National Security Authority: Current State of Cyber Security in the Czech Republic

Page 1: National Security Authority

Page 2: Current State of Cyber Security in the Czech Republic

Page 3: Content

Cyber Security System in the Czech Republic

Draft legislation

Practical example – DoS Attacks in March 2013

Page 4: Cyber Security System in the Czech Republic

Page 5: Recent development in cyber security

Ministry of Interior

2010 Memorandum on National Cyber Security Incident Response Team with the CZ.NIC Association

2011 Strategy for Cyber Security 2011-2015 and accompanying Action plan

National Security Authority

2011 Decision of the Government n. 781 of 19th October 2011 - NSA appointed as authority responsible for the field of cybernetic security

active participation in NATO exercise „Cyber Coalition 2011“

March 2012 MoU with NATO on Cyber Defense signed

2012 Legislative intent of Law on cyber Security approved by the Government (30th May 2012)

Amendment of Strategy and Action plan

September 2012 Start of operation of the Governmental CERT (IOC)

November 2012 Participation in the „Cyber Coalition 2012“ exercise

Page 6: Entities Active in Cyber Security

Several teams recognized by the international CERT/CSIRT community exist in the Czech Republic

Operated by private or academic entities

The crucial ones are GovCERT at the NSA CZ and the National CERT (CSIRT.CZ) operated by the CZ.NIC Association, as well as the Military CERT operated by the MoD

Page 7: Responsibilities of the NSA in the field of Cyber Security

• Decision of the Government n. 781 of 19th October 2011 – NSA appointed as the authority responsible for the field of cybernetic security

• Establishment of the Council for Cybernetic Security

• The NSA Director has to present the draft law on cyber security to the Government

• The NSA Director has to establish a fully operational National Cyber Security Centre by 31st December 2015 and, as its part, establish the Governmental CERT

Page 8: Cooperation with entities in the Czech Rep.

Cooperation and consultation with governmental bodies and public administration:
• 2012 survey
• NSA director’s working group of experts
• NCSC director’s working group of CIOs

Cooperation with the expert community

Cooperation with universities

Cooperation with other CERT / CSIRT teams, both national and international

Page 9: International Cooperation

NATO – participation at the Cyber Coalition exercise 2011 (as observer) and CC12 (as full participant)

MAR 2012 – Signature of MoU with NATO on Cyber Defense

Information and experience sharing meetings with institutions in partner countries

AFCEA – cooperation on the „Dictionary of Cybernetic Security“

ENISA – representation of the Czech Republic in ENISA since JAN 2013

Page 10: Draft legislation

Page 11: Basic Principles

Regulation by law – need to oblige both public and private entities (operators of critical infrastructure)

Individual responsibility of the operator for security of its network (protection against external attack and against misuse of its network for attacks on other networks)

Division of cyberspace into the areas of competence of the Governmental CERT (critical information infrastructure) and the National CERT

Cost effective, not infringing on the rights of private entities in an excessive manner

Page 12: Governmental CERT

Has in its competence:
• IS of Public Governance
• Operators of Critical Information Infrastructure (in cooperation with the Czech Telecommunication Office – fulfillment of license conditions regarding communication operators)

Basic duties of operators:
- Establishment of permanent communication channels with the NSA;
- Protection of ICT systems according to NSA regulations;
- Incident reporting and implementing measures recommended by the NSA

Page 13: National CERT

• Operated by a private entity on the basis of a public-law contract with the NSA

• Mediates information sharing, particularly for private entities, the academic sphere, self-government and non-profit organizations that do not fall within the competence of the Governmental CERT

Page 14: [Diagram: organisational scheme of the cyber security system. Government and Prime Minister above the NSA Director and the National Cyber Security Center; the CS Commission alongside. The Governmental CERT/CSIRT covers critical information infrastructure, ISs of public governance and important ISs; the National CERT/CSIRT covers ISPs and important ISPs. Arrows show the state of cybernetic emergency, reporting of incidents, implementation of security measures, implementation of counter-measures, and cooperation and information sharing.]

Page 15: Next steps

May 2013 – Interministerial consultation procedure on the draft Law on Cyber Security

June 2013 – Submission of the draft to the Government

September 2013 – Submission of the draft to the Government

December 2013 – Report on the state of cyber security for the Government (including private entities)

Beginning 2015 – Law on Cyber Security in force

NLT 31/12/2015 – Fully operational National Cyber Security Center

Page 16: EU Strategy on Cyber Security

Issued by the Commission in February 2013

Main tasks:

• Reaching cyber resilience

• Significant reduction of cyber crime

• Development of policy and capabilities of cyber defence in the framework of the Common Security and Defence Policy (CSDP)

• Development of industrial and technological capabilities of cyber security

• Coherent EU policy regarding cyberspace

The Czech Republic already fulfils most of the goals (Cyber Security Strategy, governmental/national CERT)

Page 17: EU Directive on Network and Information Security (NIS)

Proposed by the Commission in February 2013

• To reach a high level of cyber security across the EU

• Cooperation of the Member States in this field

• Harmonization of standards in the field of cyber security and facilitation of information exchange among relevant actors

Page 18: EU Directive on Network and Information Security (NIS) – Czech comments

The draft is in line with our policy and we welcome it

The Law on Cyber Security shall implement it into Czech legislation

We have only partial comments:
• To limit the scope to critical infrastructure
• To allow greater flexibility for the member states (e.g. to allow more CERTs with nation-wide responsibility)

Page 19: Practical example – DoS Attacks in March 2013

Page 20: The Course of the Attacks I

• Monday 4th March – the attack targeted news servers; The servers involved were the largest and most visited news servers in the Czech Republic.

• Tuesday 5th March – the mainpage and login page of Seznam.cz, the largest portal and search engine in the Czech Republic with more than 150 000 daily registered users, was targeted. Seznam.cz was unavailable from 10:00 a.m. to 11:30 a.m. The attack reoccurred around 1:30 p.m. and resulted in intermittent unavailability of servers.

Page 21: The Course of the Attacks II

• Wednesday 6th March – The attack targeted the web servers of all major banks, resulting in unavailability of their webpages and internet banking services from approximately 9:30 to 11:00 a.m. The e-commerce service and some ATMs of Česká spořitelna bank were not operational for a short period of time as well. The second wave of attacks on the servers of Česká spořitelna bank came at 2:00 p.m.

• Thursday 7th March – the attack started at 9:30 a.m. and targeted the servers of two (of three in total) major mobile telecom operators (Telefonica O2 and T-Mobile). Telefonica eliminated the attack around 10:00 a.m., T-Mobile around 11:00 a.m.

• Various other services were affected by the attacks as well (including the servers of the state governance) due to shared infrastructure. However, no critical infrastructure got involved.

Page 22: Types of Attacks

The attacks utilized the so-called “three-way handshake” of the Transmission Control Protocol (TCP)

Page 23: Types of Attacks – SYN Flood

• The first attack (carried out on Monday and Tuesday) was a so-called “SYN flood” type of attack.

• A large number of SYN messages is sent to the targeted server, which replies with SYN-ACK messages.

• However, the ACK message never comes, and since the targeted server has to allocate certain capacity for the expected connection, its resources are soon depleted.

Page 24: Types of Attacks – DRDoS

• The second type of attack (carried out on Wednesday and Thursday) was a Distributed Reflection Denial of Service (DRDoS) attack.

• The attacker sends SYN messages with the spoofed IP address of the target to third-party servers (reflectors).

• They reply with SYN-ACK messages to the target server and overload its capacity.
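A defender-side check for the two patterns described on the SYN flood and DRDoS slides, added here as an example and not part of the presentation: it runs over a constructed packet log (all addresses are documentation ranges) and flags a server that piles up SYNs never completed by an ACK (SYN flood) and a host that receives SYN-ACKs from many peers it never sent a SYN to (reflection).

```python
from collections import defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


def _handshake(client, server):
    # A normal, completed three-way handshake: SYN, SYN-ACK, ACK.
    return [Packet(client, server, "SYN"), Packet(server, client, "SYN-ACK"),
            Packet(client, server, "ACK")]


# Constructed sample capture (not data from the presentation).
SAMPLE = _handshake("10.0.0.5", "203.0.113.10") + _handshake("10.0.0.6", "203.0.113.10")
# SYN flood: six sources open connections to 203.0.113.20 and never send the final ACK.
for i in range(1, 7):
    SAMPLE += [Packet(f"198.51.100.{i}", "203.0.113.20", "SYN"),
               Packet("203.0.113.20", f"198.51.100.{i}", "SYN-ACK")]
# DRDoS: reflectors 192.0.2.x answer spoofed SYNs, so 203.0.113.30 gets SYN-ACKs it never asked for.
for i in range(1, 7):
    SAMPLE.append(Packet(f"192.0.2.{i}", "203.0.113.30", "SYN-ACK"))


def detect_syn_flood(packets, min_syn=5, max_completion=0.2):
    """Return servers whose inbound SYNs are rarely completed by an ACK (half-open pile-up)."""
    syns, acks = defaultdict(int), defaultdict(int)
    for p in packets:
        if p.flags == "SYN":
            syns[p.dst] += 1
        elif p.flags == "ACK":
            acks[p.dst] += 1
    return {dst for dst, n in syns.items()
            if n >= min_syn and acks[dst] / n <= max_completion}


def detect_reflection(packets, min_reflectors=5):
    """Return hosts receiving SYN-ACKs from many peers to which they never sent a SYN."""
    sent_syn = {(p.src, p.dst) for p in packets if p.flags == "SYN"}
    unsolicited = defaultdict(set)
    for p in packets:
        if p.flags == "SYN-ACK" and (p.dst, p.src) not in sent_syn:
            unsolicited[p.dst].add(p.src)
    return {dst for dst, srcs in unsolicited.items() if len(srcs) >= min_reflectors}


if __name__ == "__main__":
    print("SYN flood targets:", detect_syn_flood(SAMPLE))    # {'203.0.113.20'}
    print("Reflection victims:", detect_reflection(SAMPLE))  # {'203.0.113.30'}
```

The thresholds are illustrative; on a real capture they would be tuned to the normal SYN rate and handshake completion ratio of the monitored service.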

Page 25: Conclusions

• No damage, but a lot of media attention.

• No one claimed responsibility and the motive also remains unknown.

• The tracking of packets during the attack showed that they came from the RETN network, operated mostly on the territory of the Russian Federation. Further tracking was not possible according to the RETN operator.

• The attacks were the first of similar scope on the territory of the Czech Republic and proved to be a valuable exercise of the cyber security cooperation and capabilities of private, state and academic entities.

• Cooperation and information sharing considerably improved during the attacks and resulted in an improved response to the attacks, which was probably the reason why the attacker ceased activities after four days.

Page 26: Lessons learned

• The legal basis for sharing important operational data among various companies and institutions active in cyber-security has to be established.

• The entities have to pay attention to the design of their IT infrastructure from the security perspective and include it in their crisis plans.

• The network of points of contact in the most important companies and institutions has to be established and updated.

Page 27: End of Presentation – Questions?