[Bp_certs] Bp_certs Digest, Vol 2, Issue 23

BEUGRE Jacques beugre.jacques at artci.ci
Fri Jul 25 08:24:23 EDT 2014


Sorry

I would like to know how we can show the decision-makers of under-developed countries the importance of a CERT.


TANOH BEUGRE JACQUES

IT Security Engineer

ICT Directorate, Information Systems, Network Security

DSIT

Tel: +225 01 00 88 52
________________________________________
From: Bp_certs [bp_certs-bounces at intgovforum.org] on behalf of bp_certs-request at intgovforum.org [bp_certs-request at intgovforum.org]
Sent: Friday, 25 July 2014 12:11
To: bp_certs at intgovforum.org
Subject: Bp_certs Digest, Vol 2, Issue 23

Send Bp_certs mailing list submissions to
        bp_certs at intgovforum.org

To subscribe or unsubscribe via the World Wide Web, visit
        http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org
or, via email, send a message with subject or body 'help' to
        bp_certs-request at intgovforum.org

You can reach the person managing the list at
        bp_certs-owner at intgovforum.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bp_certs digest..."


Today's Topics:

   1. Re: Publicly Accessible Resources on CERTs/CSIRTs
      (Robin M. Ruefle)
   2. Re: About types of CERTs (Robin M. Ruefle)
   3. Re: About types of CERTs (Damir Rajnovic)
   4. Re: About types of CERTs (Andrew Cormack)
   5. Re: About types of CERTs (Damir Rajnovic)
   6. Re: About types of CERTs (Andrew Cormack)


----------------------------------------------------------------------

Message: 1
Date: Thu, 24 Jul 2014 19:30:38 +0000
From: "Robin M. Ruefle" <rmr at cert.org>
To: "bp_certs at intgovforum.org" <bp_certs at intgovforum.org>
Cc: "discussion_questions at intgovforum.org"
        <discussion_questions at intgovforum.org>
Subject: Re: [Bp_certs] Publicly Accessible Resources on CERTs/CSIRTs
Message-ID: <876A3A66C32D0A48AFECC0D0832FA1A1A45C6397 at marathon>
Content-Type: text/plain; charset="us-ascii"

I forgot to include another best practice guide for standing up a CSIRT.  It is located at

http://www.ncsc.govt.nz/assets/NCSC-Documents/New-Zealand-Security-Incident-Management-Guide-for-Computer-Security-Incident-Response-Teams-CSIRTs.pdf

It is a guide written to help the ministries within the New Zealand government stand up their CSIRTs, based on a mandate within the government.

Robin


Robin Ruefle
Team Lead, CSIRT Development and Training Team
Enterprise Threat and Vulnerability Management Team
CERT Program
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890 U.S.A.

Email: rmr at cert.org
http://www.cert.org/






------------------------------

Message: 2
Date: Thu, 24 Jul 2014 19:36:09 +0000
From: "Robin M. Ruefle" <rmr at cert.org>
To: Andrew Cormack <Andrew.Cormack at ja.net>, "bp_certs at intgovforum.org"
        <bp_certs at intgovforum.org>
Subject: Re: [Bp_certs] About types of CERTs
Message-ID: <876A3A66C32D0A48AFECC0D0832FA1A1A45C641C at marathon>
Content-Type: text/plain; charset="us-ascii"


Andrew,

-----Original Message-----
From: Andrew Cormack [mailto:Andrew.Cormack at ja.net]
Sent: Thursday, July 24, 2014 1:29 PM
To: Robin M. Ruefle; Cristine Hoepers; bp_certs at intgovforum.org
Subject: RE: [Bp_certs] About types of CERTs


> And to those trying to reach out to a particular CSIRT role in another country. In theory you should be able to tell the
> difference from the 'constituency' definition in RFC2350, but I suspect it'd be easier to have distinct names for each role so
> that 'national CERTs' could flag up which they were.


[Robin Ruefle] Oh good point!  Having distinctive names for each role and some description of the role and benefit would be very handy indeed.

>> There is a lot of good information in the emails that are being
>> exchanged. I think we can take a lot of that information and put it
>> into a document that gives an overall view of "National" CSIRTs, what
>> they can be, their different activities, focus, and constituencies,
>> and the general thought that having one is not enough in today's
>> world. I know that might not be the goal of this forum work, but I
>> think it can be a side benefit if we want.  I'd be happy as time
>> permits, outside of the other work this forum is doing, to start to
>> pull together some of the information and send it out for review
>> (wouldn't be any time soon, but maybe within the next few months.)

>Happy to help with that. As you may gather, I've felt the pain...

