ITU-T SG 17 Presentation
Geneva, Switzerland
24 September 2007
Robert Shaw <robert.shaw@itu.int>
Head, ICT Applications and Cybersecurity Division
Telecommunication Development Sector
International Telecommunication Union
International
Telecommunication
Union

ƒ In the 21st century, growing dependency on information and communications technologies
(ICTs) that span the globe;
ƒ Rapid growth in ICTs and dependencies led to shift in perception of cybersecurity threats in mid-1990s;
ƒ Growing linkage of cybersecurity and critical information infrastructure protection (CIIP);
ƒ Number of countries began assessment of threats, vulnerabilities and explored mechanisms to redress them;
ƒ In parallel with national consideration, move to international political agenda;
ƒ Necessity to engage with many actors…
September 2007 2

Many Relevant Actors in International
Cybersecurity/CIIP Ecosystem

ITU Cybersecurity Work Programme to Assist Developing Countries
ƒ Most countries have not formulated or implemented a national strategy for cybersecurity and Critical Information
Infrastructure Protection (CIIP)
ƒ Work Programme scopes a set of high level assistance activities
ƒ Under these high level assistance activities, contains set of detailed initiatives planned in the 2007-2009 period by the ITU Development
Sector’s ICT Applications and
Cybersecurity Division
ƒ Extensive synergies with ITU-D
Question 22/1: Securing information and communication networks: Best practices for developing a culture of cybersecurity
ƒ Used to develop detailed operational plan for 2008-2009 www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-cybersecurity-work-programme-developing-countries.pdf
September 2007 4

September 2007 5

Cybersecurity Work Programme to Assist
Developing Countries: High Level Elements
ƒ Assistance related to
Establishment of National
Strategies and Capabilities for
Cybersecurity and Critical
Information Infrastructure
Protection (CIIP)
ƒ Assistance related to
Establishment of appropriate
Cybercrime Legislation and
Enforcement Mechanisms
ƒ Assistance related to establishment of Watch,
Warning and Incident Response
(WWIR) Capabilities
ƒ Assistance related to
Countering Spam and Related
Threats http://www.itu.int/itu-d/cyb/cybersecurity/
September 2007
ƒ Assistance in Bridging Security-
Related Standardization Gap between Developing and
Developed Countries
ƒ Project on Enhancing
Cybersecurity and Combatting
Spam
ƒ Establishment of an ITU
Cybersecurity/CIIP Directory,
Contact Database and Who’s
Who Publication
ƒ Cybersecurity Indicators
ƒ Fostering Regional Cooperation
Activities
ƒ Information Sharing and
Supporting the ITU
Cybersecurity Gateway
ƒ Outreach and Promotion of
Related Activities
6

September 2007 8

Establishment of National Strategies/Capabilities for
Cybersecurity and Critical Information Infrastructure
Protection (CIIP)
ƒ Identification of Best Practices in the Establishment of National
Frameworks for Cybersecurity and CIIP
ƒ Regional Workshops on Frameworks for Cybersecurity and CIIP
ƒ National Cybersecurity/CIIP Readiness Self-Assessment Toolkit
ƒ Online Cybersecurity Experts Forum to Help Developing
Countries Develop Capacity
ƒ Toolkit for Promoting a Culture of Cybersecurity
ƒ Online Training Modules for Cybersecurity Awareness and
Solutions
ƒ References:
¾ http://www.itu.int/ITU-D/cyb/cybersecurity/strategies.html
¾ http://www.itu.int/ITU-D/cyb/events/
¾ http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-cybersecurityself-assessment-toolkit.pdf
September 2007 9

September 2007 10

Establishment of Appropriate Cybercrime
Legislation and Enforcement Mechanisms
ƒ Regional Capacity Building Activities on
Cybercrime Legislation and Enforcement
ƒ Publication: Understanding Cybercrime: A
Guide for Developing Countries (end 2007)
ƒ Toolkit for Cybercrime Legislation for
Developing Countries
ƒ Cybersecurity Module in the ITU/InfoDev ICT
Regulation Toolkit
ƒ References
¾ http://www.itu.int/ITU-D/cyb/cybersecurity/legislation.html
September 2007 11

