CERT Polska Experiences in incident handling The CLOSER Project
Page 1
CERT Polska
Experiences in incident handling
The CLOSER Project
Mirosław Maj
Chisinau, 11/10/2004
Page 2
Agenda
Who we are?
Not too much about NASK
A bit of history.
We look to the past but not only
What do we do and for whom?
Incident handling
Some projects
Why bother with security?
How to be CLOSER?
A few words about CLOSER project
Page 3
Who we are?
NASK is the Research and Academic Network in Poland
Academic background
Commercial services
Administrator of the top-level domain - *.pl
CERT Polska is the incident handling team within NASK
We ARE NOT incident handling team for NASK!
Page 4
A bit of history
June 1995 – First contact with CERT/CC
INET conference and pre-conference NATO-sponsored networking workshop for developing countries: Security Track led by Barbara Fraser (CERT/CC): the idea of Incident Response was introduced
September 1995 – First contact with FIRST
4th FIRST conference in Karlsruhe
1996 – establishing CERT NASK
Visit to DFN-CERT to learn best practices
1997 – joining FIRST (sponsored by DFN-CERT)
2000 – extending the formula of our IRT
new roadmap to introduce new projects for the Polish constituency
Changing the name to CERT Polska
2001 – joining TERENA TF CSIRT
Page 5
Who we are?
Krzysztof Silicki Mirosław Maj Przemek Jaroszewski Piotr Kijewski
Irek Parafjańczuk Andrzej Dereszowski Dariusz Sobolewski
Page 6
Who we are?
FIRST (Forum of Incident Response and Security Teams)
http://www.first.org/
TERENA TF-CSIRT (Trans European Research and Academic Networks Association – Task Force Computer Security Incident Response Teams)
http://www.terena.nl/tech/task-forces/tf-csirt/
Trusted Introducer (Team Level 2)
http://www.ti.terena.nl/
Page 7
What do we do and for whom?
Our goals:
providing a single, trusted point of contact in Poland for the NASK customers community and other networks in Poland to deal with network security incidents and their prevention
responding to security incidents in networks connected to NASK and networks connected to other Polish providers
reporting of security incidents
providing security information and warnings of possible attacks
cooperation with other incident response teams all over the world
Page 8
Incident Handling
Number of incidents 1996 - 2003
[Bar chart: incidents per year, 1996 to 2003; bar values as shown: 100*, 75*, 50*, 105, 126, 741, 1013, 1196; y-axis 0 to 1400]
Page 9
Incident handling
Types of the incidents
| Incident type | Percent |
|---|---|
| Information Gathering | 81.6 |
| Malicious Code | 6.7 |
| Abusive Content | 4.8 |
| Fraud | 1.8 |
| Availability | 1.7 |
| Intrusions | 1.6 |
| Information Security | 1.3 |
| Intrusion Attempts | 0.4 |
| Other | 0.2 |
Page 10
Incident Handling
Sources (reporter victim attacker)
[Bar chart, percent: reporter, victim and attacker by source category: CSIRT, ISP Abuse, Other security, Government, Research & Education, Commercial, Other Non-Commercial, Private]
Page 11
Incident Handling
From where are the reports?
foreign 90%, domestic 9%, unknown 1%
From where are the attackers?
domestic 89%, unknown 9%, foreign 2%
From where are the victims?
foreign 83%, domestic 11%, unknown 6%
Page 12
Some projects
Security vortal: http://www.cert.pl/
ARAKIS Project: http://arakis.cert.pl/
Hotline: just started…
Page 13
So… why bother with security?
Security threats are real:
Do not just think about your infrastructure – think also about security of your end users
Source: http://isc.sans.org/
Page 14
So… why bother with security?
From: "Susie Ward" <[email protected]>
To: xxxxxxx
CC: xxxxxxx
Subject: S p a m - H o s t i n g - 2 5 0 $
Date: Tue, 17 Feb 2004 19:57:18 +0300
Hello.
Spam Hosting.
Location: Korea
OS: FreeBSD
Port: 100mbit.
IP: +
PHP, CGI, MYSQL, 500MB, cPanel.
250$/mesyac.
Fraud Hosting.
Location: Korea
OS: FreeBSD
Port: 100mbit.
IP: +
PHP, CGI, MYSQL, 500MB, cPanel.
450$/mesyac.
Dedicated form 500$ per mounth.
Contacts:
ICQ: 0000000
------------
extant brisk abbot ancestor swift cavitate gourd crisscross spool assay
acapulco empiric brandon citrus classmate berserk
Page 15
Why bother with security?
Ignoring threats costs resources
D(D)oS - It costs to be offline
Data theft – Backups do not help much when sensitive information is stolen
Compromise – How much does your reputation cost?
... So what is the idea for a solution?
Page 16
The CLOSER project
CLuster Of SEcurity Resources
3rd call IST 6FP
Goals:
Learn and describe current situation in Europe
Build and strengthen awareness of security overall and the incident handling services in particular
Exchange experiences of the existing CSIR Teams
Transfer these experiences and knowledge to newly established teams
Page 17
The CLOSER project
TPF
Page 18
The CLOSER project
Page 19
The CLOSER project
Final remarks
NRENs are tidbits for hackers
Regardless of whether it will be a CERT or just CERT's services, having it will pay off
We do not know whether the CLOSER project will be approved or not
Anyway, we promise to help anybody who is interested as much as possible
Page 20
CERT Polska
Daddy, I can see that hackers don’t sleep!
Page 21