UN/ITU - Organisational Structures and Incident Management - Cybersecurity

“Organisational Structures
&
Incident Management
for
Cybersecurity in the Americas”
ITU AND CITEL REGIONAL CYBERSECURITY
CAPACITY BUILDING WORKSHOP FOR THE AMERICAS
Monday 1st November 2010, Salta City, Argentina
1
Cybersecurity in the Americas”
Dr David E. Probert

Cybersecurity Organisational Structures
& Incident Management for CITEL-OAS
1 –Aim: National Cybersecurity 2 – Critical Service Sectors 3 – Cyber Attack Scenarios
4–“Best Practice” Case Studies 5–CIRT: Organisational Models 6 – The “Cyber” Business Case
7 – Global IMPACT Alliance 8 - Public-Private Partnership 9 – Next Suggested Steps
2

ITU: High-Level Expert Group
– Global Cybersecurity Agenda -
3

The ITU GCA - Global
ITU:– Global Cybersecurity Agenda
The ITU GCA - Global
Cybersecurity Agenda:
1 – Legal Measures
2 – Technical Measures
3 – Organisational Measures
4 – Capacity Building
5 – International Cooperation
4

Worldwide Security in Cyberspace!
- (4) – Capacity Building
- (2) –
- (1) –
Legal Measures
- (3) –
Organisational
Structures
- (2) –
Technical
&
Procedural
Measures
5
- (5) – Regional and International Collaboration

ITU: Global Cybersecurity Agenda – Web Portal
6

ITU GCA – The Seven Strategic Goals
- for National & International Cybersecurity -
7
….These 7 goals can be achieved through the implementation of National CIRTs!

“Visualisation of Cyberspace”: Global IP “WHOIS” Addresses
8
…From 20thC Physical World To 21stC Cyberspace! ...

Active Internet Domains – “American IP Registry”
9

“Outer Galaxies of Cyberspace” – Other Registries
10

Malicious Cybercrime Activity in Global Cyberspace
Key: Hilbert
Space-Filling
Curve Process
11
Link: www.team-cymru.org

Global IP Connectivity: Real-Time Infection
12

Implementation of ITU’s GCA Framework
The Implementation of the ITU GCA Framework can be significantly
accelerated using the National CIRT as a key programme catalyst:
Legislation, Laws & Regulations – Many CIRTs support their government legal
professionals in the definition, drafting & review of new cyberlawsprofessionals in the definition, drafting & review of new cyberlaws
Technical & Procedural Measures – CIRTs will usually have the most professional
technical & operational cyber skills that can be replicated within critical sectors
Organisational Structures – The CIRT may work with both public & private sector
as the catalyst to support the creation of a national cybersecurity agency
Capacity Building – CIRTs may work with the Educational Sector (Universities,
Colleges & Schools), as well as Specialised Cybersecurity Businesses to organise
and staff in-depth professional cybersecurity workshops and training courses
International Collaboration – The ITU already partners with many International
and National CIRT organisations including IMPACT, FIRST, US-CERT & ENISA.
…..In summary, the ITU encourages & supports countries to establish CIRTs, and to
further leverage these skills in the provision of a national cybersecurity strategy
13

14

Critical Service Sector Infrastructure
National Strategies: Many countries now consider the threat of cyber
attacks to be high enough to establish national cybersecurity strategies.
UK Strategy: As with physical security & defence, these should be annually
updated. For example the UK published its 1st Cybersecurity Strategy (Juneupdated. For example the UK published its 1st Cybersecurity Strategy (June
2009), and now an updated UK National Security Strategy (Oct 2010).
Every Critical Service Sector should be strategically addressed in-depth:
Government (National & Regional)
Telecomms/Mobile/ISPs
Banking/Financial Services
Transportation/Airports/Ports
Energy Power Grid & Utilities
Healthcare & Emergency Services
Healthcare & Emergency Services
Police & Law Enforcement Agencies
….The national cybersecurity organisation will include all these sector stakeholders, whilst the CIRTs
will respond to incidents & communicate cyber alerts & emergency actions across ALL sectors
15

Cyber Threats against UK Critical Services
16

CyberCrimes against Critical Sectors
Government:
Theft of secret intelligence, manipulation of documents, and illegal
access to confidential citizen databases & national records
Banking/Finance:Banking/Finance:
Denial of Service attacks against clearing bank network, phishing
attacks against bank account & credit cards, money laundering
Telecomms/Mobile:
Interception of wired & wireless communications, and penetration
of secure government & military communications networks
Transport/Tourism:
Cyber Terrorism against airports, air-traffic control, coach/train
transport hubs, & malicious penetration of on-line travel networks
transport hubs, & malicious penetration of on-line travel networks
Energy/Water:
Manipulation and disruption of the national energy grid & utilities
through interference of the process control network (SCADA)
17

Case Study: StuxNet Worm - Industrial SCADA Systems
Stuxnet Worm : 1st Discovered June 2010
18
SCADA = Supervisory Control & Data Acquisition
- Mainly for Power Stations & Industrial Plants -