September 2007 12

Establishment of Watch, Warning and
Incident Response (WWIR) Capabilities
ƒ Assistance to Developing Countries related to
Establishment of Watch, Warning and Incident
Response (WWIR) Capabilities
ƒ Inventory of Watch, Warning and Incident
Response Capabilities by Region
ƒ Standard Reporting Format for Fraudulent
Online Activities
ƒ References
¾ www.itu.int/ITU-D/cyb/cybersecurity/wwir.html
September 2007 13

Countering Spam and Related Threats
ƒ Survey on Anti-Spam Legislation Worldwide
ƒ Botnet Mitigation Toolkit for Developing Countries
ƒ Pilot Projects for Implementation of Botnet Mitigation Toolkit in ITU Member States (Malaysia, India)
ƒ Joint Activities for StopSpamAlliance.org
ƒ Study on Economics of Spam (with ITU-T Study Group 3)
ƒ Translation of Message Anti-Abuse Working Group Best
Practices Docs
¾ Code of Conduct
¾ MAAWG - Managing Port25
¾ BIAC-MAAWG Best Practices Expansion Document
¾ Anti-Phishing Best Practices for ISPs and Mailbox Providers
¾ MAAWG Sender BCP Version 1.1
& Executive Summary
ƒ References
¾ http://www.itu.int/ITU-D/cyb/cybersecurity/spam.html
¾ http://www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html
September 2007 15

Bridging the Security-Related Standardization Gap between Developing and Developed Countries
(Plenipot Resolution 123)
ƒ Joint ITU-D/ITU-T Promotion of ITU-T Study
Group 17 Activities
¾ Joint ITU-T/ITU-D events
ƒ Increased Deployment and Awareness in
Developing Countries of ITU-T Security-
Related Standards
ƒ References
¾ www.itu.int/ITU-D/cyb/cybersecurity/standards.html
September 2007 17

Regional Workshops on Frameworks for Cybersecurity/CIIP
ƒ Hanoi, Vietnam
¾ 28-31 August 2007
ƒ Buenois Aires, Argentina
¾ 16-18 Oct 2007
ƒ Praia, Cape Verde (for West Africa)
¾ 27-29 November 2007
ƒ Egypt
¾ 6-8 May 2008 (with Telecom Africa)
ƒ Thailand
¾ September 2008 (with Telecom Asia?)
ƒ Caribbean, Africa, Bulgaria?
¾ 2008
September 2007 18

Information Sharing through Enhancing the
ITU Cybersecurity Gateway
ƒ Establishment of an ITU Cybersecurity/CIIP Directory
ƒ Establishment of an ITU Cybersecurity/CIIP Contact
Database
ƒ Establishment of Annual Who’s Who in
Cybersecurity/CIIP Publication
ƒ Establishment of an Annual ITU Cybersecurity
Publication
ƒ ITU Cybersecurity Fellowship Programme for Developing
Countries
ƒ Enhancement of the ITU Cybersecurity Gateway
¾ Integration with ICT Eye?
¾ Integration with Microsoft Virtual Earth or Google Earth
ƒ References
¾ http://www.itu.int/cybersecurity/gateway/
September 2007 20

September 2007 21

ƒ Q.22/1: Study Question adopted at World
Telecommunication Development Conference
(WTDC): Securing information and communication networks: best practices for developing a culture of cybersecurity
ƒ Calls for ITU Member States and Sector
Members to create a report on best practices in the field of cybersecurity
ƒ Four-year study cycle
ƒ Pointer to Q.22/1 activities can be found at www.itu.int/ITU-D/cyb/cybersecurity/
September 2007 22

ƒ To survey, catalogue, describe and raise awareness of:
¾ The principal issues faced by national policy makers in building a culture of cybersecurity
¾ The principal sources of information and assistance related to building a culture of cybersecurity
¾ Successful best practices employed by national policy-makers to organize for cybersecurity
¾ The unique challenges faced by developing countries
ƒ To examine best practices for watch, warning, and incident response and recovery capabilities
September 2007 23

ƒ 5 key elements to a good national cybersecurity programme:
¾ A national strategy
¾ A sound legal foundation to deter cybercrime
¾ A national incident management capability
¾ Collaboration between Government and
Industry
¾ A national awareness of the importance of a culture of cybersecurity
ƒ Current draft at
¾ www.itu.int/md/D06-SG01-C-0088/en
September 2007 24

