Study on Current Status of Software Vulnerability Information Handling Scheme in the EU Region

Transcription

1 Study on Current Status of Software Vulnerability Information Handling Scheme in the EU Region Scheme in EU Region Programs and Initiatives Principal CERT Organizations April, 2007 INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN

2 Rheinstraße Darmstadt (Germany) Phone +49 (0)6151 / Fax +49 (0)6151 /

3 Management Summary This report presents the results of the Study on Current Status of Software performed by SIT on behalf of IPA. The report gives an overview of the current status of vulnerability handling schemes, strategies, programs and initiatives, and an overview of Computer Emergency Response Teams (CERTs) also called Computer Security Incident Response Teams (CSIRTs) in the EU region. The description of the CERT/CSIRT organizations of different European countries focuses on France, Germany, and the United Kingdom. The current situation and required further initiatives regarding vulnerability handling in the EU region can be summarized and classified by the following aspects: scope and complexity of vulnerability handling, lack of appropriate and standardized means of vulnerability handling, and the need for current and further initiatives. The security of communication networks, information systems, products, software, applications, data bases, and services is of increasing main concern for all areas of the society in the EU region, e.g. member states, governmental organizations, public administrations, research and educational institutions, businesses, and individuals. This situation is caused by several reasons, such as the technical and organizational complexity, wide dissemination of information and communication technology, increasing number of observed accidents, attacks and vulnerabilities to infrastructures, systems, software, applications and services, and the the effect of high financial damage and potential loss of user confidence. The deployment of security technologies, the provision of security management procedures, the execution of information campaigns and the initiation of research projects are the appropriate means to enhance network and information technology security. Currently many organizations, especially CSIRT organizations, exist in the EU region that are in charge of vulnerability handling. In addition many initiatives at the EU level as well as at national levels have been started in order to provide a set of security services for all sectors of the society. Comparing the tasks and activities of individual CSIRTs, it can be observed that they all provide quite similar services such as the following ones: Study on Current Status of Software iii

4 security advisory services, security advisory dissemination services, alert dissemination services, profiling services, advisory access/retrieval services, and value-added services, e.g. the use of intrusion detection systems, vulnerability scanning, patch update services, virus detection, firewall configuration services, remote server maintenance, administration, and patching. However, all these services offered, and tools used, are provided only or primarily to their own individual constituencies, i.e. organizations and customers. Detailed information about policies, procedures, technical and organizational aspects is closed as sensitive information to which only certain members have restricted access. From the global European viewpoint this situation has led to a situation that can be characterized by the following statements: big waste of work and resources, insufficient convergence of technologies including means of vulnerability handling, lack of clarity in standards and legal framework, and to a lack of cooperation on issues of interoperability. A single, common vulnerability handling scheme does currently not exist in the European region. First activities, done in this area, have been devoted to the development and standardization of the common advisory interchange format, and the so-called description and exchange formats including for example: intrusion detection, incident object, penetration testing, and vulnerability handling. Recently, further initiatives and activities have been launched at the European level as for example the establishment of the European Government CSIRTs Group EGC, the European Network Information Security Agency ENISA, and the creation of the European Task Force TF-CSIRT under the TERENA program in order to promote the collaboration between CSIRTs in Europe. Some of the main goals of TF-CSIRT are listed in the following set of tasks and activities: iv Study on Current Status of Software

5 provision of a forum for exchanging experiences and knowledge, organization of meetings and seminars for the exchange of experiences and the discussion of security issues, launching of pilot services for the European CSIRTs community, promotion of common and harmonized standards, concepts, schemes, and procedures for vulnerability handling, promotion of the development of sharable and harmonized data bases, and tools, assistance in creating new CSIRTs including the training of CSIRTs staff, and the coordination of joint initiatives, maintenance of a web-based clearing house for security software including free and commercial software, liaison with the Trusted Introducer joint initiative of European CSIRTs, and the investigation of the possibilities for collaboration with the international Forum of Incident Response and Security Teams (FIRST) organization, and other counterparts of TF-CSIRTs in other continents. Currently there are no concrete EU funded projects or initiatives for CERT related objectives or tasks. However the EC has recently proposed the following additional tasks for ENISA that may lead to new future projects: development of an appropriate data collection framework, including the procedures and mechanisms required to collect and to analyze EU-wide information on security incidents and consumer confidence, organization of the establishment of a strategic partnership between member states, the private sector and the research community to ensure the availability of data on the ICT security industry and on the evolving market trends for products and services in the EU region, and the clarification of the feasibility of the establishment of a European information sharing and alert system that provides information on threats, risks, alerts, and appropriate responses to existing and emerging security incidents to the European ICT security industry and the European market by means of a multilingual EU portal. Study on Current Status of Software v

