What is CSIRT
What is a CSIRT?
CSIRT stands for Computer Security Incident Response Team. CSIRT is the name used predominantly in Europe in place of the protected name CERT© or CERT-CC.
The following abbreviations are used for the same sort of teams:
- CERT© or CERT-CC (Computer Emergency Response Team / Coordination Centre)
- CSIRT (Computer Security Incident Response Team)
- IRT (Incident Response Team)
- CIRT (Computer Incident Response Team)
- SERT (Security Emergency Response Team)
The first major outbreak of a worm in the global ICT infrastructure occurred in the late 1980s. This worm was named after its creator, Morris, and it spread swiftly, effectively infecting a great number of ICT systems around the world.
This incident acted as a wake-up call: suddenly people became aware of a strong need for cooperation and coordination between system administrators and IT managers in order to deal with cases like this. Because time was a critical factor, a more organised and structured approach to handling IT security incidents had to be established. And so, a few days after the “Morris incident”, the Defence Advanced Research Projects Agency (DARPA) established the first CSIRT: the CERT Coordination Centre (CERT/CC), located at Carnegie Mellon University in Pittsburgh (Pennsylvania).
This model was soon adopted within Europe, and in 1992 the Dutch academic provider SURFnet launched the first CSIRT in Europe, named SURFnet-CERT. Many teams followed, and at present ENISA's Inventory of CERT activities in Europe (ENISA Inventory) lists more than 100 known teams located in Europe.
Over the years CERTs extended their capacities from being a mere reaction force to a complete security service provider, including preventative services such as alerts, security advisories, training and security management services. The term “CERT” was soon considered insufficient. As a result, the new term “CSIRT” was established at the end of the 1990s. At the moment both terms (CERT and CSIRT) are used synonymously, with CSIRT being the more precise term.
Definition of a CSIRT
From now on, the term “constituency”, which is well established in the CSIRT communities, will be used to refer to the customer base of a CSIRT. A single customer will be addressed as a “constituent”, a group as “constituents”.
A CSIRT is a team that responds to computer security incidents by providing all necessary services to solve the problem(s) or to support their resolution. In order to mitigate risks and minimize the number of required responses, most CSIRTs also provide preventative and educational services for their constituency. They issue advisories on vulnerabilities and viruses in the software and hardware running on their constituents’ systems. These constituents can therefore quickly patch and update their systems.
This definition is very important for setting the boundaries of what the CSIRT can and will deliver and for ensuring that the needs of the constituency are properly understood. The constituents, for their part, should also clearly understand what the CSIRT will deliver and what its focal points are (“manage expectations”).