ƒ Based on Q.22/1 Framework
ƒ Focused at national management and policy level
ƒ Intended to assist countries to:
¾ understand existing approach
¾ compare to best practices
¾ identify areas for attention
¾ prioritize national efforts
September 2007 25

ƒ Looks at organizational issues for each element of the Framework
¾ The people
¾ The institutions
¾ The relationships
¾ The policies
¾ The procedures
ƒ Toolkit now in draft form
¾ www.itu.int/md/D06-SG01-C-0122/en
September 2007 26

ƒ Necessary elements of substantive, procedural and mutual assistance law
ƒ Allows national authorities to review their domestic situation related to the goals and actions identified in:
¾ UN General Assembly Resolution 55/63 (2000)
ƒ http://www.un.org/Depts/dhl/resguide/gares1.htm
¾ Council of Europe’s Convention on Cybercrime (2001)
ƒ http://www.coe.int/T/E/Com/Files/Themes/Cybercrime/
ƒ Survey adapted from work in APEC-TEL Working Group
¾ http://www.apectelwg.org/e-securityTG/Resources.htm
.
¾ See www.itu.int/ITU-D/cyb/cybersecurity/legislation.html
September 2007 27

ƒ
¾ Vietnam (2007)
¾ Argentina (TBC 2007)
¾ Ghana (2007)
ƒ
September 2007 28

September 2007 29

ƒ What is a Botnet?
¾ A collection of infected and compromised computing devices harnessed together and remotely controlled for malicious purposes
ƒ How powerful is a Botnet?
¾ Like supercomputers created through distributed computing systems
ƒ e.g., BOINC: used for SETI@Home, Atomic Physics
ƒ People agree to donate spare computing resources
¾ Botnets: a special case of distributed computing
ƒ Without consent of computer owner (a zombie)
ƒ Hijacking of computing resources
September 2007 30

ƒ Botnets are a worldwide menace, widely used by spammers and cyber criminals
ƒ Use of botnets for cybercrime has increased and become more refined since 2002-3 when first mass mailer worms such as Sobig and Sober were released
September 2007 31

ƒ 2007 generation botnets such as Zhelatin (Storm
Worm) are particularly aggressive using advanced techniques such as fast-flux networks and striking back with denial of service (DDOS) attacks against security researchers or vendors trying to mitigate botnet
¾ "Fast-flux service networks are a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes.
These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations.“
ƒ Honeynet Project & Research Alliance
September 2007 32

September 2007
Source: Wired Magazine
33

ƒ Virus Writers, Botherders, Clients
¾ Virus writer writes malware, infects computers to create botnet
¾ Botherder operates the botnet
“command and control” (C&C)
¾ Clients hire botnets to distribute spam, launch
Distributed Denial of Service (DDoS) attacks, to conduct identity theft
ƒ Highly developed underground channels of communication
¾ “Secret” forums/chat rooms that shift location
¾ Access on a need to know basis, new entrants may need to be vouched for by existing participant
September 2007 34

ƒ Botherders now offer “service level agreements” to clients
¾ Guaranteed replacement of botnet in case anti-virus researchers release fix for malware or botnet is taken down
ƒ Organized crime involved in all stages of ecosystem
¾ Employ virus writers to create malware
¾ Carry out spam campaigns, espionage, ID theft, cyber-attacks
¾ Laundering of money stolen from victims
September 2007 35

ƒ C&C centers harder to trace
¾ Originally hosted on public IRC channels
¾ Now encrypted, access restricted C&C software
ƒ C&C centers may be hosted on botnets
¾ Increased redundancy
¾ Makes takedown harder
ƒ New “headless” single use botnets
¾ No centralized control or C&C required
ƒ new generation of P2P botnets
¾ Instructions embedded into malware
¾ New malware and botnet created for a new task
¾ Cannot stop botnet by taking down its C&C
September 2007 36

ƒ Self-propagating: infected hosts infect other hosts
¾ Infection vectors include email, P2P networks, open shared network folders, Skype, visiting infected website
¾ Newer malware spreads faster than older generations
ƒ Spread resembles global pandemic (SARS, Bird Flu)
¾ Can similar threat models/mitigation mechanism theories be applied?
ƒ Analysis, Detection and Removal more difficult
¾ Self-destruct mechanisms to destroy data if malware removed
¾ “Droppers” malware download more payload onto compromised host
¾ Encryption and debuggers / Virtual Machine (VM) traps to prevent forensic analysis
September 2007 37

ƒ Send spam
¾ Most visible use of botnets
¾ Botnets can host entire spam campaign
ƒ Including DNS servers, website hosting, spam sending
ƒ Content can change location from PC to PC, country to country, in minutes
¾ “Take” from a spam run can be reused
ƒ 419 scam artists now buying lists of compromised accounts from botherders, using these to spam
¾ But spam is just the tip of the iceberg
September 2007 38

What else can you do with a Botnet?
ƒ Attack a country’s Internet infrastructure
¾ Estonia DDoS attacks
ƒ Extortion/Blackmail
¾ Threaten to DDoS/cripple e-commerce websites
ƒ Identity theft and Industrial Espionage
¾ Steal credit cards, passwords, etc. from infected PCs
¾ Use computing power of a botnet to break into secured networks and steal data, credit cards
ƒ Stock “Pump and Dump” scams
¾ Use spam from botnet PCs to advertise stock
¾ Trade in this stock using online share trading accounts from infected PCs, artificially boost prices
September 2007 39

ITU Botnet Mitigation Project inspired by
Australian Internet Security Initiative (AISI)
ƒ Australian Communications and Media Authority (ACMA) partnership with 25 Australian ISPs
¾ ACMA collects data on IPs emitting malware
ƒ Identifies IPs operated by participating Australian ISPs
ƒ Notifies ISP responsible for affected IPs
¾ ISPs undertake to mitigate malware activity from infected
IPs on their networks
ƒ Notify infected customers
ƒ Change security and filtering policies as necessary
ƒ AISI project working internationally to fight botnets and has agreed to extend
AISI to other ITU Member States
September 2007 40

ƒ Identify nodal coordination agency for a nationwide botnet mitigation strategy
¾ Multi-stakeholder, Multi-pronged Approach (like OECD spam toolkit)
¾ Public-Private Partnership
¾ Make best possible use of existing initiatives and structures
ƒ Infrastructure for botnet scanning, measurement and mitigation
¾ Capacity building on tools and techniques to track botnets
¾ Identification of trusted interlocuters (e.g., international security and AV research community, CERT teams) for incident reporting
September 2007 41

ƒ Detection and takedown of botnet hosts and related infrastructure
¾ Infected PCs (automate as far as possible), C&C hosts, domains registered for botnet, payment gateways used by botnets, etc
ƒ Build awareness of security best practices for ISPs, e-commerce sites
ƒ Promote general Internet safety through end-user awareness programmes, engagement of civil society for assistance and grassroots penetration
September 2007 42

ƒ Framework for national botnet related policy, regulation and enforcement
ƒ Multi-stakeholder international cooperation and outreach
¾ Phase 1 (2007): Downloadable toolkit/guidelines for
ITU Member States
¾ Phase 2 (2008/2009): Targeted national/regional pilot initiatives
ƒ Malaysia (MCMC), India (CERT-IN)
¾ Cooperation with other partners?
ƒ LAP, APEC-TEL, OECD, MAAWG, APWG, Interpol,
ENISA, CERT/CC?
September 2007 43

ƒ ITU-D ICT Applications and Cybersecurity Division
¾ www.itu.int/itu-d/cyb/
ƒ ITU National Cybersecurity/CIIP Self-Assessment Toolkit:
Background & Approach
¾ www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-cybersecuritynational-self-assessment-toolkit.pdf
ƒ ITU Botnet Project Website
¾ www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html
ƒ ITU Botnet Mitigation Toolkit Overview
¾ www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-botnet-mitigationtoolkit.pdf
ƒ Regional Workshops on Frameworks for Cybersecurity and
Critical Information Infrastructure Protection
¾ www.itu.int/ITU-D/cyb/events/
September 2007 44

Helping the World Communicate
September 2007 45