The Trusted Introducer Concept

1
The Trusted IntroducerConcept

• Brian Gilmore (TERENA)

2
Lets assume we all know that ... (i)

• Security is a problem on the Internet
• Theres lots of security incidents worldwide
• The police only comes in on a small minority of
  incidents (for several reasons beyond scope here)

3
CSIRTS

• There are CSIRTs (dedicated team) and ISPs with
  CSIRT functions dealing with those problems
• There are now a few 100 of those around
• CSIRT Computer Security Incident Response Team
• a.k.a. CERT

4
Why a problem?

• If you are a member of one of these 100 teams
• How do you know who to contact in another
  country?
• Academic CSIRT, ISP CSIRT, Gov CSIRT
• When you have established that, are you certain
  you are talking to the person you think you are?

5
What is the solution?

• So the CSIRT infrastructure is a major problem
  and becoming worse
• There is no worldwide solution for this yet
• FIRST is not involved at this level (or not yet),
  no other body, such as ISOC is engaged in this
  activity

6
1st Attempt

• Not really the first attempt, more like the 5th!
  But the first to make real headway!
• After advice from the community, TERENA set up
  the EuroCERT service

7
EuroCERT

• This service acted as a central focus point for
  all European CSIRTS.
• Ie, if one CSIRT had an incident from outside
  their sphere, they handed it to EuroCERT
• The service was funded by a subscription on the
  NRENs which hosted an (academic) CSIRT
• Ran for 15 months

8
Why did it stop?

• The level of demand was such that it was clear
  the service would need at least 5 staff to
  function properly.
• NRENs were not happy to subscribe at that level
  and preferred to fund their own CSIRTs

9
Attempt No 2

• TERENA then hosted the first of a series of
  meetings of CSIRTS in Europe.
• This is now a formal TERENA Task Force TS-CSIRT
• Meetings have been very successful with over 40
  participants
• Some 5 non-academic CSIRTs attend

10
So ...

• TF-CSIRT decided to start solving the problem
  itself, in Europe, ...
• ... hoping that other regions will join, or copy
  the effort, or improve on it
• They named their effort
• TRUSTED INTRODUCER

11
TI mission statement

• The Trusted Introducer must foster trust and
  cooperation between CSIRTs in Europe, both new
  and experienced. The vehicle used to achieve this
  is to invite CSIRTs to present themselves and
  describe their service according to an
  established baseline thus enabling objectivity,
  which is regarded as the pre-requisite of trust.

12
Certification or Accreditation?

• The TI process is NOT a formal certification
  process for CSIRTS
• It IS a process of gathering information and
  documenting it to a certain standard
• It ASSISTS in helping teams enter the web of
  trust
• It COULD develop later into a more formal process
  

13
TI process (i)

• The TI registers known European CSIRT teams as
  Level 0
• Teams that decide to join the TI effort to foster
  European inter-CSIRT cooperation get invited by
  the TI to become Level 1
• The Level 1 team then has 3 months to work
  together with the TI to present their service
  according to the TI baseline

14
TI process (ii)

• If they succeed, the team is recognized by the TI
  as Level 2 and their baseline presentation is
  published in the TI repositories (only partially
  in the public repository)

15
TI process (iii)

• Any non-compliance in the above process results
  in a fallback to Level 0
• Max of 2 attempts in 12 months
• The experiences to date have shown that the fee
  charged is amply paid back in the form of the
  (otherwise) free consultancy that the team gets
  to help it define its services etc from the TI

16
TI process (iiii)

• Level 2 teams maintain their status by regularly
  (4 months) complying with their baseline
  presentation or adapting it when due
• Otherwise, they will again be dropped to Level 0
• Essential to catch teams who, for example, lose
  their staff and are non-effective but dont wish
  to admit this!

17
TI Level 2 criteria include ...

• Filling out well defined templates
• Defining information handling policy
• Agreeing to publication of supplied information
  (only partially in public repository)
• Regularly maintaining supplied information
• Cooperating with TI in matters above
• Adherence to RFC-2350 recommended
• Visiting FIRST and TF-CSIRT events recommended

18
L2 Criteria

• For example
• Cyber contact (at least) must be made with a
  person representing the team
• That person must prove that he can represent the
  team and the team is corretly empowered by the
  parent organisation
• Proof is using good cryptography with an identity
  backed by a check of some personal ID

19
L2 Criteria

• The CSIRT provides statements of their
  composition and service.
• These could be checked for
• Authenticity
• Actuality (reality now)
• Correctness
• The first two are checked, the last is seen as
  part of a certification process

