Transcript The National Importance Of Cyber Security

The National Importance Of Cyber
Security
Lal Dias
Chief Operating Officer
SRI LANKA COMPUTER EMERGENCY READINESS TEAM |
COORDINATION CENTRE
Wednesday, 15th February 2012
1
Agenda

Drivers for adoption of Cyber Security

Security Governance

Threats and potential damage analysis

2
Collaboration and coordination for effective
security

Awareness creation

End Result
Drivers for adoption of Cyber Security
E-Government initiatives (1)




3
Launch of e-Government services
Web Applications such as e-revenue license, visa on-line,
pensions services
Information services Government Information Centre (GIC)
Payment facilities for services (revenue license renewal
fee, paying a spot fine) via web or SMS
Drivers for adoption of Cyber Security
E-Government initiatives (continued)
Security perspective on government services;

Protect confidentiality of citizen information; during storage and
transmission between government organizations

Provide correct information to citizens; maintain integrity of
information



4
Sustained availability of services and information; redundant
infrastructure, robust software platforms, good capacity planning,
protect against intentional and unintentional service outages
Citizens need to be able to trust government applications and
websites; Applications and websites need to be able to identify
citizens remotely – a digital identity is required
Provide facilities to conduct financial transactions securely (Use of
Digital Certificates / prevention of SMS Spoofing)
Drivers for adoption of Cyber Security
On-line Service Delivery (2)
Extensive adoption of electronic commerce as a service
delivery platform;
5

Online banking (number of local and foreign banks)

Shopping (kapruka, greatdeals, etc)

Trading (e-bay)

Social networking sites (Facebook, purchase of credits)
Drivers for adoption of Cyber Security
On-line Service Delivery (continued)
Security perspective on online service delivery;



6
Authenticity of users and application sites needs to be
established beyond a doubt
Financial transactions need to be conducted through a
secure facility
Security as a competitive tool to entice more customers
(use of security tokens, etc) by building confidence
Drivers for adoption of Cyber Security
Critical National Infrastructure Automation (3)


7
National level endeavors and vision to automate critical
national infrastructure for high availability, high quality and
cost effective service delivery: energy, public health,
water, telecommunications, agriculture, transportation,
financial services, security services
Example, Energy sector
 Smart metering
 Remote control (home appliances)
 Smart grid (IPV 6)
Drivers for adoption of Cyber Security
Critical National Infrastructure Automation
(continued)
Security perspective;


8
Automation opens door for remote manipulation by
malicious groups or persons – unauthorized access
Need to prevent potential loss of revenue, damage or
destruction of infrastructure and/or large scale of loss of life
(power outages, water supply contamination, traffic light
manipulation causing pileups, air traffic control
manipulation)
Drivers for adoption of Cyber Security
National ICT Policy (4)


9
Defines ICT activities as a major revenue source for the
country
To be achieved through
 Development of applications (stock exchange
applications, security applications, travel
management applications, other niche applications)
 Outsourcing of ICT functions
 Development of local ICT market and revenue
generation from ISP operations
Drivers for adoption of Cyber Security
National ICT Policy (continued)
Security perspective;


10
Applications need to be developed in a secure, structured
manner with good, internationally accepted security
practices incorporated during the development process.
Developers need to be trained and aware
Outsourcing firms need to structure operations, provide
secure infrastructure and train staff to maintain good
practices and procedures to meet the security
expectations of their customers
Security Governance
Good governance is essential for maintaining a structured approach to
security; measures already introduced (in Sri Lanka) in the form of:

E-government policy (1)
While setting out operational policies for e-government staff, the e-gov
policy addresses up to 16 security requirements, such as:
010204: Migration into electronic format: Data available in
participating government organizations to be collected, inspected,
updated, structured in the required format, and cleansed and its
integrity ensured before being migrated into electronic format.
010207: Electronic records should be maintained in such a manner as
to ensure confidentiality and prevent unauthorized access,
modification, alteration or deletion / removal.
010302: Email addresses of citizens gathered from government web
sites should not be divulged, made available or sold to third parties.
11
Security Governance
High level Information Security Policy (H-POL) for government
organizations (2)

Based on ISO27001 Information Security Management System (ISMS)

Template made available for customization by individual government
organizations

17 security areas are addressed in H-POL:
◦
◦
◦
◦
◦
◦
◦
◦
12
Organizational security
Personnel security
Incident management
Malware protection
E-mail and Internet security
Acceptable use policy
Fraud management
Comms & Ops management
- Acquisition of Hardware
- Acquisition of Software
- Logical Access Control
- Asset classification
- Privacy & outside entities
- Physical security
- Compliance measurement
- BCM
Security Governance
E-Laws (3)

