006,1:57:34.058 then no one has any privacy or[br][inaudible] and what does that mean 1:57:34.058,1:57:36.015 for censorship or for other things. 1:57:36.015,1:57:39.066 So all these sort of things together is, 1:57:39.066,1:57:43.076 it definitely needs more[br]leadership from the government. 1:57:43.076,1:57:46.003 I think they've certainly[br]done a humongous amount, 1:57:46.003,1:57:51.039 and from local law enforcement folks[br]we work with, to national level folks, 1:57:51.039,1:57:54.009 and certainly Jeff and some[br]of the places he's been. 1:57:54.009,1:57:57.074 A lot of the folks looking for ways[br]to collaborate and to put frameworks 1:57:57.074,1:58:05.054 in place allowing information sharing and enable[br]in a sort of protections of private sector 1:58:05.054,1:58:11.004 and industry and you know that the government's[br]got your back for this and that they're going 1:58:11.004,1:58:15.035 to pull the levers and turn the[br]steam valves they need to make sure 1:58:15.035,1:58:18.099 that if someone is attacking someone on[br]this infrastructure and having an impact 1:58:18.099,1:58:24.054 that it's having a real impact and[br]represent their citizens wherever they are. 
1:58:24.054,1:58:28.004 So I think it sort of goes all the way back[br]to that from the international perspective 1:58:28.004,1:58:32.008 because of the projection capability[br]that adversaries have on the internet 1:58:32.008,1:58:39.028 and there are a lot of alliances, a lot are[br]private sector, public sector, partnerships, 1:58:39.028,1:58:42.056 everything from Internet Security Alliance,[br]Online Trust Alliance, StopBadware. 1:58:42.056,1:58:44.089 I mean there's no shortage. 1:58:44.089,1:58:49.051 I mean a lot of the outreach that we[br]talked about, the work that [inaudible] 1:58:49.051,1:58:53.097 and Anti-Phishing Working Group and[br]some of the other folks have done. 1:58:53.097,1:59:00.017 So I think that a lot of this is happening but[br]it certainly, the industry level leadership 1:59:00.017,1:59:05.071 with the recognition by governments[br]that they're captive to this. 1:59:05.071,1:59:07.072 We're all sort of captive to[br]this and the only way we're going 1:59:07.072,1:59:10.004 to get there is if we collaborate. 1:59:10.004,1:59:12.054 >> Brian: Thanks, anybody else? 1:59:13.075,1:59:17.002 >> You know there are many more[br]acronyms we could throw out there 1:59:17.002,1:59:21.019 about the various public/private[br]collaboration partnerships. 1:59:21.019,1:59:23.041 Some doing great work, some doing work. 1:59:23.041,1:59:29.015 [Laughter] But I want to get back to[br]something I think Miguel touched on earlier 1:59:29.015,1:59:34.007 about information sharing and the need to share[br]information and most folks who would go ahead 1:59:34.007,1:59:35.057 and share will get slapped down for it. 1:59:35.057,1:59:43.021 There are two reasons for it, one[br]corporate strategic secret issues, 1:59:43.021,1:59:45.055 but also the lawyers will[br]often slap you down because, 1:59:45.055,1:59:47.003 well can we really share that information. 
1:59:47.003,1:59:53.015 That's an area where I think we need change[br]and we need it soon is changing the laws 1:59:53.015,1:59:58.032 that limit the ability of companies who want to[br]share information with other companies, ECPA, 1:59:58.032,2:00:04.048 Electronic Communication Privacy Act, antitrust[br]laws, all these don't need to be gutted, 2:00:04.048,2:00:07.087 they need to be reformed and[br]frankly we got to a very weird place 2:00:07.087,2:00:10.004 in the [inaudible] legislative cycle[br]this year where you had the head 2:00:10.004,2:00:15.086 of the national security agency and you had[br]privacy groups all saying this is something we 2:00:15.086,2:00:18.001 need to do and here's the framework[br]that we all think actually can work. 2:00:18.001,2:00:23.013 It based our own idea of sharing cyber[br]security information narrowly defined 2:00:23.013,2:00:25.087 for cyber security purposes, narrowly defined, 2:00:25.087,2:00:30.031 but Congress in its infinite[br]wisdom got you have the NSA 2:00:30.031,2:00:34.051 and the privacy groups essentially[br]agreeing, so Congress chose not to act. 2:00:34.051,2:00:38.062 And that is something that I think is not[br]going to solve the problem but would be a step 2:00:38.062,2:00:41.042 in the right direction to[br]allow information sharing 2:00:41.042,2:00:43.044 and maybe breakdown some of those barriers. 2:00:43.044,2:00:49.057 Make it happen 5, 10, 15, minutes an hour[br]soon, sooner or even won't happen at all 2:00:49.057,2:00:53.000 so that's something that within all these[br]groups there are still these limitations 2:00:53.000,2:00:57.077 that are illegal and need to[br]be changed by the politicians. 2:00:57.077,2:00:59.004 >> Brian: Thanks, Damian. 2:00:59.004,2:01:03.062 >> Damian: I wanted to mention there are[br]some ways that collaboration can occur 2:01:03.062,2:01:09.016 without needing to necessarily involve[br]lawyers or worry about user privacy. 
2:01:09.016,2:01:14.011 Some of the attacks that we see, there's[br]just sharing information about the fact 2:01:14.011,2:01:17.009 that we're seeing an attack,[br]the size of the attack, 2:01:17.009,2:01:19.007 the type of the attack can be helpful to others. 2:01:19.007,2:01:27.041 So as a recent example the DoS attacks[br]that hit the banks recently hit us actually 2:01:27.041,2:01:32.025 about a week before it started hitting all[br]of the banks and we sent a quick heads-up 2:01:32.025,2:01:38.008 to a security list of people[br]just letting them know, 2:01:38.008,2:01:41.005 hey we're getting this surprisingly[br]large attack. 2:01:41.005,2:01:44.036 This is a bit unusual; this[br]is what it looks like. 2:01:44.036,2:01:47.035 You might want to watch out, be prepared. 2:01:47.035,2:01:51.076 Unfortunately two days later, we wrote[br]back and said it just doubled in size, 2:01:51.076,2:01:56.014 but there are things that you[br]can do to give out information. 2:01:56.014,2:02:00.038 We're not giving out necessarily like[br]the IP addresses that it's coming 2:02:00.038,2:02:05.025 from because we have talked to lawyers[br]about the privacy implications of that, 2:02:05.025,2:02:09.088 but even just the basic information about the[br]type of attack that you're getting and the size 2:02:09.088,2:02:16.013 and maybe the general area of the world it's[br]coming from can be very helpful to others. 2:02:16.013,2:02:19.089 >> Brian: Thanks, any last remarks? 2:02:19.089,2:02:22.054 Okay, thank you panelists[br]very much for playing along 2:02:22.054,2:02:25.056 and for the great information[br]you've provided us with so far. 2:02:25.056,2:02:30.029 So let's get to the real important folks here[br]today, the audience both here and online. 2:02:30.029,2:02:35.068 At least for the next 30 minutes, we'll[br]have an open mic in the middle of the room. 
