IJISC
  • Indexed in

  • Latest News

    December 29, 2018
    Volume 7, Issue 2 of the International Journal of Information Security and Cybercrime was published
    June 29, 2018
    Volume 7, Issue 1 of the International Journal of Information Security and Cybercrime was published
    December 29, 2017
    Volume 6, Issue 2 of IJISC – International Journal of Information Security and Cybercrime was published
    December 4, 2017
    IJISC has been successfully evaluated for the ICI Journals Master List 2016 and received the ICV of 85.83 points
  • --- More News ---
  • Popular Articles

  • Report on Cyber Security Alerts Processed by CERT-RO in 2015


    Author(s): CERT, RO
    Issue: Volume 5, Issue 1, Year 2016

    Download PDF | Views: 993

    CERT-ROThe objective of this report is to analyze the cybersecurity alerts collected and processed by CERT-RO in 2015, so as to obtain an overview on the events relevant for evaluating the cybersecurity risks incurred by the cyber infrastructures on Romanian territory, which are under the CERT-RO constituency.

    During the reference period, respectively 01.01.2015 – 31.12.2015, CERT-RO has collected and processed 68,206,856 cybersecurity alerts, with a drop of 13% compared to 2014 (78,769,993), out of which:

    Cybersecurity alert means, within the context of this report, any signalling containing an IP address or a web domain (URL), with regards to a possible cybersecurity incident or event, which involves or might involve informatics systems from the national cyber-space held / managed by natural or legal persons from Romania.

    The alerts collected by CERT-RO in 2015 regarded a set of 2,321,931 unique IP addresses. The total number of unique IPs assigned to organizations from Romania is of 8,958,498, thus dropping compared to 2014 (approximately 10 million) and 2013 (approximately 13.5 million).

    Following the analysis of the cybersecurity alerts collected by CERT-RO in 2015, the following have been determined:

    Types of alerts processed by CERT-RO

    CERT-RO processes two types of cyber-security alerts:

    Statistics based upon the alerts received

    The number of alerts collected by CERT-RO in 2015 dropped by 13% (68,205,856) compared to 2014 (78.769.993), as it is also shown in Fig. 1.

    CERT
    Fig. 1 – Evolution in the number of alerts collected in 2013, 2014, and 2015

    The drop in the number of alerts collected during 2015 in comparison with 2014 can be explained by the fact that a part of the vulnerable information systems (DNS servers of Open Resolver type, proxy servers without authentication, NTP servers with inadequate configuration, etc.) have been remedied in the previous year.

    The significant number of alerts presented in the CERT-RO reports highlights the institution’s demand for ensuring high performance systems, which would be able to achieve the automatic processing and dissemination of a large data volume.

    3.1. Alert distribution depending on the class (alert category)

    The alerts collected and processed by CERT-RO have been classified based upon a taxonomy where several alerts classes and types have been defined (an alerts class is a generic category, which may integrate several specific types of alerts).

    The table and graphic below show the distribution of the 5 most frequent categories of alerts, depending on their number.

    CERT
    Tab. 1 – Top 5 security alerts, on alert classes (categories)

    CERT
    Fig. 2 – Alert distribution on classes (categories)

    3.2. The alerts’ distribution on number of incidents

    Given that some of the alerts collected by CERT-RO are repetitive, meaning that more than one refers to the same IP address and the same problem (class / alert type), a reduplication of the alerts through a grouping on incidents has been performed.

    The general principle standing at the basis of the alerts’ grouping on incidents was to gather all alerts which refer to the same information system and the same type of problem (class / alert type).

    Considering that the alerts collected by CERT-RO only refer to public IP addresses, it is impossible to determine the exact number of affected information systems (victims), because of the following 2 reasons:

    Under such circumstances, grouping alerts on incidents has been made depending on the following:

    1. The alerts regarding vulnerabilities have a significant weight in the total number of alerts (78.33%). Such vulnerabilities refer to applications and services that run on server-type platforms (web servers, data bases servers, time servers, etc.), whose IP addresses are not dynamically assigned, and that generally do not even change their IP address too often. Consequently, related to vulnerabilities alerts, we have considered that it would be enough for the aggregation to be made on the IP address and the alert class/type;
    2. In case of botnet type alerts, whose weight is of 20.78%, we refer to information systems belonging to household users which are infected with various types of botnet malware. In the majority of cases, in such information systems the IP addresses assignment is made dynamically. Consequently, for botnet alerts, their grouping into incidents has been made based upon the IP address, alert class / type, and the time between 2 reports (up to 14 days).

