OAS-FIRST Cybersecurity Technical Colloquium 2015 Report


Table of Contents

Acknowledgement
Introduction
Setting the Stage - An Overview
    Track 1 – Incident Response
    Track 2 – Law Enforcement
    Track 3 – Critical Infrastructure Protection
    Key Takeaways
Cybersecurity Strategies, Partnerships and International Cooperation
Working Groups
    Incident Response
    Critical Infrastructure Protection
    Law Enforcement
A Focus on Cybersecurity Awareness


Acknowledgement

The Executive Secretariat of the Inter-American Committee against Terrorism (CICTE) of the Organization of American States (OAS) would like to extend sincere thanks to the governments of Canada, Estonia, the United Kingdom and the United States for their financial support to its Cybersecurity Program. In addition, CICTE would like to thank all the experts and institutions who participated in the OAS-FIRST Technical Colloquium and Cybersecurity Workshop for their invaluable contribution to the success of the event.


Introduction

Just as the Internet has facilitated global connectivity like never before, so have cybersecurity threats proliferated and intensified. From remote locations, cybercriminals and other cyberattack instigators are able to design malware that infects computers and mobile devices, launch attacks on SCADA and other industrial control systems and steal companies’ and individuals’ financial and personal data. Although no country is immune to cyber threats, many countries, especially developing ones, struggle with a lack of awareness on cyber issues. Despite the high level of connectivity in many countries, it is often difficult to elevate the issue of cyber risks to the whole of society because of the intangible nature of the Internet.

Within OAS Member States, it is often the case that multiple agencies share some responsibility for cybersecurity; however, in many instances these agencies do not work in a coordinated manner, resulting in missed opportunities to be gained from information sharing and lessons learnt. A national cybersecurity framework is an excellent tool for delineating roles and responsibilities, outlining legal norms associated with cybercrime, and strengthening incident response capacities. Each country’s cybersecurity priorities and needs, however, are unique, and there is no one-size-fits-all approach at this strategic level. The OAS Cybersecurity Program in this regard brings stakeholders from across government, the private sector, academia and civil society to the table to develop a holistic, comprehensive national strategic vision and set goals to address their country’s cyber needs while outlining actionable directives. To date, six OAS Member States (Canada, Colombia, Jamaica, Panama, Trinidad and Tobago and the United States) have published national cybersecurity strategies, and several others (The Bahamas, Colombia (2nd Version), Costa Rica, Dominica, Peru, Paraguay and Suriname) are in the process of developing or revising one. With financial assistance from Member States and Permanent Observer countries, the OAS Cybersecurity Program has assisted in establishing, training and equipping national Computer Security Incident Response Teams (CSIRTs) in many countries of the Americas.

The OAS Cyber Security Program of the Inter-American Committee against Terrorism (CICTE) serves as a repository of information on cyber issues in the Americas and provides fora for stakeholders across the hemisphere to discuss new challenges and areas for cooperation on cyber security matters. As such, from September 29th to October 2nd 2015, the OAS hosted, in collaboration with the global Forum for Incident Response and Security Teams (FIRST), the “OAS-FIRST Technical Colloquium and Cyber Security Workshop.” This event facilitated discussions on Incident Response, Law Enforcement, and Critical Infrastructure Protection (CIP). Particular attention was paid to the facilitative and leadership role to be adopted by governments in this context while considering best practices, appropriate infrastructure and relevant policies, legislation and regulations.

Margrete Raaum, Chair of FIRST, and OAS Chief of Staff Jacinth Henry-Martin speak during the opening ceremony.

During the last day of the event (Friday, October 2nd) the OAS Cyber Security Program hosted a plenary session along with SEGURINFO and the STOP.THINK.CONNECT Initiative to launch the Cyber Security Awareness Month. The event facilitated a discussion on the role of industries, nonprofits, and academia in raising awareness about cyber security matters among society and fostering a cybersecurity culture.


Setting the Stage - An Overview

The event saw the participation of over 160 persons, comprising policymakers and legislators, cybersecurity professionals, law enforcement officials, critical infrastructure operators, civil society actors, academics and telecommunications industry representatives from across the hemisphere, participating in parallel tracks on key cyber security topics. Speakers, panelists and instructors for both the plenaries and the working group tracks included national information and communications technology (ICT) ministry officials, CSIRT managers, cybersecurity-technology industry heads, law enforcement officers and representatives from academia, NGOs and international organizations.

