vers un écosystème numérique de confiance · 2019-08-29 · saher monitoring system call center...
TRANSCRIPT
29082019
1
Vers un eacutecosystegraveme numeacuterique
de confiance
retour drsquoexpeacuterience- cas de la Tunisie
Prof Belhassen ZOUARI
Cyberseacutecuriteacute Gouvernance TIC
SupCom Univ de Carthage Tunisie
DG de lrsquoANSI- tunCERT (2007-2011)
FFGI
Ouagadougou aoucirct 2019
Constat amp tendances
Un monde de plus en plus connecteacute
e-gov e-commerce domotique IoT hellip
Activiteacutes sociales amp culturelles en ligne
Tous les secteurs eacuteconomiques concerneacutes (industrie distribution agriculture hellip)
Convergence vers TCPIP Internet of Things (IoT)
vers un eacutecosystegraveme IoT
interopeacuterable et seacutecuriseacute
29082019
2
Xx xxx xxx xxx
Xxxx x x x x x xx xhellip
Xxxx x x x x x xx xhellip
Xxxx x x x x x xx xhellip
Xxxx x x x x x xx xhellip
Vertical
Solutions
amp Platforms
Pervasive
Ecosystem
[Patel et al16]
Contexte IoT
Xx xxx xxx xxx
Xxxx x x x x x xx xhellip
Xxxx x x x x x xx xhellip
Xxxx x x x x x xx xhellip
Xxxx x x x x x xx xhellip
[IoT Analytics2]
Domaines dapplication IoT
Menaces eacutemergentes
DDoS Stuxnet Cyberguerre
MIRAI les IoT sy mecirclent
WanaCry WanaCrypt (Ransomware)
Cybercrime Darkweb
29082019
3
DDoS attack- principe
DDoS attack- Historique
Historique
1ere grande attaque DDoS feacutevrier 2000 (Mafiaboy) le 7 feacutevrier
Yahoo et inaccessible pendant 3 h
Amazoncom Buycom CNN et eBay ont eacuteteacute toucheacutes par des attaques DDoS E-Trade et ZDNet (le 8 feacutevrier 2000)
Pertes Yahoo environ 500 000 dollars
Amazon environ 600 000 dollars en 10 h
Michael Calce (Mafiaboy15 ans) condamneacute agrave 8 mois dans
un centre de deacutetention pour jeune
Stuxnet
deacutecouvert en 2010
Virus 1er de sa geacuteneacuteration
conccedilu par la NSA en collaboration avec luniteacute israeacutelienne 8200
Objectif attaquer les centrifugeuses iraniennes drsquoenrichissement drsquoUranium
cible les systegravemes SCADA utiliseacutes pour le controcircle commande de proceacutedeacutes industriels Stuxnet a la capaciteacute de reprogrammer des automates programmables industriels (API) produits par Siemens
29082019
4
Stuxnet comment ccedila fonctionne
MIRAI
Attaque DDoS amp IoT
MIRAI Botnet octobre 2016
Botnet de devices IP (cameacuteras imprimantes
modems hellip) lanccedilant un DDoS sur le serveur DNS
du FSI Dyn
flux de 1 Tos entrainant la chute du serveur DNS
et provoquant lrsquoindisponibiliteacute des services clients
Twitter the Guardian Netflix Reddit CNN hellip
malware MIRAI sur ordinateurs infecteacutes cherche
des devices vulneacuterables (utilisant loginpwd par
deacutefaut) et geacutenegravere un flood DNS sur Dyn
29082019
5
WanaCry WanaCrypt
Ransomware mai 2017
a toucheacute +300 000 ordinateurs dans
+150 pays
consideacutereacutee comme le plus grand piratage
agrave ranccedilon de lhistoire dInternet hellip
Chiffrement cleacute contre ranccedilon
(4)
(96)
Les eacutetages de lrsquoIceberg
29082019
6
LrsquoOctopus
1 Les reacutesultats de recherche des
moteurs classiques scrutent les
liens et les pages web indexeacutees
2 Ils ne reacutecoltent que 1 du contenu
du Web
3 Les SGBD ne livrent que le reacutesultat
drsquoune requecircte Le reste de la BD
nrsquoest pas indexeacute forceacutement
4 Les pages des reacuteseaux priveacutes les
documents acadeacutemiques ne sont pas
forceacutement indexeacutes
5 La partie la plus cacheacutee est Tor
6 On y accegravede avec des logiciels
assurant lrsquoAnonymat
4 Also hidden are standalone pages an
d
documents behind private networks
like academic journal articles
Source CNNMoney accessed 100517
Darknets amp DarkWeb
Anonymisation par exple TOR
Qursquooffre t-il
Marchandises illicites (drogues armes hellip)
Places de marcheacutes parallegraveles
Forums
Services illicites
Le Business Model du Cybercrime
Lrsquoeacuteconomie souterraine laquo Underground raquo est organiseacutee et structureacutee pour favoriser le crime
Crime-as-a-Service (CaaS)
Eg Ransomware-as-a-Service (RaaS)
Image Source httpabout-threatstrendmicrocomusinfographicimagesCybercriminal20Underground-
022080020copyjpg
29082019
7
Diffeacuterents niveaux des acteurs du
marcheacute Underground
Source RAND accessed 100517
A quoi sert la Cyberseacutecuriteacute
doit reacutepondre agrave un besoin et apporter
de lrsquoefficaciteacute Rapiditeacute Performance
de la fiabiliteacute Qualiteacute Seacutecuriteacute
du gain Coucirct Deacutelai
Preacuterequis pour creacuteer la confiance dans lrsquousage des e-services
Climat de confiance
Adheacutesion de lrsquousager
Freins difficulteacutes
Problegravemes de Gouvernance
deacutecideurs politiques non sensibiliseacutes
Absence de vision strateacutegique
Savoir-faire non maicirctriseacute
29082019
8
Cyberseacutecuriteacute comment reacuteussir
doit ecirctre adresseacutee globalement
Les deacutecideurspolitiques doivent
deacutefinir une strateacutegie nationale en cyberseacutecuriteacute
fournir les ressources neacutecessaires agrave son
impleacutementation
Principes agrave admettre
Approche technologique insuffisante
Principe 1 le Risque Zeacutero nrsquoexiste pas mais on doit travailler agrave le minimiser et agrave limiter lrsquoimpact
Approche laquo Management du Risque raquo
Principe 2 la seacutecuriteacute est une chaicircne dont la force est celle de son maillon le plus faible
Approche globale de la seacutecuriteacute
Les 3 Piliers de la seacutecuriteacute des SI
la reacuteussite drsquoun processus de seacutecurisation repose sur
3 piliers
Technologie
outils TICSeacutecuriteacute etc
MeacutethodologieManagement
strateacutegies proceacutedures
reacuteglementation etc
Comportement social
Culture de la Cyber seacutecuriteacute
29082019
9
25
Systegraveme de Management de la Seacutecuriteacute de lrsquoInformation
Modegravele agrave suivre Modegravele PDCA de lrsquoISO 27001
Le SMSI une approche globale
Plan eacutetablir les objectifs conformeacutement aux risques exigences (correspondances objectifs lignes directrices)
Do impleacutementer et opeacuterer les fonctionnaliteacutes et proceacutedures
Check geacuterer les incidents les erreurs auditer
Act faire eacutevoluer la politique et les moyens conformeacutement aux besoins
26
La famille des normes
ISO 2700x
ISO 27001
SMSI
ISO 27006
Audit de SMSI
ISO 27000
Vocabulaire
ISO 27002 (17799)
Mesures de seacutecuriteacute
ISO 27003
Guide drsquoimpleacutementation
du SMSI
ISO 27007
Mesures PCA
ISO 27005
Risk Management
ISO 27004
Mesures et meacutetriques
Guides
2005 2007
2007
2007 or 2008
2005
Exigences
Bonnes pratiques
CERT hellip CSIRT
CERTCSIRT Computer Emergency Response Team
(Computer Security Incident Response Team)
CERTs Gouvernementaux Agences
o Technologies de la Communication Autoriteacute de reacutegulation
o Intelligence Deacutefense
o Police
CERTs speacutecialiseacutes
o Finance Opeacuterateurs Telecom Administration etc
29082019
10
Eleacutements drsquoune strateacutegie nationale
Deacutefinir un cadre leacutegal pour la cyberseacutecuriteacute
Proteacuteger le cyber-espace
Formation
R amp D (maicirctrise de la technologie)
Sensibilisation
Coopeacuteration internationale
Creacuteation de meacutecanismes drsquoexeacutecution et
drsquoimpleacutementation (Agences CERTs Task force
)
Cadre leacutegal pour la cyberseacutecuriteacute
Besoin drsquoun cadre leacutegal
Clarification des ldquocyberrdquo concepts (crime preuve
etc)
Quelles institutions quelles Responsabiliteacutes
Mesures opeacuterationelles et rocircle des CERTs
Aspects pratiques amp Application
coopeacuteration internationale
Outils drsquoimpleacutementation
Mise en place de CERTCSIRT (s)
Objectifs Scope amp Role
Gouvernemental
(administration Intelligence Deacutefense Police hellip)
Priveacute
(Finance teacuteleacutecom hellip)
29082019
11
Le rocircle drsquoun CERT
Fournir une reacuteponse immeacutediate et efficace agrave
un incident cyberneacutetique
Preacuteparer les institutions clients concerneacutes
agrave mieux geacuterer et traiter les cyber-menances
Missions drsquoun CERT
Deacutetection et Reacuteponse aux incidents
Veille amp Alerte
Gestion des incidents
Analyse des incidents
Investigation numeacuterique
Sensibilisation
Coopeacuteration (nationale amp internationale)
Services (According to the CERTCC model the US CERT)
Incident analysis Incident response on site Incident response support
Incident response
coordination Publish advisories or alerts
Vulnerability and Virus
handling
Provide and answer a
hotline Monitor IDS
Training or security
awareness
Technology watch or
monitoring service Track and trace intruders Penetration testing
Security policy development
Produce technical
documents Vulnerability assessments
Artifact analysis
Forensics evidence
collection Pursue legal investigations
Vulnerability scanning
Security product
development
Monitoring network and
system logs
Main services
Secondary services
29082019
12
World situation (2010) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
(technological and organizational aspects)
World situation (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
French CERTs (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
29082019
13
World situation (2018) source wwwfirstorg
World situation (2019) source wwwfirstorg
Objectif Geacuteneacuteral
eacutelever le niveau de seacutecuriteacute des SI tunisiens
Axes principaux
Mise agrave jour du cadre leacutegal
Mise en place des outils opeacuterationnels pour eacutevaluer et
suivre le processus de seacutecurisation des SI drsquoinstitutions
(publics amp priveacutes) obligation drsquoaudit seacutecuriteacute
Protection du cyber-espace national (Coordination
Assistance etc)
Deacuteveloppement du ldquoknow-howrdquo en IT Security (formation
RampD capaciteacutes open source)
Sensibilisation
Lrsquoexpeacuterience tunisienne
Strateacutegie en Cyber Security amp tunCERT
29082019
14
1999 2003 2004 2005 2006 2007 2008 2010
National Strategy
Awarness activities
National Survey
National project Wide Awareness
campaigns
High level decisions
Mailing-list
IS security Law
Creation of NACS Creation of cert-Tcc
Definition of the
administrative
Framework
Sensitive national
projects Developping IR
capabilities
Starting the
monitoring activities
Budget
Recruting technicall staff Setting up of SAHER
WSIS
Training activities (World
Bank)
Setting up of the
collaboration network Associative collaboration
website
Cert-Tcc joined the FIRST
Network NACS reached its maturity
International collaboration
Setting up of the Security
center facilities
NACS joined the network
of center of excellence (UNCTAD)
More training
Staff 3
Staff 5
Staff 6
Staff 15
Staff 25
Staff 42 Eacutevolution chronologique
OIC-CERT
Strong international collaboration
Staff 19
New services Staff 51
2010 2016 2019
investigation numeacuterique
Chambre blanche
Projet HoneyPotHoneyNet
Staff 51
Eacutevolution chronologique
Open data
Open gov
Staff 70
creacuteation de CERTs
sectoriels
Staff 70
Caracteacuteristiques
Constituency National CSIRT
Mission statement Defined by law protection of
the Tunisian cyberspace
Offered Services To be detailed
Funding Government
Revenue Free charge services
Number amp quality of employed
staff
50 for NACS
20 for tunCERT
Authority Partial authority (Law ndeg 52004)
Service hours 247
29082019
15
Gestion drsquoincidents (Incident Handling)
Reporting
Incident coordination
CSO CIO
CEO
Internal business managers
Human Resources Department
Physical Security Department
Audit or Risk Management Department
IT or Telecommunications Department
Legal Department
Public Relations Department
Marketing Department
Law Enforcement
Government organization agencies
Investigators
Other CERTs
Other security experts
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
2
Xx xxx xxx xxx
Xxxx x x x x x xx xhellip
Xxxx x x x x x xx xhellip
Xxxx x x x x x xx xhellip
Xxxx x x x x x xx xhellip
Vertical
Solutions
amp Platforms
Pervasive
Ecosystem
[Patel et al16]
Contexte IoT
Xx xxx xxx xxx
Xxxx x x x x x xx xhellip
Xxxx x x x x x xx xhellip
Xxxx x x x x x xx xhellip
Xxxx x x x x x xx xhellip
[IoT Analytics2]
Domaines dapplication IoT
Menaces eacutemergentes
DDoS Stuxnet Cyberguerre
MIRAI les IoT sy mecirclent
WanaCry WanaCrypt (Ransomware)
Cybercrime Darkweb
29082019
3
DDoS attack- principe
DDoS attack- Historique
Historique
1ere grande attaque DDoS feacutevrier 2000 (Mafiaboy) le 7 feacutevrier
Yahoo et inaccessible pendant 3 h
Amazoncom Buycom CNN et eBay ont eacuteteacute toucheacutes par des attaques DDoS E-Trade et ZDNet (le 8 feacutevrier 2000)
Pertes Yahoo environ 500 000 dollars
Amazon environ 600 000 dollars en 10 h
Michael Calce (Mafiaboy15 ans) condamneacute agrave 8 mois dans
un centre de deacutetention pour jeune
Stuxnet
deacutecouvert en 2010
Virus 1er de sa geacuteneacuteration
conccedilu par la NSA en collaboration avec luniteacute israeacutelienne 8200