19

Sources of Cyber Threats
The complexity of cyber threats means that several complimentary
frameworks have been developed that classify the risks:
For this workshop session we’ll focus on the categorisation developed
by the ITU Telecommunications Study Group 17 as follows:
Category 1 : Unauthorised Access – The systems & networks are accessed by
persons or “bots” that do not have legal access or permissions
Category 2 : Denial of Service Attacks (DoS) – Such attacks are used to target
& disable a specific website or server using an army of infected machines
Category 3 : Malicious Code – Malware such as trojans, viruses & spyware are
embedded within host machines for both commercial & criminal purposes
Category 4 : Improper Use of Systems – In these cases, the systems are being
used for access and applications against the communicated policies
Category 5 : Unauthorised Access AND Exploitation – Many attacks will fall into
this category when the hacker will penetrate systems and then use the
this category when the hacker will penetrate systems and then use the
acquired data, information & documents for cybercriminal activities
Category 6 : Other Unconfirmed Incidents – These are alerts that require
further investigation to understand whether they are actually malicious
20

Regional “Bot” Infections – 2Q 2010
21
Source: Microsoft – Security Intelligence Report - 2010

Typical “Botnet” Cyberattack
22

Cyber Attacks: Criminal Industrialisation
Industrialisation and Mainstreaming of Cyber Attacks:
(1) Researchers & Cyber Software Creators of Malicious Codes : Often
creative talented computer scientists that have turned their skills to
tools for illegal penetration & control of secure systems
(2) “Botnet” - Farmers & Herders : They are responsible for the illegal
international distribution and infection of target “zombie” networked
laptops PCs & Servers within homes and offices. The malicious codes
(malware such as viruses & trojans) are spread through spam emails,
infected websites and “backdoor” attacks.
(3) “Commercial Botnet Dealers” : They sell access to herds of
“zombie” infected machines. The embedded malicious code can be
“zombie” infected machines. The embedded malicious code can be
triggered to stimulate “Denial of Service (DDoS)” attacks on target
servers & websites. The aim is usually to maximise economic and
political damage upon the targeted nation and associated businesses.
...For further information: ITU “BotNet” Mitigation Toolkit
23

Recent Cyber Attacks: Case Studies
Estonia : May 2007
Targeted at Government & Banking Servers – and immobilised
national & commercial economic infrastructure for several daysnational & commercial economic infrastructure for several days
Georgia : August 2008
Targeted at Government Servers including Parliament & Ministry of
Foreign Affairs, and the National & Commercial Banking Network.
South Korea : July 2009
Targets included the Defence Ministry, Presidential Offices, National
Assembly, and Korea Exchange Banks. This attack was also
simultaneously targeted at various high-profile US Sites & Servers
such as the NY Stock Exchange, White House & Pentagon.
such as the NY Stock Exchange, White House & Pentagon.
…….Small scale penetrations & cyber attacks continue on an almost 24/7
against certain countries, targeted regimes and business interests.
24

25

National Cybersecurity Agency: Case Studies
US Government: Cyberspace Policy Review – Assuring a Trusted and
Resilient Information and Communications Infrastructure – May 2009
Canada: Canadian Cyber Incident Response Centre (CCIRC) – Integrated
within the Strategic Government Operations Centre (GOC)
UK Government: Cybersecurity Strategy for the UK – Safety, Security &
Resilience in Cyberspace (UK Office of Cybersecurity – June 2009)
Australia: Australian Cybersecurity Policy and Co-ordination Committee
(CSPC – Nov 2009), within the Attorney-General’s Government Dept
Malaysia: “Cybersecurity Malaysia” – Mosti : Ministry of Science, Technology
& Innovation, and includes the MyCERT & Training Centre
Singapore: Cybersecurity Awareness Alliance & the IDA Security Masterplan
(Sept 2009) -Singapore Infocomm Techology Security Authority - SITSA
South Korea: Korea Internet and Security Agency (KISA – July 2009)
South Korea: Korea Internet and Security Agency (KISA – July 2009)
…..Many nations are now also following similar strategies and using their
National CIRTs as the focus & catalyst to develop national cyber agencies
26

US Government : Office of CyberSecurity (CS&C)
Following the June 2009, US Government Policy Review, the
Department of Homeland Security (DHS) has responsibility for hosting
the “Office of Cybersecurity and Communications” (CS&C). Within this
large organisation is the “National Cyber Security Division” (NCSD):
National Cyberspace Response System
National Cyber Alert SystemNational Cyber Alert System
US-CERT Operations
National Cyber Response Co-ordination Group
Cyber Cop Portal (for investigation and prosecution of cyber attacks)
Federal Network Security
Ensuring the maximum security of executive civilian departments and agencies
Cyber-Risk Management Programs
Cyber Exercises: Cyber Storm
National Outreach Awareness
National Outreach Awareness
Software Assurance Program
….The US Government DHS also has a National Cyber Security Center (NCSC) which
is tasked with the protection of the US Government’s Communications Networks
27

