[Bp_certs] Contents of Bp_certs digest - Problem Management
Olawale Bakare
wales.baky at googlemail.com
Tue Jul 22 11:34:42 EDT 2014
Hi Everyone,
Let me add this to the ongoing discussion.
The CERT practice discussion should vary and evaluate the existing
practices either at regions or nations.
And I think it is highly important to focus on management strategies that are
in existence and currently being adopted by them, in particular on:
1. incidents occurrence
2. how do such systems work around problems? However, the objectives of
problem management should address:
a. the amount of recurring incidents, do the systems eliminate them?
b. incidents impossible to resolve?
c. what level of impact of incidents that look so unavoidable?
Your thoughts?
Regards,
'Wale
On Mon, Jul 21, 2014 at 12:08 PM, <bp_certs-request at intgovforum.org> wrote:
> Today's Topics:
>
> 1. Re: About types of CERTs (Rohana Palliyaguru)
> 2. Re: Private sector CSIRT/PSIRT teams (Jahangir Hossain)
> 3. Re: Private sector CSIRT/PSIRT teams (Mirosław Maj)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 21 Jul 2014 11:20:39 +0530
> From: Rohana Palliyaguru <rohana at cert.gov.lk>
> To: bp_certs at intgovforum.org
> Subject: Re: [Bp_certs] About types of CERTs
> Message-ID: <53CCAA2F.2000701 at cert.gov.lk>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Dear all,
>
> During the past 8 years we have observed the security incidents reported
> to us. It is found that if a particular sector such as banking and
> finance, education, health, military, etc. is taken, the incidents are
> very common.
>
> In some sectors they are very reluctant to report incidents to any other
> party because they do not need to damage their reputation at any cost.
> Specially in the banking sector there are frauds of millions of bugs
> but they keep quiet and bear the loss. But as a national perspective it
> is a loss to the country's economy. At the same time if they can share
> their incidents/information with a trusted body who will disseminate the
> information to the other relevant parties without disclosing the
> original source, others can also prepare and escape from such incidents.
>
> In Sri Lanka we have developed a sector based CSIRT concept and already
> established a BankCSIRT (www.bankcsirt.lk) for the banking and financial
> sector which may deal with reported incidents independently. They do not
> need to report any incident/information to Sri Lanka CERT, unless they
> are expecting any support from us.
>
> As the national CERT we have already established many contacts with
> other international bodies and hence we support the bankCSIRT (or any
> sector based CSIRT) through coordinating incidents if they request. Also
> we support them to develop and improve their IS standards compliance.
>
> From the past experience we have identified that any country who is
> seeking for support to resolve any information security matter related
> to a particular economy, normally contact the relevant POC of that
> country. The POC may be its national CERT|CC, who will play the
> coordination role to support such requests. For example if it is related
> to any bank in our economy, we can easily coordinate with the BankCSIRT.
> Hence the international entities who need to get help for cyber security
> matters related to our economy do not need to keep a huge list of
> contacts (eg: ISPs, Banks etc).
>
> Best regards,
>
> --
> Rohana Palliyaguru
> Manager Operations & Principal Information Security Engineer
> Sri Lanka CERT|CC
> Room 4-112, BMICH, Bauddhaloka Mawatha, Colombo 07, Sri Lanka.
> Tel : +94 112 691 692 Fax: +94 112 691 064
> e-mail: rohana at cert.gov.lk Website: www.cert.gov.lk
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 21 Jul 2014 16:15:10 +0600
> From: Jahangir Hossain <jrjahangir at gmail.com>
> To: Maarten Van Horenbeeck <maarten at first.org>
> Cc: "bp_certs at intgovforum.org" <bp_certs at intgovforum.org>
> Subject: Re: [Bp_certs] Private sector CSIRT/PSIRT teams
> Message-ID: <CAG5EbHKMZcsiGnFGpesZhbGx9fi6Mn+LUpGv5vgdDzN6Pt8p+A at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Thanks Maarten for sharing this information.
