Roadmap for Achieving Cyber Security - Arab Countries




المرصد العربي الاقليمي للامن السيبيري
Regional Arabic Observatory for Cyber Security
Inaugural Meeting of 8th February 2010, Beirut, Lebanon
Alaa Al-Din (Aladdin) Jawad Kadhem Al-Radhi
alradhi2000@yahoo.ca, alaalradhi@hotmail.com
Amman, Jordan, +962 796347600

My Slides: Vision, Profile, Final Words

Profile
- Bachelor, Electrical Engineering, College of Engineering, Baghdad University, Iraq
- Masters, CINS: Computer Information Network Security, DePaul University, Chicago, Illinois, USA
- Passionate / Advocate of New Horizons: Science, Technology, ICT & Internet for the best interests of humanity, environment, education, e-services & living conditions
- Committed to ICT Success Factors & 21st Century Information / Economic Society demands, research & promotion
- Advisory Council Member: PIR: Public Interest Registry www.pir.org
- Board of Trustees: AKMS: Arab Knowledge & Management Society www.akms.org
- IGF Ambassador & Global Member: ISOC: Internet Society www.isoc.org
- President: IPv6 Forum Jordan & Iraq Chapters www.ipv6forum.com
- Alumni, ASK & International Contact: DePaul University Chicago, USA / School of CDM: Computing & Digital Media, www.depaul.edu
- Fellow: ITU, MENOG, RIPE, ICANN & DIPLO Foundation
- Member: IEEE, COMSOC, ISCRAM, ICIE, ACS, UN-GAID, JORLA, Internet 2 SIG & EU MED CONNECT 2, Arab Computer Society
- Awarded Information Share Winner 2007-2009: ASIS&T: American Society for Information Science & Technology www.asis.org

Profile: My Beliefs & Mottos
- The ONLY real security a person can have in this world = a reserve of knowledge, intent, experience, ability & action
- We must NOT only learn but adapt!
- There is NO answer, but ONLY solutions
- Think Global, Act Local
- You can NOT gain ground if you are standing still!

Profile: My Multi-Disciplinary Works & Themes: What?

Main Issue / Topic: Sub-Categories
- Security: Human, Cyber, Network, Information, Metrics, What Works, Best Practices, Solutions Integrations, Infrastructures, In-Depth, Penetration Testing, GSM, Wireless, Risk Analysis, CERT (Computer Emergency Response Team), IDS/IPS, DNSSEC (the foreseen level of DNS security), Biometrics, Assurance, ISO 27001, Policies, Standards, Architecture, Forensics
- Information Society: ICT4D, Socio-economic, e-gov., e-learning, Digital Divide, Digital Societies
- Emerging Technologies: IPv6, DNSSEC, Network Convergence, Sensor Networks, Cloud Computing, Grid Computing, Fiber, Broadband, Internet 2, Web 2.0 / Web 3.0, Cognitive Spectrum, Green IT, Data Centers, Virtualization, NGN (Next Generation Network), 4G, RFID (Radio Frequency ID), Ubiquitous Computing
- Others: Mind Maps, Thinking Hats, Knowledge Management

Profile: My Multi-Disciplinary Works & Themes
(1) With Whom (Multi, Global, Regional). Major: ITU, ISOC, RIPE, Internet 2, EU MED 2, PIR, IPv6 Forum, IEEE, ISCRAM, ASIS&T, Diplo, ETSI, WSIS, EU FP7, MENOG, ACS, AKMS, ASTF, Universities, Govts, ISPs, IPv6 TFs
(2) My Capacity: Researcher, Capacity Builder, Visionary & Think Tank, Advisor & Counselor, Outreach & Networking, Instructor & ToT, Roadmap Builder, Start Actions
(1) + (2) = (3) Why: Raise Awareness, Technology Transfer, Highlight Needs, Assessments, Evaluations, Match-Making, Enthusiasm
(1) + (2) + (3) = Win-Win: Regional Promotions, Stay Abreast, Collaborations to global standards, Effective Programs that work, Technology Transfer to our region

The Problem: Internet = a hostile network like the Wild West WITHOUT a sheriff!

