Cert adli wahid_iisf2011
Presentation Transcript


Ministry of Science, Technology and Innovation
Computer Emergency Response Team Co-ordination Centre (CERT/CC)
Adli Wahid, VP Cyber Security Response Service and Head of Malaysia CERT, CyberSecurity Malaysia
E: adli@cybersecurity.my
T: adliwahid

Agenda
• Concepts
• The Case of a CERT/CC
• MyCERT Case Study
• Conclusion

Incident Response and Handling
• Incident Response is all of the technical components required in order to analyze and contain an incident.
  – Required skills, e.g. networking and log analysis, computer forensics, malware reverse engineering
• Incident Handling is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner.
  – Goals: protect and restore

Objectives of Incident Handling
1. To mitigate or reduce risks associated with an incident
2. To respond to all incidents and suspected incidents based on a pre-determined process
3. Provide unbiased investigations on all incidents
4. Establish a 24x7 hotline/contact, to enable effective reporting of incidents
5. Control and contain an incident
   – Affected systems return to normal operation
   – Recommend solutions

6 Steps Of Incident Handling
(Diagram of the six steps; only the labels "Preparation" and "Eradication" are legible in the transcript.)

CERT/CSIRTs
• Components
  – Constituency
  – Mission
  – Organization
  – Funding
  – Services
  – Policies and Procedures
• This requires a TEAM

CERTs/CSIRTs Services
Reactive:
  1. Incident Response and Handling
  2. Advisories
Proactive:
  1. Watch and Warn / Threat Monitoring
  2. Research and Development
  3. Training and Outreach/Awareness
  4. Cyber Security Crisis

THE CASE FOR A CERT/CC

Good vs Evil
Law Enforcement, Sys Admins, Providers, CSIRTs
VS
Criminals, Bot Herders, Spammers, Phishers

Motivation of a National CSIRT
• Point of contact for incident reporting
  – National (Trusted) PoC for internal and external reporting
  – Incident co-ordination (with LEs, other CERTs/CSIRTs)
  – Collaboration and intel exchange
• Situational awareness
• Improving laws and regulations
• Provide assistance to Internet users
• Protection of Critical Infrastructure

Different types of Incidents
• The ‘Usual’ Stuff
  – Malware
  – Denial of Service
  – Online Fraud/Scams
  – Identity Theft
• Cyber Crisis
  – Anonymous Attack
  – APT / Targeted Attacks
  – Global Outbreaks

Handling Local Banks Phishing Incidents
• Things to do
  – Prevent people from visiting the phishing site
    • Remove / Block
  – Recover stolen credentials
    • Email account
    • Database
  – Assist victim to make reports
  – Co-ordinate with bank and law enforcement
  – Detect phishing sites faster
    • Do it yourself or get others to feed you

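The "detect phishing sites faster, do it yourself" step above can start with something as small as screening a URL feed for hostnames that imitate the constituency's bank brands. The block below is an added example, not a MyCERT tool; the brand list, legitimate domains and the feed are constructed placeholders, and the homoglyph table and similarity threshold are assumptions.

```python
from difflib import SequenceMatcher

# Constructed brand list (placeholder names, not real banks): keyword -> legitimate domain.
BANK_BRANDS = {"firstbank": "firstbank.example.my", "unitytrust": "unitytrust.example.my"}
# Character substitutions commonly used to build look-alike labels (assumed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalise(label):
    """Lower-case a hostname label, undo homoglyph substitutions and drop separators."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label.replace("-", "").replace("_", "")

def host_of(url):
    """Extract the bare hostname from a URL or hostname string (scheme, userinfo, port, path removed)."""
    host = url.split("://", 1)[-1].split("/", 1)[0].rsplit("@", 1)[-1]
    return host.split(":", 1)[0].lower().rstrip(".")

def classify(url, threshold=0.8):
    """Return (host, brand, reason) when the host imitates a brand, else None."""
    host = host_of(url)
    for brand, legit in BANK_BRANDS.items():
        if host == legit or host.endswith("." + legit):
            return None  # the genuine site or one of its own subdomains
    for label in host.split("."):  # brands are abused in subdomains as well as registrable labels
        norm = normalise(label)
        for brand in BANK_BRANDS:
            if brand in norm:
                return (host, brand, "brand keyword in label")
            if SequenceMatcher(None, norm, brand).ratio() >= threshold:
                return (host, brand, "look-alike label")
    return None

def triage(feed):
    """Run classify() over a feed of URLs and keep only the hits, for the coordination queue."""
    return [hit for hit in (classify(url) for url in feed) if hit]

# Constructed sample feed, standing in for URL reports or new-domain data fed to the CERT.
SAMPLE_FEED = [
    "https://login.firstbank.example.my/",             # genuine subdomain, ignored
    "http://secure-firstbank-login.example.net/auth",  # brand keyword, hit
    "http://f1rstbank.example.org/",                   # homoglyph look-alike, hit
    "http://unitytrust-verify.example.com/",           # brand keyword, hit
    "http://news.example.com/",                        # unrelated, ignored
]

if __name__ == "__main__":
    for host, brand, reason in triage(SAMPLE_FEED):
        print(f"{host}\timitates {brand}\t({reason})")
```

Hits still need a human check against the bank's real domains before takedown or blocking requests go out.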
Issues & Challenges
• Mandate & Constituencies
  – Who should ‘report’ to ‘whom’
  – Who should handle what
• End-to-End Resolution
  – I have reported the incident, can we catch the bad guy? Can I have my money back?
  – One stop centre

MYCERT

MyCERT structure (diagram): Incident Handling / Cyber999; Malware Research Centre; Co-ordination Centre

• MyCERT was established in 1997, deals mostly with technical teams, CSIRTs, LEs
• Cyber999 launched in 2008, allows all to report to MyCERT
• A lot of incidents were affecting Internet users at large
  – Phishing, Malware (botnets), Online Fraud, Harassment
• Cyber999 provides a one stop centre for incident reporting

• Launched in 2009
• Previously a ‘watch and warn’ or ‘early warning’ function
• Specializes in malware analysis / tracking
• Activities
  – Operates the distributed honeynet project
  – Produce tools / services
  – Execute the national cyber security exercise
  – Issues advisories and alerts, special reports

Tools from our Lab
• DNSWatch
• MYPHPIPS
http://www.mycert.org.my/en/resources/security_tools/main/main/detail/768/index.html

National Cyber Crisis Exercise (X-Maya)
• Led by the National Security Council since 2008
• Improve readiness and situational awareness among CNII agencies
  – National Threat Level
  – Reporting structure in a crisis
• CyberSecurity Malaysia / MyCERT provide simulation of the cyber security incidents for the players

Conclusion
• Central co-ordination point is critical
• Helps drive other national level initiatives, e.g. awareness, training, critical infrastructure protection, certification programmes
• Working together is the best way forward

Questions
• CyberSecurity Malaysia: http://www.cybersecurity.my
• MyCERT: http://www.mycert.org.my
• Email: adli@cybersecurity.my
• Twitter: adliwahid