ENISA Operational Security, CERT relations. Update January 2013. Contact: opsec@enisa.europa.eu


Slide 1: ENISA Operational Security, CERT relations. Update January 2013. Contact: opsec@enisa.europa.eu

How to navigate on our website? Fast links to the 2012 reports: http://www.enisa.europa.eu/media/2012-fast-links

Supporting the CERT and other operational communities (WS3)

National/governmental CERTs: the situation has changed (maps for 2005 and 2013)
Established in 2005: Finland, France, Germany, Hungary, The Netherlands, Norway, Sweden, UK.
Baseline capabilities of n/g CERTs:
- Initially defined in 2009 (operational aspects)
- In 2010, policy recommendations drafted
- In 2012, ENISA continues to work on harmonisation together with the Member States
Status Report 2012: National/governmental CERT capabilities, updated recommendations 2012.
ENISA's new CERT interactive map: http://www.enisa.europa.eu/activities/cert/background/inv/certs-by-country-interactive-map

Project Background and Objectives
In 2009 and 2010 ENISA carried out its very first attempt to define a minimum set of baseline capabilities for a n/g CERT: http://www.enisa.europa.eu/activities/cert/support/baseline-capabilities
Current project: ENISA conducted a stock-taking, "Further definition and deployment of baseline capabilities for national / governmental CERTs", with two principal objectives:
- to assess the level of compliance of n/g CERTs in EU Member States with the currently defined baseline capabilities and to provide a status report on the level of deployment of the current set of baseline capabilities;
- to further discuss the baseline capabilities with CERTs and, where appropriate, adjust and extend the currently defined baseline capabilities, with a focus on national and regional cooperation.
Project results: the final results of the current project have been published in two reports:
- Final Status Report on Deployment of Baseline Capabilities of National / Governmental CERTs
- Baseline Capabilities of National / Governmental CERTs, Update Recommendations, 2012

Status Report 2012: some initial statistics
Total: 45 responses to the questionnaire (25 from n/g CERTs; 20 from other CERTs and other stakeholders).
[Chart: Self-assessment of the maturity status of national / governmental CERTs; categories Initial, Repeatable, Defined, Managed, Optimised, Other; percentages shown: 30%, 5%, 10%, 15%, 30%, 10%]
[Chart: Years of operation of national / governmental CERTs; categories up to one year, 1-2 years, 3-5 years, 6-8 years, over 8 years; percentages shown: 16%, 32%, 4%, 20%, 28%]
Interviewed teams assessed themselves as either governmental or national/governmental CERTs and indicated years of operation between 4 months and 11 years.

Highlights: Mandate & Strategy
Clarification of the mandates for n/g CERTs: the role of n/g CERTs is supported by mandates (only two n/g CERT respondents did not refer to any kind of mandate), the details and form of which vary greatly across Member States.
[Chart: Are all responsibilities of n/g CERTs considered clear in the mandate? YES/NO answers from national/governmental CERTs and from other stakeholders; n=34 (18 n/g CERTs + 16 other stakeholders); bar values shown: 6, 5, 12, 11]
63 percent of n/g CERTs claimed that the roles and responsibilities of their teams are clearly defined and that no major changes are needed. This is broadly in line with the sentiment of other stakeholders, almost 70 percent of which agree with this statement.
Areas where more clarity might be necessary:
- The scope of services described in the mandate does not correspond to the team's capacity.
- Although constituents are requested to report incidents, problems can arise when the law is not sufficiently clear and ISPs and operators do not know to whom they should report incidents.
- Clarification might be required in the future with regard to collaboration with LEAs.
- The provision and funding of so-called GovCERT services have so far not been adequately addressed.

