LARGE SCALE ATTACKS
Lessons learnt
Proposals for National and EU Policy

Ferenc Suba J.D., MA
Chairman of the Board, PTA CERT-Hungary
Vice-chair of the MB, ENISA


Post on 13-Jan-2016


TRANSCRIPT



Large scale attacks

1. Large phishing attack against Hungarian banks:

7 banks in HU, for 2 weeks, "foreign" attacks from an international botnet administered by 4 virtual domain name servers (all abroad, from Asia, Europe, Americas)

2. Attacks on Estonia (international aspects):

attacks from 4000 compromised machines (ca. 50% from the Americas, 12 from HU)


The response

Phishing in HU (national + international response):
- PTA-CERT Hungary as coordinator
- With the help of CERT community + HU Banking ISAC
- Localisation + shutting down of VDNS (all abroad)
- Within 4-12 hours
- Notification of ISPs via national CERTs
- Notification of clients from the banks
- Filing a case against unknown persons at the police

Estonian crisis (international response):
- Finnish national CERT + US CERT as coordinators
- With the help of CERT community
- Localisation + cleaning of compromised machines
- Within 2 weeks (after FIRST and TF-CSIRT involvement)
- Notification of ISPs, system administrators via national CERTs


Lessons learnt
Proposals for National Policy

Not enough or lacking:
- Preparedness
- Early warning
- Manpower
- Coordination
- Communication with international partners
- Media work

National policy:
- Government support (national strategy, responsible HLO, money)
- Crisis management plan
- Early warning system
- National CERT
- National coordination body (private sector, policy makers, law enforcement, CERTs)
- Involvement of international CERT community
- Communication plan
- Regular exercises


Financial ISAC in Hungary

- History: joint comexes with banks since early 2006

- Great leap forward: large phishing attacks in Dec 2006

- Constituents: CERT-HU, Law Enforcement, Banking Assoc. of HU, Financial Supervisory Authority

- Activity: information sharing, exercises, recommendations, coordination

- Results: TLP, Advisory, complex exercises (simulated DDoS attack, insider attack)

- Future: FSA recomm. on the security of internet banking, coop. with similar ISACs (GOVCERT.NL, AUSCERT, DHS)


CIIP in Energy Sector

Reason: proprietary systems are vulnerable, too!

Keywords: CO-OPERATION, COMMUNICATION, EXERCISE

USA: ISAC Model (branch specific co-op. under DHS)

Europe: EU-SCSIE (Shell, Electrabel, Swissgrid, EDF, CERN, SEEMA, MELANI, CERT-Hungary)

Global: Meridian Process Control WG

Hungary: CIIP WG (MOL, Paks, MAVIR, Telco, CERT-Hungary)


Legal instruments of International Collaboration, future

- No legally binding international agreements
- Basic instrument: Memorandum of Understanding for co-operation
- Reasons: legally binding procedures too slow + flexibility
- FIRST: two faces: association incorporated according to Californian law + conference = annual general meeting
- ICANN: association incorporated according to Californian law
- Future at international level: Governments enter into this area of international co-operation (e.g. NATO Cyberdefence Policy)
- Future at national level: Act on Information Security, Government Decision


Thank you!


PTA CERT-Hungary: www.cert-hungary.hu

Puskás Tivadar Közalapítvány: www.neti.hu

ENISA: www.enisa.europa.eu