The CSIRT initiative
Gorazd Božič
ARNES SI-CERT, Jamova 39, Ljubljana, Slovenia
gorazd.bozic@arnes.si
NATO ANW, Ljubljana, 15.9.2001
Outline of the presentation
• security issues
• what is CSIRT
• overview of collaboration efforts
• TERENA TF-CSIRT

How much security?
• a trade-off: convenience vs. security

Goals
• secure data storage
• secure information exchange
• ensure uninterrupted operation of services
• enable recovery after an incident

Examine stereotypes
• you have to be paranoid to do it properly
  • Not exactly. A paranoid person could spend a lot of time on improbable scenarios: conspiracy theories and other obscurities.
• you have to be an outstanding technical expert
  • It helps, but it is not a necessity. You have to be familiar with the fundamentals and have the proper experience.
• more security is always the way to go
  • Wrong. Banks could lower the possibility of theft by performing strip searches of all customers, and thus lose all their customers.

Threats
• stolen / altered / erased information
  • sensitive information
  • information needed for normal operations
• unstable operation of services
  • loss of customers
  • system becomes de facto unusable
• public exposure
  • confidential information from databases made public
  • details of the attack on our site are on the evening news

The attacker
• hacker / cracker / “script kiddie”
  • age: 15-25 years, limited social life, “rebelling against the system” self-image, seeks affirmation within the “cyber-community”
• vandal
  • angry at something / somebody, motivation not always known
• insider
  • disgruntled or bribed employee / student / staff member
• industrial espionage, terrorism
  • hired specialist, motivation: financial or political gain

Common scenario of the attack
• find a scanner for the latest OS/server vulnerabilities and scan a wide range of address space
• use available exploits to gain access (http://www.securityfocus.com/, Bugtraq mailing list)
• hide yourself on the attacked host
• prepare the system for future use
  • install sniffers to collect passwords
  • install DDoS tools
Measures to take
• packet filtering
• content filtering
• application-level protection
• encryption
• tracking down the intruder
• preventing further attempts
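The wide-range scan from the attack scenario above, seen from the defender's side: an added example (not from the slides) that reads constructed packet-filter log lines and flags a source address reaching many distinct destinations within a short window, the kind of evidence a CSIRT attaches to a report when tracking down the intruder. The log format is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed packet-filter log lines (not from the slides). Assumed format:
# "<ISO time> DROP <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2001-09-15T10:00:01 DROP 192.0.2.77:40001 -> 198.51.100.10:80
2001-09-15T10:00:01 DROP 192.0.2.77:40002 -> 198.51.100.11:80
2001-09-15T10:00:02 DROP 192.0.2.77:40003 -> 198.51.100.12:80
2001-09-15T10:00:02 DROP 192.0.2.77:40004 -> 198.51.100.13:80
2001-09-15T10:00:03 DROP 192.0.2.77:40005 -> 198.51.100.14:80
2001-09-15T10:00:03 DROP 192.0.2.77:40006 -> 198.51.100.15:80
2001-09-15T10:00:05 DROP 203.0.113.5:51000 -> 198.51.100.10:22
2001-09-15T10:00:09 DROP 203.0.113.5:51001 -> 198.51.100.10:22
2001-09-15T10:30:00 DROP 192.0.2.77:40007 -> 198.51.100.99:80
"""

LINE_RE = re.compile(
    r"^(\S+) DROP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

def parse_log(text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped, not allowed to abort the analysis
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def find_scanners(text, min_targets=5, window=timedelta(seconds=60)):
    """Return {src_ip: (first_seen, last_seen, distinct_targets)} for every
    source that reached min_targets distinct destinations inside one window."""
    hits_by_src = defaultdict(list)
    for ts, src, dst, _port in parse_log(text):
        hits_by_src[src].append((ts, dst))
    found = {}
    for src, hits in hits_by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over this source's hits
            in_window = [(ts, dst) for ts, dst in hits[i:] if ts - start <= window]
            targets = {dst for _, dst in in_window}
            if len(targets) >= min_targets:
                found[src] = (start, in_window[-1][0], len(targets))
                break
    return found

if __name__ == "__main__":
    for src, (first, last, n) in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct targets between {first} and {last}")
```

The second source in the sample retries one host on one port and is correctly not reported; only the address sweeping six hosts in two seconds is.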
Outline of the presentation
• security issues
• what is CSIRT
• overview of collaboration efforts
• TERENA TF-CSIRT

What is CSIRT?
• Computer Security Incident Response Team
• CERT – Computer Emergency Response Team
• IRT – Incident Response Team
• a well-known contact point for network security issues
• a source of knowledge for security issues
• network security incident coordinator
• relay service for incident reports

Historical view
• 1998
  • Internet Worm leads to formation of Computer Emergency Response Team (now CERT/CC)
• 1990’s
  • emergence of other CERTs; AusCERT and European national CERTs
• 1990
  • FIRST - Forum of Incident Response and Security Teams
• 1997
  • start of EuroCERT project
• 2000
  • TF-CSIRT task force

Roles of a CSIRT
• assist in incident resolution
• coordinate between victim and source sites
• distribute information on known vulnerabilities

Do you need a CSIRT?
• national ISP: yes! (local issues, helping constituency directly, the same time zone)
• large organisation: maybe
• small network: probably not

Existing IRTs and associations
• CERT Coordination Center
• CIAC, Computer Incident Advisory Capability
• ASSIST (US Department of Defense)
• AUSCERT, Australian CERT
• FIRST, Forum of Incident Response and Security Teams
• national European CERTs
• TERENA TF-CSIRT

Establishing CSIRT
• define what you will and will not do
• who will you do it for (what is your constituency)
• seek contacts with other CSIRTs and law enforcement agencies

Defining goals
• raising the level of security
• quick resolution of incidents
• forming a bigger picture
• assisting victim sites/networks with expertise

Defining what you will (not) do
• dealing with intrusions
• relaying reports
• giving advice on security issues
• on-site assistance
• determining active measures
• investigating abuse

Availability
• working hours
• additional ad-hoc coverage during non-working hours
• paging service
• around the clock availability
• on-site inspections

Scope of work
• what platforms will you cover
• types of incidents
• research on vulnerabilities
• standalone projects (hardware and software evaluations, testing hosts and networks, securing specific sites, …)

Defining constituency
• by parent ISP organisation
• by geographical/national criteria
• by organisational criteria
• the question of constituency is related to the community that will fund the CSIRT

Communicating with your constituency
• guarantee non-disclosure of information
• give feedback on incident resolution progress
• don’t interfere with sites’ security policies, but offer advice

Communicating with other CSIRTs
• make yourself known to the CSIRT community
• work with other teams
• submit your information to Trusted Introducer
• get your team’s PGP key signed by other CSIRTs (key signing parties at conferences)

Communicating with law enforcement
• law enforcement will probably be unprepared for dealing with computer crime
• find the proper department that will understand basic issues
• ask for advice about local law
• assist them willingly, but don’t let them abuse your availability
Outline of the presentation
• security issues
• what is CSIRT
• overview of collaboration efforts
• TERENA TF-CSIRT

History of CSIRT collaboration efforts
• 1992
  • RARE established the CERT Task Force, which was active until 1994. The CERT-TF concluded that there was an urgent need for a European incident response centre.
• 1993
  • First meeting of European CERTs and interested parties was held in Amsterdam.
• 1994
  • Series of discussions and initiatives for a European CERT Coordination Center by RARE/TERENA

History of CSIRT collaboration efforts (continued)
• 1995
  • TERENA forms the task force CERIE, which produces a report outlining the functioning of a possible European CERT Coordination Center
• 1996
  • Proposal for European CERT/CC won by DANTE/UKERNA consortium
• 1997
  • Official start of SIRCE project (also called EuroCERT)
• 1999
  • SIRCE/EuroCERT project finished

The results of 1990’s efforts
• the need for collaboration is apparent
• various teams with different constituencies
• a European-wide CSIRT is currently not feasible
• will to continue working together on specific issues that are of common interest

Outline of the presentation
• security issues
• what is CSIRT
• overview of collaboration efforts
• TERENA TF-CSIRT

TERENA TF-CSIRT task force
• http://www.terena.nl/task-forces/tf-csirt/
• formed in May 2000
• participants are European CSIRTs from research, commercial and governmental networks in Europe and neighbouring countries
• more gradual approach
• concentrate on specific projects

Aims of TF-CSIRT
• to provide a forum for exchanging experiences and knowledge
• to establish pilot services for the European CSIRT community
• to promote common standards and procedures for responding to security incidents
• to assist the establishment of new CSIRTs and the training of CSIRT staff
• to co-ordinate other joint initiatives

Activities of TF-CSIRT
• seminars and meetings (every 4 months)
• TI – Trusted Introducer service
• IODEF – Incident Object Description and Exchange Format
• security contact information in RIPE database
• assisting the establishment of new CSIRTs
• training of new (staff of) CSIRTs

TI – Trusted Introducer service
• http://www.ti.terena.nl/
• establishing level of trust between CSIRTs
  • level 0 team: the team exists
  • level 1 team: team has applied for level 2 status
  • level 2 team: the team is recognised
• team information is checked regularly
• if you are a security team:
  • fill in the form http://www.ti.terena.nl/templates/l0-new.txt
  • send it to ti@stelvio.nl
IODEF working group
• the goal:
  • “define a common data format and common exchange procedures for sharing information needed to handle an incident between different CSIRTs”
• the results will include:
  • The Incident Object Data Model specification
  • The IODEF XML Data Type Description
  • Tools for using the IODEF XML DTD
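What an IODEF exchange between two teams looks like in practice, as an added example that is not part of the slides or of the working group's own tools: one function serialises an incident report the way a relaying CSIRT would send it, the other extracts the fields the receiving team needs. Element names follow the IODEF data model as later published in RFC 5070, which is an assumption (the 2001 draft DTD differed); the team name, incident id and addresses are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Element and attribute names follow the IODEF data model as later published
# in RFC 5070; this is an assumption, the 2001 draft DTD differed, and the
# XML namespace is left out to keep the example short.

def build_incident(incident_id, team, report_time, src_ip, target_ip, impact, email):
    """Serialise one incident as a minimal IODEF-style document (XML string)."""
    doc = ET.Element("IODEF-Document", version="1.00")
    inc = ET.SubElement(doc, "Incident", purpose="reporting")
    ET.SubElement(inc, "IncidentID", name=team).text = incident_id
    ET.SubElement(inc, "ReportTime").text = report_time
    assess = ET.SubElement(inc, "Assessment")
    ET.SubElement(assess, "Impact", severity="medium", completion="succeeded",
                  type="recon").text = impact
    contact = ET.SubElement(inc, "Contact", role="creator", type="organization")
    ET.SubElement(contact, "ContactName").text = team
    ET.SubElement(contact, "Email").text = email
    flow = ET.SubElement(ET.SubElement(inc, "EventData"), "Flow")
    for category, ip in (("source", src_ip), ("target", target_ip)):
        node = ET.SubElement(ET.SubElement(flow, "System", category=category), "Node")
        ET.SubElement(node, "Address", category="ipv4-addr").text = ip
    return ET.tostring(doc, encoding="unicode")

def parse_incident(xml_text):
    """Pull out the fields the receiving team needs to act on a relayed report."""
    root = ET.fromstring(xml_text)
    if root.tag != "IODEF-Document":
        raise ValueError("not an IODEF document")
    inc = root.find("Incident")
    addrs = {s.get("category"): s.findtext("Node/Address") for s in inc.iter("System")}
    return {
        "id": inc.findtext("IncidentID"),
        "team": inc.find("IncidentID").get("name"),
        "reported": inc.findtext("ReportTime"),
        "impact": inc.findtext("Assessment/Impact"),
        "contact": inc.findtext("Contact/Email"),
        "source": addrs.get("source"),
        "target": addrs.get("target"),
    }

# Constructed sample report (team name, id and addresses are placeholders).
SAMPLE = build_incident("EXAMPLE-2001-0915-001", "EXAMPLE-CSIRT",
                        "2001-09-15T10:05:00+02:00", "192.0.2.77",
                        "198.51.100.10", "scan of a /24 address range", "csirt@example.net")

if __name__ == "__main__":
    print(SAMPLE)
    print(parse_incident(SAMPLE))
```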
Training workshop
• workshop will train staff of existing CSIRTs or help new CSIRTs
• workshop will encompass the following:
  • legal issues
  • organisational issues
  • technical issues
  • market issues
  • operational issues

Conclusion
• network security is a basic need
• larger networks need to form a CSIRT
• existing CSIRTs wish to cooperate
• different needs require a gradual approach
• let others know you exist

References
• http://www.terena.nl/task-forces/tf-csirt, TERENA TF-CSIRT
• http://www.ti.terena.nl/, TI – Trusted Introducer
• http://www.first.org/, FIRST – Forum of Incident Response and Security Teams
• http://www.cert.org/, CERT Coordination Center