cert -tcc world bank, 7 november 2006 [email protected] overview about the tunisian experience in...
TRANSCRIPT
CERT-TCC, World Bank, 7 November 2006
Overview of the Tunisian Experience in Developing ICT Security
and a fast overview of the urgent needs of developing countries
Prof. Nabil SAHLI, Head of the CERT-TCC
National Agency for Computer Security, CEO
TUNISIA
Plan
- Fast overview of the Tunisian experience and strategy in IT security
- Insights into the Tunisian CERT-TCC activities
- Overview of awareness & information actions
- Overview of assistance for incident handling (CSIRT)
- Overview of establishing a watch and alert center (ISAC “Saher”)
- Overview of professional training & education actions
- Overview of the research & development strategy
- The role of NGOs
- Some specificities and needs of less developed countries
About TUNISIA (CARTHAGE, in history)
Motto: "Order, Liberty, Justice"
Capital: Tunis
Time zone: CET (UTC+1)
Official language: Arabic
Education languages: French/Arabic
Independence: from France, March 20, 1956
Area: 63,170 sq mi (92nd)
Population: 10,102,000 (July 2005 est.); 8,785,711 (1994)
Internet penetration: 10%
Number of ISPs: 12 (2 Gb/s, end 2006; ADSL, VSAT, WiMAX)
PC/family: 4%
Number of cyber-parks (incubators): 6 (5 regional)
Education: 40 000/year (2006) in ICT fields
Internet TLD: .tn
Fast overview about the Tunisian Experience and strategy in IT Security
A fast historical overview
End 1999: Launch of a unit (a “Micro-CERT”) specialized in IT security. Objective:
- Sensitize policy-makers and technical staff about security issues
- and create a first task force of Tunisian experts in IT security
(+ monitoring the security of highly critical national applications and infrastructures)
From end 2002 (“certification of the role of IT security as a pillar of the « Information Society »”): the unit starts establishing a strategy and a National Plan in IT security (national survey for fixing priorities, volume of actions, needed logistics, supporting tools, ...).
January 2003: Decision of the Council of Ministers, headed by the President and dedicated to informatics and IT security, on:
- The creation of a National Agency specialized in IT security (the tool for the execution of the national strategy and plan)
- The introduction of mandatory and periodic security audits (pillar of our strategy)
- The creation of a “body of certified auditors” in IT security
- + some accompanying measures (launch of masters in IT security, …)
February 2004: Promulgation of an “original” law related to ICT security (Law N° 5-2004 and its 3 related decrees):
- Obligation for national companies (ALL public + “big” and sensitive private ones) to do periodic (now annual) security audits of their IS.
- Organization of the field of security audits: audits are made by CERTIFIED auditors (from the private sector); definition of the process of certification of auditors; definition of the auditing missions and of the follow-up process (ISO 17799).
- Creation and definition of the missions of the National Agency for Computer Security (which does not deal with national security & defense issues), created under the Ministry of Communication Technologies.
- Obligation to declare security incidents (viral, mass hacking attacks, ...) that could affect other IS, with guarantee of confidentiality, by law.
In addition to previous laws:
- Law on Electronic Signature and e-commerce (Law N° 2000-83)
- Law Against Cyber-Crimes (Law N° 1999-89, Art 199)
- Law on consumer protection and respect of intellectual property (Law N° 1994-36)
- Law on protection of privacy and personal data (Law N° 2004-63)
2005: Consolidation of the CERT-TCC & effective launch of the NACS (37 people (17 engineers + 12 technicians); 50 in 2007)
Main current axes of the Tunisian strategy in IT security
- Permit a secure « opening » and strong integration of national information systems (e-administration, e-banking, e-commerce, ..)
- Promote training and awareness activities in ICT security
- Improve the safety of the national cyber-space and confidence in the use of the Internet and ICTs
- + Work for the ROI, through employment, export of services & attraction of foreign investment
- Launch R&D activities, relative to our priorities
- Make laws and regulations “up to date” and adhere to international conventions and treaties
Instruments (National Plan) = National Agency for Computer Security & its CERT/TCC
Tasks of the National Agency for Computer Security (N.A.C.S.) (according to the law on ICT security)
(created under the Ministry of Communication Technologies)
In charge of the implementation of the national plan and strategy in IT security:
- Monitoring the implementation of security plans and programs in the public sector (with the exception of applications that are proper to National Defense and National Security)
- Coordination among stakeholders in the field of IT security
- Promulgation of best practices and regulations in the field of IT security
- Fostering the development of national solutions in the field of computer security and promoting such solutions in accordance with the national priorities
- Consolidation of training and re-training in the field of computer security
- Follow-up of the execution of the recommendations of mandatory security audits
Overview about CERT-TCC (Computer Emergency Response Team - Tunisian Coordination Center)
SERVICES & ACTIVITIES
Hosted by the National Agency for Computer Security
In the future: some activities will « go » to the private sector
Cert/TCC disseminates information about vulnerabilities and malicious activities, and awareness material:
Broadcasts information (collected through the monitoring of multiple sources) through mailing list(s):
- More than 6 500 voluntary subscribers
- More than 200 e-mails sent during 2006 (more than 500 product vulnerabilities declared)
Various Rubrics : Threats :
Information :
Information & Alert
1- Highly critical vulnerability in ………….., which permits ……
2- Medium level vulnerability in ………….., which permits ……
3- ………………..
1- “Product name”
Concerned platforms: ……
Concerned versions: ………
Brief description: ……..…….
For more details: (urls)
SOLUTION ………. ……….
2- “Product name” …………………
Object: …………..
Concerned platforms and systems: ……
Effects
Visible traces
Ways of propagation
National propagation
International propagation
More details (urls)
Preventive
Measures
+ On-going work: development of guides on best practices and open-source security solutions & a monthly newsletter.
Mailing-list rubrics: .Vulnerabilities (users) .Administrators (Security Officers) .VIRUS
.Vulnerabilities .Virus .Spam .Hoax .Precaution .Administrators .Alert
.Tools .Open-source .Announces .Books
Cert/TCC is very concerned with awareness
- Develops and distributes awareness material: guides, brochures (8), CDs (free security tools for domestic use, open-source tools, voluminous MS patches)
- Organizes booths in all national and regional exhibitions (demonstrations of attacks get people in touch with the reality of risks and the importance of best practices)
- Co-organizes & intervenes in all conferences & workshops (16 interventions during this year) and acts more on sensitizing decision-makers & public controllers, for smoothing the “bureaucratic” barriers
- + Publishes awareness material through its mailing list (rubrics .Precaution, .Flash, .Tools, .Open-source)
Production of awareness material: WB Project (Loan)
+ Relies on the press for raising awareness of the broad population:
- Press-relations position in CERT/TCC (a journalist who prepares and provides material to journalists: motivation ..)
- Average of 3 papers/week published during the last semester
- Participates in the animation of weekly rubrics in 5 regional and national radio stations (3 in 2005)
- + Preparation of a course on IT security trends for students in journalism
The promulgation of the mandatory annual security audit (law on computer security) = best awareness instrument for IT professionals and decision-makers; + the audit includes awareness sessions, given by auditors for the whole staff
+ Acts for raising youth and parents' awareness, in collaboration with specialized centers and associations:
- Preparation of a first pack of short (awareness) courses for primary school
- Development of special pedagogical material for children & parents: guide, 3 “cartoons”, quizzes
- Development of a special rubric on the web site and inclusion of a special mailing-list rubric for parents (parental control tools, risks, ..)
CERT-TCC's ISAC (Information Sharing and Analysis Center)
Project “Saher”
« Saher »
A watch center (based on open-source solutions) which permits monitoring the security of the national cyber-space in real time, for the early detection of massive attacks and the minimization of their impact. (First prototype deployed during WSIS, November 2005.)
Gathering & pre-processing: gathering and filtering of large sets of network data to identify unauthorized and potentially malicious activity (worms, attacks, scans, …).
Analysis & correlation:
- Tool “WebObserver”
- Flows control triggers
- Automatic alert triggers
- Scripts for traces correlation
- Tools for flows control & analysis
- Trace tools
- Scripts for “smart honey-potting”
- Technical proactive measures and counter-measures
[Diagram labels: HoneyPots, HoneyNet; Secure connections (SSH); Mail anti-virus server (script) reports; Corporate networks; ISPs; IDCs; N.IDS (Snort); Incident reports (call center, fax, web site); Alert; Reaction plan « AMEN »; Community alerting; ISAC “Saher”; CERT-TCC Computer Center; Distributed corporate ISACs (IDCs) « Saher II »]
Computing resources: WB Project (Loan)
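An added sketch (not CERT-TCC's or Saher's own code) of the kind of trace correlation and automatic alert trigger named on this slide: it parses Snort fast-alert lines collected from several sensors and raises one alert when the same signature is reported by several sensors, from several sources, inside a time window. The sensor-name prefix, the thresholds, the signature IDs and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Snort "fast" alert line, prefixed with a sensor name. The prefix is an assumed
# convention of the central collector, not part of Snort's own output.
ALERT_RE = re.compile(
    r"^(?P<sensor>\S+)\s+"
    r"(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{1,6})\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+(?P<dst>\d+(?:\.\d+){3})(?::\d+)?"
)

# Constructed sample input (documentation address ranges, made-up signatures).
_FMT = ("{sensor} 11/07-{t}.000000  [**] [1:{sid}:1] {msg} [**] "
        "[Classification: Misc activity] [Priority: 2] {{TCP}} {src}:40000 -> {dst}")
_WORM, _SSH = "CONSTRUCTED worm scan tcp/445", "CONSTRUCTED ssh login failure"
SAMPLE_LINES = [
    _FMT.format(sensor=s, t=t, sid=sid, msg=msg, src=src, dst=dst)
    for s, t, sid, msg, src, dst in [
        ("isp-a", "10:00:01", 1000001, _WORM, "192.0.2.10", "198.51.100.5:445"),
        ("isp-b", "10:00:20", 1000001, _WORM, "192.0.2.11", "198.51.100.77:445"),
        ("idc-1", "10:00:45", 1000001, _WORM, "192.0.2.12", "198.51.100.130:445"),
        ("isp-a", "10:01:10", 1000001, _WORM, "192.0.2.13", "198.51.100.9:445"),
        ("corp-7", "10:01:30", 1000002, _SSH, "203.0.113.9", "198.51.100.20:22"),
        ("corp-7", "10:01:31", 1000002, _SSH, "203.0.113.9", "198.51.100.20:22"),
        ("isp-b", "10:01:50", 1000001, _WORM, "192.0.2.14", "198.51.100.80:445"),
        ("idc-1", "10:02:05", 1000001, _WORM, "192.0.2.15", "198.51.100.131:445"),
    ]
] + ["truncated or corrupted line from a sensor"]


def parse_alert(line, year=2006):
    """Return one parsed alert as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    # Fast alerts carry no year, so the collector has to supply it.
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"sensor": m["sensor"], "ts": ts, "sig": f"{m['gid']}:{m['sid']}",
            "msg": m["msg"], "src": m["src"], "dst": m["dst"]}


def correlate(lines, window=timedelta(minutes=5), min_sensors=3, min_sources=5):
    """Flag signatures seen by many sensors from many sources within `window`."""
    events = sorted((e for e in map(parse_alert, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # signature -> alerts still inside the window
    active = set()                # signatures already alerted on (no re-trigger)
    triggers = []
    for ev in events:
        q = recent[ev["sig"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        sensors = {e["sensor"] for e in q}
        sources = {e["src"] for e in q}
        massive = len(sensors) >= min_sensors and len(sources) >= min_sources
        if massive and ev["sig"] not in active:
            active.add(ev["sig"])
            triggers.append({"signature": ev["sig"], "msg": ev["msg"],
                             "triggered_at": ev["ts"], "sensors": sorted(sensors),
                             "distinct_sources": len(sources)})
        elif not massive:
            active.discard(ev["sig"])   # activity died down; allow a new alert later
    return triggers


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LINES):
        print(hit["triggered_at"], hit["signature"], hit["msg"],
              "sensors:", ",".join(hit["sensors"]),
              "sources:", hit["distinct_sources"])
```

Repeated alerts from a single sensor and a single source (the constructed SSH signature) stay below both thresholds and do not trigger, and unparseable lines are skipped rather than aborting the run.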
“Amen”: alert handling plan
- “Formal” global reaction plan.
- Establishment of coordinating crisis cells (ISPs, IDCs, access providers), with CERT/TCC acting as a coordinator between them.
“Amen” was deployed 6 times: during the Sasser & MyDoom worm attacks, during suspicious hacking activity and, proactively, during big events hosted by Tunisia (only with ISPs and the telecommunication operator).
Disaster-recovery infrastructures
National project for building a National Disaster-Recovery Center (managed by the National Center for Informatics, with funds from the World Bank)
Funds for studies:
- for the establishment of disaster recovery plans for some critical national applications
- for the improvement of protection of the national cyber-space against big DDoS attacks
Study & implementation: WB Project (Loan)
Public & private institutions must inform the National Agency for Computer Security about any incident which may affect other information systems.
Private and public organizations should trust the CERT-TCC call for assistance.
Stipulates that the employees of the National Computer Security Agency and security auditors are responsible for the preservation of confidentiality and are liable to penal sanctions.
Article 9 of the Law No. 2004-5 relative to IT security
Article 10 of the Law No. 2004-5 relative to IT security
CSIRT
+ Acting for the emergence of corporate CSIRTs in some sensitive sectors (e-gov, e-banking, energy, transportation, health)
CERT/TCC provides:
o A CSIRT team in charge of providing (free of charge) assistance for incident handling
o A call center, available 24 hours a day, 7 days a week
+ A “citizen's assistance service”, to which home users can bring their PC to solve security problems or install security tools (anti-virus, PC firewall, anti-spam, ..), free for domestic use.
With guarantees for confidentiality:
Assistance project: WB Project (Loan)
Professional training
- Establishment of a task force of trainers in IT security. Launch of training courses for trainers (private sector).
- Training sessions for 100 trainees (loan from the World Bank; 35 trainers in the 3 basic fields of ICT: network security, systems security, methodologies of security assessment (ISO 17799, ISO 19011, ISO 27001) and organisational aspects)
- Preparation of 4 additional training modules for trainers, end 2006.
Re-training of professionals:
- Organisation of trainings (in collaboration with training centers & associations):
  - for security auditors (night sessions for professionals, as a preparation for the certification exam)
  - for security administrators (periodic sessions for the administrators of e-government applications)
  - preparation of 2 training sessions for judges and law enforcement staff
- Acting to motivate private training centers' activities in IT security (average of 2 seminars a month in 2005).
- Acting to help professionals get international certifications: CISSP exam preparation training
WB Project (Loan)
Education
- Collaboration with academic institutions for:
  - Developing masters in IT security (now, a master's degree in IT security permits obtaining the auditor certification). In 2004: launch of the first master in IT security (collaboration between two universities). Now: 4 masters (2 public & 2 private universities). Next academic year: 7 (3 regional).
  - Preparation of training modules (5) for teachers from the university.
  - Inclusion of security modules (awareness) inside academic and education programs.
+ Hosting of students' projects by the CERT/TCC (15 in 2006)
Insights into the Tunisian Strategy in the Field of Open-source
Open-source = a “Seducer”
An extremely rich repertory of “free” and efficient security tools:
+ Source code available
+ Conformity to standards (IETF)
+ Documentation and assistance provided widely and freely on the Net by the dynamic open-source community
Permits economical deployment of security solutions, with the required cardinality (number of licenses) & completeness (categories of needed tools)
+ A big catalyst for the emergence of research & development activities
[Diagram labels: Swatch; Management console; Amavis; SendMail; Spam Assassin; INTERNET; OpenLDAP; Apache; WebMin; HoneyD]
CERT/TCC is acting:
- For sensitizing young investors (by providing “markets”), to:
  - First step: provide support for open-source tools deployment (installation, training, “maintenance”)
  - Then: customization of open-source solutions (for clients' specific needs)
  - End: launch of research/development activities
- For raising awareness about the benefits (& limits) of the deployment of open-source tools.
- Formulation (funds) of 4 projects for the development of security tools (from open-source) for the private sector (including improvement of the system “Saher”).
- Definition of 5 federative research & development projects for academic laboratories (under the supervision of the Ministry of Scientific Research).
- Collaboration with the university for the launch of a research laboratory specialized in open-source security tools (loan from the World Bank).
Induction of synergy between national actors
Rely on associations (NGO)
Motivates the creation of specialized associations in IT security:
• An academic association was launched in 2005: “Tunisian Association for Numerical Security”.
• A professional association: “Tunisian Association of the Experts in Computer Security”.
• In project: an association of ISPs
- In collaboration with associations (NGO):
- Organisation (ATIM, ATSN, JCI, ATAI, ...) of awareness actions (10 seminars and workshops)
- Motivation (funds) for the development of self-assessment methodologies (adapted to our stage) & guides of best practices
- Realization of national surveys about IT security:
• An electronic national survey was done at the end of 2003, for the tuning of the national plan (weaknesses, urgent actions and their volumes)
• A new survey is prepared for 2006, with participation of the 2 associations
- Implication for evaluation of actions & revision of action plans
- Implication for the development of models of books for tender of offers (ensures fair competition, attracts more private investment in the field):
• Publication of a “model for tender of offers” for risk assessment operations (with consultation and validation of private auditors)
• Development of models of books for tender of offers for commercial security tools acquisition (firewalls, IDS, …)
• Open-source security tools deployment (training, assistance)
After consolidation of its (national) activities, starts, in 2006, foreseeing international collaboration
International collaboration
- CERT/TCC is co-founder and General Secretary of the new OIC-CERT (President: Malaysia; members: Nigeria, UAE, Pakistan, Saudi Arabia; for funds from IDB)
- CERT/TCC foresees being a member of “FIRST” during 2006. Launch of a mission of assistance for sponsorship by a private member of FIRST: CERT-IST (loan from the World Bank)
- CERT/TCC is very active inside ITU (Action Line C5). Being organised: an international conference sponsored by ITU, in Tunisia, “ICT cybersecurity for Development 1”, 27-28 March 2007
- Is a member of the Microsoft SCP program (contract under signature) + ……
“Cyber Security for Development I”, 26-27 March 2007
Echoing the WSIS I Geneva Declaration and Action Plan C5, the conference is intended to:
• Present worldwide case studies of national ICT security strategies, with their success and failure stories.
• Present worldwide case studies in developing watch, warning and incident response capabilities, and measures to be taken to develop or refine such capabilities.
• Study mechanisms and partnership opportunities between stakeholders, for concrete actions concerning the support to provide for less developed countries.
• Present current and future technological trends, with special attention to the open-source field, and evaluate their impact on national strategies.
• Identify common policies and orientations in developing national regulations and legislative approaches and in fighting spam, trying to bridge and network between initiatives and experts.
+ CLEAR COMMITMENT TO:
- Contribute to developing measures to deal with large-scale or regional network security incidents & share information relating to security incidents
- Improve links to international network security groups and collaborate with the international frameworks for the launch of collaborative actions on subjects of mutual interest
- Establish partnerships with the private sector to promote network security in the region
- Participate in the setup of a regional CERT (African countries), to help other countries that do not have national CERT bodies, and contribute to setting up “emergency task forces”.
- Along with other CERTs, share our modest experience (errors, success stories) and provide (FREE of CHARGE), and as available at this stage, assistance and logistics (hosting of trainees, awareness material, Saher, open-source training, …) for the establishment of CERT/ISAC/CSIRT in developing countries.
- Collaborate with other CERTs and provide collaboration in investigations about incidents seemingly originating from Tunisia.
Less Developed Countries
“In Mind”
« In HEART »
« Raw Reflexions »
About less developed countries
Less developed countries:
- Use of their ICT infrastructures by foreign intruders (relays of spam, botnets, phishing, …)
- Also, a potential future “reservoir of hackers” (unemployment, lack of entertainment, feeling of injustice and need for expression, …)
+ Risk of more digital divide, by undermining confidence in ICTs
Need for urgent actions (« HELP »)
A safer (cyber-)world FOR ALL
In fact, SELF-INTEREST: to prevent the creation of criminal havens
Some characteristics and needs of less developed countries
Lack of awareness: necessity of a pragmatic approach:
- Raise awareness of politicians and policy-makers + provide funds (loans, donations via “HELP” programs) & technical assistance
- Launch of a “nucleus” of local CERTs, which provides a first “nest” of local experts, who will be in charge of:
  - raising awareness of IT managers & administrators, who will be the task force in charge of “attacking” IT users
  - & finally, the broad population, by a progressive approach (taking care not to frighten)
  - establishing a national strategy and plan for treating cyber-security issues, according to the state of development of each country
Lack of experts:
- Necessity to help the set-up of a first task force of local experts: need for training
“Poor” economies (& almost total lack of protection tools)
- Cruciality of awareness and information about best practices (the “proactive approach”): provide help to local CERTs (awareness material, …).
- Encourage the use of open-source products (in parallel with commercial ones):
  - Need for raising awareness about the capabilities offered by the open-source field & for trainers in the open-source field
  - Need for “cheap” commercial licences & assistance
- Need for the provision of “central” protection (NIDS, anti-virus, ..) at the level of ISPs
- Provide/dedicate CSIRT teams, ready to intervene in case of emergencies in LDC (“Cybernetic Red Cross”; it is Information Society …)
What is needed from the various stakeholders
[Diagram labels: Industry, Business; Developing Countries; Developed Countries; NGO, Civil Society; Intruders; Society; « UNDER CONTROL » WIS]
Expectations from the industry
- Pursue the maintenance of « old » versions (it is their responsibility), or provide LIGHT versions requiring less processing power.
- Take care to draw attention to hidden risks (also those where usual basic competence is assumed), and still provide « more pedagogic » documentation.
- Security industry: provide “special” prices (relative to the standard of living).
- ISPs connecting Less-DC should foresee how to « clean » flows; better: provision of cheap training and assistance for local ISP staff.
- Access providers connecting Less-DC should foresee how to provide protection against DDoS attacks (cheap back-up connections) …………
Special treatment = an investment in, hopefully, future growing markets (= marketing)
Expectations from the civil society
- Associations & forums in IT security (FIRST, CERT/CC, …) should:
  - Include a special rule for becoming a member = « help » provided to Less-DC
  - Encourage more work on solutions adapted to the Less-DC stage and reality
- International normalisation organisations (ITU, …) should take into account the « specific stage » of Less-DC for:
  - Clearer guidelines about strategies of evolution
  - More representatives from Less-DC in workgroups (clear schemes of migration (of – DC) to new technologies and norms)
- Humanitarian NGOs should:
  - Create cyber-protection emergency units (it is Information Society …)
- Rules for the responsibility of developed & developing countries to take immediate measures against the use of Less-DC infrastructures (as « hostages ») by local intruders
- ………………..
[Diagram labels: Industry; Industry, Business; NGO, Civil Society; Intruders; Society]
Expectations from the governments
Developing countries should:
- Provide guidelines about the lessons learned in their evolution (they were Less-DC)
- Provide « cheap » technical assistance
- Be a « comprehensive » link between DC & Less-DC
Developed countries: « ALL THE REST »
[Diagram labels: Industry, Business; Developing Countries; Developed Countries; WB & other development banks; NGO, Civil Society; Intruders; Society]
IT IS STILL POSSIBLE TO DREAM & LOVE
(Beautiful mysteries of BRAIN & LIFE)
[Diagram labels: Industry, Business; Intruders; Society; NGO, Civil Society]
How to organize for that
To best effect, and to maximise the success of international « aid » for LDC, it is essential that we try:
- Combining skills and efforts of all stakeholders (private sector, NGO, governments) from both developed and developing countries, with inputs and guidance from international experts, research centers (CMU, ..), centers (CyLab, CMU, CERT/CC, …) and CERTs (CERT/CC, ..)
- For efficiency (capitalization of efforts): motivate the launch of regional CSIRTs (Africa, Asia, ME, South America, ..), with the task of helping regional LDC countries establish CSIRTs (OIC-CERT). This better addresses problems that are specific and common to several countries in each region (similar language/culture/state of development/time/address block/…) & capitalizes efforts/actions (training, ..)
- Raising awareness of regional development banks (African Bank for Development, Islamic Bank for Development, …): provide funds for ICT security development
CERT/TCC's COMMITMENT: our modest experience & logistics are offered “FREE of charge” for participating with other countries in international “AID” programs,
and we will try to come out with concrete actions in the coming multi-stakeholder meeting dedicated to Less-DC, under the supervision of ITU and other international organizations
THANK YOU
Pr Nabil SAHLI, Ministry of Communication Technologies,
Head of the CERT/TCC
National Agency for Computer Security, CEO
Some guidelines
(Main axes of the Tunisian strategy in IT security)
1- Launch of an entity (unit/agency, ..) specialized in IT security, in charge of defining and implementing a national plan in IT security (+ a survey for evaluating priorities and volume of needs)
Security of national information systems
Puts rules for ensuring a sure and progressive improvement of the security of IS and the follow-up of realistic and efficient security plans:
- Periodic risk assessment
- Identify & regroup the « heavy » investments to engage: provide national infrastructure for the recovery of critical national applications (disaster recovery infrastructures)
- Provide technical assistance for guaranteeing a safe protection of the important IS and critical infrastructures
- Permit a secure « opening » and strong integration between national information systems (e-administration, e-banking, e-commerce, ..)
- Reinforce the role played by the private sector and assist it to evolve (provide “markets”, training, help for certification, fair competition, ..)
- Adopt regulatory rules for public and also sensitive private entities
Case of Tunisia: institution of mandatory periodic security audits of ALL public and sensitive private information systems: 1- Raise awareness. 2- Guarantee the improvement of the security of IS (well-established security plans, taking into account the reality of resources and ensuring a realistic and efficient upgrade).
Security of the national cyber-space
Permits a confident use of ICTs and the Internet (« Information Society »):
- Implement efficient tools of coordination between stakeholders in case of cyber-space attacks
- Development of:
  - Mechanisms for early detection of attacks (ISAC system)
  - Efficient reaction plans
- Provide the needed assistance and support in the field of IT security (CSIRT teams)
“Know-how” in IT security
Reach a relative technological autonomy:
- Improve national R&D capabilities and make them more responsive to urgent needs.
- Encourage the development of national solutions and tools related to the « heavy » and strategic needs (starting from open-source tools).
- Ensure efficient « technological follow-up » in the field.
- Encourage basic (university) research in the important topics (cryptography, methodologies, mechanisms).
- Motivate the emergence of academic associations in the field of IT security.
Training and awareness in IT security
Security relies more on awareness and good practices than on tools
- Reinforce the potential of trainers in IT security
- Launch specialized academic diplomas in IT security (masters)
- Introduce basic (awareness) courses in ALL academic and school courses
- Encourage high-level (international) certification of professionals in the field (CISSP, …)
- Promote national Computer Emergency Response Teams (CERT) & security associations that will take proactive steps to raise the community's awareness about computer security issues (& provide alerts, information, training, free tools and hot-line assistance)
Juridical and regulatory aspects
Make the law and public regulations “up to date”:
- Adopt/customize norms, regulation rules and certification procedures in IT security and harmonize the task of public regulators.
- Implement efficient mechanisms for controlling abuses (spam, respect of intellectual property, respect of privacy, consumer protection, …)
- Reinforce the competence of judges and investigators dealing with cyber-crimes (training)
- Ensure the “continuous update” of laws, according to the new concerns introduced by IT security, and the correct application of international conventions and treaties (cybernetic crimes, …).
[Diagram labels: Industry, Business; Developing Countries; Developed Countries; UN; NGO, Civil Society; Intruders; Society]
ADDENDUM: Objectives of OIC-CERT (DRAFT):
The purpose of OIC-CERT is to encourage and support the smooth collaboration and cooperation between CERTs among the OIC members. The objectives are as follows:
- Education and Outreach Program for setting up CERTs / CSIRTs among OIC members that do not have a CERT / CSIRT within their respective organisations. The OIC CERT also is able to assist other CERTs and CSIRTs in the region to conduct efficient and effective computer emergency response.
- Strengthen Relationship amongst CERTs / CSIRTs in the OIC member domain. This is to build cooperation amongst OIC members for an effective coordination and management of security incidents. This also will enhance the international cooperation on information security.
- Information Sharing in terms of findings from reported incident cases, so that the information can be used to identify and to correct security vulnerabilities before they can be exploited. This also enables OIC members to share experiences and best practices. This objective will enable the OIC CERT to jointly develop measures to deal with large-scale or regional network security incidents.
- Prevent / reduce cyber terrorism and computer crimes.
- Promote Collaborative Technology Research and Development such as advisory information on potential threats and emerging incident situations, exchanging information on information security reviews and facilitation of research activities in specific areas.
- Providing inputs and/or recommendations to help address legal issues related to information security and emergency response across regional boundaries.
- Report all developments and propose recommendations on decided issues and resolutions to the OIC Secretariat / IDB Secretariat for further action.