6 Table of Contents Table of Contents List of Figures List of Tables Abbreviations and Acronyms vi ix x xi 1 Introduction 15 2 General Aspects of Security Issues 16 3 European Organizations and Programs European Network Information Security Agency ENISA Legal Framework Tasks Structure and Roles Activities Working Groups Ad-hoc Working Group on CERT Services Ad-hoc Working Group on Awareness Raising Ad-hoc Working Group CERT Cooperation and Support Ad-hoc Working Group on Risk Assessment and Risk Management Publications European Information Security Promotion Program European Government CSIRTs Group European Task Force-CSIRT Research and Development Programs 47 vi Study on Current Status of Software

7 4 CERT Organizations in the EU Region France CERTA Cert-IST CERT-LEXSI CERT-RENATER Germany Bürger-CERT CERT-Bund CERTBw CERTCOM CERT-Verbund CERT-VW ComCERT dcert DFN-CERT D-Grid CERT Services GNS-CERT HHU-CERT Mcert PRE-CERT RUS-CERT S-CERT Secorvo secu-cert SIEMENS-CERT T-Com-CERT Telekom-CERT WWU-CERT United Kingdom BT SBS BTCERTCC CITIGROUP E-CERT EUCS-IRT 79 Study on Current Status of Software vii

8 4.3.6 JANET-CERT MLCIRT MODCERT OxCERT Q-CIRT UNIRAS, NISCC, and CPNI Other European CERTs Austria Belgium Denmark DK-CERT CSIRT.DK KMD IAC Finland Italy CERT-IT GARR-CERT Netherlands AMC-CERT CERT-IDC CERT-KUN GOVCERT.NL CERT-RUG SURFnet-CERT CERT-UU KPN-CERT UvA-CERT Norway NorCERT UNINETT CERT Spain escert-upc IRIS-CERT Sweden SITIC SUNet CERT TS-CERT Switzerland 106 viii Study on Current Status of Software

9 5 References Contact Information and Links 111 List of Figures Figure 1: Scope and Complexity of Vulnerability Handling 17 Study on Current Status of Software ix

10 List of Tables Table 1: Documents of European Community Legislation 19 Table 2: Overview of Activities and Major Events 25 Table 3: Overview of main ENISA documents 29 Table 4: Overview of CERTs With SME Services 39 Table 5: Overview of Immediacy Rating 44 Table 6: Overview of Impact Rating 44 Table 7: Overview of Current Impact Rating 44 Table 8: European CERT Organizations 49 Table 9: FIRST Activities 53 Table 10: CERTA Informations and Documents 54 Table 11: Cert-IST Informations and Documents 58 Table 12: CERT-LEXSI Informations and Documents 59 Table 13: CERT-RENATER Information and Documents 61 Table 14: DFN-CERT Activities 70 Table 15: PRE-CERT Activities 73 Table 16: JANET-CERT Information and Documents 79 Table 17: OxCERT Information and Documents 81 Table 18: UNIRAS/NISCC Information and Documents 84 Table 19: CERT-IT Information and Documents 96 Table 20: GARR-CERT Information and Documents 97 Table 21: SURFnet Information and Documents 99 Table 22: CERT-UU Information and Documents 100 Table 23: KPN-CERT Information and Documents 100 Table 24: escert-upc Information and Documents 103 Table 25: IRIS-CERT Information and Documents 104 Table 26: SITIC Information and Documents 105 Table 27: International Links 111 Table 28: European Links 112 Table 29: Contact Information about European Organizations 113 Table 30: Japanese Links 113 Table 31: French Links 114 Table 32: Contact Information about French Organizations 115 Table 33: German Links 116 Table 34: Contact Information about German Organizations 119 Table 35: United Kingdom Links 121 Table 36: Contact Information about Organizations in the United Kingdom 122 Table 37: Links of Other European Countries 124 Table 38: Contact Information about Other European Countries 126 x Study on Current Status of Software

