International Telecommunication Union
ITU-T Cybersecurity Symposium - Florianópolis, Brazil, 4 October 2004
Cyber Security in Korea
Woo Han KIM
Head of KISC/KrCERT
Vice President of KISA
Republic of KOREA
Contents
A. Internet Positive Aspects
B. Internet Negative Aspects
C. Big BANG, Triggering Point
D. KISC’s Role
E. Hands-on Experience
A. Internet Positive Aspects
1. Network & Connectivity
AS Path Length Graph, `Yearly' Graph (1 Day Average)
Avg. length : Max 5.0, Average 4.0, Current 5.0
Max. length : Max 33.0, Average 29.0, Current 30.0
Src. : http://www.cymru.com/BGP/asnpalen01.html
Src. : www.caida.org
A. Internet Positive Aspects
2. Application Change
[Figure: Client/Server Type (one Server, several Clients) beside Pure Distributed Type (Peers only)]
Src. : www.boardwatch.com
A. Internet Positive Aspects
3. Volume Size of Internet
Items                | China     | Japan    | Korea   | World
Internet Users       | 87,000K   | 77,300K  | 30,000K | 785,710K
% in Global          | 10.1%     | 9.8%     | 3.7%    | Others: 76.4%
’00-’04 CAGR         | 253.3%    | 37.1%    | 53.5%   | 118.9%
Pop. (K)             | 1,327,976 | 127,944  | 47,136  | 6,453,311
No. of IPv4          | 47,584K   | 112,587K | 31,504K | 4,300M
High Speed Users (K) | 17,700    | 13,150   | 11,500  | N/A
Src.: www.internetstats.com & etc.
A. Internet Positive Aspects
4. Korea Internet Infrastructure
Internet
70+ ISPs
86,000+ Leased Line
11+ Million High Speed Internet
B. Internet Negative Aspects
1. Worldwide Malicious Codes
Mal. Code (Worm, Virus, Trojan/RAT)
Yr.  | Worm  | Virus  | RAT
1991 | 16    | 1,000  | 15
1992 | 17    | 2,600  | 20
1993 | 17    | 4,000  | 21
1994 | 17    | 5,900  | 21
1995 | 18    | 8,000  | 23
1996 | 22    | 15,000 | 27
1997 | 24    | 16,500 | 104
1998 | 127   | 24,000 | 443
1999 | 165   | 30,000 | 1,679
2000 | 271   | 49,000 | 4,754
2001 | 1,102 | 60,000 | 9,742
2002 | 1,978 | -      | 13,085
2003 | 2,488 | -      | 14,432
[Figure: chart of Worm, Virus and RAT counts by year, 1991 to 2003; vertical axis 0 to 60,000]
RAT [Remote Administration Tool]: a Trojan that, when run, provides an attacker with the capability of remotely controlling a machine via a "client" on the attacker's machine and a "server" on the victim's machine.
Src. : www.pestpetrol.com
B. Internet Negative Aspects
2. System Vulnerability Points
[Figure: ISP network diagram. Labels: Home, Splitter, Cable Modem, D/U Modem, Dial-Up, HDSL-RT, CPE, DSLAM, WLL, ONU, CATV Head End, Video RP, CM, Router L/L (2W, 4W), ISP Network Gateway, GigaPOP (x3), Peering, KRNET, ISP1 ... ISP N, International Internet, Foreign ISP, Server Farm (DNS, DBMS, Web, FTP, Web Mail)]
Vulnerability points marked on the diagram: BIND, B-O/F, SendMail, Apache/IIS, SQL, Explorer, IOS/JuNOS, MS : Patch !!, Hijacking, Conf. Error, BGP4
B. Internet Negative Aspects
3. Incidents depending on OS
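[Figure: two pie charts of incidents by OS, labelled 2002 and 2003; values as extracted]
First chart : Windows 95/98 33.5%, Windows NT/XP/2000 62.6%, Linux 3.7%, Solaris 0.2%, etc. 0.1%
Second chart : Windows 95/98 41.3%, Windows NT/XP/2000 44.8%, Linux 11.3%, Solaris 1.8%, etc. 0.8%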
Windows incidents are increasing now and malicious traffic is overwhelming ….
Src. : www.krcert.org
C. Big Bang - Triggering Point
1. Slammer Worm (’03.1/25)
Some Parts of Slammer Source Code
PSEUDO_RAND_SEND:
    mov eax, [ebp-4Ch]      ; load the current generator state
    lea ecx, [eax+eax*2]
    lea edx, [eax+ecx*4]
    shl edx, 4
    add edx, eax
    shl edx, 8
    sub edx, eax
    lea eax, [eax+edx*4]    ; eax = state * 214013
    add eax, ebx            ; add the increment held in ebx
    mov [ebp-4Ch], eax      ; store the new state
[Worldwide Phenomena]
-. Too fast to respond : Warhol
-. Too many impacted servers
-. Too widespread to co-ordinate
-. Too many re-tries to connect
=> Most Effective WORM !
Src: www.internetpulse.net
C. Big Bang - Triggering Point
2. Lesson from Slammer Worm
Secure Internet
Gov. : Law Enforcement & Sec. Awareness PR
Agency : On-Line Surveillance System
Home : Up-to-date Patch
Corp. : Security Awareness & CERT
SW Vendor : More Secure SW and Application
ISP : Network Security Investment & Enhancement
C. Big Bang - Triggering Point
3. What the Korean Gov. Has Done
Security Awareness : 2003 – 2004
-. Security Inspection for the SME ( Free of Charge )
-. Incidents Handling Manual for PC, ISP, IDC, Corp.
-. Monthly Information Security Campaign
Launching KISC : 2003. 12. 17
-. 24h X 7d Operation
-. 5 min. Information Analysis (Traffic, port, incidents)
-. Korea Internet Security Coordination (KrCERT/CC)
Law Enforcement : 2004. 1. 29, Rev. 2004. 7. 30
-. Security Inspection (ISP, IDC, Main Portal..)
-. Information Sharing Obligation with KISC
-. Emergency Response to Block Malicious Port #
D. KISC’s Role
1. National Cyber-Sec. Framework
[Figure: information-sharing framework. Labels: Private Sector (ISPs, AV, MSSP), Public Sector (Gov. Agencies : SPPO, NPA, NIS), Information Sharing, Info. Sharing System, Co-Work, Incident Reports & Case Study, Technology & Information]
Public Sectors :
* NIS : National Information Service
* SPPO : Supreme Public Prosecutors’ Office
* NPA : National Police Agency
Private Sectors :
* ISP : KT, DACOM, Hanaro ..
* MSSP : Coconut ..
* AV : Ahnlab, Hauri
D. KISC’s Role
2. KISC’s Task and Job Flow
[Figure: KISC job flow diagram, labels as extracted]
KISC stages : Detect, Analysis, Propagation, Recovery
Sources : Remote Agent, Notice Mail, IDS/Firewall, User, S/W, H/W, AV/Vaccine, ISP/ESM, Vul., Worm Detc., Foreign Info.
Notification : Web, SMS, Messenger, FAX, TRS
Parties : Private Sectors, Home Users, Press & TV/Radio, ISP Hot Liners, Major ISPs & MSSP, Foreign Ptn
D. KISC’s Role
3. KISC’s Today & Tomorrow
[Figure: KISC co-operation diagram centred on www.krcert.org, labels as extracted]
Domestic : Domestic Agency, I S Ps, IDC/SO/IDC, Nat’l Cyber Help Desk, Bank/Stock ISAC, Telecom ISAC, Home Users, Corporate, Security ASP
Foreign : Foreign Agency, Foreign Organization, Sec. Info. Exchange, Global co-work, APEC, Global, US, Jp., Cn. CERT
Information : Net/ Vul, Windows Vul., Unix/Linux Vul, OSS, Maker, Patch Info., Virus/Attack Sample, Ctr. for System Vul.
Other labels : HoneyNet, Hacker/Intruder, VC, VC 1, VC 2, BackUp
E. Hands-on Experience
1. Phishing Scam
Reported by : foreign CERTs or victim organizations, Response with ISPs
Major Victim : US-Bank, City Bank, Bank of America, Brazilian Bank ITAU etc.
[Figure: bar chart, No. of Incidents reported to KISC, by month from Jan to Aug; vertical axis 0 to 35; data labels as extracted: 25, 26, 0, 24, 35, 22]
E. Hands-on Experience
2. Anti-SPAM Activities
Procedure : Reported by Users or ISP (Mail Service Providers)
Countermeasure : On-site Inspection and Criminal Inspection with Prosecutors
[Figure: spam flow diagram with numbered steps. Labels: Spammer, Abettor, Compromised PCs, Malicious Code Install, Zombie Server, Lists Update, Mail Server DNS Query, Over Load, DNS Server, Mail Server, SPAMMing, SPAM Users]
E. Hands-on Experience
3. Anti-BOT (Zombie PCs) Activities
Procedure : Reported by Agencies for the IP-Lists of Compromised PCs
Response : Block the Relay-Servers and Notify the Infected Users
[Figure: chart, No. of Zombie PCs, 2004; horizontal axis Apr XX, May XX, May YY, Jun XX, Jun YY; vertical axis 0 to 350,000; series Cnty A, Cnty B, Cnty C, Cnty D, Cnty E]
E. Hands-on Experience
4. Sec. Awareness and Support
Security Awareness Activity
1). Security Education for : Security Divide Sector ( SME, PC Plaza, Users etc. )
2). Publishing Cyber Security Manuals ( Manual + CDs )
Individual User, Corporate Network Operator
ISP, IDC, PC-Plaza Operator
Encouraging to establish CERT
Operation of CONCERT ( CONsortium of CERT : 228 in Korea )
On-Site Security Inspection for the SME ( ~ 2004 )
Target : 1,000 SME with Security Divide Sectors
Inspection and Training ( Free of Charge )
E. Hands-on Experience
5. Epilogue
To ISP and ISV : Security is the last business area.
To whom it may concern : We need more collaboration.
[Figure: chart with series H/W, S/W and Service, in Million US$. Src : IDC ( 2003.3 )]
E. Hands-on Experience
6. Qs & As
Thanks !
For any further information, please contact :
KIM, Woo Han : [email protected]