Computer Crimes Act no. 24 of 2007
 Makes eight provisions for prosecuting individuals found guilty of
committing a crime using a computer
 Includes, unauthorized access, illegal interception of data, threats to
national security, illegal modification of data or systems
 Provides foundation for conducting investigations and for the use of
electronic evidence

Payment devices Frauds Act no. 30 of 2006
 Credit card fraud, ATM Card fraud crimes prosecuted under this law.
 Several successful prosecutions

Electronic Transactions Act no. 19 of 2006
 Sets foundation for establishment of electronic contracts
 Sets foundation for establishment of digital identities
 Sets foundation for establishment of National Certificate Authorities
13
Security Governance
International standards (4)

ISO27001
 Helps raise confidence in the security measures implemented
in an organization; especially where the business is required to
deal with sensitive information
 Many banks, intellectual property development firms, Internet
data centre of telecom operators, strive to achieve this
standard
 Used actively as a marketing tool

PCI-DSS
 Defines security requirements specific to payment card
industry
14
Security Governance
Security as a matter of national importance (5)



15
Cyber intelligence is gaining in importance for most sovereign
nations. Cyber warfare is heating up globally. Political agendas can
now be pursued through cyber channels, such as Twitter, Facebook
and various underground sites
Sovereign Nations need to be able to identify and intercept
malicious and/or covert communications (encrypted messages
between subversive groups, pornographic content, false alerts)
which may cause instability in society
Cyber espionage is also on the rise.
Governments need to prevent outsiders from listening to sensitive
information and also prevent unauthorized information leakage (e.g.
Wikileaks). Blackberry mail is banned in Saudi/UAE.
Threats & Potential Damage Analysis
Threats to national security from cyber attacks (1)
Example STUXNET and critical infrastructure





16
Famous for slowing down centrifuges in Iranian nuclear
reactors to prevent weaponisation of fissile material
First known cyber weapon to identify and target a specific
subsystem from a specific manufacturer (Siemens)
Other successors launched, such as Dark Star
Sri Lanka not yet at a level of automation that would cause
such serious loss through a cyber missile like STUXNET
However, when developing such systems for the future we
must be mindful of such threats
Threats & Potential Damage Analysis
Cyber espionage (2)
Example GHOSTNET



17
Operated out of mainland China, was used to gather a
large amount of sensitive information from countries in
South Asia, North America and the middle east through
their diplomatic offices
Unauthorized disclosure of sensitive information (thru illegal
interception) embarrassed these Governments
Armed with prior knowledge of intentions of their
counterparts, countries that engage in cyber espionage
have an edge in political maneuvering (“chess game”)
Threats & Potential Damage Analysis
Distributed Denial of Service attacks (3)
Example Estonia




18

In 2007, Estonia, one of the most connected countries in the
world was subjected to a full scale Denial of Service Attack
from Russia as a result of a political clash
Within a few hours, critical infrastructure such as telephony
and financial services were obstructed
Thanks to an excellent incident response effort and plan,
Estonia managed to contain the attack and recover within a
remarkable time frame
Despite the initial attack, Estonia is credited with having
successfully defended its cyberspace. NATO set up it’s Cyber
Defence Centre in Estonia in recognition of this.
Are we in a position to do it?
Threats & Potential Damage Analysis
Threat awareness (4)



It is important to be aware of the threat landscape, not just
locally, but in the region and globally as well. It is also
important to be aware of the threats originating from our own
economy. This is in line with the “cyber clean” project initiated
by APCERT.
Sensor networks, such as the Network Early Warning System
(NEWS) deployed by IMPACT, the security arm of the ITU, and
a host of others such as Shadow Server, Dragon Research
Group, TSUBAME by JPCERT/CC
Sensor networks provide useful information such as:
• The point of origin and destination of attack traffic
• The type of traffic used and the possible type of attack
being launched
• The systems being targeted
19
• Known hosts within our IP Address space that are
attacking other economies and the ISPs they belong to
Collaboration & Coordination for
Effective Security
Adopting a structured approach to security (1)


