Cert adli wahid_iisf2011
Published in: Technology, Education
  • 1. Ministry of Science, Technology and Innovation
    Computer Emergency Response Team Co-ordination Centre (CERT/CC)
    Adli Wahid, VP Cyber Security Response Service and Head of Malaysia CERT, CyberSecurity Malaysia
    E:  T: adliwahid
  • 2. Agenda
    •  Concepts
    •  The Case of a CERT/CC
    •  MyCERT Case Study
    •  Conclusion
  • 3. Incident Response and Handling
    •  Incident Response is all of the technical components required in order to analyze and contain an incident.
       –  Required skills, i.e. networking and log analysis, computer forensics, malware reverse engineering
    •  Incident Handling is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner.
       –  Goals: protect and restore
  • 4. Objectives of Incident Handling
    1.  To mitigate or reduce risks associated with an incident
    2.  To respond to all incidents and suspected incidents based on a pre-determined process
    3.  Provide unbiased investigations on all incidents
    4.  Establish a 24x7 hotline/contact – to enable effective reporting of incidents
    5.  Control and contain an incident
        –  Affected systems return to normal operation
        –  Recommend solutions
  • 5. 6 Steps Of Incident Handling
    (diagram: a cycle of six numbered steps; only the labels "Preparation" and "Eradication" survive in the extracted text)
  • 6. CERT/CSIRTs
    •  Components
       –  Constituency
       –  Mission
       –  Organization
       –  Funding
       –  Services
       –  Policies and Procedures
    •  This requires a TEAM
  • 7. CERTs/CSIRTs Services
    •  Reactive
       1.  Incident Response and Handling
       2.  Advisories
    •  Proactive
       1.  Watch and Warn / Threat Monitoring
       2.  Research and Development
       3.  Training and Outreach/Awareness
       4.  Cyber Security Crisis
  • 9. Good vs Evil
    (diagram) Law Enforcement, Sys Admins, Providers, CSIRTs  VS  Criminals, Bot Herders, Spammers, Phishers
  • 10. Motivation of a National CSIRT
    •  Point of contact for incident reporting
       –  National (Trusted) PoC for internal & external reporting
       –  Incident co-ordination (with LEs, other CERTs/CSIRTs)
       –  Collaboration & intel exchange
    •  Situational Awareness
    •  Improving laws and regulations
    •  Provide assistance to Internet users
    •  Protection of Critical Infrastructure
  • 11. Different types of Incidents
    •  The ‘Usual’ Stuff
       –  Malware
       –  Denial of Service
       –  Online Fraud/Scams
       –  Identity Theft
    •  Cyber Crisis
       –  Anonymous Attack
       –  APT / Targeted Attacks
       –  Global Outbreaks
  • 12. Handling Local Banks Phishing Incidents
    •  Things to do
       –  Prevent people from visiting the phishing site
          •  Remove
          •  Block
       –  Recover stolen credentials
          •  Email account
          •  Database
       –  Assist the victim to make reports
       –  Co-ordinate with the bank and law enforcement
       –  Detect phishing sites faster
          •  Do it yourself or get others to feed you
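The "detect phishing sites faster" and "block" points on slide 12, illustrated with an added Python example that is not part of the presentation or of MyCERT's tooling. It triages reported URLs (whether collected yourself or fed in by others) against a list of local bank brands: genuine bank hostnames are never blocked, hosts that embed a brand name (even split by hyphens or hidden in the path) or sit within one character of it are flagged, and the result is a de-duplicated block list plus a takedown queue. The brand names, genuine domains, reported URLs and the matching heuristics are all constructed assumptions for this example.

```python
"""Triage of reported phishing URLs against local bank brands.

Added example (not from the presentation or MyCERT): given URLs reported
by the public or by external feeds, decide which hosts impersonate a
local bank, so they can be blocked and queued for takedown co-ordination.
All brand names, domains and URLs below are constructed sample data.
"""
import re
from urllib.parse import urlsplit

# Constructed: brand keyword -> the bank's genuine hostnames (never to be blocked).
LEGIT_BANK_DOMAINS = {
    "examplebank": {"examplebank.com.my", "www.examplebank.com.my"},
    "northbank": {"northbank.my", "secure.northbank.my"},
}

# Constructed sample of reported URLs (RFC 2606 / RFC 5737 example names and addresses).
REPORTED_URLS = [
    "http://examplebank-secure-login.example.net/verify",
    "http://examplebank-secure-login.example.net/confirm.html",  # same host, second report
    "https://www.examplebank.com.my/login",                      # genuine site, must not be blocked
    "http://north-bank.example.org/update",                      # brand split with a hyphen
    "http://192.0.2.10/examplebank/index.php",                   # brand only in the path
    "http://examplbank.example.net/",                            # one-character typosquat
    "http://unrelated.example.com/",                             # not a bank lookalike
]


def hostname(url):
    """Lower-cased hostname of the URL, or '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def squash(text):
    """Remove the separators used to disguise a brand ('north-bank' -> 'northbank')."""
    return re.sub(r"[-_.]", "", text.lower())


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, brand, host); verdict is 'legitimate', 'suspected_phish' or 'unrelated'."""
    host = hostname(url)
    path = urlsplit(url).path
    for brand, genuine in LEGIT_BANK_DOMAINS.items():
        if host in genuine:
            return "legitimate", brand, host
        # 1) brand appears in host or path once separators are stripped
        if brand in squash(host) or brand in squash(path):
            return "suspected_phish", brand, host
        # 2) a hostname label is within one edit of the brand (typosquat)
        for label in re.split(r"[-_.]", host):
            if label and edit_distance(label, brand) <= 1:
                return "suspected_phish", brand, host
    return "unrelated", None, host


def triage(urls):
    """Build the handling record for each reported URL."""
    records = []
    for url in urls:
        verdict, brand, host = classify(url)
        records.append({
            "url": url,
            "host": host,
            "brand": brand,
            "verdict": verdict,
            # actions mirror the slide: block access, then co-ordinate removal
            "action": "block + request takedown" if verdict == "suspected_phish" else "none",
        })
    return records


def blocklist(urls):
    """Unique hosts to push to DNS/proxy blocking; genuine bank hosts are never included."""
    return sorted({r["host"] for r in triage(urls) if r["verdict"] == "suspected_phish"})


if __name__ == "__main__":
    for rec in triage(REPORTED_URLS):
        print(f"{rec['verdict']:16} brand={rec['brand']!s:12} host={rec['host']:40} action={rec['action']}")
    print("blocklist:", blocklist(REPORTED_URLS))
```

The genuine-domain check runs before any lookalike heuristic so that a bank's own login page reported by a confused user is never pushed to the block list; in practice the brand and domain tables would come from the banks themselves, and each flagged host still needs the human co-ordination steps listed on the slide before a takedown request goes out.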
  • 13. Issues & Challenges
    •  Mandate & Constituencies
       –  Who should ‘report’ to ‘whom’
       –  Who should handle what
    •  End-to-End Resolution
       –  I have reported the incident; can we catch the bad guy? Can I have my money back?
       –  One stop centre
  • 14. MYCERT
  • 15. (diagram) Incident Handling / Co-ordination Centre (Cyber999); Malware Research Centre
  • 16.
    •  MyCERT was established in 1997; it deals mostly with technical teams, CSIRTs, LEs
    •  Cyber999 launched in 2008, allowing anyone to report to MyCERT
    •  A lot of incidents were affecting Internet users at large
       –  Phishing, Malware (botnets), Online Fraud, Harassment
    •  Cyber999 provides a one stop centre for incident reporting
  • 17.
    •  Launched in 2009
    •  Previously a ‘watch and warn’ or ‘early warning’ function
    •  Specializes in malware analysis / tracking
    •  Activities
       –  Operates the distributed honeynet project
       –  Produces tools / services
       –  Executes the national cyber security exercise
       –  Issues advisories and alerts, special reports
  • 18. Tools from our Lab
    •  DNSWatch
    •  MYPHPIPS
    •  http://
  • 19. National Cyber Crisis Exercise (X-Maya)
    •  Led by the National Security Council since 2008
    •  Improve readiness and situational awareness among CNII agencies
       –  National Threat Level
       –  Reporting structure in a crisis
    •  CyberSecurity Malaysia / MyCERT provide simulation of the cyber security incidents for the players
  • 20. Conclusion
    •  A central co-ordination point is critical
    •  Helps drive other national level initiatives, i.e. awareness, training, critical infrastructure protection, certification programmes
    •  Working together is the best way forward
  • 21. Questions
    •  CyberSecurity Malaysia
    •  MyCERT:
    •  Email:
    •  Twitter: adliwahid