CERTs and CIRTs: homonyms but not synonyms, Part 1

Opinion
Jan 13, 20053 mins

* The difference between CERTs and CIRTs

One of my fellow instructors in the Master of Science in Information Assurance program at Norwich University recommended this paper by Staff Sergeant Cory Mazzola of the U.S. Air Force. Here is his article in two parts.

* * *

Although the terms CERT (Computer Emergency Response Team) and CIRT (Computer Incident Response Team) are often interchanged synonymously, there exists a distinct difference between the two.

The “CERT” acronym is registered in the U.S. Patent and Trademark Office for exclusive use by the Software Engineering Institute at Carnegie Mellon University. As such, the term is typically reserved for the predominant computer security organizations and entities throughout the various global sectors of government, commerce, and academia. All organizations wishing to use “CERT” in their team name must request permission through the CERT/CC authorities.

The term “CIRT,” in comparison, is much more generic and has often been adopted and used by many outside organizations, both large and small. It is also sometimes spelled CSIRT, for “Computer Security Incident Response Team.” A striking difference is in the breadth and scope of duty and responsibility, as illustrated in these CERT and CSIRT charters:

“The CERT charter is to work with the Internet community to facilitate its response to computer security events involving Internet hosts, to take proactive steps to raise the community’s awareness of computer security issues and to conduct research targeted at improving the security of existing systems,” explains HyperDictionary.com. “CERT products and services include 24-hour technical assistance for responding to computer security incidents, product vulnerability assistance, technical documents and tutorials.”

https://www.hyperdictionary.com/dictionary/Computer+Emergency+Response+Team

“A Computer Security Incident Response Team (CSIRT) is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity. Their services are usually performed for a defined constituency that could be a parent entity such as a corporation, governmental, or educational organization; a region or country; a research network; or a paid client,” according to the CERT/CC. “A CSIRT can be a formalized team or an ad hoc team. A formalized team performs incident response work as its major job function. An ad hoc team is called together during an ongoing computer security incident or to respond to an incident when the need arises.”

https://www.cert.org/csirts/csirt_faq.html#1

Evolution of the CERT Function and Naming Convention

CERT/CC’s background documentation details the beginnings of the CERT:

“Following the Morris worm incident, which brought 10% of internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents.”

https://www.cert.org/meet_cert/meetcertcc.html

The following month, the CERT Coordination Center (CERT/CC) was founded within the SEI at Carnegie Mellon University. The CERT/CC, which has generally become known as _the_ CERT, has accrued a longstanding reputation as a global leader in coordinated response, vulnerability analysis, security practices and evaluations, survivability analysis and research, and training and education.

The CERT/CC plays an indispensable role in protecting and governing high-level security processes and practices at the Internet and global information grid level, often exporting its expertise and invention to the benefit of the computer security community, as well as the parent organization and world. The security umbrella of the CERT/CC, and subsequent CERTs founded around the world following the model of the CERT/CC, greatly outweighs the limited capabilities demonstrated by many CIRTs.

More in the second part of this article.