    In conclusion, following the grouping of alerts on incidents, according to the algorithm and considerations mentioned above, there resulted a number of 4,900,651 incidents in 2015, distributed according to the table and graphic below.

    CERT
    Tab. 2 – Alert distribution on number of alerts

    CERT
    Fig. 3 – Alert distribution on incidents

    The statistics based upon the aggregation of the collected alerts on incidents show that the main problem of the national cybernetic space consists in information systems which are part of botnet networks (64%), although the statistics based upon the number of alerts show that 78% of these refer to vulnerabilities, and only 20% to botnet networks. This is due to the fact that the alerts that refer to vulnerabilities are more repetitive, many of the targeted systems staying vulnerable for a long period of time, thus being reported several times.

    3.3. Malware types typical for the Romanian cybernetic space

    A percentage of 20% of the total alerts collected and processed by CERT-RO in 2015 also contain information regarding the type of malware associated to the alert (such as botnet type alerts or the ones referring to malicious URLs).

    CERT
    Tab. 3 – Top 10 malware types in Romania 2015

    3.4. Types of affected information systems

    A percentage of 23.87% of the total alerts collected and processed by CERT-RO in 2015 also contain information regarding the operation system of the information systems targeted by the alerts.

    CERT
    Tab. 4 – Distribution of the total alerts on affected operation systems

    3.5. Peculiarities of the manually processed alerts

    Next to automatic alerts, the CERT-RO analysis took over during the reference period a set of cybersecurity alerts reported directly by people or organizations in the country or abroad, classified as manually processed alerts.

    These are significantly fewer than the automatic ones, but they contain more complete and more relevant information on the incident, the affected organization, as well as on the source of attack and the attack method. In the majority of cases, data is collected from the affected entities (natural or legal persons in the country or abroad) by the CERT-RO analysts, once the incident is reported.

    Consequently, during the reference period, CERT-RO collected 1,223 manually processed alerts, distributed as follows:

    CERT
    Tab. 5 – Distribution of individual alerts

    The remainder of 8% of the manually processed alerts can be included in various classes and types of alerts, such as: botnet, spam, defacement, bruteforce, malware, or confidential information dissemination, etc.

    In the table below, there is a top 5 most affected types of systems, extracted from the alerts manually processed by CERT-RO.

    CERT
    Tab. 6 – Distribution of manually processed alerts on types of affected systems

    3.6. Compromised ”.ro” domains

    Throughout the reference period, CERT-RO received alerts regarding 17.088 compromised ”.ro” domain.
    Out of 855,9973 domains registered in Romania in February 2015, the number represents approximately 2% of the total ”.ro” domains, and approximately 6.5% of the total active ”.ro” domains.

    The distribution of the affected domains according to the type of incident can be found in the table below:

    CERT
    Tab. 7 – Compromised .ro domains

    Conclusions

    Based upon the findings above, the following conclusions can be drawn:

    Despite the technical aspects which make it impossible to identify the exact number of affected devices or people which are behind the over 2.3 mil. IP addresses or 68 mil. alerts reported at CERT-RO, it is important to remember that they cover approximately 26% of the national cybernetic space (in relation to the number of IPs assigned to RO), and, consequently, it is necessary to take measures to solve the situation through the involvement of all actors with technical or legal responsibilities.


    Additional Information

    Title: Report on Cyber Security Alerts Processed by CERT-RO in 2015
    Author(s): CERT, RO
    Publication: International Journal of Information Security and Cybercrime
    ISSN: 2285-9225, e-ISSN: 2286-0096
    Issue: Volume 5, Issue 1, Year 2016
    Section: Cyber-Attacks Evolution and Cybercrime Trends
    Page Range: 89-100



    Copyright

    Copyright ©2012-2019 IJISC - International Journal of Information Security and Cybercrime

    All rights reserved: International Journal of Information Security and Cybercrime is a trademark of RAISA - Romanian Association for Information Security Assurance.
    No part of this publication may be reproduced, stored in a retrieval system, photocopied, recorded or archived, without the written permission from RAISA. When authors submit their papers for publication, they agree that the copyright for their article be transferred to Romanian Association for Information Security Assurance, if the articles are accepted for publication. The copyright covers the exclusive rights to reproduce and distribute the article, including reprints and translations.