Canadian Government
The Canadian Cyber Incident Response Centre (CCIRC) monitors the cyber threat
environment around the clock and is responsible for coordinating the national
response to any cyber security incident. Its focus is the protection of national
critical infrastructure against cyber incidents. The Centre is a part of the
Government Operations Centre and a key component of the government's all-
hazards approach to national security and emergency preparedness.hazards approach to national security and emergency preparedness.
CCIRC works with national and international counterparts to collect, analyze and
CCIRC works with national and international counterparts to collect, analyze and
disseminate data on cyber threats. The Centre provides analytical releases, as well
as a variety of information products and services specifically for IT professionals
and managers of critical infrastructure and other related industries.
28

UK Office of Cybersecurity – OCS & CSOC
29

Australian Government : CSPC
The Cyber Security Policy and Coordination (CSPC)
Committee is the Australian Government committee that
coordinates the development of cyber security policy for the
Australian Government. The CSPC Committee:Australian Government. The CSPC Committee:
Provides whole of government strategic leadership on cyber security
Determines priorities for the Australian Government
Coordinates the response to cyber security events
Coordinates Australian Government cyber security policy internationally.
30

Malaysian Government: MOSTi
31

Singapore Government : SITSA
32

South Korea Government: KISA
KISA = “Korean Internet & Security Agency”
33

National Cybersecurity Agencies: Common Roles
Common roles and responsibilities for all these national cyber agencies:
Cyber Alerts: Management of the National Response to Cyber Alerts, and AttacksCyber Alerts: Management of the National Response to Cyber Alerts, and Attacks
Education: Co-ordination of the National Awareness and Skills Training Programmes
Laws: Leadership role in the development and approval of new cyber legislation
Cybercrime: Facilitation for building a National Cybercrime of e-Crime Unit
Standards: Setting the national cybersecurity standards and auditing compliance
International: Leadership in the promotion of international partnerships for
Research: Support for research & development into cybersecurity technologies
Critical Sectors: Co-ordination of National Programmes for Critical Infrastructure
34
...Next we consider the ITU’s standards based approach to the organisation
of a national or critical sector Computer Incident Response Team (CIRT)…

35

ITU’s Strategic Vision on National
CIRTs – Organisation & Benefits
ITU sees major national strategic & operational benefits from CIRTs
which may provide strong national foundations and catalysts for:
1) Human Capacity Building
2) Cybercrime Legislation & Training2) Cybercrime Legislation & Training
3) eGovernment Framework & Applications
4) Child On-Line Protection Programme
5) National Identity & Access Management
6) Cybersecurity Culture & Awareness Programme
7) Enhanced Incident Response & Management
8) Cyber Event Prevention & Mitigation Strategy
9) Disaster & Emergency Recovery Strategy
10) National Public Key Infrastructure (PKI)
11) Public-Private Sector Cybersecurity Collaboration
11) Public-Private Sector Cybersecurity Collaboration
12) Critical Service Sector CIRTS: Banking, Energy, Transport…
…….The ITU Global Programme is supported through regional CIRT Workshops,
Cyber Guidelines, Standards Developments and International Partnerships
36

ITU WTSA Resolution 58: Establish National CIRTs
37

“Building Blocks”“Building Blocks”
of theof the
Enhanced IncidentEnhanced Incident
ResponseResponse
National AwarenessNational Awareness
StrategyStrategy
Cyber Crime LegislationCyber Crime Legislation
ITU : Business Benefits from CIRTs…ITU : Business Benefits from CIRTs…..
of theof the
“National“National
CybersecurityCybersecurity
ProgrammeProgramme””
within thewithin the
Principles ofPrinciples of
“International“International
Cooperation”Cooperation”
ManagementManagement
Culture of CybersecurityCulture of Cybersecurity
Prevention & MitigationPrevention & Mitigation
StrategyStrategy
PublicPublic--Private SectorPrivate Sector
CollaborationCollaboration
Cyber Crime LegislationCyber Crime Legislation
National Identity andNational Identity and
Access ManagementAccess Management
FrameworkFramework
eGovernmenteGovernment FrameworkFramework
Child Online ProtectionChild Online Protection
CollaborationCollaboration
National PKINational PKI
Child Online ProtectionChild Online Protection
Disaster Recovery StrategyDisaster Recovery Strategy
Human CapacityHuman Capacity
BuildingBuilding

CERT/CIRT Services
39

ITU-IMPACT: Global Response Centre
40

Business CIRT: Integrated Command & Control
Security Operations Command Centre for Global Security Software Enterprise
41

42

US and Asia-Pacific CERTs
43

Selected Latin American CERTs
Argentina:
ArCERT – Argentina Public Administration– arcert.gov.ar
CSIRT BANELCO – Banking Sector including Standard Bank & Santanderrio
Brazil:
CAIS/RNP – Brazilian Academic & Research Network- cais.rnp.brCAIS/RNP – Brazilian Academic & Research Network- cais.rnp.br
CERTbr – Brazilian Internet Steering Committee – cert.br
Chile:
CLCERT – Chilean Government CERT – clcert.cl
Mexico:
UNAM-CERT – National Autonomous University of Mexico – unam-cert.unam.mx
Peru:
TERIS – Telefonica Security Incident CERT – tp.com/teris and tp.com.pe/security
Uruguay:
Uruguay:
CSIRT ANTEL – National Telecomms Administration – csirt-antel.com.uy
Venezuala:
VenCERT – Venezualan Government CERT – vencert.gob.ve
44
Source: www.FIRST.org

