[Bp_certs] Private sector CSIRT/PSIRT teams
Mirosław Maj
miroslaw.maj at cybsecurity.org
Mon Jul 21 07:08:15 EDT 2014
Dear Colleagues,
Important topic mentioned by Jahangir.
IMHO one of the best solutions to deal with this problem is to follow an
official constituency of the particular (does not matter gov/national
or private) CERT. Your authority of acting as a CERT for the
constituency should be enough and required at the same time to
ask/request/be_asked regarding this constituency.
Kind Regards
Miroslaw Maj
--
Cybersecurity Foundation
20 Tytoniowa Str
04-228 Warsaw, Poland
tel: +48 22 112 0 800
mobile: +48 608 508 702
e-mail: miroslaw.maj at cybsecurity.org
www: http://www.cybsecurity.org/
On Mon Jul 21 12:15:10 2014 Jahangir Hossain wrote:
> Thanks Maarten for sharing this information.
>
> I am Jahangir Hossain, working in an IP Transit/Solution provider as a
> technical person, and also involved in a couple of civil society
> organizations in BD. As a technical and civil society representative I
> have some observations about private sector CSIRT/PSIRT teams, considering
> developing country experience where the security aspect is now growing.
>
> For example, in our country, Bangladesh, we have an active private
> sector CERT named Bangladesh Computer Emergency Response Team (bdCERT),
> which is collaboratively working with APCERT, OIC-CERT and others. We also
> have a government-owned CERT named Bangladesh Computer Security Incident
> Response Team (BD-CSIRT), which is also collaboratively working with
> APCERT and OIC-CERT but is not so active.
>
> The problem is to validate or authorize the private CERT compared to the
> Govt.-owned CERT among local stakeholders, especially at the national
> level, to mitigate any security related issue. This is because initially
> Govt.-owned organizations like CERT have the authority to ask/share any
> information to other stakeholders. The private sector CERT is also working
> fine at the national level, but it has a limitation about authority to
> ask/share any information of other stakeholders.
>
> For example, if a private sector CERT (national level) requests
> information from Google, Microsoft, Yahoo or another
> internationally reputed service provider to mitigate an attack which
> occurred at the national level, then most of the time it is unable to get
> the information on time because of their authority. I think we need to
> find out the way to resolve this, but I am really happy to see the member
> list of FIRST, which makes a new era in my mind. Personally, it might be
> the same challenges for private enterprise CSIRTs in developing countries.
>
> Yes, I agree with your point, i.e. "National CSIRT teams can pass
> along reports to the enterprise CSIRT managing the network from which
> the attack originates". Also, ISO/IEC can play an important role
> regarding product security (PSIRT).
>
>
> Regards // Jahangir Hossain | BD
>
> On Wed, Jul 16, 2014 at 9:52 AM, Maarten Van Horenbeeck
> <maarten at first.org> wrote:
>
> Hi everyone,
>
> I'd also like to thank you for participating in the IGF CERTs BPF.
>
> Following up to Cristine's point, I briefly wanted to cover
> another type of CSIRT team that contributes to internet security.
> There are CSIRT teams which have a more narrow constituency and
> because of that offer specialized contributions to internet security.
>
> A great example of these are private sector, enterprise incident
> response teams. Enterprise CSIRTs generally have as their
> constituency either the customers of an enterprise, or the
> employees and networks belonging to the enterprise.
>
> There are two important roles an enterprise CSIRT generally elects
> to take:
>
> (i) Product security (PSIRT): Enterprises which develop software
> or hardware products generally will have an incident response team
> for product security issues - investigating and addressing
> vulnerabilities or weaknesses in products which may be exploited
> and expose their customers to risk.
>
> (ii) Computer/Network security (CSIRT): Enterprises will often
> maintain an incident response team to respond to security breaches
> and incidents across their enterprise network.
>
> In addition, some enterprise CSIRT teams provide incident response
> services directly to customers of the enterprise. For instance, a
> corporation which provides IT services may also provide incident
> response services and develop a fully staffed and resourced
> incident response team to support its customers.
>
> While a national CSIRT will often take a coordinating role - and
> due to its prominence will be the team internet users
> internationally often reach out to in order to report an issue,
> many networks are privately owned, and actual incident handling,
> investigations and forensic efforts may need to be performed by
> the organization managing the network. This is often an enterprise
> CSIRT. National CSIRT teams can pass along reports to the
> enterprise CSIRT managing the network from which the attack
> originates either manually, through personal contacts, or through
> automated mechanisms (such as e-mail or more structured exchange
> mechanisms, driven using tools such as AbuseHelper or Megatron).
>
> In addition, most products are developed in the private sector.
> When a vulnerability is exploited in such product, the victim
> under attack may reach out to the corporation who built the
> exploited product, to notify them of the vulnerability and request
> a fix. In some cases, when a vulnerability affects many vendors,
> the victim may choose to report the vulnerability to a
> vulnerability coordinator instead, who coordinates addressing the
> issue. Many national CSIRT teams have a vulnerability coordination
> role (often, but not always, indicated by /CC at the end of the
> name, which stands for Coordination Center).
>
> In those cases, the vulnerability coordinator will work with any
> private sector product security response teams affected to ensure
> the vulnerability is addressed (CERT-FI's vulnerability
> coordination policy is a good example:
> https://www.viestintavirasto.fi/images/certfipdftiedostot/5md66C89r/CERT-FI_Vulnerability_Coordination_Policy.pdf).
>
> Private sector CSIRT and PSIRT teams can also provide expertise in
> areas of deep specialization. National CSIRT teams, due to the
> size and heterogeneity of their constituency, have to support a
> wide set of technologies. They tend to specialize in a few
> services and skills most relevant to their constituency, and have
> wide coverage of technologies. In the private sector, teams can
> specialize in specific technologies they have unique knowledge of,
> as they build the technology or heavily rely on it internally.
> This makes that they may be uniquely placed to assist national
> CSIRT teams and the wider community in investigating an incident
> on a particular platform or application. Product security teams
> also often release advisories and bulletins notifying customers of
> new vulnerabilities that have been identified or fixed. National
> CSIRTs can take that information, and use it to advise their
> constituency accordingly on the risks involved, sometimes
> localizing (both in language or technology context) the information.
>
> These private sector teams often work with the community of
> CSIRTs by participating in the same forums many of the national
> CSIRT teams do. Two examples of this are FIRST, the Forum of
> Incident Response and Security Teams, and Trusted Introducer:
>
> http://www.first.org/members/teams
> https://www.trusted-introducer.org/directory/index.html
>
> There are also more integrated organizations which develop
> cross-company incident response plans for vulnerabilities which
> affect more than a single vendor. An example of such an
> organization is ICASI (http://www.icasi.org/projects#usirp) which
> developed a Unified Security Incident Response Plan (USIRP) for
> use across its member companies.
>
> Also of interest, there has recently been some work performed in
> the International Organization for Standardization (ISO) to
> develop guidelines on how to process and resolve vulnerability
> information in a product or service (ISO/IEC 30111:2013) and on
> methods vendors should use to address issues related to
> vulnerability disclosure (ISO/IEC 29147:2014).
>
> I'm interested in hearing from the civil society members of this
> forum - do you see similar teams developing in civil society? Do
> you work with national or private sector incident response teams?
>
> I look forward to continuing this discussion, and learning from
> everyone's experiences.
>
> Best regards,
> Maarten
>
> _______________________________________________
> Bp_certs mailing list
> Bp_certs at intgovforum.org <mailto:Bp_certs at intgovforum.org>
> http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org