CERT-in-a-Box and Alerting-Service-in-a-box. The Boxing projects: CERT-in-a-Box & Alerting-Service-in-a-Box. Douwe Leguit

CERT-in-a-Box and Alerting-Service-in-a-box

“The Boxing projects”

CERT-in-a-Box & Alerting-Service-in-a-Box

Douwe Leguit

The Boxing principles

• An effort to preserve the lessons learned while setting up “De Waarschuwingsdienst”, the Dutch national Alerting service, and GOVCERT.NL, the Dutch government CERT.

• The goal is to help others starting a CSIRT (CERT) or an Alerting Service by
  – getting them up to speed faster
  – helping them to avoid making the same mistakes

Target audience (you?)

• People who plan to set up
  – a CSIRT
  – an Alerting service
  – a WARP?

• If they are
  – governmental
  – academic
  – commercial (CIP?)

• What would they like to hear?

Quick Overview of “The Boxing projects”

Presented at the GOVCERT.NL Symposium 2005
• CERT-in-a-Box
• Alerting-Service-in-a-Box

Recent Changes GOVCERT.NL & Waarschuwingsdienst
• Project organisation is now landing
• Business Continuity Management implemented
• More attention for Information Security (Policies) (both tactical and strategic level)
• Focus on Non-Central Government, e.g. States and Cities

History and future…

• 2001 report: Vulnerability on the Internet
  – a social obligation to inform the Dutch public
  – set up a CERT for the Dutch Central Government (GOVCERT.NL)
  – Membership is optional
  – look into feasibility of having this CERT function as alerting service

• 2002, June: GOVCERT.NL
• 2003, February: De Waarschuwingsdienst
• 2005: trusted party for constituency and relations
• 2006: consolidation organisation and services

The organisations

• GOVCERT.NL
  – Focus on IT Security
  – “Up to the minute” Advisories 24x7
  – Advice & Security Scans
  – Incident Handling and Response 24x7
  – Knowledge Centre

• De Waarschuwingsdienst
  An alerting service for IT security related incidents aimed at Dutch home users and small companies (up to 10 PCs)
  – independent
  – quick & accurate
  – free

[Organisation chart: General Manager; Manager Technical Team; Technical team (Technical Specialists); Program Secretary; Communication Advisor; Office Manager]

Funding

• GOVCERT.NL – standard services:
  – Ministry of the Interior
  – Operational budget for central government bodies
  – Other government bodies pay cost price
  – Non standard Products: at cost price

• Alerting service:
  – Ministry of Economic Affairs
  – Operational budget for awareness campaign and alerting service

• Demonstrating success to stakeholders
  – Start immediately with producing good statistics!

Development of Products

Successful:
• Advisories
• Forums
• Quick Scans
• E-mail alerts
• Websites
• Incident handling
• Cybercrime manual
• Symposium

Less successful:
• Knowledge base
• Central incident reporting point
• SMS-alerts
• Pricing
• Good statistics

GOVCERT.NL Constituents

Primary focus:
• Pilot constituents
• Central government bodies
• Use general terms and conditions
• Use general service
• Trust level of staffing (AIVD A-screening)

Less easy:
• Ministry of Defence
• Ministries which outsourced all IT
• Non central government bodies; states and cities
• CIP-players in the private sector

Note local regulations for government services competing on a free market

Organizational aspects of implementing a CERT

• People
• Processes
• Systems
• Legal issues
• Communication & PR
• International network

Processes & people

• Processes:
  – Formalize operations fast, step by step, but be open for changes on the way
  – Establish escalation procedures
  – Set up a matrix for qualification of incidents
  – Set up a media matrix for the Alerting service
  – Revise your information and operational processes
  – Implement Business Continuity Management

• People:
  – Technical and non technical employees
  – 1 FTE communication, 7 FTE technical after 2 years
  – 24 x 7 on a rotating schedule, once every six weeks. Active duty: 09:00 – 23:00; on call: 23:00 – 09:00
  – Technical profile + communication and project skills

Systems & legal issues

• Systems:
  – Use proven technology
  – Share and use knowledge with other CERTs
  – Security demands checked by Dutch national security agency
  – Redundancy (Business Continuity Management)

• Legal issues
  – Use (external) legal advice during set-up
  – Develop General terms & conditions
  – Develop Privacy policy and disclaimers
  – Take position in Market regulation issues
  – Develop Contracts and Service Level Agreements and Non Disclosure Agreements

Communications & PR - International network

• Communication and PR
  – Organize production and editing of all content
  – Organize co-writing of advisories for website and e-mail
  – Organize campaign management & free publicity
  – Use media contacts
  – Handle questions from the press

• International network
  – Establish contacts fast
  – Decide which value you will add to the network
  – Start working together

Processes (boxing project)

Gives an overview of:
• Operational process (step by step)
• GOVCERT.NL matrix: qualification of incidents
• Waarschuwingsdienst media matrix
• Escalation process
• Job Profiles
• Tips and tricks
• Templates and process-flows
• Future improvement

Tips and Tricks

Share knowledge & expertise with CERTs => the Boxing project ;)

Integrate the Alerting service in the processes of your CERT

Start with alerting to build credits first: be quick and accurate!

Stay in close contact with your target group to improve the quality of your alerts and incident handling

Start a Newsletter service for people who are not specifically interested in alerting, but need to be aware

Establish good contacts with (national) press in case escalation is needed

Downloadable

On the GOVCERT.NL website
http://www.govcert.nl/render.html?it=69

On the FIRST website
http://www.first.org/resources/guides/

Or send an e-mail [email protected]

Thank you

Douwe [email protected]

www.govcert.nl
www.waarschuwingsdienst.nl