Track 1 Incident Response

This track provided an opportunity to learn best practices about the development and establishment of CSIRTs (also commonly referred to as CERTs or CIRTs), and provided a better understanding of their operation and management. Additionally, mechanisms to improve communication and coordination among various CSIRTs at the national and the international level, including information sharing tools, were highlighted.

Track 2 Law Enforcement

Designed for law enforcement officials responsible for the development and implementation of cyber security policies, this track focused on cybercrime investigation case studies and discussions, rule-of-law-based investigations, legal frameworks, forensic image acquisition, as well as network forensics, fraud, and financial crimes. The session also focused on raising the awareness level on the importance of cyber security considerations for law enforcement officials.

Track 3 Critical Infrastructure Protection

This track provided instructive guidance on the protection of Critical Infrastructure and Industrial Control Systems (ICS) applications, including monitoring tools and techniques to detect ICS network intrusions and identify how vulnerabilities are exploited. Additionally, the session encouraged participants to share their views and ideas on management strategies that can be employed in CI and ICS protection.


Key Takeaways

Cyber Security Strategies, Partnerships and International Coordination

The first day of the Cybersecurity Technical Colloquium was devoted to a Plenary Session, where international experts and government officials gave high-level presentations on a variety of topics related to cybersecurity strategies, partnerships and international cooperation. The Minister of Information and Communications Technology of Colombia David Luna opened with a discussion on Colombia’s process of establishing a national cyber security strategy. Next, the director of Canadian Cyber Incident Response, Public Safety Canada, Gwen Beauchemin, described Canada’s Cyber Security Strategy and efforts to gain multi-stakeholder support. Matthew Noyes, Cyber Policy Advisor of the United States Secret Service, provided an overview of “Modern Transnational Cyber Threats” while Andrés Velázquez, President and Founder of the Mexico-based computer forensics company MaTTica, discussed the need for countries to build up their digital forensics infrastructure and utilize the latest tools and methodologies for analyzing electronic evidence in his presentation “How to Profile a Cybercriminal.”

The second half of the day included roundtable discussions on “Improving International Coordination”, featuring Sub-Secretary of CIP and Cybersecurity of Argentina Emiliano Ogando, FIRST Chair Margrete Raaum, and International Telecommunication Union (ITU) Representative for South America Sergio Scarabino, and “CSIRTs, Cyber Commands and Law Enforcement Units”, featuring the director of Uruguay’s national incident response team (CERTuy), Santiago Paz, Michael D. Donahue of the United States Southern Command Joint Cyber Center, Adrian Acosta of INTERPOL and Monika Josi of the Cybersecurity Advisors Network.

David Luna, Minister of ICT of Colombia, is interviewed following his presentation on Colombia’s National Cybersecurity Strategy.

Although the Plenary Session covered many topics, a number of key themes emerged. First, an effective cybersecurity strategy should focus on the impact of cyber incidents on everyday citizens and the cyber needs of society at large. The Internet is crucial for a country’s economic and social development at the local as well as national level. Strategies need to provide special attention to the millions of everyday end users who rely on the Internet for their livelihoods. Part of developing a holistic national strategy is approaching the topic from multiple perspectives with a common national vision. Public and private sector engagement is crucial for achieving this. Working groups designing a strategy should receive constant input from stakeholders representing diverse sectors, who can more articulately define their cybersecurity needs and challenges.

Gwen Beauchemin, Director of Canadian Cyber Incident Response, Public Safety Canada, discusses Canada’s national cybersecurity strategy and public-private partnerships.

Matthew Noyes, Cyber Policy Advisor of the United States Secret Service, presents on modern transnational cyber threats.

Drafting a national cybersecurity strategy needs to be an inclusive process, with relevant stakeholders from the private sector, civil society, government entities, and end users working together to define an optimal configuration of the country’s cybersecurity regime. Finally, transparency must be a hallmark of any cyber policy or strategy. For companies and citizens to be aware and take ownership of their part in the complex cyber ecosystem, they must feel they have a stake in advancements. This will also engender trust among constituent groups. Although there will inevitably be leading agencies on cyber issues, the importance of cybersecurity as a political, security, economic, and social issue should make it part of the broader national agenda.

Finally, international coordination among governments and nongovernmental actors will help countries strengthen their cybersecurity capabilities, establish legal norms and build sound policies. Differences in technical awareness, at-times unclear rules of engagement and language differences can be some of the obstacles to international coordination. Multilateral platforms such as FIRST, ITU, ICANN and the OAS Hemispheric Network of CSIRTs are positioned to help stakeholders overcome these obstacles. As cyberattacks and cybercrime do not respect national sovereignty, international coordination is vital to making cyberspace more secure. As Margrete Raaum, Chair of FIRST, remarked, “We see the same threats, have the same vulnerabilities and see only a small percentage of all cyberattacks. Coordination helps us see a bigger picture of the cyber landscape.”

