Discussion flow
• What is a CERT?
• What is a CSIRT?
• Organizational role in incident response
• What to share and what not to share
• Expertise needed
• Reflections
What is a CERT?
A bit of history
• 1988 Internet Worm incident
– caused the very first CERT to be created
• CERT stands for:
– Computer Emergency Readiness Team
– Originally called “response team”
• Coordinated incident handling with other teams
– Hence called CERT/CC
• Funded by DARPA
• Located at CMU
• Done as a project of SEI (Network Systems Survivability programme)
Functions of CERT/CC
The change of need
• The Internet was not very commercially attractive in the 80s
– However, the 90s were a revolutionary time
– Ever since, growth has been exponential
– Consequence: an increase in attacks
– An underground economy emerged
• System & network admins alone cannot protect information assets
• Today, social networks have made it even worse
• Other concerns:
– General response vs. focus areas
– New regulations & focused regulations
The solution that emerged?
CSIRT?
The definition
Organizational role in incident response
What should it do?
How to decide
Need for expertise
• Incident management
– Very high level of expertise
• Prepare:
– to provide quick response to any risks, threats, or attacks
• Protect infrastructure
• Detect suspicious activities & events
• Triage:
– sorting, categorizing, correlating, prioritizing, and assigning incoming events, incident reports, vulnerability reports, and other general information requests
• Respond
– steps taken to address, resolve, or mitigate
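The five triage steps listed above (sort, categorize, correlate, prioritize, assign), as an added example that is not part of the original slides: a small Python script that categorizes constructed incident reports by keyword, correlates reports sharing an indicator, scores priority from severity and asset criticality, and assigns each report to a handling queue. The rule tables, queue names and sample reports are all constructed assumptions, not TechCERT's or any CSIRT's real procedure.

```python
from collections import defaultdict
# Constructed incoming reports (not real incidents); indicators are made up.
REPORTS = [
    {"id": "R1", "text": "Beacon traffic to bad.example from file server", "asset": "server", "indicators": ["bad.example"]},
    {"id": "R2", "text": "User reports phishing mail linking to bad.example", "asset": "workstation", "indicators": ["bad.example"]},
    {"id": "R3", "text": "Scanner found unpatched CVE on a test box", "asset": "workstation", "indicators": []},
    {"id": "R4", "text": "Request for guidance on password policy", "asset": "unknown", "indicators": []},
]
# Keyword rules, base severity, asset criticality and handling queue (all constructed).
CATEGORY_RULES = {"malware": ("malware", "beacon", "trojan"),
                  "phishing": ("phishing", "credential"),
                  "vulnerability": ("cve", "unpatched")}
SEVERITY = {"malware": 3, "phishing": 2, "vulnerability": 2, "request": 1}
CRITICALITY = {"server": 3, "workstation": 2, "unknown": 1}
QUEUE = {"malware": "ir-team", "phishing": "ir-team",
         "vulnerability": "vuln-mgmt", "request": "helpdesk"}

def categorize(text):
    """Return the first category whose keyword appears; else a general request."""
    lowered = text.lower()
    for category, keywords in CATEGORY_RULES.items():
        if any(k in lowered for k in keywords):
            return category
    return "request"

def correlate(reports):
    """Map each report id to the other report ids sharing an indicator."""
    by_indicator = defaultdict(set)
    for r in reports:
        for ioc in r["indicators"]:
            by_indicator[ioc].add(r["id"])
    related = defaultdict(set)
    for ids in by_indicator.values():
        for rid in ids:
            related[rid] |= ids - {rid}
    return {r["id"]: sorted(related[r["id"]]) for r in reports}

def prioritize(report, category, related_count):
    """Severity times asset criticality, plus a bump (max 2) for correlated reports."""
    return SEVERITY[category] * CRITICALITY[report["asset"]] + min(related_count, 2)

def triage(reports):
    """Categorize, correlate, prioritize and assign; highest priority first."""
    related = correlate(reports)
    rows = []
    for r in reports:
        cat = categorize(r["text"])
        rows.append({"id": r["id"], "category": cat, "related": related[r["id"]],
                     "priority": prioritize(r, cat, len(related[r["id"]])),
                     "queue": QUEUE[cat]})
    return sorted(rows, key=lambda row: (-row["priority"], row["id"]))
```

Running `triage(REPORTS)` puts the server-side beacon first because it combines the highest severity, the most critical asset and a correlation with the phishing report that shares its indicator.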
Technical response actions
• Analysing the event or incident information, data, and supplemental material
– log files, malicious code, or other artifacts
• Researching corresponding mitigation strategies and recovery options
• Developing advisories, alerts, and other publications
– to provide guidance and advice for resolving or mitigating the event or incident
Technical response actions (cont.)
• Controlling any ongoing malicious activity
– make appropriate changes to the infrastructure
– e.g.
• disconnecting affected systems from the network
• changing security configurations
• filtering ports, services, IP addresses, or packet content
– The above may involve:
• firewalls, mail servers, routers, or other devices
• Eradicating or cleaning up any malicious processes and files
• Repairing or recovering affected systems
Reflections
• CERTs have become vital for critical businesses
– CSIRTs will also help within their constituency
• Business operations are mostly within a constituency
– However, business scope spans across constituencies
• Threats come from outside constituencies
– hence, many incidents span constituencies
• Who can and will handle them?
• Can everyone set up CSIRTs/CERTs?
Thank you
Shantha & Chandana
Chartered Engineers
Senior Lecturers, Dept. of CSE, University of Moratuwa
Consultants, TechCERT
Q&A