Australia's Leading Computer Emergency Response Team

CSIRT Resources
Date: 27 February 2004
Original URL: http://www.auscert.org.au/render.html?cid=1920&it=3896

Introduction

With the increasing complexity of incidents, the need for a formalised incident response capability in organisations is growing more important all the time. Here we provide pointers to some Internet resources for those people interested in designing, developing and implementing a Computer Security Incident Response Team (CSIRT).


Developing a CSIRT

CERT/CC Resources

CERT/CC CSIRT Development resources

The CERT/CC maintains an extensive CSIRT development site based on their own materials and many pointers to other Internet resources.

The many useful resources there include:

Handbook for CSIRTs

A detailed guide covering all the major areas of CSIRT development and implementation, including CSIRT frameworks, policies, incident and vulnerability handling, and team operations. Written by highly experienced CSIRT staff from well-established teams.

State of the practice of computer security incident response

Want to know how real CSIRTs are structured, what services they provide, their funding models, staffing and many other details about their operations? Then check this report out. Based on the results of surveys sent to CSIRTs and their own vast experience in the CSIRT community, the authors provide a useful look at the current state of practice for CSIRTs around the world. Includes real examples of incident reporting forms and a useful bibliography.

Other useful CERT/CC documents include:

Creating a Computer Security Incident Response Team: A Process for Getting Started

Staffing Your Computer Security Incident Response Team - What Basic Skills Are Needed?

CSIRT FAQ

Sun Security Blueprints

Responding to Customer's Security Incidents--Part 1: Establishing Teams and a Policy

A guide for setting up a CSIRT within a corporate environment. The Responding to Customer's Security Incidents series continues with a number of other blueprints relating to setting up, implementing and performing incident response for organisations. See below for more details.

AusCERT papers

Forming an Incident Response Team

This paper describes the formation of AusCERT and provides a lot of practical information in terms of setting up a CSIRT.


CSIRT regional initiatives and forums

Looking for a CSIRT that may be able to assist you on an incident you are working on? All the groups below maintain a list of their members that you might be able to use as a starting point.

Forum of Incident Response and Security Teams (FIRST)

FIRST is a coalition of CSIRTs around the world, including national, corporate, government and many industry sector teams. FIRST provides a forum for CSIRTs to exchange information on and resolve incidents on an international basis. They also hold an annual conference dedicated to CSIRTs.

APCERT

The Asia Pacific Computer Emergency Response Teams are a coalition of CSIRTs in the Asia Pacific region. They also hold an annual conference dedicated to CSIRTs.

Trusted Introducer for CSIRTs in Europe

The Trusted Introducer for CSIRTs in Europe maintains a list of all known European CSIRTs.


CSIRT Training

The following organisations provide a variety of training targeted specifically at CSIRTs, including development, design, implementation and operations.

AusCERT CSIRT Training

CERT/CC Training

Training of Network Security Incident Teams Staff (TRANSITS)


Incident Handling Guidelines

CERT/CC Resources

CERT/CC Security Improvements Modules

The CERT/CC have produced many technical publications (security improvement modules) dealing with the operation and implementation of various security processes. These include modules describing preparing for, detecting and responding to computer intrusions.

Sun Security Blueprints

Sun have prepared a number of technical documents (blueprints) which provide practical recommendations on many areas, including security. Amongst the numerous other security blueprints, the following describe CSIRT operations and response:

Responding to Customer's Security Incidents--Part 1: Establishing Teams and a Policy

Responding to Customer's Security Incidents--Part 2: Executing a Policy

Responding to Customer's Security Incidents--Part 3: Following Up After an Incident

Responding to a Customer's Security Incidents--Part 4: Processing Incident Data

National Institute of Standards and Technology (NIST)

NIST SP 800-61 Computer Security Incident Handling Guide

Adobe Acrobat Reader .pdf file (2.71MB)

Zipped .pdf file (1.6MB)

This 148-page document provides extensive examples, guidelines and recommendations for handling many different kinds of incidents, including denial of service, unauthorised access and inappropriate usage. It also has a useful selection of appendices, including recommendations, scenarios, print and online resources, and an FAQ.


Tools

CHIHT - Clearing House for Incident Handling Tools

Contains an extensive list of security tools which may be useful to CSIRTs, divided into categories such as tools for gathering evidence, tools for implementing CSIRT operational procedures, and proactive tools for detecting vulnerabilities and other threats.

Insecure.org's Top 75 Security Tools

A list of the most popular security tools based on a survey of various security professionals and users.