III-security 062006


  • 8/14/2019 III-security 062006

    1/22

NICST (National Information & Communication Security Taskforce)

Taiwan government's major initiative to build information and communication security mechanisms among public sectors, including the national CERT, a certification scheme, regulation, law enforcement, auditing, etc.

Organization chart:
• General Convenor: Vice Premier
• Deputy General Convenors: NICI Task Force Convenor, RDEC Chairman
• CEO: STAG Executive Secretary
• Committee Members: Ministers and Mayors of Taipei and Kaohsiung
• Advisory Committee; National Security Council
• Sector groups: National Defense (MND), Gov. Admin (RDEC), Academic (MOE), Business 1 (MOEA), Business 2 (MOTC), Business 3 (MOF), Business 4 (DOH)
• Working groups: Info Gathering & Analysis (NSC), Std. & Spec. (MOEA), Info & Comm Security Tech Center, Audit Service (DGBAS), Law & Cyber Crime (MOJ, MOI), General Business (STAG), Report & Response (RDEC) with its R&R Subgroups and NCERT

ICST (Info. & Comm. Security Technology Center)

CSIRT of NICST, a project funded by the RDEC (Research, Development, and Evaluation Commission) of the Cabinet. Staffed by ISSC (Information Security Service Center) of PRD (Project Resource Division), III.

ICST Missions:
• Enhancement: Awareness, Training and Promotion; Internet Services (Web, newsletter); GSN Vulnerability Scan & Patch
• Monitoring: Hacker behavior and Malicious code; Security Operation Center (NSOC); Integrated Warning System
• Response: Front Desk Consulting Services; Emergency Response Project; Forensics and Recovery
• Cooperation: NICST Technical Staff; International Cooperation; Industry and Academia Alliance
• Research: Law and Regulation; Industry Development Trend; IT Security Common Guidelines

2007 Education/Training Focus

| Audience | Approaches | Contents | Channels |
|---|---|---|---|
| General Officials, Citizens | Enhance awareness | Animation/Quiz; Anti-Virus/Hacking/Spam how-to; What is computer crime; Why social engineering is a threat | Online Web; Online Forum; e-Paper; Exhibitions |
| Agency Officials | Baseline Training | Best Practice & Guidelines; ISMS for Agency Officials; Incident Response Mechanism; Data Encryption and Protection; Information Security and Outsourcing | NCSI e-College; RDEC e-Learning; Web Seminars; Directives |
| IT Officers, IT Technicians, Auditors | In-depth Training & Certification | BS7799 LA Training (40 hrs); BS7799 Establishment Training (40 hrs); IT Auditing Training (16 hrs) | Training Courses; Seminars; Certifying Exam |
| IT Technicians | In-depth Training | Information Technology Expert Training (93 hrs); CISSP Training (40 hrs); CEH Training (40 hrs) | Training Courses; Certifying Exam |

Information Technology Expert Certificates

Background of ITE: the Education & Training Division of III and the Computer Skills Foundation (CSF) were selected by the Ministry of Economic Affairs to execute Information Technology Expert (ITE) appraisal planning and examination for 10 subjects since 2001. The Certificate of Software Design has been mutually recognized between Japan (IPA) and Taiwan (III, CSF) since Dec. 2003.

Audience:
• College
• Social people (general public)

The Information Security subject includes two areas:
• Information Security Management
• Information Security Technology

Information Technology Expert Certificates (cont.)

Information Security Management Curriculum:
• Risk Management and Business Continuity (IRS)
• Information Security Management System Theory, Structure, and Control (IIS)
• System Security Concepts, Practice, and Application (INS)
• Communication and Network Theory, Techniques and Application (ICS)
• Information Law, Investigation and Ethics (IIL)

Information Technology Expert Certificates (cont.)

Information Security Technology Curriculum:
• Information Security Concepts
• Communication Network Security Technology
• System Security Technology
• Principles and Applications of Cryptography

From 2005, each year ISSC cooperates with the Education & Training Division to provide a 93-hour ISTC course to 200 agency officials.


e-Government Patch Compatibility Testing

• To prevent e-Government application systems from malfunctioning after Microsoft patches are applied, ISSC coordinates government agencies to install their e-Gov application systems in the Microsoft Taiwan Testing Center for patch compatibility verification.
• Virtual machines are used to simulate the client-server operating environment of the applications, including Windows XP SP2, Windows 98, Windows 2000, and Windows 2003.
• Currently, two application systems have been tested and verified. ISSC and Microsoft Taiwan developed testing procedures from the experience of these two cases and will provide these procedures to agencies for reference.

IT Security Common Guidelines for Agencies

Standards of IT Security Technique & Management (references: CNS 17800, NSA):
• Agency Info Security Classification Rules
• ISMS Guidelines for the Executive Yuan (Cabinet) & Subordinate Agencies
• IT Outsourcing Security Guidelines
• Incident Response Guidelines
• IT Security Audit Guideline
• File Encryption Operation Guideline

Development Roadmap of IT Security Common Guidelines: various working groups in NICST will develop different guidelines for agencies, namely the Report & Response WG (RDEC), the General Business WG (STAG), the Std. & Spec. WG (MOEA), and the Audit Service WG (DGBAS).


International Cooperation

ISSC is a member of international IT security organizations, including FIRST, APCERT (both under the name TWNCERT) and AVAR.

International cooperation projects:
• Honeynet project with JSOC (Japan)
• SOC project with e-Cop (Singapore) and VeriSign (US)
• Found a previously unknown buffer-overflow vulnerability in icm32.dll of Office XP/2003 and reported it to MSRC (Microsoft Security Response Center), which issued the MS05-036 patch accordingly.
• Cooperated with the Bureau of Investigation, Ministry of Justice, to handle international phishing incidents from ?? countries

Incident Handling Statistics of Gov. from 2001 to 2004

| Incident Types | 2001 | 2002 | 2003 | 2004 |
|---|---|---|---|---|
| Password Guessing | 0 | 0 | 1 | 1 |
| System vulnerability | 0 | 1 | 6 | 0 |
| Misconfiguration | 0 | 8 | 51 | 43 |
| Malicious Code | 3 | 4 | 12 | 95 |
| Spoofing | 1 | 0 | 0 | 0 |
| Application Error | 0 | 0 | 7 | 38 |
| DoS/DDoS | 0 | 0 | 3 | 1 |
| Reason Unknown (only performed vulnerability scan) | 10 | 34 | 9 | 12 |
| Security check | 1 | 1 | 1 | 1 |
| Web Defacement | 2 | 48 | 104 | 91 |
| Others | 11 | 0 | 4 | 1 |
| Total | 28 | 96 | 198 | 289 |


Defense Layer and Depth Enhancement for GSN

Diagram: defense depth (Internet, DMZ, Internal Network, End-user Machine) plotted against defense layer (Network, Session, Application, Data), with the ISSC solutions placed on the grid: Firewall, IDS/IDP, Personal Firewall, Anti-Virus, HoneyNet, SOC, Internal Alert System, Registry Monitor.


Concept of Early Warning Alliance

Diagram (Cyber vs. Physical):
• Cyber side: a CERT community linking the N-SOC and C-SOC of each country (Country 1, Country 2, … Country n), covering the Government Sector and the Private Sector, which outsources to P-SOCs.
• Physical side: Interpol linking the Police Force of each country (Country 1, Country 2, … Country n), alongside Own Guard and Commercial Guard.

Early Warning Alliance

To enhance the early warning capability, a common format that allows incident data to be exchanged between SOCs has been developed by a joint alliance (coordinated by ISSC).

Diagram: at the other SOCs, NIDS and HIDS sensors feed a Correlation Engine; Data analysis & extraction and an Incident filter yield Incident and Event records, which the Common format XML Translator encodes and the https transmitter sends. At the NSOC platform, the https receiver passes the common-format records to Incident analysis and the Incident database; the Early Warning System (statistic/analysis) and the Incident analysis system produce common-format Incident reports and Alert reports for the critical agencies.

Incident Data Exchange Common Format

IODEF-like (IDMEF compatible) data exchange format.

Element structure (from the diagram):
• Incident Data: the Incident element carries ENUM purpose and ENUM restriction; its Incident ID is a STRING with a STRING name that indicates which SOC has been assigned this code
• ReportTime
• Description (0..1): incident description (might be multiple)
• Assessment (1..*): incident assessment (might be multiple)
• Method: incident method data (might be multiple)
• Contact: SOC contact window (might be multiple)
• EventData: incident source, target and statistic data (might be multiple), with StartTime and EndTime giving the incident report start and end time
• Multiplicities shown in the diagram: 0..1, 0..1, 0..*, 0..*, 1..*

Incident Data Exchange Software Architecture (provided by ISSC)

Client side (other SOCs): a Java program on the JDK/JVM over the O.S., using the DOM API. Modules: Event Collecting/Filtering (input: IDS data), XML Composing (against the NSOC DTD), Validating Parser, HTTPS Communicating (PKCS #12); output: NSOC XML.

Server side (N-SOC): a Java program in a Servlet Container on the JDK over the O.S., using the DOM API. Modules: HTTPS Communicating, Validating Parser (NSOC DTD), XML Parsing, Event Logging to the DB.
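As an added example (not the deck's or ISSC's code), the following Python sketch composes an Incident record with the elements the format slide lists and applies the cardinality check a validating parser would enforce before the record reaches the HTTPS transmitter. It is written in Python rather than the Java/DOM stack shown above; the 0..1 and 1..* bounds for Description and Assessment come from the slide, while the bounds for Method, Contact and EventData, the enum values for purpose and restriction, and the child names Source and Target are assumptions.

```python
# Added example, not the deck's own code. Element names and the 0..1 / 1..*
# bounds come from the slide; other bounds and the enum values are assumptions.
import xml.etree.ElementTree as ET

# (min, max) occurrences of each <Incident> child; None means unbounded.
CARDINALITY = {
    "IncidentID": (1, 1), "ReportTime": (1, 1),
    "Description": (0, 1),      # stated on the slide
    "Assessment": (1, None),    # stated on the slide
    "Method": (0, None), "Contact": (1, None), "EventData": (0, None),  # assumed
}
ENUMS = {  # values for the two ENUM attributes on the slide (assumed)
    "purpose": {"traceback", "mitigation", "reporting", "other"},
    "restriction": {"public", "need-to-know", "private", "default"},
}

def build_incident(soc, incident_id, purpose, restriction, report_time,
                   assessments, contacts, events, descriptions=()):
    """Client-side 'XML Composing' step: build <Incident> and serialise it."""
    inc = ET.Element("Incident", purpose=purpose, restriction=restriction)
    # IncidentID names the SOC that assigned the code, as the slide indicates.
    ET.SubElement(inc, "IncidentID", name=soc).text = incident_id
    ET.SubElement(inc, "ReportTime").text = report_time
    for tag, values in (("Description", descriptions), ("Assessment", assessments),
                        ("Contact", contacts)):
        for v in values:
            ET.SubElement(inc, tag).text = v
    for start, end, source, target in events:   # EventData: times, source, target
        ev = ET.SubElement(inc, "EventData")
        for tag, v in (("StartTime", start), ("EndTime", end),
                       ("Source", source), ("Target", target)):
            ET.SubElement(ev, tag).text = v
    return ET.tostring(inc, encoding="unicode")

def validate_incident(xml_text):
    """Receiver-side check: returns a list of violations (empty = accepted)."""
    root = ET.fromstring(xml_text)
    if root.tag != "Incident":
        return ["root element must be Incident"]
    errors = [f"{attr} not in enum" for attr, allowed in ENUMS.items()
              if root.get(attr) not in allowed]
    for tag, (lo, hi) in CARDINALITY.items():
        n = len(root.findall(tag))
        if n < lo or (hi is not None and n > hi):
            errors.append(f"{tag}: {n} occurrence(s), allowed {lo}..{hi or '*'}")
    for ev in root.findall("EventData"):
        if ev.find("StartTime") is None or ev.find("EndTime") is None:
            errors.append("EventData needs StartTime and EndTime")
    return errors
```

A record with two Description elements or no Assessment is rejected with a message naming the violated bound, which is the point at which a real deployment would consult the NSOC DTD instead of this hand-written table.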

Future Plan

• Enhance international cooperation through the International Group
• Enhance IT security protection capabilities
• Play the key role in government IT security
• Provide security consulting services to organisations


    Thank you very much