IGF Best Practices Forum on "Establishing and Supporting CERTS for Internet security

Transcription

1 IGF Best Practices Forum on "Establishing and Supporting CERTS for Internet security Report 7. Private CSIRT/PSIRT teams Note. This report joins the comments on the online forum. As there were distinctive topics that were discussed, they are presented separately. Entries are presented in the order of arrival. First the contributor is mentioned and where appropriate within brackets the person responding to is mentioned, e.g. (Wout). The affiliation of a respondent is not mentioned, as he/she may be giving a personal point of view or not. As consultant to the group this is impossible and not necessary to ascertain. Maarten van Horenbeeck (outline) I'd also like to thank you for participating in the IGF CERTs BPF. Following up to Cristine's point, I briefly wanted to cover another type of CSIRT team that contributes to internet security. There are CSIRT teams which have a more narrow constituency and because of that offer specialized contributions to internet security. A great example of these are private sector, enterprise incident response teams. Enterprise CSIRTs generally have as their constituency either the customers of an enterprise, or the employees and networks belonging to the enterprise. There are two important roles an enterprise CSIRT generally elects to take: (i) Product security (PSIRT): Enterprises which develop software or hardware products generally will have an incident response team for product security issues- investigating and addressing vulnerabilities or weaknesses in products which may be exploited and expose their customers to risk. (ii) Computer/Network security (CSIRT): Enterprises will often maintain an incident response team to respond to security breaches and incidents across their enterprise network. In addition, some enterprise CSIRT teams provide incident response services directly to customers of the enterprise. For instance, a corporation which provides IT services may also provide incident response services and develop a fully staffed and resourced incident response team to support its customers. While a national CSIRT will often take a coordinating role- and due to its prominence will be the team internet users internationally often reach out to in order to report an issue, many networks are privately owned, and actual incident handling, investigations and forensic efforts may need to

2 be performed by the organization managing the network. This is often an enterprise CSIRT. National CSIRT teams can pass along reports to the enterprise CSIRT managing the network from which the attack originates either manually, through personal contacts, or through automated mechanisms (such as or more structured exchange mechanisms, driven using tools such as AbuseHelper or Megatron). In addition, most products are developed in the private sector. When a vulnerability is exploited in such product, the victim under attack may reach out to the corporation who built the exploited product, to notify them of the vulnerability and request a fix. In some cases, when a vulnerability affects many vendors, the victim may choose to report the vulnerability to a vulnerability coordinator instead, who coordinates addressing the issue. Many national CSIRT teams have a vulnerability coordination role (often, but not always, indicated by /CC at the end of the name, which stands for Coordination Center). In those cases, the vulnerability coordinator will work with any private sector product security response teams affected to ensure the vulnerability is addressed (CERT-FI's vulnerability coordination policy is a good example: FI_Vulnerability_Coordination_Policy.pdf. Private sector CSIRT and PSIRT teams can also provide expertise in areas of deep specialization. National CSIRT teams, due to the size and heterogeneity of their constituency, have to support a wide set of technologies. They tend to specialize in a few services and skills most relevant to their constituency, and have wide coverage of technologies. In the private sector, teams can specialize in specific technologies they have unique knowledge of, as they build the technology or heavily rely on it internally. This makes that they may be uniquely placed to assist national CSIRT teams and the wider community in investigating an incident on a particular platform or application. Product security teams also often release advisories and bulletins notifying customers of new vulnerabilities that have been identified or fixed. National CSIRT's can take that information, and use it to advise their constituency accordingly on the risks involved, sometimes localizing (both in language or technology context) the information. These private sector teams often work with the community of CSIRT's by participating in the same forums many of the national CSIRT teams do. Two examples of this are FIRST, the Forum of Incident Response and Security Teams, and Trusted Introducer: There are also more integrated organizations which develop cross-company incident response plans for vulnerabilities which affect more than a single vendor. An example of such an organization is ICASI ( which developed a Unified Security Incident Response Plan (USIRP) for use across its member companies.

