Introduction of ISSC, III

International Group, Institute for Information Industry (III), Jan 2006

NICST (National Information & Communication Security Taskforce)
– The Taiwan government's major initiative to build information and communication security mechanisms across the public sector, including a national CERT, a certification scheme, regulation, law enforcement, auditing, etc.

NICST Organization
– General Convenor: Vice Premier
– Deputy General Convenors: NICI Task Force Convenor, RDEC Chairman
– CEO: STAG Executive Secretary
– Committee Members: Ministers and the Mayors of Taipei and Kaohsiung
– National Security Council
– Advisory Committee
– NCERT
– Working Groups: Law & Cyber Crime (MOJ, MOI); Std. & Spec. (MOEA); Audit Service (DGBAS); General Business (STAG); Info Gathering & Analysis (NSC); Report & Response (RDEC)
– Report & Response (R&R) Subgroups: National Defense (MND); Gov Admin (RDEC); Academic (MOE); Business 1 (MOEA); Business 2 (MOTC); Business 3 (MOF); Business 4 (DOH)
– Info & Comm Security Tech Center (ICST)

ICST (Info. & Comm. Security Technology Center)
• CSIRT of NICST, a project funded by RDEC (Research, Development, and Evaluation Commission) of the Cabinet
• Staffed by ISSC (Information Security Service Center) of PRD (Project Resource Division), III

ICST Missions
Enhancement
• Awareness, Training and Promotion • Internet Services (Web, newsletter) • GSN Vulnerability Scan & Patch

Monitoring
• Hacker behavior and malicious code • Security Operation Center (NSOC) • Integrated Warning System

Research
• Law and Regulation • Industry Development Trend • IT Security Common Guidelines

Response
• Front Desk Consulting Services • Emergency Response Project • Forensics and Recovery

Cooperation
• NICST Technical Staff • International Cooperation • Industry and Academia Alliance

2007 Education/Training Focus
Citizens
– Approach: enhance awareness
– Contents: Anti-Virus/Hacking/Spam how-to; What is computer crime; Why social engineering is a threat
– Channels: animation/quiz; online web; online forum; e-Paper; exhibitions; NCSI e-College; RDEC e-Learning web; seminars; directives

General Agency Officials
– Approach: baseline training
– Contents (Best Practice & Guidelines): ISMS for Agency Officials; Incident Response Mechanism; Data Encryption and Protection; Information Security and Outsourcing

Agency Officials (IT Officers, IT Technicians, Auditors)
– Approach: in-depth training & certification (training courses, seminars, certifying exam)
– Contents: BS7799 LA Training (40 hrs); BS7799 Establishment Training (40 hrs); IT Auditing Training (16 hrs); Information Technology Expert Training (93 hrs); CISSP Training (40 hrs); CEH Training (40 hrs)

IT Technicians
– Approach: in-depth training (training courses, certifying exam)

Information Technology Expert Certificates
• Background of ITE
– The Education & Training Division of III and the Computer Skills Foundation (CSF) were selected by the Ministry of Economic Affairs to run Information Technology Expert (ITE) appraisal planning and examinations in 10 subjects, starting in 2001
– The Software Design certificate has been mutually recognized between Japan (IPA) and Taiwan (III, CSF) since Dec. 2003

• Audience
– College students – Working professionals

• The Information Security subject covers two areas
– Information Security Management – Information Security Technology

Information Technology Expert Certificates (cont.)
• Information Security Management Curriculum
– Risk Management and Business Continuity (IRS) – Information Security Management System Theory, Structure, and Control (IIS) – System Security Concepts, Practice, and Application (INS) – Communication and Network Theory, Technology, and Application (ICS) – Information Law, Investigation, and Ethics (IIL)

Information Technology Expert Certificates (cont.)
• Information Security Technology Curriculum
– Information Security Concepts – Communication Network Security Technology – System Security Technology – Principles and Applications of Cryptography

• From 2005, each year ISSC cooperates with the Education & Training Division to provide the 93-hour ISTC course to 200 agency officials.

GSN Vulnerability Scanning & Patching
• Remotely scans more than 19,000 IPs of the GSN (Government Service Network) periodically for known weaknesses, including
– Viruses or worms – Important system vulnerabilities published by SANS – Unsafe authentication settings published by SANS

• Scanning reports are then provided to each vulnerable agency so it can patch and fix the weaknesses found.
• 98% of the vulnerable IPs pass the double-check rescan scheduled for the following quarter.

e-Government Patch Compatibility Testing
• Goal: prevent e-Government application systems from malfunctioning after Microsoft patches are applied
• ISSC coordinates government agencies to install their e-Gov application systems in the Microsoft Taiwan Testing Center for patch compatibility verification
• Virtual machines simulate the client-server operating environment of the applications, covering Windows XP SP2, Windows 98, Windows 2000, and Windows 2003
• Two application systems have been tested and verified so far. ISSC and Microsoft Taiwan developed testing procedures from these two cases and will provide them to agencies for reference.

IT Security Common Guidelines for Agencies
• Various working groups in NICST develop different guidelines for agencies.

Development Roadmap of IT Security Common Guidelines (working groups and deliverables)
– General Business WG (STAG), Std. & Spec. WG (MOEA), Report & Response WG (RDEC): Agency Info Security Classification Rules; IT Outsourcing Security Guidelines; Incident Response Guidelines; File Encryption Operation Guideline; Standards of IT Security Technique & Management
– ISMS Guidelines for Executive Yuan (Cabinet) & Subordinate Agencies (CNS 17800)
– Audit Service WG (DGBAS): IT Security Audit Guideline (NSA)

IT Security Common Guidelines for Agencies (cont.)
• In 2005, ISSC helped RDEC develop
– Development Roadmap of IT Security Common Guidelines – ISMS Guidelines for Executive Yuan (Cabinet) & Subordinate Agencies – IT Outsourcing Security Guidelines – Incident Response Guidelines – File Encryption Operation Guideline

• More guidelines will be developed according to the "Development Roadmap of IT Security Common Guidelines" over the next few years

International Cooperation
• ISSC is a member of international IT security organizations, including FIRST and APCERT (both under the name TWNCERT) and AVAR.
• International cooperation projects
– Honeynet project with JSOC (Japan) – SOC project with e-Cop (Singapore) and VeriSign (US)

• Found a previously unknown buffer-overflow vulnerability in icm32.dll of Office XP/2003 and reported it to MSRC (Microsoft Security Response Center), which issued the MS05-036 patch accordingly.

• Cooperated with the Bureau of Investigation, Ministry of Justice to handle international phishing incidents from ?? countries

Incident Handling Statistics of Gov.
From 2001 to 2004 (incidents handled, by type and year)

Incident Type                              2001   2002   2003   2004
Password Guessing                             0      0      1      1
System vulnerability                          0      1      6      0
Misconfiguration                              0      8     51     43
Malicious Code                                3      4     12     95
Spoofing                                      1      0      0      0
Application Error                             0      0      7     38
DoS / DDoS                                    0      0      3      1
Reason Unknown                               10     34      9     12
Vulnerability scan / security check only      1      1      1      1
Web Defacement                                2     48    104     91
Others                                       11      0      4      1
Total                                        28     96    198    289

Challenges in Defense Layer and Depth
(Defense depth, from outside in: Internet, DMZ, Internal Network, End-user Machine. Defense layers: Network, Session, Application, Data.)

Anti-Virus (Data layer)
• Can't effectively detect unknown malicious code written for a special purpose or delivered by means of social engineering
• Malicious email forensics by ICST: 2004: 79 confirmed / 120 collected; 2005: 132 / 178

IDS/IDP (Application and Session layers)
• Requires professional expertise to fine-tune • Hard to interpret massive logs • False alarms

Firewall (Network layer)
• Requires professional expertise to fine-tune • Hard to interpret massive logs • Hard to configure to detect malicious traffic from inside

Personal Firewall (End-user Machine)
• Certain configuration complexity for the end user • Not widely adopted

Defense Layer and Depth Enhancement for GSN
• ISSC solutions: HoneyNet, Registry Monitor, SOC, Internal Alert System, Personal Firewall
• Placed alongside the existing Anti-Virus, IDS/IDP and Firewall controls across the Data, Application, Session and Network layers
• Defense depth covered: Internet, DMZ, Internal Network, End-user Machine

Results of ISSC Solutions

HoneyNet
• Deployment: 1 (located at ISSC)
• 2005 Plan: deploy to 3~6 agencies
• Results: captured 5 hacker break-ins; recorded hacker break-in and attack methods; long-term tracking and monitoring of stepping stones

Forensics & Recon
• Deployment: N/A
• 2005 Plan: provide training and an installation CD to all agencies; Forensics Lab in ICST
• Results: captured 6 hacker break-ins; captured 8 virus outbreaks; presented at the 2005 FIRST conference; malicious email forensics (211 confirmed / 298 collected); 250+ backdoors and hacker tools; found the MS05-036 vulnerability; long-term tracking and monitoring of stepping stones; cooperation with law enforcement and the national security agency

Internal Alert System
• Deployment: 14 agencies

NSOC & Alert Issuance
• Deployment: 6 agencies
• 2005 Plan: 9 agencies / 32 networks
• Results: issued 33 intrusion alerts, 4 vulnerability alerts and 20 web defacement alerts in 2005; formed an early warning alliance and completed the Incident Data Exchange Common Format

Concept of Early Warning Alliance
• Cyber vs. Physical analogy
– CERT community ↔ Interpol
– Each country (1, 2, ... n): N-SOC and C-SOC ↔ each country's Police Force
– Government sector and private sector: P-SOC outsourced to a commercial SOC ↔ commercial guard; own P-SOC ↔ own guard

Early Warning Alliance
• To enhance early warning capability, a common format that allows incident data to be exchanged between SOCs has been developed by a joint alliance coordinated by ISSC.
• Early Warning System at each participating SOC: NIDS sensor and HIDS sensor → correlation engine → event filter → incident data analysis & extraction → common-format XML translator → HTTPS transmitter, sending common-format incident reports and alert reports to the NSOC
• NSOC platform: HTTPS receiver → common-format incident analysis → incident analysis system → incident database → statistics / analysis, with alerts issued to critical agencies

Incident Data Exchange Common Format
• IODEF-like (IDMEF compatible) data exchange format
• IncidentData contains one or more Incident elements (1..*); each Incident carries ENUM attributes purpose and restriction and the following children:
– IncidentID (STRING, with a STRING name attribute indicating which SOC assigned this code)
– Description: incident description (might be multiple)
– Contact: SOC contact window (might be multiple)
– ReportTime
– StartTime, EndTime (0..1 each): incident report start and end time
– Method (0..*): incident method data (might be multiple)
– Assessment (1..*): incident assessment (might be multiple)
– EventData (0..*): incident source, target and statistic data (might be multiple)

Incident Data Exchange Software Architecture
Server side (N-SOC)
• Servlet container running a Java program: HTTPS communicating, validating parser (NSOC DTD), XML parsing, event logging into the DB
• Stack: DOM API, JDK, JVM, O.S.

Client side (other SOCs)
• Java program: event collecting / filtering of IDS data, XML composing (NSOC DTD), validating parser, HTTPS communicating with a PKCS#12 client certificate
• Stack: DOM API, JDK, O.S.

• Provided by ISSC
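As an added illustration of the exchange pipeline, the common format and the client/server roles on the preceding slides (this is not ISSC's Java code, and the NSOC DTD is not reproduced on the slides): a stdlib-only Python sketch in which the client side filters constructed sensor events, extracts one incident and composes the common-format XML, and the server side validates the document against the data model before parsing it. The enum values (borrowed from IODEF), the event tuple layout, the attributes on IncidentID, Assessment and EventData, the child-element order, the SOC/contact names and the sample events are all assumptions made for the example.

```python
"""Added example (not ISSC's Java code nor the NSOC DTD, which the slides do not reproduce).
Client side: filter sensor events, extract an incident, compose common-format XML.
Server side: validate against the data model on the slides (assumed enums/attributes/order), parse."""
import xml.etree.ElementTree as ET

PURPOSE_VALUES = {"traceback", "mitigation", "reporting", "other"}      # assumed ENUM values
RESTRICTION_VALUES = {"public", "need-to-know", "private", "default"}  # assumed ENUM values
# Children of <Incident>, in the order the DTD is assumed to require: (name, min, max or None)
INCIDENT_CHILDREN = [("IncidentID", 1, 1), ("Description", 0, None), ("Contact", 1, None),
                     ("ReportTime", 1, 1), ("StartTime", 0, 1), ("EndTime", 0, 1),
                     ("Method", 0, None), ("Assessment", 1, None), ("EventData", 0, None)]
# Constructed sample sensor events: (timestamp, sensor, signature, src, dst, priority; 1 = highest)
SAMPLE_EVENTS = [
    ("2005-11-03T01:12:04Z", "nids-01", "SSH brute force", "203.0.113.7", "192.0.2.10", 2),
    ("2005-11-03T01:12:09Z", "nids-01", "SSH brute force", "203.0.113.7", "192.0.2.10", 2),
    ("2005-11-03T01:14:51Z", "hids-22", "Web shell upload", "203.0.113.7", "192.0.2.44", 1),
    ("2005-11-03T01:15:00Z", "nids-01", "ICMP echo", "198.51.100.9", "192.0.2.10", 4),
    ("2005-11-03T01:20:33Z", "nids-02", "ICMP echo", "198.51.100.9", "192.0.2.44", 4),
]

def filter_events(events, max_priority=3):
    """Event filter: drop low-priority noise before correlation."""
    return [e for e in events if e[5] <= max_priority]

def extract_incident(events):
    """Incident extraction: correlate on attacker source; keep timing, methods, flow counts."""
    by_src = {}
    for ts, _sensor, sig, src, dst, prio in events:
        by_src.setdefault(src, []).append((ts, sig, dst, prio))
    src, evs = max(by_src.items(), key=lambda kv: len(kv[1]))  # busiest source = actor
    times = sorted(e[0] for e in evs)
    flows = {}
    for _ts, _sig, dst, _prio in evs:
        flows[(src, dst)] = flows.get((src, dst), 0) + 1
    return {"source": src, "event_count": len(evs), "start": times[0], "end": times[-1],
            "methods": sorted({e[1] for e in evs}), "flows": flows,
            "severity": "high" if min(e[3] for e in evs) == 1 else "medium"}

def compose_incident_xml(incident, soc_name, incident_id, contact, report_time,
                         purpose="reporting", restriction="need-to-know"):
    """XML translator: build the common-format document (ElementTree escapes text and attributes)."""
    root = ET.Element("IncidentData")
    inc = ET.SubElement(root, "Incident", purpose=purpose, restriction=restriction)
    ET.SubElement(inc, "IncidentID", name=soc_name).text = incident_id  # name = assigning SOC
    ET.SubElement(inc, "Description").text = (
        f"{incident['event_count']} correlated sensor events from {incident['source']}")
    ET.SubElement(inc, "Contact").text = contact
    ET.SubElement(inc, "ReportTime").text = report_time
    ET.SubElement(inc, "StartTime").text = incident["start"]
    ET.SubElement(inc, "EndTime").text = incident["end"]
    for method in incident["methods"]:
        ET.SubElement(inc, "Method").text = method
    ET.SubElement(inc, "Assessment", severity=incident["severity"])
    for (src, dst), n in sorted(incident["flows"].items()):
        ET.SubElement(inc, "EventData", source=src, target=dst, count=str(n))
    return ET.tostring(root, encoding="unicode")

def validate_and_parse(xml_text):
    """Validating parser on the receiver: refuse anything outside the data model."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("inline DTD/entities refused; the receiver validates with its own DTD")
    root = ET.fromstring(xml_text)
    if root.tag != "IncidentData" or not root.findall("Incident"):
        raise ValueError("root must be IncidentData holding at least one Incident (1..*)")
    index = {name: i for i, (name, _, _) in enumerate(INCIDENT_CHILDREN)}
    parsed = []
    for inc in root.findall("Incident"):
        for attr, allowed in (("purpose", PURPOSE_VALUES), ("restriction", RESTRICTION_VALUES)):
            if inc.get(attr) not in allowed:
                raise ValueError(f"bad {attr}: {inc.get(attr)!r}")
        positions = [index.get(child.tag, -1) for child in inc]  # allowlist + DTD order
        if -1 in positions or positions != sorted(positions):
            raise ValueError("unexpected child element or children out of DTD order")
        for name, lo, hi in INCIDENT_CHILDREN:                    # cardinality
            n = len(inc.findall(name))
            if n < lo or (hi is not None and n > hi):
                raise ValueError(f"{name}: {n} occurrences, allowed {lo}..{hi or '*'}")
        iid = inc.find("IncidentID")
        parsed.append({
            "id": iid.text, "assigned_by": iid.get("name"),
            "purpose": inc.get("purpose"), "restriction": inc.get("restriction"),
            "report_time": inc.findtext("ReportTime"),
            "start": inc.findtext("StartTime"), "end": inc.findtext("EndTime"),
            "methods": [m.text for m in inc.findall("Method")],
            "severity": inc.find("Assessment").get("severity"),
            "flows": {(e.get("source"), e.get("target")): int(e.get("count"))
                      for e in inc.findall("EventData")}})
    return parsed
```

The receiver-side checks are the point of a validating parser on a network-facing N-SOC endpoint: refuse inline DOCTYPE/entity declarations (the receiver validates with its own DTD, never one supplied by the peer), accept only allowlisted child elements in the expected order, enforce the 0..1 / 1..* cardinalities from the data model, and reject unknown enum values, all before anything reaches the incident database. The transport shown on the slides (HTTPS with a PKCS#12 client certificate) is left out here; only the XML composition and parsing are exercised.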

Future Plan
• Enhance international cooperation through the International Group • Enhance IT security protection capabilities • Play the key role in government IT security • Provide security consulting services to organisations

Thank you very much