MONGOLIAN CIRT (CYBER INCIDENT RESPONSE TEAM)
Khaltar Togtuun (PhD, ass. professor)
Managing director of MonCIRT
MONGOLIAN SITUATION
• Mongolian Internet infrastructure is a vulnerable target for attack
• In recent years the attack techniques have become sophisticated
• Rapid proliferation of viruses, Trojans and worms
• Terminals become the zombie computers of botnets
• Critical infrastructure can be affected by attacks on information infrastructure
• There were some incidents in the financial sector
• Some cyber crimes have been registered
• The information infrastructure and broadband are developing quickly
• Information security knowledge of Internet users is low
MONGOLIAN CIRT
• Mongolian Cyber Incident Response Team was established in 2007 to create a national information security system, to enhance cyber security and to provide support in the protection of critical infrastructure
• The reactive service started at the end of 2007
• In 2008, planning to start proactive and security quality services
• The purpose of MonCIRT is to become the nation's most trusted referral agency of the Mongolian community for responding to computer security and cyber security incidents as and when they occur
• In the future, to become a CERTs coordination center
• Will also assist organizations in implementing proactive measures to reduce the risks of cyber security incidents
MONCIRT MISSION
• To become the guarantor of information and communication technology development of the steppe country
• To enhance the security of Mongolia's communications and information infrastructure through proactive actions and effective collaboration
• To prevent and respond to incidents which take place in the Mongolian segment of the Internet
MONCIRT PROJECT
To create MonCIRT, we developed a project in 2005. We consider that, for successful implementation of the project, it is necessary to set the following goals:
• To determine the mission and function of the MONCERT, to develop the operation rules of the MONCERT
• To determine the structure and internal organization of the MONCERT, to select its staff members
• To train the selected staff members
• To collect and analyze data on cyber attacks, cyber damages, level of protection of users and ISPs, and on their information security knowledge
• To find patrons and sponsors
• To obtain the equipment, hardware and software
• To start the MONCERT operation
• To offer free service for users and ISPs, to carry out registration and keep statistics
• To establish hotline communication with other CERTs, APCERT and FIRST, to cooperate with them and to provide mutual help
MONCIRT CREATING STAGES (PLANNED)
• Step 1: Obtain government support and buy-in
• Step 2: Determine the MonCIRT strategic plan
• Step 3: Gather relevant information
• Step 4: Design the MonCIRT vision
• Step 5: Communicate the MonCIRT vision and operational plan
• Step 6: Start MonCIRT operation
• Step 7: Promotion of MonCIRT
• Step 8: Evaluate MonCIRT effectiveness
Now we are in stage 7
ORGANIZATIONAL MODEL OF MONCIRT
Initially operates as a Security Team. From 2009 will work as a CERTs coordination center.
Managing Board
Managing Director
Bookkeeper
Incident handler /group leader/
Manager
Vulnerability handler /expert/
Technology Watchers -4
Malware expert
Botnet analyst
System administrator
Artifact and IDS analyst
Organizational structure of MonCIRT
CONSTITUENCY OF MONCIRT
[Figure: map of Mongolia labelled with province and city names]
• Serve all of society
• Best-effort service for users of ISPs
CURRENT ACTIVITY
• Incident coordination among organizations and aimaks (provinces) of Mongolia
• Distributing documents about security incidents and vulnerabilities
• Anti-spam, phishing, pharming, social engineering scams
• Guidance on building other teams in critical infrastructure organizations
• Research and development
• Creating a honeynet
• Installing IDSs in main gateways
• Creating a single point of contact for reporting incidents
• Developing handbooks and guidelines in Mongolian
INCIDENT CATEGORIES HANDLED BY MONCIRT
• Worm, Trojan and viruses (286 times)
• System intrusion / compromise (2 times)
• DoS attack / abnormal (5 times)
• Port scan (63 times)
• Spam, phishing, pharming (184 times)
(from August till December 2007)
MONTHLY INCIDENT REPORT (DECEMBER 2007)
[Chart: Incident Category]
[Chart: Port scan reports by service (Web, rpc, sshd, dns, print, other), 65 times]
ONGOING PROJECTS
• IDS based on autonomous agents
• Cooperative incident handling system with Government Communication Department
• Incident handling and artifact handling handbooks in Mongolian
• Honeynet
• Incident database
WE NEED
• Sharing of information and lessons learned with other CERTs
• Incident analysis and response experiences
• Auditing and penetration testing experiences
• Education and training, site visits
• Technical support in creation of vulnerability database, Incident Tracking System, infrastructure building
• Forensics tools
• Experiences in botnet analysis