
Evolution of CSIRTs: how to engage Critical Infrastructures and cooperate beyond borders

This article discusses the increase in security incidents and the evolution of CSIRTs to provide preventive and quality services. It explores national, regional, and international initiatives for cooperation and provides recommendations for improving CSIRT engagement and coordination.



Presentation Transcript


  1. Evolution of CSIRTs: how to engage Critical Infrastructures and cooperate beyond borders. Giza, 19th December 2011

  2. In recent years the number, type and impact of security incidents have been increasing

  Security incident timeline
  • Internet distributed denial of service attack: 6 of the 13 root servers that form the foundation of the Internet were affected, two badly
  • Cyber-attack hits Canadian government computers
  • Massive DNS cache poisoning attack that affected millions of users in Brazil
  • Titan Rain, a series of coordinated attacks on US army, navy and missile unit systems
  • A series of coordinated cyber attacks against major government, media and financial websites in South Korea and the USA
  • Major videogame companies under attack
  • A series of cyber attacks that swamped the websites of the Estonian parliament, banks, ministries, newspapers and broadcasters
  • Operation Aurora, a sophisticated and targeted attack on international organizations
  • A major SSL certificate was compromised
  • The Stuxnet worm infected 100.000 industrial control systems with a worldwide geographic distribution

  Timeline date labels from the slide (in extraction order): 2008-2010, 2009-2010, 4-6/2011, 11/2011, 3-9/2011, 2007, 2007, 7/2009, 2/2011, 2/2011

  3. Relevant CERTs were born to prevent and respond to incidents… (European CERTs Map 2011)

  4. …they extended their services from being only a reaction force to a more complete security service provider, including preventive and quality services. (CERT Services)

  5. …and at national, regional and international level CERT cooperation initiatives have been started, but none exclusively for the national private sector

  Main cooperation initiatives

  National initiatives
  • CIRCA: national forum of cooperation from the public and private sector
  • CERT-Verbund: the initiative associates German security and incident response teams from various sectors
  • UKCERTS: the British UKCERTS alliance is an informal forum of CERTs from different sectors
  • Polish Abuse Forum: Abuse Forum assembles a group of CERTs and security teams of Polish ISPs and ICPs (Incident Content Providers)
  • O-IRT-o: the Dutch o-IRT-o initiative associates CERT teams, including 31 organizations from the public and private sector

  Regional/international initiatives
  • APCERT: a CERT coalition that ensures network security and incident response activities in the Asia Pacific region
  • NORDUnet CERT: assembles Scandinavian CERTs within NORDUnet (cooperation of Nordic national research networks)
  • CEENet: Central and Eastern European Association comprised of 23 national research/education networks
  • EGC: a group of CERTs with governmental constituencies and national responsibilities in their countries
  • FIRST: the biggest international forum of CERTs and other security teams
  • TERENA TF-CSIRT: a task force organised under TERENA

  6. Indeed, today CERTs still lack engagement, services, investment, mutual aid and coordination

  CERTs improvement needs

  As is
  • No engagement
  • No involvement in Incident Response
  • Lack of coordination at the international level
  • Only one-way services
  • Lack of information sharing
  • Lack of mutual aid
  • No shared incident management policies and procedures
  • No shared incident management strategies and framework

  To be
  • Engagement
  • Involvement in Incident Response
  • Coordination at the international level
  • Inter-sector and intra-sector cooperation
  • Two-way services
  • Information sharing and shared situational awareness
  • Incident management mutual aid
  • Shared incident management policies and procedures
  • Shared incident management framework

  7. Responding to these issues, and in accordance with the common points of national strategies, GCSEC intends to create a Cyber Incident Response Coordination Capability (CIRC2) involving the private sector

  Common key points and recommendations of the national cyber security strategy

  Relevant sectors to involve in the first stage: Energy Company, Transportation Company, Telco Company, Finance Company

  8. Objectives of CIRC2 are information sharing, mutual aid, definition of shared policies/procedures, contribution to the regulatory framework and private cooperation

  CIRC2 Objectives
  • Information sharing on threats, vulnerabilities, warnings, alerts, methodologies and tools for incident management
  • Definition of shared incident management policies and procedures
  • Mutual aid to directly enforce the CIRC2 members' capabilities of incident response
  • Contribution to the definition of the national and international regulatory and policy framework
  • Representation in international contexts and facilitation of coordination between public and private stakeholders

  9. Only in the second stage could the CIRC2 be transformed into an effective Incident Response Joint Team of the private sector

  Incident Response Joint Team (Private Sector)

  Comments
  • To become an effective IR Joint Team, the IR Capability should take several actions, such as:
    • establish the legal form of the organization (e.g. consortium)
    • define the mission and the range and level of services that the IRT will offer (e.g. proactive or reactive services)
    • define a funding model
    • identify an organizational model
    • define interactions/interfaces
    • define incident response processes
    • implement secure information systems and network infrastructures
    • identify required resources

  Diagram labels: Out of scope: Public National Italian Response Team; IRT Energy Company; IRT Finance Company; IRT Transportation Company

  During the second stage of the project, a capability assessment of each IRT will be performed by GCSEC, in order to align them to best practice

  10. CIRC2 is based on a model composed of organization, processes and tools (CIRC2 Model: Organization, Processes, Tools)

  11. The model includes strategies, legal and administrative framework, organizational model and policies…

  Illustrative organization main aspects

  Strategies
  • Mission, vision, goals, objectives, constraints
  • Participation strategy (members and other national stakeholders) and minimum capability level
  • Risk management strategies
  • Trust model
  • …

  Legal & admin framework
  • Legal entity
  • Funding model
  • Non-disclosure agreements (NDAs)
  • Mutual aid and assistance agreement
  • …

  Organization model
  • Organizational model and structure
  • Reporting structure, authority
  • Roles and responsibilities
  • Staff
  • …

  Policies
  • Information sharing policy
  • Incident classification and communication policy
  • Trust communication policy
  • Resource management policies
  • Incident handling guidelines
  • Risk management policy
  • Interoperability policy
  • …

  12. … management processes of CIRC2 …

  Illustrative processes main aspects
  • Information sharing process
  • Mutual aid and assistance process
  • Communication and coordination process
  • Risk management process
  • Incident reporting process
  • Incident classification process
  • Incident coordinated response process
  • Performance measurement process
  • Shared resources (personnel, equipment, facilities, supplies and other) management process
  • Escalation process
  • Emergency management process
  • Post incident evaluation process
  • Lessons learned and improvement process
  • Incident management exercise process
  • …

  13. …all tools needed for cooperation, information sharing and incident management

  Illustrative tools main aspects
  • Information sharing platform
  • Technological instruments to support trust
  • Early warning system
  • Instruments for secure communications
  • Incident forensics tools
  • Other tools

  14. Each member will draw benefits from participation in the CIRC2

  CIRC2 member benefits
  • Some processes run more effectively and efficiently than if each member had implemented them individually (e.g. forensics and post-incident analysis)
  • Information knowledge and information sharing
  • Better incident response through mutual aid and assistance
  • Incident exercises and awareness building across the private sector
  • Shared technologies and a common automated platform for security vulnerability identification and communication, alerts and warnings
  • Cost reduction
  • Resource sharing and staff exchange

  15. Other organizations/governments can benefit from the CIRC2 project

  How to participate
  • Be informed on CIRC2 development
  • Support requirements definition
  • Join the pilot project
