
Cert-Tcc

Insights into the Tunisian experience and strategy in the establishment of Watch, Warning and Incident Response capabilities, and needs of developing countries

Prof. Nabil SAHLI, Head of the Cert-Tcc
National Agency for Computer Security, CEO, TUNISIA
[email protected]

Plan
I- Insights into the Tunisian Cert-Tcc activities:
- Overview of Awareness & Information actions
- Overview of Assistance for Incident Handling (CSIRT)
- Overview of Establishing a Watch and Alert Center (ISAC “Saher”)
- Overview of Professional Training & Education actions
- Overview of the open-source strategy
- Cooperation with associations (NGOs)
II- Some specificities and needs of developing countries
(III- Some guidelines for establishing CERTs in developing countries, coming from the Tunisian experience)

2nd WSIS Action Line C5 Facilitation Meeting: Building Confidence and Security in the Use of ICTs

Overview of Cert-Tcc
(Computer Emergency Response Team - Tunisian Coordination Center)

SERVICES & ACTIVITIES

PUBLIC CERT, officially launched in 2004 and hosted by the National Agency for Computer Security
(Ministry of Technologies of Communication)

3 teams:
- Awareness & Training Team
- Investigation & Incident Response Team
- Information Sharing and Analysis Center

Some activities will be scaled back with the launch of private CERTs.

Awareness Activities

Cert-TCC works actively in the awareness field:
- Development of awareness material: brochures (8), CDs (3), small guides (10)
- Organizes booths in ALL national and regional exhibitions
- Co-organizes and intervenes in all conferences & workshops (55 since 2005, 9 during 2007)
+ Publishes awareness material through our web site and mailing-list (rubric “Flash”)
+ Relies on the press for raising awareness of the broad population; a press-relations position in CERT/TCC (a journalist):
  - Provision of information material to journalists
  - Participation in the animation of weekly rubrics on 6 regional and national radio stations (3 in 2005) + preparation of awareness modules for students in journalism

- Youth and parents awareness: development of 1 manual & quiz (for schools), 3 “cartoons”, a pedagogic game, 3 brochures
+ A “Citizen Assistance Desk”, where home users can bring their PC to solve security problems or install security tools free for domestic use (anti-virus, PC firewall, anti-spam, ...) and get light training (+ brochures, guides, CDs...)
+ Development of a special rubric on the web site and inclusion of a special mailing-list rubric for parents (parental control tools, risks, ...)
- Organisation of awareness events for youths and children, in collaboration with specialized centers and associations (3 workshops during 2007)
- Organisation of short training sessions for (450) new teachers
- In preparation: awareness sessions in schools

IT professionals and policy-makers:

Obligation for national companies (ALL public + “big” and sensitive private ones) to do periodic (now annual) security risk assessments (audits) of their IS.
+ Organization of the field of security audits: audits are made by CERTIFIED auditors (from the private sector); definition of the process of certification of auditors; definition of the auditing missions and of the follow-up process (ISO 17799).

Best awareness instrument = promulgation by law of mandatory (annual) security audits (Law N° 5-2004 related to ICT security):
+ The audit mission includes awareness sessions, made by the auditors for ALL the staff, including live simulation of attacks (gets people in touch with the reality of risks and the importance of best practices).

Information & Alert Activities

- Broadcasts information (collected through the monitoring of multiple sources) through our mailing-list(s): more than 7000 (voluntary) subscribers.

Various rubrics: Vulnerabilities, Virus, Spam, Hoax, Precaution, Administrators, Alert, Tools, Open-source, Announces, Books
Two audiences: Vulnerabilities (users) and Administrators (Security Officers)

Bulletin template (Threats / Information / Information & Alert):

Threats:
1- Highly critical vulnerability in ..........., which permits ......
2- Medium critical vulnerability in ..........., which permits ......
3- ...............

Information:
1- “Product name”
   Concerned platforms: ......
   Concerned versions: .........
   Brief description: ..............
   For more details: (urls)
   SOLUTION: ..................
2- “Product name” ..................

+ Development of guides on best practices and open-source security solutions (~30 small guides)

ISAC and CSIRT

Public & private institutions must inform the National Agency for Computer Security about any incident which may affect other information systems.
(Article 10 of the Law No. 2004-5 relative to IT security)

CSIRT team
CERT-TCC provides:
o A CSIRT team in charge of providing (free of charge) assistance for incident handling
o A call-center, available 24 hours a day, 7 days a week

With guarantees for confidentiality: private and public organizations trust the Cert-Tcc and call for assistance.
The law stipulates that the employees of the National Computer Security Agency and the security auditors are responsible for the preservation of confidentiality and are liable to penal sanctions.
(Article 9 of the Law No. 2004-5 relative to IT security)

+ Development of a Global Reaction Plan (“Amen”):
--- Establishment of coordinating crisis cells (ISPs, IDCs, access providers; future: corporate CSIRTs), with Cert-Tcc’s CSIRT team acting as a central coordinator between them
+/- Alerting the community

+ Participation in the launch of a national project for building a National Disaster-Recovery Center, managed by the National Center for Informatics (funds from the World Bank)

ISAC “Saher”

System “Saher”: a watch center (based on open-source solutions), which permits monitoring the national cyber-space security in real time, for the early detection of massive attacks and monitoring of their impact.
(First prototype deployed during WSIS, November 2005)

Architecture (diagram):
- Sources: corporate networks, IDCs, ISPs, honeypots
- AGENTS (open-source: NIDS, traffic-analysis agents, honeypots, ...)
- Event-gathering database: gathering and filtering of large sets of network data to identify unauthorized and potentially BIG attacks (worms, cyber-attackers, ...)
- Analysis & correlation (automatic alert triggers)
+ Real-time monitoring of critical DNS, mail and web servers
- Cert-Tcc computing center + hot-line
- Reaction Plan « AMEN »
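To make the “analysis & correlation (automatic alert triggers)” stage concrete, here is an added Python example. It is not Saher’s code and nothing in it comes from Cert-Tcc: the event line format, the sensor names, the sample feed and the thresholds are all constructed assumptions. It shows the generic pattern such a watch center relies on: events from several independent agents (ISP NIDS, an IDC honeypot) are gathered into one store, then a sliding window per destination port fires a national alert only when many distinct sources are seen by several distinct sensors, so a single noisy site or a single scanner does not trigger the reaction plan.

```python
"""Toy event-correlation stage for a Saher-style watch center (added example,
not Cert-Tcc's code).  Assumptions: each agent (NIDS, honeypot, traffic
analyser) forwards one line per suspicious connection as
    timestamp|sensor|source_ip|destination_port
and a nationwide alert is only worth triggering when the same service is
probed by many distinct sources, confirmed by several independent sensors,
inside a short time window.  The feed, sensor names and thresholds below are
constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: a worm-like sweep of TCP/445 seen by three sensors,
# plus three kinds of background noise that must NOT raise a national alert
# (one scanner seen everywhere, one busy site, a slow trickle on port 25).
SAMPLE_FEED = """\
2005-11-16T10:00:01|isp-a-nids|203.0.113.5|445
2005-11-16T10:00:20|isp-b-nids|198.51.100.7|445
2005-11-16T10:00:45|idc-honeypot|203.0.113.9|445
2005-11-16T10:01:10|isp-a-nids|198.51.100.12|445
2005-11-16T10:01:30|isp-b-nids|203.0.113.5|445
2005-11-16T10:02:00|isp-a-nids|192.0.2.4|22
2005-11-16T10:03:00|isp-b-nids|192.0.2.4|22
2005-11-16T10:04:00|idc-honeypot|192.0.2.4|22
2005-11-16T10:05:00|isp-a-nids|192.0.2.10|80
2005-11-16T10:05:05|isp-a-nids|192.0.2.11|80
2005-11-16T10:05:10|isp-a-nids|192.0.2.12|80
2005-11-16T10:10:00|isp-a-nids|203.0.113.20|25
2005-11-16T10:25:00|isp-b-nids|203.0.113.21|25
2005-11-16T10:40:00|idc-honeypot|203.0.113.22|25
"""


def parse_feed(text):
    """Event-gathering step: turn raw agent lines into typed tuples
    (timestamp, sensor, source_ip, dst_port).  Blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sensor, src, port = line.split("|")
        events.append((datetime.fromisoformat(ts), sensor, src, int(port)))
    return events


def correlate(events, window=timedelta(minutes=5), min_sources=3, min_sensors=2):
    """Analysis & correlation step with an automatic alert trigger.

    For every destination port, slide a window over the events in time order;
    the first window holding at least `min_sources` distinct source addresses
    reported by at least `min_sensors` distinct sensors raises one alert for
    that port.  Several sensors filter out a single noisy site; several
    sources filter out a single scanner.
    Returns {port: {"first_seen", "sources", "sensors"}}.
    """
    by_port = defaultdict(list)
    for ev in events:
        by_port[ev[3]].append(ev)

    alerts = {}
    for port, evs in by_port.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _, _, _) in enumerate(evs):
            sources, sensors = set(), set()
            for t, sensor, src, _ in evs[i:]:
                if t - t0 > window:
                    break
                sources.add(src)
                sensors.add(sensor)
            if len(sources) >= min_sources and len(sensors) >= min_sensors:
                alerts[port] = {
                    "first_seen": t0.isoformat(),
                    "sources": len(sources),
                    "sensors": len(sensors),
                }
                break  # one alert per port is enough for the crisis cells
    return alerts


def render_alert(port, info):
    """Format one alert in the style of the mailing-list 'Alert' rubric."""
    return (f"ALERT - mass activity on port {port}: {info['sources']} distinct "
            f"sources seen by {info['sensors']} sensors since {info['first_seen']}")


if __name__ == "__main__":
    for port, info in sorted(correlate(parse_feed(SAMPLE_FEED)).items()):
        print(render_alert(port, info))
```

Run as-is, only the port-445 sweep is reported; lowering `min_sensors` to 1 would also flag the single busy site on port 80, and lowering `min_sources` to 1 would flag the lone scanner on port 22, which is exactly the kind of noise a national alert trigger should not pass on to the crisis cells.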

Training & Education

Education
- In collaboration with academic institutions: launch of Masters in IT security
  (Motivation: a master’s degree in IT security permits obtaining NACS’s auditor certification.)
  In 2004: launch of the first Master in IT security (collaboration between two universities).
  Now: 7 masters (3 public & 4 private universities / 1 regional). (1 other regional master in preparation for 2007-2008)
- Acts for the inclusion of security (awareness) modules in all academic and education programs.
+ Hosting of student projects by the CERT/TCC (15 in 2006)

Professional Training
- Focused on the creation of a task force of trainers in IT security: launch of 3 training courses for trainers (private sector); training sessions for 100 trainees in 2006; 2007: 4 additional training modules.
- Re-training of professionals: organisation of trainings (with the collaboration of training centers & associations):
  - for security auditors (night sessions for professionals, as a preparation for the certification exam; 50 auditors succeeded in the exam)
  - for security administrators of e-government applications
  - preparation of 2 training sessions for judges and law-enforcement staff
- Acting in motivating private training centers’ activities in IT security: in a partnership project with the private sector, establishment of a regional center of training in IT security (start-up fund from the WB).
- Motivation and help to professionals for getting international certifications: organization of 2 CISSP training sessions

Open-source strategy

An extremely rich repertory of “free” and efficient open-source security tools (OpenLDAP, Swatch, ...), in complement to commercial tools:
- Permits the economical deployment of security solutions, with the required cardinality (number of licenses) & completeness (categories of needed tools)
+ A big catalyser for the emergence of Research & Development activities

Cert-Tcc is acting in raising awareness about the benefits (& limits) of the deployment of open-source tools.
Cert-TCC defined 4 projects for the “development” of security tools by the private sector.
Cert-Tcc has defined 5 federative Research & Development projects for academic laboratories + a laboratory (under the supervision of the Secretary of State for Scientific Research).

Synergy between national actors

Motivates the creation of specialized associations in IT security:
• An academic association was launched in 2005: “Tunisian Association for Numerical Security”.
• Another, professional, association in 2006: “Tunisian Association of the Experts in Computer Security”.

Rely on associations (NGOs)
- In collaboration with associations (NGOs):
  - Co-organisation of awareness actions (15 seminars and workshops in 2006) with IT associations (ATIM, ATSN, JCI, ATAI, ...)
  - Motivation for the launch of technical workgroups
- Involvement in the development of model tender documents (ensures fair competition and attracts more private investments in the field)
- Involvement in the evaluation of actions & revision of action plans (realization of national surveys about IT security)

II- About Developing & Less Developed Countries

Some specificities and needs of developing countries, and some schemes for international actions

Developing / less-developed countries:
- Potential future “reservoir of hackers” (unemployment, lack of entertainment, feeling of injustice and need for expression, ...)
- Infrastructures = “open platform” for intruders (relays of spam, botnets, phishing, ...)
+ Risk of more digital divide, by undermining confidence in ICTs

In fact, it is in the SELF-INTEREST of the international community to avoid cyber-criminality havens:
Urgent actions (aid) --> Safer (cyber-)world

Immediate needs of LDCs

Awareness of key actors - international organizations should:
- Help raise the awareness of high-level local politicians about the strategic importance of IT security
- Help raise the awareness of international funding institutions (international and regional development banks, NGOs, donation banks, ...) and of the private sector

Users’ awareness
- Help for the rapid launch of a local CERT, which will be in charge of large-scale awareness actions

Capacity building
- Help in building a local experts’ task-force:
  Need to motivate the launch of “expert nests” (local CERT, ...) & training and assistance
  Need for specialized trainers at the university and in the private sector
- Help in establishing national strategies and plans in ICT security:
  Need for clear frameworks adapted to the reality & stages of development of DCs

Reinforce the deployment of protection tools and best practices

- Raise awareness about the capabilities (and limits) offered by open-source tools + training
- Provide funds (development banks, ...) to bring the interest of private actors to DC “missed markets”
+ Software editors should provide special “cheap” prices, according to the local “standard of living”, as a marketing action for emerging new markets
- Help for the provision of up-stream and “centralized” protection (NIDS, anti-virus) at the level of ISPs: ISPs connecting less-DC ISPs (of small size) should foresee how to:
  - Better « clean » flows & provide (cheap) training for local ISPs and assistance in case of “emergencies”
  - Pay more attention & take more precautionary measures against the abuse of less-DC infrastructures (botnets, spam relays, ...) by « international » intruders
- Push the “proactive approach” as a balance to the lack of protection tools; criticality of awareness about risks and best practices

“How to” organize help (“NEED FOR A SPECIAL CONFERENCE”)

Clear need for a “common model” for channelling an efficient and flexible (less politically sensitive) international & multi-stakeholder help
= through local CERTs (“be helped” in case of attacks originating from those countries)

Launch of local CERT entities: opportunity of a “regional approach”
(in addition to the “ongoing” international actions)

With guidance from eminent international organisations (ITU, ...) and forums & academic experts specialized in the field:
--> Combine regional skills of ALL stakeholders from BOTH developed and developing countries for the launch of regional CERTs (Africa, South America, ...), with their assignment of the DUTY of helping the launch of local CERTs in regional countries.

Raise the attention of regional organisations (Organization of African Unity, Arab League, ASEM, GCC, ...) to push politicians’ awareness and motivation.
Raise the awareness of regional development banks (African Development Bank, Inter-American Development Bank, IDB, ...) to provide funds.

+ CERT-TCC’s COMMITMENT: share our modest experience (errors, success stories) and provide our modest logistics, to help other regional countries in the launch of local CERTs + ...

Some guidelines for establishing CERTs in developing countries
(coming from the Tunisian experience)

FIRST: start the launch of a PUBLIC CERT (as fast as possible), which will provide:
- A “nest” for local experts & an identifiable point for efficient international cooperation
and assign it the “special” task of raising the awareness of policy-makers and of contributing to the definition and implementation of a national strategy and plan in ICT security (starting with awareness actions).

Awareness and Training (important task of CERTs in DCs)

Awareness - the launched public CERT should:
- Act intensively in the awareness field: raise the community’s awareness about computer security issues and provide guides and training on best practices
- Start by focusing on IT managers & administrators, who will be the task force in charge of “attacking” IT users & finally the broad population, by a progressive approach (taking care not to frighten):
  -- start specialized mailing-lists (vulnerabilities, vulgarisation, information, assistance)
  --- develop awareness material (brochures, guides, CDs of security tools free for domestic use, ...)
  ---- organize periodic awareness events
- Work with the press to exploit their capabilities in the awareness field (create a press-relations position) and act to better prepare the young
- Act as a synergy point for local experts and encourage the launch of security associations, which should be active in the awareness field (co-organize awareness events with them, ...)

Training and education
- Work for reinforcing the pool of trainers in IT security (organize training for trainers)
- Help for the launch of specialized university diplomas in ICT security (Masters, ...) and the introduction of basic (awareness) courses in academic and school programs (provide programs, documentation and training for trainers)
- Encourage high-level certification of professionals (CISSP, ...) in the field (motivate & provide training)

Establish mechanisms and tools for reinforcing the security of the national cyber-space

- Motivate/help ISPs in providing “up-stream” protection (NIDS, anti-virus gateways, tools for parental control, ...)
- Provide free assistance and support for incident handling (hotline and CSIRT team)
- Develop an ISAC center for the monitoring & early detection of mass attacks, possibly starting with solutions from the open-source field
- Define national reaction plans to mass attacks, based on the coordination between key actors (ISPs, access providers, security administrators)

Assist in the upgrade of the security of national information systems

- Encourage and provide support for the deployment of open-source tools, relative to the « expensive » and urgent needs, and in parallel with the promotion of commercial products
- Help in defining rules for ensuring a sure and progressive improvement of the security of IS and the follow-up of realistic and efficient security plans
  Case of Tunisia: institution of mandatory periodic security audits of ALL public and sensitive private information systems:
  1- Raise the awareness of policy-makers and of administrators
  2- Guarantee the improvement of the security of IS (well-established security plans, taking into account the reality of resources and ensuring a realistic and efficient upgrade)
- Reinforce the role played by the private sector and assist it to grow (provide training for trainers, help for certification + markets & fair competition rules, ...)
- Provide technical assistance for administrators of critical IS (incident-handling assistance, guides, audits & intrusive tests, ...)
- Evaluate priorities and the volume of needs and identify (& regroup) the national « heavy » investments to engage (disaster-recovery infrastructures, ...)
- Motivate the emergence of academic associations in the field of IT security and motivate national R&D in strategic and basic areas (protection tools, methodologies, mechanisms)

Participate in the effort to update laws and public regulations

- Help in adopting/customizing norms, regulation rules and certification procedures in IT security
- Help in implementing efficient mechanisms for controlling abuses (spam, respect of intellectual property, respect of privacy, consumer protection, ...) and help in defining responsibility rules for the Internet actors and self-regulatory mechanisms
- Help in the reinforcement of the competence of judges and investigators dealing with cyber-crimes (training)
- Strengthen the international collaboration in dealing with cyber-security incidents (mutual assistance with CERTs, transfer of proceedings, ...), along with motivating the adhesion of the country to international conventions and treaties in the field of cyber-security

THANK YOU

Pr. Nabil SAHLI, Ministry of Communication Technologies,
Head of the Cert-Tcc, National Agency for Computer Security, CEO
[email protected]