What legal aspects are needed to address specific ICT related issues?



Belhassen ZOUARI, CEO, National Agency for Computer Security, Tunisia; Head of the Tunisian CERT (tuncert). E-mail: b.zouari@ansi.tn
Workshop on Building Trust and Confidence in Arabic E-Services, Beirut, 25-27 May 2010

Agenda
- Universal legal cyber security framework
  - The need for a legal framework
  - Clarifying/defining cyber concepts (crime, evidence, etc.)
  - Which institutions, what responsibilities?
  - Operational measures and the role of CERTs
  - Practical and application issues
  - International cooperation
- Tunisia as a case study
  - Cyber security laws and regulatory texts
  - Application and cyber-safety measures
  - Security progress at the most important national institutions
  - Lessons learned from experienced cases

The Need for a Legal Framework
- ICTs are new technologies, but they also bring new threats
- Confidence and trust in ICTs are vital for e-services
- Lack of clarity and uncontrolled technology are enablers for malicious activity, and therefore obstacles to confidence in e-services
- Defining a legal framework is the first step in the cyber security process
- Involvement of the government is a prerequisite
- The global nature of cyberspace calls for international cooperation

Clarifying/Defining Cyber Concepts
- Creating laws and regulatory texts related to:
  - Cyber crime and digital evidence
  - Privacy protection, intellectual property
  - Data protection, information system (IS) access, spam
  - Digital signature / digital archiving
  - Securing the IS perimeter of institutions (security audits, IS management system implementation)
- Avoiding the re-definition of crimes: traditional vs. cyber (fraud, theft, phishing, identity theft, ...)

Which Institutions, What Responsibilities?
Multi-stakeholder / multi-actor:
- The user, beneficiary of an e-service
- The e-service provider
- The application developer (programming errors)
- The Internet provider (DNS, routing functions)
- The web site hoster (Internet server / OS functions)
- The telecom operator (infrastructure disruptions)
- Third parties (certification / registration authorities)
- Trans-border access

Operational Measures and the Role of CERTs
- A trusted point of contact / a cyber security authority
- Responsible for implementing a cyber security strategy
- Main missions:
  - Cyber space protection
  - Watch and warning (product vulnerabilities, viruses, ...)
  - Incident detection / incident handling
  - Incident analysis / forensics
  - Vulnerability assessment
  - Information sharing and coordination centre (massive attacks)
  - International cooperation (FIRST, regional groups)

Practical and Application Issues
- Raising awareness / training for:
  - Users (domestic, children, office, ...)
  - Decision makers
  - Professionals
  - Teachers
  - Students
  - Journalists
  - Lawyers
- Assistance / communication

International Cooperation
- FIRST: Forum of Incident Response and Security Teams
- ITU; ESCWA; UNCTAD; OECD
- TF-CSIRT; ENISA; AP-CERT; OIC-CERT; Council of Europe
- INTERPOL
- Bilateral conventions

Tunisia as a Case Study
NACS: National Agency for Computer Security (also known as tuncert)
- Created by law in 2004 under the Ministry of Communication Technologies
- Introduction of mandatory and periodic security audits (the pillar of our strategy)
- Creation of a body of certified IT security auditors
- Launch of tuncert in 2005
- Full member of FIRST in 2007
- UNCTAD centre of excellence in 2008
- Main sponsor and partner of E-ComSec (SA) for establishing a CERT and its introduction to FIRST in 2008

Tunisian Cyber Security Legal Framework
- Computer crime law: Law No. 1999-89
- Laws on the respect for intellectual property: Act No. 2000-84, Act No. 2001-20, Act No. 2001-21, Act No. 2001-36
- Electronic Certification Act: Act No. 2000-83
- Computer Security Act: Law No. 2004-5
- Privacy Protection Act: Law No. 2004-63
- Act on Cyber Terrorism: Law No. 2003-75
- Defining the position of CISO (Chief Information Security Officer) within all public institutions: Prime Minister note, 2007

Tunisian Cyber Security Laws
- Articles 10 and 11 of Law No. 2004-5 of February 3, 2004, relating to computer security (published in the JORT, the Tunisian official gazette, on February 3, 2004): mandatory audits

Tunisian Incident Declaration Law
- Article 9 of Law No. 2004-5 of February 3, 2004, relating to computer security: mandates the declaration of incidents to NACS, and keeps the incident details confidential, as well as any information obtained while auditing or assisting a company's systems

Tunisian Privacy Protection Law
- Law No. 2004-63 of July 27, 2004, concerning the protection of personal data

Tunisian Cyber Security Laws
Specifics of the personal data protection law:
- General provisions on personal data protection
- Conditions for processing personal data: procedures for handling such data
- Data obligations and control
- The rights of the data subject (consent, right of access, right to object)
- Personal data protection measures, etc.

Tunisian Cyber-safety Measures
Technical vulnerability assessment:
- Providing services that inform about discovered vulnerabilities (AVO): alerting the person responsible for a web site about a serious vulnerability discovered in the system, before it can be exploited by attackers, with a full description of the vulnerability accompanied by a proof of concept
- Analysing data about suspicious activity in cyberspace, detected with the Saher system through a honeypot model and through global structures and institutions (such as Shadowserver and CERT Brazil), to understand and contain the development of new malicious software
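The honeypot data analysis mentioned above is easier to picture with a concrete triage step. The following is an added example, not part of the original slides and not the Saher system's own code: it reads honeypot connection records in an assumed format (timestamp, source IP, destination port, hash of any captured payload), with constructed sample lines and assumed thresholds, and reports the three things a honeynet feed is typically mined for: payload hashes never seen before (candidate new malware), a single source sweeping many ports (scan), and many sources hitting one port in a short window (worm-like spread or DDoS).

```python
"""Triage of honeypot connection records: new malware samples, port scans and
worm-like mass connections. Added illustration; the record format, the field
order and the thresholds are assumptions, not those of the Saher system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data), one per line:
#   <ISO timestamp> <source IP> <destination port> <sha256 of captured payload, or '-'>
SAMPLE_LOG = """\
2010-05-20T10:00:01 203.0.113.10 445 a1b2
2010-05-20T10:00:03 203.0.113.11 445 a1b2
2010-05-20T10:00:05 203.0.113.12 445 a1b2
2010-05-20T10:00:07 203.0.113.13 445 a1b2
2010-05-20T10:00:09 203.0.113.14 445 a1b2
2010-05-20T10:00:11 203.0.113.15 445 c3d4
2010-05-20T10:02:00 198.51.100.7 22 -
2010-05-20T10:02:01 198.51.100.7 23 -
2010-05-20T10:02:02 198.51.100.7 80 -
2010-05-20T10:02:03 198.51.100.7 443 -
2010-05-20T10:02:04 198.51.100.7 3389 -
2010-05-20T10:30:00 192.0.2.9 80 -
"""

KNOWN_SAMPLES = {"a1b2"}  # hashes already collected and analysed (assumed)


def parse_events(text):
    """Parse records into (timestamp, src_ip, dst_port, payload_hash) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, digest = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port),
                       None if digest == "-" else digest))
    return sorted(events, key=lambda e: e[0])


def _max_distinct_in_window(items, window):
    """items: (timestamp, value) pairs sorted by time. Largest number of distinct
    values seen inside any window that starts at one of the timestamps."""
    best = 0
    for i, (start, _) in enumerate(items):
        inside = {value for ts, value in items[i:] if ts - start <= window}
        best = max(best, len(inside))
    return best


def find_new_samples(events, known_hashes):
    """Payload hashes never seen before -> (first seen, number of distinct sources).
    A new hash arriving from many sources is the early sign of new malware spreading."""
    fresh = {}
    for ts, src, _port, digest in events:
        if digest is None or digest in known_hashes:
            continue
        entry = fresh.setdefault(digest, {"first_seen": ts, "sources": set()})
        entry["sources"].add(src)
    return {d: (e["first_seen"], len(e["sources"])) for d, e in fresh.items()}


def find_port_scans(events, window=timedelta(minutes=1), min_ports=5):
    """Sources that touched at least min_ports distinct ports within one window."""
    by_src = defaultdict(list)
    for ts, src, port, _digest in events:
        by_src[src].append((ts, port))
    hits = {}
    for src, items in by_src.items():
        n = _max_distinct_in_window(items, window)
        if n >= min_ports:
            hits[src] = n
    return hits


def find_mass_connections(events, window=timedelta(minutes=1), min_sources=5):
    """Ports hit by at least min_sources distinct sources within one window: the
    'massive attack' pattern of a worm or a DDoS rather than a single intruder."""
    by_port = defaultdict(list)
    for ts, src, port, _digest in events:
        by_port[port].append((ts, src))
    hits = {}
    for port, items in by_port.items():
        n = _max_distinct_in_window(items, window)
        if n >= min_sources:
            hits[port] = n
    return hits


def triage(text, known_hashes=KNOWN_SAMPLES):
    events = parse_events(text)
    return {
        "new_samples": find_new_samples(events, known_hashes),
        "port_scans": find_port_scans(events),
        "mass_connections": find_mass_connections(events),
    }


if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_LOG).items():
        print(kind, findings)
```

On the sample data the triage flags port 445 (six distinct sources in ten seconds), one scanning source (five ports in four seconds) and one unknown payload hash. The window and count thresholds are the tuning knobs: too low and ordinary background noise is reported as a massive attack, too high and a slow-moving worm is missed until it is already widespread.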

SAHER: Monitoring the Cyber Space
System developed from a set of open source tools:
- Saher Web: monitoring of .tn web sites
- Saher SRV: Internet service availability monitoring (mail server, DNS, ...)
- Saher IDS: massive attack detection
- Saher Honeynet: malware gathering

Possible attacks covered by each component:
- Saher Web: web defacement, DoS, deterioration of web access
- Saher SRV: mail bombing, breakdown of DNS servers, DNS poisoning, viral attack
- Saher IDS: intrusion, DDoS, viral attack, scan
- Saher Honeynet: malware gathering

Credit Card Cybercrime Cases
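The web-site and service monitoring rows above reduce to a classification of probe results. The following is an added example, not part of the original slides and not the Saher code: it takes constructed probe results (no network access; the probe format, the baseline fingerprint method, the latency threshold and the site names are assumptions) and maps them onto the attack categories of the table, distinguishing defacement from unreachability and slowness, and a DNS server that gives no answer from one that answers with an address outside the known set.

```python
"""Classification of web-site and DNS probe results into the monitoring
categories above. Added illustration, not the Saher code: the probe format,
the baseline method, the threshold and the sample data are assumptions."""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Attack labels taken from the monitoring table
WEB_DEFACEMENT = "Web defacement"
WEB_DOS = "DoS (site unreachable)"
WEB_DEGRADED = "Deterioration of web access"
WEB_ERROR = "Server error"
DNS_DOWN = "Breakdown of DNS server"
DNS_POISONED = "DNS poisoning"
OK = "OK"


@dataclass
class WebProbe:
    """One fetch of a monitored page (constructed; a real monitor fills this from HTTP)."""
    url: str
    status: Optional[int]   # None when there was no HTTP response at all
    latency_ms: float
    body: str


def normalize(body: str) -> str:
    """Drop content that legitimately changes between fetches (comments,
    timestamps, whitespace) so only a real content change alters the fingerprint."""
    body = re.sub(r"<!--.*?-->", "", body, flags=re.S)
    body = re.sub(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}(:\d{2})?", "<ts>", body)
    return re.sub(r"\s+", " ", body).strip().lower()


def fingerprint(body: str) -> str:
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()


def classify_web(probe: WebProbe, baseline_fp: str, slow_ms: float = 3000) -> str:
    """Order matters: an unreachable, slow or erroring site must not be reported as defaced."""
    if probe.status is None:
        return WEB_DOS
    if probe.latency_ms > slow_ms:
        return WEB_DEGRADED
    if probe.status >= 500:
        return WEB_ERROR
    if fingerprint(probe.body) != baseline_fp:
        return WEB_DEFACEMENT
    return OK


def classify_dns(resolved: Tuple[str, ...], expected: Tuple[str, ...]) -> str:
    """No answer = DNS breakdown; an answer outside the known address set = poisoning suspect."""
    if not resolved:
        return DNS_DOWN
    if not set(resolved) <= set(expected):
        return DNS_POISONED
    return OK


# Constructed baseline page and probes (not real sites or data)
BASELINE_BODY = """<html><body>
<h1>Welcome to example.tn</h1>
<!-- generated 2010-05-20 09:00 -->
<p>Page generated 2010-05-20 09:00:00</p>
</body></html>"""
BASELINE_FP = fingerprint(BASELINE_BODY)

PROBES = {
    "fresh": WebProbe("http://www.example.tn/", 200, 120.0,
                      BASELINE_BODY.replace("09:00:00", "10:15:42")),
    "defaced": WebProbe("http://www.example.tn/", 200, 130.0,
                        "<html><body><h1>Hacked by someone</h1></body></html>"),
    "down": WebProbe("http://www.example.tn/", None, 30000.0, ""),
    "slow": WebProbe("http://www.example.tn/", 200, 8500.0, BASELINE_BODY),
}
EXPECTED_IPS = ("198.51.100.5", "198.51.100.6")


def run_checks():
    """Classify every constructed probe; returns (web results, dns results)."""
    web = {name: classify_web(p, BASELINE_FP) for name, p in PROBES.items()}
    dns = {
        "normal": classify_dns(("198.51.100.5",), EXPECTED_IPS),
        "no_answer": classify_dns((), EXPECTED_IPS),
        "foreign": classify_dns(("203.0.113.77",), EXPECTED_IPS),
    }
    return web, dns


if __name__ == "__main__":
    web, dns = run_checks()
    print(web)
    print(dns)
```

The normalisation step is what keeps a defacement monitor usable: a page whose only change is a generated timestamp must still match its baseline, otherwise every fetch raises an alarm and real defacements get lost in the noise. Anything the normaliser strips is, conversely, a place where a subtle defacement could hide, so the list of stripped patterns should stay short and deliberate.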

A Famous Card Data Breach Case
- Albert Gonzalez: the hacker behind the largest credit and debit card data breach in U.S. history
- Stole data from more than 130 million accounts
- Cost companies, banks and insurers nearly $200 million
- Sentenced to 20 years in prison

Some Social Network Cybercrimes
- In 2009 social networking sites were used by around 80% of all Internet users, the equivalent of more than one billion people (according to Kaspersky Lab)
- Malicious code distributed via social networking sites is 10 times more effective than malware spread via e-mail
- Stolen user names and passwords of social network users can be used to send links to infected sites, spam, or fraudulent messages such as a seemingly innocent request for an urgent money transfer

Conclusion
- Today it is clear that no country can solve the problem of electronic communications security on its own
- If cyber security is regarded as a means of assurance, then it should be put in place as a priority by each country
- Hackers should be aware that even harmless computer intrusions can be classified as a crime
- Cooperation is the only weapon to deal with cyber crime
- There is a great need for a common criminal policy to protect society against cyber crime

Thank you
B.Zouari@ansi.tn