Andrés Velázquez, President and Founder of MaTTica, presents on “How to Profile a Cybercriminal”.


Working Groups

On the second and third days of the workshop, attendees participated in three parallel tracks focused on specific cyber topics:

Incident Response

Computer Security Incident Response Teams are key actors in the national response to cyberattacks and cyber incidents. They are responsible for a number of tasks, including analyzing threats, responding to and mitigating attacks, helping to restore downed systems, issuing alerts and researching cyberattack trends. In addition, CSIRTs often share information and best practices with one another through networks, such as the Forum for Incident Response Teams and the OAS Hemispheric Network of CSIRTs.

The Incident Response track covered topics such as advanced persistent threats (APTs), information sharing and the Traffic Light Protocol (TLP), methodologies for assessing security on customer premises equipment, the relationship between CSIRTs and law enforcement, Bulk Personally Identifiable Information Theft, social engineering, private sector engagement and case studies of individual countries’ experiences related to incident response. The sessions featured Klaid Mägi, Head of CERT-EE, Estonia Information System Authority (RIA); Jeimy J. Cano M., Ph.D, Professor and Researcher of the Universidad de los Andes; Patrick Cain of the Anti-Phishing Working Group (APWG); Oliver Gonzalez, General Director of CERTMX, Mexican Federal Police; Director of CERT Polska Piotr Kijewski; Rajendra Sigh of the World Bank; Fernando Nikitin of the Inter-American Development Bank (IDB); Sean Fouche, Information Technology Manager for the Caribbean Community Implementation Agency for Crime and Security (CARICOM-IMPACS); David Van Duren, Head of the Global Forum on Cyber Expertise office; and OAS Cybersecurity Program Manager Belisario Contreras.

It was evident from the discussions that cyberattacks will continue to increase; therefore, it is important for incident response personnel to be able to perform triage and prioritize the largest threats. This requires a certain level of analytical capability. One way a CSIRT can improve its analytical capability is to assign half of the team to 24/7 incident response and the other half to research and investigation.

Certain cyberattacks, such as phishing campaigns, are becoming harder to distinguish from normal websites. Once malware is downloaded onto a computer, it can often give the users a false sense of security as it operates in the background. An attacker can create a virtual world around its victim and manipulate user behavior in this false reality. For example, attackers may intercept and manipulate information coming from an individual’s bank, causing the victim to insert their credentials, in the belief the request originated from a legitimate source. Given the increasing sophistication of these types of attacks, CSIRTs may take on the responsibility of raising societal awareness on how to detect them.

Incident Response participants attend a workshop on Advanced Persistent Threats (APTs) delivered by Jeimy Cano, PhD of Universidad de los Andes.

Finally, CSIRTs should engage with the private sector and civil society to build cooperation in the face of cyberattacks. Incentivizing cooperation facilitates public-private partnerships, and offering training and education about cyber threats to companies is one example of how this can be done. Addressing cyber incidents is also a shared responsibility. All sectors must work together to mitigate the damage caused by cyberattacks and help citizens better defend themselves from such threats.

Critical Infrastructure Protection

The first step to critical infrastructure protection (CIP) is defining what constitutes “critical infrastructure” for a country. The US Department of Homeland Security (DHS) defines 16 sectors as vital assets for a functioning economy and society: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems. While one of these sectors is explicitly related to cybersecurity, every other sector has become increasingly automated and computer operated; therefore, all critical infrastructures are at risk for cyberattacks and require effective cybersecurity measures. As critical infrastructures are often partly or wholly operated by private industry, it is important for government and the private sector to partner with each other on security measures, standards and technologies.

The Critical Infrastructure Protection track covered topics such as: threats to critical infrastructure, industry partnership efforts, SCADA Systems security, forensic analysis of critical infrastructure, and risk management exercises. Speakers and instructors included Juan Pablo Castro of TrendMicro; Elke Sobieraj and Michael Chaney of ICS-CERT, US DHS; Kevin Coleman of Industry Engagement and Resilience (IER) and Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR), US DHS; Eduardo Carozo Blumstein of ITC-Antel; Javier Berciano of CERT-SI (Spain); Gustavo Presman of Informática Forense; and Jeffrey H. Wright, Senior Director of Cybersecurity for Aveshka.