Objectif attaquer les centrifugeuses iraniennes drsquoenrichissement drsquoUranium
cible les systegravemes SCADA utiliseacutes pour le controcircle commande de proceacutedeacutes industriels Stuxnet a la capaciteacute de reprogrammer des automates programmables industriels (API) produits par Siemens
29082019
4
Stuxnet comment ccedila fonctionne
MIRAI
Attaque DDoS amp IoT
MIRAI Botnet octobre 2016
Botnet de devices IP (cameacuteras imprimantes
modems hellip) lanccedilant un DDoS sur le serveur DNS
du FSI Dyn
flux de 1 Tos entrainant la chute du serveur DNS
et provoquant lrsquoindisponibiliteacute des services clients
Twitter the Guardian Netflix Reddit CNN hellip
malware MIRAI sur ordinateurs infecteacutes cherche
des devices vulneacuterables (utilisant loginpwd par
deacutefaut) et geacutenegravere un flood DNS sur Dyn
29082019
5
WanaCry WanaCrypt
Ransomware mai 2017
a toucheacute +300 000 ordinateurs dans
+150 pays
consideacutereacutee comme le plus grand piratage
agrave ranccedilon de lhistoire dInternet hellip
Chiffrement cleacute contre ranccedilon
(4)
(96)
Les eacutetages de lrsquoIceberg
29082019
6
LrsquoOctopus
1 Les reacutesultats de recherche des
moteurs classiques scrutent les
liens et les pages web indexeacutees
2 Ils ne reacutecoltent que 1 du contenu
du Web
3 Les SGBD ne livrent que le reacutesultat
drsquoune requecircte Le reste de la BD
nrsquoest pas indexeacute forceacutement
4 Les pages des reacuteseaux priveacutes les
documents acadeacutemiques ne sont pas
forceacutement indexeacutes
5 La partie la plus cacheacutee est Tor
6 On y accegravede avec des logiciels
assurant lrsquoAnonymat
4 Also hidden are standalone pages an
d
documents behind private networks
like academic journal articles
Source CNNMoney accessed 100517
Darknets amp DarkWeb
Anonymisation par exple TOR
Qursquooffre t-il
Marchandises illicites (drogues armes hellip)
Places de marcheacutes parallegraveles
Forums
Services illicites
Le Business Model du Cybercrime
Lrsquoeacuteconomie souterraine laquo Underground raquo est organiseacutee et structureacutee pour favoriser le crime
Crime-as-a-Service (CaaS)
Eg Ransomware-as-a-Service (RaaS)
Image Source httpabout-threatstrendmicrocomusinfographicimagesCybercriminal20Underground-
022080020copyjpg
29082019
7
Diffeacuterents niveaux des acteurs du
marcheacute Underground
Source RAND accessed 100517
A quoi sert la Cyberseacutecuriteacute
doit reacutepondre agrave un besoin et apporter
de lrsquoefficaciteacute Rapiditeacute Performance
de la fiabiliteacute Qualiteacute Seacutecuriteacute
du gain Coucirct Deacutelai
Preacuterequis pour creacuteer la confiance dans lrsquousage des e-services
Climat de confiance
Adheacutesion de lrsquousager
Freins difficulteacutes
Problegravemes de Gouvernance
deacutecideurs politiques non sensibiliseacutes
Absence de vision strateacutegique
Savoir-faire non maicirctriseacute
29082019
8
Cyberseacutecuriteacute comment reacuteussir
doit ecirctre adresseacutee globalement
Les deacutecideurspolitiques doivent
deacutefinir une strateacutegie nationale en cyberseacutecuriteacute
fournir les ressources neacutecessaires agrave son
impleacutementation
Principes agrave admettre
Approche technologique insuffisante
Principe 1 le Risque Zeacutero nrsquoexiste pas mais on doit travailler agrave le minimiser et agrave limiter lrsquoimpact
Approche laquo Management du Risque raquo
Principe 2 la seacutecuriteacute est une chaicircne dont la force est celle de son maillon le plus faible
Approche globale de la seacutecuriteacute
Les 3 Piliers de la seacutecuriteacute des SI
la reacuteussite drsquoun processus de seacutecurisation repose sur
3 piliers
Technologie
outils TICSeacutecuriteacute etc
MeacutethodologieManagement
strateacutegies proceacutedures
reacuteglementation etc
Comportement social
Culture de la Cyber seacutecuriteacute
29082019
9
25
Systegraveme de Management de la Seacutecuriteacute de lrsquoInformation
Modegravele agrave suivre Modegravele PDCA de lrsquoISO 27001
Le SMSI une approche globale
Plan eacutetablir les objectifs conformeacutement aux risques exigences (correspondances objectifs lignes directrices)
Do impleacutementer et opeacuterer les fonctionnaliteacutes et proceacutedures
Check geacuterer les incidents les erreurs auditer
Act faire eacutevoluer la politique et les moyens conformeacutement aux besoins
26
La famille des normes
ISO 2700x
ISO 27001
SMSI
ISO 27006
Audit de SMSI
ISO 27000
Vocabulaire
ISO 27002 (17799)
Mesures de seacutecuriteacute
ISO 27003
Guide drsquoimpleacutementation
du SMSI
ISO 27007
Mesures PCA
ISO 27005
Risk Management
ISO 27004
Mesures et meacutetriques
Guides
2005 2007
2007
2007 or 2008
2005
Exigences
Bonnes pratiques
CERT hellip CSIRT
CERTCSIRT Computer Emergency Response Team
(Computer Security Incident Response Team)
CERTs Gouvernementaux Agences
o Technologies de la Communication Autoriteacute de reacutegulation
o Intelligence Deacutefense
o Police
CERTs speacutecialiseacutes
o Finance Opeacuterateurs Telecom Administration etc
29082019
10
Eleacutements drsquoune strateacutegie nationale
Deacutefinir un cadre leacutegal pour la cyberseacutecuriteacute
Proteacuteger le cyber-espace
Formation
R amp D (maicirctrise de la technologie)
Sensibilisation
Coopeacuteration internationale
Creacuteation de meacutecanismes drsquoexeacutecution et
drsquoimpleacutementation (Agences CERTs Task force
)
Cadre leacutegal pour la cyberseacutecuriteacute
Besoin drsquoun cadre leacutegal
Clarification des ldquocyberrdquo concepts (crime preuve
etc)
Quelles institutions quelles Responsabiliteacutes
Mesures opeacuterationelles et rocircle des CERTs
Aspects pratiques amp Application
coopeacuteration internationale
Outils drsquoimpleacutementation
Mise en place de CERTCSIRT (s)
Objectifs Scope amp Role
Gouvernemental
(administration Intelligence Deacutefense Police hellip)
Priveacute
(Finance teacuteleacutecom hellip)
29082019
11
Le rocircle drsquoun CERT
Fournir une reacuteponse immeacutediate et efficace agrave
un incident cyberneacutetique
Preacuteparer les institutions clients concerneacutes
agrave mieux geacuterer et traiter les cyber-menances
Missions drsquoun CERT
Deacutetection et Reacuteponse aux incidents
Veille amp Alerte
Gestion des incidents
Analyse des incidents
Investigation numeacuterique
Sensibilisation
Coopeacuteration (nationale amp internationale)
Services (According to the CERTCC model the US CERT)
Incident analysis Incident response on site Incident response support
Incident response
coordination Publish advisories or alerts
Vulnerability and Virus
handling
Provide and answer a
hotline Monitor IDS
Training or security
awareness
Technology watch or
monitoring service Track and trace intruders Penetration testing
Security policy development
Produce technical
documents Vulnerability assessments
Artifact analysis
Forensics evidence
collection Pursue legal investigations
Vulnerability scanning
Security product
development
Monitoring network and
system logs
Main services
Secondary services
29082019
12
World situation (2010) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
(technological and organizational aspects)
World situation (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
French CERTs (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
29082019
13
World situation (2018) source wwwfirstorg
World situation (2019) source wwwfirstorg
Objectif Geacuteneacuteral
eacutelever le niveau de seacutecuriteacute des SI tunisiens
Axes principaux
Mise agrave jour du cadre leacutegal
Mise en place des outils opeacuterationnels pour eacutevaluer et
suivre le processus de seacutecurisation des SI drsquoinstitutions
(publics amp priveacutes) obligation drsquoaudit seacutecuriteacute
Protection du cyber-espace national (Coordination
Assistance etc)
Deacuteveloppement du ldquoknow-howrdquo en IT Security (formation
RampD capaciteacutes open source)
Sensibilisation
Lrsquoexpeacuterience tunisienne
Strateacutegie en Cyber Security amp tunCERT
29082019
14
1999 2003 2004 2005 2006 2007 2008 2010
National Strategy
Awarness activities
National Survey
National project Wide Awareness
campaigns
High level decisions
Mailing-list
IS security Law
Creation of NACS Creation of cert-Tcc
Definition of the
administrative
Framework
Sensitive national
projects Developping IR
capabilities
Starting the
monitoring activities
Budget
Recruting technicall staff Setting up of SAHER
WSIS
Training activities (World
Bank)
Setting up of the
collaboration network Associative collaboration
website
Cert-Tcc joined the FIRST
Network NACS reached its maturity
International collaboration
Setting up of the Security
center facilities
NACS joined the network
of center of excellence (UNCTAD)
More training
Staff 3
Staff 5
Staff 6
Staff 15
Staff 25
Staff 42 Eacutevolution chronologique
OIC-CERT
Strong international collaboration
Staff 19
New services Staff 51
2010 2016 2019
investigation numeacuterique
Chambre blanche
Projet HoneyPotHoneyNet
Staff 51
Eacutevolution chronologique
Open data
Open gov
Staff 70
creacuteation de CERTs
sectoriels
Staff 70
Caracteacuteristiques
Constituency National CSIRT
Mission statement Defined by law protection of
the Tunisian cyberspace
Offered Services To be detailed
Funding Government
Revenue Free charge services
Number amp quality of employed
staff
50 for NACS
20 for tunCERT
Authority Partial authority (Law ndeg 52004)
Service hours 247
29082019
15
Gestion drsquoincidents (Incident Handling)
Reporting
Incident coordination
CSO CIO
CEO
Internal business managers
Human Resources Department
Physical Security Department
Audit or Risk Management Department
IT or Telecommunications Department
Legal Department
Public Relations Department
Marketing Department
Law Enforcement
Government organization agencies
Investigators
Other CERTs
Other security experts
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
3
DDoS attack- principe
DDoS attack- Historique
Historique
1ere grande attaque DDoS feacutevrier 2000 (Mafiaboy) le 7 feacutevrier
Yahoo et inaccessible pendant 3 h
Amazoncom Buycom CNN et eBay ont eacuteteacute toucheacutes par des attaques DDoS E-Trade et ZDNet (le 8 feacutevrier 2000)
Pertes Yahoo environ 500 000 dollars
Amazon environ 600 000 dollars en 10 h
Michael Calce (Mafiaboy15 ans) condamneacute agrave 8 mois dans
un centre de deacutetention pour jeune
Stuxnet
deacutecouvert en 2010
Virus 1er de sa geacuteneacuteration
conccedilu par la NSA en collaboration avec luniteacute israeacutelienne 8200
Objectif attaquer les centrifugeuses iraniennes drsquoenrichissement drsquoUranium
cible les systegravemes SCADA utiliseacutes pour le controcircle commande de proceacutedeacutes industriels Stuxnet a la capaciteacute de reprogrammer des automates programmables industriels (API) produits par Siemens
29082019
4
Stuxnet comment ccedila fonctionne
MIRAI
Attaque DDoS amp IoT
MIRAI Botnet octobre 2016
Botnet de devices IP (cameacuteras imprimantes
modems hellip) lanccedilant un DDoS sur le serveur DNS
du FSI Dyn
flux de 1 Tos entrainant la chute du serveur DNS
et provoquant lrsquoindisponibiliteacute des services clients
Twitter the Guardian Netflix Reddit CNN hellip
malware MIRAI sur ordinateurs infecteacutes cherche
des devices vulneacuterables (utilisant loginpwd par
deacutefaut) et geacutenegravere un flood DNS sur Dyn
29082019
5
WanaCry WanaCrypt
Ransomware mai 2017
a toucheacute +300 000 ordinateurs dans
+150 pays
consideacutereacutee comme le plus grand piratage
agrave ranccedilon de lhistoire dInternet hellip
Chiffrement cleacute contre ranccedilon
(4)
(96)
Les eacutetages de lrsquoIceberg
29082019
6
LrsquoOctopus
1 Les reacutesultats de recherche des
moteurs classiques scrutent les
liens et les pages web indexeacutees
2 Ils ne reacutecoltent que 1 du contenu
du Web
3 Les SGBD ne livrent que le reacutesultat
drsquoune requecircte Le reste de la BD
nrsquoest pas indexeacute forceacutement
4 Les pages des reacuteseaux priveacutes les
documents acadeacutemiques ne sont pas
forceacutement indexeacutes
5 La partie la plus cacheacutee est Tor
6 On y accegravede avec des logiciels
assurant lrsquoAnonymat
4 Also hidden are standalone pages an
d
documents behind private networks
like academic journal articles
Source CNNMoney accessed 100517
Darknets amp DarkWeb
Anonymisation par exple TOR
Qursquooffre t-il
Marchandises illicites (drogues armes hellip)
Places de marcheacutes parallegraveles
Forums
Services illicites
Le Business Model du Cybercrime
Lrsquoeacuteconomie souterraine laquo Underground raquo est organiseacutee et structureacutee pour favoriser le crime
Crime-as-a-Service (CaaS)
Eg Ransomware-as-a-Service (RaaS)
Image Source httpabout-threatstrendmicrocomusinfographicimagesCybercriminal20Underground-
022080020copyjpg
29082019
7
Diffeacuterents niveaux des acteurs du
marcheacute Underground
Source RAND accessed 100517
