IGF 2015 Session
This year, the IGF launched a Best Practices effort on the establishment of CERT teams for Internet security. Over the last two months, three lead experts, supported by an independent consultant, engaged with a community of participants from the major stakeholder groups to exchange existing CSIRT development practices and discuss ways to collaborate further. A draft document was developed based on these initial discussions. The topics identified in this multi-stakeholder preparatory process will be discussed further and finalized during this 90-minute session.
CERTs or CSIRTs (Computer Security Incident Response Teams) are organizations of information security personnel who address security incidents as they arise, whether at an organizational, pan-organizational or even national level. They follow defined processes, combined with engineering ingenuity, to ensure that security incidents are properly identified, contained and remediated. By nature, many incidents have impact beyond the constituency of a single CSIRT, so teams often partner with other teams, as well as with the private sector, government, civil society and the technical community, to protect users of the Internet.
This round table session will cover the various opportunities and challenges involved in the establishment of Computer Emergency Response Teams to improve internet security.
Topics to be discussed will include the role of CSIRT teams in the private sector and government, what a “national CSIRT” truly means, and the high-level collaboration processes involved in coordinating widespread incidents. As an output of this session, a summary document will be published by the IGF, with recommendations and next steps on topics ripe for further multi-stakeholder debate between the technical community, government, civil society and the private sector.
The session will be led by lead experts Cristine Hoepers (of CERT.br), Adli Wahid and Maarten Van Horenbeeck (of FIRST) and supported by UN consultant Wout De Natris. We strongly invite participants from all stakeholder groups to attend the session and contribute. No technical experience in the CSIRT community is required, though we recommend familiarizing yourself with the preparatory document shared on the IGF web site to prepare for the discussion.
Videos and Transcripts
Establishing and supporting CERTs for Internet security (BPF3)
Mailing List
http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org
Community
Join the “Establishing and supporting Computer Emergency Response Teams (CERTs) for Internet security” group in our Community section.
Lead Experts
- Maarten Van Horenbeeck, Director of Security at Fastly (lead expert)
- Cristine Hoepers, Manager, CERT.br (CERT Brazil)
- Adli Wahid, Security Specialist at APNIC
- Yuri Ito, Manager, CERT Japan
- Jean-Robert Hountomey, Africa CERT
Resources
Links to associations of CSIRT teams
- Forum of Incident Response and Security Teams (FIRST)
- Asia Pacific Computer Emergency Response Team (APCERT)
- Task Force for Computer Security Incident Response Teams
- Organisation of the Islamic Cooperation - Computer Emergency Response Team (OIC-CERT)
- African Forum of Computer Incident Response Teams

Directories of CSIRTs
- List of FIRST member CSIRTs: http://www.first.org/members/teams
- List of Trusted Introducer listed CSIRTs: https://www.trusted-introducer.org/directory/index.html

Incident Response Exercises
- OIC-CERT drill 2014: http://www.oic-cert.org/v1/news/01_2014.pdf
- APCERT drill 2014: http://www.apcert.org/documents/pdf/APCERTDrill2013PressRelease_AP.pdf