[Robin Ruefle] Great!  That would be wonderful.  You and I can talk off-line about the best way to go about this.

Thanks!

Robin



------------------------------

Message: 3
Date: Fri, 25 Jul 2014 08:31:26 +0100
From: Damir Rajnovic <gausix at gmail.com>
To: bp_certs at intgovforum.org
Subject: Re: [Bp_certs] About types of CERTs
Message-ID: <20140725073126.GA451 at MacGaus.local>
Content-Type: text/plain; charset=us-ascii

Hi all,

It seems to me that I have joined mid-stream into this thread
a few days ago so I am probably missing the initial context.

This is a fascinating discussion but I have one very simple
question, which is about the importance of being a "national CERT"?
(sorry, could not help myself)

A team can call itself whatever it likes - national, CNI,
semi-national or Exalted CERT for Official Monster Raving Loony
Party - all that matters is what its constituency is. If
an incident involves that constituency (or a subset of it),
then that team is who you need.

I can understand that for the team itself there might be a
significance if it can attach a specific title to itself because
then the team can get more funding or prestige. But is that
really what is important? We can certainly list all known
names and we can invent a few more but what is the end goal?

Thank you,

Gaus

On Thu, Jul 24, 2014 at 05:29:02PM +0000, Andrew Cormack wrote:
> And to those trying to reach out to a particular CSIRT role in
> another country. In theory you should be able to tell the
> difference from the 'constituency' definition in RFC2350, but
> I suspect it'd be easier to have distinct names for each role
> so that 'national CERTs' could flag up which they were.




==============
Damir Rajnovic <gausix at gmail.com>
Telephone: +44 7825 049 500
==============
There are no insolvable problems.
The question is can you accept the solution?


Incident Response and Product Security
http://www.ciscopress.com/bookstore/product.asp?isbn=1587052644




------------------------------

Message: 4
Date: Fri, 25 Jul 2014 09:25:43 +0000
From: Andrew Cormack <Andrew.Cormack at ja.net>
To: Gaus <gausix at gmail.com>, "bp_certs at intgovforum.org"
        <bp_certs at intgovforum.org>
Subject: Re: [Bp_certs] About types of CERTs
Message-ID: <61E52F3A5532BE43B0211254F13883AEA4AF0C80 at EXC001>
Content-Type: text/plain; charset="us-ascii"

Hi Gaus

I'd see two benefits:
1) Telling governments that there are multiple functions (however they want to divide them up) that should be considered when planning "CERT(s) for my country"

2) Since there are already teams calling themselves "national CERT" out there, helping them to describe more accurately which of those functions they actually provide, so a "national CERT" that is actually only dealing with Government and/or critical networks doesn't get swamped with reports about problems in its citizen IP address ranges. Also saving those who report to it some frustration.

I agree that the second of those ought to be covered by close reading of the RFC2350 constituency definition but I suspect most reporters who try for, for example, google("uk national cert") will make all sorts of wrong assumptions about something that describes itself as "national computer emergency response team in the United Kingdom" ;-)

Does that make sense, or am I just showing my old scars?

Andrew





------------------------------

Message: 5
Date: Fri, 25 Jul 2014 11:59:46 +0100
From: Damir Rajnovic <gausix at gmail.com>
To: Andrew Cormack <Andrew.Cormack at ja.net>
Cc: "bp_certs at intgovforum.org" <bp_certs at intgovforum.org>
Subject: Re: [Bp_certs] About types of CERTs
Message-ID: <20140725105946.GO408 at MacGaus.local>
Content-Type: text/plain; charset=us-ascii

Hello Andrew,

On Fri, Jul 25, 2014 at 09:25:43AM +0000, Andrew Cormack wrote:
> 1) Telling governments that there are multiple functions (however
> they want to divide them up) that should be considered when
> planning "CERT(s) for my country"

I read this as "define your constituency" (Paf's step #1).
Simple as that. You can then give numerous examples how
constituency can be defined.

> 2) Since there are already teams calling themselves "national
> CERT" out there, helping them to describe more accurately which
> of those functions they actually provide, so a "national CERT"
> that is actually only dealing with Government and/or critical
> networks doesn't get swamped with reports about problems in its
> citizen IP address ranges. Also saving those who report to it
> some frustration.

And this (and your subsequent paragraph) I read as "once you
define your constituency and agree on the functions that you will
provide (Paf's step #2) - publish them on your web site in a
prominent place".

How is your 2) different if we consider a CERT in the academic
world? We have many teams calling themselves academic but they
provide different services to their constituencies. So we should
then do the same for them as we want to do for "national CERTs".


