
Page 1: Study on Current Status of Software Vulnerability …Study on Current Status of Software vii Vulnerability Handling Scheme in the EU Region 4 CERT Organizations in the EU Region 49

2006 情財第 0199 号

Study on Current Status of Software Vulnerability Information Handling Scheme in the EU Region

Scheme in EU Region Programs and Initiatives Principal CERT Organizations

April, 2007

INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN


Rheinstraße 75 64295 Darmstadt (Germany) Phone +49 (0)6151 / 869-701 Fax +49 (0)6151 / 869-704 www.sit.fraunhofer.de


Study on Current Status of Software iii Vulnerability Handling Scheme in the EU Region

Management Summary

This report presents the results of the “Study on Current Status of Software Vulnerability Handling Scheme in the EU Region” performed by SIT on behalf of IPA. The report gives an overview of the current status of vulnerability handling schemes, strategies, programs and initiatives, and an overview of Computer Emergency Response Teams (CERTs) also called Computer Security Incident Response Teams (CSIRTs) in the EU region. The description of the CERT/CSIRT organizations of different European countries focuses on France, Germany, and the United Kingdom.

The current situation and required further initiatives regarding vulnerability handling in the EU region can be summarized and classified by the following aspects:

• scope and complexity of vulnerability handling,
• lack of appropriate and standardized means of vulnerability handling, and the
• need for current and further initiatives.

The security of communication networks, information systems, products, software, applications, databases, and services is of increasing concern for all areas of society in the EU region, e.g. member states, governmental organizations, public administrations, research and educational institutions, businesses, and individuals. This situation has several causes, such as the

• technical and organizational complexity,
• wide dissemination of information and communication technology,
• increasing number of observed accidents, attacks and vulnerabilities affecting infrastructures, systems, software, applications and services, and the
• effect of high financial damage and potential loss of user confidence.

The deployment of security technologies, the provision of security management procedures, the execution of information campaigns and the initiation of research projects are the appropriate means to enhance network and information technology security. Currently many organizations, especially CSIRT organizations, exist in the EU region that are in charge of vulnerability handling. In addition, many initiatives at the EU level as well as at national levels have been started in order to provide a set of security services for all sectors of society.

Comparing the tasks and activities of individual CSIRTs, it can be observed that they all provide quite similar services, such as:


• security advisory services,
• security advisory dissemination services,
• alert dissemination services,
• profiling services,
• advisory access/retrieval services, and
• value-added services, e.g. the use of
  − intrusion detection systems,
  − vulnerability scanning,
  − patch update services,
  − virus detection,
  − firewall configuration services,
  − remote server maintenance and administration, and
  − patching.

However, all these services and tools are provided only or primarily to each team's own constituency, i.e. its member organizations and customers.

Detailed information about policies, procedures, and technical and organizational aspects is treated as sensitive information to which only certain members have access. From a Europe-wide viewpoint, this has led to a situation that can be characterized by the following statements:

• big waste of work and resources,
• insufficient convergence of technologies, including means of vulnerability handling,
• lack of clarity in standards and legal framework, and
• lack of cooperation on issues of interoperability.

A single, common vulnerability handling scheme does not currently exist in the European region. The first activities in this area have been devoted to the development and standardization of the “common advisory interchange format” and the so-called “description and exchange formats”, including for example:

• intrusion detection,
• incident object,
• penetration testing, and
• vulnerability handling.

Recently, further initiatives and activities have been launched at the European level, for example the establishment of the European Government CSIRTs Group EGC, the European Network Information Security Agency ENISA, and the creation of the European Task Force TF-CSIRT under the TERENA program, in order to promote the collaboration between CSIRTs in Europe. Some of the main goals of TF-CSIRT are listed in the following set of tasks and activities:


• provision of a forum for exchanging experiences and knowledge,
• organization of meetings and seminars for the exchange of experiences and the discussion of security issues,
• launching of pilot services for the European CSIRTs community,
• promotion of common and harmonized standards, concepts, schemes, and procedures for vulnerability handling,
• promotion of the development of sharable and harmonized databases and tools,
• assistance in creating new CSIRTs, including the
  − training of CSIRT staff, and the
  − coordination of joint initiatives,
• maintenance of a web-based clearing house for security software, including free and commercial software,
• liaison with the Trusted Introducer joint initiative of European CSIRTs, and the
• investigation of the possibilities for collaboration with the international Forum of Incident Response and Security Teams (FIRST) organization and other counterparts of TF-CSIRT in other continents.

Currently there are no concrete EU-funded projects or initiatives for CERT-related objectives or tasks. However, the EC has recently proposed the following additional tasks for ENISA that may lead to new projects in the future:

• development of an appropriate data collection framework, including the procedures and mechanisms required to collect and to analyze EU-wide information on security incidents and consumer confidence,

• organization of the establishment of a strategic partnership between member states, the private sector and the research community to ensure the availability of data on the ICT security industry and on the evolving market trends for products and services in the EU region, and the

• clarification of the feasibility of the establishment of a European information sharing and alert system that provides information on threats, risks, alerts, and appropriate responses to existing and emerging security incidents to the European ICT security industry and the European market by means of a multilingual EU portal.


Table of Contents

Table of Contents vi

List of Figures ix

List of Tables x

Abbreviations and Acronyms xi

1 Introduction 15

2 General Aspects of Security Issues 16

3 European Organizations and Programs 18

3.1 European Network Information Security Agency ENISA 18
3.1.1 Legal Framework 18
3.1.2 Tasks 21
3.1.3 Structure and Roles 22
3.1.4 Activities 24
3.1.5 Working Groups 26
3.1.5.1 Ad-hoc Working Group on CERT Services 26
3.1.5.2 Ad-hoc Working Group on Awareness Raising 27
3.1.5.3 Ad-hoc Working Group CERT Cooperation and Support 28
3.1.5.4 Ad-hoc Working Group on Risk Assessment and Risk Management 28
3.1.6 Publications 29

3.2 European Information Security Promotion Program 34

3.3 European Government CSIRTs Group 45

3.4 European Task Force-CSIRT 46

3.5 Research and Development Programs 47


4 CERT Organizations in the EU Region 49

4.1 France 54
4.1.1 CERTA 54
4.1.2 Cert-IST 56
4.1.3 CERT-LEXSI 59
4.1.4 CERT-RENATER 60

4.2 Germany 62
4.2.1 Bürger-CERT 64
4.2.2 CERT-Bund 64
4.2.3 CERTBw 65
4.2.4 CERTCOM 66
4.2.5 CERT-Verbund 66
4.2.6 CERT-VW 69
4.2.7 ComCERT 69
4.2.8 dCERT 69
4.2.9 DFN-CERT 70
4.2.10 D-Grid CERT Services 71
4.2.11 GNS-CERT 71
4.2.12 HHU-CERT 72
4.2.13 Mcert 72
4.2.14 PRE-CERT 73
4.2.15 RUS-CERT 74
4.2.16 S-CERT 74
4.2.17 Secorvo 75
4.2.18 secu-CERT 76
4.2.19 SIEMENS-CERT 76
4.2.20 T-Com-CERT 76
4.2.21 Telekom-CERT 77
4.2.22 WWU-CERT 77

4.3 United Kingdom 77
4.3.1 BT SBS 78
4.3.2 BTCERTCC 78
4.3.3 CITIGROUP 79
4.3.4 E-CERT 79
4.3.5 EUCS-IRT 79


4.3.6 JANET-CERT 79
4.3.7 MLCIRT 80
4.3.8 MODCERT 81
4.3.9 OxCERT 81
4.3.10 Q-CIRT 82
4.3.11 UNIRAS, NISCC, and CPNI 82

4.4 Other European CERTs 90
4.4.1 Austria 91
4.4.2 Belgium 92
4.4.3 Denmark 93
4.4.3.1 DK-CERT 93
4.4.3.2 CSIRT.DK 93
4.4.3.3 KMD IAC 94
4.4.4 Finland 94
4.4.5 Italy 95
4.4.5.1 CERT-IT 95
4.4.5.2 GARR-CERT 96
4.4.6 Netherlands 97
4.4.6.1 AMC-CERT 97
4.4.6.2 CERT-IDC 97
4.4.6.3 CERT-KUN 98
4.4.6.4 GOVCERT.NL 98
4.4.6.5 CERT-RUG 98
4.4.6.6 SURFnet-CERT 99
4.4.6.7 CERT-UU 100
4.4.6.8 KPN-CERT 100
4.4.6.9 UvA-CERT 101
4.4.7 Norway 101
4.4.7.1 NorCERT 102
4.4.7.2 UNINETT CERT 102
4.4.8 Spain 102
4.4.8.1 esCERT-UPC 103
4.4.8.2 IRIS-CERT 104
4.4.9 Sweden 105
4.4.9.1 SITIC 105
4.4.9.2 SUNet CERT 106
4.4.9.3 TS-CERT 106
4.4.10 Switzerland 106


5 References 108

6 Contact Information and Links 111

List of Figures

Figure 1: Scope and Complexity of Vulnerability Handling 17


List of Tables

Table 1: Documents of European Community Legislation 19
Table 2: Overview of Activities and Major Events 25
Table 3: Overview of Main ENISA Documents 29
Table 4: Overview of CERTs With SME Services 39
Table 5: Overview of Immediacy Rating 44
Table 6: Overview of Impact Rating 44
Table 7: Overview of Current Impact Rating 44
Table 8: European CERT Organizations 49
Table 9: FIRST Activities 53
Table 10: CERTA Information and Documents 54
Table 11: Cert-IST Information and Documents 58
Table 12: CERT-LEXSI Information and Documents 59
Table 13: CERT-RENATER Information and Documents 61
Table 14: DFN-CERT Activities 70
Table 15: PRE-CERT Activities 73
Table 16: JANET-CERT Information and Documents 79
Table 17: OxCERT Information and Documents 81
Table 18: UNIRAS/NISCC Information and Documents 84
Table 19: CERT-IT Information and Documents 96
Table 20: GARR-CERT Information and Documents 97
Table 21: SURFnet Information and Documents 99
Table 22: CERT-UU Information and Documents 100
Table 23: KPN-CERT Information and Documents 100
Table 24: esCERT-UPC Information and Documents 103
Table 25: IRIS-CERT Information and Documents 104
Table 26: SITIC Information and Documents 105
Table 27: International Links 111
Table 28: European Links 112
Table 29: Contact Information about European Organizations 113
Table 30: Japanese Links 113
Table 31: French Links 114
Table 32: Contact Information about French Organizations 115
Table 33: German Links 116
Table 34: Contact Information about German Organizations 119
Table 35: United Kingdom Links 121
Table 36: Contact Information about Organizations in the United Kingdom 122
Table 37: Links of Other European Countries 124
Table 38: Contact Information about Other European Countries 126


Abbreviations and Acronyms

AFNOR Association Française de Normalisation, French Standardization Body
AMC-CERT Academic Medical Center CERT, NL
APCERT Asia Pacific Computer Emergency Response Team
ARCEP Autorité de Régulation des Communications Electroniques et des Postes, Regulatory Authority for Telecommunications and Post, FRA
ASCII American Standard Code for Information Interchange, USA
ASP Application Service Provider
BITKOM Bundesverband Informationswirtschaft, Telekommunikation und neue Medien, GER
BMBF Bundesministerium für Bildung und Forschung, Federal Ministry of Education and Research, GER
BMI Bundesministerium des Innern, Federal Ministry of the Interior, GER
BMWA Bundesministerium für Wirtschaft und Arbeit, Federal Ministry for Economics and Labor, GER
BMWI Bundesministerium für Wirtschaft und Technologie, Federal Ministry of Economics and Technology, GER
BSI British Standards Institute, UK
BSI Bundesamt für Sicherheit in der Informationstechnik, Federal Office for Information Security, GER
BT SBS British Telecommunications Secure Business Services, UK
BTCERTCC British Telecommunications CERT Co-ordination Centre, UK
CAF Common Advisory Format
CAIF Common Advisory Interchange Format
CEA Commissariat à l'énergie atomique, National Institute for Nuclear Research, FRA
CEISNE Co-operative European Information Security Network of Expertise
CERT Computer Emergency Response Team
CERTA Centre d'Expertise gouvernemental de Réponse et de Traitement des Attaques informatiques, Governmental Expert Center for Responding to and Handling of IT Attacks, FRA
CERTBw Computer Emergency Response Team Bundeswehr (= Federal Army), GER
CERT-IDC CERT-Internet Data Center, NL
CERT-IT Italian CERT
CERT-KUN CERT Katholieke Universiteit Nijmegen, NL
CERT-UU CERT of the University of Utrecht, NL
CESG Communications Electronics Security Group, UK
CIRCA Computer Incident Response Coordination Austria
CLG Communities and Local Government, UK
CMSI Common Model of System Information, GER
CNES Centre National d’Etudes Spatiales, National Space Agency, FRA
CNI Critical National Infrastructure, UK


CNRS Centre National de la Recherche Scientifique, National Center for Scientific Research, FRA
CO Cabinet Office, UK
CORDIS Community Research and Development Information Service, EU
CPNI Centre for the Protection of National Infrastructure, UK
CSIRT Computer Security Incident Response Team
CSIRT.DK Denmark CIRT
CVE Common Vulnerabilities and Exposures
DAF Deutsches Advisory Format, GER
DANTE Delivery of Advanced Network Technology to Europe, FRA
DCSSI Direction Centrale de la Sécurité des Systèmes d'Information, Central Directorate for Information Systems Security, FRA
DEF Description and Exchange Formats
Defra Department for the Environment, Food and Rural Affairs, UK
DFN Deutsches Forschungs-Netz, German Research Network
DfT Department for Transport, UK
DGI D-Grid Initiative, GER
DH Department of Health, UK
DIDS Distributed Intrusion Detection Systems, SWE
DK-CERT Danmark CERT, DEN
DoS Denial of Service
DTC Dynamic Trade Centre, UK-Scotland
DTI Department of Trade and Industry, UK
E-CERT Energis Computer Emergency Response Team, UK
eCIRT European CIRTs
EGC European Government CSIRTs Group
EISPP European Information Security Promotion Programme
ENISA European Network Information Security Agency
esCERT Equipo de Seguridad para la Coordinación de Emergencias en Redes Telemáticas, CERT organization, ES
EU European Union
EUCS-IRT University of Edinburgh Computer Service Incident Response Team, UK
EWIS European Warning and Information System Forum
FICORA Finnish Communications Regulatory Authority, FIN
FIRST Forum of Incident Response and Security Teams
FSA Food Standards Agency, UK
FSIE Financial Services Information Exchange, UK
GIP Groupement d’Intérêt Public, FRA
GOVCERT.NL Government CERT of the Netherlands
HHU Heinrich-Heine-University Düsseldorf, GER
HMT Her Majesty’s Treasury, UK
HTTP Hyper Text Transfer Protocol
ICT Information and Communication Technologies
IDDEF Intrusion Detection DEF
IDS Intrusion Detection System


INRA Institut National de la Recherche Agronomique, National Institute for Agricultural Research, FRA
INRIA Institut National de Recherche en Informatique et en Automatique, National Institute for Research in Computer Science and Control, FRA
IODEF Incident Object Description and Exchange Format
IPA Information-Technology Promotion Agency, JAP
IPS Intrusion Prevention System
ISDN Integrated Services Digital Network
ISP Internet Service Provider
IST Information Society Technologies, EU
JPCERT/CC Japan Computer Emergency Response Team Coordination Center
LEXSI Laboratoire d'Expertise en Sécurité Informatique, Laboratory of IT Security Expertise, FRA
MINEFI Ministère de l’Économie, des finances et de l’industrie, Ministry of Economics, Finance and Industry, FRA
MLCIRT Merrill Lynch Computer Security Incident Response Team, UK
MODCERT Ministry of Defence CERT, UK
MSPIE Managed Service Providers Information Exchange, UK
NCF Nordiskt CERT-Forum
NIS Network and Information Security, EU
NISCC National Infrastructure Security Co-ordination Centre, UK
NLO National Liaison Officers, EU
NREN National Research and Education Network, BEL
NSAC National Security Advice Centre, UK
NSIE Network Security Information Exchange, UK
NSM Nasjonal sikkerhetsmyndighet, National Security Authority, NOR
NSSF National Standardization Strategic Framework, UK
OECD Organisation for Economic Co-operation and Development
OJEU Official Journal of the European Union
OSVDB Open Source Vulnerability Data Base
OTRS Open Ticket Request System
OxCERT University of Oxford CERT
PDA Personal Digital Assistant
PGP Pretty Good Privacy
PIIE Pharmaceutical Industries Information Exchange, UK
PSG Permanent Stakeholders Group, EU
PTDEF Penetration Testing DEF
Q-CIRT QinetiQ Computer Incident Response Team, UK
RTD Research & Technology Development, EU
RTIR Request Tracker for Incident Response, EU
S/MIME Secure/Multipurpose Internet Mail Extensions
SCADA Supervisory Control and Data Acquisition
SCSIE SCADA and Control Systems Information Exchange, UK
SGDN Secrétariat Général de la Défense Nationale, General Secretary for National Defense, FRA


SIRIOS System for Incident Response in Operational Security
SIT Fraunhofer Institute for Secure Information Technology
SITIC Swedish IT Incident Centre
SIZ Sparkassen-Informationszentrum
SME Small and Medium Enterprises
SMTP Simple Mail Transfer Protocol
SPIT SPam over Internet Telephony
STDR Standards and Technical Regulations Directorate, UK
SUNet-CERT Swedish University Network CERT
TERENA Trans-European Research and Education Networking Association
TESTA Trans-European Services for Telematics between Administrations
TF-CSIRT Task Force CSIRT, EU
TI Trusted Introducer, EU
TRANSITS Training of Network Security Incident Teams Staff
TS-CERT TeliaSonera CERT, SWE
TSIE Transport Services Information Exchange, UK
UKERNA United Kingdom Education and Research Networking Association
UPC Universitat Politècnica de Catalunya, Polytechnic University of Barcelona, ESP
VDI Varslingssystem for Digital Infrastruktur, alert and early warning system for digital infrastructure, NOR
VEDEF Vulnerability and Exploit DEF
VoIP Voice over IP
WARP Warning, Advice and Reporting Point
WG-CS Working Group CERT Services, EU
WLAN Wireless Local Area Network
WWU Westfälische Wilhelms-University Münster, GER
XML eXtensible Markup Language


1 Introduction

This report presents the results of the “Study on Current Status of Software Vulnerability Handling Scheme in the EU Region”. The report gives an overview of the current status of vulnerability handling schemes and strategies in the EU region, and an overview of CERT organizations of different European countries, focusing on France, Germany, and the United Kingdom. This document is a high-level description of these schemes and their related topics, such as the organizations involved, procedures, strategies, programs and initiatives.

The topics of this document are “Vulnerability Handling Schemes” and “CERT Organizations” in the EU region, with the focus on France, Germany, and the United Kingdom. Major items that have been investigated include the following aspects:

• existence of one or more vulnerability handling schemes,
• type of operation of the schemes,
• categorization of vulnerability handling organizations,
• activities developed by vulnerability handling organizations, and
• cooperation among the vulnerability handling organizations.

The document is structured into chapters on

• general aspects of security issues,
• European organizations and programs, and
• CERT organizations in the EU region.

The chapter on “general aspects of security issues” gives an introduction to the objectives, scope and complexity of vulnerability handling.

The chapter on “European organizations and programs” provides an overview of main European organizations and initiatives related to vulnerability handling.

The chapter on “CERT organizations in the EU region” summarizes the main objectives, roles, schemes, and vulnerability handling related activities of CERT organizations in France, Germany, the United Kingdom, and in a subset of other European countries.


2 General Aspects of Security Issues

The security of communication networks, information systems, products, software, applications, databases, and services is of increasing concern for all areas of society in the EU region, e.g. member states, governmental organizations, public administrations, research and educational institutions, businesses, and individuals. This situation has several causes, such as the

• technical and organizational complexity,
• wide dissemination of information and communication technology, and the
• increasing number of observed accidents, attacks and vulnerabilities affecting infrastructures, systems, software, applications and services,

with the effect of high financial damage and potential loss of user confidence. The deployment of security technologies, the provision of security management procedures, the execution of information campaigns and the initiation of research projects are appropriate means to enhance network and information technology security.

Many of the difficulties and problems of information and communication technology are well known, such as the

• insufficient convergence of technologies,
• lack of clarity in standards and legal framework,
• lack of cooperation on interoperability,
• need for tools that handle vulnerabilities, and the
• need for more expertise in vulnerability handling.

Within the European action plan a European warning and information system is envisaged, with the aim of providing up-to-date information to EU citizens regarding the latest security issues in order to avoid or reduce the potential damage that observed vulnerabilities might cause. Within the European Union there is currently no plan for a single organization for centralized activities regarding ICT security. Instead, the European Commission takes measures to increase networking and cooperation between national CSIRT organizations.

New vulnerabilities have to be observed on a daily basis. The security of communication networks, information systems, products and software can only be assured if they are regularly upgraded or patched. Precise and timely information about new vulnerabilities and adequate counter-measures is usually provided in the form of so-called security advisories, issued by vendors for their own products and/or by CSIRTs for the products that are of interest to their constituencies.

Computer Security Incident Response Teams (CERTs/CSIRTs) play a major role in the area of information and communication technology security. Their tasks include the following activities:

• prevention of security breaches,
• limitation of the damage resulting from a violation,
• immediate recovery from a breach,
• provision of assistance to victims of attacks,
• execution of vulnerability assessments,
• awareness raising, and
• promotion of best practices.

Currently, a high number of CERTs/CSIRTs already exist in Europe that provide security services. These services, however, cannot satisfy the needs of all users. The establishment of further incident management teams within organizations, the expansion of CERT communities and the improvement of information sharing capabilities are needed and are supported by EU activities. The cooperation between existing CERTs/CSIRTs with different scopes and constituencies is essential and has to be enforced.

A main task for strong cooperation between CERTs/CSIRTs is to increase the mutual trust between these teams, the promotion of best practices, and the harmonization of applied methods. These aspects regarding the current status of vulnerability handling schemes in the EU region are illustrated in Figure 1 and will be discussed in the following chapters.

Figure 1: Scope and Complexity of Vulnerability Handling

[Figure 1 is a diagram not reproduced in this text. Its labels are: EU Region; Countries of Member States; Counter Measures; Tools; Schemes; Information Exchange; Cooperations; EU Initiatives; National CERTs; Vulnerabilities; Sectors of Society (Business, Education, Research, Citizens, Administrations).]


3 European Organizations and Programs

This chapter provides an overview of main European organizations and initiatives related to vulnerability handling, including the European Network Information Security Agency (see section 3.1), the European Information Security Promotion Program (see section 3.2), the European Government CSIRT Group (see section 3.3), the European Task Force CSIRT (see section 3.4), and new research and technology development programs such as CORDIS and ICT research under the 7th Framework Program (see section 3.5).

3.1 European Network Information Security Agency (ENISA)

The European Network Information Security Agency (ENISA) has been established in order to support the development of a “culture of security” by ensuring a high and effective level of network and information security. In order to achieve this goal the agency shall enhance the capability of the community, the member states, and the business sector in order to prevent the occurrence of damages, and to address and respond to important network and information security issues.

ENISA shall be enabled to provide assistance and to deliver advice to the Commission and the member states for the purpose of updating and developing the legislation in the field of network and information security. ENISA is also responsible for the development of a high level of expertise, supported by national and community efforts, and shall use this expertise to stimulate a broad cooperation between organizations from the public and the private sectors.

ENISA’s tasks, as described in the 2005 work program, include the collection of best practices, the sharing of information and the facilitation of cooperation of different European initiatives that contribute to the achievement of a common level of security.

3.1.1 Legal Framework

ENISA has been established within the eEurope action plan as a new agency of the European Union in March 2004 based on the Regulation EC No 460/2004 of the European Parliament and of the Council (see [EC REG ENISA]).

An overview of further requirements and regulations of the European Union related to the agency’s field of operations is provided in Table 1.


Table 1: Documents of European Community Legislation

| DOCUMENT ID | DATE | PURPOSE OF DOCUMENT |
|---|---|---|
| Communication COM/2004/61/01 | 2004-02-03 | Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions: "Connecting Europe at high speed: recent developments in the sector of electronic communications" |
| Communication COM/2004/0028 | 2004-01-22 | Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on unsolicited commercial communications or 'spam' |
| Regulation (EC) No 1882/2003 | 2003-09-29 | European Parliament and Council: adapting to Council Decision 1999/468/EC the provisions relating to committees which assist the Commission in the exercise of its implementing powers laid down in instruments subject to the procedure referred to in Article 251 of the EC Treaty |
| Regulation (EC) No 1645/2003 | 2003-06-18 | Council: amending Regulation (EC) No 2965/94 setting up a Translation Centre for the bodies of the European Union |
| Resolution 2003/C 48/01 | 2003-02-18 | European Council: on a European approach towards a culture of network and information security |
| Proposal COM/2003/0063 | 2003-02-11 | European Parliament and Council: Establishing the European Network and Information Security Agency |
| Regulation (EC, Euratom) No 2343/2002 and Corrigendum | 2002-12-23 | Commission: on the framework Financial Regulation for the bodies referred to in Article 185 of Council Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities |
| Communication COM/2002/718 | 2002-12-11 | Commission: The operating framework for the European Regulatory Agencies |
| Decision 2002/627/EC | 2002-07-29 | European Commission: establishing the European Regulators Group for Electronic Communications Networks and Services (Text with EEA relevance) |
| Directive 2002/58/EC | 2002-07-12 | European Parliament and Council: concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) |
| Regulation (EC, Euratom) No 1605/2002 and Corrigendum | 2002-06-25 | Council: on the Financial Regulation applicable to the general budget of the European Communities |
| Directive 2002/19/EC | 2002-03-07 | European Parliament and Council: on access to, and interconnection of, electronic communications networks and associated facilities (Access Directive) |
| Directive 2002/20/EC | 2002-03-07 | European Parliament and Council: on the authorisation of electronic communications networks and services (Authorisation Directive) |
| Directive 2002/21/EC | 2002-03-07 | European Parliament and Council: on a common regulatory framework for electronic communications networks and services; lays down the tasks of national regulatory authorities, which include cooperating with each other and the Commission in a transparent manner to ensure the development of consistent regulatory practice, contributing to ensuring a high level of protection of personal data and privacy, and ensuring the integrity and security of public communications networks |
| Directive 2002/22/EC | 2002-03-07 | European Parliament and Council: on universal service and users' rights relating to electronic communications networks and services (Universal Service Directive) |
| Resolution 2002/C 43/02 | 2002-01-28 | European Council: on a common approach and specific actions in the area of network and information security |
| Communication COM/2001/0298 final | 2001-06-06 | Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions: Network and Information Security: Proposal for a European Policy Approach |
| Regulation (EC) No 1049/2001 | 2001-05-30 | European Parliament and Council: regarding public access to European Parliament, Council and Commission documents |
| Regulation (EC) No 45/2001 | 2000-12-18 | European Parliament and Council: on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data |
| Directive 2000/31/EC | 2000-06-08 | European Parliament and Council: on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce) |
| Communication COM/2000/890 | 2000-01-26 | Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions: creating a safer Information Society by improving the security of information infrastructures and combating computer-related crime |
| Directive 1999/93/EC | 1999-12-13 | European Parliament and Council: on a Community framework for electronic signatures |
| Regulation (EC) No 1073/1999 and Corrigendum | 1999-05-25 | European Parliament and Council: concerning investigations conducted by the European Anti-Fraud Office (OLAF) |
| Directive 98/34/EC | 1998-06-22 | European Parliament and Council: laying down a procedure for the provision of information in the field of technical standards and regulations |
| Directive 97/66/EC | 1997-12-15 | European Parliament and Council: concerning the processing of personal data and the protection of privacy in the telecommunications sector (repealed and replaced by Directive 2002/58/EC) |
| Directive 95/46/EC | 1995-10-24 | European Parliament and Council: on the protection of individuals with regard to the processing of personal data and on the free movement of such data |
| Regulation (EC) No 2965/94 | 1994-11-28 | Council: setting up a Translation Centre for bodies of the European Union |


3.1.2 Tasks

The tasks of ENISA include the following activities:

• provision of advice and recommendations,
• execution of data analysis,
• support for awareness raising,
• support for cooperation by the EU bodies and member states, building on national and Community efforts, and the
• usage of expertise to stimulate the cooperation between actors from the public and private sectors.

Among these and other activities, ENISA provides strong assistance to the commission and the member states regarding their communication with the industry in order to address security-related problems in hardware and software products. ENISA also takes care of the development of standards. It promotes risk assessment activities by the member states and interoperable risk management routines. ENISA also produces studies on security issues within public and private sector organizations. Information exchange and cooperation include the following items:

• risk assessment and risk management,
• promotion of CERT cooperation,
• tracking of standardization,
• promotion of best practices, and
• awareness raising.

ENISA serves as a centre of expertise for both member states and EU institutions, providing advice in Network and Information Security (NIS) matters. ENISA supports the capability of the member states, the EU institutions and the business sector to prevent, address and respond to network and information security problems. ENISA activities in this context are focused on:

• provision of advice and assistance for the commission and the member states on information security,
• addressing security-related problems in hardware and software products in dialogue with the industry,
• collection and analysis of data on security incidents in Europe and emerging risks,
• promotion of risk assessment and risk management methods to enhance the capability to deal with information security threats,
• exchange of best practices in awareness raising,
• cooperation between different organizations in the information security field, especially by developing public-private partnerships with industry, and
• tracking of the development of standards for products and services in the network and information society.

The main role of ENISA within Europe is to support the European market by enabling and promoting cooperation and the exchange of information related to network and information security within the European Community, for the benefit of its citizens, consumers, and the business and public sector organizations. ENISA shall become a center of expertise in security. The main tasks of ENISA include:

• support for the commission in the technical preparatory work for legislation related to network and information security,
• provision of services for member states, the business community and European institutions,
• development of high expertise related to network and information security,
• prevention, detection and solving of network and information security problems,
• sampling and analysis of information on known security incidents and emerging risks in Europe,
• raising security awareness,
• promotion of methods for risk assessment and risk management to cope with network and information security threats,
• promotion of the cooperation with the public and the private IT security sectors in Europe,
• cooperation with the industry to clarify security-related problems in hardware and software products,
• keeping track of the development of standards for products and services in the network and information society, and the
• development of private-public partnerships with the industry in the area of IT security.

ENISA will not only have the task of collecting information but will also play a strong advising role in decision making at the EU level. At the international level the agency can provide the necessary support for a stronger European positioning, ensuring both security and data protection.

3.1.3 Structure and Roles

It is essential for ENISA to establish, maintain and develop relationships with and between the EU bodies and member states. Acting as a center of excellence, ENISA advises and assists the EU bodies and member states by fostering information exchange and cooperation between all stakeholders. Consequently, delegates of the EU member states, the commission, and the stakeholders are found in the organizational structure of the ENISA management board.


According to the basic act, the organizational structure of ENISA comprises an executive director, a management board, and a permanent stakeholders group.

The executive director is in charge of managing the agency performing his duties independently. One main task is to establish a permanent stakeholders' group composed of experts representing the relevant stakeholders, such as Information and Communication Technologies (ICT) industry, consumer groups and academic experts in network and information security.

The tasks of the management board include the:

• establishment of the budget,
• verification of its execution,
• adoption of the appropriate financial rules,
• establishment of transparent working procedures for decision making by the agency,
• approval of the agency's work program,
• adoption of its own rules of procedure and the agency's internal rules of operation, and the
• appointment and removal of the executive director.

The management board ensures that the agency carries out its tasks under conditions which enable it to serve in accordance with the founding regulations. The board is composed of representatives from the member states, the commission, and of the stakeholders. It shall adopt the agency’s internal rules of operation on the basis of a proposal created by the commission.

The Permanent Stakeholders Group (PSG), currently composed of 30 high-level experts from all over Europe, is a group of leading experts that gives advice to the executive director in preparing a proposal for the agency's work program, and in ensuring the communication with the relevant stakeholders on all issues related to the work program. PSG members are appointed ad personam, and are selected solely on the basis of their special expertise in NIS. A complete list of the current PSG members and the internal rules of operation governing their work can be found in the documents [ENISA PSGL] and [ENISA PSGR] respectively.

The PSG advises the agency in order to achieve the following objectives:

• recognized group of European NIS interests in global cooperation,
• development of necessary relationships to forward European interests with a clearly defined role relative to the commission and to individual member states,
• European center of excellence in network and information security,
• trusted expert body whose opinion is regarded in key projects of both the public and private sectors,
• advanced driving force behind the creation, development and dissemination of trusted secure information security technology,
• enabling the consumers in both the public and private sectors to use digital technology without undue security risks, and
• recognized consultation center for the EU bodies and member states as well as for other international standardization and legislative bodies.

In consultation with the PSG the executive director establishes so-called ad hoc working groups that in turn are composed of experts. These ad hoc working groups are addressing specific technical and scientific ICT security matters.

3.1.4 Activities

ENISA has started its work on network and information security for the EU and the member states, for which it provides advice in NIS matters. For EU members or stakeholders, ENISA may act as a broker for advice on suitable contacts in the member states or the EU institutions. The agency can point to the best practice of a member state suitable for a particular request, or direct the requester to the responsible institution of each member state. Relevant organizations regarding NIS topics in all EU member states are listed in the document [ENISA NISA]. A summary of the activities of ENISA can be found in its general report [ENISA GR05].

The PSG analyzes current and future network security threats and risks of both technical and non-technical character. The PSG has presented a vision document [ENISA VIS] as input and advice to the executive director of ENISA from the NIS stakeholders.

For current and foreseen security issues, the PSG analyzes in detail a number of risks and threats of technical character, e.g., malware, worms, rootkits, botnets, identity theft, attacks on mobile and wireless networks, spam and SPIT, and of non-technical character, such as lack of security awareness, the professionalism of cyber criminals, and increased reliance on the Internet and network resources.

ENISA regularly co-organizes the training of network security incident teams. These courses deal with the operational, organizational and legal aspects of incident response. The target groups are professionals who are either members of existing computer security teams or involved in the establishment of such a team within their organization. Courses may also be organized jointly with the “Trans-European Research and Education Networking Association” (TERENA) and/or the “Forum for Incident Response and Security Teams” (FIRST).

ENISA supports knowledge sharing by conducting and/or participating in professional workshops on specific topics, such as the

• information security policy makers workshop: Brussels, Belgium, December 2005,
• CERTs and awareness raising workshop: Brussels, Belgium, December 2005,
• ENISA-BSI information security management days: Bonn, Germany, November 2005,
• Italian Information Security Seminar: Rome, Italy, November 2005,
• technological conference of "Polish Secure", Warsaw, Poland, 2005,
• regional seminar on cyber security: Riga, Latvia, May 2005,
• OECD working party on information security and privacy (WPISP), Seoul, South Korea, May 2006, or
• APCERT 2006 conference in Beijing, China.

An overview of main activities and events is provided in Table 2.

Table 2: Overview of Activities and Major Events

| DATE | ACTIVITY/EVENT | LINK |
|---|---|---|
| 2006-10-19 | Communication and Multimedia Security Conference | http://www.ics.forth.gr/cms06/index.html |
| 2006-10-10 | Co-organization of the ISSE conference | http://www.eema.org/static/isse/ |
| 2006-10-04 | Co-organization of the 2nd Awareness Raising dissemination workshop | http://www.enisa.eu.int/pages/04_01_2nd_ar_dissemination_ws_2006.htm |
| 2006-09-12 | ENISA - Joint Research Centre (JRC) meeting with presentations of the JRC's and ENISA's activities in NIS, to investigate synergies and possible future collaborations | http://www.ares-conf.org/?q=isrm |
| 2006-09-06 | Joint Software and Service Development, Security and Dependability Workshop | http://www.esfors.org/index.php?option=com_content&task=view&id=28&Itemid=31&lang=en |
| 2006-08-10 | Publication of Awareness Raising Guide | http://www.enisa.eu.int/pages/02_01_press_2006_08_10_ENISA_publishing_awareness_raising_guide.htm |
| 2006-08-04 | Mobile & Wireless Communications Summit | http://mobilesummit2006.org/ms2006/servlet/org.nkpap.visualizer.Main?item=24 |
| 2006-07-14 | Information Security Certificates | http://www.enisa.eu.int/pages/IS_certificates.html |
| 2006-07-13 | Third DIMVA Conference | http://www.ares-conf.org/?q=isrm |
| 2006-06-21 | ISSA conference | http://www.aipsi.org/eventi/download/brochure_iie_2006_rome.pdf |
| 2006-05-22 | Security and Privacy in Dynamic Environments Conference | http://www.sec2006.org/ |
| 2006-05-16 | 20th WPISP Meeting | http://www.oecd.org/document/46/0,2340,en_2649_34255_36862382_1_1_1_1,00.html |
| 2006-05-12 | Presentation of the ENISA General Report 2005 at the European Council's Working Party on Telecommunications and Information Society | http://www.isss.cz/loris |
| 2006-04-26 | Dutch Digibewust conference on e-security with discussions on the ENISA Work Programme for 2007 | http://www.ecp.nl/agendaitem.php?id=185 |
| 2006-04-05 | Baltic IT&T 2006 Forum | http://www.ebaltics.com/QuickPlace/forum2006/Main.nsf?OpenDatabase |
| 2006-03-029 | Training of Network Security Incident Teams | http://www.ist-transits.org/ws_vilnius.php |
| 2006-02-21 | Third Annual Worldwide Security Conference, "Protecting People and Infrastructure: Achievements, Challenges and Future Tasks" | http://wsc.ewi.info/ |
| 2005-12-13 | Information Security policy makers workshop | http://www.enisa.eu.int/pages/02_03_news_2005_12_12_workshop_in_Brussels.htm |
| 2005-11-24 | European Network and Information Security Conference: Readiness for Handling Network and Information Security Incidents | http://www.securityconference.rrt.lt./ |
| 2005-11-18 | First Pan-European ENISA - EU25 meeting with National Liaison Officers | http://www.enisa.eu.int/pages/02_03_news_2005_11_18_1st_pan_european_enisa.htm |
| 2005-11-10 | ENISA-BSI Information Security Management Days | http://www.bsi.bund.de/veranst/enisa/index.htm |
| 2005-09-07 | Identity Theft Seminar | http://w3.uniroma1.it/security/index.html |

3.1.5 Working Groups

Currently the following three working groups have been created and are operational:

• working group on CERT services,
• working group on risk management and risk assessment, and the
• working group on regulatory aspects of network and information security.

3.1.5.1 Ad-hoc Working Group on CERT Services

The ad-hoc Working Group CERT Services (WG-CS), established in 2005, deals with issues that are related to the provision of security services, also called CERT services, for specific categories or groups of users. In this context ENISA intends to provide

• information about measures for assuring an appropriate level of service quality in order to support these communities in their activities, and

• recommendations for the EU member states and the EU bodies regarding the coverage of specific groups of IT users with appropriate security services.


The tasks of this group include the

• analysis of possible measures for the assurance of an appropriate level of quality for providing security services by CSIRTs and similar facilities (to be delivered in 2007),
• categorization of users and user groups for CERT services,
• provision of a list of the appropriate facilities needed for these services, and
• short-term and low-effort actions that are suitable to close some of the gaps in the coverage with security services observed in the gap analysis of the 2005 working group.

The output of this group will include the following set of deliverables:

• inventory of publicly available sources for security information,
• revised list of CERT services,
• list of providers of CERT services such as CSIRTs, Warning, Advice and Reporting Points (WARPs), abuse teams, and vendors, and a list of provided CERT services,
• list of categories of users or user groups of IT systems connected to the Internet, and
• user or user group specific tables listing the actions that support the active CSIRTs, WARPs, and abuse teams in serving their constituency, and an
• analysis of the expected outcomes of each proposed action.

Current WG-CS members are experts from France, The Netherlands, Germany, Poland, Italy, Norway, United Kingdom, and Hungary.

3.1.5.2 Ad-hoc Working Group on Awareness Raising

The main task of the ad hoc Working Group on Awareness Raising, established in 2005, is to support the agency in addressing particular matters in the awareness raising area regarding the following objectives:

• development of a customized information package including the description of selected target groups, their communication objectives, samples of messages, channels and benchmarking,
• recognition of information on good examples of European awareness raising programs and initiatives for the following priority target groups:
  − silver surfers (citizens sector),
  − Small and Medium Enterprises (SMEs, economic sector),
  − local government authorities (institutional sector), and
  − media (other specific sector), and
• production of guidelines on the use and dissemination of the information package for member states.


The current output of the working group can be found in the deliverables [ENISA RNISA], [ENISA ARSS], [ENISA ARSME], [ENISA ARM], and [ENISA ARLG].

3.1.5.3 Ad-hoc Working Group CERT Cooperation and Support

The main task of the special ad hoc Working Group CERT Cooperation and Support, established in 2005, is to support ENISA in the area of CERT co-operation regarding the following objectives:

• validation of an initial inventory on CERTs/CSIRTs in Europe and their services (drafted by ENISA),

• provision of information concerning on-going cooperation between existing CERTs/CSIRTs and similar organizations,

• recommendations for enhancing further cooperation between CERTs/CSIRTs, regarding
  − relevant international and European organizations and their rules,
  − gap analysis of CERT/CSIRT cooperation,
  − best practice models for CERT/CSIRT cooperation,
  − methods for building trust in order to be able to participate in existing CERT networks, and the
  − analysis of the needs for early warning cooperation systems,

• gap analysis of geographical and business areas that are not covered by CERT or similar organizations,

• provision of a checklist or guidelines on how to establish a CERT/CSIRT or a similar body, and the

• production of recommendations for training of skills for newly created CERTs/CSIRTs or similar bodies.

The current output of the working group can be found in its report [ENISA WGR].

The establishment of, and the cooperation between, CERTs/CSIRTs is currently facilitated by several organizations and initiatives, e.g., TERENA, FIRST, and the European Government CERT group (see section 3.3).

3.1.5.4 Ad-hoc Working Group on Risk Assessment and Risk Management

The ad-hoc Working Group on Risk Assessment and Risk Management, established in 2005, provides expertise in different existing risk assessment and risk management methods. The tasks of this working group include the following activities:

• production of an overview and a comparison of existing risk assessment and risk management methods, including the identification of important organizations in this area and their relationships,
• development of a suitable approach to risk assessment and risk management for a selection of different types of organizations (notably SMEs) with the goal to enable these organizations to perform risk assessment with reasonable effort and to establish an efficient system for managing risk related to information security, and the
• development of a proposal for a roadmap in order to improve the comparability of risk assessments between different organizations.

The current output of this working group can be found in the documents [ENISA IRAM], [ENISA IPSME] and [ENISA RM].

3.1.6 Publications

ENISA publishes the following types of documents:

• country pages,
• studies and reports, and the
• journal ENISA Quarterly.

The “Country Pages” provide an overview of contact points and other relevant information related to network and information security in EU member states. They contain a list of national authorities and other bodies and organizations that are active in network and information security.

ENISA has established a network of so-called National Liaison Officers (NLO). NLOs have the role of a primary contact point for ENISA to the member states. ENISA enables the NLOs to reinforce the activity of the agency in the member states, and to exchange information between NLOs.

ENISA provides a special web page that contains studies and reports related to different fields of network and information security. This page also presents the results of studies initiated by ENISA and/or by community programs.

Current information on ENISA’s activities is given in the journal ENISA Quarterly (see http://www.enisa.eu.int/publications/index_en.htm) and in its press releases (see http://www.enisa.eu.int/pages/02_01.htm).

An overview of main documents that have been published by ENISA is given in Table 3.

Table 3: Overview of main ENISA documents

DOCUMENT DATE LINK

Computer Security and Incident Response 2006-06-26 http://www.enisa.eu.int/doc/pdf/FACsheets/FSWhat%20is%

Page 30: Study on Current Status of Software Vulnerability …Study on Current Status of Software vii Vulnerability Handling Scheme in the EU Region 4 CERT Organizations in the EU Region 49

30 Study on Current Status of Software Vulnerability Handling Scheme in the EU Region

DOCUMENT DATE LINK 20a%20CERTFINALubversion.pdf

Relations with EU-Institutions and Member States 2006-06-26 http://www.enisa.eu.int/doc/pdf/FACsheets/EU_MS.pdf

Relations with Industry and International Institutions 2006-06-26 http://www.enisa.eu.int/doc/pdf/FACsheets/FS6FINALRelwIn

dustryIntInstitutions%20%282%29.pdf

ENISA Quarterly 2006-06 http://www.enisa.eu.int/doc/pdf/publications/enisa_quarterly_06_06.pdf

Users' Guide: How to Raise Information Security Awareness

2006-06 http://www.enisa.eu.int/doc/pdf/deliverables/enisa_a_users_guide_how_to_raise_IS_awareness.pdf

Information and Communications Technology Law

2006-03-01 http://www.enisa.eu.int/doc/pdf/LR_33-54.pdf

Work Program 2006 2006-03-01 http://www.enisa.eu.int/doc/pdf/management_board/decisions/work_programme_2006.pdf

ENISA Quarterly 2006-03 http://www.enisa.eu.int/doc/pdf/publications/enisa_quarterly_03_06.pdf

Survey on Industry Measures taken to comply with National Measures implementing Provisions of the Regulatory Framework for Electronic Communications relating to the Security of Services

2006-02-28

http://www.enisa.eu.int/doc/pdf/deliverables/enisa_security_spam.pdf

E-Government for All Europeans - Seminar Recommendations

2006-02-10 http://www.enisa.eu.int/doc/pdf/studies/egovernment_vienna.pdf

Study Trust in The Net 2006-02-09 http://www.enisa.eu.int/doc/pdf/studies/trust_net.pdf

Inventory of CERT activities in Europe 2006-02 http://www.enisa.eu.int/doc/pdf/deliverables/enisa_cert_inventory_v1.2_060210.pdf

Page 31: Study on Current Status of Software Vulnerability …Study on Current Status of Software vii Vulnerability Handling Scheme in the EU Region 4 CERT Organizations in the EU Region 49

Study on Current Status of Software 31 Vulnerability Handling Scheme in the EU Region

DOCUMENT DATE LINK

Country Page France | 2006 | http://www.enisa.eu.int/doc/pdf/Country%20Pages/France.pdf

Country Page Germany | 2006 | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Germany.pdf

Country Page United Kingdom | 2006 | http://www.enisa.eu.int/doc/pdf/Country%20Pages/United%20Kingdom.pdf

Information Security Certificates - Invitation to Participate | 2006 | http://www.enisa.eu.int/pages/IS_certificates.html

New Fact Sheet on Awareness Raising | 2006 | http://www.enisa.eu.int/doc/pdf/FACsheets/New_Fact_Sheet_on_Awareness_Raising.pdf

Risk Assessment and Risk Management | 2006 | http://www.enisa.eu.int/pages/03_04.htm

Rules Governing Traineeship at ENISA | 2006 | http://www.enisa.eu.int/doc/pdf/recruitment/traineeship/traineeship_rules.pdf

Reports | 2005-2006 | http://www.enisa.eu.int/pages/05_02.htm#3

CASES: raise awareness and foster co-operation in network and information security | 2005-12-14 | http://www.enisa.eu.int/doc/pdf/deliverables/enisa_cases_thill.pdf

Challenges in raising Awareness about IT risks | 2005-12-14 | http://www.enisa.eu.int/doc/pdf/deliverables/rand_europe_Lorenzo_valeri_enisa_awareness141205.pdf

Raising the security bar - Best Practice Sharing of 'Germany safe on the Net' | 2005-12-14 | http://www.enisa.eu.int/doc/pdf/deliverables/enisa_raising_the_security_bar.pdf

Establishing a Government CERT from scratch - the Swedish Experience | 2005-12-13 | http://www.enisa.eu.int/doc/pdf/deliverables/enisa_establishing_a_government_cert_from_scratch_martenson.pdf

Setting up of SURFnet-CERT | 2005-12-13 | http://www.enisa.eu.int/doc/pdf/deliverables/enisa_setting_up_of_surfnet_schuurman.pdf

The European Government CERT group | 2005-12-13 | http://www.enisa.eu.int/doc/pdf/deliverables/enisa_establishing_a_government_cert_from_scratch_martenson.pdf

Swedish IT-Strategy 2006 Work Program | 2005-12-06 | http://www.enisa.eu.int/doc/pdf/studies/Swedish_ITStrategy2006WorkProgram.pdf

Raising Awareness in Information Security - Insight and Guidance for Member States | 2005-12 | http://www.enisa.eu.int/doc/pdf/deliverables/enisa_cd_awareness_raising.pdf

Study Information Security and Identity Management Report | 2005-12 | http://www.enisa.eu.int/doc/pdf/studies/EWIReport_Information_Security_and_Identity_Management.pdf

The Legal handbook for CSIRTs | 2005-12 | http://www.enisa.eu.int/doc/pdf/deliverables/enisa_the_legal_handbook_for_csirts_part_1_valerie_robertson.pdf and http://www.enisa.eu.int/doc/pdf/deliverables/enisa_the_legal_handbook_for_csirts_part_2_graux.pdf

Information Security and Privacy, Authentication report | 2005-11 | http://www.enisa.eu.int/doc/pdf/studies/oecd_2005_authentication_report.pdf

Risk Management - Road Map | 2005-11 | http://www.enisa.eu.int/doc/pdf/deliverables/WGRARM/risk_management_enisa.pdf


Work Program 2006 | 2005-10-21 | http://www.enisa.eu.int/doc/pdf/management_board/decisions/work_programme_2006.pdf

ICT Outlook for Germany | 2005-10 | http://www.enisa.eu.int/doc/pdf/studies/ICT_Outlook_for_Germany.pdf

Conference report Information Security Solutions Europe | 2005-09-27 | http://www.enisa.eu.int/doc/pdf/studies/2005_isse_report.pdf

Symantec Internet Security Threat Report ISTR Nr. 8 | 2005-09-08 | http://www.enisa.eu.int/doc/pdf/studies/Symantec_ISTR_8.pdf

Early Warning system Germany BITKOM | 2005-08-01 | http://www.enisa.eu.int/doc/pdf/studies/EarlWarningsystemGermany_BITKOM.pdf

IT Security Risk & Responsibilities Matrix | 2005-04 | http://www.enisa.eu.int/doc/pdf/studies/ITSecurity_Risk&Reponsabilities_MatrixBITKOM.pdf

Cyber Security PITAC-report | 2005-02 | http://www.enisa.eu.int/doc/pdf/studies/cybersecurityPITAC.pdf

A pan-European approach to optimize awareness raising - current experiences and future plans | 2005 | http://www.enisa.eu.int/doc/pdf/deliverables/enisa_a_pan_european_approach_to_optimise_awareness_raising_richardson.pdf

A view of awareness raising amongst SMEs in the UK | 2005 | http://www.enisa.eu.int/doc/pdf/deliverables/awareness_hilton.pdf

Awareness Raising | 2005 | http://www.enisa.eu.int/pages/02_04.htm

Awareness Raising - Fairy tale for children | 2005 | http://www.enisa.eu.int/doc/pdf/studies/superundersokarna_MSU.pdf and http://www.enisa.eu.int/doc/pdf/studies/handledning_nosapanatet.pdf

CERT-in-a-box, Alerting-Service-in-a-box | 2005 | http://www.enisa.eu.int/doc/pdf/deliverables/enisa_cert_in_a_box_leguit.pdf

Computer Emergency Response Teams - MAP | 2005 | http://www.enisa.eu.int/doc/pdf/deliverables/enisa_cert_map.pdf

European Cooperation of Abuse Fighting Teams | 2005 | http://www.e-coat.org/

General Report 2005 | 2005 | http://www.enisa.eu.int/doc/pdf/deliverables/general_report_2005_final.pdf

IT-Security for SMEs | 2005 | http://www.enisa.eu.int/doc/pdf/studies/SMEpocketseminar_it-security.pdf

Phishing Problems report | 2005 | http://www.enisa.eu.int/doc/pdf/studies/Phishing_Problems_BITKOM.pdf

Public awareness raising in the Netherlands: focus on public private partnership | 2005 | http://www.enisa.eu.int/doc/pdf/deliverables/enisa_public_awareness_raising_in_the_netherland_boersma_durincks.pdf

SMEs | 2005 | http://www.enisa.eu.int/pages/05_02.htm#4

Study Awareness Raising | 2005 | http://www.enisa.eu.int/pages/05_02.htm#1

Study German Landscape map of Stakeholders | 2005 | http://www.enisa.eu.int/doc/pdf/studies/GermanLandscape_of_Stakeholders.pdf


Study The SAFT-report - Children on the Internet Awareness Campaign | 2005 | http://www.enisa.eu.int/doc/pdf/studies/saft_final_report.pdf

Study PC School for Elderly (in German) | 2005 | http://www.enisa.eu.int/doc/pdf/studies/001_048_2005_stiwa_internet.pdf, http://www.enisa.eu.int/doc/pdf/studies/048_096_2005_stiwa_internet.pdf and http://www.enisa.eu.int/doc/pdf/studies/097_144_2005_stiwa_internet.pdf

Think security first! Make your community cyber safe | 2005 | http://www.enisa.eu.int/doc/pdf/deliverables/enisa_think_security_first_leroux.pdf

UK government experience of best practice information security awareness | 2005 | http://www.enisa.eu.int/doc/pdf/deliverables/enisa_uk_government_experiences.pdf

WARPs and CERTs - A cooperative effort | 2005 | http://www.enisa.eu.int/doc/pdf/deliverables/enisa_warps_and_certs_part_1_burnett.pdf and http://www.enisa.eu.int/doc/pdf/deliverables/enisa_warps_and_certs_part_2_cormack.pdf

Working Group on Awareness Raising | 2005 | http://www.enisa.eu.int/pages/03_04.htm

Studies for consumer organizations & other organizations | 2004-2006 | http://www.enisa.eu.int/pages/05_02.htm#2

Rules regarding the establishment and operation of ad hoc Working Groups | 2004-12-16 | http://www.enisa.eu.int/doc/pdf/management_board/decisions/ad_hoc_wg.pdf

Terms and conditions for internal investigations | 2004-12-16 | http://www.enisa.eu.int/doc/pdf/management_board/decisions/olaf.pdf

Rules regarding the establishment and operation of the PSG | 2004-10-08 | http://www.enisa.eu.int/doc/pdf/stakeholders/PSG.pdf

Internal Rules of Procedure | 2004-09-15 | http://www.enisa.eu.int/doc/pdf/management_board/decisions/RoP.pdf

Study SMEs Internet & Mail Use | 2004 | http://www.enisa.eu.int/doc/pdf/studies/BITKOMSMEinternet_mailUsestudy.pdf

Security reports | 2003-2006 | http://www.enisa.eu.int/pages/05_02.htm#5

Terena's Task Force CSIRT | 2003-05 | http://www.enisa.eu.int/doc/pdf/deliverables/enisa_terenas_task_force_csirt_cormack_stikvoort.pdf

E-Security in the EU, benchmarking Security and Trust EU/US | 2003-03 | http://www.enisa.eu.int/doc/pdf/studies/esecurity_in_eu.pdf

Recommendations for Internet Security | 2003 | http://www.enisa.eu.int/doc/pdf/Press%20releases/tor_final_security_study_en.pdf

E-government reports | 2001-2006 | http://www.enisa.eu.int/pages/05_02.htm#6


3.2 European Information Security Promotion Program

The European Information Security Promotion Program (EISPP) was a project that ran from June 2002 to January 2004 within the eEurope 2005 action plan, carried out by a consortium of private sector organizations comprising CERTs, Internet Service Providers (ISPs), Application Service Providers (ASPs), and security professional organizations. The members of the consortium were Cert-IST (see section 4.1.2), esCERT-UPC (see section 4.4.8.1), SIEMENS-CERT (see section 4.2.19), Callineb Consulting (an independent private Swedish CERT organization that provides advanced IT security consultancy), I-NET (an Italian application infrastructure provider), CLUSIT (an Italian information security association whose task is to promote and improve awareness, education and information sharing at the national and international level), and InetSecur (a Spanish company that provides security products and security services).

The main tasks of this project were the development of a European framework for sharing security knowledge and the definition of the content and procedures for disseminating security information to SMEs. The main results of this project can be found in the documents “EISPP Results” [EISPP RES] and “EISPP Common Advisory Format for Vulnerabilities Advisories” [EISPP CAF]. This Common Advisory Format (CAF) includes the following items:

• complete identification data,

• vulnerability classification, including the following elements:

− list of standard identifiers such as Common Vulnerabilities and Exposures (CVE) numbers, Bugtraq IDs, etc. for the vulnerability,
− information about the issuer's confidence in the presented information,
− description of the vulnerability's cause,
− technical requirements needed by an attacker to exploit the vulnerability,
− rating of the vulnerability's current impact on IT security,
− information about how immediate the threat posed by the vulnerability is,
− current status of the vulnerability in the vulnerability life cycle,
− level of automation that has been achieved for exploitation,
− rating of the severity of the vulnerability's effect,
− effects that successful exploitation has on the attacked system,
− a general assessment of the threat posed by the vulnerability, and the
− overall assessment of the risk, taking into account any constituency-specific factors,

• system information, including the following kinds of information:

− information about platforms affected by the described vulnerability,
− information about software affected by the described vulnerability,
− combined information about affected platform and software, and
− additional information about systems that may be affected or are not affected, etc.


• problem description, including the following kinds of information:

− information that puts the advisory into context,
− information that helps the user to understand the technical context of the advisory,
− description of the vulnerability/vulnerabilities treated by the advisory,
− detailed technical information targeted at security experts, and
− diagnostic information to help the reader determine whether his system is vulnerable, and a section on

• solutions, including

− general information about possible solutions, and
− individual solution sections identified by a solution type (patch, workaround, etc.), affected system, or both, each section describing a possible solution.

The security advisory format was developed and defined on the basis of the best practices of the participating CERT organizations. It is defined in XML, which supports both the exchange of advisory information between these organizations and the automatic processing of that information. In addition, basic translation schemes were defined that transform the XML advisories into the HTML or ASCII format in which they are presented to customers.
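The following Python program is an added example, not EISPP project code, and the element and attribute names it uses (<advisory>, <identification>, <vulnerability_classification>, <system_information>, <problem_description>, <solutions>) are an illustrative approximation of the structure described above, not the real CAF schema. It parses such an XML advisory, rejects documents that use values outside the Confidence Level and Attack Requirements vocabularies the CAF “Vulnerability Classification” field defines (listed later in this section), and renders the result as plain text in the manner of the XML-to-ASCII translation just mentioned. The sample advisory, its issuer, product and identifier are constructed placeholders.

```python
"""Parse a CAF-style XML advisory, validate its classification tokens and
render it as plain text.  Added example, not EISPP code: the element names are
an illustrative approximation of the structure the report describes, not the
real CAF schema; the sample advisory and its product/issuer are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

# Literal values the report lists for "Confidence Level" and "Attack Requirements".
CONFIDENCE_LEVELS = {"official_and_tested", "official", "tested", "probable", "not_qualified"}
ATTACK_REQUIREMENTS = {"remote_no_account", "remote_account", "victim_interaction",
                       "local", "packet_access"}


class AdvisoryError(ValueError):
    """Advisory does not conform to the expected structure or vocabulary."""


@dataclass
class Advisory:
    issuer: str
    advisory_id: str
    title: str
    identifiers: List[str]            # CVE numbers, Bugtraq IDs, ...
    confidence: str                   # one of CONFIDENCE_LEVELS
    category: str                     # brief cause of the vulnerability
    attack_requirements: str          # one of ATTACK_REQUIREMENTS
    affected: List[Tuple[str, str]]   # (platform, software) pairs
    description: str
    solutions: List[Tuple[str, str]]  # (solution type, text) pairs


def _text(parent: ET.Element, tag: str) -> str:
    value = parent.findtext(tag)
    if value is None or not value.strip():
        raise AdvisoryError(f"missing or empty <{tag}> element")
    return " ".join(value.split())    # collapse the whitespace pretty-printing adds


def parse_advisory(xml_text: str) -> Advisory:
    # Advisories come from external parties: refuse DTDs and entity declarations
    # up front so that entity-expansion tricks never reach the XML parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise AdvisoryError("DTD and entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    if root.tag != "advisory":
        raise AdvisoryError(f"unexpected root element <{root.tag}>")
    ident, cls, sysinfo = (root.find(t) for t in
                           ("identification", "vulnerability_classification", "system_information"))
    if ident is None or cls is None or sysinfo is None:
        raise AdvisoryError("identification, classification and system information are mandatory")

    # Enumerated tokens are validated, not merely copied through.
    confidence = _text(cls, "confidence_level")
    if confidence not in CONFIDENCE_LEVELS:
        raise AdvisoryError(f"unknown confidence level {confidence!r}")
    attack = _text(cls, "attack_requirements")
    if attack not in ATTACK_REQUIREMENTS:
        raise AdvisoryError(f"unknown attack requirement {attack!r}")

    return Advisory(
        issuer=_text(ident, "issuer"), advisory_id=_text(ident, "id"), title=_text(ident, "title"),
        identifiers=[e.text.strip() for e in cls.findall("identifier") if e.text],
        confidence=confidence, category=_text(cls, "category"), attack_requirements=attack,
        affected=[(e.get("platform", "any"), e.get("software", "unspecified"))
                  for e in sysinfo.findall("affected")],
        description=_text(root, "problem_description"),
        solutions=[(s.get("type", "other"), " ".join((s.text or "").split()))
                   for s in root.findall("solutions/solution")],
    )


def render_text(adv: Advisory) -> str:
    """Plain-text view: the ASCII counterpart of the XML-to-HTML/ASCII translation."""
    lines = [f"{adv.issuer} advisory {adv.advisory_id}: {adv.title}", "=" * 72,
             f"Identifiers      : {', '.join(adv.identifiers) or '-'}",
             f"Confidence level : {adv.confidence}",
             f"Category         : {adv.category}",
             f"Attack requires  : {adv.attack_requirements}",
             "", "Affected systems:"]
    lines += [f"  - {platform}: {software}" for platform, software in adv.affected]
    lines += ["", "Description:", f"  {adv.description}", "", "Solutions:"]
    lines += [f"  [{kind}] {text}" for kind, text in adv.solutions]
    return "\n".join(lines)


# Constructed sample advisory (placeholder issuer, product and identifier).
SAMPLE_ADVISORY = """<advisory>
  <identification>
    <issuer>Example-CERT</issuer><id>EXAMPLE-2007-001</id>
    <title>Remote code execution in ExampleHTTPd</title>
  </identification>
  <vulnerability_classification>
    <identifier>EXAMPLE-ID-0001</identifier><confidence_level>official_and_tested</confidence_level>
    <category>buffer overflow in request header parsing</category>
    <attack_requirements>remote_no_account</attack_requirements>
  </vulnerability_classification>
  <system_information>
    <affected platform="Linux" software="ExampleHTTPd 2.0 - 2.3"/>
    <affected platform="Solaris" software="ExampleHTTPd 2.0 - 2.3"/>
  </system_information>
  <problem_description>An over-long request header overflows a fixed-size buffer;
    the vendor confirmed the issue and the issuer reproduced it.</problem_description>
  <solutions>
    <solution type="patch">Upgrade to ExampleHTTPd 2.4.</solution>
    <solution type="workaround">Limit request header size at the reverse proxy.</solution>
  </solutions>
</advisory>"""

if __name__ == "__main__":
    print(render_text(parse_advisory(SAMPLE_ADVISORY)))
```

Two design points matter in practice. First, the enumerated fields are checked against the closed vocabularies rather than passed through, so a relaying CERT cannot silently inherit a misspelt or invented confidence rating from an upstream advisory. Second, because advisories are documents received from other organizations, the parser refuses any DTD or entity declaration before handing the text to the XML library; this is the cheapest defence against entity-expansion attacks on an advisory import pipeline.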

EISPP developed an initiative called “Cooperative European Information Security Network of Expertise” (CEISNE). The road map for establishing CEISNE within the European CERT community, i.e. its model and processes, is specified in the document “CEISNE model and processes” [CEISNE MP], which is based on experience gathered during an experimentation phase that covered both the infrastructure and the processes required for cooperation. This road map is planned to be implemented under the umbrella of an already well-established association of CERTs such as TERENA's TF-CSIRT, through which a significant number of CERTs can be reached and central tools and services can be provided. EISPP identified the following CERT tasks and dependencies between them:

• observation of new vulnerabilities

− information gathering by monitoring various sources of information such as vendors' security announcements, security advisories released by other bodies, open mailing lists or forums, and closed mailing lists (restricted to members), and
− information analysis in order to discard non-relevant information, to maintain a list of pieces of information that need to be completed before a decision can be taken, and to maintain a list of reports that require analysis of a reported vulnerability or updating of an already published advisory,

• vulnerability analysis

− the main activity of an advisory service, depending on the service level the CERT has to provide to its constituency,


− very rough risk assessment on a uniform scale, forwarding information about the affected systems in a uniform schema,
− detailed analysis of the vulnerability, accompanied by extensive tests of patches, and
− prioritization of sub-tasks to be performed, such as risk assessment, collection of additional information about the vulnerability, analysis of the vulnerability based on the collected information, test execution of the vulnerability, analysis/test/design of a solution for the vulnerability, and test of patches for the vulnerability,

• vulnerability response coordination

− coordination of the steps required by a CERT in order to respond to newly observed vulnerabilities, such as analysis of vulnerabilities, creation of solutions, and notification of the users,
− coordination of the publication time of the vulnerability by mediating between the discoverer of the vulnerability and the vendor(s) of the affected product,
− a well-defined policy regulating the coordination process, including the definition of a notification phase and a grace period for the vendor to react and to propose a solution to the vulnerability,

• creation or updating of security advisories

− creation and/or update of a security advisory tailored to the specific requirements of the CERT's constituency,

• publication and dissemination of security advisories

− ensuring that the produced advisories reach the constituency, and optionally the provision of further assistance to the constituency,
− means of dissemination are mailing lists and/or publication via a web server,
− dissemination may be based on the definition and maintenance of user profiles listing the relevant products,
− filtering out of advisories that are not of relevance for specific users, and the
− provision of an additional service that supports the constituency in implementing the measures proposed in a security advisory.

Experiments carried out by the participating EISPP CERTs have demonstrated that the following requirements regarding CERT activities have to be fulfilled:

• provision of a tool via a central server that gives an overview of the exchanged advisories,

• grouping of advisories in order to highlight differences regarding the vulnerability rating,

• use of one common information base by all participants in order to save resources,

• definition of rules that regulate the cooperation and that provide a high degree of trust between the cooperating CERTs,


• cooperation between CERTs regarding security advisory creation via information exchange,

• regular exchange of advisory data in order to support quality control and quality improvement,

• sharing of the workload of advisory creation through unstructured information exchange, e.g. via mailing lists,

• sharing of the workload through structured information exchange or joint maintenance of information, e.g. via monitoring mailing lists,

• substantial information exchange between CERTs by increasing the number of participating CERTs, and the

• provision of adequate tools that support the cooperation.

The rules and regulations for membership in CEISNE still have to be defined. These include the requirements for joining CEISNE and the specification of a code of conduct that regulates the CEISNE procedures for information exchange and the usage of the exchanged information. A candidate basis for the joining requirements is a CERT accreditation process such as that provided by the Trusted Introducer (TI). An adequate code of conduct should be established by adapting one of the codes of conduct that already exist and are used in member bodies to the special needs of CEISNE.

An initial step for the operation of CEISNE is the implementation of an information sharing tools service in order to enable information exchange between its members on a broad common basis. Another basic requirement is the realization of a central advisory repository service for the exchange of security advisory data.

Currently, discussions between CERTs on new vulnerabilities are mainly based on mailing lists carrying interesting and important information. In this context, the provision of a service that supports the monitoring of mailing lists for all CEISNE participants is envisaged in order to minimize the workload of the individual teams for monitoring mailing lists. Experiments carried out within EISPP have shown that such a mailing list monitoring service needs to be implemented step-wise:

• maintaining a list of mailing lists, and optional inclusion of comments and judgments about the quality of the list,

• provision of an archive of the most relevant mailing lists in order to create a common basis for reference within discussions between the CEISNE members for the most important security information,

• provision of functionality for flagging and/or commenting on postings in order to support the process of watching for new vulnerabilities and reactions, and the

• definition of processes for joint mailing-list monitoring in order to support real workload sharing through joint monitoring of mailing lists.


Tool support for importing and authoring security advisories in the EISPP format shall be jointly developed within CEISNE. The need for this has been demonstrated by the initiative to build a common incident response tool based on Request Tracker.

EISPP developed special security services for Small and Medium Enterprises (SMEs; for details see [EISPP SME]) in order to increase their trust in e-commerce businesses. These services include the use of basic technologies, formats, protocols, and PKI technologies. The SME advisory service distributes security advisories containing information about the latest vulnerabilities and countermeasures, either directly from CERTs to SMEs or via so-called intermediaries such as Internet service providers, application service providers, or chambers of commerce and industry. This information is primarily forwarded to the system administrators of SMEs to enable them to cope with identified vulnerabilities. Security advisories are produced by vendors for their own affected products, and by CERT organizations for their members for the products and systems that are of interest to their constituencies.

The integrity and authenticity of disseminated security advisories is protected by digital signatures of the CERT organizations or intermediaries. Security advisories are exchanged between the participating CERT organizations and intermediaries in the CAF format. The potential content of security advisories is defined by the elements provided by the CAF data format which, for example, also includes information about the seriousness of vulnerabilities (see the paragraphs before Table 5). Security advisories sent from CERTs or intermediaries to SMEs are presented in XML, HTML or TXT format.

Security advisories are distributed based on profiles completed by SMEs that take into account the particular hardware and software used in the IT networks and systems of the participating SME organizations. A specific set of published advisories stored in a distributed vulnerability database can also be accessed by SMEs at the EISPP web server over HTTPS with client certificates. Value-added services provided for SMEs are complementary services beyond the advisory service. They include pattern and system updates, virus detection, vulnerability scanning, firewall technology, and remote system updates, i.e. security patches. The full set of services includes the following measures:

• security advisory and alert services, including:

− security advisory dissemination service,
− alert dissemination service for exceptional alerts that have to be treated with highest urgency,
− profiling service,
− digital signature of security information, and
− advisory access and retrieval service,

• value-added services, including:

− intrusion detection systems (IDS),
− vulnerability scanning,
− patch update service,
− virus detection,
− firewall configuration, and
− remote server maintenance, administration and patching.
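The profiling and dissemination logic described above (product-based filtering of advisories, an alerting service that SMEs activate in their profile, a choice of TXT/HTML/XML formats and delivery channels, and a basic versus comprehensive presentation depending on the organization's expertise, as offered by the CERTs in Table 4) can be implemented as a small decision routine. The Python program below is an added example, not EISPP code; the profile fields and the rule that alerts bypass the product filter but only reach organizations that activated alerting are assumptions modelled on the services described in this section, and all organizations, contacts and products are constructed.

```python
"""Profile-based dissemination of advisories and alerts to SMEs.  Added example,
not EISPP code: the profile fields (products, platforms, formats, channels,
alerting flag, expertise) are assumptions modelled on the services in Table 4,
and all organisations, contacts and products below are constructed."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

FORMATS = {"TXT", "HTML", "XML"}            # presentation formats offered
CHANNELS = {"email", "web", "fax", "sms"}   # dissemination channels offered
URGENT_CHANNELS = ("email", "sms", "fax")   # channels that reach a person quickly


@dataclass
class Profile:
    organisation: str
    contact: str                      # person listed in the profile
    products: Set[str]                # products selected from the CERT's product list
    platforms: Set[str] = field(default_factory=set)   # empty set: any platform
    formats: Set[str] = field(default_factory=lambda: {"TXT"})
    channels: Set[str] = field(default_factory=lambda: {"email"})
    alerts_enabled: bool = False      # alerting service activated via the profile
    expertise: str = "basic"          # "basic": risk and solution only; "comprehensive": full text


@dataclass
class Notice:
    notice_id: str
    affected: List[Tuple[str, str]]   # (platform, product) pairs from the advisory
    is_alert: bool = False            # exceptional alert of highest urgency


@dataclass
class Delivery:
    organisation: str
    contact: str
    channels: Tuple[str, ...]
    formats: Tuple[str, ...]
    presentation: str                 # "basic" or "comprehensive"


def validate_profile(p: Profile) -> None:
    """Reject profiles that ask for formats or channels the service does not offer."""
    bad = (p.formats - FORMATS) | (p.channels - CHANNELS)
    if bad:
        raise ValueError(f"{p.organisation}: unsupported options {sorted(bad)}")
    if not p.products:
        raise ValueError(f"{p.organisation}: profile selects no products")


def is_relevant(notice: Notice, p: Profile) -> bool:
    """An advisory is relevant when at least one affected (platform, product) pair
    matches the profile; an empty platform set in the profile means any platform."""
    return any(product in p.products and (not p.platforms or platform in p.platforms)
               for platform, product in notice.affected)


def plan_delivery(notice: Notice, profiles: List[Profile]) -> List[Delivery]:
    """Decide who receives the notice, over which channels and in which form."""
    deliveries = []
    for p in profiles:
        validate_profile(p)
        if notice.is_alert:
            # Assumption: alerts bypass the product filter but only reach
            # organisations that activated alerting, on their fastest channels.
            if not p.alerts_enabled:
                continue
            channels = (tuple(c for c in URGENT_CHANNELS if c in p.channels)
                        or tuple(sorted(p.channels)))
            presentation = "comprehensive"   # an alert always carries its technical basis
        else:
            if not is_relevant(notice, p):
                continue
            channels = tuple(sorted(p.channels))
            presentation = p.expertise
        deliveries.append(Delivery(p.organisation, p.contact, channels,
                                   tuple(sorted(p.formats)), presentation))
    return deliveries


# Constructed profiles and notices (no real organisations or products).
PROFILES = [
    Profile("Bakery Ltd", "owner@bakery.example", {"ExampleHTTPd"}, {"Linux"}),
    Profile("Consulting GmbH", "soc@consulting.example", {"ExampleHTTPd", "ExampleDB"},
            {"Solaris"}, {"XML", "HTML"}, {"email", "web"}, True, "comprehensive"),
    Profile("Garage SA", "it@garage.example", {"ExampleDB"}, set(), {"TXT"}, {"email", "sms"}, True),
    Profile("Hotel NV", "front@hotel.example", {"ExampleHTTPd"}, {"Windows"}),
]
ADVISORY = Notice("EXAMPLE-2007-001", [("Linux", "ExampleHTTPd"), ("Solaris", "ExampleHTTPd")])
ALERT = Notice("EXAMPLE-ALERT-2007-003", [], is_alert=True)

if __name__ == "__main__":
    for notice in (ADVISORY, ALERT):
        for d in plan_delivery(notice, PROFILES):
            print(notice.notice_id, "->", d)
```

Running the block shows the filtering at work: the advisory for ExampleHTTPd on Linux and Solaris reaches the bakery (Linux) and the consultancy (Solaris) but neither the garage, which runs a different product, nor the hotel, which runs the product on an unaffected platform; the alert reaches only the two organizations that activated alerting, on their fastest enabled channels. Signing the delivered messages (PGP or S/MIME in Table 4) is a separate step that this example does not cover.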

An overview of the CERT organizations that participated in the experimental pilot phase of EISPP, during which the realization of security services for SMEs was tested and analyzed, is given in Table 4. The experiments were executed independently by the involved CERT organizations and SMEs in their respective countries. However, all organizations focused on the same set of objectives and services, including:

• advisory access and retrieval,
• alert dissemination,
• use of digital signatures,
• SME-based profiling of advisories and their contents, and
• security advisory dissemination.

Table 4: Overview of CERTs With SME Services

CALLINEB (Sweden)

• advisory access and retrieval: storing of published advisories on the customer-specific part of the website; access to advisories issued in the archive section via web; searchable and usable profiles; use of personalized X.509 authentication certificates for access to the web-based system; optional provision of a common sector-based area for sharing information within a group of users

• alert dissemination: issuance of serious alerts based on published information, submitted information and rumors; use of confidence levels for alerts; transport via e-mail (PGP-signed and optionally encrypted); archive for customer access

• digital signature: security advisories signed with the CALLINEB PGP key, optionally encrypted if required by the recipient; use of e-mail or fax and PGP for authentication

• profiling: definition of profiles and personalization by SMEs regarding the content on CALLINEB and the set of advisories to be received, in order to filter out unwanted advisories; advisories are sent directly to the person listed in the profile (larger organizations may have multiple profiles); customer profiles can be changed via a configuration page in the CALLINEB client system in order to cope with organizational changes; protection of privacy and secure transmission of sensitive information through access to the CALLINEB web-based client system via HTTPS and X.509 client certificates

• security advisory dissemination: distribution of advisories via e-mail and fax; complete vulnerability discussions on a mailing list; gathering and HTML-based archiving of information on a daily basis; severity rating of the information

Cert-IST (France)

• advisory access and retrieval: published advisories are available on the Cert-IST private web site for its SMEs/intermediaries; possibility to browse only advisories concerning products of interest; search engine for finding advisories by keywords or by reference numbers; access via HTTP/HTTPS; a personal X.509 certificate is required to use this service

• alert dissemination: issuance of serious alerts with the goal of quickly warning SMEs/intermediaries about a threat, sent as an S/MIME-signed e-mail; information about the threat and its technical basics; full details of the problem are published either before or after the release of the alert

• digital signature: digitally signed advisories and alerts via signed e-mail; use of S/MIME for advisory authentication; Cert-IST certificate signed by a major certification authority (e.g. VeriSign)

• profiling: possibility for SMEs/intermediaries to select the relevant products from a list of products released by Cert-IST and to receive advisories only for those products via e-mail and on the Cert-IST web site; chaining of filtering criteria via a request submitted to Cert-IST to update the service, which is offered in French and English; SMEs/intermediaries may choose between TXT, HTML or XML (or a combination of these) formats for the advisories; only a basic presentation of security advisories (description of the risk and the solution) for small organizations, comprehensive information for larger organizations with some expertise

• security advisory dissemination: basic service provided by Cert-IST to its SMEs/intermediaries via e-mail

CLUSIT (Italy)

• profiling: support for the collection of the information required for profile registration; intermediary between the user and the CERTs; information can be collected in Italian and translated by CLUSIT; adaptation of PKI usage to the needs of the CERTs; support for the integration of the CERT PKI into the user infrastructure

• security advisory dissemination: intermediary between CERTs and users; collection and forwarding of advisories; limited help desk activity

esCERT (Spain)

• advisory access and retrieval: consultation via HTTPS of a MySQL security advisory database that contains all security advisories released by esCERT-UPC and information about vulnerabilities of the last years; requires an account (username/password) or a personal X.509 certificate

• alert dissemination: specific information about new attack patterns, sent via e-mail with an S/MIME signature

• digital signature: digitally signed security advisories using an X.509 digital certificate

• profiling: customization of advisories; subscription of SMEs to a subset of the vendor-classified platforms supported by esCERT; management of personal data such as the mail accounts to which advisories are to be sent; maintenance of the profile via web; authentication either via username and password or via a certificate provided by esCERT

• security advisory dissemination: daily customized distribution of advisories via e-mail (SMTP) in the EISPP common format

I.NET (Italy)

• advisory access and retrieval: access to the security advisory database by means of authentication to the web server with an X.509 certificate and SSL

• alert dissemination: activation of an alerting service by users via their profile; alerts sent to users via e-mail, fax or SMS; important information is available on the web site or is sent by mail

• digital signature: security advisories translated into Italian and digitally signed using PGP

• profiling: collection and redistribution of security advisories to the users; storing of advisories in a database; translation into Italian; profiling of the access by users regarding the chosen language, media (web or mail) and alerting

• security advisory dissemination: intermediary between the SMEs and the CERT; dissemination of advisories using multi-channel media; receipt via e-mail and/or web access (mail channel: mail clients and PGP; web channel: web browser and X.509 certificate)

EISPP and CEISNE were EU-funded projects that contributed to the standardization of procedures and formats related to CERT activities such as the receipt and analysis of information on vulnerabilities, the risk rating of the seriousness of vulnerabilities, the generation of advisories and the final publication of information on vulnerabilities. These activities were complemented by pilot experiments with SMEs as shown in Table 4.

The outcome of EISPP and CEISNE has been, and will continue to be, used by EGC (see section 3.3), TF-CSIRT (see section 3.4), and their member CERTs (see chapter 4). An example of the dissemination of EISPP and CEISNE results is the “Common Advisory Format” (CAF), which has been used in Germany as the basis for the definition of the “Deutsches Advisory Format” (DAF, German Advisory Format), which in turn is used by German national CERT organizations such as CERT-Bund (see section 4.2.2), CERT-Verbund (see section 4.2.5), DFN-CERT (see section 4.2.9), or Mcert (see section 4.2.13). The differences between CAF and DAF can be summarized as follows:

• provision of a standard translation of terms and concepts used in CAF into German language in order to guarantee a consistent use of the same terms,

• profiling of CAF by constraining the use of the CAF elements “Identification Data”, “Vulnerability Classification” and “Description” in order to support the cooperation between CERT organizations,

• maintenance of up-to-date versions of open lists-of-values such as list of EISPP/DAF issuers and list of standardized resources,

• integration of a common model of system information (CMSI: more details see section 4.2.5) that provides information about systems affected by a particular vulnerability, and the

• definition of some extensions to CAF related to the “Description” element, and provision of a mapping of these extensions from DAF to CAF.

Currently there are no specific EU-funded projects or initiatives for CERT-related objectives or tasks. In the context of CERT activities, the European Union follows a decentralized approach in which the individual national CERT organizations (see chapter 4) are themselves responsible for their policies and operations, i.e. the procedures for receiving, analyzing, disseminating and publishing information on vulnerabilities. Therefore, there are currently no activities in the EU region either for the creation of an index identifying the seriousness of vulnerabilities or for the creation of a central European vulnerability database. Instead, the advisory formats CAF and DAF are used by national CERT organizations to express the seriousness of vulnerabilities within particular fields of the advisory data structure. Information on vulnerabilities and security advisories is stored in databases established, operated, and maintained by the individual national CERTs.

Information about vulnerabilities is specified within the “Vulnerability Classification” field of CAF advisories, which consists of the following set of elements (element names and values are set in Courier font in the original):

• Vulnerability Identifiers: list of standard identifiers such as CVE numbers, Bugtraq IDs or others that identify the individual vulnerability,

• Confidence Level: the issuer's rating of the reliability of the vulnerability classification, taking one of the following values:
  − official_and_tested: the vulnerability has been announced by a recognized authority or vendor, and has been successfully tested by the issuer or a trusted third party,
  − official: the vulnerability has been announced by an official authority or vendor,
  − tested: the vulnerability has not been announced by a recognized authority or vendor, but has been successfully tested by the issuer or a trusted third party,
  − probable: the vulnerability has not been announced by an official authority or vendor, but is highly probable due to cross-checking between several information sources, or
  − not_qualified: the vulnerability has not been announced by a recognized authority or vendor, and could neither be tested nor cross-checked, but must be considered critical enough to require the generation of an advisory,

• Vulnerability Category: brief description of the cause of the vulnerability,

• Attack Requirements: the technical requirements an attacker needs in order to exploit the vulnerability, taking one of the following values:
  − remote_no_account: the system can be attacked remotely without requiring an account,
  − remote_account: the system can be attacked remotely, but an account is required,
  − victim_interaction: the attack may be performed remotely using some form of victim interaction,
  − local: the attack requires local access to the victim, or
  − packet_access: the attack requires access to packets,

• Immediacy: information about how immediate the threat posed by the vulnerability is (see Table 5), derived from:
  − Vulnerability Status: the current status of the vulnerability in the vulnerability life cycle, taking one of the following values: theoretical (there are indications that a vulnerability might exist), exploitable (the existence and exploitability of the vulnerability have been observed), currently_exploited (there are indications that the vulnerability is being actively exploited), or exploit_published (exploits for the vulnerability are publicly available), and
  − Propagation Method: the level of automation achieved for exploitation, taking one of the following values: manual (exploitation without automated means), automatic (exploitation with automated means), or replicating (exploitation by means of replication),

• Vulnerability Impact: rating of the severity of the vulnerability's effect (see Table 6), derived from the elements:
  − loss: the kind of security loss that might occur,
  − scope: the scope within which an attacker can take control, and
  − impact: the resulting severity of the vulnerability,

• Current Impact: general assessment of the current threat the vulnerability poses to ICT security, rated by combining its immediacy and its impact (see Table 7), and

• Risk: overall assessment of the risk, taking into account customer-specific factors.

Table 5: Overview of Immediacy Rating (rows: Vulnerability Status; columns: Propagation Method)

VULNERABILITY STATUS    MANUAL     AUTOMATED   REPLICATING
theoretical             very low   low         medium
exploitable             low        medium      high
currently exploited     medium     high        high
exploit published       medium     high        very high

Table 6: Overview of Impact Rating (rows: loss; columns: scope)

LOSS                                 PERSON     SERVICE   SYSTEM      NETWORK
take control                         high       high      very high   very high
take partial control                 medium     medium    high        high
integrity                            low        medium    high        high
confidentiality                      very low   low       medium      high
availability                         very low   low       medium      high
circumvention of security measures   very low   low       medium      high

Table 7: Overview of Current Impact Rating (rows: Immediacy; columns: Impact)

IMMEDIACY    VERY LOW   LOW        MEDIUM   HIGH        VERY HIGH
very low     very low   very low   low      low         medium
low          very low   low        low      medium      high
medium       low        low        medium   high        high
high         low        medium     high     high        very high
very high    medium     high       high     very high   very high
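To make the rating scheme of Tables 5 to 7 concrete, here is an added example in Python; it is not code from the study, from EISPP or from any CERT. It encodes the three tables, derives immediacy, impact and current impact from the four enumerated inputs the text names, rejects values outside the CAF enumerations instead of guessing, and checks the tables for monotonicity, i.e. that a more severe input can never lower a rating. The function names and the snake_case spelling of the loss and scope values are assumptions of this example, and the inputs in the usage section are constructed.

```python
"""Rating a CAF "Vulnerability Classification" with Tables 5 to 7.

Added worked example, not code from the study, from EISPP or from any CERT.
It composes the three lookup tables the way the text describes:
  Immediacy      = f(Vulnerability Status, Propagation Method)   (Table 5)
  Impact         = f(loss, scope)                                (Table 6)
  Current Impact = f(Immediacy, Impact)                          (Table 7)
Function names and the snake_case loss/scope spellings are this example's own.
"""

LEVELS = ("very low", "low", "medium", "high", "very high")

# Enumerations in increasing order of severity, as used for the table axes.
STATUS = ("theoretical", "exploitable", "currently_exploited", "exploit_published")
PROPAGATION = ("manual", "automatic", "replicating")  # Table 5 heads the middle column "automated"
SCOPE = ("person", "service", "system", "network")
# Table 6 lists losses from the most to the least severe.
LOSS = ("take_control", "take_partial_control", "integrity",
        "confidentiality", "availability", "circumvention")

# Table 5: rows = Vulnerability Status, columns = Propagation Method
IMMEDIACY = {
    "theoretical":         ("very low", "low",    "medium"),
    "exploitable":         ("low",      "medium", "high"),
    "currently_exploited": ("medium",   "high",   "high"),
    "exploit_published":   ("medium",   "high",   "very high"),
}
# Table 6: rows = loss, columns = scope
IMPACT = {
    "take_control":         ("high",     "high",   "very high", "very high"),
    "take_partial_control": ("medium",   "medium", "high",      "high"),
    "integrity":            ("low",      "medium", "high",      "high"),
    "confidentiality":      ("very low", "low",    "medium",    "high"),
    "availability":         ("very low", "low",    "medium",    "high"),
    "circumvention":        ("very low", "low",    "medium",    "high"),
}
# Table 7: rows = Immediacy, columns = Impact
CURRENT_IMPACT = {
    "very low":  ("very low", "very low", "low",    "low",       "medium"),
    "low":       ("very low", "low",      "low",    "medium",    "high"),
    "medium":    ("low",      "low",      "medium", "high",      "high"),
    "high":      ("low",      "medium",   "high",   "high",      "very high"),
    "very high": ("medium",   "high",     "high",   "very high", "very high"),
}


def _cell(table, row, col, cols):
    """Look up one cell. Values outside the CAF enumerations are rejected
    rather than silently mapped: a misspelt status would otherwise yield a
    wrong but plausible-looking rating."""
    if row not in table or col not in cols:
        raise ValueError(f"not a CAF value: row={row!r} col={col!r}")
    return table[row][cols.index(col)]


def classify(status, propagation, loss, scope):
    """Derive the three ratings for one advisory's classification fields."""
    imm = _cell(IMMEDIACY, status, propagation, PROPAGATION)
    imp = _cell(IMPACT, loss, scope, SCOPE)
    return {
        "immediacy": imm,
        "impact": imp,
        "current_impact": _cell(CURRENT_IMPACT, imm, imp, LEVELS),
    }


def _monotone(table, row_order, rows_worsen_downwards):
    """True if a more severe input never yields a lower rating: cells must not
    decrease left to right, and going down the rows (in the order the table
    lists them) they must not decrease, or for Table 6 not increase."""
    rank = LEVELS.index
    for r in row_order:
        cells = table[r]
        if any(rank(cells[i]) > rank(cells[i + 1]) for i in range(len(cells) - 1)):
            return False
    for above, below in zip(row_order, row_order[1:]):
        for x, y in zip(table[above], table[below]):
            if rows_worsen_downwards and rank(x) > rank(y):
                return False
            if not rows_worsen_downwards and rank(x) < rank(y):
                return False
    return True


def tables_consistent():
    """Consistency check a CERT would want before trusting the scheme."""
    return (_monotone(IMMEDIACY, STATUS, True)
            and _monotone(IMPACT, LOSS, False)
            and _monotone(CURRENT_IMPACT, LEVELS, True))


if __name__ == "__main__":
    # Constructed inputs: a published self-replicating exploit vs. a merely
    # suspected denial of service against one service.
    print(classify("exploit_published", "replicating", "take_control", "network"))
    print(classify("theoretical", "manual", "availability", "service"))
    print("tables consistent:", tables_consistent())
```

The monotonicity check matters because the final rating is a composition of three hand-maintained tables: a single transposed cell would let a published, self-replicating exploit rate below a merely theoretical one without anyone noticing, and the check catches that before the tables are trusted in production.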

Nevertheless, the EU is currently supporting the coordination and cooperation of national CERTs and the establishment of new CERTs through the European Network and Information Security Agency (ENISA), the European Government CERTs Group (EGC) and the European Task Force CSIRT (TF-CSIRT). In this context, the EC has recently proposed the following additional tasks for ENISA in its strategic document “A strategy for a Secure Information Society – Dialogue, partnership and empowerment” [EC COM DPE]:

• development of an appropriate data collection framework, including the procedures and mechanisms required to collect and to analyze EU-wide information on security incidents and consumer confidence,

• organization of the establishment of a strategic partnership between member states, the private sector and the research community to ensure the availability of data on the ICT security industry and on the evolving market trends for products and services in the EU region, and the

• clarification of the feasibility of the establishment of a European information sharing and alert system that provides information on threats, risks and alerts and that provides appropriate responses to existing and emerging security incidents to the European ICT security industry and the European market by means of a multilingual EU portal.

3.3 European Government CSIRTs Group

The European Government CSIRTs Group (EGC) is a group of governmental CERTs established with the main goal of strengthening the cooperation between its members in handling security incidents. Currently the EGC group consists of the following members:

• CERT-FI (Finland: see section 4.4.4),
• CERTA (France: see section 4.1.1),
• CERT-Bund (Germany: see section 4.2.2),
• GOVCERT.NL (Netherlands: see section 4.4.6.4),
• NorCERT (Norway: see section 4.4.7),
• SITIC (Sweden: see section 4.4.9.1),
• SWITCH-CERT (Switzerland: see section 4.4.10), and
• UNIRAS (United Kingdom: see section 4.3.11).

The tasks of EGC include the following main activities:

• joint development of measures to cope with national or regional network security incidents,
• promotion of information and technology sharing,
• exchange of information regarding IT security incidents, threats and vulnerabilities,
• identification of areas of sharable knowledge and expertise,
• identification of subjects of common interest,
• identification of research and development projects of mutual interest,
• promotion of further governmental CSIRTs in EU member states, and the
• exchange of views and concepts with other organizations and initiatives.

3.4 European Task Force-CSIRT

The European Task Force CSIRT (TF-CSIRT) has been established under the TERENA programme in order to promote collaboration between CSIRTs in Europe during the period 2006 to 2008. TF-CSIRT performs its tasks in compliance with its “Terms of Reference” (see [TF-CSIRT ToR]), approved by the TERENA technical committee on 6 June 2006.

The main objectives of TF-CSIRT include the following tasks and activities:

• dissemination and use of the EISPP outcomes, i.e. CAF and CEISNE,
• provision of a forum for exchanging experiences and knowledge,
• establishment of pilot services for the European CSIRT community,
• promotion of common standards and procedures for responding to security incidents,
• improvement of the Request Tracker for Incident Response (RTIR) tool,
• assistance in the creation of new CSIRTs,
• assistance in the training of CSIRT staff,
• coordination of joint initiatives,
• provision of the means for liaison of EU CSIRTs with the Commission and other policy boards,
• organization of meetings and seminars for the exchange of experiences and the discussion of security issues,
• liaison with the Trusted Introducer (TI),
• maintenance of a web-based clearing house for security software, including free and commercial software,
• collaboration with Information Security Metadata Activities on the development and standardization of the following Description and Exchange Formats (DEFs):
  − Intrusion Detection DEF (IDDEF),
  − Incident Object DEF (IODEF),
  − Penetration Testing DEF (PTDEF), and
  − Vulnerability and Exploit DEF (VEDEF), and the
• investigation of possibilities for collaboration with FIRST and with counterparts of TF-CSIRT on other continents.

The activities of TF-CSIRT are mainly focused on the EU region and its neighboring countries. The collaboration of TF-CSIRT may be extended to teams and organizations outside the EU area if this complies with the aims of TF-CSIRT. The scope of potential CSIRT partners includes the following kinds of organizations:

• CSIRTs operated by national or international research and education networks,
• commercial ISPs,
• companies,
• governmental organizations,
• vendor product teams, and
• commercial CSIRTs.

The Trusted Introducer (TI) is a joint initiative of European CSIRTs undertaken to support cooperation between its members by providing a source of mutual trust and of operational knowledge about the participating CSIRTs. Trust is facilitated by an accreditation scheme that candidate members must undergo in order to proceed from “listed” to “accredited” status. Only accredited members are allowed access to a restricted TI repository that provides details about accredited members and their value-added services. TI is one of the joint activities undertaken within TF-CSIRT.

3.5 Research and Development Programs

The Community Research and Development Information Service (CORDIS) is the information source for European Research and Technological Development (RTD) programmes such as the Information Society Technologies (IST) programme (2002-2006). Issues related to software vulnerabilities are now covered by the Information and Communication Technologies (ICT) action, in line with the policy priorities of the EU's i2010 initiative (see [i2010]). ICT research will now be supported under the 7th Framework Programme (see [ICT FP7]).

The objectives of these research activities are to strengthen the scientific and technological ICT base of the EU, and to stimulate and promote innovation in products, services and processes for the benefit of EU citizens, businesses, industries and governments. The new ICT work programme is structured into the following so-called “challenges”, which represent the main activities for which calls for proposals have recently been initiated:

• pervasive and trusted network and service infrastructures,
• cognitive systems, interaction and robotics,
• components, systems and engineering,
• digital libraries and content,
• sustainable and personalized healthcare,
• mobility, environmental sustainability and energy efficiency,
• independent living and inclusion,
• future and emerging technologies, and
• research e-Infrastructures.

Among these broad-scope challenges, the following activities also contribute to vulnerability-related issues:

• development of new network infrastructures requiring robustness, resilience, trust and security,
• provision of authentication, authorization, accountability, ethics, privacy, liability, risk and governance,
• enabling users to have full control over their digital identity and personal data, and protection of their privacy,
• strengthening of trust and flexibility in the use of networks, software and services,
• provision of a wider availability of dynamic services and new networked media consumption and production systems,
• research on service platforms and architectures for trusted and secure services,
• handling of vulnerabilities in the intercommunication of systems, equipment, services and processes, and their resilience against malicious attacks including terrorism,
• protection of the security of citizens against organized crime,
• protection and safeguarding of critical infrastructures against incidents, malfunctions and failures,
• development of technology building blocks for the creation, monitoring and management of secure, resilient and available information infrastructures,
• provision of means to survive malicious attacks or accidental failures,
• guaranteeing the integrity of data,
• provision of responsive and trustworthy services,
• mastering the vulnerabilities of interdependent critical infrastructures,
• provision of recovery mechanisms for critical scenarios,
• development of security and dependability metrics and assurance methods for quantifying infrastructure interdependencies,
• design and development of systemic risk analysis and security configuration management,
• development of common methodologies for global analyses and assessment of risks, failures and vulnerabilities, and the
• development of tools to achieve a high level of situation awareness.


4 CERT Organizations in the EU Region

Currently many CERT organizations exist in the EU region. An overview of most of the European CERT organizations in alphabetic order is given in Table 8. Some details about these organizations are described in the following sections.

Table 8: European CERT Organizations

COUNTRY / ORGANIZATION / ACCREDITATION DATE / LINK (entries without a date have no accreditation date given)

Austria
  ACOnet-CERT  2003-03-28  http://www.trusted-introducer.nl/teams/aconet-cert.html

Belgium
  BELNET CERT  2004-09-14  http://www.trusted-introducer.nl/teams/belnet-cert.html

Croatia
  CARNet-CERT  2002-09-09  http://www.trusted-introducer.nl/teams/carnet-cert.html

Cyprus
  CYPRUS  (no date)  http://www.trusted-introducer.nl/teams/teams-c.html#CYPRUS

Czech Republic
  CESNET-CERTS  (no date)  http://www.trusted-introducer.nl/teams/teams-c.html#CESNET-CERTS

Denmark
  CSIRT.DK  2001-04-20  http://www.trusted-introducer.nl/teams/csirtdk.html
  DK-CERT  2002-02-05  http://www.trusted-introducer.nl/teams/dk-cert.html
  KMD IAC  2002-03-21  http://www.trusted-introducer.nl/teams/kmd-iac.html

Europe
  Cisco PSIRT  2003-05-01  http://www.trusted-introducer.nl/teams/cisco-psirt.html
  DAN-CERT  (no date)  http://www.trusted-introducer.nl/teams/teams-d.html#DANCERT
  ESACERT  2004-05-13  http://www.trusted-introducer.nl/teams/teams-e.html#ESACERT
  IBM ERS  (no date)  http://www.trusted-introducer.nl/teams/teams-i.html#IBMERS
  SunCERT  (no date)  http://www.trusted-introducer.nl/teams/teams-s.html#SUNCERT

Finland
  CERT-FI  2004-05-24  http://www.trusted-introducer.nl/teams/teams-c.html#CERT-FI
  ETSIRT  2005-11-25  http://www.trusted-introducer.nl/teams/etsirt.html
  Funet CERT  2002-04-21  http://www.trusted-introducer.nl/teams/funet-cert.html
  Nokia NIRT  2005-07-10  http://www.trusted-introducer.nl/teams/nokia-nirt.html

France
  CERTA  2002-03-25  http://www.trusted-introducer.nl/teams/certa.html
  Cert-IST  2006-03-14  http://www.trusted-introducer.nl/teams/cert-ist.html
  CERT-LEXSI  (no date)  http://www.trusted-introducer.nl/teams/teams-c.html#CERT-LEXSI
  Renater CERT  2001-09-39 (sic)  http://www.trusted-introducer.nl/teams/cert-renater.html

Germany
  CERT-Bund (formerly BSI-CERT)  (no date)  http://www.trusted-introducer.nl/teams/teams-c.html#CERT-BUND
  CERTBw  (no date)  http://www.trusted-introducer.nl/teams/teams-c.html#CERTBW
  CERTCOM  (no date)  http://www.trusted-introducer.nl/teams/teams-c.html#CERTCOM
  CERT-VW  2003-12-02  http://www.trusted-introducer.nl/teams/cert-vw.html
  ComCERT  (no date)  http://www.trusted-introducer.nl/teams/teams-c.html#COMCERT
  dCERT  2004-09-14  http://www.trusted-introducer.nl/teams/dcert.html
  DFN-CERT  2001-11-14  http://www.trusted-introducer.nl/teams/dfn-cert.html
  GNS-CERT  2004-10-18  http://www.trusted-introducer.nl/teams/gns-cert.html
  PRE-CERT  2002-06-12  http://www.trusted-introducer.nl/teams/pre-cert.html
  RUS-CERT  2002-03-15  http://www.trusted-introducer.nl/teams/rus-cert.html
  S-CERT  2002-10-10  http://www.trusted-introducer.nl/teams/s-cert.html
  secu-CERT  (no date)  http://www.trusted-introducer.nl/teams/teams-s.html#SECUCERT
  SIEMENS-CERT  2001-03-23  http://www.trusted-introducer.nl/teams/siemens-cert.html
  T-Com-CERT (formerly T-NETWORK-CERT)  (no date)  http://www.trusted-introducer.nl/teams/teams-t.html#T-Com-CERT
  Telekom-CERT  2004-10-01  http://www.trusted-introducer.nl/teams/telekom-cert.html

Greece
  AUTH-CERT  (no date)  http://www.trusted-introducer.nl/teams/teams-a.html#AUTH-CERT
  GRNET-CERT  2003-04-07  http://www.trusted-introducer.nl/teams/grnet-cert.html

Hungary
  CERT-Hungary  2006-02-14  http://www.trusted-introducer.nl/teams/vert-hungary.html
  HUN-CERT  (no date)  http://www.trusted-introducer.nl/teams/teams-h.html#HUN-CERT
  NIIF-CSIRT (formerly HUNGARNet-CERT)  (no date)  http://www.trusted-introducer.nl/teams/teams-n.html#NIIF-CSIRT

Iceland
  RHnet CERT  (no date)  http://www.trusted-introducer.nl/teams/teams-r.html#RHNET-CERT

Ireland
  HEANET-CERT  (no date)  http://www.trusted-introducer.nl/teams/teams-h.html#HEANET-CERT

Israel
  ILAN CERT  (no date)  http://www.trusted-introducer.nl/teams/teams-i.html#ILANCERT

Italy
  CERT-IT  (no date)  http://www.trusted-introducer.nl/teams/teams-c.html#CERT-IT
  GARR-CERT  2001-01-01  http://www.trusted-introducer.nl/teams/garr-cert.html

Lithuania
  LITNET CERT (formerly LITNET NOC-CERT)  2005-01-27  http://www.trusted-introducer.nl/teams/teams-l.html#LITNET-CERT

Malta
  mtCERT  2004-05-24  http://www.trusted-introducer.nl/teams/mtcert.html

Netherlands
  AMC-CERT  (no date)  http://www.trusted-introducer.nl/teams/teams-a.html#AMCCERT
  CERT-IDC  (no date)  http://www.trusted-introducer.nl/teams/teams-c.html#CERT-IDC
  CERT-KUN  (no date)  http://www.trusted-introducer.nl/teams/teams-c.html#CERT-KUN
  GOVCERT.NL (formerly CERT-RO)  2002-06-10  http://www.trusted-introducer.nl/teams/govcert-nl.html
  CERT-RUG (formerly seckern)  2002-08-13  http://www.trusted-introducer.nl/teams/cert-rug.html
  CERT-UU  (no date)  http://www.trusted-introducer.nl/teams/teams-c.html#CERTUU
  SURFnet-CERT (formerly CERT-NL)  2001-01-01  http://www.trusted-introducer.nl/teams/surfnet-cert.html
  KPN-CERT (formerly UNI-CERT)  2005-07-10  http://www.trusted-introducer.nl/teams/kpn-cert.html
  UvA-CERT  (no date)  http://www.trusted-introducer.nl/teams/teams-u.html#UVACERT

Norway
  NorCERT  2006-10-01  http://www.trusted-introducer.nl/teams/teams-n.html#NORCERT
  UNINETT CERT  2001-04-01  http://www.trusted-introducer.nl/teams/uninettcert.html

Poland
  Abuse TP S. A.  (no date)  http://www.trusted-introducer.nl/teams/teams-a.html#ABUSETPSA
  CERT POLSKA (formerly CERT-NASK)  2001-11-22  http://www.trusted-introducer.nl/teams/cert-polska.html
  PIONIER-CERT (formerly POL34-CERT)  (no date)  http://www.trusted-introducer.nl/teams/teams-p.html#PIONIER-CERT

Portugal
  CERT.PT (formerly RCCN CERT)  2004-05-24  http://www.trusted-introducer.nl/teams/cert-pt.html

(country not given in the source table)
  NORDUNET CERT  2001-04-06  http://www.trusted-introducer.nl/teams/nordunetcert.html

Russian Federation
  RU-CERT  2005-07-10  http://www.trusted-introducer.nl/teams/ru-cert.html
  WebPlus ISP  (no date)  http://www.trusted-introducer.nl/teams/teams-w.html#WEBPLUS

Slovenia
  SI-CERT  2001-07-03  http://www.trusted-introducer.nl/teams/si-cert.html

Spain
  esCERT-UPC  2001-09-30  http://www.trusted-introducer.nl/teams/escert-upc.html
  IRIS CERT  2001-03-23  http://www.trusted-introducer.nl/teams/iris-cert.html
  SIAPI-CERT  (no date)  http://www.trusted-introducer.nl/teams/siapi-cert.html

Sweden
  SITIC  2005-07-10  http://www.trusted-introducer.nl/teams/sitic.html
  SUNet CERT  2002-05-23  http://www.trusted-introducer.nl/teams/sunet-cert.html
  TS-CERT (formerly TCERT or TeliaCERT)  2001-07-12  http://www.trusted-introducer.nl/teams/ts-cert.html

Switzerland
  CC-SEC  (no date)  http://www.trusted-introducer.nl/teams/teams-c.html#CC-SEC
  CERN CERT  (no date)  http://www.trusted-introducer.nl/teams/teams-c.html#CERNCERT
  IP+ CERT  (no date)  http://www.trusted-introducer.nl/teams/teams-i.html#IPPLUSCERT
  OS-CIRT  (no date)  http://www.trusted-introducer.nl/teams/teams-o.html#OS-CIRT
  SWITCH-CERT  2001-09-20  http://www.trusted-introducer.nl/teams/switch-cert.html

Turkey
  TR-CERT  (no date)  http://www.trusted-introducer.nl/teams/teams-t.html#TR-CERT

United Kingdom
  BT SBS  2001-06-01  http://www.trusted-introducer.nl/teams/bt-sbs.html
  BTCERTCC  2001-01-01  http://www.trusted-introducer.nl/teams/bt-certcc.html
  CITIGROUP  (no date)  http://www.trusted-introducer.nl/teams/teams-c.html#CITIGROUP
  E-CERT  (no date)  http://www.trusted-introducer.nl/teams/teams-e.html#E-CERT
  EUCS-IRT  (no date)  http://www.trusted-introducer.nl/teams/teams-e.html#EUCS-IRT
  JANET-CERT  2001-01-01  http://www.trusted-introducer.nl/teams/janet-cert.html
  MLCIRT  (no date)  http://www.trusted-introducer.nl/teams/teams-m.html#MLCIRT
  MODCERT  (no date)  http://www.trusted-introducer.nl/teams/teams-m.html#MODCERT
  OxCERT  (no date)  http://www.trusted-introducer.nl/teams/teams-o.html#OXCERT
  Q-CIRT  (no date)  http://www.trusted-introducer.nl/teams/teams-q.html#Q-CIRT
  UNIRAS  2002-04-21  http://www.trusted-introducer.nl/teams/uniras.html

International Cooperation

Many of the European CERT organizations are members of the international Forum of Incident Response and Security Teams (FIRST). FIRST, established in 1990, is a global network of computer security incident response teams dealing with computer security problems and with measures for their prevention. FIRST provides a forum for a broad range of computer security incident response teams from governmental, commercial, research and educational organizations. Currently FIRST has more than 170 members from America, Asia, Europe and Oceania. The main goals and tasks of FIRST in promoting a safer and more secure global electronic environment include the following activities:

• promotion of cooperation and coordination in incident prevention,
• stimulation of rapid reactions to incidents,
• promotion of information sharing among members,
• development and sharing of technical information, tools, methodologies, processes and best practices,
• provision of access to best practices, tools and trusted communication with member teams,
• promotion of the development of quality security products, policies and services,
• promotion of the creation and expansion of CERTs and of membership, and the
• promotion of a safer and more secure global electronic environment.

More detailed information about FIRST activities can be found at the links listed in Table 9.

Table 9: FIRST Activities

TOPIC                                      LINK
Annual Incident Response Conferences       http://www.first.org/conference/
Best Practice Documents                    http://www.first.org/resources/guides/
Publications                               http://www.first.org/publications/
Special Interest Groups                    http://www.first.org/about/organization/committees.html
Technical Colloquia for Security Experts   http://www.first.org/events/colloquia/

4.1 France

This section provides an overview of the CERT organizations established in France and their activities, including CERTA (see section 4.1.1), Cert-IST (see section 4.1.2), CERT-LEXSI (see section 4.1.3) and CERT-RENATER (see section 4.1.4). It should be noted that most of the information provided by these organizations is available only in French.

4.1.1 CERTA

The “Centre d'Expertise gouvernemental de Réponse et de Traitement des Attaques informatiques” (CERTA, Governmental Expert Centre for Responding to and Handling IT Attacks), established in October 1999, is a governmental CERT organization hosted by the “Direction Centrale de la Sécurité des Systèmes d'Information” (DCSSI, Central Directorate for Information Systems Security) of the “Secrétariat Général de la Défense Nationale” (SGDN, General Secretariat for National Defence). CERTA offers security services to the French administration community, i.e. to all French public offices and services, as well as to local territorial offices. CERTA is a member of EGC and, since October 2000, of FIRST. CERTA provides the following services to its users:

• alarms (alertes), issued to cope with actual security incidents,
• advisories (avis): documents describing vulnerabilities and the means of protecting against them,
• archives containing alarms and advisories,
• information notes (notes d'information), which describe phenomena of general scope, and
• news bulletins (bulletins d'actualité), which use recent events to illustrate certain pragmatic measures to apply.

A subset of the latest security information, documentation and other information provided by CERTA is listed in Table 10.

Table 10: CERTA Information and Documents (titles translated from French; the CERTA identifier in each link gives the document type: ALE alarm, AVI advisory, INF information note, ACT bulletin)

TOPIC / TITLE / LINK

Alarms (ALE)
  Vulnerability in Microsoft PowerPoint, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-ALE-012/index.html
  Multiple vulnerabilities in Microsoft products, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-ALE-011/index.html
  Vulnerability in Internet Explorer, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-ALE-010/index.html
  Vulnerability in the MSO.DLL library of Microsoft Office, July 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-ALE-009/index.html
  Vulnerability in Microsoft Excel, July 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-ALE-007/index.html

Advisories (AVI)
  Vulnerability in OpenSSH, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-AVI-453/index.html
  Vulnerability in Cahier de Texte, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-AVI-452/index.html
  Multiple vulnerabilities in IBM WebSphere, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-AVI-451/index.html
  Vulnerability in the Linux 2.4.x kernel, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-AVI-450/index.html
  Vulnerability in Xerox copiers, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-AVI-446/index.html
  Vulnerability in systrace on OpenBSD, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-AVI-449/index.html
  Multiple vulnerabilities in OpenSSL on OpenBSD, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-AVI-448/index.html
  Vulnerability in httpd on OpenBSD, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-AVI-447/index.html
  Vulnerability in Microsoft Windows Object Packager, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-AVI-445/index.html
  Vulnerabilities in IPv6 handling on Windows, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-AVI-444/index.html

Information notes (INF)
  Obsolete systems and software, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2005-INF-003/index.html
  IPv6 migration: security issues, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-INF-004/index.html
  Passwords, September 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2005-INF-001/index.html
  Terminology in use at CERTA, April 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-INF-002/index.html
  Filtering and firewalls, January 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-INF-001/index.html

Bulletins (ACT)
  News bulletin number 041 of 2006, October 2006  http://www.certa.ssi.gouv.fr/site/CERTA-2006-ACT-041.pdf

Archives
  Year 2006  http://www.certa.ssi.gouv.fr/site/2006index.html
  Year 2005  http://www.certa.ssi.gouv.fr/site/2005index.html

Contacts
  Contact CERTA  http://www.certa.ssi.gouv.fr/certa/contact.html

Search
  Site search  http://www.certa.ssi.gouv.fr/cgi-bin/recherche

Information
  Information notes  http://www.certa.ssi.gouv.fr/site/index_inf.html
  Current year  http://www.certa.ssi.gouv.fr/site/2006index.html
  XML/RSS feed  http://www.certa.ssi.gouv.fr/site/certa.rss
  What to do in case of an intrusion?  http://www.certa.ssi.gouv.fr/site/CERTA-2002-INF-002/index.html
  CERTA memos (mémentos)  http://www.certa.ssi.gouv.fr/site/CERTA-2005-INF-002/index.html
  Obsolete systems  http://www.certa.ssi.gouv.fr/site/CERTA-2005-INF-003/index.html
  Useful links (tools)  http://www.certa.ssi.gouv.fr/certa/liens.html

4.1.2 Cert-IST

The “CERT Industries, Services & Tertiaire” (Cert-IST, CERT for the Industry, Services and Tertiary Sectors), established in January 1999, is a commercial CERT organization hosted by Alcatel CIT. Cert-IST offers security services to customers from the industry, services and tertiary sectors in France, such as ALCATEL, CNES, FRANCE TELECOM, SANOFI AVENTIS, TOTAL, and numerous smaller customers. Two kinds of members are distinguished:

• partner members that are members participating in the Cert-IST steering committee, and that have the advantage of all the services provided by the Cert-IST, and the

• adherent members that are members that have access to the Cert-IST services they have subscribed to.

Cert-IST is a member of FIRST since August 2000, and an accredited member of TF-CSIRT since March 2006. Cert-IST was the coordinator of the "European Information Security Promotion Program" EISPP project of the EU. At the national level, Cert-IST cooperates under the control of French SSI organizations (SGDN and DCSSI) with CERT-RENATER (research and educational CERT), and with CERTA (governmental CERT). Cert-IST provides the following set of services to its users:


• center for alerts and reactions to computer attacks,
• provision of counter-measures for adherent risk prevention services, and assistance for incident handling,
• provision of security advisories whose content is only accessible to Cert-IST members,
• information exchange between partners,
• sharing of resources between partners,
• protection of the confidentiality of private member information,
• notification of vendors via e-mail about new vulnerabilities that have not been published in a public forum,
• publication of advisories after the completion of a 30-day discovery process,
• preparation of all information necessary to enable the vendors to qualify the vulnerability, e.g. the problem description, the tested versions, the code used, and all technical information,
• personalized dissemination of security advisories and alerts in different formats,
• preparation of results based on the analysis of information that is collected daily from many sources, and their qualification using objective criteria,
• release of more than 400 advisories, around ten alerts, and updates of more than 500 vulnerabilities per year,
• provision of security articles (in French only) for public use in monthly bulletins,
• compliance of products and services with CVE (version 20040901),
• specification of a responsible disclosure policy regarding security vulnerabilities, with the aim of ensuring the security of the Cert-IST constituency and enabling vendors to develop solutions for their security problems quickly,
• monthly release of a security bulletin recording released and not yet released vulnerabilities,
• presentation of current topics through specific studies,
• weekly release of a security bulletin with focus on the evolution of vulnerabilities,
• provision of access to the multi-criteria vulnerability search database, which covers the most used hardware and software components in information systems,
• storing of vulnerabilities related to more than 500 products, with management of the associated versions,
• provision of access to forums to inform and/or to alert as soon as possible,
• provision of access to a hotline for the clarification of released advisories,
• provision of access to an incident handling service,
• establishment of a trusted relationship that allows the handling of security problems by the
  − explanation of reported problems,
  − identification of their causes and origin, and the
  − provision of various recommendations to cope with the incident and to improve the general security level, and the
• provision of specialized trainings.


A subset of latest security information, documentation, and other information provided by Cert-IST is listed in Table 11.

Table 11: Cert-IST Information and Documents

TOPIC  TITLE  LINK
Bulletins  security articles  http://www.cert-ist.com/eng/ressources/Publications_ArticlesBulletins/
Contacts  reporting an incident  http://www.cert-ist.com/eng/contacts/declarerIncident/
Contacts  reporting a vulnerability  http://www.cert-ist.com/eng/contacts/declarerVulnerabilite/
Contacts  member registration  http://www.cert-ist.com/eng/contacts/conditionAdhesion/
Members  Association Statutes  http://www.cert-ist.com/documents/Document_Cert-IST_000058.pdf
Partners  cooperations  http://www.cert-ist.com/eng/presentation/Partenariat/
Policies  Cert-IST policy  http://www.cert-ist.com/documents/Document_Cert-IST_000074.txt
Policies  policy_draft-christey-wysopal-vuln-disclosure-00  http://www.cert-ist.com/documents/Document_Cert-IST_000074.txt
Sponsors  Clearswift: MAILsweeper content security solution  http://www.clearswift.com/
Sponsors  Sophos: Sophos Anti-Virus solution  http://www.sophos.com/
Threats  medium risk  http://www.cert-ist.com/eng/vigilance/
Vulnerabilities  "libX11" vulnerability on Solaris 8, 9 and 10 (v1.0)  https://wws.cert-ist.com/fast-cgi/AV/Details.cgi?lang=eng&action=1&format=3&ref=CERT-IST/AV-2006.366
Vulnerabilities  KDE-PAM vulnerability on Linux Fedora 5 (v1.0)  https://wws.cert-ist.com/fast-cgi/AV/Details.cgi?lang=eng&action=1&format=3&ref=CERT-IST/AV-2006.367
Vulnerabilities  Vulnerability in "Sun Java System Messaging Server" (v1.0)  https://wws.cert-ist.com/fast-cgi/AV/Details.cgi?lang=eng&action=1&format=3&ref=CERT-IST/AV-2006.368
Vulnerabilities  Vulnerability in IBM Lotus Notes (v1.0)  https://wws.cert-ist.com/fast-cgi/AV/Details.cgi?lang=eng&action=1&format=3&ref=CERT-IST/AV-2006.363
Vulnerabilities  Vulnerability in Ipswitch IMail 2006 (v1.0)  https://wws.cert-ist.com/fast-cgi/AV/Details.cgi?lang=eng&action=1&format=3&ref=CERT-IST/AV-2006.365

4.1.3 CERT-LEXSI

CERT-LEXSI is a commercial CERT organization hosted by the “Laboratoire d'EXpertise en Sécurité Informatique” (LEXSI, Laboratory of IT Security Expertise). CERT-LEXSI offers security services to CSI subscribers, SERENIS subscribers, and any other private companies.

A group within CERT-LEXSI, Exedis, has been selected by the Association Française de Normalisation (AFNOR, French Standardization Body) to perform a study on cyber crime (for details see Table 12).

A subset of latest security information, documentation, and other information provided by CERT-LEXSI is listed in Table 12.

Table 12: CERT-LEXSI Information and Documents

TOPIC  TITLE  LINK
Alerting  current alerts  https://www.lexsi.com/abonnes/actualites/alertes.php
Alerting  Plusieurs vulnérabilités corrigées par les bulletins de sécurité Microsoft (several vulnerabilities fixed by the Microsoft security bulletins), October 2006  https://www.lexsi.com/abonnes/warn.php?id=146
Alerting  Vulnérabilité non corrigée (0day WebViewFolderIcon ActiveX) dans Microsoft Internet Explorer (unpatched vulnerability (0day WebViewFolderIcon ActiveX) in Microsoft Internet Explorer)  https://www.lexsi.com/abonnes/warn.php?id=145
Associations  Atouts (strengths)  http://www.lexsi.com/societe_atouts.html
Associations  Fondateur (founder)  http://www.lexsi.com/societe_fondateur.html
Associations  general information  http://www.lexsi.com/societe.html
Associations  references  http://www.lexsi.com/societe_references.html
Associations  Savoir-Faire (expertise)  http://www.lexsi.com/societe_savoirfaire.html
Companies  Exedis  http://www.exedis.fr/
Contacts  contact information  http://www.lexsi.com/contact.html
Contacts  coordonnées (contact details)  http://www.lexsi.com/contact_coordonnees.html
Contacts  recruitment  http://www.lexsi.com/contact_recrutement.html
General Information  current news  http://www.lexsi.com/actualite.html
General Information  editorials  http://www.lexsi.com/actualite_editorial.html
General Information  events  http://www.lexsi.com/actualite_evenement.html
General Information  press  http://www.lexsi.com/actualite_presse.html
General Information  services  http://www.lexsi.com/services.html
General Information  subscription information  https://www.lexsi.com/abonnes/
Services  conseil (consulting)  http://www.lexsi.com/services_conseil.html
Services  formation (training)  http://www.lexsi.com/services_formation.html
Services  Supervision of SERENIS  http://www.lexsi.com/services_supervision_serenis.html
Services  veille (security watch)  http://www.lexsi.com/services_veille.html
Studies  Cyber crime  http://www.lexsi.com/telecharger/gambling_cybercrime_2006.pdf
Vulnerability  current vulnerabilities  https://www.lexsi.com/abonnes/actualite_vulns.php
Vulnerability  Apple Xcode WebObjects / OpenBase SQL multiple vulnerabilities  https://www.lexsi.com/abonnes/vulns/vuln.php?id=7630
Vulnerability  Clam AntiVirus CHM Unpacker and PE Rebuilding Vulnerabilities  https://www.lexsi.com/abonnes/vulns/vuln.php?id=7623
Vulnerability  Mozilla Bugzilla XSS Vulnerabilities  https://www.lexsi.com/abonnes/vulns/vuln.php?id=7624

4.1.4 CERT-RENATER

CERT-RENATER, established in 1993 by the major academic and research institutions from France, is an educational and research CERT organization hosted by "Groupement d’Intérêt Public" (GIP) RENATER whose main task is to provide telecommunication infrastructures for research and education.

Currently more than 800 sites are connected to RENATER via campus, metropolitan or regional networks. RENATER offers national and international connectivity, and evolves accordingly to technological improvements and available capacity infrastructure.

CERT-RENATER offers internal security services to its members, which are the Ministry of Education, the Ministry of Research, the Centre National de la Recherche Scientifique (CNRS, National Center for Scientific Research), the National Committee of Scientific Research, the Commissariat à l'énergie atomique (CEA, Atomic Energy Commission), the Institut National de Recherche en Informatique et en Automatique (INRIA, National Institute for Research in Computer Science and Control), the Centre National d’Etudes Spatiales (CNES, National Space Agency), and the Institut National de la Recherche Agronomique (INRA, National Institute for Agricultural Research). CERT-RENATER is an accredited member of FIRST, a member of TERENA, and an accredited member of TF-CSIRT since September 2001.

CERT-RENATER provides the following support and services to its customers:

• provision of current information about security problems and vulnerabilities,
• provision of current information about alerts, and the
• publication of security information in bulletins.

A subset of latest security information, documentation, and other information provided by CERT-RENATER is listed in Table 13.

Table 13: CERT-RENATER Information and Documents

TOPIC  TITLE  LINK
Businesses  call for tenders  http://www.renater.fr/rubrique.php3?id_rubrique=51
Cooperations  AFNIC  http://www.afnic.fr/
Cooperations  Aristote association  http://www.aristote.asso.fr/
Cooperations  DANTE  http://www.dante.net/
Cooperations  international activities  http://www.renater.fr/rubrique.php3?id_rubrique=12
Events  information about events  http://www.renater.fr/rubrique.php3?id_rubrique=50
News  general information, information about research activities, and new services  http://www.renater.fr/rubrique.php3?id_rubrique=14
News  latest security news  http://www.renater.fr/spip.php?rubrique160
Organization  coordonnées, organismes membres, équipe (contact details, member organizations, team)  http://www.renater.fr/rubrique.php3?id_rubrique=11
Policies  acceptable use policy  http://www.renater.fr/IMG/pdf/charte_en.pdf
Portals  the CERT RENATER portal  http://www.renater.fr/spip.php?rubrique19
Research  research and innovation  http://www.renater.fr/rubrique.php3?id_rubrique=13
Services  announcements  http://www.renater.fr/rubrique.php3?id_rubrique=49
Services  declaring security problems  http://www.renater.fr/spip.php?article115
Services  global internet eXchange  http://www.renater.fr/rubrique.php3?id_rubrique=15
Services  security information  http://www.renater.fr/spip.php?article79
Services  service de connectivité et autres (connectivity and other services)  http://www.renater.fr/rubrique.php3?id_rubrique=156
Trainings  training courses  http://www.renater.fr/rubrique.php3?id_rubrique=45
Users  current and future users  http://www.renater.fr/rubrique.php3?id_rubrique=1

4.2 Germany

The current situation of security threats and vulnerabilities in Germany is described in the technical report “The IT-Situation in Germany 2005” (details see [BSI ITSG]) that has been published by the Federal Office for Information Security and that was based on results of studies done by various IT security companies.

The results of this survey have shown that viruses and malicious software continue to be the largest cause of security breaches for all sectors of the German society, e.g. citizens, businesses, and federal administrations. The report covers topics such as

• IT security awareness,
• IT security competences and skills,
• vulnerabilities and security gaps,
• malware including viruses, worms, spyware, and Trojan horses,
• Denial of Service (DoS) attacks,
• spam,
• bot-networks,
• phishing,
• dialers,
• Voice over IP (VoIP),
• Wireless Local Area Networks (WLAN),
• Supervisory Control and Data Acquisition systems (SCADA), and
• mobile phones and Personal Digital Assistants (PDA).

The Federal Cabinet passed a general IT security strategy in July 2005 that has been further elaborated by the Ministry of the Interior to become the “National Plan for Information Infrastructure Protection” (details see [BMI NPIIP]). The strategic main goals shall be achieved by the following objectives and actions:

• prevention of security risks in IT applications by
  − supporting awareness raising initiatives,
  − increasing the knowledge about threats and means of protection,
  − creating security management,
  − implementing security counter measures, and by
  − developing and using trustworthy procedures, products and systems,
• preparedness to cope with security incidents by
  − identifying, collecting, registering and evaluating security incidents,
  − providing warning and alerting of affected organizations and individuals, and by
  − applying appropriate measures to reduce and minimize potential vulnerabilities,
• sustainability to strengthen the long-term stability of IT security by
  − enabling the technical competencies and skills of IT security staff,
  − providing the framework conditions for trustworthy IT services, products and systems,
  − promoting research and development, and by
  − cooperation with the private sector, and international organizations and standardization bodies.

This section provides an overview of CERT organizations and their activities that have been established in Germany. Currently the following set of German CERT organizations, listed in alphabetical order, exists:

• Bürger-CERT (CERT for German citizens: Bürger = citizen, see section 4.2.1),
• CERT-Bund (federal governmental CERT, formerly known as BSI-CERT, see section 4.2.2),
• CERTBw (CERT for the German army, see section 4.2.3),
• CERTCOM (commercial CERT, see section 4.2.4),
• CERT-Verbund (German CERT alliance, see section 4.2.5),
• CERT-VW (commercial CERT, see section 4.2.6),
• ComCERT (commercial banking CERT, see section 4.2.7),
• dCERT (commercial CERT, see section 4.2.8),
• DFN-CERT (educational and research CERT, see section 4.2.9),
• GNS-CERT (commercial CERT, see section 4.2.11),
• Mcert (joint commercial and governmental CERT for SMEs, see section 4.2.13),
• Micro-BIT (educational and research CERT),
• PRE-CERT (commercial CERT, see section 4.2.14),
• RUS-CERT (educational and research CERT, see section 4.2.15),
• S-CERT (commercial banking CERT, see section 4.2.16),
• secu-CERT (commercial CERT, see section 4.2.18),
• Siemens-CERT (commercial CERT, see section 4.2.19),
• T-Com-CERT (commercial CERT, see section 4.2.20),
• Telekom-CERT (commercial CERT, see section 4.2.21), and
• WWU-CERT (educational and research CERT, see section 4.2.22).


4.2.1 Bürger-CERT

Bürger-CERT has been recently established by the “Bundesministerium des Inneren” (BMI, Federal Ministry of the Interior) and the German IT industry. Bürger-CERT is jointly operated by the “Bundesamt für Sicherheit in der Informationstechnik” (BSI, Federal Office for Information Security) and the “Deutsche Gesellschaft für IT-Sicherheit” (Mcert, German Association for IT Security) which is a subsidiary company of BITKOM. Current partners of Bürger-CERT are the following companies and organizations: Aladdin Knowledge Systems GmbH, BITKOM, Check Point Software Technologies, Computer Associates CA, DATEV eG, German Telekom, Fujitsu Siemens Computers, Interoute Managed Services, Microsoft, SAP AG, STRATO Medien AG, and Sun Microsystems Inc.

Bürger-CERT currently provides the following neutral and free of charge security services for German citizens and small enterprises:

• provision of a warning and information service,
• current and understandable information about security gaps and Internet threats,
• provision of solutions and concrete support at the link http://www.buerger-cert.de/, and the
• support from members of the CERT-Verbund (see section 4.2.5).

Bürger-CERT offers the following three kinds of warning service for registered citizens via e-mail subscription:

• the online newsletter “Sicher Informiert” (= securely informed), which provides an overview of the most important security news every 14 days; special editions give extra warnings in the case of extremely time-critical security gaps and Internet threats,
• an Internet page that provides current and comprehensive information about Internet threats, and a
• news archive for looking up old news.

4.2.2 CERT-Bund

The CERT-Bund, formerly known as BSI-CERT and established in 2001 within the Bundesamt für Sicherheit in der Informationstechnik (BSI, Federal Office for Information Security), is a governmental CERT that provides services to federal governmental departments in Germany. In addition to its permanent hotline, which is primarily used for emergency situations, CERT-Bund provides a warning and information service. Within this service CERT-Bund manages several mailing lists for different security issues, using S/MIME or PGP signed messages to protect the authenticity and integrity of the information. These mailing lists include the following types of information:

• mailing list “virinfo” for the distribution of actual warnings related to viruses, worms, and other vulnerabilities,

• mailing list “kurzinfo” (= notices) for rapid and comprehensive distribution of current information regarding IT security gaps of systems, and the

• mailing list “advisories” for federal administrations that provide actual information about security-relevant incidents and appropriate counter-measures.

The information exchange between CERT-Bund and governmental agencies is based on digitally signed and optionally encrypted E-Mails in order to protect the authenticity, integrity and confidentiality of exchanged information. Further tasks of CERT-Bund include the following activities:

• collection of attack scenarios and security gaps,
• analysis of attack methods and security gaps,
• documentation and statistics,
• development of preventive measures and strategies,
• development of evaluation methods and tools, and the
• provision of a warning and information service including
  − hints and advisories related to security gaps,
  − classification of incidents related to the observed vulnerabilities,
  − classification of current risks, and the
  − provision of references to security relevant patches of manufacturers or vendors.

CERT-Bund is a member of CERT-Verbund, a full member of FIRST, and a member of TF-CSIRT and EGC. It provides its services primarily to governmental organizations. Vulnerability handling policies, and especially disclosure policies, have not been published so far by CERT-Bund. Vulnerability reports originating from vendors are evaluated, assessed and published by CERT-Bund at the latest one day after they are received. As a principal rule, any incident related information is handled confidentially and is neither passed to others nor published. Security related information is only published or passed to third parties for further processing if all involved parties explicitly agree to this procedure.

As described in the previous section the BSI also provides a comparable service with its Bürger-CERT for citizens and SMEs.

4.2.3 CERTBw

The Computer Emergency Response Team Bundeswehr (CERTBw, CERT of the Federal Armed Forces) is hosted by the German Federal Ministry of Defence. CERTBw is a member of CERT-Verbund and of FIRST. It is a governmental organization that provides internal services for its host organization.

4.2.4 CERTCOM

CERTCOM AG is a company offering products and services in the area of proactive business IT security. As a commercial CERT it offers security services regarding network and computer security to medium-sized and large enterprises of the German economy.

CERTCOM provides products and services such as a standardized base service, an extended base service covering alarms, warnings, emergency calls and assistance, and penetration tests. The work of CERTCOM is documented in regular management summaries in order to fulfill the KonTraG and Basel II requirements.

Cooperation partners of CERTCOM are CamData GmbH, Interxion Deutschland, NIFIS e.V., and Presecure Consulting GmbH. CERTCOM is a member of CERT-Verbund.

4.2.5 CERT-Verbund

CERT-Verbund is an alliance of German security and computer emergency teams that was created by CERT-Bund, DFN-CERT, IBM BCRS, Siemens-CERT, S-CERT and Telekom-CERT. CERT-Verbund is open to all German CERTs, and it currently consists of the following set of members (name of CERT and hosting organization):

• Bayern-CERT, Landesamt für Statistik und Datenverarbeitung (State Office for Statistics and Data Processing),
• BFK Consulting GmbH,
• CERT Baden-Württemberg, Innenministerium Baden-Württemberg (State Ministry of the Interior),
• CERT-Bund, BSI,
• CERT-NRW, Landesamt für Datenverarbeitung und Statistik NRW (State Office for Statistics and Data Processing),
• CERT-VW, Volkswagen AG,
• CERTBw, Bundeswehr (German Armed Forces),
• CERTCOM AG,
• ComCERT, Commerzbank AG,
• DFN-CERT Services GmbH,
• GNSec,
• IBM BCRS,
• Mcert Deutsche Gesellschaft für IT-Sicherheit mbH,
• PRESECURE Consulting GmbH,
• RUS-CERT, University of Stuttgart,
• S-CERT, SIZ Informatikzentrum der Sparkassenorganisation GmbH,
• secunet Security Networks AG,
• Siemens-CERT, SIEMENS AG, and
• Telekom-CERT, DTAG.

The main goal of CERT-Verbund is a strong cooperation between the different teams in order to collect and to analyze all required information. The individual teams remain responsible for providing their security services to their own target groups. The established alliance represents a common base for the cooperation between its members. Additionally the following global aims (details see http://www.cert-verbund.de/coc.html) are envisaged:

• ensuring the protection of national IT networks, and the
• provision of measures and capabilities for a joint and fast reaction in the case of security incidents.

The goals of CERT-Verbund shall be achieved by the definition of uniform organizational and technical interfaces needed for information exchange, and the development of a system for IT incident handling and alerting. A central part of the system is the statistical documentation of incident handling and the strategic experience gained from it.

The policies of CERT-Verbund can be characterized by the following issues:

• voluntary cooperation that can be terminated at any time,
• business models of members shall not be negatively affected by the cooperation,
• highest priority is given to the confidentiality of customer data,
• continuing improvement of services,
• optimization of the working processes of the members,
• support for regular information exchange,
• support for regular professional training and education, and the
• protection of information and interests of other members.

CERT-Verbund and its members are engaged in many national and international initiatives and research programs with the aim of developing and improving tools, standards and procedures. Examples of such initiatives are the CarmentiS, DAF, CMSI, and SIRIOS projects.

CarmentiS is a project in which members of CERT-Verbund are testing the base infrastructure for a German early warning system. CarmentiS also serves as a test bed to prove new concepts and strategies for visualizing and detecting new threats. CarmentiS represents an organization-spanning platform with the capability to integrate arbitrary sensor networks and information sources. More details on the CarmentiS project can be found at the link http://www.cert-verbund.de/carmentis/index.html. In this context another activity is envisaged that tries to establish a virtual competence center in which analysts are enabled to cooperate.

The Deutsches Advisory Format (DAF, German advisory format) is an exchange format for security advisories tailored to the needs of German CERTs. DAF has been developed and is maintained by CERT-Bund, DFN-CERT, PRESECURE and Siemens-CERT. DAF is based on a common interpretation of evaluation schemes and useful extensions of the EISPP Common Advisory Interchange Format (CAIF). Data exchange between CAIF and DAF is ensured. More details on the DAF project can be found at the link http://www.cert-verbund.de/daf/daf_description.html.

The Common Model of System Information (CMSI) has been developed to improve the cooperation between CERTs. CMSI provides a common model for the description of IT systems including operating systems and applications. It allows

• automatic processing of information about IT systems, and the
• automatic distribution of security advisories based on user profiles.

The model itself has been finished, but the creation of a database that contains all current IT systems is still in progress. The categorization of systems is sub-structured into a hierarchically organized so-called “category area” that contains similar products in different layers, and a “product area” for which the standardization of the naming space for product categories is essential. More details on the CMSI project can be found at the link http://www.cert-verbund.de/cmsi/index.html. CMSI has been incorporated into the incident handling and vulnerability management tool SIRIOS.

The System for Incident Response in Operational Security (SIRIOS) is a modular framework for incident handling and vulnerability management in CERTs. The software has been developed as open source code since 2003 funded by CERT-Bund and CERT-Verbund. SIRIOS is licensed under the GNU general public license.

The software of SIRIOS is based on “Open Ticket Request System” (OTRS), and its system kernel is installed as OTRS extension. SIRIOS offers base functions to organize incoming information by means of a flexible workflow-engine and a role model for rights assignment.

The modular architecture of SIRIOS allows further functionality to be added to the system kernel. New modules can be developed and easily integrated into the system, since all interfaces are documented. Installation is supported by a package manager that is provided via a public online repository for the following set of modules:

• incidents module for the conforming collection and processing of security incidents,
• crypto module with PGP and S/MIME capabilities for encryption, decryption, and processing of digital signatures,
• advisory module as a system to produce and to publish security advisories in the CAIF format,
• vulnerability database as an archive for information on vulnerabilities, with an import interface for “Common Vulnerabilities and Exposures” (CVE) and the “Open Source Vulnerability Database” (OSVDB),
• artifact database as an archive for patches, log files and demo exploits,
• web watcher as a monitor to control and observe arbitrary online resources for modifications,
• system category tree as a tree structure to organize system categories, and an
• Integrated Services Digital Network (ISDN) module as an interface for the transmission of voice messages to mobiles/phones via ISDN.

SIRIOS also provides a user manual with installation instructions, and packages for source code and binaries. More details on the SIRIOS project can be found at the link http://www.cert-verbund.de/sirios/.

4.2.6 CERT-VW

CERT-VW, established in 2002, is a commercial CERT organization hosted by the German car producer Volkswagen AG. CERT-VW offers internal security services to its host organization.

CERT-VW is a member of CERT-Verbund, an accredited member of TF-CSIRT since December 2003, and a member of FIRST since June 2004.

4.2.7 ComCERT

ComCERT is a commercial banking CERT organization hosted by the Commerzbank Group - IT Production. ComCERT offers internal security services to its host organization. ComCERT is a member of CERT-Verbund and a full member of FIRST.

4.2.8 dCERT

dCERT, established in 1999, is a commercial CERT organization hosted by T-Systems GEI GmbH, Business Unit ITC Security. dCERT offers internal security services to its host organization and to customers of its services. dCERT has been a member of FIRST since November 2001, and an accredited member of TF-CSIRT since September 2004.


The services provided by dCERT to its customers include the following information and activities:

• daily information about network and computer security,

• forwarding of analyzed and assessed information and counter-measures via e-mail,

• provision of monthly overview reports,

• permanent publication of distributed information on the web,

• permanent emergency call service,

• support for specific network and computer problems,

• provision of an electronic discussion forum in order to support the information exchange between all members and the IT security experts, and the

• regular organization of IT security seminars.

4.2.9 DFN-CERT

DFN-CERT, established in January 1993, is a CERT organization that serves educational institutions and research facilities. It is hosted by the DFN-Verein (DFN Society). The DFN-CERT services are provided by DFN-CERT Services GmbH, Hamburg, to the members of the DFN-Verein, which are German universities, educational and research facilities, and industrial research facilities.

DFN-CERT is a member of CERT-Verbund, a member of FIRST since June 1993 and an accredited member of TF-CSIRT since November 2001. More information about the DFN-CERT can be found at the web links listed in Table 14.

Table 14: DFN-CERT Activities

TOPIC: LINK

Assistance regarding security problems: http://www.dfn-cert.de/dfncert/hilfebei.html

Documents: ftp://ftp.cert.dfn.de/pub/docs/

Events: http://www.dfn-cert.de/events/aktuell.html

Firewalls: ftp://ftp.cert.dfn.de/pub/firewalls/

General information about DFN-CERT: http://www.dfn-cert.de/eng/dfncert/info.html

Incident response: http://www.dfn-cert.de/dfncert/incident-response/index-print.html

Mailing lists: ftp://ftp.cert.dfn.de/pub/mail-lists/

Members of the DFN-CERT: http://www.dfn-cert.de/eng/team/

Reports and proceedings: http://www.dfn-cert.de/dfn/berichte/

Security issues: http://www.dfn-cert.de/dfncert/dfn-mit2.html

Security tools: ftp://ftp.cert.dfn.de/pub/tools/

Workshops: http://www.dfn-cert.de/events/ws/


DFN-CERT provides the following set of services and performs the following set of tasks:

• competent support and assistance for DFN members in implementing preventive measures to increase the security of used systems,

• fast and efficient help as reaction to observed incidents,

• preparation of information and conduct of analysis needed for prevention measures and the checking of security notices,

• provision of security utilities and tools,

• cooperation with other CERTs,

• international exchange of experiences,

• training of German CERTs,

• communication with producers regarding the fast availability of current security-relevant information,

• promotion of the public key infrastructure,

• maintenance of the following mailing lists:

  − win-sec for general discussions of security problems, and

  − win-sec-ssc for fast information of technical staff and other CERTs via advisories,

• publication of information in the form of bulletins, guidelines, articles, manuals, documentations, and reports,

• organization of working groups, and the

• organization of tutorials, seminars and workshops.

4.2.10 D-Grid CERT Services

The D-Grid initiative (DGI), funded by the Bundesministerium für Bildung und Forschung (BMBF, Federal Ministry of Education and Research), was started in September 2005 with the aim of realizing a German Grid infrastructure for the scientific community. DGI requires the development and provision of new Grid-specific CERT services for the future D-Grid infrastructure, whose new security issues and requirements cannot be satisfied by classical CERT services. Within DGI a “Grid-specific CERT Services” work package has been defined to meet the following aims:

• usage of classical CERT services in the D-Grid communities,

• development of new services to meet Grid-specific requirements in close collaboration with D-Grid communities, and the

• launching of a pilot of the new Grid-specific services using existing technical and organizational CERT infrastructures.

4.2.11 GNS-CERT

GNS-CERT, established in January 2004, is a commercial CERT organization hosted by Global Network Security GmbH. GNS-CERT offers internal security services to its host organization, associated partners and customers. GNS-CERT is a member of CERT-Verbund, a member of FIRST since May 2004, and an accredited member of TF-CSIRT since October 2004.

4.2.12 HHU-CERT

HHU-CERT is an educational and research CERT organization hosted by the Heinrich-Heine-University Düsseldorf that has the following set of tasks:

• support of university staff for the realization of preventive measures to increase the security of used systems,

• provision of fast and effective help as reaction to observed incidents,

• gathering of information required for prevention, and for the analysis of advice regarding security problems,

• provision of adequate tools or references to downloadable tools,

• close cooperation and information exchange between system administrators of the faculties and central facilities of the university via a closed mailing list,

• cooperation with other CERTs, which is planned on the national and international level, and the

• communication with security software and service providers.

4.2.13 Mcert

Mcert was jointly established as a Public Private Partnership (PPP) by the “Bundesverband Informationswirtschaft, Telekommunikation und neue Medien” (BITKOM, Federal Association of the Information Economy, Telecommunications and New Media), the Bundesministerium des Innern (BMI, Federal Ministry of the Interior) and the Bundesministerium für Wirtschaft und Arbeit (BMWA, Federal Ministry for Economics and Labor). Mcert provides its security services to Small and Medium Enterprises, including the following tasks:

• provision of reliable security information,

• provision of an independent, trustworthy and easy-to-use data base that can be used to find adequate IT security service providers that fulfill the Mcert quality requirements,

• provision of clear recommendations in order to prevent attacks and security gaps,

• support for proactive measures,

• distribution of warnings, and the

• provision of clear instructions in order to close security gaps.

Mcert is a member of CERT-Verbund.


4.2.14 PRE-CERT

PRE-CERT, established in January 2001, is a commercial CERT organization hosted by PRESECURE Consulting GmbH. PRE-CERT offers internal security services to its host organization, associated partners and customers. PRE-CERT is a member of CERT-Verbund, a member of FIRST since April 2002 and an accredited member of TF-CSIRT since June 2002. PRE-CERT cooperates with the following organizations: BSI, CERT Coordination Center, DFN-CERT, FIRST, GE CompuNet, German Ministry of Economics and Technology, M&I/Stelvio bv, Secunet Security Networks, and SIZ - Informatikzentrum der Sparkassenorganisation.

In the area of incident response handling PRE-CERT offers the following services and support:

• identification of security events such as attacks or attempted intrusions,

• understanding and execution of appropriate responses,

• identification of new and existing threats and vulnerabilities,

• development of a strategy for corporate-wide security and incident response activities,

• support for planning, building, or enhancing incident response teams,

• training of security teams to deal with attacks and incidents,

• fortification of intrusion detection teams to deal with attacks and incidents,

• organization of incident report and data analysis efforts,

• consulting with other parties about topics in incident response,

• responsibility for leading organizational risk and security management,

• organization of workshops, presentations, and round tables,

• organization of training, tutorials, and incident response team courses,

• consulting and project management,

• serving as a negotiator for managed security and incident response services,

• ongoing support, coaching, and monitoring, and the

• provision of other customer-tailored services.

Information about PRE-CERT can be found at the web links listed in Table 15.

Table 15: PRE-CERT Activities

TOPIC: LINK

Courses and workshops:
http://www.pre-secure.com/ir/courses/mcsirt.html
http://www.pre-secure.com/ir/courses/csih.html
http://www.pre-secure.com/ir/courses/ccsirt.html

Description of PRE-CERT: http://www.pre-secure.com/pre-secure.pdf

Presentations:
FIRST conference: http://www.pre-secure.com/paper/index.html#FIRST-2003
FIRST technical colloquium: http://www.pre-secure.com/paper/index.html#FIRST-TC-0402
TF-CSIRT meeting: http://www.pre-secure.com/paper/index.html#TF-CSIRT-20030925

4.2.15 RUS-CERT

RUS-CERT, established in March 1998, is an educational and research CERT organization hosted by the University of Stuttgart. RUS-CERT offers internal security services to its host organization. RUS-CERT is a member of CERT-Verbund and FIRST, and an accredited member of TF-CSIRT since March 2002. RUS-CERT is responsible for computer and network security of the University of Stuttgart.

RUS-CERT publishes current news related to computer and network security on its web page http://cert.uni-stuttgart.de/ticker/. Further information about RUS-CERT is provided at the link http://cert.uni-stuttgart.de/presse/.

4.2.16 S-CERT

S-CERT, established in January 2001, is a commercial banking CERT organization hosted by the Sparkassen-Finanzgruppe (German Savings Banks Organization) and operated by the Sparkassen-Informationszentrum (SIZ, an IT product and consulting company). S-CERT offers internal security services to the members of the German Savings Banks Organization, which are country banks, savings banks, and insurers. S-CERT is a member of FIRST and CERT-Verbund.

S-CERT provides the following support and services to its customers:

• provision of daily information about the newest security gaps and proposed solutions,

• provision of comprehensive information for decision makers,

• support for coping with IT security problems,

• provision of a web-based data base that contains security vulnerabilities and incidents, as well as proposals for solutions,

• structured and fast exchange of information regarding security problems via a web-based forum in order to get fast responses to security questions,

• emergency support and necessary coordination with manufacturers, providers and other CERTs, and

• training and support for improving the quality management needed for the establishment of emergency teams.

Details regarding the S-CERT concept and S-CERT services can be found at the web links

• http://www.siz.de/siz-produkte/sicherheitstechnologie/aktive-sicherheit/s-cert/s-cert-produktkonzept.htm, and

• http://www.siz.de/siz-produkte/sicherheitstechnologie/aktive-sicherheit/s-cert/s-cert-dienstleistungen.htm.

4.2.17 Secorvo

The Secorvo Security Consulting GmbH is a commercial organization that offers organizational and technical support for the establishment and the operation of company CERTs including the following aspects:

• development of operation and organization concepts for the operation of a CERT, including the

  − securing of all relevant business processes,

  − description of company-wide applicable procedures and processes,

  − clarification of legal framework conditions, and the

  − technical and organizational integration of the CERT into existing company structures,

• specification of the requirements for the establishment, the composition and the structure of the team,

• definition of roles and responsibilities, the development of a crisis management, and the definition of clear communication paths,

• definition of services, including the identification and selection of the CERT services to be offered, and their availability and quality,

• support for the production of the documentation and working instructions, including the

  − establishment of adequate knowledge data bases,

  − categorization and prioritization of incidents and security gaps,

  − provision of information via public media, and the

  − production of comprehensive statistics on incidents,

• operative support of the CERT in incident handling, e.g.

  − coordination and assessment of incidents and security gaps,

  − establishment of adequate preventive, reactive and proactive measures,

  − support of diverse technologies,

  − provision of effective mechanisms for indicating incidents,

  − classification of individual incidents within superior attack scenarios,

  − selection of appropriate counter measures,

  − provision of suitable patches and hot fixes, and the

  − distribution of warnings,

• support for the operation of the CERT, including the

  − sensitization of the users,

  − awareness raising,

  − cooperation with other external CERTs, and the

• realization of security measures within the CERT, including the

  − prevention of internal and external attacks,

  − detection of security gaps, and the

  − conception and creation of its own Intrusion Detection System (IDS).


Further details on Secorvo CERT support can be found at the link http://www.secorvo.de/leistungen/cert.html.

4.2.18 secu-CERT

secu-CERT, established in 1998, is a commercial CERT organization hosted by the company secunet Security Networks AG. secu-CERT offers internal security services to its hosting organization and customers. secu-CERT has been a full member of FIRST since July 2001, and is a member of TF-CSIRT and a member of CERT-Verbund. secu-CERT provides support for its customers regarding the establishment of their preventive and reactive services, such as:

• consultancy for the development of CERT services,

• provision of advisory management systems,

• development of early warning systems,

• support for security incident handling,

• support for forensic analysis,

• technical training of CERT employees, and the

• development of concepts for target group-oriented security awareness programs.

4.2.19 SIEMENS-CERT

Siemens-CERT, established in April 1998, is a commercial CERT organization hosted by the company Siemens AG. Siemens-CERT, located in Germany and in the USA, offers internal security services to its hosting organization and customers worldwide. Siemens-CERT is a member of FIRST since May 1998, an accredited member of TF-CSIRT since March 2001, and a member of CERT-Verbund. Siemens-CERT performs the following tasks:

• provision of timely information about vulnerabilities and remediation measures,

• development of checklists and security policies,

• provision of security tools,

• contacts with colleagues and manufacturers worldwide, and the

• handling of security incidents.

4.2.20 T-Com-CERT

T-Com-CERT, formerly known as T-NETWORK-CERT, is a commercial CERT organization hosted by the German Telekom AG. T-Com-CERT offers internal network security services for the network infrastructure of the German Telekom. T-Com-CERT is an accredited member of TF-CSIRT since October 2004.


4.2.21 Telekom-CERT

Telekom-CERT, established in July 2001, is a commercial CERT organization hosted by the company German Telekom AG – Group Security. Telekom-CERT offers internal security services to its hosting organization, subsidiary companies and associated companies. Telekom-CERT is a member of CERT-Verbund, a member of FIRST since October 2001, and an accredited member of TF-CSIRT since October 2004.

4.2.22 WWU-CERT

WWU-CERT, established in July 2001, is an educational and research CERT organization hosted by the Westfälische Wilhelms-Universität Münster (WWU). WWU-CERT offers internal security services to its hosting organization, subsidiary companies and associated companies. WWU-CERT is a member of DFN-CERT. WWU-CERT performs the following tasks:

• fast and efficient help as reaction to the occurrence of security incidents,

• removal of the systems from the network in the case of critical incidents,

• sending of information about incidents, including countermeasures, to the responsible persons via e-mail,

• disconnection of affected communication links (VPN, teleport, modem, etc.) in the case of incidents, and prevention of reconnections,

• sending of information about incidents, including countermeasures, to the responsible persons via digitally signed (PGP or GnuPG) e-mail,

• preparation of information and execution of investigations required for preventive measures or the approval of indications of security violations,

• processing of cases of infringement of copyright, including checking and suitable reactions,

• processing of inquiries from attorneys or the police,

• operation of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), and the

• cooperation regarding the conception of security-related regulations.

4.3 United Kingdom

The current situation of security threats and vulnerabilities in the UK is described in the technical report “Information Security Breaches Survey 2006” (see [DTI ISBS06] for details), sponsored by the Department of Trade and Industry (DTI). The results of this survey show that viruses and malicious software continue to be the largest cause of security breaches for UK businesses.


This section provides an overview of CERT organizations and their activities that have been established in the United Kingdom. Currently the following set of UK CERT organizations exists:

• BT SBS (see section 4.3.1),

• BTCERTCC (see section 4.3.2),

• CITIGROUP (see section 4.3.3),

• E-CERT (see section 4.3.4),

• EUCS-IRT (see section 4.3.5),

• JANET-CERT (see section 4.3.6),

• MLCIRT (see section 4.3.7),

• MODCERT (see section 4.3.8),

• OxCERT (see section 4.3.9),

• Q-CIRT (see section 4.3.10),

• UNIRAS, NISCC, and CPNI (see section 4.3.11).

4.3.1 BT SBS

British Telecommunications Secure Business Services (BT SBS), established in February 2001, is a commercial CERT organization hosted by British Telecommunications Ignite Global Services. BT SBS offers its security services to customers who have subscribed to the secure business service product range and have taken the CSIRT option. BT SBS has been an accredited member of FIRST since March 2001, and an accredited member of TF-CSIRT since June 2001. BT SBS responds to all incidents related to the customers’ networks and systems.

4.3.2 BTCERTCC

British Telecommunications CERT Co-ordination Centre (BTCERTCC), established in March 1999, is a commercial CERT organization hosted by the British Telecommunications PLC. BTCERTCC offers its internal security services to its hosting organization involving BT's own-use computer systems and networks. BTCERTCC is an accredited member of FIRST since August 2000, and an accredited member of TF-CSIRT since June 2001. BTCERTCC performs the following tasks:

• provision of permanent monitoring services for BT's key networks,

• issuance of regular vulnerability bulletins,

• assistance in providing high levels of security practice,

• provision of incident handling, and the

• handling of all reported CERT incidents.


4.3.3 CITIGROUP

Citigroup is a commercial CERT organization. It is a full member of FIRST, and a member of TF-CSIRT.

4.3.4 E-CERT

Energis Computer Emergency Response Team (E-CERT) is a commercial CERT organization hosted by Energis Squared Limited that provides its security services to its own company and its customers. E-CERT has been a full member of FIRST since January 2002.

4.3.5 EUCS-IRT

The University of Edinburgh Computer Service Incident Response Team (EUCS-IRT) is an educational and research CERT organization, hosted by the University of Edinburgh that provides its security services to its host. EUCS-IRT is a member of TF-CSIRT since April 2002.

4.3.6 JANET-CERT

JANET-CERT, established in 1993, is an educational and research CERT organization, hosted by JNT Association Ltd, trading as United Kingdom Education and Research Networking Association (UKERNA). JANET-CERT provides its security services for customers of the JANET network; and higher and further education and research organizations in the UK. JANET-CERT is an accredited member of FIRST since 31 August 2000, and an accredited member of TF-CSIRT since January 2001. The tasks of JANET-CERT include the following activities:

• ensuring the current and future security of JANET and its customers,

• taking the leadership on the JANET security policy,

• coordination of security responses,

• development of security resources,

• maintaining leading-edge skills,

• providing incident coordination,

• providing training and advice for JANET organizations, and

• cooperation with other CERT organizations.

A subset of the latest security information, documentation, and other information provided by JANET-CERT is listed in Table 16.

Table 16: JANET-CERT Information and Documents

TOPIC / TITLE: LINK

Abuses
  e-mail abuse report: http://www.ja.net/cert/email/report.html
  e-mail abuse, UBE (spam) and viruses: http://www.ja.net/cert/email/abuse.html
  reporting abuse: http://www.ja.net/cert/abuse/

Advices
  a range of information on good practice: http://www.ja.net/cert/bcp/detail.html
  advice on good practice: http://www.ja.net/cert/bcp/
  the simplest security advice: http://www.ja.net/cert/bcp/basic.html

Contacts
  contact information about JANET-CERT: http://www.ja.net/cert/team/contactus.html

Cooperations
  external relationships: http://www.ja.net/cert/ext/

Courses
  details on courses: http://www.ja.net/cert/courses/200702/
  training and courses: http://www.ja.net/cert/courses/

Information
  general information about JANET-CERT: http://www.ja.net/cert/team/janet.html
  general information about JANET-CERT: http://www.ja.net/cert/team/
  information about the JANET-CERT team: http://www.ja.net/cert/team/
  relation between JANET and JANET-CERT: http://www.ja.net/cert/team/janet.html

Legislation
  complying with UK and other legislation: http://www.ja.net/cert/policy/legal.html

Policies
  security and other policies: http://www.ja.net/cert/policy/

Reports
  management reports on JANET-CERT activity, reports and statistics: http://www.ja.net/cert/stats/

Security
  security considerations when building a network connected to JANET: http://www.ja.net/cert/bcp/build.html

Members
  list of team members: http://www.ja.net/cert/team/certmembers.html

Threats
  deliberate attacks: http://www.ja.net/cert/threats/attack.html
  reporting DoS attacks: http://www.ja.net/cert/threats/reportdos.html
  reporting scanning activity: http://www.ja.net/cert/threats/reportscan.html
  the threats to networks: http://www.ja.net/cert/threats/
  threats from own users: http://www.ja.net/cert/threats/users.html
  viruses and worms: http://www.ja.net/cert/threats/virus.html

Vulnerabilities
  advice on network issues: http://www.ja.net/cert/bcp/
  Apache mod_rewrite bug: http://www.ja.net/cert/advsris/20060802.html
  Centrino security bug: http://www.ja.net/cert/advsris/20060810.html
  Microsoft patches KB920683, KB921883: http://www.ja.net/cert/advsris/20060811.html

4.3.7 MLCIRT

Merrill Lynch Computer Security Incident Response Team (MLCIRT) is a commercial CERT organization, hosted by Merrill Lynch that provides its security services for all employees, contractors and staff of Merrill Lynch. MLCIRT is a full member of FIRST since November 2001.


4.3.8 MODCERT

The Ministry of Defence CERT (MODCERT) is a governmental CERT organization hosted by the Ministry of Defence of the UK that provides its security services to its customers. MODCERT is a full member of FIRST, and a member of TF-CSIRT. Its main tasks include the following activities:

• coordination of the Ministry of Defence's response to computer security incidents (joint security coordination center),

• monitoring and reporting (monitoring and reporting centers),

• operation of warning, advice and reporting points, and the

• cooperation with the UK Government CERT (GCERT) at UNIRAS.

4.3.9 OxCERT

University of Oxford CERT (OxCERT) is an educational and research CERT organization, hosted by the University of Oxford that provides its internal security services to its hosting organization. OxCERT is a full member of FIRST since January 2002.

A subset of latest security information, documentation, and other information provided by OxCERT is listed in Table 17.

Table 17: OxCERT Information and Documents

TOPIC / TITLE: LINK

Advisories
  BugTraq mailing list - announcement and discussion of vulnerabilities: http://www.securityfocus.com/archive/1
  CERT Current Activity, Vulnerabilities, Incidents and Fixes: http://www.cert.org/nav/index_red.html
  Incidents, security updates and news for Microsoft operating systems only: http://www.microsoft.com/security/default.mspx
  Latest advisories for most Linux distributions: http://www.linuxsecurity.com/content/blogcategory/0/76/
  Latest security issues and articles for Microsoft products: http://www.windowsitpro.com/WindowsSecurity/
  Several mailing lists for discussions of latest news, exploits: http://www.securityfocus.com/archive/1

Articles
  Outline of concrete actions to take when dealing with a compromised system, inclusion of links to essential tools: http://www.ict.ox.ac.uk/oxford/compsecurity/nix_intrusion.pdf

Policies
  Data Protection at the University of Oxford: http://www.admin.ox.ac.uk/councilsec/oxonly/dp/
  Excerpts from the Proctors' Memorandum concerning Computer Misuse and the Data Protection Act: http://www.ict.ox.ac.uk/oxford/rules/proctors.xml#dpp
  Other Rules for Computer Use: http://www.ict.ox.ac.uk/oxford/rules/other.xml
  Regulations Relating to the use of Information Technology Facilities: http://www.admin.ox.ac.uk/statutes/regulations/196-052.shtml
  Rules regarding Peer-to-Peer software: http://www.ict.ox.ac.uk/oxford/rules/p2p.xml
  University of Oxford Statement of IT Security and Privacy Policy: http://www.ict.ox.ac.uk/oxford/secpriv/policy.xml

Resources
  Step-by-step guidance to secure desktops and web servers, to detect signs of intrusion, to deploy firewalls and other issues: http://www.cert.org/security-improvement/
  Security collection of documents, software, and links to other services relating to general security and privacy: http://www.ict.ox.ac.uk/oxford/compsecurity/

Vulnerabilities
  McAfee Virus Information Library: http://vil.nai.com/vil/default.asp
  Sophos Virus Information: http://www.sophos.com/virusinfo/
  Symantec Security Response: http://securityresponse.symantec.com/avcenter/vinfodb.html#threat_list

4.3.10 Q-CIRT

QinetiQ Computer Incident Response Team (Q-CIRT) is a commercial CERT organization hosted by QinetiQ, Britain's largest independent science and technology company. Q-CIRT provides its security services to its own company and its security service clients. Q-CIRT has been a full member of FIRST since October 2002.

4.3.11 UNIRAS, NISCC, and CPNI

UNIRAS, established in 1992, is a governmental CERT organization hosted by the National Infrastructure Security Co-ordination Centre (NISCC) that provides its security services to the central government, critical national infrastructure organizations and government contractors. UNIRAS is a member of EGC, an accredited member of FIRST since August 2000, and an accredited member of TF-CSIRT since April 2002.

NISCC works with government departments and agencies, commercial organizations and the academic community in the research of vulnerabilities and potential threats to IT systems, especially where they may have an impact on the Critical National Infrastructure (CNI). It also coordinates the public disclosure process where a particular problem extends across a number of software products.

NISCC, established in 1999, is an inter-departmental center working closely with a wide range of government departments, agencies, commercial organizations, and the academic community. UNIRAS and NISCC have the following aims:

• support for research and development, managed by the NISCC Capability Development and Research group (CD&R), which is also responsible for the provision of ICT services, with the following activities:
  − studies in order to support questions and issues raised by NISCC business activities,
  − research by internal support from CESG and DSTL, and by collaboration or contract with research institutions, governmental parties, and the industry, focusing on investigations of new threats and vulnerabilities, and the
  − development of technical tools,
• organization of incident management courses,
• provision of statistical information and analysis from security incidents,
• provision of assistance to other organizations that plan to set up incident response teams,
• investigation, assessment and disruption of threats,
• promotion of information sharing, offering of advice and fostering of best practices,
• support for the following types of incident reports:
  − network probes and scans, based on frequent monitoring of firewall logs, router logs, and audit logs,
  − blocked hacking attacks, through alerts from intrusion detection systems,
  − blocked malicious software (worms, viruses, Trojans and rootkits) infections,
  − actual malicious software infections,
  − successful hacking attacks discovered through the use of IDSs or through anomalies in system behavior,
  − malicious denial of service attacks, and
  − data interception and monitoring attacks,
• warning of new threats, advising on mitigation, managing disclosure of vulnerabilities, and support for recovering from attacks,
• Warning, Advice and Reporting Point (WARP) website that provides details on how to establish and operate a WARP by using the WARP toolbox,
• provision of a free of charge WARP toolbox that can be used with the written permission of NISCC,
• design of appropriate techniques and methods for vulnerability handling,
• research in computer vulnerabilities or weaknesses,
• cooperation with vendors, ISPs and open source distributors to provide software patches through a policy of responsible disclosure,
• alerting of communities at the most appropriate time, minimizing the risk of potential exploitation,
• generation of briefings that contain general information and details of software vulnerabilities and patches,
• provision of vulnerability advisory notices,
• publication of alerts and related information that should be acted upon immediately,
• redistribution of computer security briefings authored by other CERTs, vendors, and other groups concerned about IT security,
• provision of technical notes that offer practical advice for key vulnerability issues,
• publication of viewpoint papers that provide an overview of emerging technologies and other IT related issues,
• conduct of assessments with the full participation and agreement of the company under assessment, and the production of assurance reports consisting of the following parts:
  − company overview,
  − critical services provided by the company,
  − impact of loss of these services on the UK,
  − corporate assurance indicators,
  − critical systems assurance indicators,
  − dependencies and interdependencies,
  − vulnerability assessment by identifying possible scenarios of electronic attacks,
  − threat assessment tailored to the specifics of the company and its vulnerabilities,
  − recommendations to improve resilience, and the
  − planning of revisit and review milestones,
• provision of support for Supervisory Control and Data Acquisition (SCADA) systems,
• support for the creation of Information Exchanges (mechanisms for sharing information about electronic threats and attacks within a small, discrete community, based on the personal trust of the representatives) for the following sectors:
  − Financial Services Information Exchange (FSIE),
  − Managed Service Providers Information Exchange (MSPIE),
  − Network Security Information Exchange (NSIE), including telecoms, data and mobile communications,
  − Pharmaceutical Industries Information Exchange (PIIE),
  − SCADA and Control Systems Information Exchange (SCSIE), and the
  − Transport Services Information Exchange (TSIE), and the
• international cooperation in the field of incident management related to virus infections and hacking attacks.

More details and information about the activities of UNIRAS and NISCC can be found at the links listed in Table 18.

Table 18: UNIRAS/NISCC Information and Documents

TOPIC | TITLE | LINK
Activity | Coordinated assault upon scammers and spammers | http://www.gnn.gov.uk/content/detail.asp?ReleaseID=147254&NewsAreaID=2
Advices | NISCC General advice: Protecting Your Network | http://www.niscc.gov.uk/niscc/docs/re-20020301-00476.pdf
Advisories | Latest vulnerability advisory notices | http://www.niscc.gov.uk/niscc/vulnAdv-en.html
Cooperations | Coordination and disclosure of ProCheckUp's vulnerability research | http://www.procheckup.com/press160205.htm
Cooperations | Partnership agreement with Verisign | http://www.niscc.gov.uk/niscc/docs/re-20041231-00959.pdf
Cooperations | Partnership promoting the coordination of vulnerability discoveries | http://www.corsaire.com/news/040521-niscc.html
Cooperations | Partnership with NGS Software in the field of responsible vulnerability disclosure | http://www.ngssoftware.com/press-releases/ngssofware-announce-partnership-with-niscc/
Development | Vulnerability and exploit description and exchange format | http://www.niscc.gov.uk/niscc/vedef-en.html
Documents | Generic assurance report | http://www.niscc.gov.uk/niscc/docs/re-20040601-00394.pdf
Documents | Government approach for dealing with the various risks and threats facing information systems across the UK | http://www.knowledgenetwork.gov.uk/co/kimscsia.nsf/0/1ED888FF8B9C96DA80256EB60059F3E2/$FILE/CSIA%20booklet.pdf?openelement
Documents | Incident report form | http://www.niscc.gov.uk/niscc/docs/Incident_Report.doc
Documents | Information exchange rules | http://www.niscc.gov.uk/niscc/docs/re-20040601-00395.pdf
Guidance | A good practice guide: Firewall deployment for SCADA and Process Control Networks | http://www.niscc.gov.uk/niscc/docs/re-20050223-00157.pdf
Guidance | A good practice guide: Process Control and SCADA Security | http://www.niscc.gov.uk/niscc/docs/re-20051025-00940.pdf
Guidance | Botnets - the threat to the Critical National Infrastructure | http://www.niscc.gov.uk/niscc/docs/botnet_11a.pdf
Guidance | Mitigation of malicious software | http://www.niscc.gov.uk/niscc/docs/currentAdvice.pdf
Guidance | Secure web applications | http://www.niscc.gov.uk/niscc/docs/secureWebApps.pdf
Guidance | Social engineering against information systems | http://www.niscc.gov.uk/niscc/docs/SocialEngineering08a06.pdf
Guidance | Targeted Trojan email attacks | http://www.niscc.gov.uk/niscc/docs/ttea.pdf
Guidance | The Pharming Guide - understanding and preventing pharming attacks | http://www.niscc.gov.uk/niscc/docs/pharming_guide.pdf
Guidance | The Phishing Guide - understanding and preventing phishing attacks | http://www.niscc.gov.uk/niscc/docs/phishing_guide.pdf
Guidance | WARPs and Information Sharing | http://www.warp.gov.uk/Marketing/WARPs%20&%20toolbox%20flyer.pdf
Information | Virus incident spreadsheet | http://www.niscc.gov.uk/niscc/docs/Virus_Incidents_-_example.xls
Initiative | Development of information and communication technologies | http://www.gnn.gov.uk/Content/Detail.asp?ReleaseID=119060&NewsAreaID=2
Initiative | ITsafe initiative | http://www.itsafe.gov.uk/
Initiative | National campaign “Get Safe Online” | http://www.getsafeonline.org/
Services | Financial services information exchange | http://www.niscc.gov.uk/niscc/FSIE-en.html
Services | Managed service providers information exchange | http://www.niscc.gov.uk/niscc/MSPIE-en.html
Services | Network Security Information Exchange | http://www.niscc.gov.uk/niscc/NSIE-en.html
Services | Pharmaceutical Industries Information Exchange | http://www.niscc.gov.uk/niscc/PIIE-en.html
Services | Provision of expert advice to help businesses to protect themselves against security threats | http://www.gnn.gov.uk/Content/Detail.asp?ReleaseID=115927&NewsAreaID=2
Services | SCADA and Control Systems Information Exchange | http://www.niscc.gov.uk/niscc/SCSIE-en.html
Services | Transport Services Information Exchange | http://www.niscc.gov.uk/niscc/TSIE-en.html
Services | Warning, Advice and Reporting Points | http://www.securekent.com/section.asp?catId=61
 | DTI Information Security Breaches Survey 2006 | http://www.pwc.com/extweb/pwcpublications.nsf/docid/7FA80D2B30A116D7802570B9005C3D16
Vulnerabilities | New vulnerabilities discovered or patched | http://www.sans.org/top20/Q1-2005update/

The Centre for the Protection of National Infrastructure (CPNI) was recently created through the merger of NISCC and the National Security Advice Centre (NSAC, part of MI5). Its official website was launched on 1 February 2007.

CPNI is a governmental authority operating under the Director General of the Security Service (MI5) that cooperates with the following governmental departments and agencies that are responsible for specific services and sectors of the critical national infrastructure:

• communications sector: Department of Trade & Industry (DTI),
• emergency sector:
  − ambulance: Department of Health (DH),
  − fire and rescue: Communities and Local Government (CLG),
  − maritime: Department for Transport (DfT),
  − police: Home Office,
• energy sector: Department of Trade & Industry (DTI),
• financial sector: Her Majesty's Treasury (HMT),
• food sector: Department for the Environment, Food and Rural Affairs (Defra) and Food Standards Agency (FSA),
• government: Cabinet Office (CO),
• health sector: Department of Health (DH),
• transport sector: Department for Transport (DfT), and the
• water sector: Department for the Environment, Food and Rural Affairs (Defra).

CPNI primarily provides protective security advice to the industry and organizations that are responsible for the critical national infrastructure. CPNI has the following main aims and tasks:

• reduction of the vulnerability of the national infrastructure,
• safety improvement of essential services for the communications, energy, finance, food, government, health, transport and water sectors,
• provision of advice and information on computer network defense and other information assurance issues,
• provision of advice on physical security and personnel security issues, including
  − risk assessment,
  − identification of vulnerabilities and the potential impact of exploitation,
  − creation of security plans,
  − awareness raising,
  − mail-handling procedures,
  − electronic security measures, and
  − creation and testing of business continuity plans,
• cooperation with international partners, governmental departments, businesses, and the police,
• funding of partnerships with academia, other government agencies, research institutions and the private sector,
• execution of research programs to improve the security of critical sites and assets covering physical, personnel and electronic security,
• development of applications in order to reduce potential vulnerabilities,
• support for the establishment of teams of sector based and specialist advisers,
• support for training, and the
• provision of online information.

CPNI provides the following set of publications:

• urgent InfoSec Advisories: addressing potential IT security problems that should be acted on immediately,
• general protective security publications: provision of clear and concise advice,
• information security briefings: highlighting risks to the national infrastructure,
• information security technical notes: provision of practical advice on important information security issues,
• security vulnerability disclosures: determination of threats, identification of problems, and collaboration with vendors to provide software patches, and the
• good practice guidelines: promotion of best practices via information sharing.


4.4 Other European CERTs

This section provides an overview of other European CERT organizations and their activities that have been established in the EU region. The following set of countries and organizations are taken into account:

• Austria: ACOnet-CERT (see section 4.4.1),
• Belgium: BELNET CERT (see section 4.4.2),
• Denmark: DK-CERT (see section 4.4.3.1), CSIRT.DK (see section 4.4.3.2), and KMD IAC (see section 4.4.3.3),
• Finland: CERT-FI (see section 4.4.4),
• Italy: CERT-IT (see section 4.4.5.1), and GARR-CERT (see section 4.4.5.2),
• Netherlands: AMC-CERT (see section 4.4.6.1), CERT-IDC (see section 4.4.6.2), CERT-KUN (see section 4.4.6.3), GOVCERT.NL (see section 4.4.6.4), CERT-RUG (see section 4.4.6.5), SURFnet-CERT (see section 4.4.6.6), CERT-UU (see section 4.4.6.7), KPN-CERT (see section 4.4.6.8), and UvA-CERT (see section 4.4.6.9),
• Norway: NorCERT (see section 4.4.7.1), and UNINETT CERT (see section 4.4.7.2),
• Spain: esCERT-UPC (see section 4.4.8.1), and IRIS-CERT (see section 4.4.8.2),
• Sweden: SITIC (see section 4.4.9.1), SUNet-CERT (see section 4.4.9.2), and TS-CERT (see section 4.4.9.3), and
• Switzerland: SWITCH-CERT (see section 4.4.10).


4.4.1 Austria

ACOnet-CERT is an educational and research CERT organization, hosted by the Vienna University Computer Center, that coordinates security efforts and incident response for security problems affecting its customers. ACOnet-CERT has been a member of FIRST since April 2003 and an accredited member of TF-CSIRT since March 2003, and is a member of Computer Incident Response Coordination Austria (CIRCA). The tasks of ACOnet-CERT include the following activities:

• provision of services on a best-effort basis with the available resources, not within a framework of service level agreements,
• addressing of all types of computer security incidents which occur, or potentially may occur,
• provision of different levels of support depending on the
  − type and severity of the incident or issue,
  − type of constituent,
  − size of the user community affected, and the
  − currently available resources of ACOnet-CERT,
• cooperation with other organizations via the exchange of information regarding security incidents and vulnerabilities,
• protection of the privacy of their customers,
• operation complying with Austrian law,
• secure communication via PGP-encrypted e-mail,
• coordination of incident prevention, incident handling and the generation of responses, including the following steps:
  − determination of the authenticity of incidents and of the involved actors,
  − contacting the involved organizations to investigate the incident and to take the appropriate steps,
  − facilitation of contact with appropriate law enforcement officials, if necessary,
  − sending of reports to other CSIRTs (incident reporting forms are currently not supported), and the
  − composition of announcements to users, if applicable,
• performing incident resolution by the following steps:
  − assurance that incidents have been properly handled by the affected organizations via feedback of reports,
  − performing of appropriate steps within the backbone network of ACOnet, if required,
  − collection of evidence, if law enforcement is involved,
  − sending of final reports back to the affected organizations stating that the incident was resolved, and the
  − collection of statistics about incidents within the constituency,
• coordination and maintenance of the following services for its customers:
  − information services,
  − listing of the security contacts of the organizations of the constituency, and the
  − provision of mailing lists for informing the constituency of important security issues,
• provision of proactive services in the framework of ArgeSecur, which is a part of ACOnet-CERT representing a group of security experts mainly from Austrian universities with the goal of cooperating in the field of IT security; the tasks of ArgeSecur include the following activities:
  − training for university staff,
  − technological watch and discussion,
  − exchange of information and experience,
  − establishment of a web of trust,
  − co-operation in security audits, and the
  − establishment of a corporate information platform regarding security information.

4.4.2 Belgium

BELNET CERT is an educational and research CERT organization, hosted by BELNET, the Belgian National Research and Education Network (NREN). BELNET CERT provides security services for all Belgian research centers, museums and libraries, for all national ministries, and for other federal or regional institutions. BELNET CERT has been a member of FIRST since April 2003 and an accredited member of TF-CSIRT since September 2004. The tasks of BELNET CERT include the following activities:

• provision of security-related information to the BELNET community,
• provision of support for handling computer and network security incidents,
• coordination of investigations and information flow regarding security incidents of affected constituencies,
• description of the full services offered in the “Service Description Document” (for details see http://cert.belnet.be/index.php?module=documents&JAS_DocumentManager_op=viewDocument&JAS_Document_id=2),
• provision of the following two mailing lists:
  − announces: see http://lists.belnet.be/wws/info/cert-announces, and
  − alerts: see http://lists.belnet.be/wws/info/cert-alerts, and the
• digitally signed communication coming from BELNET CERT.

4.4.3 Denmark

CERT organizations in Denmark include DK-CERT, CSIRT.DK, and KMD IAC.

4.4.3.1 DK-CERT

The Denmark CERT (DK-CERT), established in 1999, is an educational and research CERT organization, hosted by UNI-C, the Danish IT center for education and research, which in turn is a national organization under the Danish ministry of education. DK-CERT provides security services for companies and institutions. DK-CERT has been a member of FIRST since April 2003, and is a member of CERT CC and a member of TF-CSIRT. The tasks of DK-CERT include the following activities:

• establishment of international cooperation based on the original concept of CERT CC in the US,
• monitoring and handling of IT security incidents,
• provision of free information services,
• support of a special notification form regarding security incidents,
• analysis of notifications from persons who have been exposed to security incidents,
• proposal of solutions to the problems and warning of others that might be potential targets for similar incidents, depending on the wish of the parties involved for anonymity and confidentiality,
• coordination of information between the involved parties and other organizations, such as foreign response teams, and the police,
• operating in an advisory role and not in an authority role to order or instruct any party,
• acting in an intermediary role for information between different parties wishing to remain anonymous,
• establishment of confidential communication between different national and international parties regarding the handling of information about incidents and vulnerabilities,
• provision of advice regarding potential security risks,
• provision of assistance regarding analysis of log files,
• provision of instruction on how an affected system can be restored and possible damage remedied,
• provision of preventive measures,
• regular publication of articles with alerts, advisories and news, and the
• publication of information regarding security vulnerabilities in software and networks, as well as precautionary measures relating to security incidents.

4.4.3.2 CSIRT.DK

The Denmark CIRT (CSIRT.DK), established in 1999, is a commercial CERT organization, hosted by TDC A/S (Tele Denmark Communications A/S, formerly Tele Denmark A/S), that provides security services for its customers. CSIRT.DK has been a member of FIRST since December 1999, and a member of TF-CSIRT since April 2001. The tasks of CSIRT.DK include the following activities:

• handling of cases of IT security incidents,
• provision of advice and information to recover from incidents and to improve the security of systems,
• preparation of information on the latest IT security threats,
• handling of reports that will normally be answered only by an auto reply,
• provision of guidelines regarding the handling of reports on internet abuse,
• provision of different levels of support depending on the
  − type and the severity of the incident or issue,
  − type of constituent, and the
  − size of the user community affected,
• assignment of resources according to the following decreasing order of priorities:
  − threats to the physical safety of human beings,
  − root or system-level attacks on any machine, either multi-user or dedicated-purpose,
  − compromise of restricted confidential service accounts or software installations, in particular those with authorized access to confidential data,
  − denial of service attacks,
  − threats at other sites, originating from Tele Denmark customers,
  − large-scale attacks of any kind, for which multiple reports from different reporting entities and/or attacks involving several machines and/or services for a single constituent are to be considered,
  − compromise of individual user accounts by unauthorized access to a user or service account, and
  − forgery and misrepresentation, and other security-related violations of local rules and regulations.

4.4.3.3 KMD IAC

KMD IAC, established in August 1997, is a commercial CERT organization, hosted by KMD that provides security services to its hosting organization and customers. KMD IAC is a member of FIRST since November 2001, and an accredited member of TF-CSIRT since March 2002.

4.4.4 Finland

CERT-FI, established in January 2002, is a governmental CERT organization, hosted by the Finnish Communications Regulatory Authority (FICORA) that provides security services to the whole country of Finland. CERT-FI is a member of EGC and an accredited member of TI since May 2004. The tasks of CERT-FI include the following activities:

• handling of cases of IT security incidents,
• provision of technical help regarding observed security incidents,
• promotion of security in the information society,
• cooperation with national and international CERTs and with representatives of trade, industry and public administrations,
• implementation of nationwide monitoring of incidents, and their documentation and statistics,
• analyses of information security threats,
• provision and distribution of recommendations, advice and guidelines on vulnerabilities in order to improve ICT security,
• support for solving information security problems,
• cooperation with suppliers of equipment, networks and software,
• cooperation with the police and other authorities in information security matters,
• publication of quarterly and annual ICT security reports, and
• publication and distribution of warnings (see, e.g., http://www.ficora.fi/suomi/tietoturva/varoitukset.htm).

4.4.5 Italy

CERT organizations in Italy include CERT-IT, and GARR-CERT.

4.4.5.1 CERT-IT

The Italian CERT (CERT-IT), established in February 1994, is an educational and research CERT organization, hosted by the University of Milan that provides security services to its hosting organization and Internet connected sites in Italy. CERT-IT is a member of FIRST since 1995, and a member of TF-CSIRT. The tasks of CERT-IT include the following activities:

• development of a security culture,
• provision of technical expertise,
• promotion of research and development in computer security,
• collection and publication of statistics for different types of attack, hacking techniques, main system vulnerabilities, and most common methods of intervention,
• performing of incident handling,
• provision of general information, and contact information regarding technical questions and incident reporting,
• detection of vulnerabilities of applications and system services, and the
• development of tools for secure communications.


A subset of latest security information, documentation, and other information provided by CERT-IT is listed in Table 19.

Table 19: CERT-IT Information and Documents

TOPIC | TITLE | LINK
Activities | collection of statistics | http://security.dsi.unimi.it/activities.en.html#statistics
Activities | research and development | http://security.dsi.unimi.it/activities.en.html#research
Activities | technical expertise | http://security.dsi.unimi.it/activities.en.html#tech
Information | general information | http://security.dsi.unimi.it/activities.en.html#information
Services | incident handling | http://security.dsi.unimi.it/activities.en.html#incidents

4.4.5.2 GARR-CERT

The GARR-CERT, established in March 1999, is an educational and research CERT organization, hosted by the GARR Network, that provides security services to its hosting organization and to institutions connected to the GARR network. GARR-CERT has been a member of FIRST since 1995, and an accredited member of TF-CSIRT since October 2001. The tasks of GARR-CERT include the following activities:

• handling of computer and network security incidents, including the following steps:
  − investigation of the nature and extent of the incident,
  − determination of the initial cause of the vulnerability exploited,
  − contacting other involved sites,
  − reporting to other CSIRTs, and
  − support for removing the vulnerability,
• assistance for users in responding to security incidents,
• assistance for users of the GARR network in implementing proactive measures,
• coordination of the handling of security incidents,
• dissemination of information about vulnerabilities and recommended security measures,
• provision of proactive measures, including mailing lists and auditing services,
• testing and the development of security tools,
• use of incident reporting forms,
• operation complying with defined policy,
• provision of different levels of support according to the severity of incidents, without direct support for end-users,
• cooperation with affected parties regarding the resolution of security incident problems,
• filtering of compromised nodes on the GARR network border routers,
• provision of information on potential vulnerabilities, possibly before they are actively exploited, and the
• transmission of low-sensitivity data via phone and unencrypted e-mail, and the transmission of high sensitivity data by e-mail using PGP.

A subset of latest security information, documentation, and other information provided by GARR-CERT is listed in Table 20.

Table 20: GARR-CERT Information and Documents

TOPIC | TITLE | LINK
Institutions | institutions connected to the GARR network | http://www.garr.it/garr-b-home-engl.shtml
Institutions | detailed general information | http://www.cert.garr.it/
Services | filtering of compromised nodes | http://www.cert.garr.it/incidenti.php3
Services | methods of GARR-CERT's incident response services | http://www.cert.garr.it/GARR-CERT-descr-rfc.html#2.11#2.11
Services | mailing lists | http://www.cert.garr.it/mailing.php3
Reporting | incident reporting forms | http://www.cert.garr.it/incident-report-form.php3

4.4.6 Netherlands

CERT organizations in the Netherlands include AMC-CERT, CERT-IDC, CERT-KUN, GOVCERT.NL, CERT-RUG, SURFnet-CERT, CERT-UU, KPN-CERT, and UvA-CERT.

4.4.6.1 AMC-CERT

The Academic Medical Center CERT (AMC-CERT) is a medical CERT organization, hosted by the academic medical center at the University of Amsterdam that provides security services to its hosting organization. AMC-CERT is a member of SURFnet (see section 4.4.6.6).

4.4.6.2 CERT-IDC

The CERT-Internet Data Center (CERT-IDC) is a commercial banking CERT organization, hosted by Energis N.V. that provides security services to its banking organizations and about 500 Dutch industry organizations. CERT-IDC is a member of TERENA’s Trusted Introducer.


4.4.6.3 CERT-KUN

The CERT Katholieke Universiteit Nijmegen (CERT-KUN) is an educational and research CERT organization, hosted by the University of Nijmegen, that provides security services to its hosting organization and its employees.

4.4.6.4 GOVCERT.NL

The Government CERT of the Netherlands (GOVCERT.NL), established by the Ministry of the Interior and Kingdom Relations in June 2002, is a governmental CERT organization, hosted by ICTU, the Dutch organization for information and communication technology in the public sector. GOVCERT.NL provides security services to all governmental bodies. GOVCERT.NL is a member of EGC and FIRST, and has been a member of TERENA’s Trusted Introducer since June 2002. The tasks of GOVCERT.NL include the following activities:

• preventing and dealing with ICT-related security incidents,
• coordination of activities as central emergency point dealing with ICT-related security incidents, such as computer viruses, hacking and vulnerabilities in applications and hardware,
• provision of timely information to appropriate parties,
• assistance of government officials in preventing security incidents and responding appropriately,
• provision of a range of services for the areas of prevention, knowledge exchange and incident handling,
• provision of security scans and advice,
• production of reports including information on improvements,
• cooperation and exchange of information at an international level,
• provision of a database of relevant documents and best practices,
• regular organization of meetings to exchange knowledge and ideas on current affairs,
• provision of assistance in dealing with all sorts of incidents, ranging from spam mail to large scale network attacks,
• watching of incident reports by non-participating organizations and passing of such information to own members, and the
• promotion of the development of shared standards and specialization in different areas.

4.4.6.5 CERT-RUG

CERT-RUG, established in March 1999, is an educational and research CERT organization, hosted by the Computing Center of the University of Groningen, that provides security services to its hosting organization and institutions. CERT-RUG has been an accredited member of TERENA’s Trusted Introducer since August 2002.


4.4.6.6 SURFnet-CERT

SURFnet-CERT, formerly known as CERT-NL and established in 2003, is an educational and research CERT organization, hosted by SURFnet, the Internet provider of higher education institutes and many research organizations in the Netherlands. SURFnet-CERT provides security services to the universities connected to SURFnet. SURFnet-CERT has been a member of FIRST since July 1992, and an accredited member of TERENA’s Trusted Introducer since January 2001. Members of SURFnet are the following CERT organizations:

• CERT-AMC (Academic Medical Centre Amsterdam),

• CERT-RU (Radboud University at Nijmegen),

• CERT-RUG (University of Groningen),

• CERT-UU (University of Utrecht),

• CERT-UvA (University of Amsterdam), and the

• UvT-CERT (University of Tilburg).

The tasks of SURFnet-CERT include the following activities:

• handling of all cases of computer security incidents in which customers are involved,

• dissemination of security related information to customers via security advisories,

• provision of a format to report a port scan incident,

• provision of incident statistics,

• regular distribution of security bulletins,

• publication of current news on security issues, and the

• provision of an archive of distribution lists.

A subset of the latest security information, documentation, and other information provided by SURFnet is listed in Table 21.

Table 21: SURFnet Information and Documents

TOPIC | TITLE | LINK

Archives | archive of distribution list | http://listserv.surfnet.nl/archives/cert-bulletins.html

Bulletins | security bulletins | http://cert.surfnet.nl/s/indexs.shtml

News | security news | http://cert.surfnet.nl/n/index.shtml

Organization | general information about the organization | http://cert.surfnet.nl/r/index.shtml

Reporting | form to report a port scan incident | http://cert.surfnet.nl/report-an-incident/portscan.shtml

Statistics | incident statistics | http://cert.surfnet.nl/statistics.shtml

4.4.6.7 CERT-UU

The CERT of Utrecht University (CERT-UU) is an educational and research CERT organization, hosted by the University of Utrecht, that provides security services to its organizations. CERT-UU is a member of TERENA’s Trusted Introducer and a member of SURFnet-CERT. A subset of the latest security information, documentation, and other information provided by CERT-UU is listed in Table 22.

Table 22: CERT-UU Information and Documents

TOPIC | TITLE | LINK

Information | general security information | http://www.uu.nl/uupublish/homeuu/diensten/homeubend/universitairebes/bestuursdienst/directieinformat/watwedoen/informatiebeveil/certuu/samenwerking/14319main.html

Regulation | policy information | http://www.uu.nl/uupublish/homeuu/diensten/homeubend/universitairebes/bestuursdienst/directieinformat/watwedoen/reglementictmidd/14300main.html

4.4.6.8 KPN-CERT

KPN-CERT, established in June 1995, is a commercial CERT organization, hosted by KPN, that provides security services to its customers. KPN-CERT has been a member of FIRST since 1996, and an accredited member of TERENA’s Trusted Introducer since July 2005. The tasks of KPN-CERT include the following activities:

• support of proactive measures for clients,

• ensuring the security of company networks and of the networks over which KPN offers its services,

• collection and analysis of data from incidents, and the

• provision of advice on how to avoid incidents.

A subset of the latest security information, documentation, and other information provided by KPN-CERT is listed in Table 23.

Table 23: KPN-CERT Information and Documents

TOPIC | TITLE | LINK

Vulnerabilities | Secunia SA20717: Microsoft Windows Object Packager Dialog Spoofing Vulnerability, October 2006 | http://www.kpn-cert.nl/index.php?page=advisory.view&advisory_id=1646&PHPSESSID=843b7fa0e4493b4d4eb6438ee8b263d6

Vulnerabilities | Secunia SA22341: Microsoft Windows Multiple IPv6 Denial of Service Vulnerabilities, October 2006 | http://www.kpn-cert.nl/index.php?page=advisory.view&advisory_id=1645&PHPSESSID=843b7fa0e4493b4d4eb6438ee8b263d6

Vulnerabilities | Secunia SA21276: Microsoft Windows Server Service DoS and Privilege Escalation, October 2006 | http://www.kpn-cert.nl/index.php?page=advisory.view&advisory_id=1644&PHPSESSID=843b7fa0e4493b4d4eb6438ee8b263d6

Vulnerabilities | Secunia SA22339: Microsoft Office Multiple Code Execution Vulnerabilities, October 2006 | http://www.kpn-cert.nl/index.php?page=advisory.view&advisory_id=1643&PHPSESSID=843b7fa0e4493b4d4eb6438ee8b263d6

Vulnerabilities | Secunia SA22333: Microsoft XML Core Services Information Disclosure and Code Execution, October 2006 | http://www.kpn-cert.nl/index.php?page=advisory.view&advisory_id=1642&PHPSESSID=843b7fa0e4493b4d4eb6438ee8b263d6

Vulnerabilities | Secunia SA22159: Microsoft Windows Shell Code Execution Vulnerability, October 2006 | http://www.kpn-cert.nl/index.php?page=advisory.view&advisory_id=1638&PHPSESSID=843b7fa0e4493b4d4eb6438ee8b263d6

Vulnerabilities | Secunia SA21735: Microsoft Word Code Execution Vulnerabilities, October 2006 | http://www.kpn-cert.nl/index.php?page=advisory.view&advisory_id=1627&PHPSESSID=843b7fa0e4493b4d4eb6438ee8b263d6

Vulnerabilities | Secunia SA20268: Microsoft Excel Multiple Buffer Overflow Vulnerabilities, October 2006 | http://www.kpn-cert.nl/index.php?page=advisory.view&advisory_id=1641&PHPSESSID=843b7fa0e4493b4d4eb6438ee8b263d6

Vulnerabilities | Secunia SA22127: Microsoft PowerPoint Code Execution Vulnerability, October 2006 | http://www.kpn-cert.nl/index.php?page=advisory.view&advisory_id=1637&PHPSESSID=843b7fa0e4493b4d4eb6438ee8b263d6

4.4.6.9 UvA-CERT

UvA-CERT is an educational and research CERT organization, hosted by the University of Amsterdam, that provides security services to its institutions. UvA-CERT is a member of SURFnet-CERT and a member of TERENA’s Trusted Introducer.

4.4.7 Norway

CERT organizations in Norway include NorCERT and UNINETT CERT.


4.4.7.1 NorCERT

NorCERT is a governmental CERT organization, hosted by the Nasjonal sikkerhetsmyndighet (NSM, Norwegian National Security Authority), that provides security services to the whole country of Norway. NorCERT is a member of EGC, a full member of FIRST, and an accreditation candidate member of TERENA’s Trusted Introducer since October 2006. The tasks of NorCERT include the following activities:

• provision of an alert and early warning system for digital infrastructure (VDI, Varslingssystem for Digital Infrastruktur),

• identification and classification of, and notification about, IT security attacks,

• handling of incidents,

• coordination of responses to serious ICT security incidents,

• collection of information related to serious ICT security incidents,

• coordination of early patching of serious vulnerabilities,

• sharing of information about new threats with other CERTs,

• conduction of assessments,

• support and assistance for other Norwegian response teams, and

• Norway’s point of contact for international CERTs.

More details about NorCERT can be found at the link: http://www.nsm.stat.no/Arbeidsomrader/Internettsikkerhet-NorCERT/Internettsikkerhet---NorCERT/NorCERT/English/

4.4.7.2 UNINETT CERT

UNINETT CERT, established in May 1995, is an educational and research CERT organization that is hosted by UNINETT AS and funded by the Royal Norwegian Ministry for Church, Education and Research. UNINETT CERT provides security services to the members of the Norwegian Academic Network for Research & Education, i.e. to all Norwegian universities and colleges, non-commercial research institutions and other research and educational institutions. UNINETT CERT has been an accredited member of TERENA’s Trusted Introducer since April 2001 and a member of FIRST since March 2000. UNINETT CERT has published the following documents:

• policy and service level statement (see http://cert.uninett.no/policy.html),

• incident report form (see http://cert.uninett.no/report-form.txt), and

• security pages (see http://cert.uninett.no/sik-top.html).

4.4.8 Spain

CERT organizations in Spain include esCERT-UPC and IRIS-CERT.


4.4.8.1 esCERT-UPC

The Equipo de Seguridad para la Coordinación de Emergencias en Redes Telemáticas (esCERT-UPC), established in October 1994, is an educational and research CERT organization, hosted by the Universitat Politècnica de Catalunya (UPC, Polytechnic University of Barcelona). esCERT-UPC provides security services to its institutions and employees. esCERT-UPC is a member of FIRST and has been an accredited member of TERENA’s Trusted Introducer since September 2001. A subset of the latest security information, documentation, and other information provided by esCERT-UPC is listed in Table 24.

Table 24: esCERT-UPC Information and Documents

TOPIC | TITLE | LINK

Information | information about abuses | http://escert.upc.es/index.php/web/es/index.html

Information | relationship with UPC | http://escert.upc.es/index.php/web/es/upc.html

Publications | journal | http://escert.upc.edu/index.php/web/es/publicacion,412,2.html

Publications | current news | http://escert.upc.es/index.php/web/es/publicaciones,2.html

Publications | security information | http://escert.upc.es/index.php/web/es/publicaciones,1.html

Services | preventive support | http://escert.upc.es/index.php/web/es/upc_preventivo.html

Services | security information | http://escert.upc.es/index.php/web/es/upc_gestionado.html

Services | reactive support | http://escert.upc.es/index.php/web/es/upc_reactivo.html

Trainings | training information | http://escert.upc.es/index.php/web/es/formacion.html

Vulnerabilities | Remote access in HP Version Control Agent | https://escert.upc.edu/altair/vulnera_descr.php?RN=ALTAIR-610-02755

Vulnerabilities | Privilege escalation in Sun Solaris Netscape Portable Runtime API | https://escert.upc.edu/altair/vulnera_descr.php?RN=ALTAIR-610-02754

Vulnerabilities | Restriction bypass in PHP | https://escert.upc.edu/altair/vulnera_descr.php?RN=ALTAIR-610-02753

Vulnerabilities | Multiple vulnerabilities in the Linux kernel | https://escert.upc.edu/altair/vulnera_descr.php?RN=ALTAIR-610-02752

Vulnerabilities | Privilege escalation in systrace on BSD systems | https://escert.upc.edu/altair/vulnera_descr.php?RN=ALTAIR-610-02751

4.4.8.2 IRIS-CERT

IRIS-CERT, established in November 1995, is an educational and research CERT organization, hosted by RedIRIS, a Spanish research and academic network, that provides security services to all organizations connected by RedIRIS. IRIS-CERT has been a member of FIRST since February 1997, and an accredited member of TERENA’s Trusted Introducer since March 2001. The tasks of IRIS-CERT include the following activities:

• early detection of security incidents affecting RedIRIS centers,

• coordination of incident handling,

• development of proactive measures involving timely warning of potential problems, technical advice, training and related services,

• provision of an IRIS-CERT archive,

• provision of tools, and the

• publication of security news.

A subset of the latest security information, documentation, and other information provided by IRIS-CERT is listed in Table 25.

Table 25: IRIS-CERT Information and Documents

TOPIC | TITLE | LINK

Archives | archives via FTP access | http://ftp.rediris.es/ftp/rediris/cert

Members | contact information | http://www.rediris.es/cert/servicios/iris-cert/contact.en.html

News | current information | http://www.rediris.es/cert/nove.en.html

Policies | RedIRIS Policy Certification Authority | http://www.rediris.es/cert/proyectos/iris-pca/index.en.html

Services | formal description of the IRIS-CERT services according to RFC 2350 | http://www.rediris.es/cert/servicios/iris-cert/rfc-2350.en.html

Services | PGP public key server | http://www.rediris.es/cert/servicios/keyserver/index.en.html

Services | time-stamp | http://www.rediris.es/cert/cert/cuco

Tools | index of tools | http://www.rediris.es/cert/tools/index.en.html


4.4.9 Sweden

CERT organizations in Sweden include SITIC, SUNet CERT, and TS-CERT.

4.4.9.1 SITIC

The Swedish IT Incident Center (SITIC), established in January 2003, is a governmental CERT organization, hosted by the National Post and Telecom Agency (PTS). SITIC provides security services to all governmental organizations, regional authorities, municipalities, companies, and additional target groups. SITIC is a member of EGC, a member of FIRST since May 2005, an accredited member of TERENA’s Trusted Introducer since July 2005, and a member of TF-CSIRT. The tasks of SITIC include the following activities:

• incident reporting to SITIC on a voluntary basis,

• provision of responses and actions to individual reports, complying with the assignments given by the government,

• assessment and publication of information about threats,

• provision of a function for information exchange about IT incidents among society's organizations,

• dissemination of information in society about new security problems regarding IT systems,

• use of a Distributed Intrusion Detection System (DIDS), which is a system of connected intrusion detection systems,

• submission of information and advice about preventive measures,

• collection and publication of statistics as a base for continuous improvements in the preventive work,

• professional training of personnel, and the

• use of competence from PTS regarding administrative, legal, and human resource questions.

A subset of the latest security information, documentation, and other information provided by SITIC is listed in Table 26.

Table 26: SITIC Information and Documents

TOPIC | TITLE | LINK

Collaboration | collaboration group for information security (SAMFI) | http://www.sitic.se/in-english/folder.2006-08-18.5821448318/collaboration-group-for-information-security-samfi/

Collaboration | Nordic CERT-forum (NCF) | http://www.sitic.se/in-english/folder.2006-08-18.5821448318/nordic-csirt-forum-ncf/

Vulnerabilities | SA04-002 - Apache config file env variable buffer overflow | http://www.sitic.se/in-english/vulnerabilities/sitic-vulnerability-advisories_archive/sa04-002-apache-config-file-env-variable-buffer-overflow

Vulnerabilities | SA05-001 - Evolution multiple remote format string bugs | http://www.sitic.se/in-english/vulnerabilities/sitic-vulnerability-advisories_archive/sa05-001-evolution-multiple-remote-format-string-bugs

4.4.9.2 SUNet CERT

The Swedish University Network CERT (SUNet CERT), established in October 2000, is an educational and research CERT organization, hosted by the University of Uppsala and operating under the Swedish research council, an agency under the Ministry of Education and Science. SUNet CERT provides security services to all connected universities, higher education organizations, and research organizations in Sweden. SUNet CERT is a member of FIRST and has been an accredited member of TERENA’s Trusted Introducer since May 2002. The tasks of SUNet CERT include the following activities:

• provision of support for the universities, colleges and other organizations connected to the SUNET network regarding the coordination of incidents,

• professional training, and the

• cooperation with other ISPs in Sweden and with national and international CERT organizations.

4.4.9.3 TS-CERT

The TeliaSonera CERT (TS-CERT), established in 1997, is a commercial CERT organization, hosted by TeliaSonera AB and located in Sweden, Finland, Norway, and Denmark. TS-CERT provides security services to its hosting organizations and customers. TS-CERT has been a member of FIRST since August 2000 and an accredited member of TERENA’s Trusted Introducer since July 2003.

4.4.10 Switzerland

SWITCH-CERT, established in January 1995, is an educational and research CERT organization, hosted by SWITCH, the Swiss Education & Research Network. SWITCH-CERT provides security services to customers of SWITCH. SWITCH-CERT is a member of EGC, an accredited member of TERENA’s Trusted Introducer since September 2001 and a member of FIRST since April 1998. The tasks of SWITCH-CERT include the following activities:


• establishment of a security working group for operational security issues,

• sharing of information, experiences, and knowledge related to CERT issues,

• identification of areas of common interest for further cooperation,

• organization of security workshops (e.g. latest workshop: http://www.switch.ch/security/security-wg/events/ws2006-2.html),

• provision of security services (see http://www.switch.ch/security/security-wg/members/ssh-bruteforce/ and http://www.switch.ch/security/incident-handling/resources/SysInfoExtractor.bat),

• handling of incidents (see http://www.switch.ch/de/security/incident-handling/),

• provision of information with protected authentication and integrity about important security-related events and activities via e-mail distribution lists, and the

• forwarding of security alarms and security advisories.




6 Contact Information and Links

This chapter contains a set of pairs of tables, one pair for each country or supra-national organization: the first table of a pair lists links for specific objectives and organizations, the second lists contact information.

Table 27: International Links

ORGANIZATION OR TOPIC | ACRONYM OR LOGO | LINK

Business and Industry Advisory Committee | BIAC | http://www.biac.org/

CERT Coordination Center; European Cooperation of Abuse fighting Teams | CERT CC; E-COAT | http://www.cert.org/ http://www.cert.org/csirts/csirt_faq.html

Common Vulnerabilities and Exposures | CVE | http://cve.mitre.org/

Forum of Incident Response and Security Teams; Common Vulnerabilities Exposure; Common Vulnerability Scoring System | FIRST; CVE; CVSS | http://www.first.org/ http://www.first.org/cvss/cvss-guide.html http://www.first.org/cvss/cvss-guide.html

International Standardization Organization | ISO | http://www.iso.org

International Telecommunication Union | ITU | http://www.itu.int/home

Organisation for Economic Co-operation and Development; Anti-Spam Toolkit; Culture of Security; Working Party on Information Security and Privacy | OECD | http://www.oecd.org/ http://www.oecd-antispam.org/ http://webdomino1.oecd.org/COMNET/STI/IccpSecu.nsf?OpenDatabase http://www.oecd.org/department/0,2688,en_2649_34255_1_1_1_1_1,00.html

Open Source Vulnerability Data Base | OSVDB | http://osvdb.org/

Security Focus - Vulnerability Data Base | | http://www.securityfocus.com/

World Information Technology and Services Alliance | WITSA | http://www.witsa.org/


Table 28: European Links

ORGANIZATION OR TOPIC | ACRONYM OR LOGO | LINK

Community Legislation; Official Journal; European Law | | http://europa.eu.int/eur-lex/en/index.html http://europa.eu.int/eur-lex/en/oj http://www.curia.eu.int/index.htm

European CSIRT Network | ECSIRT | http://www.ecsirt.net/

European Information Security Promotion Program | EISPP | http://www.eispp.org

European Network and Information Security Agency; Publications; Country Pages | ENISA | http://www.enisa.eu.int/ http://www.enisa.eu.int/publications/index_en.htm http://www.enisa.eu.int/country_pages/index_en.htm

European Internet Services Providers Association | EuroISPA | http://www.euroispa.org/

European Initiatives: i2010; eEurope 2005; eEurope 2002 | | http://europa.eu.int/information_society/eeurope/i2010/index_en.htm http://europa.eu.int/information_society/eeurope/2005/index_en.htm http://europa.eu.int/information_society/eeurope/2005/doc/all_about/acte_en_version_finale.pdf http://europa.eu.int/information_society/eeurope/2002/index_en.htm

European Union; Single Market; Agencies; Safer Internet Programme Awareness Raising | EU | http://www.europa.eu.int/ http://ec.europa.eu/internal_market/index_en.htm http://www.europa.eu.int/agencies/index_en.htm http://europa.eu.int/information_society/activities/sip/index_en.htm

Joint Research Centre | JRC | http://www.jrc.cec.eu.int/

Task Force CSIRT; Trans-European Research and Education Networking Association | TF-CSIRT; TERENA | http://www.terena.nl/tech/task-forces/tf-csirt/ http://www.terena.nl/tech/task-forces/tf-csirt/

Trusted Introducer for CSIRTs in Europe | TI | http://www.trusted-introducer.nl

Training of Network Security Incident Teams Staff | TRANSITS | http://www.ist-transits.org/

CERT Virtual Training Environment | VTE | https://www.vte.cert.org/vtelibrary.html

Community Research and Development Information Service | CORDIS | http://cordis.europa.eu/en/home.html

Information Society Technologies | IST | http://cordis.europa.eu/ist/

Table 29: Contact Information about European Organizations

ACCREDITATION BODY | PHONE | FAX | ADDRESS / E-MAIL

ENISA European Network Information Security Agency | +30 28 1039 1280 | +30 28 1039 1410 | Science and Technology Park of Crete (ITE), Vassilika Vouton, 70013 Heraklion, Greece, [email protected]

Table 30: Japanese Links

ORGANIZATION OR TOPIC | ACRONYM OR LOGO | LINK

Information-Technology Promotion Agency | IPA | http://www.ipa.go.jp/security/index-e.html

Japan Computer Emergency Response Team Coordination Center | JPCERT/CC | http://www.jpcert.or.jp/english/


Table 31: French Links

ORGANIZATION OR TOPIC | ACRONYM OR LOGO | LINK

Standardization Body | AFNOR | http://www.afnor.fr/portail.asp

Regulatory Authority for Telecommunications and Post | ARCEP | http://www.arcep.fr

National Institute for Nuclear Research | CEA | http://www.cea.fr/

CERT Organization; Government Website; DCSSI; European Legal Context; Industrial relationships Regulation | CERTA | http://www.certa.ssi.gouv.fr http://www.ssi.gouv.fr http://www.ssi.gouv.fr/en/dcssi/index.html http://www.ssi.gouv.fr/en/regulation/europe.html http://www.ssi.gouv.fr/en/regulation/rid_contact.html

CERT Organization | Cert-IST | http://www.cert-ist.com

CERT Organization | CERT-LEXSI | http://www.lexsi.com

National Space Agency | CNES | http://www.cnes.fr/html/_455_460_3773_.php

National Center for Scientific Research | CNRS | http://www2.cnrs.fr/en/8.htm

Country Page France | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/France.pdf

National Institute for Agricultural Research | INRA | http://www.inra.fr/

National Institute for Research in Computer Science and Control | INRIA | http://www.inria.fr/index.en.html

Ministry of Economics, Finance and Industry | MINEFI | http://www.minefi.gouv.fr

CERT Organization | Renater CERT | http://www.renater.fr

Security vulnerabilities and news | SECUSER | http://www.secuser.com/index.htm

Table 32: Contact Information about French Organizations

| ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL |
|---|---|---|---|
| AFNOR (Association Française de NORmalisation) | +33 1 42 91 5555 | +33 1 42 91 5656 | Tour Europe, 92049 Paris La Defense Cedex 7 |
| CERTA (Computer Emergency Response Team) | +33 1 71 7584 50 | +33 1 71 7584 70 | SGDN/DCSSI/CERTA, 51, boulevard de La Tour-Maubourg, 75700 Paris, France, [email protected] |
| Cert-IST (CERT Industries, Services & Tertiaire) | +33 5 3435 3388 | +33 5 3435 3389 | Cert-IST, c/o Alcatel CIT, 26 avenue JF Champollion, BP 63576, F-31035 Toulouse Cedex 1, France, [email protected] |
| CERT-LEXSI | +33 1 5586 8214 | +33 1 5586 8889 | CERT-LEXSI, 12-16 rue de Vincennes, 93100 Montreuil, France, [email protected] |
| DCSSI (Central Directorate for Information System Security) | +33 1 41 463720 | +33 1 41 463701 | 18, rue du Docteur Zamenhof, 92131 Issy-les-Moulineaux, France, [email protected] |
| Renater CERT | +33 1 5394 2044 | +33 1 5394 2031 | c/o ENSAM, 151 boulevard de l'Hôpital, 75013 Paris, France, [email protected] |


Table 33: German Links

| ORGANIZATION OR TOPIC | ACRONYM OR LOGO | LINK |
|---|---|---|
| IT security company | Aladdin Knowledge Systems | http://www.aladdin.de/ |
| IT Industry Organization | BITKOM | http://www.bitkom.org/ |
| Federal Ministry of Education and Research | BMBF | http://www.bmbf.de/en/index.php |
| Federal Ministry of the Interior | BMI | http://www.bmi.bund.de |
| Federal Ministry of Economics and Technology | BMWI | http://www.bmwi.de/English/Navigation/root.html |
| Federal Office for Information Security, GER | BSI | http://www.bsi.bund.de/ |
| CERT Organization | Bürger-CERT | http://www.buerger-cert.de/ |
| CERT Organization | CERT-Bund | http://www.bsi.bund.de/certbund/ |
| CERT Organization | CERTBw | http://www.first.org/members/teams/certbw/ |
| CERT Organization | CERTCOM | http://www.certcom.de/ |
| CERT Organization | CERT-Verbund | http://www.cert-verbund.de/ |
| CERT Organization | CERT-VW | http://www.first.org/members/teams/cert-vw/ |
| IT security company | Check Point Software Technologies | http://www.checkpoint.de |
| CERT Organization | ComCERT | http://www.commerzbank.com http://www.commerzbank.de |
| IT security company | Computer Associates | http://www.ca.com/germany |
| Country Page Germany | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Germany.pdf |
| D-Grid specific CERT services | D-Grid CERT | http://www.d-grid.de/ |
| IT security company | DATEV | http://www.datev.de |
| CERT Organization | dCERT | http://www.dcert.de/ |
| Telecommunications company | Deutsche Telekom | http://www.telekom.de |
| CERT Organization | DFN-CERT | http://www.cert.dfn.de http://www.dfn-cert.de/ |
| Federal Administration | | http://www.bund.de/nn_174028/Fremdsprachen/Struktur/EN/Startseite-en-knoten.html__nnn=true |
| IT security company | Fujitsu Siemens Computers | http://www.fujitsu-siemens.de/ |
| CERT Organization | GNS-CERT | http://www.gnsec.net |
| CERT Organization | HHU-CERT | http://www.uni-duesseldorf.de/cert/ |
| Managed Services company for IP-based services | Interoute | http://www.psineteurope.de |
| CERT Organization | Mcert | http://www.mcert.de/ |
| IT security company | Microsoft | http://www.microsoft.de |
| Open Ticket Request System | OTRS | http://otrs.org/ |
| CERT Organization | PRE-CERT | https://www.pre-secure.de https://www.pre-secure.com |
| CERT Organization | RUS-CERT | http://cert.uni-stuttgart.de |
| IT security company | SAP AG | http://www.sap.com |
| CERT Organization | S-CERT | http://www.s-cert.de |
| IT security company | Secorvo | http://www.secorvo.de/ |
| CERT Organization | secu-CERT | http://www.secunet.de/ |
| CERT Organization | SIEMENS-CERT | http://w4.siemens.de/ct/en/technologies/ic/beispiele/cert.html |
| IT security company | STRATO Medien AG | http://www.strato.de |
| Computer systems company | Sun Microsystems GmbH | http://www.sun.de |
| System for Incident Response in Operational Security | SIRIOS | http://www.sirios.org/ |
| CERT Organization | T-Com-CERT | http://www.trusted-introducer.nl/teams/teams-t.html#T-Com-CERT |
| CERT Organization | Telekom-CERT | http://www.trusted-introducer.nl/teams/telekom-cert.html |
| TeleTrusT Deutschland e.V. | | http://www.teletrust.de |
| CERT Organization | WWU-CERT | http://www.uni-muenster.de/ZIV/inforum/2005-3/a01.html |


Table 34: Contact Information about German Organizations

| ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL |
|---|---|---|---|
| BMI (Federal Ministry of the Interior) | +49 1888 681 0 | +49 1888 681 2926 | Alt-Moabit 101 D, 10559 Berlin, Germany, [email protected] |
| BSI (Federal Office for Information Security) | +49 228 9582 141 | +49 228 9582 455 | P.O. Box 200363, 53133 Bonn, Germany |
| CERT-Bund | +49 1888 9582 222 | +49 1888 9582 427 | Bundesamt für Sicherheit in der Informationstechnik, Referat I 2.1 / CERT-Bund, Postfach 200363, D-53133 Bonn, Germany, [email protected] |
| CERTBw | +49 2251 953 3110 | +49 2251 953 3103 | IT-Zentrum der Bundeswehr, CERTBw, Kommernerstr. 188, D-53879 Euskirchen, Germany, [email protected] |
| CERTCOM | +49 231 476469 60 | +49 231 476469 89 | CERTCOM AG, CERT Department, Stockholmer Allee 32c, D-44269 Dortmund, Germany, [email protected] |
| CERT-VW | +49 5361 897 5200 | +49 5361 897 5222 | Volkswagen AG CERT-VW, Letter box 1804, D-38436 Wolfsburg, Germany, [email protected] |
| ComCERT | +49 69 136 26740 | +49 69 136 40808 | Commerzbank AG, ZIT P 3.5, D-60261 Frankfurt, Germany, [email protected] |
| dCERT | +49 228 9841 550 | +49 228 9841 60 | T-Systems GEI GmbH, CERT, Rabinstrasse 8, D-53111 Bonn, Germany, [email protected] |
| DFN-CERT | +49 40 80 80 77 555 | +49 40 80 80 77 556 | DFN-CERT Services GmbH, Heidenkampsweg 41, D-20097 Hamburg, Germany, [email protected] |
| GNS-CERT | +49 6475 9140 0 | +49 6475 9140 22 | Global Network Security GmbH, Bornbachstr. 65, 35789 Weilmuenster, Germany, [email protected] |
| PRE-CERT | +49 40 8080778 00 | +49 40 8080778 77 | PRESECURE Consulting GmbH, P.O. Box 105141, 20035 Hamburg, Germany, [email protected] |
| RUS-CERT | +49 711 121 3678 | +49 711 121 3688 | RUS-CERT, Stuttgart University, Breitscheidstrasse 2, 70174 Stuttgart, Germany, [email protected] |
| S-CERT | +49 228 4495 432 | +49 228 4495 431 | S-CERT, c/o Informatikzentrum der Sparkassenorganisation GmbH, Simrockstr. 4, 53113 Bonn, Germany, [email protected] |
| secu-CERT | +49 40 696 599 0 | +49 40 696 599 29 | secunet Security Networks AG, Kronprinzenstr. 30, 45128 Essen, Germany, [email protected] |
| SIEMENS-CERT | +49 89 636 48940 | +49 89 636 41166 | Siemens AG CT IC CERT, 81730 Munich, Germany, [email protected] |
| T-Com-CERT | +49 234 505 7800 | +49 2151 3660 4770 | Deutsche Telekom AG, T-Com-CERT, Marderweg 9, 44892 Bochum, Germany, [email protected] |
| Telekom-CERT | +49 228 181 75213 | +49 228 181 75559 | Deutsche Telekom AG Group Security / Telekom-CERT, Friedrich-Ebert-Allee 140, D-53113 Bonn, Germany, [email protected] |
| TeleTrusT Deutschland e.V. | +49 361 3460 531 | +49 361 3453 957 | Chamissostraße 11, 99096 Germany / [email protected] |


Table 35: United Kingdom Links

| ORGANIZATION OR TOPIC | ACRONYM OR LOGO | LINK |
|---|---|---|
| British Standards Institute | BSI | http://www.bsi-global.com/News/Information/British+Standards.xalter |
| CERT Organization | BTCERTCC | http://www.btcert.bt.com |
| Country Page UK | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/United%20Kingdom.pdf |
| Centre for the Protection of National Infrastructure | CPNI | http://www.cpni.gov.uk |
| Department of Trade and Industry; Government Initiatives | DTI | http://www.dti.gov.uk http://www.dti.gov.uk/strd/nssf.html http://www.dti.gov.uk/innovation-group/pressrel-271102.htm |
| CERT Organization | E-CERT | http://www.first.org/members/teams/e-cert/ |
| CERT Organization | EUCS-IRT | http://www.trusted-introducer.nl/teams/teams-e.html#EUCS-IRT |
| Government Service | ITSafe | http://www.itsafe.gov.uk/ |
| Warfare Security Awareness | IWAR | http://www.iwar.org.uk/comsec/resources/sa-tools/ |
| CERT Organization | JANET-CERT of UKERNA | http://www.ja.net/cert/ |
| CERT Organization | MLCIRT | http://www.first.org/members/teams/mlcirt/ |
| CERT Organization | MODCERT | http://www.bipsolutions.com/briefings/Briefings2002/Brief02_19.php |
| National Standardization Strategic Framework | NSSF | http://www.nssf.info http://www.nssf.info/index.xalter |
| CERT Organization | OxCERT | http://www.ict.ox.ac.uk/oxford/compsecurity/oxcert/ |
| CERT Organization | Q-CIRT | http://www.qinetiq.com/ |
| CERT Organization | UNIRAS | www.uniras.gov.uk http://www.uniras.gov.uk/niscc/index-en.html |
| Warning, Alerting and Reporting Points | WARPs | http://www.warp.gov.uk/ |

Table 36: Contact Information about Organizations in the United Kingdom

| ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL |
|---|---|---|---|
| BT SBS | +44 1255 220719 | +44 113 244 5657 | BT Secure Business Services, PP 1.14 Sevenoaks Workstyle Building, 160 London Road, Sevenoaks, TN13 1BT, United Kingdom, [email protected] |
| BTCERTCC | +44 1908 641100 | +44 1908 230343 | BT CERTCC, PP LF16 Libra House, Sunrise Parkway, Linford Wood, Milton Keynes, Bucks MK14 6PH, United Kingdom, [email protected] |
| CESG (Communications Electronics Security Group); Fast Track Assessment Portal; CAPS; Policy | +44 1242 221491 ext 39365 | +44 1242 221491 ext 39365 | Hubble Road, Cheltenham, Gloucestershire GL51 0EX, UK, [email protected] [email protected] [email protected] [email protected] |
| CITIGROUP | +44 20 7500 4215 | +44 20 7500 4610 | [email protected] |
| CPNI (Centre for the Protection of National Infrastructure) | +44 20 7233 8182 | | Central Support, PO Box 60628, SW1 9HA |
| DTI (Department of Trade and Industry) | +44 171 215 1962 | +44 171 931 7194 | Response Centre, 1 Victoria Street, London SW1H 0ET, UK / [email protected] |
| E-CERT | +44 113 207 6002 | +44 113 207 6027 | [email protected] |
| EUCS-IRT | +44 131 507 750 | | [email protected] |
| JANET-CERT | +44 1235 822 200 | +44 1235 822 398 | UKERNA, Atlas Centre, Fermi Avenue, Chilton, Didcot, OX11 0QS, United Kingdom, [email protected] |
| MLCIRT | +44 207 995 565 | | Merrill Lynch, MLISP, 570 Washington Street, 4th Floor, New York, NY 10014, USA, [email protected] |
| MODCERT | +44 207 218 0117 | +44 207 218 1165 | St Giles Court, 1-13 St Giles High Street, London WC2H 8LD, England, [email protected] |
| OxCERT | +44 1865 273200 | +44 1865 273275 | OxCERT, Oxford University Computing Services, 13 Banbury Road, Oxford, OX2 6NN, United Kingdom, [email protected] |
| Q-CIRT | +44 1684 895000 | +44 1684 896744 | Q-CIRT, G305, QinetiQ, St Andrews Road, Malvern, WR14 3PS, United Kingdom, [email protected] |
| STRD (Standards & Technical Regulations Directorate, Department of Trade and Industry) | +44 208 996 7370 | | NSSF Programme Manager, NSSF, British Standards House, 389 Chiswick High Road, London W4 4AL, UK, [email protected] |
| UNIRAS | +44 870 487 0748 | +44 870 487 0749 | UNIRAS, PO Box 832, London SW1P 1BG, United Kingdom, [email protected] |


Table 37: Links of Other European Countries

| COUNTRY | TOPIC | ORGANIZATION | LINK |
|---|---|---|---|
| Austria | CERT Organization | ACOnet-CERT | http://cert.aco.net/ http://www.circa.at/ |
| Austria | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Austria.pdf |
| Belgium | CERT Organization | BELNET CERT | http://cert.belnet.be/ |
| Belgium | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Belgium.pdf |
| Cyprus | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Cyprus.pdf |
| Czech Republic | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Czech%20Republic.pdf |
| Denmark | CERT Organization | CSIRT.DK | http://kundeservice.tdc.dk/artikel.php?dogtag=tdc_k_e_kontakt_csirt_uk |
| Denmark | CERT Organization | DK-CERT (UNI-C) | https://www.cert.dk/ http://www.uni-c.com/ |
| Denmark | CERT Organization | KMD-IAC | http://www.kmd.dk/ |
| Denmark | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Denmark.pdf |
| Estonia | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Estonia.pdf |
| Finland | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Finland.pdf |
| Finland | CERT Organization | CERT-FI | http://www.ficora.fi/englanti/tietoturva/cert.htm, http://www.cert.fi |
| Greece | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Greece.pdf |
| Hungary | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Hungary.pdf |
| Ireland | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Ireland.pdf |
| Ireland | Information Systems Security Association | ISSA | http://www.issaireland.org/ |
| Italy | CERT Organization | CERT-IT | http://security.dsi.unimi.it// |
| Italy | CERT Organization | GARR-CERT | http://www.cert.garr.it/ |
| Italy | Information security association | CLUSIT | http://www.inet.it/ |
| Italy | Application infrastructure provider | I.Net | http://www.inet.it/ |
| Italy | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Italy.pdf |
| Latvia | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Latvia.pdf |
| Lithuania | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Lithuania.pdf |
| Luxembourg | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Luxemburg.pdf |
| Malta | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Malta.pdf |
| Netherlands | CERT Organization | AMC-CERT | http://www.amc.uva.nl/cert/ |
| Netherlands | CERT Organization | CERT-IDC | http://www.energis-idc.net |
| Netherlands | CERT Organization | CERT-KUN | http://www.kun.nl/cert |
| Netherlands | CERT Organization | CERT-RUG | http://www.rug.nl/rc/security |
| Netherlands | CERT Organization | CERT-UU | http://www.cs.ruu.nl/cert-uu/ |
| Netherlands | CERT Organization | CERT-UvA | http://ic.uva.nl/cert/ |
| Netherlands | CERT Organization | GOVCERT.NL | http://www.govcert.nl/ |
| Netherlands | CERT Organization | KPN-CERT | http://www.kpn-cert.nl/ |
| Netherlands | CERT Organization | SURFnet-CERT | http://cert.surfnet.nl |
| Netherlands | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/The%20Netherlands.pdf |
| Netherlands | Trusted Introducer | TI | http://www.trusted-introducer.nl/ |
| Norway | CERT Organization | NorCERT | [email protected] |
| Norway | CERT Organization | UNINETT CERT | http://cert.uninett.no |
| Poland | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Poland.pdf |
| Portugal | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Portugal.pdf |
| Slovakia | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Slovakia.pdf |
| Slovenia | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Slovenia.pdf |
| Spain | CERT Organization | esCERT-UPC | http://escert.upc.es |
| Spain | CERT Organization | IRIS CERT | http://www.rediris.es/cert/index.en.html |
| Spain | Security products and services company | InetSecur | http://www.inetsecur.com/ |
| Spain | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Spain.pdf |
| Sweden | CERT Organization | SITIC | http://www.sitic.se |
| Sweden | CERT Organization | SUNet CERT | http://www.cert.sunet.se |
| Sweden | CERT Organization | TS-CERT | http://www.teliasonera.com |
| Sweden | IT security consultancy | Callineb Consulting | http://wwwcallineb.se/ |
| Sweden | Country Page | ENISA | http://www.enisa.eu.int/doc/pdf/Country%20Pages/Sweden.pdf |
| Switzerland | CERT Organization | SWITCH-CERT | http://www.switch.ch/cert/ |

Table 38: Contact Information about Other European Countries

| COUNTRY | ORGANIZATION | PHONE | FAX | ADDRESS / E-MAIL |
|---|---|---|---|---|
| Austria | ACOnet-CERT | +43 1 4277 14045 | +43 1 4277 9140 | ACOnet-CERT, Vienna University Computer Center, Universitaetsstrasse 7, A-1010 Vienna, Austria, [email protected] |
| Belgium | BELNET CERT | +32 2 790 33 85 | +32 2 790 33 75 | BELNET CERT, Rue de la Science 4, B-1000 Brussels, Belgium, [email protected] |
| Denmark | CSIRT TDC | +45 89 45 96 38 | +45 89 45 96 39 | Danish Computer Security Incident Response Team, Sletvej 2, 8310 Tranbjerg, Denmark, [email protected] |
| Denmark | DK-CERT | +45 35 87 88 87 | +45 35 87 88 27 | Danish Computer Emergency Response Team, Vermundsgade 5, DK-2100 København, Denmark, [email protected] |
| Denmark | KMD-IAC | +45 44 60 10 00 | +45 44 60 22 48 | KMD IAC - Internet Alarm Center, Hadsundvej 184, DK-9100 Aalborg, Denmark, [email protected] |
| Finland | CERT-FI | +358 9 6966 510 | +358 9 6966 515 | Finnish Communications Regulatory Authority, CERT-FI, P.O. Box 313, FI-00181 Helsinki, Finland, [email protected] |
| Italy | CERT-IT | +39 02 5835 6300 | +39 02 5835 6373 | CERT-IT, c/o Dipartimento di Scienze dell'Informazione, Via Comelico 39/41, 20135 Milano, Italy, [email protected] |
| Italy | GARR-CERT | +39 055 4572 723 | +39 055 4572 364 | GARR-CERT, c/o INFN, Via Sansone 1, I-50019 Sesto Fiorentino (FI), Italy, [email protected] |
| Netherlands | AMC-CERT | +31 20 566 2378 | +31 20 566 9020 | Academic Medical Center, ADB/ICT, Attn: AMC-CERT, Meibergdreef 9, 1105 AZ Amsterdam, The Netherlands, [email protected] |
| Netherlands | CERT-IDC | +31 297 885109 | +31 297 885243 | Energis IDC, Lakenblekerstraat 13, 1411 GE Aalsmeer, The Netherlands, [email protected] |
| Netherlands | CERT-KUN | +31 24 361 0818 | +31 24 361 0818 | CERT-KUN, P.O. Box 9101, NL-6500 HB Nijmegen, The Netherlands, [email protected] |
| Netherlands | CERT-RUG | +31 70 888 7 851 | +31 70 888 7 815 | Computing Center, University of Groningen, c/o dr. F. B. Brokken, PO Box 11044, 9700 CA Groningen, The Netherlands, [email protected] |
| Netherlands | CERT-UU | +31 3 253 7777 | +31 3 253 1633 | Academic Computer Centre Utrecht, Attn: CERT-UU, P.O. Box 80.011, 3508 TA Utrecht, The Netherlands, [email protected] |
| Netherlands | CERT-UvA | +31 20 525 3322 | | University of Amsterdam, Informatiseringscentrum, Attn: CERT, Herengracht 182, 1016 BR Amsterdam, The Netherlands, [email protected] |
| Netherlands | GOVCERT.NL | +31 70 888 7 851 | +31 70 888 7 815 | GOVCERT.NL, Postbus 84011, NL-2508 AA Den Haag, The Netherlands, [email protected] |
| Netherlands | KPN-CERT | +31-70-451-3500 | +31-70-451-1180 | Koninklijke KPN N.V., T.a.v.: KPN-CERT, Kamer HV4/A526, P.O. Box 30000, 2500 GA Den Haag, The Netherlands, [email protected] |
| Netherlands | SURFnet-CERT | +31 302 305 305 | +31 302 305 329 | SURFnet bv, attn. SURFnet-CERT, P.O. Box 19035, NL-3501 DA Utrecht, The Netherlands, [email protected] |
| Norway | NorCERT | +47 99 21 58 19 | +47 23 09 25 88 | NSM-NorCERT, Akershus Fortress, building 12, N-0015 Oslo mil, Norway, [email protected] |
| Norway | UNINETT CERT | +47 73 55 7900 | +47 73 55 7901 | UNINETT CERT, Abels gate 5, N-7465 Trondheim, Norway, [email protected] |
| Spain | esCERT-UPC | +34 93 401 5795 | +34 93 401 7055 | Polytechnic University of Barcelona, C/ Jordi Girona 1-3, Modul D6 007, E-08034 Barcelona, Spain, [email protected] |
| Spain | IRIS-CERT | +34 91 212 7625/20 | +34 91 556 8864 | IRIS-CERT, Dep. RedIRIS, Entidad Pública Empresarial Red.es, Edificio Bronce - 2a planta, Plaza Manuel Gómez Moreno, s/n, E-28020 Madrid, Spain, [email protected] |
| Sweden | SITIC | +46 8 678 5799 | +46 8 678 5505 | Swedish IT Incident Centre, SITIC, P O Box 5398, SE-102 49 Stockholm, Sweden, [email protected] |
| Sweden | SUNet CERT | +46 18 471 7900 | +46 18 471 7876 | SUNet CERT, Uppsala University, IST, Box 887, S-751 08 Uppsala, Sweden, [email protected] |
| Sweden | TS-CERT | +46 8 504 38505 | +46 8 568 38440 | TeliaSonera AB, RCC / Corporate Security, TeliaSoneraCERT CC, Marbackagatan 11, Building 0, SE-123 86 Farsta, Sweden, [email protected] |
| Switzerland | SWITCH-CERT | +41 44 268 1540 | +41 44 268 1578 | SWITCH-CERT, Limmatquai 138, CH-8021 Zürich, Switzerland, [email protected] |