CSIRT for managers
AfNOG & AfriNIC, Yaoundé, Cameroon, 19-25 November 2011
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology” - Bruce Schneier
http://think.securityfirst.web.id/?page_id=12
Prologue
Getting to know each other
Facilitators
Participants (professional environment, expectations)
Overview
Introduction
Understanding the threats
Needs for a global response
Creating and managing a CSIRT
Conclusion
References
ENISA, 2010, Promoting information security as a cultural and behavioral change
ENISA, 2010, Training material for small and medium enterprises
ENISA, 2010, Actions list for creating a CSIRT
ENISA, 2010, Conseils en matière de sécurité de l'information à l’intention des employés (Information security advice for employees)
ENISA, 2010, Clés USB: priorité à la sécurité (USB keys: security first)
Contents (title, page)
Introduction, 2
Threats to the information assets, 5
Needs for a global response, 7
Defining information security, 11
Confidentiality, Integrity, Availability, 12
Accountability, authenticity and non-repudiation, 13
CSIRT functions, 14
CSIRT services, 15
CSIRT benefits, 18
Steps for creating a national CSIRT, 19
Critical success factors, 20
Law enforcement, 21
Practical information, 22
Conclusion, 23
Threats to the information assets
1 / 2
Information assets:
have value to the company, institution or organisation
are not easily replaceable without cost, skill, time, resources or a combination of these
Examples: recipes, clients & providers database, website, Internet connection
Why are those assets at risk?
Human error
Money: value for competitors
Intelligence: value for nations
Terrorism: value for ideological groups
Anger and vengeance: value for disgruntled employees
Threats to the information assets
2 / 2
Some malicious acts:
Malware
Denial of Service
Unauthorized access
Inappropriate usage
Discussion on real-life experience from participants
Recent news
Impact of those crimes at national level:
economy, politics, social
Needs for a global response
1 / 4
Crime: an act or the commission of an act that is forbidden or the omission of a duty that is commanded by a public law and that makes the offender liable to punishment by that law.
http://www.merriam-webster.com/dictionary/crime
Cybercrime is 'crime' with some sort of 'computer' or 'cyber' aspect.
http://us.norton.com/cybercrime/definition.jsp
Dealing with any crime:
Prevention is better than cure: education
Expertise for investigation of wrongdoing, prosecution, trial, punishment, etc.
Dealing with cybercrime: key experts and personnel from diverse areas (law enforcement, regulators, country focal points, cybersecurity experts, etc.)
Needs for a global response
2 / 4
Number and diversity of actors involved
Threats come from all directions
Global Response Centre at local and national level, cooperation at all levels
Local: top management, staff, HR, unions, IT staff
National: experts from diverse areas: economy, politics, IT, security, law enforcement
International cooperation
Cybercrimes easily (and usually) ignore geographical boundaries
The problem is global, it needs a global solution
Needs for a global response
3 / 4
Framework for national and international cooperation
Legal aspects
Technical measures
Organizational structures (including policies and strategies)
Capacity building
Global partnerships (unavoidable)
Understanding the level of vulnerability of the system at the base of the global economy and individual well-being
Identifying and protecting the vulnerable targets
Learning from other experiences
Needs for a global response
4 / 4
The response is a Computer Security Incident Response Team (CSIRT)
A service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity. Their services are usually performed for a defined constituency that could be a parent entity such as a corporation, governmental, or educational organization; a region or country; a research network; or a paid client.
