CERT Polska Experiences in incident handling The CLOSER Project

CERT Polska Experiences in incident handling The CLOSER Project Mirosław Maj [email protected] Chisinau, 11/10/2004


Page 1: CERT Polska Experiences in incident handling The CLOSER Project

CERT Polska

Experiences in incident handling

The CLOSER Project

Mirosław Maj

[email protected]

Chisinau, 11/10/2004

Page 2

Agenda

Who we are?

Not too much about NASK

A bit of history.

We look to the past but not only

What do we do and for whom?

Incident handling

Some projects

Why bother with security?

How to be CLOSER?

A few words about CLOSER project

Page 3

Who we are?

NASK is the Research and Academic Network in Poland

Academic background

Commercial services

Administrator of the top-level domain - *.pl

CERT Polska is the incident handling team within NASK

We ARE NOT the incident handling team for NASK!

Page 4

A bit of history

June 1995 – First contact with CERT/CC

INET conference and the pre-conference NATO-sponsored networking workshop for developing countries: Security Track led by Barbara Fraser (CERT/CC); the idea of Incident Response was introduced

September 1995 – First contact with FIRST

4th FIRST conference in Karlsruhe

1996 – establishing CERT NASK

Visit to DFN-CERT to learn best practices

1997 – joining FIRST (sponsored by DFN-CERT)

2000 – extending the formula of our IRT

new roadmap to introduce new projects for the Polish constituency

Changing the name to CERT Polska

2001 – joining TERENA TF CSIRT

Page 5

Who we are?

Krzysztof Silicki Mirosław Maj Przemek Jaroszewski Piotr Kijewski

Irek Parafjańczuk Andrzej Dereszowski Dariusz Sobolewski

Page 6

Who we are?

FIRST (Forum of Incident Response and Security Teams)

http://www.first.org/

TERENA TF-CSIRT (Trans-European Research and Academic Networks Association – Task Force Computer Security Incident Response Teams)

http://www.terena.nl/tech/task-forces/tf-csirt/

Trusted Introducer (Team Level 2)

http://www.ti.terena.nl/

Page 7

What do we do and for whom?

Our goals:

providing a single, trusted point of contact in Poland for the NASK customer community and other networks in Poland to deal with network security incidents and their prevention

responding to security incidents in networks connected to NASK and in networks connected to other Polish providers

reporting of security incidents

providing security information and warnings of possible attacks

cooperation with other incident response teams all over the world

Page 8

Incident Handling

Number of incidents 1996 - 2003

[Bar chart: incidents handled per year, 1996 to 2003; y-axis 0 to 1400. Values labelled on the bars, in ascending order: 50*, 75*, 100*, 105, 126, 741, 1013, 1196 (asterisks as on the original chart).]

Page 9

Incident handling

Types of the incidents (percent of all incidents handled; bar chart, y-axis 0 to 90, values paired with categories in chart order)

Information Gathering – 81.6%

Malicious Code – 6.7%

Abusive Content – 4.8%

Fraud – 1.8%

Availability – 1.7%

Intrusions – 1.6%

Information Security – 1.3%

Intrusion Attempts – 0.4%

Other – 0.2%

Page 10

Incident Handling

Sources (reporter, victim, attacker)

[Grouped bar chart, percent on the y-axis (0 to 80), with three series: Reporter, Victim, Attacker (legend in Polish on the original: Zgłaszający, Poszkodowany, Atakujący). Categories on the x-axis: CSIRT, ISP Abuse, Other security, Government, Research & Education, Commercial, Other Non-Commercial, Private. Individual bar values are not legible in the transcript.]

Page 11

Incident Handling

From where are the reports?

unknown 1%, foreign 90%, domestic 9%

From where are the attackers?

domestic 89%, unknown 9%, foreign 2%

From where are the victims?

unknown 6%, foreign 83%, domestic 11%

Page 12

Some projects

Security vortal: http://www.cert.pl/

ARAKIS Project: http://arakis.cert.pl/

Hotline: just started…

Page 13

So… why bother with security?

Security threats are real:

Do not just think about your infrastructure – think also about the security of your end users

Source: http://isc.sans.org/

Page 14

So… why bother with security?

From: "Susie Ward" <[email protected]>

To: xxxxxxx

CC: xxxxxxx

Subject: S p a m - H o s t i n g - 2 5 0 $

Date: Tue, 17 Feb 2004 19:57:18 +0300

Hello.

Spam Hosting.

Location: Korea

OS: FreeBSD

Port: 100mbit.

IP: +

PHP, CGI, MYSQL, 500MB, cPanel.

250$/mesyac.

Fraud Hosting.

Location: Korea

OS: FreeBSD

Port: 100mbit.

IP: +

PHP, CGI, MYSQL, 500MB, cPanel.

450$/mesyac.

Dedicated form 500$ per mounth.

Contacts:

ICQ: 0000000

------------

extant brisk abbot ancestor swift cavitate gourd crisscross spool assay

acapulco empiric brandon citrus classmate berserk

Page 15

Why bother with security?

Ignoring threats costs resources

D(D)oS - It costs to be offline

Data theft – Backups do not help much when sensitive information is stolen

Compromise – How much does your reputation cost?

… So what is the idea for a solution?

Page 16

The CLOSER project

CLuster Of SEcurity Resources

3rd call IST 6FP

Goals:

Learn and describe the current situation in Europe

Build and strengthen awareness of security overall, and of incident handling services in particular

Exchange experiences among the existing CSIR teams

Transfer these experiences and knowledge to newly established teams

Page 17

The CLOSER project

TPF

Page 18

The CLOSER project

Page 19

The CLOSER project

Final remarks

NRENs are tempting targets for hackers

Regardless of whether it is a full CERT or just CERT services – having it will pay off

We do not know whether the CLOSER project will be approved or not

Anyway, we promise to help anybody who is interested as much as possible

Daddy, I can see that hackers don’t sleep!

Page 20

CERT Polska


Page 21