Guidance on establishing CSIRT capability
- 8 steps of creating a CERT (by CERT/CC): http://www.cert.org/incident-management/products-services/creating-a-csirt.cfm?
- ENISA CERT inventory by country: https://www.enisa.europa.eu/activities/cert/background/inv/certs-by-country-interactive-map
- RFC 2350: Expectations for Computer Security Incident Response: https://www.ietf.org/rfc/rfc2350.txt
- CSIRT Services list (by CERT/CC): http://www.cert.org/incident-management/services.cfm
- Blog entry on government CSIRT and information sharing
- ENISA CSIRT Best Practices documentation: http://www.enisa.europa.eu/activities/cert/support
- ENISA Repository on CSIRT: https://www.enisa.europa.eu/activities/cert
- CERT/CC Incident Management Publications: http://cert.org/incident-management/publications/index.cfm
- ENISA "A step-by-step approach on how to setup a CSIRT": https://www.enisa.europa.eu/activities/cert/support/guide
- CSIRT Frequently Asked Questions: http://www.cert.org/incident-management/csirt-development/csirt-faq.cfm
- Creating a Computer Security Incident Response Team: A Process for Getting Started: http://www.cert.org/incident-management/products-services/creating-a-csirt.cfm
- Action List for Developing a Computer Security Incident Response Team (CSIRT): http://www.cert.org/incident-management/csirt-development/action-list.cfm
- Staffing Your Computer Security Incident Response Team - What Basic Skills Are Needed?: http://www.cert.org/incident-management/csirt-development/csirt-staffing.cfm
- Handbook for CSIRTs: http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=6305
- Defining Incident Management Processes for CSIRTs: A Work in Progress: http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=7153
- Incident Management Capability Metrics (IMCM): http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=8379
- Mission Risk Diagnostic for Incident Management Capabilities: http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=91452
- Organizational Models for Computer Security Incident Response Teams: http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=6295
- Incident Management topics on the Build Security In (BSI) website: https://buildsecurityin.us-cert.gov/articles/best-practices/incident-management/incident-management
- Defining Computer Security Incident Response Teams
- Avoiding the Trial-by-Fire Approach to Security Incidents: http://www.sei.cmu.edu/library/abstracts/news-at-sei/securitymattersmar99.cfm
- State of the Practice of Computer Security Incident Response Teams: http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=6571
- NCSC New Zealand Best Practice Guide for starting up a CSIRT
- ENISA Collection on National Cyber Security Strategies: http://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss
- ENISA CERT Cooperation and its further facilitation by relevant stakeholders: https://www.enisa.europa.eu/activities/cert/background/coop
- NIST Guide on Computer Security Incident Handling (SP 800-61 rev. 2): http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
- Summary of ISO 27035 on information security incident management: http://www.iso27001security.com/html/27035.html
- Document on collaboration between CSIRTs and WARPs (ISACs): http://www.warp.gov.uk/downloads/WARPCSIRT%20handout.pdf
- CERT-in-a-box (by GovCERT.nl/NCSC-NL): http://www.first.org/_assets/resources/guides/cert-in-a-box.zip

Documentation on tooling and data sources
- ENISA/CERT Polska - Proactive detection of incidents: http://www.enisa.europa.eu/activities/cert/support/proactive-detection
- ENISA Solutions for Improving Threat Data Exchange among CERTs: https://www.enisa.europa.eu/activities/cert/support/data-sharing

Policies mentioning CSIRT teams
- African Union Convention on Cyber Security and Personal Data Protection: http://pages.au.int/infosoc/cybersecurity
- EU Cybersecurity Strategy
- ITU Resolution 130: https://www.itu.int/osg/csd/intgov/resoultions_2010/PP-10/RESOLUTION_130.pdf

Case studies of CSIRTs that were created
- Colombia: http://www.cert.org/incident-management/publications/case-studies/colombia.cfm
- Tunisia: http://www.cert.org/incident-management/publications/case-studies/tunisia.cfm
- Financial Institution: http://www.cert.org/incident-management/publications/case-studies/afi-case-study.cfm

Materials for National CSIRTs
- Steps for Creating National CSIRTs: http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=53062
- Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability (Version 2.0): http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=9999
- Establishing a National CSIRT (podcast): http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=34434
- Tackling Security at the National Level: A Resource for Leaders (podcast): http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=34478

Existing cooperation initiatives
- The Importance of a Multistakeholder Approach to Cybersecurity Effectiveness (by the Brazilian Internet Steering Committee - CGI.br)
- Towards an open, free and robust Internet for the future (by Walid Al-Saqaf of ISOC-Yemen)
- Google Submission for NETmundial conference (by Google Inc.): http://content.netmundial.br/contribution/google-submission-for-netmundial-conference/147

Examples of existing CSIRT services
- CERT-FI's Vulnerability Coordination Policy
- ICASI Unified Security Incident Response Plan: http://www.icasi.org/projects#usirp

Contributed examples of information-sharing use cases
- Driving Toward More Effective Sharing Models: http://www.rsaconference.com/blogs/478/moriarty/driving-towards-more-effective-sharing-models
- Article on ISAC effectiveness: http://www.govtech.com/federal/Some-Governments-Unaware-of-Special-DHS-Cybersecurity-Program.html
- Anti-Phishing Working Group (APWG)
- MAAWG - Mail abuse reporting via ARF:
  - http://maawg.org/sites/maawg/files/news/M3AAWG_Feedback_Reporting_Recommendation_BP-2014-02.pdf
  - http://www.maawg.org/sites/maawg/files/news/M3AAWG_Spamtrap_Operations_BCP-2013-10.pdf
  - http://blog.returnpath.com/blog/jd-falk/arf-demystified
- ACDC - Advanced Cyber Defence Centre: http://ec.europa.eu/information_society/apps/projects/factsheet/index.cfm?project_ref=325188
- Notification of network configuration issues:
  - https://datatracker.ietf.org/doc/draft-ietf-dnsop-as112-dname/
  - http://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc6304bis/