
On the CENTR’s 23rd working meeting on security issues

The 23rd CENTR Security Workshop was held on February 23. The main topics of the meeting were certification, audit, and recertification for compliance with ISO 27001; modernization of software and hardware infrastructure of registries; promotion and modernization of DNSSEC.

The question of how to motivate DNSSEC deployment was of particular interest to the participants. Daniela LALIŠOVÁ, a representative of the .SK registry (Slovakia), presented their discount system for registrars, which motivates them to implement DNSSEC. Thanks to this program, more than 50% of domains in the .SK zone use DNSSEC today. Dirk Jumpertz, a representative of the .EU (European Union) domain registry, shared his experience in implementing DNSSEC. He also noted that in such schemes it is important to carefully check that the DNSSEC implementation is correct and complete. Otherwise, unscrupulous registrars can submit an arbitrary DS record to receive the discount on a domain without actually having the rest of the DNSSEC components in place for it.
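One part of the control described above, as an added example that is not code from CENTR or any registry: checking that a submitted DS record corresponds to a zone-key DNSKEY actually published by the zone, using the digest and key tag rules of RFC 4034. The function names, the zone `example.test.` and the key bytes are constructed for illustration; a full check would also validate the RRSIG over the DNSKEY RRset.

```python
import hashlib

HASHERS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types handled here

def name_to_wire(name):
    """Canonical (lowercased) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS a registrant would derive honestly from its own DNSKEY."""
    digest = HASHERS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}

def ds_matches_dnskey(owner, ds, dnskeys):
    """True only if the DS points at a zone-key DNSKEY the zone publishes."""
    if ds["digest_type"] not in HASHERS:
        return False
    for rdata in dnskeys:
        if not rdata[0] & 0x01:          # Zone Key flag (value 256) must be set
            continue
        if rdata[3] != ds["algorithm"] or key_tag(rdata) != ds["key_tag"]:
            continue
        if make_ds(owner, rdata, ds["digest_type"])["digest"] == ds["digest"].lower():
            return True
    return False

# Constructed sample data, not real key material.
ZONE = "example.test."
KSK = dnskey_rdata(257, 15, bytes(range(32)))        # algorithm 15 = Ed25519
HONEST_DS = make_ds(ZONE, KSK)
ARBITRARY_DS = {"key_tag": 12345, "algorithm": 15,
                "digest_type": 2, "digest": "ab" * 32}

if __name__ == "__main__":
    print("honest DS accepted:   ", ds_matches_dnskey(ZONE, HONEST_DS, [KSK]))
    print("arbitrary DS accepted:", ds_matches_dnskey(ZONE, ARBITRARY_DS, [KSK]))
```

In practice the `dnskeys` list would come from querying the zone's authoritative servers for its DNSKEY RRset before the discount is granted.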

CENTR representative Polina Malaja described the most discussed aspects of NIS2/CER/DSA from the perspective of the domain industry. Participants also noted that the ISO 31000 and ISO/IEC 27005 risk management standards would require significant costs for European registries to rebuild their current models.

Dirk Jumpertz delivered the news on the TLD-ISAC (Information Sharing and Analysis Center) project, an initiative designed to unite the efforts of TLD registries in sharing information and analysis on cyber threats. He spoke about the benefits of participating in the project, its prospects, and its plans.

Tom Wouters, Registrar of Estonia .BE domain, told colleagues about a recently discovered vulnerability in Apache web server's Log4j Java logging utility. It allows malicious code to be injected into a vulnerable system using the Java Naming and Directory Interface (JNDI). He also shared the chronology of events from the discovery of the vulnerability up to the release of the update that closes it. In addition, he described the measures taken in the Belgian DNS to protect against this attack, including work on internal components and interaction with the participants of the system that encompasses the Belgian DNS.

Pascal Schulz was an invited specialist from Intigriti, a platform that brings together specialists and tools for ethical hacking, vulnerability search, and security threat analysis of various systems. In his report he covered the capabilities of the platform and described the Log4j vulnerabilities from Intigriti's perspective. He also described the actions they took to notify customers, the materials they prepared to help eliminate the vulnerabilities in customer systems, and ways to identify vulnerable systems.

Andreas Steyrer from the Austrian .AT Registry shared his experience in conducting an ISO 27001 Information Security Management System (ISMS) audit. He described how NIC .AT joined efforts with DENIC and SWITCH to develop an audit program and carry it out.

The meeting concluded with a presentation by Kristof Tuyteleers (.BE) announcing the next CENTR Member Security Maturity Model's (CM-SMM) study in 2022.