11 Abbreviations and Acronyms AFNOR AMC-CERT APCERT ARCEP ASCII ASP BITKOM BMBF BMI BMWA BMWI BSI BSI BT SBS BTCERTCC CAF CAIF CEA CEISNE CERT CERTA CERTBw CERT-IDC CERT-IT CERT-KUN CERT-UU CESG CIRCA CLG CMSI CNES CNI Association Français de Normalisation, French Standardization Body Academic Medical Center CERT, NL Asia Pacific Computer Emergency Response Team Autorité de Régulation des Communications Electroniques et des Postes, Regulatory Authority for Telecommunications and Post, FRA American Standard Code for Information Interchange, USA Application Service Provider Bundesverband Informationswirtschaft, Telekommunikation und neue Medien, GER Bundesministerium für Bildung und Forschung, Federal Ministry of Education and Research, GER Bundesministerium des Innern, Federal Ministry of the Interior, GER Bundesministerium für Wirtschaft und Arbeit, Federal Ministry for Economics and Labor, GER Bundesministerium für Wirtschaft und Technologie, Federal Ministry of Economics and Technology, GER British Standards Institute, UK Bundesamt für Sicherheit in der Informationstechnik, Federal Office for Information Security, GER British Telecommunications Secure Business Services, UK British Telecommunications CERT Co-ordination Centre, UK Common Advisory Format Common Advisory Interchange Format Commissariat à l'énergie atomique, National Institute for Nuclear Research, FRA Co-operative European Information Security Network of Expertise Computer Emergency Response Team Centre d'expertise gouvernemental de Réponse et de Traitement des Attaques informatiques, Governmental Expert Center for Responding to and Handling of IT Attacks, FRA Computer Emergency Response Team Bundeswehr (=Federal Army), GER CERT-Internet Data Center, NL Italian CERT CERT Katholiek Universiteit Nijmegen, NL CERT of the University Utrecht, NL Communications Electronics Security Group, UK Computer Incident Response Coordination Austria Communities and Local Government, UK Common Model of System Information, GER Centre National d Etudes Spatiales, National Space Agency, FRA Critical National Infrastructure, UK Study on Current Status of Software xi

12 CNRS CO CORDIS CPNI CSIRT CSIRT.DK CVE DAF DANTE DCSSI DEF Defra DFN DfT DGI DH DIDS DK-CERT DoS DTC DTI E-CERT ecirt EGC EISPP ENISA escert EU EUCS-IRT EWIS FICORA FIRST FSA FSIE GIP GOVCERT.NL HHU HMT HTTP ICT IDDEF IDS Centre National de la Recherche Scientifique, National Center for Scientific Research, FRA Cabinet Office, UK Community Research and Development Information Service, EU Centre for the Protection of National Infrastructure, UK Computer Security Incident Response Team Denmark CIRT Common Vulnerabilities and Exposures Deutsches Advisory Format, GER Delivery of Advanced Network Technology to Europe, FRA Direction Centrale de la Sécurité des Systèmes d'information, Central Directorate for Information Systems Security, FRA Description and Exchange Formats Department for the Environment Food and Rural Affairs, UK Deutsches Forschungs-Netz, German Research Network Department for Transport, UK D-Grid Initiative, GER Department of Health, UK Distributed Intrusion Detection Systems, SWE Danmark CERT, DEN Denial of Service Dynamic Trade Centre, UK-Scotland Department of Trade and Industry, UK Energis Computer Emergency Response Team, UK European CIRTs European Government CSIRTs Group European Information Security Promotion Programme European Network Information Security Agency Equipo de Seguridad para la Coordinación de Emergenciasen Redes Telemáticas, CERT organization, ES European Union University of Edinburgh Computer Service Incident Response Team, UK European Warning and Information System Forum Finnish Communications Regulatory Authority, FIN Forum of Incident Response and Security Teams Food Standards Agency, UK Financial Services Information Exchange, UK Groupement d Intérêt Public, FRA Government CERT of the Netherlands Heinrich-Heine-University Düsseldorf, GER Her Majesty s Treasury, UK Hyper Text Transfer Protocol Information and Communication Technologies Intrusion Detection DEF Intrusion Detection System xii Study on Current Status of Software

13 INRA INRIA IODEF IPA IPS ISDN ISP IST JPCERT/CC LEXSI MINEFI MLCIRT MODCERT MSPIE NCF NIS NISCC NLO NREN NSAC NSIE NSM NSSF OECD OJEU OSVDB OTRS OxCERT PDA PGP PIIE PSG PTDEF Q-CIRT RTD RTIR S/MIME SCADA SCSIE SGDN Institut National de la Recherche Agronomique, National Institute for Agricultural Research, FRA Institut National de Recherche en Informatique et en Automatique, National Institute for Research in Computer Science and Control, FRA Incident Object Description and Exchange Format Information-Technology Promotion Agency, JAP Intrusion Prevention System Integrated Services Digital Network Internet Service Provider Information Society Technologies, EU Japan Computer Emergency Response Team Coordination Center Laboratoire d'expertise en Sécurité Informatique, Laboratory of IT Security Expertise, FRA Ministère de l Économie, des finances et de l industrie, Ministry of Economics, Finance and Industry, FRA Merrill Lynch Computer Security Incident Response Team, UK Ministry of Defence CERT, UK Managed Service Providers Information Exchange, UK Nordiskt CERT-Forum Network and Information Security, EU National Infrastructure Security Co-ordination Centre, UK National Liaison Officers, EU National Research and Education Network, BEL National Security Advice Centre, UK Network Security Information Exchange, UK Nasjonal sikkerhetsmyndighet, National Security Authority, NOR National Standardization Strategic Framework, UK Organisation for Economic Co-operation and Development Official Journal of the European Union Open Source Vulnerability Data Base Open Ticket Request System University of Oxford CERT Personal Digital Assistant Pretty Good Privacy Pharmaceutical Industries Information Exchange, UK Permanent Stakeholders Group, EU Penetration Testing DEF QinetiQ Computer Incident Response Team, UK Research & Technology Development, EU Request Tracker for Incident Response, EU Secure/Multipurpose Internet Mail Extensions Supervisory Control and Data Acquisition SCADA and Control Systems Information Exchange, UK Secrétariat Général de la Défense Nationale, General Secretary for National Defense, FRA Study on Current Status of Software xiii