ITU: National CIRT Implementation Framework
45

National CIRT Alert Centre
Alerts: A Fundamental Process within any CERT is the management and
classification of “incidents”, and their routing to provide a response
Triage: Some “incidents” may actually be due to some unusual statistical
traffic patterns rather than an actual alert, “hack” or cybercrime
Risk: Once an incident is classified the CERT will need to assign staff
responsibility to assess the event risk and potential impact & damage
Communicate: The CERT will communicate their analysis with relevant
stakeholders, that may include government agencies, business
stakeholders, and those responsible for critical information infrastructure
Neutralise: CERT will work with partners to minimise the disruptive risk &
Neutralise: CERT will work with partners to minimise the disruptive risk &
damage in order to neutralise the cyber attack and any future threat
…………The following slides show this incident process flow in more detail…
46

Critical Events: Incident Flows – ITU:E.409
47

Comparison of Security Management &
Incident Management: ITU – X.1056
48

49

Cybersecurity Costs : Short-Term
1) CIRT & National Cyber Agency: Establishment of a CIRT & National
Government Cybersecurity Agency within the Government MinistriesGovernment Cybersecurity Agency within the Government Ministries
2) CIIP: Long Term Critical Information Infrastructure Protection (CIIP)
3) System Upgrades: Technical Infrastructure Upgrades including Hardware,
Software, Databases, Secure Network Links, Biometrics & RFID
4) Back-Up: Disaster Recovery, Business Continuity and Back-Up Systems
5) Physical : Physical Security Applications – CCTV, Alarms, Control Centre
6) Awareness Campaign: Government Campaign for cybersecurity awareness
7) Training: National Cybersecurity Skills & Professional Training Programme
8) Encryption: National User & Systems PKI Authentication Programme
8) Encryption: National User & Systems PKI Authentication Programme
9) Laws: Costs for Drafting and Enforcing Cyber Laws. Policies & Regulations
50

Annual Cybersecurity Budgets
Managing cybersecurity is an ongoing task with a continuous need
for government & business systems upgrades, staff training, and
response to emergency cyber events & alerts
Annual Security Budgets will need to include allowances for:
Staff salaries & operational costs for the CIRT & National Cybersecurity Agency
Costs for tackling cybercrime through a possible National Cybercrime Unit
Management of cybersecurity by National & Regional Civilian Authorities
Costs of required annual security audits to ensure ongoing compliance
Professional training courses at leading Educational Colleges & Universities
Costs for maintaining “best practice” cybersecurity within each of the critical
service sectors within your National Economies such as Telecomms & Banking
Regular Systems, Computing & Communications reviews & upgrades for all
Regular Systems, Computing & Communications reviews & upgrades for all
secure government computing centres, as well as those for major enterprises
On-going costs top support extensive international partnerships & collaboration
51

Cybersecurity Benefits: Government
Improved cybersecurity provides significant benefits to the
Government & Critical National Service Sectors including:
eGovernment: Fully secure & cost effective delivery of on-line
services to both citizens and businesses, such as taxes & customs,services to both citizens and businesses, such as taxes & customs,
social welfare, civil & land registries, passports & driving licences
eDefence: Early warning, alerts and defences against cyberattacks
through national CIRT (Computer Emergency Response Centre)
Cybercrime: Investigate, Digital Forensics and Prosecution of
cybercrimes such ID & Financial Theft, “Computer Misuse,
Laundering, On-Line Drug Trafficking & Pornographic Materials
Cyberterrorism: Ability to assess, predict and prevent potential major
cyber terrorist attacks, and to minimise damage during events
Power & Water Utilities: Prevent malicious damage to control systems
Power & Water Utilities: Prevent malicious damage to control systems
Telecommunications: Top security of government communications
with alternative routings, encryption & protection against cyberattack
52

53

IMPACT : Worldwide Cybersecurity Alliance
IMPACT International Partners: ITU, UN, INTERPOL and CTO
54
Industry Partners include: Symantec, Kaspersky Labs, Cisco, Microsoft, (ISC)²,
F-Secure, EC-Council, Iris, GuardTime, Trend Micro and the SANS Institute
IMPACT = International Multilateral Partnerships Against Cyber Threats

ITU : IMPACT Cybersecurity Programmes
The ITU is one of the key international players in the global alliance
with IMPACT with its worldwide headquarters at Cyberjaya, Malaysia.
IMPACT is an outstanding example of the New Generation of
21stCentury Worldwide PPP Organisation that is dedicated to the
challenge of tackling global Cyberattacks and Cyberterrorism
IMPACT runs 4 major service programmes that are defined as:
The Global Response Centre (GRC): Modelled on the CDC in Atlanta, USA, the GRC is
designed to be the foremost cyber threats resource centre in the world
Centre for Policy and International Co-Operation: IMPACT partnership with the ITU
brings a potential membership of 191 member states. Other International Partners
include the United Nations, Interpol, and the Council of Europe (CoE)
Centre for Training and Skills Development: IMPACT works on cybersecurity training and
Centre for Training and Skills Development: IMPACT works on cybersecurity training and
certification with many of the world leading companies and organisations.
Centre for Security Assurance and Research: In-Depth Research into Data Mining and
Threats, Botnets and the development of the IMPACT Research Online Network (IRON).
Also the development of the global “CIRT-LITE” Service and the IGSS DashBoard.
…….
55

