[Bp_certs] About types of CERTs

Damir Rajnovic gausix at gmail.com
Fri Jul 25 06:59:46 EDT 2014


Hello Andrew,

On Fri, Jul 25, 2014 at 09:25:43AM +0000, Andrew Cormack wrote:
> 1) Telling governments that there are multiple functions (however 
> they want to divide them up) that should be considered when 
> planning "CERT(s) for my country"

I read this as "define your constituency" (Paf's step #1).
Simple as that. You can then give numerous examples how
constituency can be defined.

> 2) Since there are already teams calling themselves "national 
> CERT" out there, helping them to describe more accurately which 
> of those functions they actually provide, so a "national CERT" 
> that is actually only dealing with Government and/or critical 
> networks doesn't get swamped with reports about problems in its 
> citizen IP address ranges. Also saving those who report to it 
> some frustration.

And this (and your subsequent paragraph) I read as "once you
define your constituency and agree on functions that you will
provide (Paf's step #2) - publish them on your web site in a
prominent place".

How is your 2) different if we consider a CERT in an academic
world? We have many teams calling themselves academic but they
provide different services to its constituency. So we should
then do the same for them as we want to do for "national CERTs".


> I agree that the second of those ought to be covered by close 
> reading of the RFC2350 constituency definition but I suspect most 
> reporters who try for, for example, google("uk national cert") 
> will make all sorts of wrong assumptions about something that 
> describes itself as "national computer emergency response team 
> in the United Kingdom" ;-)
> 
> Does that make sense, or am I just showing my old scars?

Both :)

I am afraid that I still do not see a magic in attaching a word 
"national" to a team (unless you get a big budget and _that_
would be magical indeed).

I do understand that every government would like to have a team
that they own and control. They would also like it to be the most
prominent in a country and by attaching "national" to it they
hope to achieve that goal. That is perfectly understandable and
fine. But I still fail to see why national teams are so special
that we need to focus on them specifically.

The point I am trying to make is that (to me) "national CERT"
is not a special type of a team. It is just the same as any other
CERT. Obviously I have not read all papers published on this
topic but I am pretty sure that if you would remove words
"national" and "government" from them that you would end up
with a document that can be used to establish a CERT in a
non-profit organization or a bank.

I am not against a team calling itself "national CERT" but
when we are creating best practices why would we not make them
universal instead of trying to constrain ourselves to a niche
which (to me) is virtual?

Thanks,

Gaus




> 
> Andrew
> 
> 
> > -----Original Message-----
> > From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of
> > Damir Rajnovic
> > Sent: 25 July 2014 08:31
> > To: bp_certs at intgovforum.org
> > Subject: Re: [Bp_certs] About types of CERTs
> > 
> > Hi all,
> > 
> > It seems to me that I have joined mid-stream into this thread
> > a few days ago so I am probably missing the initial context.
> > 
> > This is a fascinating discussion but I have one very simple
> > question which is about the importance of being "national CERT"?
> > (sorry, could not help myself)
> > 
> > A team can call itself whatever they like - national, CNI,
> > semi-national or Exalted CERT for Official Monster Raving Loony
> > Party - all that matters is what their constituency is. If
> > an incident involves that constituency (or a subset of it),
> > then that team is who you need.
> > 
> > I can understand that for the team itself there might be a
> > significance if it can attach a specific title to itself because
> > then the team can get more funding or prestige. But is that
> > really what is important? We can certainly list all known
> > names and we can invent a few more but what is the end goal?
> > 
> > Thank you,
> > 
> > Gaus
> > 
> > On Thu, Jul 24, 2014 at 05:29:02PM +0000, Andrew Cormack wrote:
> > > And to those trying to reach out to a particular CSIRT role in
> > > another country. In theory you should be able to tell the
> > > difference from the 'constituency' definition in RFC2350, but
> > > I suspect it'd be easier to have distinct names for each role
> > > so that 'national CERTs' could flag up which they were.
> > 
> > 
> > 
> > 
> > ==============
> > Damir Rajnovic <gausix at gmail.com>
> > Telephone: +44 7825 049 500
> > ==============
> > There are no insolvable problems.
> > The question is can you accept the solution?
> > 
> > 
> > Incident Response and Product Security
> > http://www.ciscopress.com/bookstore/product.asp?isbn=1587052644
> > 
> > 

==============
Damir Rajnovic <gausix at gmail.com>
Telephone: +44 7825 049 500
==============
There are no insolvable problems. 
The question is can you accept the solution? 


Incident Response and Product Security
http://www.ciscopress.com/bookstore/product.asp?isbn=1587052644




