Minutes of the 4th TF-CSIRT Meeting
28 September 2001, Manchester

Agenda

1. Welcome and Apologies
2. Round of Introductions
3. Minutes of the 3rd TF-CSIRT Meeting
4. ‘Trusted Introducer’ Pilot Service
   * 4.1. Presentation of the new TI Review Board
   * 4.2. Status report - Don Stikvoort, Stelvio
5. Training Workshop for New (Staff of) CSIRTs and EC Project Proposal, Andrew Cormack
6. Relations with the CEC and funding possibilities, Karel Vietsch
7. Report on IRTContact entry in RIPE NCC Database, Wilfried Woeber
8. Update on FIRST Activities, David Crochemore
9. IODEF/ITDWG update, Jan Meijer
10. Clearinghouse for Incident Handling Tools: Questionnaire and follow-on activity, Yuri Demchenko
11. Report on yesterday's Seminar Sessions: summary conclusions and follow-up actions
12. Other Work Items
   * 12.1. Encouraging and Assisting the Establishment of new CSIRTs: presentation of RU-CERT by Mikhail Ganev
   * 12.2. Legal Issues and Relations with Law Enforcement Agencies (UK - Andrew Powell)
13. Dates and Locations of the next meetings of TF-CSIRT
14. Any Other Business
15. New and Open Actions
Appendix A. List of Attendees

1. Welcome and Apologies

Apologies were received from:
* Pascal Delmoitie (BELNET)
* Robert Morgan (JANET-CERT)

2. Round of Introductions

A list of the 47 attendees is attached as Appendix A to these minutes.

3. Minutes of the 3rd TF-CSIRT Meeting (Ljubljana, 1 June 2001)

The minutes of the previous meeting, held on 1 June 2001, were approved without change.
Status of open actions from previous meetings

Action 1-10 (all): Send pointers to legal information to Andrew Cormack. Status: ongoing; reminder to all to send information.
Action 2-07 (Andrew Cormack): Prepare a demonstration of the Remedy system for the September seminar. Status: done.
Action 2-10 (Yuri Demchenko): Coordinate the questionnaire on CSIRT tool usage. Status: superseded by new Action 4-10.
Action 3-01 (M&I/Stelvio): Prepare a contract with TERENA on the provision of the second year of the TI pilot. Status: done.
Action 3-02 (TI Review Board): Develop a scheme for electing a new Review Board. Status: done; new Review Board elected.
Action 3-03 (Mark, M&I/Stelvio): Draft a list of the advantages of TI accreditation by 15 June 2001. Status: done; recommended for use by CSIRTs.
Action 3-04 (Andrew Cormack): Contact the Commission, remind them of our specification for the handbook contents and request their reply. Status: done.
Action 3-05 (Gilles André): Make an outline for a project proposal to the EC concerning secure emergency backup infrastructure for CSIRTs and software patents, and circulate it on the email distribution list. Status: open.
Action 3-06 (Andrew Powell): Make an internal investigation in UK government to see whether information on prosecution requirements exists, and report back at the next TF-CSIRT meeting. Status: done; presented at the meeting.
Action 3-07 (Academic CSIRTs): Provide Gareth Price with information on how academic CERTs fit into the academic structure. Status: closed.
Action 3-08 (Module editors): Complete draft module material 2 weeks before the next TF meeting and mail it to TERENA (deadline 12 September 2001). Status: open; new deadline 28 October 2001.
Action 3-09 (TERENA Secretariat): Put the training material in a password protected area of the web server. Status: open; new deadline 5 November 2001.
Action 3-10 (Karel Vietsch & Andrew Cormack): Draft a proposal to the Commission regarding the funding of a CSIRT training workshop. Status: ongoing; to be submitted before the 17 October deadline.
Action 3-11 (TERENA): Organise training workshop logistics. Status: superseded by new Action 4-1.
Action 3-12 (Andrew Cormack): Draw up the training workshop programme and act as Programme Chair. Status: superseded by new Action 4-1.

4. ‘Trusted Introducer’ Pilot Service

4.1. Presentation of the new TI Review Board

Karel reported on the election of the new TI Review Board. As recommended at the last TF-CSIRT meeting, the new Board is formed mainly of Level 2 teams together with representatives of TERENA and TF-CSIRT. It has 5 members (http://www.ti.terena.nl/board.html):
* Andrew Cormack, JANET-CERT
* Jacques Schuurman, CERT-NL
* Jimmy Arvidsson, Telia CERT
* Gorazd Bozic, TF-CSIRT chair
* Karel Vietsch, TERENA

The first meeting of Level 2 teams was held yesterday. The question arose what more TI could do for Level 2 teams, and which further activities Level 2 teams could undertake together. It was decided to establish a mailing list for Level 2 teams to discuss this and other suggestions.

4.2. Status report - Don Stikvoort, Stelvio

Don Stikvoort presented the current status of and recent developments at the Trusted Introducer. The ‘Trusted Introducer’ Pilot Service has now been running for more than one year. At the time of the report (28 September 2001) 63 CSIRTs were known in Europe and listed by TI as Level 0 teams (http://www.ti.terena.nl/teams/level0.html). The directory of Level 1 teams (teams that have applied for Level 2 accreditation) contains 5 teams, and there are currently 14 Level 2 teams; up-to-date information about them may be found at http://www.ti.terena.nl/teams/level2.html. It is important that TI is not limited to the TERENA constituency. Don described the TI process and revisited the current mission statement. He explained that maintenance is a very important element of the TI service, because the information about known teams changes constantly; it is also important to look out for new CSIRTs appearing in Europe.
If TI moves to a permanent service, independent of TERENA financial support, it will continue to offer distinct services:
* Directory of Level 0 teams: public resource
* Accreditation process: public information
* Trusted resources about and for Level 2 teams: an additional service for accredited Level 2 teams paying a membership fee

Damir Rajnovic proposed checking the old EuroCERT database of addresses and contacts. Don Stikvoort and Andrew Cormack clarified that this database had already been incorporated into TI's directory of Level 0 teams.

5. Training Workshop for New (Staff of) CSIRTs and EC Project Proposal, Andrew Cormack

Andrew gave an update on the plans for developing training courses for new (staff of) CSIRTs. The team of training course editors worked over the summer to complete the set of training materials, which will provide basic information about CSIRT work in incident response together with basic technical information on computer security, computer break-ins and system recovery. The team committed to completing all work within one month of this meeting. It is suggested that TERENA will hold the copyright on the course materials, though some issues still need to be clarified. Over the last weeks Andrew and Karel have been writing a project proposal titled "TraCER - Training on Computer Emergency Response", to be submitted to the European Commission before the deadline of the next Call on 17 October 2001. Andrew outlined the main features of the proposal:
* a project description of 15 pages
* training materials consisting of 5 modules (organisational, operational, legal, technical and vulnerabilities)
* a budget that includes costs for presenters and promotion/advertisement expenses
* one review of the course material halfway through the project
* 6 workshops delivered over the project duration of 3 years
The proposal will be completed next week and delivered to the EC before the deadline of 17 October 2001. Although funding may become available only after Easter, the intention is to hold a first rehearsal in the form of a 2-day try-out training workshop for 10-20 people adjacent to the next TF-CSIRT meeting.

Action 4-1. Andrew Cormack to organise a first try-out workshop around the next TF-CSIRT meeting on 24-25 January 2002 in Stockholm.

6. Relations with the CEC and funding possibilities

Karel gave an overview of EC documents related to security issues in the context of the eEurope Action Plan and recalled the history of communication between the TF-CSIRT delegation and the Commission:

1) The eEurope initiative was launched by the CEC in December 1999 (http://europa.eu.int/information_society/eeurope/news_library/pdf_files/initiative_en.pdf). The eEurope Action Plan followed in June 2000 (http://europa.eu.int/information_society/eeurope/action_plan/actionplantext/index_en.htm). These documents outlined measures for building the Information Society in Europe, including information security issues. The first meeting between CEC officials and TF-CSIRT representatives on the eEurope 2002 Action Plan took place in Brussels on 16 November 2000. A briefing paper had been prepared and was presented at the meeting. The meeting was considered useful, and a response letter was sent to the Commission on 29 November 2000. This stage of communications with the Commission was reported at the 2nd TF-CSIRT meeting in Barcelona (http://www.terena.nl/task-forces/tf-csirt/tf-csirt010119minutes-draft.html, item 8).
2) A subsequent Communication from the EC, "eEurope 2002: Creating a Safer Information Society by Improving the Security of Information Infrastructure and Combating Computer-related Crime", was published on 26 January 2001 (http://europa.eu.int/ISPO/eif/InternetPoliciesSite/Crime/CrimeCommEN.html); this document is mostly oriented towards law makers. The EC organised a workshop on the security of information infrastructures on 2 February in Brussels, attended by some TF-CSIRT members. Some specific actions were proposed by the Commission, e.g. a European Information Security Observatory, which was received very negatively by the meeting. Another meeting of a TF-CSIRT deputation with Commission officials took place in Brussels on Friday 23 February. Reports were sent to the cert-coord mailing list.

3) A further Communication from the EC, "Network and Information Security: Proposal for a European Policy Approach", was published on 6 June 2001 as the EC's response to the Stockholm European Council meeting of 23-24 March 2001 (http://europa.eu.int/eur-lex/en/com/cnc/2001/com2001_0298en01.pdf). This document gives an overview of security threats and outlines the Commission's proposed measures to improve security on the Internet. One of the key issues discussed is awareness raising. The document introduces the concept of EWIS (European Warning and Information System). The Commission proposes to launch discussions with industry, users and data protection authorities on the practical details of implementing the proposed actions. The deadline for comments was the end of August 2001. The document has been discussed on the cert-coord mailing list, and at the meeting it was asked again why the document mentions neither the existing European CERTs/CSIRTs nor the previous experience with EuroCERT and the current activity of TF-CSIRT.
Karel pointed out that the Commission seems to assume that each country has a National CERT, rather than CERTs working for government, networks or other constituencies. Michael Knights of King's College London added that the Commission is indeed considering the advantages and disadvantages of regional or national CERTs. Claudia Natanson observed that the Commission wants to be involved (having realised that the Internet is not just a toy but a serious matter) but is limited to two instruments: actions on member states, or project proposals. In this context, in May 2001 the Commission invited interested commercial companies and SMEs to cooperate in working out a viable structure for improving infrastructure security on the Internet in Europe. This has resulted in the submission of research project proposals in the form of a Centre of Excellence for SMEs that will look closely at SME-related security issues (including PKI for SMEs, the healthcare industry, etc.). Two project proposals will be submitted before the 17 October deadline: one called SEBEM and one in the area of health care. Claudia agreed to present these project proposals at the next TF-CSIRT meeting if they are accepted by the Commission. Karel was asked to contact the Commission and organise another meeting between EC representatives and a TF-CSIRT delegation. Andrew Cormack, Don Stikvoort, David Parker, Jacques Schuurman, Wilfried Woeber, Claudia Natanson and Gilles André expressed interest in participating in that meeting.

Action 4-2. Claudia Natanson to present the project proposals at the next TF-CSIRT meeting, if they are accepted by the Commission.
Action 4-3. Karel Vietsch to contact the Commission and organise a meeting between EC representatives and a TF-CSIRT delegation.

7. Report on IRTContact entry in RIPE NCC Database by Wilfried Woeber

Wilfried briefed the meeting on the status of the proposal to include an IRTContact entry in the RIPE NCC Database and the progress made so far. Wilfried coordinated this activity, which relates to Deliverable D in the TF-CSIRT Terms of Reference (http://www.terena.nl/task-forces/tf-csirt/tf-csirts-tor.html). He outlined the main stages of the process:

1) The first detailed discussion about a "Security Contact entry in the RIPE database" took place in Barcelona at the 2nd TF-CSIRT Seminar, where he was mandated to present the project to the RIPE community.
2) During IETF51 in London, a group of three people (Andrei Robachevsky, Wilfried Woeber, Yuri Demchenko) met to discuss details (e.g. query interface, access policy, key management); as a result the final proposal was drawn up and posted to the cert-coord mailing list in August 2001 (see http://www.terena.nl/tech/task-forces/tf-csirt/docs/irtobject-ripencc.txt).
3) To proceed further, the proposal must be approved at the next RIPE meeting, RIPE40 in Prague; the proposal has already been discussed with the RIPE NCC Database department, which is ready to put this development into its work plan.
4) After the implementation phase, the remaining issue will be marketing and promotion of the new IRTContact entry's use by ISPs.

When asked about possible use of the new IRTContact entry by CSIRTs, Wilfried explained that information in the RIPE NCC Database may only be registered or changed by the ISP holding the particular IP address block, so any CERT wishing to be listed in the database must contact its constituency's ISP. It was noted that this creates uncertainties for CSIRTs that are not linked to a particular ISP, such as governmental CSIRTs.
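The lookup Wilfried describes, from an IP address to the team registered for its block, can be shown in code. The following is an added example, not part of these minutes or of the RIPE NCC proposal: it walks RPSL-style database objects the way a whois `-c` query does, finding the most specific inetnum that covers an address and following its mnt-irt: reference to an irt object. The object layout used here (inetnum:, mnt-irt:, irt:, abuse-mailbox:, e-mail:) is the shape the RIPE Database irt object eventually took and is an assumption on my part rather than something taken from the 2001 proposal text; the records are constructed sample data, not real registrations. The bulk helper at the end collects every irt reference on blocks overlapping a range, which needs the whole object set rather than a per-address query.

```python
"""Resolve the incident-response contact for an IPv4 address from RPSL-style
RIPE Database objects. Added example with constructed data (not registry
output); the attribute names below are the later RIPE irt object layout and
are assumed, not taken from the 2001 TF-CSIRT proposal."""
import ipaddress
from typing import Dict, List, Optional, Tuple

RpslObject = Dict[str, List[str]]

# Constructed sample database. The customer assignment carries no mnt-irt:;
# the reference lives on the ISP allocation above it, so a lookup must walk
# upwards, which is exactly why a CSIRT depends on its ISP to be listed.
SAMPLE_DB = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-CUSTOMER
mnt-by:         EXAMPLE-ISP-MNT
source:         RIPE

inetnum:        192.0.2.0 - 192.0.3.255
netname:        EXAMPLE-ISP
mnt-by:         EXAMPLE-ISP-MNT
mnt-irt:        IRT-EXAMPLE-CERT
source:         RIPE

irt:            IRT-EXAMPLE-CERT
address:        Example CERT (constructed)
e-mail:         cert@example.net
abuse-mailbox:  abuse@example.net
encryption:     PGPKEY-00000000
auth:           PGPKEY-00000000
mnt-by:         EXAMPLE-ISP-MNT
source:         RIPE

inetnum:        198.51.100.0 - 198.51.100.255
netname:        NO-IRT-EXAMPLE
mnt-by:         OTHER-MNT
source:         RIPE
"""


def parse_rpsl(text: str) -> List[RpslObject]:
    """Split blank-line separated RPSL objects into attribute dicts.
    Attributes may repeat (several mnt-irt: lines), so values are lists."""
    objects: List[RpslObject] = []
    current: RpslObject = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def inetnum_bounds(obj: RpslObject) -> Tuple[int, int]:
    """Turn 'a.b.c.d - e.f.g.h' into integer bounds (IPv4 only here)."""
    start, end = (s.strip() for s in obj["inetnum"][0].split("-"))
    return int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))


def find_irt(db_text: str, ip: str) -> Optional[Tuple[str, str]]:
    """Return (irt handle, contact address) from the most specific inetnum
    covering `ip` that carries an mnt-irt: reference, walking up to less
    specific blocks; None when no covering block references an irt object."""
    objects = parse_rpsl(db_text)
    addr = int(ipaddress.IPv4Address(ip))
    irts = {o["irt"][0]: o for o in objects if "irt" in o}
    covering = []
    for o in objects:
        if "inetnum" in o:
            lo, hi = inetnum_bounds(o)
            if lo <= addr <= hi:
                covering.append((hi - lo, o))
    covering.sort(key=lambda item: item[0])  # smallest block first
    for _, block in covering:
        for handle in block.get("mnt-irt", []):
            irt = irts.get(handle)
            if irt is not None:
                # abuse-mailbox: is meant for incident reports; fall back to
                # the team's general e-mail: when it is absent.
                contact = irt.get("abuse-mailbox") or irt.get("e-mail")
                return handle, (contact[0] if contact else "")
    return None


def irts_for_range(db_text: str, cidr: str) -> List[str]:
    """Bulk variant: every irt handle registered on inetnums overlapping
    `cidr`. Needs the full object set, unlike a per-address whois query."""
    net = ipaddress.IPv4Network(cidr)
    q_lo, q_hi = int(net[0]), int(net[-1])
    handles = set()
    for o in parse_rpsl(db_text):
        if "inetnum" in o and "mnt-irt" in o:
            lo, hi = inetnum_bounds(o)
            if lo <= q_hi and hi >= q_lo:
                handles.update(o["mnt-irt"])
    return sorted(handles)


if __name__ == "__main__":
    for probe in ("192.0.2.10", "198.51.100.7"):
        print(probe, "->", find_irt(SAMPLE_DB, probe))
    print("192.0.2.0/23 ->", irts_for_range(SAMPLE_DB, "192.0.2.0/23"))
```

The walk from the most specific block upwards is what makes the registration policy matter: a team's own assignment need not carry the reference as long as some enclosing block registered by its ISP does, and a block whose holder registered nothing (the 198.51.100.0/24 case here) yields no contact at all.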
Another limitation of the database is that it does not allow bulk information access, which may be needed when a CSIRT wants to obtain the list of contacts for a specific IP range (e.g. one covering its constituency). Such cases may, however, be handled by special agreement with the RIPE NCC.

Action 4-4. Wilfried to present the IRT Contact proposal to the Database WG at the next RIPE40 meeting in Prague.
Action 4-5. TERENA Secretariat and Wilfried Woeber to prepare a proposal on promoting the use of IRTContact information in the RIPE NCC Database by ISPs and CSIRTs.

8. Update on FIRST Activities, David Crochemore

David Crochemore gave a short summary of the FIRST-13 Conference in Toulouse, where he chaired the Programme Committee. The conference was well attended by European CSIRTs and the majority of presentations were given by Europeans, including presentations about TF-CSIRT by Gorazd Bozic and about the pilot Trusted Introducer service by Don Stikvoort; two BoFs were organised by TF-CSIRT, on IODEF and on CSIRT workflow management. He regretted that not a single tutorial was given by a European lecturer. David informed the meeting about the 14th Annual Computer Security Incident Handling Conference, which will take place on 24-28 June 2002 in Hawaii. The conference will discuss the most recent practical issues in computer and network security, focusing on incident response. Details can be found at http://www.first.org/conference/2002/. David distributed the Call for Papers and invited TF-CSIRT members to submit papers and tutorials.

9. IODEF/ITDWG update - Jan Meijer

Jan presented a summary of the IODEF WG meeting that took place on Wednesday and Thursday. The WG discussed an update to the IODEF WG Charter, mostly concerning new deliverables and the timetable. The Charter will be updated shortly after the meeting; a request for comments will be sent to the cert-coord and iodef mailing lists.
Two WG deliverables are expected to be published as Informational RFCs: the IODEF Data Model and XML Document Type Definition (to be published on the IODEF mailing list shortly after the meeting) and the IODEF Usage Guide (to be drafted later). It was also decided that, before going public, the proposed IODEF Data Model and XML DTD should be reality-checked against typical incident reports. Jan will collect anonymised incident reports from the CSIRTs that volunteered to contribute and will prepare a report on completeness and possible changes to the IODEF Data Model and XML DTD. This will be a separate IODEF WG action with a deadline of mid-November. The updated IODEF Data Model and XML DTD document is expected to be submitted to the IETF in December 2001; Yuri Demchenko will continue as its editor. A draft proposal on the content of another IODEF document (IODEF Management Summary or IODEF Usage Guidelines), intended to help CSIRTs implement IODEF, will be discussed later on the IODEF mailing list; Jimmy Arvidsson will act as editor of that document. Two more actions were agreed at the meeting: to organise a BoF at IETF52 to discuss the future development of IODEF within the IETF, and to present the IODEF work at the next FIRST Workshop in February 2002. Jan also informed the meeting that the pilot project on implementing IODEF at two CSIRTs (JANET-CERT and CERT-NL) started in September. The project aims to design an IODEF gateway to the Remedy-based incident handling system used by both CSIRTs, and to develop reusable software modules (an IODEF API and an IODEF XML library) that allow incident information to be exchanged in IODEF format.

Action 4-6. Jan to update the IODEF WG Charter and send a request for comments to the IODEF mailing list.
Action 4-7. Yuri to publish the current pre-draft version of the IODEF Data Model and XML DTD document on the IODEF mailing list.
Action 4-8. IODEF WG to request a BoF at the next IETF52 in Salt Lake City.
Action 4-9. Jan to present the IODEF work at the next FIRST Workshop in February 2002.

10. Clearinghouse for Incident Handling Tools: Questionnaire and follow-on activity by Yuri Demchenko

Yuri Demchenko informed the meeting about the current status of the questionnaire. Since his last report at the 3rd TF-CSIRT meeting in Ljubljana, 5 more responses have been received, bringing the total to 10. This sample already allows some conclusions about CSIRTs' views of and expectations from the Clearinghouse:

1) Main groups of tools used by CSIRTs in their practice:
* Data/evidence collection (forensics): 60% of respondents
* Incident investigation: 60%
* Incident tracking and reporting: 80%
* Proactive tools: 80%

2) Expected Clearinghouse components:
* List of tools (forensic, investigative, proactive, data recovery, tracking, etc.): 100%
* Repository/archive of popular tools: 50%
* Description/use of tools: 80%
* Collection/repository of incident handling procedures (forensic, recovery, investigative): 60%

Yuri summarised his overall impression that CSIRTs see a Clearinghouse as a useful resource and endorse its further development. However, further work on the Clearinghouse needs to be taken over by a dedicated team of CSIRT representatives in the form of a (tentatively named) CHIHT Working Group. Andrew Cormack of JANET-CERT and Marco Thorbruegge of DFN-CERT volunteered to take over this activity for the benefit of the CSIRT community; Yuri will participate on behalf of the TF-CSIRT Secretariat.

Action 4-10. CHIHT WG to report to the next TF-CSIRT meeting on deliverables and timetable.

11. Report on yesterday's Seminar Sessions: summary conclusions and follow-up actions

The seminar programme this time was mostly arranged by the local hosts, JANET-CERT and BT CERTCC. It was agreed that this practice was very positive and that the seminar as a whole was successful. Yuri asked all seminar contributors to send their presentation materials to him so that they can be made available on the TERENA web server. Because several accompanying meetings are expected before and during the next TF-CSIRT meeting, Gorazd asked everyone planning other meetings around the two-day TF-CSIRT programme to inform the local organiser and the TF-CSIRT Secretariat of their plans, to allow proper scheduling.

12. Other Work Items

12.1. Encouraging and Assisting the Establishment of new CSIRTs: presentation of RU-CERT by Mikhail Ganev

Mikhail Ganev gave a presentation about RU-CERT. He started with its history and explained the current status of RU-CERT, which now employs 4 part-time staff. RU-CERT's web site (http://www.cert.ru/eng/) is mostly in Russian, but contact information and incident reporting pages are also available in English. He answered questions from the audience. His presentation is available from the meeting proceedings page at http://www.terena.nl/task-forces/tf-csirt/docs/RU-CERT_manchester.html. Finally, Gorazd expressed the meeting's common opinion in welcoming the RU-CERT team to the TF-CSIRT community.

12.2. Legal Issues and Relations with Law Enforcement Agencies (UK - Andrew Powell)

Andrew Powell presented his findings on existing regulations and studies concerning legal issues and relations with law enforcement agencies. One of the documents mentioned was the study "Legal Aspects of Computer-related Crime in the Information Society - COMCRIME", prepared by Prof. U. Sieber of the University of Würzburg under contract with the European Commission. The final report is available at http://europa.eu.int/ISPO/legal/en/crime/crime.html.
Andrew mentioned that direct contact with the study's author would be useful. Klaus Moeller said that he can arrange contact with Prof. U. Sieber via DFN. Another document that Andrew found is an Interpol manual, which is available to TF-CSIRT members on request. The essential part of this manual is a table, by type of crime, of the related legislation in European countries.

Action 4-11. Klaus Moeller to contact the COMCRIME study's authors via DFN.

13. Dates and Locations of the next meetings of TF-CSIRT

* 5th Meeting: 24-25 January 2002, hosted by Telia in Stockholm, Sweden
* 6th Meeting: 23-24 May 2002, hosted by DK-CERT in Copenhagen, Denmark

14. Any Other Business

Karel Vietsch informed the meeting about the next TERENA Networking Conference, TNC2002, which will take place in Limerick, Ireland on 3-6 June 2002. The Call for Papers is published at http://www.terena.nl/tnc2002/CfP.html. Karel invited interested TF-CSIRT members to submit papers. There will also be an opportunity to present recent developments in TF-CSIRT as a short presentation in a special session of the TERENA Technical Programme. Yuri mentioned that his request to the cert-coord list about an "early warning system for the TERENA community" returned diverse responses, but definite interest from some members. It was decided to prepare a discussion on this issue at the next TF-CSIRT meeting.

Action 4-12. TF-CSIRT Secretariat to prepare a discussion on "Early warning system for the TERENA community" (tentative title) at the next TF-CSIRT meeting.

15. New and Open Actions

Action 1-10 (all): Send pointers to legal information to Andrew Cormack. Status: ongoing.
Action 3-05 (Gilles André): Make an outline for a project proposal to the EC concerning secure emergency backup infrastructure for CSIRTs and software patents, and circulate it on the email distribution list.
Action 3-08 (Module editors): Complete draft module material and mail it to TERENA. Deadline: 28 October 2001.
Action 3-09 (TERENA Secretariat): Put the training material in a password protected area of the web server. Deadline: 5 November 2001.
Action 3-10 (Karel Vietsch & Andrew Cormack): Draft a proposal to the Commission regarding the funding of a CSIRT training workshop. To be submitted before the 17 October deadline.
Action 4-01 (Andrew Cormack): Organise a first try-out workshop around the next TF-CSIRT meeting on 24-25 January 2002 in Stockholm.
Action 4-02 (Claudia Natanson): Present the project proposals at the next TF-CSIRT meeting, if they are accepted by the Commission.
Action 4-03 (Karel Vietsch): Contact the Commission and organise a meeting between EC representatives and a TF-CSIRT delegation.
Action 4-04 (Wilfried Woeber): Present the IRT Contact proposal to the Database WG at the next RIPE40 meeting in Prague.
Action 4-05 (TERENA and W. Woeber): Prepare a proposal on marketing/promotion of the use of IRTContact information in the RIPE NCC Database.
Action 4-06 (Jan Meijer): Update the IODEF WG Charter and send a request for comments to the IODEF mailing list.
Action 4-07 (Yuri Demchenko): Publish the current pre-draft version of the IODEF Data Model and XML DTD document on the IODEF mailing list.
Action 4-08 (IODEF WG): Request a BoF at the next IETF52 in Salt Lake City.
Action 4-09 (Jan Meijer): Present the IODEF work at the next FIRST Workshop in February 2002.
Action 4-10 (CHIHT WG): Report to the next TF-CSIRT meeting on deliverables and timetable.
Action 4-11 (Klaus Moeller): Contact the COMCRIME study's authors via DFN.
Action 4-12 (TF-CSIRT Secretariat): Prepare a discussion on "Early warning system for the TERENA community" (tentative title) at the next TF-CSIRT meeting.

Appendix A.
List of Attendees

4th TF-CSIRT Meeting, 29 September 2001, Manchester

1. Rajnovic, Damir - PSIRT, Cisco Systems
2. Maj, Miroslaw - CERT POLSKA
3. Silicki, Krzysztof - CERT POLSKA
4. Glavor, Natasa - CARNet CERT
5. Monserrat, Francisco - IRIS-CERT
6. Malagón, Chelo - IRIS-CERT
7. Xarhoulacos, Steven - GRNET-CERT
8. Arvidsson, Jimmy - TeliaCERT
9. Thorbruegge, Marco - DFN-CERT
10. Schuurman, Jacques - CERT-NL
11. Meijer, Jan - CERT-NL
12. Natanson, Claudia - BT Ignite-Solutions
13. Wictorin, Torbjorn - SUNET-CERT
14. Stridh, Thomas - SUNET-CERT
15. Pohjolainen, Leila - FUNET CERT
16. Gustafsson, Pege - TeliaCERT
17. Stikvoort, Don - Stelvio/Trusted Introducer Service
18. Andre, Gilles - CERTA
19. Dupuy, Michel - CERTA
20. Enstad, Per Arne - UNINETT CERT
21. Etrich, Matthias - Deutsche Telekom-CERT
22. Moeller, Klaus - DFN-CERT GmbH
23. Bozic, Gorazd - SI-CERT
24. Cormack, Andrew - JANET-CERT
25. Crochemore, David - CERT Renater
26. Danho, Michelle - CERT Renater
27. Andersen, Preben - DK-CERT
28. Bivesand, Peter - SESIC
29. Roses, Stephane - Cert-IST
30. Lima, Francoise-Marie - MODCERT
31. Cecchini, Roberto - GARR-CERT
32. Dooley, Gary - Consignia
33. Kadylak, Mike - BT CERTCC
34. Graf, Christoph - SWITCH
35. Pomfret, Ian - BT CERTCC
36. Price, Gareth - BT Ignite - Solutions
37. Woeber, Wilfried - ACONet
38. Ganev, Mikhail - RU-CERT
39. Linde, Sergey - RU-CERT
40. Knights, Michael - King's College London
41. Bevilacqua, Matias - esCERT
42. Powell, Andrew - UNIRAS
43. Parker, Dave - UNIRAS
44. Nolan, Stephen - Dept. of Public Enterprise, Irish Government
45. King, Dave - Consignia
46. Vietsch, Karel - TERENA
47. Demchenko, Yuri - TERENA