Introduction of Network Security Management of China - PowerPoint PPT Presentation

Provided by: xuxl

Transcript and Presenter's Notes


1
Introduction of Network Security Management of China
CNCERT/CC
  • Xiaolin Xu
  • National Computer Network Emergency Technical
    Team/Coordination Center,
  • MII, China
  • Kuala Lumpur, August 18, 2003

2
Table of Contents
  • Introduction of Emergency Response System of
    China
  • Situation of Network Security of China
  • Cases of Emergency Response

3
The System of Emergency Response

4
Overview of CNCERT/CC
  • Preparation for construction began in the latter
    half of the year 2000
  • Became a member of FIRST, Mar. 2001
  • Established the National Computer Network Emergency
    Response Coordination Center, the National Computer
    Virus Emergency Response Center, and the National
    Computer Network Intrusion Protection Center, 2002
  • CNCERT/CC formally established; local branch
    center under construction, July 2003

5
CNCERT/CC's Mission
  • Formulate Industry Standard on National Computer
    Network Emergency Response
  • Establish China National Computer Network
    Emergency Response Information Publishing and
    Technical Support Platform
  • Organize relevant domestic departments to respond
    to and handle computer network security events in
    a timely manner
  • Promote exchanges and cooperation among domestic
    Computer Network Emergency Response Teams

6
Our Mission (cont.)
  • Provide decision making support to national
    computer network emergency response work
  • Participate in exchange and cooperation with
    international computer emergency response teams
  • Assist in activities to formulate computer network
    information security technology standards and
    network security evaluation schemes
  • Provide training for the computer network emergency
    response service teams of national ministries

7
Table of Contents
  • Introduction of Emergency Response System of
    China
  • Situation of Network Security of China
  • Cases of Emergency Response

8
Computer Network Security Incidents on Chinese
Mainland in 2003
  • The incidents reported by users
  • SQL Slammer (W32.SQLExp.Worm)
  • CodeRed Worm (CodeRed.F)
  • DoS / DDoS (targets include common websites,
    government websites, etc.)
  • Remote Administrator backdoor
  • Homepage Defacing
  • others

9
Severe Security Incidents of 2003
  • 1. SQL SLAMMER
  • Time: Jan, 2003
  • Wild: Most of the backbone networks were hit. We
    responded promptly and had no time to compile
    statistics.
  • Damage: Many networks were choked, some even
    broke down.

10
Severe Security Incidents of 2003 (cont.)
  • 2. Worm Deloder (W32.HLLW.Deloder)
  • Time: Mar, 2003
  • Wild: The traffic of many networks was severely
    disrupted. The number of infections was about
    40,000 in two days.
  • Damage: Network congestion; some college networks
    broke down; many hosts had backdoors installed;
    attackers tried to call back and control the hosts.

11
Severe Security Incidents of 2003 (cont.)
  • 3. CodeRed.F
  • Time: Mar, 2003
  • Wild: moderate
  • 4. MSBLASTER
  • Time: Aug, 2003
  • Wild: the number was about 30,000 as of August
    15; still being handled

12
Statistics of Infections

13
Table of Contents
  • Introduction of Emergency Response System of
    China
  • Situation of Network Security of China
  • Cases of Emergency Response

14
Typical Cases handled by CNCERT/CC
  • Case One: CodeRedII, Nimda
  • Time: August to September, 2001
  • Wild: The data reported from September 14 to
    September 26 show that the number of infections
    was about 10,000 in one day and 80,000 in one week.
    The number of attacks was more than
    million; for Nimda, even more.
  • Damage: Many networks broke down; servers were
    clogged and had backdoors installed.

15
Our Response
  • Called upon the carriers, anti-virus vendors,
    intrusion protection center and network security
    service providers to exchange information, set
    up CodeRedII Response Allan and handle this event
    together harmoniously.
  • Publicized the CNCERT website and hotline
  • Analyzed the propagation method, collected the data
    and produced a report.
  • It was the first time we handled a severe
    security incident

16
Summary of this case
  • The network itself becomes the target, not only computers.
  • Network managers are very important to the response.
  • Coordination among carriers is the key factor.
  • In October 2001, the MII of China required all carriers
    to establish their own CERTs and strengthen cooperation
    with CNCERT/CC in order to handle events quickly.

17
Typical Cases handled by CNCERT/CC
  • Case Two: SQL Slammer
  • Time: January 25, 2003
  • Wild: No time to count, because CNCERT/CC responded
    within several hours of receiving the report.
  • Damage: Most networks were hit; some broke down.

18
Our Response Procedure
  • Receive the complaint
  • Verify the situation of the whole network
  • Exchange information and analyze the sample
  • Pay close attention to the trends
  • Find out about the external situation
  • Analyze and verify the isolation method
  • Share the information and implement controls
    among ISPs
  • Recover the network
  • Media reports
  • Finish the report

19
Summary of this case
  • Organized relevant domestic departments to respond
    to this event in a timely manner through the
    response system
  • Put the response procedure into practice
  • Coordination took effect: although CNCERT/CC
    is still young, it played an important role in
    organizing other departments, exchanging
    experience, and reducing losses and impact

20
Typical Cases handled by CNCERT/CC
  • Case Three: Cisco IOS Vulnerability
  • Time: July 17, 2003
  • Wild: no infection reports, because of the timely
    response
  • Damage: If exploited, the vulnerability
    would bring down the backbone network because of
    the popularity of Cisco routers. The consequences
    would be very serious.

21
Our response
  • Learned of the bulletin from Cisco's website and
    received a report from one of our ISPs' CERTs
  • Informed the other ISPs' CERTs as soon as possible
    so they could patch their systems.
  • No infection reports so far

22
Summary of this case
  • This case shows that CNCERT/CC has made a great stride
    forward in prevention and fast reaction.
  • The channel we have built between CNCERT/CC
    and other CERTs is useful and very important.
  • Improved the ability to deal with incidents
    nationwide.

23
Thank you
  • More information
  • Website: http://www.cncert.org.cn
  • E-mail: cncert_at_cert.org.cn
  • Phone: (86)10-82990999