CERT-in-a-Box

The 'CERT-in-a-Box' and 'Alerting service-in-a-Box' project is an initiative of GOVCERT.NL to preserve the lessons learned from setting up GOVCERT.NL and 'De Waarschuwingsdienst', the Dutch national alerting service.

Contact information

Visiting address:
Wilhelmina van Pruisenweg 104
2595 AN Den Haag

Postal address:
Postbus 84011
2508 AD Den Haag

Telephone: (070) 888 75 55
Fax: (070) 888 75 50
E-mail: info@govcert.nl

'CERT-in-a-Box' and 'Alerting service-in-a-Box'
21 / 07 / 2006

Results of the GOVCERT.NL project

Structuring the work and improving its quality is important.
We have made a number of 'interactive' process flows, which are available for download.

The GOVCERT.NL technical team consists of 7 people: 1 technical team manager and 6 specialists.
We have two operational shifts: an active shift from 09:00 to 23:00 and a standby shift
from 23:00 to 09:00, reachable by mobile phone. The active shift checks all the sources: websites,
mailing lists and other information. If an item is important, the technical specialist writes an advisory.
A 'front-office' duty officer checks the inboxes and system mail and drafts advisories first, to support
the person on call.

In the GOVCERT.NL project we put a lot of effort into our national and international network of CSIRTs
and other relevant players in the ICT security world.

Illustration: Basic process and sources

Our basic process is the collection of data from various sources, processing it and writing advisories and alerts about vulnerabilities in software and hardware, viruses and worms and other relevant information.

We collect this information from open and closed sources on the Internet.
We check all the sources for new items every two hours. We collect every mailing list in a separate folder (subscription mailing list name + specific mail folder name). This is useful for tracking and tracing when something goes wrong.

For websites we use WebSite-Watcher, an inexpensive tool that automatically browses all the bookmarks and highlights the changes, saving a lot of time. There are also open source scripts on the Internet with the same functionality.

We will describe the basic process designed for GOVCERT.NL below. This process consists of the following steps:

  • Relevance
  • Identification
  • Classification
  • Filtering
  • Media mix
Relevance
As we collect the information, we first ask ourselves the question: 'Is this relevant information?'

Illustration: Determining relevance

Identification
We check whether the source is trustworthy. We have made a list of all our sources and classified them: is the source trusted, can we verify it, or can we implicitly trust the source and start writing immediately? We have written down a procedure for checking the various sources. See the process flow scheme.

Illustration: Identification

Classification
We handle a variety of information, mainly classified, trusted and public. We have rules for how to treat each kind of information.
If information was sent encrypted, we store it encrypted and check it against trusted PGP keys; trusted information is handled with care and marked as trusted information. Every kind of information is handled differently. It is important to be very cautious about information and how to handle it: what you can make public, and whether any disclosure rules are attached to it. It is also very wise to keep a list of all the different organisations and describe the rules each organisation uses for distributing information.

Illustration: Classification

Filtering
We use a 'photo'. This photo is a list of all the software and servers used by our constituents. On that basis we can filter the information according to its relevance to our customers, so customers only get the information that concerns them. We have also made such a list for the Waarschuwingsdienst, describing mainly end-user products.
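As an added example (not GOVCERT.NL's own tooling), the following Python shows one way to implement this filtering step: the 'photo' is kept as a per-constituent inventory of product/version pairs, an advisory carries the affected version ranges, and only the constituents that run an affected version are selected to receive it. The constituent names, product names and version numbers are constructed sample data, not taken from the page.

```python
"""Filtering an advisory against the 'photo' (constituent inventory).

Added example, not GOVCERT.NL code. The inventory and the advisory below are
constructed sample data; product names and versions are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Turn '2.0.58' into a tuple that compares numerically.

    Comparing raw strings would rank '2.0.9' above '2.0.58'. Non-numeric
    parts such as 'beta' are kept as strings and sort before numbers.
    """
    parts = []
    for p in v.replace("-", ".").split("."):
        parts.append((1, int(p)) if p.isdigit() else (0, p))
    return tuple(parts)


@dataclass
class AffectedRange:
    product: str                    # product name, lower-case, as used in the photo
    first: Optional[str] = None     # first affected version (inclusive); None = any
    fixed: Optional[str] = None     # first fixed version (exclusive); None = no fix yet

    def matches(self, version: str) -> bool:
        ver = parse_version(version)
        if self.first is not None and ver < parse_version(self.first):
            return False
        if self.fixed is not None and ver >= parse_version(self.fixed):
            return False
        return True


@dataclass
class Advisory:
    title: str
    affected: list


# The 'photo': which products (and versions) each constituent runs. Constructed data.
PHOTO = {
    "ministry-a": [("apache httpd", "2.0.55"), ("openssh", "4.3")],
    "ministry-b": [("apache httpd", "2.2.2"), ("bind", "9.3.2")],
    "agency-c":   [("openssh", "3.9"), ("bind", "9.2.6")],
}


def constituents_affected(advisory: Advisory, photo: dict) -> dict:
    """Return {constituent: ['product version', ...]} for every constituent that
    runs an affected version. Constituents without a match are left out, so
    they never receive an advisory that does not concern them."""
    hits = {}
    for name, inventory in photo.items():
        matched = []
        for product, version in inventory:
            for rng in advisory.affected:
                if rng.product == product and rng.matches(version):
                    matched.append(f"{product} {version}")
                    break
        if matched:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    # Constructed advisory: two affected products, one with a fixed version, one without.
    adv = Advisory(
        title="Example: Apache httpd 2.0 before 2.0.58 and OpenSSH before 4.0",
        affected=[AffectedRange("apache httpd", first="2.0", fixed="2.0.58"),
                  AffectedRange("openssh", fixed="4.0")],
    )
    for who, items in constituents_affected(adv, PHOTO).items():
        print(who, "->", ", ".join(items))
```

The product names in the photo and in the advisory have to be normalised the same way (here: lower-case vendor-neutral names), otherwise a constituent silently drops out of the recipient list; in practice the normalisation belongs in the process that maintains the photo, not in the filter.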


Illustration: Filtering


Illustration: Snapshot of our 'photo'.

The media matrix
After the filtering step, which assures that the information is relevant to our constituents, we use two matrices.
For De Waarschuwingsdienst (public and SMEs)
The first is the media mix matrix, which describes what actions to take. It has two axes. One is the objective impact: the technical assessment of whether it really is a vulnerability, whether it really affects the product, and what the impact on security is. The other axis is the subjective impact: what the public feels about it and whether the media have picked it up. This axis is a more subjective approach to the information. As a national alerting service it is wise to consider such things, because you also have to deal with the potential commotion that some information can cause in society.

Illustration: Media Matrix

The GOVCERT.NL matrix

Illustration: GOVCERT.NL Matrix (click for the .xls fill-out matrix)

We thought a lot about this matrix and approached it from different perspectives, but finally we came up with this one. We think this is it: simple, efficient, easy to use, and also very understandable for our constituents.

We carry out a risk analysis on the information by asking ourselves the questions above. We distinguish between risk and damage.

How it works is simple: score all the questions according to the values and add them up. On the right you then see the severity level of the incident. The overall box describes the risk of actual exploitation. Our advice is as follows:

  • High: patch immediately
  • Medium: within the same day
  • Low: patch it but do so in the regular patch sequence
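The .xls matrix itself is not reproduced on this page, so the following Python is an added example, not GOVCERT.NL's matrix: the questions, their point values and the cut-off scores are assumptions chosen for illustration. It keeps the shape the text describes: score each question, add up the points, keep the risk of actual exploitation and the damage on separate axes, and read off High, Medium or Low together with the patch advice above. The media mix matrix for De Waarschuwingsdienst has the same two-axis shape (objective versus subjective impact) and could reuse the same lookup with different questions.

```python
"""Two-axis severity scoring in the style of the GOVCERT.NL matrix.

Added example; the questions, point values and cut-offs below are assumptions
for illustration, not the values from the GOVCERT.NL .xls sheet.
"""
from dataclasses import dataclass

# Assumed yes/no questions for the "risk of actual exploitation" axis, with points.
RISK_QUESTIONS = {
    "exploit_public": 3,        # working exploit code is publicly available
    "in_the_wild": 2,           # exploitation has been observed
    "remote": 2,                # exploitable over the network
    "no_auth": 2,               # no credentials needed
    "no_user_interaction": 1,   # victim need not open a file or click a link
}

# Assumed yes/no questions for the "damage" axis.
DAMAGE_QUESTIONS = {
    "code_execution": 3,
    "privilege_escalation": 2,
    "data_disclosure": 2,
    "denial_of_service": 1,
    "widely_deployed": 2,       # product appears on many entries of the photo
}

# Risk level (rows) x damage level (columns) -> overall severity (assumed cells).
MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}

# Patch advice per severity level, as given on the page.
ADVICE = {
    "High": "patch immediately",
    "Medium": "patch within the same day",
    "Low": "patch in the regular patch sequence",
}


def score(answers: dict, questions: dict) -> int:
    """Add the points of every question answered True.

    A key that is not a known question is an error, so that a typo in an
    answer sheet cannot silently lower the score.
    """
    unknown = set(answers) - set(questions)
    if unknown:
        raise ValueError(f"unknown question(s): {sorted(unknown)}")
    return sum(points for q, points in questions.items() if answers.get(q, False))


def level(total: int, maximum: int) -> str:
    """Map a score to Low / Medium / High by thirds of the maximum (assumed cut-offs)."""
    if total * 3 >= 2 * maximum:
        return "High"
    if total * 3 >= maximum:
        return "Medium"
    return "Low"


@dataclass
class Assessment:
    risk: str       # level on the risk-of-exploitation axis
    damage: str     # level on the damage axis
    severity: str   # matrix cell: the overall level
    advice: str


def assess(risk_answers: dict, damage_answers: dict) -> Assessment:
    """Score both axes separately and read the overall severity off the matrix."""
    risk = level(score(risk_answers, RISK_QUESTIONS), sum(RISK_QUESTIONS.values()))
    damage = level(score(damage_answers, DAMAGE_QUESTIONS), sum(DAMAGE_QUESTIONS.values()))
    severity = MATRIX[risk][damage]
    return Assessment(risk, damage, severity, ADVICE[severity])


if __name__ == "__main__":
    # Constructed case: remote, unauthenticated code execution with a public exploit.
    print(assess(
        {"exploit_public": True, "remote": True, "no_auth": True, "no_user_interaction": True},
        {"code_execution": True, "widely_deployed": True},
    ))
```

Keeping the two axes apart is what the text means by distinguishing risk from damage: a flaw that is trivially exploitable but only causes a local denial of service should not land in the same cell as a remote code execution bug, and a single summed score would blur exactly that difference.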

Output
Our output for GOVCERT.NL is an advisory. For a High severity level we also start calling our customers and point them to the advisory we sent.

Illustration: Output

The illustration below shows an example of output. In this case an e-mail alert.

Illustration: Example of output

The complete process flow
We produced a complementary interactive process flow.
It describes the tasks and steps that have to be taken and points you to the necessary documents and procedures. It also describes who should carry out the tasks and on which systems.

Illustration: Interactive process flow

Interested in the complete clickable sheet? Included is a .zip file with all the needed structure and two Visio files for your own copy-and-replace ;), click here!


