2nd ENISA Workshop: German CERT-Activities, 5th October 2006, Brussels
Overview: Hosting Organisation CERT-Bund Background Projects CERT Services German CERT Activities International Cooperation Lessons Learned
Jedlicka Hans-Peter, 5th October 2006, Slide 2
Bundesamt für Sicherheit in der Informationstechnik (BSI) Federal Office for Information Security www.bsi.bund.de
Facts and Figures about BSI: Established in 1991; Federal Superior Authority, part of the Federal Ministry of the Interior; 430 staff (computer scientists, engineers, mathematicians, physicists); Budget: some 51 million Euro
Customer Focus on
Government and Administration: Security consulting and support; R & D of encryption devices; Emission Security, Counter-Eavesdropping; Operation of the Berlin-Bonn government net; CERT; Support of the e-government initiative
Citizens: Awareness campaign common user orientated give away CD; BSI web site www.bsi.bund.de, www.bsi-fuer-buerger.de; Frequent articles in computer magazines
Science: Cooperation with universities; Research contracting; Trend analysis
Private sector: Promotion of electronic signatures; IT Grundschutz as an industry standard; Certification of IT-products; Critical infrastructures IT Security partnership; Promotion of biometric methods
Section 121 CERT-Bund www.bsi.de/certbund/index.htm
Background (1): hosted by the Federal Office for Information Security (BSI); part of the Federal Ministry of Interior (BMI); initially created as a virtual team in 1994, named as BSI-CERT; mainly focused on information gathering; shift in paradigms in 2000, preparing to set up a real Computer Emergency Response Team
Background (2): officially established on 1st September 2001; renamed as CERT-Bund; governmental CERT for the Federal Administration; becoming the national CERT
Organizational Chart
Department 1: Strategic Applications, Internet Security
Division 11: Strategic Applications
Section 112: Network Platforms and Infrastructures, IVBB
Division 12: Internet Security
Section 121: Federal Government CERT, Crisis Response Centre
Section 122: Internet Security Analysis and Security Procedures
Core team 10 people
Section 125: IT-Penetration Centre
Section 126: Critical Infrastructures
Close cooperation with other sections based on a case by case situation.
Team of CERT-Bund: 1 Team Leader; 3 Senior Advisors; 5 Security Specialists; 1 Secretary
Services provided by CERT-Bund: Providing central PoC 24/7 for the Federal Administration; Running a Situation Centre for monitoring public sources; Analyzing incoming incident reports and other information about vulnerabilities; Supporting the investigation of incidents and the recovery process; Coordinating incident handling & malware reports
Services provided by CERT-Bund: Disseminating advisories or information on countermeasures and/or workarounds by running a Warning & Information Service; Running a telephone based Alerting Service for the Federal Administration; New: Providing the national PoC for international Cooperation; Coming soon: Running the National Crisis Response Centre
Strategic Objectives
National Plan for Information Infrastructure Protection (NPSI), http://www.bsi.de/english/themes/kritis/kritis_e.htm
Prevention: Protecting information infrastructure adequately
Preparedness: Responding effectively to IT security incidents
Sustainability: Enhancing German competence in IT security, Setting international standards
Main Tasks
Goal 8: Identifying, registering and evaluating incidents. [...] will play the role of a national command, control and analysis centre that will be able to provide a reliable assessment of the current IT security situation in Germany at any time [...].
Goal 10: Responding to IT security incidents. [...] to respond rapidly to serious incidents. It provides incident analyses and assessments to all relevant bodies and coordinates the cooperation [...]
German CERT Activities
History of CERTs in Germany
Since 1991 many German CERTs / CSIRTs emerged.
1991 Micro-BIT (University of Karlsruhe)
1993 DFN-CERT (German Research Network)
1994 BSI-CERT / CERT-Bund (Federal Office for Information Security)
... and the process of creating Emergency Response Teams is going on...
2002 CERT-Bw (German Armed Forces)
2003 Mcert (Small & Medium Enterprises)
2005 Bürger-CERT (easy to understand Alert & Warning Service for the average citizen)
200x other CERTs within different Sectors and important Global Players are still following up
National Network of CERTs: CERTs of Companies / Enterprises; CERT-Bw; Commercial CERTs; CERTs of the federal states (Bundesländer); CERTs for academic Sector; CERT-Bund. Equal amongst equals!
CERT-Cooperations within Germany
CERT Working Group (CERT-Arbeitsgruppe): about 30 German CERTs organised in an unofficial working group; regular meetings 2 per year
CERT Alliance (CERT-Verbund): 19 very closely cooperating CERTs, based on signed Code of Conduct & NDA; http://www.cert-verbund.de
Projects
German Advisory Format (DAF): special exchange format for advisories; based on EISPP Common Advisory Format Description (http://www.eispp.org/documents); standardized Common Model of System Information (CMSI); incorporated in SIRIOS
Incident Handling System (SIRIOS): initiated and funded by CERT-Bund; modular application framework; focused on incident management and vulnerability handling; licensed under the GNU General Public License (GPL)
National Early Warning Capability (CarmentiS): initiated and funded by CERT-Bund; to test the concept for the infrastructure; to test new forms of visualization and automatic detection; co-operative Information Management and Analysis Platform to recognize and assess current threats in a timely manner
Early Warning in the German Internet (CarmentiS)
Closing the Gaps: Mcert
Big companies & enterprises: usually well protected; traditional risk assessment & risk management; established procedures; professional IT administration
What about Small & medium enterprises?
Mcert
Closing the Gaps: Bürger-CERT
For? Citizens and Small Business Companies
From? Federal Office for Information Security (BSI) and Mcert German Association for IT-Security, sponsored by leading business-partners such as:
Why? Awareness raising; pointing out the dangers and risks of the Internet use; providing timely Alerts & Warnings; advising countermeasures
How? Understandable safety information
How much? Free
Where? www.buerger-cert.de
Bürger-CERT
International Cooperation
International CERT-Cooperation
bilateral projects
European Governmental CERT (EGC) Group
Cooperation between TERENA / TF-CSIRT (An Initiative of TERENA - Trans-European Research and Education Networking Association), http://www.terena.nl/tech/task-forces/tf-csirt/
APCERT: Asia Pacific Computer Emergency Response Team, http://www.apcert.org
FIRST: Global Coalition forming the Forum of Incident Response and Security Teams, http://www.first.org/
European Governmental CERT Group: Finland - CERT-FI; France - CERTA; Germany - CERT-Bund; Netherlands - GOVCERT.NL; Norway - NorCERT; Sweden - SITIC; Switzerland - SWITCH-CERT; United Kingdom - UNIRAS/NISCC
European Governmental CERT Group
EGC: is based on common interests; strengthens the member organisations; is an operational group; is based on active participation; is part of an international environment; welcomes external contacts; maintains a public web site (coming soon) http://www.egc-group.org; can be reached via chair @ egc-group.org
Lessons learned
Lessons Learned (1)
Prepare as much as possible: Preparing analysis of constituency; Critical scrutiny of services to be provided; Definition of Service-Level-Agreements; Definition of policies; Clarification of mandate; Clarification of authority; Providing human, technical and financial resources; Acquiring and extending competence
Not everything can be envisioned right from the start
Objectives might change over time
Lessons Learned (2)
Do not underestimate: promotion of the team and the services; Coordination with partners and constituency (travel budget, human resources, time); Initiating and extending relations to national and international CERTs, providers and law enforcement
Progress is sometimes very slow
IT security is not for free! But you can start small and grow with your responsibility