National Security Authority

Nov 30, 2013

Current State of Cyber Security in the Czech Republic

Content

- Cyber Security System in the Czech Republic
- Draft legislation
- Practical example: DoS Attacks in March 2013

Cyber Security System in the Czech Republic

Recent development in cyber security

Ministry of Interior
- 2010: Memorandum on National Cyber Security Incident Response Team with the CZ.NIC Association
- 2011: Strategy for Cyber Security 2011-2015 and accompanying Action plan

National Security Authority
- 2011: Decision of the Government n. 781 of 19th October 2011 - NSA appointed as authority responsible for the field of cybernetic security
- 2011: active participation in NATO exercise „Cyber Coalition 2011“
- March 2012: MoU with NATO on Cyber Defense signed
- 2012: Legislative intent of Law on Cyber Security approved by the Government (30th May 2012)
- 2012: Amendment of Strategy and Action plan
- September 2012: Start of operation of the Governmental CERT (IOC)
- November 2012: Participation in the „Cyber Coalition 2012“ exercise

Entities Active in Cyber Security

- Several teams in the Czech Republic are recognized by the international CERT/CSIRT community
- Operated by private or academic entities
- Crucial are GovCERT at the NSA CZ and National CERT (CSIRT.CZ) operated by the CZ.NIC Association, as well as Military CERT operated by the MoD

Responsibilities of the NSA in the field of Cyber Security

- Decision of the Government n. 781 of 19th October 2011
- NSA appointed as authority responsible for the field of cybernetic security
- Establishment of Council for Cybernetic Security
- NSA Director has to present draft law on cyber security to the Government
- NSA Director has to establish a fully operational National Cyber Security Centre by 31st December 2015 and, as its part, establish Governmental CERT

Cooperation with entities in the Czech Rep.

- Cooperation and consultation with governmental bodies and public administration
  - 2012 survey
  - NSA director's working group of experts
  - NCSC director's working group of CIOs
- Cooperation with expert community
  - Cooperation with universities
- Cooperation with other CERT / CSIRT teams - both national and international

International Cooperation

- NATO
  - participation at the Cyber Coalition exercise 2011 (as observer) and CC12 (as full participant)
  - MAR 2012: Signature of MoU with NATO on Cyber Defense
  - Information and experience sharing meetings with institutions in partner countries
- AFCEA
  - cooperation on the „Dictionary of Cybernetic Security“
- ENISA
  - representation of the Czech Republic in ENISA since JAN 2013

Draft legislation

Basic Principles

- Regulation by law: need to oblige both public and private entities (operators of critical infrastructure)
- Individual responsibility of the operator for security of its network (protection against external attack and against misuse of its network for attacks on other networks)
- Division of cyberspace into areas of competence of Governmental CERT (critical information infrastructure) and National CERT
- Cost effective, not infringing on the rights of private entities in an excessive manner

Governmental CERT

Has in its competence:
- IS of Public Governance
- Operators of Critical Information Infrastructure (in cooperation with Czech Telecommunication Office - fulfillment of license conditions regarding communication operators)

Basic duties of operators:
- Establishment of permanent communication channels with NSA;
- Protection of ICT systems according to NSA regulations;
- Incident reporting and implementing measures recommended by the NSA

National CERT

- Operated by a private entity on the basis of a public-law contract with the NSA
- Mediates information sharing, particularly for private entities, academic sphere, self-government and non-profit organizations not falling into the competence of the Governmental CERT

[Diagram: organisational scheme of the draft law - Government / Prime Minister; NSA Director; National Cyber Security Center with Governmental CERT/CSIRT (critical information infrastructure, ISs of public governance, important ISs) and National CERT/CSIRT (ISPs, important ISPs); CS Commission; state of cybernetic emergency; flows for reporting of incidents, implementation of security measures, implementation of counter-measures, and cooperation / information sharing]

Next steps

- May 2013: Interministerial consultation procedure on the draft Law on Cyber Security
- June 2013: Submission of the draft to the Government
- September 2013: Submission of the draft to the Government
- December 2013: Report on the state of cyber security for the Government (including private entities)
- beginning 2015: Law on Cyber Security in force
- NLT 31/12/2015: Fully operational National Cyber Security Center

EU Strategy on Cyber Security

- Issued by the Commission in February 2013
- Main tasks:
  - Reaching cyber resilience
  - Significant reduction of cyber crime
  - Development of policy and capabilities of cyber defence in the framework of Common Security and Defence Policy (CSDP)
  - Development of industrial and technological capabilities of cyber security
  - Coherent EU policy regarding cyberspace
- The Czech Republic already fulfils most of the goals (Cyber Security Strategy, governmental/national CERT)

EU Directive on Network and Information Security (NIS)

- Proposed by the Commission in February 2013
- To reach a high level of cyber security across the EU
- Cooperation of the Member States in this field
- Harmonization of standards in the field of cyber security and facilitation of information exchange among relevant actors

EU Directive on Network and Information Security (NIS)

Czech comments
- The draft is in line with our policy and we welcome it
- The Law on Cyber Security shall implement it into Czech legislation
- We have only partial comments:
  - To limit the scope to critical infrastructure
  - To allow greater flexibility for the member states (e.g. to allow more CERTs with nation-wide responsibility)

Practical example

DoS Attacks in March 2013

The Course of the Attacks I

- Monday 4th March: the attack targeted news servers; the servers involved were the largest and most visited news servers in the Czech Republic.
- Tuesday 5th March: the main page and login page of Seznam.cz, the largest portal and search engine in the Czech Republic with more than 150 000 daily registered users, were targeted. Seznam.cz was unavailable from 10:00 a.m. to 11:30 a.m. The attack reoccurred around 1:30 p.m. and resulted in intermittent unavailability of servers.


The Course of the Attacks II

- Wednesday 6th March: the attack targeted web servers of all major banks, resulting in unavailability of their webpages and internet banking services from approx. 9:30 to 11:00 a.m. The e-commerce service and some ATMs of Česká spořitelna bank were not operational for a short period of time as well. The second wave of attacks on the servers of Česká spořitelna bank came at 2:00 p.m.
- Thursday 7th March: the attack started at 9:30 a.m. and targeted servers of two (of three in total) major mobile telecom operators (Telefonica O2 and T-Mobile). Telefonica eliminated the attack around 10:00 a.m., T-Mobile around 11:00 a.m.
- Various other services were affected by the attacks as well (including the servers of the state governance) due to shared infrastructure. However, no critical infrastructure got involved.

Types of Attacks

The attacks utilized the so-called "three-way handshaking" feature of the Transmission Control Protocol (TCP).

Types of Attacks

SYN Flood
- The first attack (carried out on Monday and Tuesday) was a so-called "SYN flood" type of attack.
- A large number of SYN messages is sent to the targeted server, which replies with SYN-ACK messages.
- However, the ACK message never comes, and since the targeted server has to allocate certain capacity for the expected connection, its resources are soon depleted.

Types of Attacks

DRDoS
- The second type of attack (carried out on Wednesday and Thursday) was a Distributed Reflection Denial of Service (DRDoS) type of attack.
- The attacker sends SYN messages with the spoofed IP address of the target to third-party servers (reflectors).
- They reply with SYN-ACK messages to the target server and overload its capacities.
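The two mechanisms on the SYN flood and DRDoS slides above, as an added example that is not part of the original presentation: a small Python tracker of TCP handshake state for one protected server that flags (a) half-open connections piling up, the SYN flood symptom, and (b) SYN-ACKs arriving that answer no SYN the server ever sent, the reflection symptom. The server address, the packet records and the alert threshold are constructed assumptions.

```python
from collections import Counter

SERVER = "203.0.113.10"  # constructed address of the protected server

def analyse(packets, threshold=100):
    """Track handshake state for SERVER over (src_ip, dst_ip, flags) records,
    flags in {"S", "SA", "A"}, and flag SYN flood / reflection at threshold."""
    half_open = set()       # peers whose SYN to SERVER was never completed by an ACK
    pending_out = set()     # peers SERVER itself sent a SYN to (SERVER as client)
    reflectors = Counter()  # sources of SYN-ACKs that answer no SYN of ours
    for src, dst, flags in packets:
        if dst == SERVER and flags == "S":
            half_open.add(src)            # server allocates connection state here
        elif dst == SERVER and flags == "A" and src in half_open:
            half_open.discard(src)        # third step arrived: handshake complete
        elif src == SERVER and flags == "S":
            pending_out.add(dst)
        elif dst == SERVER and flags == "SA":
            if src in pending_out:
                pending_out.discard(src)  # legitimate reply to our own SYN
            else:
                reflectors[src] += 1      # reflected: our address was spoofed
    unsolicited = sum(reflectors.values())
    return {
        "half_open": len(half_open),
        "syn_flood": len(half_open) >= threshold,
        "unsolicited_synack": unsolicited,
        "reflectors": len(reflectors),
        "drdos": unsolicited >= threshold,
    }

def sample_syn_flood(n=150):
    """Constructed: n SYNs from spoofed sources, never ACKed, plus two real clients."""
    pkts = [(f"198.51.100.{i + 1}", SERVER, "S") for i in range(n)]
    for client in ("192.0.2.7", "192.0.2.8"):
        pkts += [(client, SERVER, "S"), (SERVER, client, "SA"), (client, SERVER, "A")]
    return pkts

def sample_drdos(n=120):
    """Constructed: one real outbound connection, then SYN-ACKs from n reflectors."""
    peer = "192.0.2.50"
    pkts = [(SERVER, peer, "S"), (peer, SERVER, "SA"), (SERVER, peer, "A")]
    pkts += [(f"198.51.100.{i + 1}", SERVER, "SA") for i in range(n)]
    return pkts

if __name__ == "__main__":
    print(analyse(sample_syn_flood()))  # syn_flood True, drdos False
    print(analyse(sample_drdos()))      # drdos True, syn_flood False
```

In production the same state would be keyed by (address, port) and aged out, since legitimate clients on slow links also leave connections half-open briefly; the point here is only which counters separate the two attack types.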

Conclusions

- No damage, but a lot of media attention.
- No one claimed responsibility and the motive also remains unknown.
- The tracking of packets during the attack showed that they came from the RETN network, operated mostly on the territory of the Russian Federation. Further tracking was not possible according to the RETN operator.
- The attacks were the first of similar scope on the territory of the Czech Republic and proved to be a valuable exercise of cyber security cooperation and of the capabilities of the private, state and academic entities.
- The cooperation and information sharing considerably improved during the attacks and resulted in an improved response to the attacks, which was probably the reason why the attacker ceased activities after four days.

Lessons learned

- The legal basis for sharing important operational data among the various companies and institutions active in cyber-security has to be established.
- The entities have to pay attention to the design of their IT infrastructure from the security perspective and include it in their crisis plans.
- The network of points of contact in the most important companies and institutions has to be established and kept updated.

End of Presentation

Questions?