Training for CSIRT staff - TERENA
(C) 2000 BT plc
Training for CSIRT staff
Andrew Cormack, Jacques Schuurman, Claudia Natanson, Wilfried Woeber, Gareth Price
TF-CSIRT
CSIRT staff are different
Not just sysadmins
Not just network techies
Though we take both of those for granted
    Or learn them elsewhere
Filling in the gaps is important
Target Audience
Members of new teams
New members of existing teams
Assumed already to know how the Internet works
    Course teaches how it breaks
Based in Europe
    CERT-CC series of 3 & 4 day courses in USA
Course Objectives
Students should learn
    Tasks involved in operating a CSIRT
    Skills needed by CSIRT staff
    Tools and techniques of incident response
    Need for links with other organisations
Course Modules
Legal Issues
Organisational Issues
Technical Issues
Market Issues
Operational Issues
Systems Issues
Legal Issues
Rules & laws
Harmonisation
Jurisdiction
Powers of investigation
Contacts with law enforcement
Access to and use of restricted tools
Organisational Issues
Your ISP
Your constituency
Assets and risks
Risk management
Security policy templates
    For your customers
    For your team
RFC2350
Public functions
Press contacts
Sister organisations
FIRST etc.
Staffing issues
Technical Issues
Operating Systems
    About the OS
    Network stacks
    Vulnerabilities & back doors
    Integrity
Forensics & Data mining
Networks
    IP/ICMP
    TCP/UDP
    Higher level protocols
    Masquerading & hijacking
Encryption
Certificates & PKI
Market Issues
Vendors
Commercial teams
Security bulletins
Undisclosed vulnerabilities
Other sources of information
Operational Issues
An operational framework
Incident response
    Reporting templates
    Tracking & Bookkeeping
    Taxonomy
Management reports
Other activities
Trust brokers
Finding contacts
Other (reliable) sources of information
Systems Issues
Recovery
Monitor
Audit
Other activities
Back To Basics
e-mail address and telephone number
operating hours (9 to 5, 24 x 7 x 365)
publicity for these three items
guidance on what to do
somewhere for them to work
people to react to messages
a customer
Building
Access levels and hours of access
Access Control Locks
Alarm - intrusion, fire
Guard - access control and visitor management
Cameras
Power
Office
Lock
Alarm
Camera
Secured area
Separate area for servers, backups, forensic, secure store
Furniture
Locks - key, code or combination
Desks, workbenches, racking
Pedestals
Filing Cabinets
Security tethers for expensive hardware
Welfare
Heating - working hours
Lighting - DSE
Health and Safety - arriving, working and leaving
Catering - canteen or machines
Cleaning - monitored or clear desk
E-mail - access, using mail, using PGP
Multi-user access, audit
Connected to local network or standalone Internet connected
Telephone Number
Free or paid
Automatic Call Diversion
PBX, DEL backup
answer phone, divert
incoming and outgoing on separate lines
handsfree, wirefree, mobile
Reporting Templates
Paper for faxing or snail-mailing
Scripts/Forms for telephone calls
E-mail
Web-based - to e-mail
Web-based - direct into database
Work Management
Off the shelf or custom
Get as much automation as you can afford
Application - access, admin, using
Internet or Local Network only
Performance Monitoring And Reports
Terms of Reference/Charter/Contract (RFC2350)
Reporting agreements
Memos of Understanding
Service Level Agreements
Work monitoring
Reports
Quality related work
Finding Contacts
Regular
    TF-CSIRT
    FIRST
Per Incident
    ARIN, RIPE, APNIC
    TF-CSIRT
    FIRST
Trust Brokers
TI
FIRST
Transferring incident information
Reporting templates
Taxonomy
Reliable Information Sources
Other (reliable) sources of information
Course format
Modular to ease delivery and maintenance
Modules include
    Presentations
    Workshops
    Discussion
Full course takes two days
    Allows informal discussion in evening
Progress and plans
Initial development by TF-CSIRT sub-group
Draft syllabus for discussion in January 2001
Development of modules by community
    Perhaps professional advice for legal section!
Aim for delivery during 2001