CSIRT and CSIRT Co-operation

     
     

The Role of CSIRTs

Regardless of their name - Computer Emergency Response Teams / CERTs, Computer Security Incident Response Teams / CSIRTs, or simply Security Teams - CSIRTs, as they will be referred to here, provide an IT security incident-centred service to their constituency, whether it be prevention, detection, correction, repression or awareness building - usually some combination of those aspects.

The services that CSIRTs offer all focus on combatting attacks or "diseases" (passive attacks) that propagate via the Internet and tunnel their way to extranets, intranets and indeed the computer systems at our desks or beside our television sets.

The best way to fight attacks is to prevent them from happening: that is why CSIRTs are deeply involved in "spreading the news", reporting to their constituencies on recently discovered vulnerabilities and how to prevent those "holes" from being exploited. Other functions, such as reporting on hacking trends and on best practices in security and network/system management, are further examples of what CSIRTs can do as part of their "prevention" service.

The "awareness raising" service is really a preventive task as well, but with a different target audience and therefore also with different content: it targets e.g. CEO levels, product development managers, marketeers, but also end-users and even the public, depending on what kind of CSIRT one is talking about.

The "detection" service is the logical next step: once incidents occur they have to be detected. The classical form of detection, which is still the one most widely adopted by CSIRTs, is simply waiting for incident reports to come in and then acting on them. Nowadays, the rising popularity of Intrusion Detection Systems (IDS) has given CSIRTs a more pro-active means of detecting incidents. However, use of IDS is still mostly limited to internal security organisations, because of a lack of experience in deploying a bigger IDS scheme and, last but not least, a lack of standardisation.

The best known service that CSIRTs offer is that of "correction", that is combatting the harmful results of security incidents, trying to take away their direct cause and preferably find their origin. If the origin is a legal entity or person, and further steps can be taken towards that entity, then "repression" starts - though that is usually the domain of local (company/institution) authorities or justice.

CSIRTs tailor their services to the needs of their constituencies and parent organizations, of course taking into account local legislation - but not only local, because CSIRTs have to deal with cross-border incidents, where different laws apply.

 

Previous Co-Operation among CSIRTs

The oldest and most experienced CSIRTs in Europe are found within the European NRENs. Traditionally, since the early days of the RARE CERT Task Force in 1992, European research network CSIRTs have been building the backbone of incident response activity within Europe. Today 50% of all European teams (see http://www.trusted-introducer.org/ for a complete list) are within the research area, and in many countries they are still the one and only CSIRT available. In addition, in various countries European research network teams have been instrumental in the setup and initiation of new CSIRTs in the government and commercial areas, and have helped these newcomers to gain (inter)national acceptance and join international fora like FIRST, TF-CSIRT and the Trusted Introducer.

It is clear from previous discussions that there is no need for yet another CSIRT service for constituencies that are already served by one. The need to have new CSIRTs for constituencies yet unserved has been well recognized and addressed by existing CSIRTs in Europe since 1992 - this comes almost naturally to CSIRTs, whose constituencies simply suffer most from those areas where no incident management arrangements have yet been made. All international fora mentioned in the previous paragraph have been set up by existing CSIRTs with the intention of reaching out to new CSIRTs, apart from exchanging information and jointly improving the quality of service.

 

The European Computer Security Incident Response Team Network
Last changed: February 5, 2003 / AL
Copyright © 2002-2003 by PRESECURE Consulting GmbH, Germany