The Internet Governance Forum

		[Back to Best Practice Forums] 
[Link to Session]

IGF 2015 Session

Mailing List

Community

Lead Experts

Resources

Documents

Review Platform

IGF 2015 Session
This year, the IGF launched a Best Practices effort on the establishment of CERT teams for Internet Security. Over the last two months, three Lead experts supported by an independent consultant engaged with a community of participants from major stakeholder groups to exchange existing CSIRT development practices and discussed ways to further collaborate. A draft document was developed based on these initial discussions. The topics identified as part of this multi-stakeholder preparatory process will be further discussed and finalized during this 90 minute session.
CERT or CSIRT (Computer Security Incident Response Teams) are organizations of information security personnel who aim to address security incidents as they arise, whether at an organizational, pan-organizational or even national level.  They follow defined processes, combined with engineering ingenuity, to ensure security incidents are properly identified, contained and remediated. By nature, many incidents have impact beyond the constituency of one CSIRT, and thus teams often partner with other teams, as well as with private sector, government, civil society and the technical community to protect users of the internet.
This round table session will cover the various opportunities and challenges involved in the establishment of Computer Emergency Response Teams to improve internet security.  
Topics to be discussed will include the role of a CSIRT teams in private sector and government, what a “national CSIRT” truly means, and the high level collaboration processes involved in coordinating widespread incidents. As output of this session, a summary document will be published by the IGF, with recommendations and next-steps on topics ripe for further multi-stakeholder debate between the technical community, government, civil society and private sector.
The session will be led by lead experts Christine Hoepers (of CERT.br), Adli Wahid and Maarten Van Horenbeeck (of FIRST) and supported by UN consultant Wout De Natris. We strongly invite participants from all stakeholder groups to attend the session and contribute. No technical experience in the CSIRT community is required, though we recommend making yourself familiar with the preparatory document shared on the IGF web site to be prepared for the discussion.
Videos and Transcripts

Establishing and supporting CERTs for Internet security (BPF3)

      - Link to Transcript
     - Link to YouTube

Mailing List
http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org 

Community
Join Establishing and supporting Computer Emergency Response Teams (CERTs) for Internet security in our Community Section

Lead Experts
- Lead-expert, Maarten Van Horenbeeck, Director of Security at Fastly
- Cristine Hoepers, Manager CERT Brazil

- Adli Wahid, Security Specialist at APNIC

- Yuri Ito, manager CERT Japan

- Jean-Robert Hountomey, Africa CERT 

Resources

Links to associations of CSIRT teams
Forum of Incident Response and Security Teams
http://www.first.org
Asia Pacific Computer Emergency Response Team
http://www.apcert.org
Task Force for Computer Security Incident Response Teams
http://www.tf-csirt.org
Organisation of the Islamic Cooperation - Computer Emergency Response Team
http://www.oic-cert.org
African Forum of Computer Incident Response Teams
http://www.africacert.org

Directories of CSIRT
List of FIRST member CSIRT
http://www.first.org/members/teams
List of Trusted Introducer listed CSIRT
https://www.trusted-introducer.org/directory/index.html

Incident Response Exercises
OIC-CERT drill 2014
http://www.oic-cert.org/v1/news/01_2014.pdf
APCERT drill 2014
http://www.apcert.org/documents/pdf/APCERTDrill2013PressRelease_AP.pdf

Guidance on establishing CSIRT capability
8 steps of creating a CERT (by CERT/CC)
http://www.cert.org/incident-management/products-services/creating-a-csirt.cfm?
ENISA CERT inventory by country
https://www.enisa.europa.eu/activities/cert/background/inv/certs-by-country-interactive-map
RFC 2350: Expectations for Computer Security Incident Response
https://www.ietf.org/rfc/rfc2350.txt
CSIRT Services list (by CERT/CC)
http://www.cert.org/incident-management/services.cfm
Blog entry on government CSIRT and information sharing
https://community.ja.net/blogs/regulatory-developments/article/government-certs-and-information-sharing
ENISA CSIRT Best Practices documentation
http://www.enisa.europa.eu/activities/cert/support
ENISA Repository on CSIRT
https://www.enisa.europa.eu/activities/cert
CERT/CC Incident Management Publications
http://cert.org/incident-management/publications/index.cfm
ENISA "A step-by-step approach on how to setup a CSIRT"
https://www.enisa.europa.eu/activities/cert/support/guide
CSIRT Frequently Asked Questions
http://www.cert.org/incident-management/csirt-development/csirt-faq.cfm
Creating a Computer Security Incident Response Team: A Process for Getting Started 
http://www.cert.org/incident-management/products-services/creating-a-csirt.cfm
Action List for Developing a Computer Security Incident Response Team (CSIRT)
http://www.cert.org/incident-management/csirt-development/action-list.cfm
CSIRT Services
http://www.cert.org/incident-management/services.cfm
Staffing Your Computer Security Incident Response Team -   What Basic Skills Are Needed? 
http://www.cert.org/incident-management/csirt-development/csirt-staffing.cfm
Handbook for CSIRTs
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=6305
Defining Incident Management Processes for CSIRTs: A Work in Progress
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=7153
Incident Management Capability Metrics (IMCM)
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=8379
Mission Risk Diagnostic for Incident Management Capabilities
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=91452
Organizational Models for Computer Security Incident Response Teams
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=6295
Incident Management topics on the Build Security In (BSI) website
https://buildsecurityin.us-cert.gov/articles/best-practices/incident-management/incident-management
Defining Computer Security Incident Response Teams
https://buildsecurityin.us-cert.gov/articles/best-practices/incident-management/defining-computer-security-incident-management-teams
Avoiding the Trial-by-Fire Approach to Security Incidents
http://www.sei.cmu.edu/library/abstracts/news-at-sei/securitymattersmar99.cfm
State of the Practice of Computer Security Incident Response Teams
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=6571
NCSC New Zealand Best Practice Guide for starting up a CSIRT
http://www.ncsc.govt.nz/assets/NCSC-Documents/New-Zealand-Security-Incident-Management-Guide-for-Computer-Security-Incident-Response-Teams-CSIRTs.pdf
ENISA Collection on National Cyber Security Strategies
http://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss
ENISA Cert Cooperation and its further facilitation by relevant stakeholders
https://www.enisa.europa.eu/activities/cert/background/coop
NIST Guide on Computer Security Incident Handling
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
Summary of ISO 27035 on Incident Security Management
http://www.iso27001security.com/html/27035.html
Document on collaboration between CSIRTs and WARPs (ISACs)
http://www.warp.gov.uk/downloads/WARPCSIRT%20handout.pdf
CERT-in-a-box (by GovCERT.nl/NCSC-NL)
http://www.first.org/_assets/resources/guides/cert-in-a-box.zip