2:02:35.068,2:02:40.015 I think we have some questions[br]from online, so if you would, 2:02:40.015,2:02:49.066 please [inaudible] we have--[br][Pause]-- it doesn't work? 2:02:50.076,2:02:55.014 Why don't you come up and use this[br]microphone if you would to pose your question. 2:02:55.014,2:02:56.012 [Pause] 2:02:56.012,2:03:03.002 >> David: I'm David Thaumenal [phonetic][br]President of The Internet Society of New York 2:03:03.002,2:03:07.061 and just as we have software as a[br]service and infrastructure as a service, 2:03:07.061,2:03:13.025 there's now crime-ware as a service so if I'm a[br]bad person, rather than going to all the trouble 2:03:13.025,2:03:16.073 of actually attacking somebody[br]I don't like on the internet, 2:03:16.073,2:03:23.012 I can actually pay a service[br]provider to do it for me 2:03:23.012,2:03:29.057 and they're using a commercial business model[br]so I can have warranties, guarantees of quality 2:03:29.057,2:03:33.031 of service, support contracts[br]and everything else. 2:03:33.031,2:03:41.006 So my question is wouldn't it make sense[br]for whether it's industry or law enforcement 2:03:41.006,2:03:49.077 or whatever to focus on identifying these[br]crime-ware service providers, infiltrating them, 2:03:49.077,2:03:55.024 targeting them, purchasing their[br]software and reverse engineering it 2:03:55.024,2:04:01.095 to disable it, that type of thing? 2:04:01.095,2:04:05.088 >> Brian: Anyone on the panel want to take that? 2:04:05.088,2:04:12.007 >> Danny: Absolutely, if you go back[br]to the scenario of an ideal world, 2:04:12.007,2:04:16.071 but a lot of these are happening offshore in[br]countries that aren't particularly amenable 2:04:16.071,2:04:23.005 to working with our law enforcement[br]to arrest or prosecute. 2:04:23.005,2:04:28.095 Reverse engineering I think goes on, but the[br]problem is that the software morphs so quickly 2:04:28.095,2:04:33.039 that the signatures are old as soon as you know it. 
2:04:33.039,2:04:37.035 And there are other efforts, other[br]techniques for protecting against it 2:04:37.035,2:04:41.029 and I think that's actively underway, but[br]in terms of infiltrating, breaking up, 2:04:41.029,2:04:44.067 prosecuting, they'd just go somewhere else. 2:04:44.067,2:04:50.009 >> So I was going to add just there[br]is one aspect to this certainly lots 2:04:50.009,2:04:53.064 of folks are looking at when you try to[br]move it back to meatspace and the place 2:04:53.064,2:04:57.095 where law enforcement usually operates[br]in a more productive way and better 2:04:57.095,2:05:04.031 than most information security folks and there[br]has been a lot more work on follow the money 2:05:04.031,2:05:07.094 and use that angle for the[br]attribution side of this. 2:05:07.094,2:05:12.082 I mean some of the recent things you may[br]have seen from spam campaigns to phishing 2:05:12.082,2:05:15.032 and malcode distribution[br]and those sorts of things. 2:05:15.032,2:05:20.026 Some recent work actually by Stefan[br]Savage and some of the folks at UCSB 2:05:20.026,2:05:25.028 was particularly enlightening in that[br]area for those of you that haven't seen that. 2:05:25.028,2:05:28.087 And I know that law enforcement is certainly[br]taking note and very good at those kind 2:05:28.087,2:05:37.072 of things and so, I suspect that[br]being aware of that and seeing more 2:05:37.072,2:05:40.005 on that side I would follow the[br]money and work on the attribution 2:05:40.005,2:05:45.003 and the prosecution associated with malicious[br]activity, that sort is certainly something 2:05:45.003,2:05:49.029 that we're going to see more of[br]from a prosecution perspective. 2:05:49.029,2:05:53.027 >> Brian: And the FBI has had[br]some big takedowns recently. 2:05:53.027,2:05:57.058 There was one in [inaudible][br]early this year, late last year. 2:05:57.058,2:05:59.068 >> Last year. 2:05:59.068,2:06:00.039 >> Brian: Thank you. 
2:06:00.039,2:06:02.022 I've got two questions from online, 2:06:02.022,2:06:05.062 I'll go to one of them first[br]and then come back to the room. 2:06:05.062,2:06:09.072 From Vanda [phonetic]: the reality[br]that people don't think it will happen 2:06:09.072,2:06:11.074 to them is a fact here too. 2:06:11.074,2:06:18.003 So how can I convince people that they[br]need to take preventative measures? 2:06:19.023,2:06:20.072 Jillian? 2:06:20.072,2:06:25.088 >> Jillian: Sure, so I don't know[br]what "here" means in that sentence 2:06:25.088,2:06:30.052 but nonetheless I would say in[br]thinking about how to convince people, 2:06:30.052,2:06:36.098 there is a wealth of information on what sort[br]of attacks occurred and who they've targeted 2:06:36.098,2:06:40.013 and one of the things that this[br]Berkman Center study found was 2:06:40.013,2:06:43.091 that there's really no associated[br]ideology with attacks. 2:06:43.091,2:06:49.088 There's one example where some[br]conservative Muslim groups outside 2:06:49.088,2:06:52.077 of the U.S. were attacking[br]U.S. Conservative websites. 2:06:52.077,2:06:57.096 The U.S. Conservative Groups were then attacking[br]these Muslim websites outside the U.S. And so on 2:06:57.096,2:07:02.053 and so forth and sort of in a circle[br]and so, anyone can be a victim. 2:07:02.053,2:07:07.019 Any type of group, any type of ideology and[br]so I think that's where we start looking 2:07:07.019,2:07:13.032 at previous attacks and educating people[br]about those various disparate targets, 2:07:13.032,2:07:15.013 that's another way that we can raise awareness. 
