
How we work as a national CERT in China

ZHOU Yonglin
CNCERT/CC, China

Addressing security challenges on a global scale
Geneva, 6-7 December 2010


Internet Development in China

By the end of June 2010,
• The number of Internet users was about 420 million, accounting for 31.8% of the total population.
• Broadband users numbered nearly 364 million
• Mobile Internet users numbered nearly 277 million
• Commercial applications showed a remarkable increase.
• Users of online shopping, online payment and online banking numbered 142 million, 128 million and 122 million, accounting for 33.8%, 30.5% and 29.1% of total Internet users.
• Online video users numbered about 265 million
• Benefitting from mobile phone development, online reading users reached 188 million.


Source: MIIT and CNNIC


Internet Security Situation in China: Malicious code activity

• In the first half of 2010, CNCERT monitored:
  • Trojan activity:
    • control servers, counted by IP: 247,235
    • compromised hosts, counted by IP: 3,966,329
  • IRC-Bot activity:
    • control servers, counted by IP: 6,451
    • compromised hosts, counted by IP: 3,148,046
• In the whole year of 2009, about 28 million computers infected with the Conficker worm were in China.


Internet Security Situation in China: Website defacement

• In the first half of 2010, CNCERT monitored:
  – Number of all defaced websites: 14,907, a decrease of 21.75% compared with the same period of 2009.
  – Defaced government websites: 2,574, an increase of 222.56% compared with the same period of 2009.


Internet Security Situation in China: More…

• DDoS attacks
• Phishing
• Smart phone malware
  – ‘DuMusicPlay’ infection: nearly 1 million in first week of Sep.
  – ‘Mobile Skull’ infection: nearly 560 thousand in same week.


About CNCERT

• Full name: National Computer network Emergency technical Response Team Coordination Center of China

• CNCERT/CC is a National level CERT organization, which is responsible for the coordination of activities among all Computer Emergency Response Teams within China concerning incidents on national public networks.

• It provides computer network security services and technology support in the handling of security incidents for national public networks, important national application systems and key organizations, involving detection, prediction, response and prevention.

• It collects, verifies, accumulates and publishes authoritative information on Internet security issues. It is also responsible for the exchange of information and the coordination of action with international security organizations.


About CNCERT

• CNCERT has 31 branches around the nation, located in the provincial capitals.

• CNCERT is a leading organization in the cyber security industry. It also takes the role of the network and information security committee of the Internet Society of China.

• CNCERT is a full member of FIRST and APCERT.


Connections and working mechanism

• Supporting government
  – Ministry of Industry and Information Technology, which is in charge of Internet and telecommunication infrastructure security and of coordinating the safeguarding of online government information systems and social critical information systems
    • CNCERT: collecting security information from the ICT field and issuing advisories, coordinating ISPs and DNRs to clean malware control servers, monitoring attacks on government online systems, etc.
  – Other governments
    • CNCERT: following the cross-department working mechanism, provides technical support such as vulnerability evaluation, incident handling, etc.


• Uniting industries and initiating industrial self-discipline
  – CNVD: China National Vulnerability Database
  – ANVA: Anti Network Virus Association


CNCERT played a key role in the cyber safeguarding of national events

• 2008 Beijing Olympics
• Shanghai EXPO 2010
• Nation Leaders’ Online Talks
• 2010 Guangzhou Asian Games


• Actively join international cooperation
  – Join FIRST and APCERT and relevant events
  – Sign MOUs with CERTs in other countries or regions that have a common interest in incident handling and information sharing.
  – Carry out joint activities during critical periods or incidents.
    • Notice potential conflicts on the Internet during hot foreign affairs
    • Waledac botnet handling: Microsoft initiated the Waledac campaign in the US. In Feb 2010, at MS’s request, CNCERT quickly stopped 16 malicious domain names registered in China.


ACKNOWLEDGEMENT

Many thanks to the ITU-T secretariat, workshop chairman and coordinators for your kind invitation and help.

Many thanks to the development of Internet and telecommunication technology, by which I can join you remotely. Yes, that is what our cyber security guys are fighting for!

CONTACT

zyl AT cert DOT org DOT cn
+86 10 8299 0355
www.cert.org.cn