14 SIRIOS SIT SITIC SIZ SME SMTP SPIT STDR SUNet-CERT TERENA TESTA TF-CSIRT TI TRANSITS TS-CERT TSIE UKERNA UPC VDI VEDEF VoIP WARP WG-CS WLAN WWU XML System for Incident Response in Operational Security Fraunhofer Institute for Secure Information Technology Swedish IT Incident Centre Sparkassen-Informationszentrum Small and Media Enterprises Simple Mail Transfer Protocol SPam over Internet Telephony Standards and Technical Regulations Directorate, UK Swedish University Network CERT Trans-European Research and Education Networking Association Trans-European Services for Telematics between Administrations Task Force CSIRT, EU Trusted Introducer, EU Training of Network Security Incident Teams Staff TeliaSonera CERT, SWE Transport Services Information Exchange, UK United Kingdom Education and Research Networking Association Universitat Politècnica de Catalunya, Politechnical University of Barcelona, ESP Varslingssystem for Digital Infrastruktur, alert and early warning system for digital infrastructure, NOR Vulnerability and Exploit DEF Voice over IP Warning Advise and Reporting Point Working Group CERT Services, EU Wireless Local Area Network Westfälisch Wilhelms-University Münster, GER extended Markup Language xiv Study on Current Status of Software

15 1 Introduction This report presents the results of the Study on Current Status of Software. The report gives an overview of the current status of vulnerability handling schemes and strategies in the EU region, and an overview of CERT organizations of different European countries focusing on France, Germany, and the United Kingdom. The style of this document is a high level description of these schemes and its related topics such as engaged organizations, schemes, procedures, strategies, programs and initiatives. The topics of this document are Vulnerability Handling Schemes and CERT Organizations in the EU region. The focus of this document is concentrating on vulnerability handling schemes and CERT organizations in France, Germany, and the United Kingdom. Major items that have been investigated include the following aspects: existence of one or more vulnerability handling schemes, type of operating the schemes, categorization of vulnerability handling organizations, activities developed by vulnerability handling organizations, and cooperation among the vulnerability handling organizations. The document is structured into chapters on general aspects of security issues, European organizations and programs, and on CERT organizations in the EU region. The chapter on general aspects of security issues gives an introduction into the objectives, scope and complexity of vulnerability handling. The chapter on European organizations and programs provides an overview of main European organizations and initiatives related to vulnerability handling. The chapter on CERT organizations in the EU region summarizes the main objectives, roles, schemes, and vulnerability handling related activities of CERT organizations in France, Germany, the United Kingdom, and in a subset of other European countries. Study on Current Status of Software 15

16 2 General Aspects of Security Issues The security of communication networks, information systems, products, software, applications, data bases, and services is of increasing main concern for all areas of the society in the EU region, e.g. member states, governmental organizations, public administrations, research and educational institutions, businesses, and individuals. This situation is caused by several reasons, such as the technical and organizational complexity, wide dissemination of information and communication technology, increasing number of observed accidents, attacks and vulnerabilities to infrastructures, systems, software, applications and services with the effect of high financial damage and potential loss of user confidence. The deployment of security technologies, the provision of security management procedures, the execution of information campaigns and the initiation of research projects are appropriate means to enhance network and information technology security. Many of the difficulties and problems of information and communication technology are well known, such as: insufficient convergence of technologies, lack of clarity in standards and legal framework, lack of cooperation on interoperability, need for tools that handle vulnerabilities, and the need for more expertise in vulnerability handling. Within the European action plan a European warning and information system is envisaged with the aim to provide up-do-date information to EU citizens regarding the latest security issues in order to avoid or to reduce the potential damage that observed vulnerabilities might cause. Within the European Union there is currently no plan for a single organization for centralized activities regarding ICT security. The European Commission instead takes measures to an increased networking and cooperation between national CSIRT organizations. New vulnerabilities have to be observed on a daily basis. The security of communication networks, information systems, products and software can only be assured, if they are regularly upgraded or patched. Precise and timely information about new vulnerabilities and adequate counter-measures is usually provided in the form of so-called security advisories, issued by vendors for their 16 Study on Current Status of Software