Features of the Global Resource Centre
Key Features of the GRC include:
1) Network Early Warning System
2) Automated Threat Analysis System (ATAS)
3) Global Visualisation of Threats3) Global Visualisation of Threats
4) Remediation Facility
5) Trend Management and Knowledge base
6) Country Specific Cyber Threat
7) Incident and Case Management
8) Trend Monitoring and Analysis
9) IMPACT Honey Pot
10)Cyber Threat Route Plotter
56

57

Public – Private Partnerships (PPP) :
Development of CyberSecurity Skills
The extensive scope required for cybersecurity capacity & skills building
mean that a recommended way forward is for the government to
negotiate partnerships with the private business sector
The PPP Model is used extensively in many countries in which the
government outsources ICT-based eGov services and training to private
sector companies that already have the requisite skills:
CERT/CSIRTs may be outsourced to Telecomms/ISPs as well as the University Networks
Government ICT Infrastructure, and eGov Applications Hosting can also be outsourced
Awareness and Professional Training can be managed through Colleges & Universities
Critical Service Sector Skills Building for Cybersecurity will be developed in partnership with
the relevant sector such as banking/finance, energy, agriculture, travel and tourism
Using PPP will significantly accelerate the rate at which your Government
Administration can implement its cybersecurity action plan & roadmap
whilst at the same time sharing the investment cost with business.
58

International CollaborationInternational CollaborationNational CollaborationNational Collaboration
FIRSTFIRST
FINANCIALFINANCIAL
SECTORSECTOR
SERVICESERVICE
SECTORSECTOR
SECTORSECTOR
CERT’sCERT’s ENISAENISA
FIRSTFIRST
CIRT Deployment: Public-Private International Collaboration
National CIRTNational CIRT
REGIONALREGIONAL CERT/CIRTsCERT/CIRTsIMPACTIMPACT
ITUITU USUS--CERTCERT
GOV AGENCIESGOV AGENCIES
EDUCATIONEDUCATION
SECTORSECTOR
UTILITIESUTILITIES
SECTORSECTOR
SECTORSECTOR
ISPISP
SECTORSECTOR
TELCOTELCO
OTHERSOTHERS
DEFENSEDEFENSE
SECTORSECTOR
FIRSTFIRST
MEMBERSMEMBERS
APCERTAPCERT
TELCOTELCO
SECTORSECTOR UNUNOTHEROTHER
SECTORSSECTORS
Critical Service SectorsCritical Service Sectors InternationalInternational OrganisationsOrganisations

60

Suggested Next Steps for CITEL-OAS Members
Review and implement UN Resolution 64/211 (December 2009) – “Creation of Global
Culture of Cybersecurity, including Voluntary Self-Assessment Tool for National Efforts
to protect Critical Information Infrastructures” – Using ITU Guidelines & Toolkits
Appoint Top-Level Cybersecurity Team to review current status of cybersecurity
within the Government, Telecomms & designated Critical Information Service Sectorswithin the Government, Telecomms & designated Critical Information Service Sectors
using ITU’s GCA 5 Pillars of Legal, Technical, Organisational, Capacity & Partnerships
Establish a National CIRT and National Government Cybersecurity Agency (or Council)
with authority and budget for the following suggested short to mid-term actions:
1- Cyber Alerts (CIRT): Manage the National Incident Response to Cyber Alerts, and Attacks
2- Critical Sectors: Co-ordination of National Programmes for Critical Information Infrastructure
3- Education & Awareness: Co-ordination of the National Awareness & Cyber Skills Training
4- Legislation: Leadership role in the development of new cyber legislation & regulations
5- Cybercrime Unit: Facilitation for the establishment of a National Cybercrime e-Crime Unit
5- Cybercrime Unit: Facilitation for the establishment of a National Cybercrime e-Crime Unit
6- Security Standards: Setting the national cybersecurity standards and auditing compliance
7- International Partnerships: Leadership in the promotion & management of partnerships
8- Research: Support for research & development into cybersecurity technologies & solutions
….These actions will be implemented most effectively through outsourcing actions to Public-
Private Partnerships (PPP) that utilise existing professional cyber resources & assets!
61

ITU & CITEL RegionalITU & CITEL Regional
Cybersecurity WorkshopCybersecurity Workshop
-- Organisational Structures & Incident ManagementOrganisational Structures & Incident Management --
ThankThank--YouYou!...!...
ThankThank--YouYou!...!...
62

Cybersecurity Workshop: Organisational
Structures & Incident Management
BACK-UP SLIDESBACK-UP SLIDES
63

