FORTH CERT coordinates with government
agencies, internet service providers
and software and hardware vendors. It offers a number of services
to its members
and the general public.
In summary, these services include the following:
- Provide computer security incident response
- Provide research on computer security incidents
- Work with other CSIRTs
- Collect and disseminate information on computer security
issues such
as vulnerabilities and security fixes.
- Publish alerts and warnings
- Increase awareness of information security issues
In more detail, FORTH CERT offers the following:
Alerts, Warnings and Announcements
This service involves disseminating information that describes
an intruder attack, security vulnerability,
intrusion alert, computer virus, or hoax. It provides any
short-term recommended course of action for dealing with the
resulting problem. The alert, warning, or advisory is sent
as a reaction to the current problem to notify constituents
of the activity. It also provides guidance for protecting
their systems or recovering any systems that were affected.
Information may be created by the CSIRT or may be redistributed
from vendors, other CSIRTs or security experts, or other parts
of the constituency.
This includes, but is not limited to, intrusion alerts, vulnerability
warnings, and security advisories. Such announcements inform
constituents about new developments with medium- to long-term
impact, such as newly found vulnerabilities or intruder tools.
Announcements enable constituents to protect their systems
and networks against newly found problems before they can
be exploited.
Incident Handling, Response and Coordination
Incident handling involves receiving, triaging, and responding
to requests and reports,
and analyzing incidents and events. Particular response activities
can include
- Taking action to protect systems and networks affected
or threatened by intruder activity
- Providing solutions and mitigation strategies from relevant
advisories or alerts
- Looking for intruder activity on other parts of the network
- Filtering network traffic
- Rebuilding systems
- Patching or repairing systems
- Developing other response or workaround strategies
Since incident handling activities are implemented in various
ways by different types
of CSIRTs, this service is further categorised based on the
type of activities performed
and the type of assistance given as follows:
The CSIRT assists and guides the victim(s) of the attack in
recovering from an incident
via phone, email, fax, or documentation. This can involve
technical assistance
in the interpretation of data collected, providing contact
information, or relaying guidance on mitigation and recovery
strategies. It does not involve direct, on-site incident response
actions as described above. The CSIRT instead provides guidance
remotely so site personnel can perform the recovery themselves.
The CSIRT coordinates the response effort among parties involved
in the incident.
This usually includes the victim of the attack, other sites
involved in the attack,
and any sites requiring assistance in the analysis of the
attack. It may also include
the parties that provide IT support to the victim, such as
internet service providers,
other CSIRTs, and system and network administrators at the
site.
The coordination work may involve collecting contact information,
notifying sites
of their potential involvement (as victim or source of an
attack), collecting statistics
about the number of sites involved, and facilitating information
exchange and analysis. Part of the coordination work may involve
notification and collaboration with an organisation's legal
counsel, human resources or public relations departments.
It would also include coordination with law enforcement. This
service does not involve direct, on-site incident response.