
Academic and Research Network of Slovenia

Slide 1: The CSIRT initiative
Gorazd Božič, ARNES SI-CERT, Jamova 39, Ljubljana, Slovenia
gorazd.bozic@arnes.si
NATO ANW, Ljubljana, 15.9.2001

Slide 2: Code Red infection

Slide 3: Email worms, past and present

Slide 4: Outline of the presentation
- security issues
- what is CSIRT
- overview of collaboration efforts
- TERENA TF-CSIRT

Slide 5: How much security?
- security
- convenience

Slide 6: Goals
- secure data storage
- secure information exchange
- ensure uninterrupted operation of services
- enable recovery after an incident

Slide 7: Examine stereotypes
- you have to be paranoid to do it properly
  – Not exactly. A paranoid person could spend a lot of time on improbable scenarios: conspiracy theories and other obscurities.
- you have to be an outstanding technical expert
  – It helps, but it is not a necessity. You have to be familiar with the fundamentals and have the proper experience.
- more security is always the way to go
  – Wrong. Banks could lower the possibility of theft by performing strip searches of all customers, and thus lose all their customers.

Slide 8: Threats
- stolen / altered / erased information
  – sensitive information
  – information needed for normal operations
- unstable operation of services
  – loss of customers
  – system becomes de facto unusable
- public exposure
  – confidential information from databases made public
  – details of the attack on our site are on the evening news

Slide 9: The attacker
- hacker / cracker / “script kiddie”
  – age: 15-25 years, limited social life, “rebelling against the system” self-image, seeks affirmation within the “cyber-community”
- vandal
  – angry at something / somebody, motivation not always known
- insider
  – disgruntled or bribed employee / student / staff member
- industrial espionage, terrorism
  – hired specialist, motivation: financial or political gain

Slide 10: Common scenario of the attack
- find a scanner for the latest OS/server vulnerabilities and scan a wide range of address space
- use available exploits to gain access
  – http://www.securityfocus.com/
  – Bugtraq mailing list
- hide yourself on the attacked host
- prepare the system for future use
  – install sniffers to collect passwords
  – install DDoS tools

Slide 11: Measures to take
- packet filtering
- content filtering
- application-level protection
- encryption
- tracking down the intruder
- preventing further attempts

Slide 12: Outline of the presentation
- security issues
- what is CSIRT
- overview of collaboration efforts
- TERENA TF-CSIRT

Slide 13: What is CSIRT?
- Computer Security Incident Response Team
  – CERT – Computer Emergency Response Team
  – IRT – Incident Response Team
- a well-known contact point for network security issues
- a source of knowledge for security issues
- network security incident coordinator
- relay service for incident reports

Slide 14: Historical view
- 1998
  – Internet Worm leads to the formation of the Computer Emergency Response Team (now CERT/CC)
- 1990’s
  – emergence of other CERTs; AusCERT and European national CERTs
- 1990
  – FIRST - Forum of Incident Response and Security Teams
- 1997
  – start of the EuroCERT project
- 2000
  – TF-CSIRT task force

Slide 15: Roles of a CSIRT
- assist in incident resolution
- coordinate between victim and source sites
- distribute information on known vulnerabilities

Slide 16: Do you need a CSIRT?
- national ISP: yes! (local issues, helping the constituency directly, the same time zone)
- large organisation: maybe
- small network: probably not

Slide 17: Existing IRTs and associations
- CERT Coordination Center
- CIAC, Computer Incident Advisory Capability
- ASSIST (US Department of Defense)
- AUSCERT, Australian CERT
- FIRST, Forum of Incident Response and Security Teams
- national European CERTs
- TERENA TF-CSIRT

Slide 18: Establishing a CSIRT
- define what you will and will not do
- whom will you do it for (what is your constituency)
- seek contacts with other CSIRTs and law enforcement agencies

Slide 19: Defining goals
- raising the level of security
- quick resolution of incidents
- forming a bigger picture
- assisting victim sites/networks with expertise

Slide 20: Defining what you will (not) do
- dealing with intrusions
- relaying reports
- giving advice on security issues
- on-site assistance
- determining active measures
- investigating abuse

Slide 21: Availability
- working hours
- additional ad-hoc coverage during non-working hours
- paging service
- around-the-clock availability
- on-site inspections

Slide 22: Scope of work
- what platforms will you cover
- types of incidents
- research on vulnerabilities
- standalone projects (hardware and software evaluations, testing hosts and networks, securing specific sites, …)