Electronically Secure Collaboration
Platform for Experts (ESCAPE)
64

Network Early Warning System(NEWS)
65

Cyber Threat Sources against
Critical National Infrastructure
# Item THREAT SOURCE NAME THREAT LEVEL
1 Foreign Intelligence Agencies Severe
2 Hackers (Individual & National Hackers) Severe
3 Organised Crime Severe
4 Unreliable Employees Moderate
5 Infrastructure Owners and Operators Moderate
6 Political Activists Low
6 Political Activists Low
7 Investigative Journalists Negligible
66

Critical Incident Management
67

The Life-Cycle of Network Cybersecurity
68

3 Layers of Cyberspace
69

Phase 1 : Emergency Management
70

Phase 2 : Handling Management
71

Phase 3 : Follow-Up Activities
72

IMPACT GRC: NEWS & ESCAPE Programmes
73

Cyber-Incident Depth Analysis
74

Worldwide IMPACT Alliance: Organisation
75

US Government : Cybersecurity Review
* 60-Day *
Policy Review
May 2009
Policy Review
76

An Approach to Organisational
Structures for National Cybersecurity
77

Structures and Strategies
National Cybersecurity Strategy: The Government Administration first
needs to define and communicate its cybersecurity strategy. This
strategy will probably be associated with the plans for e-Government
National Cybersecurity Agency (NCA): An effective government agency
closely linked to the Cabinet and Ministry of Security is required to co-
ordinate resources, and to roll-out the national cybersecurity roadmap
Enterprise Organisations: Businesses will also need to consider the
implementation and management of enterprise-wide cybersecurity
through the appointment of a Chief Security Officer (CSO) working
alongside the Chief Information Officer (CIO)
Specialised Cybersecurity Organisations: There is also a requirement for
dedicated organisations such as a national CIRT (Computer Incident
Response Team), and National Cybercrime Unit (NCU)
78

Cybersecurity Co-ordination
The proposed National Security Agency (or Council) is responsible
for the co-ordination of all actions & programmes:
1) Liaison with all the Jamaican Government Ministries & Agencies
2) Co-ordination with Regional & Local Government Organisations
3) Leadership for the Cybersecurity Training and Awareness Programmes
4) Partnerships with Private Business to promote secure eBusiness / eTrade
5) Development and Implementation of Cybercrime Legislation & Regulations
6) Working with the police & military regarding cybercrime / cyberterrorism
7) International Collaboration and Partnerships such as the ITU and Interpol
8) Establish of National CERT/CSIRT for 24/7 National Cyberspace Monitoring
9) Work with Critical Service Sectors such as Banking/Finance, Telecomms,
Energy, Education, Healthcare and Travel/Tourism to upgrade cybersecurity
Energy, Education, Healthcare and Travel/Tourism to upgrade cybersecurity
……We’ll consider each of these requirements during the course of this session!
79

Framework for Organisational Structures
80

National Cyber Agency (NCA)
We’ll briefly consider and summarise the organisation &
strategies of the National Cybersecurity Agencies for :
UK Government - Cybersecurity Strategy for the UK – Safety, Security &
Resilience in Cyberspace (UK Office of Cybersecurity – June 2009)
USA Government - Cyberspace Policy Review – Assuring a Trusted and
Resilient Information and Communications Infrastructure – May 2009
Australian Government - Australian Cybersecurity Policy and Co-ordination
Committee (CSPC – Nov 2009), within Attorney-General’s Government Dept
Malaysian Government - “Cybersecurity Malaysia” – Mosti : Ministry of
Science, Technology & Innovation, and includes the MyCERT & Training Centre
… There are other national agency case studies that we could consider but they
all have the common feature that they are driven from the highest level of
government and include the 24/7 management of cyber incidents and alerts.
81

SECURITY OBJECTIVE CYBERSECURITY TECHNOLOGY SOLUTION ROLE
Access Control
Boundary Protection Firewalls Aim to prevent unauthorised access to or from a private network.
Content Management Monitor web, messaging and other traffic for inappropriate content such as spam,
banned file types and sensitive or classified information.
Authentication Biometrics Biometric systems rely on human body parts such as fingerprints, iris and voice to
identify authorised users
Smart tokens Devices such as smart cards with integrated circuit chips (ICC) to store and process
authentication details
Authorisation User Rights
and Privileges
Systems that rely on organisational rules and/or roles to manage access
System Integrity
Antivirus and
anti-spyware
A collection of applications that fight malicious software (malware) such as viruses,
worms, Trojan Horses etc
Integrity Checkers Applications such as Tripwire that monitor and/or report on changes to criticalIntegrity Checkers Applications such as Tripwire that monitor and/or report on changes to critical
information assets
Cryptography
Digital Certificates Rely on Public Key Infrastructure (PKI) to deliver services such as confidentiality,
authentication, integrity and non-repudiation
Virtual Private Networks Enable segregation of a physical network in several ‘virtual’ networks
Audit and Monitoring
Intrusion Detection
Systems (IDS)
Detect inappropriate, incorrect or abnormal activity on a network
Intrusion Prevention Systems (IPS) Use IDS data to build intelligence to detect and prevent cyber attacks
Security Events
Correlation Tools
Monitor, record, categorise and alert about abnormal events on network
Computer
Forensics tools
Identify, preserve and disseminate computer-based evidence
Configuration Management and Assurance
Policy Enforcement Applications Systems that allow centralised monitoring and enforcement of an organisation’s
Policy Enforcement Applications Systems that allow centralised monitoring and enforcement of an organisation’s
security policies
Network Management Solutions for the control and monitoring of network issues such as security, capacity
and performance
Continuity of Operations tools Backup systems that helps maintain operations after a failure or disaster
Scanners Tools for identifying, analysing and reporting on security vulnerabilities
Patch Management Tools for acquiring, testing and deploying updates or bug fixes
82

