Transcript Document

CREATING AND MANAGING CERT
Internet: Wonderful and Terrible
“The wonderful thing about the Internet is that you’re connected to everyone else.
The terrible thing about the Internet is that you’re connected to everyone else.”
Vint Cerf
Introduction
• Keeping organizational information assets secure in today's interconnected computing environment is a true challenge that becomes more difficult with each new "e" product and each new intruder tool.
Introduction
• Most organizations realize that there is no one solution or panacea for securing systems and data; instead, a multi-layered security strategy is required.
• One of the layers that many organizations are including in their strategy today is the creation of a Computer Security Incident Response Team, generally called a CSIRT.
Motivation
• Motivators driving the establishment of a CERT:
– A general increase in the number of computer security incidents being reported.
– Organizations recognizing the need for security policies and practices as part of their overall risk-management strategies.
– New laws and regulations.
– System and network administrators alone cannot protect organizational systems and assets.
– A prepared plan and strategy are required.
What is a CERT?
• An organization or team that provides, to a defined constituency, services and support for both preventing and responding to computer security incidents.
Process versus Technology
• Incident handling is not just the application of technology to resolve computer security events.
– It is the development of a plan of action.
– It is the establishment of processes for:
• Notification and communication
• Collaboration and coordination
• Analysis and response
Benefits of CERT
• Reactive:
– Focused response effort.
– More rapid and standardized response.
– Stable cadre of staff with incident handling expertise, combined with functional business knowledge.
– Coordination with others in the security community.
Benefits of CERT
• Proactive:
– Enabler of organizational business goals.
– Value-added services to business processes.
– Input into the product development cycle or network operations.
– Assistance in performing vulnerability assessments and development of security policies.
What Does a CERT Do?
• In general, a CERT:
– Provides a single point of contact for reporting local problems.
– Assists the organizational constituency and general computing community in preventing and handling computer security incidents.
– Shares information and lessons learned with other response teams and other appropriate organizations and sites.
General Categories of CERT
• Internal CERT
– Educational
– Governmental
– Commercial
• Coordination Centers
– Country
– State
– Region
• Analysis Centers
• Vendor
• Incident response provider
Stages of CERT Development
• Stage 1: Educating the organization
• Stage 2: Planning effort
• Stage 3: Initial implementation
• Stage 4: Operational phase
• Stage 5: Peer collaboration
Creating an Effective CERT
• To be effective, a CERT requires four basic elements:
– An operational framework
– A service and policy framework
– A quality assurance framework
– The capability to adapt to a changing environment and changing threat profiles
Implementation Recommendations
• Get management buy-in and organizational consensus.
• Match goals to parent or constituent organizational policies and business goals.
• Select a CERT development project team.
• Communicate throughout the process.
• Start small and grow.
• Use what exists, if appropriate. (Re-use is good.)
Implementation Steps
• Get approval and support from management
• Identify who will need to be involved
• Have an announcement sent out by management
• Select a project team
• Collect information
– Research what other organizations are doing
– Identify existing processes and workflows
– Interview key stakeholders and participants
Implementation Steps
• With input from stakeholders, determine:
– CERT mission
– CERT range and levels of service
– CERT reporting structure, authority and organizational model
– Identify interactions with key parts of the constituency
– Define roles and responsibilities for interactions
– Create a plan based on the vision or framework
• Obtain feedback on the plan
• Build the CERT
• Announce the CERT
• Get feedback
Common Problems
• Failure to:
– Include all involved parties
– Achieve consensus
– Develop an overall vision and framework
– Outline and document policies and procedures
• Organizational battles
• Taking on too many services
• Unrealistic expectations or perceptions
• Lack of time, staff, and funding
Think Big
Start Small
Scale Fast
!!!!!!!!!!!!