
CREATING AND MANAGING CERT


Internet Wonderful and Terrible

“The wonderful thing about the Internet is that you’re connected to everyone else. The terrible thing about the Internet is that you’re connected to everyone else.” Vint Cerf


Introduction

• Keeping organizational information assets secure in today's interconnected computing environment is a true challenge that becomes more difficult with each new "e" product and each new intruder tool.


Introduction

• Most organizations realize that there is no one solution or panacea for securing systems and data; instead, a multi-layered security strategy is required.

• One of the layers that many organizations are including in their strategy today is the creation of a Computer Security Incident Response Team, generally called a CSIRT.


Motivation

• Motivators driving the establishment of CERT:
  – A general increase in the number of computer security incidents being reported.
  – Organizations on the need for security policies and practices as part of their overall risk-management strategies.
  – New laws and regulations.
  – System and network administrators alone cannot protect organizational systems and assets
  – Prepared plan and strategy is required


What is a CERT?

• An organization or team that provides, to a defined constituency, services and support for both preventing and responding to computer security incidents.


Process versus Technology

• Incident handling is not just the application of technology to resolve computer security events
  – It is the development of a plan of action.
  – It is the establishment of processes for
    • Notification and communication
    • Collaboration and coordination
    • Analysis and response


Benefits of CERT

• Reactive
  – Focused response effort
  – More rapid and standardized response
  – Stable cadre of staff with incident handling expertise, combined with functional business knowledge.
  – Coordination with others in security community.


Benefits of CERT

• Proactive:
  – Enabler of organizational business goals.
  – Value-added services to business processes.
  – Input into product development cycle or network operations.
  – Assistance in performing vulnerability assessments and development of security policies.


What Does a CERT Do?

• In general CERT
  – Provides a single point of contact for reporting local problems
  – Assists the organizational constituency and general computing community in preventing and handling computer security incidents
  – Shares information and lessons learned with other response teams and other appropriate organizations and sites


General Categories of CERT

• Internal CERT
  – Educational
  – Governmental
  – Commercial
• Coordination Centers
  – Country
  – State
  – Region
• Analysis Centers
• Vendor
• Incident response provider


Stages of CERT Development

• Stage 1 Educating the organization
• Stage 2 Planning effort
• Stage 3 Initial implementation
• Stage 4 Operational phase
• Stage 5 Peer collaboration


Creating an Effective CERT

• To be effective, a CERT requires four basic elements
  – An operational framework
  – A service and policy framework
  – A quality assurance framework
  – The capability to adapt to a changing environment and changing threat profiles


Implementation Recommendations

• Get Management buy-in and organizational consensus

• Match goals to parent or constituent organizational policies and business goals

• Select CERT development project team.

• Communicate throughout the process

• Start small and grow

• Use what exists, if appropriate. (Re-use is good.)


Implementation Steps:

• Get approval and support from management
• Identify who will need to be involved
• Have an announcement sent out by management
• Select a project team
• Collect information
  – Research what other organizations are doing
  – Identify existing processes and workflows
  – Interview key stakeholders and participants


Implementation Steps

• With input from stakeholders determine
  – CERT mission
• CERT range and levels of service
• CERT reporting structure, authority and organizational model
• Identify interactions with key parts of the constituency
• Define roles and responsibilities for interactions
  – Create a plan based on the vision or framework.
  – Obtain feedback on the plan
  – Build CERT
  – Announce CERT
  – Get feedback


Common Problems

• Failure to
  – Include all involved parties
  – Achieve consensus
  – Develop an overall vision and framework
  – Outline and document policies and procedures
• Organizational battles
• Taking on too many services
• Unrealistic expectations or perceptions
• Lack of time, staff, and funding


Think Big

Start Small

Scale Fast!!!!!!!!!!!!