Malaysia: Cybersecurity Strategy
83

ITU Cybercrime Toolkit – 2010
ITU Tookit: An excellent toolkit for countries such as Countries to review
and update legislation to reflect all aspects of cybercrime &
cyberterrorism. Successive sections of the ITU toolkit consider:
Substantive Provisions: Acts Against Computers, Computer Systems,
Networks, Computer Data, Content Data, and Traffic DataNetworks, Computer Data, Content Data, and Traffic Data
Procedural Provisions: for Criminal Investigations and Proceedings for
Offenses Within this Law
Jurisdictional Provisions and International Cooperation
Country Work Sheets: In-Depth Templates that comprehensively span
most of the conceivable cybercrime activities & attacks that may occur
most of the conceivable cybercrime activities & attacks that may occur
International Comparisons: Matrix of Provisions of the Cybercrime Laws
that were reviewed from major countries as the basis for the toolkit
84

ITU CYBERCRIME TOOLKIT LEGISLATIVE REQUIREMENTS
Acts Against Computers, Computer Systems, Networks, Computer
Data, Content Data, and Traffic Data
Section 1: Definition of Terms
Section 2: Unauthorized Access to Computers, Computer Systems, and
Networks
Section 3: Unauthorized Access to or Acquisition of Computer Data,
Content Data, Traffic Data
Jurisdictional Provisions
Section 21: Jurisdiction
International Cooperation
Section 22: International Cooperation: General Principles
Section 23: Extradition Principles
Section 24: Mutual Assistance: General Principles
Content Data, Traffic Data
Section 4: Interference and Disruption
Section 5: Interception
Section 6: Misuse and Malware
Section 7: Digital Forgery
Section 8: Digital Fraud, Procure Economic Benefit
Section 9: Extortion
Section 10: Aiding, Abetting, and Attempting
Section 11: Corporate Liability
Provisions for Criminal Investigations and Proceedings for Offenses
within this Law
Section 12: Scope of Procedural Provisions
Section 13: Conditions and Safeguards
Section 25: Unsolicited Information
Section 26: Procedures for Mutual Assistance
Section 27: Expedited Preservation of Stored Computer Data,
Content Data, or Traffic Data
Section 28: Expedited Disclosure of Preserved Content Data,
Computer Data or Traffic
Section 29: Mutual Assistance Regarding Access to Stored
Computer Data, Content Data, or Traffic Data
Section 30: Trans Border Access to Stored Computer Data,
Section 13: Conditions and Safeguards
Section 15: Expedited Preservation and Partial Disclosure of Traffic Data
Section 17: Production Order
Section 18: Search and Seizure of Stored Data
Section 19: Interception (Real Time Collection) of Traffic Data
Section 20: Interception (Real Time Collection) of Content Data
85
Section 31: Mutual Assistance In Real Time Collection of Traffic
Data
Section 32: Mutual Assistance Regarding Interception of Content
Data or Computer Data

# Action SHORT-TERM ACTION PLAN: APRIL – SEPTEMBER 2011
1 Government Cybersecurity Accountability
Consider making cybersecurity one of the Government’s main management accountabilities with clear success criteria.
2 Appoint National Cybersecurity Coordinator
Consider designating a senior Government Aide as National Cybersecurity Coordinator. The official should coordinate
cybersecurity activities across the Government and report to the appropriate national bodies
3 Complete and Promulgate National Cybersecurity Strategy
Consider using the template from the ITU Guidelines as a starting point for the National Cybersecurity Strategy. The
Strategy should have clear roles and responsibilities, priorities, timeframes and performance metrics. Thereafter, obtain
Government approval for the Cybersecurity Strategy.
Example of National Cybersecurity Action Plan: Short-Term
Government approval for the Cybersecurity Strategy.
4 Create National Cybersecurity Coordination Agency
In common with other countries, consider creating a multi-agency body as a focal point for all activities dealing with
protecting ’s cyberspace against threats such as cybercrime.
5 Define National Cybersecurity Framework
The framework should be flexible to allow stakeholder organisations to achieve the stated goals in the most efficient and
effective manner.
6 Initiate Public-Private Sector Cybersecurity partnership
The process should be transparent and consider all views.
7 Create Computer Incident Response Team (CIRT)
Consider creating a national CIRT to analyse cyber threat trends, improve response coordination and dissemination of
information across the Government, to industry, citizens and international partners.
8 Strengthen Legal and Regulatory System
Complete the Cybercrime Legislation Programme and enforce the new laws.
9 Initiate Cybersecurity Awareness and Education campaign
9 Initiate Cybersecurity Awareness and Education campaign
Consider working with the private sector and civil society to explain cyber threats to the citizens and their role in
defending cyberspace.
10 Define and initiate Cybersecurity Skills and Training Programme
Consider the experience of other countries in creating a cybersecurity skills and training programme with periodic
measurement of skills.
86