A quoi sert la Cyberseacutecuriteacute
doit reacutepondre agrave un besoin et apporter
de lrsquoefficaciteacute Rapiditeacute Performance
de la fiabiliteacute Qualiteacute Seacutecuriteacute
du gain Coucirct Deacutelai
Preacuterequis pour creacuteer la confiance dans lrsquousage des e-services
Climat de confiance
Adheacutesion de lrsquousager
Freins difficulteacutes
Problegravemes de Gouvernance
deacutecideurs politiques non sensibiliseacutes
Absence de vision strateacutegique
Savoir-faire non maicirctriseacute
29082019
8
Cyberseacutecuriteacute comment reacuteussir
doit ecirctre adresseacutee globalement
Les deacutecideurspolitiques doivent
deacutefinir une strateacutegie nationale en cyberseacutecuriteacute
fournir les ressources neacutecessaires agrave son
impleacutementation
Principes agrave admettre
Approche technologique insuffisante
Principe 1 le Risque Zeacutero nrsquoexiste pas mais on doit travailler agrave le minimiser et agrave limiter lrsquoimpact
Approche laquo Management du Risque raquo
Principe 2 la seacutecuriteacute est une chaicircne dont la force est celle de son maillon le plus faible
Approche globale de la seacutecuriteacute
Les 3 Piliers de la seacutecuriteacute des SI
la reacuteussite drsquoun processus de seacutecurisation repose sur
3 piliers
Technologie
outils TICSeacutecuriteacute etc
MeacutethodologieManagement
strateacutegies proceacutedures
reacuteglementation etc
Comportement social
Culture de la Cyber seacutecuriteacute
29082019
9
25
Systegraveme de Management de la Seacutecuriteacute de lrsquoInformation
Modegravele agrave suivre Modegravele PDCA de lrsquoISO 27001
Le SMSI une approche globale
Plan eacutetablir les objectifs conformeacutement aux risques exigences (correspondances objectifs lignes directrices)
Do impleacutementer et opeacuterer les fonctionnaliteacutes et proceacutedures
Check geacuterer les incidents les erreurs auditer
Act faire eacutevoluer la politique et les moyens conformeacutement aux besoins
26
La famille des normes
ISO 2700x
ISO 27001
SMSI
ISO 27006
Audit de SMSI
ISO 27000
Vocabulaire
ISO 27002 (17799)
Mesures de seacutecuriteacute
ISO 27003
Guide drsquoimpleacutementation
du SMSI
ISO 27007
Mesures PCA
ISO 27005
Risk Management
ISO 27004
Mesures et meacutetriques
Guides
2005 2007
2007
2007 or 2008
2005
Exigences
Bonnes pratiques
CERT hellip CSIRT
CERTCSIRT Computer Emergency Response Team
(Computer Security Incident Response Team)
CERTs Gouvernementaux Agences
o Technologies de la Communication Autoriteacute de reacutegulation
o Intelligence Deacutefense
o Police
CERTs speacutecialiseacutes
o Finance Opeacuterateurs Telecom Administration etc
29082019
10
Eleacutements drsquoune strateacutegie nationale
Deacutefinir un cadre leacutegal pour la cyberseacutecuriteacute
Proteacuteger le cyber-espace
Formation
R amp D (maicirctrise de la technologie)
Sensibilisation
Coopeacuteration internationale
Creacuteation de meacutecanismes drsquoexeacutecution et
drsquoimpleacutementation (Agences CERTs Task force
)
Cadre leacutegal pour la cyberseacutecuriteacute
Besoin drsquoun cadre leacutegal
Clarification des ldquocyberrdquo concepts (crime preuve
etc)
Quelles institutions quelles Responsabiliteacutes
Mesures opeacuterationelles et rocircle des CERTs
Aspects pratiques amp Application
coopeacuteration internationale
Outils drsquoimpleacutementation
Mise en place de CERTCSIRT (s)
Objectifs Scope amp Role
Gouvernemental
(administration Intelligence Deacutefense Police hellip)
Priveacute
(Finance teacuteleacutecom hellip)
29082019
11
Le rocircle drsquoun CERT
Fournir une reacuteponse immeacutediate et efficace agrave
un incident cyberneacutetique
Preacuteparer les institutions clients concerneacutes
agrave mieux geacuterer et traiter les cyber-menances
Missions drsquoun CERT
Deacutetection et Reacuteponse aux incidents
Veille amp Alerte
Gestion des incidents
Analyse des incidents
Investigation numeacuterique
Sensibilisation
Coopeacuteration (nationale amp internationale)
Services (According to the CERTCC model the US CERT)
Incident analysis Incident response on site Incident response support
Incident response
coordination Publish advisories or alerts
Vulnerability and Virus
handling
Provide and answer a
hotline Monitor IDS
Training or security
awareness
Technology watch or
monitoring service Track and trace intruders Penetration testing
Security policy development
Produce technical
documents Vulnerability assessments
Artifact analysis
Forensics evidence
collection Pursue legal investigations
Vulnerability scanning
Security product
development
Monitoring network and
system logs
Main services
Secondary services
29082019
12
World situation (2010) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
(technological and organizational aspects)
World situation (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
French CERTs (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
29082019
13
World situation (2018) source wwwfirstorg
World situation (2019) source wwwfirstorg
Objectif Geacuteneacuteral
eacutelever le niveau de seacutecuriteacute des SI tunisiens
Axes principaux
Mise agrave jour du cadre leacutegal
Mise en place des outils opeacuterationnels pour eacutevaluer et
suivre le processus de seacutecurisation des SI drsquoinstitutions
(publics amp priveacutes) obligation drsquoaudit seacutecuriteacute
Protection du cyber-espace national (Coordination
Assistance etc)
Deacuteveloppement du ldquoknow-howrdquo en IT Security (formation
RampD capaciteacutes open source)
Sensibilisation
Lrsquoexpeacuterience tunisienne
Strateacutegie en Cyber Security amp tunCERT
29082019
14
1999 2003 2004 2005 2006 2007 2008 2010
National Strategy
Awarness activities
National Survey
National project Wide Awareness
campaigns
High level decisions
Mailing-list
IS security Law
Creation of NACS Creation of cert-Tcc
Definition of the
administrative
Framework
Sensitive national
projects Developping IR
capabilities
Starting the
monitoring activities
Budget
Recruting technicall staff Setting up of SAHER
WSIS
Training activities (World
Bank)
Setting up of the
collaboration network Associative collaboration
website
Cert-Tcc joined the FIRST
Network NACS reached its maturity
International collaboration
Setting up of the Security
center facilities
NACS joined the network
of center of excellence (UNCTAD)
More training
Staff 3
Staff 5
Staff 6
Staff 15
Staff 25
Staff 42 Eacutevolution chronologique
OIC-CERT
Strong international collaboration
Staff 19
New services Staff 51
2010 2016 2019
investigation numeacuterique
Chambre blanche
Projet HoneyPotHoneyNet
Staff 51
Eacutevolution chronologique
Open data
Open gov
Staff 70
creacuteation de CERTs
sectoriels
Staff 70
Caracteacuteristiques
Constituency National CSIRT
Mission statement Defined by law protection of
the Tunisian cyberspace
Offered Services To be detailed
Funding Government
Revenue Free charge services
Number amp quality of employed
staff
50 for NACS
20 for tunCERT
Authority Partial authority (Law ndeg 52004)
Service hours 247
29082019
15
Gestion drsquoincidents (Incident Handling)
Reporting
Incident coordination
CSO CIO
CEO
Internal business managers
Human Resources Department
Physical Security Department
Audit or Risk Management Department
IT or Telecommunications Department
Legal Department
Public Relations Department
Marketing Department
Law Enforcement
Government organization agencies
Investigators
Other CERTs
Other security experts
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
4
Stuxnet comment ccedila fonctionne
MIRAI
Attaque DDoS amp IoT
MIRAI Botnet octobre 2016
Botnet de devices IP (cameacuteras imprimantes
modems hellip) lanccedilant un DDoS sur le serveur DNS
du FSI Dyn
flux de 1 Tos entrainant la chute du serveur DNS
et provoquant lrsquoindisponibiliteacute des services clients
Twitter the Guardian Netflix Reddit CNN hellip
malware MIRAI sur ordinateurs infecteacutes cherche
des devices vulneacuterables (utilisant loginpwd par
deacutefaut) et geacutenegravere un flood DNS sur Dyn
29082019
5
WanaCry WanaCrypt
Ransomware mai 2017
a toucheacute +300 000 ordinateurs dans
+150 pays
consideacutereacutee comme le plus grand piratage
agrave ranccedilon de lhistoire dInternet hellip
Chiffrement cleacute contre ranccedilon
(4)
(96)
Les eacutetages de lrsquoIceberg
29082019
6
LrsquoOctopus
1 Les reacutesultats de recherche des
moteurs classiques scrutent les
liens et les pages web indexeacutees
2 Ils ne reacutecoltent que 1 du contenu
du Web
3 Les SGBD ne livrent que le reacutesultat
drsquoune requecircte Le reste de la BD
nrsquoest pas indexeacute forceacutement
4 Les pages des reacuteseaux priveacutes les
documents acadeacutemiques ne sont pas
forceacutement indexeacutes
5 La partie la plus cacheacutee est Tor
6 On y accegravede avec des logiciels
assurant lrsquoAnonymat
4 Also hidden are standalone pages an
d
documents behind private networks
like academic journal articles
Source CNNMoney accessed 100517
Darknets amp DarkWeb
Anonymisation par exple TOR
Qursquooffre t-il
Marchandises illicites (drogues armes hellip)
Places de marcheacutes parallegraveles
Forums
Services illicites
Le Business Model du Cybercrime
Lrsquoeacuteconomie souterraine laquo Underground raquo est organiseacutee et structureacutee pour favoriser le crime
Crime-as-a-Service (CaaS)
Eg Ransomware-as-a-Service (RaaS)
Image Source httpabout-threatstrendmicrocomusinfographicimagesCybercriminal20Underground-
022080020copyjpg
29082019
7
Diffeacuterents niveaux des acteurs du
marcheacute Underground
Source RAND accessed 100517
A quoi sert la Cyberseacutecuriteacute
doit reacutepondre agrave un besoin et apporter
de lrsquoefficaciteacute Rapiditeacute Performance
de la fiabiliteacute Qualiteacute Seacutecuriteacute
du gain Coucirct Deacutelai
Preacuterequis pour creacuteer la confiance dans lrsquousage des e-services
Climat de confiance
Adheacutesion de lrsquousager
Freins difficulteacutes
Problegravemes de Gouvernance
deacutecideurs politiques non sensibiliseacutes
Absence de vision strateacutegique
Savoir-faire non maicirctriseacute
29082019
8
Cyberseacutecuriteacute comment reacuteussir
doit ecirctre adresseacutee globalement
Les deacutecideurspolitiques doivent
deacutefinir une strateacutegie nationale en cyberseacutecuriteacute
fournir les ressources neacutecessaires agrave son
impleacutementation
Principes agrave admettre
Approche technologique insuffisante
Principe 1 le Risque Zeacutero nrsquoexiste pas mais on doit travailler agrave le minimiser et agrave limiter lrsquoimpact
Approche laquo Management du Risque raquo
Principe 2 la seacutecuriteacute est une chaicircne dont la force est celle de son maillon le plus faible
Approche globale de la seacutecuriteacute
Les 3 Piliers de la seacutecuriteacute des SI
la reacuteussite drsquoun processus de seacutecurisation repose sur
3 piliers
Technologie
outils TICSeacutecuriteacute etc
MeacutethodologieManagement
strateacutegies proceacutedures
reacuteglementation etc
Comportement social
Culture de la Cyber seacutecuriteacute
29082019
9
25
Systegraveme de Management de la Seacutecuriteacute de lrsquoInformation
Modegravele agrave suivre Modegravele PDCA de lrsquoISO 27001
Le SMSI une approche globale
Plan eacutetablir les objectifs conformeacutement aux risques exigences (correspondances objectifs lignes directrices)
Do impleacutementer et opeacuterer les fonctionnaliteacutes et proceacutedures
Check geacuterer les incidents les erreurs auditer
Act faire eacutevoluer la politique et les moyens conformeacutement aux besoins
26
La famille des normes
ISO 2700x
ISO 27001
SMSI
ISO 27006
Audit de SMSI
ISO 27000
Vocabulaire
ISO 27002 (17799)
Mesures de seacutecuriteacute
ISO 27003
Guide drsquoimpleacutementation
du SMSI
ISO 27007
Mesures PCA
ISO 27005
Risk Management
ISO 27004
Mesures et meacutetriques
Guides
2005 2007
2007
2007 or 2008
2005
Exigences
Bonnes pratiques
CERT hellip CSIRT
CERTCSIRT Computer Emergency Response Team
(Computer Security Incident Response Team)
CERTs Gouvernementaux Agences
o Technologies de la Communication Autoriteacute de reacutegulation
o Intelligence Deacutefense
o Police
CERTs speacutecialiseacutes
o Finance Opeacuterateurs Telecom Administration etc
29082019
10
Eleacutements drsquoune strateacutegie nationale
Deacutefinir un cadre leacutegal pour la cyberseacutecuriteacute
Proteacuteger le cyber-espace
Formation
R amp D (maicirctrise de la technologie)
Sensibilisation
Coopeacuteration internationale
Creacuteation de meacutecanismes drsquoexeacutecution et
drsquoimpleacutementation (Agences CERTs Task force
)
Cadre leacutegal pour la cyberseacutecuriteacute
Besoin drsquoun cadre leacutegal
Clarification des ldquocyberrdquo concepts (crime preuve
etc)
Quelles institutions quelles Responsabiliteacutes
Mesures opeacuterationelles et rocircle des CERTs
Aspects pratiques amp Application
coopeacuteration internationale
