
The CSIRT initiative


Presentation Transcript


  1. The CSIRT initiative. Gorazd Božič, ARNES SI-CERT, Jamova 39, Ljubljana, Slovenia, gorazd.bozic@arnes.si. NATO ANW, Ljubljana, 15.9.2001

  2. Code Red infection

  3. Email worms, past and present

  4. Outline of the presentation • security issues • what is CSIRT • overview of collaboration efforts • TERENA TF-CSIRT

  5. How much security? (slide shows a scale between convenience and security)

  6. Goals • secure data storage • secure information exchange • ensure uninterrupted operation of services • enable recovery after an incident

  7. Examine stereotypes • you have to be paranoid to do it properly • Not exactly. A paranoid person could spend a lot of time on improbable scenarios: conspiracy theories and other obscurities. • you have to be an outstanding technical expert • It helps, but it is not a necessity. You have to be familiar with the fundamentals and have the proper experience. • more security is always the way to go • Wrong. Banks could lower the possibility of theft by performing strip searches of all customers, and thus lose all their customers.

  8. Threats • stolen / altered / erased information • sensitive information • information needed for normal operations • unstable operation of services • loss of customers • system becomes de facto unusable • public exposure • confidential information from databases made public • details of the attack on our site are on evening news

  9. The attacker • hacker / cracker / “script kiddie” • age: 15-25 years, limited social life, “rebelling against the system” self-image, seeks affirmation within the “cyber-community” • vandal • angry at something / somebody, motivation not always known • insider • disgruntled or bribed employee / student / staff member • industrial espionage, terrorism • hired specialist, motivation: financial or political gain

  10. Common scenario of the attack • find a scanner for latest OS/server vulnerabilities and scan a wide range of address space • use available exploits to gain access (http://www.securityfocus.com/, Bugtraq mailing list) • hide yourself on attacked host • prepare the system for future use • install sniffers to collect passwords • install DDoS tools

  11. Measures to take • packet filtering • content filtering • application-level protection • encryption • tracking down the intruder • preventing further attempts

  12. Outline of the presentation • security issues • what is CSIRT • overview of collaboration efforts • TERENA TF-CSIRT

  13. What is CSIRT? • Computer Security Incident Response Team • CERT – Computer Emergency Response Team • IRT – Incident Response Team • a well-known contact point for network security issues • a source of knowledge for security issues • network security incident coordinator • relay service for incident reports

  14. Historical view • 1998 • Internet Worm leads to formation of Computer Emergency Response Team (now CERT/CC) • 1990’s • emergence of other CERTs; AusCERT and European national CERTs • 1990 • FIRST - Forum of Incident Response and Security Teams • 1997 • start of EuroCERT project • 2000 • TF-CSIRT task force

  15. Roles of a CSIRT • assist in incident resolution • coordinate between victim and source sites • distribute information on known vulnerabilities

  16. Do you need a CSIRT? • national ISP: yes! (local issues, helping constituency directly, the same time zone) • large organisation: maybe • small network: probably not

  17. Existing IRTs and associations • CERT Coordination Center • CIAC, Computer Incident Advisory Capability • ASSIST (US Department of Defense) • AUSCERT, Australian CERT • FIRST, Forum of Incident Response and Security Teams • national European CERTs • TERENA TF-CSIRT

  18. Establishing CSIRT • define what you will and will not do • who will you do it for (what is your constituency) • seek contacts with other CSIRTs and law enforcement agencies

  19. Defining goals • raising the level of security • quick resolution of incidents • forming a bigger picture • assisting victim sites/networks with expertise

  20. Defining what you will (not) do • dealing with intrusions • relaying reports • giving advice on security issues • on-site assistance • determining active measures • investigating abuse

  21. Availability • working hours • additional ad-hoc coverage during non-working hours • paging service • around the clock availability • on-site inspections

  22. Scope of work • what platforms will you cover • types of incidents • research on vulnerabilities • standalone projects (hardware and software evaluations, testing hosts and networks, securing specific sites, …)

  23. Defining constituency • by parent ISP organisation • by geographical/national criteria • by organisational criteria • question of constituency is related to community that will fund the CSIRT

  24. Communicating with your constituency • guarantee non-disclosure of information • give feedback on incident resolution progress • don’t interfere with sites’ security policies, but offer advice

  25. Communicating with other CSIRTs • make yourself known to the CSIRT community • work with other teams • submit your information to Trusted Introducer • get your team’s PGP key signed by other CSIRTs (key signing parties at conferences)

  26. Communicating with law enforcement • law enforcement will probably be unprepared for dealing with computer crime • find the proper department that will understand basic issues • ask for advice about local law • assist them willingly, but don’t let them abuse your availability

  27. Outline of the presentation • security issues • what is CSIRT • overview of collaboration efforts • TERENA TF-CSIRT

  28. History of CSIRT collaboration efforts • 1992 • RARE established the CERT Task Force, which was active until 1994. The CERT-TF concluded that there was an urgent need for a European incident response centre. • 1993 • First meeting of European CERTs and interested parties was held in Amsterdam. • 1994 • Series of discussions and initiatives for a European CERT Coordination Center by RARE/TERENA

  29. History of CSIRT collaboration efforts • 1995 • TERENA forms the task force CERIE, which produces a report outlining the functioning of a possible European CERT Coordination Center • 1996 • Proposal for European CERT/CC won by DANTE/UKERNA consortium • 1997 • Official start of SIRCE project (also called EuroCERT) • 1999 • SIRCE/EuroCERT project finished

  30. The results of 1990’s efforts • the need for collaboration is apparent • various teams with different constituencies • European-wide CSIRT is currently not feasible • will to continue working together on specific issues that are of common interest

  31. Outline of the presentation • security issues • what is CSIRT • overview of collaboration efforts • TERENA TF-CSIRT

  32. TERENA TF-CSIRT task force • http://www.terena.nl/task-forces/tf-csirt/ • formed in May 2000 • participants are CSIRTs from research, commercial and governmental networks in Europe and neighbouring countries • more gradual approach • concentrate on specific projects

  33. Aims of TF-CSIRT • to provide a forum for exchanging experiences and knowledge • to establish pilot services for the European CSIRTs community • to promote common standards and procedures for responding to security incidents • to assist the establishment of new CSIRTs and the training of CSIRTs staff • to co-ordinate other joint initiatives

  34. Activities of TF-CSIRT • seminars and meetings (every 4 months) • TI – Trusted Introducer service • IODEF – Incident Object Description and Exchange Format • security contact information in RIPE database • assisting the establishment of new CSIRTs • training of new (staff of) CSIRTs

  35. TI – Trusted Introducer service • http://www.ti.terena.nl/ • establishing a level of trust between CSIRTs • level 0 team: the team exists • level 1 team: the team has applied for level 2 status • level 2 team: the team is recognised • team information is checked regularly • if you are a security team: • fill in the form http://www.ti.terena.nl/templates/l0-new.txt • send it to ti@stelvio.nl

  36. IODEF working group • the goal: • “define a common data format and common exchange procedures for sharing information needed to handle an incident between different CSIRTs” • the results will include: • The Incident Object Data Model specification • The IODEF XML Data Type Description • Tools for using the IODEF XML DTD
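As an added example (not from the presentation, the IODEF working group or any TF-CSIRT tool), a small Python parser that extracts the fields a relaying CSIRT needs before forwarding an IODEF incident report to the team responsible for the source site. It assumes the IODEF v1.0 element names and namespace as later standardised in RFC 5070, which the 2001 DTD work described above predates; the sample report is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# IODEF v1.0 namespace as later standardised in RFC 5070 (assumption: the 2001
# working-group draft this talk refers to predates that final form).
NS = {"i": "urn:ietf:params:xml:ns:iodef-1.0"}

# Constructed sample report (not a real incident): probes relayed to the CSIRT
# responsible for the source address, as in the relay role described above.
SAMPLE_REPORT = """<IODEF-Document version="1.00" xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.net">2001-0042</IncidentID>
    <ReportTime>2001-09-10T08:13:33+02:00</ReportTime>
    <Assessment><Impact type="recon" completion="failed"/></Assessment>
    <Contact role="creator" type="organization"><ContactName>Example CSIRT</ContactName>
      <Email>cert@example.net</Email></Contact>
    <EventData><Flow>
      <System category="source"><Node><Address category="ipv4-addr">192.0.2.17</Address></Node></System>
      <System category="target"><Node><Address category="ipv4-addr">198.51.100.5</Address></Node></System>
    </Flow></EventData>
  </Incident>
</IODEF-Document>"""

def _addresses(incident, role):
    """Validated IP addresses of the Systems with the given role (source/target)."""
    path = f"i:EventData/i:Flow/i:System[@category='{role}']/i:Node/i:Address"
    return [str(ipaddress.ip_address(a.text.strip()))
            for a in incident.findall(path, NS)
            if a.get("category") in ("ipv4-addr", "ipv6-addr")]

def parse_iodef(xml_text):
    """Per Incident, extract the fields a relaying CSIRT needs to route the
    report; raise ValueError when mandatory IODEF elements are missing."""
    root = ET.fromstring(xml_text)
    incidents = []
    for inc in root.findall("i:Incident", NS):
        iid = inc.find("i:IncidentID", NS)
        reported = inc.find("i:ReportTime", NS)
        creator = inc.find("i:Contact[@role='creator']/i:Email", NS)
        if iid is None or reported is None or creator is None:
            raise ValueError("Incident lacks IncidentID, ReportTime or creator Contact")
        incidents.append({
            "id": f"{iid.get('name')}#{iid.text.strip()}",  # unique across teams
            "reported": reported.text.strip(),
            "creator": creator.text.strip(),
            "sources": _addresses(inc, "source"),
            "targets": _addresses(inc, "target"),
        })
    return incidents
```

Rejecting a report that lacks the creator contact or the report time keeps a relaying team from forwarding something it cannot acknowledge or order in time.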

  37. Training workshop • workshop will train staff of existing CSIRTs or help new CSIRTs • workshop will encompass the following: • legal issues • organisational issues • technical issues • market issues • operational issues

  38. Conclusion • network security is a basic need • larger networks need to form a CSIRT • existing CSIRTs wish to cooperate • different needs require a gradual approach • let others know you exist

  39. References • http://www.terena.nl/task-forces/tf-csirt, TERENA TF-CSIRT • http://www.ti.terena.nl/, TI – Trusted Introducer • http://www.first.org/, FIRST – Forum of Incident Response and Security Teams • http://www.cert.org/, CERT Coordination Center
