


   ISSUE 85

31 August 2018

Article of the Month Around the World


National Information and cyber security strategy

Previously discussed topics:

1. Cyber Security Landscape in Sri Lanka

2. Overview of the National Information and Cyber Security Strategy

3. Thrust #2: Legislation, Policies, and Standards

4. Thrust #3: Development of a Competent Workforce

5. Thrust #4: Resilient Digital Government Systems and Infrastructure

Thrust #5: Raising Awareness and Empowerment of Citizens

The sixth pillar of the strategy:

Thrust #6: Development of Public-Private, Local-International Partnerships


Our Strategy

The Sri Lankan cyber community, as a part of the global Internet community, faces many vulnerabilities. Socially engineered trojan attacks, malware attacks, phishing attacks, advanced persistent threats, botnets, ransomware and financial fraud, for example, increasingly threaten the Sri Lankan Internet community.

The government of Sri Lanka acknowledges that the government alone cannot effectively combat these threats. The collective efforts of end users, academics, private sector hardware and software vendors, Telcos and ISPs, and private sector critical infrastructure owners are essential in battling these cyber threats. Moreover, cybersecurity cannot be achieved by any one nation alone, and greater levels of international cooperation are needed to confront those actors who seek to disrupt or exploit our networks.




Our Initiatives

6.1. Partner with Telecommunication and ISPs to Protect Internet Users

6.1.1. ISPs in Sri Lanka occupy a unique position as the gateway to Sri Lanka's cyberspace. We will, therefore, set up a Telco-CERT with the involvement of Telcos and ISPs to effectively handle emerging cyber threats. Telco-CERT would be involved in tackling phishing attacks, blocking malicious domains and IP addresses, and deploying other measures to disrupt malware attacks including measures to secure the telecommunications and Internet routing infrastructure.

6.1.2. We will encourage ISPs to increase their customers' awareness of cyber security risks, and best practices for avoiding cyber threats.

6.2. IP Reputational Service

We will work with Telecommunication Regulatory Authority of Sri Lanka (TRC) and ISPs to determine the possibility of maintaining an Internet Protocol Reputation Service. This will help online service providers obtain information about an IP address to which they are connecting. Through this service, the spreading of harmful content shall be minimized.

6.3. Partner with Firms Operating Critical Information Infrastructure (CII) to Create Resilience

Our systems depend on the critical infrastructure information systems that are owned by non-government actors. There are many private companies which provide critical services to the general public in the domains of finance, power and energy, transport, aviation, health and so forth. Although the government is not responsible for securing the critical information infrastructure owned by private firms, it is essential to support these private firms to protect their information infrastructure where damage to the information infrastructure would interrupt the day-to-day lives of citizens. We will, therefore, work closely with Critical Infrastructure owners and operators to expand initiatives to secure the CII ecosystem, preserve the benefits of cyberspace, and avoid unnecessary impediments to technological evolution.

6.4. Empower Sectoral Ministries Maintaining Digital Government Systems

The primary responsibility of safeguarding security in each sector's digital government systems and infrastructure, and of ensuring adequate preventive measures against cyber threats, lies with the sectoral ministries. This means that each sectoral ministry has a responsibility of identifying critical infrastructure in their sector, and ensuring adequate security by assessing, determining and implementing preventive measures in their sector.

6.5. Work with Military Establishments to Establish a Joint Military Security Operation Centre/Defence CERT

Sri Lankan Militaries, Police, and Intelligence Services all work separately in confronting malicious cyber actors. However, there is a lack of coordination among these organizations to share valuable information on cyber threats. In this context, with the involvement of relevant authorities, we will establish a joint Cyber Security Operations Centre/Defence CERT (D-CERT) with a focus on strengthening our cyber defences and ensuring that our defence forces are able to continue to operate securely. The creation of a single unified military security operations center would provide better capabilities to speedily overcome challenges presented by operating in cyberspace.

