Day1 Enisa Settingupacsirt 100319035425 Phpapp02

8/17/2019 Day1 Enisa Settingupacsirt 100319035425 Phpapp02 http://slidepdf.com/reader/full/day1-enisa-settingupacsirt-100319035425-phpapp02 1/57

Transcript of Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Page 1: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

INTRODUCTION TO THE CSIRT SETTING UP GUIDE

http://www.enisa.europa.eu/act/cert/support/guide

Page 2: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Agenda

How it all started

What do CERTs do?

How does Incident Response function?

CERT cooperation

ENISA and CERTs

2

Page 3: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Page 4: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

The early days of internet

First idea of an Internet in 1960:

"A network of such [computers], connected to one another by wideband communication lines" which provided "the functions of present-day libraries together with anticipated advances in information storage and retrieval and [other] symbiotic functions." (J.C.R. Licklider)

Beginning of the Internet by the Defense Advanced Research Projects Agency (DARPA) in 1981.

4

Map of the TCP/IP test network in January 1982

Page 5: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Today’s Internet

5

Page 6: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

First incident on the Internet

2 November 1988: the Morris worm

First major outbreak; it spread swiftly around the world

6,000 major UNIX machines were infected (of a total of 60,000 computers connected)

Estimated cost of damage: $10M - $100M

Gene Spafford created a mailing list coordinating the first incident response

6

Page 7: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

The First CERT

After the incident, people realized they needed:

Timely response

A structured and organized approach

Central coordination

This incident in the history of Internet security led directly to the founding of the CERT/CC©

7

Page 8: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Europe and CSIRTs

This model was soon adopted in Europe

1992: SURFnet launched the first CSIRT in Europe, SURFnet-CERT

At present ENISA's inventory of CERT activities in Europe lists over 140 CSIRTs

8

Page 9: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

European CERT activities

9

Page 10: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

CSIRT abbreviations

CERT© / CERT-CC (Computer Emergency Response Team)

CSIRT (Computer Security Incident Response Team)

IRT (Incident Response Team)

CIRT (Computer Incident Response Team)

SERT (Security Emergency Response Team)

Abuse Team (not a CSIRT): a response facility, usually operated by an ISP, that professionally handles "Internet abuse" reports or complaints.

10

Page 11: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

CSIRT definition

CSIRT: a team that responds to computer security incidents, providing the necessary services to solve them or supporting their resolution, and trying to prevent computer security incidents within its constituency or area of responsibility.

Constituency: the customer base of a CSIRT

11

Page 12: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Benefits of having a CSIRT

A dedicated ICT-security team helps to mitigate and prevent major incidents, protecting your organization's valuable assets.

Centralized coordination for ICT-security issues

A specialized organization for handling and responding to ICT incidents

Dedicated support available, assisting in taking the appropriate steps and helping the constituent with quick recovery of the ICT infrastructure

Dealing with legal issues and preserving evidence in the event of a lawsuit

Educating the organization on ICT security

Stimulating cooperation within the constituency on ICT security, preventing possible losses

12

Page 13: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

What kinds of CSIRTs exist

CSIRTs grouped by the sector of their constituency:

National / Governmental Sector

Academic Sector

Commercial

CIP/CIIP Sector

Internal

Military Sector

Small & Medium Enterprises (SME) Sector

Vendor Teams

13

Page 14: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

CSIRT services 1/3

We can distinguish four kinds of services:

1. Reactive services

2. Proactive services

3. Artifact handling

4. Security quality management

14

Page 15: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

CSIRT “Core” Services 2/3

Reactive services
  Alerts and warnings
  Incident handling
    Incident analysis
    Incident response support
    Incident response coordination

Proactive services
  Announcements

15

Page 16: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Page 17: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

CSIRT services 4/4

First questions about services:

1. Understand what a CSIRT is and what benefits it might provide

2. To what sector is the CSIRT delivering its services?

3. Decide on the core services of your CSIRT

4. Start preparing your CSIRT: organizational, staff, legal, contracts, procedures

Deliver the core services according to your standards and agreements

17

Page 18: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Choosing the right approach

1. Define a communication approach to your constituents

2. Define the mission statement

3. Make a realistic implementation/project plan

4. Define your CSIRT services

5. Define the organizational structure

6. Define the information security policy

7. Hire the right staff

8. Utilise your CSIRT office

9. Look for cooperation with other CSIRTs and possible national initiatives

18

Page 19: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Analyzing your Constituency

SWOT analysis

PEST analysis

19

Page 20: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Example SWOT analysis

Result: delivering the following core services:

Alerts and warnings

Incident handling

Announcements

20

Page 21: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Page 22: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Mission statement

It is important to have a mission statement:

For communicating your existence to constituents, and communicating it to your staff

For commercial use, elevator pitches, brochures, ...

Examples:

"<Name of CSIRT> provides information and assistance to its <constituents (define your constituents)> in implementing proactive measures to reduce the risks of computer security incidents as well as responding to such incidents when they occur."

"To offer support to <Constituents> on the prevention of and response to ICT-related security incidents"

22

Page 23: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Developing a business plan

Defining a financial model

  Cost model

  Revenue model
    Use of existing resources
    Membership fee
    Subsidy

23

Page 24: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Costs running a CSIRT

Staff: 24x7 or office hours

Housing: normal secured or high-security facility

Equipment

Hosting facilities

Branding material (corporate style)

Brochures

24

Page 25: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Your organizational structure

A CSIRT organization could define the following roles:

General
  General manager

Staff
  Office manager
  Accountant
  Communication consultant
  Legal consultant

Operational
  Technical team leader
  CSIRT technicians, delivering the CSIRT services
  Researchers

External consultants, hired when needed

25

Page 26: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Independent business model

26


Page 27: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

The embedded model

27


Page 28: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

The Campus model

28


Page 29: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

The voluntary model

A group of specialists that join together in case of emergency.

Loosely organized

Example: WARPs (Warning, Advice and Reporting Points)

29

Page 30: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Hiring the right staff (the hot picks)

Flexible, creative, good team spirit

Strong analytical skills

Ability to explain difficult technical matters in easy wording

Good organizational skills and stress resistance

Technical knowledge (deep specialist knowledge + broad general Internet technology knowledge)

Willingness to work 24x7

Loving the job! ;)

30

Page 31: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Utilization & equipping the office

Hardening the building: see ISO 17799

Maintaining communication channels

Record tracking system(s)

Use the corporate style from the beginning!

Foresee out-of-band communication in case of attacks

Check redundancy of Internet connectivity and of the office in case of emergencies

31

Page 32: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Information security policy

Information handling policy

1. How is incoming information "tagged" or "classified"?

2. How is information handled, especially with regard to exclusivity?

3. What considerations are adopted for the disclosure of information ("when, what?"), especially incident-related information passed on to other teams or to sites?

32

Page 33: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Information security policy

4. Are there legal considerations to take into account with regard to information handling?

5. Do you have a policy on the use of cryptography to protect exclusivity and integrity in archives and/or data communication, especially e-mail?

6. This policy must include possible legal boundary conditions such as key escrow or enforceability of decryption in case of lawsuits.

33

Page 34: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Information Security policy

National
  Laws on information technology
  Laws on data protection and privacy
  Codes of conduct for corporate governance and IT governance

European directives
  Directives on data protection and electronic communication

International
  Basel II, European Convention on Cybercrime

Standards
  BS 7799
  ISO 27001

34

Page 35: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Search for cooperation:

ENISA

National initiatives

TF-CSIRT

WARPs

FIRST

35

Page 36: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Promoting your business plan

[Figure: trends in IT security] It visualizes the trends in IT security, especially the decrease in the skills necessary to carry out increasingly sophisticated attacks.

Another point to mention is the continuously shrinking time window between the availability of software updates for vulnerabilities and the start of attacks against them.

36

Page 37: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Promoting your business plan

Viruses timeline

Time from patch to exploit:
  Nimda: 11 months
  Slammer: 6 months
  Nachi: 5 months
  Blaster: 3 weeks
  Witty: 1 day (!)

Spreading rate:
  Code Red: days
  Nimda: hours
  Slammer: minutes

37

Page 38: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Business plan & Management

What is the problem?

What would you like to achieve with your constituents?

What happens if you do nothing?

What happens if you take action?

What is it going to cost?

What is the gain?

When do you start and when is it finished?

38

Page 39: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Short wrap-up

How is information handled within your organization?

Do you have an information security policy?

Do you know other CSIRTs?

Could you share incidents that can help the promotion of a CSIRT business plan?

Discuss your potential business plan

39

Page 40: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Operational Procedures

Focus on basic services first!

Alerts and warnings

Incident handling

Announcements

40

Page 41: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Information process flow

41

Page 42: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Information process flow

Information sources:

• Vulnerability information

• Incident reports

• Public and closed sources for vulnerability information:

  - Public and closed mailing lists

  - Vendor vulnerability / product information

  - Websites

  - Information on the Internet

  - Public and private partnerships that provide vulnerability information (FIRST, TF-CSIRT, CERT-CC, US-CERT)

42

Page 43: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Information process flow

Identification
  Trustworthy source of information
  Correct information
  • Cross-checked with other sources

Relevance
  Impact on the IT infrastructure of the constituent

Classification of information

Risk assessment & impact analysis
  Impact = Risk x potential damage

43

Page 44: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Information process flow

Risk assessment & impact analysis

44

RISK (each answer scores 1 or 2 points; total 6 to 12)

  Is the vulnerability widely known?          No, limited: 1     Yes, public: 2
  Is the vulnerability widely exploited?      No: 1              Yes: 2
  Is it easy to exploit the vulnerability?    No, hacker: 1      Yes, script kiddie: 2
  Precondition: default configuration?        No, specific: 1    Yes, standard: 2
  Precondition: physical access required?     Yes: 1             No: 2
  Precondition: user account required?        Yes: 1             No: 2

  Risk score: 11-12 High; 8-10 Medium; 6-7 Low

DAMAGE (total 0 to 15)

  Unauthorized access to data    No: 0    Yes, read: 2            Yes, read + write: 4
  DoS                            No: 0    Yes, non-critical: 1    Yes, critical: 5
  Permissions                    No: 0    Yes, user: 4            Yes, root: 6

  Damage score: 6-15 High; 2-5 Medium; 0-1 Low

OVERALL

  High:   Remote root; Local root exploit (attacker has a user account on the machine); Denial of service
          >> Immediate action needed!
  Medium: Remote user exploit; Remote unauthorized access to data; Unauthorized obtaining of data
          >> Action within a week
  Low:    Local unauthorized access to data; Local unauthorized obtaining of user rights; Local user exploit
          >> Include it in the general process

Page 45: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Information process flow

Distribution of information

Website, e-mail, reports, archiving and research

45

Example of an advisory (template):

Title of the advisory: ...
Reference number: ...
Systems affected:
  - ...
  - ...
Related OS + version: ...
Risk (High-Medium-Low): ...
Impact/potential damage (High-Medium-Low): ...
External id's (CVE, vulnerability bulletin id's): ...
Overview of vulnerability: ...
Impact: ...
Solution: ...
Description (details): ...
Appendix: ...

Page 46: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Incident handling process

46

Page 47: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Incident Handling process

1. Receiving incident reports

Email

Phone

Fax

2. Incident Evaluation

Identification

Relevance

Classification

Triage

3. Take action

47

Page 48: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Incident handling process

Actions

Start incident ticket

Essential for solving the incident and communicating

with the involved constituents.

Solve the incident

Preserving any information which may be needed for prosecution takes carefully planned action!

Incident handling report

Archiving

NOTE: Each type of incident calls for different actions!

48
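The actions on this slide (start a ticket, solve the incident, preserve what prosecution may need, report, archive) as a runnable added example. This is not code from the ENISA guide: the ticket fields, the state names and the hash-based custody log are assumptions made for this illustration, and the log lines are constructed sample input.

```python
"""Incident ticket with evidence preservation (added example, not from the ENISA guide).

Models the actions listed on the slide: start a ticket, work the incident,
preserve material that may be needed for prosecution, write the report, archive.
The ticket fields, the state names and the hash-based custody log are assumptions
for this example; they are one common way to do it, not the guide's procedure.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Linear lifecycle: a ticket can only move forward, and archived tickets are read-only.
NEXT_STATE = {"open": "in_progress", "in_progress": "resolved", "resolved": "archived"}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass(frozen=True)
class EvidenceRecord:
    """Immutable custody entry: who collected what, when, and its SHA-256."""
    label: str
    sha256: str
    size: int
    collected_by: str
    collected_at: str


@dataclass
class IncidentTicket:
    ticket_id: str
    constituent: str
    summary: str
    state: str = "open"
    evidence: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def _record(self, entry: str) -> None:
        self.log.append((_now(), entry))

    def preserve(self, label: str, data: bytes, collected_by: str) -> EvidenceRecord:
        """Hash an artifact at collection time, before analysis touches it."""
        if self.state == "archived":
            raise ValueError("archived ticket is read-only")
        rec = EvidenceRecord(label, hashlib.sha256(data).hexdigest(), len(data),
                             collected_by, _now())
        self.evidence.append(rec)
        self._record(f"evidence preserved: {label} sha256={rec.sha256}")
        return rec

    def verify(self, label: str, data: bytes) -> bool:
        """True if a copy presented later still matches the preserved hash."""
        rec = next((r for r in self.evidence if r.label == label), None)
        if rec is None:
            return False
        return hmac.compare_digest(rec.sha256, hashlib.sha256(data).hexdigest())

    def advance(self, actor: str, note: str = "") -> str:
        """Move to the next state; resolving requires the incident handling report."""
        nxt = NEXT_STATE.get(self.state)
        if nxt is None:
            raise ValueError("ticket is already archived")
        if nxt == "resolved" and not note:
            raise ValueError("resolving requires an incident handling report note")
        self.state = nxt
        self._record(f"{actor}: state -> {nxt}" + (f" ({note})" if note else ""))
        return nxt


# Constructed sample artifact: a few web-server log lines, as a constituent might send them.
SAMPLE_LOG = b"\n".join([
    b'203.0.113.7 - - [14/Aug/2006:09:12:01 +0200] "GET /cgi-bin/test.cgi HTTP/1.0" 200 512',
    b'203.0.113.7 - - [14/Aug/2006:09:12:03 +0200] "GET /../../etc/passwd HTTP/1.0" 404 221',
])


def handle_sample_incident() -> IncidentTicket:
    """Walk one ticket through the whole lifecycle on the constructed sample."""
    t = IncidentTicket("INC-2006-0815", "example constituent", "suspicious web requests")
    t.preserve("access.log excerpt", SAMPLE_LOG, collected_by="csirt-duty")
    t.advance("csirt-duty")                                   # open -> in_progress
    t.advance("csirt-duty", note="blocked source, host patched, report filed")
    t.advance("csirt-duty")                                   # resolved -> archived
    return t


if __name__ == "__main__":
    ticket = handle_sample_incident()
    print(ticket.state, ticket.verify("access.log excerpt", SAMPLE_LOG))
    for stamp, entry in ticket.log:
        print(stamp, entry)
```

The point of hashing at `preserve()` time is that a later copy of the artifact (handed to a constituent, a lawyer or another team) can be checked against the hash recorded before anyone analysed it; the timestamped log doubles as the custody trail the report can cite.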

Page 49: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Wrap-up

1. Understanding what a CSIRT is

2. What sector do you deliver your services to?

3. What kinds of services can a CSIRT provide to its constituents?
   - Analysis of the environment and constituents
   - Defining the mission statement

4. Defining your goals
   - Defining your cost model
   - Defining the organizational model
   - Starting to hire your staff
   - Utilizing your office
   - Defining the needed security policy
   - Looking for cooperation partners

5. Dealing with matters of project management
   - Have the business case approved
   - Fit everything into a project plan

6. Making the CSIRT operational
   - Creating workflows
   - Implementing CSIRT tooling

The next step is: training your staff

49


Page 50: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Workflow 2nd example

Producing an advisory

50

Bulletin identifier: Microsoft Security Bulletin MS06-042

Bulletin title: Cumulative Security Update for Internet Explorer (918899)

Executive summary: This update resolves several vulnerabilities in Internet Explorer that could allow remote code execution.

Maximum severity rating: Critical

Impact of vulnerability: Remote Code Execution

Affected software: Windows, Internet Explorer. For more information, see the Affected Software and Download Locations section.


Page 51: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Collecting vulnerability information

Verify the authenticity on the vendor website

Gather more details on:
  The vulnerability
  Affected systems

51

Workflow 2nd example


Page 52: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Evaluate information

Assess the risk

52

RISK
  Is the vulnerability well known?             Y
  Is the vulnerability widespread?             Y
  Is it easy to exploit the vulnerability?     Y
  Is it a remotely exploitable vulnerability?  Y

Damage
  Remote accessibility and chance of remote code execution. This vulnerability contains multiple issues which make the damage risk HIGH.

Workflow 2nd example

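The scoring matrix from the "Risk assessment & impact analysis" slide (page 44) and its application to MS06-042 on this slide, as a runnable added example. This is not code from the ENISA guide; the point values, the score bands and the overall classes are transcribed from the slide, while the way the overall class is derived from the answers (root or critical DoS is High, remote user/data exploits are Medium, local ones are Low) is this example's reading of the slide's case list. For MS06-042 the slide answers only "well known / widespread / easy / remote" with Y; the remaining answers below (default configuration, no physical access or account needed, read+write data access, root) are assumptions, as is the second, constructed contrast case.

```python
"""Risk / damage scoring matrix from the ENISA CSIRT setting-up guide slides.

Added example, not code from the ENISA guide. Point values and bands are the ones
printed on the slide. MS06-042 answers beyond the four "Y" on the slide, and the
second case, are assumptions made for this example.
"""
from dataclasses import dataclass

# Damage columns, transcribed from the slide.
DATA_ACCESS_POINTS = {"none": 0, "read": 2, "read_write": 4}
DOS_POINTS = {"none": 0, "non_critical": 1, "critical": 5}
PERMISSION_POINTS = {"none": 0, "user": 4, "root": 6}

# Overall class -> recommended action, as on the slide.
ACTIONS = {
    "High": "Immediate action needed!",
    "Medium": "Action within a week",
    "Low": "Include it in the general process",
}


@dataclass(frozen=True)
class Assessment:
    """Answers to the six risk questions and the three damage questions."""
    widely_known: bool              # public (2) vs. limited (1)
    widely_exploited: bool          # yes (2) vs. no (1)
    easy_to_exploit: bool           # script kiddie (2) vs. skilled hacker (1)
    default_config: bool            # standard configuration affected (2) vs. specific (1)
    physical_access_required: bool  # yes (1) vs. no (2)
    account_required: bool          # yes (1) vs. no (2)
    data_access: str                # "none" | "read" | "read_write"
    dos: str                        # "none" | "non_critical" | "critical"
    permissions: str                # "none" | "user" | "root"
    remote: bool                    # remotely exploitable (vs. local)


def risk_score(a: Assessment) -> int:
    """Sum of the six risk answers; each is worth 1 or 2 points (range 6..12)."""
    two_point_answers = (
        a.widely_known,
        a.widely_exploited,
        a.easy_to_exploit,
        a.default_config,
        not a.physical_access_required,   # "No" physical access needed scores 2
        not a.account_required,           # "No" account needed scores 2
    )
    return sum(2 if yes else 1 for yes in two_point_answers)


def risk_band(score: int) -> str:
    """11-12 High, 8-10 Medium, 6-7 Low."""
    if score >= 11:
        return "High"
    return "Medium" if score >= 8 else "Low"


def damage_score(a: Assessment) -> int:
    return (DATA_ACCESS_POINTS[a.data_access] + DOS_POINTS[a.dos]
            + PERMISSION_POINTS[a.permissions])


def damage_band(score: int) -> str:
    """6-15 High, 2-5 Medium, 0-1 Low."""
    if score >= 6:
        return "High"
    return "Medium" if score >= 2 else "Low"


def overall_class(a: Assessment) -> str:
    """Overall class from the slide's case list (this example's reading of it)."""
    if a.permissions == "root" or a.dos == "critical":
        return "High"                      # remote root, local root, denial of service
    gains_something = a.permissions == "user" or a.data_access != "none"
    if a.remote and gains_something:
        return "Medium"                    # remote user exploit, remote access to data
    return "Low"                           # local user exploit, local access to data


def evaluate(a: Assessment) -> dict:
    r, d = risk_score(a), damage_score(a)
    overall = overall_class(a)
    return {"risk_score": r, "risk": risk_band(r),
            "damage_score": d, "damage": damage_band(d),
            "overall": overall, "action": ACTIONS[overall]}


# MS06-042 as assessed on the slide; answers the slide does not give are assumptions.
MS06_042 = Assessment(
    widely_known=True, widely_exploited=True, easy_to_exploit=True,
    default_config=True, physical_access_required=False, account_required=False,
    data_access="read_write", dos="none", permissions="root", remote=True,
)

# Constructed contrast case: a little-known local privilege gain that needs an account.
LOCAL_USER_BUG = Assessment(
    widely_known=False, widely_exploited=False, easy_to_exploit=False,
    default_config=True, physical_access_required=False, account_required=True,
    data_access="read", dos="none", permissions="user", remote=False,
)

if __name__ == "__main__":
    for name, case in (("MS06-042", MS06_042), ("local user bug", LOCAL_USER_BUG)):
        print(name, evaluate(case))
```

The contrast case is there to show why the slide keeps three separate outputs: the local bug scores Medium on risk and High on damage, yet the overall class that drives the response deadline is Low, because it is a local user exploit.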

Page 53: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Distribution of information

53

 

Title of advisory: Multiple vulnerabilities found in Internet Explorer

Reference number: 082006-1

Systems affected: 1. All desktop systems that run Microsoft

Related OS + version:
  Microsoft Windows 2000 Service Pack 4
  Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
  Microsoft Windows XP Professional x64 Edition
  Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  Microsoft Windows Server 2003 x64 Edition

Risk (High-Medium-Low): HIGH

Impact/potential damage (High-Medium-Low): HIGH

External id's (CVE, vulnerability bulletin id's): MS06-042

Overview of vulnerability: Microsoft has found several critical vulnerabilities in Internet Explorer which can lead to remote code execution.

Impact: An attacker could take complete control over the system, installing programs, adding users and viewing, changing or deleting data. A mitigating factor is that the above can only take place if the user is logged in with administrator rights. Users logged on with fewer rights could be less impacted.

Solution: Patch your IE immediately

Description (details): See ms06-042.mspx for more information

Appendix: See ms06-042.mspx for more information

Workflow 2nd example

Page 54: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

ENISA and CSIRTs

Mission

Promote and facilitate good practice in setting-up and running of

CSIRTs / WARPs / Abuse Teams / etc.

Encourage cooperation between different actors

Develop relations to the various CERT/CSIRT communities

Support their activities

Run a Working-Group with external experts

Page 55: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

How does ENISA support the CSIRT community? Promote best practice!

2005: Stocktaking

2006: Setting up & Cooperation

2007: Support Operation; Quality Assurance

2008: CERT Exercises

2009: CERT Baseline Capabilities Document

2009: CERT Exercises Report

[...]


Page 56: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

http://www.enisa.europa.eu/act/cert

Stay in touch with ENISA!

Page 57: Day1 Enisa Settingupacsirt 100319035425 Phpapp02

Contact:

Andrea DUFKOVA

Section for Computer Security and Incident Response, ENISA


THANK YOU!