Outils drsquoimpleacutementation
Mise en place de CERTCSIRT (s)
Objectifs Scope amp Role
Gouvernemental
(administration Intelligence Deacutefense Police hellip)
Priveacute
(Finance teacuteleacutecom hellip)
29082019
11
Le rocircle drsquoun CERT
Fournir une reacuteponse immeacutediate et efficace agrave
un incident cyberneacutetique
Preacuteparer les institutions clients concerneacutes
agrave mieux geacuterer et traiter les cyber-menances
Missions drsquoun CERT
Deacutetection et Reacuteponse aux incidents
Veille amp Alerte
Gestion des incidents
Analyse des incidents
Investigation numeacuterique
Sensibilisation
Coopeacuteration (nationale amp internationale)
Services (According to the CERTCC model the US CERT)
Incident analysis Incident response on site Incident response support
Incident response
coordination Publish advisories or alerts
Vulnerability and Virus
handling
Provide and answer a
hotline Monitor IDS
Training or security
awareness
Technology watch or
monitoring service Track and trace intruders Penetration testing
Security policy development
Produce technical
documents Vulnerability assessments
Artifact analysis
Forensics evidence
collection Pursue legal investigations
Vulnerability scanning
Security product
development
Monitoring network and
system logs
Main services
Secondary services
29082019
12
World situation (2010) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
(technological and organizational aspects)
World situation (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
French CERTs (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
29082019
13
World situation (2018) source wwwfirstorg
World situation (2019) source wwwfirstorg
Objectif Geacuteneacuteral
eacutelever le niveau de seacutecuriteacute des SI tunisiens
Axes principaux
Mise agrave jour du cadre leacutegal
Mise en place des outils opeacuterationnels pour eacutevaluer et
suivre le processus de seacutecurisation des SI drsquoinstitutions
(publics amp priveacutes) obligation drsquoaudit seacutecuriteacute
Protection du cyber-espace national (Coordination
Assistance etc)
Deacuteveloppement du ldquoknow-howrdquo en IT Security (formation
RampD capaciteacutes open source)
Sensibilisation
Lrsquoexpeacuterience tunisienne
Strateacutegie en Cyber Security amp tunCERT
29082019
14
1999 2003 2004 2005 2006 2007 2008 2010
National Strategy
Awarness activities
National Survey
National project Wide Awareness
campaigns
High level decisions
Mailing-list
IS security Law
Creation of NACS Creation of cert-Tcc
Definition of the
administrative
Framework
Sensitive national
projects Developping IR
capabilities
Starting the
monitoring activities
Budget
Recruting technicall staff Setting up of SAHER
WSIS
Training activities (World
Bank)
Setting up of the
collaboration network Associative collaboration
website
Cert-Tcc joined the FIRST
Network NACS reached its maturity
International collaboration
Setting up of the Security
center facilities
NACS joined the network
of center of excellence (UNCTAD)
More training
Staff 3
Staff 5
Staff 6
Staff 15
Staff 25
Staff 42 Eacutevolution chronologique
OIC-CERT
Strong international collaboration
Staff 19
New services Staff 51
2010 2016 2019
investigation numeacuterique
Chambre blanche
Projet HoneyPotHoneyNet
Staff 51
Eacutevolution chronologique
Open data
Open gov
Staff 70
creacuteation de CERTs
sectoriels
Staff 70
Caracteacuteristiques
Constituency National CSIRT
Mission statement Defined by law protection of
the Tunisian cyberspace
Offered Services To be detailed
Funding Government
Revenue Free charge services
Number amp quality of employed
staff
50 for NACS
20 for tunCERT
Authority Partial authority (Law ndeg 52004)
Service hours 247
29082019
15
Gestion drsquoincidents (Incident Handling)
Reporting
Incident coordination
CSO CIO
CEO
Internal business managers
Human Resources Department
Physical Security Department
Audit or Risk Management Department
IT or Telecommunications Department
Legal Department
Public Relations Department
Marketing Department
Law Enforcement
Government organization agencies
Investigators
Other CERTs
Other security experts
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
5
WanaCry WanaCrypt
Ransomware mai 2017
a toucheacute +300 000 ordinateurs dans
+150 pays
consideacutereacutee comme le plus grand piratage
agrave ranccedilon de lhistoire dInternet hellip
Chiffrement cleacute contre ranccedilon
(4)
(96)
Les eacutetages de lrsquoIceberg
29082019
6
LrsquoOctopus
1 Les reacutesultats de recherche des
moteurs classiques scrutent les
liens et les pages web indexeacutees
2 Ils ne reacutecoltent que 1 du contenu
du Web
3 Les SGBD ne livrent que le reacutesultat
drsquoune requecircte Le reste de la BD
nrsquoest pas indexeacute forceacutement
4 Les pages des reacuteseaux priveacutes les
documents acadeacutemiques ne sont pas
forceacutement indexeacutes
5 La partie la plus cacheacutee est Tor
6 On y accegravede avec des logiciels
assurant lrsquoAnonymat
4 Also hidden are standalone pages an
d
documents behind private networks
like academic journal articles
Source CNNMoney accessed 100517
Darknets amp DarkWeb
Anonymisation par exple TOR
Qursquooffre t-il
Marchandises illicites (drogues armes hellip)
Places de marcheacutes parallegraveles
Forums
Services illicites
Le Business Model du Cybercrime
Lrsquoeacuteconomie souterraine laquo Underground raquo est organiseacutee et structureacutee pour favoriser le crime
Crime-as-a-Service (CaaS)
Eg Ransomware-as-a-Service (RaaS)
Image Source httpabout-threatstrendmicrocomusinfographicimagesCybercriminal20Underground-
022080020copyjpg
29082019
7
Diffeacuterents niveaux des acteurs du
marcheacute Underground
Source RAND accessed 100517
A quoi sert la Cyberseacutecuriteacute
doit reacutepondre agrave un besoin et apporter
de lrsquoefficaciteacute Rapiditeacute Performance
de la fiabiliteacute Qualiteacute Seacutecuriteacute
du gain Coucirct Deacutelai
Preacuterequis pour creacuteer la confiance dans lrsquousage des e-services
Climat de confiance
Adheacutesion de lrsquousager
Freins difficulteacutes
Problegravemes de Gouvernance
deacutecideurs politiques non sensibiliseacutes
Absence de vision strateacutegique
Savoir-faire non maicirctriseacute
29082019
8
Cyberseacutecuriteacute comment reacuteussir
doit ecirctre adresseacutee globalement
Les deacutecideurspolitiques doivent
deacutefinir une strateacutegie nationale en cyberseacutecuriteacute
fournir les ressources neacutecessaires agrave son
impleacutementation
Principes agrave admettre
Approche technologique insuffisante
Principe 1 le Risque Zeacutero nrsquoexiste pas mais on doit travailler agrave le minimiser et agrave limiter lrsquoimpact
Approche laquo Management du Risque raquo
Principe 2 la seacutecuriteacute est une chaicircne dont la force est celle de son maillon le plus faible
Approche globale de la seacutecuriteacute
Les 3 Piliers de la seacutecuriteacute des SI
la reacuteussite drsquoun processus de seacutecurisation repose sur
3 piliers
Technologie
outils TICSeacutecuriteacute etc
MeacutethodologieManagement
strateacutegies proceacutedures
reacuteglementation etc
Comportement social
Culture de la Cyber seacutecuriteacute
29082019
9
25
Systegraveme de Management de la Seacutecuriteacute de lrsquoInformation
Modegravele agrave suivre Modegravele PDCA de lrsquoISO 27001
Le SMSI une approche globale
Plan eacutetablir les objectifs conformeacutement aux risques exigences (correspondances objectifs lignes directrices)
Do impleacutementer et opeacuterer les fonctionnaliteacutes et proceacutedures
Check geacuterer les incidents les erreurs auditer
Act faire eacutevoluer la politique et les moyens conformeacutement aux besoins
26
La famille des normes
ISO 2700x
ISO 27001
SMSI
ISO 27006
Audit de SMSI
ISO 27000
Vocabulaire
ISO 27002 (17799)
Mesures de seacutecuriteacute
ISO 27003
Guide drsquoimpleacutementation
du SMSI
ISO 27007
Mesures PCA
ISO 27005
Risk Management
ISO 27004
Mesures et meacutetriques
Guides
2005 2007
2007
2007 or 2008
2005
Exigences
Bonnes pratiques
CERT hellip CSIRT
CERTCSIRT Computer Emergency Response Team
(Computer Security Incident Response Team)
CERTs Gouvernementaux Agences
o Technologies de la Communication Autoriteacute de reacutegulation
o Intelligence Deacutefense
o Police
CERTs speacutecialiseacutes
o Finance Opeacuterateurs Telecom Administration etc
29082019
10
Eleacutements drsquoune strateacutegie nationale
Deacutefinir un cadre leacutegal pour la cyberseacutecuriteacute
Proteacuteger le cyber-espace
Formation
R amp D (maicirctrise de la technologie)
Sensibilisation
Coopeacuteration internationale
Creacuteation de meacutecanismes drsquoexeacutecution et
drsquoimpleacutementation (Agences CERTs Task force
)
Cadre leacutegal pour la cyberseacutecuriteacute
Besoin drsquoun cadre leacutegal
Clarification des ldquocyberrdquo concepts (crime preuve
etc)
Quelles institutions quelles Responsabiliteacutes
Mesures opeacuterationelles et rocircle des CERTs
Aspects pratiques amp Application
coopeacuteration internationale
Outils drsquoimpleacutementation
Mise en place de CERTCSIRT (s)
Objectifs Scope amp Role
Gouvernemental
(administration Intelligence Deacutefense Police hellip)
Priveacute
(Finance teacuteleacutecom hellip)
29082019
11
Le rocircle drsquoun CERT
Fournir une reacuteponse immeacutediate et efficace agrave
un incident cyberneacutetique
Preacuteparer les institutions clients concerneacutes
agrave mieux geacuterer et traiter les cyber-menances
Missions drsquoun CERT
Deacutetection et Reacuteponse aux incidents
Veille amp Alerte
Gestion des incidents
Analyse des incidents
Investigation numeacuterique
Sensibilisation
Coopeacuteration (nationale amp internationale)
Services (According to the CERTCC model the US CERT)
Incident analysis Incident response on site Incident response support
Incident response
coordination Publish advisories or alerts
Vulnerability and Virus
handling
Provide and answer a
hotline Monitor IDS
Training or security
awareness
Technology watch or
monitoring service Track and trace intruders Penetration testing
Security policy development
Produce technical
documents Vulnerability assessments
Artifact analysis
Forensics evidence
collection Pursue legal investigations
Vulnerability scanning
Security product
development
Monitoring network and
system logs
Main services
Secondary services
29082019
12
World situation (2010) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
(technological and organizational aspects)
World situation (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
French CERTs (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
29082019
13
World situation (2018) source wwwfirstorg
World situation (2019) source wwwfirstorg
Objectif Geacuteneacuteral
eacutelever le niveau de seacutecuriteacute des SI tunisiens
Axes principaux
Mise agrave jour du cadre leacutegal
Mise en place des outils opeacuterationnels pour eacutevaluer et
suivre le processus de seacutecurisation des SI drsquoinstitutions
(publics amp priveacutes) obligation drsquoaudit seacutecuriteacute
Protection du cyber-espace national (Coordination
Assistance etc)
Deacuteveloppement du ldquoknow-howrdquo en IT Security (formation
RampD capaciteacutes open source)
Sensibilisation
Lrsquoexpeacuterience tunisienne
Strateacutegie en Cyber Security amp tunCERT
29082019
14
1999 2003 2004 2005 2006 2007 2008 2010
National Strategy
Awarness activities
National Survey
National project Wide Awareness
campaigns
High level decisions
Mailing-list
IS security Law
Creation of NACS Creation of cert-Tcc
Definition of the
administrative
Framework
Sensitive national
projects Developping IR
capabilities
Starting the
monitoring activities
Budget
Recruting technicall staff Setting up of SAHER
WSIS
Training activities (World
Bank)
Setting up of the
collaboration network Associative collaboration
website
Cert-Tcc joined the FIRST
Network NACS reached its maturity
International collaboration
Setting up of the Security
center facilities
NACS joined the network
of center of excellence (UNCTAD)
More training
Staff 3
Staff 5
Staff 6
Staff 15
Staff 25
Staff 42 Eacutevolution chronologique
OIC-CERT
Strong international collaboration
Staff 19
New services Staff 51
2010 2016 2019
investigation numeacuterique
Chambre blanche
Projet HoneyPotHoneyNet
Staff 51
Eacutevolution chronologique
Open data
Open gov
Staff 70
creacuteation de CERTs
sectoriels
Staff 70
Caracteacuteristiques
Constituency National CSIRT
Mission statement Defined by law protection of
the Tunisian cyberspace
Offered Services To be detailed
Funding Government
Revenue Free charge services
Number amp quality of employed
staff
50 for NACS
20 for tunCERT
Authority Partial authority (Law ndeg 52004)
Service hours 247
29082019
15
Gestion drsquoincidents (Incident Handling)
Reporting
Incident coordination
CSO CIO
CEO
Internal business managers
