CARNet CERT
8th TF-CSIRT meeting
January 23rd 2003, Zagreb
23.01.2003 8th TF-CSIRT meeting, Zagreb 2/16
CARNet – Croatian Academic and Research Network
• In 1991 - CARNet initiated as a Ministry of Science and Technology project
• In 1995 - CARNet institute established
• Funded by the Ministry of Science and Technology
CARNet backbone
CARNet network, international link
CARNet network
• 169 faculties, research and other academic institutions connected to CARNet network
• Each institution’s system administrator serves as a security contact
• Dedicated security contacts at some larger institutions
CARNet CERT
• Established in 1996
• Currently three full-time employees
• Constituency is nationally based - .hr domain
CARNet CERT
• FIRST member since 1996
• TF-CSIRT participants
• TI – level 2 (accredited) team since September 2002
Cooperation with other teams
• CARNet CERT is currently the only CERT team in Croatia
• We act as a contact point to other providers and other security teams
• There are 10 ISPs in Croatia
• Close cooperation with ISPs’ abuse teams
Services we offer
• Announcements (vulnerability warnings and advisories)
• Vulnerability scanning on demand (limited only to CARNet affiliates)
• Publishing security related documents
• Incident response
• Incident response support
• Incident response coordination
Handling incidents
• Incident handling according to priority
• Constant improvement of our “home made” incident tracking system
• Automate tasks as much as possible
main incident_handling() {
    new_mail_arrived();
    if (mail_about_incident) {
        if (!(existing_incident || new_incident_reported_via_web)) {
            open_new_incident();
            send_mail(inc_reporter, confirmation);
        }
        coordinate_incident();
        if (incident_solved) exit();
    } else if (ask_for_advice) answer();
    else general_respond();
}

function coordinate_incident() {
    if (first_mail_on_that_incident) {
        find_contact_of_source_network();
        send_mail(attack_source, report_incident);
    } else respond_or_contact_other_side();
}
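The mail-driven part of the workflow above as a runnable Python sketch; this is an added example, not CARNet CERT's tracking system, and it leaves out web-reported incidents and the advice branch. Assumptions made here: replies are correlated by a `[CERT#n]` subject tag, a mail counts as an incident report when its body names an IPv4 address, the `CONTACTS` table stands in for a whois lookup, and the names `Tracker`, `find_contact` and `SAMPLE` are hypothetical.

```python
import email.utils
import ipaddress
import re

TAG = re.compile(r"\[CERT#(\d+)\]")            # assumed subject tag format
IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Constructed data: documentation address ranges and example.* mailboxes.
CONTACTS = {"192.0.2.0/24": "abuse@isp-a.example", "198.51.100.0/24": "abuse@isp-b.example"}
SAMPLE = "From: admin@uni.example\nSubject: port scan\n\nScans from 192.0.2.7 seen today.\n"

def find_contact(body):                        # abuse contact for the first known source IP
    for text in IP.findall(body):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:                     # e.g. 999.1.1.1 matches the regex
            continue
        for net, contact in CONTACTS.items():
            if addr in ipaddress.ip_network(net):
                return contact
    return None

class Tracker:
    def __init__(self):
        self.incidents, self.outbox = {}, []   # id -> state; queued (recipient, action)

    def handle(self, raw):                     # raw: one plain-text (non-multipart) mail
        msg = email.message_from_string(raw)
        sender, body = email.utils.parseaddr(msg["From"])[1], msg.get_payload()
        tag = TAG.search(msg["Subject"] or "")
        inc_id = int(tag.group(1)) if tag else None
        if inc_id not in self.incidents:       # no tag, or a number we never issued
            if not IP.search(body):            # assumed test for "mail about incident"
                self.outbox.append((sender, "general reply"))
                return None
            inc_id = len(self.incidents) + 1
            self.incidents[inc_id] = {"reporter": sender}
            self.outbox.append((sender, f"confirmation [CERT#{inc_id}]"))
        self.coordinate(inc_id, sender, body)
        return inc_id

    def coordinate(self, inc_id, sender, body):
        inc = self.incidents[inc_id]
        if "contact" not in inc:               # first mail: report to the source network
            inc["contact"] = find_contact(body) or "manual-lookup"
            self.outbox.append((inc["contact"], f"report [CERT#{inc_id}]"))
        elif sender not in (inc["reporter"], inc["contact"]):
            self.outbox.append(("manual-review", f"unverified sender [CERT#{inc_id}]"))
        else:                                  # relay between reporter and source contact
            other = inc["contact"] if sender == inc["reporter"] else inc["reporter"]
            self.outbox.append((other, f"follow-up [CERT#{inc_id}]"))
```

Calling `Tracker().handle(SAMPLE)` opens incident 1 and queues a confirmation to the reporter and a report to the source network's contact. A later mail that carries the tag but comes from neither party is queued for manual review instead of being relayed, since a subject tag alone is easy to forge.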
Incidents handled by CARNet CERT
[Chart: number of incidents per month (months 1-12) for the years 2000, 2001 and 2002]
Incident statistics
Types of incidents in 2002
• denial of service: 44
• mail relay: 12
• mail spam: 61
• unauthorized access: 44
• news spam: 5
• root account break in: 19
• port scanning: 143
• virus: 306
• other: 66
Incident statistics
Virus reports in 2002
• Opaserv: 33,6%
• Nimda/CodeRed: 24%
• Yaha: 15,8%
• Klez: 7,9%
• Bugbear: 4,65%
• Hybris-B: 4,65%
• Other: 9,4%
Questions, comments?
• http://www.CERT.hr
• [email protected]