2:07:15.013,2:07:20.023 And then like I said just sort of thinking[br]about risk assessments, not an easy thing 2:07:20.023,2:07:26.009 in these cases and like I said with having[br]disparate ideologies be the target of attacks, 2:07:26.009,2:07:31.059 it's not easy to really assess what[br]your actual risk is and so to assume 2:07:31.059,2:07:34.097 that you could potentially be a target[br]of an attack is the first thing. 2:07:34.097,2:07:41.071 But then to sort of weigh your risk and figure[br]out what you might want to think about in terms 2:07:41.071,2:07:44.099 of what's important to you[br]and keeping your site up. 2:07:44.099,2:07:46.065 >> Brian: Sure, Miguel. 2:07:46.065,2:07:49.032 >> Miguel: Thank you Brian. 2:07:49.032,2:07:55.077 What the question refers to is sort of how[br]to make the business case for protection 2:07:55.077,2:07:58.065 or mitigation against this kind of a threat. 2:07:58.065,2:08:04.033 Danny actually talked about some of these[br]things previously in the conversation in terms 2:08:04.033,2:08:08.047 of really evaluating your[br]infrastructure and your needs and kind 2:08:08.047,2:08:13.077 of asking yourself some basic questions. 2:08:13.077,2:08:20.043 What would it mean to you if your, let's[br]say for example your website was down? 2:08:20.043,2:08:24.027 What are some of the things that could[br]potentially happen if that was the case 2:08:24.027,2:08:26.086 and what would the impact to you be 2:08:26.086,2:08:30.037 if your infrastructure was[br]down for 12 hours for example? 2:08:30.037,2:08:33.096 I'll use some private sector examples[br]to just kind of illustrate this. 2:08:33.096,2:08:37.085 Maybe obviously there's potentially[br]the revenue component. 2:08:37.085,2:08:39.041 Maybe you're making money off your website 2:08:39.041,2:08:46.012 so there's some tangible result[br]in terms of not having revenue. 
2:08:46.012,2:08:51.051 But from a customer service perspective for example, what happens if your website is 2:08:51.051,2:08:53.015 down for a certain amount of time? 2:08:53.015,2:08:58.016 Maybe your call center gets flooded, gets into code red. 2:08:58.016,2:09:03.012 People are waiting an hour-and-a-half to have the phone answered. 2:09:03.012,2:09:07.006 Maybe your email boxes start getting flooded and maybe it's going to take weeks potentially 2:09:07.006,2:09:11.043 to dig yourself out of that hole. 2:09:11.043,2:09:17.039 Another thing to kind of think about is, as you make the business case for this 2:09:17.039,2:09:25.088 or to have some kind of a plan to mitigate the attacks is how long would it actually take you 2:09:25.088,2:09:30.049 to get your core infrastructure or the infrastructure you need to be online, 2:09:30.049,2:09:34.052 back online if something like this happened? 2:09:34.052,2:09:38.008 Potentially it would take you a significant amount of time just to figure 2:09:38.008,2:09:44.058 out what's actually happening let alone figuring out what the path is going to be in terms 2:09:44.058,2:09:47.084 of what the best strategy is to deal with the problem when it happens. 2:09:47.084,2:09:51.088 And then on top of that, after that is once you actually know what to do, 2:09:51.088,2:09:55.002 actually putting the plan in place to do what needs 2:09:55.002,2:09:57.077 to be done to get the threat under control. 2:09:57.077,2:10:01.037 So when you start asking yourself some of these fundamental questions 2:10:01.037,2:10:04.054 and it's not just a private sector thing where you're worried 2:10:04.054,2:10:08.022 about your revenue potentially or your brand equity. 2:10:08.022,2:10:11.015 You know the public sector faces this as well 2:10:11.015,2:10:14.007 because it obviously, there's some tangible stuff.
2:10:14.007,2:10:20.096 It looks really bad when a government website is down or a free speech NGO website is down. 2:10:20.096,2:10:23.098 So there are fundamental questions that you can start asking yourself 2:10:23.098,2:10:28.072 and when you start asking yourself these questions and really look 2:10:28.072,2:10:31.089 at what the impact is going to be, both short-term and long-term, 2:10:31.089,2:10:34.014 you really have to think about the long-term impact too. 2:10:34.014,2:10:40.056 At that point you start to look at that and the business case for DDoS protection 2:10:40.056,2:10:45.088 or for having a plan in place to deal with this particular issue if it happens, 2:10:45.088,2:10:50.012 it starts to become quite apparent that this is something that is worth doing. 2:10:50.012,2:10:54.082 >> Brian: Sounds like good common sense, anybody else, yeah, Damian. 2:10:54.082,2:11:01.002 >> Damian: So I want to highlight like in addition to just the business financial impact, 2:11:01.002,2:11:03.066 there is a very strong PR impact to going down. 2:11:03.066,2:11:09.045 We saw user comments during the bank attacks, you know comments and articles 2:11:09.045,2:11:13.015 of our users saying things like, if my bank can't handle a DoS attack, 2:11:13.015,2:11:16.038 how do I trust that they know how to secure my money? 2:11:16.038,2:11:20.009 They're completely unrelated things but the average person doesn't understand that 2:11:20.009,2:11:24.073 and so there can be a significant PR impact to your organization if it goes down even 2:11:24.073,2:11:29.013 if it doesn't directly affect them like with banking yes, 2:11:29.013,2:11:32.065 some people couldn't do online banking for a day, ATMs were still fine. 2:11:32.065,2:11:40.007 Like there was no actual real risk there but I also want to point out that I think going 2:11:40.007,2:11:43.065 down is actually a viable option.
2:11:43.065,2:11:48.003 We're all talking about it as if the ultimate goal is to stay online, 2:11:48.003,2:11:52.039 but economically that might not make sense for you and even 2:11:52.039,2:11:54.077 from a PR standpoint it may not make sense. 2:11:54.077,2:11:59.022 If you're a human rights organization and you can get an article in the New York Times 2:11:59.022,2:12:02.069 about how you went down due to a DoS attack, 2:12:02.069,2:12:04.096 that's the best publicity you can possibly imagine. 2:12:04.096,2:12:09.002 Nobody is thinking about human rights until they see this article. 2:12:09.002,2:12:16.065 So, it's something to keep in mind, staying up at all costs isn't necessarily the end goal. 2:12:16.065,2:12:17.069 >> Brian: Yeah, Danny. 2:12:17.069,2:12:21.078 >> Danny: So I was going to add a little bit to both of what they said actually, 2:12:21.078,2:12:24.058 and to Vanda's question, how do you sort of get ahead of these. 2:12:24.058,2:12:27.047 One of the comments that I made earlier is somewhere between 80% 2:12:27.047,2:12:31.082 and 85% of IT security spend goes toward regulatory compliance. 2:12:31.082,2:12:36.004 Things you have to do just to check boxes like these fire suppression systems right, 2:12:36.004,2:12:42.053 and this is the sort of thing where most of the traditional controls that are on our network, 2:12:42.053,2:12:48.023 the 100s and 100s that we have are about keeping private information private and more and more 2:12:48.023,2:12:50.096 so many organizations, particularly for internet facing services, 2:12:50.096,2:12:54.041 the availability of those services, as opposed to just the confidentiality 2:12:54.041,2:12:58.048 of the data contained therein is more and more of an issue 2:12:58.048,2:13:02.018 and so making sure you understand that, to Miguel's point.
