NIRS Study Tour

FAQ 4_Cyber Security Management System

Date: 2021/04/27
1. Tell us about the cyber security management system of NIRS as a national IDC.

NIRS was established as the world's first integrated government data center to provide central government agencies not only with integrated information resource operation services but also with comprehensive security management and other common services in a highly secure and stable environment.

NIRS is equipped with efficient defense systems against various types of cyber threats. A multi-layered defense system handles attacks such as web hacking and DDoS at the front line. Behind it, a Big Data based security management system analyzes and processes all the data. That Big Data system is currently being transformed into an A.I. based next-generation security architecture.

Through these new systems, a large number of cyber attacks are blocked automatically in real time and analyzed thoroughly with various analysis tools, which goes well beyond simply operating security devices. NIRS also carries out various kinds of mock drills on a regular basis.



2. Could you explain the major responsibilities of NIRS in the national cyber crisis defense structure?

The Republic of Korea established the National Cyber Security Center (NCSC) in 2013. Recognizing cyber crises as one of the serious threats to national security, it organizes and operates a joint civilian, government and military cyber threat response group centered on the National Cyber Security Secretaries.

The response team spans the national defense, private, administrative and financial sectors, and each sector operates its own security operation center. The head of NIRS issues warnings at one of five levels, normal, attentive, cautious, alert and serious, taking into account the ramifications and damage of attacks aimed at government administration.

The 'serious' level is issued in consultation with the Director of the National Cyber Security Center (NCSC) when critical harm to national security is expected to be unavoidable. Appropriate measures such as intensive monitoring or emergency on-call duty are taken according to the warning level.



3. How does NIRS conduct system health checks?

NIRS used to employ commercial software to monitor system health status; since 2018, however, it has been using in-house designed Big Data based system monitoring schemes.

The Big Data based system status monitoring platforms that NIRS has implemented and operates are as follows:
- nSIMS (national Security Information Management System): a Big Data based log analysis system that collects and analyzes system information (outages, resource usage rates, error logs and more), detects events and transfers them to nTEMS
- nTEMS (national Total Event Management System): disseminates system status to the staff in charge, manages events by conducting event impact analysis and confirming system recovery, and transfers events to nTOPS
- nTOPS (national Total Operation Platform System): analyzes the cause of events, registers the results of follow-up measures and more
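The three-stage flow described above (collection and detection, then impact analysis and dissemination, then cause analysis and follow-up registration) can be modelled end to end in a few functions. The block below is an added illustration written for this page, not NIRS's own nSIMS/nTEMS/nTOPS code: the status records, the detection thresholds, the severity rule (a down host or three or more dependent services is "high") and the findings table are all constructed assumptions.

```python
"""Toy model of a three-stage monitoring flow: detect -> triage/notify -> register cause.
Added illustration, not NIRS code; records, thresholds and findings are constructed."""
from dataclasses import dataclass
import json

# Constructed sample status records, one JSON line per host, as a collector might emit them.
SAMPLE_STATUS_LINES = [
    '{"host": "web-01", "up": true,  "cpu_pct": 42, "error_logs": 0,  "services": ["portal"]}',
    '{"host": "db-02",  "up": true,  "cpu_pct": 97, "error_logs": 3,  "services": ["portal", "tax"]}',
    '{"host": "app-03", "up": false, "cpu_pct": 0,  "error_logs": 0,  "services": ["tax", "welfare", "payroll"]}',
    '{"host": "app-04", "up": true,  "cpu_pct": 55, "error_logs": 25, "services": ["welfare"]}',
]

CPU_THRESHOLD = 90        # assumed detection thresholds
ERROR_LOG_THRESHOLD = 20


@dataclass
class Event:
    host: str
    kind: str              # "down", "cpu" or "error_logs"
    detail: str
    impact: int = 0        # filled in by the triage stage
    severity: str = ""     # filled in by the triage stage
    root_cause: str = ""   # filled in by the registration stage
    recovered: bool = False


def nsims_detect(lines):
    """Stage 1 (nSIMS-like): parse collected status, apply detection rules, emit events."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if not rec["up"]:
            events.append(Event(rec["host"], "down", "host not responding"))
            continue  # a down host reports no meaningful resource readings
        if rec["cpu_pct"] >= CPU_THRESHOLD:
            events.append(Event(rec["host"], "cpu", f"cpu at {rec['cpu_pct']}%"))
        if rec["error_logs"] >= ERROR_LOG_THRESHOLD:
            events.append(Event(rec["host"], "error_logs", f"{rec['error_logs']} error lines"))
    return events


def ntems_triage(events, lines, notify):
    """Stage 2 (nTEMS-like): impact analysis (services riding on the host), severity, dissemination."""
    services_by_host = {json.loads(l)["host"]: json.loads(l)["services"] for l in lines}
    for ev in events:
        ev.impact = len(services_by_host.get(ev.host, []))
        if ev.kind == "down" or ev.impact >= 3:
            ev.severity = "high"
        elif ev.impact == 2:
            ev.severity = "medium"
        else:
            ev.severity = "low"
        notify(ev)  # disseminate to the staff in charge (here: collect into a list)
    # Highest severity first so the worst event is at the top of the queue.
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(events, key=lambda e: (order[e.severity], e.host))


def ntops_register(events, findings):
    """Stage 3 (nTOPS-like): attach root cause and follow-up result; close only once recovered."""
    closed = []
    for ev in events:
        cause, recovered = findings.get((ev.host, ev.kind), ("under investigation", False))
        ev.root_cause, ev.recovered = cause, recovered
        if recovered:
            closed.append(ev)
    return closed


def run_pipeline(lines=SAMPLE_STATUS_LINES, findings=None):
    """Run all three stages; returns (triaged events, notifications sent, closed events)."""
    notifications = []
    events = nsims_detect(lines)
    events = ntems_triage(events, lines, notifications.append)
    closed = ntops_register(events, findings or {})
    return events, notifications, closed


if __name__ == "__main__":
    findings = {("app-03", "down"): ("power supply failure, node replaced", True)}
    events, notes, closed = run_pipeline(findings=findings)
    for ev in events:
        print(f"{ev.severity:6} {ev.host:7} {ev.kind:10} impact={ev.impact} {ev.detail} | {ev.root_cause}")
    print(f"{len(closed)} of {len(events)} events closed")
```

Note that an event is only closed once recovery has been confirmed, matching the "assuring system recovery" responsibility of the event management stage; an event with no registered finding stays open as "under investigation".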



4. How does NIRS support its 45 client institutions when a security incident happens?

(Initial Response) When a cyber attack such as hacking or DDoS hits a client agency, the NIRS CERT is called in to carry out the initial response. The corresponding institution is notified, and, where required, the incident is reported to higher institutions such as the Presidential Office (BH), the National Cyber Security Center (NCSC) and the National Intelligence Service and handled jointly according to the degree of damage and its scope of impact.

(Incident Investigation) The incident is examined by collecting the related logs and conducting digital forensics to determine the root cause, the extent of the damage, and how to recover and prevent recurrence.

(Follow-up Measures) Follow-up measures are managed by updating and improving response procedures, the service recovery organization and related technologies.



5. Does NIRS have strategies specifically for managing supply chain attacks?

To manage supply chain attacks, which spread through malicious code inserted into legitimate software during the development and distribution stages, NIRS has a rule that software security patches and related policies are not updated directly over the Internet.

NIRS checks firewall policy usage on a regular basis and blocks unnecessary policies. The Internet and the intranet are physically separated to inhibit hacking activities that come through the Internet.

At the same time, NIRS continues to run vulnerability checks on client institutions' websites, and in the event of an incident it operates its CERT and works closely with the National Cyber Security Center (NCSC).
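The regular firewall policy usage check mentioned above is a routine a defender can script: export the rule table, find rules that have expired or have not matched traffic for a defined idle period, and disable them (rather than delete them, so a rule for a rarely used service can be restored quickly). The block below is an added example, not NIRS's own tooling: the rule schema, the 90-day idle period and the "keep" flag for rules that are reviewed separately are assumptions, and the rules themselves are constructed.

```python
"""Added example of a periodic firewall policy usage review (not NIRS code).
Rule schema, idle period and all rule data are constructed assumptions."""
from datetime import date, timedelta

# Constructed export of a firewall policy table as a review script might read it.
RULES = [
    {"id": 10, "src": "10.1.0.0/16", "dst": "10.2.5.10",  "port": 443,  "last_hit": "2021-04-26", "expires": None,         "enabled": True,  "keep": False},
    {"id": 11, "src": "10.1.7.0/24", "dst": "10.2.9.3",   "port": 22,   "last_hit": "2020-11-02", "expires": None,         "enabled": True,  "keep": False},
    {"id": 12, "src": "10.3.0.0/16", "dst": "10.2.5.20",  "port": 8080, "last_hit": None,         "expires": "2021-01-31", "enabled": True,  "keep": False},
    # "keep" marks a rule that is reviewed by hand (e.g. an emergency access rule) and never auto-disabled.
    {"id": 13, "src": "10.9.9.9",    "dst": "10.2.0.0/16", "port": 3389, "last_hit": None,         "expires": None,         "enabled": True,  "keep": True},
    {"id": 14, "src": "10.1.0.0/16", "dst": "10.2.5.11",  "port": 443,  "last_hit": "2021-04-20", "expires": None,         "enabled": False, "keep": False},
]


def review_rules(rules, today, idle_days=90):
    """Classify every enabled rule as 'expired', 'unused', 'active' or 'keep'.

    A rule is unused when it has never matched traffic or has not matched within
    idle_days. Disabled rules are skipped; 'keep' rules are listed but never touched.
    """
    cutoff = today - timedelta(days=idle_days)
    findings = {"expired": [], "unused": [], "active": [], "keep": []}
    for r in rules:
        if not r["enabled"]:
            continue
        if r["keep"]:
            findings["keep"].append(r["id"])
        elif r["expires"] and date.fromisoformat(r["expires"]) < today:
            findings["expired"].append(r["id"])
        elif r["last_hit"] is None or date.fromisoformat(r["last_hit"]) < cutoff:
            findings["unused"].append(r["id"])
        else:
            findings["active"].append(r["id"])
    return findings


def disable_rules(rules, ids):
    """Return a copy of the rule table with the given rules disabled (not deleted)."""
    ids = set(ids)
    out = []
    for r in rules:
        r = dict(r)  # copy so the exported table is left untouched for the audit trail
        if r["id"] in ids:
            r["enabled"] = False
        out.append(r)
    return out


if __name__ == "__main__":
    today = date(2021, 4, 27)
    findings = review_rules(RULES, today)
    for category, ids in findings.items():
        print(f"{category:8}: {ids}")
    updated = disable_rules(RULES, findings["expired"] + findings["unused"])
    print("disabled:", [r["id"] for r in updated if not r["enabled"]])
```

Running the review against the constructed table with a review date of 2021-04-27 reports rule 12 as expired, rule 11 as unused, rule 10 as active and rule 13 as kept for manual review; the disabling step then produces a new table in which rules 11 and 12 join the already disabled rule 14.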



6. Could you share some of the ways NIRS keeps internal data safe?

To prevent internal data from leaking, NIRS encrypts all documents so that they cannot be used outside even if they happen to be disclosed.

As a basic rule, most portable storage devices such as USB drives, laptops and hard drives, as well as paper documents, may not be physically carried in or out, which cuts off a possible leakage channel at its root.

On top of that, account management for access to security equipment has been reinforced to control unauthorized access. Retired employees' email accounts are deleted within a week of their official leaving date.



7. How is newly collected threat information managed?

NIRS collects threat information from home and abroad in real time. The compiled information is identified and investigated through a comprehensive internal analysis scheme and then classified as harmful or not. The approved response policies for new risks are applied to internal systems and verified again with the Big Data and A.I. systems.



8. Does NIRS operate a Bounty Program?

Because the multi-layered defense systems of NIRS hardly allow any external activity to get in, it is structurally quite difficult to discover internal vulnerabilities from the outside. NIRS does not operate a bounty program that hires hackers to find internal weaknesses, since it has a system that finds and manages vulnerabilities proactively on its own.



9. Could you tell us about the state of NIRS's cooperation in the area of cyber security management?

As a national IDC hosting a large number of major government information resources in Korea, NIRS conducts intensive joint cyber crisis drills with private ISP companies. It also runs nationwide cyber threat information sharing systems to proactively catch signs of new security threats in advance, as well as collaborative committees to ensure effective coordination in any contingency.

In addition, since 2020 it has completed the implementation of an A.I. based external threat collection and analysis intelligence system, which gives it more precise and prompt cyber threat analysis capability.



10. Does NIRS have to worry about losing monitoring agents when A.I. technology is applied to the cyber security management system?

NIRS does not need to worry about letting them go when the A.I. system is put in place. Instead, those monitoring agents will take on more advanced tasks such as A.I. modelling or investigating new attack techniques in place of their current, relatively simple responsibilities. Our goal is to strengthen the system dramatically in both processing scope and speed.

The ultimate objective of the A.I. project is not to replace people with machines, but to help people work more efficiently and to expand into areas that limitations of time and resources used to put out of reach.



11. Will the A.I. system of NIRS be used only in the security management area?

NIRS aims for the platform to be universal in nature so that it can run many different models in different environments. For now, NIRS still treats cyber security management as the priority application of the technology; however, it expects the system to take on other assignments step by step, such as forecasting incidents or carrying out simple internal tasks like approving firewall tickets (about 100 cases per day).

The system is intended to serve a variety of objectives in different fields.



12. What sorts of obstacles can NIRS anticipate while applying A.I. technology to, and operating it within, the current systems?

The initial drawback NIRS dealt with when implementing the A.I. system was that it needed more resources to operate, since the legacy systems had to be run at the same time.

A.I. is much like a baby that needs a learning period, which definitely demands more resources, such as staff to take care of the existing systems and to carry out the additional study and analysis duties. For instance, it is expected to take about 6 months to create a primary model and 2 years to make it advanced.



13. What benefits can NIRS expect from newly implementing the A.I. based security management system?

First of all, processing scope will expand from the current roughly two hundred thousand events per day to over ten million. Processing speed will also improve from 10 minutes per event to 30 seconds. On top of that, the capability to respond to unknown attacks will definitely improve through the practice of detecting anomalies against normal behavior.

NIRS expects such innovation to bring a reduction in risk costs worth around 4.5 to 9 billion US dollars.



14. Is there any new information security management scheme to prepare for the future?

In the past, the security industry was largely divided into two categories, physical security and information security. However, advances in technology are widening the points of contact between the two domains. NIRS has created a new information security management system called 'nAEGIS' that comprehensively covers both.

NIRS is reengineering its information security management organization and arrangements to best suit the cloud environment. It is working not only to extend its security management scheme from the current network-oriented one to host areas such as servers (endpoint security), but also to build an artificial intelligence-based security system for the future environment.



15. Do you have any suggestions to share on effectively managing the increasing number of attacks and the advanced nature of global cyber threats?

Intelligent, large-scale cyber attacks are quite difficult to detect or block in advance at the level of an individual or even a single country.

Therefore, to respond effectively to those threats, establishing an international cooperation system is considered essential. It would help partners plan strategies together when incidents happen and make it possible to set up a mutual information sharing system that catches and blocks new threats across public-private boundaries.

To operate the various global cooperation bodies in the area of cyber threat management successfully, NIRS believes it is also important to build a reliable governance scheme based on mutual trust. In such activities, not only the quantity of information shared but also the accuracy and credibility of the data are important properties that deserve careful consideration.

Practical hands-on cooperation, such as mutual exchange exercises, exchanges of specialists, more joint new-technology development projects, and joint seminars for sharing best practices and know-how, should not be neglected as constructive means of building trust.

