[Ssr2-review] ICANN SSR answers

Jennifer Bryce jennifer.bryce at icann.org
Mon Apr 8 22:19:55 UTC 2019


Dear Scott, dear Noorul,

The below answer in highlight has been added to the Q&A Google doc: https://docs.google.com/document/d/14eJwDGP-LvS9ltTmZoh1i19Fi0_pB2nJ4JYMsS7lsco/edit?usp=sharing. Please let us know if you have any questions.

Review Team volunteers: Scott, Noorul
Workstream: ICANN SSR
Topic 4: Perform an assessment of how effectively ICANN has implemented its Security Incident Management and Response Processes to reduce (pro-active and reactive) the probability of DNS-related incidents.

Outstanding questions: 3

Per ICANN org answer to a previous question: “ICANN Org employs network segmentation strategies designed to reduce the risk of pivoting activity by an attacker. Administrative access to critical services (particularly those managed by IANA) have restrictions beyond internal network access. Periodic network penetration testing is conducted by independent service providers against ICANN Org network defenses, simulating attacks from both outside the network and attempted lateral movement from within the network. The results are used to prioritize network security Improvements.”

Q: “ICANN Org employs network segmentation strategies designed to reduce the risk of pivoting activity by an attacker.” Are these segmentation strategies implemented now, how are they implemented?
Q: “Administrative access to critical services (particularly those managed by IANA) have restrictions beyond internal network access.” What are those restrictions, and are they on the same network (topology, in detail -- diagram)?
Q: “Periodic network penetration testing is conducted by independent service providers against ICANN Org network defenses, simulating attacks from both outside the network and attempted lateral movement from within the network.”

  *   Are industry best practices followed? Please report and link to which ones.
  *   Are penetration testers being rotated on a regular basis? If there is evidence relating to these processes, please provide a link? Is there version control, is there a permanent link?
Q: “The results are used to prioritize network security Improvements”. Can you provide details on how these findings feed into improvements? Are there any reports on this? Is there version control, is there a permanent link?

A: For all 4 items above we manage these strategies proactively and appropriately, taking into account best practices, and we respond to the information learnt in a proactive and professional manner given the resources available to us. Given the specificity of the questions related to highly sensitive areas we will not be disclosing detailed information from documents, processes, findings, and improvements even under NDA. ICANN Org would like to understand how these very detail orientated questions fall into the scope of the SSR2, but given the level of detail that we are able to provide in any event, we are responding as able.

--
Jennifer Bryce
Senior Reviews Coordinator
Internet Corporation for Assigned Names and Numbers (ICANN)

Email: jennifer.bryce at icann.org
Skype: jennifer.bryce.icann
www.icann.org