CSIRT training course ©TERENA, 2002-9, slide 1 of 21
CSIRT Organisational Issues
Dr. Claudia Natanson, Don Stikvoort MSc CTNLP
Planning
• Understand your organisation
  • Identify assets and risks
  • Understand CSIRTs; case study some teams
  • Think about your CSIRT constituency and service
  • Think about where the CSIRT sits in the organisation
• Sell your idea to others
  • Need management and user buy-in
  • Need permanent funding and a budget
  • Write a concise proposal displaying vision
Understand Your Organisation
• Why does it need a CSIRT?
• What does the organisation look like?
  • How do units relate to each other? Who is responsible?
  • Who are the key people you need to persuade?
• What already exists, internally or externally?
  • IRTs? Security process? Policies? Regulators? Standards?
• What benefits and barriers are there?
• Where is the CSIRT on the balance sheet?
  • Business overhead, or an investment yielding a return?
Typical organisation (1)
[Org chart of a Bank: CEO at the top, with Director Sweden, Director France, Head of Security and IT Director reporting in; each country director has a Head of IT, a Head Networks & Systems and Sysadmins beneath. The CSIRT box is attached with question marks ("? ?"), showing that where it should sit in this hierarchy is an open question.]
Typical organisation (2)
[Diagram of a National Research Network: several Universities, a University College and a Research College connect to the network; the network Operator hosts the CSIRT; a € symbol on the diagram marks the funding relationship.]
Security Management Cycle
• All organisations should have one
• Organic growth: the CSIRT can contribute
  • To promotion
  • To development
  • To operation
• CSIRT takes part in the cycle
[Cycle diagram: Security Policy → Risk Analysis → Security Plan → Implementation → Audit & Feedback → back to Security Policy]
What Drives/Hinders Security?
• Different concerns in different organisations
• For security:
  • Business operations reliant on information systems
  • Laws, standards and regulation, e.g. Data Protection, ISO9000, ISO27000, Financial Services Regulator, SOx, accountancy/board auditability demands
  • Commercial contracts (risk of damage to partners)
  • Return on investment (security should save money)
• Against security:
  • Limited resources
  • Lack of understanding / reluctance to change
• Understand and address these
Where are the Biggest Holes?
[Diagram with callouts around the organisation's boundary: Employees? Customers/Students? Suppliers/Partners?]
• Viruses/Worms: LoveBug, CodeRed, Nimda, Slammer, … Cost $1T worldwide. They need user help to spread:
  • Unexpected attachments
  • Unneeded programs
  • Unwary users get caught
• Secure h/w & s/w? Firewalls? Anti-virus s/w?
• Do you know? DTI* data indicates:
  • 68% suffered a malicious incident
  • Two thirds have no information security policy
  • 57% have no contingency plan for incidents
* UK Department of Trade and Industry, Information Security Breaches Survey 2004
Sell the Idea to Others
• Set a timetable with a launch date
• Talk to the key people
  • Systems, Networks, IT directors, Security, Legal, etc.
  • Business people (primary process)
  • Find out their goals and concerns
  • Develop the proposal with them
• Plan activities to remove barriers where possible
Write the Proposal
This document needs to:
• Educate the constituency
  • Relevant overview of security risks and threats
  • Include statistics (as relevant as possible)
• Highlight non-compliance with standards, if any has been found
• Review the current state of security
• List the benefits to all departments of having a CSIRT
Key reasons to have a CSIRT
To organise:
1. Awareness
   • CSIRT visibility on all levels focuses attention on incident management (IM)
2. Authority
   • What can the team do, and by what right?
   • Who will back the team up when things get rough?
3. Escalation
   • Pre-agreed route through/past the hierarchy
   • To reach the board, press contacts, risk management
4. External contacts (CSIRTs, police, etc.)
   • Use effort effectively and efficiently
   • Avoid contradictory messages/actions
CSIRT Framework
Essential to define the service and prevent arguments.
• Mission statement: high-level presentation of
  • What the team will do
  • And what the team will not do (and who does it instead)
  • Be realistic: the best CSIRTs do a few things well
• Constituency: who the team will do it for
• Place in the organisation: relation to other teams
From the CSIRT Handbook: www.cert.org/archive/pdf/csirt-handbook.pdf
Many Things a CSIRT Can Do
• Incident Handling
• Alerts & Warnings
• Vulnerability Handling
• Artefact Handling
• Announcements
• Technology Watch
• Audits/Assessments
• Configure and Maintain Tools/Applications/Infrastructure
• Security Tool Development
• Intrusion Detection
• Information Dissemination
• Risk Analysis
• Business Continuity Planning
• Security Consulting
• Awareness Building
• Education/Training
• Product Evaluation
List from CERT-CC. No one does all of these.
Different Types of Service
1. Incident prevention
   • Awareness raising, audits, port/vulnerability scans, advisories, …
2. Incident detection
   • IDS sensors, firewall alerts, point of contact, …
3. Incident resolution
   • Incident co-ordination, on-site handling, …
4. Incident post-processing
   • Punishment (with care), lessons learned, …
   • Feeds back into incident prevention
Incident Resolution or Handling
Essential function to call yourself a CSIRT. May consist of any or all of:
• Incident co-ordination
• Incident support
• Incident response on site
• Incident analysis
• Forensic evidence collection
• Tracing or tracking
Recruiting Staff
• What skill sets are needed?
  • General: common sense, communication, diplomacy, willingness to learn, works under pressure, team player, integrity, owns up to mistakes, problem solving, time management, …
  • Technical: to match the activities the CSIRT will offer
• What checks on history do you need?
  • CSIRT staff must be trustworthy
  • Building trust is an ongoing process
• Discuss the confidentiality requirement with team members and associates
Publicise Your Team
Getting yourself known (inside & outside):
• Link from the organisational Security web page
• Use conferences, talks, workshops, newsletters, etc.
• Link activities into the organisational IRP
• Join trusted directories (so others can find you)
  • Trusted Introducer accreditation process
  • FIRST membership process
  • RIPE IRT object
• Establish working relationships
  • E.g. with vulnerability alerting organisations
Meeting Others
• Organisations to check out:
  • www.terena.org/tf-csirt/
  • www.trusted-introducer.org
  • www.first.org
• Budget to attend meetings of these organisations
  • Face-to-face networking is essential, for secure working and to develop your team
  • National workshops can be very effective too
• An external website also helps to keep contact
  • Use RFC 2350 to tell others who your CSIRT is
Funding the CSIRT
• A CSIRT must have sound, long-term funding
  • Not an annual project that can stop at any time
• Usually centrally funded, as part of the ICT/security overhead
A GOOD CSIRT SET-UP WILL SAVE YOU TIME, MONEY, HEADACHES AND WORSE
CSIRT Value for Money
• Know what incidents you have prevented
  • And their real costs to the organisation
  • Reduced business & staff disruption
  • Protected reputation of the organisation
• Know what happens to others
  • Share anonymised case studies
  • Contribute to Best Current Practice
  • Look at headlines, and explain why it didn't happen here
• Keep up to date
  • With user requirements as well as technology
Talking the right language
Different tasks in the organisation:
• CEO: to maximise shareholder value
• PR officer: to present a good image to the press
• Corporate Risk: to care about liabilities, good accounting, etc.
• CSIRT: to prevent and resolve incidents
Don't assume these interests automatically coincide, but with your help, they can!