Alerting-service services
Which services will you offer?
An alerting service, by definition, is going to be providing alerts on something. You will need to decide what type of alerts you will be providing, but in addition to that you will need to decide on any additional services. Below is a list of suggested services. Keep in mind that for each of these services you will also need to decide on very practical points such as hours of service and how to communicate (see also 'how will you deliver your message?').
- Alerts on vulnerabilities
- These are similar to advisories that most CSIRTs send out on a regular basis. This type of alert will need to be timely and accurate. Keep in mind that there are many hundreds of vulnerabilities every month and alerting on each of them will be a giant task. It is recommended to filter the vulnerabilities and only alert on a certain number. How you filter the vulnerabilities depends on your target audience, but may also depend on the severity of the vulnerability.
- Alerts on viruses and worms
- Again, very similar to warnings that certain CSIRTs send out. The number of viruses that appear every month also runs into the hundreds and many of them will never even appear in the wild. It is very important to establish ways of determining which viruses to alert on and which not. The severity of an outbreak, possible spread of the virus, novelty value of a virus or relevance to your target audience are possible characteristics to try and measure.
- Alerts on incidents
- You may want to alert on specific incidents, such as a Denial-of-Service attack against a well-known target and, for example, phishing. You may decide what types of incidents you are going to alert on based on their relevance, their media profile or similar.
- Information on trends
- Information on trends could include developments in malicious activity, types of viruses or developments in the type of scanning activity. In order to generate good trending information, it is important to have statistically sound and relevant data. Trends or statistical information can be very valuable to support alerts or press releases.
- Background information
- This will include anything useful to your target audience, for example articles dealing with spyware or articles explaining how to back up the registry.
- Security advice
- Security advice may overlap with the previous service, background information, although security advice would obviously be more closely related to security.
- A reporting mechanism
- This could be used to gather trend information, although care needs to be taken to gather clean data. When building a reporting mechanism, it is very important to have a clear goal that can also be communicated to the target audience. You will also need to decide on the types of incidents you want to be reported as well as the level of technical expertise needed to report incidents.
- Helpdesk functionality
- Would you like your target audience to be able to call you or e-mail you with questions? If so, you need to decide what type of questions you will and won't answer.
- Product evaluations and/or recommendations
- The evaluation of products as well as specific recommendations on products.
Who is your target audience?
Defining your target audience takes some time. Possible choices include home users, small businesses, medium businesses or large enterprises. Each target group will have its own needs and characteristics. Consider the type of software or hardware in use, the type of computer usage but also the technical knowledge as well as any likely security measures already in place.
Which sources of information will you use?
In order to deliver quality services, you will need a lot of quality information and quality information sources. You will need to know, for each of your sources of information, what type of information it delivers as well as what level of trust you assign to the information.