[Bp_certs] Launch - IGF Best Practices - CERTS

Robert Guerra rguerra at privaterra.org
Wed Jul 2 09:23:12 EDT 2014


I echo the concerns others have mentioned in regards to national (i.e. govt)
run CERTs.

We have seen the surveillance revelations over the last year document a
weakening of standards and a severe loss of trust. This needs to be
regained.

IMHO this can only happen with CERTs and the larger technical community
readjusting their threat model, being more independent from govt, and
improving collaboration and sharing best practices with a larger audience.

Some of these issues were discussed at a workshop session that I moderated
at last year's IGF in Bali.

If I recall well, Yuri Ito with JP CERT certainly mentioned her great concern
with trust being lost and sharing of reported critical vulnerabilities
being withheld due to national security interests in more than one country.

The session came up with a set of recommendations, which I believe would be
good to discuss.

Regards

Robert


Sent from my iPhone

On Jul 2, 2014, at 7:56 AM, Jahangir Hossain <jrjahangir at gmail.com> wrote:

+1 Niel, but if we think of a national CERT, then the initial thinking would be
a government-owned CERT, because they have acceptance and rights to all
stakeholders.

Regards // Jahangir Hossain | Bangladesh
http://bd.linkedin.com/in/jrjahangir

On Wed, Jul 2, 2014 at 5:13 PM, Niel Harper <harper at isoc.org> wrote:

> Hello Asama,
>
> There are many types of CERTs which are in operation across the world.
> There are private sector CERTs that respond to cybersecurity incidents
> within small, medium and large enterprises, and provide a range of services
> to resolve said issues. There are also academic CERTs that are generally
> comprised of universities, colleges, other schools, and NRENs. Commercial
> CERTs provide their services to anyone who is willing to pay for them. This
> is by no means an exhaustive list, but just to demonstrate the range and
> diversity of CERTs.
>
> The national CERT comprises all sectors, and in the case of computer
> security incidents, it serves as the overall point of contact for every
> person and organization within the country and particularly for those
> making formal requests from outside of the country. It coordinates the
> relationships with other CERTs in the country, and facilitates the exchange
> of information and best practices to augment the overall national response
> to cybersecurity incidents.
>
> The term "eligibility" doesn't necessarily apply, because a national CERT
> should be willing to work with any other legitimate CERT, and this
> legitimacy will come from the CERT's constituency who accepts its authority
> and responsibility for addressing and resolving cybersecurity incidents
> within that specific domain.
>
> Hope this helps.
>
> Regards,
>
> -----------------------------
> Niel Harper
> Senior Manager, Next Generation Leaders Programmes
> Internet Society
> 1775 Wiehle Avenue
> Reston, VA
> Email: harper at isoc.org
> Skype: OlokunBB
> http://www.linkedin.com/in/nielharper
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 2 Jul 2014 02:59:54 +0000
> From: Karen Mulberry <mulberry at isoc.org>
> To: excel asama <excelasama at yahoo.fr>
> Cc: "bp_certs at intgovforum.org" <bp_certs at intgovforum.org>
> Subject: Re: [Bp_certs] Launch - IGF Best Practices - CERTS
>
> Dear Asama,
>
> I am only familiar with national and regional CERTs so that was the
> context in which I provided my thoughts. I think that the fundamental
> premise that a CERT is built upon is trust. Trust in its members and in
> the information that is exchanged. As for other organizations or groups
> such as civil society, yes - I think they too could develop a trust-based
> CERT to exchange information and provide risk assessment and support to
> others who are under attack.
>
>
> Karen Mulberry
> Policy Advisor
> Internet Society
> mulberry at isoc.org
> tel: +1.303.668.8855
> www.isoc.org
>
> On Jul 1, 2014, at 5:45 PM, excel asama <excelasama at yahoo.fr> wrote:
>
> Hi Karen,
>
> I agree with your proposition. Permit me to add that it is also important to
> clarify or define issues at this fundamental stage of our conversation.
> My doubts are related to the words "national" and "regional" CERTs.
> When you talk of national CERTs, are you referring to the government-owned
> CERTs?
>
> Can civil society and/or private sectors develop acceptable CERTs to this
> alliance?
> What are the eligibility criteria, etc.?
>
>
> _______________________________
> ASAMA  A. EXCEL
> Netsquared/Techsoup Ambassador-Africa
> Founding President, I-Vission International.
> Box 13040, DOUALA-CAMEROON
> Tel: (+237) 76 14 26 23
> My blog: www.excelasama.wordpress.com
> Website: www.ivission.net
> Photos Album: www.flickr.com/ivission
> Twitter: www.twitter.com/ivission
>
>
> On Wednesday, 2 July 2014 at 1:01, Karen Mulberry <mulberry at isoc.org> wrote:
>
>
> Constance,
>
> Thank you for getting the group organized.
>
> I think the best approach to get us started might be to start a discussion
> on the definition of the issue under the "Establishing and supporting
> Computer Emergency Response Teams (CERTS) for internet security"
>
> We need to identify what it is that we will be framing in a draft outcome
> report for the IGF meeting in September.
>
> Here are some thoughts on CERTs to start the exchange:
>
> - The formation of national and regional CERTs provides an early warning
> system to companies and users on monitoring and reporting the detection of
> security vulnerabilities and intrusion attempts.
> - The details shared through the CERT by trusted providers assist
> investigators, forensics and law enforcement in dealing with cyber crime
> and in supporting network security responses to threats encountered on the
> Internet
>
> The issue as I see it is that without the secure and trusted information
> exchanged through the CERT, the exchange of encountered data threats, early
> warning notices and support for the risks encountered will not be there for
> networks, ISPs and law enforcement to work together to deal with the threat
> to the Internet and its users.
>
> I would welcome more expert insight on the issue of CERTs and how the
> problem statement should be framed for the work going forward in this group.
>
> Karen Mulberry
> Policy Advisor
> Internet Society
> mulberry at isoc.org
> tel: +1.303.668.8855
> www.isoc.org
>
> On Jun 30, 2014, at 1:58 PM, Constance Bommelaer <bommelaer at isoc.org> wrote:
>
>
> Dear colleagues,
>
> Thank you for joining the preparatory process of the IGF Best Practices
> Forum on "Establishing and Supporting CERTS for Internet security".
>
> I would like to start by introducing the Lead Experts of this process,
> Cristine Hoepers <https://www.linkedin.com/pub/cristine-hoepers/8/b4a/513>
> (General Manager of the Brazilian CERT), Maarten Van Horenbeeck
> <https://www.linkedin.com/profile/view?id=1118895&authType=NAME_SEARCH&authToken=8a7I&locale=en_US&srchid=19223731404158138028&srchindex=1&srchtotal=1&trk=vsrp_people_res_name&trkInfo=VSRPsearchId%3A19223731404158138028%2CVSRPtargetId%3A1118895%2CVSRPcmpt%3Aprimary>
> (Chair of FIRST) and Adli Wahid
> <https://www.linkedin.com/profile/view?id=17789531&authType=NAME_SEARCH&authToken=04BU&locale=en_US&srchid=19223731404158185107&srchindex=1&srchtotal=3&trk=vsrp_people_res_name&trkInfo=VSRPsearchId%3A19223731404158185107%2CVSRPtargetId%3A17789531%2CVSRPcmpt%3Aprimary>
> (member of the FIRST SC).
>
> The Lead Experts, supported by independent consultants, will engage with
> the community in a view to exchanging on existing practices and discussing
> ways to further collaborate. A discussion of unintended consequences, both
> positive and negative, of mistakes that were made and of lessons learned
> will further enrich an understanding of what has been accomplished. The
> means employed to achieve a solution are as important as a learning
> experience as the actual ends achieved (see attachment).
> Between now and beginning of September, the communities will work through
> mailing lists and online virtual meetings. The discussion will be documented
> by independent experts and feed into five 90 minute sessions in Istanbul,
> that will in turn report into a Best Practices wrap up session.  A summary
> booklet/handout on each Best Practice discussions/sessions is also one of
> the intended outcomes to be published after the IGF 2014 meeting.
>
> Immediate asks to all participants:
>
>   *   Respond to the questions attached in the common template for Best
> Practices Forums.
>   *   Send contributions on existing Best Practices, either from the
> public or the private sector, to start documenting the discussion.
>   *   Invite other colleague experts to join this list:
> http://www.intgovforum.org/cms/open-call-to-join-igf-best-practices-forums-preparatory-process
>
> Next Steps:
>
>   *   Lead Experts will conduct the discussions on this list.
>   *   They will also work with the IGF Secretariat to set-up regular
> webinars including all participants.
>
> Best regards,
>
> --
> Constance Bommelaer
> Senior Director, Global Policy Partnerships
> The Internet Society
> www.isoc.org
>
>
>
>
> <BPF-Reporting-Template.docx>_______________________________________________
> Bp_certs mailing list
> Bp_certs at intgovforum.org<mailto:Bp_certs at intgovforum.org>
> http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org
>
>


