
BSides Sofia 2022: Keynote

BSides Sofia · 2022 · 11:15 · Published 2022-04
Style: Keynote
About this talk
BSides Sofia 2022: Keynote by Bozhidar Bozhanov, Minister of e-Government

Good afternoon everyone, I hope we can hear each other. Dear Mr. Bozhanov, Minister of Electronic Management of the Republic of Bulgaria, dear colleagues, friends, guests, welcome to the National University of the World of Technology, to this international conference on cybersecurity, so important for us and for you. I am Kirov, I am the Deputy Director of Digitalization and Cybersecurity. And allow me, on behalf of the Rector, Professor Dimitar Dimitrov, and on behalf of the entire Rector's leadership, to welcome you to our University. Feel at home. I hope that many useful reports, discussions, comments will come out from this conference and we will draw on the efforts for the development of this area in the future.

Our university has put a lot of effort in the last years to modernize our education, to move forward with the latest trends, to be extremely useful to our students, so that they are as well prepared for the labor market. And because of this reason we are developing a very successful master program in cyber security management. We are convinced and we want to expand significantly the training of students in this direction and in general in this direction, because we realize that these challenges in real business and real life are getting bigger and bigger, and when they graduate from the university they must be prepared for this environment. For this reason we did not think about the moment when the organizers suggested, because we believe that this fits very well into our policy to develop the education of young people, to help them to realize that these things are a problem that should be dealt with, to realize and know the latest trends in this area and in general to be able to successfully realize themselves when they finish.

I won't talk for too long. Let me give the floor to Minister Bozhanov for the introduction to the conference. Please, come in.

Thank you for the invitation and for the hospitality. Usually, a minister is expected to come and say a few good words, to greet, to wish good luck and to leave. But I have been talked about a lot at the Cyber Security Conference, so I will deal with some details. I will start with the things we have done in the last few months. First, I had the opportunity to choose between the blue and red door. I chose the blue one so that it is clear that we are on the side of the blue team, not the red team.

The interesting thing starts from January 1st, when a bug appeared in Microsoft Exchange, which meant that you can't get an email because of the anti-malware plugin on Exchange. Which is not very good, but in the administration of most places we rely only on it, because no one has taken other adequate software. On January 1st I had a detailed conversation with colleagues from the Ministry to decide whether to stop the emails, that is, to leave the unworking emails until Microsoft releases a fix, or to stop the malware plugin and, accordingly, everyone in the administration got infected. Fortunately, Microsoft in the last days released a patch, so our decision turned out to be right not to stop the anti-malware plugin. But from then on we continued with many other tasks that seem simple, fast and easy. In the administration they take a little more time. And the sad thing is that so far they have not happened and that we had to make such basic steps for days and weeks.

Naturally, we subscribed to Shodan and Shadowserver, things that the administration didn't have at the moment. At the moment we receive reports from both of them for open ports. We installed all the RDP ports, or at least I have arranged. Again, basic things. I mean, the organization can't have 40 open RDP ports, but there were. We subscribed to all domains of the country, maybe over 500, in Have I Been Pwned. In communication with Troy Hunt, I think we are the third country or something like that, which communicated with him directly and sent him a list. Of course, this functionality is free and accessible through the interface, but in order not to manually confirm 500 domains, it acts to centralize them.

We sent a letter to all the administrations to manage DKIM, SPF and DMARC settings. Now, a letter from a minister with so many technological terms in it, maybe it is unusual, but we actually protect the citizens from phishing, because phishing emails from the Ministry domains are sent in time, which do not have SPF and DKIM records, respectively, the mail servers say to me that this is probably OK to be sent from this IP.

We added DDoS to the state's protected internet network. The state has a protected internet network and it must have DDoS to protect all administrative practices. We migrated those that were not transferred through the network. So, if there is DDoS, we have adequate protection so that even smaller attacks do not come to us.

We took out compromise indicators from threat intelligence feeds connected with Russia and Belarus and blocked them at the ISP level, in any case. This is maybe not enough. It is clear that Russian and Belarusian hackers do not use only Russian and Belarusian IPs, far from that. But since there was already an active illegal activity from them, in any case, on the state firewall, so to speak, 500, 600 ISPs received this list. We are renewing it because the Ministry has a network of honeypots that collects such IPs and we are renewing this list. For now, we have renewed it once with another 2,500 thinkers.

And something that we should thank the people who are here among us, we gather volunteers for pen tests. I say volunteers, there is a formal civil contract to arrange the duties and responsibilities on both sides, of course, but the payment is so sub-market, so to speak, minimal, so it is in practice volunteer work. It took me a little more time than I wanted with the voting of all the ministries that have to submit it, but since Monday we have been submitting to the volunteers who have expressed their wishes. If any of you have a wish, you can express it. Probably the organizers will help me with that. Thank you.

Now, it would be nice for the state to have a responsible disclosure of the rules. In 2016, when I participated in the introduction of the Cybersecurity Law, I introduced the Law on Electronic Management and I requested the state to publish such rules. Only in 2019, when the Cybersecurity Law was introduced, this has fallen off. It has run off the channel. Now we plan to publish such rules, one way or another, even if we do not have a request from the law, but we will put it in the Cybersecurity Law at the next editorial this year. So those who want to contribute responsibly and voluntarily, not to worry that someone may knock on their door.

And now we come to the issue with people. I rely a lot on the Directorate of Network Information Security in the Ministry. There are competent and prepared people, but they are few. For the responsibilities and the authority that the Ministry has, people are needed. That's why we impose things on volunteers, because we can't do everything ourselves, but this problem with people is not only in the public sector, it is also in the private sector. Unfortunately, we are few of those who understand in detail this matter. And that's why the medium-term and long-term policy that I want to introduce, and thanks to UNSS that we had a meeting on this topic that day, to increase the capacity through education, through courses, through training, not only in the administration, but in general. The administration will win some part of those people who will produce the educational system, the other will go to the private sector, as it should, but we need to have people who will keep public systems and of course private ones.

Because there will be a lot of technology, vendors will release a lot of XDR, XCM and all sorts of other shortcuts, but in the administration especially, there are not enough people who know what to do with these things. There are no security analysts, there are no people who can configure it. As I said, there are not enough people. There are white leaves here that we rely on, but they still have to. And this is actually my message, that we have to develop the people, we have to develop the community, these people to talk to each other, to exchange ideas and experience. This sounds common, sounds like something hard political, but actually it is super important in practice.

At the moment we are supporting things in the country, because they have not been supported for many years, but after the support regime we will move to the regime of capacity development, long-term policies for building a community, a much larger community of experts in cybersecurity. Thank you.