Presentation: CSIRTs for CCIRN

Computer security co-operation in Europe
Karel Vietsch
Based on materials provided by TERENA TF-CSIRT
CCIRN meeting, Cairns, 3 July 2004
Agenda
• Why co-operate?
• History of co-operation
• CSIRT Task Force (TF-CSIRT)
• Benefits:
– Contacts
– Trends and hot issues
• Deliverables, including:
– Accreditation scheme for CSIRTs
– IRT database object
– Clearing House for Incident Handling Tools
– Training course for new CSIRTs
Why Co-operate?
• Security incidents are international
– Must work together to solve them
• No team knows everything
– Share knowledge, resources, tools
– Compare working practices
– Develop best practice & standards
– Provide better and faster service
Historical perspective
• Pre-1990: CSIRTs in isolation (if at all)
• During 1990s: FIRST provides binding:
– Members meet members
– Basic notion of trust
– Exchange of operational information
– Less powerful in initiating innovation
• 1997-1999: EuroCERT pilot service:
– Top-down approach
– Operational work outsourced to third party
• 2000: TF-CSIRT established
Influence of NRENs
• National Research & Education Networks
– Traditionally innovative
– Low commercial profile
• Natural “academic” way of working
– Achievements based on collaboration
– Results shared for society’s benefit
– Free dissemination of expertise
Since 1986: TERENA (see: www.terena.nl)
Creation of TF-CSIRT
• TERENA Task Force:
– Operation defined by Terms of Reference
– Two-year recurring lifecycle with review
– Members and non-members of TERENA
– No membership fee, just travel & hotel costs
– Active participation by members
– Success depends on members’ commitment
– TERENA plays role of professional facilitator:
• Secretarial tasks
• Logistical support
TF-CSIRT way of working
• Meeting every four months
• Venue rotates among members who volunteer to host
• Two days:
– 1st day for seminars and presentations
– 2nd day for Task Force official meeting
• Evening in-between: social event organised by the hosting member
• Contacts between meetings provided by mailing list and project groups
Who is involved?
• Academic, Government, Commercial teams
• 29 countries
[Figure: meeting (3), training (3), both (23)]
Benefits – contacts
• Operational people talk directly to each other
– Trusted contacts for later work
• Little or no formalities, collaborative atmosphere
• Ad-hoc subgroups working on concrete deliverables
• Social event often proves to be a fruitful environment for new ideas
Benefits – trends and hot issues
• Supportive peer review of other members’ organisation and operations
• Members share and consume expertise (a win/win approach)
• Atmosphere of understanding – no team has to fight common problems alone
• Discussing trends and hot issues among peers makes them easier to understand and assess
Wider Co-operation
• European Commission
– Projects (eCSIRT.net, EISPP, TRANSITS)
– Legal handbook for CSIRTs
– Network & Information Security Agency (ENISA)
• National governments
– Government CSIRTs
– Consultation on new legislation
• Law enforcement
– Operations and invited speakers at meetings
• Other regional initiatives
Deliverables and Projects
• Trusted Introducer Service & Directory
• Incident Object Description & Exchange Format
• RIPE IRT object
• Clearing House for Incident Handling Tools
• CSIRT training course (TRANSITS)
Under development
• Incident Information Exchange (eCSIRT.net)
• Vulnerability information exchange (EISPP)
• Assistance to new CSIRTs
• Incident Handling Procedures
Deliverables – Trusted Introducer (http://www.ti.terena.nl/)
• Notion of ‘trust’ – is a contact trustworthy?
• Currently, no scheme generically applicable
• TF-CSIRT to work out a model that it believes fulfils the criteria needed at operational level
• Feasibility and sanity checks
• Now, outsourced to a third party
• TF-CSIRT retains control by TI Review Board
Deliverables – IRT database object
• Commonly perceived problem: correct points of contact in (RIPE) database
• Practical approach:
– what do we miss now?
– how can we design it?
– how can we implement it?
• Wishlist followed by discussion in RIPE database group
• Lots of iterations, but eventually implemented and populated
Deliverables – CHIHT (http://chiht.dfn-cert.de/)
• Clearing House for Incident Handling Tools
• Share information on tools CSIRTs use
– Help new and existing teams
• Website listing tools by category
– Evidence gathering & investigation, system recovery, CSIRT operations, remote access, proactive tools
– Plan to add procedures and best practice
• Contents suggested by active CSIRTs
Deliverables – TRANSITS (http://www.ist-transits.org/)
• Idea: best transfer of knowledge is from operational people to operational people
• Conclusion: best people to write it are TF-CSIRT members
• Two-day course developed in modules:
– Operational, legal, technical, organisational, vulnerabilities
• EC funding for delivery and updating
– Six presentations over three years
– Materials available to members for own use