Time to create Pakistan's very own NSA | World Defense


Zarvan

All the people here who are following developments around the world, especially related to defence, have clearly noticed various nuclear plants in Iran and other stuff getting blown up again and again, especially in the past ten days. These are clearly the result of Israel and USA cyber attacks like they did a few years ago in the form of STUXNET. They seem to be back on track and using Cyber Warfare to cause the damage for which until a few years ago you needed to carry out a physical attack or sabotage.

Therefore either we, I mean Pakistan, could try to keep our eyes shut and simply choose to ignore the threat of cyber warfare, which, if not now, will be knocking on our doors soon, or we could establish our own dedicated agency which does the following jobs.

  1. Cyber Warfare
  2. Cyber Defence
  3. SIGINT
  4. OSINT
  5. Helping other Government agencies and private companies in establishing their cyber wings and how to secure their data and protect themselves from cyber attacks.

Yes, we have budget constraints, but we have to start with whatever we have, otherwise good luck in future wars. So please, all those people from Pakistan who are here and who have contacts or relatives in senior posts in the Armed Forces or Government of Pakistan, please raise this issue.

@Khafee @Mastankhan @Signalian
 

Zarvan

Some good books to read on this topic.
 

baqai

Even back in 2008-ish I used to interact with the FIA Cyber Crime unit when Mr Ammar Jaffery was the DG, and they had very VERY competent people with them. We were Pakistan's only CA (Certificate Authority) issuing class 1/2/3 digital certificates by VeriSign (later bought by Symantec); I was BDM back then. Even back then we had lots of white hats working, and I am quite sure the team is much stronger now :)
 

Zulu

The team must be strong. Old sinners, remember Doctor, whom the agency scooped up from Karachi University in 97-98 to work for us??? But the way things are moving (case in point, the recent attacks on multiple sites in Iran), and especially if you look at the Israeli model of pushing forward private companies in cyber security services and tool providing, generating a lot of hard cash for their country and at the same time giving them the best possible cyber shield, as on the government level we can't afford 1/10 of the NSA budget
 

Mastankhan

Hi,

The problems that we have today or are going to face tomorrow---the seeds were being sown a decade ago---.

6-7 years ago---Pakistan had the chance to be somebody---a power player---but its Shia community associating itself with Iran forced Pakistan to face the worst in the coming years---.

So what Pakistan is going through or will go through will be based on its day to day survival.

Pakistan has forced itself into an extremely critical situation.
 

baqai

He was part of the #delusion and #karachi admin team on Undernet servers; I am still in touch with a lot of IRC peeps.
 

Zulu

Ah, good old times. BTW I was wrong about 1/10, make it 1/1000, as the NSA budget is over 60 billion dollars o_O. We can't compete without encouraging private companies like the Israelis, as they allowed them to sell to any foreign parties/governments too after approval (no need to remind you of the importance of backdoors). With a good idea and a brilliant team it's possible for anyone to start from the minimum level, but not without proper government (read: PA) support.
 

Armchair

NSA - FIA
CIA - ISI

I am guessing cyberwarfare is under strategic division.
 

Counter-Errorist

Auditing and Compliance:

Unlike common perception, cyberdefense is a tediously boring job. It doesn't involve typing faster than your adversary to "hack their mainframe". It involves things like auditing, training sessions where even the speaker can't stop yawning, documenting process/procedures and simply just sitting down and documenting more things. Once we do all that comprehensively enough - we create a defensive counter-intelligence shield.

FIA is a reactive agency. They are structured to respond to activities. We need a dedicated Pak-CERT agency that educates corporations and the public, and audits, certifies, documents and monitors local and global networks.

A comprehensive certification process needs to be written and companies that handle any sort of private unclassified data should require these certifications based on their tier. This can be based on the US NIST-800 draft.

The purpose behind this certification process is to ensure companies that handle any private data take adequate steps to protect it, against leakages, internal and external malicious actors. Periodic re-certification is needed to ensure continued compliance.

It's unrealistic to think we can start with such an ambitious project. But we do need to start - with auditing organizations carrying data sensitive to national security - energy generation (power plants, dams, pipeline operators), airlines, banks, telecoms, research centers, law enforcement, large hospitals and universities, and of course, government institutions.
 

Zarvan

We have to start with whatever we have.
 

Counter-Errorist

Education and Training:

Develop security awareness coursework. Pak-CERT trainers visit certified organizations to train employees to remain vigilant against accidental information leakage, and malicious attempts to disrupt and gain intelligence.

  • Password selection and storage
  • Limiting sharing of information and files
  • Social media vigilance
  • Physical security
  • Detecting phishing attempts
  • Securing own systems, including mobile devices and home networks

Develop advanced coursework for specialized staff. These need to be tailored to functions.

Security awareness is an integral component of a secure organization.

In addition to corporate security, Pak-CERT needs to disseminate educational and engaging videos to the general public to enhance the level of vigilance.
 
Counter-Errorist

I'm currently covering cyberdefense, not information gathering or offense. Defense, as with everything else, requires structural changes - the goal being to build a wall, find and strengthen weak links in the chain.

Public security awareness is a cheap and effective fence. Most people don't understand how much information they are willingly giving out to all these apps and social networks, and how it can be used against them and their country. When was the last time you thought about how many permissions you're giving to the apps installed on your phone? A lot of them ask for access to contacts and messages - that's game over for you.
 

Zulu

Share some possible to-do scenarios, including business-wise; maybe some investor gets attracted. The important thing is always an idea and a proper team. Last year we discussed it on PDF too; the real problem is that after 30 very few have the stamina or time to pursue dreams. We have seen plenty of talent in Pakistan too, as mostly such talent works independently :)) BTW @baqai, mashallah, this brother is an old sinner too.
 

Counter-Errorist

You're looking for a business idea in cyber defense? The problem in Pakistan is that very few take it seriously enough to pay good money for it. That's the reason the talent we have (and we do have some exceptional talent) prefers getting paid in dollars.

I had built a website defacement detector for aeCERT - it would track government websites for any unauthorized change and alert on it - with a siren going off and everything - an important requirement was that it needs to look fanciful for the sheikh. Back then, websites had poor security and lots of them got defaced often. Now with proper auditing and controls, and with secure technology and security awareness among developers, defacements are a low-level threat. I guess this is something someone can build in Pakistan.

Other than simple defacements, there were a few cases where malicious parties had injected fake news in major press release systems that were then sent out globally bypassing their checks - the end result being fake news being spread through a legitimate organization. Think about if someone manages to create a thread on this forum posting as Khafee saying Pakistan is planning to sell nuclear weapons to Israel; it could do some damage. They don't necessarily have to hack Khafee's account. The underlying forum platform could have an exploit. Now think about doing the same on popular news websites. Lots of damage before it gets under control, and even then it would look like a coverup or conspiracy.

Then there's so much work that can be done filtering, analyzing and aggregating public data like twitter feeds, corporate documents posted online, even job openings - to pick up on possible information leakage. Lots of ideas, but for a business to thrive, there needs to be a market.

Good example, I just posted that aeCERT has a defacement detector - this could've been useful information. Though in this case, it was already made public back then.
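The change-tracking idea described in the post above, as an added example (not the aeCERT tool and not code from this thread): it fingerprints each page's visible text and external resources, so rotating tokens and whitespace do not raise alerts while edited text or an injected script does. The URLs, page contents and function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

class _Extractor(HTMLParser):
    """Collect visible text and external resource URLs; skip inline script/style bodies."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.resources, self._skip = [], set(), 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        src = dict(attrs).get("src")
        if tag in ("script", "iframe", "img") and src:
            self.resources.add(f"{tag}:{src}")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(" ".join(data.split()))

def fingerprint(html):
    """SHA-256 over normalised visible text plus the sorted set of external resources."""
    parser = _Extractor()
    parser.feed(html)
    parser.close()
    canon = "\n".join(parser.text) + "\n--\n" + "\n".join(sorted(parser.resources))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def check(baseline, snapshots):
    """Return (url, reason) alerts for pages that differ from the approved baseline."""
    alerts = []
    for url, html in sorted(snapshots.items()):
        if url not in baseline:
            alerts.append((url, "no approved baseline"))
        elif fingerprint(html) != baseline[url]:
            alerts.append((url, "content differs from approved baseline"))
    return alerts

# Constructed sample pages for a hypothetical site (not real data).
APPROVED = ('<html><head><title>Ministry</title><script>var csrf="a1";</script></head>'
            '<body><h1>Press releases</h1><p>Office hours: 9 to 5.</p></body></html>')
ROTATED = APPROVED.replace('csrf="a1"', 'csrf="z9"').replace("<p>", "\n  <p>")
DEFACED = APPROVED.replace("Office hours: 9 to 5.", "Office closed permanently.")
INJECTED = APPROVED.replace("</body>", '<script src="//cdn.invalid/x.js"></script></body>')

BASELINE = {"https://ministry.example/": fingerprint(APPROVED)}

if __name__ == "__main__":
    for name, page in (("rotated", ROTATED), ("defaced", DEFACED), ("injected", INJECTED)):
        print(name, check(BASELINE, {"https://ministry.example/": page}))
```

In a deployment the snapshots would come from a scheduled fetch, and the baseline would be re-recorded only through the site's content approval process.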
 

Counter-Errorist

Physical security:

In addition to electronic security, it's just as crucial to physically secure IT assets. The wireless nature of modern technology increases the range of the requisite security perimeter.

Hacking into a company's wifi network is the simplest form of intrusion. IT networks generally have less-restrictive security policies for those accessing assets from within a network - as opposed to those accessing from outside the network. Once an actor has hacked a company's wifi connection, they are now inside, and the less-restrictive policy applies to them - meaning, more information about assets in the network is available to them and further escalation is now a whole lot easier.

Apart from applying appropriate policies and restrictive authentication to the network, you need to keep the wifi's range restricted to your property. But wifi range extenders are available: an intruder can throw in, or infiltrate and hide, an extender within the building to extend the range of your wifi, thus letting them attack your network from further away. This is one example of why physical security is essential.

There's one interesting case found during a past audit. We found a USB keylogger that connects to the keyboard wire and then itself to the PC. An infiltrator had installed this on the systems of a few board members. Once installed, it would log every key typed on the keyboard and send out the information to a wifi listening device outside the building, which would then forward the information to a private server via a SIM data connection.

In essence, someone was stealing credentials, bank account details, browsing history, documents / emails / chats being typed and whole lot of other information from a company's board members because they'd gained physical access to systems and completely bypassed all their electronic security protocols.

There are plenty of other examples available whereby physical security bypasses comprehensively implemented electronic and IT security measures simply because no one bothered with it. A common one is where companies implement a complex password policy, users fail to remember the passwords and consequently write them down on post-it notes and stick them on their cubicle walls. The other most obvious example is outright theft of assets.

In summary, physical security must be taken into account when planning security of your IT assets.
 