[Bp_certs] About types of CERTs

Andrew Cormack Andrew.Cormack at ja.net
Thu Jul 24 13:29:02 EDT 2014


> -----Original Message-----
> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of
> Robin M. Ruefle
> Sent: 24 July 2014 16:37
> To: Cristine Hoepers; bp_certs at intgovforum.org
> Subject: Re: [Bp_certs] About types of CERTs
> 
> Hello all,
> 
> This is a great discussion and certainly providing a lot of food for
> thought.  I hadn't really thought previously about the need to define
> different types of National CSIRTs, just like we define different types
> of CSIRTs.  I think outlining these different types would be very
> beneficial for the community to increase understanding but also to
> provide better awareness and training materials for not only those
> starting or deciding to start a CSIRT - but those in the government or
> other management areas who need to understand these differences and
> similarities - and the usefulness and "mission" of each type.

And to those trying to reach out to a particular CSIRT role in another country. In theory you should be able to tell the difference from the 'constituency' definition in RFC2350, but I suspect it'd be easier to have distinct names for each role so that 'national CERTs' could flag up which they were.
 
> I am reminded of a conversation I had recently about a CSIRT which was
> located within the Federal Police, even though they were acting as a
> National presence for certain activities, they were not interested in
> doing so for engaging the public, handling public incidents, or doing
> awareness and training and outreach. Instead they were actively
> encouraging the development of what I think you are calling the "good
> old CSIRT" to handle those particular activities.   The Federal Police
> CSIRT was more interested in threat intelligence and defense
> activities. But they wanted to see this other CSIRT in operation as a
> partner.  Now, I know some others with similar CSIRTs within law
> enforcement or intelligence, do not always feel that way.
> 
> I think it would be interesting to get some perspective from people in
> some of the countries where there are multiple CSIRT teams handling
> different communities.

In the past the UK has had separate CERTs for 'government network' and 'critical infrastructure' and the experience is confusing!

> Through this discussion I am really getting the feeling that defining
> these different types of National CSIRTs is an area that has been
> greatly lacking in the literature and that perhaps with more
> information available - people will have a better understanding.
> 
> There is a lot of good information in the emails that are being
> exchanged. I think we can take a lot of that information and put it
> into a document that gives an overall view of "National" CSIRTs, what
> they can be, their different activities, focus, and constituencies, and
> the general thought that having one is not enough in today's world. I
> know that might not be the goal of this forum work, but I think it can
> be a side benefit if we want.  I'd be happy as time permits, outside of
> the other work this forum is doing, to start to pull together some of
> the information and send it out for review (wouldn't be any time soon,
> but maybe within the next few months.)
 
Happy to help with that. As you may gather, I've felt the pain...