3 Also of interest, there has recently been some work performed in the International Organization for Standardization (ISO) to develop guidelines on how to process and resolve vulnerability information in a product or service (ISO/IEC 30111:2013) and on methods vendors should use to address issues related to vulnerability disclosure (ISO/IEC 29147:2014). I'm interested in hearing from the civil society members of this forum- do you see similar teams developing in civil society? Do you work with national or private sector incident response teams? I look forward to continuing this discussion, and learning from everyone's experiences. Shreedeep Rayamajhi I am not an expert but one thing that really interested me was the concept of how private sector is progressing in regards of developing new standard and technology in terms of online security. My name is Shreedeep and i work in a software company that works as an agent for outsourcing where we do follow protocols at times of need. But when it comes to the practice of government online security it is very less prioritize in this part of the world, to be precise we use all the latest technology and equipment but at national level there no mechanism to counter such disaster. May be its because of the lack of online system which is gradually picking up or maybe we are not so much dependent on online systems. No matter what with mobile phone and 3g connection popularly used I surely see a need of national online security protocol but still the government is least bothered about it. My concern about it is Nepal lies in between China and India both superpowers. India has its share of development and China has its own, Nepal in between lacks proper online strategy and mechanism and that certain makes it vulnerable in stressing the situation. in the past national and government websites have been hacked but with no protocols to follow it has landed up in awkward situation. The next generation of power is all about online security and if there are no strict mechanism then you certainly have to pay the price. Like such Cyber Warfare & Cyber Terrorism are some of the burning issues which threats the cyberspace and its operations Research paper: Warfare-by-Shreedeep-Rayamajhi Jahangir Hossain

4 I am Jahangir Hossain working in IP Transit/Solution provider as technical person also involve couple civil society organization in BD. As a technical and civil society representative i have some observation about private sector CSIRT/PSIRT teams by considering developing country experience where security aspect now growing. For example, in our country like Bangladesh we have active private sector CERT named Bangladesh Computer Emergency Response Team (bdcert) which collaboratively working with APCERT, OIC-CERT and other also have government owned CERT named Bangladesh Computer Security Incident Response Team (BD-CSIRT) which also collaboratively working with APCERT, OIC-CERT but not so active. The problem is to validate or authority the private CERT compare to Govt. owned CERT into local stakeholder specially national level to mitigate any security related issue. This is because initially Govt. owned organization like CERT have the authority to ask/share any information to other stakeholder. In private sector CERT also working fine in national level but they have a limitation about authority to ask/share any information of other stakeholder. For example, if a private sector CERT (national level) request to share a information from google, microsoft,yahoo or other international reputed Service provider to mitigate attack which occurred in national level then most of time to unable get the information on time because of their authority. I think we need to find out the way to resolve this but i am really happy to see member list of FIRST which makes new ERA in my mind. Personally it might be the same challenges in private enterprise CSIRT into developing country. Yes i am agree with your point i.e " National CSIRT teams can pass along reports to the enterprise CSIRT managing the network from which the attack originates " also ISO/IEC can play important role regarding Regarding Product security (PSIRT). Miroslav Maj Important topic mentioned by Jahangir. IMHO one of the best solution to deal with this problem is to follow an official constituency of the particular (does not matter gov/national or private) CERT. Your authority of acting as a CERT for the constituency should be enough and required at the same time to ask/request/be_asked regarding this constituency. Rosiah Just to share, in MyCERT, we have the SOC which does Incident Response. We also have another team within MyCERT that does operational research, threat analysis and develop tools.

5 Eun Ojedeji I like the fact that you include the 2 option possibility of a "national CERT". To trust a CERT IMO should go beyond whether the CERT provides accurate/reliable data to its peers, it also includes "how the CERT gets its data" and what type of analysis it does with it. Which if you ask me brings some level of privacy concerns in place and in turn will mean some level of policy making/awareness should be set in place before implementation of a national cert