Computer security co-operation in Europe
CCIRN meeting, Cairns, 3 July 2004
Computer security co-operation in Europe
Karel Vietsch
Based on materials provided by TERENA TF-CSIRT
Agenda
• Why co-operate?
• History of co-operation
• CSIRT Task Force (TF-CSIRT)
• Benefits:
  – Contacts
  – Trends and hot issues
• Deliverables, including:
  – Accreditation scheme for CSIRTs
  – IRT database object
  – Clearing House for Incident Handling Tools
  – Training course for new CSIRTs
Why Co-operate?
• Security incidents are international
  – Must work together to solve them
• No team knows everything
  – Share knowledge, resources, tools
  – Compare working practices
  – Develop best practice & standards
  – Provide better and faster service
Historical perspective
• Pre-1990: CSIRTs in isolation (if at all)
• During 1990s: FIRST provides binding:
  – Members meet members
  – Basic notion of trust
  – Exchange of operational information
  – Less powerful in initiating innovation
• 1997-1999: EuroCERT pilot service:
  – Top-down approach
  – Operational work outsourced to third party
• 2000: TF-CSIRT established
Influence of NRENs
• National Research & Education Networks
  – Traditionally innovative
  – Low commercial profile
• Natural “academic” way of working
  – Achievements based on collaboration
  – Results shared for society’s benefit
  – Free dissemination of expertise
Since 1986: TERENA (see: www.terena.nl)
Creation of TF-CSIRT
• TERENA Task Force:
  – Operation defined by Terms of Reference
  – Two years recurring lifecycle with review
  – Members and non-members of TERENA
  – No membership fee, just travel & hotel costs
  – Active participation by members
  – Success depends on members’ commitment
  – TERENA plays role of professional facilitator:
    • Secretarial tasks
    • Logistical support
TF-CSIRT way of working
• Meeting every four months
• Venue rotates among members who volunteer to host
• Two days:
  – 1st day for seminars and presentations
  – 2nd day for Task Force official meeting
• Evening in-between: social event organised by the hosting member
• Contacts between meetings provided by mailing list and project groups
Who is involved?
• Academic, Government, Commercial teams
• 29 countries
[Figure legend: meeting (3), training (3), both (23)]
Benefits - contacts
• Operational people talk directly to each other
  – Trusted contacts for later work
• Little or no formalities, collaborative atmosphere
• Ad-hoc subgroups working on concrete deliverables
• Social event often proves to be a fruitful environment for new ideas
Benefits – trends and hot issues
• Supportive peer review of other members’ organisation and operations
• Members share and consume expertise (a win/win approach)
• Atmosphere of understanding – no team has to fight common problems alone
• Discussing trends and hot issues among peers makes them easier to understand and assess
Wider Co-operation
• European Commission
  – Projects (eCSIRT.net, EISPP, TRANSITS)
  – Legal handbook for CSIRTs
  – Network & Information Security Agency (ENISA)
• National governments
  – Government CSIRTs
  – Consultation on new legislation
• Law enforcement
  – Operations and invited speakers at meetings
• Other regional initiatives
Deliverables and Projects
• Trusted Introducer Service & Directory
• Incident Object Description & Exchange Format
• RIPE IRT object
• Clearing House for Incident Handling Tools
• CSIRT training course (TRANSITS)
Under development
• Incident Information Exchange (eCSIRT.net)
• Vulnerability information exchange (EISPP)
• Assistance to new CSIRTs
• Incident Handling Procedures
Deliverables – Trusted Introducer (http://www.ti.terena.nl/)
• Notion of ‘trust’ – is a contact trustworthy?
• Currently, no scheme generically applicable
• TF-CSIRT to work out a model which it believes fulfils the criteria needed at operational level
• Feasibility and sanity checks
• Now, outsourced to a third party
• TF-CSIRT retains control by TI Review Board
Deliverables – IRT database object
• Commonly perceived problem: correct points of contact in (RIPE) database
• Practical approach:
  – what do we miss now?
  – how can we design it?
  – how can we implement it?
• Wishlist followed by discussion in RIPE database group
• Lots of iterations, but eventually implemented and populated
Deliverables – CHIHT (http://chiht.dfn-cert.de/)
• Clearing House for Incident Handling Tools
• Share information on tools CSIRTs use
  – Help new and existing teams
• Website listing tools by category
  – Evidence gathering & investigation, system recovery, CSIRT operations, remote access, proactive tools
  – Plan to add procedures and best practice
• Contents suggested by active CSIRTs
Deliverables – TRANSITS (http://www.ist-transits.org/)
Idea: best transfer of knowledge is from operational people to operational people
• Conclusion: best people to write it are TF-CSIRT members
• Two day course developed in modules:
  – Operational, legal, technical, organisational, vulnerabilities
• EC funding for delivery and updating
  – Six presentations over three years
  – Materials available to members for own use