17 own products and/or by CSIRTs for the products that are of interest to their constituencies. Computer Security Incident Response Teams (CERTs/CSIRTs) play a major role in the area of information communication technology security. Their tasks include the following activities: prevention of security breaches, limitation of the damage resulting from a violation, immediate recovery from a breach, provision of assistance to victims of attacks, execution of vulnerability assessments, awareness raising, and promotion of best practices. Currently, a high number of CERTs/CSIRTs already exist in Europe that provide security services. These services, however, cannot satisfy the needs of all users. The establishment of further incident management teams within organizations and the expansion of CERT communities and improvement of information sharing capabilities is needed and supported by EU activities. The cooperation between existing CERTs/CSIRTs with different scopes and constituencies is essential and has to be enforced. A main task for strong cooperation between CERT/CSIRTs is to increase the mutual trust between these teams, the promotion of best practices, and the harmonization of applied methods. These aspects regarding the current status of vulnerability handling schemes in the EU region have been illustrated in Figure 1 and will be discussed in the following chapters. Figure 1: Scope and Complexity of Vulnerability Handling EU Region Countries of Counter Measures V S U Tools E Adminstrations L I Education Research N Sectors of Society T E National CERTs Business Citizens I R L A I B Information Cooperations Exchange Schemes EU Initiatives Member States Study on Current Status of Software 17

18 3 European Organizations and Programs This chapter provides an overview of main European organizations and initiatives related to vulnerability handling, including the European Network Information Security Agency (see section 3.1), the European Information Security promotion Program see section 3.2), the European Government CSIRT Group (see section 3.3),the European Task Force CSIRT (see section 3.4), and new research and technologies development programs such as CORDIS and ICT research under the 7 th Framework Program (see section 3.5). 3.1 European Network Information Security Agency (ENISA) Legal Framework The European Network Information Security Agency (ENISA) has been established in order to support the development of a culture of security by ensuring a high and effective level of network and information security. In order to achieve this goal the agency shall enhance the capability of the community, the member states, and the business sector in order to prevent the occurrence of damages, and to address and respond to important network and information security issues. ENISA shall be enabled to provide assistance and to deliver advice to the commission for the purpose of updating and developing the legislation in the field of network and information security and its member states. ENISA is also responsible for the development of a high level of expertise, supported by national and community efforts, and shall use this expertise to stimulate a broad cooperation between organizations from the public and the private sectors. ENISA s tasks, as described in the 2005 work program, include the collection of best practices, the sharing of information and the facilitation of cooperation of different European initiatives that contribute to the achievement of a common level of security. ENISA has been established within the eeurope action plan as a new agency of the European Union in March 2004 based on the Regulation EC No 460/2004 of the European Parliament and of the Council (see [EC REG ENISA]). An overview of further requirements and regulations of the European Union related to the agency s field of operations is provided in Table Study on Current Status of Software

19 Table 1: Documents of European Community Legislation DOCUMENT ID DATE PURPOSE OF DOCUMENT Communication COM/2004/61/01 Communication COM/2004/0028 Regulation (EC) No 1882/2003 Regulation (EC) No 1645/2003 Resolution 2003/C 48/01 Proposal COM/2003/0063 Regulation (EC, Euratom) No 2343/2002 and Corrigendum Communication COM/2002/718 Decision 2002/627/EC Directive 2002/58/EC Regulation (EC, Euratom) No 1605/2002 and Corrigendum Directive 2002/19/EC Directive 2002/20/EC Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions: "Connecting Europe at high speed: recent developments in the sector of electronic communications" Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on unsolicited commercial communications or 'spam' European Parliament and Council: adapting to Council Decision 1999/468/EC the provisions relating to committees which assist the Commission in the exercise of its implementing powers laid down in instruments subject to the procedure referred to in Article 251 of the EC Treaty Council: amending Regulation (EC) No 2965/94 setting up a Translation Centre for the bodies of the European Union European Council: on a European approach towards a culture of network and information security European Parliament and Council: Establishing the European Network and Information Security Agency Commission: on the framework Financial Regulation for the bodies referred to in Article 185 of Council Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities Commission: The operating framework for the European Regulatory Agencies European Commission: establishing the European Regulators Group for Electronic Communications Networks and Services (Text with EEA relevance) European Parliament and Council: concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) Council: on the Financial Regulation applicable to the general budget of the European Communities European Parliament and Council: on access to, and interconnection of, electronic communications networks and associated facilities (Access Directive) European Parliament and Council: on the authorisation of electronic communications networks and services (Authorisation Directive) Study on Current Status of Software 19