>
> I am Jahangir Hossain, working in IP Transit/Solution provider as technical
> person, also involved in a couple of civil society organizations in BD. As a
> technical and civil society representative I have some observations about
> private sector CSIRT/PSIRT teams by considering developing country
> experience where security aspect is now growing.
>
> For example, in our country like Bangladesh we have an active private sector
> CERT named Bangladesh Computer Emergency Response Team (bdCERT) which is
> collaboratively working with APCERT, OIC-CERT and others; we also have a
> government owned CERT named Bangladesh Computer Security Incident Response
> Team (BD-CSIRT) which is also collaboratively working with APCERT, OIC-CERT
> but not so active.
>
> The problem is to validate or authority the private CERT compared to Govt.
> owned CERT into local stakeholders, especially at national level, to mitigate any
> security related issue. This is because initially Govt. owned organizations
> like CERT have the authority to ask/share any information to other
> stakeholders. In private sector, CERT is also working fine at national level
> but they have a limitation about authority to ask/share any information of
> other stakeholders.
>
> For example, if a private sector CERT (national level) requests to share
> information from Google, Microsoft, Yahoo or other international
> reputed Service provider to mitigate an attack which occurred at national
> level then most of the time it is unable to get the information on time because of
> their authority. I think we need to find out the way to resolve this but I
> am really happy to see the member list of FIRST which makes new ERA in my mind.
> Personally it might be the same challenges in private enterprise CSIRT
> into developing country.
>
> Yes, I agree with your point, i.e. "National CSIRT teams can pass along
> reports to the enterprise CSIRT managing the network from which the attack
> originates"; also ISO/IEC can play an important role regarding
> Product security (PSIRT).
>
>
>
>
> Regards // Jahangir Hossain | BD
>
>
>
>
>
>
> On Wed, Jul 16, 2014 at 9:52 AM, Maarten Van Horenbeeck <maarten at first.org> wrote:
>
> > Hi everyone,
> >
> > I'd also like to thank you for participating in the IGF CERTs BPF.
> >
> > Following up to Cristine's point, I briefly wanted to cover
> > another type of CSIRT team that contributes to internet security.
> > There are CSIRT teams which have a more narrow constituency and
> > because of that offer specialized contributions to internet security.
> >
> > A great example of these are private sector, enterprise incident
> > response teams. Enterprise CSIRTs generally have as their
> > constituency either the customers of an enterprise, or the
> > employees and networks belonging to the enterprise.
> >
> > There are two important roles an enterprise CSIRT generally elects
> > to take:
> >
> > (i) Product security (PSIRT): Enterprises which develop software
> > or hardware products generally will have an incident response team
> > for product security issues- investigating and addressing
> > vulnerabilities or weaknesses in products which may be exploited
> > and expose their customers to risk.
> >
> > (ii) Computer/Network security (CSIRT): Enterprises will often
> > maintain an incident response team to respond to security breaches
> > and incidents across their enterprise network.
> >
> > In addition, some enterprise CSIRT teams provide incident response
> > services directly to customers of the enterprise. For instance, a
> > corporation which provides IT services may also provide incident
> > response services and develop a fully staffed and resourced
> > incident response team to support its customers.
> >
> > While a national CSIRT will often take a coordinating role- and
> > due to its prominence will be the team internet users
> > internationally often reach out to in order to report an issue,
> > many networks are privately owned, and actual incident handling,
> > investigations and forensic efforts may need to be performed by
> > the organization managing the network. This is often an enterprise
> > CSIRT. National CSIRT teams can pass along reports to the
> > enterprise CSIRT managing the network from which the attack
> > originates either manually, through personal contacts, or through
> > automated mechanisms (such as e-mail or more structured exchange
> > mechanisms, driven using tools such as AbuseHelper or Megatron).
> >
> > In addition, most products are developed in the private sector.
> > When a vulnerability is exploited in such product, the victim
> > under attack may reach out to the corporation who built the
> > exploited product, to notify them of the vulnerability and request
> > a fix. In some cases, when a vulnerability affects many vendors,
> > the victim may choose to report the vulnerability to a
> > vulnerability coordinator instead, who coordinates addressing the
> > issue. Many national CSIRT teams have a vulnerability coordination
> > role (often, but not always, indicated by /CC at the end of the
> > name, which stands for Coordination Center).