Human Resources Department
Physical Security Department
Audit or Risk Management Department
IT or Telecommunications Department
Legal Department
Public Relations Department
Marketing Department
Law Enforcement
Government organization agencies
Investigators
Other CERTs
Other security experts
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
6
LrsquoOctopus
1 Les reacutesultats de recherche des
moteurs classiques scrutent les
liens et les pages web indexeacutees
2 Ils ne reacutecoltent que 1 du contenu
du Web
3 Les SGBD ne livrent que le reacutesultat
drsquoune requecircte Le reste de la BD
nrsquoest pas indexeacute forceacutement
4 Les pages des reacuteseaux priveacutes les
documents acadeacutemiques ne sont pas
forceacutement indexeacutes
5 La partie la plus cacheacutee est Tor
6 On y accegravede avec des logiciels
assurant lrsquoAnonymat
4 Also hidden are standalone pages an
d
documents behind private networks
like academic journal articles
Source CNNMoney accessed 100517
Darknets amp DarkWeb
Anonymisation par exple TOR
Qursquooffre t-il
Marchandises illicites (drogues armes hellip)
Places de marcheacutes parallegraveles
Forums
Services illicites
Le Business Model du Cybercrime
Lrsquoeacuteconomie souterraine laquo Underground raquo est organiseacutee et structureacutee pour favoriser le crime
Crime-as-a-Service (CaaS)
Eg Ransomware-as-a-Service (RaaS)
Image Source httpabout-threatstrendmicrocomusinfographicimagesCybercriminal20Underground-
022080020copyjpg
29082019
7
Diffeacuterents niveaux des acteurs du
marcheacute Underground
Source RAND accessed 100517
A quoi sert la Cyberseacutecuriteacute
doit reacutepondre agrave un besoin et apporter
de lrsquoefficaciteacute Rapiditeacute Performance
de la fiabiliteacute Qualiteacute Seacutecuriteacute
du gain Coucirct Deacutelai
Preacuterequis pour creacuteer la confiance dans lrsquousage des e-services
Climat de confiance
Adheacutesion de lrsquousager
Freins difficulteacutes
Problegravemes de Gouvernance
deacutecideurs politiques non sensibiliseacutes
Absence de vision strateacutegique
Savoir-faire non maicirctriseacute
29082019
8
Cyberseacutecuriteacute comment reacuteussir
doit ecirctre adresseacutee globalement
Les deacutecideurspolitiques doivent
deacutefinir une strateacutegie nationale en cyberseacutecuriteacute
fournir les ressources neacutecessaires agrave son
impleacutementation
Principes agrave admettre
Approche technologique insuffisante
Principe 1 le Risque Zeacutero nrsquoexiste pas mais on doit travailler agrave le minimiser et agrave limiter lrsquoimpact
Approche laquo Management du Risque raquo
Principe 2 la seacutecuriteacute est une chaicircne dont la force est celle de son maillon le plus faible
Approche globale de la seacutecuriteacute
Les 3 Piliers de la seacutecuriteacute des SI
la reacuteussite drsquoun processus de seacutecurisation repose sur
3 piliers
Technologie
outils TICSeacutecuriteacute etc
MeacutethodologieManagement
strateacutegies proceacutedures
reacuteglementation etc
Comportement social
Culture de la Cyber seacutecuriteacute
29082019
9
25
Systegraveme de Management de la Seacutecuriteacute de lrsquoInformation
Modegravele agrave suivre Modegravele PDCA de lrsquoISO 27001
Le SMSI une approche globale
Plan eacutetablir les objectifs conformeacutement aux risques exigences (correspondances objectifs lignes directrices)
Do impleacutementer et opeacuterer les fonctionnaliteacutes et proceacutedures
Check geacuterer les incidents les erreurs auditer
Act faire eacutevoluer la politique et les moyens conformeacutement aux besoins
26
La famille des normes
ISO 2700x
ISO 27001
SMSI
ISO 27006
Audit de SMSI
ISO 27000
Vocabulaire
ISO 27002 (17799)
Mesures de seacutecuriteacute
ISO 27003
Guide drsquoimpleacutementation
du SMSI
ISO 27007
Mesures PCA
ISO 27005
Risk Management
ISO 27004
Mesures et meacutetriques
Guides
2005 2007
2007
2007 or 2008
2005
Exigences
Bonnes pratiques
CERT hellip CSIRT
CERTCSIRT Computer Emergency Response Team
(Computer Security Incident Response Team)
CERTs Gouvernementaux Agences
o Technologies de la Communication Autoriteacute de reacutegulation
o Intelligence Deacutefense
o Police
CERTs speacutecialiseacutes
o Finance Opeacuterateurs Telecom Administration etc
29082019
10
Eleacutements drsquoune strateacutegie nationale
Deacutefinir un cadre leacutegal pour la cyberseacutecuriteacute
Proteacuteger le cyber-espace
Formation
R amp D (maicirctrise de la technologie)
Sensibilisation
Coopeacuteration internationale
Creacuteation de meacutecanismes drsquoexeacutecution et
drsquoimpleacutementation (Agences CERTs Task force
)
Cadre leacutegal pour la cyberseacutecuriteacute
Besoin drsquoun cadre leacutegal
Clarification des ldquocyberrdquo concepts (crime preuve
etc)
Quelles institutions quelles Responsabiliteacutes
Mesures opeacuterationelles et rocircle des CERTs
Aspects pratiques amp Application
coopeacuteration internationale
Outils drsquoimpleacutementation
Mise en place de CERTCSIRT (s)
Objectifs Scope amp Role
Gouvernemental
(administration Intelligence Deacutefense Police hellip)
Priveacute
(Finance teacuteleacutecom hellip)
29082019
11
Le rocircle drsquoun CERT
Fournir une reacuteponse immeacutediate et efficace agrave
un incident cyberneacutetique
Preacuteparer les institutions clients concerneacutes
agrave mieux geacuterer et traiter les cyber-menances
Missions drsquoun CERT
Deacutetection et Reacuteponse aux incidents
Veille amp Alerte
Gestion des incidents
Analyse des incidents
Investigation numeacuterique
Sensibilisation
Coopeacuteration (nationale amp internationale)
Services (According to the CERTCC model the US CERT)
Incident analysis Incident response on site Incident response support
Incident response
coordination Publish advisories or alerts
Vulnerability and Virus
handling
Provide and answer a
hotline Monitor IDS
Training or security
awareness
Technology watch or
monitoring service Track and trace intruders Penetration testing
Security policy development
Produce technical
documents Vulnerability assessments
Artifact analysis
Forensics evidence
collection Pursue legal investigations
Vulnerability scanning
Security product
development
Monitoring network and
system logs
Main services
Secondary services
29082019
12
World situation (2010) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
(technological and organizational aspects)
World situation (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
French CERTs (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
29082019
13
World situation (2018) source wwwfirstorg
World situation (2019) source wwwfirstorg
Objectif Geacuteneacuteral
eacutelever le niveau de seacutecuriteacute des SI tunisiens
Axes principaux
Mise agrave jour du cadre leacutegal
Mise en place des outils opeacuterationnels pour eacutevaluer et
suivre le processus de seacutecurisation des SI drsquoinstitutions
(publics amp priveacutes) obligation drsquoaudit seacutecuriteacute
Protection du cyber-espace national (Coordination
Assistance etc)
Deacuteveloppement du ldquoknow-howrdquo en IT Security (formation
RampD capaciteacutes open source)
Sensibilisation
Lrsquoexpeacuterience tunisienne
Strateacutegie en Cyber Security amp tunCERT
29082019
14
1999 2003 2004 2005 2006 2007 2008 2010
National Strategy
Awarness activities
National Survey
National project Wide Awareness
campaigns
High level decisions
Mailing-list
IS security Law
Creation of NACS Creation of cert-Tcc
Definition of the
administrative
Framework
Sensitive national
projects Developping IR
capabilities
Starting the
monitoring activities
Budget
Recruting technicall staff Setting up of SAHER
WSIS
Training activities (World
Bank)
Setting up of the
collaboration network Associative collaboration
website
Cert-Tcc joined the FIRST
Network NACS reached its maturity
International collaboration
Setting up of the Security
center facilities
NACS joined the network
of center of excellence (UNCTAD)
More training
Staff 3
Staff 5
Staff 6
Staff 15
Staff 25
Staff 42 Eacutevolution chronologique
OIC-CERT
Strong international collaboration
Staff 19
New services Staff 51
2010 2016 2019
investigation numeacuterique
Chambre blanche
Projet HoneyPotHoneyNet
Staff 51
Eacutevolution chronologique
Open data
Open gov
Staff 70
creacuteation de CERTs
sectoriels
Staff 70
Caracteacuteristiques
Constituency National CSIRT
Mission statement Defined by law protection of
the Tunisian cyberspace
Offered Services To be detailed
Funding Government
Revenue Free charge services
Number amp quality of employed
staff
50 for NACS
20 for tunCERT
Authority Partial authority (Law ndeg 52004)
Service hours 247
29082019
15
Gestion drsquoincidents (Incident Handling)
Reporting
Incident coordination
CSO CIO
CEO
Internal business managers
Human Resources Department
Physical Security Department
Audit or Risk Management Department
IT or Telecommunications Department
Legal Department
Public Relations Department
Marketing Department
Law Enforcement
Government organization agencies
Investigators
Other CERTs
Other security experts
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
7
Diffeacuterents niveaux des acteurs du
marcheacute Underground
Source RAND accessed 100517
A quoi sert la Cyberseacutecuriteacute
doit reacutepondre agrave un besoin et apporter
de lrsquoefficaciteacute Rapiditeacute Performance
de la fiabiliteacute Qualiteacute Seacutecuriteacute
du gain Coucirct Deacutelai
Preacuterequis pour creacuteer la confiance dans lrsquousage des e-services
Climat de confiance
Adheacutesion de lrsquousager
Freins difficulteacutes
Problegravemes de Gouvernance
deacutecideurs politiques non sensibiliseacutes
Absence de vision strateacutegique
Savoir-faire non maicirctriseacute
29082019
8
Cyberseacutecuriteacute comment reacuteussir
doit ecirctre adresseacutee globalement
Les deacutecideurspolitiques doivent
deacutefinir une strateacutegie nationale en cyberseacutecuriteacute
fournir les ressources neacutecessaires agrave son
impleacutementation
Principes agrave admettre
Approche technologique insuffisante
Principe 1 le Risque Zeacutero nrsquoexiste pas mais on doit travailler agrave le minimiser et agrave limiter lrsquoimpact
Approche laquo Management du Risque raquo
Principe 2 la seacutecuriteacute est une chaicircne dont la force est celle de son maillon le plus faible
Approche globale de la seacutecuriteacute
Les 3 Piliers de la seacutecuriteacute des SI
la reacuteussite drsquoun processus de seacutecurisation repose sur
3 piliers
Technologie
outils TICSeacutecuriteacute etc
MeacutethodologieManagement
strateacutegies proceacutedures
reacuteglementation etc
Comportement social
Culture de la Cyber seacutecuriteacute
29082019
9
25
Systegraveme de Management de la Seacutecuriteacute de lrsquoInformation
Modegravele agrave suivre Modegravele PDCA de lrsquoISO 27001
Le SMSI une approche globale
Plan eacutetablir les objectifs conformeacutement aux risques exigences (correspondances objectifs lignes directrices)
Do impleacutementer et opeacuterer les fonctionnaliteacutes et proceacutedures
Check geacuterer les incidents les erreurs auditer
Act faire eacutevoluer la politique et les moyens conformeacutement aux besoins
26
La famille des normes
ISO 2700x
ISO 27001
SMSI
ISO 27006
Audit de SMSI
ISO 27000
Vocabulaire
ISO 27002 (17799)
Mesures de seacutecuriteacute
ISO 27003
Guide drsquoimpleacutementation
du SMSI
ISO 27007
Mesures PCA
ISO 27005
Risk Management
ISO 27004
Mesures et meacutetriques
Guides
2005 2007
2007
2007 or 2008
2005
Exigences
Bonnes pratiques
CERT hellip CSIRT
CERTCSIRT Computer Emergency Response Team
(Computer Security Incident Response Team)
CERTs Gouvernementaux Agences
o Technologies de la Communication Autoriteacute de reacutegulation
o Intelligence Deacutefense
o Police
CERTs speacutecialiseacutes
o Finance Opeacuterateurs Telecom Administration etc
29082019
10
Eleacutements drsquoune strateacutegie nationale
Deacutefinir un cadre leacutegal pour la cyberseacutecuriteacute
Proteacuteger le cyber-espace
Formation
R amp D (maicirctrise de la technologie)
Sensibilisation
Coopeacuteration internationale
Creacuteation de meacutecanismes drsquoexeacutecution et
drsquoimpleacutementation (Agences CERTs Task force
)
Cadre leacutegal pour la cyberseacutecuriteacute
Besoin drsquoun cadre leacutegal
Clarification des ldquocyberrdquo concepts (crime preuve
etc)
Quelles institutions quelles Responsabiliteacutes
Mesures opeacuterationelles et rocircle des CERTs
Aspects pratiques amp Application
coopeacuteration internationale
Outils drsquoimpleacutementation
Mise en place de CERTCSIRT (s)
Objectifs Scope amp Role
Gouvernemental
(administration Intelligence Deacutefense Police hellip)
Priveacute
(Finance teacuteleacutecom hellip)
29082019
11
Le rocircle drsquoun CERT
Fournir une reacuteponse immeacutediate et efficace agrave
un incident cyberneacutetique
