GRID Security Workshop, 5-6 December 2002
©The JNT Association, 2002

Computer Emergency Response Teams

Andy Bone
JANET-CERT Manager
a.bone@ukerna.ac.uk

What’s in a name

CERTs come in many shapes and sizes and can have many names. Some of the more common are:

• CSIRT - Computer Security Incident Response Team
• SIRT - Security Incident Response Team
• IRT - Incident Response Team

CERT is a registered trademark of CERT CC, situated at Carnegie Mellon University, Pittsburgh. The original CERT was created by the US Government in 1988 after a major internet worm attack. www.cert.com

INCIDENT RESPONSE

Types of CERT

Internal CERTs - Janet CERT
• provide services for their parent organisation.

Co-ordination Centers – CERT CC
• coordinate across other CERTs; tend to work on a bigger scale such as country, world stage.

Analysis Centers
• focus on trends to provide early warning of attacks.

Vendor Teams
• track and provide early warnings for vulnerabilities; they may also perform incident handling within their organisation.

Incident Handling Providers
• independent, providing services for profit.

Why a CERT

[Figure: JANET-CERT Enquiries. Chart of enquiries (vertical axis, 0 to 10000) by year (horizontal axis, 1997 to 2002).]

What can a CERT Offer

• Co-ordination of worldwide as well as local incidents
• It is known and trusted (vital) by its constituency
• Current specialist knowledge and resources
• Speedy response (in line with SLA)
• Triage of incidents
• Protects its constituents, their reputation and the network
• Central point to gather and disseminate information
• Has access to internal/external sources and contacts
• Can tailor and distribute relevant information to its own constituency

JANET-CERT

Service Level Agreement through the JISC

Response
• Receive and co-ordinate incident reports until completion.
• Offer advice to our constituents on corrective actions.
• Liaison with both internal/external sites/agencies including other CERTs and law enforcement to resolve differences.

Protect the network
Authorised to disconnect or block sites or equipment that pose a threat

JANET-CERT Information

• We provide two mailing lists providing information (CERT Contacts)
  – UK-Security-Announce (Read only external to CERT)
    » CERT advisories of new threats/solutions or announcements
  – UK-Security (CERT Contacts and related recommended constituents)
    » Security related discussion and the information provided above.
    » Technical, policy and minor legal support.
• Web site (http://www.ja.net/CERT/)
• Papers, reports, articles, guides and notes.
  – In paper and digital form at http://www.ukerna.ac.uk

JANET-CERT Awareness

• Training courses
• Conferences & Workshops
• Presentations

Liaison
• Other CERTs (UK-CERT, TF-CSIRT and FIRST)
• Law enforcement and the security services.
• External network operators and ISPs
• Anyone else that asks to share mutual information.

JANET-CERT Resources

Staffing
Currently 8 personnel

Manned
From 0800 – 1800 Mon-Fri
On call 1800 – 2359 weeknights and 0900 – 1700 weekends excluding UK bank holidays, Xmas day, Boxing Day and Easter Sunday.

Communications
Email: [email protected]
Telephone: +44 (0)1235 822340
Fax: +44 (0)1235 822398

Questions