[Bp_certs] Private sector CSIRT/PSIRT teams

Jahangir Hossain jrjahangir at gmail.com
Mon Jul 21 06:15:10 EDT 2014


Thanks Maarten for sharing this information.

I am Jahangir Hossain, working in an IP transit/solution provider as a technical
person, and also involved with a couple of civil society organizations in BD. As a
technical and civil society representative I have some observations about
private sector CSIRT/PSIRT teams, considering the experience of developing
countries where the security aspect is now growing.

For example, in our country, Bangladesh, we have an active private sector
CERT named Bangladesh Computer Emergency Response Team (bdCERT), which
works collaboratively with APCERT, OIC-CERT and others. We also have a
government-owned CERT named Bangladesh Computer Security Incident Response
Team (BD-CSIRT), which also works collaboratively with APCERT and OIC-CERT
but is not so active.

The problem is how to validate or give authority to the private CERT, compared to the Govt.-
owned CERT, among local stakeholders, especially at national level, to mitigate any
security related issue. This is because initially a Govt.-owned organization
like a CERT has the authority to ask for/share any information with other
stakeholders. Private sector CERTs are also working fine at national level,
but they have a limitation regarding the authority to ask for/share any information of
other stakeholders.

For example, if a private sector CERT (national level) requests
information from Google, Microsoft, Yahoo or another internationally
reputed service provider to mitigate an attack which occurred at national
level, then most of the time it is unable to get the information on time because of
its authority. I think we need to find a way to resolve this, but I
am really happy to see the member list of FIRST, which opens a new era in my mind.
Personally, it might be the same challenge for private enterprise CSIRTs
in developing countries.

Yes, I agree with your point, i.e. "National CSIRT teams can pass along
reports to the enterprise CSIRT managing the network from which the attack
originates". Also ISO/IEC can play an important role regarding
product security (PSIRT).

Regards // Jahangir Hossain | BD

On Wed, Jul 16, 2014 at 9:52 AM, Maarten Van Horenbeeck <maarten at first.org>
wrote:

> Hi everyone,
>
> I'd also like to thank you for participating in the IGF CERTs BPF.
>
> Following up to Cristine's point, I briefly wanted to cover another type
> of CSIRT team that contributes to internet security. There are CSIRT teams
> which have a more narrow constituency and because of that offer specialized
> contributions to internet security.
>
> A great example of these are private sector, enterprise incident response
> teams. Enterprise CSIRTs generally have as their constituency either the
> customers of an enterprise, or the employees and networks belonging to the
> enterprise.
>
> There are two important roles an enterprise CSIRT generally elects to take:
>
> (i) Product security (PSIRT): Enterprises which develop software or
> hardware products generally will have an incident response team for product
> security issues: investigating and addressing vulnerabilities or weaknesses
> in products which may be exploited and expose their customers to risk.
>
> (ii) Computer/Network security (CSIRT): Enterprises will often maintain an
> incident response team to respond to security breaches and incidents across
> their enterprise network.
>
> In addition, some enterprise CSIRT teams provide incident response
> services directly to customers of the enterprise. For instance, a
> corporation which provides IT services may also provide incident response
> services and develop a fully staffed and resourced incident response team
> to support its customers.
>
> While a national CSIRT will often take a coordinating role, and due to its
> prominence will be the team internet users internationally often reach out
> to in order to report an issue, many networks are privately owned, and
> actual incident handling, investigations and forensic efforts may need to
> be performed by the organization managing the network. This is often an
> enterprise CSIRT. National CSIRT teams can pass along reports to the
> enterprise CSIRT managing the network from which the attack originates
> either manually, through personal contacts, or through automated mechanisms
> (such as e-mail or more structured exchange mechanisms, driven using tools
> such as AbuseHelper or Megatron).
>
> In addition, most products are developed in the private sector. When a
> vulnerability is exploited in such a product, the victim under attack may
> reach out to the corporation who built the exploited product, to notify
> them of the vulnerability and request a fix. In some cases, when a
> vulnerability affects many vendors, the victim may choose to report the
> vulnerability to a vulnerability coordinator instead, who coordinates
> addressing the issue. Many national CSIRT teams have a vulnerability
> coordination role (often, but not always, indicated by /CC at the end of
> the name, which stands for Coordination Center).
>
> In those cases, the vulnerability coordinator will work with any private
> sector product security response teams affected to ensure the vulnerability
> is addressed (CERT-FI's vulnerability coordination policy is a good
> example:
> https://www.viestintavirasto.fi/images/certfipdftiedostot/5md66C89r/CERT-FI_Vulnerability_Coordination_Policy.pdf
> ).
>
> Private sector CSIRT and PSIRT teams can also provide expertise in areas
> of deep specialization. National CSIRT teams, due to the size and
> heterogeneity of their constituency, have to support a wide set of
> technologies. They tend to specialize in a few services and skills most
> relevant to their constituency, and have wide coverage of technologies. In
> the private sector, teams can specialize in specific technologies they have
> unique knowledge of, as they build the technology or heavily rely on it
> internally. This means that they may be uniquely placed to assist national
> CSIRT teams and the wider community in investigating an incident on a
> particular platform or application. Product security teams also often
> release advisories and bulletins notifying customers of new vulnerabilities
> that have been identified or fixed. National CSIRTs can take that
> information, and use it to advise their constituency accordingly on the
> risks involved, sometimes localizing (both in language or technology
> context) the information.
>
> These private sector teams often work with the community of CSIRTs by
> participating in the same forums many of the national CSIRT teams do. Two
> examples of this are FIRST, the Forum of Incident Response and Security
> Teams, and Trusted Introducer:
>
> http://www.first.org/members/teams
> https://www.trusted-introducer.org/directory/index.html
>
> There are also more integrated organizations which develop cross-company
> incident response plans for vulnerabilities which affect more than a single
> vendor. An example of such an organization is ICASI (
> http://www.icasi.org/projects#usirp) which developed a Unified Security
> Incident Response Plan (USIRP) for use across its member companies.
>
> Also of interest, there has recently been some work performed in the
> International Organization for Standardization (ISO) to develop guidelines
> on how to process and resolve vulnerability information in a product or
> service (ISO/IEC 30111:2013) and on methods vendors should use to address
> issues related to vulnerability disclosure (ISO/IEC 29147:2014).
>
> I'm interested in hearing from the civil society members of this forum- do
> you see similar teams developing in civil society? Do you work with
> national or private sector incident response teams?
>
> I look forward to continuing this discussion, and learning from everyone's
> experiences.
>
> Best regards,
> Maarten
>
> _______________________________________________
> Bp_certs mailing list
> Bp_certs at intgovforum.org
> http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org