CERT – Computer Emergency Response Team.
Managed Security Services. Security Solutions.

Background.
As computers play an ever-growing role in social and business life, so does the risk of possible danger from hackers, online theft, fraud and cyber-vandalism. A successful attacker can corrupt or delete data, thereby causing not only high financial losses but also substantial damage to the image of the company affected. Drawing on experience in various areas of ICT security and that of T-Systems CERT, launched in 2003, Security Solutions provides services that enable adequate reaction to and prevention of such threats beyond the walls of the process-oriented company. T-Systems CERT's comprehensive know-how allows:
- Targeted provision of high-quality security information on ICT vulnerabilities
- Detection of security risks and institution of preventive measures
- Central coordination and tracking of preventive measures and escalation as needed
- Analysis and evaluation of ICT security incidents
- Introduction of countermeasures for ICT security incidents
- Central coordination and tracking of measures in the event of ICT security incidents

Business flexibility

In line with ITIL-compliant processes, T-Systems CERT offers a single point of contact, the input point for all ICT security issues and problems of its customers. In addition to reactive and preventative services, Security Solutions also offers consulting services for the purpose of continuously improving the security of its customers as part of T-Systems CERT.

CERT Service contains:

Intrusion Detection.
The aim of Intrusion Detection is to develop methods for detecting attacks on computer systems. For example, in the case of a "promising" threat of an attacker, an IDS/IPS would trigger an alarm and forward it to the appropriate units. Network-based IDS/IPS already cover most of the risks in a network environment. Host-based IDS/IPS should be used additionally in high security areas. T-Systems CERT advises customers on all matters of projection, evaluation and piloting. Managed networks are permanently monitored; if anomalies are detected, appropriate countermeasures are introduced.

[Figure: Example for a network-based IDS]

Announcements.
Announcement refers to the dissemination of information about weak points and threats, and if necessary also measures to eliminate them. The CERT Team of T-Systems views the relevant information, assesses it and forwards it to specific customers. The CERT reports form the basis of clear risk assessments, prioritization and recommendations for action. The CERT team has developed a web- and e-mail-based information tool for distributing the announcements that makes it easy to track the measures in individual customer areas.

Security audits & penetration.
The complexity of a company's IT structure is proportionate to the size of the company. In addition to a pronounced degree of heterogeneity, the training level of those responsible for the system also varies widely. However, the security status of all systems is important to a company. Its aim is to bring about a uniformly high level of security. To achieve this, information about existing security gaps in the IT infrastructure is conveyed so that a list of measures can be created from it. Security audits and penetration tests are used for this purpose. Security audits are conducted as structured surveys; penetration tests are an overall term for legal intrusion attempts.

Forensic analysis.
Forensic Analysis is intended to analyze the entire course of a security breach. This also includes securing and assessing evidence that can be retraced by a court. Although the documentation of processes and circumstances is part of forensic analysis, securing evidence is a vital component if a complaint is filed or other action under civil or criminal law is necessary. Tracing the security breach can turn up much other information that can lead to the detection of other marginal parameters and changes and thus can form the basis for further corrections. The CERT Team, in cooperation with criminal prosecutions if necessary, conducts forensic analyses on behalf of the customer.

Incident response.
Incident Response represents the most comprehensive and sophisticated task of a CERT. The added value for our customers only occurs once an adequate reaction to incidents has been guaranteed. Thus high demands are made not only on the team's technical capacities but also on its organization and ability to assess incidents correctly.

A high degree of parallelism between various activities, and thus close interaction with other services, is typical of this service. First, the facts must be investigated. To do this, the aforementioned activities in vulnerability, critter and forensic analysis are undertaken. Meanwhile, however, all affected units must be informed so that preliminary results of analyses are available as well. This is important for many reasons - for example, if it turns out that not only the operating system affected first has a security gap but also others (e.g. manufacturer-specific or even technology-specific).

