The Case for National CSIRTs

Similar documents
CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

RFC2350 TLP1: WHITE. Έκδοση National CSIRT-CY RFC2350

Building Global CSIRT Capabilities

Presentation to the ITU on the Q-CERT Incident Management Team. Ian M Dowdeswell Incident Manager, Q-CERT

Directive on security of network and information systems (NIS): State of Play

RFC 2350 YOROI-CSDC. Expectations for Computer Security Incident Response. Date 2018/03/26. Version 1.0

Stakeholders Analysis

Information Security Controls Policy

Cyber Security Technologies

METHODOLOGY AND CRITERIA FOR THE CYBERSECURITY REPORTS

The latest version of this profile can be found on the location specified in 1.3

Network and Information Security Directive

CIRT: Requirements and implementation

NIS-Directive and Smart Grids

THE CYBER SECURITY ENVIRONMENT IN LITHUANIA

Defining Computer Security Incident Response Teams

Directive on Security of Network and Information Systems

Cybersecurity Strategy of the Republic of Cyprus

An overview of the CERT/CC and CSIRT Community

Bradford J. Willke. 19 September 2007

Discussion on MS contribution to the WP2018

Global Response Centre (GRC) & CIRT Lite. Regional Cyber security Forum 2009, Hyderabad, India 23 rd to 25 th September 2009

Centre for cybersecurity Belgium : Role, Missions et future capacities

Cyber Security Strategy

GARR-CERT. Update. Simona Venuti TF-CSIRT, Rome,

National Policy and Guiding Principles

Emergency Support Function #2 Communications Annex INTRODUCTION. Purpose. Scope. ESF Coordinator: Support Agencies: Primary Agencies:

CERT.LV activities, role in Latvia and globally. Baiba Kaskina, CERT.LV , Sofia, Bulgaria

Panel 1 National CSIRT Experience

Member of the County or municipal emergency management organization

ENISA EU Threat Landscape

National Cyber Security Strategy - Qatar. Michael Lewis, Deputy Director

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

Cyber Security Strategic Level Landscape in Poland. Krzysztof Silicki NASK Institute, Poland ENISA MB, EB

Croatian National CERT ACDC project Darko Perhoc, Head of National CERT CISSP, CEH, CCNP Security R&S,CCDP

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

The NIS Directive and Cybersecurity in

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

Digital Health Cyber Security Centre

Itu regional workshop

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

SECURITY & PRIVACY DOCUMENTATION

Global cybersecurity and international standards

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

Protecting your data. EY s approach to data privacy and information security

About Issues in Building the National Strategy for Cybersecurity in Vietnam

CERT.be Brussels 2011

Swedish IT Incident Centre

Regional Workshop on Frameworks for Cybersecurity and CIIP Feb 2008 Doha, Qatar

RFD. for ICERT ( ) RESULTS-FRAMEWORK DOCUMENT. Department of Information Technology. Results-Framework Document (RFD) for CERT-In ( )

RESOLUTION 130 (REV. BUSAN, 2014)

OAS Cybersecurity Capacity Building Efforts

Securing Europe's Information Society

Mapping of the CVD models in Europe

Critical Information Infrastructure Protection. Role of CIRTs and Cooperation at National Level

RISING CYBER SECURITY CAPABILITY WITH A UNIQUE NETWORK OF TRUSTED PARTNERS. Jan De Blauwe Chairman Cyber Security Coalition Belgium

POSITION DESCRIPTION

2nd ENISA Workshop German CERT-Activities. 5 th October, 2006 Brussels

Package of initiatives on Cybersecurity

ENISA s Position on the NIS Directive

Security Director - VisionFund International

ENISA Operational security CERT relations. Update January Contact:

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

Italian government CERT: INITIAL RESULTS

Critical Information Infrastructure Protection Law

Cybersecurity in the EU Steve Purser Head of Operational Departments, ENISA Regional Cybersecurity Forum Sofia, Bulgaria 29 th November 2016 European

RFC 2350 CSIRT-TEHTRIS [CERT-TEHTRIS]

Current procedures, challenges and opportunities for collection and analysis of Criminal Justice statistics CERT-GH