2:13:02.018,2:13:07.066 Risk management 101, basic business resilience says take the asset, take what one minute 2:13:07.066,2:13:14.008 of downtime with that asset may cost you, talk about how long a particular outage may be 2:13:14.008,2:13:17.017 and then you come up with your single loss expectancy 2:13:17.017,2:13:19.008 and then take how many times this may occur in a year, something known 2:13:19.008,2:13:25.024 as annualized loss expectancy, and you multiply annualized rate of occurrence 2:13:25.024,2:13:27.007 with single loss expectancy and you know in a year, 2:13:27.007,2:13:30.033 this much downtime could cost you this much in your organization. 2:13:30.033,2:13:34.002 And if you don't do that, and then say okay what are we willing to invest in proactively 2:13:34.002,2:13:40.008 to get residual risk to some level that we [inaudible] or go buy insurance 2:13:40.008,2:13:42.044 or ignore it and hope that it doesn't happen. 2:13:42.044,2:13:44.065 And so you really need to think about this. 2:13:44.065,2:13:49.084 Actually, I'll reference again the internet security lines documents. 2:13:49.084,2:13:53.079 It's a little hefty but it's a really great read for folks asking just that question. 2:13:53.079,2:13:59.009 It's a CFO's guide to cyber risk and it sort of talks about some of these sorts of things. 2:13:59.009,2:14:04.076 I definitely recommend that you have a look at that and try to get ahead of it. 2:14:04.076,2:14:06.004 So, I'm done now so-- 2:14:06.004,2:14:08.068 >> Brian: Okay do we have other questions from inside the room? 2:14:08.068,2:14:10.018 Please, okay.
2:14:10.018,2:14:18.014 >> You were talking about the PR aspect of it and I took Jill's comment to heart earlier 2:14:18.014,2:14:22.004 about she doesn't think it's a good idea and we know 2:14:22.004,2:14:27.093 that Pirate Bay went anonymous [inaudible] the whole Pirate Bay came 2:14:27.093,2:14:33.002 out against it saying they were for free speech and this was against it and I wonder 2:14:33.002,2:14:40.007 about how much embarrassment and the moral argument and basically if you've got governments 2:14:40.007,2:14:43.023 who are doing it, can there be kind of treaties between governments 2:14:43.023,2:14:46.034 that say this is not acceptable behavior. 2:14:46.034,2:14:50.053 And in the activist world, also the same kind of thing 2:14:50.053,2:14:57.075 so [inaudible] technical solutions are where social solutions? 2:14:57.075,2:15:01.062 >> Jillian: Sure so I'll just give my quick two cents because I'm actually more curious 2:15:01.062,2:15:03.065 to hear others' responses to this. 2:15:03.065,2:15:08.081 So using our example of Mordor and not getting into real life, let's say that the governor 2:15:08.081,2:15:12.044 of Mordor was partly behind the attacks against Genovia. 2:15:12.044,2:15:17.058 And so in cases like that, it's really difficult. 2:15:17.058,2:15:21.072 I'm assuming that Mordor also prosecutes citizens for hacking 2:15:21.072,2:15:27.052 and for their own DDoS perpetrations and so it's really difficult to look at that 2:15:27.052,2:15:31.023 and say that Mordor has any moral ground to stand 2:15:31.023,2:15:34.006 on when it does prosecute its own citizens for being behind those attacks. 2:15:34.006,2:15:37.066 And I think that we have seen, I'm sure you're aware of them, 2:15:37.066,2:15:39.007 real life examples where this exists. 2:15:39.007,2:15:42.092 Where you know governments are doing one thing with one hand and something with the other.
2:15:42.092,2:15:50.005 But to the point about [inaudible] example is a great one and I agreed with them 2:15:50.005,2:15:53.059 and I think John Perry Barlow one of the founders of [inaudible] said the same thing 2:15:53.059,2:15:57.097 that DDoS attacks are essentially an attack on free expression. 2:15:57.097,2:16:00.033 I do agree with that. 2:16:00.033,2:16:05.044 Like I said I think that there are some circumstances where it's much more difficult 2:16:05.044,2:16:09.098 to condemn and those are circumstances where you're up against a government 2:16:09.098,2:16:15.054 that is stifling its own citizens' free expression and so you're getting into sort 2:16:15.054,2:16:21.033 of irregular warfare, online warfare in those cases, but generally speaking I do think 2:16:21.033,2:16:26.014 that it would be a lot easier if we all viewed this as something 2:16:26.014,2:16:28.031 that was not morally acceptable in terms of free expression. 2:16:28.031,2:16:32.056 It would certainly be a lot easier to go after the actual bad guys. 2:16:32.056,2:16:34.047 >> Brian: Others, Jeff? 2:16:34.047,2:16:39.069 >> Jeff: I would say I think that there are things that can be improved 2:16:39.069,2:16:43.031 through international cooperation, potentially international treaties. 2:16:43.031,2:16:47.081 There's a pretty healthy debate over whether that's even possible and enforceable 2:16:47.081,2:16:51.034 and I think we at least have to try. 2:16:51.034,2:16:55.025 Maybe some of that will filter down into day-to-day conduct with people, 2:16:55.025,2:16:59.049 but people still commit crimes all the time even though they're illegal 2:16:59.049,2:17:05.046 so I think there's a limitation to how far that will go to stop the groups that think 2:17:05.046,2:17:08.025 that they're above the law or independent of law 2:17:08.025,2:17:11.089 or have a separate obligation that's different to it.
2:17:11.089,2:17:16.042 But I think you will see more effort in the future to try 2:17:16.042,2:17:23.092 out some negotiated agreements; it remains to be seen if they're actually verifiable. 2:17:23.092,2:17:25.098 >> Brian: We have an interesting question from online. 2:17:25.098,2:17:27.006 I know we've got another couple from in the room. 2:17:27.006,2:17:29.059 This one is from Mikey. 2:17:29.059,2:17:37.029 What about a global simulation of a cyber event with a goal of beginning to build a global, 2:17:37.029,2:17:40.006 who can I call for immediate help type mechanism? 2:17:40.006,2:17:46.072 I know that in certain countries table top exercises take place with a number 2:17:46.072,2:17:50.024 of different participants that create scenarios, what about this idea 2:17:50.024,2:17:53.002 of a global simulated cyber event? 2:17:53.002,2:17:55.008 Is this feasible, would that be helpful? 2:17:59.086,2:18:01.029 Ram-- oh sorry, Danny. 2:18:01.029,2:18:11.083 >> Ram: I was just going to; I think it was Miguel that quoted Mike Tyson. 2:18:11.083,2:18:19.082 All the simulations are great but reality is often very different so, we'd have to think 2:18:19.082,2:18:22.065 about whether the simulation is actually helpful. 2:18:22.065,2:18:25.031 Certainly it helps to get people to be aware 2:18:25.031,2:18:29.039 of who they should be contacting and who to work with. 2:18:29.039,2:18:34.092 But the real life scenario is probably going to be fairly different. 2:18:34.092,2:18:36.076 >> Brian: Fair enough, Danny. 2:18:36.076,2:18:38.044 >> Danny: Yeah this is working now. 2:18:38.044,2:18:43.063 I would just add there are some multinational simulations today, everything from Cyber Storm 2:18:43.063,2:18:47.009 to you name it, lots of national level exercises, 2:18:47.009,2:18:50.014 international exercises that sort of thing.