Preacuteparer les institutions clients concerneacutes
agrave mieux geacuterer et traiter les cyber-menances
Missions drsquoun CERT
Deacutetection et Reacuteponse aux incidents
Veille amp Alerte
Gestion des incidents
Analyse des incidents
Investigation numeacuterique
Sensibilisation
Coopeacuteration (nationale amp internationale)
Services (According to the CERTCC model the US CERT)
Incident analysis Incident response on site Incident response support
Incident response
coordination Publish advisories or alerts
Vulnerability and Virus
handling
Provide and answer a
hotline Monitor IDS
Training or security
awareness
Technology watch or
monitoring service Track and trace intruders Penetration testing
Security policy development
Produce technical
documents Vulnerability assessments
Artifact analysis
Forensics evidence
collection Pursue legal investigations
Vulnerability scanning
Security product
development
Monitoring network and
system logs
Main services
Secondary services
29082019
12
World situation (2010) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
(technological and organizational aspects)
World situation (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
French CERTs (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
29082019
13
World situation (2018) source wwwfirstorg
World situation (2019) source wwwfirstorg
Objectif Geacuteneacuteral
eacutelever le niveau de seacutecuriteacute des SI tunisiens
Axes principaux
Mise agrave jour du cadre leacutegal
Mise en place des outils opeacuterationnels pour eacutevaluer et
suivre le processus de seacutecurisation des SI drsquoinstitutions
(publics amp priveacutes) obligation drsquoaudit seacutecuriteacute
Protection du cyber-espace national (Coordination
Assistance etc)
Deacuteveloppement du ldquoknow-howrdquo en IT Security (formation
RampD capaciteacutes open source)
Sensibilisation
Lrsquoexpeacuterience tunisienne
Strateacutegie en Cyber Security amp tunCERT
29082019
14
1999 2003 2004 2005 2006 2007 2008 2010
National Strategy
Awarness activities
National Survey
National project Wide Awareness
campaigns
High level decisions
Mailing-list
IS security Law
Creation of NACS Creation of cert-Tcc
Definition of the
administrative
Framework
Sensitive national
projects Developping IR
capabilities
Starting the
monitoring activities
Budget
Recruting technicall staff Setting up of SAHER
WSIS
Training activities (World
Bank)
Setting up of the
collaboration network Associative collaboration
website
Cert-Tcc joined the FIRST
Network NACS reached its maturity
International collaboration
Setting up of the Security
center facilities
NACS joined the network
of center of excellence (UNCTAD)
More training
Staff 3
Staff 5
Staff 6
Staff 15
Staff 25
Staff 42 Eacutevolution chronologique
OIC-CERT
Strong international collaboration
Staff 19
New services Staff 51
2010 2016 2019
investigation numeacuterique
Chambre blanche
Projet HoneyPotHoneyNet
Staff 51
Eacutevolution chronologique
Open data
Open gov
Staff 70
creacuteation de CERTs
sectoriels
Staff 70
Caracteacuteristiques
Constituency National CSIRT
Mission statement Defined by law protection of
the Tunisian cyberspace
Offered Services To be detailed
Funding Government
Revenue Free charge services
Number amp quality of employed
staff
50 for NACS
20 for tunCERT
Authority Partial authority (Law ndeg 52004)
Service hours 247
29082019
15
Gestion drsquoincidents (Incident Handling)
Reporting
Incident coordination
CSO CIO
CEO
Internal business managers
Human Resources Department
Physical Security Department
Audit or Risk Management Department
IT or Telecommunications Department
Legal Department
Public Relations Department
Marketing Department
Law Enforcement
Government organization agencies
Investigators
Other CERTs
Other security experts
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
8
Cyberseacutecuriteacute comment reacuteussir
doit ecirctre adresseacutee globalement
Les deacutecideurspolitiques doivent
deacutefinir une strateacutegie nationale en cyberseacutecuriteacute
fournir les ressources neacutecessaires agrave son
impleacutementation
Principes agrave admettre
Approche technologique insuffisante
Principe 1 le Risque Zeacutero nrsquoexiste pas mais on doit travailler agrave le minimiser et agrave limiter lrsquoimpact
Approche laquo Management du Risque raquo
Principe 2 la seacutecuriteacute est une chaicircne dont la force est celle de son maillon le plus faible
Approche globale de la seacutecuriteacute
Les 3 Piliers de la seacutecuriteacute des SI
la reacuteussite drsquoun processus de seacutecurisation repose sur
3 piliers
Technologie
outils TICSeacutecuriteacute etc
MeacutethodologieManagement
strateacutegies proceacutedures
reacuteglementation etc
Comportement social
Culture de la Cyber seacutecuriteacute
29082019
9
25
Systegraveme de Management de la Seacutecuriteacute de lrsquoInformation
Modegravele agrave suivre Modegravele PDCA de lrsquoISO 27001
Le SMSI une approche globale
Plan eacutetablir les objectifs conformeacutement aux risques exigences (correspondances objectifs lignes directrices)
Do impleacutementer et opeacuterer les fonctionnaliteacutes et proceacutedures
Check geacuterer les incidents les erreurs auditer
Act faire eacutevoluer la politique et les moyens conformeacutement aux besoins
26
La famille des normes
ISO 2700x
ISO 27001
SMSI
ISO 27006
Audit de SMSI
ISO 27000
Vocabulaire
ISO 27002 (17799)
Mesures de seacutecuriteacute
ISO 27003
Guide drsquoimpleacutementation
du SMSI
ISO 27007
Mesures PCA
ISO 27005
Risk Management
ISO 27004
Mesures et meacutetriques
Guides
2005 2007
2007
2007 or 2008
2005
Exigences
Bonnes pratiques
CERT hellip CSIRT
CERTCSIRT Computer Emergency Response Team
(Computer Security Incident Response Team)
CERTs Gouvernementaux Agences
o Technologies de la Communication Autoriteacute de reacutegulation
o Intelligence Deacutefense
o Police
CERTs speacutecialiseacutes
o Finance Opeacuterateurs Telecom Administration etc
29082019
10
Eleacutements drsquoune strateacutegie nationale
Deacutefinir un cadre leacutegal pour la cyberseacutecuriteacute
Proteacuteger le cyber-espace
Formation
R amp D (maicirctrise de la technologie)
Sensibilisation
Coopeacuteration internationale
Creacuteation de meacutecanismes drsquoexeacutecution et
drsquoimpleacutementation (Agences CERTs Task force
)
Cadre leacutegal pour la cyberseacutecuriteacute
Besoin drsquoun cadre leacutegal
Clarification des ldquocyberrdquo concepts (crime preuve
etc)
Quelles institutions quelles Responsabiliteacutes
Mesures opeacuterationelles et rocircle des CERTs
Aspects pratiques amp Application
coopeacuteration internationale
Outils drsquoimpleacutementation
Mise en place de CERTCSIRT (s)
Objectifs Scope amp Role
Gouvernemental
(administration Intelligence Deacutefense Police hellip)
Priveacute
(Finance teacuteleacutecom hellip)
29082019
11
Le rocircle drsquoun CERT
Fournir une reacuteponse immeacutediate et efficace agrave
un incident cyberneacutetique
Preacuteparer les institutions clients concerneacutes
agrave mieux geacuterer et traiter les cyber-menances
Missions drsquoun CERT
Deacutetection et Reacuteponse aux incidents
Veille amp Alerte
Gestion des incidents
Analyse des incidents
Investigation numeacuterique
Sensibilisation
Coopeacuteration (nationale amp internationale)
Services (According to the CERTCC model the US CERT)
Incident analysis Incident response on site Incident response support
Incident response
coordination Publish advisories or alerts
Vulnerability and Virus
handling
Provide and answer a
hotline Monitor IDS
Training or security
awareness
Technology watch or
monitoring service Track and trace intruders Penetration testing
Security policy development
Produce technical
documents Vulnerability assessments
Artifact analysis
Forensics evidence
collection Pursue legal investigations
Vulnerability scanning
Security product
development
Monitoring network and
system logs
Main services
Secondary services
29082019
12
World situation (2010) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
(technological and organizational aspects)
World situation (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
French CERTs (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
29082019
13
World situation (2018) source wwwfirstorg
World situation (2019) source wwwfirstorg
Objectif Geacuteneacuteral
eacutelever le niveau de seacutecuriteacute des SI tunisiens
Axes principaux
Mise agrave jour du cadre leacutegal
Mise en place des outils opeacuterationnels pour eacutevaluer et
suivre le processus de seacutecurisation des SI drsquoinstitutions
(publics amp priveacutes) obligation drsquoaudit seacutecuriteacute
Protection du cyber-espace national (Coordination
Assistance etc)
Deacuteveloppement du ldquoknow-howrdquo en IT Security (formation
RampD capaciteacutes open source)
Sensibilisation
Lrsquoexpeacuterience tunisienne
Strateacutegie en Cyber Security amp tunCERT
29082019
14
1999 2003 2004 2005 2006 2007 2008 2010
National Strategy
Awarness activities
National Survey
National project Wide Awareness
campaigns
High level decisions
Mailing-list
IS security Law
Creation of NACS Creation of cert-Tcc
Definition of the
administrative
Framework
Sensitive national
projects Developping IR
capabilities
Starting the
monitoring activities
Budget
Recruting technicall staff Setting up of SAHER
WSIS
Training activities (World
Bank)
Setting up of the
collaboration network Associative collaboration
website
Cert-Tcc joined the FIRST
Network NACS reached its maturity
International collaboration
Setting up of the Security
center facilities
NACS joined the network
of center of excellence (UNCTAD)
More training
Staff 3
Staff 5
Staff 6
Staff 15
Staff 25
Staff 42 Eacutevolution chronologique
OIC-CERT
Strong international collaboration
Staff 19
New services Staff 51
2010 2016 2019
investigation numeacuterique
Chambre blanche
Projet HoneyPotHoneyNet
Staff 51
Eacutevolution chronologique
Open data
Open gov
Staff 70
creacuteation de CERTs
sectoriels
Staff 70
Caracteacuteristiques
Constituency National CSIRT
Mission statement Defined by law protection of
the Tunisian cyberspace
Offered Services To be detailed
Funding Government
Revenue Free charge services
Number amp quality of employed
staff
50 for NACS
20 for tunCERT
Authority Partial authority (Law ndeg 52004)
Service hours 247
29082019
15
Gestion drsquoincidents (Incident Handling)
Reporting
Incident coordination
CSO CIO
CEO
Internal business managers
Human Resources Department
Physical Security Department
Audit or Risk Management Department
IT or Telecommunications Department
Legal Department
Public Relations Department
Marketing Department
Law Enforcement
Government organization agencies
Investigators
Other CERTs
Other security experts
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
9
25
Systegraveme de Management de la Seacutecuriteacute de lrsquoInformation
Modegravele agrave suivre Modegravele PDCA de lrsquoISO 27001
Le SMSI une approche globale
Plan eacutetablir les objectifs conformeacutement aux risques exigences (correspondances objectifs lignes directrices)
Do impleacutementer et opeacuterer les fonctionnaliteacutes et proceacutedures
Check geacuterer les incidents les erreurs auditer
Act faire eacutevoluer la politique et les moyens conformeacutement aux besoins
26
La famille des normes
ISO 2700x
ISO 27001
SMSI
ISO 27006
Audit de SMSI
ISO 27000
Vocabulaire
ISO 27002 (17799)
Mesures de seacutecuriteacute
ISO 27003
Guide drsquoimpleacutementation
du SMSI
ISO 27007
Mesures PCA
ISO 27005
Risk Management
ISO 27004
Mesures et meacutetriques
Guides
2005 2007
2007
2007 or 2008
2005
Exigences
Bonnes pratiques
CERT hellip CSIRT
CERTCSIRT Computer Emergency Response Team
(Computer Security Incident Response Team)
CERTs Gouvernementaux Agences
o Technologies de la Communication Autoriteacute de reacutegulation
o Intelligence Deacutefense
o Police
CERTs speacutecialiseacutes
o Finance Opeacuterateurs Telecom Administration etc
29082019
10
Eleacutements drsquoune strateacutegie nationale
Deacutefinir un cadre leacutegal pour la cyberseacutecuriteacute
Proteacuteger le cyber-espace
Formation
R amp D (maicirctrise de la technologie)
Sensibilisation
Coopeacuteration internationale
Creacuteation de meacutecanismes drsquoexeacutecution et
drsquoimpleacutementation (Agences CERTs Task force
)
Cadre leacutegal pour la cyberseacutecuriteacute
Besoin drsquoun cadre leacutegal
Clarification des ldquocyberrdquo concepts (crime preuve
etc)
Quelles institutions quelles Responsabiliteacutes
Mesures opeacuterationelles et rocircle des CERTs
Aspects pratiques amp Application
coopeacuteration internationale
Outils drsquoimpleacutementation
Mise en place de CERTCSIRT (s)
Objectifs Scope amp Role
Gouvernemental
(administration Intelligence Deacutefense Police hellip)
Priveacute
(Finance teacuteleacutecom hellip)
