Explore the practices of CERT in building national computer network emergency response capabilities, key challenges, cooperation efforts, and successful case studies from various cyber incidents.
The Practices of CERT: Building National Computer Network Emergency Response Capability
Mingqi CHEN, CNCERT/CC, APCERT
2005-1-28, APAN, Bangkok
Asia-Pacific
• APCERT (Asia Pacific Computer Emergency Response Team):
  • 15 Full Members now, including:
    • CNCERT/CC, AusCERT, JPCERT/CC
    • KrCERT/CC, IDCERT, MyCERT, PH-CERT, SingCERT, ThaiCERT, BKIS – Vietnam, SecurityMap Net CERT – Korea
    • CCERT, TWCERT, TW-CIRC, HK-CERT
  • LaosCERT is applying
  • WWW.APCERT.ORG / Mail list
• CIIP is one of the hottest topics in APCERT now
Europe
• European Government CERT: EGC
  • Comprised of the Government CERTs from UK, France, Germany, Finland, Sweden, Netherlands.
• TF-CSIRT: cooperation organization with focus on research issues
  • IODEF
  • TRANSITS
America
• Inter-American CSIRT Watch and Warning Network (2004.4 Framework)
  • Establish CSIRTs in each of the Member States;
  • Identify national points of contact in each State;
  • Establish protocols and procedures for the exchange of information;
  • Rapidly disseminate notice of such attacks throughout the region;
  • Provide rapid regional notice of general vulnerabilities in the system;
  • Provide regional warning of suspicious activities, and develop the cooperation needed for analysis and diagnosis of such activities;
  • Provide information on measures for remedying or mitigating attacks and threats;
  • Strengthen technical cooperation and training in computer security aimed at establishing national CSIRTs; etc.
• 23 countries participated, to set up national POCs that operate 24x7
CNCERT/CC
• Established in 2000
• Became a full member of FIRST in 2002
• At APSIRC2002, initiated APCERT with AusCERT and JPCERT/CC.
• At APSIRC2003, was nominated and elected as a Steering Committee member of APCERT
• In 2004, built up 31 branches across the country.
How Does CNCERT/CC Act?
• As an exchange center of information
  • From the national network security monitoring platform
  • From public incident warnings and reports
  • To set up reliable and expedited communication channels to all domestic and international CERTs.
• Direct all the regional branches to work together.
• Cooperate closely with Internet carriers.
• As a security technology research center.
• Provide the most trusted data to government and society.
Cases and Experiences (1)
• 2001: CodeRed/Nimda worms
  • Cooperated with all backbone carriers
• 2003: SQL Slammer worm
  • Monitoring platform and emergency response systems
• 2003: Deloader worm
  • Spread without exploiting a vulnerability;
  • Collecting and remotely controlling hosts
• 2003: MsBlaster/Nachi and 2004: Lsass worm
  • Cooperating with the IT industry
  • Challenges of large-scale DDoS
Cases and Experiences (2)
• 2004: Witty worm
  • Attacking prepared users
• 2004: Phishing
  • Involving multiple parties
  • Cooperation between domestic law enforcement and the CSIRTs or CCs of other nations
• Dec. 2004 and Jan. 2005: BotNets
  • More than 300,000 hosts infected by different bots
  • Important source of DDoS/SPAM/phishing/worms
  • Eradication is a long-term procedure
Projects
• IODEF
  • Triangle group with JPCERT/CC and KrCERT/CC
  • Internal group with quite a few CSIRTs and ISPs in China
• IHS
• 863-917 NetSec monitoring system
Monitoring system
• Gather information in time:
  • Abnormal traffic
  • Severe attacking behaviors (DDoS, etc.)
  • Misuse situations, etc.
• To:
  • Gain early warning capability
  • Judge the effectiveness of the control methods
• A lot of countries or areas are doing this
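The monitoring slide above lists what a national monitoring platform should collect (abnormal traffic, severe attacking behaviors such as DDoS) and why (early warning, judging whether controls work). The following is an added, self-contained example written for this page; it is not CNCERT/CC's 863-917 system or any code from the presentation. It assumes flow records of the form (timestamp, source, destination, destination port, bytes), uses constructed sample traffic, and applies three simple per-window detectors: one for port probing (many distinct targets from one source), one for DDoS-like floods (many distinct sources onto one destination) and one for byte-volume spikes against a baseline of earlier windows. The thresholds are illustrative, not values from the page.

```python
"""Toy early-warning detectors over flow records (added example, not CNCERT/CC code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since an arbitrary epoch (assumed record layout)
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port
    nbytes: int    # bytes carried by the flow


def _bucket(ts: int, window: int) -> int:
    """Start of the fixed-size time window that contains ts."""
    return ts - ts % window


def detect_port_scan(flows: List[Flow], window: int = 60, min_ports: int = 20) -> List[Tuple[int, str, int]]:
    """Sources touching >= min_ports distinct (dst, port) pairs in one window: (window, src, count)."""
    seen: Dict[Tuple[int, str], Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        seen[(_bucket(f.ts, window), f.src)].add((f.dst, f.dport))
    return sorted((b, s, len(p)) for (b, s), p in seen.items() if len(p) >= min_ports)


def detect_flood(flows: List[Flow], window: int = 60, min_sources: int = 50) -> List[Tuple[int, str, int]]:
    """Destinations hit by >= min_sources distinct sources in one window: (window, dst, count)."""
    seen: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    for f in flows:
        seen[(_bucket(f.ts, window), f.dst)].add(f.src)
    return sorted((b, d, len(s)) for (b, d), s in seen.items() if len(s) >= min_sources)


def detect_volume_spike(flows: List[Flow], window: int = 60, factor: float = 5.0) -> List[Tuple[int, int]]:
    """Windows whose byte volume exceeds factor x the mean of earlier non-alerting windows.

    Needs at least two earlier windows as a baseline; alerting windows are not added
    to the baseline so a sustained flood does not hide itself.
    """
    per_window: Dict[int, int] = defaultdict(int)
    for f in flows:
        per_window[_bucket(f.ts, window)] += f.nbytes
    alerts: List[Tuple[int, int]] = []
    baseline: List[int] = []
    for b in sorted(per_window):
        vol = per_window[b]
        if len(baseline) >= 2 and vol > factor * (sum(baseline) / len(baseline)):
            alerts.append((b, vol))
        else:
            baseline.append(vol)
    return alerts


def build_sample_flows() -> List[Flow]:
    """Constructed sample traffic (documentation-range addresses, not real data)."""
    flows: List[Flow] = []
    # Minutes 0-2: ten clients talk normally to one web server.
    for minute in range(3):
        for i in range(10):
            flows.append(Flow(minute * 60 + i, f"192.0.2.{i + 1}", "203.0.113.10", 80, 1500))
    # Minute 3: a single host probes 30 ports on one target (few bytes each).
    for p in range(30):
        flows.append(Flow(180 + p, "198.51.100.7", "203.0.113.20", 1 + p, 60))
    # Minute 4: 60 distinct sources hit the web server at once with large flows.
    for i in range(60):
        flows.append(Flow(240 + i, f"198.51.100.{100 + i}", "203.0.113.10", 80, 40000))
    return flows


def early_warnings(flows: List[Flow]) -> Dict[str, list]:
    """Run all detectors; the result is what an operator would be warned about."""
    return {
        "port_scan": detect_port_scan(flows),
        "flood": detect_flood(flows),
        "volume_spike": detect_volume_spike(flows),
    }


if __name__ == "__main__":
    for kind, hits in early_warnings(build_sample_flows()).items():
        print(kind, hits)
```

Running the detectors again on traffic collected after a control has been applied (a filter at a carrier, a takedown) and comparing alert counts per window is the simplest way to do what the slide calls judging the effectiveness of the control methods.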
THANK YOU
www.cert.org.cn
cmq@cert.org.cn