CERT-in-a-Box

The projects 'CERT-in-a-Box' and 'Alerting service-in-a-Box' are an initiative of GOVCERT.NL to preserve the lessons learned from setting up GOVCERT.NL and 'De Waarschuwingsdienst', the Dutch national alerting service.


'CERT-in-a-Box' and 'Alerting service-in-a-Box'
21 / 07 / 2006

Results for GOVCERT.NL and 'de Waarschuwingsdienst'

We use the same environment for GOVCERT.NL and 'de Waarschuwingsdienst'.
For our desktop environment we use laptops running a Microsoft OS; we browse with Firefox and read email with Thunderbird, because this software can be verified and because attackers pay less attention to those products. Of course, we encrypt our laptop hard disks with encryption software approved by the AIVD (the Dutch intelligence service). Because of our on-call shifts we had to make an exception to our general policy that no sensitive data should be accessible from outside the office, and approve working from home. We use strong VPN software with PKI token authentication. The benefit of this software is that it closes down the network adapter for normal traffic, allowing only traffic to the endpoint of the VPN connection. We also do not allow full access to all services: only those needed for the on-call shift are available.

For connection with the outside world we use a standard business set-up with a couple of systems such as a mail relay, proxy and DNS. We followed the 'belt and braces' set-up. The belt and braces approach to security installs redundant layers of security in the system, the idea being that if your belt gives way, the braces are still there to hold your trousers up. An analogy for the belt and braces approach is a user who both needs to have something and know something in order to access a system. For example, the user must have a key to turn the handle, but must also know and enter an identification code to release the deadbolt.

The belt and braces approach forces an attacker to be adept at compromising multiple, different types of security just to compromise a single link in the chain. Even if this approach does not completely stop an attacker, it may buy the defender some time to detect and respond to an attack.

In short, we do not allow direct connections from the outside to our production network, or vice versa. We have hardened our systems and closed every port except those the application on that server actually needs.

We have also completely separated our test and production networks, and therefore use different ISPs. We all have separate test machines on our desks. We also use coloured LAN cables: green for production and red for the test network. It sounds silly and simple, but it has proven to be a good solution.

Applications and CSIRT tooling:

Desktop
We use a separate firewall and anti-virus scanner on the laptops. They can be updated manually (when you are at home) and remotely. Our systems undergo a thorough daily scan and the reports are sent to the log server. We also store the essential documents for on-call duty locally, on the encrypted disk.

Mailing list software
When setting up a mailing list, be careful with the configuration: you do not want to send out malicious or infected emails. We use a popular mailing list product and have configured it to send out plain text only, up to a maximum size in kB, with no attachments allowed. You have to determine your own default settings, of course.
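The three rules above (plain text only, a size cap, no attachments) can also be enforced with a check of your own in front of the list software, which is useful when you do not fully trust the product's content filtering or want the same rule set on more than one list. The following is an added example and not GOVCERT.NL's configuration; the page does not name the product they used. The 40 kB limit, the addresses and the four sample messages are constructed for illustration.

```python
"""Outgoing list-message filter: plain text only, size cap, no attachments."""
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_KB = 40  # assumed cap; the page gives no figure


def check_outgoing(raw: bytes, max_kb: int = MAX_KB) -> list[str]:
    """Return every reason the raw RFC 5322 message may not go out to the list.

    An empty list means the message passes all three rules from the text:
    plain text only, at most max_kb kilobytes, and no attachments.
    """
    problems = []
    limit = max_kb * 1024
    if len(raw) > limit:
        problems.append(f"size {len(raw)} bytes exceeds limit of {limit} bytes")
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers are judged by their leaf parts
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment" or part.get_filename():
            problems.append(f"attachment not allowed: {part.get_filename() or ctype}")
        elif ctype != "text/plain":
            problems.append(f"only text/plain is allowed, found {ctype}")
    return problems


def _base(subject: str) -> EmailMessage:
    """Common headers for the constructed sample messages below."""
    m = EmailMessage()
    m["From"] = "advisories@example.test"   # constructed addresses
    m["To"] = "alerts-list@example.test"
    m["Subject"] = subject
    return m


def plain_advisory() -> bytes:
    m = _base("Advisory 1: plain text")
    m.set_content("Patch your mail relay.\n")
    return m.as_bytes()


def html_advisory() -> bytes:
    m = _base("Advisory 2: HTML alternative")
    m.set_content("Patch your mail relay.\n")
    m.add_alternative("<p>Patch your mail relay.</p>", subtype="html")
    return m.as_bytes()


def advisory_with_attachment() -> bytes:
    m = _base("Advisory 3: with attachment")
    m.set_content("See attached patch.\n")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 12, maintype="application",
                     subtype="octet-stream", filename="patch.exe")
    return m.as_bytes()


def oversized_advisory() -> bytes:
    m = _base("Advisory 4: too large")
    m.set_content(("x" * 60 + "\n") * 1000)  # about 61 kB of body, 7bit encoded
    return m.as_bytes()


if __name__ == "__main__":
    for build in (plain_advisory, html_advisory, advisory_with_attachment, oversized_advisory):
        print(build.__name__, check_outgoing(build()) or "OK")
```

The filter walks every MIME leaf, so a text/html part hidden inside multipart/alternative is rejected just like a binary attachment; the size check is done on the raw bytes as they would leave the relay, which is what the list product's limit applies to as well.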

Email
We use PGP and PKI solutions for encrypting and signing our email. Our policy is that we endorse secure data transmission and therefore offer our constituents various options. We have a PGP procedure and, like most CSIRTs, we do PGP key signing on the basis of personal trust. In the future we want to use a PGP remailer, which encrypts and decrypts email sent to a confidential mailing list. Another benefit is that you can use the same key ring for all your CSIRT members.

PGP
We use PGP to sign and to encrypt email. All advisories are signed with the CSIRT year key, so the constituency is able to verify that we are indeed the sender of that advisory. The year key is also used for encrypting confidential email, to other CSIRTs for example. A new year key is created every January and expires in February of the next year, so the old and the new key are valid side by side for about a month during the handover.
The year key is signed by the master key. The master key is stored on a floppy disk and on a CD in a safe. The moment of signing the new year key is the only moment the master key leaves the safe. The year key is signed on a computer that runs Knoppix from a CD and has no network connection. The private part of the master key is never stored on any computer.
Every team member gets their own copy of the private and public key pair for the year key.
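The ceremony described in the three paragraphs above can be scripted so that it is done the same way every January. The following is an added example, not GOVCERT.NL's own procedure or tooling: it drives the gpg command line from Python, creates a certification-only master key and a signing/encryption year key that expires at the end of next February, certifies the year key with the master key, exports the secret year key for the team and the public master key for constituents, and finally signs a constructed advisory and verifies it from gpg's machine-readable status output. It assumes a gpg 2.1+ binary on PATH and works in a throw-away GNUPGHOME; the user IDs and the advisory text are constructed, and on the real offline Knoppix box the master secret key would of course stay on the removable media rather than in the same keyring.

```python
"""Year-key ceremony with GnuPG, scripted in Python (added example)."""
from __future__ import annotations

import datetime as dt
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed identities; GOVCERT.NL's real user IDs are not on the page.
MASTER_UID = "CSIRT master key <csirt-master@example.test>"
YEAR_UID = "CSIRT year key {year} <csirt@example.test>"


def gpg_available() -> bool:
    return shutil.which("gpg") is not None


def gpg(home: str, *args: str) -> str:
    """Run gpg unattended against a throw-away home directory; raise on failure."""
    cmd = ["gpg", "--homedir", home, "--batch", "--yes",
           "--pinentry-mode", "loopback", "--passphrase", "", *args]
    done = subprocess.run(cmd, capture_output=True, check=True)
    return done.stdout.decode("utf-8", "replace")


def fingerprint(home: str, uid: str) -> str:
    """Primary-key fingerprint for uid; the first 'fpr' record is the primary key."""
    for line in gpg(home, "--with-colons", "--list-keys", uid).splitlines():
        fields = line.split(":")
        if fields[0] == "fpr":
            return fields[9]
    raise LookupError(uid)


def year_key_expiry(created_year: int) -> dt.date:
    """Policy from the text: made in January, expires end of February next year,
    so two year keys are valid side by side for about a month."""
    return dt.date(created_year + 1, 2, 28)


def signed_by(home: str, key_fpr: str, signer_fpr: str) -> bool:
    """True if key_fpr carries a good ('!') certification from signer_fpr."""
    signer_keyid = signer_fpr[-16:]  # colon output shows the 64-bit key ID
    for line in gpg(home, "--with-colons", "--check-sigs", key_fpr).splitlines():
        f = line.split(":")
        if f[0] == "sig" and f[1] == "!" and f[4] == signer_keyid:
            return True
    return False


def run_ceremony(year: int | None = None) -> dict:
    """Create master and year key, certify, export, then sign and verify an advisory."""
    if not gpg_available():
        raise RuntimeError("gpg 2.1+ is required on PATH")
    year = year or dt.date.today().year
    home = tempfile.mkdtemp(prefix="ceremony-")  # stands in for the offline Knoppix box
    try:
        # 1. Master key: certification only, no expiry, used solely to sign year keys.
        gpg(home, "--quick-gen-key", MASTER_UID, "ed25519", "cert", "never")
        master = fingerprint(home, MASTER_UID)
        # 2. Year key: gpg's default sign+encrypt key pair, expiring next February.
        year_uid = YEAR_UID.format(year=year)
        gpg(home, "--quick-gen-key", year_uid, "default", "default",
            year_key_expiry(year).isoformat())
        year_fpr = fingerprint(home, year_uid)
        # 3. The one use of the master key: certify the new year key.
        gpg(home, "--default-key", master, "--quick-sign-key", year_fpr)
        # 4. What leaves the ceremony: the secret year key for the team members and
        #    the public master key for constituents. The master secret key does not.
        team_copy = gpg(home, "--armor", "--export-secret-keys", year_fpr)
        public_master = gpg(home, "--armor", "--export", master)
        # 5. Sign a constructed advisory with the year key and verify it the way a
        #    constituent would, reading gpg's status lines instead of its prose.
        advisory = Path(home, "advisory.txt")
        advisory.write_text("Example advisory text (constructed).\n")
        gpg(home, "--local-user", year_fpr, "--clearsign", str(advisory))
        status = gpg(home, "--status-fd", "1", "--verify", f"{advisory}.asc")
        valid = any(l.startswith("[GNUPG:] VALIDSIG ") and year_fpr in l
                    for l in status.splitlines())
        return {
            "master_fpr": master,
            "year_fpr": year_fpr,
            "year_signed_by_master": signed_by(home, year_fpr, master),
            "advisory_valid": valid,
            "team_copy_is_secret": "PGP PRIVATE KEY BLOCK" in team_copy,
            "master_export_is_public": "PGP PUBLIC KEY BLOCK" in public_master,
        }
    finally:
        subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                       capture_output=True)
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    print(run_ceremony())
```

A constituent who imports the public master key once can then accept each year's key on the strength of the master certification alone (the `signed_by` check), which is what makes the yearly rollover painless; the status-line parsing is the robust way to verify in scripts, since gpg's human-readable output changes between versions.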

Reporting
Unfortunately we started late with this one. Start collecting data and reporting on the advisories you send and on the viruses caught by the email relay and the anti-virus scanner right from the beginning. So think carefully and start producing your reports as soon as possible. For now, we have implemented the above and started correlating incidents with our advisories.
This is also very beneficial for the security scans we produce for our constituents. Using the same information that we have already sent to them for marketing purposes is a great way to reuse your own information.
Also think about setting up a separate logging server to collect and preserve all logging information, to be used for reporting and troubleshooting and to detect whether system code has changed (Tripwire-type products).
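The integrity-checking idea behind the Tripwire-type products mentioned above is simple enough to show in full: record a digest of every file in a known-good state, keep that baseline somewhere the host cannot alter it (the separate log server is the natural place), and compare later. The following is an added example, not code from GOVCERT.NL or from any Tripwire product; the directory tree and the tampering are constructed in a temporary directory. Real tools also record permissions, ownership and timestamps, which this example leaves out.

```python
"""Minimal file-integrity baseline and comparison (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        baseline[path.relative_to(root).as_posix()] = digest
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences; an untouched system yields three empty lists."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original sshd binary (constructed)")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        baseline = build_baseline(root)
        # The baseline would now be shipped to the log server, e.g. as JSON,
        # so that an intruder with root on this host cannot rewrite it.
        saved = json.dumps(baseline, indent=1, sort_keys=True)

        # Tampering: trojaned binary, deleted config, new file dropped in.
        (root / "bin" / "sshd").write_bytes(b"trojaned sshd (constructed)")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run daily from a cron job with the result sent to the log server, this gives the "has the system code changed" signal the text asks for; the comparison must be done against the copy of the baseline held off-host, never against one stored on the machine being checked.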

CMS
We started using a content management system for our websites. It was built by AusCERT and is very secure and robust. It gives a better, structured way of controlling all the content on your websites, especially when publishing 2 to 4 alerts a day on the alerting service. Look for a good CMS tool that gives you enough freedom to place content, but be aware of the security aspects that come with that freedom.

Screenshot: CMS tool

Templates
We started early with templates; at the beginning we used good old Excel spreadsheets. We have developed a couple of templates for producing advisories and alerts. They help produce a consistent layout and force you to ask yourself the right questions and fill in the content. They are simple but very useful and are freely available (see the Tools chapter for the code).
We also use a 'waiting room' database tool, which lets us administer advisories that are waiting for more information before an advisory is produced, or lets other team members write an advisory about that topic. It is also very useful for handing over active tasks to the next person in line.

          

Screenshot: advisory template
Screenshot: alert template
Screenshot: waiting room tool

Right now we are busy developing a new internal product that combines a common contact database, our 'photo' (a 'photograph' of the configuration of each constituent), an advisory writing template and a CRM tool. With this tool we can write an advisory, and it will itself select the matching configurations and the right constituents and send the advisory to them. So there will be fewer mistakes, and it will be much easier to administer because everything is in one central database.
It also makes it possible to search all advisories and generate a report on who they were sent to. This will enable us to carry out better analyses of our internal information and use it to improve our services.
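The core of the tool described above is a matching step: an advisory lists affected products with a version range, each constituent's 'photo' lists what they run, and the tool selects recipients and records who received what. The following is an added example of that step, not GOVCERT.NL's tool; the page says nothing about its data model, so the record layout, the version-string handling and all constituents, products and advisories are constructed here.

```python
"""Route an advisory to the constituents whose configuration 'photo' matches it."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


def parse_version(text: str) -> tuple[int, ...]:
    """'2.0.58' -> (2, 0, 58); '4.3p2' -> (4, 3); '1.4.3-p2' -> (1, 4, 3).
    The leading digits of each dot-separated piece are kept, the rest is ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


@dataclass(frozen=True)
class Affected:
    """One affected product in an advisory, with an inclusive version range."""
    product: str
    min_version: tuple[int, ...] = ()           # () means no lower bound
    max_version: tuple[int, ...] | None = None  # None means no upper bound

    def matches(self, product: str, version: str) -> bool:
        if product.casefold() != self.product.casefold():
            return False
        v = parse_version(version)
        if v < self.min_version:
            return False
        return self.max_version is None or v <= self.max_version


@dataclass
class Constituent:
    name: str
    contact: str                   # where the advisory is sent (constructed)
    photo: list[tuple[str, str]]   # (product, version) pairs from the 'photo'


@dataclass
class Advisory:
    ident: str
    title: str
    affected: list[Affected]
    sent_to: list[str] = field(default_factory=list)  # the "who received it" report


def route(advisory: Advisory, constituents: list[Constituent]) -> dict[str, list[str]]:
    """Pick every constituent with at least one matching photo entry; return the
    matching entries per contact address and record the recipients on the advisory."""
    deliveries = {}
    for c in constituents:
        hits = [f"{p} {v}" for p, v in c.photo
                if any(a.matches(p, v) for a in advisory.affected)]
        if hits:
            deliveries[c.contact] = hits
            advisory.sent_to.append(c.name)
    return deliveries


def demo() -> dict[str, list[str]]:
    """Constructed constituency and two advisories; returns ident -> recipient names."""
    constituents = [
        Constituent("Ministry A", "soc@ministry-a.example",
                    [("Apache httpd", "2.0.58"), ("OpenSSH", "4.3p2")]),
        Constituent("Agency B", "it@agency-b.example", [("Microsoft IIS", "6.0")]),
        Constituent("Province C", "cert@province-c.example",
                    [("Apache httpd", "2.2.3"), ("OpenSSH", "4.2p1")]),
    ]
    advisories = [
        Advisory("ADV-0001", "Apache httpd up to and including 2.0.58",
                 [Affected("Apache httpd", max_version=(2, 0, 58))]),
        Advisory("ADV-0002", "OpenSSH 4.0 through 4.3",
                 [Affected("OpenSSH", (4, 0), (4, 3))]),
    ]
    report = {}
    for adv in advisories:
        route(adv, constituents)
        report[adv.ident] = adv.sent_to
    return report


if __name__ == "__main__":
    print(demo())
```

Because the recipient list is derived from the stored photos rather than typed in per advisory, a constituent that updates its configuration record is automatically included or excluded next time, and the `sent_to` log on each advisory is exactly the report the text wants for later analysis.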

Screenshot: advisory tool

Interested?
Let us know if you are interested in the source code; we are happy to provide you with the template code!