Highlights: Service Portfolio
Scope of services provided by n/g CERTs: the scope of support (proactive services, reactive services and security quality management services) the teams provide to their constituents depends on the type of constituent, or customer respectively.
[Chart: Satisfaction of constituents with services provided by n/g CERTs, YES/NO; percentages shown: 27%, 73%; n=11 other stakeholders (other than n/g CERTs)]
The more mature the n/g CERT is, the more reactive services it tends to provide to its constituents.
Telecommunication operators and government institutions in general regard the activities of n/g CERTs positively. One of their opinions is illustrative: "Despite a lack of empowerment from the government institutions there is a good coordination effort and a very good sense of responsibility and coordination between the members."
The increasing focus on proactive services is reflected in the way that n/g CERTs deploy these services. It is now common for n/g CERTs to publish advisories for events and incidents that are considered to be of special importance to their constituents.

Highlights: Operational Capabilities
Budgetary limitations of n/g CERTs: n/g CERTs' limited budgets often do not allow for the significant investments that are needed to provide additional and innovative services. Nevertheless, the necessary staff training and education is taken care of mostly within the teams, including participation in international seminars and conferences.
[Chart: Funding considered as sufficient? YES 45%, NO 55%; n=11 n/g CERTs]
The budgetary situation is improving as new strategies and mandates envisage an enhanced role for the n/g CERTs, which should also result in increased funding. A slight majority of the n/g CERTs who commented on this topic believe that the current level of funding is sufficient for them to fulfil their expected tasks. However, many n/g CERTs still reported a lack of funds, especially in the newer Member States of the EU.
Funding for n/g CERTs usually comes from governmental bodies and host organisations. Where n/g CERTs are hosted by NRAs, a part of the budget flows directly from the operators in the form of a small portion of their yearly turnover. A few n/g CERTs are also actively seeking and generating funds from other sources.

Highlights: Cooperation
Engagement in international CERT initiatives and bilateral cooperation: the n/g CERTs are firmly anchored in international structures and they also engage in fruitful bilateral cooperation with their counterparts within Europe and beyond.
[Chart: Factors supporting cooperation with n/g CERTs in other Member States; categories Regional synergy, Maturity stage, both; percentages shown: 38%, 25%, 37%; n=16 n/g CERTs]
Membership in various CERT initiatives is widespread throughout the EU. With a couple of exceptions, all n/g CERTs surveyed indicated that they are members of one or more of them. The most common structures that n/g CERTs belong to are Trusted Introducer, FIRST and TF-CSIRT. Other popular structures include the EGC Group, ENISA's workshops and working groups, and the Anti-Phishing Working Group.
The nature of bilateral coordination is typically informal, particularly in cases where n/g CERTs want to exchange experiences and best practices. Two key factors supporting cooperation with n/g CERTs in other EU Member States are regional synergies and the maturity level of the other n/g CERT.

Report Overview: Baseline Capabilities of National / Governmental CERTs, Update Recommendations, 2012
Target of recommendations: policymakers; heads of n/g CERTs; operational teams; best practices in cooperation.
The gaps identified in the baseline deployment study served as the basis for an updated set of recommendations, the objective of which is to provide n/g CERTs with the guidance needed to address the gaps, better meet their deployment capabilities, and identify best practices for national, regional and international cooperation. The recommendations were published in the report Baseline Capabilities of National / Governmental CERTs, Update Recommendations, 2012.
Recommendations to overcome gaps and achieve deployment objectives were formulated in line with the responsibilities of the relevant stakeholders, such as policymakers, heads of n/g CERTs, and members of n/g operational teams. Recommendations were also made in line with developing best practices for national, regional and international cooperation among n/g CERTs, their constituents and other stakeholders.

CERT Exercises and training material
ENISA CERT training/exercise material, used since 2009, was extended to host 23 different topics and training exercises, including:
- technical aspects (mobile device forensics based on the Android emulator, investigation of DDoS traces, netflow analysis, deployment of honeypots, etc.);
- organisational aspects (developing CERT infrastructure, establishing external contacts, etc.);
- operational aspects (triage and basic incident handling, automation in incident handling, calculating the cost of an information security incident and its return on security investment (ROSI), etc.).

