Cyber Security in Ukraine
A First-Hand Account
Major incidents: Petya-A/NotPetya
Major incidents: BlackEnergy 2015/2016
Major incidents: Financial institutions
Major incidents: Military conflict times
Major incidents: Maidan times
Ukraine cyber-security regulations
Ukraine cyber-security state entities
SWOT of Ukrainian cyber-security
Cooperation with NATO, EU, UK, US:
- EU Common Security and Defense Policy (CSDP)
- NATO Cyber Defense Trust Fund
- UK Cyber Security Capacity Building Programme
- US cyber-security assistance
Contact me: gpaharenko ([at]) gmail.com
WELCOME TO KYIV


Editor's Notes

  1. Petya-A/NotPetya
     - In a large number of affected enterprises, critical business processes were stopped for 1-2 days; in many cases several weeks were required to fully recover operations.
     - Losses amounted to up to 0.5% of the country's GDP.
     - The backdoor used to compromise users of the tax reporting software received a Pwnie Award at the Black Hat conference.
     - The first attack attempts started a month before the main attack.
     - The tax reporting software vendor denied that the backdoor existed.
     - The WannaCry lessons were not learned: many systems were still not properly patched.
     - The tax reporting software service, or its user account, usually had full rights on the system, which facilitated the attack.
     - Companies that kept their critical networks isolated suffered less damage.
     - Background: the Internet in Ukraine dates from 1990, the national CERT team from 2007, and a world-record 100 Gb/s DDoS attack was recorded in 2010.
  2. BlackEnergy 2015/2016
     - The power grids were stopped for several hours, which could have led to a humanitarian disaster because of the winter frost.
     - The incidents repeated in 2015 and 2016 in the same period of the year.
     - The power grid management systems were not separated from the Internet.
     - Power supply was resumed only by switching to "manual mode".
     - Power system operators thought their PCs were being operated by local "IT guys".
     - The PR services of the affected organizations worked inefficiently.
     - Attackers were active on the network for several months.
     - Attackers had private tools for attacks on industrial systems.
     - There were perhaps several independent groups of attackers, representing different intelligence services.
  3. Financial institutions
     - Losses reached millions of USD.
     - Attackers studied the institutions' systems and processes for many months.
     - The InfoSec departments of the institutions initially chose the wrong approach, an internal fraud investigation.
     - Improper internal investigation activities led to the loss of digital evidence.
     - Timely manual monitoring of financial accounts made it possible to identify further malicious activity.
     - The attackers knew payment systems and ATM protocols well.
  4. Maidan times
     - Multi-week denial of service (DoS) attacks on websites.
     - Attackers constantly changed tactics.
     - Websites were not ready to defend against the attacks.
     - Personal e-mail and social network accounts were under attack.
     - Mobile phones were also targets.
     - In the center of Kyiv, demonstrators seized the room used for power systems management.
  5. Main regulations
     - The cyber-security strategy, approved by the President in 2016 [1]
     - The cyber-security strategy implementation plans, approved by the Cabinet of Ministers [2, 3]
     - The sanctions list, which bans Russian IT companies and social networks [4]
     - The President's decree on the national cyber-security center [5]
     - The National Security Council decisions on urgent cyber-security measures [6, 7]
     - The National Law on Cybersecurity [8]
     Some other important regulations:
     - Law on personal data protection
     - EU cyber-crime convention
     - National technical standards on information security and cryptography
     [1] http://www.president.gov.ua/documents/962016-19836
     [2] http://zakon2.rada.gov.ua/laws/show/440-2016-%D1%80
     [3] http://zakon2.rada.gov.ua/laws/show/155-2017-%D1%80#n13
     [4] http://www.president.gov.ua/documents/1332017-21850
     [5] http://www.president.gov.ua/documents/2422016-20141
     [6] http://zakon2.rada.gov.ua/laws/show/n0015525-16/paran2#n2
     [7] http://www.rnbo.gov.ua/documents/447.html
     [8] http://zakon3.rada.gov.ua/laws/show/2163-19
  6. Main entities
     - The Information Security Authority [1] and its CERT team [2]
     - The Security Service of Ukraine and its cyber-security situational centers [3]
     - The Cybercrime police unit [4]
     - The State Concern Ukroboronprom (Ukrainian Defence Industry) cybersecurity center [5]
     - The Military center of information and cyber security [6]
     - The National coordination center on cyber-security (governed by the National Security Council)
     - The National Bank of Ukraine (only for financial institutions)
     [1] http://dsszzi.gov.ua
     [2] http://cert.gov.ua
     [3] https://ssu.gov.ua/ua/news/1/category/2/view/3668#.i42HGqpp.dpbs
     [4] http://cybercrime.gov.ua
     [5] http://cyberguard.com.ua
     [6] http://www.mil.gov.ua/ukbs/pravila-informaczijnoi-ta-kibernetichnoi-bezpeki-v-zoni-provedennya-ato.html
  7. SWOT of Ukrainian cyber-security
     - The actors behind the major incidents were not properly identified and prosecuted.