All software and applications are vulnerable to cyberattacks, which can have a very negative impact on industrial control systems. To compound this challenge, network users, including critical infrastructure operators, often fail to update their software or implement patches on a systematic basis. Especially within the private sector, industries often do not think of themselves as connected to one another. As such, even when companies prioritize cybersecurity, they implement individual and specific security operations centers, rather than work together in a more efficient manner. Partnerships between the private sector and government are a useful way for companies to receive cybersecurity assistance and discuss the cybersecurity needs of major and critical industries. To achieve this, private sector entities that disclose cyberattacks should not be punished but rather rewarded for their cooperation.

Cybersecurity is not simply an issue of technology; it is crucial for economic competitiveness and citizen security. Critical infrastructure operators should incorporate cyber risk into risk management frameworks; invest in people, processes and technology; provide leadership; and drive cooperation between operations, IT and security. Finally, separate regulatory agencies play a vital role in this area as they can make sure CNI operators are complying with national laws and regulations. Operators should foster a trustworthy, transparent relationship with the regulatory agencies.

Participants attend the Critical Infrastructure Protection (CIP) track.

Law Enforcement

Cybercrime is incredibly lucrative. According to a Kaspersky Lab report, cybercriminals are able to make enormous returns on their tools and exploits. Internet misuse is a debilitating factor in the ability of governments and private businesses to innovate and provide services in a safe manner. There is also a threat to the sustainability of Internet-connected infrastructures, which would impact the economic and human development of all countries, when cybercriminals make it their business to profit from system vulnerabilities.

Law enforcement officers came together to gain knowledge in computer forensics, as well as learn about cyber risks and defense mechanisms in the financial sector. Instructors and presenters included David Piscitello, VP of Security and ICT Coordinator at the Internet Corporation for Assigned Names and Numbers (ICANN), Andrés Velázquez of MaTTica, Director of Informática Forense Gustavo Presman, Raul Alvarez of Fortinet Technologies, Mara Misto Macias of the Central Bank of Argentina and Warren Williams, Telecommunications Engineer of the Jamaica Constabulary Force.

The discussions highlighted that law enforcement and the judiciary should place emphasis on proactive investigation, rather than reactive. Studying cybercriminal behavior will help governments and critical infrastructure operators understand the major threats they pose and be more effective in implementing preventative and mitigating measures. This entails awareness about criminal networks on the Deep Web, and the interconnection between online and offline transactions, among other areas.

There is an abundance of new tools for digital forensic analysis, some of which are free and available for download. Knowing how to create a digital forensic image of a computer’s hard drive and being able to investigate the Domain Name System (DNS) are some of the techniques law enforcement should be well versed in. Repetition is key for successfully learning new investigation tools. Investigators should keep time zones in mind, as knowing the time an event took place is crucial for attribution, and should check trash folders when looking for passwords while analyzing evidence. Investigators should also remember that when analyzing sites of doubtful reputation, they should never conduct direct procedures, but rather create a virtual image.

Law enforcement should be well informed of national legislation in relation to evidence collection, as digital evidence obtained through extralegal means is often inadmissible. Investigators should also be able to employ corrective measures when an investigation goes wrong. Finally, law enforcement should keep the community perspective in mind, doing what it can to help those harmed by cybercrime and educate the public on how to better protect themselves and their personal information.

Law Enforcement-track participants participate in a workshop led by David Piscitello of ICANN.


A Focus on Cybersecurity Awareness

While national cybersecurity strategies and policies as well as skilled response teams are crucial, cybersecurity really begins at a more granular level: the individual. More than half of all websites operate with known security vulnerabilities, and many of these vulnerabilities are man-made, whether the result of weak passwords, inadequate or outdated security software, or a lack of awareness about online risks. The need for awareness-raising efforts is especially important in Latin America and the Caribbean, where over half of the population is now online and the rate of growth of Internet users is among the highest in the world.

