Be Secure! Computer Security Incident Response Team (CSIRT) Guide. Plan Establish Connect. Maliha Alam Mehreen Shahid
Computer Security Incident Response Team (CSIRT) Guide
Maliha Alam, Mehreen Shahid
Plan, Establish, Connect. Be Secure!
CSIRT Coordination Center, Pakistan, 2014
Contents

1. What is CSIRT?
2. Policy, Plan and Procedure Creation
   2.1 Incidents and Events
   2.2 Incident Response Policy, Plan and Procedure
3. CSIRT Framework
   3.1 Mission Statement
   3.2 Incident Response Team Structure
   3.3 CSIRT in different hierarchies and their relations
4. CSIRT Services
   4.1 Reactive Services
   4.2 Proactive Services
   4.3 Security Quality Management Services
5. Incident Management
   5.1 Incident Handling Phases (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned)
   5.2 Incident Handling Process Workflow
   5.3 Information Flow for CSIRT
   5.4 Incident Management Systems (Need for Incident Management Systems, Functional Overview of Incident Management Systems)
6. NUST CSIRT
   6.1 Mission Statement
   6.2 NUST CSIRT Website
   6.3 NUST CSIRT Services
   6.4 Incident Reporting methods
   6.5 Staying connected with NUST CSIRT
References
List of figures

Figure 1 CSIRT Team Structure
Figure 2 Organizational Hierarchy [Ref: CMU/SEI 2003 HB 002]
Figure 3 CSIRT Services
Figure 4 Relation of Framework Elements [Ref: CMU/SEI 2003 HB 002]
Figure 5 Incident management
Figure 6 Incident Handling Process Workflow
Figure 7 Information Flow for CSIRT
Figure 8 Incident Handling Process
Figure 9 Overview of incident management systems
Figure 10 NUST CSIRT web page
1. What is CSIRT?

CSIRT stands for Computer Security Incident Response Team. The term CSIRT is used predominantly in Europe in place of the protected term CERT, which is registered in the USA by the CERT Coordination Center (CERT/CC). Various abbreviations are used for the same sort of team:

- CERT or CERT/CC (Computer Emergency Response Team / Coordination Center)
- CSIRT (Computer Security Incident Response Team)
- IRT (Incident Response Team)
- CIRT (Computer Incident Response Team)
- SERT (Security Emergency Response Team)

At the moment both terms (CERT and CSIRT) are used synonymously, with CSIRT being the more precise term.

2. Policy, Plan and Procedure Creation

2.1 Incidents and Events

An event is any observable occurrence in a system or network: a user logging in, a firewall dropping a packet, a server crashing. A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. A very common example of an incident is an attacker commanding a botnet to send high volumes of connection requests to a web server, causing it to crash. Every incident is made up of events, but most events are not incidents; deciding which events constitute an incident is the job of the identification and triage phases described in section 5.

2.2 Incident Response Policy, Plan and Procedure

Organizations should have a formal, focused, and coordinated approach to responding to incidents, including an incident response plan that provides the roadmap for implementing the incident response capability.

Policy

The policy governing incident response is highly individualized to the organization; however, most organizations share the same key elements in their policies. Some of these are as follows:

- Statement of management commitment
- Purpose and objectives of the policy
- Scope of the policy (to whom and what it applies and under what circumstances)
- Definition of computer security incidents and related terms
- Organizational structure and definition of roles, responsibilities, and levels of authority
- Prioritization or severity ratings of incidents
- Reporting and contact forms

Plan

Each organization needs a plan that meets its unique requirements, which relate to the organization's mission, size, structure, and functions. The plan should lay out the necessary resources and management support. The incident response plan should include the following elements:

- Mission
- Strategies and goals
- Senior management approval
- Organizational approach to incident response
- How the incident response team will communicate with the rest of the organization and with other organizations
- Roadmap for maturing the incident response capability

Procedures

Procedures should be based on the incident response policy and plan. Standard operating procedures (SOPs) are a delineation of the specific technical processes, techniques, checklists, and forms used by the incident response team. SOPs should be reasonably comprehensive and detailed to ensure that the priorities of the organization are reflected in response operations. Following standardized responses should also minimize errors, particularly those caused by the stress of handling a live incident. SOPs should be tested to validate their accuracy and usefulness, and then distributed to all team members.

3. CSIRT Framework

In the search for a quick fix to establishing guidelines under which a new team will operate, many people go looking for existing CSIRT guidelines in the hope that they can simply be adopted for use in their own environment. They soon realize that no single set of service definitions, policies, and procedures is appropriate for any two CSIRTs. Moreover, teams with rigid guidelines in place find themselves struggling to adapt to the dynamic world of computer security incidents and attacks. To reach the goal in a structured fashion, it is best to start by recognizing a basic framework for a CSIRT.
That framework consists of the questions: what to do, for whom, in what local setting, and in cooperation with whom.

3.1 Mission Statement

An organization must define its mission statement in order to acquire a basic understanding of what the team is trying to achieve; more importantly, it provides a focus for the overall goals and objectives of the CSIRT. It should be unambiguous and consist of at most three or four sentences specifying the mission with which the CSIRT is charged. The mission statement is the basis on which the CSIRT establishes its service and quality framework, since it precisely defines the team's goals, scope and services.

3.2 Incident Response Team Structure

An incident response team should be available to anyone who discovers or suspects that an incident involving the organization has occurred. One or more team members, depending on the magnitude of the incident and the availability of personnel, will then handle the incident. The team structure for the CSIRT (Figure 1) consists of the following roles:

- Director
- Manager (Core Team)
- Manager (Tech Team)
- Incident Handlers
- Help Desk
- Website management
- Developers / Solution providers
- Forensics Team
- Malware Team
- Pen testing Team
- Network Admin

Figure 1 CSIRT Team Structure

Incident handlers analyze the incident data, determine the impact of the incident, and act appropriately to limit the damage and restore normal services. They coordinate between all departments responsible for incident response.

The Help Desk receives all incidents reported to the CSIRT through every means of communication made available for contact. The help desk then forwards each reported incident to the incident handlers after properly categorizing and numbering it.

Website management is responsible for developing, updating and managing the CSIRT website that has been developed for the required CSIRT services.

Developers / Solution Providers is a team of technical experts that develops independent patches to eradicate the cause of an incident and to complete the recovery of the system or network.
The Forensics, Malware, Pen test and Networking teams provide their services in their respective areas of technical expertise.

3.3 CSIRT in different hierarchies and their relations

Different CSIRTs work in coordination and collaboration at organizational, national and international levels. Each hierarchical level can have a different scope and different responsibilities depending on the organization's size, structure and functions.

Figure 2 Organizational Hierarchy [Ref: CMU/SEI 2003 HB 002]

4. CSIRT Services

There are many services that a CSIRT can deliver, but so far no existing CSIRT provides all of them, so the selection of the appropriate set of services is a crucial decision. For a team to be considered a CSIRT, it must provide one or more of the incident handling services: incident analysis, incident response on site, incident response support, or incident response coordination. CSIRT services might be provided by the CSIRT alone or in cooperation with other organizational units (such as the IT or security department). These services fall into three groups: reactive services, proactive services and security quality management services.
A CSIRT must take great care in choosing the services it will offer. The set of services provided determines the resources, skill sets, and partnerships the team will need to function properly. NUST CSIRT's services are described in section 6 of this document.

4.1 Reactive Services

Reactive services are designed to respond to requests for assistance, reports of incidents from the CSIRT constituency, and any threats or attacks against CSIRT systems. Some services may be triggered by third-party notification or by reviewing monitoring or intrusion detection system (IDS) logs and alerts. They are a response to an incident that has already occurred.

4.2 Proactive Services

Proactive services are designed to improve the infrastructure and security processes of the constituency before any incident or event occurs or is detected. The main goals are to avoid incidents and to reduce their impact and scope when they do occur.

4.3 Security Quality Management Services

These services are designed to improve the overall security of an organization. By leveraging the experience gained in providing the reactive and proactive services described above, a CSIRT can bring unique perspectives to these quality management services that might not otherwise be available. These services incorporate feedback and lessons learned based on knowledge gained by responding to incidents, vulnerabilities, and attacks. The figure below lists these services:

Figure 3 CSIRT Services
Governed by services, policies and quality procedures, the figure below shows how the framework elements are enacted.

Figure 4 Relation of Framework Elements [Ref: CMU/SEI 2003 HB 002]

5. Incident Management

Incident handling involves receiving, triaging and responding to requests and reports, and analyzing incidents and events. This section describes the fundamental components of an incident handling service and of incident management, as well as the procedures that need to be in place to support them.

Following the NIST Computer Security Incident Handling Guide, incident management is broadly categorized into four stages: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. These stages are interrelated and support each other; in particular, post-incident activity feeds back into preparation for the next incident. The figure below shows the four categories and the relation between them:
Figure 5 Incident management

5.1 Incident Handling Phases

Keeping these stages in mind, the SANS Institute (SysAdmin, Audit, Network and Security) defined a standard six phases of incident handling. These phases are listed and briefly explained below.

Preparation

This phase, as its name implies, deals with preparing a team to be ready to handle an incident at a moment's notice. Several key elements must be implemented in this phase to mitigate any potential problems that may hinder the team's ability to handle an incident. These mainly include: definition of roles and responsibilities; the complete organizational structure of the CSIRT; defining the service and quality frameworks; determining ways to report an incident; making policies and response strategies; and developing technical skills through training and certifications.

Identification

This phase deals with detecting a deviation from normal operations within an organization, determining whether the deviation is an incident and, if it is, determining its scope. Besides determining the type and level (e.g. network/system/routers/firewalls) of the incident, the identification phase also covers the initial assessment of the incident. This is known as triage.

Triage

The goal of the triage function is to ensure that all information destined for the incident handling service is channeled through a single focal point, regardless of the method by which it arrives (e.g., by e-mail, fax, telephone, or postal service), for appropriate redistribution and handling within the service. Different tools are used in CSIRTs to carry out the triage function.
The results reflect the impact and urgency of the incident for the incident responders. Triage also supports the efficient use of tracking numbers in the incident handling process, since every report is numbered at the single point where it enters.

Containment

The primary purpose of this phase is to limit the damage and prevent any further damage from happening. It is the first course of action once the incident has been identified. It is important both to limit the damage and to keep the system in a running state wherever possible. An essential part of containment is decision making (e.g., shut down a system, disconnect it from the network, or disable certain functions). Such decisions are much easier to make if there are predetermined strategies and procedures for containing the incident. Organizations should define the risks they are willing to accept when dealing with incidents and develop strategies accordingly. Containment strategies also vary based on the type of incident.

Eradication

Eradication is the phase that deals with the actual removal of the cause of the incident from the affected systems. The cleanup can take many forms. In a simple situation it could just mean running a virus or spyware scanner to remove the offending files and services and updating signatures; in a complex situation the system might need to be restored from backup and then patched. Technical experts are required for eradication because the incident may require developing specific patches to completely remove the root cause. This phase is also the point where defenses should be improved, after learning what caused the incident, to ensure that the system cannot be compromised the same way again (e.g. installing patches to fix the vulnerabilities that the attacker exploited).

Recovery

The purpose of this phase is to bring the affected systems back into an operational state carefully, so as to ensure that doing so does not lead to another incident.
It is essential to test, monitor, and validate the systems that are being put back into production to verify that they are not being reinfected by malware or compromised by some other means.

Lessons learned

The purpose of this phase is to complete any documentation that was not done during the incident, as well as any additional documentation that may be beneficial in future incidents. It is a follow-up on everything that was done during the incident handling process. The overall goal is to learn from the incidents that occurred within an organization, to improve the team's performance, and to provide reference material in the event of a similar incident. The documentation can also be used as training material for new team members.
5.2 Incident Handling Process Workflow

Based on the six-step approach to incident handling, NUST CSIRT has developed its own process flow for incident handling. The figure below shows the flow of information from receiving an incident to responding to the reporter with a solution.

Figure 6 Incident Handling Process Workflow

- Reporters within the defined constituency report to the CSIRT by four means of communication: fax/telephone, e-mail, incident reporting forms, and collaboration with international CERTs. These are available on the NUST CSIRT website.
- Every reported incident is given a ticket (a numbering system used to manage incidents).
- After identification and triage by the incident handlers, the ticket is forwarded to the relevant CSIRT supporting technical team as a verified incident.
- The technical experts of the CSIRT support teams come up with the relevant fixes, patches or solutions to eradicate the cause of the incident.
- The support teams then send the complete solution and course of action back to the incident handlers at the CSIRT coordination center.
- The incident handlers at the CSIRT coordination center are responsible for sending the solution provided by the technical teams to the respective customers/reporters.
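The triage function of section 5.1 and the ticket workflow of section 5.2, as an added example in Python. This is illustration code written for this edition of the guide, not NUST CSIRT's own tooling. It assumes one intake function for every reporting channel, a fixed set of ticket states that follows the six phases, and an impact-by-urgency priority matrix; the matrix values, the state names and the ticket number format are assumptions, not taken from the guide.

```python
"""Added example (not from the NUST CSIRT guide): a minimal model of the
ticketed incident-handling workflow of sections 5.1 and 5.2.

Every report, whatever channel it arrives on, passes through one intake
point, receives a ticket number, is triaged to a priority from impact and
urgency, and then moves through a fixed set of states.  Only transitions
listed in ALLOWED are permitted, so a ticket cannot be closed without
passing through containment, eradication and recovery.
"""
from dataclasses import dataclass, field
from enum import Enum
from itertools import count
from typing import List, Optional, Tuple


class State(Enum):
    RECEIVED = "received"
    TRIAGED = "triaged"
    CONTAINED = "contained"
    ERADICATED = "eradicated"
    RECOVERED = "recovered"
    CLOSED = "closed"
    REJECTED = "rejected"


# Allowed transitions: the six-phase order from the guide, plus a rejection
# path for reports that triage decides are not security incidents.
ALLOWED = {
    State.RECEIVED: {State.TRIAGED, State.REJECTED},
    State.TRIAGED: {State.CONTAINED},
    State.CONTAINED: {State.ERADICATED},
    State.ERADICATED: {State.RECOVERED},
    State.RECOVERED: {State.CLOSED},
}

# Impact x urgency -> priority (1 = highest).  The matrix is an assumption;
# the guide only says that triage reflects impact and urgency.
PRIORITY = {
    ("high", "high"): 1, ("high", "medium"): 2, ("high", "low"): 3,
    ("medium", "high"): 2, ("medium", "medium"): 3, ("medium", "low"): 4,
    ("low", "high"): 3, ("low", "medium"): 4, ("low", "low"): 5,
}

_ticket_numbers = count(1)  # ticket number format "CSIRT-00001" is assumed


@dataclass
class Ticket:
    number: str
    channel: str
    reporter: str
    summary: str
    state: State = State.RECEIVED
    priority: Optional[int] = None
    history: List[Tuple[State, State, str]] = field(default_factory=list)

    def advance(self, new_state: State, note: str = "") -> None:
        """Move to new_state, refusing any transition not listed in ALLOWED."""
        if new_state not in ALLOWED.get(self.state, set()):
            raise ValueError(f"{self.number}: {self.state.value} -> {new_state.value} not allowed")
        self.history.append((self.state, new_state, note))
        self.state = new_state


def receive(channel: str, reporter: str, summary: str) -> Ticket:
    """Single intake point for every channel (e-mail, phone, fax, web form)."""
    return Ticket(f"CSIRT-{next(_ticket_numbers):05d}", channel, reporter, summary)


def triage(ticket: Ticket, is_incident: bool, impact: str, urgency: str) -> Ticket:
    """Incident handlers decide whether the report is an incident and how urgent."""
    if not is_incident:
        ticket.advance(State.REJECTED, "not a security incident")
        return ticket
    ticket.priority = PRIORITY[(impact, urgency)]
    ticket.advance(State.TRIAGED, f"priority {ticket.priority}")
    return ticket


def handle_to_closure(ticket: Ticket, solution: str) -> Ticket:
    """Technical teams contain, eradicate and recover; handlers close and reply."""
    ticket.advance(State.CONTAINED, "host isolated from network")
    ticket.advance(State.ERADICATED, solution)
    ticket.advance(State.RECOVERED, "restored to production and monitored")
    ticket.advance(State.CLOSED, f"solution sent to {ticket.reporter}")
    return ticket


def demo() -> Ticket:
    """Walk one constructed report through the whole workflow."""
    t = receive("web-form", "noc@example.edu", "web server flooded with SYN packets")
    triage(t, is_incident=True, impact="high", urgency="high")
    return handle_to_closure(t, "rate-limiting rule deployed on edge router")


if __name__ == "__main__":
    t = demo()
    print(t.number, t.state.value, "priority", t.priority)
    for old, new, note in t.history:
        print(f"  {old.value:>10} -> {new.value:<10} {note}")
```

The point of the ALLOWED table is that the workflow is enforced by the tracker rather than by memory: a handler under pressure cannot skip recovery validation, and a rejected report keeps its ticket number so the decision remains auditable.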
5.3 Information Flow for CSIRT

The incident handling service usually includes other activities that support the delivery of the service, consisting of the triage, handling, announcement, and feedback functions. These functions and their relationships are shown in the figure below (according to CMU):

Figure 7 Information Flow for CSIRT

Drawing on the incident handling phases, the incident handling workflow designed above and the information flow described by SANS, a flowchart has been developed to present a clear step-by-step approach to any incident that may occur and its outcomes. The flowchart is given below:
Figure 8 Incident Handling Process
5.4 Incident Management Systems

Need for Incident Management Systems

Incident management systems enable organizations to accurately collect, monitor, analyze, and identify security threats to their environment within a single integrated solution. It is of the utmost importance that managers, investigators, analysts, engineers and operators share the same picture of what is going on. These systems are able to connect logs to organizational regulations, policy, plan, procedures, organizational divisions, and even individual project requirements. Alerts can be tailored to correlate identified events with known threats and critical assets. Reports can be automated and customized to fit any output requirement rather than being limited to hand-made spreadsheets.

Functional Overview of Incident Management Systems

Different technologies such as endpoint systems, network systems, data inventories and application infrastructures act as data sources for varied scenarios. The data is collected and summarized so that it can be analyzed in detail. In the data correlation layer, the summarized data from suspected malicious activity is compared against known-good baseline data to find the possible cause of the incident. The result is fed into the incident handling process. The figure below shows an overview of CSIRT inputs, its layers of processing and incident management.

Figure 9 Overview of incident management systems
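As an added example, not from the guide or from any NUST CSIRT system, here is the collection, correlation and incident-handling pipeline of section 5.4 in miniature, in Python, run over two constructed log sources (an SSH authentication log from an endpoint and a firewall log from the network; the host names, addresses and log formats are invented for the example). It also shows the event/incident distinction from section 2.1 in practice: every line is an event, but only the correlated chain is promoted to an incident and handed to the incident handlers.

```python
"""Added example (not from the NUST CSIRT guide): collection -> correlation
-> incident handling, as in section 5.4, on constructed sample logs.

Two sources are normalised into one time-ordered event stream.  The
correlation rule then looks for a chain that neither source shows alone:
repeated failed SSH logins from one IP, a successful login from that same
IP shortly after, and then a new outbound connection from the host that
was logged into.  Only the whole chain becomes an incident record.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# --- constructed sample input (not real logs) ----------------------------
AUTH_LOG = """\
2024-03-01T10:00:01 srv-web1 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:03 srv-web1 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:05 srv-web1 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:06 srv-web1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:09 srv-web1 sshd: Accepted password for admin from 203.0.113.5
2024-03-01T10:30:00 srv-db1 sshd: Failed password for root from 198.51.100.7
"""
FW_LOG = """\
2024-03-01T10:01:40 fw1 OUT src=srv-web1 dst=198.51.100.20:4444 action=allow
2024-03-01T10:02:00 fw1 OUT src=srv-db1 dst=10.0.0.5:443 action=allow
"""

AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) \S+ OUT src=(\S+) dst=(\S+):(\d+) action=allow$")


def parse_events(auth_log: str, fw_log: str):
    """Collection layer: normalise both sources into (time, host, kind, detail)."""
    events = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, result, user, ip = m.groups()
            kind = "login_fail" if result == "Failed" else "login_ok"
            events.append((datetime.fromisoformat(ts), host, kind, {"user": user, "ip": ip}))
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, dst, port = m.groups()
            events.append((datetime.fromisoformat(ts), host, "outbound", {"dst": dst, "port": int(port)}))
    return sorted(events, key=lambda e: e[0])


def correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Correlation layer: brute force -> success -> outbound from the same host."""
    incidents = []
    fails = defaultdict(list)  # (host, source ip) -> times of failed logins
    compromised = {}           # host -> (time of successful login, source ip)
    for ts, host, kind, d in events:
        if kind == "login_fail":
            fails[(host, d["ip"])].append(ts)
        elif kind == "login_ok":
            recent = [t for t in fails[(host, d["ip"])] if ts - t <= window]
            if len(recent) >= fail_threshold:
                compromised[host] = (ts, d["ip"])
        elif kind == "outbound" and host in compromised:
            t_ok, ip = compromised[host]
            if ts - t_ok <= window:
                incidents.append({
                    "host": host,
                    "attacker_ip": ip,
                    "c2": f"{d['dst']}:{d['port']}",
                    "severity": "high",
                    "summary": (f"{len(fails[(host, ip)])} failed logins, then success "
                                f"from {ip}, then outbound to {d['dst']}:{d['port']}"),
                })
    return incidents


def run():
    """What the incident handling process receives from the system."""
    return correlate(parse_events(AUTH_LOG, FW_LOG))


if __name__ == "__main__":
    for inc in run():
        print(inc["severity"].upper(), inc["host"], inc["summary"])
```

On the sample data the single failed login against srv-db1 and the ordinary HTTPS connection from it stay events; only srv-web1 produces an incident, and the record carries the attacker address and the outbound destination the handlers need for containment.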
6. NUST CSIRT

6.1 Mission Statement

NUST CSIRT is a national, government-sponsored Computer Security Incident Response Team. It addresses the security and cyber fronts of Pakistan to achieve technological excellence. NUST CSIRT is committed to the secure use of technology through standards, best practices, and risk and threat mitigation, being at the front end of information dissemination.

6.2 NUST CSIRT Website

A website has been developed as the interface through which NUST CSIRT provides its reactive and proactive services.

Figure 10 NUST CSIRT web page

6.3 NUST CSIRT Services

Services provided on the NUST CSIRT website are as follows:

- Incident Handling (means of reporting an incident)
- Information Dissemination:
  - Alerts and warnings
  - Vulnerability / security updates
  - Latest news on cybercrime
  - Technical documents to enhance the knowledge base
  - Recommended tools for supporting incident handling and management
  - Newsletters
  - CVE database

6.4 Incident Reporting methods

The following incident reporting methods are available on the website in the helpdesk section:

- Incident report form
- Contact via telephone
- Contact via fax

Incidents can be reported to NUST CSIRT through any of these methods.

6.5 Staying connected with NUST CSIRT

Keep yourself updated about the latest news, threat alerts, warnings and security updates by subscribing to NUST CSIRT via e-mail and SMS. NUST CSIRT is also connected to the world over social media. Follow us on Facebook: NUST CSIRT.
References

- SANS Institute: An Incident Handling Process for Small and Medium Businesses
- National Institute of Standards and Technology (NIST): Computer Security Incident Handling Guide, Special Publication (Revision 2)
- ENISA: A Step-by-Step Approach on How to Set Up a CSIRT
- CMU/SEI: Handbook for Computer Security Incident Response Teams (CSIRTs) [CMU/SEI 2003 HB 002]
- SANS Institute: Incident Handler's Handbook
- Building Global CSIRT Capabilities, Southeast Europe Conference
- SANS Reading Room
- ENISA Publications
- NIST Standard Reference Materials
Global Response Centre (GRC) & CIRT Lite Regional Cyber security Forum 2009, Hyderabad, India 23 rd to 25 th September 2009 IMPACT Service offerings Global Response Centre CIRT Lite Need for GRC Access
More informationRSA NetWitness Suite Respond in Minutes, Not Months
RSA NetWitness Suite Respond in Minutes, Not Months Overview One can hardly pick up a newspaper or turn on the news without hearing about the latest security breaches. The Verizon 2015 Data Breach Investigations
More informationIndustrial Defender ASM. for Automation Systems Management
Industrial Defender ASM for Automation Systems Management INDUSTRIAL DEFENDER ASM FOR AUTOMATION SYSTEMS MANAGEMENT Industrial Defender ASM is a management platform designed to address the overlapping
More informationAn overview of the CERT/CC and CSIRT Community
An overview of the CERT/CC and CSIRT Community Jason A. Rafail October 2007 2007 Carnegie Mellon University Overview CERT/CC CSIRTs with National Responsibility Partnerships and Trust Training Conclusion
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationCurrent procedures, challenges and opportunities for collection and analysis of Criminal Justice statistics CERT-GH
Current procedures, challenges and opportunities for collection and analysis of Criminal Justice statistics CERT-GH International Workshop on Criminal Justice Statistics on Cybercrime and Electronic Evidence
More informationTotal Security Management PCI DSS Compliance Guide
Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to
More informationAutomating the Top 20 CIS Critical Security Controls
20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises
More informationFDIC InTREx What Documentation Are You Expected to Have?
FDIC InTREx What Documentation Are You Expected to Have? Written by: Jon Waldman, CISA, CRISC Co-founder and Executive Vice President, IS Consulting - SBS CyberSecurity, LLC Since the FDIC rolled-out the
More informationComputer Security Incident Response Plan. Date of Approval: 23-FEB-2014
Computer Security Incident Response Plan Name of Approver: Mary Ann Blair Date of Approval: 23-FEB-2014 Date of Review: 31-MAY-2016 Effective Date: 23-FEB-2014 Name of Reviewer: John Lerchey Table of Contents
More informationCreating and Managing Computer Security Incident Response Teams (CSIRTs)
Creating and Managing Computer Security Incident Response Teams (CSIRTs) CERT Coordination Center Networked Systems Survivability Program Software Engineering Institute Carnegie Mellon University Pittsburgh,
More informationGDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ
GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool Contact Ashley House, Ashley Road London N17 9LZ 0333 234 4288 info@networkiq.co.uk The General Data Privacy Regulation
More informationBusiness Continuity Management Standards A Side-by-Side Comparison
Business Continuity Standards A Side-by-Side Comparison By Brian Zawada (CBCP) & Jared Schwartz (CBCP) Whether your organization has begun a grassroots initiative to develop a business continuity plan
More informationDATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI
DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI EXECUTIVE SUMMARY The shortage of cybersecurity skills Organizations continue to face a shortage of IT skill
More informationABB Ability Cyber Security Services Protection against cyber threats takes ability
ABB Ability Cyber Security Services Protection against cyber threats takes ability In today s business environment, cyber security is critical for ensuring reliability of automation and control systems.
More informationBERGRIVIER MUNICIPALITY
BERGRIVIER MUNICIPALITY PATCH MANAGEMENT POLICY APRIL 2012 C:\Users\HJanuarie\Desktop\New folder (6)\INFORMATION TECHNOLOGY\Patch Management Policy.docx/cmd 1 CONTENTS Version Control.. Document History.
More informationCyber Security Program
Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationCarbon Black PCI Compliance Mapping Checklist
Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and
More informationNew York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief
Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced
More informationRSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief
RSA Solution Brief The RSA Solution for VMware View: Managing Securing the the Lifecycle Virtual of Desktop Encryption Environment Keys with RSA Key Manager RSA Solution Brief 1 According to the Open Security
More informationStandard for Security of Information Technology Resources
MARSHALL UNIVERSITY INFORMATION TECHNOLOGY COUNCIL Standard ITP-44 Standard for Security of Information Technology Resources 1 General Information: Marshall University expects all individuals using information
More informationSecurity of Information Technology Resources IT-12
Security of Information Technology Resources About This Policy Effective Dates: 11-28-2007 Last Updated: 10-23-2017 Responsible University Administrator: Office of the Vice President for Information Technology
More informationAligning with the Critical Security Controls to Achieve Quick Security Wins
Aligning with the Critical Security Controls to Achieve Quick Security Wins Background The Council on CyberSecurity s Critical Security Controls for Effective Cyber Defense provide guidance on easy wins
More informationHow AlienVault ICS SIEM Supports Compliance with CFATS
How AlienVault ICS SIEM Supports Compliance with CFATS (Chemical Facility Anti-Terrorism Standards) The U.S. Department of Homeland Security has released an interim rule that imposes comprehensive federal
More informationBoston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018
Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security BRANDEIS UNIVERSITY PROFESSOR ERICH SCHUMANN MAY 2018 1 Chinese military strategist Sun Tzu: Benchmark If you know your
More information1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010
Standard CIP 011 1 Cyber Security Protection Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes
More informationCyber Resilience. Think18. Felicity March IBM Corporation
Cyber Resilience Think18 Felicity March 1 2018 IBM Corporation Cyber Resilience Cyber Resilience is the ability of an organisation to maintain its core purpose and integrity during and after a cyber attack
More informationThreat and Vulnerability Assessment Tool
TABLE OF CONTENTS Threat & Vulnerability Assessment Process... 3 Purpose... 4 Components of a Threat & Vulnerability Assessment... 4 Administrative Safeguards... 4 Logical Safeguards... 4 Physical Safeguards...
More informationCybersecurity Risk Mitigation: Protect Your Member Data. Introduction
Cybersecurity Risk Mitigation: Protect Your Member Data Presented by Matt Mitchell, CISSP Knowledge Consulting Group Introduction Matt Mitchell- Director Risk Assurance 17 years information security experience
More informationSecurity Information & Event Management (SIEM)
Security Information & Event Management (SIEM) Datasheet SIEM in a nutshell The variety of cyber-attacks is extraordinarily large. Phishing, DDoS attacks in combination with ransomware demanding bitcoins
More informationNational Cyber Security Strategy - Qatar. Michael Lewis, Deputy Director
National Cyber Security Strategy - Qatar Michael Lewis, Deputy Director 2 Coordinating a National Approach to Cybersecurity ITU Pillars of Cybersecurity as a Reference Point providing the collected best
More informationRFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template
RFP/RFI Questions for Managed Security Services Sample MSSP RFP Template Table of Contents Request for Proposal Template Overview 1 Introduction... 1 How to Use this Document... 1 Suggested RFP Outline
More informationTHE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM
THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM Modern threats demand analytics-driven security and continuous monitoring Legacy SIEMs are Stuck in the Past Finding a mechanism to collect, store
More informationISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045
Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that
More informationRFC 2350 CSIRT-TEHTRIS [CERT-TEHTRIS]
RFC 2350 CSIRT-TEHTRIS [CERT-TEHTRIS] 1 Document information... 2 1.1 Date of Last Update... 2 1.2 Distribution List for Notifications... 2 1.3 Locations where this Document May Be Found... 2 1.4 Authenticating
More informationMedical Device Vulnerability Management
Medical Device Vulnerability Management MDISS / NH-ISAC Process Draft Dale Nordenberg, MD June 2015 Market-based public health: collaborative acceleration Objectives Define a trusted and repeatable process
More informationHacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK
Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for
More informationInformation Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events
Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events Location: Need the right URL for this document https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/detect/ndcbf_i
More informationAn Operational Cyber Security Perspective on Emerging Challenges. Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL)
An Operational Cyber Security Perspective on Emerging Challenges Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL) Johns Hopkins University Applied Physics Lab (JHU/APL) University
More informationSANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045
Critical Security Control Solution Brief Version 6 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable,
More informationINCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER
INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER 1 INCIDENT RESPONDER'S FIELD GUIDE TABLE OF CONTENTS 03 Introduction
More informationNERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS
NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements
More informationPROCEDURE COMPREHENSIVE HEALTH SERVICES, INC
PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC APPROVAL AUTHORITY: President, CHSi GARY G. PALMER /s/ OPR: Director, Information Security NUMBER: ISSUED: VERSION: APRIL 2015 2 THOMAS P. DELAINE JR. /s/ 1.0
More informationWhite Paper. How to Write an MSSP RFP
White Paper How to Write an MSSP RFP https://www.solutionary.com (866) 333-2133 Contents 3 Introduction 3 Why a Managed Security Services Provider? 5 Major Items to Consider Before Writing an RFP 5 Current
More informationSECURITY OPERATION CENTER - Models, Strategies and development - By Ali Mohammadi Desember 12,13, 2017
SECURITY OPERATION CENTER - Models, Strategies and development - By Ali Mohammadi Desember 12,13, 2017 1 Outline Organizational Security Concept Security Operations Center (SOC) Concept SOC Models SOC
More informationProtection Levels, Holistic Approach. ISA-99 WG 3 TG 3 Protection Levels
Protection Levels, Holistic Approach Security is about technology, processes and people Policies and procedures Functional security measures Competency A holistic security protection concept has to include
More informationMANAGEMENT OF INFORMATION SECURITY INCIDENTS
MANAGEMENT OF INFORMATION SECURITY INCIDENTS PhD. Eng Daniel COSTIN Polytechnic University of Bucharest ABSTRACT Reporting information security events. Reporting information security weaknesses. Responsible
More informationDetecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC
Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC Agenda Introduction to JPCERT/CC About system-wide intrusions
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationRSA INCIDENT RESPONSE SERVICES
RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access
More informationHow security intelligence can be used for incident management. Volker Rath, Techn. Lead Consulting Services
How security intelligence can be used for incident management Volker Rath, Techn. Lead Consulting Services Safety and protection matters Lots of news about threats and diseases. Which immunizations? Spreading
More informationReinvent Your 2013 Security Management Strategy
Reinvent Your 2013 Security Management Strategy Laurent Boutet 18 septembre 2013 Phone:+33 6 25 34 12 01 Email:laurent.boutet@skyboxsecurity.com www.skyboxsecurity.com What are Your Key Objectives for
More information