What is a CSIRT/CERT?
CSIRT stands for Computer Security Incident Response Team. The term CSIRT is often used in Europe instead of the protected term CERT, registered in the US by the CERT Coordination Center (CERT/CC). Different abbreviations are used for the same type of team:
- CERT or CERT/CC (Computer Emergency Response Team / Coordination Center)
- CSIRT (Computer Security Incident Response Team)
- IRT (Incident Response Team)
- CIRT (Computer Incident Response Team)
- SERT (Security Emergency Response Team)
In general, these define a team of people dedicated to the implementation and management of technological measures with the aim of mitigating the risk of attacks against the systems of the community to which the service is provided. Carnegie Mellon University in the United States created the first such team in 1988. Since then, Centers have been formed all over the world and in different areas of society (Administration, University, research, business, etc.).
Who can be a full member of the CSIRT.es Forum?
Any Spanish CSIRT that complies with the generic definition offered by ENISA, FIRST or Trusted Introducer for this type of team (as described on this website or Wikipedia).
Additional requisites for being a member of the Forum are to provide service to a community of users in Spain, to have the capability to react to security incidents and to have missions and objectives which by law or organizational decision aim to enhance the security of technologies and communications in the Community they serve.
It is also a requirement for admission to the group to be a member of the FIRST forum or to be accredited to the Trusted Introducer forum. As an exception, Public centers can apply for membership if two members vouch for them. State Security Forces and Corps (FFCCS) have automatic membership approval. Only one group (CSIRT, response group) per NIF or entity will be admitted as a member of CSIRT.es. The request for the registration of a new member of the forum must be made by its legal representative through an email to the email account which appears in the contact section of the forum's website.
What are the rights of members?
Full members will have the following rights:
- They may vote at Forum meetings or by e-mail if required. One vote per full member.
- They will be able to participate in the distribution lists associated with the Forum.
- They will have passwords to access the private Web area set up for the Forum.
- They may propose initiatives.
- They may participate in working groups and initiatives.
- They will be able to attend the meetings.
- They may propose new members.
- They may propose special guests to the meetings.
- Members may be elected to the Coordinating Committee.
What are the obligations of members?
Full members shall have the following obligations:
- Keep your contact information - public and private - up to date for the rest of the Forum members, including the GPG keys of each of the representatives.
- Provide all information that may be of use to the other members of the Forum or to the Spanish community unless the rules and procedures established in the Organization to which they belong prevent the full dissemination of such information.
- Ensure that this information is up to date.
- Provide support and guidance in the creation of new CSIRTs at national level.
- Improve the visibility of the CSIRTs members of the Forum and of the Forum itself in the Spanish and international community.
- Keep information shared on the list and at meetings private unless express permission is given to share it with others. The traffic light protocol for information exchange (TLP) within the Forum is available on the Forum page.
- Participate and collaborate in the working groups and initiatives of the Forum.
- Promote activities within the Forum.
- Attend at least one Forum meeting per year.
- Ratify the Code of Ethics defined for the Forum, which can be found on the Forum page.
- Give, at least once a year at one of the face-to-face meetings, a short update on the status of the team, presenting among other things the projects being carried out as a CSIRT and personnel developments.
What is an incident?
It is an unplanned interruption of or reduction in the quality of an Information Technology service. It is also the failure of a configuration item that has not yet impacted the service or any anomaly that affects or could affect data security.
What services can a CSIRT provide?
There are many services that a CSIRT can provide, but no CSIRT currently provides them all. The selection of an appropriate package of services is therefore a crucial decision. Below is a brief overview of all known CSIRT services as defined in the "CSIRT Manual" published by the CERT/CC.
Reactive services (treatment of incidents and mitigation of resulting damage)
- Alerts and warnings
- Incident handling
- Incident analysis
- Incident response support
- Incident response coordination
- On-site Incident Response
- Addressing vulnerability
- Vulnerability analysis
- Responding to vulnerability
- Coordination of the response to vulnerability
Proactive services (aimed at incident prevention through raising awareness and training)
- Technology Observatory
- Security assessments or audits
- Security configuration and maintenance
- Development of security tools
- Intrusion Detection Services
- Dissemination of security-related information
Instance management (includes the analysis of any file or object found in a system that may come into play in malicious actions, such as virus remains, worms, scripts, Trojans, etc.)
- Instance analysis
- Response to instances
- Coordination of authorities’ response
Security quality management (with longer term objectives including consultancy and educational measures)
- Risk analysis
- Business Continuity and Disaster Recovery
- Security Consulting
- Awareness raising
- Education / Training
- Product evaluation or certification
What other CSIRT forums are currently available?
- FIRST (Forum of Incident Response and Security Teams) is the first and foremost of the existing international organizations, with over 180 members from Europe, the Americas, Asia and Oceania, from governmental, economic, educational, business and financial worlds (https://www.first.org).
- Trusted Introducer, the main European forum for CERTs in which the continent's leading CERTs collaborate, innovate and share information, is part of TERENA, the Trans-European Association for Research and Network Education. More than fifty European CERTs are part of the Trusted Introducer (TI) (http://www.trusted-introducer.nl).
- The EGC (European Government CERTs) group is the organization that brings together the main government CERTs in Europe (http://www.egc-group.org).
- European Network & Information Security Agency (ENISA) of the European Union (http://www.enisa.europa.eu).