The Trusted Introducer Concept


  1. The Trusted Introducer Concept Brian Gilmore (TERENA) TI Twelve months old

  2. Let’s assume we all know that ... (i) • Security is a problem on the Internet • There are lots of security incidents worldwide • The police only come in on a small minority of incidents (for several reasons beyond scope here)

  3. CSIRTs • There are CSIRTs (dedicated teams) and ISPs with CSIRT functions dealing with those problems • There are now a few 100 of those around • CSIRT = Computer Security Incident Response Team a.k.a. CERT

  4. Why a problem? • If you are a member of one of these 100 teams: • How do you know who to contact in another country? • Academic CSIRT, ISP CSIRT, Gov CSIRT • When you have established that, are you certain you are talking to the person you think you are?

  5. What is the solution? • So the CSIRT infrastructure is a major problem and becoming worse • There is no worldwide solution for this yet • FIRST is not involved at this level (or not yet), and no other body, such as ISOC, is engaged in this activity

  6. 1st Attempt • Not really the first attempt, more like the 5th! But the first to make real headway! • After advice from the community, TERENA set up the EuroCERT service

  7. EuroCERT • This service acted as a central focus point for all European CSIRTs. • I.e., if one CSIRT had an incident from outside their sphere, they handed it to EuroCERT • The service was funded by a subscription on the NRENs which hosted an (academic) CSIRT • Ran for 15 months

  8. Why did it stop? • The level of demand was such that it was clear the service would need at least 5 staff to function properly. • NRENs were not happy to subscribe at that level and preferred to fund their own CSIRTs

  9. Attempt No 2 • TERENA then hosted the first of a series of meetings of CSIRTs in Europe. • This is now a formal TERENA Task Force – TF-CSIRT • Meetings have been very successful with over 40 participants • Some 5 non-academic CSIRTs attend

  10. So ... • TF-CSIRT decided to start solving the problem itself, in Europe, ... • ... hoping that other regions will join, or copy the effort, or improve on it • They named their effort TRUSTED INTRODUCER

  11. TI mission statement The Trusted Introducer must foster trust and cooperation between CSIRTs in Europe, both new and experienced. The vehicle used to achieve this is to invite CSIRTs to present themselves and describe their service according to an established baseline – thus enabling objectivity, which is regarded as the pre-requisite of trust.

  12. Certification or Accreditation? • The TI process is NOT a formal certification process for CSIRTs • It IS a process of gathering information and documenting it to a certain standard • It ASSISTS in helping teams enter ‘the web of trust’ • It COULD develop later into a more formal process

  13. TI process (i) • The TI registers “known” European CSIRT teams as Level 0 • Teams that decide to join the TI effort to foster European inter-CSIRT cooperation get invited by the TI to become Level 1 • The Level 1 team then has 3 months to work together with the TI to present their service according to the TI baseline

  14. TI process (ii) • If they succeed, the team is recognized by the TI as Level 2 and their baseline presentation is published in the TI repositories (only partially in the public repository)

  15. TI process (iii) • Any non-compliance in the above process results in a fallback to Level 0 • Max of 2 attempts in 12 months • The experiences to date have shown that the fee charged is amply paid back in the form of the (otherwise) free consultancy that the team gets from the TI to help it define its services etc.

  16. TI process (iv) • Level 2 teams maintain their status by regularly (4 months) complying with their baseline presentation – or adapting it when due • Otherwise, they will again be dropped to Level 0 • Essential to catch teams who, for example, lose their staff and are non-effective but don’t wish to admit this!

  17. TI Level 2 criteria include ... • Filling out well-defined templates • Defining information handling policy • Agreeing to publication of supplied information (only partially in public repository) • Regularly maintaining supplied information • Cooperating with TI in matters above • Adherence to RFC-2350 recommended • Visiting FIRST and TF-CSIRT events recommended

  18. L2 Criteria • For example • Cyber contact (at least) must be made with a person representing the team • That person must prove that he can represent the team and the team is correctly empowered by the parent organisation • Proof is using good cryptography with an identity backed by a check of some personal ID

  19. L2 Criteria • The CSIRT provides statements of their composition and service. • These could be checked for: • Authenticity • Actuality (reality now) • Correctness • The first two are checked, the last is seen as part of a certification process

