CSIRT for managers


Oct 28, 2013


CSIRT for managers

AfNOG & AfriNIC

Yaoundé, Cameroon, 19-25 November 2011

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology” - Bruce Schneier

http://think.securityfirst.web.id/?page_id=12


Prologue

Getting to know each other

Facilitators

Participants (professional environment, expectations)

Overview

Introduction

Understanding the threats

Needs for a global response

Creating and managing a CSIRT

Conclusion

References

ENISA, 2010, Promoting information security as a cultural and behavioral change

ENISA, 2010, Training material for small and medium enterprises

Actions list for creating a CSIRT

ENISA, 2010, Conseils en matière de sécurité de l'information à l'intention des employés (Information security advice for employees)

ENISA, 2010, Clés USB: priorité à la sécurité (USB keys: security first)

Contents

Introduction

Threats to the information assets

Needs for a global response

Defining information security

Confidentiality, Integrity, Availability

Accountability, authenticity and non-repudiation

CSIRT functions

CSIRT services

CSIRT benefits

Steps for creating national CSIRT

Critical success factors

Law enforcement

Practical information

Conclusion

Threats to the information assets (1 / 2)

Information assets:

have value to the company, institution or organisation

are not easily replaceable without cost, skill, time, resources or a combination of these

Examples: recipes, clients & providers database, website, Internet connection

Why are those assets at risk?

Human error

Money: value for competitors

Intelligence: value for nations

Terrorism: value for ideological groups

Anger and vengeance: value for disgruntled employees

Threats to the information assets (2 / 2)

Some malicious acts:

Malware

Denial of Service

Unauthorized Access

Inappropriate Usage

Discussion of real-life experience from participants

Recent news

Impact of those crimes at national level: economy, politics, social

Needs for a global response (1 / 4)

Crime: an act or the commission of an act that is forbidden or the omission of a duty that is commanded by a public law and that makes the offender liable to punishment by that law.
http://www.merriam-webster.com/dictionary/crime

Cybercrime is 'crime' with some sort of 'computer' or 'cyber' aspect.
http://us.norton.com/cybercrime/definition.jsp

Dealing with any crime:

Prevention is better than cure: education

Expertise for investigation of wrongdoing, prosecution, trial, punishment, etc.

Dealing with cybercrime: key experts and personnel from diverse areas (law enforcement, regulators, country focal points, cybersecurity experts, etc.)

Needs for a global response (2 / 4)

Number and diversity of actors involved

Threats are coming from all directions

Global response centre at local and national level, cooperation at all levels

Local: top management, staff, HR, unions, IT staff

National: experts from diverse areas: economy, politics, IT, security, law enforcement

International cooperation

Cybercrimes easily (and usually) ignore geographical boundaries

The problem is global; it needs a global solution

Needs for a global response (3 / 4)

Framework for national and international cooperation

Legal aspects

Technical measures

Organizational structures (including policies and strategies)

Capacity building

Global partnerships (unavoidable)

Understanding the level of vulnerability of the systems at the base of the global economy and individual well-being

Identifying and protecting the vulnerable targets

Learning from others' experiences

Needs for a global response (4 / 4)

The response is a Computer Security Incident Response Team (CSIRT)

A service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity. Their services are usually performed for a defined constituency that could be a parent entity such as a corporation, governmental, or educational organization; a region or country; a research network; or a paid client.
http://www.cert.org/csirts/csirt_faq.html



CSIRT: Computer Security Incident Response Team

CIRC: Computer Incident Response Capability

CIRT: Computer Incident Response Team

IRC: Incident Response Center or Incident Response Capability

IRT: Incident Response Team

SERT: Security Emergency Response Team

SIRT: Security Incident Response Team

Defining information security (1 / 3)

Information security is the process of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
http://en.wikipedia.org/wiki/Information_security

Core principles are confidentiality, integrity, and availability

Extended to accountability, authenticity and non-repudiation

Defining information security (2 / 3)

An excerpt from “Terms and definitions, ISO/IEC 27000”.

Confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities, or processes

Integrity: property of protecting the accuracy and completeness of assets

Availability: property of being accessible and usable upon demand by an authorized entity

Defining information security (3 / 3)

Authenticity: property that an entity is what it claims to be

Authentication: provision of assurance that a claimed characteristic of an entity is correct

Accountability: responsibility of an entity for its actions and decisions

Non-repudiation: ability to prove the occurrence of a claimed event or action and its originating entities, in order to resolve disputes about the occurrence or non-occurrence of the event or action and involvement of entities in the event

CSIRT functions


Single point of contact to report security incidents

Assistance to the constituency in preventing and handling computer security incidents

Sharing information and experience with other response teams

Collaboration with law enforcement and local authority bodies

CSIRT services (1 / 3)

CSIRT services are defined during the creation process

CSIRT services may also overlap with those covered by the “security team”

Take great care while choosing services; the choice has an impact on:

resources

skill sets

partnerships

quality / quantity

Think big, start small and ... scale fast

CSIRT services (2 / 3)

Reactive services

services are triggered by an event or request

services aim at curing compromised systems

Proactive services

prepare, protect, and secure

reduce the number of incidents

Security quality management services

improve the overall security

reduce the number of incidents

CSIRT services (3 / 3)

Many cross-links between services

Services offered must be tailored to the specific needs and prospective evolution of the constituency

Services offered must be tailored to the resources available: financial, organizational, human

Dissemination of information is very important

Prevention is better than cure

CSIRT benefits

Centralised coordination for IT security issues

Centralised and specialised handling of and response to IT incidents: systematic response to incidents with appropriate steps

Expertise to support users for quick and efficient recovery from incidents, with minimum loss or theft of information and disruption of services

Learning from experience, better preparation for handling future incidents

Expertise with legal issues, evidence handling

Up to date with developments in security fields

Stimulation of cooperation within constituency

Steps for creating national CSIRTs

Iteration, evaluation, flexibility

1. Obtain management support and buy-in: constituency, stakeholders and participants

2. Obtain management support and sponsorship

3. Design the CSIRT vision

4. Determine the CSIRT strategic plan

5. Create an implementation plan and solicit feedback

6. Communicate the CSIRT vision and operational plan

7. Decide on the range and level of services the CSIRT will offer

8. Identify required resources such as staff, equipment, and infrastructure

9. Secure funding for CSIRT operations

10. Begin CSIRT implementation, announce the operational CSIRT

Critical success factors

Country’s commitment at the highest level

Relevant agency involvement supported by the highest level of the country

Communicate the strategic value to the country’s Cybersecurity Programme

Design and communicate a relevant National CSIRT vision and operational plan to fit the country

Implement National CSIRT tools and processes in line with the above vision and operational plan

Announce the National CSIRT operations to the country

Continue the periodic assessment of the CSIRT's effectiveness

Periodic reviews and adjustments to the National CSIRT Development Roadmap

Keep improving the network of trust with the constituency

Law enforcement

How is the law in your country dealing with:

Identity theft

Web defacement

Unauthorised access

Money extortion

How is the law in your country dealing with criminal activities by your citizens perpetrated against foreigners?

How does society view people who perpetrate extortion against foreigners?

What evidence is accepted?

How are investigators, prosecutors, judges, etc. trained?

Practical information

Minimum staffing

CERTification: Certified Computer Security Incident Handler (CSIH)

Equipment you should have when starting

Equipment you had better have later on

Essential readings

Learning what other CSIRTs do:
http://first.org/members/teams/


Conclusion

Investigation is only as good as the skills, team, resources and technology available. Prosecution is only as good as the evidence.

Prevention is better than cure: proactive versus reactive approach:

Share of resources

Partnering

Training and transfer of skills

Educating the public

What are the achievements of the various cybercrime commissions in Africa?

What are the impacts of the various cybercrime-related Acts in Africa?

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology” - Bruce Schneier

http://think.securityfirst.web.id/?page_id=12