Cert adli wahid_iisf2011

  1. Ministry of Science, Technology and Innovation
     Computer Emergency Response Team Co-ordination Centre (CERT/CC)
     Adli Wahid, VP Cyber Security Response Service and Head of Malaysia CERT, CyberSecurity Malaysia
     E: adli@cybersecurity.my  T: adliwahid

  2. Agenda
     • Concepts
     • The Case of a CERT/CC
     • MyCERT Case Study
     • Conclusion
  3. Incident Response and Handling
     • Incident Response is all of the technical components required in order to analyze and contain an incident.
       – Required skills, i.e. networking and log analysis, computer forensics, malware reverse engineering
     • Incident Handling is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner.
       – Goals: protect and restore

  4. Objectives of Incident Handling
     1. To mitigate or reduce risks associated with an incident
     2. To respond to all incidents and suspected incidents based on a pre-determined process
     3. Provide unbiased investigations on all incidents
     4. Establish a 24x7 hotline/contact, to enable effective reporting of incidents
     5. Control and contain an incident
        – Affected systems return to normal operation
        – Recommend solutions
  5. 6 Steps of Incident Handling
     (Diagram: six numbered steps arranged in a cycle; only the labels "Preparation" and "Eradication" survive extraction.)

  6. CERT/CSIRTs
     • Components
       – Constituency
       – Mission
       – Organization
       – Funding
       – Services
       – Policies and Procedures
     • This requires a TEAM

  7. CERTs/CSIRTs Services
     Reactive:
     1. Incident Response and Handling
     2. Advisories
     Proactive:
     1. Watch and Warn / Threat Monitoring
     2. Research and Development
     3. Training and Outreach/Awareness
     4. Cyber Security Crisis
  9. Good vs Evil
     Good: Law Enforcement, Sys Admins, Providers, CSIRTs
     VS
     Evil: Criminals, Bot Herders, Spammers, Phishers

  10. Motivation of a National CSIRT
     • Point of contact for incident reporting
       – National (Trusted) PoC for internal and external reporting
       – Incident co-ordination (with LEs, other CERTs/CSIRTs)
       – Collaboration and intel exchange
     • Situational Awareness
     • Improving laws and regulations
     • Provide assistance to Internet users
     • Protection of Critical Infrastructure

  11. Different Types of Incidents
     • The ‘Usual’ Stuff
       – Malware
       – Denial of Service
       – Online Fraud/Scams
       – Identity Theft
     • Cyber Crisis
       – Anonymous Attack
       – APT / Targeted Attacks
       – Global Outbreaks
  12. Handling Local Banks' Phishing Incidents
     • Things to do
       – Prevent people from visiting the phishing site
         • Remove / Block
       – Recover stolen credentials
         • Email account
         • Database
       – Assist victim to make reports
       – Co-ordinate with bank and law enforcement
       – Detect phishing sites faster
         • Do it yourself or get others to feed you

  13. Issues and Challenges
     • Mandate and Constituencies
       – Who should ‘report’ to ‘whom’
       – Who should handle what
     • End-to-End Resolution
       – I have reported the incident, can we catch the bad guy? Can I have my money back?
       – One stop centre
  14. MyCERT

  15. MyCERT structure
     (Diagram: two centres, the Incident Handling / Co-ordination Centre (Cyber999) and the Malware Research Centre.)

  16. Incident Handling / Co-ordination Centre (Cyber999)
     • MyCERT was established in 1997, deals mostly with technical teams, CSIRTs, LEs
     • Cyber999 launched in 2008, allows everyone to report to MyCERT
     • A lot of incidents were affecting Internet users at large
       – Phishing, Malware (botnets), Online Fraud, Harassment
     • Cyber999 provides a one stop centre for incident reporting

  17. Malware Research Centre
     • Launched in 2009
     • Previously a ‘watch and warn’ or ‘early warning’ function
     • Specializes in malware analysis / tracking
     • Activities
       – Operates the distributed honeynet project
       – Produce tools / services
       – Execute the national cyber security exercise
       – Issues advisories and alerts, special reports
  18. Tools from our Lab
     • DNSWatch
     • MyPHPIPS
     http://www.mycert.org.my/en/resources/security_tools/main/main/detail/768/index.html

  19. National Cyber Crisis Exercise (X-Maya)
     • Led by the National Security Council since 2008
     • Improve readiness and situational awareness among CNII agencies
       – National Threat Level
       – Reporting structure in a crisis
     • CyberSecurity Malaysia / MyCERT provide simulation of the cyber security incidents for the players

  20. Conclusion
     • A central co-ordination point is critical
     • Helps drive other national level initiatives, i.e. awareness, training, critical infrastructure protection, certification programmes
     • Working together is the best way forward

  21. Questions
     • CyberSecurity Malaysia: http://www.cybersecurity.my
     • MyCERT: http://www.mycert.org.my
     • Email: adli@cybersecurity.my
     • Twitter: adliwahid