1. 16th GCC e-Gov. & e-Serv. Forum
Cyber-war, Cyber-crime
Risks and Defenses
jorge.sebastiao@its.ws

2. Scope of Security the internet

3. Spread of Code Red Worm
July 19 01:05:00 2001
3

4. Spread of Worm
July 19 20:15:00 2001
Financial Cost: CodeRED Worm: $2.6 billion
4

5. SQL Slammer Worm: 30min
- Infections doubled every 8.5 seconds
- Spread 100X faster than Code Red
-At peak, scanned 55 million hosts per second.
-COST: $1.2 billion

6. Largest Botnet Busted
Netherlands-Botnet
Oct 2005
Dutch authorities arrested three individuals last
week accused of running one of the largest
ever hacker botnets comprising of zombie
PCs.
botnet consisted of over 100,000 systems that
were commandeered using the W32.toxbot
Internet worm

7. Oct 2007
Storm worm strikes back at security -
Researcher says those discovered trying to
defeat worm suffer DDoS attacks
The Storm worm is fighting back against security
researchers that seek to destroy it and has them
running scared, Interop New York show attendees
heard Tuesday.
The worm can figure out which users are trying
to probe its command-and-control servers, and
it retaliates by launching DDoS attacks against
them…

8. 2007 Estonia vs Russia
Escalation from Political incident
• One of Most advanced EU Internet
• Over 2 Weeks complete shutdown
• 1st massive external DDOS
• 2nd massive internal DDOS
• No eGov – 0%
• No eBanking - 0%
• Severe Economic
cost

9. Estonia

10. Middle East: cyber-war
Core hackers: less than 100
provide the ideas, the tools
Volunteers and conscripts: +10000
From all over the world
Provide brute force scanning and DoS power
Cyber attack intensity has mirrored the intensity
of fighting on the ground

11. Other Examples
Melissa Virus Estimated $80M Damages
Hackers For Hire Pleaded Guilty break into:
At&T, Gte, Sprint, Credit Card Numbers, Sold
To Org. Crime In Italy, $2M Damages
Chinese Hacker Attacked US Targets After
Bombing Of Embassy In Belgrade Spy Plane
Resulted In Largest Attach In History

12. The most powerful cyber attack:
propaganda
Old fashioned
Some faked in English papers
The Internet dissemination of the Abu Ghraib
photos did more to damage the political
interests of the U.S. than all of the cyber
attacks since the beginning of the Internet
age!

13. eGovernment Impact

14. Why Does This Happen?
Attack
Firewall IDS Anti-Virus

15. Infosec -Traditional View
Net insecure because of lack of features –
crypto, authentication, filtering:
Solution : better filtering, AES, PKI,
IT Time-to-market is critical
Microsoft philosophy ship every Tuesday
right by version 3
Until 1999
DDOS viruses now don’t attack the infected
machine
use it to attack others

16. Infosec - New Views
After 2000
Systems mostly insecure because the people
Bank customers suffer when poorly-designed bank
systems make fraud and phishing easier
Casino websites suffer when infected PCs
run DDoS attacks on them
Websites with a TRUSTe certification
2X likely to be malicious
The top Google ad
2X likely as the top free search result to be
malicious

17. Report Govcert (NL) 2009
Internet: Serious security flaws
Increase:
No Contaminated Computers
Criminal Takeover Home Computers
On-line activities, increase of vulnerabilities
Careless management of personal information: social
engineering attacks
New Weaknesses in Fundamental Infrastructure Found
Becoming Out-of-date of Encryption
Need International co-operation and effective
enforcement

18. More sophisticated Attacks

19. Security Threats
Cyber terrorism Viruses
Threats Environmental
Industrial
Espionage
Natural Unexpected
Disasters (“OOPS” factor)

20. Business Risks
Financial Intellectual
loss capital
Public Business Litigation
Image/Trust Risks
Employee &
Legislative
customer
violations
privacy

21. Infrastructure Best Practices

22. Why should you care?
Avoiding complete loss of e-Gov & e-Serv
Avoid
Revenue Loss
Damage to Reputation
Productivity
Performance and Governance
Complex Problem to Solve
Protect critical business processes
Protect critical supporting infrastructure
Protect company data and Intellectual Property
Meet Compliance regulations
Manage People in the Process

23. Impact of Disaster
Revenue:
$ billions
Direct loss, compensatory exponential
payment, lost future increase
Governance
revenues, billing losses and Performance
investment losses
damaged
reputation
$ impact
Productivity:
Number of employees x productivity/
impacted x hours out x employees
burdened hours = ?
direct financial/
customer
Damaged reputation: $ millions
Customers, competitors gain constant
advantage, suppliers, increase
financial markets, business minutes days
time
partners
Governance &
performance:
Revenue recognition, cash Indirect impact of downtime can be
flow, credit rating, stock
price, regulatory fines far more severe and unpredictable
23