Continued analysis prompts the coordination of a wide range of activities, possibly distributed among various sections of the organization and among locations. This also includes the initial control of consequences. These are the actual activities of Incident Response. They can be broken down into the following subsections:
- Limiting the incident
- Eliminating causes
- Recovering operations

The concrete features of these services depend on the specific customer. We will be happy to provide answers to your questions and further information at any time.

Published by: Contact: Corporate Marketing & Communications Security Solutions 60325 Frankfurt am Main, Germany Phone: +49 (0)6151 8186105 T-Systems Enterprise Services GmbH Mainzer Landstrasse 50 Responsible for content: Security Solutions T-Systems Enterprise Services GmbH E-Mail: security-solutions@t-systems.com Product Marketing Manager: Andreas Brasching Date of publication 10/2006; subject to change without notice; printed on chlorine-free paper, typix

CERT Advisory Services.

Modern business would be simply unimaginable without internet technologies. In the last decade security aspects get more and more important for companies (see following chart).

[Chart: Number of security cases (US companies) in thousands. Source: CERT Coordination Center]

Determining the critical points in a company and choosing the correct measures and technologies to counter the threats ranged against it is not always easy, however. T-Systems supports its customers in this task through competent consultation and services. Included are:
- Audits
- Security checks
- Penetration tests
- Execution of risk analyses
- Security concepts
- Product evaluations
- Forensic analyses

Audits.
Audits are structured surveys aimed at recording and evaluating possible deficits in the existing (IT) infrastructure. The survey permits graphic representation of either the definition of concrete measures or the security level for management, according to standard criteria (see chart overleaf). The degree of detail is oriented toward customer wishes. Audits according to BS 7799, BSI Basic Protection Handbook or system-specific audits are possible.

Security checks.
Security checks are aimed at determining the extent of known flaws within a company's IT infrastructure in order to judge the threat posed and possible damage that their exploitation could cause. Security checks are usually conducted by scanning the corporate network under investigation.

Penetration tests.
Penetration tests are another way of evaluating the security of IT systems or IT safeguards such as firewalls. Audits operate on the principle of viewing the system in question as holistically as possible – while not checking the actual system configuration. Penetration tests, on the other hand, involve the same methods as hackers employ in order to demonstrate real danger points. In this context white and black box penetration tests are possible. This means that in one case the tester is familiar with the system configuration, in the other case not.

Execution of risk analyses.
Identified danger points (for instance within the scope of audits, penetration tests and security checks) represent a risk. Within the context of a risk analysis and based on the experience gained by the specialists conducting them, these risks are specified with regard to the possible extent of damage and the likelihood of occurrence. This enables a selection of protective measures, whose efficiency bears a reasonable relationship to the time and expense involved.

Security concepts.
Security concepts are designed to ensure that the risks of using and operating an IT application or service fall within reasonable bounds. In addition, a security concept covers the following points:
- Description of the system environment
- Analysis of protection requirements
- Threat analysis
- Risk analysis
- Measures
- Remaining risks

Hence, ideally, a security concept is drafted before implementation – i.e. as a result of the detailed concept – in order to integrate necessary security measures into the overall design with as little effort as possible. As experience shows, once the overall solution has been put in place, measures can only be implemented at great expense or only partially.

Product evaluations.
Besides supporting business processes, modern IT solutions must also fulfill the customer's specific security needs in terms of availability, confidentiality and integrity, something that is not always easy to assess. As part of product evaluation, software and hardware products are examined with regard to their adequacy in complying with these requirements.

Forensic analysis.
Forensic analysis is used to analyze the entire process of a security violation. This includes the legally permissible preservation and evaluation of evidence. Although documentation of the processes and facts is the main component of forensic analysis, the preservation of evidence gleaned is an indispensable element if a crime is to be reported or criminal or civil proceedings considered. Much more information can be gleaned by understanding how a security breach occurs and can also lead to recognition of many borderline parameters and changes and thus form the basis of additional modifications.

The actual characteristics of these services are principally customer-specific. We are always glad to answer your questions and provide further information.