6.6. Promote Cooperation with Industry Sectors

6.6.1. We will encourage industry sectors to work together in order to jointly improve detection, prevention, response and recovery capabilities.

6.6.2. We will develop a channel to share real-time sensitive information on cyber threats and potential consequences with industry sectors. We will also develop a mechanism to share information on cyber threats and vulnerabilities with medium-sized businesses, which are increasingly being victimized by malicious actors in cyberspace. Tailored alerts and advice will be generated for them.

6.7. Strengthening International Partnerships

Through effective operational links between countries and across the region, we will engage with the international community to build a system of cyberspace stability. We will sign agreements with international organizations such as International Telecommunication Union (ITU), The European Union Agency for Network and Information Security (ENISA), Asia Pacific Computer Emergency Response Team (APCERT), Internet Corporation for Assigned Names and Numbers (ICANN), United States National Cybersecurity and Communications Integration Center (NCCIC), Forum for Incident Response Security Teams (FIRST), United Nations Internet Governance Forum (UNIGF), Internet Society (ISOC), International Watch and Warning Network (IWWN), and the International Criminal Police Organization (Interpol) for exchanging technical information on threats and vulnerabilities, obtaining the latest software and hardware products, conducting joint cyber drills, and building the capacity of the staff.

6.8. Budapest Convention

On 1st September 2015, Sri Lanka ratified the Council of Europe's Convention on Cybercrime (Budapest Convention) and became the first country in South Asia to become a party to the Convention. The Budapest Convention is the only international legally binding treaty on cybercrime in the world today and seeks to harmonize national laws, adopt improved investigative powers based on international standards, and enhance criminal justice cooperation among State Parties in order to effectively combat the threat of cybercrime [9]. We will take initiatives to implement and comply with the Budapest Convention requirements and will continuously work with member countries to build a secure cyber space.

6.9. Increase our Presence at International level

We will enhance our presence at the international level through participation in international forums and conferences on cyber security and through playing an active role in knowledge gaining and sharing exercises.

6.10. Partner with Businesses to Promote Security in Products and Services

We will work with suppliers to bring products and services to the market with a high level of security to ensure the privacy and security of customer information.

6.11. Partner with Universities to build a Cyber Security Research Culture

6.11.1. We will work with Universities in Sri Lanka to promote a cybersecurity research culture in Sri Lanka.

6.11.2. In partnership with donors and universities, we will introduce research grant schemes for students undertaking research on cyber security.

6.11.3. With the partnership of all stakeholders in this domain we will continue to host an annual national cybersecurity week followed by a national cyber security conference.

6.12. Support of Government Organizations, Social Groups and NGOs

6.12.1. With the involvement of government stakeholders including the Ministry of Social Empowerment and Welfare, Ministry of Women and Child Affairs, the Child Protection Authority, and Ministry of Law and Order, we will increase the awareness of rural communities and the most vulnerable communities in our society on cyber security.

6.12.2. With the involvement of groups in the civil society (e.g. SMART Social Circles, Nenasala Centers, Community Centres), and NGOs, we will increase rural and semi-urban citizens' awareness on cyber security, and help and guide citizens towards safe, enjoyable experiences online.

6.13. Nurture Start-ups

We aim to support young entrepreneurs to establish cyber security start-ups. We will also nurture start-ups to boost the development of niche and advanced solutions and grow local champions to sustain strategic areas of interest. In partnership with Sri Lanka Software Exporters Association (SLASSCOM), we will also develop market opportunities to bring made-in-Sri Lanka solutions into the global market.



Dr. Kanishka Karunasena,

Research and Policy Development Specialist, Sri Lanka CERT|CC


























Microsoft Windows Zero-Day Found in Task Scheduler


"...A zero-day flaw recently disclosed in Microsoft's Windows task scheduler could enable a bad actor to gain elevated privileges. The flaw, which was disclosed Monday on Twitter, does not yet have a patch.

