enisa operational security cert relations...2. enisa cert exercises at universities 3. enisa as...
How to navigate on our website? Fast links to 2012 reports:
http://www.enisa.europa.eu/media/2012-fast-links

Supporting the CERT and other operational communities (WS3)
National/governmental CERTs: the situation has changed… (map of n/g CERTs in 2005 vs 2013)
Established in 2005: Finland, France, Germany, Hungary, The Netherlands, Norway, Sweden, UK
Baseline capabilities of n/g CERTs:
- Initially defined in 2009 (operational aspects)
- In 2010 policy recommendations drafted
- In 2012 ENISA continues to work on harmonisation together with MS
Status Report 2012: National/governmental CERT capabilities – updated recommendations 2012
ENISA’s new CERT interactive map: http://www.enisa.europa.eu/activities/cert/background/inv/certs-by-country-interactive-map
Project Background and Objectives

2009 & 2010: ENISA carried out its very first attempt to define a minimum set of baseline capabilities for a n/g CERT.
http://www.enisa.europa.eu/activities/cert/support/baseline-capabilities

Current Project: ENISA conducted a stock-taking “Further definition and deployment of baseline capabilities for national / governmental CERTs” with two principal objectives:
• to assess the level of compliance of n/g CERTs in EU Member States with currently defined baseline capabilities and to provide a status report on the level of deployment of the current set of baseline capabilities;
• to further discuss the baseline capabilities with CERTs, and where appropriate adjust and extend the currently defined baseline capabilities with a focus on national and regional cooperation.

Project Results: The final results of the current project have been published in two reports:
• Final Status Report on Deployment of Baseline Capabilities of National / Governmental CERTs
• Baseline Capabilities of National / Governmental CERTs, Update Recommendations, 2012
Status Report 2012: Some initial statistics…

Chart: Self-Assessment of the Maturity Status of National / Governmental CERTs (pie chart; categories: Initial, Repeatable, Defined, Managed, Optimised, Other; shares as extracted: 15%, 10%, 30%, 30%, 5%, 10%).

Chart: Years of Operation of National / Governmental CERTs (pie chart; categories: Up to one year, 1-2 years, 3-5 years, 6-8 years, Over 8 years; shares as extracted: 20%, 28%, 32%, 16%, 4%).

Total: 45 responses to the questionnaire (25 from n/g CERTs; 20 from other CERTs and other stakeholders).
Interviewed teams that assessed themselves as either governmental or national/governmental CERTs indicated years of operation between 4 months and 11 years.
Highlights: Mandate & Strategy

Clarification of the Mandates for N/G CERTs
The role of n/g CERTs is supported by mandates (only two n/g CERT respondents did not refer to any kind of mandate), the details and form of which vary greatly across Member States.

Chart: Are all responsibilities of n/g CERTs considered clear in the mandate? YES/NO answers from National/Governmental CERTs and from other stakeholders, shown as percentages; n=34 (18 n/g CERTs + 16 other stakeholders); bar labels as extracted: 12, 11, 6, 5.

• 63 percent of n/g CERTs claimed that the roles and responsibilities of their teams are clearly defined and that no major changes are needed. This is broadly in line with the sentiment of other stakeholders, almost 70 percent of which agree with this statement.
• Areas where more clarity might be necessary:
  - The scope of services described in the mandate does not correspond to the team's capacity.
  - Although constituents are requested to report incidents, problems can arise when the law is not sufficiently clear and ISPs and operators do not know to whom they should report incidents.
  - Clarification might be required in the future with regard to collaboration with LEAs.
  - The provision and funding of so-called GovCERT services have so far not been adequately addressed.
Highlights: Service Portfolio

Scope of Services Provided by N/G CERTs
The scope of support (proactive services, reactive and security quality management services) the teams provide to their constituents depends on the type of constituent, or customer respectively.

• The more mature the n/g CERT is, the more reactive services it tends to provide to its constituents.
• Telecommunication operators and government institutions in general regard the activities of n/g CERTs positively. One of their opinions is illustrative: “Despite a lack of empowerment from the government institutions there is a good coordination effort and a very good sense of responsibility and coordination between the members.”
• The increasing focus on proactive services is reflected in the way that n/g CERTs deploy these services. It is now common for n/g CERTs to publish advisories for events and incidents that are considered to be of special importance to its constituents.

Chart: Satisfaction of constituents with services provided by n/g CERTs (pie chart; categories YES, NO; shares as extracted: 73%, 27%); n=11 other stakeholders (other than n/g CERTs).
Highlights: Operational Capabilities

Budgetary Limitations of N/G CERTs
N/g CERTs' limited budgets often do not allow for the significant investments that are needed to provide additional and innovative services. Nevertheless, the necessary staff training and education is taken care of mostly within the teams, including participation in international seminars and conferences.

Chart: Funding Considered as Sufficient (pie chart; categories YES, NO; shares as extracted: 55%, 45%); n=11 n/g CERTs.

• The budgetary situation is improving as new strategies and mandates envisage an enhanced role for the n/g CERTs, which should also result in increased funding. A slight majority of n/g CERTs who commented on this topic believe that the current level of funding is sufficient for them to fulfil their expected tasks. However, many n/g CERTs still reported a lack of funds, especially in the newer Member States of the EU.
• Funding for n/g CERTs usually comes from governmental bodies and host organisations. Where n/g CERTs are hosted by NRAs, a part of the budget flows directly from the operators in the form of a small portion of their yearly turnover. But a few n/g CERTs are also actively seeking and generating funds from other sources.
Highlights: Cooperation

Engagement in International CERT Initiatives and Bilateral Cooperation
The n/g CERTs are firmly anchored in international structures and they also engage in fruitful bilateral cooperation with their counterparts within Europe and beyond.

• Membership in various CERT initiatives is widespread throughout the EU. With a couple of exceptions, all n/g CERTs surveyed indicated that they are members of one or more of them.
• The most common structures that n/g CERTs belong to are Trusted Introducer, FIRST, and TF-CSIRT. Other popular structures included the EGC Group, ENISA’s workshops and working groups and the Anti-Phishing Working Group.
• The nature of bilateral coordination is typically informal, particularly in cases where n/g CERTs want to exchange experiences and best practices.
• Two key factors supporting cooperation with n/g CERTs in other EU Member States are regional synergies and the maturity level of the other n/g CERT.

Chart: Factors Supporting Cooperation with n/g CERTs in Other Member States (pie chart; categories: Regional synergy, Maturity stage, both; shares as extracted: 37%, 25%, 38%); n=16 n/g CERTs.
Report Overview: Baseline Capabilities of National / Governmental CERTs, Update Recommendations, 2012

The gaps identified in the baseline deployment study served as the basis for an updated set of recommendations, the objective of which is to provide n/g CERTs with the guidance needed to address the gaps, better meet their deployment capabilities, and identify best practices for national, regional and international cooperation. The recommendations were published in the report “Baseline Capabilities of National / Governmental CERTs, Update Recommendations, 2012.”

Recommendations to overcome gaps and achieve deployment objectives were formulated in line with the responsibilities of relevant stakeholders, such as policymakers, heads of n/g CERTs, and members of n/g operational teams.

Recommendations were also made in line with developing best practices for national, regional and international cooperation among n/g CERTs, their constituents and other stakeholders.

Diagram: Target of Recommendations: Policymakers; Heads of N/G CERTs; Operational Teams; Best Practices in Cooperation.
CERT Exercises and training material
ENISA CERT training/exercise material, used since 2009, was extended to host 23 different topics and training exercises including:
- technical aspects (mobile device forensics based on an Android emulator, investigation of DDoS traces, netflow analysis, deployment of honeypots etc.);
- organisational aspects (developing CERT infrastructure, establishing external contacts etc.);
- operational aspects (triage & basic incident handling, automation in incident handling, calculating the cost of an information security incident and its return on security investment (ROSI) etc.).

CERT Exercises expanded
Existing 12 exercises improved
10 exercises added:
13. Incident handling during attack on CII
14. Proactive incident detection
15. Cost of ICT incident calculation
16. Mobile incident handling
17. Incident Handling in the Cloud
18. Advanced Persistent Threat incident handling
19. CERT participation in incident handling related to the Article 13a obligations
20. CERT participation in incident handling related to the Article 4 obligations
21. Assessing and Testing Communication Channels between CERTs and all their stakeholders
22. Social networks used as an attack vector for targeted attacks

Roadmap
Additionally a Roadmap was created to answer: how could ENISA provide more proactive and efficient CERT training?
- Based on live consultations & survey
- 10 proposals identified
- Planning window 2013 – 2017
- ENISA legal environment & mandate taken into account while analysing proposals
Proposals:
1. ENISA support to the TRANSITS Framework and other suitable training programs
2. ENISA CERT Exercises at Universities
3. ENISA as co-provider of CERT trainers and trainings
4. CERT Training Information Desk
5. Video material by ENISA – how to organise the exercises
6. ‘Fire Drills’ for the CERT community
7. ENISA CERT Training Hubs (ECTH)
8. ENISA CERT Exercises Certified Provider (ECTCP)
9. Recommendations for Public Administration Organisations
10. Certification Paths
Survey: Comparative perceptions
Perception of TRANSITS. Average scores on a scale of 1 to 10:
- SANS security trainings: 6.5 (*)
- CERT/CC CSIRT trainings: 7.0
As compared to TRANSITS courses:
- TRANSITS I: 8.7
- TRANSITS II: 9.5
- Train-the-trainers: 8.0
(*) the low SANS score was unexpected and not clearly explained

Survey: Other useful trainings
Outside TRANSITS, SANS and CERT/CC, the most mentioned training providers were:
- International Information Systems Security Certification Consortium: (ISC)²
- Information Systems Audit and Control Association: ISACA®
- Internet Systems Consortium: ISC
- NATO Cooperative Cyber Defence Centre of Excellence: CCDCOE
EISAS 2012 – Large scale pilot
European Information Sharing and Alert System, introduced in COM(2006) 251: “Communication on a strategy for a Secure Information Society”
In 2012: Pilot Project for collaborative Awareness Raising for EU Citizens and SMEs
- Gathered n/g CERTs, governmental agencies and private companies in 6 different MS
- Cross-border awareness raising campaign
- Reached more than 1.700 people in 5 months
- Social networks involved

Table (as extracted): Information providers: Deutsche Telekom AG, NorSIS, LMU. Material (providers, disseminators): 1. Social Engineering Movie; 2. ID Theft Quiz; 3. Securing PCs against Botnets. Information disseminators: CESICAT (Catalonia), LaCaixa (Catalonia), CERT Hungary, CERT Poland, NorSIS; material disseminated per organisation as extracted: “all three” (four entries) and “No. 1, SE Movie” (one entry).
Cybercrime project 2012

Main goals:
- Define key concepts
- Describe the technical and legal/regulatory aspects of the fight against cybercrime
- Compile an inventory of operational, legal/regulatory and procedural barriers and challenges and possible ways to overcome these challenges
- Collect existing good and best practices
- Develop recommendations
Focus on CERT-LEA cooperation

Differences:
- Definitions of cybercrimes/attacks
- Meanings of sharing
- Character of the organizations
- Objectives
- Types of information
- Directions of requests
- …

Legal obstacles
- CERT legitimacy, scope, remit and competences
- CERTs as evidence holders
- Legal pitfalls of data sharing/Data Protection
- Legal know-how and awareness
- Laws as a barrier to receive information

Operational obstacles
Governance
- Different/unknown policies and procedures
- Absence of clearly defined policies has a negative impact on sharing information
- Financial burden, opportunity cost or competing priorities
Processes
- Security clearance/certification
- Language barriers
- Different/incompatible/unknown workflows
- Duplication
- Information misdirection
Tools and technology
- Lack of early warning/Knowledge Management tools
- Lack of common case management tools
- Lack of secure communication channels
- Administrative problems: inappropriate time stamp
Information
- Lack of clarity on what the other party will do with information
- Insufficient detail/inappropriate detail
- Lack of service catalogues
- Lack of information on understanding of role & parameters for co-operation
Personnel and training
- Lack of known & trusted personnel/inexperience
- Previous poor experience in sharing information
- Lack of confidence/clarity in your/their official status

Recommendations
Training
- For CERTs: training element on how to deal with LEAs (TRANSITS?)
- For LEA: how to deal with CERTs (EC3?)
Structures
- Facilitation & Collaboration
- Best Practice development
- Harmonisation/clarification of legal and regulatory aspects
ENISA Honeypots study
An increasing number of complex attacks demand improved early warning detection capabilities for CERTs. By having threat intelligence collected without any impact on production infrastructure, CERTs can better defend their constituencies' assets. Honeypots are powerful tools that can be used to achieve this goal.
Long but good! (179 pages)
Additionally “ENISA Honeypots exercise” (another 60 pages)
Motivation for conducting the study
Chart: Survey responses concerning categories of tools used for network security incident gathering (bar chart, counts from 0 to 50; response options: No answer; I never used it and will not use it; I used it in the past, but dropped it; I don't use it but plan to use it in future; I use it).

Honeypots vs other tools
- Honeypots vs sandboxes
- Honeypots vs darknets
- Honeypots vs Intrusion Detection / Prevention Systems
- Honeypots and web security proxies
Overall, the study has found that honeypot technologies, while sometimes difficult to handle, are a good source of threat intelligence information for CERTs.

General Recommendations for CERTs
- CERTs are encouraged to explore the possibility of deploying honeypots across their constituencies. Fewer privacy concerns than with other technologies.
- CERTs need to cooperate and develop large scale interconnected sensor networks in order to collect threat intelligence from multiple geographic areas. Honeypots are a good choice for such solutions.
- CERTs should plan for how they will handle any vulnerabilities or incidents within their network that are discovered through the use of a honeypot.
- CERTs are encouraged to take part in the development of honeypots and in providing feedback to honeypot developers. This will lead to the creation of better tools.
Paper on Return on security investments
The aim of this document is to initiate a discussion among CERTs to create basic tools and best practices to calculate their Return on Security Investment (ROSI).
This key notion is essential when justifying costs, engagement and budgets for those entities that deal with security on a regular basis (security departments, CERTs, etc.).
The FIRST Metrics SIG works to improve the metrics and evaluation methods for internal evaluation of CERTs. As part of this work, the Metrics SIG is addressing the topic of cost of incidents and return on security investment.
Note: New exercise scenario on calculating the cost of an information security incident and its return on security investment (ROSI).
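As an added worked example (not code from ENISA's ROSI paper, the exercise material or the FIRST Metrics SIG), the following Python script carries a ROSI calculation through on constructed figures and ranks three candidate controls by it. It assumes the textbook definitions usually used in such discussions (SLE = asset value * exposure factor; ALE = SLE * ARO; ROSI = (ALE * mitigation ratio - annual cost) / annual cost); whether the ENISA paper defines the terms in exactly this way is not stated on the slide. The IncidentProfile and Control names, all monetary values and the three controls are assumptions made for illustration.

```python
"""Return on Security Investment (ROSI) worked example (added, constructed figures).

Assumed definitions (textbook ones, not necessarily those of the ENISA paper):
  SLE  = asset_value * exposure_factor        single loss expectancy per incident
  ALE  = SLE * ARO                            annualised loss expectancy
  ROSI = (ALE * mitigation_ratio - cost) / cost
A ROSI of 1.0 means the control avoids twice its own annual cost in expected losses.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class IncidentProfile:
    """Loss model for one incident type (all figures constructed)."""
    asset_value: float        # value of the asset at risk, in currency units
    exposure_factor: float    # fraction of that value lost per incident, 0..1
    aro: float                # annual rate of occurrence (expected incidents per year)

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate security measure with its yearly cost and estimated effect."""
    name: str
    annual_cost: float
    mitigation_ratio: float   # fraction of the ALE the control is expected to prevent, 0..1


def rosi(profile: IncidentProfile, control: Control) -> float:
    """ROSI of applying `control` against the losses modelled by `profile`."""
    if control.annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    if not 0.0 <= control.mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must lie in [0, 1]")
    avoided_loss = profile.ale() * control.mitigation_ratio
    return (avoided_loss - control.annual_cost) / control.annual_cost


def break_even_mitigation(profile: IncidentProfile, control: Control) -> float:
    """Smallest mitigation ratio at which the control pays for itself (ROSI == 0).

    A sanity check on the estimate: if the break-even ratio is close to the
    estimated one, the case for the control rests entirely on that estimate.
    """
    return control.annual_cost / profile.ale()


def rank_controls(profile: IncidentProfile, controls: list[Control]) -> list[tuple[str, float]]:
    """Return (name, ROSI) pairs, best ROSI first."""
    scored = [(c.name, rosi(profile, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: a 500,000 asset, 20% lost per incident, two incidents a year,
# so SLE = 100,000 and ALE = 200,000. The controls and their mitigation ratios are
# illustrative guesses, not measured values.
SAMPLE_PROFILE = IncidentProfile(asset_value=500_000, exposure_factor=0.2, aro=2.0)
SAMPLE_CONTROLS = [
    Control("honeypot sensor network", annual_cost=30_000, mitigation_ratio=0.3),
    Control("endpoint hardening", annual_cost=80_000, mitigation_ratio=0.7),
    Control("awareness campaign", annual_cost=20_000, mitigation_ratio=0.1),
]


def sample_ranking() -> list[tuple[str, float]]:
    """Ranking of the constructed controls against the constructed profile."""
    return rank_controls(SAMPLE_PROFILE, SAMPLE_CONTROLS)


if __name__ == "__main__":
    print(f"ALE: {SAMPLE_PROFILE.ale():,.0f}")
    for name, value in sample_ranking():
        ctrl = next(c for c in SAMPLE_CONTROLS if c.name == name)
        be = break_even_mitigation(SAMPLE_PROFILE, ctrl)
        print(f"{name:25s} ROSI {value:+.2f}  break-even mitigation ratio {be:.2f}")
```

On the sample figures the honeypot sensor network scores a ROSI of 1.0 and endpoint hardening 0.75, even though hardening avoids more loss in absolute terms (a net 60,000 a year against the honeypot's 30,000). ROSI is a ratio, so it favours cheap controls; when the budget can fund several measures, the absolute avoided loss should be read alongside it. The break-even ratio makes the other weak point visible: every ROSI figure is only as reliable as the ALE and mitigation estimates behind it, which is exactly why the paper calls for agreed tools and practices among CERTs.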
Other activities
- 7th ENISA workshop ‘CERTs in Europe’
  Part I -> technical training for n/g CERT experts: hands-on training exclusively for the EU national/governmental CERT teams; 2 days of deep technical dive into topics like botnets, mobile malware and other interesting topics.
  Part II -> 2nd time jointly organised with EUROPOL on 16/17 October. Goal: to facilitate better cooperation between n/g CERTs and LEA in MS. Continuation of the first workshop (6th ENISA workshop in 2011). Interactive sessions – n/g CERTs and LEAs group exercise. Final report is published.
- Supported TRANSITS in Prague and Porto in 2012.
Our activities in 2013
- Workshops: 8th annual CERT workshop
  I. Tentatively in Q2; in Romania; co-located with TF-CSIRT meeting; hands-on training
  II. Tentatively in Q4; with EC3 (EUROPOL) in The Hague; cybercrime theme (CERT&LEA)
  III. Continue supporting TRANSITS trainings
- Projects:
  I. n/g CERT – harmonisation of the baseline capabilities framework + provision on ICS CERT capabilities
  II. Exercise material – extension to cybercrime scenarios
  III. EISAS – deployment study
  IV. CERT services - Alerts, Warnings and Announcements
  V. Secure communication solutions for CERTs (requirements and stocktaking)
  VI. Information sharing and international incident handling – harmonisation of legal frameworks
  VII. Practical implementation of the ‘Directive on attacks against IS…’
Thank you for your attention!