Italian government CERT: INITIAL RESULTS

Transcription

1 Italian government CERT: INITIAL RESULTS ISCOM Conference on Network and Information Security: Political and Technical Challenges Gianluigi Moxedano GovCERT.it National Center for Informatics in Public Administration - CNIPA

2 The CERT-AM Excerpts from Ministerial Directive 16/1/2002 A procedure must be established for the management of incidents and a specific organizational group must be created called CERT-AM: Computer Emergency Response Team for the Administration. An incident management team must be constituted, so as to be able to limit and prevent incidents in an effective and economical way. The incident management team must be prepared to find and to react to the incidents while ensuring: Effective and competent response Centralization and not duplication of efforts Awareness-raising for users regarding threats. Roma 4 novembre

3 The missing piece DIRECTIVE 16/1/2002 CERT-AM CERT-AM AND LOCAL UNITS IN CENTRAL P.A. CERT-AM CERT-AM ESTABLISHMENT OF GovCERT.it CERT-AM Coordination CERT CERT-AM GOVERNMENT COORDINATION CSIRT CERT-AM CERT-AM CENTRAL P.A. CERT-AM Roma 4 novembre

4 GovCERT.it Constituency Central Public Administration Authority level No authority Organizational model Coordinating CSIRT Roma 4 novembre

5 Priority actions Set up and stabilization of relations with the Constituency Design, development and delivery of the most useful, effective and economically efficient services Cooperation and information sharing agreements with other federal agencies, similar institutions and with product vendors and service providers Roma 4 novembre

6 Constituency Stable and operative relations with 30 Administrations (out of 59); in addition to voluntary participation by some other organizations. For each Administration we have the following types of contacts: INTITUTIONAL Advisors to the Ministers for ICT security, ICT Security Committee, Information Systems Directors REFERENCE ICT Security Officers OPERATING Security teams CNIPA is creating a restricted work group to draw up guidelines for the CSIRT in the Central P.A. and to regulate relations between CERT-AMs and GovCERT.it; the WG will also act as a contact group for the Administrations Roma 4 novembre

7 Services REACTIVE Alerts & Warnings Incident Handling Incident response support Incident response coordination Artifact Handling Artifact response coordination PROACTIVE Technology Watch Security Assessments Information Dissemination Information Gathering & Sharing SECURITY QUALITY Awareness Education/Training Roma 4 novembre

8 Services planning EARLY WARNING PROVISIONAL COMPLETE ADVANCED INCIDENT SUPPORT PROVISIONAL COMPLETE INFORMATION GATHERING PROVISIONAL COMPLETE TECHNOLOGY WATCH INFORMATION DISSEMINATION WEB ASSESSMENT WEB SITE JAN 2005 JUL 2005 OCT 2005 JAN 2006 DEC 2006 Roma 4 novembre

9 Bulletins issued are: Early Warning in Italian, with set formats digitally-signed based on information coming from private and public sources Starting from January bulletins on new critical or important vulnerabilities 10 bulletins concerning the presence in the Network or in some Administration networks of high/medium risky malware Expanding the range of technologies being observed Metrics and technology profile of Administrations Roma 4 novembre

10 VULNERABILITA RILEVATE NEL 2004 E NEL 2005 Aggregazione Anno 2004 nr. vulnerabilità scoperte 1 semestre 2004 nr. vulnerabilità scoperte 1 semestre 2005 nr. vulnerabilità scoperte Diff. nr. vuln. 1 semestre % 1 semestre 2004/2005 TOTALE vulnerabilità % 1 semestre semestre Totale Totale semestre semestre 2005

11 Tipologia categoria ANNO SEMESTRE SEMESTRE 2005 tot. vuln. tot. vuln. tot. vuln. Diff. nr. vuln. 1 semestre % 1 semestre 04/05 Sistemi operativi % Web % Network security % Database % Apparati di rete % Applicazioni lato client % Applicazioni lato server % 3% 4% 8% 19% 6% 2% Anno % 1 semestre semestre Sistemi operativi Network security Apparati di rete Applicazioni lato server Web Database Applicazioni lato client Roma 4 novembre

12 Incident Support Starting January 2005 Web defacement detection in the web sites of the Constituency, Regions and main districts (Digitally signed and encrypted messages) 16 web defacements detected and communicated Some incident reports received One of these required code analysis At the beginning of next year we will open a small Contact Center that will also be the Point of Contact for players outside the constituency Roma 4 novembre

13 Information gathering Constituency Register Questionnaires for CNIPA Annual Report WG CSIRT in Central P.A. Contact Center and Point of Contact Knowledge Base of ICT Security in Central P.A. Roma 4 novembre

14 Technology watch Other services Periodic publishing of status reports on vulnerabilities and threats Ad hoc articles on current issues regarding general ICT security First issue expected on November 15 th 2005 Information dissemination Web site in development phase Web assessment On-demand vulnerability scans of web sites in our constituency Roma 4 novembre

15 Relationships Software vendors CNIPA and Committee TF-CSIRT FIRST EGC TLC Operators GovCERT.it Law Enforcement ISPs EUROPEAN BODIES Other CSIRTs MEDIA Roma 4 novembre

16 Government CSIRT in EUROPE Roma 4 novembre

17 European Bodies We are present in the restricted CERT cooperation WG, a recent initiative of ENISA (European Network and Information Security Agency) First task: CSIRT inventory in EU countries The first meeting of Italian CERTs took place last October 11 th. This meeting was organized by the GovCERT.it in cooperation with CERT-IT University of Milan. Roma 4 novembre

18 Italian CERTs 15 Italian CERTs were present at this first meeting, representing: Central and local P.A.s Defense University and Research Bank system Telecommunication operators Manufacturers Religious Institutions The new Italian CERT community is based on Web of trust Information sharing Cooperation Roma 4 novembre

19 An optimist thinks this is the best of all possible worlds. The pessimist knows that it is. (Oscar Wilde) Thank you for your attention