International Telecommunication Union

ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004

Cyber Security in Korea

Woo Han KIM
Head of KISC/KrCERT
Vice President of KISA
Republic of KOREA

Contents

A. Internet Positive Aspects

B. Internet Negative Aspects

C. Big BANG, Triggering Point

D. KISC’s Role

E. Hands-on Experience

A. Internet Positive Aspects

1. Network & Connectivity

[Figure: AS Path Length Graph, `Yearly' Graph (1 Day Average)]
Avg. length: max 5.0, average 4.0, current 5.0
Max. length: max 33.0, average 29.0, current 30.0
Src.: http://www.cymru.com/BGP/asnpalen01.html

Src.: www.caida.org

2. Application Change

[Figure: Client/Server Type (Server with Clients) compared with Pure Distributed Type (Peers connected to Peers)]

Src.: www.boardwatch.com

3. Volume Size of Internet

Items                 China      Japan      Korea     World
Internet Users        87,000K    77,300K    30,000K   785,710K
% in Global           10.1%      9.8%       3.7%      Others: 76.4%
'00-'04 CAGR          253.3%     37.1%      53.5%     118.9%
Pop. (K)              1,327,976  127,944    47,136    6,453,311
No. of IPv4           47,584K    112,587K   31,504K   4,300M
High Speed Users (K)  17,700     13,150     11,500    N/A

Src.: www.internetstats.com & etc.

4. Korea Internet Infrastructure

[Figure: Internet, 70+ ISPs, 86,000+ Leased Line, 11+ Million High Speed Internet]

B. Internet Negative Aspects

1. Worldwide Malicious Codes

Mal. Code (Worm, Virus, Trojan/RAT)

Yr.     Worm    Virus      RAT
1991      16    1,000       15
1992      17    2,600       20
1993      17    4,000       21
1994      17    5,900       21
1995      18    8,000       23
1996      22   15,000       27
1997      24   16,500      104
1998     127   24,000      443
1999     165   30,000    1,679
2000     271   49,000    4,754
2001   1,102   60,000    9,742
2002   1,978            13,085
2003   2,488            14,432

[Figure: chart of Worm, Virus and RAT counts per year, 1991 to 2003]

RAT [Remote Administration Tool]: a Trojan that, when run, provides an attacker with the capability of remotely controlling a machine via a "client" in the attacker's machine and a "server" in the victim's machine.

Src.: www.pestpetrol.com

2. System Vulnerability Points

[Figure: network diagram. Access side: Home, Splitter, Cable Modem, D/U Modem, Dial-Up, CPE, HDSL-RT, DSLAM, WLL, ONU, CATV Head End, CM, Video RP, Router L/L (2W, 4W). ISP side: ISP Network Gateway, ISP1, ISP2, ISP3, ISP4, ISP5 ... ISP N, GigaPOP, Peering, KRNET, Foreign ISP, International Internet. Server Farm: DNS, DBMS, Web, Mail, FTP, Web Mail.]

Callouts on the diagram: BIND; B-O/F; SendMail; Apache/IIS; SQL; Explorer; IOS/JuNOS; MS: Patch !!; Hijacking, Conf. Error; BGP4

3. Incidents depending on OS

[Figure: two pie charts of incidents by OS, labelled 2002 and 2003]

Windows 95/98 33.5%, Windows NT/XP/2000 62.6%, Linux 3.7%, Solaris 0.2%, etc. 0.1%

Windows 95/98 41.3%, Windows NT/XP/2000 44.8%, Linux 11.3%, Solaris 1.8%, etc. 0.8%

Windows incidents are increasing now and malicious traffic is overwhelming ....

Src. : www.krcert.org

C. Big Bang - Triggering Point

1. Slammer Worm (’03.1/25)

Some Parts of Slammer Source Code

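PSEUDO_RAND_SEND:
    mov eax, [ebp-4Ch]      ; load the generator state
    lea ecx, [eax+eax*2]    ; ecx = 3 * eax
    lea edx, [eax+ecx*4]    ; edx = 13 * eax
    shl edx, 4              ; edx = 208 * eax
    add edx, eax            ; edx = 209 * eax
    shl edx, 8              ; edx = 53504 * eax
    sub edx, eax            ; edx = 53503 * eax
    lea eax, [eax+edx*4]    ; eax = 214013 * eax
    add eax, ebx            ; add the value held in ebx
    mov [ebp-4Ch], eax      ; store the new state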
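An added example, not part of the original slides: it emulates the PSEUDO_RAND_SEND fragment above one instruction at a time and checks that the lea/shl/add chain is a 32-bit multiply by 214013 plus the value in ebx, which is how an analyst recognises it as a linear congruential step. The function names, the ebx value and the probe states are constructed for illustration; the slide does not show how ebx is set.

```c
#include <stdint.h>
#include <stdio.h>

/* One pass through the fragment, one C statement per instruction.
 * uint32_t arithmetic wraps modulo 2^32, like the x86 registers. */
uint32_t fragment_step(uint32_t state, uint32_t ebx)
{
    uint32_t eax = state;          /* mov eax, [ebp-4Ch]   */
    uint32_t ecx = eax + eax * 2;  /* lea ecx, [eax+eax*2] */
    uint32_t edx = eax + ecx * 4;  /* lea edx, [eax+ecx*4] */
    edx <<= 4;                     /* shl edx, 4           */
    edx += eax;                    /* add edx, eax         */
    edx <<= 8;                     /* shl edx, 8           */
    edx -= eax;                    /* sub edx, eax         */
    eax = eax + edx * 4;           /* lea eax, [eax+edx*4] */
    eax += ebx;                    /* add eax, ebx         */
    return eax;                    /* mov [ebp-4Ch], eax   */
}

/* Closed form: a linear congruential step modulo 2^32. */
uint32_t lcg_step(uint32_t state, uint32_t increment)
{
    return state * 214013u + increment;
}

/* Compare both forms over n probe states scattered across the 32-bit
 * range (the multiplier below only spreads the probes out). */
unsigned long count_mismatches(uint32_t ebx, uint32_t n)
{
    unsigned long bad = 0;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t s = i * 2654435761u;
        if (fragment_step(s, ebx) != lcg_step(s, ebx))
            bad++;
    }
    return bad;
}

int main(void)
{
    uint32_t ebx = 0x12345678u;    /* constructed value, not from the slide */
    printf("step(1, 0) = %u\n", (unsigned)fragment_step(1u, 0u));
    printf("mismatches = %lu\n", count_mismatches(ebx, 1000000u));
    return 0;
}
```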

[Worldwide Phenomena]
-. Too fast to respond: Warhol
-. Too many impacted servers
-. Too widespread to co-ordinate
-. Too many re-tries to connect
Most Effective WORM !

Src: www.internetpulse.net

2. Lesson from Slammer Worm

Secure Internet

-. Gov.: Law Enforcement & Sec. Awareness PR
-. Agency: On-Line Surveillance System
-. Home: Up-to-date Patch
-. Corp.: Security Awareness & CERT
-. SW Vendor: More Secure SW and Application
-. ISP: Network Security Investment & Enhancement

3. What Korean Gov. Has Done

Security Awareness: 2003 – 2004
-. Security Inspection for the SME (Free of Charge)
-. Incidents Handling Manual for PC, ISP, IDC, Corp.
-. Monthly Information Security Campaign

Launching KISC: 2003. 12. 17
-. 24h X 7d Operation
-. 5 min. Information Analysis (Traffic, port, incidents)
-. Korea Internet Security Coordination (KrCERT/CC)

Law Enforcement: 2004. 1. 29, Rev. 2004.7.30
-. Security Inspection (ISP, IDC, Main Portal..)
-. Information Sharing Obligation with KISC
-. Emergency Response to Block Malicious Port #

D. KISC’s Role

1. National Cyber-Sec. Framework

[Figure: Info. Sharing System between the Private Sector (ISPs, AV, MSSP) and the Public Sector (Gov. Agencies: NIS, SPPO, NPA). Labels: Incident Reports & Case Study, Technology & Information, Information Sharing, Co-Work]

Public Sectors:
* NIS: National Information Service
* SPPO: Supreme Public Prosecutors' Office
* NPA: National Police Agency

Private Sectors:
* ISP: KT, DACOM, Hanaro ..
* MSSP: Coconut..
* AV: Ahnlab, Hauri

2. KISC’s Task and Job Flow

[Figure: KISC task and job flow diagram]
Stages: Detect, Analysis, Propagation, Recovery
Notification: Mail, Web, SMS, Messenger, FAX, TRS
Other labels: Remote Agent, Notice Mail, IDS/Firewall, User, S/W, H/W, AV/Vaccine, ISP/ESM, Vul., Worm, Detc., Foreign Info., Major ISPs & MSSP, Foreign Ptn, KISC, Private Sectors, Home Users, Press & TV/Radio, ISP Hot Liners

3. KISC’s Today & Tomorrow

[Figure: KISC today and tomorrow diagram]
Labels: APEC, Global; HoneyNet; Hacker/Intruder; Home Users; Corporate; Security ASP; Domestic Agency; Foreign Organization; Sec. Info. Exchange; Net/Vul; Windows Vul.; Unix/Linux Vul; OSS; Maker; VC, VC 1, VC 2; Patch Info.; Virus/Attack Sample; IDC/SO/IDC; Foreign Agency; Global co-work; Ctr. for System Vul.; BackUp; ISPs; Nat'l Cyber Help Desk; Bank/Stock ISAC; Telecom ISAC; US, Jp., Cn CERT; www.krcert.org

E. Hands-on Experience

1. Phishing Scam

Reported by: foreign CERTs or victim organizations, Response with ISPs
Major Victim: US-Bank, City Bank, Bank of America, Brazilian Bank ITAU etc.

[Figure: bar chart, No. of Incidents reported to KISC, by month (Jan to Aug); bar labels: 25, 26, 0, 24, 35, 22]

2. Anti-SPAM Activities

Procedure: Reported by Users or ISP (Mail Service Providers)
Countermeasure: On-site Inspection and Criminal Inspection with Prosecutors

[Figure: spam flow diagram. Labels: Spammer, Abettor, Compromised PCs, Zombie Server, Malicious Code Instal, Lists Update, Mail Server DNS Query, Over Load DNS Server, Mail Server, SPAMMing, SPAM Users]

3. Anti-BOT (Zombie PCs) Activities

Procedure: Reported by Agencies for the IP-Lists of Compromised PCs
Response: Block the Relay-Servers and Notify the Infected Users

[Figure: No. of Zombie PCs (axis 0 to 350,000) for Cnty A, Cnty B, Cnty C, Cnty D and Cnty E at Apr XX, May XX, May YY, Jun XX and Jun YY, 2004]

4. Sec. Awareness and Support

Security Awareness Activity
1). Security Education for: Security Divide Sector (SME, PC Plaza, Users etc.)
2). Publishing Cyber Security Manuals (Manual + CDs)
    Individual User, Corporate Network Operator
    ISP, IDC, PC-Plaza Operator

Encouraging to establish CERT
Operation of CONCERT (CONsortium of CERT: 228 in Korea)

On-Site Security Inspection for the SME (~ 2004)
Target: 1,000 SME with Security Divide Sectors
Inspection and Training (Free of Charge)

5. Epilogue

To ISP and ISV: Security is the last business area.

To whom it may concern: We need more collaboration.

[Figure: chart of H/W, S/W and Service, in Million US$. Src: IDC (2003.3)]

6. Qs & As

Thanks !

For any further information, please contact: KIM, Woo Han : [email protected]