The issue exists in the Advanced Local Procedure Call (ALPC) interface of Microsoft Windows task scheduler in 64-bit operating systems (Windows 10 and Server 2016). Essentially, the API function of ALPC does not check permissions, so that any potential local bad actor can alter them..."


GoDaddy Leaks "Map of the Internet" via Amazon S3 Cloud Bucket Misconfig


"...GoDaddy, the world's largest domain name registrar, has exposed high-level configuration information for tens of thousands of systems (and competitively sensitive pricing options for running those systems) in Amazon AWS, thanks to yet another cloud storage misconfiguration.

The documents were left exposed in a publicly accessible Amazon S3 bucket, and included configuration information for 24,000 systems within GoDaddy's hosting infrastructure, including fields for hostname, operating system, workload (i.e., what the system was used for), AWS region, memory, CPU specs and more. The bucket, named abbottgodaddy, was found June 19 by UpGuard, which said the information contained within represented a detailed map to a large portion of the internet..."

  WhatsApp warns that Google Drive backups are not encrypted


'...But, the company warns, those backups won't be encrypted. That means that the chats, photos and videos sent via the app and backed up on Google Drive are accessible to Google, but also to hackers that manage to compromise users' Google Drive account.

According to the new agreement, WhatsApp backups that haven't been updated in more than one year will also be automatically removed from Google Drive storage...'

FBI Fights Viral Influence Campaigns With Informational Videos



'...With midterm elections fast approaching, the FBI on Thursday released a dozen informational videos detailing ways political campaigns can protect themselves against cyberattacks from foreign powers.

The Protected Voices initiative covers a wide range of cybersecurity topics (including software patching, secure communications, password protection and browser safety) that can help campaigns fend off the most common attacks...'

Fake banking apps on Google Play leak stolen credit card data


'...Another set of fake banking apps has found its way into the official Google Play store. Claiming to increase the credit card limit for users of three Indian banks, the malicious apps phish for credit card details and internet banking credentials using bogus forms. What's even worse, the data stolen from the victims is leaked online, in plain text, via an exposed server...'

Month in Brief
Facebook Incidents Reported to Sri Lanka CERT|CC in August 2018
  Statistics - Sri Lanka CERT|CC

My Health Record access controls used only 214 times in million record trial

'...As one begins to work with numbers that approach zero, small differences in weightings and roundings can easily become orders of magnitude out of whack.

So it was that back in May, officials from the Australian Digital Health Agency (ADHA) told Senate Estimates that less than 0.1 percent of users in its trial areas had set access codes to change the default setting of general access to health care providers, and instead restrict data to nominated health care providers or people....'

Less than a third of companies have dedicated cybersecurity insurance

"...Only one third of senior executives in UK organisations admit their company insurance currently covers them for a security breach and for the financial impact of data loss, despite the fact that 81 percent agree that it is "vital" their organisation is insured against information security breaches. This is according to the Risk:Value report from NTT Security, which also reveals that 29 percent of firms have dedicated cybersecurity insurance in place..."

'Crypto haven' government officials to gather in Seoul

"...High-level officials from countries that are considered havens for cryptocurrency firms will gather in Seoul later this month to discuss the future of policy.

Representatives from Estonia, Switzerland, Malta, Singapore, Lithuania, and the city of Hong Kong will discuss their respective country policy concerning blockchain at the three-day Blockchain Seoul tradeshow from September 17 to 19 at COEX D Hall..."

Defense Department Seeks "Rapid Cloud Migration" Ideas for MilCloud

"...The Defense Department's technical arm wants to see what capabilities exist in the marketplace to improve the migration of data and applications to milCloud 2.0, the Pentagon's on-premise cloud.

On Wednesday, the Defense Information Systems Agency issued a request for information to industry seeking input on "rapid cloud migration" as it aims to understand capabilities relevant to "automated cloud migration techniques."..."

Notice Board

Training and Awareness Programmes - August  2018

