CERT Polska Experiences in incident handling The CLOSER Project Mirosław Maj [email protected] Chisinau, 11/10/2004


CERT Polska

Experiences in incident handling

The CLOSER Project

Mirosław Maj

[email protected]

Chisinau, 11/10/2004

Agenda

Who we are?

Not too much about NASK

A bit of history.

We look to the past but not only

What do we do and for whom?

Incident handling

Some projects

Why bother with security?

How to be CLOSER?

A few words about CLOSER project

Who we are?

NASK is the Research and Academic Network in Poland

Academic background

Commercial services

Administrator of the top-level domain - *.pl

CERT Polska is the incident handling team within NASK

We ARE NOT incident handling team for NASK!

A bit of history

June 1995 – First contact with CERT/CC

INET conference and pre-conference NATO-sponsored networking workshop for developing countries: Security Track led by Barbara Fraser (CERT/CC): the idea of Incident Response was introduced

September 1995 – First contact with FIRST

4th FIRST conference in Karlsruhe

1996 – establishing CERT NASK

Visit to DFN-CERT to learn best practices

1997 – joining FIRST (sponsored by DFN-CERT)

2000 – extending the formula of our IRT

New roadmap to introduce new projects for the Polish constituency

Changing the name to CERT Polska

2001 – joining TERENA TF CSIRT

Who we are?

Krzysztof Silicki Mirosław Maj Przemek Jaroszewski Piotr Kijewski

Irek Parafjańczuk Andrzej Dereszowski Dariusz Sobolewski

Who we are?

FIRST (Forum of Incident Response and Security Teams)

http://www.first.org/

TERENA TF-CSIRT (Trans European Research and Academic Networks Association – Task Force Computer Security Incident Response Teams)

http://www.terena.nl/tech/task-forces/tf-csirt/

Trusted Introducer (Team Level 2)

http://www.ti.terena.nl/

What do we do and for whom?

Our goals:

providing a single, trusted point of contact in Poland for the NASK customers community and other networks in Poland to deal with network security incidents and their prevention

responding to security incidents in networks connected to NASK and networks connected to other Polish providers reporting security incidents

providing security information and warnings of possible attacks

cooperation with other incident response teams all over the world

Incident Handling

Number of incidents 1996 - 2003

[Bar chart: incidents per year; x-axis 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003; y-axis incident count 0–1400; data labels as extracted: 50*, 75*, 100*, 105, 126, 741, 1013, 1196]

Incident handling

Types of the incidents

[Bar chart; y-axis: percent (0–90); categories: Information Gathering, Malicious Code, Abusive Content, Fraud, Availability, Intrusions, Information Security, Intrusion Attempts, Other; data labels as extracted: 81.6, 6.7, 4.8, 1.8, 1.7, 1.6, 1.3, 0.4, 0.2]

Incident Handling

Sources (reporter / victim / attacker)

[Bar chart; y-axis: percent (0–80); x-axis categories: CSIRT, ISP Abuse, Other security, Government, Research & Education, Commercial, Other Non-Commercial, Private; series: Reporter, Victim, Attacker]

Incident Handling

Where do the reports come from?

foreign 90%, domestic 9%, unknown 1%

Where do the attackers come from?

domestic 89%, unknown 9%, foreign 2%

Where do the victims come from?

foreign 83%, domestic 11%, unknown 6%

Some projects

Security vortal: http://www.cert.pl/

ARAKIS Project: http://arakis.cert.pl/

Hotline: just started…

So… why bother with security?

Security threats are real:

Do not just think about your infrastructure – think also about security of your end users

Source: http://isc.sans.org/

So… why bother with security?

From: "Susie Ward" <[email protected]>

To: xxxxxxx

CC: xxxxxxx

Subject: S p a m - H o s t i n g - 2 5 0 $

Date: Tue, 17 Feb 2004 19:57:18 +0300

Hello.

Spam Hosting.

Location: Korea

OS: FreeBSD

Port: 100mbit.

IP: +

PHP, CGI, MYSQL, 500MB, cPanel.

250$/mesyac.

Fraud Hosting.

Location: Korea

OS: FreeBSD

Port: 100mbit.

IP: +

PHP, CGI, MYSQL, 500MB, cPanel.

450$/mesyac.

Dedicated form 500$ per mounth.

Contacts:

ICQ: 0000000

------------

extant brisk abbot ancestor swift cavitate gourd crisscross spool assay

acapulco empiric brandon citrus classmate berserk

Why bother with security?

Ignoring threats costs resources

D(D)oS - It costs to be offline

Data theft – Backups do not help much when sensitive information is stolen

Compromise – How much does your reputation cost?

... So what is an idea for a solution?

The CLOSER project

CLuster Of SEcurity Resources

3rd call IST 6FP

Goals:

Learn and describe the current situation in Europe

Build and strengthen awareness of security overall and the incident handling services in particular

Exchanging experiences among the existing CSIR Teams

Transferring these experiences and knowledge to newly established teams


Final remarks

NRENs are tempting targets for hackers

Regardless of whether it is a CERT or just CERT’s services – having it will pay off

We do not know whether the CLOSER project will be approved or not

Anyway, we promise to help anybody who is interested as much as possible

Daddy, I can see that hackers don’t sleep!

CERT Polska