20 DOCUMENT ID DATE PURPOSE OF DOCUMENT Directive 2002/21/EC Directive 2002/22/EC Resolution 2002/C 43/02 Communication COM/2001/0298 final Regulation (EC) No 1049/2001 Regulation (EC) No 45/2001 Directive 2000/31/EC Communication COM/2000/890 Directive 1999/93/EC Regulation (EC) No 1073/1999 and Corrigendum Directive 98/34/EC Directive 97/66/EC Directive 95/46/EC Regulation (EC) No 2965/ European Parliament and Council: on a common regulatory framework for electronic communications networks and services lays down the tasks of national regulatory authorities, which include cooperating with each other and the Commission in a transparent manner to ensure the development of consistent regulatory practice, contributing to ensuring a high level of protection of personal data and privacy, and ensuring that the integrity and security of public communications networks are ensured European Parliament and Council: on universal service and users' rights relating to electronic communications networks and services (Universal Service Directive) European Council: on a common approach and specific actions in the area of network and information security Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions - Network and Information Security: Proposal for A European Policy Approach European Parliament and Council: regarding public access to European Parliament, Council and Commission documents European Parliament and Council: on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data European Parliament and Council: on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce) Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions, creating a safer Information Society by improving the Security of Information Infrastructures and combating Computer-related Crime European Parliament and Council: on a Community framework for electronic signatures European Parliament and Council: concerning investigations conducted by the European Anti-Fraud Office (OLAF) European Parliament and Council: laying down a procedure for the provision of information in the field of technical standards and regulations European Parliament and Council: concerning the processing of personal data and the protection of privacy in the telecommunications sector. Directive repealed and replaced by Directive 2002/58/EC European Parliament and Council: on the protection of individuals with regard to the processing of personal data and on the free movement of such data Council: setting up a Translation Centre for bodies of the European Union 20 Study on Current Status of Software

21 3.1.2 Tasks The tasks of ENISA include the following activities: provision of advice and recommendations, execution of data analysis, support for awareness raising, support for cooperation by the EU bodies and member states building on national and community efforts, and the usage of expertise to stimulate the cooperation between actions from the public and private sectors. Among these and other activities, ENISA provides strong assistance to the commission and the member states regarding their communication with the industry in order to address security-related problems in hardware and software products. ENISA also takes care of the development of standards. It promotes risk assessment activities by the member states and interoperable risk management routines. ENISA also produces studies on security issues within public and private sector organizations. Information exchange and cooperation include the following items risk assessment and risk management, promotion of CERT cooperation, track standardization, promotion of best practices, and awareness rising. ENISA serves as a centre of expertise for both member states and EU institutions, to provide advice in Network and Information Security (NIS) matters. ENISA supports the capability of the member states, the EU institutions and the business sector to prevent, address and respond to network and information security problems. ENISA activities in this context are focused on: provision of advise and assistance for the commission and the member states on information security, addressing of security-related problems in hardware and software products in dialogue with the industry, collection and analysis of data on security incidents in Europe and emerging risks, promotion of risk assessment and risk management methods to enhance the capability to deal with information security threats, exchange of best practices in awareness-raising, cooperation between different organizations in the information security field, especially by developing public private partnerships with industry, and Study on Current Status of Software 21

22 tracking of the development of standards for products and services on network and information society. The main role of ENISA within Europe is to support the European market by enabling and promoting cooperations and the exchange of information related to network and information security within the European community for the benefits of its citizens, consumers, and the business and public sector organizations. ENISA shall become a center of expertise in security. The main tasks of ENISA include: support for the commission in the technical preparatory work for legislation related to network and information security, provision of services for member states, the business community and European institutions, development of high expertise related to network and information security, prevention, detection and solving of network and information security problems, sampling and analysis of information on known security incidents and emerging risks in Europe, raising security awareness, promotion of methods for risk assessment and risk management to cope with network and information security threats, promotion of the cooperation with the public and the private IT security sectors in Europe, cooperation with the industry to clarify security-related problems in hardware and software products, keeping track of the development of standards for products and services on network and information society, and the development of private-public partnerships with the industry in the area of IT security. ENISA will not only have the task of collecting information but will also play a strong advising role on decision making at the EU level. At the international level the agency can provide the necessary support for a stronger European positioning ensuring both security and data protection Structure and Roles It is essential for ENISA to establish, maintain and develop relationships with and between the EU bodies and member states. Acting as a center of excellence, ENISA is advising and assisting the EU bodies and member states through fostering the information exchange and cooperation between all stakeholders. Consequently, delegates for the EU member states, the commission, as well as stakeholders are therefore found in the organizational structure of the ENISA management board. 22 Study on Current Status of Software

