CERTs hindered by lack of sharing, says EU agency

Computer emergency response teams are not sharing enough data, hampering global security responses to malware, according to the European Network and Information Security Agency

Computer emergency response teams around the globe often fall short on effective responses to cyber-threats by not sharing data about malware, according to European Union security advisory agency ENISA.

The main technical gaps in computer emergency response teams' (CERTs) response include a lack of standard formats, tools, resources and skills, ENISA said in a report on Wednesday.

"National CERT managers should... overcome identified shortcomings, by using more external sources of incident information, and additional internal tools to collect information to plug the gaps," said the agency's executive director Udo Helmbrecht in a statement.

ENISA polled 45 CERTs around the world about detection of network security incidents. The agency declined to name the teams that were polled.

CERTs do not always share information about security incidents, even when infections or attacks directly affect other CERTs' jurisdictions, ENISA operational security expert Agris Belasovs told ZDNet UK on Wednesday.

"Even if they detect incidents, not all CERTs share data with those CERTs whose constituencies are affected," said Belasovs.

Legal concerns, a lack of trust, or simply not knowing whom to contact may inhibit information-sharing, said Belasovs. "Some CERTs don't want to reveal they can detect such incidents," he said. "Many teams only share data with teams they have established trust relationships with."


One legal problem concerns privacy considerations across jurisdictions. An IP address is judged as personally identifiable information by the European Data Protection Supervisor, and informing a CERT about an infected computer using a certain IP address may contravene privacy laws in some jurisdictions.

Data that is provided may not be of sufficiently high quality and may contain false positives, ENISA said in its report. In addition, data about incidents may not be timely, and may rely on reporting mechanisms such as blacklists, which rapidly go out of date.

ENISA said on Tuesday that critical infrastructure organisations were not sufficiently prepared for threats such as Duqu, a type of information-stealing malware.