Andrew
 
> Robin
> 
> Robin Ruefle
> Team Lead, CSIRT Development and Training Team
> Enterprise Threat and Vulnerability Management Team
> CERT Program
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh, PA 15213-3890 U.S.A.
> 
> Email: rmr at cert.org
> http://www.cert.org/
> 
> 
> -----Original Message-----
> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of
> Cristine Hoepers
> Sent: Thursday, July 24, 2014 10:42 AM
> To: bp_certs at intgovforum.org
> Subject: Re: [Bp_certs] About types of CERTs
> 
> Hi,
> 
> On Thu, Jul 24, 2014 at 03:12:05PM +0200, Mirosław Maj wrote:
> > Dear All,
> >
> > Interesting discussion :)!
> 
> Excellent discussion indeed!
> 
> > W dniu 23/07/14 15:23, Andrew Cormack pisze:
> > > Cristine
> > >
> > > I was interested to see that "national CERTs" now think that term
> > means "teams whose constituency are networks/organizations/assets of
> > National importance".
> >
> > Exactly! Additionally we should respect the fact that "National
> > importance constituencies" are protected more and more often not only
> > by nat/gov CERTs. Private CERTs are also delivering services to them.
> > BTW - the trend of establishing CERTs for critical infrastructures
> > also should be considered regarding this discussion.
> 
> That was exactly my point when I started this thread.
> 
> A "CSIRT with National Responsibility" is not necessarily a "Government
> CSIRT".  Although, we are seeing more and more governments that want to
> push the idea that to be a CSIRT serving "National importance
> constituencies", you have to be part of the government.
> 
> Also, we need to keep in mind the fact that if a CSIRT is serving a
> Government organization it does not mean it has National responsibility.
> 
> I would characterize as CSIRTs with National Responsibility those
> serving any of these constituencies in a Coordination role:
> 
> - Critical infrastructures (e.g. ICS-CERT)
> 
> - Coordination Center for Government networks (e.g. GovCERT.AT in
>   Austria, CTIR Gov in Brazil, CERT.Gov.PL in Poland, etc)
> 
> - Teams of last resort, that usually also coordinate incidents with
>   major ISPs and private sector networks (e.g. CERT.at in Austria,
>   CERT.br in Brazil, CERT.PL (former CERT Polska) in Poland, etc)
> 
> Also, we are seeing more and more "Cyber commands" and "Cyber Defense
> Centers" being created, with the mission of "protecting the nation" --
> I still have mixed feelings about calling these organizations CSIRTs at
> all -- but there are countries that are pushing this.  Not to mention
> all the trend to have "National CSIRTs" under Intelligence
> organizations (if I'm not mistaken this is the case in Sweden and
> Denmark), and under the Police (this is the case for Mexico, for
> example).
> 
> 
> > > That means we need another term for what I used to call the "CERT of
> > > last resort", for example if you have an incident in the UK and
> > > neither the FIRST, TI or RIPE directories give you a specific
> > > constituency CERT for the affected IP address, where (if anywhere)
> > > do you send it? Depending on the country, that may be something the
> > > "national CERT" does (I think Rohana was saying that in Sri Lanka it
> > > is), it may be done by someone else, or it may not be done by
> > > anyone.
> 
> That used to be my understanding of "National CERTs" too -- but the
> definition evolved after we got international government organizations
> more involved into this.  I saw this definition change a lot after we
> started having Organizations like ENISA, NATO, ITU and OAS recommending
> the creation of "National CERTs" -- each one with its own definition of
> it.  The countries that already had some CSIRTs by the time these
> recommendations came out, are just having more teams being added, some
> more local coordination to try to figure out, etc.  But I'm seeing more
> and more governments of countries that had fewer CSIRTs, trying to make
> all "National CSIRTs" inside government organizations.
> 
> It is a big confusion, to say the least.
> 
> And, going back to the panel on the National CSIRTs Meeting -- the
> discussion was exactly about the role of National Teams in the next 20
> years...
> 
> 
> > I like this description of "CERT of last resort". It is becoming a
> > kind of technical but very important function. My guessing is that it
> > does apply mostly to "good-old" CERTs which are very much recognized
> > by communities but for some reasons they stop to play formally the
> > official roles because of establishing national or governmental CERTs
> > in their countries.
> 
> Goes to my previous point.
> 
> And I think in these cases the governments are yet not understanding
> the role of a CSIRT, and they are missing the vital services that the
> "good-old" CERTs offer and, most importantly, the vital importance of
> "National CERTs" that are neutral, that can talk to all stakeholders
> without making them think they are talking to a regulator or to the
> police.
> 
> 
> > BTW - besides the terms national and governmental there is another one
> > - "de facto national" and it is introduced by ENISA (see:
> > CERT type filter at:
> > https://www.enisa.europa.eu/activities/cert/background/inv/certs-by-country-interactive-map).
> > As much as I understand it - it is about CERTs which play a role of
> > national CERT but they are not officially legitimized by governments
> > of their countries.
> 
> Interesting term -- and looking at the teams that are listed when I
> choose this option, it gives me some of the most active teams, that we
> at CERT.br have a strong cooperation with, and that are teams we can
> count on when we need a partner.
> 
> But don't get me wrong, they are not the only ones -- but it is
> interesting that they are among the most active and reliable.
> 
> Best regards,
> Cristine
> 
> --
> Cristine Hoepers, D.Sc.
> General Manager
> CERT.br/NIC.br
> http://www.cert.br/
> 
> > Kind Regards
> > Miroslaw Maj
> > --
> > Cybersecurity Foundation
> > 20 Tytoniowa Str
> > 04-228 Warsaw, Poland
> > tel:    +48 22 112 0 800
> > mobile: +48 608 508 702
> > e-mail: miroslaw.maj at cybsecurity.org
> > www:    http://www.cybsecurity.org/
> >
> >
> > >
> > > Being that CERT is a pretty thankless job (I spent a year, many
> > > years ago, running a pilot "last resort" CERT for European academic
> > > networks!) but in terms of public perception of the Internet, it seems
