Creating a CERT at WARP Speed


My presentation at BruCON and Source Barcelona on how I set up the Irish CERT (IRISSCERT) using the WARP platform.

Published in: Technology
  • In 2004 I identified that Ireland had no CERT. I felt that this was a major weakness in our security infrastructure from both an economic and a national security point of view. In 2004 I took the decision to pursue the reasons why we had no CERT and, based on the responses, determine if we needed one. If it was determined we should have one, then outline a way forward for Ireland to have a CERT.
  • ISSA & UCD “CyberCrime Survey 2006”
      • 98% of all Companies Impacted
      • 90% impacted by computer virus infection
      • 20% suffered losses > €100,000
      • 33% suffered losses > €50,000
      • 52% of incidents resulted in 10 man days to recover
      • 25% of incidents resulted in 50 man days to recover
      • 55% lost data as a direct result
      • 90% suffered loss in productivity
      • 12% of internal misuse resulted in criminal cases
  • I met with the various stakeholders:
      • Department of Communications, responsible for Internet security
      • Subsequent meetings with:
          • An Garda Siochana (Irish Police)
          • Chambers Ireland
          • Irish Business and Employers Confederation
          • Enterprise Ireland
          • Irish Small & Medium Enterprises Association
          • Internet Service Provider Association of Ireland
          • Science Foundation Ireland
          • HEAnet CERT
          • Center for Cybercrime Investigation - University College Dublin
          • ISSA Ireland
          • Irish Information Systems Security Forum
          • The SANS Institute Europe
          • ENISA (the European Network and Information Security Agency)
          • Numerous Organisations of Varying Sizes
  • I conducted a survey to elicit people’s requirements from a CERT. That information was invaluable to the project.
  • Based on the feedback I got and the results of the survey the resounding response is that Ireland did need a CERT. Centre for Cybercrime in UCD were willing to host the CERT. I developed a business plan which was presented to the Dept outlining the research, the reasons behind the recommendations and suggested costs. I felt my work here was done and now a CERT would certainly happen. However, nothing happened. Despite numerous calls and emails progress was very, very slow.
  • Until the summer of 2007 and the DDOS attacks on Estonia. Now the phone calls and emails were coming to me!! Concern in Irish government sources that Ireland could be impacted in a similar fashion.
  • But then progress ground back to its usual pace. I got very frustrated with what I saw as a lack of progress. This was capped off when a member of a CERT team in another country told me that within the CSIRT community it was felt that China was more responsive to cyber crime issues than Ireland.
  • So I set up IRISS. IRISS is a registered not for profit company.
      • Business Day coverage
      • Contactable by email & web
      • Part Time Volunteer Staff
      • Irish Focused Security Information
  • In the main has been very positive
      • By members
      • By Press
      • Other CERTs
      • Some telco providers have been very positive and responsive to working with us.
      • Others not so cooperative.
  • Depending on Funding
      • Promote services so more people are aware of us.
      • Promote community involvement
          • Online discussion forums
          • Blog
          • Twitter
      • Conduct more research on Irish information security issues
      • Expand range of services
      • Become more involved in International CERT community
          • TF-CSIRT
              • Listed
              • Now seeking accreditation
          • FIRST
      • Annual conference
  • Who are your key stakeholders?
      • Internal to your organisations
          • Senior Management
          • IT
          • Business Managers
      • External
          • Clients
          • Partners
          • Vendors
  • Who will be your constituency?
      • Internal users?
      • By community type?
      • By industry type?
      • By geographical location?
  • Services to consider:
      • Incident Response
      • Forensics
      • Incident Co-ordination
      • Alerting
      • Training & Awareness
      • Malware analysis
      • Vulnerability Management
      • Auditing
      • Research
      • Best Practices
      • Providing Guidelines
  • What will you need to make your CSIRT successful?
      • Location
      • Equipment
      • Communications: Email? Phone? Fax? IM?
      • Staff
      • Training
      • Legal expertise
      • Documentation
      • Tools
      • Authority and Autonomy: Can you shut systems/networks down? If so what are the repercussions?
  • Tools:
      • Secure Email
      • Call logging and incident tracking system
      • Monitoring tools
      • Malware handling tools
      • Vulnerability management
      • Forensics and investigative tools
      • Processes and Procedures
      • Training
      • CERT NetSA Security Suite for Incident Handling Tools
  • Funding and support:
      • Staffing
      • Hosting
      • Premises
      • Software & Hardware
      • Telecoms
      • Insurance
      • Legal Counsel
      • Training & Research
      • Travel & Seminars
  • Practise:
      • Run drills on staff
      • Desktop exercises
      • Simulate incidents
      • Take part in national and international exercises
  • Establishing the IRT and delivering services:
      • Be Easily Accessible
      • Ensure Staff Are Trained Properly. Remember Soft Skills are Essential !!
      • Market the IRT and its Services
      • Create and Maintain Relationships
          • Law Enforcement
          • Other CERTs
          • Legal Counsel
          • Government Departments and Agencies
          • Representative Bodies
  • Remember - You Will be Needed
      • Learn from Mistakes
      • Highlight the Positives
      • Measure Your Effectiveness
          • Number of incidents
          • Type of Incidents
          • Costs
          • Reducing over time
      • Communicate Regularly
          • Clients & Stakeholders
  • Hurdles:
      • Patience is a Virtue
      • Funding or Lack of
      • Be Aware of Vested Interests
      • The CERT Community is Close Knit
      • Management Indifference
      • Your Reputation Could be at Stake
  • I did not have the funds outlined in the original proposal. I needed a solution that:
      • Was cost effective – remember I had no money
      • Could be tailored to suit the requirements of the community
      • Would provide support for a virtual team
      • Could get the services up and running quickly
      • Would support a community based approach
  • Creating a CERT at WARP Speed