2:18:50.014,2:18:54.026 I think from a global scale perspective, we have those every day, 2:18:54.026,2:18:57.037 [Laughter] so I'm not sure we actually need one. 2:18:57.037,2:19:03.073 Certainly we're on the receiving end of a lot of love and so I think 2:19:03.073,2:19:17.003 that exercising [audio issue] and understanding those sorts of things, 2:19:17.003,2:19:22.096 but [audio issue] final turn of attack vectors. 2:19:22.096,2:19:25.088 >> Brian: Okay in the room, I think we have at least 3 more. 2:19:25.088,2:19:28.076 Okay come on up to the mic-- oh is that one working now Joley? 2:19:28.076,2:19:29.004 >> Joley: No. 2:19:29.004,2:19:31.002 >> Brian: Okay come on up to the mic please 2:19:31.002,2:19:33.092 and if you'd introduce yourself before the question please. 2:19:33.092,2:19:41.036 >> My name is Anthony Bargese [phonetic] and I'm from John Jay College of Criminal Justice. 2:19:41.036,2:19:48.065 You guys covered some of the parties that DDoS and users and also the government, 2:19:48.065,2:19:54.096 and also the providers and how to be responsible and proactive. 2:19:54.096,2:20:00.044 But what about software vendors or some of the vendors that are putting their products 2:20:00.044,2:20:06.032 out there with all these security holes and that's where it starts and ends 2:20:06.032,2:20:08.066 with the NS providers, the ISP providers 2:20:08.066,2:20:18.011 who sometimes host these command and control servers for these DDoS attacks. 2:20:18.011,2:20:21.022 Should there be a change of mentality on their side? 2:20:21.022,2:20:29.057 I know that Google does something that's called bug bounties; they offer you money 2:20:29.057,2:20:32.027 if you find a bug in their software. 2:20:32.027,2:20:39.006 Should this be applied across the board for all the software vendors 2:20:39.006,2:20:41.081 and these providers of products?
2:20:41.081,2:20:43.059 >> Brian: [inaudible] 2:20:43.059,2:20:47.036 >> Damian: I guess I have to start. 2:20:47.036,2:20:57.000 So we do find-- what he was referring to is Google has a program where we actually pay 2:20:57.000,2:21:03.054 for people to find bugs in our products so for security critical bugs. 2:21:03.054,2:21:08.071 So we found that there's a lot of college kids or independent security researchers 2:21:08.071,2:21:12.032 who are very interested in looking for security holes 2:21:12.032,2:21:19.018 and when they previously basically had no option but they could give it to us privately, 2:21:19.018,2:21:24.004 hope that we'd fix it or to whatever vendor of the software was. 2:21:24.004,2:21:28.057 It could be Microsoft or Adobe, and hope that they would fix it, 2:21:28.057,2:21:34.007 but then if the company could just take no action and they could just wait 2:21:34.007,2:21:38.004 and let this vulnerability remain and eventually this kid might say, 2:21:38.004,2:21:42.077 the security researcher would say why am I waiting on this? 2:21:42.077,2:21:46.063 Everyone is vulnerable to this thing and they would publish this exploit 2:21:46.063,2:21:51.019 and then you could see lots of attacks targeting that. 2:21:51.019,2:21:58.073 So what Google has done is basically start offering money for bugs to compensate their time 2:21:58.073,2:22:04.052 in finding them so, if you compromise, if you find a vulnerability in Google Chrome, 2:22:04.052,2:22:10.034 the web browser, we'll pay you for information on that vulnerability with the agreement 2:22:10.034,2:22:13.085 that you're going to keep it quiet until we fix it which could take a few days. 2:22:13.085,2:22:22.047 And that way we're able to protect everyone and also compensate the security researcher. 2:22:22.047,2:22:25.015 >> Brian: Interesting, Miguel.
2:22:25.015,2:22:29.072 >> Miguel: The thing that kind of complicates this a little bit also is that a lot 2:22:29.072,2:22:36.056 of the internet runs on open source software which is it gets a little bit more difficult 2:22:36.056,2:22:40.096 to be able to put these mechanisms in place. 2:22:40.096,2:22:47.011 With the recent bank attacks, we saw vulnerabilities exploited 2:22:47.011,2:22:51.038 with open source content management systems that are widely deployed 2:22:51.038,2:22:55.053 like [inaudible], etcetera, and WordPress. 2:22:55.053,2:23:02.041 These are open source software that is out there that is used significantly 2:23:02.041,2:23:05.003 and so it gets a little bit harder. 2:23:05.003,2:23:11.071 Unfortunately it's difficult for operators necessarily to control the content that is 2:23:11.071,2:23:18.008 on their system, especially the shared hosting operators etcetera and it's hard to push people 2:23:18.008,2:23:24.061 to update their software and as for software developers, as much as they'll try 2:23:24.061,2:23:29.057 to make things as secure as they can, there's always going to be some kind of a bug, 2:23:29.057,2:23:37.031 you can't get it all and it's the fact that there's so much open source software out there, 2:23:37.031,2:23:41.031 it's not like you can point a finger and say you are responsible. 2:23:41.031,2:23:43.046 It's quite difficult to do. 2:23:43.046,2:23:45.016 >> Brian: Yeah, Ram. 2:23:46.025,2:23:53.089 >> Ram: You know one thing that software manufacturers and the developers of software, 2:23:53.089,2:23:59.023 some of them have to start thinking about and changing their mindset is due to come 2:23:59.023,2:24:04.024 to the understanding that many of the devices 2:24:04.024,2:24:09.065 on which the software is running are always on and they're always online.
2:24:09.065,2:24:15.072 There's still a lot of software that does not incorporate automatic updating 2:24:15.072,2:24:18.089 and regular downloads of patches. 2:24:18.089,2:24:24.055 That should be the baseline, that should be the very fundamental thing and that's the kind 2:24:24.055,2:24:29.093 of thing that ought to be taught in schools for folks learning how to write code. 2:24:29.093,2:24:35.021 It's not enough to just learn to do the code, but to have that mechanism in there. 2:24:35.021,2:24:38.096 It ought to be trivial and it ought to become regular. 2:24:38.096,2:24:45.002 Unfortunately, it's more the exception than the norm today and I think if you'd get 2:24:45.002,2:24:51.008 to that point that will solve some part of the problem significantly. 2:24:51.008,2:24:52.038 >> Brian: Danny. 2:24:52.038,2:24:56.067 >> Danny: So yeah I think I would be remiss in not mentioning Verisign's 2:24:56.067,2:25:00.032 iDefense Vulnerability Contribution Program as well and we do something very similar 2:25:00.032,2:25:06.008 for any vulnerabilities that fall within a very broad spectrum that are multivendor and try 2:25:06.008,2:25:10.016 and do responsible disclosure associated with those. 2:25:10.016,2:25:15.079 To the topic in general, I think bounties are certainly valuable things in general for people 2:25:15.079,2:25:21.017 that want to apply exploits in a positive way and contribute in a positive way to industry. 2:25:21.017,2:25:25.016 I think anybody that's paying attention certainly realizes a lot 2:25:25.016,2:25:30.007 of the commercial vendors, while there's always going to be a long way to go, 2:25:30.007,2:25:34.061 are leaps and bounds from where we were with wormable systems 2:25:34.061,2:25:40.048 or even patch management systems that we were vulnerable of a few years ago.