Cyber Security Risks come from:

Cyber Security Risk Types:

Some of Today's Alerting Facts (1/2): Statistics as of 21 Jan. 2010
- DNS, long believed to be a concrete backbone of Internet security, has severe flaws. In April 2009, the Internet was about to shut down due to that. Thanks to Dan Kaminsky.
- Despite DNS being deployed for a decade so far, 80% of global government web sites misconfigure DNS security! For private .COM, the related skills are badly needed.
- DNSSEC (the ONLY viable solution to DNS threats) is rarely deployed on country-level domains and postponed for top-level domains to end 2010 / early 2011, as hoped! (Please see my accompanying DNSSEC slides.)
- Companies fight an ENDLESS war against computer attacks, as hackers are getting stronger with sophisticated composite means. They have started to use a technique which leaves NO trace to follow. Also, whenever an adaptive standardized protection scheme is used by many, attacks become more probable!
- Threat schemes change continuously. For example, DDoS (Distributed Denial of Service) attacks are back, stronger & more diverse.
- With Facebook (& other social networking sites), the problem gets worse, as personal data are susceptible to fraud.

Some of Today's Alerting Facts (2/2): Statistics as of 21 Jan. 2010
- The Conficker worm (which constituted 78% of Internet attacks in 2009) hasn't gone away. It is a foreseen ghost for security professionals!
- Infections by botnets (hackers' networks) are increasing with new generations of zombies, with an estimate of a globally distributed 50-100 million. They create underground channels.
- 80% of 1.5 trillion daily emails (worldwide) = spam + worms + viruses + malware + spyware, etc.!
- The international security defenders keep learning & sharing from lower ground, while the attackers easily keep up coordinated, aggregated attacks while standing on higher ground!
- With cloud computing emerging and being gradually adopted, your data need to be concretely protected.
- With more wireless communications deployments, attacks on its protocols are getting much easier.

What to do when you know the following facts:
- Every 20 minutes of any attack needs 36 hours of analysis, ONLY by the best internationally recognized security experts!
- When the attack analysis is done and the counter-measures are being prepared for launch, the attack method will most probably be changed by the attackers!
- The current Internet is facing 2 major flaw issues (security-wise):
  1. A close depletion (ONLY 9% left on a global level) of the current version (IPv4) Internet Operational Protocol. The complete depletion is expected somewhere between 2011 and 2012. IPv6 is the ONLY coming solution for IPv4 scarcity & security, especially with the gradually converged worlds of telecommunications + Internet.
  2. Hijacking of DNS. DNSSEC is the ONLY way ahead.
- While other countries (USA, EU, China, South East Asia, Latin America) started rushing to overcome (1) & (2) by deploying IPv6 & DNSSEC gradually, our region is still ONLY in the baby steps of related awareness! ONLY Africa is behind us!

ONLY 9% of usable IPv4 address space is available

Know your enemy: Attack Strategy
- Step 1: Disorganize & disrupt transportation networks: railway, air control, road traffic lights, communication networks
- Step 2: Attacks against the financial systems and against the communications networks: stock market exchange, telephone networks
- Step 3: Attacks against resources and services distribution: water supply, gas distribution, nuclear plants, electricity
- Hint 1: Did you know that the Internet revolution has NOT started yet! With Internet 2, IPv6, NGN & Mobile-Internet convergence SOON AHEAD, are you ready & prepared for what the new attacks could be?
- Hint 2: The power of a country lies in its ability to impose security standards + be promptly receptive to counter-measure reactions.

Cyber Security Challenges (1/3)
- Better security strategies & policies
- Better legal framework & regulations
- Better systems & processes
- Better technologies & tools
- Better skills
- Better cooperation & networks
- Better awareness
- Better Working Together

Cyber Security Challenges (2/3)
- The main challenge for national criminal legal systems is the delay between the recognition of potential abuses of new technologies & the necessary amendments to the national criminal law.
- Law-makers must continuously respond promptly to Internet developments & monitor the effectiveness of existing provisions.
- Specific departments are needed within national law enforcement agencies which are qualified to investigate potential cyber crimes:
  - Computer Emergency Response Teams (CERTs)
  - Computer Incident Response Teams (CIRTs)
  - Computer Security Incident Response Teams (CSIRTs)
- The identification of gaps in the penal code. What is considered an ICT crime in one country may NOT be in another.
- WITHOUT the international harmonization of national criminal legal provisions, the fight against trans-national cyber crimes runs into incompatible national legislations.
- Developing the right procedures for collecting, analyzing & law-effecting the digital evidence