Slide 23: Defining constituency
- by parent ISP organisation
- by geographical/national criteria
- by organisational criteria
- the question of constituency is related to the community that will fund the CSIRT

Slide 24: Communicating with your constituency
- guarantee non-disclosure of information
- give feedback on incident resolution progress
- don’t interfere with sites’ security policies, but offer advice

Slide 25: Communicating with other CSIRTs
- make yourself known to the CSIRT community
- work with other teams
- submit your information to Trusted Introducer
- get your team’s PGP key signed by other CSIRTs (key signing parties at conferences)

Slide 26: Communicating with law enforcement
- law enforcement will probably be unprepared for dealing with computer crime
- find the proper department that will understand the basic issues
- require advice about local law
- assist them willingly, but don’t let them abuse your availability

Slide 27: Outline of the presentation
- security issues
- what is CSIRT
- overview of collaboration efforts
- TERENA TF-CSIRT

Slide 28: History of CSIRT collaboration efforts
- 1992: RARE established the CERT Task Force, which was active until 1994. The CERT-TF concluded that there was an urgent need for a European incident response centre.
- 1993: The first meeting of European CERTs and interested parties was held in Amsterdam.
- 1994: Series of discussions and initiatives for a European CERT Coordination Center by RARE/TERENA.

Slide 29: History of CSIRT collaboration efforts (continued)
- 1995: TERENA forms the task force CERIE, which produces a report outlining the functioning of a possible European CERT Coordination Center.
- 1996: Proposal for a European CERT/CC won by the DANTE/UKERNA consortium.
- 1997: Official start of the SIRCE project (also called EuroCERT).
- 1999: SIRCE/EuroCERT project finished.

Slide 30: The results of the 1990’s efforts
- the need for collaboration is apparent
- various teams with different constituencies
- a European-wide CSIRT is currently not feasible
- will to continue working together on specific issues that are of common interest

Slide 31: Outline of the presentation
- security issues
- what is CSIRT
- overview of collaboration efforts
- TERENA TF-CSIRT

Slide 32: TERENA TF-CSIRT task force
- http://www.terena.nl/task-forces/tf-csirt/
- formed in May 2000
- participants are European CSIRTs from research, commercial and governmental networks in Europe and neighbouring countries
- more gradual approach
- concentrate on specific projects

Slide 33: Aims of TF-CSIRT
- to provide a forum for exchanging experiences and knowledge
- to establish pilot services for the European CSIRT community
- to promote common standards and procedures for responding to security incidents
- to assist the establishment of new CSIRTs and the training of CSIRT staff
- to co-ordinate other joint initiatives

Slide 34: Activities of TF-CSIRT
- seminars and meetings (every 4 months)
- TI – Trusted Introducer service
- IODEF – Incident Object Description and Exchange Format
- security contact information in the RIPE database
- assisting the establishment of new CSIRTs
- training of new (staff of) CSIRTs

Slide 35: TI – Trusted Introducer service
- http://www.ti.terena.nl/
- establishing a level of trust between CSIRTs
  – level 0 team: the team exists
  – level 1 team: the team has applied for level 2 status
  – level 2 team: the team is recognised
- team information is checked regularly
- if you are a security team:
  – fill in the form http://www.ti.terena.nl/templates/l0-new.txt
  – send it to ti@stelvio.nl

Slide 36: IODEF working group
- the goal:
  – “define a common data format and common exchange procedures for sharing information needed to handle an incident between different CSIRTs”
- the results will include:
  – the Incident Object Data Model specification
  – the IODEF XML Data Type Description
  – tools for using the IODEF XML DTD

Slide 37: Training workshop
- the workshop will train staff of existing CSIRTs or help new CSIRTs
- the workshop will encompass the following:
  – legal issues
  – organisational issues
  – technical issues
  – market issues
  – operational issues

Slide 38: Conclusion
- network security is a basic need
- larger networks need to form a CSIRT
- existing CSIRTs wish to cooperate
- different needs require a gradual approach
- let others know you exist

Slide 39: References
- http://www.terena.nl/task-forces/tf-csirt, TERENA TF-CSIRT
- http://www.ti.terena.nl/, TI – Trusted Introducer
- http://www.first.org/, FIRST – Forum of Incident Response and Security Teams
- http://www.cert.org/, CERT Coordination Center