29082019
11
Le rocircle drsquoun CERT
Fournir une reacuteponse immeacutediate et efficace agrave
un incident cyberneacutetique
Preacuteparer les institutions clients concerneacutes
agrave mieux geacuterer et traiter les cyber-menances
Missions drsquoun CERT
Deacutetection et Reacuteponse aux incidents
Veille amp Alerte
Gestion des incidents
Analyse des incidents
Investigation numeacuterique
Sensibilisation
Coopeacuteration (nationale amp internationale)
Services (According to the CERTCC model the US CERT)
Incident analysis Incident response on site Incident response support
Incident response
coordination Publish advisories or alerts
Vulnerability and Virus
handling
Provide and answer a
hotline Monitor IDS
Training or security
awareness
Technology watch or
monitoring service Track and trace intruders Penetration testing
Security policy development
Produce technical
documents Vulnerability assessments
Artifact analysis
Forensics evidence
collection Pursue legal investigations
Vulnerability scanning
Security product
development
Monitoring network and
system logs
Main services
Secondary services
29082019
12
World situation (2010) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
(technological and organizational aspects)
World situation (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
French CERTs (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
29082019
13
World situation (2018) source wwwfirstorg
World situation (2019) source wwwfirstorg
Objectif Geacuteneacuteral
eacutelever le niveau de seacutecuriteacute des SI tunisiens
Axes principaux
Mise agrave jour du cadre leacutegal
Mise en place des outils opeacuterationnels pour eacutevaluer et
suivre le processus de seacutecurisation des SI drsquoinstitutions
(publics amp priveacutes) obligation drsquoaudit seacutecuriteacute
Protection du cyber-espace national (Coordination
Assistance etc)
Deacuteveloppement du ldquoknow-howrdquo en IT Security (formation
RampD capaciteacutes open source)
Sensibilisation
Lrsquoexpeacuterience tunisienne
Strateacutegie en Cyber Security amp tunCERT
29082019
14
1999 2003 2004 2005 2006 2007 2008 2010
National Strategy
Awarness activities
National Survey
National project Wide Awareness
campaigns
High level decisions
Mailing-list
IS security Law
Creation of NACS Creation of cert-Tcc
Definition of the
administrative
Framework
Sensitive national
projects Developping IR
capabilities
Starting the
monitoring activities
Budget
Recruting technicall staff Setting up of SAHER
WSIS
Training activities (World
Bank)
Setting up of the
collaboration network Associative collaboration
website
Cert-Tcc joined the FIRST
Network NACS reached its maturity
International collaboration
Setting up of the Security
center facilities
NACS joined the network
of center of excellence (UNCTAD)
More training
Staff 3
Staff 5
Staff 6
Staff 15
Staff 25
Staff 42 Eacutevolution chronologique
OIC-CERT
Strong international collaboration
Staff 19
New services Staff 51
2010 2016 2019
investigation numeacuterique
Chambre blanche
Projet HoneyPotHoneyNet
Staff 51
Eacutevolution chronologique
Open data
Open gov
Staff 70
creacuteation de CERTs
sectoriels
Staff 70
Caracteacuteristiques
Constituency National CSIRT
Mission statement Defined by law protection of
the Tunisian cyberspace
Offered Services To be detailed
Funding Government
Revenue Free charge services
Number amp quality of employed
staff
50 for NACS
20 for tunCERT
Authority Partial authority (Law ndeg 52004)
Service hours 247
29082019
15
Gestion drsquoincidents (Incident Handling)
Reporting
Incident coordination
CSO CIO
CEO
Internal business managers
Human Resources Department
Physical Security Department
Audit or Risk Management Department
IT or Telecommunications Department
Legal Department
Public Relations Department
Marketing Department
Law Enforcement
Government organization agencies
Investigators
Other CERTs
Other security experts
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
10
Eleacutements drsquoune strateacutegie nationale
Deacutefinir un cadre leacutegal pour la cyberseacutecuriteacute
Proteacuteger le cyber-espace
Formation
R amp D (maicirctrise de la technologie)
Sensibilisation
Coopeacuteration internationale
Creacuteation de meacutecanismes drsquoexeacutecution et
drsquoimpleacutementation (Agences CERTs Task force
)
Cadre leacutegal pour la cyberseacutecuriteacute
Besoin drsquoun cadre leacutegal
Clarification des ldquocyberrdquo concepts (crime preuve
etc)
Quelles institutions quelles Responsabiliteacutes
Mesures opeacuterationelles et rocircle des CERTs
Aspects pratiques amp Application
coopeacuteration internationale
Outils drsquoimpleacutementation
Mise en place de CERTCSIRT (s)
Objectifs Scope amp Role
Gouvernemental
(administration Intelligence Deacutefense Police hellip)
Priveacute
(Finance teacuteleacutecom hellip)
29082019
11
Le rocircle drsquoun CERT
Fournir une reacuteponse immeacutediate et efficace agrave
un incident cyberneacutetique
Preacuteparer les institutions clients concerneacutes
agrave mieux geacuterer et traiter les cyber-menances
Missions drsquoun CERT
Deacutetection et Reacuteponse aux incidents
Veille amp Alerte
Gestion des incidents
Analyse des incidents
Investigation numeacuterique
Sensibilisation
Coopeacuteration (nationale amp internationale)
Services (According to the CERTCC model the US CERT)
Incident analysis Incident response on site Incident response support
Incident response
coordination Publish advisories or alerts
Vulnerability and Virus
handling
Provide and answer a
hotline Monitor IDS
Training or security
awareness
Technology watch or
monitoring service Track and trace intruders Penetration testing
Security policy development
Produce technical
documents Vulnerability assessments
Artifact analysis
Forensics evidence
collection Pursue legal investigations
Vulnerability scanning
Security product
development
Monitoring network and
system logs
Main services
Secondary services
29082019
12
World situation (2010) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
(technological and organizational aspects)
World situation (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
French CERTs (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
29082019
13
World situation (2018) source wwwfirstorg
World situation (2019) source wwwfirstorg
Objectif Geacuteneacuteral
eacutelever le niveau de seacutecuriteacute des SI tunisiens
Axes principaux
Mise agrave jour du cadre leacutegal
Mise en place des outils opeacuterationnels pour eacutevaluer et
suivre le processus de seacutecurisation des SI drsquoinstitutions
(publics amp priveacutes) obligation drsquoaudit seacutecuriteacute
Protection du cyber-espace national (Coordination
Assistance etc)
Deacuteveloppement du ldquoknow-howrdquo en IT Security (formation
RampD capaciteacutes open source)
Sensibilisation
Lrsquoexpeacuterience tunisienne
Strateacutegie en Cyber Security amp tunCERT
29082019
14
1999 2003 2004 2005 2006 2007 2008 2010
National Strategy
Awarness activities
National Survey
National project Wide Awareness
campaigns
High level decisions
Mailing-list
IS security Law
Creation of NACS Creation of cert-Tcc
Definition of the
administrative
Framework
Sensitive national
projects Developping IR
capabilities
Starting the
monitoring activities
Budget
Recruting technicall staff Setting up of SAHER
WSIS
Training activities (World
Bank)
Setting up of the
collaboration network Associative collaboration
website
Cert-Tcc joined the FIRST
Network NACS reached its maturity
International collaboration
Setting up of the Security
center facilities
NACS joined the network
of center of excellence (UNCTAD)
More training
Staff 3
Staff 5
Staff 6
Staff 15
Staff 25
Staff 42 Eacutevolution chronologique
OIC-CERT
Strong international collaboration
Staff 19
New services Staff 51
2010 2016 2019
investigation numeacuterique
Chambre blanche
Projet HoneyPotHoneyNet
Staff 51
Eacutevolution chronologique
Open data
Open gov
Staff 70
creacuteation de CERTs
sectoriels
Staff 70
Caracteacuteristiques
Constituency National CSIRT
Mission statement Defined by law protection of
the Tunisian cyberspace
Offered Services To be detailed
Funding Government
Revenue Free charge services
Number amp quality of employed
staff
50 for NACS
20 for tunCERT
Authority Partial authority (Law ndeg 52004)
Service hours 247
29082019
15
Gestion drsquoincidents (Incident Handling)
Reporting
Incident coordination
CSO CIO
CEO
Internal business managers
Human Resources Department
Physical Security Department
Audit or Risk Management Department
IT or Telecommunications Department
Legal Department
Public Relations Department
Marketing Department
Law Enforcement
Government organization agencies
Investigators
Other CERTs
Other security experts
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
11
Le rocircle drsquoun CERT
Fournir une reacuteponse immeacutediate et efficace agrave
un incident cyberneacutetique
Preacuteparer les institutions clients concerneacutes
agrave mieux geacuterer et traiter les cyber-menances
Missions drsquoun CERT
Deacutetection et Reacuteponse aux incidents
Veille amp Alerte
Gestion des incidents
Analyse des incidents
Investigation numeacuterique
Sensibilisation
Coopeacuteration (nationale amp internationale)
Services (According to the CERTCC model the US CERT)
Incident analysis Incident response on site Incident response support
Incident response
coordination Publish advisories or alerts
Vulnerability and Virus
handling
Provide and answer a
hotline Monitor IDS
Training or security
awareness
Technology watch or
monitoring service Track and trace intruders Penetration testing
Security policy development
Produce technical
documents Vulnerability assessments
Artifact analysis
Forensics evidence
collection Pursue legal investigations
Vulnerability scanning
Security product
development
Monitoring network and
system logs
Main services
Secondary services
29082019
12
World situation (2010) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
(technological and organizational aspects)
World situation (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
French CERTs (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
29082019
13
World situation (2018) source wwwfirstorg
World situation (2019) source wwwfirstorg
Objectif Geacuteneacuteral
eacutelever le niveau de seacutecuriteacute des SI tunisiens
Axes principaux
Mise agrave jour du cadre leacutegal
Mise en place des outils opeacuterationnels pour eacutevaluer et
suivre le processus de seacutecurisation des SI drsquoinstitutions
(publics amp priveacutes) obligation drsquoaudit seacutecuriteacute
Protection du cyber-espace national (Coordination
Assistance etc)
Deacuteveloppement du ldquoknow-howrdquo en IT Security (formation
RampD capaciteacutes open source)
Sensibilisation
Lrsquoexpeacuterience tunisienne
Strateacutegie en Cyber Security amp tunCERT
29082019
14
1999 2003 2004 2005 2006 2007 2008 2010
National Strategy
Awarness activities
National Survey
National project Wide Awareness
campaigns
High level decisions
Mailing-list
IS security Law
Creation of NACS Creation of cert-Tcc
Definition of the
administrative
Framework
Sensitive national
projects Developping IR
capabilities
Starting the
monitoring activities
Budget
Recruting technicall staff Setting up of SAHER
WSIS
Training activities (World
Bank)
Setting up of the
collaboration network Associative collaboration
website
Cert-Tcc joined the FIRST
Network NACS reached its maturity
International collaboration
Setting up of the Security
center facilities
NACS joined the network
of center of excellence (UNCTAD)
More training
Staff 3
Staff 5
Staff 6
Staff 15
Staff 25
Staff 42 Eacutevolution chronologique
OIC-CERT
Strong international collaboration
Staff 19
New services Staff 51
2010 2016 2019
investigation numeacuterique
Chambre blanche
Projet HoneyPotHoneyNet
Staff 51
Eacutevolution chronologique
Open data
Open gov
Staff 70
creacuteation de CERTs
sectoriels
Staff 70
Caracteacuteristiques
Constituency National CSIRT
Mission statement Defined by law protection of
the Tunisian cyberspace
Offered Services To be detailed
Funding Government
Revenue Free charge services
Number amp quality of employed
staff
50 for NACS
20 for tunCERT
Authority Partial authority (Law ndeg 52004)
Service hours 247
29082019
15
Gestion drsquoincidents (Incident Handling)
Reporting
Incident coordination
CSO CIO
CEO
Internal business managers
Human Resources Department
Physical Security Department
Audit or Risk Management Department
IT or Telecommunications Department
Legal Department
Public Relations Department
Marketing Department
Law Enforcement
Government organization agencies
Investigators
Other CERTs
Other security experts
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
12
World situation (2010) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
