The CERT Coordination Center (CERT/CC) is the coordination center of the computer emergency response team (CERT) for the Software Engineering Institute (SEI), a non-profit United States federally funded research and development center. The CERT/CC researches software bugs that affect software and internet security, publishes research and information on its findings, and works with business and government to improve the security of software and of the internet as a whole.
History
The first organization of its kind, the CERT/CC was created in Pittsburgh in November 1988 at DARPA's direction in response to the Morris worm incident. The CERT/CC is now part of the CERT Division of the Software Engineering Institute, which has more than 150 cybersecurity professionals working on projects that take a proactive approach to securing systems. The CERT Program partners with government, industry, law enforcement, and academia to develop advanced methods and technologies to counter large-scale, sophisticated cyber threats.
The CERT Program is part of the Software Engineering Institute (SEI), a federally funded research and development center (FFRDC) at Carnegie Mellon University's main campus in Pittsburgh. CERT is a registered trademark of Carnegie Mellon University.
Confusion with US-CERT and other CERTs
In 2003, the Department of Homeland Security entered into an agreement with Carnegie Mellon University to create US-CERT. US-CERT is the national computer security incident response team (CSIRT) for the United States of America. This cooperation often causes confusion between the CERT/CC and US-CERT. While related, the two organizations are distinct entities. In general, US-CERT handles cases that concern US national security, whereas the CERT/CC handles more general cases, often internationally.
The CERT/CC coordinates information with US-CERT and other computer security incident response teams, some of which are licensed to use the name “CERT.” While these organizations license the "CERT" name from Carnegie Mellon University, these organizations are independent entities established in their own countries and are not operated by the CERT/CC.
The CERT/CC established FIRST, an organization promoting cooperation and information exchange between the various national CERTs and private product security incident response teams (PSIRTs).
Capabilities
The research work of the CERT/CC is split up into several different Work Areas. Some key capabilities and products are listed below.
Coordination
The CERT/CC works directly with software vendors in the private sector as well as government agencies to address software vulnerabilities and provide fixes to the public. This process is known as coordination.
The CERT/CC promotes a particular process of coordination known as ''Responsible Coordinated Disclosure''. Under this process, the CERT/CC works privately with the vendor to address the vulnerability before a public report is published, usually jointly with the vendor's own security advisory. In extreme cases, when the vendor is unwilling to resolve the issue or cannot be contacted, the CERT/CC typically discloses the information publicly 45 days after its first contact attempt.
Software vulnerabilities coordinated by the CERT/CC may come from internal research or from outside reporting. Vulnerabilities discovered by outside individuals or organizations may be reported to the CERT/CC using the CERT/CC's Vulnerability Reporting Form. Depending on severity of the reported vulnerability, the CERT/CC may take further action to address the vulnerability and coordinate with the software vendor.
Knowledge Base and Vulnerability Notes
The CERT/CC regularly publishes Vulnerability Notes in the CERT KnowledgeBase. Vulnerability Notes include information about recent vulnerabilities that were researched and coordinated, and how individuals and organizations may mitigate such vulnerabilities.
The Vulnerability Notes database is not meant to be comprehensive.
Vulnerability Analysis Tools
The CERT/CC provides a number of free tools to the security research community. Some tools offered include the following.
* CERT Tapioca—a pre-configured virtual appliance for performing man-in-the-middle attacks. It can be used to analyze the network traffic of software applications and determine whether the software uses encryption correctly, for example whether it validates TLS certificates.
* BFF (Basic Fuzzing Framework)—a mutational file fuzzer for Linux
* FOE (Failure Observation Engine)—a mutational file fuzzer for Windows
* Dranzer—a tool for discovering vulnerabilities in Microsoft ActiveX controls
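As an added illustration of what a mutational file fuzzer such as BFF or FOE does (this is example code written for this page, not CERT/CC's own tools), the following Python sketch mutates a seed file, feeds each mutant to a target parser, and records any unexpected exception as a crash. The target parser, its length-field bug, and the seed record are constructed for the example; the deterministic bit-walk followed by a randomized "havoc" stage mirrors the common structure of such fuzzers rather than any specific BFF internals.

```python
"""Minimal mutational file fuzzer (added example, not CERT/CC code).

A seed file is mutated and each mutant is fed to a target parser; any
exception other than the parser's own input-rejection error is a crash.
"""
import random
from typing import Callable, Iterator, Optional

Target = Callable[[bytes], object]

# Byte values that commonly trigger boundary bugs in length/size fields.
INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)


def deterministic_stage(seed: bytes) -> Iterator[bytes]:
    """Walk every bit of the seed, flipping exactly one bit per candidate."""
    for pos in range(len(seed)):
        for bit in range(8):
            buf = bytearray(seed)
            buf[pos] ^= 1 << bit
            yield bytes(buf)


def havoc(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random mutations drawn from a small, typical menu."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and buf:                      # flip a random bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:                    # overwrite with an interesting byte
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
        elif op == 2:                            # insert a short random chunk
            pos = rng.randint(0, len(buf))
            buf[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 4)))
        elif op == 3 and len(buf) > 1:           # delete a short chunk
            pos = rng.randrange(len(buf))
            del buf[pos:pos + rng.randint(1, 4)]
    return bytes(buf)


def fuzz(seed: bytes, target: Target, iterations: int = 2000,
         rng_seed: int = 0) -> Optional[bytes]:
    """Return the first input that makes `target` crash, or None.

    Candidates are the deterministic bit-walk first, then `iterations`
    randomized havoc mutants from a seeded RNG so runs are reproducible.
    """
    rng = random.Random(rng_seed)
    candidates = list(deterministic_stage(seed))
    candidates += [havoc(seed, rng) for _ in range(iterations)]
    for data in candidates:
        try:
            target(data)
        except ValueError:
            continue                # rejected input: expected behaviour
        except Exception:
            return data             # anything else is a crash worth triage
    return None


def vulnerable_parser(buf: bytes) -> int:
    """Toy length-prefixed record that trusts its length byte (constructed bug)."""
    if not buf:
        raise ValueError("empty record")
    length = buf[0]
    payload = buf[1:1 + length]
    return payload[length - 1]      # IndexError when the payload is short or empty


def fixed_parser(buf: bytes) -> int:
    """Same record format with the length field validated before use."""
    if not buf:
        raise ValueError("empty record")
    length = buf[0]
    payload = buf[1:1 + length]
    if length == 0 or len(payload) != length:
        raise ValueError("bad length field")
    return payload[length - 1]


if __name__ == "__main__":
    SEED = b"\x04abcd"              # constructed seed: length 4, payload "abcd"
    print("vulnerable:", fuzz(SEED, vulnerable_parser))
    print("fixed:     ", fuzz(SEED, fixed_parser))
```

Against `vulnerable_parser` the very first deterministic candidate (the seed with the low bit of its length byte flipped, so it claims five payload bytes but carries four) crashes the parser; against `fixed_parser`, which checks the declared length against the bytes actually present, no candidate crashes, which is what a run against a hardened target should look like. Real fuzzers add coverage feedback, crash deduplication and a corpus of seeds, but the mutate-run-observe loop is the same.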
Training
The CERT/CC periodically offers training courses for researchers, or organizations looking to establish their own PSIRTs.
Controversies
In the summer of 2014, CERT research funded by the US federal government was key to the de-anonymization of Tor, and information subpoenaed from CERT by the FBI was used to take down Silk Road 2.0 that fall. The FBI denied paying to de-anonymize users, and CMU denied receiving funding for its compliance with the government's subpoena.
Despite indirectly contributing to the takedown of numerous illicit websites and the arrest of at least 17 suspects, the research raised multiple issues:
* about computer security research ethics, as a concern to the Tor community and others
* about being unreasonably searched online, as related to the guarantee of the US Fourth Amendment
* about SEI/CERT acting at cross-purposes to its own missions, its actions including withholding the vulnerabilities it had found from the software implementers and the public
CMU said in a statement in November 2015 that "...the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance", even though Motherboard reported that neither the FBI nor CMU explained how the authority first learned about the research and then subpoenaed for the appropriate information.
In the past, SEI had also declined to explain the nature of this particular research in response to press inquiries, saying: "Thanks for your inquiry, but it is our practice not to comment on law enforcement investigations or court proceedings."
See also
* CERT C Coding Standard
* Computer Emergency Response Team
* Computer security