CCIRN meeting, Cairns, 3 July 2004

Computer security co-operation in Europe

Karel Vietsch

vietsch@terena.nl

Based on materials provided by TERENA TF-CSIRT

Agenda

• Why co-operate?
• History of co-operation
• CSIRT Task Force (TF-CSIRT)
• Benefits:
  – Contacts
  – Trends and hot issues
• Deliverables, including:
  – Accreditation scheme for CSIRTs
  – IRT database object
  – Clearing House for Incident Handling Tools
  – Training course for new CSIRTs

Why Co-operate?

• Security incidents are international
  – Must work together to solve them
• No team knows everything
  – Share knowledge, resources, tools
  – Compare working practices
  – Develop best practice & standards
  – Provide better and faster service

Historical perspective

• Pre-1990: CSIRTs in isolation (if at all)
• During 1990s: FIRST provides binding:
  – Members meet members
  – Basic notion of trust
  – Exchange of operational information
  – Less powerful in initiating innovation
• 1997-1999: EuroCERT pilot service:
  – Top-down approach
  – Operational work outsourced to third party
• 2000: TF-CSIRT established

Influence of NRENs

• National Research & Education Networks
  – Traditionally innovative
  – Low commercial profile
• Natural “academic” way of working
  – Achievements based on collaboration
  – Results shared for society’s benefit
  – Free dissemination of expertise

Since 1986: TERENA (see: www.terena.nl)

Creation of TF-CSIRT

• TERENA Task Force:
  – Operation defined by Terms of Reference
  – Two years recurring lifecycle with review
  – Members and non-members of TERENA
  – No membership fee, just travel & hotel costs
  – Active participation by members
  – Success depends on members’ commitment
  – TERENA plays role of professional facilitator:
    • Secretarial tasks
    • Logistical support

TF-CSIRT way of working

• Meeting every four months
• Venue rotates among members who volunteer to host
• Two days:
  – 1st day for seminars and presentations
  – 2nd day for Task Force official meeting
• Evening in-between: social event organised by the hosting member
• Contacts between meetings provided by mailing list and project groups

Who is involved?

• Academic, Government, Commercial teams

• 29 countries

[Map legend: meeting (3), training (3), both (23)]

Benefits - contacts

• Operational people talk directly to each other
  – Trusted contacts for later work

• Little or no formalities, collaborative atmosphere

• Ad-hoc subgroups working on concrete deliverables

• Social event often proves to be a fruitful environment for new ideas

Benefits – trends and hot issues

• Supportive peer review of other members’ organisation and operations

• Members share and consume expertise (a win/win approach)

• Atmosphere of understanding – no team has to fight common problems alone

• Discussing trends and hot issues among peers makes them easier to understand and assess

Wider Co-operation

• European Commission
  – Projects (eCSIRT.net, EISPP, TRANSITS)
  – Legal handbook for CSIRTs
  – Network & Information Security Agency (ENISA)
• National governments
  – Government CSIRTs
  – Consultation on new legislation
• Law enforcement
  – Operations and invited speakers at meetings
• Other regional initiatives

Deliverables and Projects

• Trusted Introducer Service & Directory
• Incident Object Description & Exchange Format
• RIPE IRT object
• Clearing House for Incident Handling Tools
• CSIRT training course (TRANSITS)

Under development
• Incident Information Exchange (eCSIRT.net)
• Vulnerability information exchange (EISPP)
• Assistance to new CSIRTs
• Incident Handling Procedures

Deliverables – Trusted Introducer (http://www.ti.terena.nl/)

• Notion of ‘trust’ – is a contact trustworthy?
• Currently, no scheme generically applicable
• TF-CSIRT to work out a model of which it believes it fulfills criteria needed at operational level
• Feasibility and sanity checks
• Now, outsourced to a third party
• TF-CSIRT retains control by TI Review Board

Deliverables – IRT database object

• Commonly perceived problem: correct points of contact in (RIPE) database

• Practical approach:
  – what do we miss now?
  – how can we design it?
  – how can we implement it?

• Wishlist followed by discussion in RIPE database group

• Lots of iterations, but eventually implemented and populated

Deliverables – CHIHT (http://chiht.dfn-cert.de/)

• Clearing House for Incident Handling Tools
• Share information on tools CSIRTs use
  – Help new and existing teams
• Website listing tools by category
  – Evidence gathering & investigation, system recovery, CSIRT operations, remote access, proactive tools
  – Plan to add procedures and best practice
• Contents suggested by active CSIRTs

Deliverables – TRANSITS (http://www.ist-transits.org/)

Idea: best transfer of knowledge is from operational people to operational people

• Conclusion: best people to write it are TF-CSIRT members

• Two day course developed in modules:
  – Operational, legal, technical, organisational, vulnerabilities
• EC funding for delivery and updating
  – Six presentations over three years
  – Materials available to members for own use