CERT Exercises expanded
The existing 12 exercises were improved and 10 exercises were added:
13. Incident handling during attack on CII
14. Proactive incident detection
15. Cost of ICT incident calculation
16. Mobile incident handling
17. Incident handling in the cloud
18. Advanced Persistent Threat incident handling
19. CERT participation in incident handling related to the Article 13a obligations
20. CERT participation in incident handling related to the Article 4 obligations
21. Assessing and testing communication channels between CERTs and all their stakeholders
22. Social networks used as an attack vector for targeted attacks

Additionally, a Roadmap was created to answer the question: how could ENISA provide more proactive and efficient CERT training?
- Based on live consultations and a survey
- 10 proposals identified
- Planning window 2013-2017
- ENISA's legal environment and mandate taken into account while analysing the proposals
Proposals:
1. ENISA support to the TRANSITS Framework and other suitable training programs
2. ENISA CERT Exercises at universities
3. ENISA as co-provider of CERT trainers and trainings
4. CERT Training Information Desk
5. Video material by ENISA on how to organise the exercises
6. Fire drills for the CERT community
7. ENISA CERT Training Hubs (ECTH)
8. ENISA CERT Exercises Certified Provider (ECTCP)
9. Recommendations for public administration organisations
10. Certification Paths Roadmap

Survey: Perception of TRANSITS

Survey: Comparative perceptions
Average scores on a scale of 1 to 10:
- SANS security trainings: 6.5 (*)
- CERT/CC CSIRT trainings: 7.0
As compared to the TRANSITS courses:
- TRANSITS I: 8.7
- TRANSITS II: 9.5
- Train-the-trainers: 8.0
(*) The low SANS score was unexpected and not clearly explained.

Survey: Other useful trainings
Outside TRANSITS, SANS and CERT/CC, the most mentioned training providers were:
- International Information Systems Security Certification Consortium: (ISC)²
- Information Systems Audit and Control Association: ISACA
- Internet Systems Consortium: ISC
- NATO Cooperative Cyber Defence Centre of Excellence: CCDCOE

EISAS 2012: large-scale pilot
The European Information Sharing and Alert System was introduced in COM(2006) 251: Communication on a strategy for a Secure Information Society.
In 2012: Pilot project for collaborative awareness raising for EU citizens and SMEs
- Gathered n/g CERTs, governmental agencies and private companies in 6 different Member States
- Cross-border awareness raising campaign
- Reached more than 1,700 people in 5 months
- Social networks involved

Providers and disseminators
Information providers: Deutsche Telekom AG, NorSIS, LMU. Materials provided:
1. Social Engineering Movie
2. ID Theft Quiz
3. Securing PCs against Botnets
Information disseminators and the materials they disseminated:
- CESICAT (Catalonia): all three
- LaCaixa (Catalonia): all three
- CERT Hungary: all three
- CERT Poland: all three
- NorSIS: No. 1, Social Engineering Movie

Cybercrime project 2012
Main goals:
- Define key concepts
- Describe the technical and legal/regulatory aspects of the fight against cybercrime
- Compile an inventory of operational, legal/regulatory and procedural barriers and challenges, and possible ways to overcome these challenges
- Collect existing good and best practices
- Develop recommendations
- Focus on CERT-LEA cooperation
Differences between CERTs and LEAs:
- Definitions of cybercrimes/attacks
- Meanings of sharing
- Character of the organisations
- Objectives
- Types of information
- Directions of requests

Cybercrime project 2012: legal obstacles
- CERT legitimacy, scope, remit and competences
- CERTs as evidence holders
- Legal pitfalls of data sharing / data protection
- Legal know-how and awareness
- Laws as a barrier to receiving information

Cybercrime project 2012: operational obstacles
Governance:
- Different/unknown policies and procedures
- Absence of clearly defined policies has a negative impact on sharing information
- Financial burden, opportunity cost or competing priorities
Processes:
- Security clearance/certification
- Language barriers
- Different/incompatible/unknown workflows
- Duplication
- Information misdirection
Tools and technology:
- Lack of early warning/knowledge management tools
- Lack of common case management tools
- Lack of secure communication channels
- Administrative problems: inappropriate time stamps
Information:
- Lack of clarity on what the other party will do with the information
- Insufficient detail/inappropriate detail
- Lack of service catalogues
- Lack of information on and understanding of roles and parameters for cooperation