# Action MID-TERM ACTION PLAN: OCTOBER 2011 – JANUARY 2012
1 Define, localise and communicate Government cybersecurity Standards in areas such as Data Classification and
Staff Vetting and Clearance.
2 The National Cybersecurity Agency (NCA) should ensure that cybersecurity policies are in line with the new
Cybercrime legislation
3 Launch cybersecurity awareness campaign across Government and NCA website for government, commercial
and educational sectors with guidelines, standards and training materials.
4 As National Technical Authority for Information Assurance, the NCA should advise on how to secure
eGovernment Services.
5 Use formal channels to organise study trips for NCA Staff to other Cybersecurity Agencies
Example of National Cybersecurity Action Plan: Mid-Term
5 Use formal channels to organise study trips for NCA Staff to other Cybersecurity Agencies
6 Conduct in-depth cybersecurity review and audit of Government ministries, agencies and associated bodies.
7 Review Physical Security of organisations hosting critical infrastructure.
8 Parliamentary review of the proposed National Cybersecurity Act 2011
9 NCA Programme on Business Continuity and Disaster Recovery
10 Develop and Resource the national CIRT/CERT. In addition, develop national Cyber Incident Response
Framework involving public-private stakeholders. Also develop, test and exercise incident response plans for
Government emergency communications during natural disasters, cyberattacks, crisis or war as required by the
National Security Concept.
11 Implement six to nine months’ programme of Operational Cybersecurity upgrades. The activities may extend into
2011 and beyond.
12 Ensure that the Government Communications Network and all new services comply with the agreed
Government Authentication Framework.
13 Launch the Cybersecurity Skills and Training Programme for cybersecurity professionals and collaborate with
13 Launch the Cybersecurity Skills and Training Programme for cybersecurity professionals and collaborate with
commercial and educational sectors to boost cybersecurity Research and Development.
14 Secure Parliamentary, Cabinet & Government approval of the Cybersecurity Act 2011 and associated
Cybercrime legislation.
15 Organise an annual Regional Cybersecurity Conference to communicate progress, share views and promote
national Cybersecurity Programme.
87

4–“Best Practice” Case Studies 5–CERT: Organisational Models 6 – The “Cyber” Business Case
88

US Government – Cyber Crime Center
89

Emergency and Security Incident Response
– CERTs/CIRTs/CSIRTs -
The provision of a CERT (Computer Emergency Response Team) , CIRT (Computer
Incident Response Team) or CSIRT will be a top priority for any new National or
Sector-based Cybersecurity Organisation. In many countries the “Education Sector”Sector-based Cybersecurity Organisation. In many countries the “Education Sector”
will already have built some form of CERT/CIRT/CSIRT for their own needs.
There are many excellent on-line guides to the establishment of a CERT/CIRT/CSIRT
such as “Organizational Models for CSIRTs”-Published by Carnegie Mellon University.
Many such useful documents can be downloaded from www.cert.org & www.first.org
The European Agency – ENISA – is another excellent source for the latest research
and guides to the installation and management of national CERTs/CSIRTs
Practically all the operational CERTs are members of a much wider international
Practically all the operational CERTs are members of a much wider international
CERT community that shares information regarding the latest cyber incidents,
alerts, malicious attacks & hackers. They will often work together to identify the
source of international cyberattacks, and hence to counter major cyberthreats
90

Incident Handling Life-Cycle
91

CIRT – Information Process Flow
92

Incident Handling Process Flow
93

European Union : ENISA
94

ENISA: European CERT Network
95

IMPACT Global Headquarters:
Cyberjaya, Malaysia
96
IMPACT = International Multilateral Partnerships Against Cyber Threats

ITU-IMPACT: CIRT-LITE Programme
97

ITU : IMPACT Programme (B)
IMPACT is an outstanding example of the 1st New Generation 21stCentury
Worldwide PPP Organisation that is dedicated to the challenge of tackling
global Cyberthreats, Cybercrimes, Cyberattacks and Cyberterrorism
The ITU is promoting the IMPACT Programmes which allow smaller
developing countries access to scarce cyber skills and resources
especially in areas such as the establishment of the CIRT-LITE Service
The IMPACT – NEWS Service: Network Early Warning System – allows
countries to gain real-time access to the latest cyber developments
malware, threats, attacks, and hence to anticipate and take action with
regards to their own national critical information infrastructure
The IMPACT – ESCAPE Service: Electronically Secure Collaboration
Platform for Experts – allows real-time collaboration and consultation
between experts during the time of massive cyberthreats & crises
98

Pyramid of Critical Events – ITU: E409
99

UN/ITU - Organisational Structures and Incident Management - Cybersecurity

More Related Content

What's hot (20)

Similar to UN/ITU - Organisational Structures and Incident Management - Cybersecurity (20)

More from Dr David Probert (20)

Recently uploaded (20)

UN/ITU - Organisational Structures and Incident Management - Cybersecurity