[Bp_certs] Private sector CSIRT/PSIRT teams

Maarten Van Horenbeeck maarten at first.org
Tue Jul 15 23:52:21 EDT 2014


Hi everyone,

I'd also like to thank you for participating in the IGF CERTs BPF.

Following up to Cristine's point, I briefly wanted to cover another type of
CSIRT team that contributes to internet security. There are CSIRT teams
which have a more narrow constituency and because of that offer specialized
contributions to internet security.

A great example of these are private sector, enterprise incident response
teams. Enterprise CSIRTs generally have as their constituency either the
customers of an enterprise, or the employees and networks belonging to the
enterprise.

There are two important roles an enterprise CSIRT generally elects to take:

(i) Product security (PSIRT): Enterprises which develop software or
hardware products generally will have an incident response team for product
security issues, investigating and addressing vulnerabilities or weaknesses
in products which may be exploited and expose their customers to risk.

(ii) Computer/Network security (CSIRT): Enterprises will often maintain an
incident response team to respond to security breaches and incidents across
their enterprise network.

In addition, some enterprise CSIRT teams provide incident response services
directly to customers of the enterprise. For instance, a corporation which
provides IT services may also provide incident response services and
develop a fully staffed and resourced incident response team to support its
customers.

While a national CSIRT will often take a coordinating role, and due to its
prominence will be the team internet users internationally often reach out
to in order to report an issue, many networks are privately owned, and
actual incident handling, investigations and forensic efforts may need to
be performed by the organization managing the network. This is often an
enterprise CSIRT. National CSIRT teams can pass along reports to the
enterprise CSIRT managing the network from which the attack originates
either manually, through personal contacts, or through automated mechanisms
(such as e-mail or more structured exchange mechanisms, driven using tools
such as AbuseHelper or Megatron).

In addition, most products are developed in the private sector. When a
vulnerability is exploited in such a product, the victim under attack may
reach out to the corporation who built the exploited product, to notify
them of the vulnerability and request a fix. In some cases, when a
vulnerability affects many vendors, the victim may choose to report the
vulnerability to a vulnerability coordinator instead, who coordinates
addressing the issue. Many national CSIRT teams have a vulnerability
coordination role (often, but not always, indicated by /CC at the end of
the name, which stands for Coordination Center).

In those cases, the vulnerability coordinator will work with any private
sector product security response teams affected to ensure the vulnerability
is addressed (CERT-FI's vulnerability coordination policy is a good
example:
https://www.viestintavirasto.fi/images/certfipdftiedostot/5md66C89r/CERT-FI_Vulnerability_Coordination_Policy.pdf).

Private sector CSIRT and PSIRT teams can also provide expertise in areas of
deep specialization. National CSIRT teams, due to the size and
heterogeneity of their constituency, have to support a wide set of
technologies. They tend to specialize in a few services and skills most
relevant to their constituency, and have wide coverage of technologies. In
the private sector, teams can specialize in specific technologies they have
unique knowledge of, as they build the technology or heavily rely on it
internally. This means they may be uniquely placed to assist national
CSIRT teams and the wider community in investigating an incident on a
particular platform or application. Product security teams also often
release advisories and bulletins notifying customers of new vulnerabilities
that have been identified or fixed. National CSIRTs can take that
information, and use it to advise their constituency accordingly on the
risks involved, sometimes localizing (both in language or technology
context) the information.

These private sector teams often work with the community of CSIRTs by
participating in the same forums many of the national CSIRT teams do. Two
examples of this are FIRST, the Forum of Incident Response and Security
Teams, and Trusted Introducer:

http://www.first.org/members/teams
https://www.trusted-introducer.org/directory/index.html

There are also more integrated organizations which develop cross-company
incident response plans for vulnerabilities which affect more than a single
vendor. An example of such an organization is ICASI (
http://www.icasi.org/projects#usirp) which developed a Unified Security
Incident Response Plan (USIRP) for use across its member companies.

Also of interest, there has recently been some work performed in the
International Organization for Standardization (ISO) to develop guidelines
on how to process and resolve vulnerability information in a product or
service (ISO/IEC 30111:2013) and on methods vendors should use to address
issues related to vulnerability disclosure (ISO/IEC 29147:2014).

I'm interested in hearing from the civil society members of this forum: do
you see similar teams developing in civil society? Do you work with
national or private sector incident response teams?

I look forward to continuing this discussion, and learning from everyone's
experiences.

Best regards,
Maarten