
CSIRT training course ©TERENA, 2002-9, slide 1 of 21

CSIRT Organisational Issues

Dr. Claudia Natanson
Don Stikvoort MSc CTNLP

Planning

• Understand your organisation
• Identify assets and risks
• Understand CSIRTs: case-study some teams
• Think about your CSIRT constituency and service
• Think about where the CSIRT sits in the organisation

• Sell your idea to others
• Need management and user buy-in
• Need permanent funding and a budget
• Write a concise proposal displaying vision

Understand Your Organisation

• Why does it need a CSIRT?
• What does the organisation look like?
  • How do units relate to each other? Who is responsible?
  • Who are the key people you need to persuade?
• What already exists, internally or externally?
  • IRTs? Security process? Policies? Regulators? Standards?
• What benefits and barriers are there?
• Where is the CSIRT on the balance sheet?
  • Business overhead, or an investment yielding a return?

Typical organisation (1)

[Org chart of a bank: CEO at the top; below the CEO a Director Sweden, a Director France, a Head of Security and an IT Director. Each country unit has its own Head of IT, Head of Networks & Systems and Sysadmin. A CSIRT box with question marks shows the open question of where the CSIRT should sit.]

Typical organisation (2)

[Org chart of a National Research Network: the network operator runs the CSIRT; its constituency is the connected institutions, i.e. several universities, a University College and a Research College.]

Security Management Cycle

• All organisations should have one
• Organic growth; the CSIRT can contribute:
  • To promotion
  • To development
  • To operation
• CSIRT takes part in the cycle

[Cycle diagram: Security Policy → Risk Analysis → Security Plan → Implementation → Audit & Feedback → (round again to) Security Policy]

What Drives/Hinders Security?

Different concerns in different organisations.

For security:
• Business operations reliant on information systems
• Laws, standards and regulation, e.g. Data Protection, ISO 9000, ISO 27000, Financial Services Regulator, SOx, accountancy/board auditability demands
• Commercial contracts (risk of damage to partners)
• Return on investment (security should save money)

Against security:
• Limited resources
• Lack of understanding / reluctance to change

Understand and address these.

Where are the Biggest Holes?

Viruses/Worms
• LoveBug, CodeRed, Nimda, Slammer, …
• Cost $1T worldwide
• Need user help to spread:
  • Unexpected attachments
  • Unneeded programs
• Unwary users get caught

Employees? Customers/Students? Suppliers/Partners?
• Secure h/w & s/w?
• Firewalls?
• Anti-virus s/w?

Do you know? DTI* data indicates:
• 68% suffered a malicious incident
• Two thirds have no info security policy
• 57% have no contingency plan for incidents

* UK Department for Trade & Industry Information Security Breaches survey 2004

Sell the Idea to Others

• Set a timetable with a launch date
• Talk to the key people
  • Systems, Networks, IT directors, Security, Legal, etc.
  • Business people (primary process)
  • Find out their goals and concerns
  • Develop the proposal with them
• Plan activities to remove barriers where possible

Write the Proposal

This document needs to:
• Educate the constituency
  • Relevant overview of security risks and threats
  • Include statistics (as relevant as possible)
• Highlight non-compliance with standards, if any has been found
• Review the current state of security
• List benefits to all departments of having a CSIRT

Key Reasons to Have a CSIRT

To organise:
1. Awareness
   • CSIRT visibility on all levels focuses attention on IM
2. Authority
   • What can the team do and by what right?
   • Who will back the team up when things get rough?
3. Escalation
   • Pre-agreed route through/past hierarchy
   • To reach board, press contacts, risk management
4. External Contacts (CSIRTs, police, etc.)
   • Use effort effectively and efficiently
   • Avoid contradictory messages/actions

CSIRT Framework

Essential to define the service and prevent arguments.

• Mission Statement – high-level presentation of:
  • What the team will do
  • And what the team will not do (and who does it instead)
  • Be realistic – the best CSIRTs do a few things well
• Constituency
  • Who the team will do it for
• Place in organisation
  • Relation to other teams

From the CSIRT Handbook: www.cert.org/archive/pdf/csirt-handbook.pdf

Many Things a CSIRT Can Do

• Incident Handling
• Alerts & Warnings
• Vulnerability Handling
• Artefact Handling
• Announcements
• Technology Watch
• Audits/Assessments
• Configure and Maintain Tools/Applications/Infrastructure
• Security Tool Development
• Intrusion Detection
• Information Dissemination
• Risk Analysis
• Business Continuity Planning
• Security Consulting
• Awareness Building
• Education/Training
• Product Evaluation

List from CERT-CC. No-one does all of these.

Different Types of Service

1. Incident prevention
   • Awareness raising, audits, port/vulnerability scans, advisories, …
2. Incident detection
   • IDS sensors, firewall alerts, point-of-contact, …
3. Incident resolution
   • Incident co-ordination, on-site handling, …
4. Incident post-processing
   • Punishment (with care), lessons learned, …
   • Feeds back to incident prevention

Incident Resolution or Handling

Essential function to call yourself a CSIRT. May consist of any or all of:
• Incident co-ordination
• Incident support
• Incident response on-site
• Incident analysis
• Forensic evidence collection
• Tracing or tracking

Recruiting Staff

What skill sets are needed?
• General: common sense, communication, diplomacy, willingness to learn, works under pressure, team player, integrity, owns up to mistakes, problem solving, time management, …
• Technical: to match the activities the CSIRT will offer

What checks on history do you need?
• CSIRT staff must be trustworthy
• Building trust is an ongoing process
• Discuss the confidentiality requirement with team members and associates

Publicise Your Team

Getting yourself known (inside & outside):
• Link from the organisational Security Web Page
• Use conferences, talks, workshops, newsletters, etc.
• Link activities into the organisational IRP
• Join trusted directories (so others can find you)
  • Trusted Introducer accreditation process
  • FIRST membership process
  • RIPE IRT object
• Establish working relationships, e.g. with vulnerability alerting organisations

Meeting Others

Organisations to check out:
• www.terena.org/tf-csirt/
• www.trusted-introducer.org
• www.first.org

• Budget to attend meetings of these organisations
  • Face-to-face networking is essential, for secure working and to develop your team
  • National workshops can be very effective too
• An external website also helps to keep contact
• Use RFC 2350 to tell others who your CSIRT is
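As an added illustration that is not part of the slides, the outline below follows the section structure RFC 2350 (Appendix D) prescribes for the description of a CSIRT. It is the document the slide above asks you to publish, and its Charter and Policies sections are where the framework items of the CSIRT Framework slide (mission statement, constituency, authority, place in the organisation) end up in writing. Every value in square brackets is a placeholder for an imaginary team, not a real CSIRT; the notes after the colons say what a team would put there.

```text
RFC 2350 description of [Example CSIRT]   (placeholder team name, not a real team)

1. Document Information
   1.1 Date of Last Update            : [YYYY-MM-DD], version [n]
   1.2 Distribution List for Notifications : [none, or a mailing list address]
   1.3 Locations where this Document May Be Found : [https://csirt.example/rfc2350.txt] (placeholder URL)
   1.4 Authenticating this Document   : [signed with the team PGP key listed under 2.8]
2. Contact Information
   2.1 Name of the Team               : [Example CSIRT], full name [Example Organisation CSIRT]
   2.2 Address                        : [postal address]
   2.3 Time Zone                      : [local zone and UTC offset, incl. summer time]
   2.4 Telephone Number               : [number and the hours it is attended]
   2.5 Facsimile Number               : [number, or "none"]
   2.6 Other Telecommunication        : [none]
   2.7 Electronic Mail Address        : [csirt@example], incident reports to [abuse@example]
   2.8 Public Keys and Encryption Information : [PGP key ID and fingerprint; where the key is published]
   2.9 Team Members                   : [team leader named; other members on request]
   2.10 Other Information             : [team web page, memberships]
   2.11 Points of Customer Contact    : [preferred channel, hours, out-of-hours route]
3. Charter
   3.1 Mission Statement              : [what the team will do, and what it will not do and who does that instead]
   3.2 Constituency                   : [who the team acts for: the organisation's users, networks, address ranges]
   3.3 Sponsorship and/or Affiliation : [funding parent organisation; relation to other teams]
   3.4 Authority                      : [by whose mandate the team acts; what it may decide and what it may only advise]
4. Policies
   4.1 Types of Incidents and Level of Support : [incident types handled, priorities, support hours]
   4.2 Co-operation, Interaction and Disclosure of Information : [what is shared with whom, e.g. other CSIRTs, police]
   4.3 Communication and Authentication : [when encryption or telephone call-back is required]
5. Services
   5.1 Incident Response
       5.1.1 Incident Triage          : [assess reports, determine scope and priority]
       5.1.2 Incident Coordination    : [contact involved parties, other CSIRTs, law enforcement]
       5.1.3 Incident Resolution      : [advise, support on-site handling, collect evidence]
   5.2 Proactive Activities           : [advisories, awareness, audits, vulnerability scans]
6. Incident Reporting Forms           : [URL, or "none; report by e-mail"]
7. Disclaimers                        : [limits of liability for information the team provides]
```

Publishing the document at a stable URL and signing it (section 1.4) is what lets other teams verify who they are talking to before they share incident data; the trusted directories on the previous slide expect such a description to exist.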

Funding the CSIRT

• CSIRT must have sound, long-term funding
  • Not an annual project that can stop at any time
• Usually centrally funded, as part of ICT/security overhead

A GOOD CSIRT SET-UP WILL SAVE YOU TIME, MONEY, HEADACHES AND WORSE

CSIRT Value for Money

• Know what incidents you have prevented
  • And their real costs to the organisation
  • Reduced business & staff disruption
  • Protected reputation of the organisation
• Know what happens to others
  • Share anonymised case studies
  • Contribute to Best Current Practice
  • Look at headlines, and explain why it didn’t happen here
• Keep up to date
  • With user requirements as well as technology

Talking the Right Language

Different tasks in the organisation:
• CEO: to maximise shareholder value
• PR officer: to present a good image to the press
• Corporate Risk: to care about liabilities, good accounting, etc.
• CSIRT: to prevent and resolve incidents

Don’t assume these interests automatically coincide - but with your help, they can!