VeriSign Report

1
VeriSign Report

• and the next steps

Jovce Plastinovski Deputy Chief of
Party jovce.plastinovski_at_internews.org
e-Gov Project ? Dane Krapcev 18 ? 1000 Skopje
? Tel 02 32 31 104 ? Fax 02 32 20 636 The e-Gov
Project is funded by USAID and implemented by
Internews Network
2
Two years ago

• The entire Macedonian IP space was Blacklisted

100 of the transactions tracked by VeriSign
originating from Macedonian IP space were flagged
as risky, making Macedonia a candidate for the
informal Blacklisting
3
Fourth Quarter, 2004

• In the fourth quarter, Macedonia no longer led
  the list of countries with the highest percentage
  of risky transactions. This is unfortunately not
  necessarily indicative of an improvement in
  cybercrime or e-commerce security practices in
  Macedonia rather, it is likely a function of the
  small sample size. However, other nations in the
  region, such as Croatia and Slovenia, rank highly.

4
Concequences

• The key consequence for individuals and
  companies in Macedonia is that international
  companies have made a judgment that providing a
  service to Macedonia is not sufficiently
  lucrative to offset the risk they believe they
  will incur as a result
• Changing this image is one of the crucial steps
  for Macedonia to take advantage of the Internet
  to interact commercially with the rest of the
  world

5
March 2005, VeriSign engaged by USAID

• VeriSigns Global Security Consulting team was
  engaged by USAID/MCA Project to
• deliver an actionable analysis of the current
  state of cybercrime in Macedonia and
• to prepare an action plan to equip ISPs, the
  Ministry of Internal Affairs, and other key
  Macedonian personnel with the knowledge and tools
  to begin to combat cybercrime.

6
Findings

• Almost no documentation of policies and
  procedures for
• Auditors
• International evaluators
• Poor awareness of importance of security
• Cybercrime already occurring, although largely
  muted
• Carding
• Bots
• General fraud
• Domain issues
• Corruption

7
Recommendations

• For the ISPs
• Write and publish on the Internet information
  security and incident handling policies and
  procedures.
• Develop and implement information security
  policies and procedures
• Develop/implement server hardening/configuration
  standards
• Choose and implement security monitoring
  technologies, such as intrusion detection
• Develop information security competence of
  personnel through training and awareness measures

8
Recommendations

• For the Government
• Draft and pass a law governing digital
  certificates
• Draft and pass a law punishing cybercrime
  offenses
• Require ISPs to monitor their infrastructure for
  cybercrime

9
Action The Workshops

• Awareness workshops for
• Macedonian ISPs
• Ministry of Internal Affairs
• Ministry of Justice
• and the Financial institutions
• The workshops were among the first steps in the
  process to take Macedonia off the black list
  which prevents Macedonian (.mk) domain-based
  computer users to conduct online financial
  transactions with key providers such as eBay,
  PayPal and Skype.

10
Action The declaration of the ISPs

• The countrys largest ISPs (Internet Services
  Providers) plus the administrator of the .mk
  domain have signed and published to their web
  sites
• Declaration for Information Security
• Action Plans for improvement of Information
  Security
• Privacy Statements
• Incident Management Policies.

11
Additional activities

• Several actions have been initiated by USAID in
  order to improve the look and feel of the
  Macedonian Financial Institutions in the Internet
  Security Arena.
• A pilot project is rolling on, involving
  multiple partners.
• Marta A. Tomovska, CEO of UNET has the story