Lessons Learned from Large-Scale Phishing Attacks: Policy Proposals for National and EU Security

1. Ferenc Suba J.D., MA Chairman of the Board PTA CERT-Hungary Vice-chair of the MB ENISA LARGE SCALE ATTACKSLessons learnt Proposals for National and EU Policy

2. 1. Large phishing attack against Hungarian banks: 7 banks in HU, for 2 weeks, „foreign” attacks from international botnet administered by 4 virtual domain name servers (all abroad, from Asia, Europe, Americas) 2. Attacks on Estonia (international aspects): attacks from 4000 compromised machines (cca. 50% from the Americas, 12 from HU) Large scale attacks

3. Phishing in HU (national+ international response): - PTA-CERT Hungary as coordinator - With the help of CERT community+ HU Banking ISAC - Localisation +shutting down of VDNS (all abroad) - Within 4-12 hours - Notification of ISPs via national CERTs - Notification of clients from the banks - Filing a case against unknown persons at the police Estonian crisis (international response): - Finnish national CERT + US CERT as coordinators - With the help of CERT community - Localisation + cleaning of compromised machines - Within 2 weeks (after FIRST and TF-CSIRT involvement) - Notification of ISPs, system administrators via national CERTs The response

4. Not enough or lacking: - Preparedness - Early warning - Manpower - Coordination - Communication with international partners - Media work National policy: - Goverment support (national strategy, responsible HLO, money) - Crisis management plan - Early warning system - National CERT - National coordination body (private sector, policy makers, law enforcement, CERTs) - Involvement of international CERT community - Communication plan - Regular exercises Lessons learntProposals for National Policy

5. - History: joint comexes with banks since early 2006 - Great leap forward: large phising attacks in Dec 2006 - Constituents: CERT-HU, Law Enforcement, Banking Assoc. of HU, Financial Supervisory Authority - Activity: information sharing, exercises, recommendations, coordination - Results: TLP, Advisory, complex exercises (simulated DDos attack, insider attack) - Future: FSA recomm. on the security of internet banking, coop. with similar ISACs (GOVCERT.NL, AUSCERT, DHS) Financial ISAC in Hungary

6. Reason: proprietary systems are vulnerable, too! Keywords: CO-OPERATION, COMMUNICATION, EXERCISE USA: ISAC Model (branch specific co-op. under DHS) Europe: EU-SCSIE (Shell, Electrabell, Swissgrid, EDF, CERN, SEEMA, Melanie, CERT-Hungary) Global: Meridian Process Control WG Hungary: CIIP WG (MOL, Paks, MAVIR, Telco, CERT-Hungary) CIIP in Energy Sector

7. - No legally binding international agreements - Basic instrument: Memorandum of Understanding for co-operation - reasons: legally binding procedures too slow + flexibility - FIRST: two faces: association incorporated according to Californian law + conference = annual general meeting - ICAAN: association incorporated according to Californian law - Future at international level: Governments enter into this area of international co-operation (e.g. NATO Cyberdefence Policy) - Future at national level: Act on Information Security, Government Decision Legal instruments of International Collaboration, future

8. Thank you! ferenc.suba@cert-hungary.hu PTA CERT-Hungary www.cert-hungary.hu Puskás Tivadar Közalapítványwww.neti.hu ENISA www.enisa.europa.eu