Minimum Security Requirements for CPEs: The Experience of Building a Global Recommendation

  • Lucimara Desiderá NIC.br / LACNOG
  • Klaus Steding-Jessen NIC.br
  • Cristine Hoepers NIC.br

Abstract


Due to vulnerabilities in CPEs' embedded software and default configuration, these devices have been the target of several types of abuse. This scenario, which entails additional costs for Internet Service Providers, has motivated several anti-abuse and network operators' working groups to come together and define a set of minimum security requirements for CPEs. This paper is a case study that describes the process of building these security requirements in a multistakeholder working group, with the participation of professionals from different areas of expertise and from several countries. We also present the main consensus points that are part of the working group's final recommendations.

Published
2019-09-02
DESIDERÁ, Lucimara; STEDING-JESSEN, Klaus; HOEPERS, Cristine. Requisitos Mínimos de Segurança para CPEs: a Experiência de Construir uma Recomendação Global. In: WORKSHOP ON REGULATION, CONFORMITY ASSESSMENT AND SAFETY CERTIFICATION, 5., 2019, São Paulo. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2019. p. 17-22. DOI: https://doi.org/10.5753/wrac.2019.14033.