Predetermined strategies and procedures for
effectively handling security incidents need to be
implemented and drilled
For example, in the event of a phishing attack:
•
•
•
•
20
Who should the incident be reported to?
What parties should be engaged to identify and
take down the phishing site?
What are the measures to be taking to contain the
damage caused by the incident until the site is
disabled?
What are the acceptable timeframes for resolving
the incident?
Collaboration & Coordination for
Effective Security
Adopting a structured approach to security (2)
Contingency plans for national level disasters caused by
cyber attacks






21
Same as before, but on a larger scale
For example, Distributed Denial of Service attack as in
Estonia
How would ISPs continue to provide connectivity for
critical operations if the regular links are congested?
What is our critical infrastructure?
How would government information services continue to
operate if servers are compromised?
Have we simulated such scenarios and seen if the
contingency plans work?
Collaboration & Coordination for
Effective Security
Adopting a structured approach to security (3)
Creation of sector-based silos for security




22
Works on the concept that each industry operates its own
unique technology environment
Therefore, no one security body such as Sri Lanka CERT can
dedicate enough resources to learn security vulnerabilities and
mitigation techniques of specialized systems
Sector-based CSIRTs such as the Bank CSIRT will be dedicated
to addressing security issued within the Finance industry, Telco
industry, Military, etc
Functions:
•
Introduction and enforcement of baseline security standards
•
Providing incident reponse services
•
Providing vulnerability alerts
•
Telco CSIRT: Hosting Content filtration system, SMS firewall,
Sharing compromised host information with ISPs to “clean
local cyber space”
Collaboration & Coordination for
Effective Security
Adopting a structured approach to security (4)



Security training and certification is expensive
Organizations find it difficult to retain skilled security
professionals
Measures need to be taken and finances need to be
made available to retain security professionals who
contribute to various security disciplines such as:
•
•
•
•
23
Penetration testing
Incident response
Risk Management
Audit
Collaboration & Coordination for
Effective Security
The role of international collaboration


There is a general uncertainty about info required
for resolving cross-border incidents
Need directory of contacts from all over the globe
Formal contact need to be established between
peer organizations (e.g. cert to cert)
• Formal service level agreements need to be
established between peers to ensure effectiveness
of security measures
Only then can we guarantee complete resolution of
incidents to our constituents
A role for FIRST and APCERT
•

24

Collaboration & Coordination for
Effective Security
The role of international collaboration

Challenges and successes in international cooperation to
tackle security incidents
•
•
•
•
25
Success!: Establishment of links with commercial
organization to disable fake social networking and
electronic mail accounts
Success!: Establishment of contacts to disable phishing sites
Challenge: Need to enforce a formal procedure whereby
strict timelines are defined for disabling fake accounts and
phishing sites. The importance of these timelines is well
understood by ISPs, banks and other affected parties.
For example, blocking of a host originating Denial of Service
traffic within 4 hours, disabling a phishing site within 12 hours,
Removing a fake Facebook account in 24 hours.
Awareness Creation
Awareness creation among state sector employees;

Spreading the word in information security policies
•
•
•
•
•
•
•

•
•
26
E.g. Entering and leaving the premises
What they can say to customers and other third parties
What websites they can access at work
What devices they are or are not allowed to use
Need for non-disclosure agreements
Penalties for non-compliance
Promoting good security practices


Make employees understand what the policy means to them at an
operational level
Encourage employees to nurture good security practices
intrinsically
Continues practicing security at home
Teach good security practices to friends and family
Penalties and laws must be used as motivators to adopt good
security practices
Awareness creation
Awareness creation among general public
Protection of children

•
•
•

Safe use of online transaction facilities
•
•
27
Online safety program for schools underway
Monthly online safety bulletin (Cyber Guardian)
Educating parents on techniques to restrict
children’s activities online such as net nanny and
parental control settings
Educating users on identifying secure web sites
Identification and prevention of social engineering
is a major part of efforts. Phishing mails, scams, etc
are social engineering attacks
End Result
Trust & success




28
Whether it be for government citizen services or for commercial
purposes, Increased trust in online services and data security,
translates to financial success and increased adoption of
technology
Once security is identified as a contributor to financial success
and increased ICT adoption, demand for security functions will
increase and in turn help sustain a competent security skill set
Improved global reputation as a competent and secure ICT
hub, will also help sustain the goals of the national ICT Policy
Establishment of digital identities, such as through the use of
digital certificates, will help transform cyber space into a true
living space for citizens where they can meet friends, bank,
work and relax
Thank You
Sri Lanka CERT|CC
e-mail: [email protected] Website: www.cert.gov.lk
29