Cyber Security Management System of NIRS in Korea

Transcription

1 Cyber Security Management System of NIRS in Korea October 29, 2018 (Mon) * NIRS : National Information Resources Service

2 Contents Data Communication Infrastructure Cyber Crisis Response System NIRS Cyber Security Activities NCIA, All Rights Reserved.

3 1. Data Communication Infrastructure Connect governments (over 460 central & local) through a national network 45 government agencies have moved data system to NIRS Domestic Network IX National Network Overseas Network NSP Cities and Provinces (17 Local Governments) 11 Administrative Agencies 5 Government Complexes (Seoul, Aneex, Gwacheon, Daejeon, Sejong) GNS City, Province, County, District, etc. Agencies under central agency, etc. Central agency HQ NAS, MND, DAPA, etc. Daejeon Center Gwangju Center 22 institutions, including BAI, OPC, MSIT 23 institutions, including MOFA, MOFIT [3]

4 2. Cyber Crisis Response System National Cyber Security Organizations President Office of National Security (ONS) Cyber Security Secretary National Cyber Security Center (NCSC) Cyber Threat Joint Response Force 28 Sector 38 Control Centers Defense (MND Cyber Command) Private (MSIT) KISA NIRS (e-gov) Administration (MOIS) KLID (local e-gov) Finance (FSC) Cyber Crisis Response Signs of attack Actual attack Normal Attention Caution Alert Serious Monitor main websites Multi-layer protection and analysis Operate Emergency Team(4-5members) Monitor main and other target websites Expand Emergency Team (9 members) Monitor according to security policy sensitivity Take countermeasures, including blocking all IPs from country of attack Reporting Hierarchy ONS MOIS Minister Vice Minister E-Gov. Mgmt. Office NIRS President Serious Head of NIRS-CERT Integrated Control Center Crisis National Intelligence Service [4]

5 3. NRIS Cyber Security Activities Overview NRIS Cyber Security Activities Identify/eliminate data system vulnerabilities Identify web vulnerabilities via mock cyber attack Collect and analyze malware Develop detection rules 1 Prevention 2 Monitoring 24/7/365 Monitor security, network, failures ntems, nsims, NMS Investigate infringement accidents Devise plan to prevent recurrence Backup and recovery 4 Recovery 3 Response Detect and block DDoS and other hacker attacks Take measures against new threats Conduct mock training for infringement response [5]

6 3-1. (Prevention) Data System Vulnerabilities 1) Preventinon 4 복구 2 관제 3 대응 01 Data System Vulnerabilities Target: NIRS data systems (over 20,000) Scope: 8 systems (server, system SW, NW, security equipment, etc.) Tool: Vulnerability auto-diagnosis system Total: Approx. 1.1 million cases Criteria: MSIT notice, National Cyber Security Manual, etc. 02 Web Vulnerabilities Target: NIRS internet website Method: regular, on-demand, emergency inspections (Penetration test and source code diagnosis) Scope: 21 checklist items for e-gov web vulnerabilities Insufficient certification and/or permission, data leak, file download, etc. 03 Malware 04 Security Rules Target: NIRS data systems (including PCs) Scope: Server, PC, national network overseas traffic Tool: Malware detection/analysis system Objective: Collect/analyze malware (static, dynamic), Threat blocking and info sharing (related agencies) Target: NIRS e-ansis* Scope: Web hacking, DDoS attacks Procedure: Collect data Analyze attack Develop detection rules Monitor Take measures in real-time * e-ansis(electronic Advanced National Security Infrastructure System) :A multi-layer system of measures against cyber threats to protect the national network and NIRS from cyber attacks [6]

