This document discusses Computer Emergency Response Teams (CERTs) and the process of CERT certification. It describes what a CERT is and the types of services they provide, including reactive services like incident handling, and proactive services like security audits. The document outlines some of the challenges with certification, noting that certification alone does not guarantee performance and that poor performers can damage the reputation of certificate holders. It emphasizes that accreditation is also necessary to verify factors like a team's competence and procedures. The document provides information on the Trusted Introducer program which facilitates accreditation and information sharing between European CERTs.

1. May/Madrid 2007
Con la colaboración de
y el patrocinio de
CERT Certification
Vicente Aceituno

2.  As Louis Pasteur put it in a lecture in the
University of Lille: “In the fields of
observation chance favors only the prepared
mind”.

3. What?
 CERT or CERT/CC (Computer Emergency
Response Team / Coordination Center)
 CSIRT (Computer Security Incident Response
Team)
 IRT (Incident Response Team)
 CIRT (Computer Incident Response Team)
 SERT (Security Emergency Response Team)

4. CERT
 A Computer Security Incident Response Team (CSIRT)
is a service organization that is responsible for receiving,
reviewing, and responding to computer security incident
reports and activity.
 Their services are usually performed for a defined
constituency that could be a parent entity such as a
corporation, governmental, or educational organization;
a region or country; a research network; or a paid client.
(CERT/CC)

5. CERT - Benefits
 Centralized coordination for IT security issues within
the organization.
 Specialized handling of and response to IT incidents.
 Dealing with legal issues and preserving evidence in
the event of a lawsuit.
 Keeping track of developments in the security field.
 Stimulating cooperation within the constituency on IT
security (awareness building).

6. CERT - Types
 Academic Sector CSIRT
 Commercial CSIRT
 Governmental Sector CSIRT
 Internal CSIRT
 Military Sector CSIRT
 National CSIRT
 Small & Medium Enterprises (SME) Sector
CSIRT
 Vendor CSIRT

7. CERT - Services
 Reactive Services
 Alerts and Warnings
 Incident Handling
 Vulnerability Handling
 Artifact Handling

8. CERT - Services
 Proactive Services
 Technology Watch
 Announcements
 Security Audit or Assessments
 Configuration and Maintenance of Security
Tools, Applications and Infrastructures
 Development of Security Tools
 Intrusion Detection Services
 Security-Related Information Dissemination

9. CERT - Services
 Security Quality Management Services
 Risk Analysis
 Business Continuity & Disaster Recovery Planning
 Security Consulting
 Awareness Building
 Education / Training
 Product Evaluation or Certification

10. CERTs in Europe

11. Trust Building
 Team – Team
 Association
 Inter - Association
 Personal relationships.
 Certification - Trusted Introducer.
 Agreements:
 Code of Conduct.
 Memoranda of Understanding.
 SLAs.
 Adherence to standards.

12. Association - FIRST
 Mission:
 FIRST is an international confederation of trusted computer incident
response teams who cooperatively handle computer security
incidents and promote incident prevention programs.
 FIRST members develop and share technical information, tools,
methodologies, processes and best practices
 FIRST encourages and promotes the development of quality
security products, policies & services
 FIRST develops and promulgates best computer security practices
 FIRST promotes the creation and expansion of Incident Response
teams and membership from organizations from around the world
 FIRST members use their combined knowledge, skills and
experience to promote a safer and more secure global electronic
environment.

13. Certification - Trust
 A way to evidence the organization's stance on security;
 A part of a contract to ensure commitment by one of the
parties to security management;
 A mechanism to ensure mutual understanding of the
services obtained from a provider.
 Trust relationships with Third Parties, like Partners,
Customers and Suppliers.