2:25:40.048,2:25:43.008 And so I think Microsoft is an example, but lots of others as well, 2:25:43.008,2:25:50.036 and so I think we are making progress but, secure coding practices, application, 2:25:50.036,2:25:53.052 software security, those things and all the fundamentals are certainly things 2:25:53.052,2:25:56.097 that we're going to have to continue to do a much better job at. 2:25:56.097,2:25:59.018 >> Brian: Thank you, I know we've got two more questions in the room. 2:25:59.018,2:26:06.004 Go here first and then please identify yourself. 2:26:06.004,2:26:08.001 >> [Inaudible] New York Technology Council. 2:26:08.001,2:26:10.075 I was wondering if you could put this in perspective. 2:26:10.075,2:26:17.038 Are DDoS attacks the one thing we should be focusing on, are there other like SYN floods, 2:26:17.038,2:26:24.077 other attacks that are similar in nature that there should be conferences on and keep you 2:26:24.077,2:26:30.001 up at night or is this where most of your energy goes? 2:26:30.001,2:26:38.074 >> Ram: Yeah this, the single biggest thing that keeps me up at night. 2:26:38.074,2:26:48.007 Lots of other things end up becoming part of this much larger stream and it used to be 2:26:48.007,2:26:53.047 that it was a DoS attack and then it became a DDoS attack and then you had command and control 2:26:53.047,2:26:59.077 and then you have crowd sourced, it's evolving, it's not the same beast as it was many years ago. 2:26:59.077,2:27:04.086 So the definitions from multiple years ago, is not what it is today. 2:27:04.086,2:27:12.005 What really scares me about this is the asymmetric nature of the ability for an attacker 2:27:12.005,2:27:18.000 to mount a significant attack in a very short amount of time and keep it sustained 2:27:18.000,2:27:23.022 for a long period of time and really drain you on the responding side 2:27:23.022,2:27:28.034 of your critical attention resources.
2:27:28.034,2:27:33.067 That really worries me and I think you look at SYN floods or any of those things; 2:27:33.067,2:27:39.029 those kind of are subsumed into the larger scale of this phenomenon 2:27:39.029,2:27:47.043 that left unchecked I think has a significant negative impact. 2:27:47.043,2:27:48.068 >> Brian: Anyone else? 2:27:48.068,2:27:49.003 Yes Jillian. 2:27:49.003,2:27:53.008 >> Jillian: Yeah just I actually agree with what Ram just said. 2:27:53.008,2:27:58.099 I would add to that to say just say, and if you're thinking about the scale, 2:27:58.099,2:28:01.016 the most recent stat that I have off the top of my head is 2:28:01.016,2:28:08.075 that in 2010 Arbor Networks was detecting roughly 1300 attacks per day and I'm guessing 2:28:08.075,2:28:13.055 that it's much higher than that, the real number and so I do think this is a big concern 2:28:13.055,2:28:15.017 because of the impact that it has. 2:28:15.017,2:28:22.012 I mean there are certainly plenty of other types of attacks but the sort of inability 2:28:22.012,2:28:28.035 to protect oneself, coupled with everything that Ram just said, makes this a much bigger issue 2:28:28.035,2:28:33.083 than some of the other things that we're looking at. 2:28:33.083,2:28:38.068 >> Danny: I was going to add that DDoS, the two primary vectors: volumetric, 2:28:38.068,2:28:41.092 in other words attacks are getting bigger, more frequent, longer duration, 2:28:41.092,2:28:47.002 so forth but the sophistication of those as well where the right query string could drive a lot 2:28:47.002,2:28:50.038 of backend transactions on the right piece of [inaudible] those sorts of things 2:28:50.038,2:28:55.045 from a denial of service perspective is the availability side 2:28:55.045,2:28:57.007 of the information security [inaudible].
2:28:57.007,2:29:03.036 The other two sides are the integrity of the information on the infrastructure 2:29:03.036,2:29:08.013 and the confidentiality and I think certainly for anyone 2:29:08.013,2:29:13.068 in the information security field persistent attackers, advanced attackers, 2:29:13.068,2:29:19.091 even general attackers and mobile devices and bring your own device and sort 2:29:19.091,2:29:24.006 of a squishy perimeter and soft underbelly inside an enterprise 2:29:24.006,2:29:25.027 or at Starbucks or whatever. 2:29:25.027,2:29:29.068 All those things for information leakage and so forth certainly is something 2:29:29.068,2:29:33.016 that you should be concerned with as well but the availability side for a lot of folks 2:29:33.016,2:29:37.086 that are in the network services business is a very big piece of that but also the sort 2:29:37.086,2:29:42.095 of more concerted attackers that might want to control the right keyboard as opposed 2:29:42.095,2:29:47.093 to simply disabling is also something that has some pretty far reaching effects. 2:29:47.093,2:29:48.057 >> Brian: Damian. 2:29:48.057,2:29:51.092 >> Damian: So I wanted to say from a defender standpoint, 2:29:51.092,2:29:57.064 yeah DDoS is sort of the largest concern right now but from a global view, 2:29:57.064,2:30:02.033 I think DoS attacks are really a symptom of a larger problem which is that there are a lot 2:30:02.033,2:30:04.031 of infected machines on the internet. 2:30:04.031,2:30:09.071 I think at one point I heard an ISP say they estimated 10% of their customers are infected.
2:30:09.071,2:30:15.082 So when you take that into account, if we could actually stop having so many infected machines 2:30:15.082,2:30:18.056 on the internet or so many vulnerable machines at least, 2:30:18.056,2:30:23.058 then that would largely reduce the scope of these DoS attacks 2:30:23.058,2:30:26.019 and for that we basically need what Ram was saying 2:30:26.019,2:30:29.025 of automatic updates have to be the normal thing. 2:30:29.025,2:30:33.051 You should never have any client side software that doesn't automatically update. 2:30:33.051,2:30:34.059 >> Brian: Thanks, Miguel. 2:30:34.059,2:30:41.004 >> Miguel: Just adding to one thing that Damian is saying, I absolutely agree with all of that 2:30:41.004,2:30:47.035 in terms of automatic updates and especially for end user computers which form a significant part 2:30:47.035,2:30:50.001 of the botnet paradigm these days. 2:30:50.001,2:30:54.016 When it comes to enterprises, it gets a little bit more difficult. 2:30:54.016,2:31:06.008 I think as much as I would love to say automatically update my production software, 2:31:06.008,2:31:11.052 unfortunately, especially for large-scale operators, they're running infrastructure 2:31:11.052,2:31:15.054 that services a lot of people, you don't really know what's going to happen 2:31:15.054,2:31:19.021 when you make an update potentially and that has to be very carefully controlled, 2:31:19.021,2:31:20.086 it's got to be regression tested. 2:31:20.086,2:31:27.005 It's got to go through extensive QA and are we ever going to get to a point where it's going 2:31:27.005,2:31:34.011 to be easy for enterprises to be able to push out security fixes?
