The Trusted Introducer Concept - PowerPoint PPT Presentation

Slides: 35
Provided by: Don1175
1
The Trusted Introducer Concept
  • Brian Gilmore (TERENA)

2
Let's assume we all know that ... (i)
  • Security is a problem on the Internet
  • There are lots of security incidents worldwide
  • The police only come in on a small minority of
    incidents (for several reasons beyond scope here)

3
CSIRTS
  • There are CSIRTs (dedicated team) and ISPs with
    CSIRT functions dealing with those problems
  • There are now a few 100 of those around
  • CSIRT: Computer Security Incident Response Team
  • a.k.a. CERT

4
Why a problem?
  • If you are a member of one of these 100 teams
  • How do you know who to contact in another
    country?
  • Academic CSIRT, ISP CSIRT, Gov CSIRT
  • When you have established that, are you certain
    you are talking to the person you think you are?

5
What is the solution?
  • So the CSIRT infrastructure is a major problem
    and becoming worse
  • There is no worldwide solution for this yet
  • FIRST is not involved at this level (or not yet),
    no other body, such as ISOC is engaged in this
    activity

6
1st Attempt
  • Not really the first attempt, more like the 5th!
    But the first to make real headway!
  • After advice from the community, TERENA set up
    the EuroCERT service

7
EuroCERT
  • This service acted as a central focus point for
    all European CSIRTS.
  • I.e., if one CSIRT had an incident from outside
    their sphere, they handed it to EuroCERT
  • The service was funded by a subscription on the
    NRENs which hosted an (academic) CSIRT
  • Ran for 15 months

8
Why did it stop?
  • The level of demand was such that it was clear
    the service would need at least 5 staff to
    function properly.
  • NRENs were not happy to subscribe at that level
    and preferred to fund their own CSIRTs

9
Attempt No 2
  • TERENA then hosted the first of a series of
    meetings of CSIRTS in Europe.
  • This is now a formal TERENA Task Force: TF-CSIRT
  • Meetings have been very successful with over 40
    participants
  • Some 5 non-academic CSIRTs attend

10
So ...
  • TF-CSIRT decided to start solving the problem
    itself, in Europe, ...
  • ... hoping that other regions will join, or copy
    the effort, or improve on it
  • They named their effort
  • TRUSTED INTRODUCER

11
TI mission statement
  • The Trusted Introducer must foster trust and
    cooperation between CSIRTs in Europe, both new
    and experienced. The vehicle used to achieve this
    is to invite CSIRTs to present themselves and
    describe their service according to an
    established baseline thus enabling objectivity,
    which is regarded as the pre-requisite of trust.

12
Certification or Accreditation?
  • The TI process is NOT a formal certification
    process for CSIRTS
  • It IS a process of gathering information and
    documenting it to a certain standard
  • It ASSISTS in helping teams enter the web of
    trust
  • It COULD develop later into a more formal process

13
TI process (i)
  • The TI registers known European CSIRT teams as
    Level 0
  • Teams that decide to join the TI effort to foster
    European inter-CSIRT cooperation get invited by
    the TI to become Level 1
  • The Level 1 team then has 3 months to work
    together with the TI to present their service
    according to the TI baseline

14
TI process (ii)
  • If they succeed, the team is recognized by the TI
    as Level 2 and their baseline presentation is
    published in the TI repositories (only partially
    in the public repository)

15
TI process (iii)
  • Any non-compliance in the above process results
    in a fallback to Level 0
  • Max of 2 attempts in 12 months
  • The experiences to date have shown that the fee
    charged is amply paid back in the form of the
    (otherwise) free consultancy that the team gets
    to help it define its services etc from the TI

16
TI process (iv)
  • Level 2 teams maintain their status by regularly
    (4 months) complying with their baseline
    presentation or adapting it when due
  • Otherwise, they will again be dropped to Level 0
  • Essential to catch teams who, for example, lose
    their staff and are non-effective but don't wish
    to admit this!

17
TI Level 2 criteria include ...
  • Filling out well defined templates
  • Defining information handling policy
  • Agreeing to publication of supplied information
    (only partially in public repository)
  • Regularly maintaining supplied information
  • Cooperating with TI in matters above
  • Adherence to RFC-2350 recommended
  • Visiting FIRST and TF-CSIRT events recommended

18
L2 Criteria
  • For example
  • Cyber contact (at least) must be made with a
    person representing the team
  • That person must prove that he can represent the
    team and the team is correctly empowered by the
    parent organisation
  • Proof is using good cryptography with an identity
    backed by a check of some personal ID

19
L2 Criteria
  • The CSIRT provides statements of their
    composition and service.
  • These could be checked for
  • Authenticity
  • Actuality (reality now)
  • Correctness
  • The first two are checked, the last is seen as
    part of a certification process

