Cyber Security in Korea Woo Han KIM Republic of KOREA Head of KISC/KrCERT

International Telecommunication Union
Cyber Security in Korea
Woo Han KIM
Head of KISC/KrCERT
Vice President of KISA
Republic of KOREA
ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004
Contents
A. Internet Positive Aspects
B. Internet Negative Aspects
C. Big BANG, Triggering Point
D. KISC’s Role
E. Hands-on Experience
A. Internet Positive Aspects
1. Network & Connectivity
Src.: www.caida.org
AS Path Length Graph: `Yearly' Graph (1 Day Average)
Avg. length: Max 5.0, Average 4.0, Current 5.0
Max. length: Max 33.0, Average 29.0, Current 30.0
Src.: http://www.cymru.com/BGP/asnpalen01.html
A. Internet Positive Aspects
2. Application Change
[Diagram: Client/Server Type (Server, Clients) compared with Pure Distributed Type (Peers)]
Src. : www.boardwatch.com
A. Internet Positive Aspects
3. Volume Size of Internet
| Items | China | Japan | Korea | World |
|---|---|---|---|---|
| Internet Users | 87,000K | 77,300K | 30,000K | 785,710K |
| % in Global | 10.1% | 9.8% | 3.7% | Others: 76.4% |
| ’00-’04 CAGR | 253.3% | 37.1% | 53.5% | 118.9% |
| No. of IPv4 | 47,584K | 112,587K | 31,504K | 4,300M |
| High Speed Users (K) | 17,700 | 13,150 | 11,500 | N/A |
| Pop. (K) | 1,327,976 | 127,944 | 47,136 | 6,453,311 |
Src.: www.internetstats.com & etc.
A. Internet Positive Aspects
4. Korea Internet Infrastructure
Internet
70+ ISPs
86,000+ Leased Line
11+ Million High Speed Internet
B. Internet Negative Aspects
1. Worldwide Malicious Codes
| Yr. | Worm | Virus | RAT |
|---|---|---|---|
| 1991 | 16 | 1,000 | 15 |
| 1992 | 17 | 2,600 | 20 |
| 1993 | 17 | 4,000 | 21 |
| 1994 | 17 | 5,900 | 21 |
| 1995 | 18 | 8,000 | 23 |
| 1996 | 22 | 15,000 | 27 |
| 1997 | 24 | 16,500 | 104 |
| 1998 | 127 | 24,000 | 443 |
| 1999 | 165 | 30,000 | 1,679 |
| 2000 | 271 | 49,000 | 4,754 |
| 2001 | 1,102 | 60,000 | 9,742 |
| 2002 | 1,978 | | 13,085 |
| 2003 | 2,488 | | 14,432 |

[Chart: Mal. Code (Worm, Virus, Trojan/RAT), 1991 to 2003]

RAT [Remote Administration Tool]: a Trojan that, when run, provides an attacker with the capability of remotely controlling a machine via a "client" in the attacker's machine and a "server" in the victim's machine.
Src. : www.pestpetrol.com
B. Internet Negative Aspects
2. System Vulnerability Points
[Diagram: ISP network topology. KRNET, ISP1 to ISP N, Peering, BGP4 to Foreign / International Internet ISPs, GigaPOP, Server Farm, and Home access via Dial-Up (D/U Modem), Cable Modem (CATV Head End, Splitter, CM), DSLAM, WLL, L/L, HDSL RT (2W/4W), ONU and CPE.]
Vulnerability points labelled on the diagram:
IOS/JuNOS (Router): Hijacking, Conf. Error
BIND (DNS), SendMail (Mail), SQL (DBMS), Apache/IIS (Web), FTP, Explorer: B-O/F
MS : Patch !!
B. Internet Negative Aspects
3. Incidents depending on OS
Windows incidents are increasing now and malicious traffic is overwhelming ....

| OS | 2002 | 2003 |
|---|---|---|
| Windows NT/XP/2000 | 44.8% | 62.6% |
| Windows 95/98 | 41.3% | 33.5% |
| Linux | 11.3% | 3.7% |
| Solaris | 1.8% | 0.2% |
| etc. | 0.8% | 0.1% |
Src. : www.krcert.org
C. Big Bang - Triggering Point
1. Slammer Worm (’03.1/25)
Some Parts of Slammer Source Code
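PSEUDO_RAND_SEND:            ; linear congruential step: state = state*214013 + ebx (mod 2^32)
mov eax, [ebp-4Ch]           ; eax = current generator state
lea ecx, [eax+eax*2]         ; ecx = 3*state
lea edx, [eax+ecx*4]         ; edx = 13*state
shl edx, 4                   ; edx = 208*state
add edx, eax                 ; edx = 209*state
shl edx, 8                   ; edx = 53504*state
sub edx, eax                 ; edx = 53503*state
lea eax, [eax+edx*4]         ; eax = 214013*state
add eax, ebx                 ; add the increment held in ebx
mov [ebp-4Ch], eax           ; store the new state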
[Worldwide Phenomena]
- Too fast to respond: Warhol
- Too many impacted servers
- Too widespread to co-ordinate
- Too many retries to connect
=> Most effective WORM!
Src: www.internetpulse.net
C. Big Bang - Triggering Point
2. Lesson from Slammer Worm
Secure Internet:
Gov.: Law Enforcement & Sec. Awareness PR
Agency: On-Line Surveillance System
ISP: Network Security Investment & Enhancement
SW Vendor: More Secure SW and Application
Home: Up-to-date Patch
Corp.: Security Awareness & CERT
C. Big Bang - Triggering Point
3. What Korean Gov. Have Done.
Law Enforcement: 2004.1.29, Rev. 2004.7.30
- Security Inspection (ISP, IDC, Main Portal..)
- Information Sharing Obligation with KISC
- Emergency Response to Block Malicious Port #
Launching KISC: 2003.12.17
- 24h X 7d Operation
- 5 min. Information Analysis (Traffic, port, incidents)
- Korea Internet Security Coordination (KrCERT/CC)
Security Awareness: 2003 – 2004
- Security Inspection for the SME (Free of Charge)
- Incidents Handling Manual for PC, ISP, IDC, Corp.
- Monthly Information Security Campaign
D. KISC’s Role
1. National Cyber-Sec. Framework
[Diagram: Public Sector (Gov. Agencies: NIS, SPPO, NPA) and Private Sector (ISPs, AV, MSSP), connected by: Incident Reports & Case Study; Information Sharing (Info. Sharing System); Co-Work; Technology & Information]
Public Sectors :
*NIS : National Information Service
*SPPO : Supreme Public Prosecutors’ Office
*NPA : National Police Agency
Private Sectors :
*ISP : KT, DACOM, Hanaro .. MSSP : Coconut.. AV : Ahnlab, Hauri
D. KISC’s Role
2. KISC’s Task and Job Flow
[Diagram: KISC job flow with the stages Detect, Analysis, Propagation and Recovery. Labels: ISP/ESM; Major ISPs & MSSP; Remote Agent; IDS/Firewall; Foreign Info.; Foreign Ptn; Vul. Notice Mail; S/W, H/W; AV/Vaccine; ISP Hot Liners; Private Sectors; Home Users; Press & TV/Radio; User. Notification channels: Mail, FAX, SMS, Web, Messenger, TRS.]
D. KISC’s Role
3. KISC’s Today & Tomorrow
[Diagram: KISC and its counterparts. Labels: Ctr. for System Vul. (Unix/Linux Vul, Windows Vul., Net/ Vul); OSS; Maker; Sec. Info. Exchange; Foreign Organization; BackUp; US, Jp., Cn CERT; Nat’l Cyber Help Desk (www.krcert.org); Patch Info.; Foreign Agency; Global co-work (APEC, Global); HoneyNet; VC, VC 1, VC 2; IDC/SO/IDC; Domestic Agency; Virus/Attack Sample; Telecom ISAC; Bank/Stock ISAC; Security ASP; ISPs; Corporate; Home Users; Hacker/Intruder]
E. Hands-on Experience
1. Phishing Scam
Reported by: foreign CERTs or victim organizations; response with ISPs
Major Victim: US-Bank, City Bank, Bank of America, Brazilian Bank ITAU etc.
[Chart: No. of Incidents reported to KISC, by month, Jan to Aug]
E. Hands-on Experience
2. Anti-SPAM Activities
Procedure: Reported by Users or ISP (Mail Service Providers)
Countermeasure: On-site Inspection and Criminal Inspection with Prosecutors
[Diagram: spam flow among Spammer, Abettor, Compromised PCs, DNS Server, Mail Server (Over Load) and Users. Step labels (numbering lost): SPAM; SPAMMing; Mail Server DNS Query; Zombie Server; Lists Update; Malicious Code Install]
E. Hands-on Experience
3. Anti-BOT (Zombie PCs) Activities
Procedure: Reported by Agencies for the IP-Lists of Compromised PCs
Response: Block the Relay-Servers and Notify the Infected Users
[Chart: No. of Zombie PCs for Cnty A to Cnty E, Apr to Jun 2004; y-axis 0 to 350000]
E. Hands-on Experience
4. Sec. Awareness and Support
Security Awareness Activity
1). Security Education for :
Security Divide Sector ( SME, PC Plaza, Users etc. )
2). Publishing Cyber Security Manuals (Manual + CDs )
Individual User, Corporate Network Operator
ISP, IDC, PC-Plaza Operator
Encouraging to establish CERT
Operation of CONCERT ( CONsortium of CERT : 228 in Korea )
On-Site Security Inspection for the SME ( ~ 2004 )
Target : 1,000 SME with Security Divide Sectors
Inspection and Training ( Free of Charge )
E. Hands-on Experience
5. Epilogue
To ISP and ISV :
Security is the last business area.
To whom it may concern :
We need more collaboration.
[Chart: H/W, S/W and Service, in Million US$. Src: IDC (2003.3)]
E. Hands-on Experience
6. Qs & As
For any further information
Please contact:
KIM, Woo Han : whkim@kisa.or.kr
Thanks !