Of particular value are sections 5 and 6. The first lists and evaluates a range of services to help identify new threats as early as possible, and tools that can combat those threats. The second provides a reasoned evaluation and recommendation of the top 5 services (data feeds) for the early detection of network security incidents. These include the Shadowserver Foundation, the Zeus/SpyEye Tracker and Google Safe Browsing Alerts. It also includes the top ‘must have’ tools under standard, advanced and ‘upcoming tools and mechanisms’. The last are client honeypots, sandboxes and passive DNS monitoring (all of which are more relevant to a CERT than an average company).
While this first part of the report discusses how to improve rapid awareness of new threats, the second part discusses the effective use of that information. Section 7 isolates and analyses the primary existing shortcomings for effective proactive detection of incidents; and gives recommendations on how to improve matters. Shortcomings range from false positives and poor timeliness to the inadequate correlation of existing data. Data protection and privacy laws also hinder data exchange between CERTs.
Section 8 makes recommendations on how to improve matters. ENISA could, it offers, “advise the relevant EU and national bodies on how to reach a balance between privacy protection and security provision needs and clarifying how sensitive security data can be shared between data providers, consumers and intermediaries such as national CERTs.”
Overall, the study concludes that CERTs are currently not using all available external sources to their best effect; and that they neither collect nor adequately share incident data about other constituencies with other CERTs. Lack of effectively sharing data is the key finding of the report, and comes at a time when security experts believe that data sharing is their biggest weapon in the fight against cybercrime. Cyberwarfare is asymmetric warfare in favour of the criminals, and incident sharing is considered the best way to rebalance the battlefield.
The message of the ENISA report almost exactly mirrors the UK’s new Cyber Security Strategy, which states that by 2015, private organizations will work “in partnerships with each other, Government and law enforcement agencies, sharing information and resources, to transform the response to a common challenge, and actively deter the threats we face in cyberspace.”