CERT-RO Romanian Approach in Cyber Security


Published on

Romanian Approach in Cyber Security

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

CERT-RO Romanian Approach in Cyber Security

  1. 1. CERT-RO Romanian Approach in Cyber Security Catalin PATRASCU catalin.patrascu@cert-ro.eu http://www.cert-ro.eu
  2. 2. About CERT–RO  COM (2010) 2020: Europe 2020 Strategy & COM (2010) 245: A Digital Agenda for Europe – Action area #3, Trust and Security: Member States should establish by 2012 a well-functioning network of CERTs at national level covering all of Europe  H.G. 494 / 2011 – Prevent, analyze, identify and react to cyber security incidents related to public IT&C infrastructure (not military, public safety, national security) – National contact point for similar structures – Elaborate and distribute public cyber security policies – Analyze technical and procedural problems within cyber infrastructures.
  3. 3. CERT-RO Partenrs
  4. 4. CERT-RO Services Proactive Reactive Support • Alerts on new threats and vulnerabilities that may affect national cyberspace. • Notices regarding the possibility of major cyber security incidents occurrence. • Study guides and documentation on recent developments in the field of IT & C. security. • Security assessment for partners (audits, network and application pentests etc.). • Alerts and warnings on the occurrence of major attacks preceding activities. • Alerts and warnings related to cyber security incidents occurrence. • Management of a database with national cyber security incidents. • Security incidents investigation and results dissemination. • Awareness activities for the government and partners. • Risk assessments • Support the partners in development of their own CERT teams. • Consulting services for securing critical infrastructures. • Development of the national policy and security strategy with partners.
  5. 5. Ticketing System CERT-RO uses Request Tracker for Incident Response (RTIR), a customised user interface which sits on top of Request Tracker (RT), a popular ticketing system. Everyday use of RTIR is through a web interface and does not require any additional software to be installed on the user’s machine. RT and RTIR are open-source projects supported by Best Practical Solutions LLC and can be obtained from the company website: http://bestpractical.com/rt/ - current stable release is RT 4.0.17 http://bestpractical.com/rtir/ - current stable release is RTIR 3.0.0
  6. 6. RTIR Interface - homepage
  7. 7. Incident Handling Workflow RTIR’s incident handling system relies primarily on e-mail. E-mail messages reporting incidents, called Incident Reports, are sent to an email address configured by CERT/CSIRT (alerts@cert-ro.eu). Messages that constitute on-going correspondence in the handling of a ticket include a number in the form [CERT-RO #34159] and are automatically appended to the corresponding RTIR ticket. All new messages that do not include a number in the form [CERT-RO #34159] are stored as new Incident Reports and appear in the New unlinked Incident Reports section of the RTIR homepage.
  8. 8. Incident Handling Workflow
  9. 9. Dealing with Structured Data Feeds CERT-RO receives daily reports (files with structured data) that together contain 50,000 to 100,000 records related to cyber security events. For that amount of data is needed an automated processing system. Currently we use an in house developed solution to automatically: • collect all data feeds; • store them in a relational database (MySQL); • perform data enrichment; • distribute alerts to the affected parties Right now we are working on adopting STIX (Structured Threat Information eXpression) - http://stix.mitre.org/, supported by MITRE, which is a collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information.
  10. 10. Report on cyber security alerts received by CERT-RO in the first 6 months of 2013
  11. 11. Report on cyber security alerts received by CERT-RO in the first 6 months of 2013 Number of alerts Number of unique IP’s
  12. 12. Advanced Persistent Threaths – APT’s In the first two months of 2013 where discovered two cyber espionage campaigns that targeted public institutions from Romania.  Red October (ROCRA) • Infection vector: email message with malicious document attached • Exploited vulnerabilities: CVE-2009-3129 (Excel), CVE-2010-3333 (Word), CVE-2012-0158 (Word)  MiniDUKE • Infection vector : email message with malicious document attached • Exploited vulnerabilities : exploit 0-day CVE-2013-0640/641 (Adobe Reader)
  13. 13. Conclusions Based on the analysis of data held by CERT-RO, it appears that computer science threats to the national cyberspace have diversified and evolutionary trends was observed, both in terms of quantity and in terms of technical complexity.
  14. 14. THANK YOU!