The National Importance Of Cyber Security
Lal Dias, Chief Operating Officer, Sri Lanka Computer Emergency Readiness Team | Coordination Centre (Sri Lanka CERT|CC)
Wednesday, 15th February 2012

Agenda
• Drivers for adoption of cyber security
• Security governance
• Threats and potential damage analysis
• Collaboration and coordination for effective security
• Awareness creation
• End result

Drivers for adoption of Cyber Security: E-Government initiatives (1)
• Launch of e-government services
◦ Web applications such as the e-revenue licence, online visa and pension services
◦ Information services: Government Information Centre (GIC)
◦ Payment facilities for services (revenue licence renewal fee, paying a spot fine) via web or SMS

Drivers for adoption of Cyber Security: E-Government initiatives (continued)
Security perspective on government services:
• Protect the confidentiality of citizen information, both in storage and in transmission between government organisations
• Provide correct information to citizens: maintain the integrity of information
• Sustained availability of services and information: redundant infrastructure, robust software platforms, good capacity planning, protection against intentional and unintentional service outages
• Citizens need to be able to trust government applications and websites
• Applications and websites need to be able to identify citizens remotely: a digital identity is required
• Provide facilities to conduct financial transactions securely (use of digital certificates, prevention of SMS spoofing)

Drivers for adoption of Cyber Security: On-line Service Delivery (2)
• Extensive adoption of electronic commerce as a service delivery platform
◦ Online banking (a number of local and foreign banks)
◦ Shopping (kapruka, greatdeals, etc.)
◦ Trading (eBay)
◦ Social networking sites (Facebook, purchase of credits)

Drivers for adoption of Cyber Security: On-line Service Delivery (continued)
Security perspective on online service delivery:
• The authenticity of users and of application sites needs to be established beyond doubt
• Financial transactions need to be conducted through a secure facility
• Security as a competitive tool to attract more customers (use of security tokens, etc.) by building confidence

Drivers for adoption of Cyber Security: Critical National Infrastructure Automation (3)
• National-level endeavours and vision to automate critical national infrastructure for high availability, high quality and cost-effective service delivery: energy, public health, water, telecommunications, agriculture, transportation, financial services, security services
• Example: energy sector
◦ Smart metering
◦ Remote control (home appliances)
◦ Smart grid (IPv6)

Drivers for adoption of Cyber Security: Critical National Infrastructure Automation (continued)
Security perspective:
• Automation opens the door to remote manipulation by malicious groups or persons (unauthorised access)
• Need to prevent potential loss of revenue, damage to or destruction of infrastructure, and/or large-scale loss of life (power outages, water supply contamination, traffic light manipulation causing pile-ups, air traffic control manipulation)

Drivers for adoption of Cyber Security: National ICT Policy (4)
• Defines ICT activities as a major revenue source for the country
• To be achieved through:
◦ Development of applications (stock exchange applications, security applications, travel management applications, other niche applications)
◦ Outsourcing of ICT functions
◦ Development of the local ICT market and revenue generation from ISP operations

Drivers for adoption of Cyber Security: National ICT Policy (continued)
Security perspective:
• Applications need to be developed in a secure, structured manner, with good, internationally accepted security practices incorporated during the development process
• Developers need to be trained and aware
• Outsourcing firms need to structure their operations, provide secure infrastructure and train staff to maintain good practices and procedures that meet the security expectations of their customers

Security Governance: E-government policy (1)
Good governance is essential for maintaining a structured approach to security. Measures already introduced in Sri Lanka take the following forms.
• While setting out operational policies for e-government staff, the e-government policy addresses up to 16 security requirements, such as:
◦ 010204: Migration into electronic format: data available in participating government organisations is to be collected, inspected, updated, structured in the required format and cleansed, and its integrity ensured, before being migrated into electronic format
◦ 010207: Electronic records should be maintained in such a manner as to ensure confidentiality and prevent unauthorised access, modification, alteration or deletion/removal
◦ 010302: Email addresses of citizens gathered from government websites should not be divulged, made available or sold to third parties

Security Governance: High-level Information Security Policy (H-POL) for government organisations (2)
• Based on the ISO 27001 Information Security Management System (ISMS)
• Template made available for customisation by individual government organisations
• 17 security areas are addressed in H-POL, including:
◦ Organisational security
◦ Personnel security
◦ Incident management
◦ Malware protection
◦ E-mail and Internet security
◦ Acceptable use policy
◦ Fraud management
◦ Communications and operations management
◦ Acquisition of hardware
◦ Acquisition of software
◦ Logical access control
◦ Asset classification
◦ Privacy and outside entities
◦ Physical security
◦ Compliance measurement
◦ Business continuity management (BCM)

Security Governance: E-laws (3)
• Computer Crime Act No. 24 of 2007
◦ Makes eight provisions for prosecuting individuals found guilty of committing a crime using a computer
◦ Covers unauthorised access, illegal interception of data, threats to national security, and illegal modification of data or systems
◦ Provides the foundation for conducting investigations and for the use of electronic evidence
• Payment Devices Frauds Act No. 30 of 2006
◦ Credit card fraud and ATM card fraud are prosecuted under this law; there have been several successful prosecutions
• Electronic Transactions Act No. 19 of 2006
◦ Sets the foundation for electronic contracts
◦ Sets the foundation for digital identities
◦ Sets the foundation for national certificate authorities

Security Governance: International standards (4)
• ISO 27001
◦ Helps raise confidence in the security measures implemented in an organisation, especially where the business is required to handle sensitive information
◦ Many banks, intellectual property development firms and the Internet data centres of telecom operators strive to achieve this standard
◦ Used actively as a marketing tool
• PCI DSS
◦ Defines security requirements specific to the payment card industry

Security Governance: Security as a matter of national importance (5)
• Cyber intelligence is gaining in importance for most sovereign nations; cyber warfare is heating up globally
• Political agendas can now be pursued through cyber channels such as Twitter, Facebook and various underground sites
• Sovereign nations need to be able to identify and intercept malicious and/or covert communications (encrypted messages between subversive groups, pornographic content, false alerts) which may cause instability in society
• Cyber espionage is also on the rise: governments need to prevent outsiders from listening in on sensitive information, and also prevent unauthorised information leakage (e.g. WikiLeaks)
• BlackBerry messaging was threatened with bans in Saudi Arabia and the UAE in 2010 because regulators could not intercept its encrypted traffic

Threats & Potential Damage Analysis: Threats to national security from cyber attacks (1)
Example: Stuxnet and critical infrastructure
• Famous for manipulating the speed of uranium enrichment centrifuges at Iran's Natanz facility, with the aim of setting back the production of weapons-usable fissile material
• First known cyber weapon to identify and target a specific subsystem from a specific manufacturer (Siemens programmable logic controllers)
• Successors have since appeared, such as Duqu (reported in 2011)
• Sri Lanka is not yet at a level of automation at which a "cyber missile" like Stuxnet would cause such serious loss
• However, when developing such systems for the future we must be mindful of such threats

Threats & Potential Damage Analysis: Cyber espionage (2)
Example: GhostNet
• Its control infrastructure was located largely in mainland China; it was used to gather a large amount of sensitive information from countries in South Asia, North America and the Middle East through their diplomatic offices
• Unauthorised disclosure of sensitive information (through illegal interception) embarrassed these governments
• Armed with prior knowledge of the intentions of their counterparts, countries that engage in cyber espionage have an edge in political manoeuvring (a "chess game")

Threats & Potential Damage Analysis: Distributed Denial of Service attacks (3)
Example: Estonia
• In 2007 Estonia, one of the most connected countries in the world, was subjected to a large-scale distributed denial of service attack, widely attributed to Russian sources, following a political clash over the relocation of a Soviet-era war memorial
• Within a few hours, critical services such as telephony and financial services were obstructed
• Thanks to an excellent incident response plan and effort, Estonia managed to contain the attack and recover within a remarkable time frame
• Despite the initial attack, Estonia is credited with having successfully defended its cyberspace; NATO set up its Cooperative Cyber Defence Centre of Excellence in Tallinn in 2008 in recognition of this
• Are we in a position to do the same?

Threats & Potential Damage Analysis: Threat awareness (4)
• It is important to be aware of the threat landscape, not just locally but regionally and globally as well
• It is also important to be aware of threats originating from our own economy; this is in line with the "cyber clean" project initiated by APCERT
• Sensor networks, such as the Network Early Warning System (NEWS) deployed by IMPACT (the security arm of the ITU), and a host of others such as Shadowserver, the Dragon Research Group and TSUBAME by JPCERT/CC, provide useful information such as:
◦ The point of origin and destination of attack traffic
◦ The type of traffic used and the possible type of attack being launched
◦ The systems being targeted
◦ Known hosts within our IP address space that are attacking other economies, and the ISPs they belong to

Collaboration & Coordination for Effective Security: Adopting a structured approach to security (1)
• Predetermined strategies and procedures for effectively handling security incidents need to be implemented and drilled
• For example, in the event of a phishing attack:
◦ Who should the incident be reported to?
◦ Which parties should be engaged to identify and take down the phishing site?
◦ What measures are to be taken to contain the damage caused by the incident until the site is disabled?
◦ What are the acceptable time frames for resolving the incident?

Collaboration & Coordination for Effective Security: Adopting a structured approach to security (2)
Contingency plans for national-level disasters caused by cyber attacks
• Same as before, but on a larger scale; for example, a distributed denial of service attack as in Estonia
◦ How would ISPs continue to provide connectivity for critical operations if the regular links are congested?
◦ What is our critical infrastructure?
◦ How would government information services continue to operate if servers are compromised?
◦ Have we simulated such scenarios and seen whether the contingency plans work?
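The kind of processing a national CERT applies to sensor-network reports of the sort described in the threat awareness slide (and to the compromised-host information the deck later says the Telco CSIRT shares with ISPs), as an added example that is not part of the original presentation: feed records naming the source and destination of attack traffic are matched against the constituency's address space by longest-prefix lookup, hosts inside that space which attack other economies are grouped by the ISP that holds the prefix, inbound and purely internal events are separated out, and malformed rows are counted rather than trusted. The prefix table, ISP handles and feed lines are constructed placeholders (documentation and private address ranges), not real allocations or real feed data, and the CSV layout is only modelled on the kind of report such feeds deliver.

```python
"""Triage of sensor-network reports for a national CERT (constructed example)."""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed constituency table: prefix -> ISP handle. Placeholder ranges
# (RFC 5737 documentation space) so nothing here points at a real network.
CONSTITUENCY_PREFIXES = {
    "192.0.2.0/24": "ISP-A",
    "198.51.100.0/24": "ISP-B",
    "203.0.113.0/25": "ISP-C",
    "203.0.113.128/25": "ISP-D",
}

# Constructed feed, modelled loosely on a Shadowserver-style CSV report.
SAMPLE_FEED = """\
timestamp,src_ip,dst_ip,event_type
2012-02-14 01:12:03,192.0.2.17,10.9.8.7,ssh_bruteforce
2012-02-14 01:15:41,192.0.2.17,10.9.8.8,ssh_bruteforce
2012-02-14 02:03:10,198.51.100.200,172.16.4.4,dos_udp_flood
2012-02-14 02:30:00,203.0.113.5,203.0.113.140,ssh_bruteforce
2012-02-14 03:00:00,10.1.1.1,192.0.2.50,dos_syn_flood
2012-02-14 03:30:00,not-an-ip,192.0.2.51,scan
"""


def build_prefix_table(prefixes):
    """Parse the prefix->ISP mapping once, most specific prefix first, so a
    narrower delegation overrides a covering aggregate (longest-prefix match)."""
    table = [(ipaddress.ip_network(p, strict=True), isp) for p, isp in prefixes.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_isp(ip, table):
    """Return the ISP handle for an address inside our space, else None."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    for net, isp in table:
        if ip.version == net.version and ip in net:
            return isp
    return None


def triage_feed(feed_text, prefixes=CONSTITUENCY_PREFIXES):
    """Classify each feed record relative to the national address space.

    Returns a dict with:
      outbound:  {isp: {src_ip: Counter(event_type -> count)}}, the hosts the
                 ISP must be asked to clean up because they attack other economies
      inbound:   Counter(event_type -> count) of attacks aimed at our space
      internal:  list of (src, dst, event_type) where both ends are ours
      malformed: number of rows skipped because an address did not parse
    """
    table = build_prefix_table(prefixes)
    outbound = defaultdict(lambda: defaultdict(Counter))
    inbound = Counter()
    internal = []
    malformed = 0
    for row in csv.DictReader(io.StringIO(feed_text)):
        try:
            src = ipaddress.ip_address(row["src_ip"].strip())
            dst = ipaddress.ip_address(row["dst_ip"].strip())
        except ValueError:
            malformed += 1  # a feed is untrusted input: count and skip, never crash
            continue
        src_isp, dst_isp = lookup_isp(src, table), lookup_isp(dst, table)
        event = row["event_type"].strip()
        if src_isp and not dst_isp:
            outbound[src_isp][str(src)][event] += 1
        elif dst_isp and not src_isp:
            inbound[event] += 1
        elif src_isp and dst_isp:
            internal.append((str(src), str(dst), event))
        # neither end in our space: not our constituency, ignored
    return {
        "outbound": {isp: dict(hosts) for isp, hosts in outbound.items()},
        "inbound": inbound,
        "internal": internal,
        "malformed": malformed,
    }


def notification_lines(result):
    """One actionable line per (ISP, host), noisiest host first within each ISP."""
    lines = []
    for isp in sorted(result["outbound"]):
        hosts = result["outbound"][isp]
        for host, events in sorted(hosts.items(), key=lambda kv: -sum(kv[1].values())):
            summary = ", ".join(f"{e} x{n}" for e, n in sorted(events.items()))
            lines.append(f"{isp}: {host} attacking external hosts ({summary})")
    return lines


if __name__ == "__main__":
    res = triage_feed(SAMPLE_FEED)
    for line in notification_lines(res):
        print(line)
    print(f"inbound: {dict(res['inbound'])}, internal: {res['internal']}, "
          f"malformed rows: {res['malformed']}")
```

The internal bucket (one constituency host attacking another) is kept apart from the outbound one because it needs a different message to the ISP: the victim is also local, so the report goes to both ends' abuse contacts rather than only to the attacker's.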
Collaboration & Coordination for Effective Security: Adopting a structured approach to security (3)
Creation of sector-based silos for security
• Works on the concept that each industry operates its own unique technology environment
• Therefore no single security body such as Sri Lanka CERT can dedicate enough resources to learn the security vulnerabilities and mitigation techniques of specialised systems
• Sector-based CSIRTs, such as the Bank CSIRT, will be dedicated to addressing security issues within the finance industry, the telco industry, the military, etc.
• Functions:
◦ Introduction and enforcement of baseline security standards
◦ Providing incident response services
◦ Providing vulnerability alerts
◦ Telco CSIRT: hosting a content filtration system and an SMS firewall, and sharing compromised-host information with ISPs to "clean local cyber space"

Collaboration & Coordination for Effective Security: Adopting a structured approach to security (4)
• Security training and certification is expensive
• Organisations find it difficult to retain skilled security professionals
• Measures need to be taken, and finances made available, to retain security professionals who contribute to security disciplines such as:
◦ Penetration testing
◦ Incident response
◦ Risk management
◦ Audit

Collaboration & Coordination for Effective Security: The role of international collaboration
• There is general uncertainty about the information required to resolve cross-border incidents
• Need a directory of contacts from all over the globe
• Formal contact needs to be established between peer organisations (e.g. CERT to CERT)
• Formal service level agreements need to be established between peers to ensure the effectiveness of security measures
• Only then can we guarantee complete resolution of incidents to our constituents
• A role for FIRST and APCERT

Collaboration & Coordination for Effective Security: The role of international collaboration (continued)
Challenges and successes in international cooperation to tackle security incidents
• Success: establishment of links with commercial organisations to disable fake social networking and e-mail accounts
• Success: establishment of contacts to disable phishing sites
• Challenge: need to enforce a formal procedure whereby strict timelines are defined for disabling fake accounts and phishing sites. The importance of these timelines is well understood by ISPs, banks and other affected parties. For example: blocking a host originating denial of service traffic within 4 hours, disabling a phishing site within 12 hours, removing a fake Facebook account within 24 hours

Awareness Creation: Awareness creation among state sector employees
• Spreading the word on information security policies, e.g.:
◦ Entering and leaving the premises
◦ What they can say to customers and other third parties
◦ What websites they can access at work
◦ What devices they are or are not allowed to use
◦ Need for non-disclosure agreements
◦ Penalties for non-compliance
• Promoting good security practices
◦ Make employees understand what the policy means to them at an operational level
◦ Encourage employees to nurture good security practices intrinsically: continue practising security at home, and teach good security practices to friends and family
◦ Penalties and laws must be used as motivators to adopt good security practices

Awareness Creation: Awareness creation among the general public
• Protection of children
◦ Online safety programme for schools under way
◦ Monthly online safety bulletin (Cyber Guardian)
◦ Educating parents on techniques to restrict children's activities online, such as Net Nanny and parental control settings
• Safe use of online transaction facilities
◦ Educating users on identifying secure websites
◦ Identification and prevention of social engineering is a major part of these efforts; phishing mails, scams, etc. are social engineering attacks

End Result: Trust & success
• Whether for government citizen services or for commercial purposes, increased trust in online services and data security translates into financial success and increased adoption of technology
• Once security is identified as a contributor to financial success and increased ICT adoption, demand for security functions will increase and in turn help sustain a competent security skill set
• An improved global reputation as a competent and secure ICT hub will also help sustain the goals of the National ICT Policy
• Establishment of digital identities, such as through the use of digital certificates, will help transform cyber space into a true living space for citizens, where they can meet friends, bank, work and relax

Thank You
Sri Lanka CERT|CC
e-mail: lal@cert.gov.lk
Website: www.cert.gov.lk