
The Internet has become one of the most powerful and widely available communications mediums on earth, and our reliance on it increases daily. Governments, corporations, banks, and schools conduct their day-to-day business over the Internet. With such widespread use, the data that resides on and flows across the network varies from banking and securities transactions to medical records, proprietary data, and personal correspondence.


The Internet is easy and cheap to access, but the systems attached to it lack a corresponding ease of administration. As a result, many Internet systems are not securely configured. Additionally, the underlying network protocols that support Internet communication are insecure, and few applications make use of the limited security protections that are currently available.
Cyber attack definitions

Cyber-warfare (also known as cybernetic war, or cyberwar) is the use of computers and the Internet to conduct warfare in cyberspace. A cyber attack is a computer-to-computer attack that undermines the confidentiality, integrity or availability of a computer or of the information resident on it: the premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or to further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives.
Cyber Attack cases

1999, Moonlight Maze
A series of alleged coordinated attacks on American computer systems in 1999. It was claimed that the attackers had obtained large stores of data that might include classified naval codes and information on missile guidance systems, though it was not certain that any such information had in fact been compromised. The attacks were traced to a mainframe computer in Moscow, but it is not known whether that is where they originated.

2003, Titan Rain
A series of coordinated attacks on American computer systems from 2003 onward. The Titan Rain hackers gained access to many U.S. computer networks, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA.

2007, Cyber attacks on Estonia
A series of cyber attacks that began on April 27, 2007 and swamped the websites of Estonian organizations, including the Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's row with Russia about the relocation of a Soviet-era memorial to fallen soldiers, as well as war graves, in Tallinn.

2007, Cyber attacks on US DoD, French, German and British government systems
2007, Kyrgyzstan election supervision commission website defacement and DDoS

“This site has been hacked by Dream of Estonian organization”
2008, Unauthorized access to Indian MoFA computer systems

2008, Cyber-attacks on Georgia and Azerbaijan

More cyber attacks are happening every minute.

Cyber security & journey of CERT
Cyber security is a cat-and-mouse game between Black Hats and White Hats. Even as more people become aware of Internet security, it is getting harder for them to keep up with the cyber threats. The following table shows the percentage of respondents reporting each type of incident in the CSI Computer Crime and Security Survey, by year (n/a = category not reported in that year's survey):

Type of incident                  2004   2005   2006   2007   2008
Denial of service                  39%    32%    25%    25%    21%
Laptop theft                       49%    48%    47%    50%    42%
Telecom fraud                      10%    10%     8%     5%     5%
Unauthorized access                37%    32%    32%    25%    29%
Virus                              78%    74%    65%    52%    50%
Financial fraud                     8%     7%     9%    12%    12%
Insider abuse                      59%    48%    42%    59%    44%
System penetration                 17%    14%    15%    13%    13%
Sabotage                            5%     2%     3%     4%     2%
Theft/loss of proprietary info     10%     9%     9%     8%     9%
Abuse of wireless network          15%    16%    14%    17%    14%
Web site defacement                 7%     5%     6%    10%     6%
Misuse of Web application          10%     5%     6%     9%    11%
Bots                               n/a    n/a    n/a    21%    20%
DNS attacks                        n/a    n/a    n/a     6%     8%
Instant messaging abuse            n/a    n/a    n/a    25%    21%
Password sniffing                  n/a    n/a    n/a    10%     9%
Theft/loss of customer data        n/a    n/a    n/a    17%    17%


According to Computer Economics (2007), virus attacks alone had a 13.3 billion USD effect on the economy in 2006. The following table compares the years:

Year    Impact ($ billion)
2006    13.3
2005    14.2
2004    17.5
2003    13.0
2002    11.1
2001    13.2
2000    17.1


Although these are recent incident data, exploitation of security problems on the Internet is not a new phenomenon. In 1988 the "Internet Worm" incident occurred and resulted in a large percentage of the systems on the network at that time being compromised and temporarily placed out of service. Shortly after the incident, a meeting was held to identify how to improve response to computer security incidents on the Internet. The recommendations resulting from the meeting included a call for a single point of contact to be established for Internet security problems that would act as a trusted clearinghouse for security information. In response to the recommendations, the CERT Coordination Center (also known as the CERT/CC and originally named the Computer Emergency Response Team) was formed to provide response to computer security incidents on the Internet. The CERT/CC was one of the first organizations of this type: a computer security incident response team.

What is CERT:
A CERT (CSIRT) is a team of IT security experts whose main business is to respond to computer security incidents. It provides the necessary services to handle them and to support its constituents.

CSIRT: Computer Security Incident Response Team
CERT: Computer Emergency Response Team

Type of CERT:
·         Academic CERT

·         Commercial CERT
·         CIP/CIIP (Critical Information Infrastructure Protection) CERT

·         Governmental CERT
·         Internal CERT

·         Military CERT
·         National CERT

·         Small & Medium Enterprises CERT
·         Vendor CERT

The benefits of having a CERT:
·         A centralized coordination for IT security issues (Trusted Point of Contact).

·         Centralized and specialized handling of and response to IT incidents.
·         Cyber watch and monitoring

·         Having the expertise to support and assist to quickly recover from security incidents.
·         Dealing with legal issues and preserving evidence in the event of a lawsuit.

CERT Operations:
Some factors influence the CERT operations:

·         Constituency
·         Mission statement

·         Authority
·         Offered services

·         Funding

Constituency: The constituency is the formal group that the CERT provides services for, according to its mission. A constituency can be bounded or unbounded, and it tends to reflect the CERT's funding source.


Mission statement: The roles and responsibilities of the team, the mission and goals that it has, and how the team will operate.

Authority: "Authority" describes the control that the CERT has over its own actions and over the actions of its constituents related to computer security and incident response. Authority is the basic relationship the CERT has to the organization it serves.

A CERT can be:
1.     No authority (can influence only)

2.     Full authority over its constituency (can issue mandates and take systems off the network)
3.     Partial authority (included in the constituency's decision-making process regarding how to respond to an incident)

4.     Authority that differs from service to service.

Offered Services:

Reactive Services:
1. Alerts and warnings
2. Incident Handling
·  Incident analysis
·  Incident response on site
·  Incident response support
·  Incident response coordination
3. Vulnerability Handling
·  Vulnerability analysis
·  Vulnerability response
·  Vulnerability response coordination
4. Artifact Handling
·  Artifact analysis
·  Artifact response
·  Artifact response coordination

Proactive Services:
1. Announcements
2. Technology Watch
3. Security Audits or Assessments
4. Configuration & Maintenance of Security Tools, Applications & Infrastructures
5. Development of Security Tools
6. Intrusion Detection Services
7. Security Related Information Dissemination

Security Quality / Management Services:
1. Risk Analysis
2. Business Continuity & Disaster Recovery Planning
3. Security Consulting
4. Awareness Building
5. Education/Training
6. Product Evaluation or Certification

Among these services, "Incident Handling" is the mandatory service of a CERT: the CERT is the single point of contact for all incidents. Besides Incident Handling, there are some core services that a CERT should provide: Alerts and warnings, Incident analysis, Incident response support, Incident response coordination, and Announcements. A CERT may offer other services depending on its mission statement. For a newly established CERT it is difficult to decide which services to offer. In the starting phase a CERT should provide only the core services; in the additional phase it can provide extensions of the core services; and in the maturity phase it can provide the extra services.

Funding: Funding is crucial for any CERT to survive. There are many ways a CERT can be funded:

1.     Government funding
2.     Each service has a fee attached

3.     Parent organization funding
4.     Subscriptions

5.     Research consortium

A CERT should follow a funding strategy. It can collect time-based subscriptions from its members for delivery of a range of services. A government can also fund a CERT. There may also be a combination of funding sources.

CERT Services
The services offered by a CSIRT should be clearly defined. Each definition needs to be understood and available to the CSIRT and the parties with whom it interacts; these definitions might be provided at different levels of abstraction.
Incident handling & analysis service: Incident handling is the major service that any CERT should provide. Part of the life cycle of an incident may take place within the "triage function", where a report is initially categorized and identified either as a new event to track or as part of an existing incident already being tracked. The appropriate tracking number is assigned to it (either a new tracking number or the number of the activity already being tracked to which it belongs). Note that a new incident can also be identified during the handling function, as a result of incorrectly triaged information, information provided to the team under an incorrect tracking number, or new information discovered through more in-depth technical analysis.
Once an incident is opened, it may transition through many different states, with all the information relating to the incident (its changes of state and associated actions) recorded, until no further action is required from the team's perspective (the "circle" portion of the life-cycle illustration) and the incident is finally closed. It is also important to note that an incident (or event) can cycle through the analysis portion multiple times during the activity's life cycle. When collecting an incident report, the CERT should record the following information:
1.     When : Date and time?

2.     Where?
3.     What has occurred?

4.     Who has been contacted?
5.     What actions have been taken or need to be taken?
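The triage function and the incident life cycle described above, as an added example that is not part of the original page and is not any CERT's own tracking system: reports carrying the five fields listed above are triaged against open incidents (linked when they share an indicator and category, otherwise opened as a new incident with a fresh tracking number), incidents move through a small set of states that allows cycling back into analysis, and a report found under the wrong tracking number can be detached and re-triaged. The tracking-number format, the state names and the sample reports are assumptions made for this example.

```python
"""Minimal incident tracker modelling CSIRT triage and the incident life cycle.
Added example; tracking-number scheme, states and sample data are assumed."""
from dataclasses import dataclass, field
from datetime import datetime
from itertools import count

# Allowed state transitions. RESPONSE -> ANALYSIS is what lets an incident
# "cycle through the analysis portion multiple times" before it is CLOSED.
TRANSITIONS = {
    "OPEN": {"ANALYSIS"},
    "ANALYSIS": {"RESPONSE", "CLOSED"},
    "RESPONSE": {"ANALYSIS", "CLOSED"},
    "CLOSED": set(),
}


@dataclass
class Report:
    # The five fields the page says an incident report should record.
    when: datetime
    where: str              # affected host or network
    what: str               # what has occurred
    who: str                # who has been contacted
    actions: str            # actions taken or needed
    indicators: frozenset   # e.g. source IPs; used to link related reports


@dataclass
class Incident:
    tracking_no: str
    category: str
    state: str = "OPEN"
    reports: list = field(default_factory=list)
    history: list = field(default_factory=list)   # (state, note) audit trail


class Tracker:
    def __init__(self, team="BDCERT", year=2009):  # hypothetical numbering scheme
        self._seq = count(1)
        self._prefix = f"{team}-{year}-"
        self.incidents = {}

    def triage(self, report, category):
        """Categorize a report and attach it to an open incident of the same
        category that shares an indicator, or open a new incident. Returns the
        tracking number assigned to the report."""
        for inc in self.incidents.values():
            if inc.state != "CLOSED" and inc.category == category and any(
                    r.indicators & report.indicators for r in inc.reports):
                inc.reports.append(report)
                inc.history.append((inc.state, f"linked report: {report.what}"))
                return inc.tracking_no
        no = f"{self._prefix}{next(self._seq):04d}"
        inc = Incident(no, category, reports=[report])
        inc.history.append(("OPEN", f"opened: {report.what}"))
        self.incidents[no] = inc
        return no

    def transition(self, tracking_no, new_state, note=""):
        """Move an incident to a new state, refusing transitions not in TRANSITIONS."""
        inc = self.incidents[tracking_no]
        if new_state not in TRANSITIONS[inc.state]:
            raise ValueError(f"{inc.state} -> {new_state} is not allowed")
        inc.state = new_state
        inc.history.append((new_state, note))
        return inc.state

    def retriage(self, tracking_no, report, category):
        """Handling found a report filed under the wrong tracking number:
        detach it and triage it again (which may open a new incident)."""
        inc = self.incidents[tracking_no]
        inc.reports.remove(report)
        inc.history.append((inc.state, f"detached misfiled report: {report.what}"))
        return self.triage(report, category)


def demo():
    """Walk three constructed reports (not real BDCERT data) through the tracker."""
    t = Tracker()
    ts = datetime(2009, 3, 1, 9, 30)
    r1 = Report(ts, "www.example.bd", "home page defaced", "site admin",
                "restore from backup", frozenset({"198.51.100.7"}))
    r2 = Report(ts, "shop.example.bd", "home page defaced", "site admin",
                "restore from backup", frozenset({"198.51.100.7", "198.51.100.8"}))
    r3 = Report(ts, "ns1.example.bd", "phishing page hosted", "hosting provider",
                "take down", frozenset({"203.0.113.9"}))
    ids = {}
    ids["r1"] = t.triage(r1, "defacement")    # new incident, ...-0001
    ids["r2"] = t.triage(r2, "defacement")    # shares 198.51.100.7 -> linked to 0001
    ids["r3"] = t.triage(r3, "phishing")      # new incident, ...-0002
    t.transition(ids["r1"], "ANALYSIS", "reviewing web server logs")
    t.transition(ids["r1"], "RESPONSE", "admin asked to restore and patch")
    t.transition(ids["r1"], "ANALYSIS", "new information: reused credentials")
    # Deeper analysis shows r2 was a separate credential theft, not the defacement.
    ids["r2_again"] = t.retriage(ids["r2"], r2, "unauthorized access")  # ...-0003
    t.transition(ids["r1"], "CLOSED", "no further action from the team")
    return t, ids


if __name__ == "__main__":
    tracker, assigned = demo()
    for no, inc in tracker.incidents.items():
        print(no, inc.category, inc.state, [s for s, _ in inc.history])
```

Linking on a shared indicator is one simple heuristic; a real team would also match on time window, affected constituent and reporter, and would keep the audit trail in durable storage so the closed incidents can be reviewed later, as the BDCERT reporting system described below does.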

Alert and Warning service / Awareness: This is also an important activity for a CERT. It should alert and warn its constituency regularly and actively. There are various ways of notifying the constituency, among them:
1.     Public Website

2.     Closed member area on the website
3.     Mailing List

4.     Personalized email
5.     Phone/Fax

6.     SMS
7.     Monthly or annual reports

8.     Media
A CERT needs to create awareness among its constituency by arranging various awareness programs. Awareness should be raised among decision makers, professionals, teachers, students, home users, journalists, lawyers and customers through flyers, posters, emails, radio broadcasts, cartoon video spots and attack simulations. APCERT (Asia Pacific CERT) arranges a "Cyber Security Drill" among its member CERTs as an awareness program.

BDCERT (Bangladesh Computer Emergency Response Team):
BDCERT is the Computer Emergency Response Team for Bangladesh and is the primary Point of Contact for handling incidents from Bangladesh networks. It works to improve Internet security for Bangladeshi Internet users.

BDCERT helps to mitigate Internet attacks directed at Bangladesh Internet users and networks. It also provides training and awareness programs on information security and on issues affecting Internet security in Bangladesh and globally.



BDCERT was formed in July 2007 and started incident response on 15 November 2007. It was initiated by IT professionals with long experience in the data and Internet communication technologies industry. It is funded voluntarily, with limited resources but highly motivated professionals.

BDCERT (Bangladesh) was approved as a General Member by APCERT on 25 December 2008 and by OIC-CERT on 15 January 2009.

Mission Statement:
Always Trusted Contact, Increase Computer and Network Security for Bangladesh Internet and Intranet Users, Knowledge Sharing with other CERTs & Related Organization.

BDCERT Services:
BDCERT uses an online Incident Reporting System to track and evaluate incidents reported to it. Closed issues are also tracked. The reporting system is also used to evaluate BDCERT's own incident response.

BDCERT receives incidents in various ways. Anyone can report an incident online through the BDCERT web page (http://www.bdcert.org/incident.php). Incidents can also be sent by fax or email, and an SMS-based incident reporting service is also available.



BDCERT also takes part in the "Internet Traffic Monitoring Data Visualization Project" with JPCERT/CC (Japan Computer Emergency Response Team / Coordination Center). The project is named "TSUBAME". It establishes a framework for sharing Internet traffic monitoring data in the Asia Pacific region and develops a system that implements this framework for the purpose of early detection and handling of cross-border cyber attacks and the spread of viruses. In this project, sensors for the Internet traffic monitoring system are installed mainly by national CSIRTs in the Asia Pacific region, and the monitoring data acquired by these sensors are shared among the participants of the project.

Sources:

1. Handbook for Computer Security Incident Response Teams (CSIRTs), by Moira J. West-Brown, Don Stikvoort, Klaus-Peter Kossakowski, Georgia Killcrece, Robin Ruefle and Mark Zajicek
2. Issues & Challenges of Running a CERT, by Haytem El Mir, Technical Manager / NACS, Head of the Incident Response Team / cert-TCC (OIC-CERT Annual Conference, 2009)
3. CSIRT: What & Why, by Yurie Ito, Director of Technical Operation, JPCERT/Coordination Center, Japan (BDCERT Conference 2008)
4. Establishing a CERT & Team Motivation, by Mohd Khairuddin Abdullah, Director ICT Security Services, HeiTech Padu Bhd
5. APCERT Annual Report 2009
6. CSI Computer Crime and Security Survey Report 2009