National Network Security Capacity Building
Yuejin DU, Ph.D
Deputy CTO of CNCERT/CC
Deputy Chair of APCERT
Regional Workshop on Frameworks for Cybersecurity & CIIP by ITU
2007.8.28, Hanoi, Vietnam
National Computer network Emergency Response technical Team/Coordination Center of China
Content
• Current Internet Security Situation
• Network Security Capacity Model
• Some Practices in China
• Conclusion
Current Internet Security Situation
• More ‘chances’ for attackers
• ‘Underground economy’ prosperity
• CIIP is facing severe threats
• Governmental information systems have many problems
• Stealing data is becoming the main goal
• Attackers are becoming more powerful and ‘running riot’
• More challenges for handling security threats
Any evidence?
Fraud website reports to CNCERT/CC – phishing incidents
[Bar chart: number of fraud-website (phishing) reports per period, for 2004, 2005, 2006 and 2007.1-6; vertical axis from 0 to 700]
A fraud website imitating the 2008 Olympic ticket system appeared even before the real one opened on May 18th, 2007.
Web defacements in China – 2007.1-6
Total: 28,367 (4,728/month)
Government: 1,585 (264/month)
Computers (IPs) in mainland China controlled by hackers through Trojans – 2007.1-6
Total: 1,000,372!
Botnet: the ‘nuclear weapon’ in the hands of the dark society
IPs controlled: 3,598,431 (2007.1-6)
C&C servers: 14,355 (2007.1-6)
Location of C&C servers – 2006
Total number: > 16,000
[Pie chart, share of C&C servers by location:]
U.S.: 33%
Korea: 10%
Chinese Taipei: 9%
Hong Kong, China: 8%
Japan: 5%
France: 4%
Canada: 4%
Germany: 3%
U.K.: 3%
Malaysia: 2%
Brazil: 2%
Other: 17%
Network Security Capacity Model – capabilities
• Capability of ‘yu’ (预): taking precautions
– Prevention, early warning, evaluation and detection at an early stage
• Capability of ‘zhi’ (知): knowing what’s happening
– Monitoring
• Capability of ‘kong’ (控): controllability
– Incident or emergency response / crisis management
• Capability of ‘sheng’ (生): recovering and surviving
– Recovery from incidents, survivability of the core
Network Security Capacity Model – elements
• Infrastructure
– Products, devices, infrastructure/platform
– “A perfect job needs perfect tools”
• Resources
– Knowledge and databases on vulnerabilities, attacking behaviors, information on infrastructure / key systems and important users, methodology, procedures, etc.
– “No flour, no bread”
• Teams
– Professional security teams & cooperation framework
Network Security Capacity Model – threats
• The Art of War: “Know yourself and know your enemy; that is the rule of winning”
• Capabilities of handling certain types of threats
– Botnet, spyware, phishing, DDoS, spam, ……
• Keep studying new threats, find the most appropriate handling method and procedure for each of them, and evaluate the elements (x) and required capabilities (y) against them (adjusting them if needed).
Network Security Capacity Structure
[Three-axis figure: each threat (z) is assessed against the required capabilities (y) and the elements (x) that provide them]
x – elements: Teams/Orgs (professional); Platforms (products); Resources
y – required capabilities: Pre- (taking precautions); Knowing; Controlling; Surviving; …
z – threats: Worm (蠕虫); DDoS; Botnet; Spyware
Practice – CERT & Domestic IR Framework
• National CSIRT
• Domestic Emergency Response Cooperation Framework
• Early Warning Capability
• Basic Resources
• CNCERT/CC’s activities:
– Information collecting
– Incident monitoring
– Incident handling
– Data analyzing
– Resource building
– Researching
– Training
– Consulting
– International cooperation
Main roles of CNCERT/CC
• Critical information infrastructure
– Coordination; technical support; watch and warning; resource and capacity building; etc.
• Important application systems
– Technical support; information sharing; etc.
• POC
• Awareness raising: end users; government (we need to learn about new threats ourselves)
• Others
Practice – International Cooperation
• APCERT
• FIRST
• APEC-TEL
• Many other international organizations:
– TF-CSIRT
– OAS
– ENISA
– EGC
Practice - Platform
[Screenshot of the CNCERT/CC platform; legible fragments: “6.3-6.5”, “PCT vulnerability misuse”, “CNCERT/CC”]
Conclusion
• Network security threats are becoming more powerful and complicated than before. National network security capacity has to adapt to the new challenges.
• Cooperation is crucial. It is the only way we can enhance our capability to the necessary level.
• We are all responsible, and we can all contribute!
Thanks
www.cert.org.cn