MONTEVIDEO, Uruguay & SAN FRANCISCO–(BUSINESS WIRE)–New best practices recommendations for ISPs issued by LACNOG and M3AAWG
this month define basic security criteria for home routers and other
customer premise equipment (CPE) and are expected to help protect the
internet against common attacks, especially DoS attacks arising from the
abuse of these devices. The guidelines will strengthen internet service
providers’ security efforts by identifying requirements for the hardware
devices connected to their networks that are susceptible to exploitation
when basic safeguards are ignored.
The best practices document, LACNOG-M3AAWG Joint Best Current
Operational Practices on Minimum Security Requirements for Customer
Premises Equipment (CPE) Acquisition, is being translated into multiple
languages for use by ISPs worldwide. It was published by the Latin
American and Caribbean Network Operators Group and the Messaging,
Malware and Mobile Anti-Abuse Group, and is available at www.lacnog.net/docs/lac-bcop-1
or with current translations at https://www.m3aawg.org/published-documents.
The recommended security settings and functionality are based on
industry experience and are essential in deterring Denial of Service
(DoS) attacks that make use of vulnerable network infrastructure
devices, Internet of Things (IoT) devices, and malware infections. A
Table of Requirements is provided to help ISPs customize security
recommendations for their networks in a concise format they can provide
to CPE manufacturers.
Worldwide Effort to Strengthen Online Protection
The document is currently being translated into Portuguese, Spanish,
French, German, and Japanese, with other languages expected to follow.
The translated best practices will be useful worldwide as a tool for
ISPs to set requirements for secure defaults on the customer premise
equipment they will connect to their networks, according to the
document’s editor, Lucimara Desiderá, chair of the Latin American and
Caribbean Anti-Abuse Working Group (LAC-AAWG) and security analyst at
CERT.br (the Brazilian National Computer Emergency Response Team).
“Latin American computer security incident response teams have
identified the lack of CPE security as a severe problem in attacks for
the past several years. These new best practices will make it easier for
ISPs to negotiate with CPE vendors to ensure the equipment they connect
to their networks meet minimal security requirements, which will help
reduce the number and intensity of attacks on the internet overall, and
as a result, the negative impact they cause on ISPs’ operations,”
The guidelines cover documentation and vendor contact information,
software security, remote updates and device management functionality,
default configuration preferences, and support policies related to
security fixes. Among the recommendations:
Passwords should not be hardcoded into the firmware, must be
changeable, and vendors should not use the same default password for
There needs to be a mechanism for periodic remote software updates,
including a method to verify the authenticity of a downloadable update
The equipment should be restrictively configured rather than
As an example of the scope of the problem, the Mirai malware responsible
for several major website attacks contains a table of more than 60
common factory default user names and passwords it references to log in
and infect home security cameras, home routers and other IoT devices.
The new guidelines would make the login table ineffective, according to M3AAWG
Chairman of the Board Severin Walker.
Walker said, “M3AAWG collaboration with LACNOG and its LAC
Working Group on this document was a priority, in part, because of our
ongoing work with regional network operator and incident response groups
to address global threats to secure communications. It was also
important because we need to continue evolving our members’ focus on the
security of IoT, mobile and other consumer devices in order to help
prevent the increasingly larger attacks originating from them.”
The best practices document was developed by LACNOG
and issued at the LACNIC 31 meeting in the Dominican Republic on May 8.
It is based on the expertise of LACNOG’s working groups LAC-AAWG
and the BCOP
Working Group, in cooperation with M3AAWG members, its
Senior Technical Advisors, and the M3AAWG Technical Committee.
is the Latin American and Caribbean Network Operators Group that is
structured around a Board, Program Committee, and Working Groups. It
provides an environment for network operators and any interested parties
to exchange experiences and knowledge through mailing lists, working
groups, and annual meetings. LACNOG also promotes local Network
Operators Groups (NOGs) and peering forums, the development and adoption
of best practices, and technical training activities and tutorials.
About the Messaging, Malware and Mobile Anti-Abuse Working Group
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)
is where the industry comes together to work against bots, malware,
spam, viruses, denial-of-service attacks, and other online
exploitation. M3AAWG (www.m3aawg.org)
members represent more than two billion mailboxes from some of the
largest network operators worldwide. It leverages the depth and
experience of its global membership to tackle abuse on existing networks
and new emerging services through technology, collaboration, and public
policy. It also works to educate global policy makers on the technical
and operational issues related to online abuse and
messaging. Headquartered in San Francisco, Calif., M3AAWG
is driven by market needs and supported by major network operators and
M3AAWG Board of Directors and Sponsors: 1
& 1 Internet SE; Adobe Systems Inc.; AT&T Comcast; Endurance
International Group; Facebook; Google, Inc.; LinkedIn; Mailchimp;
Marketo, Inc.; Microsoft Corp.; Orange; Proofpoint; Rackspace; Return
Path, Inc.; SendGrid, Inc.; Vade Secure; Valimail; VeriSign, Inc.; and
Verizon Media (Yahoo & AOL).
M3AAWG Full Members: Agora,
Inc.; Broadband Security, Inc.; Campaign Monitor; Cisco Systems, Inc.;
CloudFlare, Inc.; dotmailer; eDataSource Inc.; ExactTarget, Inc.; IBM;
iContact; Internet Initiative Japan (IIJ); Liberty Global; Listrak;
Litmus; McAfee; Mimecast; Oracle Marketing Cloud; OVH; Spamhaus; Splio;
Symantec; USAA; and Wish.
A complete member list is available at http://www.m3aawg.org/about/roster.
Linda Marcus, APR