Activities About MOCERT Introduction

• World Wide Web: http://www.moncirt.org.mn

1.1.1. Establishment

MonCIRT was established in 2006 as an NGO. From 2006 until 2013 MonCIRT operated as the sole national CSIRT of Mongolia. In December 2011 the Government of Mongolia established the National Cyber Security Authority, and all government entities are covered by this organization. Since 2014 MonCIRT has acted as the focal point for cyber security for private persons, entities and the business sector.

1.1.2. Workforce

MonCIRT currently has a total of 6 permanent staff: 1 executive director, 3 experts, 1 bookkeeper and 1 system administrator. Due to a lack of financial support and self-financing, we constantly feel a shortage of qualified experts.

1.1.3. Constituency

Currently MonCIRT's constituency encompasses the business sector of Mongolia, because government organizations are covered by the Cyber Security Authority of Mongolia by law. Our constituency therefore consists of business companies, private sector organizations, NGOs and the general public. We work closely with Chief Information Officers and system administrators in the business sector. In 2014 we approved MonCIRT's new regulations and procedures and launched a new web site and email system.

2. Activities Operations

2.1. Activities

The summary of activities carried out by MonCIRT during the year 2014 is given in the following table:

Activities                                               Year 2014
Security Incidents handled                               193
Security Alerts issued                                   105
Advisories Published                                     9
Vulnerability Notes Published                            36
Security Guidelines Published                            1
Trainings Organized                                      4
Mongolian Website Defacements tracked and advised        32
Open Proxy Servers tracked                               3
Bot Infected Systems tracked                             424
Phishing mirror web sites tracked and removed            6
Projects                                                 1

This part of the report describes the statistics of team activities and security incident reports handled by MonCIRT, both from external and internal sources. In 2014 MonCIRT manually handled 193 incidents. Similarly to previous years, most of them were related to fraud (around 48), malware (nearly 26) and spam (over 13). Mostly, submitters and victims were coming from IPs belonging to companies (61.8 and 49 respectively) and were usually foreign (80.3 and 40.3), while the attackers were unknown in 88.6 of the cases.

In 2014 we registered a large number of identity theft incidents. The scale of the problem was similar to that in 2013. It should be emphasized that these were phishing incidents, both where the sites were located on Mongolian servers and where the attack targeted Mongolian institutions. From the global perspective, the scale of the problem was much larger. In June and July we observed an increasing number of phishing attacks launched against customers of on-line banking and social sites. Criminals were sending emails, allegedly in the name of the bank, on a mass scale.

However, the most serious attacks on Mongolian on-line banking customers were launched with the use of malicious software such as ZeuS or Citadel. The attacks were carried out in several scenarios. In the first one, criminals sent a fake message which informed the victim about an incorrect wire transfer and an obligation to return the funds (of course, to the money mule's account).
In another scenario, when a user wanted to perform a wire transfer, malicious software changed the number of the target account. Phishing attacks overwhelmingly come from popular and trusted web sites hacked by cybercriminals.

From January through December 2014, MonCIRT received 286 email messages and more than 130 hotline calls reporting computer security incidents or requesting information. In 108 of these messages the information was related to real incidents, and we provided recommendations. We received 34 vulnerability reports and handled 37 computer security incidents during this period. We cannot retrieve incident handling statistics from organizations and administrators due to executives' restrictions.

We continue to provide advice to system administrators in the Internet community who report security problems. We are now working on establishing a regular chat system with administrators of organizations and on offering information on the state of Internet security to system administrators, network managers, and others in the Internet community.

2.2. Threats