CCIRN meeting, Cairns, 3 July 2004 Computer security co-operation in Europe Karel Vietsch Based on materials provided by TERENA TF-CSIRT

CCIRN meeting, Cairns, 3 July 2004 Agenda Why co-operate? History of co-operation CSIRT Task Force (TF-CSIRT) Benefits: –Contacts –Trends and hot issues Deliverables, including: –Accreditation scheme for CSIRTs –IRT database object –Clearing House for Incident Handling Tools –Training course for new CSIRTs

CCIRN meeting, Cairns, 3 July 2004 Why Co-operate? Security incidents are international –Must work together to solve them No team knows everything –Share knowledge, resources, tools –Compare working practices –Develop best practice & standards –Provide better and faster service

CCIRN meeting, Cairns, 3 July 2004 Historical perspective Pre-1990: CSIRTs in isolation (if at all) During 1990s: FIRST provides binding: –Members meet members –Basic notion of trust –Exchange of operational information –Less powerful in initiating innovation : EuroCERT pilot service: –Top-down approach –Operational work outsourced to third party 2000: TF-CSIRT established

CCIRN meeting, Cairns, 3 July 2004 Influence of NRENs National Research & Education Networks –Traditionally innovative –Low commercial profile Natural “academic” way of working –Achievements based on collaboration –Results shared for society’s benefit –Free dissemination of expertise Since 1986: TERENA (see:

CCIRN meeting, Cairns, 3 July 2004 Creation of TF-CSIRT TERENA Task Force: –Operation defined by Terms of Reference –Two years recurring lifecycle with review –Members and non-members of TERENA –No membership fee, just travel & hotel costs –Active participation by members –Success depends on members’ commitment –TERENA plays role of professional facilitator: Secretarial tasks Logistical support

CCIRN meeting, Cairns, 3 July 2004 TF-CSIRT way of working Meeting every four months Venue rotates among members who volunteer to host Two days: –1st day for seminars and presentations –2nd day for Task Force official meeting Evening in-between: social event organised by the hosting member Contacts between meetings provided by mailing list and project groups

CCIRN meeting, Cairns, 3 July 2004 Who is involved? Academic, Government, Commercial teams 29 countries meeting (3) training (3) both (23)

CCIRN meeting, Cairns, 3 July 2004 Benefits - contacts Operational people talk directly to each other –Trusted contacts for later work Little or no formalities, collaborative atmosphere Ad-hoc subgroups working on concrete deliverables Social event often proves to be a fruitful environment for new ideas

CCIRN meeting, Cairns, 3 July 2004 Benefits – trends and hot issues Supportive peer review of other members’ organisation and operations Members share and consume expertise (a win/win approach) Atmosphere of understanding – no team has to fight common problems alone Discussing trends and hot issues among peers make these trends and hot issues easier to understand and assess

CCIRN meeting, Cairns, 3 July 2004 Wider Co-operation European Commission –Projects (eCSIRT.net, EISPP, TRANSITS) –Legal handbook for CSIRTs –Network & Information Security Agency (ENISA) National governments –Government CSIRTs –Consultation on new legislation Law enforcement –Operations and invited speakers at meetings Other regional initiatives

CCIRN meeting, Cairns, 3 July 2004 Deliverables and Projects Trusted Introducer Service & Directory Incident Object Description & Exchange Format RIPE IRT object Clearing House for Incident Handling Tools CSIRT training course (TRANSITS) Under development Incident Information Exchange (eCSIRT.net) Vulnerability information exchange (EISPP) Assistance to new CSIRTs Incident Handling Procedures

CCIRN meeting, Cairns, 3 July 2004 Deliverables – Trusted Introducer ( Notion of ‘trust’ – is a contact trustworthy? Currently, no scheme generically applicable TF-CSIRT to work out a model of which it believes it fulfills criteria needed at operational level Feasibility and sanity checks Now, outsourced to a third party TF-CSIRT retains control by TI Review Board

CCIRN meeting, Cairns, 3 July 2004 Deliverables – IRT database object Commonly perceived problem: correct points of contact in (RIPE) database Practical approach: –what do we miss now? –how can we design it –how can we implement it? Wishlist followed by discussion in RIPE database group Lots of iterations, but eventually implemented and populated

CCIRN meeting, Cairns, 3 July 2004 Deliverables – CHIHT ( Clearing House for Incident Handling Tools Share information on tools CSIRTs use –Help new and existing teams Website listing tools by category –Evidence gathering & investigation, system recovery, CSIRT operations, remote access, proactive tools –Plan to add procedures and best practice Contents suggested by active CSIRTs

CCIRN meeting, Cairns, 3 July 2004 Deliverables – TRANSITS ( Idea: best transfer of knowledge is from operational people to operational people Conclusion: best people to write it are TF- CSIRT members Two day course developed in modules: –Operational, legal, technical, organisational, vulnerabilities EC funding for delivery and updating –Six presentations over three years –Materials available to members for own use

CCIRN meeting, Cairns, 3 July 2004 Deliverables – TRANSITS (