Country Report Security Practices in Bhutan CERT Best Practices September 2004

1
Country ReportSecurity Practices in BhutanCERT
Best Practices - September 2004 -

• Karma Dhendup
• ICT Security Coordinator
• Department of Information Technology, Ministry
  of Information and Communications

2
About Bhutan

• Location Eastern Himalaya
• Population 600,000
• Land Area 46,500 square Km
• Economy Agriculture(90), Hydro Power and
  Tourism
  
• Government Monarchy
• Religion Buddhism
• Development Philosophy GNH

3
ICT status in Bhutan

• ICT development is still new in Bhutan.

Tele-density (fix line) Urban 15, rural 1
Electrification (via power grid) 20 30
About 8,000 10,000 computers1 in the country
Only one ISP in service, started in 1999 (2,600
dial-up subscribers, 30 leased lines2)
Internet Users appx. 0.73 VSAT OPGW3 just lau
nched in urban area 12 Internet Cafes, 15 IT Vend
ors, 18 IT Training Institutes
KEY FIGURES
Bhutan ICT Policy and Strategy (BIPS) endorsed
ICM Act drafted, awaiting to be passed
MoIC established in 2003, ICT Units are to be
established in all Ministries
RECENT GOVT ACTIONS
DIT/BT estimates as of September 2003, 2.
Druknet figure as of September 2003, 3. Optical
Power Ground Wire
4
Security situation in Bhutan

• E-Security Practice is still at an infant stage
• No CERT established so far
• Security threats virus, SPAM, intrusions
• Security Working Group has just been formed by
  DIT to address IT security issues (June, 2004)

5
About Security WG

• Objective to solve common security problems
  collectively in the government
  
• Scope Limited to government agencies (expand it
  to the whole country in future)
  
• Members Network administrators in every
  Ministrys ICT Unit
  
• Progress So far 5 meetings held, methodology
  and activities are identified

6
Methodology (1/5)

• Hold a meeting twice a month and share security
  problems in individual organizations.
  
• Inform new threats and viruses that they have
  encountered in recent days.
  
• Find solutions for the new threat and discuss
  measures to prevent the similar threats for other
  organizations.
  
• Discuss new techniques and methods that are
  available in the Operating Systems that are used
  in the organizations.

7
Methodology (2/5)

• Compare firewall setups and the services each
  organizations are using.
  
• Interview members about the kind of services they
  are using and threats involved for each service.
  
• Identify the types of servers organizations use
  (Windows server/Linux/Solaris) for the firewall.
  
• Evaluate the access lists in the routers and
  server firewalls.

8
Methodology (3/5)

• Draft a security policy
• Policy for the User
• Policy for the System Administrator
• Files and folders management policy
• Data management policy
• Firewall management policy
• Location and safety of server rooms

9
Methodology (4/5)

• Prepare questionnaire and survey the security
  measures.
  
• The operating systems that are used on desktops
• Databases used within the organization
• The kind of threats they encounter
• The kind of software that they use

10
Methodology (5/5)

• Saving bandwidth from downloads and software
  updates and threats,
  
• Set rules for the software updates
• Use common software within the organizations like
  the Anti virus software corporate edition and
  centrally monitor virus definition updates and
  patches.
• Set download rules and use network bandwidth
  monitoring tools to monitor the bandwidth usage.
  
• Finally conduct a workshop for wider audience.

11
Future prospective

• As ICT infrastructure comes up, security issue
  becomes a growing concern
  
• Security coordination will be a continuous
  effort
  
• Lack of security expertise is a challenge for
  Bhutan
  
• CERT as our solution??

12

• Thank you for your attention
• Your suggestions are welcomed

Tashi Delek!! kdhendup_at_dit.gov.bt