2. MONGOLIAN SITUATION
Mongolian Internet infrastructure is a vulnerable target for attack.
In recent years attack techniques have become sophisticated.
Rapid proliferation of viruses, Trojans and worms.
Terminals become zombie computers in botnets.
Critical infrastructure can be affected by attacks on information infrastructure.
There have been some incidents in the financial sector.
Some cyber crimes have been registered.
Information infrastructure and broadband are developing quickly.
Information security knowledge of Internet users is low.
3. MONGOLIAN CIRT
The Mongolian Cyber Incident Response Team (MonCIRT) was established in 2007 to create a national information security system, to enhance cyber security and to provide support in the protection of critical infrastructure.
Reactive services started at the end of 2007.
Proactive and security quality services are planned to start in 2008.
The purpose of MonCIRT is to become the nation's most trusted referral agency for the Mongolian community for responding to computer security and cyber security incidents as and when they occur.
In the future, to become a coordination center for CERTs.
MonCIRT will also assist organizations in implementing proactive measures to reduce the risks of cyber security incidents.
4. MONCIRT MISSION
To become the guarantor of information and communication technology development in the steppe country.
To enhance the security of Mongolia's communications and information infrastructure through proactive actions and effective collaboration.
To prevent and respond to incidents which take place in the Mongolian segment of the Internet.
5. MONCIRT PROJECT
To create MonCIRT, we developed a project in 2005. We consider that, for successful implementation of the project, it is necessary to set the following goals.
To determine the mission and function of the MONCERT, and to develop the operation rules of the MONCERT.
To determine the structure and internal organization of the MONCERT, and to select its staff members.
To train the selected staff members.
To collect and analyze data on cyber attacks, cyber damage, the level of protection of users and ISPs, and their information security knowledge.
To find patrons and sponsors.
To obtain the equipment, hardware and software.
To start MONCERT operation.
To offer free services to users and ISPs, to carry out registration and to keep statistics.
To establish hotline communication with other CERTs, APCERT and FIRST, to cooperate with them and to help each other.
6. MONCIRT CREATING STAGES
(PLANNED)
Step 1: Obtain government support and buy-in
Step 2: Determine the MonCIRT strategic plan
Step 3: Gather relevant information
Step 4: Design the MonCIRT vision
Step 5: Communicate the MonCIRT vision and operational plan
Step 6: Start MonCIRT operation
Step 7: Promotion of MonCIRT
Step 8: Evaluate MonCIRT effectiveness
We are now at step 7.
10. CURRENT ACTIVITY
Incident coordination among organizations and aimaks (provinces) of Mongolia.
Distributing documents about security incidents and vulnerabilities.
Countering spam, phishing, pharming and social engineering scams.
Guidance on building other teams in critical infrastructure organizations.
Research and development.
Creating a honeynet.
Installing IDSs at the main gateways.
Creating a single point of contact for reporting incidents.
Developing handbooks and guidelines in Mongolian.
11. INCIDENTS CATEGORY
HANDLED BY MONCIRT
Worms, Trojans and viruses (286 times)
System intrusion / compromise (2 times)
DoS attack / abnormal traffic (5 times)
Port scan (63 times)
Spam, phishing, pharming (184 times)
(from August to December 2007)
12. MONTHLY INCIDENT REPORT
(DECEMBER. 2007)
[Chart: Incident category, December 2007. Categories: Portscan, worm/virus, abnormal/DoS, Intrusion, Open-Relay, Others. Y axis 0 to 35; per-category values not recoverable from the extracted text.]
[Chart: Port scan reports by targeted service: web, rpc, sshd, dns, print, other. Data labels as extracted: 6, 10, 5, 2, 3, 3. Port scan reports: 65 times.]
13. ONGOING PROJECTS
IDS based on autonomous agents
Cooperative incident handling system with the Government Communication Department
Incident handling and artifact handling handbooks in Mongolian
Honeynet
Incident database
14. WE NEED
Sharing information and lessons learned with other CERTs
Incident analysis and response experience
Auditing and penetration testing experience
Education and training, site visits
Technical support in creating a vulnerability database, an incident tracking system, and infrastructure
Forensics tools
Experience in botnet analysis