Slide1
Croatian Cyber Security Approach and the Role of NSA
- Current Situation and Future Plans -
Multi-country Workshop on Developing National Cyber Security Capacities (TAIEX JHA59743)
Sarajevo, Bosnia and Herzegovina, 6 - 7 April 2016
Dr. Aleksandar Klaić

Slide2
Agenda:
- Strengths, Weaknesses, Opportunities, Threats (SWOT) Analysis – Cyber Security Strategy development (2014)
- The Role of Croatian NSA in the lessons learned process during the years preceding Strategy development (2004 - 2014)
- Overview of Croatian National Cyber Security Strategy, main objectives and areas of the Strategy (2014 - 2015)
- Expectations and Directions (2016 and beyond)
- Conclusion
Slide3
Strengths
- Ratification of Budapest Cybercrime Convention (NN MU 09/02)
- National Information Security Programme, 2005 (www.cert.hr/sites/default/files/CCERT-PUBDOC-2005-04-110.pdf - in Croatian)
- Analysis of the State and Possible Threats to the Public Telecommunications – Office of the National Security Council (UVNS), 2009 - 2010
- Early Warning System On the Internet (SRU@HR) – National CERT, 2011
- Ordinance on the Method and the Terms for the Implementation of the Measures for the Protection of Security and Integrity of the Networks and Services (NN 109/12, 33/13, 126/13 – in Croatian) – HAKOM (NRA), MPPI, UVNS, NCERT (Directive 2009/140/EC, ENISA – 2011-14)

Slide4
Implementation of Croatian National Information Security Programme enacted in 2005:

Slide5
National CERT Responsibility and International Exchange of Security Incident Information

No. | IP address              | Domain              | Physical Location | Domain Owner
1.  | Croatian S/H* Providers | .hr                 | Croatia (RH)      | Domestic/Foreign
2.  | Croatian S/H* Providers | .com; .net; .org; … | Croatia (RH)      | Domestic/Foreign
3.  | Foreign S/H* Providers  | .hr                 | Out of Croatia    | Domestic/Foreign
4.  | Foreign S/H* Providers  | .com; .net; .org; … | Out of Croatia    | Domestic

* S/H = Service or Hosting
Red Arrows = Feeds to National CERT
Black Arrows = Notifications from National CERT

Slide6
National CERT Cyber Security Incidents Statistics in 2014

No. | Incident Type                    | Number | Percentage
1.  | Web Defacement                   | 389    | 36.00%
2.  | Phishing URL                     | 334    | 31.00%
3.  | Malware URL                      | 220    | 21.00%
4.  | Other Incidents                  | 45     | 0.04%
5.  | Denial of Service (DoS)          | 25     | 0.03%
6.  | Spam URL                         | 20     | 0.02%
7.  | Forbidden Network Activities     | 12     | 0.01%
8.  | Command & Control Centres        | 7      | 0.01%
…   | …                                | …      | …
    | Advanced Persistent Threat (APT) |        |

Slide7
Mediation Activities of Croatian NSA - Examples
- Croatian Internet Exchange (CIX) – (2009/10): Not-for-profit service – Academic Sector Computing Centre (SRCE)
- Home ADSL – WiFi Routers – (2009/10): Initiative for more active approach of NRA and ISPs
- EU Directive 2009/140/EC on regulatory framework for el. comm. networks and services (Article 13a) – (2011/12): Technical Guideline for Minimum Security Measures (ENISA); Technical Guideline on Reporting Incidents (ENISA)
- EU NIS Directive COM(2013) 48 final – (2013 and onwards)
- Mediation activities in other sectors (mainly usage of CI): National Security (LI), Defence (CIP), Financial, Transport, …

Slide8
Weaknesses
- Slow acceptance of the data and infrastructure owners’ security responsibilities; inadequately developed culture of risk management
- Frequent regulation inconsistency – general, sectoral, EU; new security concepts such as critical infrastructure protection
- Hierarchical tradition of government administration (silo effect); very limited information sharing practices (departmental, sectoral)
- Lack of education that supports virtual society development; unclear criteria for verification of educational programmes

Slide9
Croatian NSA Roles (Legacy)
- NSA Oversight Authority
- Recommendations and initiatives
- Government sector (MoI, MoD, …)
- Industrial Security Programme (FSCs)
- Reorganization and information sharing initiatives
- National Security Policy (Information Security Areas): Personnel Security, Physical Security, Security of Classified Information, CIS Security, Industrial Security
- Financial Sector, Ministry of Health, State Inspection, …
- Law Enforcement Agencies / Lawful Interception, Critical Infrastructure, Defence
- Telecommunication Sector, Sector of Transport, …
- National and sectoral security policy harmonisation

Slide10
Opportunities
- Social Development
- Education and Culture
- Economic Development
- Development of national capabilities in cyberspace
- Interrelation of national & sectoral policies, infrastructures, capabilities and potential products
- Support to all economic sectors

Slide11
Croatian NSA Initiatives
- Information Sharing initiatives:
  - Academic - Governmental: (MoU) NCERT – MoI - MoD
  - Governmental: Ministry of Administration (e-Gov) – ZSIS – UVNS
  - Telecomm Sector: (Ordinance) Ministry – NRA (ISPs) - NCERT
- (EU) Digital Agenda: Active role in the Strategy e-Croatia 2020 and Government Information Infrastructure Council (Ministry of Administration)
- (EU) Smart Specialization Strategy: Security/Cyber Security area – closely coordinated with National Cyber Security Strategy (Ministry of Economy)

Slide12
Threats
- Declarative approach to development strategies: inefficient in transition societies that need reforms and clear development policies
- Insufficient awareness of the need and necessity of national capabilities development
- Inadequate capacity for public-private partnership
- General society goals vs particular objectives of stakeholders
- (Inter)national market rules vs national competitiveness
- Problem of the society as a whole

