Q: In brief, what does CERT do?
A: In a nutshell, the Sri Lanka Computer Emergency Readiness Team and Coordination Centre (Sri Lanka CERT | CC) exists to ensure that we take every possible measure to protect ICT users in Sri Lanka from cyber attacks. If those measures fail, we are equipped to resolve those attacks in the shortest time possible.
Q: What are the processes used to do that?
A: There are two terms which you need to know when talking about security related anomalies – events and incidents – Events are day to day actions such as logging into Facebook or TCP connections made from one machine to another. An incident is an event where a system, application or process behaves abnormally. An example would be is a large number of log-in attempts to a Facebook account in a short time, which is a sign of a brute force attack. The other is a huge number of TCP packets being sent to a server, which is a sign of a denial of service attack. Security incidents are not always triggered intentionally, they can be accidental.
What we do is to try to minimize the occurrence of incidents from happening by creating awareness of what is normal acceptable behavior (events) and how to spot abnormal behavior (incidents). However if it happens, we are here as a response team to support victims to solve the problem.
Q: Why should a simple user who uses the internet just for e-mails and Facebook, care about security?
A: Even if you use internet sparingly, you can become a victim of identity theft. Someone can steal your online identity to conduct fraudulent activities and you would end up being responsible for it. It can also be used to harm your reputation – by posting personal photographs in public blogs or sending out e-mails to your friends asking for money.
There is also the risk of viruses being passed through video links on sites such as Facebook. These links normally come with captions saying it is a really cool video, but when you click on the link you are connected to a malicious site and your machine may become infected.
Q: How can I safeguard myself from being victim to a security related incident?
A: Firstly, you need to be careful about the information you make available online. Think of the relationship between the information you provide and how that information can be used by someone to pretending to be you. When you use phone banking, for verification they use your personal information such as your ID card number, DOB or mother’s maiden name. If you have somehow made this information available online, you may be vulnerable to identity theft.
The personal information you provide without consideration creates a wealth of information for a potential hacker to harvest and use against you.
Q: If my Facebook or email account is hacked, will CERT be able to help me?
A: Yes. We get many complaints – mostly Facebook related – every day. It could be due to personal grudges or it could be with malicious intentions to spread viruses or Trojans or even to extort money in exchange for returning hijacked accounts. You should write to us at [email protected] or call us on 011 2691 692. Currently, identity theft is the largest threat we have to deal with, around 100 complaints being received monthly.
Q:Can you elaborate on what has been done thus far?
A: We have been in existence for 6 years now. When we started our biggest challenge was to create awareness of security, which was very low back then. I think we have achieved quite a bit in creating awareness through a combination of annual security conference, mass media programs, continuous technical workshops and engagement with private and state sector organizations for security activities. The e-Sri Lanka electronic government initiative among other things, will deliver services such as passport renewal and revenue license renewals to citizens online. While it will make life more comfortable for you as a citizen, the risk of someone impersonating you using this data becomes higher.
We have been working and continue to educate public and private sectors as well as the general public, to follow good security practices so that they can experience these services with minimal risk. We work with the ICTA, which is our parent body to create awareness among CIO (Chief Innovation Officers) of respective department’s belonging to E-Sri Lanka Program, so that they will incorporate these good security practices and technologies into their respective programs.
We are in contact with them regularly regarding that aspect. We also work with the ICTA and other related parties to provide security infrastructure for the country. One concept that is being developed right now is to provide each citizen with a Digital ID, so that they can be positively identified in cyber space, just as we do in the real world with our National ID Card.
For the past six years we have conducted an Annual Cyber Security Week (CSW) Program. It is a huge meeting ground for security enthusiasts including government bodies, private sector, general public, overseas security specialists and firms. We launched two more events as part of the CSW 2011 Program. The first one was a hacking challenge, where we set up a network and gave five challenges for participating teams to break through. This was to see how strong our technical security enthusiasts are. We also held a security quiz to find out the knowledge level of our university students, and the result were very encouraging, with 16 teams participating from both state and private universities. With the interest shown by lots of parties for those two events we conducted it again in 2012 December as part of Annual Cyber Security Week conference in 21012.
We conduct periodic workshops to help security professionals to build knowledge and capabilities in special areas of interest, such as how to secure networks, how to develop a secure web application and how to analyze malware. This knowledge is then applied directly back to their work and results in more secure applications which require less patching and Corporate networks that are less prone to attack.
We have also done Vulnerability Assessment and Penetration Testing (VAPT), where it was necessary. There are three approaches. First is Black Box testing, where we know nothing of the environment we are testing other than for it Domain name, like www.testme. com. In Gray Box testing we have partial information such as an IP address. White box testing is where we know everything about our test subject, and we will test the system as an insider. Interesting fact, 50% of security incidents happen because of insiders.
Q: What are the future plans for CERT?
a: Right now, we are handling every case by ourselves, on a case by case basis. However as time goes by it will become increasingly difficult for us to do so, because we are a small team. To address this we are now in the process of forming something called the CERT Umbrella. In this model, Sri Lanka CERT will be the national coordinating body for cyber security activities, with second tier sector-based CERT’s like Banks, ISP and Education doing the operational level work. This way, we can be prepared as a country, to face large scale external or internal attacks. We will also run continuous cyber security drills, just like fire drills, to ensure we are ready to face those incidents.
We will also work with the ISPs to run what we call the “Cyber Clean Project”. We will share information received from sensor networks based in other countries regarding malicious activities originating from our country such as spam, Malware servers and BOT-infected hosts with the relevant ISPs who will then coordinate efforts with their customers to clean their machines. Who knows, your home computer could be just one of those!
Have anything interesting and IT related to share? email the [email protected]