S-CURE: Security by Organisation
Cooperation of CSIRTs: does it work? does it help?
Guilin, China, March 2005 (Lunar year 4703)
A short history of the Internet
& of incident response cooperation
1969 – 1988
• Internet childhood: security is not an issue
• Arpanet 1969, USA only
• 1969 – now: number of hosts doubles each year
• TCP 1974
• TCP/IP 1978
• 1980s: growth outside USA but still research
1988 – 1992
• The Internet loses its innocence: the foundation of FIRST
• 70,000 hosts in 1988
• 2 November 1988: the Morris worm
• December 1988: CERT founded, soon followed by other US teams
• October 1989: WANK worm
• November 1990: creation of FIRST
– 10 US teams, 1 from Europe (SPAN)
1992 – 1996
• The Internet matures: the “CERT system” expands into other regions
• 1992: CERT-NL founded (The Netherlands)
• 1993: AUSCERT founded (Australia)
• Late 1993: first meeting of European teams
• 1996: report “CERTs in Europe”, basis for further development in Europe
• FIRST grows as the only CSIRT forum worldwide
1996 – 2000
• The Internet becomes business: FIRST grows global & regional initiatives thrive
• 1997-9: EuroCERT
– Failed due to “too much too soon”
• 2000: TF-CSIRT & the Trusted Introducer
• 1997: APSIRC founded
• 1998: FIRST conference in Mexico
– beginning of “professionalisation”
2000 – today
• The Internet becomes critical infrastructure: a grimmer world needs solid measures
• 11 September 2001 marks a genuine change in security awareness
• Rise of government CSIRTs
– 2002: GOVCERT.NL set up in 3 months
– 2003: APCERT founded in the Asia-Pacific region
• Issues:
– Critical infrastructure protection (CIP)
– Global, regional and national cooperation
– Crime fighting
• Organised crime exploits the Internet
Put in Perspective
- 800,000 years: Lantian “homo erectus”
- 80,000 y: Guangxi “homo sapiens”
- 8,000 y: Yangshao and Longshan cultures
- 800 y: Xia dynasty
- 80 y: wars mark start of modern age
- 36 y: birth of the Internet
- 17 y: the Morris worm brings the Internet down
- 8 y: the Internet becomes the foremost worldwide communication tool for business and pleasure
- 3 y: organized crime starts targeting companies through the Internet
CSIRT Cooperation Examples
CERT (i)
• Event:
– “There may be a virus loose on the internet.” (Andy Sudduth of Harvard, 34 minutes after midnight, 3 November 1988)
– A worm written by 23-year-old Robert T. Morris
• Not meant to bring harm but only to spread
• Took down systems due to programming errors
– 10% of the 70,000 Internet hosts went down, many more were taken offline
• Follow-up:
– 8 November 1988: DARPA post mortem meeting:
• Worm was analysed quickly, but:
• Lack of communication between sites
– Coordination and research of incidents needed
• Result:
– 17 November 1988: CERT created at SEI/CMU in Pittsburgh
– http://www.cert.org/
CERT (ii)
• Success factors:
– Caused by a shocking event
– Long-term stable funding
– Based in a “feeding” environment (SEI)
– Ability to adapt to changing needs
• Fail factors:
– Original constituency (the Internet) became too big
– Slowed down by own success
– US-centric
• Current status:
– No longer the focal point of vulnerability handling
– Still the world’s foremost CSIRT
– Most important source of thinking and courses in the CSIRT area
– Highly influential
FIRST (i)
• Event:
– October 1989: WANK and OILZ worms infected DECnet systems
– CERT, CIAC and the NASA team researched the worms together and issued warnings
• Follow-up:
– Stimulated further cooperation
• Result:
– November 1990: FIRST founded by 10 members from the US and 1 from Europe
– FIRST: the Forum of Incident Response and Security Teams
FIRST (ii)
• Success factors:
– Caused by a shocking event followed by similar events
– Built on the necessity for CSIRTs to work together
– Only worldwide CSIRT forum
– Brings together the top experts in the field
– Neutral “interconnect” for vendors and others
– Low cost / low overhead
• Fail factors:
– Too much depends on too few
– Reluctance of members to share information
– Lack of corporate & political influence
– Too slow a change into a funded, service-oriented organisation
– Regional “competitors” (TF-CSIRT, APCERT)
• Current status:
– Still the foremost worldwide CSIRT forum
– Grown to 180 members (March 2005)
