CSIRT service - Jisc Digifest 2016
CSIRT service
Helping you keep your network, data and reputation safe
CSIRT?
»Names may vary:
  › CSIRT (Computer Security Incident Response Team)
  › IRT (Incident Response Team)
  › CERT (Computer Emergency Response Team)
Overview
»Coordinate with our community and other CERTs, ISPs, third parties as necessary
»Provide advice and assistance in relation to security
»Investigate security incidents on Janet
Why?
»Enforce Janet Security Policy / AUP
»Protect the availability of the Janet network
»Preserve reputation of the Janet network and our community
What do we do?
»Abuse Desk
  › RIPE Abuse contact
  › [email protected]
»Examples
  › UBE / Spam
  › Scanning
  › Misuse
  › Law enforcement enquiries
What do we do?
»Threat reporting
  › Shadowserver
  › Google alerts
»Examples
  › Google Safe Browsing
  › Service misconfiguration
  › Malware sinkhole connections
What do we do?
»Incident coordination
  › Janet customers
  › Third parties
»Examples
  › Phishing
  › Denial of service
  › Compromised systems
Incident statistics – Feb’16
Organisation security
»Who is responsible for security?
  › Everyone is.
»Security can’t be fixed by technology alone
Organisation security
»Who is responsible for security?
  › Everyone is.
»Security can’t be fixed by technology alone
  › Advocate good security practices
Security Practices
»Promote strong passwords
  › Even better – use password managers!
»2-factor authentication where possible
»Software updates
»Up-to-date antivirus
»Allow only what you need on firewalls
»Accurate logging
»Mail filters/spam/attachment filtering
Organisation security
»Who is responsible for security?
  › Everyone is.
»Security can’t be fixed by technology alone
  › Advocate good security practices
  › Raise awareness
Awareness
»People will be people
  › They will open things they shouldn’t
  › They will click on things they shouldn’t
  › It happens
»How you react is just as important…
Incident response process
»Then…
  › Find knowledge gaps
  › Identify where you can help
  › Culprit or victim?
    – Targeted attacks work because of the effort behind them
    – It’s too easy to blame the user
    – It will make them less likely to admit an incident has happened
    – It’s not the best thing for your organisation long-term
    – Everyone makes mistakes, and it can happen to anyone.
Awareness
»Internal workshops
»OpenDNS phishing quiz
»Create your own phishing tests
  › GoPhish – open source phishing toolkit
»Incident response exercises
Organisation security
»Who is responsible for security?
  › Everyone is.
»Security can’t be fixed by technology alone
  › Advocate good security practices
  › Raise awareness
  › Ensure your staff have the tools and resources they need
»Security incidents do and will happen.
  › Be prepared
  › Be as open as possible
  › Learn from them
»Engage in the community to help and learn from others
Community
»UK-security mailing list
  › Request access via Jiscmail or email [email protected]
»CiSP – Cyber Information Sharing Partnership
  › Part of CERT-UK
    – Joint industry government initiative
  › Membership by sponsor only
Other resources
»SANS critical controls
  › Basic to intermediate options
»Jisc training
  › Courses, webinars, workshops
»ESISS - Education Shared Information Security Service
  › Pen testing & manual/automated vulnerability scanning
  › [email protected]
Things to think about
»What are your key assets?
  › How do you protect them?
»When a security incident occurs:
  › Do you have a response plan in place?
  › Do your IT staff have the tools and information available to investigate?
    – Logs
    – Appropriate contact information
  › Lessons learned exercises