2:31:34.011,2:31:40.028 The idealist in me says I hope so, but I'm skeptical that that's going to be the case 2:31:40.028,2:31:47.045 because the day-to-day aspects of ensuring business operations, continuity and making sure 2:31:47.045,2:31:52.078 that assets are available are most likely for the foreseeable future, going to trump the need 2:31:52.078,2:31:55.055 to push out updates as quickly as possible. 2:31:55.055,2:31:58.067 >> Brian: Actually we do have two more questions. 2:31:58.067,2:32:01.052 This gentleman here first and we do have time for two more questions. 2:32:01.052,2:32:06.092 So will you come up please? 2:32:06.092,2:32:07.042 >> I am [inaudible]. 2:32:07.042,2:32:10.083 I run a software company called QCD Systems. 2:32:10.083,2:32:13.026 So the question is actually very similar to the previous one 2:32:13.026,2:32:15.067 but I'll go a little more in detail. 2:32:15.067,2:32:21.072 So when it comes to security, [inaudible] security off of just data itself. 2:32:21.072,2:32:25.021 So there's an attack to intellectual property and then we've heard of cases 2:32:25.021,2:32:28.074 that intellectual property got stolen [inaudible] of that. 2:32:28.074,2:32:32.008 Movie companies always have their trailers leaked and pieces of movies leaked, 2:32:32.008,2:32:35.015 so that's one kind of attack out there. 2:32:35.015,2:32:38.002 Then there's other things; like the phishing kind of thing 2:32:38.002,2:32:39.081 like [inaudible] scams and all that. 2:32:39.081,2:32:43.025 I'm talking about things that affect users and companies. 2:32:43.025,2:32:50.007 And then there's also the risk that your bank account may have been compromised, 2:32:50.007,2:32:53.009 your passwords might have been stolen or is easy to guess.
2:32:53.009,2:32:58.071 So in the scheme of all these different things, where will you place the denial of service 2:32:58.071,2:33:02.077 for a company or for a consumer because they have plenty of things to deal 2:33:02.077,2:33:05.008 with right now when it comes to security? 2:33:05.008,2:33:11.026 So I was just trying to get a perspective on where this distributed denial of service, 2:33:11.026,2:33:16.079 where it fits into the larger scheme of things and how relevant it is and the other part is 2:33:16.079,2:33:19.053 where do you see things going let's say five years from now? 2:33:19.053,2:33:23.042 Is this going to be the single biggest thing to worry about or do we have other things also 2:33:23.042,2:33:26.076 that we should be concerned about? 2:33:27.086,2:33:29.012 >> Brian: Thanks. 2:33:29.012,2:33:29.004 Danny. 2:33:29.004,2:33:34.038 >> Danny: I would just say that you know for your organization it's going 2:33:34.038,2:33:36.014 to be specific to your organization. 2:33:36.014,2:33:38.086 You're going to say here's our risk tolerance for these things, 2:33:38.086,2:33:43.038 for these internet facing properties, this information security or data privacy 2:33:43.038,2:33:47.084 or data retention, or digital rights management, whatever it is you're concerned with. 2:33:47.084,2:33:51.085 I don't think that there's a one size fits all, I think it's all about risk management 2:33:51.085,2:33:53.078 for your organization because if you don't have a lot 2:33:53.078,2:33:56.066 of internet facing services, it may not be a problem. 2:33:56.066,2:33:59.006 More than likely you have some things today. 2:33:59.006,2:34:01.094 You wouldn't be here if you weren't relying on the internet in some way 2:34:01.094,2:34:03.068 so what does that mean to your business?
2:34:03.068,2:34:07.088 As opposed to some piece of information from either your personal bank records 2:34:07.088,2:34:12.058 or your corporate information being actually traded to the wrong person, what would that mean? 2:34:12.058,2:34:17.006 So I think it all goes back to what are the critical assets of your organization, 2:34:17.006,2:34:21.003 what enables those and how do you balance risk to those assets? 2:34:21.003,2:34:22.008 >> Brian: Yeah, Ram. 2:34:22.008,2:34:29.000 >> Ram: So the way I advise folks or provide some suggestion is, you really have to think 2:34:29.000,2:34:32.027 about this and look at it as a matrix. 2:34:32.027,2:34:35.078 You have to think about, which is further to what Danny is saying, 2:34:35.078,2:34:41.038 you have to worry about confidentiality, or integrity, or availability and you have 2:34:41.038,2:34:45.002 to figure out which of those matter more for you. 2:34:45.002,2:34:51.023 You can't have one versus the other, in many cases you want to have all of the above, 2:34:51.023,2:34:57.043 but you have to decide which of those matter more for you, and then devote your time, 2:34:57.043,2:35:00.052 effort and resources towards that. 2:35:00.052,2:35:03.094 But picking just one, just having great availability, 2:35:03.094,2:35:09.082 DDoS mitigation ensures availability but if you have a site that is running 2:35:09.082,2:35:12.021 on software that has not been updated and is prone 2:35:12.021,2:35:15.085 to buffer overflow attacks then all the availability is going 2:35:15.085,2:35:18.073 to be fantastic for you to get hacked. 2:35:18.073,2:35:23.045 [Laughter] So you have to figure out where it is on the spectrum and devote it.
