Cyberwinter 2011

Computer Assisted Exercise on information security

The Exercise in brief

On 7th December 2011 the Ministry of Transport, Information Technologies and Communications, supported by the Bulgarian Modeling and Simulation Association “BULSIM”, conducted Bulgaria's first computer assisted exercise (CAX) on information security for the state administration.

The computer assisted exercise “CYBERWINTER 2011” was opened and conducted by the Vice-Minister of Transport, Information Technologies and Communications Mr. Valeri Borissov, the Director of the “e-Government” Directorate Mrs. Tsvetanka Kirilova and the Chairman of the Bulgarian Modeling and Simulation Association “BULSIM” Mr. Nikolay Tomov.

General opening of “CYBERWINTER 2011” by Vice-Minister Valeri Borissov

The main participants in the CAX project ‘CYBERWINTER 2011’ were:

  • Ministry of Transport, Information Technologies and Communication (MTITC)
  • Executive Agency ‘Electronic Communication Networks and Information Systems’
  • Executive Agency ‘Automobile Administration’
  • Executive Agency ‘Railway Administration’
  • Directorate General ‘Civil Aviation Administration’
  • Executive Agency ‘Maritime Administration’
  • Executive Agency ‘Exploration and Maintenance of the Danube River’
  • National Computer Emergency Response Team (CERT)

The Bulgarian Modeling and Simulation Association ‘BULSIM’ is the organization that advised MTITC on the planning, conduct and analysis of the exercise. In addition, BULSIM contributed in the following areas:

  • Scenario preparation;
  • Consultancy in the design and development of the physical, hardware and communication architecture needed for the exercise;
  • Building an environment for modeling and simulation of the network, the infrastructure and its monitoring, as well as modeling and simulation of information security incidents;
  • Development of a web-based system for monitoring the common operational picture and for information exchange;
  • Consultancy in exercise analysis, evaluation and lessons learned.


1st level participants (decision makers) in action

Main aims of the exercise  

The exercise aimed to review the specific measures that must be taken, or the processes that should be followed, when an information security incident occurs. These measures included collaboration and coordination among different units within the organization, as well as discovering important interdependencies that could not be perceived during standard exercises. The main goals of the project were:

  • Enhancing the capabilities of the responsible persons from MTITC, the Executive Agencies and CERT to protect the national critical information infrastructure against cyber-threats and information security breaches.
  • Identification of organizational and technical vulnerabilities in the information security management system and in the procedures and policies for responding to cyber incidents.
  • Analysis and anticipation of new threats to the information infrastructure of MTITC and the Executive Agencies.

2nd functional level participants (technical experts)

General scenario

The exercise scenario is based on an escalating international crisis caused by a sudden rise in cyber-attacks against government websites, state administration systems and corporate information systems in Europe and around the world.

Over the last few months, the activation of a new hacker group, “The Cyberwolves”, has been observed on the Internet. They intend to join forces with two other highly politically motivated hacker groups, Anonymous and LulzSec. These two groups announced that they will collaborate on the largest-scale mass campaign against world governments, in an operation named “Anti-Security”. They aim to steal classified information from various government structures around the world and publish it on social networks.

A message was published on Twitter announcing that Anonymous and LulzSec will collaborate with “The Cyberwolves” only if the newly formed group demonstrates its capability to hack and release information and documentation to the public, as well as to bring down the administration systems and information infrastructure of a given country. To show their skills, “Cyberwolves” members announced in several IRC channels and forums that in the next few days they will block important government websites in a South East European country and steal data from key information systems by breaking through the computer security of the information infrastructure.

BM&SA “BULSIM” experts performing controlled hacking attacks

On 7th December the mass hacking attack began…

The exercise events comprised hacking attacks against simulated elements of the players' information infrastructure:

  • Web-based systems of MTITC and Executive Agencies;
  • E-mail infrastructure;
  • Other information and communication systems and services.

The scenario events were selected so as to involve all hierarchy levels within the organizations in responsible actions: system administrators, junior and senior experts, Heads of departments, Directors of directorates, Vice-Ministers and the Minister of Transport, Information Technologies and Communications.

The general scenario was presented to the players, but the distribution of MELMILs was kept hidden until the beginning of the exercise. To place the players in an environment very close to a real one, controlled changes to the events and injections were made.

Exercise Architecture

Following best practices for effectively conducting a computer assisted exercise, all the players were situated in an “isolated” environment located in a common area, divided into different centers according to the exercise operational architecture.

Each CAX participant was assigned a role and, according to that role, access to the relevant information. The occurrence of the main events was visualized with software tools for modeling and simulation of networks, communication devices, hardware and software applications, which helped the responsible persons to make decisions. Each action and decision made by the players was registered and stored for after-action review.

During the exercise the whole information flow was accessible and available for monitoring via a Common Operational Picture System. That information was also stored and archived for lessons learnt analyses.

Achieved Results

It is commonly accepted that each conducted computer assisted exercise is on its own a success because all the players learn something new and find out opportunities for their personal growth and for the development of the organization in the information security domain.

In addition, the following activities were also studied during the exercise:

  • Time for response and recovery;
  • Decision making processes;
  • Information sharing (inside and outside the organization);
  • Collaboration (inside and outside the organization) for addressing the occurrence of an incident;
  • Resource coordination, logistics and support;
  • Identification of potential threats;
  • Measures for responding;
  • Capacity for collaboration, levels of collaboration between different structures, communication flow in case of incidents, the capability for range over the common picture, operative readiness, levels of authority and best practices.  

Through the CAX, the players from different departments gained the following benefits:

  • Hidden interdependencies were identified;
  • Experience was gained in working together with experts in the same positions, but from other departments;
  • Best practices and procedures were shared;
  • Existing documented procedures were tested for correspondence with real-life situations;
  • Existing contact data and channels for communication between different departments and directorates were tested;
  • The level of readiness to overcome information security incidents was demonstrated to the authorities.

CYBERWINTER 2011 was also useful for the high-level authorities responsible for making decisions when an incident occurs. It is a well-known fact that these persons do not have a comprehensive and detailed view of how the responsible individuals and the infrastructure of the organization will behave in the event of an information security incident. For example:

  • To observe in real-time the operations for recovery after incidents;
  • To determine the level of information security in the organization;
  • To identify the weaknesses in the procedures for mitigation and response related to cybersecurity incidents;
  • Reasons to assign tasks for improving the plans and procedures for mitigation and response;
  • Evaluation of improvements.

The simulated cybersecurity incidents aimed to test the readiness of the expert and governing staff to take the following actions:

  • To identify the occurrence of an incident;
  • To take first response actions to mitigate data loss or other irreversible damage in the information systems, as well as to close the system gap if that is the reason for the incident;
  • To make a damage assessment and to identify all the incident details;
  • To make a recovery plan;
  • To restore the hacked system.

Following best practices, “CYBERWINTER 2011” presented most of the important elements relevant to computer assisted exercises on information security.
