
TRANSITS CSIRT Training David Collados, CERN IT/GD 5-6 July 2007, Sofia (Bulgaria)


Presentation Transcript


  1. TRANSITS CSIRT Training. David Collados, CERN IT/GD. 5-6 July 2007, Sofia (Bulgaria).

  2. Introduction
     • 5-6 July, Sofia: TRANSITS (Training of Network Security Incident Teams’ Staff) course.
     • TRANSITS: 2002 EU project to promote the establishment/enhancement of CSIRTs (Computer Security Incident Response Teams) by addressing the shortage of skilled CSIRT staff.

  3. Introduction
     • 2005: TERENA (Trans-European Research and Education Networking Association) and FIRST (Forum of Incident Response and Security Teams) joined to organise further training workshops.
     • Recent ones co-organised and sponsored by ENISA (the European Network and Information Security Agency).

  4. TRANSITS
     • Aim: to train staff of (new) CSIRTs in the organisational, operational, technical and legal issues involved in providing CSIRT services.
     • 4 trainers:
       • Don Stikvoort of S-CURE (The Netherlands)
       • Lionel Ferette of BELNET CERT (Belgium)
       • Serge Droz of SWITCH-CERT (Switzerland)
       • Andrew Cormack of JANET(UK)

  5. TRANSITS
     • 21 trainees from 14 countries.
     • Local assistance by the Bulgarian Academic CERT (Computer Emergency Response Team).
     • Workshop logistics organised by Jim Buddin from the TERENA Secretariat.

  6. Course structure
     • ~18 hours of work in 2 days.
     • 5 independent, linked modules: Organisation, Legal, Operation, Vulnerabilities, Technical.
     • Practical exercises include:
       • Analyse incidents
       • Organisational plan
       • Incident response plan

  7. Course structure (module overview): Organisation, Legal, Operation, Vulnerabilities, Technical.

  8. Organisational Issues (Don Stikvoort). Introducing the concept of a CSIRT:
     • Understanding your organisation: hierarchy, security management cycle, biggest threat.
     • Sell the idea to systems, networks, IT directors, business people, etc.
     • Write the proposal: educate the constituency, highlight non-compliance with standards, review the current security state and list the benefits to all departments of having a CSIRT.

  9. Organisational Issues. How to establish a CSIRT:
     • Planning (services) and recruitment (staff).
     • Incident resolution or handling: incident co-ordination, incident support, on-site incident response, incident analysis.

  10. Many things a CSIRT can do (no-one does all of these):
     • Incident Handling
     • Alerts & Warnings
     • Vulnerability Handling
     • Artefact Handling
     • Announcements
     • Technology Watch
     • Audits/Assessments
     • Configure and Maintain Tools/Applications/Infrastructure
     • Security Tool Development
     • Intrusion Detection
     • Information Dissemination
     • Risk Analysis
     • Business Continuity Planning
     • Security Consulting
     • Awareness Building
     • Education/Training
     • Product Evaluation

  11. Organisational Issues. Working links and funding:
     • Publicise your team.
     • Meet others (meetings, organisations, RFC 2350).
     • Monitoring and reporting.
     • CSIRT value for money.

  12. Course structure (module overview): Organisation, Legal, Operation, Vulnerabilities, Technical.

  13. Operational Issues (Lionel Ferette). Resources needed to deliver a service:
     • People, and a place for them to work.
     • Communications:
       • E-mail, telephone, (fax), web, internal communication.
     • Systems: software and hardware:
       • RTIR, monitoring, firewalls, computers, testbeds.

  14. Operational Issues. Procedures to achieve effective response:
     • Pre-incident:
       • Reducing the risk of incidents.
       • Need to know where the risk is to do this effectively.
       • Find out what risk assessment your organisation has done.
       • Preparing both CSIRT and users for incidents.
     • Incident response:
       • Documented steps to keep control of the incident.
     • Post-incident:
       • Reviewing what happened.
       • Learning lessons for constituency and CSIRT.

  15. Course structure (module overview): Organisation, Legal, Operation, Vulnerabilities, Technical.

  16. Legal Issues (Andrew Cormack). CSIRTs must operate legally, but IT law is:
     • Old: unclear, unsuitable, conflicting, …, and/or
     • New: untried, incomplete, inconsistent, volatile, …
     • Whose law is it anyway? The Internet crosses borders.

  17. Why does law matter? Laws do exist (Act of God/Fact of Nature):
     • Abstract on paper, concrete when you run into them.
     • Can’t avoid them: must be prepared.
     • CSIRTs can help make legislation better.

  18. Course structure (module overview): Organisation, Legal, Operation, Vulnerabilities, Technical.

  19. Technical Issues (Serge Droz). Become familiar with:
     • The technical concepts behind computer security incidents.
     • The incident technical terminology used.
     • How intruders work.
     • What weaknesses are exploited.
     • What CSIRTs can do.

  20. Course structure (module overview): Organisation, Legal, Operation, Vulnerabilities, Technical.

  21. Vulnerabilities (Andrew Cormack)
     • Vulnerabilities cannot be avoided.
     • Why do vulnerabilities happen?
       • Laws of nature
       • Customer demands
       • Vendor pressures
     • Sources of information: incident reports, the full-disclosure community, hackers, vendors, commercial services, other CSIRTs.

  22. Vulnerabilities
     • Information sources exist, but:
       • They are not always straightforward to use.
       • Dealing with them is hard, technically and especially politically.
     • Every CSIRT can and should contribute (distribution, interpretation, investigation, coordination).

  23. Course structure (module overview: Organisation, Legal, Operation, Vulnerabilities, Technical). Practical exercises:
     • Special topics
     • PGP key signing
     • Group exercise

  24. Glossary
     • CERT: Computer Emergency Response Team.
     • CSIRT: Computer Security Incident Response Team.
     • ENISA: European Network and Information Security Agency.
     • FIRST: Forum of Incident Response and Security Teams.
     • PGP: Pretty Good Privacy.
     • RTIR: Request Tracker for Incident Response.
     • TERENA: Trans-European Research and Education Networking Association.
     • TRANSITS: Training of Network Security Incident Teams' Staff.

  25. Questions?