20
TI setup
  • Stelvio (www.stelvio.nl) operates TI service
    (under a contract with TERENA)
  • Klaus-Peter Kossakowski (TI service manager),
    Mark Koek, Erwan Smits, Don Stikvoort (Stelvio
    CEO) all part-time involved
  • E-mail: ti_at_stelvio.nl
  • Public site: http://www.ti.terena.nl/

21
TI checks and balances (i)
  • TERENA focal point to fund service
  • TERENA independent, www.terena.nl
  • TERENA experienced in helping setup services,
    like RIPE NCC
  • TI not limited to TERENA constituency
  • TI Review Board reviews the TI work and deals
    with special cases and problems

22
TI checks and balances (ii)
  • TI Review Board consists of representatives of
    Level 2 teams
  • Initially, however, it consisted of well-known
    European network/security individuals
  • Brian Gilmore, chair (Edinburgh university)
  • Karel Vietsch, secretary (TERENA SG)
  • Andrew Cormack (JANET-CERT)
  • Christoph Graf (SWITCH-CERT)
  • Wilfried Wöber (ACONET)

23
New TI Review Board
  • A call was put out to the Level 2 teams for
    nominations for a new board. TERENA received 3
    nominations but one person declined.
  • The remaining two stand but the old board stays
    until we receive the third nomination
  • Andrew Cormack
  • Jacques Schuurman
  • Vacancy

24
May 1st 2001 snapshot
  • Public website www.ti.terena.nl
  • 55 teams registered in repository
  • 8 Level 2 teams
  • 3 pioneer teams: CERT-NL, GARR-CERT and
    JANET-CERT
  • IRIS-CERT, SIEMENS-CERT, UniNett CERT, NORDUNET
    CERT, CSIRT.DK
  • Special repository for only Level 2 teams
    available
  • 4 Level 1 teams
  • TeliaCERT, SI-CERT, BTCERTCC, BT SBS

25
September 1st Snapshot
  • 63 teams registered in repository
  • NREN 27
  • Commercial 22
  • Other 3
  • Gov Mil 11
  • Includes L0, L1 and L2

26
L1 Teams
  • Total L1 Teams 7
  • NREN 3
  • Commercial 2
  • Other 2
  • Gov Mil 0
  • Remember they have three months to achieve L2

27
L2 Teams
  • Total L2 Teams 12
  • NREN 7
  • Commercial 5
  • Other 0
  • Gov Mil 0

28
List of L2 Teams
  • BTCERTCC (United Kingdom) - (1. June 2001)
  • BT SBS (United Kingdom) - (1. June 2001)
  • CERT-NL (The Netherlands) - (1. January 2001)
  • CSIRT.DK (Denmark) - (20. April 2001)
  • GARR-CERT (Italy) - (1. January 2001)
  • IRIS CERT (Spain) - (23. March 2001)
  • JANET-CERT (United Kingdom) - (1. January 2001)
  • NORDUNET CERT - (6. April 2001)
  • SI-CERT (Slovenia) - (3. July 2001)
  • SIEMENS-CERT (Germany) - (23. March 2001)
  • TeliaCERT (Sweden) - (12. July 2001)
  • UniNett CERT (Norway) - (1. April 2001)

29
TI does not offer you
  • FIRST membership
  • FIRST is the only worldwide CSIRT forum
  • FIRST offers nothing like TI yet
  • TI Level 2 teams are well prepared for FIRST
    membership
  • A free ride
  • Initial fee to go to Level 2 (mainly high level
    consultancy) of Euro 900
  • Level 2 maintenance costs Euro 600 per year

30
TI does offer you
  • Public and maintained repository of all known
    or Level 0 European CSIRTs with contact info
  • Formalized and published accreditation process
    for CSIRTs: those that pass it are Level 2
    CSIRTs; maintenance is ensured
  • Maintained trusted repository for Level 2 CSIRTs
    only, offering extended information on all
    members
  • Management level material if you need it

31
How to achieve Level 2 ? (or be registered as
Level 0)
  • Go to www.ti.terena.nl and follow the logical
    route .......... OR ...........
  • Ask ti_at_stelvio.nl ......... OR ..........
  • Ask any of the TI crew
  • Erwan Smits
  • Mark Koek
  • Klaus-Peter Kossakowski (TI manager)
  • Don Stikvoort

32
Current Status
  • The one year pilot has come to an end
  • The CSIRT Co-ordination meeting (hosted by
    TERENA) agreed this service should continue
  • TERENA and Stelvio have signed a contract to
    continue the service for a further year.

33
What are the Problems?
  • The current service is funded by
  • A subscription from L2 teams
  • A fee from a team at L1 (trying for L2)
  • What are the cost drivers?
  • There is a significant effort on maintaining the
    information on L0 teams but we can't make them
    pay!
  • Model is currently ok, but will need to be
    revisited (economies of scale?)

34
Summary
  • Academic networks need a CSIRT just as much as
    other networks (if not more!)
  • It is in your interest to register as a L0 team
    and join TF-CSIRT
  • You should play your part in the community and
    strive to reach L2