Documentation on tooling and data sources
ENISA/CERT Polska - Proactive detection of incidents
http://www.enisa.europa.eu/activities/cert/support/proactive-detection
ENISA Solutions for Improving Threat Data Exchange among CERTs
https://www.enisa.europa.eu/activities/cert/support/data-sharing

Policies mentioning CSIRT teams
African Union Convention on Cyber Security and Personal Data Protection
http://pages.au.int/infosoc/cybersecurity
EU Cybersecurity strategy
http://ec.europa.eu/digital-agenda/en/pillar-iii-trust-security/action-38-member-states-establish-pan-european-computer-emergency-response
ITU Resolution 130
https://www.itu.int/osg/csd/intgov/resoultions_2010/PP-10/RESOLUTION_130.pdf

Case Studies of CSIRTs that were created:
Colombia
http://www.cert.org/incident-management/publications/case-studies/colombia.cfm
Tunisia
http://www.cert.org/incident-management/publications/case-studies/tunisia.cfm
Financial Institution
http://www.cert.org/incident-management/publications/case-studies/afi-case-study.cfm

Materials for National CSIRTs
Steps for Creating National CSIRTs
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=53062
Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability (Version 2.0)
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=9999
Establishing a National CSIRT
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=34434 (podcast)
Tackling Security at the National Level: A Resource for Leaders
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=34478 (podcast)

Existing cooperation initiatives
The importance of a Multistakeholder Approach to Cybersecurity Effectiveness (by the Brazilian Internet Steering Committee - CGI.br)
http://content.netmundial.br/contribution/the-importance-of-a-multistakeholder-approach-to-cybersecurity-effectiveness/180
Towards an open, free and robust internet for the future. (by Walid Al-Saqaf of ISOC-Yemen)
http://content.netmundial.br/contribution/towards-an-open-free-and-robust-internet-for-the-future/115
Google Submission for NETMundial conference. (by Google Inc.)
http://content.netmundial.br/contribution/google-submission-for-netmundial-conference/147

Examples of existing CSIRT services
CERT-FI's Vulnerability Coordination Policy
https://www.viestintavirasto.fi/images/certfipdftiedostot/5md66C89r/CERT-FI_Vulnerability_Coordination_Policy.pdf
ICASI Unified Security Incident Response Plan
http://www.icasi.org/projects#usirp

Contributed examples of use case information sharing
Driving Toward More Effective Sharing Models:
http://www.rsaconference.com/blogs/478/moriarty/driving-towards-more-effective-sharing-models
Article on ISAC effectiveness
http://www.govtech.com/federal/Some-Governments-Unaware-of-Special-DHS-Cybersecurity-Program.html
Anti Phishing Working Group (APWG)
http://www.apwg.com/
MAAWG- Mail abuse via ARF agents
http://maawg.org/sites/maawg/files/news/M3AAWG_Feedback_Reporting_Recommendation_BP-2014-02.pdf
http://www.maawg.org/sites/maawg/files/news/M3AAWG_Spamtrap_Operations_BCP-2013-10.pdf
http://blog.returnpath.com/blog/jd-falk/arf-demystified
ACDC- Advanced Cyber Defence Centre
http://ec.europa.eu/information_society/apps/projects/factsheet/index.cfm?project_ref=325188
Notification of network configuration issues
https://datatracker.ietf.org/doc/draft-ietf-dnsop-as112-dname/
http://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc6304bis/

Literature List

Review Platform
http://review.intgovforum.org/second-draft-report-bpf-on-establishing-and-supporting-computer-security-incident-response-teams-csirt-for-internet-security-2015/

The Internet Governance Forum

Establishing and supporting Computer Incident Security Response Teams (CSIRTs) for Internet security

IGF 2015 Session