Cyber Security Challenges (3/3): Enhancing & Regulating the E-Signature Law

Cyber Security Challenges: Legal System (1/2): There is NO out-of-the-box solution

Cyber Security Challenges: Legal System (2/2)

Our Cyber Security Objectives: Strategy (1/2)
- The main challenge for our region is finding the response strategies & solutions to the cyber crime threats.
- It's time for a comprehensive Anti-Cyber Crime Strategy
- Define & implement the related technical measures & safeguards
- Any Cyber Security Roadmap must address:
  - A developmental issue, because ICT services need secure and reliable networks
  - An economic issue relating to maintaining business continuity & disaster recovery
  - A law and enforcement issue to deal with cyber crime & criminalizing the misuse of ICTs
  - A national security issue relating to Critical Information Infrastructure Protection (CIIP)

Our Cyber Security Objectives: Strategy (2/2)
- Identify Government + National participants in Cyber Security CIIP:
  1. Identify the ministry/agency.
  2. Describe its role(s) in the development of policy & in operations of Cyber Security CIIP related to the economy, national security, & social interaction.
  3. Identify a point of contact for each entity & for each significant role.
- Include private sector perspectives in all stages of the development & implementation of Cyber Security CIIP policy.
- Establish cooperative arrangements between government & private sector for information sharing & incident management.
- Identify agency to provide the incident management capability function for watch, warning, response and recovery.
- Develop procedures & tools for incident management information.
- Assess and periodically reassess

Our Cyber Security Objectives: Cyber Culture Promotion (1/4)
- Awareness, Education & Training: Invest + Invest + Invest
- Collaborative Responsibility: Posters, Tool Kits, etc.
- Response: Ready Security + Forensics Teams
- Ethics: Conduct of Use, User Acceptable Policy (UAP), etc.
- Risk Assessment: Penetration Testing, Ethical Hacking, Vulnerabilities, etc.
- Security Design, Management & Implementation: Policies, Technical Standards, Operational Roadmaps, Who is doing What, Access Control, IT Audit, etc.
- Scheduled Monitoring & Verification

Our Cyber Security Objectives: Cyber Culture Promotion (2/4): The Risk Management Cycle

Our Cyber Security Objectives: Cyber Culture Promotion (3/4): The Defense In-Depth Approach: Protect All Net Layers

Our Cyber Security Objectives: Cyber Culture Promotion (4/4): The Patch Management Scenario: Protect All Systems

So: What Are Our Priorities? (1) An Eye on the World
- Closely watch what's happening internationally on the technical, policy, implementation & deployment tracks: IPv6, DNSSEC, cyber agendas, security advances
- See how related international expertise is reacting towards needs
- Domestic problems are linked to other parts of the world
- With the rapid development of globalization, predicting international instability & then achieving international security are becoming increasingly difficult.
- NO country can act alone
- Transfer international expertise to our region as appropriate.

So: What Are Our Priorities? (2) A 2nd Eye Locally
- Attract attention and commitment from Government (politics) & Administration on Information Security
- Support Administration actions when building capability
- Create a structured market for professionals & industry
- The Up-Bottom change scheme, in our region, has the fastest track. Local governments' policy makers & decision makers are the 1st target to be approached.
- Start small locally and then grow regionally. When governments' potentials take the lead, things will go smoother & faster.
- Lobby a campaign of multi-stakeholders for awareness, study groups, etc.
- See what local Cyber Security models exist. What works?
- Coordinate regional collaborations. Integration is better than differentiation. Defragmentation is the current scenery!