– Service orientation & professional attitude rapidly improving
– Regional orientation (TCs, TRANSITS courses)
FIRST membership
[Chart: FIRST Members by year, 1990 to 2003; y-axis: Number of FIRST Teams (0 to 180); series: Latin America, Asia/Pacific, Europe, North America]
EuroCERT (i)
• Event:
– No significant event
– Need to have European incident coordination independent from US funding
• Follow-up:
– European CSIRTs worked together and with (mainly) CERT/CC, CIAC and AusCERT from 1993 onwards
– 1996 Task Force “CERTs in Europe”
• Result:
– EuroCERT founded in 1997
• At first only collecting CSIRT data
• Later to add incident coordination
• Finally followed by support and research
– EuroCERT was conceived as a European CERT/CC, to coordinate with other regional peers
• Hierarchical coordination model as opposed to network model
EuroCERT (ii)
• Success factors:
– Strong network of research/education CSIRTs
– Supported by all opinion leaders
• Fail factors:
– Not founded on shocking incidents, “just” on vision
– No willingness to “submit” to a coordinating team
– Too ambitious for the time
– Wrong idea of coordination and CERT/CC
• Current status:
– Project ended in 1999 after 2 years because of lack of interest and funding
TF-CSIRT (i)
• Event:
– The failure of EuroCERT & the real need for continued collaboration in Europe
• Follow-up:
– Agreement reached on:
• Working groups with volunteers to achieve goals
• Stimulate collaboration of teams instead of superimposing one team
• Together enable joint meetings
• Result:
– TF-CSIRT started in 2000
– TERENA (European Association for Research Networks) as facilitator
– 3 meetings a year, with help of local hosts
– http://www.terena.nl/tech/task-forces/tf-csirt/
TF-CSIRT (ii)
• Success factors:
– Inspired by a marked event
– Building on a collaboration dating back to 1993
– Cooperation and collaboration instead of coordination
• matches European culture
– Low cost, including low travel cost (regional)
– Setting clear goals and achieving them (TI, IRT Object, IODEF, TRANSITS)
• Fail factors:
– Difficulty in addressing corporate and governmental needs
• Current status:
– Still going strong (over 100 attendees per meeting)
– Gaining recognition at EU and national levels
– Possible cooperation with FIRST once a year
Trusted Introducer (i)
• Event:
– The need to continue the CSIRT database maintained by EuroCERT
• Follow-up:
– Design of a CSIRT accreditation process
• Result:
– September 2000: start of the Trusted Introducer (TI)
• Public database of all European CSIRTs
• Accreditation process for established teams
• Secure website and database for accredited teams
• Team data are actively maintained
• Subcontracted service but governed by accredited teams
– http://www.trusted-introducer.nl/
Trusted Introducer (ii)
• Success factors:
– Continuing the good parts of a failed service
– Quality and maintenance (up-to-date)
– Accreditation fits into increasing accountability needs
• Possible future certification
– Interaction with TF-CSIRT
– Professionally operated, governed by accredited teams
– Subcontractor part of the CSIRT scene (not “just” a company)
• Fail factors:
– Difficult to identify teams who are “no good”
• Current status:
– Successful: 42 accredited teams and growing (50% penetration)
– IRT object promoted by the TI
– 1 January 2005: new services added (in-band re-encrypting messaging, out-of-band alerting, statistics, PKI)
Trusted Introducer – accredited teams
[Chart: number of “accredited” CSIRTs (0 to 25) against months after TI start (0 to 60); series: Research & Education, Commercial, Government & Military, Mixed]
APCERT
• Event:
– No significant event, but need to grow the system to the next maturity level
– Increased government support, partially due to:
• a grimmer world (11 Sep 2001)
• Critical Infrastructure Protection
• Follow-up:
– APSIRC evolving into a formal structure
• Result:
– APCERT founded in 2003
• Goals comparable to TF-CSIRT and FIRST, but also:
• Coordination of incident response efforts
• Success factors:
– Good coverage of Asia-Pacific countries
– Coordination on national levels is an enabler
• Fail factors:
– Cultural differences
• Current status:
– Started ambitiously
– Good collaboration with FIRST and other bodies
– Going strong!
