Editor’s note: This post was originally published in April 2017 and has been revamped and updated for accuracy and comprehensiveness.
Security threats are an ongoing challenge for IT professionals and consumers alike. While it is important for customers to take adequate measures to protect themselves, Internet Service Providers are primed to take the lead.
Network abuse is an ever-challenging issue, and customers are often unaware of the threats out there.
Here’s what measurements network providers should put in place to protect their customers and also their own network reputation.
1. Communication Processes and Policies
Communication is the most significant security-related policy that service providers must adhere to. According to RFC 2142, all accounts that are at risk of abuse must have an abuse@ mail account when contacting customers. i.e. abuse@domain. In addition, service providers are required to ensure that contact registries in Whois are up-to-date. We also recorded a short #askabusix session on that topic, which you can see here.
Network and Service providers also need to ensure that they share information with relevant organizations, such as law enforcement agencies, in light of a security incident. This requires communication processes and policies so that customers can be informed of the threat, what actions they should take, and what is being done by the service provider to get that issue resolved. X-ARF is meanwhile the industry standard for sharing network abuse reports. To learn more about how you can report and therefore also mitigate abuse, take a look at this video.
See also: Cyber Security Is An ISP’s Top Priority
2. An Acceptable Policy Should Be Agreed To By All Customers
All customers, new and existing, need to be bound by an Acceptable Use Policy (AUP). Network abusers typically target hosts with no existing or poorly written AUPs to further threaten the service provider when they try to take action against them, making it highly important that AUPs are reviewed and updated regularly.
The AUP contract determines the guidelines that customers must obey when connected to the network, including what kind of traffic is permitted, and what sanctions will be imposed if the AUP is violated.
Any violations of the AUP will show up on abuse reports, enabling abuse desk managers to identify categories of abuse that are frequently seen so that they can update the AUP.
AbuseHQ, a SaaS abuse management platform, prioritizes abuse reports into meaningful categories and a unified format. This makes it possible to identify the source of network abuse, handle threats immediately, and update AUPs timeously.
3. Ensuring That Network Infrastructure Is Sufficiently Protected
While no system is ever 100% foolproof, network providers must do all they can to ensure that the network infrastructure is resistant to security threats, and not easily hijacked.
Security and abuse managers need to be vigilant when determining which routing destination is most trustworthy if more than one rooting choice is available. This requires them to ensure that only authorized customers make updates to their routing registry. When assessing a registry to identify whether a breach has occurred, emphasis should be placed where excessive routing updates occur.
Network abusers typically use covert methods to hide their IP address and location and use other systems and computers to launch an attack. A Network Ingress Filtering process, which starts at the customer’s end and ensures that no data packets have a source address outside of your network’s address range, allows you to detect and block the attack and then take steps to protect the customer. AbuseHQ filters network abuse cases at the inbound processing phase, which allows you to save and share filters with your team and enact on that data.
4. Infrastructure System Management
Different network and service providers have different system management processes and policies, and these can influence the risk of attack. Industry norms place importance on keeping separate systems for mail, news, and web-hosting, which ensures access is restricted while strong authorization processes are required over an encrypted link.
Mail infrastructure should prevent attackers from unauthorized mail relaying. By applying non-relay rules, potential attackers are forced into the open. RFC 2505 provides a detailed best-practices approach when implementing SMTPs and Mail Transfer Agents (MTAs) to make their infrastructure capable of handling spam.
In addition, mail submission (recipient) systems should authenticate through the AUTH SMTP extension as it is more resilient to spoofing and can be upgraded as authentication processes change. A best practice approach is to use Mail Submit (port 587) over SMTP (port 25) to differentiate inbound local delivery and relay messages that customers send.
However, more service providers are using both SMTP AUTH and the Mail Submit port and should advise that customers use both. This practice protects service providers from spammers and helps identify which customers are affected.
Taking the lead in securing the network is no easy feat. However, putting processes in place during onboarding phases and regularly reviewing all technical and legal processes can go a long way towards limiting network abuse.
Luckily, Abusix’s AbuseHQ seamlessly integrates into existing infrastructures to offer the insight necessary to identify and shut down network abuse before it compromises your security. To find out more about how AbuseHQ can help abuse desks perform at their optimum, talk to our team.