[Bp_certs] About types of CERTs
Andrew Cormack
Andrew.Cormack at ja.net
Fri Jul 25 08:11:02 EDT 2014
> -----Original Message-----
> From: Damir Rajnovic [mailto:gausix at gmail.com]
> Sent: 25 July 2014 12:00
> To: Andrew Cormack
> Cc: Gaus; bp_certs at intgovforum.org
> Subject: Re: [Bp_certs] About types of CERTs
>
> Hello Andrew,
>
> On Fri, Jul 25, 2014 at 09:25:43AM +0000, Andrew Cormack wrote:
> > 1) Telling governments that there are multiple functions (however
> > they want to divide them up) that should be considered when
> > planning "CERT(s) for my country"
>
> I read this as "define your constituency" (Paf's step #1).
> Simple as that. You can then give numerous examples how
> constituency can be defined.
Yes! And with a strong message that "we are the national CERT" isn't sufficient to define your constituency.
> > 2) Since there are already teams calling themselves "national
> > CERT" out there, helping them to describe more accurately which
> > of those functions they actually provide, so a "national CERT"
> > that is actually only dealing with Government and/or critical
> > networks doesn't get swamped with reports about problems in its
> > citizen IP address ranges. Also saving those who report to it
> > some frustration.
>
> And this (and your subsequent paragraph) I read as "once you
> define your constituency and agree on functions that you will
> provide (Paf's step #2) - publish them on your web site in a
> prominent place".
No, I'm only talking about constituencies at the moment, though we could move on to services later if you want. Part 2 (actually possibly more on-topic for this group) is a message to the Government - who may have heard from an international forum or wherever that they need a "national CERT" - that there's more to improving the security of your country than setting up a CERT for the internal Government network.
> How is your 2) different if we consider a CERT in an academic
> world? We have many teams calling themselves academic but they
> provide different services to its constituency. So we should
> then do the same for them as we want to do for "national CERTs".
No - because "academic CERT" does roughly define the constituency. "National CERT" doesn't. So the latter need more help.
> > I agree that the second of those ought to be covered by close
> > reading of the RFC2350 constituency definition but I suspect most
> > reporters who try for, for example, google("uk national cert")
> > will make all sorts of wrong assumptions about something that
> > describes itself as "national computer emergency response team
> > in the United Kingdom" ;-)
> >
> > Does that make sense, or am I just showing my old scars?
>
> Both :)
>
> I am afraid that I still do not see a magic in attaching a word
> "national" to a team (unless you get a big budget and _that_
> would be magical indeed).
Nor do I. But there are lots of them popping up, serving lots of different constituencies, and that's confusing, maybe dangerously so.
> I do understand that every government would like to have a team
> that they own and control. They would also like it to be the most
> prominent in a country and by attaching "national" to it they
> hope to achieve that goal. That is perfectly understandable and
> fine. But I still fail to see why national teams are so special
> that we need to focus on them specifically.
>
> The point I am trying to make is that (to me) "national CERT"
> is not a special type of a team. It is just the same as any other
> CERT. Obviously I have not read all papers published on this
> topic but I am pretty sure that if you would remove words
> "national" and "government" from them that you would end up
> with a document that can be used to establish a CERT in a
> non-profit organization or a bank.
With the exception of "CERT-of-last-resort", which I think *is* a different service, then I mostly agree. They may be more likely to have special relationships with police/legislators/security services, though.
> I am not against that a team calls itself "national CERT" but
> when we are creating best practices why we would not make them
> universal instead trying to constrain ourselves to a niche
> which (to me) is virtual.
Because the term "national cert" is moving from confusing to downright misleading. I hate to think how many hours I've wasted on discussions about "security" when no one actually defined what they meant by that term. To my mind "national CERT" has nearly as much potential for misunderstandings :(
Andrew
> Thanks,
>
> Gaus
>
> >
> > Andrew
> >
> >
> > > -----Original Message-----
> > > From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of
> > > Damir Rajnovic
> > > Sent: 25 July 2014 08:31
> > > To: bp_certs at intgovforum.org
> > > Subject: Re: [Bp_certs] About types of CERTs
> > >
> > > Hi all,
> > >
> > > It seems to me that I have joined mid-stream into this thread
> > > a few days ago so I am probably missing the initial context.
> > >
> > > This is a fascinating discussion but I have one very simple
> > > question, which is about the importance of being a "national CERT"?
> > > (sorry, could not help myself)
> > >
> > > A team can call itself whatever they like - national, CNI,
> > > semi-national or Exalted CERT for Official Monster Raving Loony
> > > Party - all that matters is what their constituency is. If
> > > an incident involves that constituency (or a subset of it),
> > > then that team is who you need.
> > >
> > > I can understand that for the team itself there might be a
> > > significance if it can attach a specific title to itself because
> > > then the team can get more funding or prestige. But is that
> > > really what is important? We can certainly list all known
> > > names and we can invent a few more but what is the end goal?
> > >
> > > Thank you,
> > >
> > > Gaus
> > >
> > > On Thu, Jul 24, 2014 at 05:29:02PM +0000, Andrew Cormack wrote:
> > > > And to those trying to reach out to a particular CSIRT role in
> > > > another country. In theory you should be able to tell the
> > > > difference from the 'constituency' definition in RFC2350, but
> > > > I suspect it'd be easier to have distinct names for each role
> > > > so that 'national CERTs' could flag up which they were.
> > >
> > > ==============
> > > Damir Rajnovic <gausix at gmail.com>
> > > Telephone: +44 7825 049 500
> > > ==============
> > > There are no insolvable problems.
> > > The question is can you accept the solution?
> > >
> > >
> > > Incident Response and Product Security
> > > http://www.ciscopress.com/bookstore/product.asp?isbn=1587052644