ThaiCERT Formation & Thailand Incident Report
By Miss Siriwan Apisiridej (siriwan@nectec.or.th), NECTEC
Seminar on Information Security Technologies, 19 November 2003
Information Warfare
[Diagram: several terminals connected through the Internet, illustrating attack types: mail bomb, hacking, root compromise, DDoS]
What is an IR Team?
IR Team: Incident Response Team
- a capability responsible for dealing with potential or real
information security incidents
- assigned a set of duties related to bringing each
security-related incident to a conclusion, ideally in
accordance with the goals of the organization it serves
What is an IR Team? (Cont.)
Many incident response teams have several team members,
each with a specialized role.
Some members handle:
– daily operations
– receiving reports of incidents
– identifying the type, source, impact, and other facets of
the security-related incidents that are reported
Others:
– deal with vendors to close known vulnerabilities in
operating systems
– examine data to identify and project incident trends,
which is closer to research work
Definition of "CERT"
CERT: Computer Emergency Response Team
An organization or a team that provides, to a defined constituency,
services and support for both preventing and responding to
computer security incidents.
ThaiCERT Formation
• NECTEC launched the project of forming the Thai
Computer Emergency Response Team (ThaiCERT)
in April 2000
• CERT/CC, USA (the first CERT in the world) was used
as the model for the ThaiCERT formation
• Currently there are 10 team members
– 1 manager
– 8 technical staff
– 1 general coordination staff
ThaiCERT Formation (Cont.)
Objectives:
- To handle computer crime and coordinate with the
related organizations.
- To build knowledge and skill in information security,
which is a factor affecting the stability of Thailand.
- To establish a team that can handle computer security
incidents and develop personnel skills, because
international organizations cannot support every case
for us.
Scope of ThaiCERT's Role
Major Role
1. Incident response
General Role
1. Distribute security knowledge and alerts
through the mailing list and website:
http://www.thaicert.nectec.or.th
2. Analyze and respond to system
vulnerabilities and security risks
3. Analyze computer security incidents
Scope of ThaiCERT's Role (Cont.)
4. Provide training and seminars
5. Follow computer security news
6. Intrusion detection
7. Computer forensics
8. Computer security consulting
9. Develop security tools, e.g. Web Scan
10. Coordination and support
ThaiCERT Incident Response Cases
Number of cases by type of incident (Jan 2003 – Present):
Port Scan & Probe        170
Virus                     36
Spam Mail                 29
Other (Hacks, DDoS, ...)  23
Total                    258 cases
Why Form an IR Team?
• Ability to coordinate
• Expertise
• Efficiency
• Ability to work proactively
• Ability to meet agency or corporate
requirements
• Serving a liaison function
• Ability to deal with institutional barriers
Issues in Forming a Response Team
• Policy
• Whether or not a team is really necessary
• Defining and communicating with a constituency
• Defining functional requirements
• Defining the role of the incident response team
• Staffing the team appropriately
• Creating and updating operational procedures
Policy
Example policy statements:
• No employee may make contact with or answer questions
from the press unless that person obtains written
approval from the head of the public relations department.
• No system under attack may stay connected to the
network if it holds extremely valuable resources.
• No team member may spread information about
any incident outside of the immediate team without
the direct permission of the team leader.
Is a team really necessary?
Alternative approach:
Have individuals who are not part of an
incident response team but who are available when
incidents occur.
Reasons this alternative approach may be preferred:
– Smaller organizations generally do not need a team
– Few resources might be available
– Incident response might work better as a distributed
effort
Who is the Constituency?
1. Determine exactly whom you are supporting
– so that you can communicate with that constituency
and learn the needs that exist
– so that you know how to better focus your efforts
2. Establishing a communication channel is essential
(two-way communication)
Who is the Constituency? (Cont.)
[Diagram: an attacker targeting a site; within the site, the CEO,
the SIRM (Site Incident Response Manager) and the SIRO (Site
Incident Response Officer); two-way communication between the
site and the CERT]
Keep contact details for each party, e.g. home phone number,
mobile phone number, and e-mail address.
Functional Requirements and Roles
• Basic requirement: providing incident response
support to the constituency. Possible models:
- Go to a site or area within a facility and take over all
incident response efforts
- Share control between the incident response team and
operations or business unit staff
- Act only when the constituency requests it
- Provide indirect rather than direct support, in the form of
advice
Functional Requirements and Roles (Cont.)
• Additional requirements
- Interagency/corporate coordination and liaison
- Serving as a clearinghouse: a central repository for
information, patches, tools, and so forth
- Contingency planning and business continuity services
- Information security tool development
- Incident response planning and analysis
- Training and awareness
Staffing Issues
• Team size
– Minimum: 1 manager, 1 technical staff member
– Add staff to broaden the range of expertise
as funding allows
Staffing Issues (Cont.)
• Team skills
1. Management skills
2. Technical skills
3. People skills
4. Teamwork skills
5. Communication skills
Staffing Issues (Cont.)
• Location of staff
Should all team members reside at one
location, or be divided among different locations?
Creating Operating Procedures
Issues that any set of procedures must address:
- Purpose of the procedures
- To whom or what the procedures apply and under
what conditions
- Lines of authority within the IR team and the organization
it serves
- Restrictions on the kinds of actions in which team members
can and cannot engage
- How information and evidence must be documented
Creating Operating Procedures (Cont.)
- Who can contact outside entities (e.g. media, law enforcement
agencies) and under what conditions
- Priorities in response efforts (e.g. protecting human lives,
keeping systems and networks operational)
- What to do in case of incidents in highly valuable, sensitive,
proprietary, or classified systems and/or networks
- Kinds of information that can and cannot be disseminated
outside the team
- Management's role with respect to the response team and
its activities
Creating Operating Procedures (Cont.)
- When and how the procedures must be changed
- How the procedures are to be distributed
Incident Response Process
[Flowchart, reconstructed as steps]
1. Victim reports an incident
2. Incident report receiving process (via e-mail)
3. Incident confirmation process (via telephone)
4. Analyze scope of responsibility
5. If NO (outside ThaiCERT's scope): coordinate and give advice to
the related organization
6. If YES (within scope):
- Analyze the incident
- Technical support
- Coordinate and respond
Cooperation is necessary!!
Contact ThaiCERT
URL: http://www.thaicert.nectec.or.th
E-mail: thaicert@nectec.or.th
Telephone: 0-2564-6868
Fax: 0-2564-6871