For these reasons, it was pertinent to bring focus on Cybersecurity Awareness Month, with the launch of the month being a key feature of the Colloquium. Assistant Secretary General of the OAS Nestor Mendez opened the ceremony, highlighting that “Collaboration and shared responsibility will prove essential to the continued success of cyber security efforts going forward.” The event featured a number of important voices in cyber security awareness, including Special Assistant to the US President and Cybersecurity Coordinator J. Michael Daniel, Phyllis Schneck of the US Department of Homeland Security, Minister of ICT of Paraguay David Ocampos, Jacquelyn Beauchere of Microsoft, Oliver Gonzalez of the Federal Police of Mexico, Chris Boyer of AT&T and the National Cyber Security Alliance (NCSA), Andy Ozment of Cyber Security & Communications, DHS, CEO of Telefónica-Eleven Paths Chema Alonso, Jorge Bejarano of the Ministry of ICT of Colombia, Peter Cassidy of the Anti-Phishing Working Group (APWG), Liliana Velásquez Solha of the Brazil Academic and Research Network, International Rights Director of the Electronic Frontier Foundation Katitza Rodríguez, Counselor of Digital Economy of the Delegation of the EU to the USA Andrea Glorioso, Coordinator for Cyber Issues for the US Department of State (DOS) Christopher Painter and many others.

A highlight of the event was a keynote speech delivered by Toomas Hendrik Ilves, President of Estonia. As the head of state of one of the world’s leaders in cybersecurity, President Ilves offered a unique perspective on raising cybersecurity awareness. He described two cultures, or conversations, when it comes to cybersecurity stakeholders: the technical side and the policy side. According to President Ilves, each side needs to appreciate the other side’s role and engage in dialogue on how best to combine their respective skills. He also discussed the importance Estonia’s cybersecurity regime places on data protection and data integrity.

Cybersecurity is an issue that touches every part of society. It should be applied to and understood by all, as no users are completely safe from cyber risks. Raising cybersecurity awareness within the general population is a challenge that requires constant attention. As behavioral change is a long process, countries should envision a multi-year, even multi-decade, process for teaching people how to use the Internet safely. Cybersecurity awareness efforts should be directed toward all parts of society, including teachers, parents, children, governments, corporations and small and medium-sized enterprises (SMEs), which cannot afford a large cyber security staff. Cybersecurity should be taught early on in the schools, as future generations will become increasingly tech savvy.

Some of the speakers emphasized that governments often experience difficulty in reaching and cooperating with some sections of their populations, which is a gap civil society and non-profit organizations can fill. It is critical to create stakeholder groups that span all sectors of society to ensure efforts cover all technology users, who will have diverse interests. This means that messages to raise the level of awareness need to be adaptable. Before mounting an awareness-raising campaign, governments must objectively understand the levels of awareness present, the groups most at risk, and what internet users know and practice. This could be gleaned from surveys, or from technical data produced by a CSIRT or other party. It is necessary to tailor campaigns to the audience in a way that will engage them.

Toomas Hendrik Ilves, President of Estonia, delivers a keynote speech at the Official Launch of Cybersecurity Awareness Month.

Awareness-raising campaigns work best when they are carried out in a coordinated manner. By holding multiple events around a common theme, a country can have a magnification effect in cybersecurity awareness. Furthermore, campaigns that convey positive messages are more effective in motivating change than campaigns based on fearing threats. Finally, although the cyber security awareness development process will be different for each country, international cooperation is a useful way to combine efforts and support initiatives. Finally, in the words of Christopher Painter, “In order to make international cooperation work, you need to have respect.” In the IT world, this is not always the case; therefore, international actors involved in cybersecurity awareness should be prepared to listen and understand each country’s relationship with information and communication technology.

Jacquelyn Beauchere, Chief Online Safety Officer of Microsoft, discusses cybersecurity awareness-raising efforts.

Chema Alonso, CEO of Telefonica-Eleven Paths, delivers a presentation on new methods for identifying cyber threats.

Christopher Painter, Coordinator for Cyber Issues for the US Department of State, gives a keynote speech to end the Official Launch of Cybersecurity Awareness Month 2015.


Some of the participants of the OAS-FIRST Cybersecurity Technical Colloquium 2015, Washington, D.C.


Organization of American States

All rights reserved

Disclaimer

The contents of this publication do not necessarily reflect the views or policies of the OAS or contributory organizations.

November 2015

© OAS Secretariat for Multidimensional Security

1889 F Street, N.W., Washington, D.C., 20006, United States of America

www.oas.org/cyber/

OAS-FIRST Cybersecurity Technical Colloquium Report 2015

Secretary General: Luis Almagro Lemes

Assistant Secretary General: Nestor Mendez

Executive Secretary of the Inter-American Committee against Terrorism: Alfred Schandlbauer

Editors: Pablo Martinez, Belisario Contreras, Kerry-Ann Barrett, Robert Fain

Contributors: Barbara Marchiori de Assis, Catalina Lillo, Diego Subero, Emmanuelle Pelletier, Gonzalo García-Belenguer, Jessica Baptista


This activity was organized with the financial support of the Government of Canada