TOPICS TO BE COVERED: First Workshop for Computer Security Incident Management Experts

Transcription

1 TOPICS TO BE COVERED: First Workshop for Computer Security Incident Management Experts February 24-27, 2010/ Montevideo, Uruguay. Page 1

2 1 Recommended guidelines and actions for the creation of a Computer Security Incident Response Center 1.1 Recommendations regarding the organization and regulations of the future CSIRT s host organization, including at least: Recommended computer security policies at host organization level Recommended incident escalation and reporting policies Recommendations on the possible insertion of the CSIRT within the organization and possible relationship charts. 1.2 General recommendations regarding the physical infrastructure required during the initial stages, considering: Physical and environmental safety recommendations Recommendations for the CSIRT's network architecture, including their link to the host organization and the Internet, this item shall include a minumum standard installation design Computer services that must be initially available, (for example: request tracker, secure , secure communications systems, honeypots, etc.). 1.3 Analysis and description of the benefits obtained by implementing an Incident Response Center at an organization that makes intensive use of IT and the Internet Cost-benefit analyses shall be promoted for organizations of different types and sizes, to be defined by the specialist. training sessions conducted at the dissemination workshops. Their duration shall be 4 2 Types of Response Centers, their mission and strategic guidelines 2.1 Detailed description of the most common organizational models February 24-27, 2010/ Montevideo, Uruguay. Page 2

3 2.1.1 Analysis of the relationship between the host organization's mission and the type of response center to be developed. 2.2 Description of different ways to define the target beneficiary/client community and its relation with the host organization's mission Recommendations shall be made as to which are the best strategies for achieving high levels of relevance, legitimacy, and visibility within the target community. 2.3 Types of services that the Response Center may provide to the target community Recommendations shall be made regarding which services may be provided and their chronological development, as a means for achieving a better insertion within the community. training sessions conducted at the dissemination workshops. Their duration shall be 3 3 Description of the different functions within a Response Center 3.1 Proposal for the specialization of functions within a Response Center Segregation of functions within a Response Center Description of said functions in accordance with best practices Developing manuals and procedures relating to the main functions detailed in the preceding item Designing an end-to-end flowchart of the incident management process. 3.2 Proposals for the main policies and procedures required for the operation of a Response Center Code of ethics proposals Computer security policy proposals. February 24-27, 2010/ Montevideo, Uruguay. Page 3

4 3.2.3 Physical and environmental security policy proposals Incident management policy proposals. 3.3 Information management policy proposal Policy proposal regarding team members' access to information Policy proposals regarding the protection of digital and paper media Information dissemination policy proposals Information storage policy proposals. training sessions conducted at the dissemination workshops. Their duration shall be 4 4 Response Center risk management policies 4.1 Best practices will be proposed for risk control at the future response centers, as a way to orient proactive actions and future projects Proposed risk management methodology for this type of organizations Description of the main processes that will be managed using the proposed methodology Developing the risk management procedure and its implications in relation to the community. 4.2 The required skills of the members of the Response Center shall be detailed Staff selection and hiring procedures Profile definition and proposal Policies for protecting against the risks inherent to human resources Necessary training. February 24-27, 2010/ Montevideo, Uruguay. Page 4

5 training sessions conducted at the dissemination workshops. Their duration shall be 3 5 Preparing for computer incident management 5.1 Developing and setting up a honeypot (3 hours) A utilization manual for an open source honeypot and the methodological guide necessary for its subsequent installation and maintenance shall be developed, as well as the materials necessary for conducting a 3-hour workshop that will allow an in-depth understanding of how these devices are handled. 5.2 Incident management workshop (3 hours) An exercise simulating an actual phishing attack will be conducted in which participants will have to analyze code and use malware tools. The dynamics of the exercise shall encourage participants to research and discover the incident, and will include a closing report with a detailed presentation. 5.3 Incident management workshop II (4 hours) An exercise simulating an actual botnet attack will be conducted in which participants will be required to interact among several CSIRTs, perform log analyses, and make real-time decisions. The need to cooperate and share information when faced with an attack situation shall be particularly stressed. The dynamics of the exercise shall encourage participants to research and discover the incident, and will include a closing report with a detailed presentation. 5.4 Developing a computer forensics analysis workshop (3 hours) A manual shall be developed that may serve as the protocol to be followed in those cases where it is necessary to conduct standard computer forensics analysis activities. This manual shall place particular emphasis on preserving evidence for legal purposes. A workshop shall be prepared where this protocol will be placed into practice and the efficiency of having a specific methodology for these activities will be demonstrated. February 24-27, 2010/ Montevideo, Uruguay. Page 5