Developing national CSIRT capabilities: ‘‘Tunisia’s case’’
Haythem EL MIR, CERT-TCC
Introduction
CERT-TCC is a CSIRT with national responsibility acting to provide incident management services for:
• Government
• Public and private sector
• Home users
• Professionals
• Banks
• …
All of these services are provided free of charge.
The CERT-TCC tries to ensure:
• A centralized coordination for IT security issues (trusted point of contact)
• A centralized and specialized unit for incident response
• Technology and security watch
• Cyberspace monitoring
• The expertise to support and assist constituents to quickly recover from security incidents
• Awareness of all categories of users
Historical Overview
Timeline figure covering 2002 to 2008. Staff size over the period: 3, 5, 6, 15, 19, 25 and 42. Phases shown on the timeline: national survey, national project, wide awareness campaigns, high level decisions, mailing-list, national strategy, awareness activities.
Milestones, in order:
• IS security law
• Creation of NACS
• Creation of CERT-TCC
• Definition of the administrative framework
• Sensitive national projects
• Developing IR capabilities
• Starting the monitoring activities
• Budget
• Recruiting technical staff
• Setting up of SAHER
• WSIS
• Training activities (World Bank)
• Setting up of the collaboration network
• Associative collaboration
• Website
• NACS joined the network of centers of excellence (UNCTAD)
• More training
• CERT-TCC joined the FIRST network
• NACS reached its maturity
• International collaboration
• Setting up of the security center facilities
• OIC-CERT
• Strong international collaboration
What do we need to set up a CSIRT?
1. Constituency: define a clear relation
2. Define the mission statement
3. Financial model: funding and revenue
4. Define the list of services to run (starting, intermediate and maturity phases)
5. People: mainly technical staff
6. Training: technical issues and others
7. Procedures: technical and organizational
8. Tools and equipment (monitoring, IR, …)
9. Identify potential partners
10. Identify sources of information
We also need:
11. People motivated by and dedicated to the project
12. A demonstrated ROSI (return on security investment) so that decision makers take part in the project
Tunisian CERT presentation
Constituency: national CSIRT
Mission statement: defined by law, protection of the Tunisian cyberspace
Offered services: to be detailed
Funding: Government
Revenue: services free of charge
Number and quality of staff to be employed: 50 for NACS, 20 for CERT-TCC
Authority: partial authority (Law N°5/2004)
Service hours: 24/7
Services
Mandatory service: incident handling
Core services: alerts and warnings; incident handling (incident analysis, incident response support, incident response coordination); announcements
Services to provide: according to the mission statement
Choose the right services: a decision based on the quality of services and feedback
1. Starting phase: core services
2. Extension: additional services
3. Maturity: extra services
Services (according to the CERT/CC model)
Main services:
• Incident analysis
• Incident response on site
• Incident response support
• Incident response coordination
• Publish advisories or alerts
• Vulnerability and virus handling
• Provide and answer a hotline
• Monitor IDS
• Training or security awareness
• Technology watch or monitoring service
• Track and trace intruders
• Penetration testing
Secondary services:
• Produce technical documents
• Security policy development
• Vulnerability assessments
• Artifact analysis
• Forensic evidence collection
• Pursue legal investigations
• Vulnerability scanning
• Security product development
• Monitoring network and system logs
Staffing: skills
Personal skills:
• Written communication
• Oral communication
• Presentation skills
• Diplomacy
• Ability to follow policies and procedures
• Team skills
• Integrity
• Knowing one’s limits
• Coping with stress
• Problem solving
• Time management
Technical skills:
• Security principles (CIA)
• Security threats and vulnerabilities
• Internet technologies
• Risk assessment
• Network protocols
• Network applications and services
• Network security issues
• System security issues
• Malicious code
• Programming
• Incident handling
• Local team policies and procedures
• Intrusion techniques
• Incident analysis
Incident Handling (CSIRT)
Diagram: the CSIRT team, its collaboration network, the watch function and the ISAC all feed the 24/7 incident reporting system, which leads to incident analysis and handling.
Capabilities: trained team; technical means (investigation); procedural means; platform of incident management; information exchange; attack tracking; assistance.
Incident reporting system (24/7):
• Email: cert-tcc@ansi.tn, incident@ansi.tn
• Call center: 71 843200
• Tel: 71 846020
• Web: online forms
ISAC detection: massive attack detection, critical failure detection, web site attack detection.
Reporting
Incoming information: vulnerability, IDS alert, incident, feedback, log, question.
Reporting channels: phone / fax / SMS, email, paper form, web form, IDS.
Process: analysing the information, then escalation, then the handling process.
Types of Incident
Incident classification: severity (S1 lowest to S5 highest) by escalation condition

Incident                                                    Cond1  Cond2  Cond3
Spam                                                        S1     S2     S2
Harassment                                                  S2     S3     S3
Pedophilia/Pornography/Violence/…                           S4     S4     S4
Malware (virus, worm, trojan, spyware, dialer, keylogger)   S1     S3     S4
Scan                                                        S3     S4     S4
Sniff                                                       S3     S4     S4
Social engineering                                          S3     S3     S3
Vulnerability exploit                                       S3     S4     S4
Brute force                                                 S3     S4     S4
Defacement                                                  S2     S4     S5
DoS                                                         S4     S5     S5
DDoS                                                        S5     S5     S5
Sabotage                                                    S3     S4     S4
Copyright                                                   S2     S2     S2
Identity theft                                              S2     S3     S3
Phishing                                                    S4     S5     S5

Classification flow: the escalation criteria (Cond1, Cond2, Cond3) determine the severity; depending on the severity the incident is either ignored or handled by the help desk, or handled by the CERT.
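The classification table and the escalation decision, as an added example that is not code from the CERT-TCC slides. The slides do not state which severity level sends an incident to the CERT, so the S3 cut-off and the sample batch of reports are assumptions.

```python
# Added example, not code from the CERT-TCC slides: the incident classification
# table as data plus the escalation decision. ASSUMPTION: the slides do not say
# which severity goes to the CERT; here S3 and above does, S1/S2 stay with the help desk.

# incident type -> severity under (Cond1, Cond2, Cond3), as in the table
SEVERITY_TABLE = {
    "spam": (1, 2, 2),
    "harassment": (2, 3, 3),
    "pedophilia/pornography/violence": (4, 4, 4),
    "malware": (1, 3, 4),
    "scan": (3, 4, 4),
    "sniff": (3, 4, 4),
    "social engineering": (3, 3, 3),
    "vulnerability exploit": (3, 4, 4),
    "brute force": (3, 4, 4),
    "defacement": (2, 4, 5),
    "dos": (4, 5, 5),
    "ddos": (5, 5, 5),
    "sabotage": (3, 4, 4),
    "copyright": (2, 2, 2),
    "identity theft": (2, 3, 3),
    "phishing": (4, 5, 5),
}
CERT_THRESHOLD = 3  # assumed cut-off: S3 and above is handled by the CERT

def classify(incident_type, condition):
    """Severity 1..5 of an incident type under escalation condition 1, 2 or 3."""
    if condition not in (1, 2, 3):
        raise ValueError("escalation condition must be 1, 2 or 3")
    key = incident_type.strip().lower()
    if key not in SEVERITY_TABLE:
        raise KeyError(f"unknown incident type: {incident_type!r}")
    return SEVERITY_TABLE[key][condition - 1]

def route(incident_type, condition):
    """(severity label, handler): help desk below the threshold, CERT at or above it."""
    sev = classify(incident_type, condition)
    return f"S{sev}", ("CERT" if sev >= CERT_THRESHOLD else "help desk")

def triage(reports):
    """Order (ticket, type, condition) reports so the most severe are handled first."""
    ranked = sorted(reports, key=lambda r: -classify(r[1], r[2]))
    return [(ticket,) + route(kind, cond) for ticket, kind, cond in ranked]

if __name__ == "__main__":
    # constructed sample batch of reports
    batch = [("T1", "spam", 1), ("T2", "Defacement", 3), ("T3", "malware", 2), ("T4", "DDoS", 1)]
    for ticket, sev, handler in triage(batch):
        print(ticket, sev, handler)
```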
Incident handling operational procedures
• Incident reporting
• Ticket management
• Incident verification
• Incident classification
• Incident referencing
• Incident documentation
• Incident response termination
• Incident triage
• Specific incident response, one procedure per incident type: spam; harassment; pedophilia/pornography/violence; malware (virus, worm, trojan, spyware, dialer, keylogger); scan; sniff; social engineering; vulnerability exploit; brute force; defacement; DoS; DDoS; sabotage; copyright; identity theft; phishing
• Document classification
• Data storage
• Data back-up
• Data destruction
• Documentary management
• Incident follow-up
• Incident report form
• Incident reporting guidelines
• Document templates
Tools
• Dedicated server and network
• Incident tracking system
• Network analysis software
• Log analysis software
• Forensics tools: CD HELIX, SYSINTERNALS, …
• Linux live CD: BACKTRACK, PENTOO
• Data recovery tools
• Security scanner
• Integrity checker (HIDS)
• VMware
• PGP
• …
• Hard drives, CD & DVD, duplicators, write blockers
• Cables, connectors, etc.
Incident coordination
Parties involved in coordinating an incident:
• CSO / CIO
• CEO
• Internal business managers
• Human Resources Department
• Physical Security Department
• Audit or Risk Management Department
• IT or Telecommunications Department
• Legal Department
• Public Relations Department
• Marketing Department
• Law enforcement
• Government organizations / agencies
• Investigators
• Other CERTs
• Other security experts
Watch
Sources: publication of vulnerabilities, exploits and 0-days; antivirus suppliers; equipment manufacturers; the professional community; watch professionals; the collaboration network (collaboration program).
Activities: collect information and produce trend indicators.
Alert & warning process
Input: vulnerability, malware, attack.
Steps: collect information, evaluation, identification, classification, distribution.
Evaluation criteria: risk assessment, impact analysis, severity, metric.
Distribution channels: public website, closed member area on the website, mailing lists, personalised e-mail, phone / fax, SMS, monthly or annual reports, media.
Targets: home user, professional, customer, CSO, manager, webmaster, programmer, administrator, etc.
Alert & Warning
Inputs: vulnerabilities, exploits and 0-days from the professional community, antivirus suppliers and the collaboration network.
Recipients: Internet service providers; managers and decision makers; web masters, security administrators and developers; the Internet community; SCP.
Channels: mailing list, web site, call center, media (TV, radio, press).
Information Share, Analysis & Collect (ISAC)
Collect: SAHER-IDS, SAHER-Web, SAHER (DNS, POP, SMTP), call center, e-mail, information service.
Analyze the collected information.
Share: incident reports, attack trends, virus spread.
SAHER System: main mission
Information sources feeding the monitoring system (SAHER): ISPs & data centers, call center, incident declarations, CERTs alerts, ISAC, security mailing-lists, antivirus vendors alerts, software vendors alerts.
Identified events: potential big threats, massive attacks, virus spread, botnets, intrusions, web defacement, system breakdown.
SAHER: the technical platform
System developed based on a set of open source tools.
• Saher-Web: monitoring of .tn (DotTN) web sites: web defacement, DoS on web servers, deterioration of web access, …
• Saher-SRV: Internet services availability monitoring (mail server, DNS, …): mail bombing, breakdown of DNS servers, DNS poisoning, …
• SAHER-IDS: massive attack detection: viral attack, intrusion, DDoS, …
• SAHER-HONEYNET: malware gathering: viral attack, scan, possible attacks
SAHER-IDS: central node
Architecture diagram: sensors deployed at the participants send events over the Internet, through a firewall and a VPN, to the central node, which comprises an events gathering unit, a database, correlation units, a synchronization server and an update server.
Project participants:
• Government: ministries
• Financial institutions: banks
• Health, transport, energy
• ISPs: private and public
SAHER-IDS: correlation
Inputs from the IDS sensors: sources, targets, network behavior, attack signature, time window.
Correlation engine backed by a central base and a threats knowledge base.
Outputs: massive attacks, potential sources, distributed attacks, infection areas, …
• Vertical correlation (reduces false positives)
• Horizontal correlation (different sensors)
• Cross-correlation (different detection tools)
• 15 shell and SQL scripts for correlation
SAHER-Web: list of tests
Workflow: initialize, check, validate (validation is based on risk calculation algorithms).
• Comparison tests
  – Full / partial (dynamic sites)
  – Images: full / partial
  – Keyword analysis (Hacked, Defaced, Owned, Own3d, …)
  – HTML code & components size
• HTML to image
  – Convert the web page to an image
  – Compare the images against a threshold
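The check and validate steps above, as an added example that is not the SAHER-Web code: full/partial comparison, keyword analysis and HTML/component size are combined into one risk score against a stored baseline; the HTML-to-image test is left out. The weights, the size deviation bound, the thresholds and the sample pages are assumptions.

```python
# Added example, not the SAHER-Web code: the slide's checks (full/partial comparison,
# keyword analysis, HTML and component size) as one risk score computed from a stored
# baseline and a freshly fetched copy. HTML-to-image comparison is left out.
# ASSUMPTION: weights, the size deviation bound and the thresholds are illustrative.
import difflib
import re

KEYWORDS = {"hacked", "defaced", "owned", "own3d"}  # keyword list from the slide
SIZE_DEVIATION = 0.30           # assumed: more than 30% change in HTML size is suspicious
ALERT_AT, REVIEW_AT = 50, 20    # assumed score thresholds used by the validate step

def _words(html):
    """Lower-case word set of the visible text, tags stripped."""
    return set(re.findall(r"[a-z0-9]+", re.sub(r"<[^>]+>", " ", html.lower())))

def _components(html):
    """Number of embedded components (images, scripts, stylesheets, links)."""
    return len(re.findall(r"<(?:img|script|link|a)\b", html, re.I))

def defacement_score(baseline, current):
    """Score a fetched page against its stored baseline; returns (score, reasons)."""
    score, reasons = 0, []
    ratio = difflib.SequenceMatcher(None, baseline, current, autojunk=False).ratio()
    if ratio < 0.5:  # full comparison: most of the content was replaced
        score += 40
        reasons.append(f"similarity {ratio:.2f}")
    new_words = sorted(KEYWORDS & (_words(current) - _words(baseline)))
    if new_words:  # keyword analysis, ignoring words already present on the baseline
        score += 40
        reasons.append("keywords: " + ", ".join(new_words))
    if baseline and abs(len(current) - len(baseline)) / len(baseline) > SIZE_DEVIATION:
        score += 20  # HTML code size check
        reasons.append("html size deviation")
    if _components(current) < _components(baseline) // 2:
        score += 20  # partial comparison: most components disappeared
        reasons.append("components missing")
    return score, reasons

def validate(baseline, current):
    """Validate step: 'ALERT' for a probable defacement, 'REVIEW' for a doubtful change, else 'OK'."""
    score, _ = defacement_score(baseline, current)
    return "ALERT" if score >= ALERT_AT else "REVIEW" if score >= REVIEW_AT else "OK"

# constructed sample pages: stored baseline, a routine content update, a defaced copy
BASELINE = ('<html><head><title>Ministry portal</title></head><body><h1>Welcome</h1>'
            '<p>Public services and news.</p><img src="logo.png"><a href="/news">News</a>'
            '<a href="/services">Services</a><script src="app.js"></script></body></html>')
UPDATED = BASELINE.replace("Public services and news.", "Public services, news and events.")
DEFACED = "<html><body><h1>Site Own3d by a constructed crew</h1></body></html>"
```

Calling validate(BASELINE, UPDATED) yields "OK" while validate(BASELINE, DEFACED) yields "ALERT", which is the distinction the dynamic-site comparison has to make.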
Saher-HoneyNet
National and international collaboration
Partners: security authority, other CERTs, regional CERTs, FIRST, sector CERTs, national authority, administration, finance and banks, transport sector, industry sectors, health sector, energy sector, ISPs & telecom operators, vendors, constructors, integrators, media.
Coordination instruments: CERT coordination, national reaction plan against massive attacks, incident coordination procedures.
Goals: crisis management, share information, respond to incidents, share experience.
National Reaction Plan
• A “formal” global reaction plan.
• Establishment of coordinating crisis cells (ISPs, IDCs, access providers), with CERT-TCC acting as coordinator between them.
• Actors: NACS, CERT-TCC, ISPs, telecom operators, finance and banks, transport sector, industry sectors, health sector, energy sector, administration, vendors, media.
Deployed several times:
• 2004: African Football Cup
• 2004: 5+5 summit
• 2004: Sasser & MyDoom worms
• 2004: Presidential election
• 2005: Suspicious hacking activity
• 2005: WSIS
• 2005: Arab League
• 2006: Handball World Cup
• 2009: Conficker
Awareness
Awareness material: flyers, posters, emails, radio programmes, cartoon video spots, attack simulations, guides.
Audiences: decision makers, professionals, teachers, students, home users, journalists, lawyers, customers.
Awareness
Channels: seminars, conferences, exhibitions, training, national events, media, web, mailing-list.
Various content:
• Applying operating system patches/updates
• Antivirus software and updates
• Protecting sensitive personal and proprietary information
• Phishing and identity theft
• Spyware and trojans
• Software copyright and license compliance
• Spam
• Business continuity
• Physical security
• Security policies, standards, procedures, laws and/or regulations
Shocking: attack simulation
Attacks simulated in front of decision makers, professionals, teachers, students, home users, journalists and lawyers:
• Trojan horse attack
• Remote intrusion
• Vulnerability exploits
• Phishing attacks
• XSS
• SQL injection
• Password and email sniffing
• Password cracking
• CMS hacking
• Wi-Fi hacking
• Session hijacking
• Web defacement
Awareness
• Content development
• Media information (radio, TV): weekly participation in 8 national radios, plus Saturday night on KNET
• Seminars (presentations)
Material produced: 4 CD-ROMs, 8 booklets.
National Projects
• AMEN
• CNI: e-Government; Madania, ADEB, INSAF; National Backup Center
• E-(justice, health, handicap, …)
• CNSS, CNRPS, CNAM
• LA POSTE (e-dinar)
• EDUNET
• CCK: orientation, inscription, student portal
• Sector CSIRTs (postal service: La Poste; telecom operator: Tunisie Telecom; banks: APB)
• Banks projects
Training
• Awareness training
• Children and parents
• Home users
• Professionals
• Hacking techniques
• Security management
• Security audit: standards and methods
• Risk assessment
• Network security: risks and solutions
• Open source solutions for network security
• Linux security
• Windows security
• Application security
• Web application security
• Access control requirements and techniques
• Introduction to cryptography
• Communication encryption
• Business continuity & disaster recovery
• Incident handling & computer forensics
• Vulnerability assessment and pentesting
Development of policies and guides
• Government security policy
• E-Government security charter
• Security audit requirement guides
• Commercial security solution specification models
• Best practices (IIS, Apache, CISCO, …)
• Security audit guidelines
• Vulnerability assessment methodology
• Penetration test methodology
• Open source security tools guides
Key points of the Tunisian experience
• A defined strategy with clear objectives
• Having the power of law and high level support
• Limited resources (adopting a low cost approach: open source)
• Making awareness one of the first priorities
• Improving training and education
• Relying on local capacities
• Relying on the collaboration with national partners (all sectors) and ensuring PPP
• Providing free technical support (incident management capabilities)
Experience Sharing
Experience sharing with other countries to set up security centers using the same approach:
• 2007: Rwanda (experience sharing)
• 2008: Senegal (training)
• 2008: Center of Excellence with UNCTAD
• 2009: South Africa (ECS-CSIRT)
• OIC-CERT
• CERT-AFRICA
Conclusion: problems and challenges
Problems come from:
• Taking on too many services
• Lack of time, staff and funding
• Coordination
• Constituency support
• Incident reporting
Challenges:
• Automatic incident handling process
• Automatic vulnerability handling process
• Deploying efficient sources of information
• Collaborating and sharing information with others
• Setting up a trusted way for data exchange
• Integration between processes
Issues:
• Return on investment
• Certification / recognition
• Legal issues
• Data sharing
• CERT tools
Thank you
haythem.elmir@ansi.tn