ENISA
• http://www.enisa.eu.int/
• European Network and Information Security Agency
• EC-funded security think tank
– Centre of expertise for all member states and sectors
– Awareness raising with regard to security
– E.g.: promoting member state CSIRT activities
• Andrea Pirotti (director) is touring Europe gaining support
• Build-up phase
• Both on board level and in the PSG (Permanent Stakeholder Group) the CSIRT community has representatives
Conclusions
The problems of 1973
• Internet consists of 31 hosts
• RFC 602 complains about:
– weak passwords
– “open” addresses
– system penetrations
The problems of 2005
• All of the above and more …
– In 2004 up to 1000 security alerts
• What’s new on the net:
– The incredible scale and reach of the Internet
• GRID networking – as in botnets …
• Legal boundaries clash with the boundless Internet
– The Internet as an element of Critical Infrastructure
• Phone traffic over IP
– Organized crime
– Terrorism?
Tons of security incidents that MUST be handled
Core reasons to have a CSIRT
• To organise “authority”
• To organise “escalation”
• To organise internal and external contacts
• All with regards to prevention and resolution of information security incidents
Cooperation of CSIRTs: does it work??
• CERT, FIRST, TF-CSIRT, APCERT etcetera etcetera
YES IT WORKS !!
(but major incidents help)
Cooperation of CSIRTs: does it help??
• Most CSIRTs invest considerable effort in cooperating with other CSIRTs
• The trusted channels needed for incident handling require cooperation of teams
• No complex incident is handled by one team alone (local teams, vendor teams, police teams ….)
YES IT HELPS !!
• And by the way – we have no choice …
The road ahead
Challenges
• Critical infrastructure protection
• Build resilience against organised crime, terrorism (and other warfare)
• Foster (inter)national cross-sector cooperation
– Legal boundaries are a tough issue: need international law??
• Stop blaming the vendors
– Invest in security, based on risk management
• Re-think security architecture
– Time for *genuine* security thinking again
• Stop blaming the users
– the spyware/malware drama
International Boundaries
• Miscreants treat the Internet as their backyard – without boundaries
• CSIRTs deal with 100+ countries with 100+ laws and 1000+ CSIRTs
• What to do?
– Inventory of relevant laws
– National Internet crime squads
– Cooperation both on CSIRT and Law Enforcement levels
• Codes of conduct
– Harmonisation of essential laws: “Internet law”
– Role of United Nations?
National Collaboration
• Each country has industry, research, education, government, military, law enforcement ….
– Different needs and demands
• Collaboration on CSIRT level necessary
• What to do?
– National coordinating teams
• feasible in AP region, Middle East and possibly Africa
• difficult in Western countries (culture and law)
– National cooperation and collaboration
• Government teams driving factor since 11 September
• Supportive measures (e.g. research)
– CSIRTs of last resort
– Accreditation & certification
International Collaboration
• The need is clear, but ….
– Cultural differences (example: the business card protocol)
– Legal differences (example: credit card fraud)
– Interest differences (example: multinationals)
– Secrecy
• What to do?
– CSIRT level: FIRST collaborates with regional fora
– Law enforcement level: cut the red tape
– Government level: stimulating measures & national CSIRT cooperation & harmonising laws
– Sector level: sectorial CSIRT cooperation?
– Accreditation & certification
And the techniques?
• CSIRTs:
– Mapping IP numbers to CSIRTs (IRT object)
– Intrusion detection networks and automated collection of data
– Automated exchange of incident data (IODEF?)
• IPv6?
• Vendor awareness
• (dream:) secure software engineering
Can we win?
• Too many legal and cultural differences?
– Re-think: consider each time what *binds* rather than what *divides* and concentrate on the binding factors
– Example: human culture and life
• Great variety
• Binding factors: reproduction, immortality and friendship
• In real life: to win is not to lose