Our Cyber Security Task Sets: (1) General
- Develop guidelines, planning tools & manuals on Cyber Security technology / policy aspects
- Develop local Cyber Security toolkits for policy-makers and other relevant sectors.
- Develop training materials on technology strategies & technology evolution for the implementation of Cyber Security.
- Organize workshops, meetings and seminars to address technical, policy, legal and strategy issues for Cyber Security
- Provide assistance in developing laws & model legislation for Cyber Security prevention
- Identify Cyber Security requirements and propose solutions for the development of secure ICT applications.
- Assist in raising awareness and identify key issues to support a culture of Cyber Security, and recommend models of good practice to support ICT applications and minimize cyber threats
- Develop tools to facilitate information sharing on technology and policy issues, and on best practices relating to Cyber Security

Our Security Task Sets: (2) Establish Work Groups

WG Goal: Description
- Standards: Define a list of Information Security Standards to be adopted by the Administration. Support creating an Information Security System scheme. Support the experts representing the country at all international standardization bodies.
- Legal: Identify the weaknesses in legal context. Propose necessary evolution to appropriate actors.
- Education & Research: Education = propose a common official program for universities & high schools (+ secondary schools). Research = coordinate the activities.
- CERT: Establish a country Computer Emergency Response Team.
- Awareness: Identify audience and messages. Prepare and launch campaigns.
- Agency: Help creating a country Information Security Agency to provide strategy and coordination.

Information Security Fields to be addressed

Know your enemy: The Risk Cycle

Know your : Risk Analysis

Know your : IT Risk Assessment (1/3): Unknown How to Assess Threat

Know your : IT Risk Assessment (2/3): Unknown How to Assess Vulnerability

Know your : IT Risk Assessment (3/3): Unknown How to Assess Asset Value

Know your : Assess & Manage Risks

Know Why Needed: Security Policy (1/2)

Know Why Needed: Security Policy (2/2)

Operational Security Roadmap

What others are doing for Cyber Security? (1) ITU (1/2)
- Global Cybersecurity Agenda (GCA): fostering synergies & building partnerships & collaboration between all relevant parties in the fight against cyber-threats within five main areas:
  1. Legal Measures
  2. Technical & Procedural Measures
  3. Organizational Structures
  4. Capacity Building
  5. International Cooperation
- Child Online Protection (COP)
- Curbing Cyber-Threats
- Cybersecurity Gateway: www.itu.int/cybersecurity
- Others: Guidelines, Standards, Conferences & Study Groups

What others are doing for Cyber Security? (1) ITU (2/2)
ITU Publications:
- Cyber Security Guide for Developing Countries, Edition 2007
- National Cyber Security / CIIP (Critical Information Infrastructure Protection) Self-Assessment Tool, 2009
- Toolkit for Cybercrime Legislation, 2009
- Understanding Cybercrime: A Guide for Developing Countries, 2009

What others are doing for Cyber Security? (2) USA (1/6): Near-Term Action Plan 1/2, issued Nov. 2009 (White House)

What others are doing for Cyber Security? (2) USA (2/6): Near-Term Action Plan 2/2, issued Nov. 2009 (White House)

What others are doing for Cyber Security? (2) USA (3/6): Mid-Term Action Plan 1/2, issued Nov. 2009 (White House)

What others are doing for Cyber Security? (2) USA (4/6): Mid-Term Action Plan 2/2, issued Nov. 2009 (White House)

What others are doing for Cyber Security? (2) USA (5/6): History Informs Our Future - Technology, issued Nov. 2009 (White House)

What others are doing for Cyber Security? (2) USA (6/6): History Informs Our Future - Law, issued Nov. 2009 (White House)

What others are doing for Cyber Security? (3) EU (1/2)
Strategy for a Secure Information Society, issued Jan. 2009:
- Creating a special agency to share Cyber Security best practices & knowledge, the European Network and Information Security Agency (ENISA)
- The establishment of a high-level ICT standardization policy platform
- A policy initiative on Critical Information Infrastructure Protection (CIIP)

What others are doing for Cyber Security? (3) EU (2/2): Project of Cyber Security Core Elements (issued 2007 & updated March 2009)

What others are doing for Cyber Security? (4) Canada: Cyber Security Infrastructure Multi-Stakeholders Model

What others are doing for Cyber Security? (5) Malaysia (1/2)

What others are doing for Cyber Security? (5) Malaysia (2/2)

What others are doing for Cyber Security? (6) Tunisia (1/3)

What others are doing for Cyber Security? (6) Tunisia (2/3)

What others are doing for Cyber Security? (6) Tunisia (3/3)

What others are doing for Cyber Security? (7) KSA

Final Words: 5 Minds for the Future of Security Discipline

Knowledge is like a garden; if it is NOT cultivated, it can NOT be harvested.