Results of the GOVCERT.NL project
Making the process structured and improving its quality is important.
We have made a number of "interactive" process flows, which are available for download.
The GOVCERT.NL technical team consists of 7 people: 1 technical team manager and 6 specialists.
We have two operational shifts: an active shift from 09:00 to 23:00 and a standby shift
from 23:00 to 09:00, reachable by mobile phone.
The active shift checks all the sources: websites,
mailing lists and other information. If an item is important, the technical specialist writes an advisory.
A "front-office" duty officer checks the inboxes and system mail and writes advisories first, to help
the person on call.
In the GOVCERT.NL project we put a lot of effort into our national and international network of CSIRTs
and other relevant players in the ICT-security world.
Illustration: Basic process and sources
Our basic process is collecting data from various sources, processing it, and writing advisories and alerts about vulnerabilities in software and hardware, viruses and worms, and other relevant information.
We collect this information from open and closed sources on the Internet.
We check all the sources for new items every two hours. Every mailing list is collected in a separate folder (subscription mailinglistname + specific mailfoldername). This is useful for tracking and tracing when something goes wrong!
For websites we use websitewatcher, an inexpensive tool that automatically browses all the bookmarks and highlights all the changes, which saves a lot of time. There are also open-source scripts on the Internet with the same functionality.
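What such a change-watching script boils down to, as an added example (this is not websitewatcher and not a GOVCERT.NL script): keep a content hash per bookmark so unchanged pages are skipped, and for changed pages highlight the lines that appeared or disappeared since the last visit, ignoring whitespace-only edits. The bookmark URLs and page texts below are constructed; fetching is left to whatever HTTP client you already use.

```python
"""Minimal website-change watcher (added example, not websitewatcher itself).

`stored` holds (fingerprint, text) per bookmark from the previous round;
`fetched` holds the text retrieved now. Only pages whose visible text
changed are reported, with the added and removed lines highlighted.
"""
import difflib
import hashlib


def fingerprint(text):
    """Content hash kept per bookmark so unchanged pages cost one comparison."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def highlight_changes(old_text, new_text):
    """Return (added_lines, removed_lines) between two snapshots.

    Lines are stripped and blank lines dropped first, so reflowed
    whitespace does not show up as a change.
    """
    old_lines = [line.strip() for line in old_text.splitlines() if line.strip()]
    new_lines = [line.strip() for line in new_text.splitlines() if line.strip()]
    added, removed = [], []
    matcher = difflib.SequenceMatcher(None, old_lines, new_lines)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            added.extend(new_lines[j1:j2])
        if tag in ("delete", "replace"):
            removed.extend(old_lines[i1:i2])
    return added, removed


def check_bookmarks(stored, fetched):
    """Compare this round's pages against the store.

    Returns (report, new_store): report maps url -> {"added", "removed"}
    for pages with visible changes; new_store is what to persist for the
    next round (also updated for whitespace-only changes, so they are not
    re-examined every time).
    """
    report = {}
    new_store = dict(stored)
    for url, text in fetched.items():
        fp = fingerprint(text)
        old_fp, old_text = stored.get(url, (None, ""))
        if fp == old_fp:
            continue  # byte-identical: nothing to read
        added, removed = highlight_changes(old_text, text)
        if added or removed:
            report[url] = {"added": added, "removed": removed}
        new_store[url] = (fp, text)
    return report, new_store


def snapshot(text):
    """Store entry for a page text."""
    return (fingerprint(text), text)


# Constructed sample data: two bookmarked pages, previous and current visit.
OLD_VENDOR = "Security advisories\nOlder advisory\n"
NEW_VENDOR = "Security advisories\nNew advisory published today\nOlder advisory\n"
OLD_ARCHIVE = "Archive\n  January\n"
NEW_ARCHIVE = "Archive\nJanuary\n"  # whitespace-only edit, must not be reported

PREVIOUS = {
    "https://vendor.example/security": snapshot(OLD_VENDOR),
    "https://list.example/archive": snapshot(OLD_ARCHIVE),
}
FETCHED = {
    "https://vendor.example/security": NEW_VENDOR,
    "https://list.example/archive": NEW_ARCHIVE,
}

if __name__ == "__main__":
    changes, _ = check_bookmarks(PREVIOUS, FETCHED)
    for url, diff in changes.items():
        print(url)
        for line in diff["added"]:
            print("  + " + line)
        for line in diff["removed"]:
            print("  - " + line)
```

Persist `new_store` between runs (a pickle or JSON file is enough); the duty officer then only reads the reported lines instead of re-reading every bookmarked page.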
We will describe the basic process designed for GOVCERT.NL below. This process consists of the following steps:
- Relevance
- Identification
- Classification
- Filtering
- Media mix
Relevance
As we collect the information, we first ask ourselves: 'Is this information relevant?'
Illustration: Determining relevance
Identification
We check that the source is trustworthy. We have made a list of all our sources and classified them: is the source trusted, can we verify it, or can we trust it implicitly and start writing immediately? We have written a procedure on how to check the variable sources; see the process flow scheme.
Illustration: Identification
Classification
We handle a variety of information, mainly classified, trusted and public. We have rules for how to treat each kind.
If information was sent encrypted, we store it encrypted and check it against trusted PGP keys; trusted information is handled with care and marked as trusted. Every kind of information is handled differently. It's important to be very cautious about information and how to handle it: what you may make public, and whether any disclosure rules are attached to it. It's also wise to keep a list of all the different organisations and describe the rules each organisation uses for distributing information.
Illustration: Classification
Filtering
We use a 'photo'. In this photo we have a list of all the software and servers used by our constituents. On that basis we filter the information by relevance to our customers, so that customers only receive the information that concerns them. We have also made a list for the Waarschuwingsdienst, covering mainly end-user products.
Illustration: Filtering
Illustration: Snapshot of our 'photo'.
The media matrix
After the filtering step, which ensures that the information is relevant to our constituents, we use two matrices.
For De Waarschuwingsdienst (the public and SMEs)
The first is the media mix matrix, which describes what actions to take. It has two axes. One is the objective impact: the technical assessment, is it really a vulnerability, and does it really have an impact on the product and on security?
The other axis is the subjective impact: what is the public's feeling about it, and has the media picked it up? This axis is a more subjective approach to the information. As a national alerting service it is wise to consider such things, because you also have to deal with the commotion that some information can cause in society.
Illustration: Media Matrix
The GOVCERT.NL matrix
Illustration: GOVCERT.NL Matrix (click for the .xls fill-out matrix)
We thought a lot about this matrix and approached it from different perspectives, but finally we came up with this one. We think this is it: simple, efficient, easy to use, and also very understandable for our constituents.
We carry out a risk analysis of the information by asking ourselves the questions in the matrix. We distinguish between risk and damage.
How it works is simple: score all the questions according to their values and add them up. On the right you then see the severity level of the incident.
The overall box describes the risk of actual exploitation. Our advice is as follows:
- High: patch immediately
- Medium: patch within the same day
- Low: patch, but in the regular patch cycle
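The filtering step and the scoring matrix, carried through as one added worked example. This is not GOVCERT.NL's own matrix or code: the yes/no questions, their point values, the High/Medium/Low thresholds and the rule combining the risk and damage scores are assumed stand-ins for the .xls fill-out matrix, and the constituent photo and the sample advisory are constructed (the product names are placeholders, not real software). Only the severity labels and the patch advice are taken from the page.

```python
"""Advisory scoring and constituent filtering (added example, not GOVCERT.NL's matrix).

Two axes are scored separately, risk (of actual exploitation) and damage,
then combined into a severity level with the page's patch advice. The
advisory is then filtered against the constituents' 'photo' so only the
constituents that run an affected product receive it.
"""
from dataclasses import dataclass

# Assumed questions and point values; placeholders for the real matrix.
RISK_QUESTIONS = {
    "remotely_exploitable": 2,
    "exploit_public": 3,
    "no_patch_available": 2,
    "exploited_in_the_wild": 3,
}
DAMAGE_QUESTIONS = {
    "code_execution": 3,
    "privilege_escalation": 2,
    "information_disclosure": 1,
    "denial_of_service": 1,
}

# Advice text per severity level, as given on the page.
ADVICE = {
    "High": "patch immediately",
    "Medium": "patch within the same day",
    "Low": "patch in the regular patch cycle",
}


@dataclass
class Advisory:
    title: str
    affected: list   # (product, version_prefix) pairs
    answers: dict    # question -> True/False; unanswered counts as False


def score(questions, answers):
    """Add up the values of every question answered 'yes'."""
    return sum(points for q, points in questions.items() if answers.get(q, False))


def severity(risk, damage, risk_high=5, damage_high=3):
    """Assumed combination rule: High needs both a high risk of exploitation
    and serious damage; Low if either axis is negligible; Medium otherwise."""
    if risk >= risk_high and damage >= damage_high:
        return "High"
    if risk < 2 or damage < 2:
        return "Low"
    return "Medium"


def affected_constituents(photo, affected):
    """Return constituent -> sorted list of matching products from their photo.

    photo: constituent name -> set of (product, version) they run.
    The version match is a deliberate coarse prefix match ("2.0." covers
    every 2.0.x release), so it errs towards warning rather than missing.
    """
    hits = {}
    for name, inventory in photo.items():
        matches = sorted(
            f"{product} {version}"
            for product, version in inventory
            for a_product, a_prefix in affected
            if product == a_product and version.startswith(a_prefix)
        )
        if matches:
            hits[name] = matches
    return hits


def process(advisory, photo):
    """Score the advisory, decide the severity and select the recipients."""
    risk = score(RISK_QUESTIONS, advisory.answers)
    damage = score(DAMAGE_QUESTIONS, advisory.answers)
    level = severity(risk, damage)
    return {
        "title": advisory.title,
        "risk": risk,
        "damage": damage,
        "severity": level,
        "advice": ADVICE[level],
        "call_customers": level == "High",   # the page: at High, start calling
        "recipients": affected_constituents(photo, advisory.affected),
    }


# Constructed photo and advisory; product names are placeholders.
SAMPLE_PHOTO = {
    "ministry-a": {("product-x", "2.0.52"), ("product-y", "3.9")},
    "ministry-b": {("product-z", "6.0"), ("product-w", "2003")},
    "agency-c": {("product-x", "1.3.33"), ("product-v", "8.13")},
}
SAMPLE_ADVISORY = Advisory(
    title="Constructed sample advisory for product-x 2.0.x",
    affected=[("product-x", "2.0.")],
    answers={
        "remotely_exploitable": True,
        "exploit_public": True,
        "no_patch_available": False,
        "exploited_in_the_wild": False,
        "code_execution": True,
    },
)

if __name__ == "__main__":
    for key, value in process(SAMPLE_ADVISORY, SAMPLE_PHOTO).items():
        print(f"{key}: {value}")
```

With the assumed values the sample advisory scores 5 on risk and 3 on damage, comes out High, and goes only to ministry-a; agency-c runs product-x but an unaffected 1.3.x release, so it is not bothered with it.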
Output
Our output for GOVCERT.NL is an advisory. For a High severity level we also start calling our customers and point them to the advisory we sent.
Illustration: Output
The illustration below shows an example of output, in this case an e-mail alert.
Illustration: Example of output
The complete process flow
We produced a very complete interactive process flow.
It describes the tasks and steps that have to be taken and points you to the necessary documents and procedures.
It also describes who should carry out the tasks and on which systems.
Illustration: Interactive process flow
Interested in the complete clickable sheet?
Included is a .zip file with all the needed folder structure in it and 2 Visio files for your own copy-and-replace ;),
click here!