23 Accordingly to the basic act the organizational structure of ENISA comprises an executive director, a management board, and a permanent stakeholders group. The executive director is in charge of managing the agency performing his duties independently. One main task is to establish a permanent stakeholders' group composed of experts representing the relevant stakeholders, such as Information and Communication Technologies (ICT) industry, consumer groups and academic experts in network and information security. The tasks of the management board include the: establishment of the budget, verification of its execution, adoption of the appropriate financial rules, establishment of transparent working procedures for decision making by the agency, approval of the agency's work program, adoption of its own rules of procedure and the agency's internal rules of operation, and the appointment and removal of the executive director. The management board is ensuring that the agency carries out its tasks under conditions which enable it to serve in accordance with the founding regulations. The board is composed of representatives from the member states, the commission, and of the stakeholders. It shall adopt the agency s internal rules of operation on the basis of a proposal created by the commission. The Permanent Stakeholders Group (PSG), currently composed of 30 high-level experts from all over Europe, is a group of leading experts that gives advice to the executive director in preparing a proposal for the agency's work program, and in ensuring the communication with the relevant stakeholders on all issues related to the work program. PSG members are appointed ad personally, and are selected solely on the basis of their special expertise in NIS. A complete list of the current PSG members and the internal rules of operation governing their work can be found in the documents [ENISA PSGL] and [ENISA PSGR] respectively. PSG advises the agency in order to achieve the following objectives: recognized group of European NIS interests in global cooperation, development of necessary relationships to forward European interests with a clearly defined role relative to the commission and to individual member states, European center of excellence in network and information security, trusted expert body whose opinion is regarded in key projects of both the public and private sectors, Study on Current Status of Software 23

24 3.1.4 Activities advanced driving force behind the creation, development and dissemination of trusted secure information security technology, enabling the consumers in both the public and private sectors to use digital technology without undue security risks, and recognized consultation center for the EU bodies and member states as well as for other international standardization and legislative bodies. In consultation with the PSG the executive director establishes so-called ad hoc working groups that in turn are composed of experts. These ad hoc working groups are addressing specific technical and scientific ICT security matters. ENISA has started its work on network and information security for the EU and the member states for which it provides advice in NIS-matters. For EU members or stakeholders ENISA may be a broker for advice on suitable contacts in the member states or the EU institutions. The agency can guide towards the best practice of a member state suitable for particular requests, or can direct to the responsible institution of each member state. Relevant organizations regarding NIS topics in all EU member states are listed in the document [ENISA NISA]. A summary of the activities of ENISA can be found in its general report [ENISA GR05]. The PSG is analyzing current and future network security threats and risks of both technical and non technical character. PSG has presented a visions document [ENISA VIS] as an input and an advice to the executive director of ENISA from the NIS stakeholders. For the current and foreseen security issues, the PSG analyses in detail a number of risks and threats of both technical character e.g., malware, worms, rootkits, botnets, identity theft, attacks on mobile and wireless networks, spam and SPIT, and of non technical character such as lack of security awareness, professionalism of cyber criminals, and increased reliance on the internet and network resources. ENISA is regularly co-organizing the training of network security incident teams. These courses deal with the operational, organizational and legal aspects of incident responses. Its target groups are professionals who either are members of existing computer security teams, or who are involved in the establishment of such a team within their organization. Courses may also be organized jointly with the Trans-European Research and Education Networking Association (TERENA) and/or the Forum for Incident Response and Security Teams (FIRST). ENISA supports knowledge sharing by conducting and/or participation in professional workshops on specific topics, such as the 24 Study on Current Status of Software

25 information security policy makers workshop: Brussels, Belgium, December 2005, CERTs and awareness raising workshop: Brussels, Belgium, December 2005, ENISA-BSI information security management days: Bonn, Germany, November 2005, Italian Information Security Seminar: Rome, Italy, November 2005, technological conference of "Polish Secure", Warsaw, Poland, 2005, regional seminar on cyber security: Riga, Latvia, May 2005, OECD working party on information security and privacy (WPISP),Seoul, South Korea, May 2006, or APCERT 2006 conference in Beijing, China An overview of main activities and events is provided in Table 2. Table 2: Overview of Activities and Major Events DATE ACTIVITY/EVENT LINK Communication and Multimedia Security Conference tml Co-organization of the ISSE conference Co-organization of the 2nd Awareness Raising dissemination workshop ENISA - Joint Research Centre (JRC) meeting with presentations of the JRC's and ENISA activities in NIS, to investigate synergies and possible future collaborations Joint Software and Service Development, Security and Dependability Workshop Publication of Awareness Raising Guide Mobile & Wireless Communications Summit Information Security Certificates _2nd_ar_dissemination_ws_2006.htm on=com_content&task=view&id=28&it emid=31&lang=en _press_2006_08_10_enisa_publishin g_awareness_raising_guide.htm /servlet/org.nkpap.visualizer.main?item =24 ficates.html Third DIMVA Conference ISSA conference Security and Privacy in Dynamic Environments Conference th WPISP Meeting Presentation of the ENISA General Report 2005 at the European Council's Working Party on d/brochure_iie_2006_rome.pdf 0,2340,en_2649_34255_ _1 _1_1_1,00.html Study on Current Status of Software 25

