
CERTs & CSIRTs

What are they?

Shantha & Chandana

1
Discussion flow

• What is a CERT?
• What is a CSIRT?
• Organizational role in incident response
• What to share and what not to share
• Expertise needed
• Reflections

2
What is a CERT?

3
Bit of history
• 1988 Internet Worm incident
– caused the very first CERT to be created
• CERT stands for:
– Computer Emergency Readiness Team
– Originally called “response team”
• Coordinated incident handling with other teams
– Hence called CERT/CC
• Funded by DARPA
• Located at CMU
• Done as a project of SEI (Network Systems
Survivability programme)
4
Functions of CERT/CC

• Response to computer security incidents
• Providing security alerts
• Preparation of guidelines for:
– incident handling
– incident avoidance
• Conducting public awareness campaigns
• Facilitating research on computer security

5
The change of need
• The Internet was not very commercially
attractive in the 1980s
– However, the 1990s were a revolutionary time
– Growth has been exponential ever since
– Consequence: increase in attacks
– An underground economy emerged
• System & network admins alone cannot protect
information assets
• Today, social networks have made it even worse
• Other concerns:
– General response vs. focus areas
– New regulations & focused regulations
6
Emerged solution?
CSIRT?

7
The definition

• Several variants exist
• Newer definition is:
– a capability or team that provides services and
support to a defined constituency for
preventing, handling and responding to
computer security incidents

8
Organizational role in incident
response

9
What should it do?

• Be a service organization that is
responsible for:
• receiving computer security incident reports
• reviewing incident reports and activities performed
• responding to computer security incident reports
• new trend: to be proactive as well
• Have a clearly defined constituency
– e.g.: military, bank, university, govt. organisation
• Identify a focus area:
• based on the business goals of the constituent or
parent organization
10
What to share and what not to share
with a CSIRT

11
How to decide

• See whether the CSIRT is truly internal to
your organization:
– Fewer problems in managing information leakage
• What if competitors also have access to
your information?
– Classification and tagging is a must
– Should have proper agreements with
information custodians
• If inter-organisational in a sector, better to have an
independent party managing it
– Still need to keep an eye
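The decision rule on this slide (classify and tag the information, and release custodian-owned data only under an agreement) can be made mechanical. The following is an added example, not code from the slides or from TechCERT; the three classification tags, the report layout and the agreement rule are assumptions chosen for the illustration:

```python
"""Deciding what an incident report may share with a CSIRT.

Added illustration: the classification tags, report layout and the
agreement rule are assumptions, not something the slides define.
"""
from typing import Dict, List, Set, Tuple

# Assumed classification tags, least to most restrictive.  A field may go to a
# CSIRT whose scope is at least as permissive as the field's tag.
TAG_RANK = {"public": 0, "sector": 1, "internal": 2}

# Constructed incident report: each field carries a classification tag and,
# where the data belongs to someone else, the custodian who must agree to
# its release.
SAMPLE_REPORT = {
    "incident_type": {"value": "phishing campaign", "tag": "public"},
    "sender_domain": {"value": "mail.example.invalid", "tag": "sector"},
    "affected_users": {"value": ["u123", "u456"], "tag": "internal",
                       "custodian": "HR"},
    "customer_ids": {"value": ["c-1", "c-2"], "tag": "sector",
                     "custodian": "Retail Banking"},
}


def prepare_for_sharing(report: Dict[str, dict], csirt_scope: str,
                        agreements: Set[str]
                        ) -> Tuple[Dict[str, object], List[Tuple[str, str]]]:
    """Return (fields_to_share, withheld) for a CSIRT of the given scope.

    csirt_scope: "internal" (the organisation's own team), "sector" (a team
                 shared with peers in the sector) or "public".
    agreements:  custodians who have signed a sharing agreement with that CSIRT.
    """
    if csirt_scope not in TAG_RANK:
        raise ValueError(f"unknown CSIRT scope: {csirt_scope}")
    shared: Dict[str, object] = {}
    withheld: List[Tuple[str, str]] = []
    for name, field in report.items():
        tag = field["tag"]
        if tag not in TAG_RANK:
            raise ValueError(f"field {name} has unknown tag {tag}")
        # Rule 1: a field tagged more restrictively than the CSIRT's scope stays home.
        if TAG_RANK[tag] > TAG_RANK[csirt_scope]:
            withheld.append((name, f"tagged {tag}, CSIRT scope is {csirt_scope}"))
            continue
        # Rule 2: outside the organisation, custodian-owned data needs an agreement.
        custodian = field.get("custodian")
        if custodian and csirt_scope != "internal" and custodian not in agreements:
            withheld.append((name, f"no sharing agreement with {custodian}"))
            continue
        shared[name] = field["value"]
    return shared, withheld


if __name__ == "__main__":
    for scope, agreed in [("internal", set()),
                          ("sector", {"Retail Banking"}),
                          ("sector", set())]:
        out, held = prepare_for_sharing(SAMPLE_REPORT, scope, agreed)
        print(scope, "shares", sorted(out), "withholds", held)
```

The two rules are deliberately separate: classification decides whether the field can leave the organisation at all, and the custodian agreement decides whether it can leave even when the tag permits it. A sector-level CSIRT with no agreement on file therefore receives the phishing campaign type and the sender domain but neither the user list nor the customer identifiers.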
12
Can everyone do it?

13
Need of expertise

• Incident management
– Very high level of expertise
• Prepare:
– to provide quick response to any risks, threats, or attacks
• Protect infrastructure
• Detect suspicious activities & events
• Triage:
– sorting, categorizing, correlating, prioritizing, and assigning
incoming events, incident reports, vulnerability reports,
and other general information requests
• Respond
– steps taken to address, resolve, or mitigate
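The triage step above (sorting, categorising, correlating, prioritising and assigning incoming items) is shown below as one pass over a constructed inbox. This is an added example, not code from the slides or from TechCERT; the item layout, the severity scale, the asset criticality table and the handler queue names are assumptions:

```python
"""Triage of a CSIRT's incoming queue: sort, categorise, correlate,
prioritise and assign.

Added example: the item layout, severity scale (1-5), asset criticality
table and handler queue names are constructed assumptions.
"""
from collections import defaultdict

# Assumed criticality of constituency assets (higher = more important).
ASSET_CRITICALITY = {"payment-gw": 3, "mail-01": 2, "ws-042": 1}

# Assumed handler queue for each category of incoming item.
HANDLER_FOR = {
    "incident": "incident-handlers",
    "vulnerability": "vuln-analysts",
    "event": "monitoring",
    "request": "helpdesk",
}

# Constructed inbox: events, incident reports, vulnerability reports and a
# general information request, in no particular order.
INBOX = [
    {"id": "I-1", "kind": "incident", "received": "2024-01-05T08:10",
     "severity": 4, "asset": "payment-gw", "indicator": "198.51.100.7"},
    {"id": "E-1", "kind": "event", "received": "2024-01-05T08:00",
     "severity": 2, "asset": "ws-042", "indicator": "198.51.100.7"},
    {"id": "V-1", "kind": "vulnerability", "received": "2024-01-05T08:12",
     "severity": 3, "asset": "mail-01"},
    {"id": "R-1", "kind": "request", "received": "2024-01-05T08:05",
     "severity": 1},
]


def categorise(item):
    """Map an incoming item to one of the four handled categories."""
    kind = item["kind"]
    if kind not in HANDLER_FOR:
        raise ValueError(f"unknown item kind: {kind}")
    return kind


def correlate(items):
    """Group items that share an indicator (here: the same remote address).

    Returns item id -> list of ids in its group (arrival order); an item
    without an indicator forms a group of its own.
    """
    by_indicator = defaultdict(list)
    for it in items:
        if it.get("indicator"):
            by_indicator[it["indicator"]].append(it["id"])
    return {it["id"]: (by_indicator[it["indicator"]] if it.get("indicator")
                       else [it["id"]]) for it in items}


def priority(item, group_size):
    """Severity weighted by asset criticality, plus a bonus when the item
    correlates with others (a pattern rather than a one-off)."""
    crit = ASSET_CRITICALITY.get(item.get("asset"), 1)
    return item["severity"] * crit + (group_size - 1)


def triage(incoming):
    """Return the inbox as a work list, highest priority first."""
    items = sorted(incoming, key=lambda it: it["received"])   # sort by arrival
    related = correlate(items)
    work = []
    for it in items:
        cat = categorise(it)
        work.append({
            "id": it["id"],
            "category": cat,
            "related": related[it["id"]],
            "priority": priority(it, len(related[it["id"]])),
            "assigned_to": HANDLER_FOR[cat],
        })
    # Python's sort is stable, so ties keep arrival order.
    work.sort(key=lambda w: -w["priority"])
    return work


if __name__ == "__main__":
    for w in triage(INBOX):
        print(w["priority"], w["id"], w["category"], w["assigned_to"], w["related"])
```

On the constructed inbox the incident against the payment gateway comes out first (severity 4, criticality 3, plus one correlated event from the same address), the vulnerability report on the mail server second, and the lone information request last; the correlation also tells the incident handler that the earlier workstation event is part of the same activity.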

14
Technical response actions
• Analysing the event or incident information, data,
and supplemental material
– log files, malicious code, or other artifacts
• Researching corresponding mitigation strategies
and recovery options
• Developing advisories, alerts, and other
publications
– to provide guidance and advice for resolving or
mitigating the event or incident

15
Technical response (cont.)
• Controlling any ongoing malicious activity
– make appropriate changes to the infrastructure
– e.g.
• disconnecting affected systems from the network
• changing security configurations
• filtering ports, services, IP addresses, or packet content
– The above may involve:
• firewalls, mail servers, routers, or other devices
• Eradicating or cleaning up any malicious
processes and files
• Repairing or recovering affected systems
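The two technical-response slides (analysing log files and artifacts, then controlling, eradicating and recovering) are tied together in the added example below. It is not code from the slides or from TechCERT: the log format, host names, addresses, the internal address range and the brute-force threshold are all constructed assumptions.

```python
"""Analysing a log excerpt and deriving the technical response steps the
slides list (filter, disconnect, reconfigure, eradicate, recover).

Added example: the log format, host names, addresses and the internal
network range are constructed, not taken from any real system.
"""
import ipaddress
import re
from collections import Counter

# Constructed log excerpt (timestamps, hosts and addresses are made up).
LOG_LINES = """\
2024-01-05T08:01:10 fw-01 ALLOW src=198.51.100.7 dst=10.0.5.20 dport=22 proto=tcp
2024-01-05T08:01:11 ws-042 sshd: Failed password for root from 198.51.100.7 port 51000
2024-01-05T08:01:12 ws-042 sshd: Failed password for root from 198.51.100.7 port 51001
2024-01-05T08:01:14 ws-042 sshd: Accepted password for root from 198.51.100.7 port 51004
2024-01-05T08:02:30 ws-042 proc: started /tmp/.x/unknown-bin pid=4123 user=root
2024-01-05T08:02:31 fw-01 ALLOW src=10.0.5.20 dst=203.0.113.9 dport=4444 proto=tcp
2024-01-05T08:03:00 mail-01 sshd: Accepted publickey for backup from 10.0.1.5 port 40000
""".splitlines()

# Assumed constituency inventory: address -> host name, and the internal range.
IP_TO_HOST = {"10.0.5.20": "ws-042", "10.0.2.7": "mail-01"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

FAILED = re.compile(r"^\S+ (\S+) sshd: Failed password for \S+ from (\S+) port")
ACCEPTED = re.compile(r"^\S+ (\S+) sshd: Accepted \S+ for \S+ from (\S+) port")
PROC = re.compile(r"^\S+ (\S+) proc: started (\S+) pid=(\d+)")
FW = re.compile(r"^\S+ \S+ ALLOW src=(\S+) dst=(\S+) dport=(\d+)")


def analyse(lines, failure_threshold=2):
    """Walk the lines in order and collect what the response has to act on."""
    failures = Counter()          # (host, source) -> failed logins so far
    f = {"suspect_sources": set(), "affected_hosts": set(),
         "processes": [], "outbound": []}
    for line in lines:
        if m := FAILED.match(line):
            failures[(m.group(1), m.group(2))] += 1
        elif m := ACCEPTED.match(line):
            host, src = m.groups()
            # A login succeeding after repeated failures from the same source
            # is treated as a likely brute-force success.
            if failures[(host, src)] >= failure_threshold:
                f["suspect_sources"].add(src)
                f["affected_hosts"].add(host)
        elif m := PROC.match(line):
            host, path, pid = m.group(1), m.group(2), int(m.group(3))
            # Only processes started from /tmp on an already-affected host count.
            if host in f["affected_hosts"] and path.startswith("/tmp/"):
                f["processes"].append((host, path, pid))
        elif m := FW.match(line):
            src, dst, dport = m.group(1), m.group(2), int(m.group(3))
            host = IP_TO_HOST.get(src)
            # Outbound traffic from an affected host to outside the constituency.
            if host in f["affected_hosts"] and ipaddress.ip_address(dst) not in INTERNAL_NET:
                f["outbound"].append((host, dst, dport))
    return f


def response_plan(findings):
    """Order the slides' response actions: control, eradicate, recover."""
    steps = []
    for src in sorted(findings["suspect_sources"]):
        steps.append(("filter", f"drop inbound traffic from {src} at fw-01"))
    for host, dst, port in sorted(findings["outbound"]):
        steps.append(("filter", f"drop outbound {host} -> {dst}:{port} at fw-01"))
    for host in sorted(findings["affected_hosts"]):
        steps.append(("disconnect", f"take {host} off the network"))
        steps.append(("reconfigure",
                      f"rotate credentials; disable password login for root on {host}"))
    for host, path, pid in findings["processes"]:
        steps.append(("eradicate", f"stop pid {pid} and remove {path} on {host}"))
    for host in sorted(findings["affected_hosts"]):
        steps.append(("recover", f"rebuild {host} from a known-good image and restore data"))
    return steps


if __name__ == "__main__":
    for kind, action in response_plan(analyse(LOG_LINES)):
        print(f"{kind:12} {action}")
```

The analysis is deliberately order-sensitive: the process and firewall lines only count once the host has already been flagged by the brute-force rule, which keeps the backup login on mail-01 out of the findings. The plan then follows the slide's sequence, with the filtering and disconnection steps first so that ongoing activity is controlled before clean-up and recovery begin.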
16
Reflections
• CERTs have become vital for critical businesses
– CSIRTs also will help within the constituency
• Business operations are mostly within
constituency
– However, business scope spans across
constituencies
• Threats come from outside constituencies
– hence, many incidents are across
constituencies
• Who can and will handle them?
• Can everyone set up CSIRTs/CERTs?
17
Thank you
Shantha & Chandana
Chartered Engineers
Senior Lecturers, Dept. of CSE, University of Moratuwa
Consultants, TechCERT

18
Q&A

19
