What Is a CSIRT vs. CERT vs. CIRT???
CSIRT—Computer Security Incident Response Team is a concrete organizational entity (i.e., one or more staff) that is assigned the responsibility for coordinating and supporting the response to a computer security event or incident.
CERT—Computer Emergency Response (Readiness) Team
CERT should not be generically used as an acronym because it’s a registered trademark in the United States Patent and Trademark Office, as well as other jurisdictions around the world. Alternative names fur such groups include computer emergency readiness team and computer security incident response team (CSIRT).
The name “Computer Emergency Response Team” was fist used in 1988 at Carnegie Mellon University (CMU). CERT is registered as a trademark by Carnegie Mellon University, and is licensed by CMU to mark various organizations that are performing the activities of a CSIRT.
Indeed, CMU encourages the use of CSIRT (Computer Security Incident Response Team) as a generic term for the handling of computer security incidents.
Various other acronyms and titles that have been given to CSIRT organizations over the years include [2]:
- CSIRC–Computer Security Incident Response Capability or Center
- CIRC–Computer Incident Response Capability or Center
- CIRT–Computer Incident Response Team
- IHT–Incident Handling Team
- IRC–Incident Response Center or Incident Response Capability
- IRT–Incident Response Team
- SERT–Security Emergency Response Team
- SIRT–Security Incident Response Team
Incident response is the process of detecting, analyzing and resolving security events and incidents involving network resources and information assets that are reported by end users, or are observed through proactive network and system monitoring.
“All of these titles, however, still refer to the same basic type of organization, one that provides services and support, to a defined constituency, for preventing, handling and responding to computer security incidents. Although their purpose and structure may be different, they still perform similar functions to detect, analyze, and mitigate computer security incidents. This ensures that critical business assets and data are protected and that incidents are handled in a repeatable, quality-driven manner. [2]
According to aCMU white-paper on “Defining Computer Security Incident Response Teams“[2], CSIRT incident handling activities include:
- determining the impact, scope and nature of the event or incident.
- what happened? Who is affected? How many people? How widespread? What immediate dangers? When did the incident first occur? How long has it been going on?
- understanding the technical cause of the event or incident
- identifying what else may have happened or other potential threats resulting from the event or incident
- researching and recommending solutions and workarounds
- coordinating and supporting the implementation of the response strategies with other parts of the enterprise or constituency (including IT groups and specialists, physical security groups, information security officers (ISOs), business managers, executive managers, public relations, human resources, and legal counsel.
- disseminating information on current risks, threats, attacks, exploits, and corresponding mitigation strategies through alerts, advisories, Web pages, and other technical publications
- coordinating and collaborating with external parties such as vendors, ISPs, other security groups and CSIRTs, and law enforcement
- maintaining a repository of incident and vulnerability data and activity related to the constituency that can be used for correlation, trending, and developing lessons learned to improve the security posture and incident management processes of an organization
The goal of a CSIRT is to minimize and control the damage resulting from incidents, provide effective response and recovery, and work to prevent future incidents from happening. [2]
CSIRT operations, as part of an incident management capability, should establish processes for:
- notification and communication
- analysis, response, and resolution
- collaboration and coordination
- maintenance and tracking of records
- evaluation and quality assurance
Incident Response Plan
An incident response plan will provide information to enable an efficient recovery from a security incident.
- Determine foundation for security monitoring, incident response processes, and what the organization is trying to protect.
- What are the assets that are being protected?
- What are the threats to the assets?
- How are threats detected?
- How will the organization respond to threats?
- Biblio:
- [1] Wikipedia–Computer emergency response team
- [2] Defining Computer Security Incident Response Teams, Carnegie Mellon University–Software Engineering Institute