  20. TI setup • Stelvio (www.stelvio.nl) operates TI service (under a contract with TERENA) • Klaus-Peter Kossakowski (TI service manager), Mark Koek, Erwan Smits, Don Stikvoort (Stelvio CEO) all involved part-time • E-mail: ti@stelvio.nl • Public site: http://www.ti.terena.nl/

  21. TI checks and balances (i) • TERENA focal point to fund service • TERENA independent, www.terena.nl • TERENA experienced in helping set up services, like RIPE NCC • TI not limited to TERENA constituency • TI Review Board reviews the TI work and deals with special cases and problems

  22. TI checks and balances (ii) • TI Review Board consists of representatives of Level 2 teams • Initially, however, it consisted of well-known European network/security individuals: • Brian Gilmore, chair (Edinburgh University) • Karel Vietsch, secretary (TERENA SG) • Andrew Cormack (JANET-CERT) • Christoph Graf (SWITCH-CERT) • Wilfried Wöber (ACONET)

  23. New TI Review Board • A call was put out to the Level 2 teams for nominations for a new board. TERENA received 3 nominations but one person declined. • The remaining two stand but the old board stays until we receive the third nomination • Andrew Cormack • Jacques Schuurman • Vacancy

  24. May 1st 2001 snapshot • Public website www.ti.terena.nl • 55 teams registered in repository • 8 Level 2 teams • 3 pioneer teams: CERT-NL, GARR-CERT and JANET-CERT • IRIS-CERT, SIEMENS-CERT, UniNett CERT, NORDUNET CERT, CSIRT.DK • Special repository for only Level 2 teams available • 4 Level 1 teams • TeliaCERT, SI-CERT, BTCERTCC, BT SBS

  25. September 1st Snapshot • 63 teams registered in repository • NREN 27 • Commercial 22 • Other 3 • Gov & Mil 11 • Includes L0, L1 and L2

  26. L1 Teams • Total L1 Teams 7 • NREN 3 • Commercial 2 • Other 2 • Gov & Mil 0 • Remember they have three months to achieve L2

  27. L2 Teams • Total L2 Teams 12 • NREN 7 • Commercial 5 • Other 0 • Gov & Mil 0

  28. List of L2 Teams • BTCERTCC (United Kingdom) - (1. June 2001) • BT SBS (United Kingdom) - (1. June 2001) • CERT-NL (The Netherlands) - (1. January 2001) • CSIRT.DK (Denmark) - (20. April 2001) • GARR-CERT (Italy) - (1. January 2001) • IRIS CERT (Spain) - (23. March 2001) • JANET-CERT (United Kingdom) - (1. January 2001) • NORDUNET CERT - (6. April 2001) • SI-CERT (Slovenia) - (3. July 2001) • SIEMENS-CERT (Germany) - (23. March 2001) • TeliaCERT (Sweden) - (12. July 2001) • UniNett CERT (Norway) - (1. April 2001)

  29. TI does not offer you • FIRST membership • FIRST: only worldwide CSIRT forum • FIRST offers nothing like TI yet • TI Level 2 teams are well prepared for FIRST membership • A free ride • Initial fee to go to Level 2 (mainly high level consultancy) of Euro 900 • Level 2 maintenance costs Euro 600 per year

  30. TI does offer you • Public and maintained repository of all “known” or “Level 0” European CSIRTs with contact info • Formalized and published accreditation process for CSIRTs: those that pass it are “Level 2” CSIRTs --- maintenance is ensured • Maintained trusted repository for Level 2 CSIRTs only, offering extended information on all members • Management level material if you need it

  31. How to achieve Level 2? (or be registered as Level 0) • Go to www.ti.terena.nl and follow the logical route ... OR ... • Ask ti@stelvio.nl ... OR ... • Ask any of the TI crew: • Erwan Smits • Mark Koek • Klaus-Peter Kossakowski (TI manager) • Don Stikvoort

  32. Current Status • The one-year pilot has come to an end • The CSIRT Co-ordination meeting (hosted by TERENA) agreed this service should continue • TERENA and Stelvio have signed a contract to continue the service for a further year.

  33. What are the Problems? • The current service is funded by: • A subscription from L2 teams • A fee from a team at L1 (trying for L2) • What are the cost drivers? • There is a significant effort on maintaining the information on L0 teams but we can’t make them pay! • Model is currently ok, but will need to be revisited (economies of scale?)

  34. Summary • Academic networks need a CSIRT just as much as other networks (if not more!) • It is in your interest to register as an L0 team and join TF-CSIRT • You should play your part in the community and strive to reach L2