2:35:23.045,2:35:31.054 One reality is that no matter what the budget[br]that is allocated, if you're a corporation, 2:35:31.054,2:35:34.034 if you're an entity, the[br]budget that is allocated to it, 2:35:34.034,2:35:40.048 it seems that it remains the[br]same, it suddenly doesn't reduce 2:35:40.048,2:35:44.005 and you simply reallocate the pie depending 2:35:44.005,2:35:49.043 on what you think your biggest[br]vulnerability is, your biggest risk is. 2:35:49.043,2:35:50.019 >> Brian: Anybody else, Jeff. 2:35:50.019,2:35:54.067 >> Jeff: I would just say you know you asked[br]about what's important to a crump company 2:35:54.067,2:35:56.075 or [inaudible], I mean it totally depends. 2:35:56.075,2:36:01.073 I think Brian talked about some guy from[br]Ohio, more likely to have a problem, 2:36:01.073,2:36:04.088 it may be inconvenienced by DDoS because[br]they can't get to whatever website, 2:36:04.088,2:36:06.079 but they're more likely to[br]have their computer compromised 2:36:06.079,2:36:08.051 or identity stolen or other activity. 2:36:08.051,2:36:14.071 That's going to hit them deeper and for a[br]longer period so it's totally situational. 2:36:14.071,2:36:19.005 In terms of where we're going in 5 years, 2:36:19.005,2:36:24.051 my guess is that we'll see new[br]nefarious uses for the same old tools. 2:36:24.051,2:36:29.029 There's some new stuff out there but[br]it's a lot of variations on a theme 2:36:29.029,2:36:35.041 and just finding new creative bad ways[br]to use them for bad purposes or profit. 2:36:35.041,2:36:40.066 So I think the denial of service attacks are here to[br]stay but how they're used will probably morph 2:36:40.066,2:36:45.012 and change and cycle back,[br]what's old is new again. 2:36:45.012,2:36:46.001 >> Brian: Miguel. 
2:36:46.001,2:36:48.088 >> Miguel: The thing that troubles me a[br]little bit about the future when it comes 2:36:48.088,2:36:55.008 to DDoS attacks is that there is, because[br]it's been in the news a little bit more, 2:36:55.008,2:36:59.097 because it's been publicized a little[br]bit more, you look at what happened 2:36:59.097,2:37:04.024 on the bank attacks lately, there's kind[br]of a blueprint now that is out there 2:37:04.024,2:37:09.007 that people can potentially follow[br]to launch these large-scale attacks. 2:37:09.007,2:37:14.054 You've got what happened with the banks[br]recently, it's at least at a high level, 2:37:14.054,2:37:22.007 it's public knowledge how it was sort of done[br]from a high level, that information is out there 2:37:22.007,2:37:26.026 and those attacks kind of[br]proved yes, it's possible. 2:37:26.026,2:37:31.064 They provide a blueprint for people to[br]follow for doing it again and the fact 2:37:31.064,2:37:35.075 that that was done scares the heck out of me. 2:37:35.075,2:37:38.067 >> Brian: Thank you and we have one[br]final question from the room, please. 2:37:38.067,2:37:41.079 [Pause] 2:37:41.079,2:37:46.003 >> Hi, it's Lucas from [inaudible]. 2:37:46.003,2:37:51.068 Just following up similarly to the previous[br]question, based on the trends that you've seen 2:37:51.068,2:37:56.007 to date, where do you see these attacks heading[br]both from like an attacker perspective as well 2:37:56.007,2:37:57.047 as from a mitigation perspective? 2:37:57.047,2:38:02.017 Do you see one side winning[br]the cat versus mouse game? 2:38:02.017,2:38:03.056 2:38:03.056,2:38:05.072 >> Brian: Great question, Damian? 2:38:05.072,2:38:11.036 >> Damian: Yeah so attacks are basically growing[br]exponentially, I think if you look at most 2:38:11.036,2:38:16.082 of the data on this you'll see that the size[br]of the attacks roughly doubles every year. 
2:38:16.082,2:38:22.048 I have graphs that track this back[br]like 8 years and it's kind of scary 2:38:22.048,2:38:26.059 that it's actually continuing, that exponential[br]growth, but I think it's important to realize 2:38:26.059,2:38:31.061 that that's just the internet growing[br]exponentially as the consumers, 2:38:31.061,2:38:35.003 as the end users, bandwidth[br]increases, their home, 2:38:35.003,2:38:41.026 the website bandwidth is also increasing so[br]you can kind of keep up, but I think that a lot 2:38:41.026,2:38:47.057 of what we're going to run into is a very small[br]website, you know especially the types of sites 2:38:47.057,2:38:51.088 that Jillian is worried about are[br]simply too small to possibly survive. 2:38:51.088,2:38:56.033 So they're going to be forced to combine[br]their resources and pool with others 2:38:56.033,2:39:00.087 so what I expect is probably going to happen[br]over the next five years is we're going 2:39:00.087,2:39:05.018 to start seeing organizations[br]consolidate into larger and larger pools 2:39:05.018,2:39:08.044 until eventually we're going to have[br]only like maybe five organizations 2:39:08.044,2:39:12.012 that offer DDoS mitigation[br]in the cloud as a service. 2:39:12.012,2:39:16.055 It's just my guess of where the world is headed. 2:39:16.055,2:39:16.082 >> Brian: Ram. 2:39:16.082,2:39:23.012 >> Ram: And my fear is that we get to that[br]point and then they get too big to fail. 2:39:23.012,2:39:26.062 >> Brian: Well, with that thought,[br]we're going to bring this to a close. 2:39:26.062,2:39:27.071 [Laughter] Well done. 2:39:27.071,2:39:32.015 Fear and loathing in New York. 2:39:32.015,2:39:37.091 Public Interest Registry, the New York[br]Technology Council, Internet Society 2:39:37.091,2:39:39.083 and the Internet Society's New York Chapter want 2:39:39.083,2:39:42.047 to offer our sincere thanks[br]to the panelists today. 
2:39:42.047,2:39:45.049 Thank you so much for your time, your dedication 2:39:45.049,2:39:50.038 to helping us understand this really critical[br]issue and also to thank the audience here 2:39:50.038,2:39:52.063 and the audience online for following along. 2:39:52.063,2:39:57.064 We hope that today's event has been[br]helpful and that the participants come away 2:39:57.064,2:40:02.072 with a greater appreciation of the scope[br]of this problem, steps that should be taken 2:40:02.072,2:40:08.019 to mitigate DDoS attacks, and the potential[br]for significant unintended consequences. 2:40:08.019,2:40:11.097 DDoS is a serious issue in[br]today's interconnected world, 2:40:11.097,2:40:15.017 one that is not just going[br]to fade away as we've heard. 2:40:15.017,2:40:20.008 Fortunately there are resources available to[br]help us confront the myriad of challenges. 2:40:20.008,2:40:25.095 I would like to specifically thank Joley[br]McFee [phonetic] from ISOC, New York, 2:40:25.095,2:40:30.025 Eric Grimmelman [phonetic] from New York Tech[br]and Paul Brigner [phonetic] from ISOC here 2:40:30.025,2:40:33.058 for helping us make this happen in a real sense. 2:40:33.058,2:40:40.053 Along those lines, we at PIR intend to make[br]the recording of this event available online 2:40:40.053,2:40:45.016 at our website and our social media sites[br]and push that out and we're also going 2:40:45.016,2:40:49.023 to post additional background[br]materials and encourage anyone 2:40:49.023,2:40:52.005 to recommend other helpful tools and information 2:40:52.005,2:40:54.096 like the EFF guide to[br]keeping your site alive. 2:40:54.096,2:40:57.065 So again thank you to everyone[br]for joining us today. 2:40:57.065,2:40:59.005 Thank you so much. 2:40:59.005,2:41:01.005 [ Applause ]