thaicert annual report english version

110
THAILAND COMPUTER EMERGENCY RESPONSE TEAM (THAICERT) A MEMBER OF ETDA JOINT PARTNERS : OFFICE OF THE ELECTRONIC TRANSACTIONS COMMISSION (ETC), MINISTRY OF INFORMATION AND COMMUNICATION TECHNOLOGY (MICT), OFFICE OF THE NATIONAL BROADCASTING AND TELECOMMUNICATIONS COMMISSION (NBTC) English VERSION

Upload: trannguyet

Post on 14-Feb-2017


Page 1: ThaiCERT Annual report English version

THAILAND COMPUTER EMERGENCY RESPONSE TEAM (THAICERT), A MEMBER OF ETDA

JOINT PARTNERS: OFFICE OF THE ELECTRONIC TRANSACTIONS COMMISSION (ETC), MINISTRY OF INFORMATION AND COMMUNICATION TECHNOLOGY (MICT), OFFICE OF THE NATIONAL BROADCASTING AND TELECOMMUNICATIONS COMMISSION (NBTC)

ELECTRONIC TRANSACTIONS DEVELOPMENT AGENCY (PUBLIC ORGANIZATION)

The Government Complex Commemorating His Majesty the King’s 80th Birthday Anniversary, 120, Moo 3, Ratthaprasasanabhakti Building (Building B) 7th floor, Chaengwattana Road, Thung Song Hong, Lak Si, Bangkok 10210 Thailand

Tel : +66 2142 1160 Fax : +66 2143 8071

www.thaicert.or.th | www.etda.or.th | www.mict.go.th

ISBN : 978-616-91910-0-1

English version


2 ThaiCERT Annual Report


Title: Thailand Computer Emergency Response Team (ThaiCERT) Annual Report

By: Thailand Computer Emergency Response Team (ThaiCERT), Electronic Transactions Development Agency (Public Organization)

ISBN: 978-616-91910-0-1

1st edition: November 2013

Volume: 1,000 issues

Price: 200 Baht

Copyright Act B.E. 2537, all rights reserved

Translated by International Scriberia Company Limited

Published and distributed by

Electronic Transactions Development Agency (Public Organization)

Office of the Electronic Transactions Commission

Ministry of Information and Communication Technology

The Government Complex Commemorating His Majesty the King’s 80th

Birthday Anniversary, 5th December, B.E.2550

120 Moo 3 Chaengwattana Rd., Laksi, Bangkok 10210

Tel: +66 2142 2483

Fax: +66 2143 8071

ThaiCERT Website: http://www.thaicert.or.th

ETC Website: http://www.etcommission.go.th

ETDA Website: http://www.etda.or.th

NBTC Website: http://www.nbtc.go.th

MICT Website: http://www.mict.go.th


Yingluck Shinawatra Prime Minister

Faced with the inevitable need to transform Thailand from an analog to a digital world, we estimate that by 2013 we will have 2.6 million tablets deployed for education; by 2014, the value of e-commerce will be over 60,800 million baht; and by 2015, quality broadband will be available to more than 80% of the Thai population.

It is the government’s responsibility to deal with threats that emerge along with new technology. Hence, the National Cybersecurity Committee was formed and supported by ETDA and ThaiCERT.


ThaiCERT, one of the most significant organizations for cybersecurity, provides valuable support for the implementation of the national “Smart Thailand” policy.

Mr. Anudit Nakorntub

Minister of Department of Information and Communication Technology

I aim to see ThaiCERT play a proactive role in building confidence in Thailand’s electronic transactions.

Mr. Charamporn Chotikasatien

Chairman of the Executive Board of Directors

Electronic Transactions Development Agency (Public Organization)

I don’t want people to remember the Ministry of ICT only for shutting down websites. We have an important role in behind-the-scenes security as well, with the support of ThaiCERT, ETDA.

Mr. Chaiyan Puengkiatpairote*

Permanent Secretary, MICT

*Dr. Surachai Srisarakham is the new permanent secretary since October 1, 2013.


Originating from the National Electronics and Computer Technology Center (NECTEC), the National Science and Technology Development Agency (NSTDA), ThaiCERT has continued its mission to protect online transactions with the establishment of the Electronic Transactions Development Agency (Public Organization). ThaiCERT is, therefore, a priority for us as it is a key organization for national readiness to cope with online threats during AEC integration in 2015.

Mrs. Surangkana Wayuparb

Executive Director, CEO

Electronic Transactions Development Agency (Public Organization)

NBTC is ready to support and strengthen security operations with ThaiCERT, ETDA.

Mr. Takorn Tantasith

Secretary General

National Broadcasting and Telecommunications Commission

We need to create awareness of hidden threats which are being transmitted through our telecommunication network along with regular communication data. I believe that ThaiCERT is a good partner to protect Thai online society.

Mr. Thares Punsri Chairman

National Broadcasting and Telecommunications Commission


Contents

Tables ..... 10
Picture ..... 11
Figures ..... 12
Introduction ..... 15
1. “Cybersecurity” Trust and Confidence in ICT Usage ..... 17
2. Current Status and Readiness of Thailand: Threats & Risks ..... 21
3. CERTs and ThaiCERT Background ..... 29
4. ThaiCERT Annual Report 2012: Threats & Cybersecurity ..... 33
4.1 Services of ThaiCERT ..... 33
4.1.1 Responding and Handling Security Incident Services ..... 33
4.1.2 Security Information Updates ..... 34
4.1.3 Academic-base Security Services ..... 34
4.2 Coordination for Cybersecurity Response and Incident Management ..... 35
4.2.1 Conducting Triage ..... 35
4.2.2 Analyzing and Handling Incidents ..... 36
4.2.3 Providing Expert Opinion ..... 36
4.2.4 Issuance of Notification and Follow-up Action ..... 37
4.2.5 Record of Result and Feedback ..... 37
4.3 Incidents reported to and handled by ThaiCERT ..... 37
4.3.1 The Number of reported Incidents in Thailand via Automatic Feed ..... 39
1.) The incident reports via Automatic Feed 2012 by Threat Types ..... 40
2.) Incident Report via Automatic Feed Categorized by Internet Service Providers (ISP) in Thailand ..... 42
3.) Phishing ..... 44
4.) Malware URL ..... 47
5.) Spam ..... 50
6.) Scanning ..... 51
7.) Botnet ..... 54
8.) Open DNS Resolver ..... 56
9.) Open Proxy Server ..... 57
4.3.2 The Statistics of Directly Reported Incidents ..... 58
4.4 Case studies ..... 67
4.4.1 Intrusion of T.H.NIC Domain Name Management System ..... 68
4.4.2 Dissemination of DNS Changer Malware ..... 69
4.4.3 C&C of Malware Clan “Flame” Discovery ..... 70
4.4.4 Hacking the Email Account of SMS Entrepreneur ..... 71
4.4.5 Phishing in Thai Web Hosting ..... 72
5. CERTs and AEC 2015 ..... 75
5.1 The Roles of CERTs in AEC 2015 ..... 75
5.2 The ASEAN Members’ CERT Reports ..... 77
5.3 Strengthening Collaboration of CERTs Network ..... 81
5.3.1 Building Networks ..... 81
5.3.2 Point of Contact ..... 82
5.3.3 Threat Information Service ..... 82
5.3.4 Standards on Threat Information ..... 83
5.3.5 Incident Drill ..... 83
5.3.6 Deploying Network Sensors ..... 84
6. Threats VS Privacy ..... 87
7. Is Thailand prepared for cyber threat? ..... 93
8. Appendix ..... 97
8.1 Appendix A ..... 97
8.2 Appendix B ..... 99
8.3 Appendix C ..... 102
List of Abbreviations ..... 106


Tables

Table 1: Number of incident reports sorted by threat type ..... 41
Table 2: The number of incident reports counted by unique IP and sorted by threat type during August – December 2012 ..... 41
Table 3: Number of incident reports counted by unique IP and sorted by ISP ..... 42
Table 4: Number of IPs which have been registered by top 10 ISPs in Thailand ..... 43
Table 5: Top 10 number of phishing reports sorted by country ..... 44
Table 6: Number of phishing reports sorted by type of domain name ..... 45
Table 7: Top 10 number of phishing reports sorted by ISP ..... 46
Table 8: Top 10 number of malware URL reports sorted by ISP ..... 47
Table 9: Top 10 number of unique malware URL reports sorted by ISP ..... 48
Table 10: Top 10 number of malware URL reports counted by unique IP and sorted by ISP ..... 48
Table 11: Top 10 number of malware URL reports counted by unique IP and sorted by type of domain name ..... 49
Table 12: Top 10 number of unique malware URL reports sorted by domain name ..... 49
Table 13: Top 10 number of spam reports sorted by ISP ..... 50
Table 14: Top 10 number of scanning reports counted by unique IP and sorted by port number ..... 52
Table 15: Top 10 number of scanning reports counted by unique IP and sorted by ISP ..... 53
Table 16: Top 10 number of botnet reports sorted by ISP ..... 55
Table 17: Top 10 number of open DNS resolver reports counted by unique IP and sorted by ISP ..... 57
Table 18: Top 10 number of open proxy server reports counted by unique IP and sorted by ISP ..... 58
Table 19: Cybersecurity threat type according to eCSIRT ..... 59
Table 20: Number of directly reported incidents to ThaiCERT in 2012 sorted by threat type ..... 60
Table 21: Number of directly reported incidents sorted by type of relevant individuals and their location ..... 61
Table 22: Number of fraud reports sorted by type of relevant individuals and their location ..... 62
Table 23: Number of fraud reports sorted by type of relevant individuals and organizations ..... 62
Table 24: Strategy 2: People Empowerment and Engagement ..... 75
Table 25: Strategy 4: Infrastructure Development ..... 76
Table 26: List of ASEAN+3 CERTS members in APCERT ..... 77
Table 27: The ASEAN+3 cyber attack types reported in the APCERT annual report 2011 ..... 80
Table 28: Classification of Threats according to eCSIRT.net ..... 97
Table 29: Glossary ..... 99

Picture

Picture 1: ThaiCERT procedures for cybersecurity response ........................................35

Picture 2: DNS amplification attack technique ................................................................56

Picture 3: Structure of domain name modification system of T.H.NIC ......................68


Figures

Figure 1: Total wired broadband subscriptions per 100 inhabitants in Thailand compared to other countries (1997-2011) ..... 21
Figure 2: Percentage of Internet users in Thailand compared to other countries (1997-2011) ..... 22
Figure 3: Total number of mobile phone subscriptions per 100 inhabitants in Thailand compared to other countries (1997-2011) ..... 22
Figure 4: Total number of ISO/IEC 27001 organizations as of August 2012 ..... 24
Figure 5: Total number of CISSP certificate holders in Thailand compared to other ASEAN countries as of March 2013 ..... 25
Figure 6: Total number of GIAC certificate holders in Thailand compared to other ASEAN countries as of July 2012 ..... 25
Figure 7: Number of weekly incident reports sorted by threat type during August – December 2012 ..... 40
Figure 8: Number of weekly incident reports counted by unique IP and sorted by threat type and ISP during August – December 2012 ..... 40
Figure 9: Number of incident reports counted by unique IP and sorted by ISP and threat type ..... 44
Figure 10: Top 10 number of scanning reports sorted by port number ..... 51
Figure 11: Top 10 number of scanning reports sorted by ISP ..... 53
Figure 12: Top 10 number of botnet reports counted by unique IP and sorted by malware name ..... 54
Figure 13: Number of directly reported incidents to ThaiCERT in 2012 sorted by threat type ..... 60
Figure 14: Percentage distribution of number of directly reported incidents sorted by type of relevant individuals and their location ..... 61
Figure 15: Percentage distribution of number of fraud reports sorted by type of relevant individuals and their location ..... 62
Figure 16: Percentage distribution of number of fraud victims ..... 63
Figure 17: Percentage distribution of number of fraud submitters ..... 63
Figure 18: Percentage distribution of number of fraud attackers ..... 64
Figure 19: Number of directly reported incidents during 2001-2012 ..... 64
Figure 20: Number of unique IPs infected by Rustock sorted by month and ISP ..... 65
Figure 22: Percentage distribution of number of repeatedly reported and non-repeated reported IPs from phishing reports ..... 66
Figure 23: Percentage distribution of number of repeatedly reported IPs from phishing reports sorted by type of domain name ..... 67
Figure 24: Number of reports of DNS changer infected in network of agencies or ISPs; information retrieved on 8 July 2012 from DCWG.org ..... 69
Figure 25: Number of cyber attacks reported to ASEAN+3 CERTs during 2007-2011 ..... 78
Figure 26: Proportion of threats, sorted by ASEAN+3 countries as shown in the APCERT annual report 2011 ..... 80


Introduction

The Electronic Transactions Development Agency (ETDA), the Office of the Electronic Transactions Commission (ETC), and the Office of the Permanent Secretary of the Ministry of Information and Communication Technology (MICT) are pillar agencies responsible for developing, promoting, and enhancing trust and confidence in electronic transactions. The ETDA and the ETC serve to support the Electronic Transactions Committee, which has a proactive role in building information technology security in order to reduce online transaction risks in the public and private sectors. Moreover, they collaborate closely with the Crime Prevention and Suppression Bureau, Ministry of Information and Communication Technology, the Information Technology Support Division, Technology Crime Suppression Division, the Royal Thai Police, and the Office of the National Broadcasting and Telecommunications Commission. Additionally, ETDA supports the National Cybersecurity Committee in overseeing cybersecurity threats, which have become more sophisticated than in the past. Such threats can be launched from many sources and cause large-scale damage to service providers and users. Dealing with them requires timely coordination with both domestic and overseas agencies to implement immediate and comprehensive solutions.

ETDA has urged the Thailand Computer Emergency Response Team (ThaiCERT) to work proactively in its important role as the nation’s primary cybersecurity agency and to act as the national focal point for coordination with foreign Computer Emergency Response Teams (CERTs). This practice is directly in line with the ASEAN Economic Community Blueprint and the ASEAN ICT Master Plan 2015, which aim to promote and enhance confidence in electronic transactions.

ETDA published the ThaiCERT Annual Report 2012 to highlight a collection of case studies from ThaiCERT operations and threats reported in 2012. The report presents a detailed analysis of cybersecurity threats, including types of threats, types of agencies submitting threat reports, and types of computer networks or Internet Service Providers (ISPs) in Thailand, in order to provide an overview of the 2012 national cybersecurity landscape. It reflects the current status of these threats and provides valuable information to policy makers to develop mechanisms to prevent and combat threats among civil, business, and public stakeholders, particularly those in the key infrastructures of the country.

Mrs. Surangkana Wayuparb, Executive Director, CEO, Electronic Transactions Development Agency (Public Organization)

“CYBERSECURITY”: The First Chapter of IT Use Confidence

1. “Cybersecurity” Trust and Confidence in ICT Usage

Presently, computer networks, computer systems, and electronic devices are widely utilized to support business transactions, organizational operations, and communication in order to enhance efficiency and effectiveness. They also facilitate safe transactions in the form of electronic documents, electronic payments, and social media.

With legal authentication under the authority of the Electronic Transactions Act B.E. 2544 (Revised edition B.E. 2551), electronic transactions have been utilized and widely accepted. Despite such legal protection, transactions are still exposed to various threats and remain vulnerable to forms of direct internet-based crime (“cybercrime”) or indirect internet-facilitated crime. Public and private sectors, therefore, should be aware of the possible harmful effects and damage that may occur when conducting electronic transactions, and be prepared to prevent, protect against, and deal with incidents.

The IT security conceptual framework is specified in ISO/IEC 27001:2005, the Information Security Management System standard. Based on a risk assessment of the possible damage due to threats, the framework prioritizes the fundamental factors of confidentiality, integrity and availability when justifying IT security measures. For example, customer databases under an Enterprise Resource Planning system are considered confidential and need to be complete and available at all times. Another significant threat is a flood at a data center, causing an ICT system breakdown. Therefore, an agency must be able to provide backup to customers and be prepared for threats that might occur.

Various risk management measures are specified in ISO/IEC 27002 (Information technology – Security techniques – Code of practice for information security management), which has 11 classifications and a total of 133 measures. These include IT security policies for ICT organization management, human resource administration, information technology administration and legal compliance.

Despite awareness among agencies and individuals, they remain exposed to cybersecurity threats. Such threats highlight the need for a computer emergency response team (CERT) which is dedicated solely to cybersecurity issues and coordinates with domestic and international parties in order to ensure prompt solutions to threats. A CERT is also specified as a framework in the ASEAN Economic Community Blueprint, stipulated in Article B4, items 51 and 52.

ETDA has been implementing the ThaiCERT project continuously since December 2011. During the first year, ThaiCERT placed priority on the two most common threats: those originating from deceptive websites (phishing) and botnets. Each month phishing caused losses of hundreds of thousands of baht from the bank accounts of numerous victims. Each month, ThaiCERT received reports that there were approximately fifty deceptive websites overseas. Considering the impact of phishing, it has been concluded that ThaiCERT’s suppression of the deceptive websites can mitigate losses of millions of baht per month. Concerning the threat from botnets such as Zeus, Rustock or Kelihos, over 100,000 computers in Thailand have been affected. Upon installation, the affected computers involuntarily attack other computers or even cause damage to their owners by sending frequent spam messages, over 25,000 messages/hour, to others, stealing online transaction data or attacking the availability of other computers (DDoS).

Phishing and botnets are only two of the many threats reported to ThaiCERT, which include widespread threats in different forms that have become more complicated due to the advance and rapid change of technology. In turn, cybersecurity development needs to be well prepared for any unanticipated circumstances, including well-known and newly developed threats. Preparedness is very important in order to support business continuity and agency services, especially in important infrastructures such as public utilities, energy, communication, health and the like. These important infrastructures will use technology more significantly in their administration, which makes their information technology more complex. If an attack occurs, the Computer Emergency Response Teams will handle threats and help restore systems and services in the shortest possible time. Additionally, they will examine and analyze data to find the culprits.

In terms of personnel development, ThaiCERT has continuously trained and equipped its personnel to deal with recent threats through training in incident handling, intrusion analysis, penetration testing, system administration, and network security. Such training is part of ThaiCERT’s long-term personnel development program. This program aims to enhance ThaiCERT’s capabilities in handling and managing internal threats while preparing its human resources to cope with threats at the national level: analyzing malware and providing pre- or post-damage solutions, analyzing and solving problems from phishing websites, analyzing and developing solutions to online transaction vulnerabilities, and arranging prompt backup sites or “hot-standby” services.

ThaiCERT also focuses on enhancing its human resources’ capacity to analyze and manage threats effectively by setting up several task-based teams responsible for possible current threats. Such teams include an analyst team handling analysis of current or emerging threats, a surveillance team handling network monitoring, an IT incident management team providing prompt solutions to possible IT incidents, a facilitation team in charge of sending alerts and coordinating with domestic and foreign agencies, and an IT security promotion team in charge of raising IT security awareness.

To ensure effectiveness in handling threats, ThaiCERT also works and collaborates closely with various relevant domestic and international agencies. For example, it has joined the Asia Pacific Computer Emergency Response Team (APCERT) and the Forum of Incident Response and Security Teams (FIRST), which are internationally recognized as pools of experts from computer emergency response teams (CERTs) or computer security incident response teams (CSIRTs). Those national bodies are in charge of responding to, coordinating, and handling any possible IT security or network violation. Upon receiving an alert from CERTs or CSIRTs, APCERT or FIRST will coordinate with those national agencies representing member states to mitigate IT security infringement.

In response to an attack on a main provider’s system, ThaiCERT needs to prepare its resources, personnel, and information system services in order to be able to serve as the focal point in facilitating and strengthening IT security management at national and international levels. These efforts will directly increase public confidence in electronic transactions and reduce damage caused by any possible threats.


2. Current Status and Readiness of Thailand: Threats & Risks

Nowadays, information technology plays a more significant role in our daily lives. According to the Household Survey 2011 conducted by the National Statistical Office (NSO), 32.1%[1] of the Thai population use computers, 24.72% use the Internet[2], and 66.43% use mobile phones[3]. Additionally, the International Telecommunication Union (ITU) reported continuous growth in ICT usage as illustrated in the graphs shown below:

Figure 1: Total wired broadband subscriptions per 100 inhabitants in Thailand compared to other countries (1997-2011)[4]

[1] The key summary of the Household Survey 2011 in use of ICT (http://service.nso.go.th/nso/nsopublish/download/files/ict_household54_pocketbook.pdf)

[2] The key summary of the Household Survey 2011 in use of ICT (http://service.nso.go.th/nso/nsopublish/download/files/ict_household54_pocketbook.pdf)

[3] The key summary of the Household Survey 2011 in use of ICT (http://service.nso.go.th/nso/nsopublish/download/files/ict_household54_pocketbook.pdf)

[4] ICT Data and Statistics (IDS) by International Telecommunication Union (http://www.itu.int/ITU-D/ict/statistics/explorer/index.html)


Figure 2: Percentage of Internet users in Thailand compared to other countries (1997-2011)[5]

Figure 3: Total number of mobile phone subscriptions per 100 inhabitants in Thailand compared to other countries (1997-2011)[6]

With such rapid growth in IT availability and usage, an inevitable burden is placed on an organization's ability to protect and maintain its IT security. This situation requires the organization to exercise control and management in order to eliminate threats and risks or, at a minimum, reduce them to acceptable levels.

[5] ICT Data and Statistics (IDS) by International Telecommunication Union (http://www.itu.int/ITU-D/ict/statistics/explorer/index.html)

[6] ICT Data and Statistics (IDS), International Telecommunication Union (http://www.itu.int/ITU-D/ict/statistics/explorer/index.html)


In the context of IT security, threats and risks can be evaluated from several points of view. For example, they can be classified as internal or external depending on the source of the threat and risk factors. Internal threats can arise from a lack of personnel capacity in technology administration or from improper use; a lack of experience, skills and knowledge; individual omission; a lack of understanding of the importance of IT security; a lack of proper training; a lack of clear policy or direction at the organizational level, resulting in possibly conflicting implementation; or a lack of appropriate tools.

External threats, by contrast, arise from external factors such as attacks by malicious users, natural disasters, failure of service providers, and vulnerabilities in the software used by organizations. Although such threats are often beyond local control and difficult to foresee, they can be mitigated through proper risk management strategies.

In order to manage such threats and risks effectively, an organization can apply the international standard ISO/IEC 27002, which consists of 11 domains:

(1) Security Policy
(2) Organization of Information Security
(3) Asset Management
(4) Human Resource Security
(5) Physical and Environmental Security
(6) Communications and Operations Management
(7) Access Control
(8) Information System Acquisition, Development and Maintenance
(9) Information Security Incident Management
(10) Business Continuity Management
(11) Compliance

Following the auditing domains above gives the organization an assessment of the probability and impact of threats to its IT systems, the consequences that could follow, and other possible impacts on other systems. That information supports the effective development and determination of ICT security policies and practices suited to the organization's operations, and the determination of preventive and relief policies for responding to threats and risks. A risk management strategic plan can then be developed at a later stage.

When analyzing the status and readiness of IT security in Thai organizations, it is useful to compare the number of organizations that have received certification under the international standard for information security management systems (ISMS), ISO/IEC 27001:2005. The latest statistics collected by the International Register of ISMS Certificates in August 2012 found that Japan ranked first, with 4,152 certified organizations, while Thailand had 59 such organizations[7] and ranked second in the ASEAN Community after Malaysia, and fifteenth in the global ranking. This demonstrates that Thai organizations afford information security management systems a higher priority than most organizations in other ASEAN countries. Such success partly resulted from the determination to implement the practices recommended by the electronic transactions and information technology management regulations that reference the ISO/IEC 27001 standard. Examples include the Royal Decree on Rules and Procedures of the Public Sector's Electronic Transactions B.E. 2649 (2006) and the Royal Decree on Security Techniques in Performing Electronic Transactions B.E. 2553 (2010). These measures helped organizations realize the importance of ISMS and adjust their security policies accordingly.

[7] International Register of ISMS Certificates (http://www.iso27001certificates.com/Register%20Search.htm)

Figure 4: Total number of ISO/IEC 27001 organizations as of August 2012

Apart from the readiness of organizations, it is important to consider the readiness of their personnel as well. This factor can be measured by the number of personnel granted internationally accredited professional certificates in IT security, such as the Certified Information Systems Security Professional (CISSP) by (ISC)2. A survey in March 2013[8] found that 85,285 people in 144 countries worldwide had received the CISSP certificate. The country with the highest number of CISSP holders was the United States (55,924 people); the second was the United Kingdom (4,256 people); the third was Canada (4,075 people) and the fourth was South Korea. Thailand (153 people) was thirty-fourth in the global ranking and third in the ASEAN Community, after Singapore (1,132 people) and Malaysia (239 people).

[8] (ISC)2, Inc (https://www.isc2.org/member-counts.aspx)


Figure 5: Total number of CISSP certificate holders in Thailand compared to other ASEAN countries as of March 2013

Figure 6: Total number of GIAC certificate holders in Thailand compared to other ASEAN countries[9] as of July 2012

Figure 6 shows the total number of security experts who received GIAC[10] certificates. Singapore ranked first with 336 certificate holders, followed by Malaysia with 183 certificate holders.

[9] Information from SANS Asia Pacific representative as of July 2012

[10] Global Information Assurance Certification (GIAC)


The EC-Council, an internationally recognized IT accreditation body that provides well-known certificates such as the Certified Ethical Hacker (C|EH) and the Certified Hacking Forensic Investigator (CHFI), reported that there are approximately 15,000 experts in Southeast Asia holding EC-Council certificates. Among these recipients, over 90% are from Singapore and Malaysia, while there are only about 400 experts with such certificates[11] in Thailand.

The data on the number of IT security experts in the region indicates that Thailand ranks third in ASEAN, with more experts than several other countries. However, Thailand still has significantly fewer security experts than its IT-advanced ASEAN neighbors, Singapore and Malaysia. It therefore remains a challenge to develop a sufficient number of Thai security experts certified to international standards, in order to raise trust and confidence in IT security and to achieve a sustainable competitive edge in the region.

[11] Information from delegates of EC-Council Asia-Pacific in December 2012


3. CERTs and ThaiCERT Background

Computer Emergency Response Team, or CERT, is a registered trademark term originally designated by the US-based Carnegie Mellon University, which established the first CERT in the world and has been in charge of responding to and handling incidents occurring within the country. The approach has since been adopted by many other countries, including Thailand, resulting in the establishment of their own CERTs, such as ThaiCERT for Thailand, CERT-In for India, Sri Lanka CERT|CC for Sri Lanka, and many more. Consequently, those CERTs have created a tight network for information exchange and collaboration.

For Thailand, the national computer emergency response team (ThaiCERT) was established in 2000 by the National Electronics and Computer Technology Center (NECTEC) under the Ministry of Science and Technology, with the missions of responding to and handling cybersecurity incidents, providing support and guidance on threat solutions, safeguarding information, monitoring and publicizing cybersecurity information to the public, and researching and developing practical guidelines in computer and internet security.

In February 2011, the Cabinet of Thailand decided to transfer the operation of ThaiCERT to the Electronic Transactions Development Agency (Public Organization), or ETDA, a newly established organization under the Ministry of Information and Communication Technology whose mission and vision are to mitigate cyber threats, secure electronic transactions, and enhance trust and confidence among online users. To meet these challenges, ThaiCERT has taken proactive measures in building the capacity of its human resources in the cybersecurity body of knowledge, techniques, and practices. Furthermore, without a direct legal enforcement mandate, ThaiCERT has been fulfilling its missions mainly through collaboration among network members and related agencies, both domestically and internationally. Examples of ThaiCERT's domestic partners include:

• Internet service providers
• The Royal Thai Police
• The Department of Special Investigation
• Thailand Information Security Association
• Thai Bankers' Association
• Technology Crime Suppression Division, Royal Thai Police (TCSD/RTP)
• Office of the Permanent Secretary, Ministry of Information and Communication Technology (MICT)


At the international level, ThaiCERT has joined and actively participated in various networks and forums. ThaiCERT has also signed memoranda of understanding (MOU) with many organizations for the purposes of exchanging knowledge and information and of dealing effectively with cybersecurity threats, which often impact multiple countries because of the borderless nature of the internet. The organizations that have signed a memorandum of understanding with ThaiCERT include:

• Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). JPCERT/CC is the Japanese focal CERT agency and has been very successful in managing incidents at the local and international levels.
• Anti-Phishing Working Group (APWG), a US non-profit agency that aims to cope with information threats, especially the improper use of the internet as a channel for theft and fraud in which personal information such as user accounts, credit card details or electronic transaction details is stolen.
• Team Cymru, a US-based non-profit agency whose mission is IT security research and development in order to deal effectively with new threats. It provides cybersecurity incident data collected and analyzed by its own detection systems.

For regional and international collaboration, ThaiCERT participates as a full member of regional and international organizations, including the Asia Pacific coordination center, the Asia Pacific CERT (APCERT), and the global coordination center, the Forum of Incident Response and Security Teams (FIRST).

• APCERT is a collaborative effort of the Computer Security Incident Response Teams (CSIRTs) or CERTs of Asia Pacific member countries. It aims to raise awareness of cybersecurity and enhance members' capacity to handle cybersecurity incidents in line with international standards and regional practices.
• The Forum of Incident Response and Security Teams (FIRST), as a global association of cybersecurity and network teams, is responsible for responding to, coordinating and managing cybersecurity breaches. Its members include representatives of participating countries and agencies around the world.


For over a decade, ThaiCERT has taken a major role in providing guidance and necessary support in dealing with security threats and incidents for both the public and private sectors. Today, ThaiCERT is well recognized at the regional and international levels as a result of its shared efforts in preventing and suppressing cybersecurity threats. In 2013, ThaiCERT and ETDA were honored to co-host the 25th Annual FIRST Conference on 16-21 June 2013 at the Conrad hotel, Bangkok. This was the second Annual FIRST Conference held in ASEAN, after the first one in Singapore in 2005. More than 500 information security specialists from around the world attended this conference organized by the FIRST Steering Committee; half of them were from CERT agencies that are members of FIRST. The conference was therefore a golden opportunity for ThaiCERT to demonstrate its capacities and receive international recognition while raising cybersecurity awareness among Thais and among international experts and practitioners.


4. ThaiCERT Annual Report 2012: Threats & Cybersecurity

4.1 Services of ThaiCERT

Promoting a secure e-society and confidence in electronic transactions requires a security organization to be well prepared to handle any unforeseen incidents and to manage incidents effectively. Such capacities are vital mechanisms for securing and maintaining the business or service continuity of agencies, which is especially important for critical infrastructure agencies in domains such as public utilities and energy, communications, and medicine. Information technology is widely and increasingly used by those critical infrastructure agencies to manage their operations. If an organization's information system or network is attacked, its Computer Emergency Response Team (CERT) plays a major role in handling the incident and providing resolutions, including investigation and analysis, particularly digital forensics, in order to identify possible attackers.

ThaiCERT is the Computer Security Incident Response Team (CSIRT) service organization for Thailand, serving as the official point of contact for dealing with incidents in the Thai internet community. ThaiCERT provides 24/7 operations in the surveillance, handling and mitigation of cybersecurity incidents that have the potential to cause significant damage to electronic transactions. In many cases, ThaiCERT is required to coordinate with other national CERTs in order to respond to and handle threats. ThaiCERT also provides an advisory service to both organizations and individuals, releases cybersecurity alerts and news, and organizes academic training for the public to enhance knowledge and raise awareness of information security.

ThaiCERT started serving under the Electronic Transactions Development Agency (Public Organization) (ETDA) in 2012. Its initial services include incident response and coordination, security consultancy and advisory, and academic services emphasizing cybersecurity. Digital forensics is expected to be in full service by 2013.

4.1.1 Responding and Handling Security Incident Services

ThaiCERT provides incident handling and response services via telephone and email to individuals, educational institutions, research institutes, and public and private agencies around the world. Upon receiving an incident report, the incident response team analyzes and validates the reported incident. This information is then taken further for investigation to identify the attacker and for coordination with the related organizations to mitigate the damage.

ThaiCERT has implemented a system for tracking the progress of incident resolution: ThaiCERT coordinates with the relevant agencies to update the progress of incident resolution within 2 working days. An unresolved incident is then followed up every 2 working days until a resolution or a satisfactory result is obtained. ThaiCERT provides two communication channels for reporting incidents: telephone, on 021422483 between 8.30 am and 5.30 pm on working days, and email, at report@thaicert.or.th. When a reporter needs to send sensitive information to ThaiCERT via email, it is highly recommended to encrypt the email message using PGP[12] with the following ThaiCERT public key:

Email: [email protected]
Key ID: 0xF2CB3EE1
Key Type: RSA
Expiration: 2015-06-25
Key Size: 2048
Fingerprint: 29B3 2C79 FB4A D4D7 E71A 71ED 5FFE F781 F2CB 3EE1
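Before encrypting to a key published in print, a reporter should check that the printed details are at least consistent with each other: for an OpenPGP v4 key the short key ID is the low 32 bits of the fingerprint (its last 8 hex digits), and a key past its expiration date should not be used. The following Python is an added example, not ThaiCERT's own tooling; it uses the fingerprint, key ID and expiry printed above, and the reference dates it compares against are constructed.

```python
"""Consistency checks on a published OpenPGP key description (added example).

For OpenPGP v4 keys the short key ID is the low 32 bits of the 160-bit
fingerprint (its last 8 hex digits) and the long key ID is the last 16 hex
digits.  A published key ID that does not match the published fingerprint
is a transcription error at best, so a reporter should check it, and the
expiry date, before encrypting to the key.
"""
import re
from datetime import date

# Values as printed in the report; the reference dates below are constructed.
PUBLISHED_FINGERPRINT = "29B3 2C79 FB4A D4D7 E71A 71ED 5FFE F781 F2CB 3EE1"
PUBLISHED_KEY_ID = "0x F2CB3EE1"
PUBLISHED_EXPIRY = date(2015, 6, 25)
REFERENCE_DATE = date(2013, 11, 1)      # constructed: the report's publication month
AFTER_EXPIRY_DATE = date(2015, 6, 26)   # constructed: one day after expiry


def normalize_hex(value: str) -> str:
    """Drop whitespace and an optional 0x prefix; upper-case the hex digits."""
    cleaned = re.sub(r"\s+", "", value).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError(f"not a hex string: {value!r}")
    return cleaned


def key_ids_from_fingerprint(fingerprint: str) -> tuple:
    """Return (short_id, long_id) derived from a 40-hex-digit v4 fingerprint."""
    fp = normalize_hex(fingerprint)
    if len(fp) != 40:
        raise ValueError(f"v4 fingerprint must be 40 hex digits, got {len(fp)}")
    return fp[-8:], fp[-16:]


def key_id_matches(fingerprint: str, key_id: str) -> bool:
    """True if the published key ID is the short or long ID of the fingerprint."""
    short_id, long_id = key_ids_from_fingerprint(fingerprint)
    return normalize_hex(key_id) in (short_id, long_id)


def key_is_valid_on(expiry: date, today: date) -> bool:
    """True while the key's expiry date has not passed."""
    return today <= expiry


def check_published_key(fingerprint: str, key_id: str, expiry: date, today: date) -> dict:
    """Run both checks and return the results for the reporter to act on."""
    return {
        "key_id_consistent": key_id_matches(fingerprint, key_id),
        "not_expired": key_is_valid_on(expiry, today),
    }


if __name__ == "__main__":
    print(check_published_key(PUBLISHED_FINGERPRINT, PUBLISHED_KEY_ID,
                              PUBLISHED_EXPIRY, REFERENCE_DATE))
```

These checks only establish that the printed values agree with each other. Once the key is fetched, the fingerprint shown by the reporter's PGP software must be compared against the full 40-digit fingerprint, not the 32-bit key ID, since short key IDs are easy to collide.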

4.1.2 Security Information Updates

One of ThaiCERT's missions is to alert the public to threats or the cybersecurity situation upon notification from a CERT or CSIRT, so that they can prepare to handle potential threats or cybersecurity incidents. ThaiCERT experts analyze any high-impact threats or cybersecurity incidents before giving suitable advice on how to properly respond, resolve the issue or protect systems or networks. In addition to threat alerts, ThaiCERT also collects reported incident data and publishes reported incident statistics on www.thaicert.or.th on a monthly basis to illustrate the status and trend of the computer security situation in Thailand.

[12] Pretty Good Privacy (PGP) is a technology, invented by Philip R. Zimmermann, used to encrypt messages using public keys. It is also widely used for signing email with an electronic signature.

4.1.3 Academic-based Security Services

ThaiCERT provides technical and academic services to domestic and international agencies in the form of consultation, planning and IT security policy preparation according to current IT legal requirements and international standards. Besides providing cybersecurity consultation, ThaiCERT also conducts various capacity building and awareness raising activities, including cybersecurity seminars and training for the general public and IT professionals, cyber incident drills in the private and public sectors, and talks at domestic and international conferences.


4.2 Coordination for Cybersecurity Response and Incident Management

Picture 1: ThaiCERT procedures for cybersecurity response

In order to ensure effective resolution of any reported incident with SLA (service-level agreement) assurance, ThaiCERT has set and follows the incident response and coordination procedures below:

4.2.1 Conducting Triage

Upon receiving an incident report, ThaiCERT first conducts a triage assessment to determine the validity of the incident. At least one of the following triage criteria must be met before further action:

• The reported incident must be verified and within the constituency of ThaiCERT;
• The victim(s) or reporters must be identifiable;
• The incident must be reported from sources that can be trusted, such as reliable sources or existing agencies that have contacted ThaiCERT before.


After conducting the triage, ThaiCERT personnel inform the reporter whether ThaiCERT or ETDA will take any further action. This process follows the procedure below:

• If accepted, ThaiCERT personnel classify the report as a legal or technical consultation. A legal consultation request is submitted to ETDA legal for their expert opinion. For a technical incident report, ThaiCERT personnel analyze the issue and proceed to the next step of the process; or
• If denied, ThaiCERT informs the reporter of the reasons for declining, such as the situation being out of its constituency and/or the inability to verify the reported incident. All notifications are recorded in the system before the process is completed.

4.2.2 Analyzing and Handling Incidents

The ThaiCERT incident response team is responsible for handling any reported incidents through an approved incident response procedure. Additionally, other security incidents discovered or identified by the ThaiCERT threat monitoring team are handled by the same procedure.

After investigating the incident, ThaiCERT assesses its effect to decide whether it is necessary to escalate the threat to higher security measures or to escalate it to high-level management for visibility and immediate guidance. The impact assessment criteria are divided into two categories:

High-impact case. A high-impact case is any incident with mid-level impact and beyond according to the Notification of the Electronic Transactions Commission (ETC) on Impact Assessment of Electronic Transactions 2012, or one that could have a high impact on national security or public order. These high-impact incidents require immediate action by ThaiCERT personnel as well as prompt notification of high-level management.

Low-impact/general case. A low-impact or general case is an incident with organization-level impact resulting in the loss of property or confidential information of the organization's users or of the organization itself. The case is handled by ThaiCERT personnel according to the incident response procedure with the standard SLA.

Note: The details of the impact assessment criteria and escalation procedures are currently under consideration by the authority.

4.2.3 Providing Expert Opinion

In many cases, the incident reporter requests comments or recommendations on taking action under the relevant laws. ThaiCERT personnel coordinate with ETDA legal officers who have expertise in the Computer Crime Act to comment and make recommendations on such cyber incident matters. For sensitive or complicated matters, ETDA legal officers may consult external approved legal experts to obtain opinions on the related aspects in order to conclude and notify the reporter of the comments or recommendations.


4.2.4 Issuance of Notification and Follow-up Action

The ThaiCERT incident response team is responsible for handling any reported incidents and provides an incident coordination service with the agencies or individuals registered in verified public databases, such as system owners, Internet service providers, CERT agencies, governmental agencies, universities, investigation agencies, justice agencies and other relevant parties. ThaiCERT coordinates with the relevant agencies to handle and respond to the reported incident. An unresolved incident is then followed up every 2 working days until a resolution or a satisfactory result is obtained.

4.2.5 Record of Result and Feedback

After a resolution or a satisfactory result is obtained, ThaiCERT personnel record all incident response activities with a detailed analysis before notifying the reporter of the result.
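The five steps of 4.2.1 to 4.2.5 form one intake procedure: triage against the three criteria, routing to legal or technical handling, impact classification, follow-up every 2 working days until resolution, and a record for the reporter. The Python below is an added example of that procedure, not ThaiCERT's own system; the record fields, the impact labels "low", "mid" and "high", and the two sample reports are constructed, and the working-day calculation skips only weekends, not Thai public holidays.

```python
"""Incident intake following the procedure in 4.2.1 to 4.2.5 (added example).

Field names, the impact-level labels and the sample reports are constructed
for illustration; they are not ThaiCERT's data model.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

FOLLOW_UP_WORKING_DAYS = 2        # the report's stated follow-up interval
RECEIVED = date(2012, 11, 16)     # constructed: a Friday
RESOLVED = date(2012, 11, 26)     # constructed: the following Monday week


@dataclass
class IncidentReport:
    reporter: Optional[str]
    victim: Optional[str]
    verified: bool
    in_constituency: bool
    trusted_source: bool
    kind: str                     # "technical" or "legal"
    impact_level: str             # assumed labels: "low", "mid", "high"
    national_security: bool = False


def triage(report: IncidentReport):
    """Accept when at least one of the three triage criteria is met."""
    met = []
    if report.verified and report.in_constituency:
        met.append("verified and within constituency")
    if report.victim or report.reporter:
        met.append("victim or reporter identified")
    if report.trusted_source:
        met.append("trusted source")
    if met:
        return True, met
    return False, ["out of constituency and/or unable to verify"]


def route(report: IncidentReport) -> str:
    """Legal questions go to ETDA legal; technical reports stay with ThaiCERT."""
    return "ETDA legal" if report.kind == "legal" else "ThaiCERT technical analysis"


def impact_category(report: IncidentReport) -> str:
    """Mid-level impact and beyond, or a national-security/public-order angle, is high impact."""
    if report.impact_level in ("mid", "high") or report.national_security:
        return "high-impact"
    return "low-impact/general"


def add_working_days(start: date, days: int) -> date:
    """Advance by working days, skipping Saturday and Sunday (public holidays ignored)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def follow_up_schedule(first_contact: date, resolved_on: date) -> list:
    """Dates on which an unresolved incident is chased, every 2 working days until resolution."""
    dates = []
    current = first_contact
    while True:
        current = add_working_days(current, FOLLOW_UP_WORKING_DAYS)
        if current >= resolved_on:
            return dates
        dates.append(current)


def handle(report: IncidentReport, received_on: date, resolved_on: date) -> dict:
    """Run the whole procedure and return the record kept for the reporter."""
    accepted, reasons = triage(report)
    record = {"accepted": accepted, "triage": reasons}
    if not accepted:
        record["notified_reporter"] = "declined with reasons"
        return record
    record["route"] = route(report)
    if report.kind == "technical":
        record["impact"] = impact_category(report)
        record["escalate_to_management"] = record["impact"] == "high-impact"
        record["follow_ups"] = follow_up_schedule(received_on, resolved_on)
    record["notified_reporter"] = "result and analysis"
    return record


# Constructed sample reports.
SAMPLE_TECHNICAL = IncidentReport("abuse@isp.example.net", "shop.example.co.th",
                                  verified=True, in_constituency=True, trusted_source=True,
                                  kind="technical", impact_level="low")
SAMPLE_UNVERIFIED = IncidentReport(None, None, verified=False, in_constituency=False,
                                   trusted_source=False, kind="technical", impact_level="low")

if __name__ == "__main__":
    print(handle(SAMPLE_TECHNICAL, RECEIVED, RESOLVED))
    print(handle(SAMPLE_UNVERIFIED, RECEIVED, RESOLVED))
```

Note that the second triage criterion (an identifiable victim or reporter) is met by almost any report that arrives by email, so in practice the first and third criteria do most of the filtering; the note in 4.2.2 that the impact criteria are still under consideration is why the labels here are assumptions.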

4.3 Incidents reported to and handled by ThaiCERT

In 2012, ThaiCERT received reports of the cybersecurity situation or incidents through two channels. The first is direct reports to ThaiCERT through email or telephone, and the second is the automatic feed. The information in the automatic feed is gathered from the international cybersecurity agencies coordinating with ThaiCERT, such as the Anti-Phishing Working Group (APWG), Team Cymru and Microsoft.

Having received incident reports through these channels, ThaiCERT developed a systematic analysis for coordinating, coping with, handling and advising on the incidents that happened to the relevant entities. Moreover, all cybersecurity incidents received in 2012 were used to analyze the trend of cybersecurity threats and to create the statistical report of the cybersecurity situation in Thailand. The report can be summarized as follows:

• The malware with the highest number of reports was Zeus, a botnet[13] malware targeting the Windows operating system for the purpose of stealing users' online transaction information. The runner-up was Rustock[14], which is capable of sending more than 25,000 spam copies per hour and performing DDoS[15] attacks against computer systems. In 2012, the number of reports regarding botnets reached 4,404,089, mostly occurring in the networks of Internet Service Providers in Thailand.
• There was a total of 1,523,469 spam reports, all of which were submitted through the automatic feed.
• More than 143,302 DNS servers in Thailand were improperly configured and could be used for DDoS attacks.
• There was a total of 30,521 scanning reports, in which the most targeted port, accounting for approximately 80% of all reports, was the Windows remote administration port. When categorizing the reports by port number, the two most targeted ports were port 4899[16] and port 3389[17], with percentages of 45.40% and 34.16% respectively.
• Although DDoS attacks had the fewest reports compared to the other threats, it cannot be concluded that DDoS attacks barely occurred in Thailand, since the detection and analysis of DDoS attacks are more difficult than for the others.
• Almost all types of attack were found in the networks under the control of major ISPs in Thailand, while botnet malware was also spreading in mobile telecommunications networks.
• Fraud was the cybersecurity threat with the highest number of incidents reported directly to ThaiCERT, with 534 reports, or 67.42% of a total of 792 reports.

[13] A botnet is a cybersecurity threat arising from malware-infected computers. The botnet malware typically receives commands from a command and control server via the Internet, where the command may be executed for the purpose of attacking other systems, sending spam or stealing information from the infected computers.

[14] Spam is a cybersecurity threat in which the attacker sends a large number of unsolicited messages to others; most spam consists of advertisements for products and services.

[15] DDoS is a cybersecurity threat related to an attack against the availability of a system. The attack may originate from different locations but aims at the same target. DDoS causes the targeted service anything from delayed responses to denial of service.

[16] Port 4899 is used for TCP Radmin remote administration.

[17] Port 3389 is used for TCP Windows Remote Desktop.


4.3.1 The Number of Reported Incidents in Thailand via Automatic Feed

Since August 2011, cybersecurity incidents originating from Thailand and detected by the international cybersecurity agencies coordinating with ThaiCERT have been submitted via the automatic feed. The cybersecurity incidents can be categorized into 9 types: botnet, brute force[18], DDoS, malware URL[19], open DNS resolver[20], open proxy server[21], phishing[22], scanning[23] and spam. They can be summarized into the following statistics and analysis:

[18] Brute force is a cybersecurity threat in the form of an attack on the targeted system using an algorithm designed by the attacker for the purpose of obtaining important information. For example, the attacker attempts to log in as another user using randomly generated usernames and passwords.

[19] Malware URL is a cybersecurity threat arising from a website that distributes malware. It generally occurs when the attacker gains access to the targeted website and uses it to distribute the malware, while tricking people into downloading the malware via a specific URL.

[20] Open DNS resolver is a cybersecurity threat arising from the improper configuration of DNS servers such that those servers can be used in DDoS attacks.

[21] Open proxy server is a cybersecurity threat arising from the improper configuration of web proxy servers that allow anyone to access websites through them without authentication. As a result, an attacker may use them for malicious activities.

[22] Phishing is a cybersecurity threat which can be considered another kind of fraud. Its main objective is to steal important information from the user, such as usernames, passwords or electronic transaction information, by luring the user into accessing a fraudulent service.

[23] Scanning is a cybersecurity threat in which the basic information of the operating system or the service running on a server is discovered by sending data to the targeted system and analyzing the response. The scanning result is often used for attacking the system.


1.) The incident reports via Automatic Feed 2012 by Threat Types

Figure 7: Number of weekly incident reports sorted by threat type during August – December 2012

Figure 8: Number of weekly incident reports counted by unique IP and sorted by threat type and ISP during August – December 2012


Table 1: Number of incident reports sorted by threat type

Table 2: The number of incident reports counted by unique IP and sorted by threat type during August – December 2012

Table 1 shows the number of incident reports received via the automatic feed since August 2012, with a total of 7,050,921, while Figure 7 shows the weekly incident reports by threat type. Notice that botnet had the highest number of reports, with a weekly average of around 259,000, followed by spam with a weekly average of around 100,000. Meanwhile, the other types of incident report combined averaged fewer than 12,000 per week.

With respect to the incident reports received via the automatic feed, ThaiCERT found that many reports concerned the same IP addresses under the same threat types, since some threats such as botnets and spam regularly send information to the target. The number of incident reports was therefore higher than the actual number of IP addresses.


Table 2 shows that there was a total of 1,077,017 reported IP addresses, from which it could be concluded that these were the IP addresses in Thailand having a cybersecurity issue. It can clearly be seen that spam had the highest number of reported IP addresses, with a total of 636,461 or 62.7% of all reports, followed by botnet and open DNS resolver with 286,919 and 143,302 IP addresses respectively, whereas the IP addresses reported for brute force and DDoS combined were fewer than 100. The detailed analysis of each threat is presented in the next part.
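The difference between Table 1 (reports) and Table 2 (unique IP addresses) comes from the same infected host being reported repeatedly; the reduction is a simple group-and-deduplicate over the feed. The Python below is an added example of that reduction, not ThaiCERT's own processing: the CSV feed layout (timestamp, threat, ip, isp), the ISP labels and the sample lines are constructed, using RFC 5737 documentation addresses, and one deliberately malformed row shows why the IP field is validated before counting.

```python
"""Count automatic-feed reports versus unique IP addresses (added example).

The feed format (timestamp,threat,ip,isp) and the sample lines are
constructed; ISP labels are placeholders and the IPs are RFC 5737
documentation addresses.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

SAMPLE_FEED = """\
timestamp,threat,ip,isp
2012-08-06T01:12:03Z,botnet,203.0.113.10,ISP-A
2012-08-06T02:40:11Z,botnet,203.0.113.10,ISP-A
2012-08-06T03:05:19Z,spam,198.51.100.7,ISP-B
2012-08-06T03:09:44Z,spam,198.51.100.7,ISP-B
2012-08-06T04:22:01Z,spam,198.51.100.8,ISP-B
2012-08-06T05:17:56Z,open_dns_resolver,192.0.2.53,ISP-A
2012-08-06T06:00:00Z,botnet,203.0.113.11,ISP-C
2012-08-06T06:30:30Z,phishing,192.0.2.80,ISP-C
2012-08-06T07:00:00Z,spam,not-an-ip,ISP-B
"""


def parse_feed(text: str) -> list:
    """Parse CSV feed lines, dropping rows whose IP field is not a valid address."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            ip = ipaddress.ip_address(row["ip"].strip())
        except ValueError:
            continue  # malformed row: skip rather than count a bogus "IP"
        records.append({"threat": row["threat"].strip(),
                        "ip": str(ip),
                        "isp": row["isp"].strip()})
    return records


def summarize(records: list) -> dict:
    """Reports per threat (Table 1 style) against unique IPs per threat and per ISP (Table 2/3 style)."""
    reports_by_threat = Counter(r["threat"] for r in records)
    ips_by_threat = defaultdict(set)
    ips_by_isp = defaultdict(set)
    all_ips = set()
    for r in records:
        ips_by_threat[r["threat"]].add(r["ip"])
        ips_by_isp[r["isp"]].add(r["ip"])
        all_ips.add(r["ip"])
    unique_by_threat = {t: len(s) for t, s in ips_by_threat.items()}
    total_unique = len(all_ips)
    return {
        "total_reports": sum(reports_by_threat.values()),
        "reports_by_threat": dict(reports_by_threat),
        "unique_ips_by_threat": unique_by_threat,
        "unique_ips_by_isp": {i: len(s) for i, s in ips_by_isp.items()},
        "unique_ips_total": total_unique,
        # share of all affected IPs per threat, the figure the report gives for spam (62.7%)
        "share_of_unique_ips": {t: round(100 * n / total_unique, 1)
                                for t, n in unique_by_threat.items()},
    }


if __name__ == "__main__":
    print(summarize(parse_feed(SAMPLE_FEED)))
```

Even the deduplicated count is a lower bound on affected machines: as the report notes for Table 4, many computers share one public IP address, so one "unique IP" may stand for a whole NAT'd network.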

2.) Incident Report via Automatic Feed Categorized by Internet Service Providers (ISP) in Thailand

Table 3: Number of incident reports counted by unique IP and sorted by ISP


Table 4: Number of IPs which have been registered by top 10 ISPs[24] in Thailand

The incident reports received via the automatic feed, as shown in Table 3, show that most of the reported IP addresses belonged to ISPs and mobile operators such as TOT, True, Triple T Broadband, AIS and DTAC[25], which are both wired and wireless broadband ISPs. Additionally, most of the incident reports were related to spam and botnets, as shown in Figure 9.

Of the 8,559,616 IP addresses registered in Thailand, the information in Table 4 indicates that the top 10 IP address holders were ISPs. The first three providers owned half of all the IP addresses, while 872,206 IP addresses were related to cybersecurity threats, which is more than 10% of the total number of IP addresses registered in Thailand. Furthermore, considering the common practice whereby a number of computers access the Internet through the same public IP address, the actual number of computers related to the incidents was likely to be higher than the number of reported IP addresses.

[24] Directory listing data distributed by APNIC via FTP (ftp.apnic.net/stats/apnic) on 16 November 2012.

[25] DTAC is registered as a network provider under the name "Total Access Communication Plc".


Figure 9: Number of incident reports counted by unique IP and sorted by ISP and threat type

3.) Phishing

Table 5: Top 10 number of phishing reports sorted by country

According to Table 5, the United States ranked first with 64,064 reports (30.44%), followed by Hong Kong with 32,910 reports (15.64%) and Germany with 25,217 reports (11.98%). Thailand ranked 14th with 2,474 reports.


Table 6: Number of phishing reports sorted by type of domain name

The reported phishing URLs[26] in Table 6 show that commercial websites had the highest share, 64.50% of all reports, comprising .com (53.89%), .co.th (10.33%) and .biz (0.28%). Government agency (.go.th) and academic institute (.ac.th) websites accounted for 20.25%. The remaining phishing reports had no domain name, since those phishing URLs contained only an IP address.

[26] The domain name information was used to identify the location of the phishing websites.


Table 7: Top 10 number of phishing reports sorted by ISP

No.  ISP                                              AS Number           Reports  Unique IPs  Unique URLs  Reports/Unique IP
1    CAT Telecom (Public) Co., Ltd.                   9931                  1,028         130          531                7.9
2    CS Loxinfo (Public) Co., Ltd.                    4750, 7568, 9891        407          62          254                6.6
3    Internet Thailand (Public) Co., Ltd.             4618                    175          22          131                8.0
4    Internet Solution & Service Provider Co., Ltd.   24299, 7654             130          19           99                6.8
5    Super Broadband Network Co., Ltd.                45458                   110           1           37              110.0
6    Metrabyte Co., Ltd.                              56067                    97          27           74                3.6
7    Government Information Technology Services       9835                     75          10           43                7.5
8    True Internet Co., Ltd.                          7470, 9287               64           8           31                8.0
9    Ministry of Education                            23974                    45          23           35                2.0
10   UniNet                                           4621                     44           8           22                5.5

Table 7 shows that most reports came from commercial ISPs, except for the ISPs serving government agencies (Government Information Technology Services, GITS) and academic institutes (UniNet and the Ministry of Education), which were also in the top 10. There are several possible reasons why the number of reports divided by the number of unique IP addresses was greater than 1. For instance, when a web server hosts many websites and one of them is compromised, the other websites on the same server can be compromised and used to distribute phishing pages as well; Super Broadband Network in Table 7 is the clearest case, with a single IP address accounting for 110 reports and 37 distinct URLs. Another possible reason is that the same website was used to distribute phishing pages more than once.
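The distinction between raw reports and unique IP addresses made above for the automatic feeds, and the reports-per-unique-IP ratio used in Table 7 (and again for malware URLs in Table 10), can be computed as follows. This is an added example and not ThaiCERT's own tooling; the CSV feed layout, the sample lines and the ASN-to-ISP mapping are assumptions made for the example (the AS numbers reused are those Table 7 lists for CAT Telecom, CS Loxinfo and Internet Thailand).

```python
"""Reports versus unique IP addresses in an automatic feed.

Added example (not ThaiCERT's tooling).  The CSV feed layout, the sample
lines and the ASN-to-ISP table are assumptions for the example; the AS
numbers are those Table 7 lists for CAT Telecom, CS Loxinfo and Internet
Thailand.
"""
from collections import defaultdict
import csv
import io

# Constructed feed: timestamp, threat type, reported IP, origin AS number.
# 203.0.113.10 is reported twice for phishing and 198.51.100.5 three times
# for botnet (and once for spam), the over-counting described in the text.
SAMPLE_FEED = """\
2012-03-01T02:10:00Z,phishing,203.0.113.10,9931
2012-03-01T02:11:00Z,phishing,203.0.113.10,9931
2012-03-01T03:00:00Z,phishing,203.0.113.11,9931
2012-03-01T04:00:00Z,botnet,198.51.100.5,4618
2012-03-02T04:00:00Z,botnet,198.51.100.5,4618
2012-03-03T04:00:00Z,botnet,198.51.100.5,4618
2012-03-03T05:00:00Z,spam,198.51.100.5,4618
2012-03-03T05:30:00Z,spam,198.51.100.7,4618
2012-03-03T06:00:00Z,phishing,192.0.2.20,4750
"""

# Assumed mapping of origin AS to ISP name (only three entries for the demo).
ASN_TO_ISP = {
    "9931": "CAT Telecom",
    "4750": "CS Loxinfo",
    "4618": "Internet Thailand",
}


def parse_feed(text):
    """Parse feed lines into dicts; malformed lines are skipped, not fatal."""
    reports = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        ts, threat, ip, asn = (field.strip() for field in row)
        reports.append({"ts": ts, "threat": threat, "ip": ip,
                        "isp": ASN_TO_ISP.get(asn, "AS" + asn)})
    return reports


def summarize(reports, *keys):
    """Group reports by the given fields.

    Returns {group_tuple: (report_count, unique_ip_count, reports_per_ip)},
    the three figures that Tables 2, 7 and 10 compare.
    """
    counts = defaultdict(int)
    ips = defaultdict(set)
    for r in reports:
        group = tuple(r[k] for k in keys)
        counts[group] += 1
        ips[group].add(r["ip"])
    return {g: (counts[g], len(ips[g]), round(counts[g] / len(ips[g]), 1))
            for g in counts}


def distinct_ips(reports):
    """IP addresses seen under any threat type.  An IP reported under two
    threat types counts once here but twice if per-threat unique counts
    are simply added, which is why the two totals differ."""
    return len({r["ip"] for r in reports})


if __name__ == "__main__":
    reports = parse_feed(SAMPLE_FEED)
    for group, (n, uniq, ratio) in sorted(summarize(reports, "isp", "threat").items()):
        print(f"{group[0]:<18} {group[1]:<9} reports={n:<3} unique_ips={uniq:<3} ratio={ratio}")
    print("distinct IPs across all threat types:", distinct_ips(reports))
```

Grouping by ("isp", "threat") reproduces a Table 7 style row; grouping by ("threat",) alone reproduces Table 2. Comparing the sum of per-threat unique counts with distinct_ips() shows how an IP address that appears under several threat types inflates a per-threat total.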


4.) Malware URL

Table 8: Top 10 number of malware URL reports sorted by ISP

ThaiCERT received a total of 30,153 malware URL reports. Table 8 shows that most of them were in the network of CAT Telecom, with 56.67% of all reports, followed by CS Loxinfo with 19.07%; most of the ISPs in the top 10 in fact operate commercial Internet data centers (IDC). Academic institutions and agencies such as the Ministry of Education, Sripatum University and UniNet were also in the top 10.


Table 9: Top 10 number of unique malware URL reports sorted by ISP

Table 9 lists the unique malware URL reports by ISP. Counting by unique IP address instead gives a slightly different ranking, as shown in Table 10.

Table 10: Top 10 number of malware URL reports counted by unique IP and sorted by ISP

Table 10 lists 840 IP addresses across the top 10 ISPs ranked by number of reports. CAT Telecom still ranked first, with only 298 IP addresses against 11,793 reports; compared with Table 9, this means malware URL incidents averaged 39.6 reports per IP address.


Table 11: Top 10 number of malware URL reports counted by unique IP and sorted by type of domain name

Table 11 indicates that commercial organizations (.com and .co.th) were reported at 411 unique IP addresses, and academic institutes and government agencies (.ac.th and .go.th) were also reported in large numbers. This suggests that the computer systems of those organizations were insecure, giving attackers the opportunity to break in and use them to distribute malware.

Table 12: Top 10 number of unique malware URL reports sorted by domain name

Table 12 shows the malware URL reports classified by domain name. The first rank belonged to the website of Pichit Educational Service Area Office 1 with 8,084 malware URLs, followed by www.energyfantasia.com, the main website of the "Energy Fantasia" project launched by the Ministry of Energy, with 1,418 malware URLs. Third was school.obec.go.th, which belongs to the Office of the Basic Education Commission, with 1,216 malware URLs. Notably, all three top websites belong to government agencies.

5.) Spam

Table 13: Top 10 number of spam reports sorted by ISP

In 2012, ThaiCERT received reports that 1,522,224 computers in Thailand had been used to send spam. Most of them were in the networks of commercial ISPs such as TOT (46.50%), AIS (16.59%), DTAC (13.25%) and True (11.36%). It is notable that commercial ISP networks served as the base for sending spam, presumably because of their large customer bases; the number of reported IP addresses also varied with the number of customers of each ISP.

The table also shows no correlation between the ranking and the number of reports divided by the number of unique IP addresses, probably because some servers were rented or controlled by the attackers specifically for sending spam.

6.) Scanning

Figure 10: Top 10 number of scanning reports sorted by port number


Table 14: Top 10 number of scanning reports counted by unique IP and sorted by port number

A total of 5,375 IP addresses were reported for scanning; the top 10 targeted ports are shown in Table 14 and Figure 10. Most of the targeted ports belong to remote administration services: the top four were 4899/TCP (Radmin remote administration, 45.40%), 3389/TCP (Windows Remote Desktop, 34.16%), 445/TCP (Windows SMB file sharing, 6.70%) and 22/TCP (SSH, 3.91%). These statistics indicate that most attackers were gathering information and attempting to gain access to the targeted systems mainly through remote administration services. Not exposing remote administration services on servers directly connected to the Internet, or restricting them to known source addresses or a VPN, would therefore reduce the risk of attack through this channel.
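The signal behind Table 14, one source touching the remote administration ports of many hosts, can be pulled out of a perimeter firewall's own logs, which also separates scanning from repeated attempts against a single host. The following is an added example, not ThaiCERT's feed or code; the Netfilter-style log lines are constructed, and the threshold of three distinct target hosts is an assumption.

```python
"""Flag sources probing remote-administration ports across many hosts.

Added example, not ThaiCERT's tooling.  The iptables-style log lines are
constructed; the port list is the top four from Table 14.
"""
import re
from collections import defaultdict

REMOTE_ADMIN_PORTS = {4899: "Radmin", 3389: "RDP", 445: "SMB", 22: "SSH"}

# Fields of a Netfilter LOG line that matter here (TCP only).
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP .*?DPT=(?P<dport>\d+)")

# Constructed log excerpt using documentation address ranges.
SAMPLE_LOG = """\
Mar  5 10:00:01 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.1 PROTO=TCP SPT=51001 DPT=3389
Mar  5 10:00:01 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.2 PROTO=TCP SPT=51002 DPT=3389
Mar  5 10:00:02 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.3 PROTO=TCP SPT=51003 DPT=3389
Mar  5 10:00:02 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.4 PROTO=TCP SPT=51004 DPT=3389
Mar  5 10:00:05 fw kernel: DROP IN=eth0 SRC=198.51.100.22 DST=203.0.113.1 PROTO=TCP SPT=40000 DPT=22
Mar  5 10:00:06 fw kernel: DROP IN=eth0 SRC=198.51.100.22 DST=203.0.113.1 PROTO=TCP SPT=40001 DPT=22
Mar  5 10:00:07 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.1 PROTO=TCP SPT=33000 DPT=4899
Mar  5 10:00:07 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.2 PROTO=TCP SPT=33001 DPT=4899
Mar  5 10:00:08 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.3 PROTO=TCP SPT=33002 DPT=445
Mar  5 10:00:09 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.4 PROTO=TCP SPT=33003 DPT=80
"""


def parse_log(text):
    """Return (src, dst, dport) for each TCP log line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return events


def find_scanners(events, min_targets=3):
    """Sources that touched at least min_targets distinct hosts on remote-admin ports.

    Repeated attempts against a single host (e.g. SSH password guessing) are a
    brute-force signal rather than a scan, so they stay below the threshold.
    """
    targets = defaultdict(set)
    ports = defaultdict(lambda: defaultdict(int))
    for src, dst, dport in events:
        if dport in REMOTE_ADMIN_PORTS:
            targets[src].add(dst)
            ports[src][REMOTE_ADMIN_PORTS[dport]] += 1
    return {src: {"targets": len(hosts), "ports": dict(ports[src])}
            for src, hosts in targets.items() if len(hosts) >= min_targets}


def port_share(events):
    """Percentage of remote-admin probes per port, in the spirit of Figure 10."""
    per_port = defaultdict(int)
    for _, _, dport in events:
        if dport in REMOTE_ADMIN_PORTS:
            per_port[dport] += 1
    total = sum(per_port.values())
    return {p: round(100 * n / total, 1) for p, n in per_port.items()}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for src, info in find_scanners(ev).items():
        print(src, info)
    print(port_share(ev))
```

On the constructed excerpt the RDP sweep and the Radmin/SMB sweep are flagged, while the two SSH attempts against one host are not; that host's SSH log would instead be the place to look for a brute-force pattern.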


Table 15: Top 10 number of scanning reports counted by unique IP and sorted by ISP

Figure 11: Top 10 number of scanning reports sorted by ISP

Among the scanning reports classified by ISP, shown in Table 15 and Figure 11, most IP addresses belonged to major commercial ISPs in Thailand. The highest number of reported IP addresses belonged to True Internet with 1,847, followed by TOT and Triple T Broadband with 1,642 and 1,320 IP addresses respectively. The top three ISPs accounted for approximately 90% of all reported IP addresses.

7.) Botnet

Figure 12: Top 10 number of botnet reports counted by unique IP and sorted by malware name



Table 16: Top 10 number of botnet reports sorted by ISP

No. ISP Number of Reports

1 TOT (Public) Co., Ltd. 161,402

2 True Internet Co., Ltd. 57,935

3 Triple T Broadband (Public) Co., Ltd. 57,458

4 Advanced Info Service (Public) Co., Ltd. 13,218

5 Total Access Communication (Public) Co., Ltd. 10,899

6 JasTel Network Co., Ltd. 4,904

7 Ministry of Education 2,658

8 UniNet 734

9 CS Loxinfo (Public) Co., Ltd. 407

10 True Move Co., Ltd. 348

As shown in Table 16, botnet reports were concentrated on the commercial ISPs offering broadband service, such as TOT, True and Triple T Broadband, which together accounted for 88% of all reports. This indicates that ordinary home computers were the main targets controlled by botnets; such computers risk being used as a base for attacking other systems or having their users' personal information stolen.


8.) Open DNS Resolver

An open DNS resolver is an improperly configured DNS server that answers recursive queries from computers on any other network. Such servers can be turned into a base for attacking other systems using the DNS amplification technique illustrated in Picture 2. The attacker sends DNS requests to many open resolvers simultaneously with the source IP address forged to be that of the target, so that the resolvers send their responses to the target instead of the attacker. Since a DNS response is typically much larger than the request, the attacker can use open resolvers to multiply the traffic of a DDoS attack. Such an attack saturates the Internet bandwidth of the targeted system until it can no longer communicate with other systems or fails altogether. A resolver should therefore answer recursive queries only for its own clients, and networks should filter packets with forged source addresses at their edge (source address validation, BCP 38) so that such requests cannot be sent in the first place.

Picture 2: DNS amplification attack technique
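To check whether a server of your own is an open resolver, and to see concretely why the response size matters, the following added example (not ThaiCERT's code) builds a DNS query on the wire, classifies the response from its header flags and computes the response-to-query size ratio. The responses are constructed so that it runs offline; probe() sends a real query and is only for servers you are authorised to test.

```python
"""Open-resolver probe and amplification factor.

Added example, not ThaiCERT's code.  A minimal DNS query is built on the
wire; the response header flags distinguish a recursive answer (QR=1, RA=1,
RCODE=0, answers present) from a refusal; the size ratio shows the
amplification.  Responses below are constructed for offline use.
"""
import socket
import struct

RD = 0x0100   # recursion desired (set in the query)
QR = 0x8000   # response bit
RA = 0x0080   # recursion available
QTYPE_A, QTYPE_ANY = 1, 255


def build_query(name, qtype=QTYPE_ANY, txid=0x1234):
    """12-byte header with RD set, then one question for `name`."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(packet):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "rcode": flags & 0x0F, "ancount": an}


def classify(query, response):
    """(is_open_resolver, amplification) for a query/response pair.

    A server that answers a recursive query from an arbitrary source with RA
    set, RCODE 0 and at least one answer is behaving as an open resolver.
    """
    h = parse_header(response)
    if h["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch")
    is_open = h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0
    return is_open, round(len(response) / len(query), 1)


def fake_response(query, answers, rcode=0, ra=True):
    """Constructed response echoing the question plus `answers` A records."""
    txid = parse_header(query)["id"]
    flags = QR | RD | (RA if ra else 0) | rcode
    question = query[12:]          # question section, unchanged
    rr = (b"\xc0\x0c"              # name pointer to offset 12 (the question name)
          + struct.pack("!HHIH", QTYPE_A, 1, 3600, 4) + bytes([192, 0, 2, 1]))
    return struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0) + question + rr * answers


def probe(server, name="example.com", timeout=2.0):
    """Live check against `server` on UDP/53; not exercised in the offline demo."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        r, _ = s.recvfrom(4096)
    return classify(q, r)


if __name__ == "__main__":
    q = build_query("example.com")
    print("refused   :", classify(q, fake_response(q, 0, rcode=5, ra=False)))
    print("1 record  :", classify(q, fake_response(q, 1)))
    print("20 records:", classify(q, fake_response(q, 20)))
```

A properly restricted resolver returns REFUSED (RCODE 5) with RA clear to outside queries, giving a ratio near 1; an open resolver answering a large record set gives a ratio of ten or more, which is the multiplication the attack relies on.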


Table 17: Top 10 number of open DNS resolver reports counted by unique IP and sorted by ISP

A total of 143,255 IP addresses were reported as open DNS resolvers; the ten ISPs with the highest numbers are listed in Table 17. Most belonged to major commercial ISPs such as True, TOT and Triple T Broadband, together accounting for 96% of all reports. The Ministry of Education was the only government agency in the top 10.

9.) Open Proxy Server

An open proxy server is generally a web proxy that can be used without authentication. An attacker can abuse such a server either by taking advantage of an improper configuration or by breaking into the system and changing its configuration, and then use it for malicious purposes, with the proxy's address rather than the attacker's appearing at the destination.


Table 18: Top 10 number of open proxy server reports counted by unique IP and sorted by ISP

A total of 3,596 IP addresses were reported as open proxy servers; the ten ISPs with the highest numbers are listed in Table 18. Unsurprisingly, most belonged to major commercial ISPs such as Triple T Broadband, TOT and True, together accounting for 98% of all reports, and as with open DNS resolvers the Ministry of Education was the only government agency in the top 10. Although a web proxy service normally runs on a server, the analysis shows that most of the reported IP addresses were in the networks of broadband ISPs. Further information from the ISPs is needed to investigate this.

4.3.2 The Statistics of Directly Reported Incidents

Apart from the automatic feeds, incidents can be reported directly to ThaiCERT via email and telephone. Such reports are entered into the ticket management system "Request Tracker". The reported incidents are classified into nine categories according to the threat classification of eCSIRT (the European Computer Security Incident Response Team network)[27].

[27] http://www.ecsirt.net/cec/service/documents/wp4-clearinghouse-policy-v12.html#HEAD6


The details are given in Table 19.

Table 19: Cybersecurity threat types according to eCSIRT

1. Abusive Content: Content such as child pornography, glorification of violence and spam.
2. Malicious Code: Software that is intentionally included or inserted in a system for a harmful purpose. User interaction is normally necessary to activate the code.
3. Information Gathering: Gathering information about a system in order to find its vulnerabilities and use them to attack the system. It also includes information gathering from human beings in a non-technical way (e.g. lies, tricks, bribes or threats).
4. Intrusion Attempts: An attempt to compromise a system or disrupt a service by exploiting vulnerabilities with a standardized identifier such as a CVE name. Intrusion attempts also include multiple login attempts such as guessing or cracking passwords (brute force).
5. Intrusions: Successful compromise of a system or application (service). This can be caused remotely by a known or new vulnerability, but also by unauthorized local access.
6. Availability: In this kind of attack a system is bombarded with so many packets that operations are delayed or the system crashes. Examples of a remote DoS are SYN or PING flooding and email bombing (DDoS: TFN, Trinity, etc.). However, availability can also be affected by local actions (destruction or disruption of the power supply, etc.).
7. Information Security: Besides local abuse of data and systems, information security can be endangered by a successful account or application compromise. Furthermore, attacks are possible that intercept and access information.
8. Fraud: The use of Internet services such as websites and email to defraud victims or otherwise take advantage of them, for example by stealing personal information, which can even lead to identity theft.
9. Other: If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.


Table 20: Number of directly reported incidents to ThaiCERT in 2012 sorted by threat type

Figure 13: Number of directly reported incidents to ThaiCERT in 2012 sorted by threat type

Among the incidents reported directly to ThaiCERT via email and telephone, shown in Table 20, there were 792 reports in total in 2012. Fraud dominated with 534 reports (67.42%), followed by malicious code with 10.35%, while intrusions and intrusion attempts together accounted for 17.30%.


Table 21: Number of directly reported incidents sorted by type of relevant individuals and their location

Figure 14: Percentage distribution of number of directly reported incidents sorted by type of relevant individuals and their location

ThaiCERT classifies the relevant individuals into three types: submitter, attacker and victim, each further classified by location as domestic, foreign or unknown. Table 21 and Figure 14 indicate that more than 90% of submitters were from foreign countries, which corresponds to the almost 90% of victims that were foreign as well. Reports with an unknown location are those for which there was no information to identify the location of the victims or attackers.


Table 22: Number of fraud reports sorted by type of relevant individuals and their location

Location    Submitters   (%)     Victims   (%)     Attackers   (%)
Domestic            18   3.37         15   2.81          515  96.44
Foreign            516  96.63        519  97.19           19   3.56
Unknown              0   0.00          0   0.00            0   0.00

Figure 15: Percentage distribution of number of fraud reports sorted by type of relevant individuals and their location

Table 23: Number of fraud reports sorted by type of relevant individuals and organizations

Type                                 Submitters   (%)     Victims   (%)     Attackers   (%)
Individuals                                   4   0.75          0   0.00            0   0.00
CSIRT/Infosec agencies                      349  65.36          0   0.00            0   0.00
Internet Service Providers                    1   0.19          0   0.00            0   0.00
Company/Business/Private agencies           179  33.52        519  97.19          345  64.61
Academic Institutes                           0   0.00          0   0.00           45   8.43
Government agencies                           1   0.19          0   0.00           85  15.92
Others                                        0   0.00         15   2.81           59  11.05


Table 23 presents the number of fraud reports categorized by the type of relevant individuals and organizations, where an attacker could be either the system hosting the phishing page or a system owner who intentionally hosted a fraudulent website. The relevant entities are categorized into seven types: individuals, CSIRT/Infosec agencies, Internet service providers, company/business/private agencies, academic institutes, government agencies and others.

Figure 16: Percentage distribution of number of fraud victims

Figure 17: Percentage distribution of number of fraud submitters

Figure 16 shows that most fraud victims were companies/businesses/private agencies, more than 90% of all fraud reports. The rest fall under "Others", where the actual victim could not be identified because the phishing page had already been deleted or changed during the incident investigation and there was not enough information to determine the target of the attack. As for the submitters of fraud incidents, shown in Figure 17, 65.36% were CERT organizations around the world, followed by companies/businesses/private agencies such as banks and financial institutions with 33.52%. The remaining submitters, individuals, ISPs and government agencies, accounted for about 1.13%.

Figure 18: Percentage distribution of number of fraud attackers

The distribution of fraud attackers in Figure 18 indicates that about 64% belonged to companies/businesses/individuals, while 24% belonged to government agencies and academic institutes. From the information obtained during analysis, ThaiCERT found that none of the phishing pages had been created by the website owners. The owners were instead victims of attackers who compromised their web servers to plant the phishing pages, and the website administrators were unaware of the malicious activity. This finding shows that most websites of companies/businesses/individuals in Thailand still require stronger security measures against such attackers.


Figure 19: Number of directly reported incidents during 2001-2012

Figure 19 shows the number of directly reported incidents from 2001 to 2012. The red bars indicate the number of incident reports during 2001 to 2010, when ThaiCERT operated under Thailand's National Electronics and Computer Technology Center (NECTEC); these figures were extracted from Asia Pacific Computer Emergency Response Team (APCERT) annual reports. The graph shows no figure for 2009 because ThaiCERT did not submit a report to APCERT that year.

The blue bars represent the number of directly reported incidents during 2011 and 2012, after ThaiCERT was transferred to the Electronic Transactions Development Agency (ETDA). The number of incident reports in 2012 was 792, approximately 22% higher than the 646 reports in 2011.

Apart from the automatic feeds and email as channels for receiving incident reports, ThaiCERT also collaborated with Microsoft to gather information on, and handle, incidents related to the Rustock and Zeus malware. The statistics are summarized below.


Figure 20: Number of unique IPs infected by Rustock sorted by month and ISP

Figure 20 shows the number of unique IP addresses in Thailand infected by Rustock, collected from January 13 to June 20, 2012, a total of 71,719 IP addresses. After ThaiCERT analyzed the incident reports and coordinated with the relevant ISPs to handle the incidents, the number of reports decreased continuously from January 2012, from approximately 4,500 to under 3,000 per week. Most of the decrease was in IP addresses belonging to TOT and True.


Figure 21: Number of unique IPs infected by Zeus sorted by month and ISP

In June 2012, Microsoft stopped providing incident reports on Rustock and provided Zeus reports instead, since Microsoft had taken down command and control servers of the Zeus botnet and found far more IP addresses infected by Zeus. ThaiCERT therefore received Zeus incident reports from June to November 2012, as shown in Figure 21.

Figure 21 shows a total of 88,708 unique IP addresses infected by Zeus, with the number of reported IP addresses peaking in July at 32,217. As in the Rustock case, the number of reported IP addresses declined after ThaiCERT analyzed the incident reports and coordinated with the relevant ISPs.

Figure 22: Percentage distribution of number of repeatedly reported and non-repeatedly reported IPs from phishing reports


Figure 23: Percentage distribution of number of repeatedly reported IPs from phishing reports sorted by type of domain name

Figures 22 and 23 show that 19% of the IP addresses in phishing reports were reported repeatedly. Most of these were commercial (.com) sites, 44.6% or 124 IP addresses, followed by educational institutions (.ac.th) together with government agencies (.go.th) at 26.9% or 75 IP addresses. These statistics reflect how effectively organizations fix the vulnerabilities of their websites after receiving a report.

4.4 Case studies

In 2012, ThaiCERT handled a number of incidents that make interesting case studies, including the intrusion into T.H.NIC's domain name management system, the DNS Changer malware, the discovery of a C&C server for the Flame malware family, email account hacking, and phishing hosted on web hosting services in Thailand.


4.4.1 Intrusion of T.H.NIC Domain Name Management System

On 30 June 2012, ThaiCERT received a report from an international cybersecurity organization that the IP addresses associated with the domain names of many multinational companies in Thailand had been changed, apparently with malicious intent. This was recognized as a domain hijacking attack, but the attack method was unknown. After coordinating with T.H.NIC, the registry for Thailand's country-code top-level domain (ccTLD), ThaiCERT found that T.H.NIC's domain name database had been compromised, and that a number of domain names had been hijacked without their owners' knowledge.

Picture 3: Structure of domain name modification system of T.H.NIC

After analyzing the reports and working closely with T.H.NIC to advise and assist from 30 June to 2 July 2012, ThaiCERT found that the attacker, using IP addresses in Eastern European countries, had exploited a vulnerability in the content management system (CMS) of T.H.NIC's public website. Through it the attacker gained access to the main database and to the source code of the system that manages domain registrants' information. Because all systems shared the same server and database, the server logs showed that the attacker obtained the passwords of all domain registrants as well as the database administrator's password, and was therefore able to change any registrant's information in T.H.NIC's system.

With this information, ThaiCERT helped T.H.NIC identify the causes of the domain name management problems and advised on how to improve the system.

From this case, ThaiCERT recognized the importance of developing intrusion detection capability to an international standard, so that incident response can be handled for organizations responsible for Internet infrastructure. Moreover, digital forensics capability is important not only for police investigations but also for identifying the vulnerabilities of compromised information systems, so that preventive measures can be developed efficiently and promptly.


4.4.2 Dissemination of DNS Changer Malware

DNS Changer malware was first discovered in 2007 and can infect both Windows and Mac OS X computers. It changes the DNS server settings of infected computers to the IP addresses of rogue DNS servers set up by criminals. Whenever a user of an infected computer tries to access a website, the computer contacts the rogue DNS servers operated by the criminals instead of its legitimate DNS servers, so users are redirected to fraudulent websites or their online activities are otherwise interfered with. In November 2011, the FBI (United States Federal Bureau of Investigation) reported that more than 4 million computers around the world were infected with DNS Changer malware[28].

[28] http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

The FBI arrested the criminals responsible for spreading DNS Changer malware and running the rogue DNS servers that allowed them to manipulate the victims' online activities. The FBI could not simply disable the rogue DNS servers, however, because the infected computers relied on them for name resolution and would have lost Internet access; the rogue servers were instead replaced with clean ones. According to an investigative report from March 2012, about 450,000 computers around the world were still infected with DNS Changer malware, including many government computers.

By April 23, 2012, the FBI had sent the list of IP addresses of all infected computers to the responsible ISPs in each country so that infected computers could be cleaned before the deadline of July 9, 2012, the date on which the FBI would shut down the clean DNS servers serving the infected victims.
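A practical check on a suspect host is to compare its configured resolvers with the rogue address ranges, since the malware's only persistent trace on many victims was the changed resolver setting. The following is an added example, not ThaiCERT's or the DCWG's tooling; the rogue ranges are those listed in the FBI document cited in footnote 28 (verify them against the current DCWG list before relying on them), while the resolv.conf text and the approved-resolver list are constructed for the example.

```python
"""Check whether a host's configured resolvers fall in the DNSChanger rogue ranges.

Added example, not ThaiCERT's or the DCWG's tooling.  The ranges are those
listed in the FBI document cited in footnote 28; the resolv.conf text and
the approved-resolver set are constructed for the example.
"""
import ipaddress
import re

# First and last address of each published rogue range.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Expand first/last pairs into networks so no hand-written CIDR math can be off by one.
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)

# Constructed /etc/resolv.conf of an infected host.
SAMPLE_RESOLV_CONF = """\
search example.net
nameserver 85.255.112.36
nameserver 192.0.2.53
nameserver 8.8.8.8
"""


def configured_resolvers(resolv_conf_text):
    """Resolver addresses in order of use, as listed in resolv.conf."""
    return NAMESERVER_RE.findall(resolv_conf_text)


def is_rogue(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_NETWORKS)


def check_resolvers(resolvers, approved):
    """Classify each resolver as 'rogue' (DNSChanger range), 'unexpected'
    (not in the organisation's approved set) or 'ok'.  An unexpected but
    non-rogue resolver still deserves a look: it is how a new rogue range
    would show up before any blocklist knows about it."""
    verdicts = {}
    for ip in resolvers:
        if is_rogue(ip):
            verdicts[ip] = "rogue"
        elif ip not in approved:
            verdicts[ip] = "unexpected"
        else:
            verdicts[ip] = "ok"
    return verdicts


if __name__ == "__main__":
    approved = {"192.0.2.53"}   # assumed approved resolvers for this network
    for ip, verdict in check_resolvers(
            configured_resolvers(SAMPLE_RESOLV_CONF), approved).items():
        print(f"{ip:<16} {verdict}")
```

The same comparison can be run centrally from DHCP lease data or from the resolver addresses seen in outbound port 53 traffic, which is how an ISP can find affected customers without access to their machines.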

Figure 24: Number of reports of DNS Changer infections in the networks of agencies or ISPs; information retrieved on 8 July 2012 from DCWG.org


ThaiCERT received the list of computers in Thailand infected with DNS Changer malware from the DCWG[29] and cooperated with Thai ISPs to notify the infected victims. As of July 8, 2012, a day before the FBI shut down the clean DNS servers serving the infected victims, there were 2,023 infected computers in Thailand. These can be roughly divided into ten groups based on their ISP networks, as shown in Figure 24. The chart shows that infected computers were found at major ISPs such as TOT, Triple-T and CAT, as well as in government networks such as that of the Ministry of Education.

This is an interesting case study because, even though the IP addresses of the infected computers were known, ThaiCERT was unable to identify the victims from those addresses. The IP addresses are owned by the ISPs, so ThaiCERT could not contact or notify the victims directly and had to coordinate with the ISPs so that they could notify their customers. Thus, although ThaiCERT is capable of all the tracking steps needed to follow up such problems, the efficiency of the process largely depends on the cooperation and customer service approach of each ISP.

4.4.3 Discovery of a C&C Server of the "Flame" Malware Family

ThaiCERT was informed on June 19, 2012 by a security partner that they had found, in Thailand, the C&C (command and control) server[30] of a botnet that was most probably a new variant of the malware known as "Flame". Flame was previously known as malware targeting government agencies in Middle Eastern countries. ThaiCERT's investigation revealed that the reported C&C server was hosted at a web hosting provider in Thailand.

ThaiCERT coordinated with the informant (the security partner) and requested further information for analysis and investigation, and then confirmed that the reported C&C server did exist. The informant also warned ThaiCERT that the owners of the C&C server might be involved in illegal activities and might delete all data on the server if any attempt were made to seize it, as had happened in many cases in other countries. The informant therefore advised ThaiCERT to initiate legal action to obtain a warrant for confiscation of the C&C server.

ThaiCERT discussed the case with the legal authorities at both the Technology Crime Suppression Division, Royal Thai Police and the IT Crime Prevention and Suppression Bureau, Ministry of Information and Communication Technology. In practice, a crime cannot be prosecuted by the authorities unless a victim files a complaint against the offenders in Thailand. As there was no identified victim in this case, the criteria for prosecution under Thai law could not be met. ThaiCERT has taken steps to recommend legal amendments that would mitigate the limitations of existing law enforcement. This is a long-term mission, and short-term measures are still significantly lacking; improving security measures should therefore be emphasized. To that end, the National Cybersecurity Committee was established, chaired by the Prime Minister.

[29] DNS Changer Working Group

[30] A command and control (C&C) server is a computer set up and used by a malware operator to command and control the malware on infected computers.

4.4.4 Hacking the Email Account of an SME Entrepreneur

An SME exporter reported to ThaiCERT that the main email account they used to correspond with international clients had been compromised. The case involved fraud whose victims were the SME's clients. The fraudster had set up a new email account with an address similar to the SME's original one, so that the clients would believe the messages were genuine. Impersonating the entrepreneur, the fraudster then informed the clients that the bank account number used for trade payments had changed and tried to trick them into transferring money to the fraudulent account. Some clients fell for the scam and transferred money. After becoming aware of the fraud, the entrepreneur reported it to the Technology Crime Suppression Division of the Royal Thai Police and to the Ministry of Information and Communication Technology, who referred them to ThaiCERT.

Interestingly, the evidence raised some questions: how did the fraudster know the clients' email addresses, and how did the fraudster know the details of the business, such as the product types and payment transactions of specific orders, which appeared in the emails exchanged between the fraudster and the victim clients? The fact that the fraudster apparently had access to these details in the entrepreneur's email account explains why the fraudster had enough information to convince the clients that they were dealing with the real entrepreneur.

ThaiCERT examined the access log of the entrepreneur's email account on the assumption that the fraudster possessed the username and password of the account and could thus read client names, client email addresses and old purchase orders. However, it turned out that the incident had gone on over a very long period, which made the fraudster's activities extremely difficult to investigate. ThaiCERT coordinated with the email service provider and related CERTs for help in investigating the fraudster's activities and disabling the fraudulent email account. Unfortunately, the email service provider required legal documents as a precondition for any further action. ThaiCERT therefore coordinated with the Technology Crime Suppression Division, which could assist the entrepreneur with the documents needed for legal proceedings.

The interesting point of this case is that even though the SME entrepreneur took extensive precautions in using computers and the Internet, for example by using only licensed and updated software, by never accessing the email account from public computers, and by using long, complex passwords that are difficult to guess, the fraudster was still able to get into the email account.
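The signals in this case, a sender address that imitates the real one, replies diverted to another mailbox, and a request to change payment details, can be checked mechanically on the recipient's side before any money moves. The following is an added example written for this page, not code from ThaiCERT or from the case; the contact list, the message and the folding rules for look-alike characters are constructed.

```python
"""Triage an inbound e-mail for the signs of business e-mail compromise (BEC)
seen in the case above: a sender address that merely resembles a known
correspondent, a Reply-To that diverts replies elsewhere, and a request to
change payment details. Added example; the contact list and message are
constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# Characters and digraphs commonly swapped to forge a look-alike address (constructed list).
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                ("3", "e"), ("5", "s"), ("7", "t"), ("-", ""), (".", "")]
# Phrasing that, coming from a "supplier", warrants a phone call to a number already on file.
_PAYMENT_CHANGE = re.compile(
    r"(new|changed|updated)\s+(bank|account|beneficiary|payment)"
    r"|(account|bank)\s+(number|details?|no\.?)\s+(has\s+|have\s+)?chang", re.I)


def fold(s: str) -> str:
    """Lower-case and collapse confusables so 'acrne' compares equal to 'acme'."""
    s = s.lower()
    for a, b in _CONFUSABLES:
        s = s.replace(a, b)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short domain names, so the O(len a * len b) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, known: List[str]) -> str:
    """'known' for an exact known address, 'lookalike' if it imitates one, else 'unknown'."""
    sender = sender.lower().strip()
    known = [k.lower() for k in known]
    if sender in known:
        return "known"
    s_local, _, s_domain = sender.partition("@")
    for k in known:
        k_local, _, k_domain = k.partition("@")
        # Domain a few characters off, or identical once confusables are folded.
        if fold(s_domain) == fold(k_domain) or (
                len(k_domain) >= 8 and levenshtein(s_domain, k_domain) <= 2):
            return "lookalike"
        # Known mailbox name recreated on an unrelated (often free-mail) domain.
        # Generic names such as "info" will over-trigger here; tune per contact list.
        if fold(s_local) == fold(k_local):
            return "lookalike"
    return "unknown"


def triage(raw_message: str, known: List[str]) -> Dict[str, object]:
    """Score one message. A payment-change request is never trusted on its own:
    in the case above the genuine mailbox itself was compromised, so even a
    'known' sender only lowers, not removes, the need for out-of-band checking."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    sender = classify_sender(from_addr, known)
    diverted = bool(reply_to) and reply_to.lower() != from_addr.lower()
    payment = bool(_PAYMENT_CHANGE.search(body))
    score = {"known": 0, "unknown": 1, "lookalike": 2}[sender] + diverted + 2 * payment
    return {"sender": sender, "reply_to_diverted": diverted,
            "payment_change": payment,
            "risk": "high" if score >= 3 else "medium" if score >= 1 else "low"}


# Constructed: the exporter's real address as the importer knows it, and a forged mail.
KNOWN_CONTACTS = ["sales@acme-export.co.th"]
SAMPLE_MESSAGE = """\
From: Somchai <sales@acrne-export.co.th>
Reply-To: acme.export.sales@example.net
To: buyer@importer.example
Subject: Re: PO 4471 balance payment

Dear customer,
Please note that our bank account number has changed. Kindly remit the
balance for PO 4471 to the new account stated below.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE, KNOWN_CONTACTS))
```

Running the block prints the triage result for the constructed message, which is rated high risk on all three signals. The scoring deliberately flags a payment change from an exactly matching sender as medium rather than low: the point of the case above is that the legitimate mailbox can itself be in the fraudster's hands, so bank-detail changes should always be confirmed over a channel that did not come from the email.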


4.4.5 Phishing on Thai Web Hosting

Between July 2011 and August 2012, ThaiCERT received several reports from Bradesco, a bank in Brazil, about phishing web pages that imitated the Bradesco web page in order to steal personal information from visitors. The cases appeared to be linked to one web hosting provider in Thailand: 34.7% of all phishing pages targeting Bradesco were found on this provider. Although the individual websites on which the phishing pages had been planted were built with different technologies, the phishing pages themselves shared a common signature. This led the analysts to suspect that the websites had been attacked by the same person, and that the attacker had most likely broken into the hosting provider's management system directly rather than into each differently built website separately.

To resolve the case, ThaiCERT contacted the administrators of the web hosting provider, informed them of the investigation and advised them on how to strengthen the system's security against intrusion. The advice led to improvement: between July and December 2012 there were no further reports of Bradesco phishing pages on the affected hosting provider. We can therefore assume that attackers prefer to attack a vulnerable hosting management system. This kind of attack is very effective because even when the individual websites are adequately protected, a vulnerability in the central management system of the hosting provider leaves them all likely to be compromised. A quick response by the hosting provider, however, makes a real difference in mitigating the problem. It can be concluded that success in preventing such incidents depends heavily on coordination between both sides, and that incidents should be reported immediately after an attack is discovered.

5. CERTs and AEC 2015

5.1 The Roles of CERTs in AEC 2015

For over 10 years, ASEAN member states have continuously developed the region's telecommunication and information technology infrastructure with the aim of improving the quality of life of its more than 500 million people. This technological progress has been welcomed and pushed forward by the telecommunication and IT ministers of all ASEAN member states in an effort to make businesses more competitive, attract more investment and increase ASEAN citizens' potential, so as to be ready for the advent of the AEC in 2015. To reach these goals, the ASEAN member states drafted the "ASEAN ICT Masterplan 2015" and ratified it at the 10th ASEAN Telecommunications and IT Ministers Meeting on January 13-14, 2011, with the vision of moving towards an empowering and transformational ICT and creating an inclusive, vibrant and integrated ASEAN. To achieve this vision, the Masterplan identifies six strategic thrusts with concrete work plans: economic transformation, people empowerment and engagement, innovation, infrastructure development, human capital development and bridging the digital divide.

Strategy 2: People Empowerment and Engagement

Table 24: Strategy 2: People Empowerment and Engagement

Initiative 2.4: Confidence Reinforcement

Work Plan: Encourage Safe ASEAN Transactions
Explanation:
• developing Mutual Recognition Arrangements (MRA) for the use of common ASEAN electronic certifications within ASEAN member states;
• promoting the use of two-factor authentication to verify individual identity.

Work Plan: Promote Cyber Security Awareness to ASEAN Citizens
Explanation:
• building public awareness of online system security;
• creating and fostering close cooperation between the private sector and the public.


Strategy 4: Infrastructure Development

Table 25: Strategy 4: Infrastructure Development

Initiative 4.2: Promote safe and stable network and information systems, information protection, and Computer Emergency Response Team (CERT) cooperation

Work Plan: Network Security Development
Explanation:
• establishing minimum standards of cooperative security to guarantee ASEAN network stability and readiness;
• monitoring network security by setting up and applying the so-called "ASEAN Health Screening" for networks and information systems.

Work Plan: Information Security Development
Explanation:
• exchanging information on telecommunication infrastructure protection methods between ASEAN members.

Both strategies 2 and 4 of the ASEAN ICT Masterplan 2015 indicate the importance of fostering a safe and secure cyberspace by creating cybersecurity awareness among the public, the business sector and other relevant organizations, and by developing telecommunication infrastructure with appropriate cybersecurity measures.

To reach these targets, the Electronic Transactions Development Agency (Public Organization), or ETDA, has been assigned by the Ministry of Information and Communication Technology to be one of the country's main institutions taking on these challenges. ThaiCERT has represented ETDA in many ASEAN activities conducted under the Masterplan, including as an active member of the ASEAN Network Security Action Council (ANSAC).


5.2 The ASEAN Members' CERT Reports

The cross-border nature of cyber attacks makes it important to share cybersecurity information and intelligence, which is often done at the level of CERT operations through a trusted network of incident responders. Cyber-attack patterns can potentially be extracted from the data the CERTs share. We have selected ASEAN+3 cyber-attack data from the APCERT annual report 2011 and elaborate on them here to illustrate cybersecurity trends in the region. ASEAN+3 means ASEAN plus the People's Republic of China, Japan and the Republic of Korea, and APCERT stands for the Asia Pacific Computer Emergency Response Team, a cooperation of 22 Asia Pacific organizations from 19 economies. The 16 organizations from the 11 ASEAN+3 countries are listed in Table 26.

Table 26: List of ASEAN+3 CERT members in APCERT

Name | Country
Bach Khoa Internetwork Security Center (BKIS) | Vietnam
Brunei Computer Emergency Response Team (BruCERT) | Brunei
CERNET Computer Emergency Response Team (CCERT) | China
National Computer Network Emergency Response Technical Team / Coordination Center of China (CNCERT/CC) | China
Indonesia Computer Emergency Response Team (ID-CERT) | Indonesia
Indonesia Security Incident Response Team on Internet Infrastructure Coordination Center (ID-SIRTII/CC) | Indonesia
Japan Computer Emergency Response Team / Coordination Center (JPCERT/CC) | Japan
Korea Internet Security Center (KrCERT/CC) | Korea
Malaysian Computer Emergency Response Team (MyCERT) | Malaysia
Philippine Computer Emergency Response Team (PHCERT) | Philippines
Singapore Computer Emergency Response Team (SingCERT) | Singapore
Thailand Computer Emergency Response Team (ThaiCERT) | Thailand
Vietnam Computer Emergency Response Team (VNCERT) | Vietnam
Government Computer Security and Incident Response Team (GCSIRT) | Philippines
Myanmar Computer Emergency Response Team (mmCERT) | Myanmar
National University of Singapore Computer Emergency Response Team (NUSCERT) | Singapore

Note that LaoCERT (Laos) and CamCERT (Cambodia) were not members of APCERT at the time the APCERT annual report 2011 was published.

Figure 25: Number of cyber attacks reported to ASEAN+3 CERTs during 2007-2011

The graph shows the number of cyber attacks reported in ASEAN+3 countries from 2007 to 2011 (five years). Attacks tended to increase continuously over that period. The CERTs reporting more than 10,000 cases per year were MyCERT, CNCERT/CC, JPCERT/CC and KrCERT/CC, while BruCERT, ID-SIRTII/CC, PHCERT, ThaiCERT and VNCERT reported fewer cases, below 5,000 each in 2011.


Table 27 shows the percentage of each type of cyber attack in the cases reported by the ASEAN+3 CERTs. Note that the data presented are from BruCERT, ID-SIRTII/CC, MyCERT, ThaiCERT, VNCERT, CNCERT/CC, JPCERT/CC and KrCERT/CC. The information ThaiCERT contributed to the APCERT annual report 2011 covers all attack cases reported during July-December 2011 under the management of the Electronic Transactions Development Agency (Public Organization). CNCERT/CC and JPCERT/CC did not submit any information on spam cases found in their auto-feed systems.

Remarks: PHCERT did not contribute to the 2011 annual report, and SingCERT did not disclose its case counts, stating only that fraud was its most reported type of attack in the APCERT 2011 annual report.


Table 27: The ASEAN+3 cyber attack types reported in the APCERT annual report 2011

Figure 26: Proportion of threats by ASEAN+3 country, as shown in the APCERT annual report 2011

From Table 27 and Figure 26 we can see that in 2011 malicious code had the highest share (more than 50%) of reported cases for Brunei and South Korea. For Indonesia and Japan, the majority of reported cases (more than 80% and 60%, respectively) were information gathering and intrusion attempts. For Malaysia, Thailand, Vietnam and China, fraud was the most reported type.

The 2011 data as a whole lead to the conclusion that cyber attacks within ASEAN+3 are on the rise, and that the top types of attack are information gathering, intrusion attempts and fraud.


5.3 Strengthening Collaboration of the CERT Network

5.3.1 Building Networks

Coping with cyber threats effectively requires the relevant parties to collaborate, particularly those directly in charge of IT security administration. Most of the time, CERTs have no legal power to enforce any law. They rely on collaboration and build networks such as FIRST, APCERT and OIC-CERT. As members of a network, CERTs can exchange information and deal with threats more effectively together. Thailand recognized the global benefits of such collaboration and has been an active member of APCERT, FIRST and other CERT communities.

The Asia Pacific Computer Emergency Response Team (APCERT) consists of 22 members from 19 economies. Its vision is to promote cybersecurity among its members through international cooperation. APCERT members meet annually to share information and lessons learned in dealing with cybersecurity incidents. They also conduct an annual incident drill to test their effectiveness and revise their incident handling guidelines if necessary.

The Forum of Incident Response and Security Teams (FIRST) has more than 260 members. It aims to promote collaboration among its members in dealing with threats effectively through shared guidelines, tools and secure communication channels. Members of FIRST can form joint task forces to carry out collaborative work of interest using their expertise. For example, the CVSS Special Interest Group (CVSS SIG) is responsible for the guideline for assessing the severity of system vulnerabilities. The Metrics SIG is responsible for guidelines for evaluating the effectiveness of incident handling. The Network Monitoring SIG promotes the collection and analysis of data from sensor networks in order to find malicious activity in computer networks. The Malware Analysis SIG promotes tools and methods for malware analysis.

All these initiatives benefit the CERT communities and their constituencies globally, as they promote collaboration among members, enhance capacity for handling threats and ensure an international standard of incident handling practice.


5.3.2 Point of Contact

Handling cybersecurity incidents requires extensive coordination at both the organizational and the national level. A key element in successful incident handling is the Point of Contact (PoC), an organization's representative, who needs to be sufficiently IT-competent and well equipped with tools to ensure prompt and effective coordination when the organization faces a threat.

As the PoC plays a vital role in incident handling, PoC information must always be updated when there are changes, such as a change of coordinator or of communication channels, and the PoC information should be made publicly available. CERT networks have already taken several measures to consolidate PoC information and keep the public updated. For example, the FIRST PoC list is published at http://www.first.org/members/teams31 and contains more than 260 entries. It enables information to be shared with the PoCs by telephone, facsimile and email. PGP is used to identify senders and recipients, and it also allows messages to be encrypted when sensitive information is communicated.

31 http://www.first.org/members/teams, accessed 31 August 2012

5.3.3 Threat Information Service

Successful threat management requires an organization to be proactive. Some organizations are able to monitor their own network activity while others are not. Several independent institutions have therefore started collecting threat data and providing it to their members, who can then promptly take action against the threats. For example, the Anti-Phishing Working Group (APWG) and PhishTank, operated by OpenDNS, collect and distribute information about phishing attacks, including phishing URLs, which the relevant CERTs can use for immediate incident handling.

In addition, CERTs exchange threat information among themselves, including the origins and characteristics of threats and possible prevention measures and solutions. Any organization can use this type of information to alert other organizations that may be targets of a similar threat. Such initiatives raise awareness and prepare many organizations for tackling cyber threats.


5.3.4 Standards on Threat Information

One of the main problems in exchanging information on cyber attacks is that the format of the information to be shared is not standardized, which requires additional work to consolidate and prepare the data before it can be shared with other parties. To tackle this issue, the CERT networks have adopted common information standards to increase effectiveness. Among these is the Incident Object Description Exchange Format (IODEF), documented in RFC 507032 and approved by the Internet Engineering Task Force (IETF). Furthermore, the Common Vulnerability Scoring System (CVSS) was developed as a common standard for measuring the severity of vulnerabilities, giving all parties a shared understanding of severity levels.

32 http://www.ietf.org/rfc/rfc5070.txt, accessed 31 August 2012

5.3.5 Incident Drill

Incident drills are one of the regular practices of CERTs. A drill aims to test the existing threat management process and the decision making of the relevant personnel in a mock situation. This activity builds confidence at the organizational level by helping an organization prepare its staff to react effectively to cybersecurity incidents. Such preparedness reduces cybersecurity risk and helps limit the damage that an incident might cause.

A drill can be conducted at different levels. The most basic form is a discussion-based (tabletop) exercise: the relevant staff are brought together, assigned roles in a scenario, and then have to discuss and decide how to handle the incident in the scenario. The exercise can also be conducted in a more realistic setting, with simulated incidents on real computer and network systems. The results of the exercise can be used to improve incident handling procedures.


5.3.6 Deploying Network Sensors

Some CERTs build their own surveillance systems to detect anomalies in computer networks using log monitoring software or sensors. These sensors are typically installed around the world to analyze unusual data flows; for instance, when a sensor detects a high volume of Denial of Service (DoS) attack traffic from different countries, the surveillance system can send an alert to a designated person.

JPCERT/CC created Tsubame, a Japanese sensor network with worldwide coverage. It collects source IP addresses, source port numbers and arrival times. The traffic data are processed and animated to help understand the situation visually and anticipate further incidents. The Tsubame project was developed to reduce cyber risk. Developing such tools for scanning, detecting and tracing attacks should be a priority for Thailand, which highlights the importance of research and development in cybersecurity.

6. Threats VS Privacy

Threats often take the form of privacy violations such as theft of personal data, with the stolen data then used for fraud. According to threat statistics, the trend shows significant growth. Personal data protection, or privacy, has become a critical issue and has been raised in various international arenas such as the United Nations, APEC, ASEAN and the Organisation for Economic Co-operation and Development (OECD). This highlights the need for preventive measures, both legal and practical ones (soft law), as well as for raising public awareness of the threats, of prevention measures and of the impact of threats such as identity theft and personal data abuse. For example, spam or phishing can be used to steal a person's data, and the attacker can then use the stolen data to impersonate the victim and obtain financial information. A more serious case, one that can be a matter of life and death, is unauthorized access to and modification of medical diagnoses or prescription information. However, not many people in Thailand and other Asian countries are aware of these threats and their potential consequences. People still believe that this does not involve their lives directly, even though many of their daily activities are recorded and processed on computers and social networks. Despite the misconception that the "right to privacy" refers only to personal data, Article 35 of the Thai Constitution states that:

"A person's family rights, dignity, reputation and the right of privacy shall be protected. The assertion or circulation of a statement or picture by any means to the public which violates or affects a person's family rights, dignity, reputation or the right of privacy, shall not be made except in the case which is beneficial to the public. A person shall have the right to be protected from illegal use of his or her personal information as provided by law."

According to the above, "personal data" can be viewed from four different perspectives:

• Communication privacy refers to legal protection of the security and privacy of correspondence, telephone calls, emails and other private means of communication;
• Territorial privacy refers to protection against intrusion into or trespassing on a person's space, including CCTV installation and ID checks for access to residences;
• Bodily privacy focuses on protection of one's physical body, for example against genetic testing or drug testing; and
• Information privacy concerns the protection of an individual's data and governs the procedures for collecting and managing personal data.


Privacy violation is not a new threat. Over the past decades, organizations and governments in many countries have attempted to establish universal standards for protecting privacy and preventing privacy violations under mutual agreements, for example Article 12 of the Universal Declaration of Human Rights (1948)33, which states: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks." This statement set a milestone for countries to develop sufficient privacy protection for their own citizens.

In Thailand, several articles of law govern privacy and personal data protection. However, "personal information" is defined differently in different contexts, which leads to misunderstanding. Generally, personal information includes any form of data that can be directly or indirectly related to its owner, e.g. ID card number, surname, telephone number, address, images, emails, bank statements, transcripts, etc. Such information is often used and published without permission, which makes it very necessary to expedite the Data Protection Law, which has been under review for more than 10 years. The draft is intended to be a common legal framework and to enhance public confidence by establishing standards for storing and using data securely. The urgency of the matter has led many countries, such as Malaysia and South Korea, to appoint responsible agencies that take charge of both personal data and security under the same agency.

33 Article 12 of the Universal Declaration of Human Rights 1948: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Technology has become a major part of our lives. It offers convenience in daily life, with borderless networks for information exchange and access to popular social networks. Despite such convenience, there is a privacy risk to large amounts of personal information: information technology makes intrusion or privacy violation more feasible without being noticed. The following examples reflect some of these violations:

1. Three US telecommunication giants, BellSouth, Verizon and AT&T, were sued by 26 people in 18 states for compensation of $200,000 for violating personal data: the companies had signed agreements to hand over telephone usage data to the National Security Agency (NSA) without permission. The data was supposedly to support telephone-tracking programmes aimed at tracking down terrorist networks, for which the NSA relies on surveillance methods such as interception of telephone, radio, Internet and other communication channels.

2. Several techniques have been used to track individuals online: cookies, web bugs, web-tracking spyware, packet sniffers, keystroke loggers and the FBI's Carnivore system. These programs can easily track a person's computer usage and spy on private data online.

3. An employee of the Social Security Office was fired for leaking the personal information of factory employees to debt collectors, who had been hired to push debtors to settle their payments.

4. It is common practice among financial institutions in both the banking and non-banking sector to ask clients to sign a form approving the use of their personal information when they apply for a credit card. These companies then sell their clients' personal information at a rate of 1-1.5 Baht per person. The buyer sorts the names and data according to the clients' preferences before sending them marketing materials for such products along with an invoice.

5. Data-trading websites are growing significantly. The traded data are mainly official data such as criminal records, civil registration records, arrest warrants, pictures or video of extramarital affairs, debt collection records and past mobile phone records. These websites require clients to leave their contact details so that the operators stay hidden from police investigation, and the service fee is stated on the page.

6. Cyber stalking is another Internet-based infringement: observing, threatening or harassing certain Internet users by sending emails or posting text or images on web boards, chat rooms or social network platforms such as Facebook, Instagram and Twitter. Such activities cause anxiety and fear for the safety of life and property among Internet users, which negatively affects their mental condition.

Besides the cases mentioned above, many other methods of infringement are in use, such as pop-up advertisements, identity theft, spyware used to steal personal information, email marketing and spam (which also disturb users), fraud, counterfeiting, and the risk of becoming a victim of information warfare and terrorism using cyber attacks.

Hence, it is clear that privacy violations tend to increase exponentially in number and severity. In many ways this is a type of threat that causes damage no less severe than other threats; the impact of personal data violations is as broad as that of cybersecurity threats and can negatively affect the security of life and property, or even the security of society. In response to such violations, many countries have introduced strong legal standards, such as personal data protection laws34 or laws tightening the regulation of offences, and promoted social standards to raise awareness among citizens. Looking at the situation in Thailand, however, it is clear that public awareness is still developing. This is true despite the existence of several laws on privacy rights, such as Article 35 of the Thai Constitution;

34 The Organisation for Economic Co-operation and Development (OECD) issued the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data to help countries establish standards. For details, see http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm


the Government Information Act B.E. 2540 (1997), which sets out measures for the protection of personal data held by government agencies; the Business Credit Information Act B.E. 2545 (2002), which sets out measures for protecting personal data held by financial institutions; and the Electronic Transactions Act B.E. 2544 (2001), under which the guideline and policy on personal data protection within government agencies B.E. 2553 (2010) were issued. Overall, however, these laws are not inclusive, specific and comprehensive enough to control all the agencies that collect personal data, and the measures in some of them do not meet international standards.

In the public sector, in response to the Electronic Transactions Commission's announcement on personal data protection, only a very small number of agencies have submitted their personal information protection policy to the Commission, even though some agencies collect large amounts of personal data. If such data were stolen, confidence in government administration could suffer.

Therefore, all sectors should engage and collaborate to solve these problems. The government has to implement strict measures to ensure and protect the privacy of its citizens. In addition, the private sector should implement self-regulation by promoting awareness of privacy rights among social network users and by introducing technical measures such as privacy settings for social network accounts in order to reduce violations. Last but not least, users should be aware of and recognize their privacy as a basic right. Such an attitude, together with cooperation among the different authorities, can ensure effective protection and reduce harm to the people of Thailand.


7. Is Thailand prepared for cyber threat?

Since ThaiCERT’s establishment under ETDA in 2010, it has operated two incident report channels: automatic feeds from partners’ networks, and email reports from general users. Analysis of the collected statistics indicates that the main cause of IT security incidents is a lack of awareness or knowledge about information security among users.

a.) System Administrator

Most threats faced by administrators involve either servers being attacked or servers being used by attackers to attack other computer systems, for instance by sending spam email, launching Denial of Service (DoS) attacks, or using the servers for fraud. Such problems are enabled by poor administration and neglected maintenance, which leave vulnerabilities that allow attackers to gain unauthorized access and carry on their illicit activities.

b.) General Users

In general, the main cause of a computer being infected by malware is the use of pirated operating systems and software, which cannot receive the regular updates that fix system vulnerabilities. A lack of awareness of protective measures and risky behavior also play an important role and frequently lead to compromise: visiting suspicious websites, downloading and running software, or opening email attachments without verifying them first.

This behavior makes the computer susceptible to malware and, in some cases, enables attackers to take control of the computer and start sending spam email or intercepting information transmitted by the user.

In addition, compromised computers and computer systems can spread security risks in various forms and cause damage to individuals, organizations and national infrastructure. There is the case, for example, of a web server in Thailand that was hacked and used to host a phishing site because the network administrators failed to harden the operating system and software, close unnecessary ports and keep the software up to date. As a result, the system was exposed to attackers, who committed crimes by creating web pages to steal other people’s personal information.

Cyber threats can cause severe consequences if users are not aware of the importance of IT security. Technology is advancing continuously and rapidly along with the growth and consumerization of mobile devices together with the trend of “bring your own device (BYOD)”. Furthermore, cyber threats not only pose risks to various aspects of IT security (e.g., confidentiality, integrity, availability), but also impact personal information privacy.

For effective information security, Thailand has to prepare the following:

Development of necessary infrastructure

- Develop and enhance the capacities of officers in charge of IT security, train security personnel to internationally recognized standards, and promote awareness among users of possible system attacks.
- Develop a legal framework that is viable for law enforcement, so that relevant officers, such as the police, judicial officials or other competent officers, can suppress and prosecute criminals efficiently.

Preparation

- Promote IT security research and development in order to prepare for possible threats and to reduce dependency on foreign security technology.
- Establish an institution or organization to support key national agencies in responding to threats.
- Create an agency to support key national agencies in threat management and to support the National IT Security Plan, which provides direction for and integration of public and private operations in threat response and management.
- Strengthen cooperation with foreign institutions in responding to and resolving threats against the systems of national agencies.
- Build national capacity and competitiveness in preparation for the AEC.

Integration

- Integrate IT security awareness-raising activities for users, consumers, policy makers, regulators and relevant agencies.
- Create mechanisms among relevant agencies to ensure a unified threat response.

As illustrated above, current IT security operations are being restructured to facilitate upgrading to international standards. This is reflected in the publication of the Royal Decree on Rules and Procedures of the Public Sector’s Electronic Transactions B.E. 2549 (2006) and the Royal Decree on Security Techniques in Performing Electronic Transactions B.E. 2553 (2010). As of December 2012, 56 approved agencies had issued policies and regulations regarding IT security between 1990 and 2012. In response to MICT instructions to promote and implement IT security policy, the Office of the Electronic Transactions Committee has implemented several measures to promote those instructions, such as seminars, which have been well attended. To ensure effectiveness, the National Cybersecurity Committee, chaired by the Prime Minister, was set up to draft the National Cybersecurity Policy Framework and the National Cybersecurity Master Plan. The committee serves as an integration mechanism for information exchange and collaboration among different agencies and sectors. Presently, the crucial challenge is the lack of knowledge and awareness among executives and their employees, which makes it more difficult to respond promptly to threats that can occur at any time. Since human resources are the most important mechanism for preventing and responding to threats, all personnel should be trained to recognize cyber threats and to react appropriately and collaboratively. Success depends not only on government agencies and private institutions, but also on collaboration with civil society to spread useful information to the general public. The initiatives mentioned above highlight the importance of capable human resources and the urgent need to develop IT security professionals, so that Thailand is better prepared for threat prevention, suppression, and collaboration among the parties involved.

In summary, ETDA has appointed ThaiCERT as a key mechanism in the cybersecurity arena and aims to work proactively to ensure safety and security. During its initial four years, ETDA has prepared itself to serve as the key mechanism in Thailand’s cyber threat response and to build and coordinate collaboration among the domestic and international entities involved. ETDA aims to ensure Thailand’s readiness and capacity to respond to any future threats.


8. Appendix

8.1 Appendix A: Classification of Threats

The Electronic Computer Security Response Team network (eCSIRT.net) categorizes threats into 8 classes. Some threats may overlap, but each incident is sorted into one main category. For example, if an intruder accesses a system, escalates to root privilege and then steals important information, the intrusion is categorized as Privileged Account Compromise. Table 28 below gives eCSIRT.net’s classification of threats.

Table 28: Classification of Threats according to eCSIRT.net

| Incident Class (mandatory input field) | Incident Type (optional but desired input field) | Description / Examples |
|---|---|---|
| Abusive Content | Spam | Or “unsolicited bulk email”: the recipient has not granted verifiable permission for the message to be sent, and the message is sent as part of a large collection of messages, all having identical content. |
| | Harassment | Discrimination of somebody (e.g. cyberstalking). |
| | Child/sexual/violence | Child pornography, glorification of violence, … |
| Malicious Code | Virus | Software that is intentionally included or inserted in a system for a harmful purpose. User interaction is normally necessary to activate the code. |
| | Worm | |
| | Trojan | |
| | Spyware | |
| | Dialer | |
| Information Gathering | Scanning | Attacks that send requests to a system to discover weak points. This also includes some kinds of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT). |
| | Sniffing | Observing and recording of network traffic (wiretapping). |
| | Social engineering | Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats). |
| Intrusion Attempts | Exploiting of known vulnerabilities | An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardized identifier such as a CVE name (e.g. buffer overflow, backdoors, cross-site scripting, etc.). |
| | Login attempts | Multiple login attempts (guessing/cracking of passwords, brute force). |
| | New attack signature | An attempt using an unknown exploit. |
| Intrusions | Privileged account compromise | Successful compromise of a system or application (service). This can be caused remotely by a known or new vulnerability, but also by unauthorized local access. |
| | Unprivileged account compromise | |
| | Application compromise | |
| Availability | DoS | In this kind of attack a system is bombarded with so many packets that operations are delayed or the system crashes. Examples of a remote DoS are SYN or PING flooding or email bombing (DDoS: TFN, Trinity, etc.). However, availability can also be affected by local actions (destruction, disruption of power supply, etc.). |
| | DDoS | |
| | Sabotage | |
| Information Security | Unauthorised access to information | Besides local abuse of data and systems, information security can be endangered by a successful account or application compromise. Furthermore, attacks are possible that intercept and access information during transmission (wiretapping, spoofing, or hijacking). |
| | Unauthorised modification of information | |
| Fraud | Unauthorized use of resources | Using resources for unauthorized purposes, including profit-making ventures (e.g. the use of email to participate in illegal profit chain letters or pyramid schemes). |
| | Copyright | Selling or installing copies of unlicensed commercial software or other copyright-protected materials (Warez). |
| | Masquerade | Type of attack in which one entity illegitimately assumes the identity of another in order to benefit from it. |
| Other | | All incidents which don’t fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised. |

Source: http://www.ecsirt.net/cec/service/documents/wp4-pub-userguide-v10.html (accessed 10 November 2012)
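The "one main category" rule and the "Other" warning in Table 28 are easy to state but need an explicit precedence to apply consistently. The following is an added example (not code from the ThaiCERT report or from eCSIRT.net) that files a constructed incident record, given as a set of responder observation tags (a vocabulary assumed here, not eCSIRT's), under exactly one Table 28 class and type, and reports the share of incidents that fell into Other.

```python
"""Classify incident observations under the eCSIRT.net taxonomy of Table 28.

Added example, not code from the ThaiCERT report or from eCSIRT.net.
An incident may match several categories but is filed under exactly one;
here an explicit precedence decides, so that an intrusion that reached root
and then stole data is filed as Intrusions / Privileged account compromise
rather than Information Security. The observation tags are a constructed
vocabulary for this example, not part of the eCSIRT.net scheme.
"""
from collections import Counter
from typing import Iterable

# Constructed observation tag -> (Incident Class, Incident Type) from Table 28.
TAG_TO_CATEGORY = {
    "root_shell":            ("Intrusions", "Privileged account compromise"),
    "user_shell":            ("Intrusions", "Unprivileged account compromise"),
    "webapp_compromised":    ("Intrusions", "Application compromise"),
    "cve_exploit_attempt":   ("Intrusion Attempts", "Exploiting of known vulnerabilities"),
    "password_guessing":     ("Intrusion Attempts", "Login attempts"),
    "unknown_exploit":       ("Intrusion Attempts", "New attack signature"),
    "data_exfiltration":     ("Information Security", "Unauthorised access to information"),
    "data_tampering":        ("Information Security", "Unauthorised modification of information"),
    "syn_flood":             ("Availability", "DoS"),
    "ddos_many_sources":     ("Availability", "DDoS"),
    "power_cut":             ("Availability", "Sabotage"),
    "worm_spread":           ("Malicious Code", "Worm"),
    "trojan_dropped":        ("Malicious Code", "Trojan"),
    "port_scan":             ("Information Gathering", "Scanning"),
    "sniffer_found":         ("Information Gathering", "Sniffing"),
    "pretext_call":          ("Information Gathering", "Social engineering"),
    "bulk_unsolicited_mail": ("Abusive Content", "Spam"),
    "cyberstalking":         ("Abusive Content", "Harassment"),
    "pyramid_scheme_mail":   ("Fraud", "Unauthorized use of resources"),
    "warez_hosting":         ("Fraud", "Copyright"),
    "identity_spoofing":     ("Fraud", "Masquerade"),
}

# Class precedence (an assumption of this example): outcome classes first,
# then the steps that typically precede them, content and fraud last.
CLASS_PRECEDENCE = [
    "Intrusions", "Availability", "Information Security", "Malicious Code",
    "Intrusion Attempts", "Fraud", "Abusive Content", "Information Gathering",
]
# Within a class, the more severe type wins (highest privilege reached,
# distributed before single-source flooding); other classes tie-break by name.
TYPE_PRECEDENCE = {
    "Intrusions": ["Privileged account compromise", "Application compromise",
                   "Unprivileged account compromise"],
    "Availability": ["DDoS", "DoS", "Sabotage"],
}


def classify(observations: Iterable[str]) -> tuple[str, str]:
    """Return the single (class, type) an incident is filed under.

    Unrecognised tags are ignored; an incident with no recognised tag is
    filed under Other, the taxonomy's catch-all class.
    """
    matches = {TAG_TO_CATEGORY[t] for t in observations if t in TAG_TO_CATEGORY}
    if not matches:
        return ("Other", "Other")

    def rank(category):
        cls, typ = category
        types = TYPE_PRECEDENCE.get(cls, [])
        type_rank = types.index(typ) if typ in types else len(types)
        return (CLASS_PRECEDENCE.index(cls), type_rank, typ)

    return min(matches, key=rank)


def other_share(incidents: Iterable[Iterable[str]]) -> float:
    """Fraction of incidents filed under Other.

    Table 28 notes that a rising count here means the classification scheme
    (or, in this example, the tag vocabulary) must be revised.
    """
    counts = Counter(classify(obs) for obs in incidents)
    total = sum(counts.values())
    return counts[("Other", "Other")] / total if total else 0.0


if __name__ == "__main__":
    # Constructed incident records, each a list of responder observations.
    SAMPLE = [
        ["port_scan", "cve_exploit_attempt", "root_shell", "data_exfiltration"],
        ["password_guessing", "port_scan"],
        ["syn_flood", "ddos_many_sources"],
        ["misfiled_ticket"],
    ]
    for obs in SAMPLE:
        print(obs, "->", classify(obs))
    print("share filed as Other:", other_share(SAMPLE))
```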


8.2 Appendix B: Glossary (Table 29)

| Word | Meaning |
|---|---|
| Abusive Content | Content such as child pornography, glorification of violence and spam is considered abusive content. |
| Malicious Code | Software that is intentionally included or inserted in a system for a harmful purpose. User interaction is normally necessary to activate the code. |
| Information Gathering | Gathering information about a system in order to find its vulnerabilities and use them to attack the system. It also includes gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats). |
| Intrusion Attempts | An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardized identifier such as a CVE name. Intrusion attempts also include multiple login attempts such as guessing/cracking of passwords or brute force. |
| Intrusions | Successful compromise of a system or application (service). This can be caused remotely by a known or new vulnerability, but also by unauthorized local access. |
| Availability | In this kind of attack a system is bombarded with so many packets that operations are delayed or the system crashes. Examples of a remote DoS are SYN or PING flooding or email bombing (DDoS: TFN, Trinity, etc.). However, availability can also be affected by local actions (destruction, disruption of power supply, etc.). |
| Fraud | The use of internet services such as websites or email to defraud victims or otherwise take advantage of them, for example by stealing personal information, which can even lead to identity theft. |
| DDoS | A technique for attacking the availability of a system from many computers at the same time. DDoS causes services to run improperly, be delayed or go down; for example, a web server cannot provide service because it receives too many requests from clients. |
| Brute Force | An attack to obtain a password or username by checking all possible values until the correct one is found. This kind of attack is only effective against improperly configured systems, such as those with usernames and passwords that are easy to guess. CAPTCHA is one measure to protect a website from brute force. |
| Phishing | The act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. |
| Botnet | Malware that can be controlled by attackers to carry out malicious activities such as DDoS attacks or stealing secret data. |
| Rustock | Botnet malware installed on the Windows operating system. It is capable of DDoS attacks, and its main function is spamming. Statistics show that this malware can send over 25,000 emails per hour. According to Microsoft, around 2.5 million computers were infected worldwide. |
| Kelihos | Botnet malware installed on the Windows operating system with the ability to perform DDoS attacks and send spam. |
| Feodo | Botnet malware installed on the Windows operating system aiming to steal online transaction information. |
| DDoS_dirtjumper | Botnet malware installed on the Windows operating system with the ability to perform DDoS attacks. |
| Conficker | Worm malware installed on the Windows operating system aiming to interrupt the availability of the system. For example, it can disable logging in to Windows, automatic Windows Update and Windows Defender. It also makes the network respond more slowly than normal. It can spread to other computers through network shares and by exploiting the vulnerability MS08-067. |
| Zeus | Botnet malware installed on the Windows operating system aiming to steal users’ online transaction information. |
| Virut | Botnet malware installed on the Windows operating system aiming to download and install other malware on computers. |
| TDSS | Botnet malware installed on the Windows operating system aiming to download and install other malware on computers. |
| Worm_boinberg | Worm malware installed on the Windows operating system and controlled via an IRC server. It generally spreads over Windows Live Messenger, USB drives and compressed files such as RAR and ZIP. The malware makes the computer work slowly and steals information such as usernames and passwords. |
| Torpig | Botnet malware installed on Windows operating systems aiming to steal users’ online transaction information. |
| Carberp | Botnet malware installed on the Windows operating system aiming to steal users’ online transaction information. |
| Spyeye | Botnet malware installed on Windows operating systems aiming to steal users’ online transaction information. |
| Ramnit | Botnet malware installed on Windows operating systems and created in 2010. In its first period this botnet malware was not dangerous, but nowadays it can steal online transaction information as well. Ramnit can spread through USB drives. |
| Gozi | Botnet malware installed on Windows operating systems aiming to steal users’ online transaction information. |
| Gbot | Botnet malware installed on Windows operating systems, capable of DDoS attacks and of downloading and installing other malware for the purpose of fraud and stealing online transaction information. |
| C&C Server | Stands for Command and Control Server; it can contact botnet malware and direct it to attack other computers in the form of DDoS. |
| Domain Name | A domain name (for instance, “example.com”) is an identification string that defines a realm of administrative autonomy, authority, or control on the Internet. It can be used instead of an IP address. |
| Corporate | Internet network for agencies or organizations with fixed IP addresses. |
| Broadband | Internet network with dynamic IP addresses which vary according to the ISP’s network. Broadband is used in homes or small offices. |
| Stormworm | Storm worm is botnet malware, but unlike other botnet malware that uses a server-client model, Storm worm uses a peer-to-peer model and spreads itself via spam mails. |


8.3 Appendix C: Subordinate Laws with Security Maintenance-Related Measures

| Law | Law Enforcement Mechanisms (regulation / prevention / suppression) | Principle |
|---|---|---|
| Penal Code Title V. Offences Relating to the Electronic Card | √ | The use of documents, materials or data in the form of electronic cards, such as credit cards and debit cards, for paying for goods, services and other debts is increasing in both volume and types of application. Many crimes are committed and much personal data stolen in connection with them, vastly affecting the economy and consumers. Hence it is appropriate to establish criminal offences relating to electronic cards and electronic data, so that all forms of such crime are covered by the law and penalties suited to the severity of the crime are provided. |
| Laws on Information Technology | | |
| Electronic Transactions Act B.E. 2544 (2001) (2nd revision B.E. 2551 (2008)) | √ | To promote the creation of credible electronic transactions and to certify that electronic transactions are as valid as paper-based ones. |
| The Royal Decree prescribing criteria and procedures for Electronic Transactions of the Government Sector B.E. 2549 (2006) | √ | To establish important rules and procedures for electronic transactions conducted by the public sector, in order to promote and support the capacity of the public sector to develop electronic transactions to the same standard and in the same direction. |
| The Royal Decree on Security Procedures for Electronic Transactions B.E. 2553 (2010) | √ | The Royal Decree applies to electronic transactions that affect national security, public order or the general public, and to those of an agency or organization deemed to be the country’s critical infrastructure. It stipulates levels of security techniques and information security standards in accordance with the security procedures for each level. |
| Notification of the Electronic Transactions Commission on Categories of electronic transactions and Criteria for assessment of the impact level of electronic transactions pursuant to Security Procedures B.E. 2555 (2012) | √ | To specify the categories of electronic transactions and the criteria for assessing the level of impact of electronic transactions, for correct and appropriate application of information security procedures. |
| Notification of the Electronic Transactions Commission on Information Security Standards in accordance with the Security Procedures B.E. 2555 (2012) | √ | To set out information security standards for each level of security procedures derived from the impact assessment of electronic transactions. |
| Notification of the Electronic Transactions Commission on Policy and Practice Guideline on Information Security of a State Agency B.E. 2553 (2010) | √ | To set out a preliminary guideline for state agencies to establish policy and practice on maintaining information security, so that their operations carried out by electronic means are reliable and meet international standards. |
| Notification of the Electronic Transactions Commission on Policy and Practice in protection of personal information of the State agency B.E. 2553 (2010) | √ | To set out a preliminary guideline for state agencies that collect, maintain, use, disseminate or otherwise process personal data of electronic transaction subscribers, to establish policy and practice on the protection of personal information in electronic transactions. |
| Computer-Related Crime Act B.E. 2550 (2007) | √ √ | The Act aims at preventing and suppressing computer-related crime. It provides criminal penalties, investigation procedures, the authority of competent officials, and the duty of service providers to store computer traffic data. |
| Laws relating to Telecommunication | | |
| Telecommunications Business Act B.E. 2544 (2001) | √ | To prescribe the criteria for applying for a licence to operate a telecommunication business, the qualifications of applicants to become telecommunication business providers, and the provision of telecommunication network business. |
| Notification of the National Telecommunications Commission on measures for protection of telecommunication users’ rights relating to personal information, the right to privacy and freedom of communication through telecommunication | √ | Because users’ personal information in telecommunication can be easily processed and disseminated to the public in a short time, which would affect the right to privacy and freedom of communication through telecommunication, a legal measure is provided to protect personal information, the right to privacy and freedom of communication through telecommunication. |
| Regulation of the National Broadcasting Telecommunications Commission on the exposure of information technology B.E. 2548 (2005) | √ | To set out clear rules on the organization of information, in compliance with the Official Information Act 1997 (B.E. 2540). |
| Regulation of the National Broadcasting Telecommunications Commission on Information Technology relating to Telecommunication Business B.E. 2550 (2007) | √ | To set out the rules and procedures for management of information technology in the telecommunication business. |
| Finance and Banking Laws | | |
| The Royal Decree on Supervision of Electronic Payment Service Business B.E. 2551 (2008) | √ | To regulate the operation of electronic payment service businesses in order to maintain financial and commercial stability. The Royal Decree sets the regulatory model and categorizes the types of electronic payment service business. |
| Notification of the Electronic Transactions Commission on Rules, Procedures and Conditions for the Operation of Electronic Payment Service Business B.E. 2555 (2012) | √ | To stipulate rules, procedures and conditions for the operation of electronic payment service business in addition to those provided under the Royal Decree on Supervision of Electronic Payment Service Business B.E. 2551 (2008). The Notification provides additional qualifications for electronic payment service providers and sets out details of the providers according to the table attached to that Royal Decree. |
| Notification of the Bank of Thailand No. Sor Ror Khor 3/2552 on Information Security Policy and Measures for Operation of Electronic Payment Services Business | √ | To serve as a guideline for prescribing policy and practice on information security, and procedures for examining and maintaining information security, for electronic payment service providers. |
| Securities Laws | | |
| Securities and Exchange Act B.E. 2535 (1992) | √ | To set up the structure of an agency regulating the activities of the capital market and rules regulating the offering of securities, to support the development of the form of establishment of securities issuers, and to provide internationalized rules for securities market regulation, including provisions on business transactions in the securities market such as the pledge of listed securities. The purpose of the Act is to support the flow of activities in the capital market and to raise the level of investor protection. |
| Notification of the Office of the Securities and Exchange Commission No. Sortor/Nor 32/2552 regulating operation and maintenance of information security of securities companies (2009) | √ | To establish rules for the operation and maintenance of information security for securities companies. |
| Insurance Laws | | |
| Emergency Decree Establishing a Fund for the Promotion of Catastrophic Insurance B.E. 2555 (2012) | √ √ | To set up measures for managing catastrophe risks by means of insurance and reinsurance, and to provide financial aid to non-life insurers. |
| Insurance Commission Act B.E. 2550 (2007) | √ | As the insurance business is a monetary transaction that directly affects Thailand’s economic and financial system, including the insured as a consumer, the agency responsible for supervising the insurance business should be flexible enough to keep up with the development of the business, and independent, for effective supervision of the insurance business and protection of the insured’s rights. It is therefore appropriate to set up an Insurance Commission that is independent and has the flexibility to supervise the insurance business. |


List of Abbreviations

NECTEC National Electronics and Computer Technology Center

NSTDA National Science and Technology Development Agency

ETDA Electronic Transactions Development Agency (Public Organization)

ThaiCERT Thailand Computer Emergency Response Team

AEC ASEAN Economic Community

ASEAN Association of Southeast Asian Nations

APCN Asia-Pacific Collaboration Network

APCERT Asia Pacific Computer Emergency Response Team

CISSP Certified Information Systems Security Professional

ETC Electronic Transactions Committee

CSIRT Computer Security Incident Response Team

NSO National Statistical Office

ITU International Telecommunication Union

MICT Ministry of Information and Communication Technology

TCSD/RTP Technology Crime Suppression Division, Royal Thai Police

ISP Internet Service Provider

MOE Ministry of Energy

IODEF Incident Object Description Exchange Format

IETF Internet Engineering Task Force


Report Compilation Team

Surangkana Wayuparb Executive Director, CEO

(Policy Overview)

Kachida Meetortharn Director of Legal Affairs Office

(Law Content)

Atcharaphorn Mutraden Director of Policy Office

(Policy Content)

Thongchai Sangsiri Identification Expert Testimony Specialist

(Security Content)

Soranun Jiwasurat Director of Security Office

(Security Content)

Chaichana Mitrpant Assistant Executive Director

(Security Content)

Creative Directors

Editorial Staff

Phaichayont Vimuktanandana, Pornprom Prapakittikul, Supakorn Lerkditheeporn, Setthawhut Saennam, Jetsada Changsisang, Wisan Prasongsook, Thongchai Silpavarangkura, Sanchai Tinothai, Chotika Sinno, Kannika Pataravisitsan, Nuttachot Dusitanont and ThaiCERT Team

Law Content Staff

Ploy Charoensom

Phichayaluk Kamthongsuk

Nattawat Sukwongtrakul

Ployphatchara Chouchai

Art Directors

Nattapong Worapivut

Napadol Utsanaboonsiri

Nattanai Roudreiw

Coordinators

Rojana Lamlert

Wipaporn Butmek

Suchayapim Siriwat

Khemiga Sakulphat

Phanwadee Kowintasate

Working Group