> >
> > In those cases, the vulnerability coordinator will work with any
> > private sector product security response teams affected to ensure
> > the vulnerability is addressed (CERT-FI's vulnerability
> > coordination policy is a good example:
> > https://www.viestintavirasto.fi/images/certfipdftiedostot/5md66C89r/CERT-FI_Vulnerability_Coordination_Policy.pdf
> > ).
> >
> > Private sector CSIRT and PSIRT teams can also provide expertise in
> > areas of deep specialization. National CSIRT teams, due to the
> > size and heterogeneity of their constituency, have to support a
> > wide set of technologies. They tend to specialize in a few
> > services and skills most relevant to their constituency, and have
> > wide coverage of technologies. In the private sector, teams can
> > specialize in specific technologies they have unique knowledge of,
> > as they build the technology or heavily rely on it internally.
> > This makes that they may be uniquely placed to assist national
> > CSIRT teams and the wider community in investigating an incident
> > on a particular platform or application. Product security teams
> > also often release advisories and bulletins notifying customers of
> > new vulnerabilities that have been identified or fixed. National
> > CSIRT's can take that information, and use it to advise their
> > constituency accordingly on the risks involved, sometimes
> > localizing (both in language or technology context) the information.
> >
> > These private sector teams often work with the community of
> > CSIRT's by participating in the same forums many of the national
> > CSIRT teams do. Two examples of this are FIRST, the Forum of
> > Incident Response and Security Teams, and Trusted Introducer:
> >
> > http://www.first.org/members/teams
> > https://www.trusted-introducer.org/directory/index.html
> >
> > There are also more integrated organizations which develop
> > cross-company incident response plans for vulnerabilities which
> > affect more than a single vendor. An example of such an
> > organization is ICASI (http://www.icasi.org/projects#usirp) which
> > developed a Unified Security Incident Response Plan (USIRP) for
> > use across its member companies.
> >
> > Also of interest, there has recently been some work performed in
> > the International Organization for Standardization (ISO) to
> > develop guidelines on how to process and resolve vulnerability
> > information in a product or service (ISO/IEC 30111:2013) and on
> > methods vendors should use to address issues related to
> > vulnerability disclosure (ISO/IEC 29147:2014).
> >
> > I'm interested in hearing from the civil society members of this
> > forum- do you see similar teams developing in civil society? Do
> > you work with national or private sector incident response teams?
> >
> > I look forward to continuing this discussion, and learning from
> > everyone's experiences.
> >
> > Best regards,
> > Maarten
> ------------------------------
>
> Message: 3
> Date: Mon, 21 Jul 2014 13:08:15 +0200
> From: Mirosław Maj <miroslaw.maj at cybsecurity.org>
> To: Jahangir Hossain <jrjahangir at gmail.com>
> Cc: "bp_certs at intgovforum.org" <bp_certs at intgovforum.org>
> Subject: Re: [Bp_certs] Private sector CSIRT/PSIRT teams
> Message-ID: <53CCF49F.2090002 at cybsecurity.org>
> Content-Type: text/plain; charset=UTF-8
>
> Dear Colleagues,
>
> Important topic mentioned by Jahangir.
>
> IMHO one of the best solutions to deal with this problem is to follow an
> official constituency of the particular (does not matter gov/national
> or private) CERT. Your authority of acting as a CERT for the
> constituency should be enough and required at the same time to
> ask/request/be_asked regarding this constituency.
>
> Kind Regards
> Miroslaw Maj
> --
> Cybersecurity Foundation
> 20 Tytoniowa Str
> 04-228 Warsaw, Poland
> tel: +48 22 112 0 800
> mobile: +48 608 508 702
> e-mail: miroslaw.maj at cybsecurity.org
> www: http://www.cybsecurity.org/
>
> End of Bp_certs Digest, Vol 2, Issue 16