Information Technology Sector Baseline Risk Assessment

August 2009

Table of Contents

Executive Summary (page 4)
1 Introduction to Information Technology Sector Critical Infrastructure Protection (page 9)
  1.1 Partnering for Security (page 9)
  1.2 IT Sector Profile (page 11)
2 Risk Management Approach, Methodology, and Process (page 13)
  2.1 Assessing Risk at a Sector-Level (page 13)
  2.2 Identifying Critical Functions (page 14)
  2.3 Developing Attack Trees (page 16)
  2.4 Identifying and Measuring Risk (page 17)
    2.4.1 Analyzing Threats (page 17)
    2.4.2 Assessing Vulnerabilities (page 18)
    2.4.3 Evaluating Consequences (page 19)
  2.5 Developing the Baseline Risk Profile (page 19)
3 IT Sector Baseline Risk Profile (page 21)
  3.1 Produce and Provide IT Products and Services (page 21)
    3.1.1 Produce and Provide IT Products and Services Attack Tree and Risk Profile (page 23)
    3.1.2 Mitigations (page 28)
  3.2 Provide Domain Name Resolution Services (page 30)
    3.2.1 Domain Name Resolution Services Attack Tree and Risk Profile (page 31)
    3.2.2 Mitigations (page 37)
  3.3 Provide Identity Management and Associated Trust Support Services (page 40)
    3.3.1 Identity Management Attack Tree and Risk Considerations (page 42)
    3.3.2 Mitigations (page 47)
  3.4 Provide Internet-based Content, Information, and Communications Services (page 49)
    3.4.1 Provide Internet-based Content, Information, and Communication Services Attack Tree and Risk Profile (page 49)
    3.4.2 Mitigations (page 53)
  3.5 Provide Internet Routing, Access, and Connection Services (page 55)
    3.5.1 Internet Routing, Access, and Connection Services Attack Tree and Risk Profile (page 55)
    3.5.2 Mitigations (page 62)
  3.6 Provide Incident Management Capabilities (page 64)
    3.6.1 Incident Management Attack Tree and Risk Profile (page 66)
    3.6.2 Mitigations (page 70)
  3.7 Dependencies and Interdependencies (page 72)
    3.7.1 Critical IT Sector Function Interdependencies (page 72)
    3.7.2 IT Sector Dependencies (page 74)
4 Risk Management Considerations (page 76)
Appendix 1: Acronyms (page 79)
Appendix 2: Glossary (page 82)
Appendix 3: IT Sector Risk Assessment Methodology Details (page 84)

List of Figures

Figure 1: Critical IT Sector Functions (page 4)
Figure 2: IT Sector's High Consequence Risks (page 7)
Figure 3: Benefits of Public-Private Sector Collaboration (page 10)
Figure 4: IT Sector Risk Assessment Methodology (page 14)
Figure 5: Critical IT Sector Functions and Descriptions (page 16)
Figure 6: IT Sector Risk Assessment Methodology Vulnerability Factors (page 19)
Figure 7: IT Sector Products and Services Value Chain (page 23)
Figure 8: Produce and Provide IT Products and Services Attack Tree (page 24)
Figure 9: Notional scenario applied to the Produce and Provide IT Products and Services Attack Tree (page 26)
Figure 10: Relative Risks to the Produce and Provide IT Products and Services Function (page 28)
Figure 11: Sample DNS Query (page 30)
Figure 12: DNS Hierarchy (page 31)
Figure 13: Provide Domain Name Resolution Services Attack Tree (Summary) (page 32)
Figure 14: Notional scenario applied to the Provide Domain Name Resolution Services Attack Tree (page 34)
Figure 15: Relative Risks to the Provide Domain Name Resolution Services Function (page 37)
Figure 16: Provide Identity Management and Associated Trust Support Services Function Attack Tree (page 42)
Figure 17: Internet-based Content, Information, and Communications Services Attack Tree (Summary) (page 50)
Figure 18: Relative Risks to the Provide Internet-based Content, Information, and Communication Services Function (page 53)
Figure 19: Internet Routing, Access, and Connection Services Function Attack Tree Summary (page 56)
Figure 20: Notional scenario applied to the Provide Internet Routing, Access, and Connection Services Attack Tree (page 57)
Figure 21: Internet connections between AS and backbone networks (page 59)
Figure 22: Relative Risks to the Provide Internet Routing, Access and Connection Services Function (page 61)
Figure 23: Incident Management Lifecycle (page 65)
Figure 24: Provide Incident Management Capabilities Function Attack Tree (Summary) (page 67)
Figure 25: Notional scenario applied to the Provide Incident Management Capabilities Attack Tree (page 68)
Figure 26: Relative Risks to the Provide Incident Management Capabilities Function (page 70)
Figure 27: Cross-Functional Dependencies and Interdependencies (page 73)
Figure 28: IT Sector Risks of Concern (page 77)

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 114