http://www.cert.org/csirts/csirt_faq.html
Related names for the same kind of team:
CSIRT: Computer Security Incident Response Team
CIRC: Computer Incident Response Capability
CIRT: Computer Incident Response Team
IRC: Incident Response Center or Incident Response Capability
IRT: Incident Response Team
SERT: Security Emergency Response Team
SIRT: Security Incident Response Team
Defining information security
1 / 3
Information security is the process of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
http://en.wikipedia.org/wiki/Information_security
Core principles are confidentiality, integrity, and availability
Extended to accountability, authenticity and non-repudiation
Defining information security
2 / 3
An excerpt from “Terms and definitions, ISO/IEC 27000”:
Confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities, or processes
Integrity: property of protecting the accuracy and completeness of assets
Availability: property of being accessible and usable upon demand by an authorized entity
Defining information security
3 / 3
Authenticity: property that an entity is what it claims to be
Authentication: provision of assurance that a claimed characteristic of an entity is correct
Accountability: responsibility of an entity for its actions and decisions
Non-repudiation: ability to prove the occurrence of a claimed event or action and its originating entities, in order to resolve disputes about the occurrence or non-occurrence of the event or action and the involvement of entities in the event
CSIRT functions
Single point of contact to report security incidents
Assistance to the constituency in preventing and handling computer security incidents
Sharing information and experience with other response teams
Collaboration with law enforcement and local authority bodies
CSIRT services
1 / 3
CSIRT services are defined during the creation process
Some CSIRT services may already be covered by an existing “security team”
Take great care while choosing services, as they impact:
resources
skill sets
partnerships
quality versus quantity
Think big, start small and ...scale fast
CSIRT services
2 / 3
Reactive services
triggered by an event or request
aim at curing compromised systems
Proactive services
prepare, protect, and secure
reduce the number of incidents
Security quality management services
improve the overall security
reduce the number of incidents
CSIRT services
3 / 3
Many cross-links between services
Services offered must be tailored to the specific needs and prospective evolution of the constituency
Services offered must be tailored to the resources available: financial, organizational, human
Dissemination of information is very important
Prevention is better than cure
CSIRT benefits
Centralised coordination for IT security issues
Centralised and specialised handling of and response to IT incidents: systematic response to incidents with appropriate steps
Expertise to support users for quick and efficient recovery from incidents, with minimum loss or theft of information and disruption of services
Learning from experience, better preparation for handling future incidents
Expertise with legal issues, evidence handling
Up to date with developments in security fields
Stimulation of cooperation within the constituency
Steps for creating national CSIRTs
Iteration, evaluation, flexibility
1. Obtain management support and buy-in: constituency, stakeholders and participants
2. Obtain management support and sponsorship
3. Design the CSIRT vision
4. Determine the CSIRT strategic plan
5. Create an implementation plan and solicit feedback
6. Communicate the CSIRT vision and operational plan
7. Decide on the range and level of services the CSIRT will offer
8. Identify required resources such as staff, equipment, and infrastructure
9. Secure funding for CSIRT operations
10. Begin CSIRT implementation, announce the operational CSIRT
Critical success factors
Country’s commitment at the highest level
Relevant agency involvement, supported by the highest level of the country
Communicate the strategic value to the country’s cybersecurity programme
Design and communicate a relevant national CSIRT vision and operational plan that fit the country
Implement national CSIRT tools and processes in line with the above vision and operational plan
Announce the national CSIRT operations to the country
Continue the periodic assessment of the CSIRT's effectiveness
Periodic reviews and adjustments to the national CSIRT development roadmap
Keep improving the network of trust with the constituency
Law enforcement
How does the law in your country deal with:
Identity theft
Web defacement
Unauthorised access
Money extortion
How does the law in your country deal with criminal activities by your citizens perpetrated against foreigners?
How does society view people who perpetrate extortion against foreigners?
What evidence is accepted?
How are investigators, prosecutors, judges, etc. trained?
Practical information
Minimum staffing
CERTification: Certified Computer Security Incident Handler (CSIH)
Equipment to have when starting
Equipment better to have later on
Essential reading
Learning what other CSIRTs do: http://first.org/members/teams/
Conclusion
Investigation is only as good as the skills, team, resources and technology available. Prosecution is only as good as the evidence.
Prevention is better than cure: a proactive rather than reactive approach:
Sharing of resources
Partnering
Training and transfer of skills
Educating the public
What are the achievements of the various cybercrime commissions in Africa?
What are the impacts of the various cybercrime-related Acts in Africa?