Slide13
Cyber Security Strategy – Development Method for the Strategy
The way how to (within virtual society):
- Identify societal sectors and subsectors
- Assess sectoral specifics
- Do the planning of organisational prerequisites
- Recognize the threat environment
- Establish comprehensive coordination process
Scope, Requirements, Content, Management

Slide14
Cyber Security Strategy Vision
- Cyberspace = virtual dimension of the society
- Protection of core values of liberty, fairness, transparency and the efficient rule of law
- Development of certain capabilities and mutual coordination of all the societal (industrial) sectors
- Primarily organizational framework for the range of issues
Croatian National Cyber Security Strategy (CRO, ENG):
- Office of the National Security Council (UVNS) – responsible body
- More than 30 institutions participated in the Government Interdepartmental Committee for drafting the strategy
- Started in April 2014, enacted on 7 October 2015

Slide15
Cyber Space regulation and Security Policy …
Gaps:
- Critical Infrastructure Protection – National Critical Sectors
- Government Security Policy – Classified / Unclassified Information Protection
- Sensitive Information
- Sensitive infrastructure
- Duty of Diligence – Awareness & Responsibility
- Duty of Care – Appropriate Protection Measures

Slide16
Information Security Policy vs Cyber Security Policy
- UK – Cyber Essentials Scheme: Boundary firewalls and internet gateways, Secure configuration, Access Control, Malware Protection, Patch Management; mapping to ISO 27001/02, ISF, HMG, …
- US – Framework for Improving Critical Infrastructure Cybersecurity; mapping to NIST SP800-53, ISO 27001, CoBIT, …
- What is the difference between IS and CS policy? Cyber Security Risk vs Information Security Risk, Core Strategic Risk vs Operational Risk; organisational factor in the policy, interdependencies among key policy factors

Slide17

Slide18
In the interpretation of Croatian National Bank one can easily recognize (1) the duty of care principle (both in relation to e-banking service providers and in relation to e-banking clients), as well as the duty of diligence principle regarding awareness of the risks in business activities for e-banking service providers. It is an interpretation of non-repudiation criteria from the business point of view and not from the technical point of view (core strategic risks vs operational risks).

(1) Extract from the interpretation of Croatian National Bank regarding e-banking fraud from May 28, 2014 (http://www.hnb.hr/-/objasnjenje-hrvatske-narodne-banke-u-povodu-zanimanja-javnosti-za-pitanja-vezana-uz-zloporabu-usluge-elektronickog-bankarst-1, in Croatian): “. . . according to the law the bank is accountable to prove that an authentication of the payment transaction was done, that the transaction was correctly registered and accounted, and that the realization of the payment transaction was not influenced by a technical failure or any other deficiency. However, it is prescribed that the fact that an e-banking service provider has recorded the usage of a payment instrument is not necessarily enough in order to prove that the payer (e-banking client) authorized that payment transaction, or that the payer proceeded fraudulently, or that the payer on purpose or due to extreme negligence has not fulfilled one or more of its obligations . . .”

Slide19
What else is the difference between IS and CS policy?
- Cyber Security Risk vs Information Security Risk, Core Strategic Risk vs Operational Risk
- Organisational factor in the policy, and the interdependencies among key policy factors
Information Security Policy vs Cyber Security Policy
* Systemic Security Management: ICIIP/ISACA

Slide20

Slide21
The Method for the Elaboration of Strategy and Action Plan:

Slide22
The Main Elements of Croatian Strategy:

Slide23
Correlation of the Strategy and Action Plan
Strategy:
- VISION is defined with 8 GENERAL GOALS
- 5 AREAS and 4 INTERRELATIONS with 35 SPECIFIC OBJECTIVES
Action Plan:
- 35 SPECIFIC OBJECTIVES are elaborated with 77 MEASURES
- Objectives & measures harmonised by Interdepartmental Committee
Areas & Interrelations marked with red colour are covered by most of the measures: (B) Gov. Inf. Infrastructure, (D) Critical Inf. Infrastructure & Crises Management, (I) Education, Security Awareness, R&D

Areas and Interrelations (5+4) | A | B | C | D  | E | F | G | H | I
Specific Objectives (35)       | 3 | 3 | 2 | 5  | 5 | 5 | 3 | 6 | 3
Measures (77)                  | 3 | 8 | 4 | 13 | 5 | 6 | 5 | 6 | 27

Slide24
Levels for the Strategy Planning Process

Slide25
Covered Levels In the Initial Documents

Slide26
Stakeholders & Strategy Implementation Management
- National Council for Cyber Security
- Other Institutions – Stakeholders in the Strategy & Action Plan
- Operational and Technical Cyber Security Coordination Group

Slide27
Conclusion
- Cyber Security (CS) – a comprehensive societal approach is needed (cyber risks treated as core strategic risks); a complex organizational issue
- Information Sharing – why is it so hard? Among peer organizations (trust); inside a heterogeneous system of entities (trust & knowledge)
- The role of NSA – security policy planning & oversight purview combined with a proactive security policy approach: „ideal candidate” for coordination and mediation of cyber strategy issues
- Classified Information vs Sensitive/Protected Information
- National CS strategy – nation-wide policy („shallow”); specialized CS strategies – narrow sectoral policies („deep”) that rely on the national strategy (typically intelligence and military aspects)

Slide28
Aleksandar Klaić, Ph.D.
Assistant Director for Information Security
aleksandar.klaic@uvns.hr
Office of the National Security Council
tel. +385.1.4681 222
fax. +385.1.4686 049
www.uvns.hr

Thank You!
?