Building Global CSIRT Capabilities
Barbara Laswell, Ph.D.
September 2003
CERT® Centers, Software Engineering Institute, Carnegie Mellon, Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense
© 2003 Carnegie Mellon University

CERT Coordination Center
The CERT/CC was established in 1988 with a mission to:
• respond to security emergencies on the Internet
• serve as a focal point for reporting and facilitating the correction of security vulnerabilities
• analyze security-related data to develop and disseminate countermeasures and prevention techniques
• serve as a model to help others establish incident response teams
• raise awareness and understanding of security trends and issues

Growth in Number of Incidents Reported to the CERT/CC [figure]

Growth in Number of Vulnerabilities Reported to the CERT/CC [figure]

Growth in CSIRTs [figure]

Response Teams Around the World [figure]

Impact on CSIRTs
Today's dynamic environment leaves CSIRTs less time to react. Teams therefore require:
• a method for quick notification
• established and understood policies and procedures
• automation of incident handling tasks
• methods to collaborate and share information with others
• an easy and efficient way to sort through all incoming information

Current Situation
Many organizations do not have a formalized incident response capability. There is a shortage of effective CSIRTs and of trained staff to respond to current and emerging computer security threats. A growing number of organizations are:
• being mandated or required by laws and regulations to have an incident response plan in place
• proactively seeking to implement a CSIRT as part of their information security program
Stages of CSIRT Development
• Stage 1: Educating the organization
• Stage 2: Planning effort
• Stage 3: Initial implementation
• Stage 4: Operational phase
• Stage 5: Peer collaboration
The stages run from novice to expert: education, planning, implementation, operation, collaboration.

General Categories of CSIRTs
Internal CSIRT
• Educational
• Governmental
• Commercial
Coordination Centers
• Country
• State
• Region
Analysis Centers
Vendor
Incident Response Provider

CSIRT Organization Examples
• CERT Coordination Center (CERT/CC): http://www.cert.org/
• Forum of Incident Response and Security Teams (FIRST): http://www.first.org/
• Department of Defense CERT (DOD-CERT): http://www.cert.mil/
• German Research Network CERT (DFN-CERT): http://www.cert.dfn.de/
• Federal Computer Incident Response Center (FedCIRC): http://www.fedcirc.gov/
• Australian Computer Emergency Response Team (AusCERT): http://www.auscert.org.au/
• Japan Computer Emergency Response Team Coordination Center (JPCERT/CC): http://www.jpcert.or.jp/
• IBM Business Continuity and Recovery Services (IBM-ERS): http://www.ers.ibm.com/ and http://www-1.ibm.com/services/continuity/recover1.nsf/mss/incident+management

CSIRT Collaborations
• FIRST: http://www.first.org/team-info/
• European CSIRT Directory: http://www.ti.terena.nl/teams/index.html
• Asia Pacific: http://www.singcert.org.sg/apsirc/

Range of CSIRT Services
Mandatory Services:
• Incident Handling
Common CSIRT Services:
• Alerts and Announcements
• Vulnerability Analysis and Response
• Artifact Analysis
• Education and Training
• Incident Tracing
• Intrusion Detection
• Auditing and Penetration Testing
• Security Consulting
• Risk Analysis
• Security Product Development
• Collaboration
• Coordination

Information Flow [figure]

What is Reported? [figure]
Incident Handling Life Cycle [figure]
Intake channels (Email, Hotline/Phone, IDS, Other) → Triage → Information Request / Incident Report / Vulnerability Report → Analyze → Obtain Contact Information / Coordinate Information and Response / Provide Technical Assistance

CSIRT Related Projects
• State of the Practice of CSIRTs
• IETF Incident Handling Working Group (INCH WG) and Intrusion Detection Working Group (IDWG)
• Automated Incident Reporting (AirCERT)
• Incident Detection, Analysis, and Response (IDAR) Project
• Clearing House for Incident Handling Tools (CHIHT)
• Common Advisory Interchange Format (CAIF)
• Best Practices Documents

Current CSIRT Discussion Topics
• Legal issues and impacts
• Automation and standardization of CSIRT tools
• Data sharing and collaboration
• Certification for incident handlers and teams: http://www.cert.org/certification/
• Regionalization efforts

Visit www.cert.org/csirts/
Publications and links to resources to help you create and manage your CSIRT:
• Creating a Computer Security Incident Response Team: A Process for Getting Started
• Creating a Financial Institution CSIRT: A Case Study
• The Handbook for Computer Security Incident Response Teams (CSIRTs) (pdf)
• CSIRT Services
• CSIRT Frequently Asked Questions
• Responding to Intrusions
• Expectations for Computer Security Incident Response (RFC 2350)
• Forming an Incident Response Team (AusCERT Publication)
• Avoiding the Trial-by-Fire Approach to Security Incidents
• NIST: Computer Systems Laboratory Bulletin
• NIST: Establishing a Computer Security Incident Response Capability

For More Information
CERT® Centers, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213 USA
+1 (412) 268-7090
http://www.cert.org/training
http://www.cert.org/csirts/
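The incident handling life cycle sketched above (intake from email, hotline, IDS and other channels; triage into information requests, incident reports and vulnerability reports; analysis; then contact lookup, coordination and technical assistance) is the part of a CSIRT's work that the "Impact on CSIRTs" slide says must be automated so the team can sort incoming information quickly. The following is an added example of that triage step in code; it is not from the original slides and not CERT/CC tooling. The keyword rules, priority scheme, ticket identifiers and the five sample intake items are all constructed for illustration, and a follow-up that references an open case is threaded onto the existing ticket instead of opening a duplicate.

```python
"""Toy CSIRT intake triage: channels -> triage -> category -> next actions.

Added illustration only. The rules, ticket ids and sample messages are
constructed for this example and are not CERT/CC tooling.
"""
import re
from dataclasses import dataclass, field

# Constructed sample intake: one item per channel named on the life-cycle slide.
SAMPLE_INTAKE = [
    {"source": "email", "id": "msg-1001", "from": "admin@example.net",
     "subject": "Compromised host in our DMZ",
     "body": "We found a rootkit on web01, attacker IP 203.0.113.5, "
             "started 2003-09-02. Need help containing it."},
    {"source": "ids", "id": "ids-7f3", "from": "",            # sensor: no human contact yet
     "subject": "", "body": "ALERT: port scan from 198.51.100.7 against 192.0.2.0/24"},
    {"source": "hotline", "id": "call-22", "from": "+1-555-0100", "subject": "",
     "body": "Caller asks how to report an incident and what information to include."},
    {"source": "email", "id": "msg-1002", "from": "researcher@example.org",
     "subject": "Vulnerability in FooServer 2.1",
     "body": "Buffer overflow in the login handler, vendor not yet notified. "
             "Advisory draft attached."},
    {"source": "email", "id": "msg-1003", "from": "admin@example.net",
     "subject": "Re: Compromised host in our DMZ",
     "body": "A second host, web02, shows the same rootkit.",
     "references": ["msg-1001"]},                            # follow-up to an open case
]

# Constructed keyword rules; a real team would tune these against its own mail archive.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")
VULN_WORDS = re.compile(r"\b(?:vulnerab\w*|overflow|advisory|exploit\w*)\b", re.I)
INCIDENT_WORDS = re.compile(
    r"\b(?:compromis\w*|rootkit|intrusion|attack\w*|scan\w*|worm|defac\w*)\b", re.I)
ACTIVE_WORDS = re.compile(r"\b(?:compromis\w*|rootkit|intrusion)\b", re.I)
REQUEST_WORDS = re.compile(r"\b(?:how (?:do|to|should)|what|which|please advise|asks?)\b", re.I)


@dataclass
class Ticket:
    ticket_id: str
    category: str                 # incident | vulnerability | information_request | unclassified
    priority: int                 # 1 = highest
    sources: list[str] = field(default_factory=list)   # intake ids merged into this ticket
    indicators: set[str] = field(default_factory=set)  # IPs / networks pulled from the text
    actions: list[str] = field(default_factory=list)   # next steps from the life-cycle slide


def classify(text: str) -> str:
    """Map free text onto the three report types of the triage step."""
    if VULN_WORDS.search(text):
        return "vulnerability"
    if INCIDENT_WORDS.search(text):
        return "incident"
    if REQUEST_WORDS.search(text):
        return "information_request"
    return "unclassified"         # leave it for a human triager rather than guess


def prioritize(category: str, source: str, text: str) -> int:
    """Active compromise outranks sensor noise; an unnotified vendor outranks a public advisory."""
    if category == "incident":
        if ACTIVE_WORDS.search(text):
            return 1
        return 3 if source == "ids" else 2
    if category == "vulnerability":
        return 2 if re.search(r"\bnot yet notified\b|\bunpatched\b", text, re.I) else 3
    return 4


def next_actions(category: str, item: dict) -> list[str]:
    """Follow-on steps named on the life-cycle slide, chosen by category and contact state."""
    actions = []
    if not item.get("from"):
        actions.append("obtain contact information")
    if category == "incident":
        actions += ["provide technical assistance", "coordinate information and response"]
    elif category == "vulnerability":
        actions.append("coordinate information and response")      # with the vendor
    elif category == "information_request":
        actions.append("answer request")
    else:
        actions.append("manual triage")
    return actions


def triage(intake: list[dict]) -> list[Ticket]:
    """Turn raw intake into a prioritized ticket queue, threading follow-ups onto open cases."""
    tickets: dict[str, Ticket] = {}
    by_source_id: dict[str, str] = {}                 # intake id -> ticket id
    for item in intake:
        text = f"{item.get('subject', '')} {item['body']}"
        existing = next((by_source_id[r] for r in item.get("references", [])
                         if r in by_source_id), None)
        if existing is not None:
            ticket = tickets[existing]                  # duplicate suppressed, evidence kept
        else:
            category = classify(text)
            ticket = Ticket(f"CSIRT-{len(tickets) + 1:04d}", category,
                            prioritize(category, item["source"], text),
                            actions=next_actions(category, item))
            tickets[ticket.ticket_id] = ticket
        ticket.sources.append(item["id"])
        ticket.indicators.update(IPV4.findall(text))
        by_source_id[item["id"]] = ticket.ticket_id
    return sorted(tickets.values(), key=lambda t: t.priority)


if __name__ == "__main__":
    for t in triage(SAMPLE_INTAKE):
        print(t.ticket_id, f"P{t.priority}", t.category, t.sources, sorted(t.indicators), t.actions)
```

Running the block on the constructed intake yields four tickets from five items: the two emails about the rootkit collapse into one priority-1 incident carrying both message ids and the attacker address, the unnotified vendor vulnerability comes next, the IDS scan is ranked below it, and the hotline question is routed to "answer request". The point of the threading map is the last bullet of the "Impact on CSIRTs" slide: without it every forwarded copy of the same report becomes a new item the team has to sort by hand.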