24. eGov Importance of Infrastructure

25. Critical Infrastructure - cable cuts
Bahrain 0.2m
Qatar 0.3m
Kuwait 0.8m
UAE 1.7m
Saudi Arabia 4.7m
Egypt 6m
Pakistan 12m
India 60m
Recent Middle East
 Dragging anchor cut two critical cables
 85+ million users impact across eight countries
 Incident highlights potential terrorist opportunities
Resiliency is ABSOLUTELY CRITICAL

26. Electrical Control System Attacks
(SCADA)
26

27. Nuclear Bomb - the EMP Issue
―The most devastating sort of cyber attack on the U.S.
would involve a decidedly kinetic weapon — a nuclear
bomb, detonated high over the Earth. Such an explosion
would shut down all but the most ―hardened‖ networks and
computers within range; the Pentagon has hardened its
most critical structures and weapons systems, such as
nuclear-capable B-52 bombers, for such an eventuality.‖
―Military needs hackers, StratCom chief says,‖ October 2nd,
2008
27

28. New Complexity & Conflict
Does the defense of a country or a system
depend on:
least effort?
best effort?
sum of efforts?
The last is optimal; the first is awful
Software is a mix: it depends on the worst effort
of the least careful programmer, the best effort
of the security architect, and the sum of efforts of
the testers
Solution: hire fewer better programmers, more
testers, top architects, keep it simple

29. Complexity adds risk
System calls in IIS

30. Implementation, Quality, Peer Issues
What does this code do?
@P=split//,".URRUUc8R";@d=split//,"n
rekcah xinU / lreP rehtona tsuJ";sub
p{@p{"r$p","u$p"}=(P,P);pipe"r$p","u$p
";++$p;($q*=2)+=$f=!fork;map{$P=$P[$f|
ord($p{$_})&6];$p{$_}=/^$P/ix?$P:close
$_}keys%p}p;p;p;p;p;map{$p{$_}=~/^[P.]
/&& close$_}%p;wait until$?; map{
/^r/&&<$_>}%p;$_=$d[$q];sleep rand(2)
if/S/;print

31. Successful implementation requires
Technology
People Process

32. People is the biggest problem?

33. Identity Theft and Phishing
'The Hacker' Arrested for Phishing Scheme
Stephen Tidwell, Assistant Director in Charge of the FBI’s Los
Angeles Field Office. Goodin, who was known as “The
Hacker,” was originally arrested in January 2006 on charges
he operated an identity theft scheme known as “phishing.”

34. Identity Theft brokers

35. User Awareness Problem
AFP published
this untouched
photograph of a
Hurricane Katrina
evacuee and her
debit card. What
happened next
was no surprise

36. Phishing, Hijacked growth
ID Theft Exponential
Phishing only started in 2004, but in 2006 it cost the UK
£35m and the USA perhaps $200m

37. Phishing: Target Sites
• Target customers of banks
and online payment
services
• Obtain sensitive data from
U.S. taxpayers by
pretended IRS- emails
• Identity theft for social
network sites, e.g.
myspace.com
• Recently more non-
financial brands were
attacked including social
networking, VOIP, and
numerous large web-
based email providers.
http://www.antiphishing.org/

38. Phishing: Techniques
Upward trend in number of
phishing mails sent
Massive increase of phishing
sites over the past
Increasing sophistication
Link manipulation, URL spelling
Website address manipulation
Evolution of phishing methods
from shotgun-style email
Image phishing
Spear phishing (targeted)
Voice over IP phishing
Whaling: High-profile people http://www.antiphishing.org/

39. What causes most incidents?
Many incidents are due to a lack of
security awareness:
Attackers use tricks
Web links and pop-ups
Installing software

40. Avoid installing additional software
―Free‖ versions
of software may
contain Trojan
horses, spyware
or other malicious
software that
Some quick online research can often
could infect a PC help identify malicious software
Plug-ins may also
contain malicious
software
If a website requires a plug-in to view
it, try to avoid using it

41. New Applications, New Risks
SOA
Social
networks
Mobility
Wireless
Many
Devices

42. Mobiles are new Biggest Risk, Target

44. ―Social Networking is like the
Hotel California. You can check
out, but you can never leave‖
Nipon Das to the New York Times

45. Risk Analysis provides focus for Security
High
Medium
Area of
Major
Low Concern
Low Medium High

46. Managing Risk
exploit
Threats Vulnerabilities
protect against increase increase expose
reduce
Controls Risks Assets
met by indicate increase have
Security Business
Requirements Impact

47. Managing risk?

48. Control is Key
So how do you implement security controls?
Administrative controls:
The Security Policy states that Internet services must
be used safely.
Technical controls:
Site implements a firewall to stop external attackers
but allow academic collaboration.
Education:
Explain to users why there is a firewall (to stop
attackers) and how to ask for exceptions (to allow
collaboration).