14. CERT Certification
 What is certification good for?
 It is a driver for implementation of better IS
practices.

15. Certification - Trust
 What is certification good for?
 Establishing trust relationships.

16. Certification - Challenges
 Challenges
 Certification doesn’t guarantee performance.
Performance depends on the budget, the capability
and the commitment of those involved in running it.
 Certification only guarantees that the cause of faults
is not poor process design.
 Poor performers and bogus certifications lower the
reputation of the certification and damage the
reputation of all certificate holders.

17. Certification - Challenges
Specification

18. Certification - Challenges
Different
Implementations

19. Certification - Challenges
If you get the
same certificate

20. Certification - Challenges
For different
implementations

21. Certification - Challenges
The market
reputation you
will get is that of
the worst
implementation

22. Certification - Challenges
 Challenges:
 Some threats fall out of the scope of information
security:
– Human error;
– Incompetence;
– Fraud;
– Corruption.

23. Certification - Challenges

24. Certification - Summary
 Certification doesn’t guarantee
performance.
 Bad performers damage the
reputation of all certificate holders.

25. Accreditation
Accreditation Entity Accreditation Entity
Certification Entity
Final User

26. Trusted Introducer (TERENA)
 The Trusted Introducer (TI) is a trust broker for
European CERTs with three levels:
 Listed – any team identified within the scope of
TI
 Accreditation Candidate – a team which received
and accepted invitation for Accreditation process
 Accredited – a team which successfully
completed accreditation / verification process

27. Certification – Challenges
 Certification is not enough!
 Accreditation is necessary:
 Verification of personnel's competence.
 Verification of team's procedures and policies
 Verification of financial stability and
sustainability.
 Verification of basic operational factors, such
as reachability or response times.

28. Sources
 CMU/SEI Handbook for Computer Security Incident Response Teams (CSIRTs)
 ENISA’s CERT in Europe v1.4
 ENISA’s CERT cooperation and its further facilitation by relevant stakeholders.
 ENISA’s Information Security Certification Schemes Workshop 2006 Minutes, materials
and Report.
 ENISA’s Inventory of CERT activities in Europe.
 ENISA www.enisa.europa.eu/cert%5Finventory/index_inventory.htm
 EA 7/03 Guidelines for the Accreditation of Bodies Operating Certification/Registration of
Information Security Management Systems.
 FIRST - www.first.com
 ISM3 v2.00
 ISO/IEC 27001:2005 Information technology — Security techniques — Information
security management systems — Requirements
 Information Security Management Maturity Model v2.00
 ISO/IEC 19011:2002 Guidelines for quality and/or environmental management systems
auditing
 Terena’s Trusted Introducer Service (TI)
 Terena’s TF-CSIRT.
 Terena’s A Trusted CSIRT Introducer in Europe.

29. May/Madrid 2007
Con la colaboración de
y el patrocinio de
THANKS

30. Creative Commons Attribution-NoDerivs 2.0
You are free:
•to copy, distribute, display, and perform this work
•to make commercial use of this work
Under the following conditions:
Attribution. You must give the original author credit.
No Derivative Works. You may not alter, transform, or build upon this
work.
For any reuse or distribution, you must make clear to others the license terms of this work.
Any of these conditions can be waived if you get permission from the author.
Your fair use and other rights are in no way affected by the above.
This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy
of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative
Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

31. Trusted Introducer (TERENA)
 An invitation to start the accreditation process can be sent to a "Listed" team
upon its request or e.g. by recommendation of an already "Accredited" CERT.
The process of accreditation requires the team to declare its support for a
number of criteria and provide a standardized set of information about itself.
This data is then kept and maintained by the TI to ensure it is correct and up to
date. Gaining the "Accredited" level results in access to numerous services,
e.g. a database of in-depth operational contacts of all accredited teams, the TI
mailing lists open to accredited CERTs only, PGP key signing, etc. The
services of the TI are provided by an independent contractor appointed by
TERENA and supervised by TI Review Board consisting of 5 members: a
TERENA representative, three members elected by accredited teams and the
chair of TERENA TF-CSIRT ex officio.