    1. Creating A CERT at WARP Speed
    2. 2004 – The Journey Begins
    3. What’s Missing?
    4. Situation
        • Knowledge Economy
        • “Silicon Valley” Europe
        • Over 97% of Irish Businesses are SME
        • <50 Employees and Annual Turnover <€10m
        • Ever Increasing Dependence on ICT
        • No Independent Source of InfoSec information
        • Economy At Risk
        • National Security and CNI at Risk
        • Lack of Data for Law Enforcement
        • Soft Back Door to UK CNI
    5. Not a Fair Fight !
    6. Stakeholders
    7. Does Ireland Need a CERT?
    8. Job Complete?
    9. Estonia Effect
    10. Job Complete?
    11. IRISS Is Born
    12. Who is IRISS-CERT?
        • Ireland’s First CSIRT (Computer Security Incident Response Team)
        • Provide Services On Information Security
        • Services Provided Free of Charge
        • Not For Profit Organisation
    13. Services Offered
        • Irish Focused Alerts and Warnings
        • Vulnerability Awareness
        • Incident Awareness
        • Sanitised Attack Notifications
        • Coordination Service
        • Irish Focused Research
        • Trends and Metrics
        • General Awareness
        • Knowledge Sharing
        • Informal discussion
        • Information Sharing & Dissemination
    14. We Serve
        • Government Bodies and Agencies
        • Private Sector Companies
        • SME Sector
        • Industry Bodies
        • Other CERTs
    15. IRISS Associations
    16. Sponsors
    17. Reaction
    18. The Future
    19. Planning Your CERT
    20. Engage With Stakeholders
    21. Identify Your Clients
    22. Identify Services
    23. Establish Your Requirements
    24. Identify Tools
    25. Get Funding & Support
    26. Practise, Practise, Practise
    27. Establish the IRT
    28. Deliver Your Services
    29. Be Prepared
    30. Hurdles
    31. IRISS Is A WARP
    32. What Is A WARP?
    33. WARP MSP
    34. WARP MSP
    35. WARP MSP
    36. WARP MSP
    37. WARP FWA
    39. Why A WARP?
    40. More Resources
        • ENISA - A step-by-step approach on how to set up a CSIRT
        • CERT-in-a-box
        • Handbook for CSIRTs (CERT/CC)
        • Forming an Incident Response Team
        • NIST Computer Security Incident Handling Guide
        • CSIRT Starter Kit
        • Trusted Introducer for CSIRTs in Europe
        • Warning Advice and Warning Point (WARP)
    41. Questions ?

Copyright © 2010 IRISS www.irissie