49. New Solutions-Reputation Management
Seller reputation
Peer-to-peer
Key management
Anti-spam/IP reputation
Content filtering
Avatar Reputation
Social Network Peer Reputation
Unified Communications (IM, SPIT/SPIM etc…)

50. Standardisation bodies
ISO/IEC - Wide scope of standardization. 27xxx and 13335
IETF – Focuses on Internet related technical Security requirements
NIST-CSRC (http://www.nist.gov/) – Wide scope of coverage for both
government and enterprise needs.
OASIS (http://www.oasis-open.org/) - Application Vulnerability
Description Language
OGSF (Open Group Security Forum,
http://www.opengroup.org/security/) - started Intrusion Attack and
Response Workshop
Best practices and recommendations
CERT/CC (http://www.cert.org/)
SANS (System Administration, Networking, and Security) Institute –
http://www.sans.org/
ISACA (http://www.isaca.org/) – Most noted for CoBIT framework fIT
Governance
ISSA (http://www.issa.org/) – GAISP (Generally Accepted Information
Security Principles)

51. Standards, Guidelines
ISMS family of standards (ISO/IEC 27xxx)
ISO/IEC 27001 – ISMS (BS 7799-2)
ISO/IEC 27002 – ISO/IEC 17799 (BS 7799-1)
ISO/IEC 27005 –Infosec risk management
ISO/IEC 27006 – Guide to ISMS certification process
ISO/IEC 27003 – ISMS implementation guide
ISO/IEC 27004 – Infosec Metrics
ISO/IEC 27007 - Guideline for ISMS auditing
ISO/IEC 27011 - ISMS implementation guideline for
the telecommunications industry
ISO/IEC 27034 - a guideline for application security

52. Standards, Guidelines
COBIT
Control Objectives for Information
& related Technology
De-facto Standard
IT governance framework and supporting toolset
Bridge the gap between business and IT
Enhance delivery of value by IT (business enabler)
Emphasizes regulatory compliance and risk management
Performance measurement ->effective resource utilization
Umbrella framework - Aligned with other frameworks
E.g. COSO, ISO/IEC 27001, ISO/IEC 27001
Promoted by numerous regulations/regulator bodies

53. Security Metrics

54. Incident Response Components
(from RFC 2350)
CSIRT’s
Organisational form depends on
type of organisation and
required level of support to community
Security Policy
Define what is required/allowed/acceptable
Incident Response Policy
What is provided, who receives it and who provides support
Incident Response Plan
Which incidents will be responded and how

55. Response and Risk approach
Crises
Impact Monitor & resolve the
“critical few” with crisis
Crisis Management management team
Process
Monitor & resolve at
appropriate level using
Incident Management processes
Process
Incidents
Risk Management and Business Controls
Events
Assess impact of events &
implement appropriate controls

56. Incident Handling Life Cycle
Other Email
IDS
Triage Information
Request
Incident
Hotline/ Report Analyze
Phone
Vulnerability
Report
Obtain
Coordinate Contact
Information Information
and
Response
Provide
Technical
Assistance

57. Role and Responsabilities eGov
Security: CERT
Prevention security incidents
Government Body
Advice & security policies
Co-operation with Law Enforcement
Awareness: informing the public about risks
Initiating Legislation
Law Enforcement
Intelligence

58. Range of CSIRT Services
Mandatory Services:
Incident Handling
Common CSIRT Services:
Alerts and Auditing and
Announcements Penetration Testing
Vulnerability Analysis Security Consulting
and Response Risk Analysis
Artifact Analysis Security Product
Education and Training Development
Incident Tracing Collaboration
Intrusion Detection Coordination

59. EU CERTS

60. Action Plan 1
Build resilience / Harden the infrastructure
Servers and links redundancy
Security of routing protocol / traffic exchange
Security of DNS service
Profiling attackers and understanding their objectives
(know your enemies)
Response preparedness
National contingency plan for the Internet
Cyber exercises on National/international level are crucial
Strengthen multinational cooperation for rapid response (formal
rather than informal)
Importance of CERTs/CSIRTs and their role for national and
international cooperation
Measurement - monitoring of traffic to understand what is
going on

61. Action Plan - 2
Technology will not be sufficient
Study the economics of security and cyber crime
Set-up Public Private Partnership (PPP)
Example www.antiphishing.org
Develop cross-sector and cross-organisational
cooperation on National, EU and international levels
Agree on responsibility’s allocation
Information and best practices sharing  importance
of trust
Raising awareness and education of individuals, public
bodies, corporate users and service providers

62. Acton Plan 3-
Policy, Regulatory & Institutional Framework
Consultative visioning exercise
leads to the formulation of a COUNTRY ICT VISION
Country ICT Vision
Governments develop policies,
COUNTRY ICT POLICY with objectives that influence
strategies and action plans
Strategies provide a framework for Legislation enshrines policy in law
the implementation of policy and ICT STRATEGY LEGAL FRAMEWORK and provides legal sanctity to
lead to a set of action plans measures provided in the strategy
Action plan gives a detailed
Institutional structures are
timeplan for implementation ACTION PLAN INST. FRAMEWORK required to implement action plans
of the strategy

63. Conclusions
Cannot solve alone
The complexity of Risks to global cybersecurity
demand a global framework of response!
The magnitude of the problem needs coordinated
global response
Standards Organizations, CERTs can act as a
catalyst and facilitator for a global response to
cybercrime.
This will create a cyberspace safe for
e-Government Corporation and people to service,
trade, learn and enjoy.

64. Questions
+973-36040991
jorge.sebastiao@its.ws