(technological and organizational aspects)
World situation (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
French CERTs (2016) source wwwfirstorg
Need for operational Cybersecurity Centers (CERTs)
29082019
13
World situation (2018) source wwwfirstorg
World situation (2019) source wwwfirstorg
Objectif Geacuteneacuteral
eacutelever le niveau de seacutecuriteacute des SI tunisiens
Axes principaux
Mise agrave jour du cadre leacutegal
Mise en place des outils opeacuterationnels pour eacutevaluer et
suivre le processus de seacutecurisation des SI drsquoinstitutions
(publics amp priveacutes) obligation drsquoaudit seacutecuriteacute
Protection du cyber-espace national (Coordination
Assistance etc)
Deacuteveloppement du ldquoknow-howrdquo en IT Security (formation
RampD capaciteacutes open source)
Sensibilisation
Lrsquoexpeacuterience tunisienne
Strateacutegie en Cyber Security amp tunCERT
29082019
14
1999 2003 2004 2005 2006 2007 2008 2010
National Strategy
Awarness activities
National Survey
National project Wide Awareness
campaigns
High level decisions
Mailing-list
IS security Law
Creation of NACS Creation of cert-Tcc
Definition of the
administrative
Framework
Sensitive national
projects Developping IR
capabilities
Starting the
monitoring activities
Budget
Recruting technicall staff Setting up of SAHER
WSIS
Training activities (World
Bank)
Setting up of the
collaboration network Associative collaboration
website
Cert-Tcc joined the FIRST
Network NACS reached its maturity
International collaboration
Setting up of the Security
center facilities
NACS joined the network
of center of excellence (UNCTAD)
More training
Staff 3
Staff 5
Staff 6
Staff 15
Staff 25
Staff 42 Eacutevolution chronologique
OIC-CERT
Strong international collaboration
Staff 19
New services Staff 51
2010 2016 2019
investigation numeacuterique
Chambre blanche
Projet HoneyPotHoneyNet
Staff 51
Eacutevolution chronologique
Open data
Open gov
Staff 70
creacuteation de CERTs
sectoriels
Staff 70
Caracteacuteristiques
Constituency National CSIRT
Mission statement Defined by law protection of
the Tunisian cyberspace
Offered Services To be detailed
Funding Government
Revenue Free charge services
Number amp quality of employed
staff
50 for NACS
20 for tunCERT
Authority Partial authority (Law ndeg 52004)
Service hours 247
29082019
15
Gestion drsquoincidents (Incident Handling)
Reporting
Incident coordination
CSO CIO
CEO
Internal business managers
Human Resources Department
Physical Security Department
Audit or Risk Management Department
IT or Telecommunications Department
Legal Department
Public Relations Department
Marketing Department
Law Enforcement
Government organization agencies
Investigators
Other CERTs
Other security experts
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
13
World situation (2018) source wwwfirstorg
World situation (2019) source wwwfirstorg
Objectif Geacuteneacuteral
eacutelever le niveau de seacutecuriteacute des SI tunisiens
Axes principaux
Mise agrave jour du cadre leacutegal
Mise en place des outils opeacuterationnels pour eacutevaluer et
suivre le processus de seacutecurisation des SI drsquoinstitutions
(publics amp priveacutes) obligation drsquoaudit seacutecuriteacute
Protection du cyber-espace national (Coordination
Assistance etc)
Deacuteveloppement du ldquoknow-howrdquo en IT Security (formation
RampD capaciteacutes open source)
Sensibilisation
Lrsquoexpeacuterience tunisienne
Strateacutegie en Cyber Security amp tunCERT
29082019
14
1999 2003 2004 2005 2006 2007 2008 2010
National Strategy
Awarness activities
National Survey
National project Wide Awareness
campaigns
High level decisions
Mailing-list
IS security Law
Creation of NACS Creation of cert-Tcc
Definition of the
administrative
Framework
Sensitive national
projects Developping IR
capabilities
Starting the
monitoring activities
Budget
Recruting technicall staff Setting up of SAHER
WSIS
Training activities (World
Bank)
Setting up of the
collaboration network Associative collaboration
website
Cert-Tcc joined the FIRST
Network NACS reached its maturity
International collaboration
Setting up of the Security
center facilities
NACS joined the network
of center of excellence (UNCTAD)
More training
Staff 3
Staff 5
Staff 6
Staff 15
Staff 25
Staff 42 Eacutevolution chronologique
OIC-CERT
Strong international collaboration
Staff 19
New services Staff 51
2010 2016 2019
investigation numeacuterique
Chambre blanche
Projet HoneyPotHoneyNet
Staff 51
Eacutevolution chronologique
Open data
Open gov
Staff 70
creacuteation de CERTs
sectoriels
Staff 70
Caracteacuteristiques
Constituency National CSIRT
Mission statement Defined by law protection of
the Tunisian cyberspace
Offered Services To be detailed
Funding Government
Revenue Free charge services
Number amp quality of employed
staff
50 for NACS
20 for tunCERT
Authority Partial authority (Law ndeg 52004)
Service hours 247
29082019
15
Gestion drsquoincidents (Incident Handling)
Reporting
Incident coordination
CSO CIO
CEO
Internal business managers
Human Resources Department
Physical Security Department
Audit or Risk Management Department
IT or Telecommunications Department
Legal Department
Public Relations Department
Marketing Department
Law Enforcement
Government organization agencies
Investigators
Other CERTs
Other security experts
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
14
1999 2003 2004 2005 2006 2007 2008 2010
National Strategy
Awarness activities
National Survey
National project Wide Awareness
campaigns
High level decisions
Mailing-list
IS security Law
Creation of NACS Creation of cert-Tcc
Definition of the
administrative
Framework
Sensitive national
projects Developping IR
capabilities
Starting the
monitoring activities
Budget
Recruting technicall staff Setting up of SAHER
WSIS
Training activities (World
Bank)
Setting up of the
collaboration network Associative collaboration
website
Cert-Tcc joined the FIRST
Network NACS reached its maturity
International collaboration
Setting up of the Security
center facilities
NACS joined the network
of center of excellence (UNCTAD)
More training
Staff 3
Staff 5
Staff 6
Staff 15
Staff 25
Staff 42 Eacutevolution chronologique
OIC-CERT
Strong international collaboration
Staff 19
New services Staff 51
2010 2016 2019
investigation numeacuterique
Chambre blanche
Projet HoneyPotHoneyNet
Staff 51
Eacutevolution chronologique
Open data
Open gov
Staff 70
creacuteation de CERTs
sectoriels
Staff 70
Caracteacuteristiques
Constituency National CSIRT
Mission statement Defined by law protection of
the Tunisian cyberspace
Offered Services To be detailed
Funding Government
Revenue Free charge services
Number amp quality of employed
staff
50 for NACS
20 for tunCERT
Authority Partial authority (Law ndeg 52004)
Service hours 247
29082019
15
Gestion drsquoincidents (Incident Handling)
Reporting
Incident coordination
CSO CIO
CEO
Internal business managers
Human Resources Department
Physical Security Department
Audit or Risk Management Department
IT or Telecommunications Department
Legal Department
Public Relations Department
Marketing Department
Law Enforcement
Government organization agencies
Investigators
Other CERTs
Other security experts
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
15
Gestion drsquoincidents (Incident Handling)
Reporting
Incident coordination
CSO CIO
CEO
Internal business managers
Human Resources Department
Physical Security Department
Audit or Risk Management Department
IT or Telecommunications Department
Legal Department
Public Relations Department
Marketing Department
Law Enforcement
Government organization agencies
Investigators
Other CERTs
Other security experts
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
16
Collaboration network
Collaboration
program
Antivirus suppliers haythem el mir
Equipments constructors
Publication of vulnerabilities
exploits 0days
Professional
community
Watch professionals Trend
indicators
Collect
information
Veille technologique (Watch)
httpwwwzone-horgarchive
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
17
Cas de webdefacements wwwleageryfr
Alert amp warning process
Vulnerability Malware Attack
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
18
Acteurs du processus drsquoAlerte
Managers Decision makers
Web masters Security
Admin Developers
Internet Community
Internet Services Providers
Mailing List Web Site Call Center Media (TV Radio Press)
-
SCP
Professional
community
Antivirus
suppliers
Vulnerabilities
exploits 0days
Collaboration network
Veille Plateforme drsquooutils
laquo Saher raquo Une solution deacuteveloppeacutee par tunCERT
Systegraveme SAHER missions
ISAC
SAHER
Monitoring System
Call center
Incident declaration
ISPs amp Data Centers
Antivirus venders alerts
Software venders alerts
CERTs alerts
Security Mailing-lists
Potential big Threats
Massive attacks
Virus spread
Web defacement
System breakdown
Botnets
Intrusions
Information sources Identified events
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
19
SAHER The technical platform
Saher ndash Web DotTN Web Sites monitoring
Saher ndash SRV Internet services
availability monitoring (Mail server
DNShellip)
SAHERndashIDS Massive attack detection
bull Web defacement
bull DoS Web
bull Deterioration of web access
bullhellip
bull Mail Bombing
bullBreakdown of DNS servers
bull DNS POISONINGhellip
bull Viral attack
bull Intrusion
bull DDoS
bull hellip
Syste
m d
evelo
ped
based
on
a s
et o
f Op
en
So
urc
e to
ols
SAHERndashHONEYNET Malware gathering bull Viral attack
bull Scan
bull Possible attacks
Saher ndash Web Supervision des sites Web nationaux
Partenaire FSI
tunCERT
Phase drsquoenregistrement
Partenaire FSI
=
tunCERT
Phase de veacuterification
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
20
Partenaire FSI
=
FSI Partenaire
tunCERT
Phase drsquoAlerteReacuteaction
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Serveur Mail
Serveur DNS
Routeur
ATI CCK
Gnet Planet
TopNet
tunCERT
Serveur Mail
Serveur DNS
Routeur
ATI CCK
TopNet
FSI Partenaire
tunCERT
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
21
Saher ndash IDS Deacutetection des attaques massives
Partenaire FSI
Ministegravere Data Center
tunCERT
Partenaire FSI
Ministegravere Data Center
tunCERT
Saher ndash Web Supervision des sites Web nationaux
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
22
Saher ndash SRV Supervision de la disponibiliteacute des services
Internet (serveur Mail DNS hellip)
Saher ndash IDS Deacutetection des attaques massives
NACS acts as a Security Expert for the government It is involved in the main national IT projects E-Government
- Madania (civil information system) - INSAF (carrier management system for public employees) - ADEB (public budget management system) - National Backup Center - Social management systems
E- (Justice health handicap hellip) LA POSTE (e-dinar) EDUNET (education systems) University systems
-Orientation -Inscription -Student portal
Projets Nationaux
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
23
Awareness Training Children and parents Home users
Professional Training Security management Security audit Standards and
methods Risk assessment Network security risk and solutions Open source for security Web security cryptography Business continuity amp disaster recovery Incident handling amp computer forensics Vulnerability assessment and Pentesting hellip
Formation amp Assistance
Security policies Security Audit Guides Terms of reference models for security solution Best practices (IIS Apache CISCO hellip)
Vulnerability assessment methodology Penetration test methodology Open source security tools guides
Assistance
Formation
- ldquoFormalrdquo Global Reaction Plan
- Establishment of Coordinating
Crisis Cells ( ISPs IDCs Acess
Providers)
With tunCERT acting as a
coordinator between them
Plan de Reacuteaction National
Cert-Tcc
ISPs
NACS
Administration
Telecom
Operators
Media
Vendors
Industry
Sectors
Finance and Banks
Health
Sector
Transport
Sector
coordination Deployed several times
2004 African Football Cup
2004 5+5 summit
2004 Sasser amp MyDoom worms
2004 Presidential election
2005 Suspicious hacking activity 2005
2005 WSIS
2005 Arab League Meeting
2006 Hand Ball World Cup
2009 Conficker
Sensibilisation (Awareness)
+ Decision makers
+ Professionals
+ Teachers
+ Students
+ Home users
+ Journalists
+ Lawyers
+ Customers
Awareness material
Flyers Posters
Cartoon Video Spot Radio Emission
Emails
Attack Simulation Guide
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention
29082019
24
Defined strategy with clear objectives
Having the power of law and the high level support
Limited resources (Adopting a low cost approach
open source)
Making the awareness as one the first priorities
Improving Training and education
Providing free technical support (Incident
management capabilities)
Conclusion
merci de votre attention