7 3-2. (Monitoring) 24/7/265 Integrated Monitoring (1/2) 1 예방 4 복구 3 대응 2) Monitoring Monitoring Procedure Real-time Monitoring Detection Spread Information Initial Response Utilize various monitoring tools to monitor failures or anomalies nsims: Big data log analysis system Collect/analyze logs Real-time log search Batch analysis Network /Security Application Server Other logs Equipment Event source log Detect and become aware of slow website connection, success/ failure of attacks ntems: Total event management system Security monitoring Tenent System Security Monitoring Failure monitoring Performance monitoring Share information with people in charge Propose gathering of NIRS-CERT Spread information (Message, ) Minimize damage through initial response, i.e. blocking attacker IP and restarting server Monitoring/Initial response Detect cyber threat Initial remediation against threat CERT Remediated against cyber threat Detailed analysis of threat and response If necessary (Within 1 hr.) No. of Staff Shifts Daytime Nighttime Integrated Monitoring Operation Daejeon 80 4 groups, 2 shifts Gwangju 59 4 groups, 2 shifts Total [7]

8 3-2. (Monitoring) 24/7/265 Integrated Monitoring (2/2) 1 예방 4 복구 3 대응 2) Monitoring IPS Firewall Switch WAF Web WAS Internet Database IDS IPS IDS Firewall Switch WAF (Web Application Web log Firewall) WAS log /1`2`3`4`123fc1`1234` ` /notice /WAFV1.0[1111]: mcpd[0001]: _access.log.done, :1: _access.log.done,[ [ID 1234 daemon.info] datetime=" [01/Jan/2014:01:01:01 moni- 01:01:01] 01:01:01" +0900] "GET /resources/ "POST /testlist.do" :01:01`1`2` ` `12345 Pool member %123: xxx FTP ` `30000`AB`AB````````````C` Rule tor status Login down. Fail 1 agent_id="sid " test.jsp HTTP/1.1" ms webserver_ip= " 0A0B0C0D0E0F0G0H0I0J0K0L0M0N0O0P0Q0 log_type="whiteurl" block_method=" 탐지 " R0S0T0U0V0W0X0Y0Z0A0B0C0D0E0F0G0H0 Collect data in real-time and source_ip=" " analyze log using big data for security system target_domain=" and overall target_url="/ Efficient I0J0K0L0M0N0O0P0Q0R0S0T0U0V0W0X0Y0 Z admin.jsp? " owasp=" 취약한접근통제접근통제통제 " hacking_type=" 권한접근통제우회 " count= 12345" Innovative information resource direction="request" detect_item="request URL" reqeust_method="get" detect_value="change( ) (i1234)" [8]

9 3-3. (Response) Multi-layer Protection 1 예방 4 복구 2 관제 3) Response Ensure security through multi-layer protection scheme Data Leak Attempt Known Vulnerabilities Attack Web hacking attempt 1st Intrusion detection/ prevention Data System Vulnerabilities Firewall Firewall Malware Dos 1st DDoS Respnose DDoS Account Hijacking APT Attack Response to Cyber Threats 1st 2nd Web Hacking attempt National Network Intrusion Prevention System Over 2,100 block rules Central Network Intrusion Prevention System Over 8,700 block rules Block spam/ virus 1st Boundary 2nd Intrusion detection/ prevention Target of Protection Data Systems within NIRS 2nd Boundary Web Firewall 3rd Boundary 3rd Server Security Analyze Harmful Traffic Analyze Vulnerabilities (Tenant Systems) 45 government agencies (Services) 1,500 services (HW) 27,000 units, including servers (SW) 17,000 SWs, including DBMS Website Falsification Analyze Malware Analyze Threats Local Network External Network Data System Data System National Network DB Access Security Analyze Logs 2nd 3rd L7 DDoS Response DDoS Response 770 government agencies DDoS Cyber Shelter - Central Administrative Agency and affiliated institutions - Local governments and affiliated institutions - National Assembly Secretariat, MND, etc. 3rd 1st 2nd 3rd Web Firewall Block directory, etc. DDoS Attack 1 st level DDoS Equipment Massive harmful traffic Block within 2 mins. 2 nd level DDoS Equipment Block within 20 secs. Move to cyber shelter L7 Equipment (DDoS response) Block within 10 mins. (Upon auto/manual analysis) [9]

10 NIRS, the Heart of Korean e-gov. the Forefront of Smart Gov.!