
ThaiCERT Formation & Thailand Incident Report

By Miss Siriwan Apisiridej (siriwan@nectec.or.th), NECTEC Seminar on Information Security Technologies, 19 November 2003. Topics: mail bomb, hacking, Internet, root compromise, DDoS, information warfare; what is an IR team?


Presentation Transcript


  1. ThaiCERT Formation & Thailand Incident Report
     By Miss Siriwan Apisiridej (siriwan@nectec.or.th)
     NECTEC Seminar on Information Security Technologies, 19 November 2003

  2. (Threat diagram; labels only) Mail bomb, Hacking, Internet, Root compromise, DDoS, Information Warfare

  3. What is IR Team?
     IR Team: Incident Response Team
     - is a capability responsible for dealing with potential or real information security incidents
     - is assigned a set of duties related to bringing each security-related incident to a conclusion, ideally in accordance with the goal of the organization it serves

  4. What is IR Team?
     Many incident response teams have many team members, each with a specialized role. Some of the members:
     - daily operations
     - receiving reports of incidents
     - attempting to identify the type, source, impact, and other facets of security-related incidents that are reported

  5. What is IR Team?
     Others:
     • deal with vendors to close known vulnerabilities in operating systems
     Others:
     • examine data to identify and project incident trends, something that is more related to research

  6. Definition of “CERT”
     CERT: Computer Emergency Response Team
     An organization or a team that provides, to a defined constituency, services and support for both preventing and responding to computer security incidents.

  7. ThaiCERT Formation
     • NECTEC has run the project of forming the Thai Computer Emergency Response Team (ThaiCERT) since April 2000
     • CERT/CC, USA (the 1st CERT in the world) was applied as the model for ThaiCERT's formation
     Currently, there are 10 team members:
     - 1 management
     - 8 technical staff
     - 1 general coordination staff

  8. ThaiCERT Formation (Cont.)
     Objective:
     - To handle computer crime and coordinate with the related organizations.
     - To gain knowledge and skill in information security, which is a factor affecting the stability of Thailand.
     - To establish a team that can handle computer security incidents and develop personnel's skills, because international organizations cannot support every case for us.

  9. Scope of ThaiCERT's Role
     Major Role
     1. Incident Response
     General Role
     1. Distribute security knowledge & alerts through the Mailing List and Website: http://www.thaicert.nectec.or.th
     2. Analyze and respond to system vulnerabilities and security risks
     3. Analyze computer security incidents

  10. Scope of ThaiCERT's Role (Cont.)
     4. Provide training and seminars
     5. Follow the computer security news
     6. Intrusion detection
     7. Computer forensics
     8. Computer security consultancy
     9. Develop security tools, i.e. Web Scan
     10. Coordinate and support

  11. ThaiCERT Incident Response Cases
     Number of Cases (Jan 2003 – Present) [Total = 258 cases]

     Type of Incident          Cases
     Port Scan & Probe           170
     Virus                        36
     Spam Mail                    29
     Other (Hacks, DDoS, ...)     23

  12. Why Form an IR Team?
     - Ability to coordinate
     - Expertise
     - Efficiency
     - Ability to work proactively
     - Ability to meet agency or corporate requirements
     - Serving a liaison function
     - Ability to deal with institutional barriers

  13. Issues in Forming a Response Team
     - Policy
     - Whether or not a team is really necessary
     - Defining and communicating with a constituency
     - Defining functional requirements
     - Defining the role of the incident response team
     - Staffing the team appropriately
     - Creating and updating operational procedures

  14. Policy
     Policy Example:
     • No employee may make contact with or answer questions from the press unless that person obtains written approval from the head of the public relations department.
     • No system being attacked may stay connected to the network if it holds extremely valuable resources.

  15. Policy (Cont.)
     • No team member may spread information about any incident outside of the immediate team without the direct permission of the team leader.

  16. Is a team really necessary?
     Alternative Approach: have individuals who are not part of an incident response team but who are available when incidents occur.
     Advantages of this alternative approach:
     - Smaller organizations generally do not need a team
     - Few resources might be available
     - Incident response might work better as a distributed effort

  17. Who is Constituency?
     1. Determining exactly whom you are supporting
        • to be able to communicate with that constituency
        • to learn the needs that exist
        • to know how to better focus your efforts
     2. Establishing a communication channel is essential (2-way communication)

  18. Who is Constituency? (diagram)
     Parties shown: CEO, CERT, Attacker, SIRM = Site Incident Response Manager, SIRO = Site Incident Response Officer
     - Have contact numbers, i.e. home phone no., mobile phone no., and E-Mail
     - Two-way communication

  19. Functional Requirements and Roles
     • Basic Requirements: providing incident response support to the constituency
     - Go to a site or area within a facility and take over all incident response efforts
     - Control sharing – both the incident response team and operations or business unit staff
     - Provide indirect rather than direct support in the form of advice
     - Do something only when its constituency requests

  20. Functional Requirements and Roles (Cont.)
     • Additional Requirements
     - Interagency/corporation coordination/liaison
     - Serving as a clearinghouse: a central repository for information, patches, tools, and so forth
     - Contingency planning and business continuity services
     - Information security tool development
     - Incident response planning and analysis
     - Training and awareness

  21. Staffing Issues
     • Team size
     • Minimum: 1 management, 1 technical staff
     • Add staff to broaden the range of expertise as funding allows

  22. Staffing Issues (Cont.)
     • Team skills
       1. Management skills
       2. Technical skills
       3. People skills
       4. Teamwork skills
       5. Communication skills

  23. Staffing Issues (Cont.)
     • Location of Staff
       Should all team members reside at one location, or be divided among different locations?

  24. Creating Operating Procedures
     Issues that any set of procedures must address:
     - Purpose of the procedure
     - To whom or what the procedures apply and under what conditions
     - Lines of authority within the IR team and the organization it serves
     - Restrictions on the kinds of actions in which team members can and cannot engage
     - How information and evidence must be documented

  25. Creating Operating Procedures (Cont.)
     - Who can contact outside entities (i.e. media, law enforcement agencies) and under what conditions
     - Priorities in response efforts (i.e. protecting the lives of humans, keeping systems and networks operational)
     - What to do in case of incidents in highly valuable, sensitive, proprietary, or classified systems and/or networks
     - Kinds of information that can and cannot be disseminated outside
     - Management's role with respect to the response team and its activities

  26. Creating Operating Procedures (Cont.)
     - When and how the procedures must be changed
     - How the procedures are to be distributed

  27. Incident Response Process (flowchart)
     1. Victim
     2. Incident Report Receiving Process (via E-Mail / via Telephone)
     3. Incident Confirmation Process
     4. Analyze scope of responsibility
        NO  -> 5. Coordinate and give advice to the related organization
        YES -> 6. - Analyze the incident
                  - Technical support
                  - Coordinate and response
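The flow on slide 27 (receive, confirm, decide scope, then either respond or hand off) and the per-type caseload on slide 11 can be modelled as a small intake program. The code below is an added example, not part of the presentation and not ThaiCERT's own tooling; the constituency domains, the keyword classifier and the sample reports are all constructed for illustration.

```python
"""Toy model of the slide-27 incident intake flow (added example, not ThaiCERT code)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    EMAIL = "e-mail"          # step 2: report arrives via E-Mail
    TELEPHONE = "telephone"   # step 2: report arrives via Telephone


class IncidentType(Enum):
    # The four categories used in the slide-11 case table.
    PORT_SCAN_PROBE = "Port Scan & Probe"
    VIRUS = "Virus"
    SPAM_MAIL = "Spam Mail"
    OTHER = "Other (Hacks, DDoS, ...)"


class Route(Enum):
    NEEDS_CONFIRMATION = "ask reporter for evidence"         # step 3 not satisfied
    COORDINATE_EXTERNAL = "coordinate / advise related org"  # step 4 = NO -> step 5
    RESPOND = "analyze, support, coordinate and respond"     # step 4 = YES -> step 6


# Hypothetical constituency: hosts under these domains are "in scope" for direct
# response. Constructed values, not ThaiCERT's real constituency.
CONSTITUENCY_DOMAINS = ("example.ac.th", "example.go.th")


@dataclass
class IncidentReport:
    reporter: str
    channel: Channel
    target_host: str
    description: str
    evidence: list[str] = field(default_factory=list)  # log excerpts, mail headers, ...


def confirm_incident(report: IncidentReport) -> bool:
    """Step 3: confirmed only if a target host is named and some evidence was supplied."""
    return bool(report.target_host.strip()) and any(e.strip() for e in report.evidence)


def classify(report: IncidentReport) -> IncidentType:
    """Map the free-text description onto a slide-11 category (assumed keyword heuristic)."""
    text = report.description.lower()
    if any(k in text for k in ("port scan", "probe", "nmap")):
        return IncidentType.PORT_SCAN_PROBE
    if any(k in text for k in ("virus", "worm", "infected")):
        return IncidentType.VIRUS
    if "spam" in text or "unsolicited" in text:
        return IncidentType.SPAM_MAIL
    return IncidentType.OTHER


def in_scope(report: IncidentReport) -> bool:
    """Step 4: the target is within the team's scope if it belongs to a constituency domain."""
    host = report.target_host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CONSTITUENCY_DOMAINS)


def triage(report: IncidentReport) -> tuple[Route, IncidentType]:
    """Run one report through steps 3-6 and return where it goes plus its category."""
    kind = classify(report)
    if not confirm_incident(report):
        return Route.NEEDS_CONFIRMATION, kind
    if not in_scope(report):
        return Route.COORDINATE_EXTERNAL, kind
    return Route.RESPOND, kind


def tally(reports: list[IncidentReport]) -> dict[str, int]:
    """Count confirmed reports per category, the way slide 11 summarizes the caseload."""
    return dict(Counter(classify(r).value for r in reports if confirm_incident(r)))


# Constructed sample reports; addresses and log lines are made up for the example.
SAMPLE_REPORTS = [
    IncidentReport("admin@example.ac.th", Channel.EMAIL, "www.example.ac.th",
                   "repeated port scan from one source",
                   ["Nov 19 10:02:11 fw kernel: DROP SRC=203.0.113.5 DPT=135"]),
    IncidentReport("user@example.ac.th", Channel.TELEPHONE, "pc-17.example.ac.th",
                   "workstation infected by a virus", ["AV log: sample quarantined"]),
    IncidentReport("helpdesk@example.go.th", Channel.EMAIL, "mail.example.go.th",
                   "flood of spam to our domain", ["Received: from 198.51.100.7"]),
    IncidentReport("abuse@example.net", Channel.EMAIL, "shop.example.net",
                   "web defacement reported", ["index.html modified 2003-11-18"]),
    IncidentReport("anon", Channel.TELEPHONE, "", "something strange happened", []),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        route, kind = triage(r)
        print(f"{r.channel.value:9} {r.target_host or '(no host)':22} {kind.value:26} -> {route.value}")
    print(tally(SAMPLE_REPORTS))
```

The out-of-constituency defacement is handed off (step 5) rather than worked directly, and the report with no host and no evidence never reaches the scope decision at all, which is the point of putting confirmation before analysis in the flow.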

  28. Cooperation is necessary!!

  29. Contact ThaiCERT
     URL: http://www.thaicert.nectec.or.th
     E-mail: thaicert@nectec.or.th
     Telephone: 0-2564-6868
     Fax: 0-2564-6871