     - No proper prediction of major incidents.
     - Ukrainian authorities are not capable of investigating complex malware or SCADA malware on their own.
     - The national cyber-security system is still immature; national cyber-security standards are about 20 years old or even refer to USSR standards.
     - The high level of corruption does not allow effective investment in national cyber-security.
     - Personal data in state databases has very weak protection.
     - E-government systems and IT controls either do not work or are effectively bypassed by public servants.
     - Insufficient salaries for cyber-security professionals in state agencies (up to several hundred USD per month).
     - The state information security authority has a conflict of interest, as it both sets the rules and checks compliance against them.
     Development of national security capabilities:
     - State demand for world-class security products and services
     - Educational programs to create a generation of reverse-engineering and cyber-security experts
     - The highest requirements for cyber-security specialists in state agencies and among national cyber-security actors
     - Creation of national security tools and research centers (e.g. SCADA system labs)
     - National cryptography development
     - A national cyber-security audit strategy for critical infrastructure assets
     - Effective IT governance at state agencies
     - Improvement of culture and ethics at state agencies
     - Proper cyber-risk management and accountability of state agency officials for failures
     - Overall improvement of state agency efficiency, with continuous audit and monitoring
     - Independence of critical infrastructure cyber-security from the centralized information security authority
     - Improved security of the supply chain for IT goods and services
     - A lack of skilled people, or even people who know English well, in cyber-security positions at state agencies and national cyber-security actors
     - Hardware and software security verification is at the lowest level
     - A lack of accountability for cyber-security failures, and a lack of due care and due diligence from agency heads
     - High dependency of the IT supply chain on one neighboring country
     - The majority of Internet traffic is still routed through that one neighboring country
     - No civil society control over, and no sufficient limits on, lawful interception activities
     - Corrupt officials from law enforcement agencies often seize all IT equipment in companies and demand bribes to return it
     - Clean the national Internet segment of infected and misconfigured devices that facilitate cyber-attacks
     - Remove cracked/pirated software from public systems
     - Implement continuity standards for media and telecoms in locations affected by the hybrid war
     - Implement effective filtering mechanisms at the national Internet traffic exchange points
     - Ensure availability of redundant Internet routes throughout the country
     - Improve capabilities for sharing digital evidence and threat indicators
     - Implement effective civil society controls over unauthorised interception and collection of data
     - Provide resources for the military and security services to effectively conduct forensics and memory acquisition of IT devices in the conflict zones
  8. Cooperation with NATO, EU, UK, US
     Support from donors:
     - Participation in the EU Common Security and Defense Policy (CSDP)
     - NATO Cyber Defense Trust Fund
     - Participation in the UK Cyber Security Capacity Building Programme
     - US cyber-security assistance
     Involvement of Ukraine in UK, EU, US and NATO projects:
     - Procurement of cyber-security services and goods in Ukraine
     - Support for Ukrainian dominance in the Russian-speaking Internet media segment
     - Outsourcing of cyber-security operations to Ukraine
     - Joint research programs with Ukrainian institutions; potential areas are:
       - Nuclear plant cyber-security
       - Military cyber-security
       - Cryptography (Ukraine has a strong crypto and math school inherited from the USSR)