01 09 2001 TI Twelve months old Slide 1 The Trusted Introducer Concept Brian Gilmore (TERENA)

01 09 2001 TI Twelve months old Slide 1

The Trusted Introducer Concept

Brian Gilmore (TERENA)

01 09 2001 TI Twelve months old Slide 2

Let’s assume we all know that ... (i)

• Security is a problem on the Internet

• There are lots of security incidents worldwide

• The police only come in on a small minority of incidents (for several reasons beyond scope here)

01 09 2001 TI Twelve months old Slide 3

CSIRTs

• There are CSIRTs (dedicated team) and ISPs with CSIRT functions dealing with those problems

• There are now a few 100 of those around

CSIRT = Computer Security Incident Response Team a.k.a. CERT

01 09 2001 TI Twelve months old Slide 4

Why a problem?

• If you are a member of one of these 100 teams:

• How do you know who to contact in another country?

» Academic CSIRT, ISP CSIRT, Gov CSIRT

• When you have established that, are you certain you are talking to the person you think you are?

01 09 2001 TI Twelve months old Slide 5

What is the solution?

• So the CSIRT infrastructure is a major problem and becoming worse

• There is no worldwide solution for this yet

• FIRST is not involved at this level (or not yet), and no other body, such as ISOC, is engaged in this activity

01 09 2001 TI Twelve months old Slide 6

1st Attempt

• Not really the first attempt, more like the 5th! But the first to make real headway!

• After advice from the community, TERENA set up the EuroCERT service

01 09 2001 TI Twelve months old Slide 7

EuroCERT

• This service acted as a central focus point for all European CSIRTs.

• I.e., if one CSIRT had an incident from outside their sphere, they handed it to EuroCERT

• The service was funded by a subscription on the NRENs which hosted an (academic) CSIRT

• Ran for 15 months

01 09 2001 TI Twelve months old Slide 8

Why did it stop?

• The level of demand was such that it was clear the service would need at least 5 staff to function properly.

• NRENs were not happy to subscribe at that level and preferred to fund their own CSIRTs

01 09 2001 TI Twelve months old Slide 9

Attempt No 2

• TERENA then hosted the first of a series of meetings of CSIRTs in Europe.

• This is now a formal TERENA Task Force – TF-CSIRT

• Meetings have been very successful with over 40 participants

• Some 5 non-academic CSIRTs attend

01 09 2001 TI Twelve months old Slide 10

So ...

• TF-CSIRT decided to start solving the problem itself, in Europe, ...

• ... hoping that other regions will join, or copy the effort, or improve on it

• They named their effort

TRUSTED INTRODUCER

01 09 2001 TI Twelve months old Slide 11

TI mission statement

The Trusted Introducer must foster trust and cooperation between CSIRTs in Europe, both new and experienced. The vehicle used to achieve this is to invite CSIRTs to present themselves and describe their service according to an established baseline – thus enabling objectivity, which is regarded as the pre-requisite of trust.

01 09 2001 TI Twelve months old Slide 12

Certification or Accreditation?

• The TI process is NOT a formal certification process for CSIRTs

• It IS a process of gathering information and documenting it to a certain standard

• It ASSISTS in helping teams enter ‘the web of trust’

• It COULD develop later into a more formal process

01 09 2001 TI Twelve months old Slide 13

TI process (i)

• The TI registers “known” European CSIRT teams as Level 0

• Teams that decide to join the TI effort to foster European inter-CSIRT cooperation get invited by the TI to become Level 1

• The Level 1 team then has 3 months to work together with the TI to present their service according to the TI baseline

01 09 2001 TI Twelve months old Slide 14

TI process (ii)

• If they succeed, the team is recognized by the TI as Level 2 and their baseline presentation is published in the TI repositories (only partially in the public repository)

01 09 2001 TI Twelve months old Slide 15

TI process (iii)

• Any non-compliance in the above process results in a fallback to Level 0

• Max of 2 attempts in 12 months

• The experiences to date have shown that the fee charged is amply paid back in the form of the (otherwise) free consultancy that the team gets to help it define its services etc from the TI

01 09 2001 TI Twelve months old Slide 16

TI process (iv)

• Level 2 teams maintain their status by regularly (4 months) complying with their baseline presentation – or adapting it when due

• Otherwise, they will again be dropped to Level 0

• Essential to catch teams who, for example, lose their staff and are non-effective but don’t wish to admit this!

01 09 2001 TI Twelve months old Slide 17

TI Level 2 criteria include ...

• Filling out well defined templates

• Defining information handling policy

• Agreeing to publication of supplied information (only partially in public repository)

• Regularly maintaining supplied information

• Cooperating with TI in matters above

• Adherence to RFC-2350 recommended

• Visiting FIRST and TF-CSIRT events recommended

01 09 2001 TI Twelve months old Slide 18

L2 Criteria

• For example

• Cyber contact (at least) must be made with a person representing the team

• That person must prove that he can represent the team and the team is correctly empowered by the parent organisation

• Proof is using good cryptography with an identity backed by a check of some personal ID

01 09 2001 TI Twelve months old Slide 19

L2 Criteria

• The CSIRT provides statements of their composition and service.

