National Network Security Capacity Building

Yuejin DU, Ph.D

Deputy CTO of CNCERT/CC, Deputy Chair of APCERT

Regional Workshop on Frameworks for Cybersecurity & CIIP by ITU

28 August 2007, Hanoi, Vietnam


National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC)

Content

• Current Internet Security Situation
• Network Security Capacity Model
• Some Practices in China
• Conclusion


Current Internet Security Situation

• More ‘chances’ for attackers
• ‘Underground economy’ prosperity
• CIIP is facing severe threats
• Governmental information systems have many problems
• Stealing data is becoming the main goal
• Attackers are becoming more powerful and ‘running riot’
• More challenges for handling security threats

Any evidence?


Fraud website reports to CNCERT/CC – phishing incidents

[Bar chart: number of fraud website reports per period, for 2004, 2005, 2006 and 2007.1-6; y-axis from 0 to 700]

A fraud website for the 2008 Olympic ticket system appeared even before the real one opened on May 18th, 2007.


Web defacements in China – 2007.1-6

Total: 28,367 (4,728/month)

Government: 1,585 (264/month)


Computers (IPs) in mainland China controlled by hackers through Trojans – 2007.1-6

Total: 1,000,372!


Botnet: the ‘nuclear weapon’ in the hands of the dark society

IPs controlled: 3,598,431 (2007.1-6)

C&C servers: 14,355 (2007.1-6)


Location of C&C Servers – 2006

Total number: > 16,000

U.S. 33%
Other 17%
Korea 10%
Chinese Taipei 9%
Hong Kong, China 8%
Japan 5%
France 4%
Canada 4%
Germany 3%
U.K. 3%
Malaysia 2%
Brazil 2%


Network Security Capacity Model – capabilities

• Capability of ‘yu’ (预): take precautions
  – Prevention, early warning, evaluation and detection at an early stage
• Capability of ‘zhi’ (知): knowing what’s happening
  – Monitoring
• Capability of ‘kong’ (控): controllability
  – Incident or emergency response / crisis management
• Capability of ‘sheng’ (生): recover and survive
  – Recovery from incidents, survivability of the core


Network Security Capacity Model – elements

• Infrastructure
  – Products, devices, infrastructure/platform
  – “Perfect job, need perfect tool”
• Resources
  – Knowledge and databases on vulnerabilities, attacking behaviors, information on infrastructure / key systems and important users, methodology, procedures, etc.
  – “No flour, no bread”
• Teams
  – Professional security teams & cooperation framework


Network Security Capacity Model – threats

• The Art of War: “Not only know yourself, but also know your enemy; that’s the rule of winning”
• Capabilities of handling certain types of threats
  – Botnet, spyware, phishing, DDoS, spam, ……
• Keep studying new threats, find out the most appropriate handling method and procedure for them, and evaluate capacities X and Y (adjust them if needed).


Network Security Capacity Structure

[Diagram: a three-axis cube of the capacity model]

Elements (x): Teams/Orgs (professional), Platforms (products), Resources

Required capabilities (y): Pre-X (precautions), Knowing, Controlling, Surviving

Threats (z): Worm (蠕虫), DDoS, Botnet, Spyware


Practice – CERT & Domestic IR Framework

• National CSIRT
• Domestic Emergency Response Cooperation Framework
• Early Warning Capability
• Basic Resources

• CNCERT/CC’s activities:
  – Information collecting
  – Incident monitoring
  – Incident handling
  – Data analyzing
  – Resource building
  – Researching
  – Training
  – Consulting
  – International cooperation


Main roles of CNCERT/CC

• Critical information infrastructure
  – Coordination; technical support; watch and warning; resource and capacity building; etc.
• Important application systems
  – Technical support; information sharing; etc.
• POC
• Awareness raising: end users; government (need to know new threats by ourselves)
• Others


Practice – International Cooperation

• APCERT
• FIRST
• APEC-TEL
• Many other international organizations:
  – TF-CSIRT
  – OAS
  – ENISA
  – EGC


Practice - Platform


[Screenshot of a CNCERT/CC platform: “6.3-6.5 PCT vulnerability misuse”]


Conclusion

• Network security threats are becoming more powerful and complicated than before. National network security capacity has to adapt to the new challenges.

• Cooperation is crucial. It’s the only way we can enhance our capability to the necessary level.

• We are all responsible, and we all can contribute!


Thanks

www.cert.org.cn