1 / 17

Computer security co-operation in Europe

Computer security co-operation in Europe. Karel Vietsch vietsch@terena.nl Based on materials provided by TERENA TF-CSIRT. Agenda. Why co-operate? History of co-operation CSIRT Task Force (TF-CSIRT) Benefits: Contacts Trends and hot issues Deliverables, including:

tuan
Download Presentation

Computer security co-operation in Europe

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer securityco-operation in Europe Karel Vietsch vietsch@terena.nl Based on materials provided by TERENA TF-CSIRT CCIRN meeting, Cairns, 3 July 2004

  2. Agenda • Why co-operate? • History of co-operation • CSIRT Task Force (TF-CSIRT) • Benefits: • Contacts • Trends and hot issues • Deliverables, including: • Accreditation scheme for CSIRTs • IRT database object • Clearing House for Incident Handling Tools • Training course for new CSIRTs CCIRN meeting, Cairns, 3 July 2004

  3. Why Co-operate? • Security incidents are international • Must work together to solve them • No team knows everything • Share knowledge, resources, tools • Compare working practices • Develop best practice & standards • Provide better and faster service CCIRN meeting, Cairns, 3 July 2004

  4. Historical perspective • Pre-1990: CSIRTs in isolation (if at all) • During 1990s: FIRST provides binding: • Members meet members • Basic notion of trust • Exchange of operational information • Less powerful in initiating innovation • 1997-1999: EuroCERT pilot service: • Top-down approach • Operational work outsourced to third party • 2000: TF-CSIRT established CCIRN meeting, Cairns, 3 July 2004

  5. Influence of NRENs • National Research & Education Networks • Traditionally innovative • Low commercial profile • Natural “academic” way of working • Achievements based on collaboration • Results shared for society’s benefit • Free dissemination of expertise Since 1986: TERENA (see: www.terena.nl) CCIRN meeting, Cairns, 3 July 2004

  6. Creation of TF-CSIRT • TERENA Task Force: • Operation defined by Terms of Reference • Two years recurring lifecycle with review • Members and non-members of TERENA • No membership fee, just travel & hotel costs • Active participation by members • Success depends on members’ commitment • TERENA plays role of professional facilitator: • Secretarial tasks • Logistical support CCIRN meeting, Cairns, 3 July 2004

  7. TF-CSIRT way of working • Meeting every four months • Venue rotates among members who volunteer to host • Two days: • 1st day for seminars and presentations • 2nd day for Task Force official meeting • Evening in-between: social event organised by the hosting member • Contacts between meetings provided by mailing list and project groups CCIRN meeting, Cairns, 3 July 2004

  8. Who is involved? • Academic, Government, Commercial teams • 29 countries meeting (3) training (3) both (23) CCIRN meeting, Cairns, 3 July 2004

  9. Benefits - contacts • Operational people talk directly to each other • Trusted contacts for later work • Little or no formalities, collaborative atmosphere • Ad-hoc subgroups working on concrete deliverables • Social event often proves to be a fruitful environment for new ideas CCIRN meeting, Cairns, 3 July 2004

  10. Benefits – trends and hot issues • Supportive peer review of other members’ organisation and operations • Members share and consume expertise (a win/win approach) • Atmosphere of understanding – no team has to fight common problems alone • Discussing trends and hot issues among peers make these trends and hot issues easier to understand and assess CCIRN meeting, Cairns, 3 July 2004

  11. Wider Co-operation • European Commission • Projects (eCSIRT.net, EISPP, TRANSITS) • Legal handbook for CSIRTs • Network & Information Security Agency (ENISA) • National governments • Government CSIRTs • Consultation on new legislation • Law enforcement • Operations and invited speakers at meetings • Other regional initiatives CCIRN meeting, Cairns, 3 July 2004

  12. Trusted Introducer Service & Directory Incident Object Description & Exchange Format RIPE IRT object Clearing House for Incident Handling Tools CSIRT training course (TRANSITS) Under development Incident Information Exchange (eCSIRT.net) Vulnerability information exchange (EISPP) Assistance to new CSIRTs Incident Handling Procedures Deliverables and Projects CCIRN meeting, Cairns, 3 July 2004

  13. Deliverables – Trusted Introducer (http://www.ti.terena.nl/) • Notion of ‘trust’ – is a contact trustworthy? • Currently, no scheme generically applicable • TF-CSIRT to work out a model of which it believes it fulfills criteria needed at operational level • Feasibility and sanity checks • Now, outsourced to a third party • TF-CSIRT retains control by TI Review Board CCIRN meeting, Cairns, 3 July 2004

  14. Deliverables – IRT database object • Commonly perceived problem: correct points of contact in (RIPE) database • Practical approach: • what do we miss now? • how can we design it • how can we implement it? • Wishlist followed by discussion in RIPE database group • Lots of iterations, but eventually implemented and populated CCIRN meeting, Cairns, 3 July 2004

  15. Deliverables – CHIHT(http://chiht.dfn-cert.de/) • Clearing House for Incident Handling Tools • Share information on tools CSIRTs use • Help new and existing teams • Website listing tools by category • Evidence gathering & investigation, system recovery, CSIRT operations, remote access, proactive tools • Plan to add procedures and best practice • Contents suggested by active CSIRTs CCIRN meeting, Cairns, 3 July 2004

  16. Deliverables – TRANSITS(http://www.ist-transits.org/) Idea: best transfer of knowledge is from operational people to operational people • Conclusion: best people to write it are TF-CSIRT members • Two day course developed in modules: • Operational, legal, technical, organisational, vulnerabilities • EC funding for delivery and updating • Six presentations over three years • Materials available to members for own use CCIRN meeting, Cairns, 3 July 2004

  17. Deliverables – TRANSITS(http://www.ist-transits.org/) CCIRN meeting, Cairns, 3 July 2004

More Related