• These could be checked for:

– Authenticity

– Actuality (reality now)

– Correctness

• The first two are checked, the last is seen as part of a certification process

01 09 2001 TI Twelve months old Slide 20

TI setup

• Stelvio (www.stelvio.nl) operates TI service (under a contract with TERENA)

• Klaus-Peter Kossakowski (TI service manager), Mark Koek, Erwan Smits, Don Stikvoort (Stelvio CEO) all involved part-time

• E-mail : [email protected]

• Public site : http://www.ti.terena.nl/

01 09 2001 TI Twelve months old Slide 21

TI checks and balances (i)

• TERENA focal point to fund service

• TERENA independent, www.terena.nl

• TERENA experienced in helping setup services, like RIPE NCC

• TI not limited to TERENA constituency

• TI Review Board reviews the TI work and deals with special cases and problems

01 09 2001 TI Twelve months old Slide 22

TI checks and balances (ii)

• TI Review Board consists of representatives of Level 2 teams

• Initially, however, it consisted of well-known European network/security individuals:

– Brian Gilmore, chair (Edinburgh university)

– Karel Vietsch, secretary (TERENA SG)

– Andrew Cormack (JANET-CERT)

– Christoph Graf (SWITCH-CERT)

– Wilfried Wöber (ACONET)

01 09 2001 TI Twelve months old Slide 23

New TI Review Board

• A call was put out to the Level 2 teams for nominations for a new board. TERENA received 3 nominations but one person declined.

• The remaining two stand but the old board stays until we receive the third nomination

• Andrew Cormack

• Jacques Schuurman

• Vacancy

01 09 2001 TI Twelve months old Slide 24

May 1st 2001 snapshot

• Public website www.ti.terena.nl

• 55 teams registered in repository

• 8 Level 2 teams

– 3 pioneer teams: CERT-NL, GARR-CERT and JANET-CERT

– IRIS-CERT, SIEMENS-CERT, UniNett CERT, NORDUNET CERT, CSIRT.DK

– Special repository for only Level 2 teams available

• 4 Level 1 teams

– TeliaCERT, SI-CERT, BTCERTCC, BT SBS

01 09 2001 TI Twelve months old Slide 25

September 1st Snapshot

• 63 teams registered in repository

– NREN 27

– Commercial 22

– Other 3

– Gov & Mil 11

• Includes L0, L1 and L2

01 09 2001 TI Twelve months old Slide 26

L1 Teams

• Total L1 Teams 7

– NREN 3

– Commercial 2

– Other 2

– Gov & Mil 0

• Remember they have three months to achieve L2

01 09 2001 TI Twelve months old Slide 27

L2 Teams

• Total L2 Teams 12

– NREN 7

– Commercial 5

– Other 0

– Gov & Mil 0

01 09 2001 TI Twelve months old Slide 28

List of L2 Teams

• BTCERTCC (United Kingdom) - (1. June 2001)

• BT SBS (United Kingdom) - (1. June 2001)

• CERT-NL (The Netherlands) - (1. January 2001)

• CSIRT.DK (Denmark) - (20. April 2001)

• GARR-CERT (Italy) - (1. January 2001)

• IRIS CERT (Spain) - (23. March 2001)

• JANET-CERT (United Kingdom) - (1. January 2001)

• NORDUNET CERT - (6. April 2001)

• SI-CERT (Slovenia) - (3. July 2001)

• SIEMENS-CERT (Germany) - (23. March 2001)

• TeliaCERT (Sweden) - (12. July 2001)

• UniNett CERT (Norway) - (1. April 2001)

01 09 2001 TI Twelve months old Slide 29

TI does not offer you

• FIRST membership

– FIRST: only worldwide CSIRT forum

– FIRST offers nothing like TI yet

– TI Level 2 teams are well prepared for FIRST membership

• A free ride

– Initial fee to go to Level 2 (mainly high level consultancy) of Euro 900

– Level 2 maintenance costs Euro 600 per year

01 09 2001 TI Twelve months old Slide 30

TI does offer you

• Public and maintained repository of all “known” or “Level 0” European CSIRTs with contact info

• Formalized and published accreditation process for CSIRTs: those that pass it are “Level 2” CSIRTs --- maintenance is ensured

• Maintained trusted repository for Level 2 CSIRTs only, offering extended information on all members

• Management level material if you need it

01 09 2001 TI Twelve months old Slide 31

How to achieve Level 2 ? (or be registered as Level 0)

• Go to www.ti.terena.nl and follow the logical route .......... OR ...........

• Ask [email protected] ......... OR ..........

• Ask any of the TI crew:

– Erwan Smits

– Mark Koek

– Klaus-Peter Kossakowski (TI manager)

– Don Stikvoort

01 09 2001 TI Twelve months old Slide 32

Current Status

• The one year pilot has come to an end

• The CSIRT Co-ordination meeting (hosted by TERENA) agreed this service should continue

• TERENA and Stelvio have signed a contract to continue the service for a further year.

01 09 2001 TI Twelve months old Slide 33

What are the Problems?

• The current service is funded by:

– A subscription from L2 teams

– A fee from a team at L1 (trying for L2)

• What are the cost drivers?

– There is a significant effort on maintaining the information on L0 teams but we can’t make them pay!

• Model is currently ok, but will need to be revisited (economies of scale?)

01 09 2001 TI Twelve months old Slide 34

Summary

• Academic networks need a CSIRT just as much as other networks (if not more!)

• It is in your interest to register as a L0 team and join TF-CSIRT

• You should play your part in the community and strive to reach L2