> > > to me it's an important one. The really severe incidents may be the
> > > ones within the constituencies of national CERTs (as defined above) but
> > > I hope they are few and far between. The ones (viruses, fraud,
> > > phishing, spam, ...) that affect the vast majority of Internet users,
> > > every day, and make them worry whether the Internet is a safe place to
> > > do business/work/education don't come from those constituencies.
> > >
> > > So if one of our objectives is to suggest how governments should
> > > build public confidence in the Internet, it seems to me that they
> > > ought to be thinking about how to provide some sort of incident
> > > response/victim support for those constituencies too. I'm afraid
> > > it's not something we've cracked in the UK - at the moment we have
> > > getsafeonline.org providing advice to the citizen - but the policy
> > > on where to report online frauds etc. seems to change frequently and
> > > isn't at all well publicised :(
> > >
> > > So I'm very interested to hear about the Kenyan approach of using
> > > the telcom association and internet exchange as a hub. That sounds a
> > > bit like the German initiative https://www.botfrei.de/en/ that has
> > > advice for end users but also (if I understand correctly) provides a
> > > helpdesk that ISPs can direct customers to where they've spotted
> > > traffic that suggests a botnet infection. That seemed to me like a nice
> > > mix of automation for the majority of customers with detailed human
> > > help for the few that need it.
> > >
> > > Best wishes
> > > Andrew
> > >
> > > --
> > > Andrew Cormack
> > > Chief Regulatory Adviser, Janet
> > > t: +44 1235 822302
> > > b: https://community.ja.net/blogs/regulatory-developments
> > > Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> > > not-for-profit company which is registered in England under
> > > No.2881024 and whose Registered Office is at Lumen House, Library
> > > Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No.
> > > 614944238
> > >
> > >
> > >> -----Original Message-----
> > >> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf
> > >> Of Cristine Hoepers
> > >> Sent: 16 July 2014 00:37
> > >> To: bp_certs at intgovforum.org
> > >> Subject: [Bp_certs] About types of CERTs
> > >>
> > >> Dear all,
> > >>
> > >> First of all, thanks for the interest in the IGF CERTs BPF!
> > >>
> > >> I would like to share some thoughts, considering discussions I
> > >> participated in previous IGF and pre-IGF events, and the discussion
> > >> that took place in the mailing list a few days ago, about CSIRTs
> > >> with national responsibility (in short "National CSIRTs" or
> > >> "National CERTs"), which has also brought a little bit of
> > >> discussion about other types of CSIRTs.
> > >>
> > >> There is no right or wrong about who hosts a National CSIRT, or
> > >> which services it should provide.  From experience, each country
> > >> will need to identify what works best in its case, as well as
> > >> consider other issues like services, funding, local internet
> > >> governance structure and cultural issues, among other factors that
> > >> might impact the decision.
> > >>
> > >> Also, several countries have more than one National CSIRT, and the
> > >> number is growing each year.  In the last National CSIRTs meeting,
> > >> about 2 weeks ago, there was a very interesting discussion about
> > >> the future of National CSIRTs and their role.  In this panel there
> > >> was an agreement that National CSIRTs are teams whose constituency
> > >> are networks/organizations/assets of National importance, and that
> > >> the number of such teams tend to increase.
> > >>
> > >> I would like to share some examples of National CSIRTs that are
> > >> operated by different stakeholders -- note that the focus of the
> > >> information is to give examples of different hosting organization,
> > >> not the constituency served by each team:
> > >>
> > >> - CERT.br - is operated by NIC.br, a not for profit organization that
> > >>   implements the decisions and projects defined by the Brazilian
> > >>   Internet Steering Committee - CGI.br.  And CGI.br is the
> > >>   multi-stakeholder internet governance body in Brazil.  All funding
> > >>   comes from <.br> domain name registration.
> > >>
> > >> - CERT.PL (previously CERT Polska) - is operated by NASK (Research and
> > >>   Academic Computer Network), a research institute which conducts
> > >>   scientific studies, operates the national .pl domain registry and
> > >>   provides advanced IT services.
> > >>
> > >> - JPCERT/CC - is an independent non-profit organization.
> > >>
> > >> - CARICERT - is sponsored by the Curaçao Bureau Telecommunication and
> > >>   Post (BT&P).
> > >>
> > >> - Egyptian CERT - is operated by the Ministry of Communications and
> > >>   Information Technology.
> > >>
> > >> - CERT-EE - operated by the Estonian Information System Authority
> > >>   (RIA), a subdivision of the Estonian Ministry of Economic Affairs
> > >>   and Communications.
> > >>
> > >> A more complete list of CSIRTs that have responsibility for an
> > >> economy or a country can be found here:
> > >> http://cert.org/incident-management/national-csirts/national-csirts.cfm
> > >>
> > >> I'll not make this e-mail even longer, but there are CSIRTs in many
> > >> different organizations, with different missions and services.  The
> > >> most important of all is that these CSIRTs work in cooperation to
> > >> make the Internet more stable and secure.  A list of teams that are
> > >> members of FIRST (the Forum of Incident Response and Security
> > >> Teams) can be found here: http://first.org/members/teams
> > >>
> > >> I personally think the work of the CERT BPF is a great opportunity
> > >> for us all to share experiences, best practices, questions, case
> > >> studies, but most of all it is a great opportunity for us to
> > >> identify challenges and try to find a way to start answering the
> > >> open questions.
> > >>
> > >>
> > >> Best regards,
> > >> Cristine
> > >>
> > >> --
> > >> Cristine Hoepers, D.Sc.
> > >> General Manager
> > >> CERT.br/NIC.br
> > >> http://www.cert.br/
> > >>
> > >> _______________________________________________
> > >> Bp_certs mailing list
> > >> Bp_certs at intgovforum.org
> > >> http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org