As technology becomes more complex and security threats more sophisticated, it’s a challenge for even the largest organisations to keep their online working environment secure.
Our CSIRT service helps create a more secure network, responds to security incidents and provides expert advice and guidance.
Visit our experts in this surgery session to help troubleshoot any challenges you are currently facing and to help you manage the risks.
3. Overview
»Coordinate with our community and other CERTs, ISPs and third parties as necessary
»Provide advice and assistance in relation to security
»Investigate security incidents on Janet
4. Why?
»Enforce Janet Security Policy / AUP
»Protect the availability of the Janet network
»Preserve reputation of the Janet network and our community
5. What do we do?
»Abuse Desk
› RIPE Abuse contact
› abuse@ja.net
»Examples
› UBE (unsolicited bulk email) / spam
› Scanning
› Misuse
› Law enforcement enquiries
6. What do we do?
»Threat reporting
› Shadowserver
› Google alerts
»Examples
› Google Safe Browsing
› Service misconfiguration
› Malware sinkhole connections
7. What do we do?
»Incident coordination
› Janet customers
› Third parties
»Examples
› Phishing
› Denial of service
› Compromised systems
11. Organisation security
»Who is responsible for security?
› Everyone is.
»Security can’t be fixed by technology alone
› Advocate good security practices
12. Security Practices
»Promote strong passwords
› Even better – use password managers!
»Two-factor authentication where possible
»Software updates
»Up-to-date antivirus
»Allow only what you need on firewalls
»Accurate logging
»Mail filters/spam/attachment filtering
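The "allow only what you need on firewalls" and "accurate logging" points above, as an added example that is not from the original talk: a host firewall ruleset in nftables syntax with a default-deny inbound policy and rate-limited logging of everything that is dropped. The loopback interface name, the 192.0.2.0/24 admin network (an RFC 5737 documentation range) and the open ports are placeholders chosen for the example, not values from Janet or any customer.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the talk): default-deny inbound host firewall with logged drops.
# Interface name, admin subnet and service ports are placeholders for illustration.

flush ruleset

table inet filter {
    chain input {
        # The weak setting would be "policy accept;" with a few explicit drops:
        # any newly started service is then reachable without anyone deciding it should be.
        type filter hook input priority 0; policy drop;

        # Keep replies to our own connections and local traffic working
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop

        # ICMP is needed for path MTU discovery and diagnostics; rate-limit rather than block it
        meta l4proto { icmp, ipv6-icmp } limit rate 10/second accept

        # Management only from the admin network (placeholder: 192.0.2.0/24)
        ip saddr 192.0.2.0/24 tcp dport 22 accept

        # The public services this host actually runs (placeholder: a web server)
        tcp dport { 80, 443 } accept

        # Everything else: log it (rate-limited so a scan cannot fill the disk),
        # then fall through to the chain policy, which drops it
        limit rate 5/second log prefix "nft-drop-input: " level info
    }

    chain forward {
        # A host that is not a router should forward nothing
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` on the file. Dropped packets appear in the kernel log (for example via `journalctl -k`, or wherever syslog routes kernel messages) with the `nft-drop-input:` prefix, so when an incident is investigated the scan and connection-attempt history is already on disk rather than having to be reconstructed after the fact.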
13. Organisation security
»Who is responsible for security?
› Everyone is.
»Security can’t be fixed by technology alone
› Advocate good security practices
› Raise awareness
14. Awareness
»People will be people
› They will open things they shouldn’t
› They will click on things they shouldn’t
› It happens
»How you react is just as important…
16. »Then…
› Find knowledge gaps
› Identify where you can help
› Culprit or victim?
– Targeted attacks work because of the effort behind them
– It’s too easy to blame the user
– It will make them less likely to admit an incident has happened
– It’s not the best thing for your organisation long-term
– Everyone makes mistakes, and it can happen to anyone.
18. Organisation security
»Who is responsible for security?
› Everyone is.
»Security can’t be fixed by technology alone
› Advocate good security practices
› Raise awareness
› Ensure your staff have the tools and resources they need
19. »Security incidents do and will happen.
› Be prepared
› Be as open as possible
› Learn from them
»Engage in the community to help and learn from others
20. Community
»UK-security mailing list
› Request access via Jiscmail or email irt@csirt.ja.net
»CiSP – Cyber Information Sharing Partnership
› Part of CERT-UK
– Joint industry government initiative
› Membership by sponsor only
21. Other resources
»SANS critical controls
› Basic to intermediate options
»Jisc training
› Courses, webinars, workshops
»ESISS - Education Shared Information Security Service
› Pen testing & manual/automated vulnerability scanning
› info@esiss.ac.uk
22. Things to think about
»What are your key assets?
› How do you protect them?
»When a security incident occurs:
› Do you have a response plan in place?
› Do your IT staff have the tools and information available to investigate?
– Logs
– Appropriate contact information
› Lessons learned exercises
A traditional CERT team responds to security incidents in an organisation or for a particular service. Typical activities include reviewing intrusion logs, carrying out network and/or host forensics, investigating a compromised host, tracking malware and much more.
We are a team of five plus one student, with a range of backgrounds, and two vacant positions.
We have over 900 connected organisations, which keeps us pretty busy.
Why do we exist? What’s our purpose?
Preserve reputation by keeping security incidents to a minimum and resolving investigations promptly.
Help and support customers
RIPE maintains a database mapping IP address allocations to organisations, and we are listed as the abuse contact for Janet address space. Any security incident relating to Janet IP space and its customers will (or should) come through us.
Shadowserver is a non-profit foundation of volunteers whose aim is to clean up the internet.
Without our threat reporting and trusted relationships, many security incidents would likely go unnoticed. This could lead to further network compromise and potential reputational damage.
By working with these organisations, we can pass their reports on to customers so they can clean up their networks, and ideally get early detection.
Efficient notification: we deliver the information so customers don't need to go searching for it.
Work with customers to resolve incidents promptly and mitigate risk – we’re there.
Intermediary service to make sure the right people get the right information at the right time.
Trust between certain third parties and our customers.
Security does not just sit within IT. Everyone has a responsibility, whether it be physical security or computer and internet security.
When it comes to security, a lot of organisations tend to buy “security-in-a-box products” to fix their security problems.
These products are good and you should have them in your organisation, but they only fix or detect a certain range of issues.
Password managers: 1Password, KeePass and LastPass, for example.
Two-factor options: RSA SecurID, Google Authenticator, YubiKey and Duo.
People have an element of trust as part of human nature. If someone believes something to be true, they’ll run with it.
If someone receives an email from a name they know, they’ll likely trust it, but not always validate the message or request they’ve received. Finance example.
Everyone makes mistakes, and it can happen to anyone.
Learn from mistakes.
Awareness emails do not always work: they get missed, and too many of them become noise.
Periodic workshops that are interesting and well presented are often more memorable and hopefully drill these topics home.
Tools and resources – good logging to be able to investigate incidents, training, contacts (both internal and external).
If someone really wants to target your organisation, they will do. Your best bet is to be prepared and have the right procedures in place. Are your organisation contacts with Jisc up-to-date?
Brushing incidents under the carpet is not the best method in dealing with incidents. If you’re open with your stakeholders, they will trust you more.
UK-SEC – have a question you want answered about security, or want advice on a certain product? Someone will no doubt have some experience that will help you.
CiSP – private and public UK organisations
Janet CSIRT will sponsor known security contacts.
There is an academia section.
There is a wealth of knowledge in both communities that you can draw on for the benefit of your organisation.
If you experience a security incident, talk to us about it. As well as being able to help you, we may have information to help with the investigation, or your information may help us with other incidents.
Any intelligence you can provide relating to an incident will be appreciated and collectively, could make the sector more secure.