What Is a CERT Incident?
CERT stands for Computer Emergency Response Team; the same concept is also widely referred to as a CSIRT, or Computer Security Incident Response Team. A CERT incident is any act, whether carried out through electronic or physical means, that violates or poses a threat to a computer network infrastructure. Large corporations, universities and government agencies form incident response teams to install and manage security systems, set policies, train the computer users on the network and fix security issues as they arise.
The Need for CERTs
Keeping an organization’s information assets and network infrastructure secure in today's complex and interconnected computing environment is an enormous challenge. The world depends on computers to the extent that if any operation is hindered, whether by a technical malfunction or a malicious attack on a system, organizations can grind to a halt. Management officials know there is no single solution for securing systems and data; rather, a multi-pronged security strategy is required that touches nearly every part of the organization. One of the layers many organizations include in their strategy is the CERT.
Typical Security Incidents
End users may be insulated from it, but computer networks everywhere face frequent attacks on their security. These include malicious hacking and cracking by a person, team, competitor or country trying to gain unauthorized access to the network to steal or alter data, as well as well-meaning authorized users who make mistakes that threaten network security.
In general, the types of incidents to which CERTs commonly respond include: attempts by outsiders to get inside the system or access its data; disruption or denial of service, meaning any activity by outsiders that sends so many transactions to a network that it is effectively shut down for regular users; unauthorized use of a system for processing or storing data; and unauthorized changes to system hardware or software.
Reporting Systems
CERTs set up many methods to detect vulnerabilities in a system, identify threats and incidents, and "triage" real problems so that a solution can be found. This often begins with computer security software and a team that regularly monitors the system, updates and patches software, and closes gaps in security. In addition, handling CERT incidents requires training staff to be alert for security problems, especially the less obvious forms, such as sharing or writing down passwords or losing organizational equipment. It also requires setting up policies and a system through which others can report issues to the IT team.
Incident Handling
CERTs have many services they can choose to offer, and they differ in how they handle incidents depending on the mission and purpose for which they were created. Typically, CERTs offer reactive, proactive and quality assurance services. Most incident handling falls under reactive services; that is, a CERT incident triggers a coordinated response to resolve the problem. This usually involves taking steps to protect the systems and networks affected or threatened by intruder activity; offering solutions and ways to mitigate the problem; monitoring for intruder activity on other parts of the network; filtering network traffic; reconstructing systems; updating, patching or repairing systems; and developing other workaround strategies.
Comprehensive Model for CERT Incidents
CERT incidents are not always limited to the purview of IT teams. An attack on computer systems may be a serious, malicious act carried out through a large, wide-scale and coordinated effort, or a determined attempt to steal information. Therefore, a CERT incident may need to involve human resources (especially if an insider is implicated), legal counsel, law enforcement and the organization's external communications department. CERT teams also may need to share information and liaise on large incidents with other businesses and government agencies.