Australian Government Cyber-security Activities in the Pacific

Be Secure! Computer Security Incident Response Team (CSIRT) Guide. Plan Establish Connect. Maliha Alam Mehreen Shahid

Global Alliance Against Child Sexual Abuse Online 2014 Reporting Form

Call for Expressions of Interest

The Common Controls Framework BY ADOBE

Cybersecurity governance in Europe. Sokratis K. Katsikas Systems Security Laboratory Dept. of Digital Systems University of Piraeus

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Commonwealth Cyber Declaration

CENTER FOR SECURITY STUDIES

Canada Life Cyber Security Statement 2018

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

The Republic of Korea. economic and social benefits. However, on account of its open, anonymous and borderless

CYBER INCIDENT REPORTING GUIDANCE. Industry Reporting Arrangements for Incident Response

Google Cloud & the General Data Protection Regulation (GDPR)

Emergency response plan in the event of an attack against information systems or. a technical flaw in the information systems

Cyber Security Program

CSIRT capacity building Andrea Dufkova CSIRT-relations, COD1 NLO meeting Athens June 8. European Union Agency for Network and Information Security

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Implementing a National Strategy : the case of the Tunisian CERT

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

Creating and Managing Computer Security Incident Response Teams (CSIRTs)

G8 Lyon-Roma Group High Tech Crime Subgroup

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

EU policy on Network and Information Security & Critical Information Infrastructures Protection

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

NATIONAL STRATEGY:- MALAYSIAN EXPERIENCE

Security

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

Global Security Consulting Services, compliancy and risk asessment services

Position Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED

Developing a National Emergency Telecommunications Plan. The Samoan Experience November 2012

Transcription:

The Case for National CSIRTs ENOG 12 Yerevan 3-4 Oct 2016

What is a CERT (CSIRT)? A Computer Security Incident Response Team (CSIRT) is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity. Their services are usually performed for a defined constituency that could be a parent entity such as a corporation, governmental, or educational organization; a region or country; a research network; or a paid client. (CERT/CC)

What is a CSIRT? Team within an organisation that prevents, manages and responds to information security incidents Nominated person(s), typically in smaller organisations Specialist team Defined contact point internally and externally Historically responsive, CSIRTs increasingly focus on: Prevention and Detection Alerting Vulnerability Analysis Development of business continuity plans Coordination with other CSIRTs

Recognised CSIRTs in ENOG region Country CSIRT Type TI Status Armenia CERT-AM National? Accredited Azerbaijan AzScienceCERT R&E Accredited CERT.AZ National? Accredited CERT.GOV.AZ Government Accredited Georgia CERT-GE R&E Listed CERT-GOV-GE Government Accredited Kazahkstan KAZRENA-CERT R&E Listed KZ-CERT Government Listed Moldova CERT-GOV-MD Government Accredited MD-CERT R&E Listed Russia CERT-GIB cctld Accredited Gov-CERT.RU Government - RU-CERT National? Accredited WebPlus ISP ISP Commercial Listed Uzbekistan UZ-CERT Government - Kyrgyzstan None? Taijikistan None? Turkmenistan None?

Why are CSIRTs important? Security threats are real and ongoing Ignoring threats costs resources Denial-of-Service Data Theft Compromises reputations Prevention is better than cure Small things often prevent disasters End user awareness reduces problems CSIRTs save more than they cost, and offer possibility to offer value-added services

Why the need for National CSIRTs? CSIRTs usually serve particular constituencies (e.g. government, academic, private sector) Many security incidents are cross-constituency and international Need for official national points of contact Need for national focal point within country to coordinate incidents Operational requirements for national constituencies can be different to other constituencies (e.g. 24 x 7 is more likely needed) Key elements of Critical Infrastructure Protection

Why the need for National CSIRTs? Internet has become critical to national economies Share knowledge, resources and tools Compare working practices Develop common best practices and standards Encourage development of CSIRTs and/or organisational points of contact. Improve coordination with law enforcement, security and military agencies Provision of technical advice on cybersecurity to policy makers. EU called on all member states to establish National CSIRTs by 2011.

