CERT-RO Romanian Approach in Cyber Security
-
Upload
se-cts-cert-gov-md -
Category
Technology
-
view
454 -
download
1
description
Transcript of CERT-RO Romanian Approach in Cyber Security
CERT-RO
Romanian Approach in Cyber Security
Catalin PATRASCU
http://www.cert-ro.eu
About CERT–RO
COM (2010) 2020: Europe 2020 Strategy & COM (2010) 245: A
Digital Agenda for Europe
– Action area #3, Trust and Security: Member States should establish by 2012
a well-functioning network of CERTs at national level covering all of Europe
H.G. 494 / 2011
– Prevent, analyze, identify and react to cyber security incidents related to
public IT&C infrastructure (not military, public safety, national security)
– National contact point for similar structures
– Elaborate and distribute public cyber security policies
– Analyze technical and procedural problems within cyber infrastructures.
CERT-RO Partenrs
CERT-RO Services
Proactive Reactive Support
• Alerts on new threats and vulnerabilities that may affect national cyberspace.
• Notices regarding the possibility of major cyber security incidents occurrence.
• Study guides and documentation on recent developments in the field of IT & C. security.
• Security assessment for partners (audits, network and application pentests etc.).
• Alerts and warnings on the occurrence of major attacks preceding activities.
• Alerts and warnings related to cyber security incidents occurrence.
• Management of a database with nationalcyber security incidents.
• Security incidents investigation and results dissemination.
• Awareness activities for the government and partners.
• Risk assessments• Support the partners in
development of their own CERT teams.
• Consulting services forsecuring criticalinfrastructures.
• Development of the national policy and security strategy with partners.
Ticketing System
CERT-RO uses Request Tracker for Incident Response (RTIR), a customised
user interface which sits on top of Request Tracker (RT), a popular ticketing
system.
Everyday use of RTIR is through a web interface and does not require any
additional software to be installed on the user’s machine.
RT and RTIR are open-source projects supported by Best Practical Solutions LLC
and can be obtained from the company website:
http://bestpractical.com/rt/ - current stable release is RT 4.0.17
http://bestpractical.com/rtir/ - current stable release is RTIR 3.0.0
RTIR Interface - homepage
Incident Handling Workflow
RTIR’s incident handling system relies primarily on e-mail.
E-mail messages reporting incidents, called Incident Reports, are sent to an
email address configured by CERT/CSIRT ([email protected]).
Messages that constitute on-going correspondence in the handling of a ticket
include a number in the form [CERT-RO #34159] and are automatically
appended to the corresponding RTIR ticket.
All new messages that do not include a number in the form [CERT-RO #34159]
are stored as new Incident Reports and appear in the New unlinked Incident
Reports section of the RTIR homepage.
Incident Handling Workflow
Dealing with Structured Data Feeds
CERT-RO receives daily reports (files with structured data) that together
contain 50,000 to 100,000 records related to cyber security events.
For that amount of data is needed an automated processing system.
Currently we use an in house developed solution to automatically:
• collect all data feeds;
• store them in a relational database (MySQL);
• perform data enrichment;
• distribute alerts to the affected parties
Right now we are working on adopting STIX (Structured Threat Information
eXpression) - http://stix.mitre.org/, supported by MITRE, which is a
collaborative community-driven effort to define and develop a standardized
language to represent structured cyber threat information.
Report on cyber security alerts received by
CERT-RO in the first 6 months of 2013
Report on cyber security alerts received by
CERT-RO in the first 6 months of 2013
Number of alerts
Number of unique IP’s
Advanced Persistent Threaths – APT’s
In the first two months of 2013 where discovered two cyber espionage campaigns that targeted public institutions from Romania.
Red October (ROCRA)• Infection vector: email message with malicious document attached• Exploited vulnerabilities: CVE-2009-3129 (Excel), CVE-2010-3333 (Word), CVE-2012-0158 (Word)
MiniDUKE• Infection vector : email message with malicious document attached• Exploited vulnerabilities : exploit 0-day CVE-2013-0640/641 (Adobe Reader)
Conclusions
Based on the analysis of data held by CERT-RO, it appears that computer
science threats to the national cyberspace have diversified and evolutionary
trends was observed, both in terms of quantity and in terms of technical
complexity.
THANK YOU!