CERT Coordination Center

Company type: FFRDC (part of Software Engineering Institute)
Industry: Software and Network Security
Founded: 1988
Headquarters: Pittsburgh, PA, United States
Key people: US AF Brigadier General (ret) Gregory J. Touhill (Director)
Website: sei.cmu.edu/about/divisions/cert/index.cfm

The CERT Coordination Center (CERT/CC) is the coordination center of the computer emergency response team (CERT) for the Software Engineering Institute (SEI), a non-profit United States federally funded research and development center. The CERT/CC researches software bugs that impact software and internet security, publishes research and information on its findings, and works with businesses and the government to improve the security of software and the internet as a whole.

History

The first organization of its kind, the CERT/CC was created in Pittsburgh in November 1988 at DARPA's direction in response to the Morris worm incident. [1] The CERT/CC is now part of the CERT Division of the Software Engineering Institute, which has more than 150 cybersecurity professionals working on projects that take a proactive approach to securing systems. The CERT Program partners with government, industry, law enforcement, and academia to develop advanced methods and technologies to counter large-scale, sophisticated cyber threats.

The CERT Program is part of the Software Engineering Institute (SEI), a federally funded research and development center (FFRDC) at Carnegie Mellon University's main campus in Pittsburgh. CERT is a registered trademark of Carnegie Mellon University. [2]

Confusion with US-CERT and other CERTs

In 2003, the Department of Homeland Security entered into an agreement with Carnegie Mellon University to create US-CERT. [3] US-CERT is the national computer security incident response team (CSIRT) for the United States of America. This cooperation often causes confusion between the CERT/CC and US-CERT. While related, the two organizations are distinct entities. In general, US-CERT handles cases that concern US national security, whereas CERT/CC handles more general cases, often internationally.

The CERT/CC coordinates information with US-CERT and other computer security incident response teams, some of which are licensed to use the name "CERT". [4] While these organizations license the "CERT" name from Carnegie Mellon University, these organizations are independent entities established in their own countries and are not operated by the CERT/CC.

The CERT/CC established FIRST, an organization promoting cooperation and information exchange between the various National CERTs and private product security incident response teams (PSIRTs).

Capabilities

The research work of the CERT/CC is split up into several different Work Areas. [5] Some key capabilities and products are listed below.

Coordination

The CERT/CC works directly with software vendors in the private sector as well as government agencies to address software vulnerabilities and provide fixes to the public. This process is known as coordination.

The CERT/CC promotes a particular process of coordination known as Responsible Coordinated Disclosure. In this case, the CERT/CC works privately with the vendor to address the vulnerability before a public report is published, usually jointly with the vendor's own security advisory. In extreme cases when the vendor is unwilling to resolve the issue or cannot be contacted, the CERT/CC typically discloses information publicly 45 days after the first contact attempt. [6]

Software vulnerabilities coordinated by the CERT/CC may come from internal research or from outside reporting. Vulnerabilities discovered by outside individuals or organizations may be reported to the CERT/CC using the CERT/CC's Vulnerability Reporting Form. [7] Depending on the severity of the reported vulnerability, the CERT/CC may take further action to address the vulnerability and coordinate with the software vendor.

Knowledge Base and Vulnerability Notes

The CERT/CC regularly publishes Vulnerability Notes in the CERT Knowledge Base. [8] [9] Vulnerability Notes include information about recent vulnerabilities that were researched and coordinated, and how individuals and organizations may mitigate such vulnerabilities.

The Vulnerability Notes database is not meant to be comprehensive.

Vulnerability Analysis Tools

The CERT/CC provides a number of free tools to the security research community. [10] Some tools offered include the following.

Training

The CERT/CC periodically offers training courses for researchers and for organizations looking to establish their own PSIRTs. [11]

Controversies

In the summer of 2014, CERT research funded by the US Federal Government was key to the de-anonymization of Tor, and information subpoenaed from CERT by the FBI was used to take down Silk Road 2.0 that fall. The FBI denied paying CMU to deanonymize users, [12] and CMU denied receiving funding for its compliance with the government's subpoena. [13]

Despite indirectly contributing to taking down numerous illicit websites and the arrest of at least 17 suspects, the research raised multiple issues:

CMU said in a statement in November 2015 that "...the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance", even though Motherboard reported that neither the FBI nor CMU explained how the authorities first learned about the research and then subpoenaed the appropriate information. [13] In the past, SEI had also declined to explain the nature of this particular research in response to press inquiries, saying: "Thanks for your inquiry, but it is our practice not to comment on law enforcement investigations or court proceedings." [16]

References

  1. "About Us: The CERT Division". Software Engineering Institute. Carnegie Mellon University. Retrieved March 9, 2015.
  2. "Trademarks and Service Marks". Software Engineering Institute. Carnegie Mellon University. Retrieved December 7, 2014.
  3. "U.S. Department of Homeland Security Announces Partnership with Carnegie Mellon's CERT Coordination Center". SEI Press Release. Carnegie Mellon University. September 15, 2003. Retrieved December 7, 2014.
  4. "National CSIRTs". Carnegie Mellon University. September 18, 2014. Retrieved March 9, 2015.
  5. CERT/CC. "The CERT Division". Retrieved March 9, 2015.
  6. "Vulnerability Disclosure Policy". Software Engineering Institute. Carnegie Mellon University. Retrieved March 9, 2015.
  7. "CERT Coordination Center".
  8. "Vulnerability Notes Database". Software Engineering Institute. Carnegie Mellon University. Retrieved October 27, 2017.
  9. Cory Bennett (November 3, 2014). "New initiative aims to fix software security flaws". The Hill. Retrieved December 6, 2014.
  10. "Vulnerability Analysis Tools". Software Engineering Institute. Carnegie Mellon University. Retrieved March 9, 2015.
  11. "CERT Training Courses". Software Engineering Institute. Carnegie Mellon University. Retrieved March 9, 2015.
  12. "FBI: 'The allegation that we paid CMU $1M to hack into Tor is inaccurate'". Ars Technica. November 14, 2015.
  13. "US defence department funded Carnegie Mellon research to break Tor". The Guardian. February 25, 2016.
  14. Dingledine, Roger (November 11, 2015). "Did the FBI Pay a University to Attack Tor Users?". Tor Project. Retrieved November 20, 2015.
  15. Felten, Ed (July 31, 2014). "Why were CERT researchers attacking Tor?". Freedom to Tinker, Center for Information Technology Policy, Princeton University.
  16. "Court Docs Show a University Helped FBI Bust Silk Road 2, Child Porn Suspects". Motherboard. November 11, 2015. Retrieved November 20, 2015.