Different models for National CSIRTs Host organisation National Telecommunications Regulatory Body Government CSIRT Academic CSIRT (often these are the first CSIRTs established in a country) Establishment of National Cybersecurity Centre Voluntary vs Regulated Relies on willingness of constituents to cooperate, or constituents are required to implement measures to counter threats (only in emergency situations?) Cooperation Bi/multi-lateral or Community

Examples of National CSIRTs CERT-GOV-MD (Moldova) Operated by State Center for Special Telecommunications, provider of secure communications between government institutions NCSC-NL (Netherlands) Operated by Ministry of Security and Justice NorCERT (Norway) Operated by National Security Authority (NSM), under the Ministry of Defence CERT.be (Belgium) Operated by BELNET, the National Research & Education Network

How to establish a CSIRT? Define basic framework Mission Statement (what to do?) Definition of Constituency (for whom?) Relationship with others (who to cooperate with, and whom to trust?) Establish policies Determine what services to offer Train staff Establish incident handling system Raise awareness of CSIRT in your community Establish contacts with other teams

Types of CSIRT services Reactive Vulnerability handling alerts Incident & artefacts handling Proactive Announcements & information dissemination Security audits Development of security tools Configuration & maintenance Intrusion detection Security Quality Risk analysis Disaster recovery planning Consulting Education Product evaluation

The need to allocate resources to a CSIRT Handling security is a service activity Incidents require timely and effective response Roles and responsibilities are important A formal CSIRT structure is a requirement to join the Security Community and benefit from it There must be somebody handling a security problem, whose priority is to solve the problem, or at least to take effective countermeasures Establishing a minimal Service Level requires a minimal allocation of resources Some incidents cannot be handled best effort style

The benefits of allocating resources to a CSIRT Roles are defined, procedures are established People know what to do and how Increase in confidence by the community towards the CSIRT Increase in confidence by the community towards the host organisation Money costing resources (network infrastructure, data, computer services, manpower) are preserved and protected Better reputation means better collaboration

The requirements for an operational CSIRT Provide and keep updated information about itself and its services Trusted Introducer Listing Accomplish a list of operational requirements MUST, SHOULD, MAY lists Having operational tools that can solve/neutralize/mitigate security incidents Belong to the Web-of-Trust of Security Teams Trusted Introducer Accreditation process FIRST membership

MUST Provide and make available PGP team and members keys Provide and keep up-to-date Web site with contact information Acknowledge incoming incidents and issue Trouble Tickets or Unique Identifiers Inform external teams of unexpected security related discovered information Provide incident closure information to the team who opened it Use encryption to protect sensitive or personal data in incident handling information exchange Keep all incident information confidential and not disclosed beyond the scope of incident handling Sign all e-communications with PGP keys

SHOULD Document and publish Best Common Practices (BCP) Make available its Communication and Authentication Policy for keys and certificates Acknowledge incoming incident handling requests, and state its own Severity classification Inform the external team about progress in handling incidents Use a Trouble Ticket System (or equivalent) in handling procedures Have PGP keys countersigned by other teams Install and use security tools

MAY Inform the external team who opened an incident about the internal escalation procedures used Redirect the external team who opened an incident to a more appropriate Security Team Include automated information (IODEF-like) in reports exchanged with other teams Make available X.509 team and members certificates to other teams, including information about the Issuing Certification Authority, in case of Self Signed CA

Trusted Introducer CSIRTs rely on notion of trust whether contacts are trustworthy Trusted Introducer service was introduced to establish higher level of trust CSIRTs must provide specific information about personnel and services Prospective CSIRTs must have support of at least two other TIaccredited CSIRTs, and others can object to acceptance Accredited CSIRTs are contacted 3 times per year, and must respond to maintain accreditation TI service is operated by TF-CSIRT, the European Forum of Computer Incident Response Teams, but open to all teams

TRANSITS Training TF-CSIRT has produced training material for CSIRTs seeking relevant training TRANSITS-I is 2-day basic course covering organisational, technical operational and legal issues TRANSITS-II is 3-day advanced course covering traffic flow analysis, forensics, communication and incident handling exercises Usually 2 x TRANSITS-I and 1 x TRANSITS-II workshop per year in Europe/Mediterranean/Middle East TRANSITS materials adopted by FIRST who run workshops elsewhere in the world, and other organisations may also use materials under licence for their own training events TRANSITS trainers can be hired for dedicated workshops

Thank You! Kevin Meynell meynell@isoc.org

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback