Current/Planned ITU-IMPACT Services
Anuj Singh/Marco Obiso
Burkina Faso, October 2013

Planned Offerings – ITU-IMPACT 2014-2016
• Some of the highlights
– Anti-Virus Exchange (AVEX)
– Child Online Protection Information Exchange (COPX)
– Legal Activities
– National Cybersecurity Strategy (NCS)
– Cyber-drill (ALERT)
– Implementing National Computer Incident Response Teams (CIRT)

Anti-Virus Exchange Platform

AVEX: Introduction
• A closed access system for exchange of virus information.
• Provides a repository of antivirus signatures and meta information in a reliable and interactive manner.
• Provides information on viruses and malware along with remedial measures.
• Provides a set of APIs for antivirus providers to publish information to the system automatically.

AVEX: Behind the program
• Information coming into AVEX comes from a trusted network of ITU-IMPACT industry partners, mostly from the AV industry.
• All users contributing to the system have to be pre-approved by a group of reviewers.
• AVEX provides an API set which allows contributors to push information directly to the system from their applications.
• Access to information is decided based on the privileges of the user.
• ITU-IMPACT partner countries can query the AVEX database through ESCAPE.

AVEX: Functionalities
• AVEX comes with a host of built-in functionalities. Some of the major capabilities built into AVEX include:
AVEX v1.0
– SEARCHABLE MALWARE DATASET
– ANTIVIRUS VENDOR API
– AGGREGATION ENGINE
– ESCAPE INTEGRATION

AVEX: Future upgrades
• Some of the future upgrades would include:
– IMPROVED API SETS
– MALWARE SAMPLE REPOSITORIES
– UPGRADED SEARCH FUNCTIONALITIES
– HONEYNET INTEGRATION

AVEX: Benefits
• Unbiased service for sharing information on malware along with its respective detection tools, removal tools and characteristics.
• Facilitates a trusted platform between AV vendors to share information on the latest malware.
• Provides ITU-IMPACT partner countries with an option for accessing the information through the ESCAPE platform.
• Acts as an aggregator compiling results from multiple providers.
• Real time updates of virus and malware signatures and blacklists.
• Real time global service operation statistics.

COPX: Child Online Protection Information Exchange

Problems: Current Issues
• There is an increasing amount of unwanted content on the internet: Child Pornography, Self harm, Radicalisation, Suicide etc.
• Hardly any attempts have been made to collect the list of available objectionable material and distribute it to actionable agencies.
• No solutions, or only solutions with limited capabilities, exist to deter the perpetrators or to decrease objectionable material on the internet.
• The majority of the actions taken by organisations/agencies are in silos.
• Most of the actionable information does not reach the right agencies.

Solutions: Existing Initiatives
And many more…

What is Required? Core Capabilities
• Ability to bring multiple organisations together to contribute.
• Make information available to all empowered agencies to take action.
• Allow distribution of information and capacity building material to agencies:
– Law enforcement agencies/Regulatory authorities/Judiciary/Special interest groups
• Automation of key routines to ensure speedy delivery.
• Consensus among all concerned agencies on the objectionable material.

Introduction: COPX - Thought Process
• A deterrent for offenders.
• Developing a global coalition to protect the interests of children online.
• Providing a secure platform for information sharing.
• Building a centralised repository for COP materials.
• Facilitating international collaboration.
• Building global acceptance and participation on COP initiatives.

COPX
[Diagram: PORTAL and DATABASE, with International Organizations, ITU, Regional Centers, Country Regulators and Others]

COPX: Eco System (15/10/2013)
[Diagram: roles Facilitators, Contributors, Reviewers and Consumers; parties shown: ITU, IMPACT, Countries, Member states, International Organisations, Industry Partners, Special Interest Groups, Regulators, Law Enforcement Agencies]

Roles: Participating Organisations
INTERNATIONAL ORGANISATIONS / COUNTRY
• Provide inputs to the system
• Provide inputs to the system
• Take the responsibilities of validating information
• Take responsibility over information
• Encourage interaction on the platform
• Provide statistics and information
• Participate in take down operations
• Participate in discussion and information sharing
ITU-IMPACT
• Provide a secure infrastructure
• Facilitate the participation of agencies
• Ensure the stability of the platform
• Provide translation services for materials.

ITU-IMPACT Legal Activity

ITU-IMPACT Legal Activity: Introduction
• It is our goal to make sure that partner countries have a legal framework that enables them to deploy maximum cybersecurity.
• For that purpose we conduct a legal activity in six steps:
– Assessment
– Stakeholder Consultation
– Drafting
– Capacity Building
– Implementation
– International Cooperation

National Cybersecurity Strategy Overview

Introduction: The Importance of National Cybersecurity
• Important functions of society rely on the Internet and ICTs
• The Internet and ICTs have become essential drivers for economic growth
• But increased reliance equals increased vulnerabilities and threats
• Attacker sophistication and professionalism are growing
• Multiple malicious actors target individuals, industries, and governments

Introduction: The Scope of National Cybersecurity
• Master plan
• Cybersecurity policies
• Initiatives and research
• Resources
• Information Handling & Sharing mechanism
• Risk prioritization
• Compliance
• Certification
• Evaluation of procedures and process
• Awareness
• Capacity Building
• How to approach
• Acceptance
• International Cooperation

Introduction: Motivations for National Cybersecurity Strategies
Motivations to achieve:
• Enhanced governmental co-ordination at policy and operational levels
• Reinforced public-private co-operation
• Improved international co-operation
• Benefits of the economic aspects of cybersecurity
• Benefits of a multi stakeholder dialogue
[Diagram: Strategic level, Organisational level, Operational level]

National Cybersecurity Strategy: Scope and Vision
[Diagram: National Cybersecurity Strategy, with Legal & Regulatory, Technical & Procedural, Capacity Building, Cooperation, Policy & Compliance]
• Government security
• Protection of Critical Infrastructure
• Response Mechanism
• National Coordination
• Awareness
• Fight against cybercrime
• Private Sector Cooperation
• International Cooperation
• Education
• Research and Development
• Forensic Capabilities
• Risk Management

National Cybersecurity Strategy: Structure
[Diagram: National Cybersecurity Strategy, with Legal & Regulatory, Technical & Procedural, Capacity Building, Cooperation, Policy & Compliance]
NCA (National Cybersecurity Agency)
• National CIRT
• CNIIP CoE
• Forensics Centre
• Research Centre
• Certification Centre

National Cybersecurity Strategy: Assessment Methodology
Five-day on-site assessment and workshop exercise by two IMPACT experts with the purpose to:
• Review the current ICT and cybersecurity readiness and requirements of the country.
• Review the cybersecurity stakeholders in the country.
• Analyse the capabilities of setting up a National Cybersecurity Agency with the subsequent National CIRT, CNIIP CoE, Forensics Centre, Research Centre, and Certification Centre.
• Propose an organisational structure for the NCS.
• Propose an initial roadmap for the NCS.
• Conduct trainings for capacity building in operation, maintenance, and coordination of the NCA with relevant agencies.

National Cybersecurity Strategy: Assessment Methodology
The Assessment Report will include Reviews and Proposals:
• ICT and Cybersecurity readiness
• Project governance framework including identification of members of Steering Committee and Advisory Groups
• Identification of cybersecurity stakeholders
• Scope, vision, and timeframe of the NCS
• Risk assessment approach
• Identification of cybersecurity actors and critical sectors
• Initial project roadmap and priorities
• Evaluation framework for the NCS

Cyber Drill (ALERT)
Applied Learning for Emergency Response Teams

Cyber Drill: ITU Regional Forum on Cybersecurity
Introduction
• Three-day event.
• First day, workshops on current issues such as:
– Botnets, Mobile Security, Child Online Protection, etc.
• Next two days:
– Cyber drill: ALERT (Applied Learning for Emergency Response Team).
– A cyber attack simulation in a controlled environment; no live systems are attacked.
Objectives
• Capacity building.
• To enhance communication and incident response capabilities.
• To maintain and strengthen international cooperation between partner countries and to ensure continued collective efforts against cyber threats.

