2015 | Weekly Column | Challenges in the Role of National CERT of Thailand

Challenges in the Role of National CERT of Thailand
ThaiCERT
Thailand's readiness to cope with cyber threats is still limited in many ways, while complex threats keep appearing in novel forms. One example is the discovery in 2015 of a trojaned version of Xcode, Apple's development toolchain for iOS and OS X (the incident known as XcodeGhost): developers unknowingly compiled iOS apps with the modified Xcode and distributed the infected apps through the App Store, reportedly affecting more than 500 million iOS users. Reports from several sources have also indicated that Thailand is at relatively high risk of being a primary target of various threats.

The International Institute for Management Development (IMD) assesses cybersecurity as one criterion of national competitiveness in its annual World Competitiveness Rankings. In the 2015 edition Thailand ranked 30th of the 61 economies covered on this criterion, and third among ASEAN countries after Singapore and Malaysia.

Moreover, the Anti-Phishing Working Group (APWG) reported that the share of websites used to host phishing, relative to the overall number of domains registered in Thailand, was among the highest of any country. These facts show that Thailand is in an alarming situation and at high risk. Preventing security threats and taking countermeasures in a timely manner is therefore essential, so that emergency measures are in place before damage spreads. Operating as a Computer Emergency Response Team (CERT), ThaiCERT is recognized as the country's coordination point for incident handling, both with domestic organizations and, through the global network of CERTs, with other countries. A national CERT is thus one of the most important mechanisms in the fight against cyber threats, which can affect every country connected to the internet.

The CERT of each country must develop practical guidelines for coping with threats as early as possible and for minimizing damage, drawing on policies, systems, tools and experts who are ready to respond immediately when an incident occurs.

ThaiCERT has developed and operates a notification system for handling important incidents, such as phishing campaigns against Thai banks, and performs malware analysis. ThaiCERT has also promoted the development of staff with specific expertise, who have been trained and internationally certified, and has driven cooperation with international organizations as well as national agencies.

Its domestic work includes training and seminars for executives and information security personnel in both the public and private sectors, so that they are prepared for and aware of threats and informed of the necessary precautions. This applies especially to agencies that form part of the national infrastructure and the financial sector, which must provide services securely 24 hours a day. The aim is to build public confidence in electronic transactions and to maintain the country's reputation abroad over the long term.

ThaiCERT's service level agreement (SLA) commits it to begin handling a reported incident within two business days. It has developed information systems to streamline its incident handling service so that threats can be resolved at the national level, and has focused on developing the skills of technical staff to analyze new and complex threats that may affect the country's key information systems. Most important of all is expanding cooperation with international CERTs, especially those in countries whose attackers have frequently used Thai systems as a base for attacks.

Looking ahead, ThaiCERT will build on its existing work, moving from providing technical support to individual organizations to monitoring the overall cybersecurity posture of the country in the role of National CERT. This is a proactive development intended to fully support the work of the government and the implementation of national cybersecurity policy.

The primary targets for the near future are as follows.

1. Advancing ThaiCERT to act as the Cybersecurity Center of Command in the role of the National CERT
This requires a management structure and an integrated policy for cybersecurity protection in the country. It also requires preparing a national policy to handle, prevent and reduce the risk of cyber threat scenarios that may occur at any time, including a set of guidelines and measures in compliance with the cybersecurity policy framework defined by the National Cybersecurity Committee, and pushing for that policy to be implemented.

2. The development of report/response processes for incidents that may affect the national cybersecurity
(the National Incident Response Flow, or National IR Flow) between the agencies involved. The flow consists of four main steps:

1) Detection of an incident,
2) Preliminary analysis and assessment,
3) Reporting of the threat at each level of escalation, up to the policy level,
4) Confirmation of the analysis results, and follow-up.

The aim is to disseminate important information to all relevant agencies and to link their work across systems, and to push for the National IR Flow to be internationally recognized and put into practice in earnest.

3. Building cybersecurity at key organizations,
such as the banking sector, national infrastructure operators and security-related agencies, by pushing for the establishment of strong sector-based CERTs that cooperate with ThaiCERT and the key organizations in handling threats, and by developing a network for exchanging information on threats that have emerged and affected domestic organizations.

4. The preparation of the national business continuity plan
(NBCP) as a mechanism for maintaining the availability of business in the country, a key component of cybersecurity, and encouraging the development and practical use of BCPs in all sectors, governmental and private alike.

5. Creating readiness in handling incidents
in terms of both experts and tools, to be on par with other ASEAN countries. This also includes creating a database and a method for exchanging incident information with all ISPs in Thailand, so that the shared data can be used to prevent or contain the impact of an incident and limit the damage before it spreads.

6. Increasing the capability and variety of the incident handling systems
as well as the availability of critical systems, in line with the needs of organizations, especially those classified as critical infrastructure, where an incident can affect national security, public order or the public at large. The focus will therefore be on monitoring the websites of important organizations, developing protection against distributed denial of service (DDoS) attacks, and developing systems for threat analysis and research.