Day1 Enisa Settingupacsirt 100319035425 Phpapp02
Transcript of Day1 Enisa Settingupacsirt 100319035425 Phpapp02
8/17/2019 Day1 Enisa Settingupacsirt 100319035425 Phpapp02
http://slidepdf.com/reader/full/day1-enisa-settingupacsirt-100319035425-phpapp02 1/57
INTRODUCTION TO THE CSIRT SETTING UP GUIDE
http://www.enisa.europa.eu/act/cert/support/guide
Agenda
How it all started
What do CERTs do?
How Incident Response functions
CERT cooperation
ENISA and CERTs
The early days of the Internet
First idea of an Internet in 1960:
"A network of such [computers], connected to one another by wideband communication lines" which provided "the functions of present-day libraries together with anticipated advances in information storage and retrieval and [other] symbiotic functions." (J.C.R. Licklider)
Beginning of the Internet by the Defense Advanced Research Projects Agency (DARPA) in 1981.
Map of the TCP/IP test network in January 1982
Today’s Internet
First incident on the Internet
2 November 1988: the Morris worm
First major outbreak; it spread swiftly around the world
6,000 major UNIX machines were infected (of a total of 60,000 computers connected)
Estimated cost of damage: $10M to $100M
Gene Spafford created a mailing list coordinating the first incident response
The First CERT
After the incident, people realized they needed:
Timely response
A structured and organized approach
Central coordination
This incident in the history of Internet security led directly to the founding of the CERT/CC
Europe and CSIRTs
This model was soon adopted in Europe
1992: SURFnet launched the first CSIRT in Europe, SURFnet-CERT
At present ENISA's inventory of CERT activities in Europe lists over 140 CSIRTs
European CERT activities
CSIRT abbreviations
CERT / CERT-CC (Computer Emergency Response Team)
CSIRT (Computer Security Incident Response Team)
IRT (Incident Response Team)
CIRT (Computer Incident Response Team)
SERT (Security Emergency Response Team)
Abuse Team (not a CSIRT)
A response facility, usually operated by an ISP, that professionally handles "Internet abuse" reports or complaints.
CSIRT definition
CSIRT: A team that responds to computer security incidents, providing the services necessary to solve them or supporting their resolution, and working to prevent computer security incidents within its constituency or area of responsibility.
Constituency: the customer base of a CSIRT
Benefits of having a CSIRT
A dedicated ICT security team helps to mitigate and prevent major incidents, protecting your organization's valuable assets.
Centralized coordination for ICT security issues
A specialized organization for handling and responding to ICT incidents
Dedicated support available, assisting in taking the appropriate steps and helping the constituent recover the ICT infrastructure quickly
Dealing with legal issues and preserving evidence in the event of a lawsuit
Educating the organization on ICT security
Stimulating cooperation within the constituency on ICT security, preventing possible losses
What kinds of CSIRTs exist
CSIRTs by constituency sector:
National / Governmental sector
Academic sector
Commercial
CIP/CIIP sector
Internal
Military sector
Small & Medium Enterprises (SME) sector
Vendor teams
…
CSIRT services 1/3
We can distinguish 4 kinds of services:
1. Reactive services
2. Proactive services
3. Artifact handling
4. Security quality management
CSIRT "Core" Services 2/3
Reactive services:
• Alerts and Warnings
• Incident Handling
  - Incident analysis
  - Incident response support
  - Incident response coordination
Proactive services:
• Announcements
CSIRT services 4/4
First questions about services:
1. Understand what a CSIRT is and what benefits it might provide
2. To what sector is the CSIRT delivering its services?
3. Decide on the core services of your CSIRT
4. Start preparing your CSIRT: organizational, staff, legal, contracts, procedures
Deliver the core services according to your standards and agreements
Choosing the right approach
1. Define a communication approach to your constituents
2. Define the mission statement
3. Make a realistic implementation/project plan
4. Define your CSIRT services
5. Define the organizational structure
6. Define the information security policy
7. Hire the right staff
8. Utilise your CSIRT office
9. Look for cooperation with other CSIRTs and possible national initiatives
Analyzing your constituency
SWOT analysis
PEST analysis
Example SWOT analysis
Results in delivering the following core services:
Alerts and Warnings
Incident handling
Announcements
Mission statement
It is important to have a mission statement:
In communicating your existence to constituents
In communicating it to your staff
For commercial use, elevator pitches, brochures, …
Examples:
"<Name of CSIRT> provides information and assistance to its <constituents (define your constituents)> in implementing proactive measures to reduce the risks of computer security incidents as well as responding to such incidents when they occur."
"To offer support to <Constituents> on the prevention of and response to ICT-related security incidents"
Developing a business plan
Defining a financial model
Cost model
Revenue model:
- Use of existing resources
- Membership fee
- Subsidy
Costs of running a CSIRT
Staff: 24x7 or office hours
Housing: normal secured or high-security facility
Equipment
Hosting facilities
Branding material (corporate style)
Brochures
Your organizational structure
A CSIRT organization could define the following roles:
General: General manager
Staff: Office manager, Accountant, Communication consultant, Legal consultant
Operational: Technical team (Technical team leader; CSIRT technicians, delivering the CSIRT services; Researchers)
External consultants: hired when needed
Independent business model
The embedded model
The Campus model
The voluntary model
A group of people (specialists) who join together in case of emergency.
Loosely coupled
Example: WARPs
Hiring the right staff (the hot picks)
Flexible, creative, good team spirit
Strong analytical skills
Ability to explain difficult technical matters in simple wording
Good organizational skills and resilience under stress
Technical knowledge (deep specialist knowledge plus broad general Internet technology knowledge)
Willingness to work 24x7
Loving to do the job! ;)
Utilization & equipping the office
Hardening the building (see ISO 17799)
Maintaining communication channels
Record tracking system(s)
Use the corporate style from the beginning!
Foresee out-of-band communication in case of attacks
Check redundancy of Internet connectivity and office space in case of emergencies
Information security policy
Information handling policy
1. How is incoming information "tagged" or "classified"?
2. How is information handled, especially with regard to exclusivity?
3. What considerations are adopted for the disclosure of information ("when, what?"), especially incident-related information passed on to other teams or to sites?
Information security policy
4. Are there legal considerations to take into account with regard to information handling?
5. Do you have a policy on the use of cryptography to protect exclusivity and integrity in archives and/or data communication, especially e-mail?
6. This policy must include possible legal boundary conditions such as key escrow or enforceability of decryption in case of lawsuits.
Information security policy
National:
- Laws on information technology
- Laws on data protection and privacy
- Codes of conduct for corporate governance and IT governance
European directives:
- Directives on data protection and electronic communication
International:
- Basel II, European Convention on Cybercrime
Standards:
- BS 7799
- ISO 27001
Search for cooperation
ENISA
National initiatives
TF-CSIRT
WARPs
FIRST
Promoting your business plan
The figure visualizes the trends in IT security, especially the decrease in the skills necessary to carry out increasingly sophisticated attacks.
Another point to mention is the continuously shrinking time window between the availability of software updates for vulnerabilities and the start of attacks against them.
Promoting your business plan
Viruses: time from patch to exploit
- Nimda: 11 months
- Slammer: 6 months
- Nachi: 5 months
- Blaster: 3 weeks
- Witty: 1 day (!)
Timeline: spreading rate
- Code Red: days
- Nimda: hours
- Slammer: minutes
Business plan & management
What is the problem?
What would you like to achieve with your constituents?
What happens if you do nothing?
What happens if you take action?
What is it going to cost?
What is there to gain?
When do you start and when is it finished?
Short wrap-up
How is information handled within your organization?
Do you have an information security policy?
Do you know other CSIRTs?
Could you share incidents that can help the promotion of a CSIRT business plan?
Discuss your potential business plan
Operational Procedures
Focus on basic services first!
Alerts and Warnings
Incident handling
Announcements
Information process flow
Information process flow
Information sources:
• Vulnerability information
• Incident reports
• Public and closed sources for vulnerability information:
  - Public and closed mailing lists
  - Vendor vulnerability product information
  - Websites
  - Information on the Internet
  - Public and private partnerships that provide vulnerability information (FIRST, TF-CSIRT, CERT-CC, US-CERT)
Information process flow
Identification:
- Trustworthy source of information
- Correct information, cross-checked with other sources
Relevance:
- Impact on the IT infrastructure of the constituent
Classification of information:
- Risk assessment & impact analysis
- Impact = Risk x potential damage
Information process flow
Risk assessment & impact analysis

RISK (each question scores 1 or 2; total 6 to 12)
  Is the vulnerability widely known?         No, limited 1   | Yes, public 2
  Is the vulnerability widely exploited?     No 1            | Yes 2
  Is it easy to exploit the vulnerability?   No, hacker 1    | Yes, script kiddie 2
  Precondition: default configuration?       No, specific 1  | Yes, standard 2
  Precondition: physical access required?    Yes 1           | No 2
  Precondition: user account required?       Yes 1           | No 2
  Risk score: 11-12 High; 8-10 Medium; 6-7 Low

DAMAGE (total 0 to 15)
  Unauthorized access to data   No 0 | Yes, read 2          | Yes, read + write 4
  DoS                           No 0 | Yes, non-critical 1  | Yes, critical 5
  Permissions                   No 0 | Yes, user 4          | Yes, root 6
  Damage score: 6 through 15 High; 2 through 5 Medium; 0-1 Low

OVERALL
  High (immediate action needed): Remote root; Local root exploit (attacker has a user account on the machine); Denial of Service
  Medium (action within a week): Remote user exploit; Remote unauthorized access to data; Unauthorized obtaining data; Local unauthorized access to data
  Low (include it in the general process): Local unauthorized obtaining user-rights; Local user exploit
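The matrix above is a scoring procedure, so here it is as a small Python module. This is an added example, not code from the ENISA guide: the point values, the band thresholds and the overall exploit-type classes are transcribed from the slide; the function and key names are mine. The worked input is the MS06-042 case used later in the second workflow example; the slide answers "yes" to known, widespread, easy and remote, and the two remaining risk answers (default configuration affected, no account needed) are my assumption.

```python
"""Scoring helpers for the CSIRT risk / damage matrix (added example, not ENISA code)."""
from dataclasses import dataclass

# RISK: six yes/no questions. True = the riskier answer (2 points), False = safer (1).
# Question wording follows the slide; the key names are mine.
RISK_QUESTIONS = (
    "widely_known",        # public (2) vs. limited (1)
    "widely_exploited",    # exploited in the wild (2) vs. not (1)
    "easy_to_exploit",     # script kiddie (2) vs. skilled hacker (1)
    "default_config",      # standard configuration affected (2) vs. specific setup (1)
    "no_physical_access",  # no physical access needed (2) vs. required (1)
    "no_account_needed",   # no user account needed (2) vs. required (1)
)


def risk_score(answers):
    """Sum of the six risk questions: 6 (all safe) to 12 (all risky)."""
    missing = [q for q in RISK_QUESTIONS if q not in answers]
    if missing:
        raise ValueError(f"unanswered risk questions: {missing}")
    return sum(2 if answers[q] else 1 for q in RISK_QUESTIONS)


def risk_band(score):
    """Slide thresholds: 11-12 High, 8-10 Medium, 6-7 Low."""
    if not 6 <= score <= 12:
        raise ValueError(f"risk score {score} outside 6..12")
    return "High" if score >= 11 else "Medium" if score >= 8 else "Low"


# DAMAGE: three dimensions with the slide's fixed point values, total 0..15.
DATA_ACCESS = {"none": 0, "read": 2, "read+write": 4}
DOS = {"none": 0, "non-critical": 1, "critical": 5}
PERMISSIONS = {"none": 0, "user": 4, "root": 6}


def damage_score(data_access, dos, permissions):
    """Sum of the three damage dimensions; KeyError on an unknown answer."""
    return DATA_ACCESS[data_access] + DOS[dos] + PERMISSIONS[permissions]


def damage_band(score):
    """Slide thresholds: 6 through 15 High, 2 through 5 Medium, 0-1 Low."""
    if not 0 <= score <= 15:
        raise ValueError(f"damage score {score} outside 0..15")
    return "High" if score >= 6 else "Medium" if score >= 2 else "Low"


# OVERALL: the slide's exploit-type classes and the action each one prescribes.
OVERALL = {
    "remote root":                              ("High",   "immediate action needed"),
    "local root exploit":                       ("High",   "immediate action needed"),
    "denial of service":                        ("High",   "immediate action needed"),
    "remote user exploit":                      ("Medium", "action within a week"),
    "remote unauthorized access to data":       ("Medium", "action within a week"),
    "unauthorized obtaining data":              ("Medium", "action within a week"),
    "local unauthorized access to data":        ("Medium", "action within a week"),
    "local unauthorized obtaining user-rights": ("Low",    "include in general process"),
    "local user exploit":                       ("Low",    "include in general process"),
}


@dataclass(frozen=True)
class Assessment:
    risk: int
    risk_band: str
    damage: int
    damage_band: str
    overall: str
    action: str


def assess(risk_answers, data_access, dos, permissions, exploit_type):
    """Produce the Risk / Impact values that go into an advisory."""
    r = risk_score(risk_answers)
    d = damage_score(data_access, dos, permissions)
    overall, action = OVERALL[exploit_type.lower()]
    return Assessment(r, risk_band(r), d, damage_band(d), overall, action)


# Worked input: the MS06-042 case from the second workflow example. The slide answers
# yes to known / widespread / easy / remote; "default_config" and "no_account_needed"
# are my assumption (IE is affected in its default setup, the victim only browses).
MS06_042_RISK = {
    "widely_known": True, "widely_exploited": True, "easy_to_exploit": True,
    "default_config": True, "no_physical_access": True, "no_account_needed": True,
}

if __name__ == "__main__":
    # Remote code execution as the logged-in (administrator) user = remote root.
    print(assess(MS06_042_RISK, "read+write", "none", "root", "remote root"))
    # Assessment(risk=12, risk_band='High', damage=10, damage_band='High',
    #            overall='High', action='immediate action needed')
```

The two scores are kept separate rather than multiplied: the slide states Impact = Risk x potential damage but gives no numeric threshold for the product, so the overall priority is looked up from its exploit-type table instead. Unanswered risk questions raise an error rather than silently scoring as "safe", which is the failure mode you want to avoid in a triage tool.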
Information process flow
Distribution of information:
Website, Email, Reports, Archiving and research

Example of an Advisory (template)
Title of the advisory: …
Reference number: …
Systems affected:
- …
- …
Related OS + version: …
Risk (High-Medium-Low): …
Impact/potential damage (High-Medium-Low): …
External id's (CVE, vulnerability bulletin id's): …
Overview of vulnerability: …
Impact: …
Solution: …
Description (details): …
Appendix: …
Incident handling process
Incident Handling process
1. Receiving incident reports
   Phone
   Fax
2. Incident evaluation
   Identification
   Relevance
   Classification
   Triage
3. Take action
Incident handling process
Actions:
Start incident ticket: essential for solving the incident and communicating with the involved constituents.
Solve the incident: preserving any information that may be needed for prosecution requires carefully planned action!
Incident handling report
Archiving
NOTE: Each type of incident calls for different actions!
Wrap-up
1. Understanding what a CSIRT is.
2. What sector do you deliver your services to?
3. What kinds of services can a CSIRT provide to its constituents?
- Analysis of the environment and constituents
- Defining the mission statement
4. Defining your goals
- Defining your cost model
- Defining the organizational model
- Starting to hire your staff
- Utilizing your office
- Defining the needed security policy
- Looking for cooperation partners
5. Dealing with matters of project management
- Have the business case approved
- Fit everything into a project plan
6. Making the CSIRT operational
- Creating workflows
- Implementing CSIRT tooling
The next step is: training your staff
Workflow 2nd example
Producing an advisory
Bulletin Identifier: Microsoft Security Bulletin MS06-042
Bulletin Title: Cumulative Security Update for Internet Explorer (918899)
Executive Summary: This update resolves several vulnerabilities in Internet Explorer that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Windows, Internet Explorer. For more information, see the Affected Software and Download Locations section.
Workflow 2nd example
Collecting vulnerability information
Verify the authenticity on the vendor website
Gather more details on:
- The vulnerability
- Affected systems
Workflow 2nd example
Evaluate information
Assess the risk
RISK
Is the vulnerability well known? Y
Is the vulnerability widespread? Y
Is it easy to exploit the vulnerability? Y
Is it a remotely exploitable vulnerability? Y
Damage
Remote accessibility and chance of remote code execution. This vulnerability contains multiple issues, which make the damage risk HIGH.
Workflow 2nd example
Distribution of information
Title of advisory: Multiple vulnerabilities found in Internet Explorer
Reference number: 082006-1
Systems affected: 1. All desktop systems that run Microsoft
Related OS + version:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Microsoft Windows Server 2003 x64 Edition
Risk (High-Medium-Low): HIGH
Impact/potential damage (High-Medium-Low): HIGH
External id's (CVE, vulnerability bulletin id's): MS06-042
Overview of vulnerability: Microsoft has found several critical vulnerabilities in Internet Explorer which can lead to remote code execution.
Impact: An attacker could take complete control of the system, installing programs, adding users, and viewing, changing or deleting data. Mitigating factor: the above can only take place if the user is logged in with administrator rights. Users logged on with fewer rights could be less impacted.
Solution: Patch your IE immediately
Description (details): See for more information ms06-042.mspx
Appendix: See for more information ms06-042.mspx
ENISA and CSIRTs
Mission:
Promote and facilitate good practice in setting up and running CSIRTs / WARPs / Abuse Teams / etc.
Encourage cooperation between different actors
Develop relations with the various CERT/CSIRT communities
Support their activities
Run a working group with external experts
How does ENISA support the CSIRT community? Promote best practice!
2005: Stocktaking
2006: Setting up & Cooperation
2007: Support Operation; Quality Assurance
2008: CERT Exercises
2009: CERT Baseline Capabilities Document
[…]
2009: CERT Exercises Report
http://www.enisa.europa.eu/act/cert
Stay in touch with ENISA!
Contact:
Andrea DUFKOVA
Section for Computer Security and Incident Response, ENISA
THANK YOU!