Cyber Drill: Milestones and Plan for 2013
• Designed to maintain and strengthen international cooperation between partner countries and ensure continued collective efforts against cyber threats, with exercises designed to enhance communication and incident response capabilities.
• The cyber drill simulation runs through a scenario with each participating country divided into two roles, representing a player and an observer.
• Over 57 countries have participated in the cyber drills conducted by ITU-IMPACT.
• Cyber drills conducted:
– Dec 2011 – Asia Region
– July 2012 – Arab Region
– Oct 2012 – Europe & CIS Region
– Aug 2013 – Americas Region
Planned cyber drills
• Arab Region, 4th quarter 2013
• Asia-Pacific Region, 4th quarter 2013

Cyber Drill: Target ALERT Participants
Ten national Computer Incident Response Teams (CIRT). Minimum three or maximum four technically competent participants from each country's CIRT, divided into two roles: Player and Observer.
Player
This mandatory role requires the participant to have technical knowledge as well as the skills to use the tools to perform incident analysis on the scenarios.
Observer
This optional role requires the participant to have management and communication skills in order to observe and assist the players in his team as well as communicate with other participating teams (as part of international cooperation) during the drill.
Participating Team
• Player #1
• Player #2
• Player #3
• Optional (Player #4/Observer)

COMPUTER INCIDENT RESPONSE TEAMS (CIRTs)

CIRTs: Introduction
• A CIRT assists partner countries in preventing and handling cyber threats by acting as a single point of contact for reporting security incidents as well as providing a platform for information sharing.
• ITU-IMPACT provides CIRT services to its partner countries.
CIRT SERVICES
– READINESS ASSESSMENT
– CIRT AUDIT
– CIRT IMPLEMENTATION

CIRT Readiness Assessment: Objectives
• Provides an overall view on the functions of the CIRT.
• To assess the country's readiness towards establishing a CIRT.
• To provide the participants with an overall experience of CIRT functionality.
• 5-day comprehensive exercise.
• Mainly dealing with the practical approach, with introductions and briefings on incident handling and operation methodologies.

CIRT Implementation

CIRT Implementation: Introduction
• To assist the government to establish its national CIRT and further develop its cybersecurity capabilities.
• To serve as a trusted, central coordination point of contact for cybersecurity.
• To build up the incident response capability for identifying, defending against, responding to and managing cyber threats.

CIRT Implementation: Implementation Roadmap
[Roadmap diagram: Phase 1, 6 months, Phase 2, 6-12 months, Phase 3, National CIRT]

CIRT Implementation: Phase 2 Overview
Phase 2 of CIRT Implementation will be focusing on proactive services:
[Diagram: NATIONAL CIRT. PHASE 1: Incident Response Framework, CIRT Mailing List, Incident Management System (RTIR), CIRT Portal. Reactive Services, Proactive Services. Security Assessment Framework, Centralised Log Management, Intrusion Detection System (NIDS & HIDS), Network Security Monitoring (NSM). PHASE 2]

CIRT Implementation: Phase 3 Overview
Prevention of further intrusions
• Goal is to reconstruct modus operandi of intruder to prevent further intrusions.
Assessment of damage
• Goal is to certify system for safe use.
Evidence preservation
Reconstruction of an incident
• For criminal proceedings.
• For organization-internal proceedings.
[Diagram labels: Sandbox, Package 2, Advance Forensic, CIRT Forensic, Evidence Collection, Reporting format, Malware Analysis, Package 1, CIRT Forensics, Package 3, Mobile Forensic]

Thank you
www.facebook.com/impactalliance
IMPACT, Jalan IMPACT, 63000 Cyberjaya, Malaysia
T +60 (3) 8313 2020
F +60 (3) 8319 2020
E contactus@impact-alliance.org
impact-alliance.org
© Copyright 2013 IMPACT. All Rights Reserved.