20
TI setup

• Stelvio (www.stelvio.nl) operates TI service
  (under a contract with TERENA)
• Klaus-Peter Kossakowski (TI service manager),
  Mark Koek, Erwan Smits, Don Stikvoort (Stelvio
  CEO) all parttime involved
• E-mail ti_at_stelvio.nl
• Public site http//www.ti.terena.nl/

21
TI checks and balances (i)

• TERENA focal point to fund service
• TERENA independent, www.terena.nl
• TERENA experienced in helping setup services,
  like RIPE NCC
• TI not limited to TERENA constituency
• TI Review Board reviews the TI work and deals
  with special cases and problems

22
TI checks and balances (ii)

• TI Review Board consists of representatives of
  Level 2 teams
• Initially was, however, of well known Eu
  network/security individuals
• Brian Gilmore, chair (Edinburgh university)
• Karel Vietsch, secretary (TERENA SG)
• Andrew Cormack (JANET-CERT)
• Christoph Graf (SWITCH-CERT)
• Wilfried Wöber (ACONET)

23
New TI Review Board

• A call was put out to the Level 2 teams for
  nominations for a new board. TERENA received 3
  nominations but one person declined.
• The remaining two stand but the old board stays
  until we receive the third nomination
• Andrew Cormack
• Jacques Schuurman
• Vacancy

24
May 1st 2001 snapshot

• Public website www.ti.terena.nl
• 55 teams registered in repository
• 8 Level 2 teams
• 3 pioneer teams CERT-NL, GARR-CERT and
  JANET-CERT
• IRIS-CERT, SIEMENS-CERT, UniNett CERT, NORDUNET
  CERT, CSIRT.DK
• Special repository for only Level 2 teams
  available
• 4 Level 1 teams
• TeliaCERT, SI-CERT, BTCERTCC, BT SBS

25
September 1st Snapshot

• 63 teams registered in repository
• NREN 27
• Commercial 22
• Other 3
• Gov Mil 11
• Includes L0, L1 and L2

26
L1 Teams

• Total L1 Teams 7
• NREN 3
• Commercial 2
• Other 2
• Gov Mil 0
• Remember they have three months to achieve L2

27
L2 Teams

• Total L2 Teams 12
• NREN 7
• Commercial 5
• Other 0
• Gov Mil 0

28
List of L2 Teams

• BTCERTCC (United Kingdom) - (1. June 2001)
• BT SBS (United Kingdom) - (1. June 2001)
• CERT-NL (The Netherlands) - (1. January 2001)
• CSIRT.DK (Denmark) - (20. April 2001)
• GARR-CERT (Italy) - (1. January 2001)
• IRIS CERT (Spain) - (23. March 2001)
• JANET-CERT (United Kingdom) - (1. January 2001)
• NORDUNET CERT - (6. April 2001)
• SI-CERT (Slovenia) - (3. July 2001)
• SIEMENS-CERT (Germany) - (23. March 2001)
• TeliaCERT(Sweden) - (12. July 2001)
• UniNett CERT (Norway) - (1. April 2001)

29
TI does not offer you

• FIRST membership
• FIRST only worldwide CSIRT forum
• FIRST offers nothing like TI yet
• TI Level 2 teams are well prepared for FIRST
  membership
• A free ride
• Initial fee to go to Level 2 (mainly high level
  consultancy) of Euro 900
• Level 2 maintenance costs Euro 600 per year

30
TI does offer you

• Public and maintained repository of all known
  or Level 0 European CSIRTs with contact info
• Formalized and published accreditation process
  for CSIRTs those that pass it are Level 2
  CSIRTs --- maintenance is ensured
• Maintained trusted repository for Level 2 CSIRTs
  only, offering extended information on all
  members
• Management level material if you need it

31
How to achieve Level 2 ? (or be registered as
Level 0)

• Go to www.ti.terena.nl and follow the logical
  route .......... OR ...........
• Ask ti_at_stelvio.nl ......... OR ..........
• Ask any of the TI crew
• Erwan Smits
• Mark Koek
• Klaus-Peter Kossakowski (TI manager)
• Don Stikvoort

32
Current Status

• The one year pilot has come to an end
• The CSIRT Co-ordination meeting (hosted by
  TERENA) agreed this service should continue
• TERENA and Stelvio have signed a contract to
  continue the service for a further year.

33
What are the Problems?

• The current service is funded by
• A subscription from L2 teams
• A fee from a team at L1 (trying for L2)
• What are the cost drivers?
• There is a significant effort on maintaining the
  information on L0 teams but we cant make them
  pay!
• Model is currently ok, but will need to be
  revisited (economies of scale?)

34
Summary

• Academic networks need a CSIRT just as much as
  other networks (if not more!)
• It is in your interest to register as a L0 team
  and join TF-CSIRT
• You should play your part in the community and
  strive to reach L2