Cybercrime project 2012: operational obstacles (continued)
Personnel and training:
- Lack of known and trusted personnel / inexperience
- Previous poor experience in sharing information
- Lack of confidence/clarity in your/their official status
Recommendations:
- Training. For CERTs: a training element on how to deal with LEAs (TRANSITS?). For LEAs: how to deal with CERTs (EC3?)
- Structures: facilitation and collaboration
- Best practice development
- Harmonisation/clarification of legal and regulatory aspects

ENISA Honeypots study
An increasing number of complex attacks demand improved early warning detection capabilities for CERTs. By having threat intelligence collected without any impact on production infrastructure, CERTs can better defend their constituencies' assets. Honeypots are powerful tools that can be used to achieve this goal.
Long but good! (179 pages) Additionally, an ENISA Honeypots exercise (another 60 pages).

Motivation for conducting the study
[Chart: Survey responses concerning categories of tools used for network security incident gathering; vertical axis 0 to 50; answer categories: No answer; I never used it and will not use it; I used it in the past, but dropped it; I don't use it but plan to use it in future; I use it]

Honeypots vs other tools
- Honeypots vs sandboxes
- Honeypots vs darknets
- Honeypots vs Intrusion Detection / Prevention Systems
- Honeypots and web security proxies

General Recommendations for CERTs
Overall, the study has found that honeypot technologies, while sometimes difficult to handle, are a good source of threat intelligence information for CERTs.

General Recommendations for CERTs (continued)
- CERTs are encouraged to explore the possibility of deploying honeypots across their constituencies. Honeypots raise fewer privacy concerns than other technologies.
- CERTs need to cooperate and develop large-scale interconnected sensor networks in order to collect threat intelligence from multiple geographic areas. Honeypots are a good choice for such solutions.
- CERTs should plan for how they will handle any vulnerabilities or incidents within their network that are discovered through the use of a honeypot.
- CERTs are encouraged to take part in the development of honeypots and to provide feedback to honeypot developers. This will lead to the creation of better tools.

Paper on Return on Security Investment
The aim of this document is to initiate a discussion among CERTs to create basic tools and best practices to calculate their Return on Security Investment (ROSI). This key notion is essential when justifying costs, engagement and budgets for those entities that deal with security on a regular basis (security departments, CERTs, etc.).
The FIRST Metrics SIG works to improve the metrics and evaluation methods for the internal evaluation of CERTs. As part of this work, the Metrics SIG is addressing the topic of the cost of incidents and return on security investment.
Note: new exercise scenario on calculating the cost of an information security incident and its return on security investment (ROSI).

Other activities: 7th ENISA workshop "CERTs in Europe"
Part I: technical training for n/g CERT experts
- Hands-on training exclusively for the EU national/governmental CERT teams
- 2 days of deep technical dive into topics like botnets, mobile malware and other interesting topics
Part II: for the 2nd time jointly organised with EUROPOL, on 16/17 October
- Goal: to facilitate better cooperation between n/g CERTs and LEAs in the Member States
- Continuation of the first workshop (6th ENISA workshop in 2011)
- Interactive sessions: n/g CERTs and LEAs group exercise
- Final report is published
Supported TRANSITS in Prague and Porto in 2012.

Our activities in 2013 - Workshops: 8th annual CERT workshop
I. Tentatively in Q2, in Romania, co-located with the TF-CSIRT meeting; hands-on training
II. Tentatively in Q4, with EC3 (EUROPOL) in The Hague; cybercrime theme (CERT & LEA)
III. Continue supporting TRANSITS trainings

Our activities in 2013 - Projects:
I. n/g CERT harmonisation of the baseline capabilities framework, plus provision on ICS CERT capabilities
II. Exercise material extension to cybercrime scenarios
III. EISAS deployment study
IV. CERT services: alerts, warnings and announcements
V. Secure communication solutions for CERTs (requirements and stocktaking)
VI. Information sharing and international incident handling: harmonisation of legal frameworks
VII. Practical implementation of the Directive on attacks against information systems

Thank you for your attention!