1. Assessing cybersecurity
in a modern State
of digital era
Anto Veldre
Information Security Expert
CERT-EE
Estonian Information System Authority

2. Tallinn, Estonia

4. Milk & gasoline ...
http://y.delfi.ee/norm/102149/4987007_FZJEkH.jpeg

5. The lifestyle
http://upload.wikimedia.org/wikipedia/commons/0/03/Kakerdaja_raba.jpg

6. State Information System Authority (www.ria.ee)

7. Abbreviations
CERT
- Computer Emergency Response Team
CSIRT
- Computer Security Incident Response Team

8. CERT typology
Types:
- national
- govermental
- ISP, company, etc
- university
CERT-EE – nat/gov, dual consistuency (.EE, ASxxxx)
Compare to our neighbours - www.ficora.fi
Keyword to remember – the constituency - кому работаешь?

9. State Information System Authority (1)

10. State Information System Authority (2)

11. State Information System Authority (3)

12. http://liesma.deviantart.com/art/organized-chaos-
160240663

13. Basic categories for inventarization
(an analogy - phone numbers)
 IP addresses (like 217.26.147.31)
 Netblocks (like 217.26.147.0/24)
Autonomous Systems (AS28990)
 Domain Names (DNS) like www.xyz.md

14. Estonian Autonomous Systems?

15. Inventory - basics

16. Our Lego
Objects we care
- Timestamp
- (category – virus, break-in, DDoS, defacement, SSH doorknock)
- IP
- FQDN – fully qualified domain name
- URL (http://www.somewhat.md/infection.exe
- An executable (.exe)
- MD5("The quick brown fox jumps over the lazy dog")
= 9e107d9d372bb6826bd81d3542a419d6

17. Important considerations
Main equations
- technical control != content control
- IP address as private data? == a trap

18. Where to find information?
Passive DNS
Netflow statistics
Listening to the Ethernet directly
Webproxy logs,
Statistics, hostcount ...
...
These are standard tools present in router OS's.
Intel exchange with partners.
Honeypots.

19. Freedom on the Internet
Candidate information to be censored:
tax motivated sites
"bad" information:
- abortion
- pr0n, CP
- violence
"extremism"
- incl religious
- device design blueprints, incl. (c)

20. Freedom of information
methods of control
- surveillance
- filtering out (DNS or action based)
- redirection
- intrusion
- combined
It is extremely important to watershed between:
- Technical Monitoring (for viruses, for CNC IP)
- Content monitoring (for the word „terrorist“)

21. CERT: RFC2350
Constituency
Clients
Authority, legal possibilities
Contacts, security level, pledges
Service library
Assisting in ...
Solving …
Publishing advisories, reports …

22. CERT vs LEO
• CERT and the community
Trusted communities
Data feeds
• CERT vs intel
Technical – IP, FQDN, ASN (vs content)
A nightman job – plumbing and pipes
- ассенизаторская работа

23. Philosophy behind the CERT
• Technical intelligence
is the foundation for any CERT
• Event vs incident. Ticketing.
15 min rule vs reporting&statistics needs
• Reporting
earning our salary
People are the heart of a CERT

24. Philosophy behind the CERT (2)
• Standard secrecy on the input
Takes time to declassify
Enables LEO and mil contacts
• Mobile threats
Cloud
Automated authentication, joint IDs

25. Incidents (1)
* DDoS (2007 and further)
* malware
- Zeus/SpyEye , Sinowal etc
- drive-by infections
- forum poisoning
- false positive on svchost.exe
- phishing letter from E-bay
- tax related mail accounts

26. Incidents (2)
- e-mail offending the President
- intrusion somewhere (a registrar, a webhoster)
- authentication library on “a system“
- an APT ( = Advanced Persistent Threat)
- Tasmanian BGP → core network routers down
- anchor related incidents (Baltic Sea)

27. Incidents (3)
- domain related incidents
- assessing technology incidents (RSA, DN, ID)
- comments on public and PR incidents (firesheep)
- testimonies at the court (Allaple)
- lecturing (at universities, schools …)
- i-voting tech support

28. What we do not do
(but sometimes we could intermediate)
- assist private persons (but sometimes ...)
- repairing somebody's installation
- copyright enforcement
- filtering
- content intelligence
- pr0n, CP handling

29. People
Seven (7) • Qualifications:
- HelpDesk capability
- network admin
- programmer, coder
- teacher, lecturer
- CIO or CISO or CISA
- system analyst
- technical writer

30. Duties
- contact point - consultancy
- incident handling - input to legislators
- advisories on threats - bringing people together
- reporting - awareness raising
- http://vimeo.com/22067817
- alerting

31. Systems
• Mostly free software
• Linux/BSD
• FireShark, tcpdump, ...
• AbuseHelper (see bitbucket, ClarifiedNetworks)
• S4A (Snort for all)
• VSR – Virtual Situation Room, (see bb, C)

33. Trusted Introducer

34. Back to CyberSec

35. CIIP
Critical Information Infrastructure Protection
• 2 whales: Communication & Energy
• The Emergency Law: Vital Services – 43 fields
- PVS - Provider of (a) vital service
- IOCO - The Institution Organizing the Continuous Operation (of vital
services)
- CI - Co-ordinating Institution (in charge to contain and resolve the
emergency)
http://valitsus.ee/en/government-office/government-communication/handbook/crisis-communication
http://ee.vlex.com/vid/emergency-act-siseministeeriumi-
204964755

36. CIIP workflow
Define vital (critical) areas
Analyze dependencies
- foundation: energy and communications
- ICT
- other, not directly related to ICT
Define or list vital providers
Communicate, analyze

37. SCADA
http://www.parijat.com/scadaproduct/images/MunicipalSCADA-2.jpg

38. Telco
• Vital providers in telco field:
- 420 of these in entrepeneurs DB
- 3-4-5 large ones
- by the definition
* has an interchange point

39. Supervision Dept
- ISKE - (IT Grundschutz by BSI, .de)
Information Systems Three Level Security Baseline
- Incident reports, CERT-EE Incidents DB
- Compliance
Problems / deficiencies noted by CERT or CIIP
https://www.bsi.bund.de/ContentBSI/Aktuelles/Veranstaltungen/gstag/gstag_201010.html

40. Thank You!
Anto Veldre
www.ria.ee | anto.veldre@cert.ee | +372 663 0200
Estonian Information System's Authority | Rävala 5, 10112
Tallinn, Estonia