26 DATE ACTIVITY/EVENT LINK Telecommunications and Information Society Dutch Digibewust conference on e-security with discussions on the ENISA Work Programme for Baltic IT&T 2006 Forum Training of Network Security Incident Teams Third Annual Worldwide Security Conference, "Protecting People and Infrastructure: Achievements, Challenges and Future Tasks Information Security policy makers workshop European Network and Information Security Conference Readiness for Handling Network and Information Security Incidents First Pan-European ENISA - EU25 meeting with National Liaison Officers ENISA-BSI Information Security Management Days Identity Theft Seminar d=185 orum2006/main.nsf?opendatabase _news_2005_12_12_workshop_in_br ussels.htm _news_2005_11_18_1st_pan_europe an_enisa.htm /index.htm tml Working Groups Currently the following three working groups have been created and are operational: working group on CERT services, working group on risk management and risk assessment, and the working group on regulatory aspects of network and information security Ad-hoc Working Group on CERT Services The ad-hoc Working Group CERT Services (WG-CS), established in 2005, deals with issues that are related to the provision of security services, also called CERT services for specific categories or groups of users. In this context ENISA intends to provide information about measures for assuring an appropriate level of service quality in order to support these communities in their activities, and recommendations for the EU member states and the EU bodies regarding the coverage of specific groups of IT users with appropriate security services. 26 Study on Current Status of Software

27 The tasks of this group include the analysis of possible measures for the assurance of an appropriate level of quality for providing security services by CSIRTs and similar facilities (to be delivered in 2007), categorization of users and user groups for CERT services, provision of a list of the appropriate facilities needed for these services, and short-term and low-effort actions that are suitable to close some of the gaps in the coverage with security services observed in the gap analysis of the 2005 working group. The output of this group will include the following set of deliverables: inventory of publicly available sources for security information, revised list of CERT services, list of providers of CERT services such as CSIRTs, Warning Advise and Reporting Points (WARP), abuse teams, vendors, and a list of provided CERT services, list of categories of users or user groups of IT systems connected to the Internet, and user or user group specific tables listing the actions that support the active CSIRTs, WARPs, and abuse teams in serving their constituency, and an analysis of the expected outcomes of each proposed action. Current WG-CS members are experts from France, The Netherlands, Germany, Poland, Italy, Norway, United Kingdom, and Hungary Ad-hoc Working Group on Awareness Raising The main task of the ad hoc Working Group on Awareness Raising, established in 2005, is to support the agency in addressing particular matters in the awareness raising area regarding the following objectives: development of a customized information package including the description of selected target groups, their communication objectives, samples of messages, channels and benchmarking, recognition of information on good examples of European awareness raising programs and initiatives for the following priority target groups: silver surfers (citizens sector), Small and Media Enterprises (SMEs, economic sector), local government authorities (institutional sector), and media (other specific sector), and production of guidelines on the use and dissemination of the information package for member states. Study on Current Status of Software 27

28 The current output of the working group can be found in the deliverables, [ENISA RNISA] [ENISA ARSS], [ENISA ARSME], [ENISA ARM], and [ENISA ARLG] Ad-hoc Working Group CERT Cooperation and Support The main task of the special ad hoc Working Group CERT Cooperation and Support, established in 2005, is to support ENISA in the area of CERT co-operation regarding the following objectives: validation of an initial inventory on CERTs/CSIRTs in Europe and their services (drafted by ENISA), provision of information concerning on-going cooperation between existing CERTs/CSIRTs and similar organizations, recommendations for enhancing further cooperation between CERTs/CSIRTs, regarding relevant international and European organizations and their rules, gap analysis of CERT/CSIRT cooperation, best practice models for CERT/CSIRT cooperation methods for building trust in order to be able to participate in existing CERT networks, and the analysis of the needs for early warning cooperation systems, gap analysis of geographical and business areas that are not covered by CERT or similar organizations, provision of a checklist or guidelines on how to establish a CERT/CSIRT or a similar body, and the production of recommendations for training of skills for newly created CERTs/CSIRTs or similar bodies. The current output of the working group can be found in its report [ENISA WGR]. The establishment of and the cooperation between CERTs/CSIRTs is currently facilitated by several organizations and initiatives e.g. TERENA, FIRST, and the European Government CERT group (see section 3.3) Ad-hoc Working Group on Risk Assessment and Risk Management The ad-hoc Working Group on Risk Assessment and Risk Management, established in 2005, provides expertise in different existing risk assessment and risk management methods. The tasks of this working group include the following activities: production of an overview and a comparison of existing risk assessment and risk management methods, including the identification of important organizations in this area and their relationships, 28 Study on Current Status of Software