> I agree that the second of those ought to be covered by close
> reading of the RFC2350 constituency definition but I suspect most
> reporters who try for, for example, google("uk national cert")
> will make all sorts of wrong assumptions about something that
> describes itself as "national computer emergency response team
> in the United Kingdom" ;-)
>
> Does that make sense, or am I just showing my old scars?

Both :)

I am afraid that I still do not see a magic in attaching a word
"national" to a team (unless you get a big budget and _that_
would be magical indeed).

I do understand that every government would like to have a team
that they own and control. They would also like it to be the most
prominent in a country and by attaching "national" to it they
hope to achieve that goal. That is perfectly understandable and
fine. But I still fail to see why national teams are so special
that we need to focus on them specifically.

The point I am trying to make is that (to me) "national CERT"
is not a special type of a team. It is just the same as any other
CERT. Obviously I have not read all papers published on this
topic but I am pretty sure that if you would remove words
"national" and "government" from them that you would end up
with a document that can be used to establish a CERT in a
non-profit organization or a bank.

I am not against a team calling itself a "national CERT", but
when we are creating best practices, why would we not make them
universal instead of trying to constrain ourselves to a niche
which (to me) is virtual?

Thanks,

Gaus








------------------------------

Message: 6
Date: Fri, 25 Jul 2014 12:11:02 +0000
From: Andrew Cormack <Andrew.Cormack at ja.net>
To: Gaus <gausix at gmail.com>
Cc: "bp_certs at intgovforum.org" <bp_certs at intgovforum.org>
Subject: Re: [Bp_certs] About types of CERTs
Message-ID: <61E52F3A5532BE43B0211254F13883AEA4AF1815 at EXC001>
Content-Type: text/plain; charset="us-ascii"

> -----Original Message-----
> From: Damir Rajnovic [mailto:gausix at gmail.com]
> Sent: 25 July 2014 12:00
> To: Andrew Cormack
> Cc: Gaus; bp_certs at intgovforum.org
> Subject: Re: [Bp_certs] About types of CERTs
>
> Hello Andrew,
>
> On Fri, Jul 25, 2014 at 09:25:43AM +0000, Andrew Cormack wrote:
> > 1) Telling governments that there are multiple functions (however
> > they want to divide them up) that should be considered when
> > planning "CERT(s) for my country"
>
> I read this as "define your constituency" (Paf's step #1).
> Simple as that. You can then give numerous examples how
> constituency can be defined.

Yes! And with a strong message that "we are the national CERT" isn't sufficient to define your constituency

> > 2) Since there are already teams calling themselves "national
> > CERT" out there, helping them to describe more accurately which
> > of those functions they actually provide, so a "national CERT"
> > that is actually only dealing with Government and/or critical
> > networks doesn't get swamped with reports about problems in its
> > citizen IP address ranges. Also saving those who report to it
> > some frustration.
>
> And this (and your subsequent paragraph) I read as "once you
> define your constituency and agree on functions that you will
> provide (Paf's step #2) - publish them your web site on a
> prominent place".

No, I'm only talking about constituencies at the moment, though we could move on to services later if you want. Part 2 (actually possibly more on-topic for this group) is a message to the Government - who may have heard from an international forum or wherever that they need a "national CERT" - that there's more to improving the security of your country than setting up a CERT for the internal Government network.

> How is your 2) different if we consider a CERT in an academic
> world? We have many teams calling themselves academic but they
> provide different services to its constituency. So we should
> then do the same for them as we want to do for "national CERTs".

No - because "academic CERT" does roughly define the constituency. "National CERT" doesn't. So the latter need more help.

> > I agree that the second of those ought to be covered by close
> > reading of the RFC2350 constituency definition but I suspect most
> > reporters who try for, for example, google("uk national cert")
> > will make all sorts of wrong assumptions about something that
> > describes itself as "national computer emergency response team
> > in the United Kingdom" ;-)
> >
> > Does that make sense, or am I just showing my old scars?
>
> Both :)
>
> I am afraid that I still do not see a magic in attaching a word
> "national" to a team (unless you get a big budget and _that_
> would be magical indeed).

Nor do I. But there are lots of them popping up, serving lots of different constituencies, and that's confusing, maybe dangerously so.

> I do understand that every government would like to have a team
> that they own and control. They would also like it to be the most
> prominent in a country and by attaching "national" to it they
> hope to achieve that goal. That is perfectly understandable and
> fine. But I still fail to see why national teams are so special
> that we need to focus on them specifically.
>
> The point I am trying to make is that (to me) "national CERT"
> is not a special type of a team. It is just the same as any other
> CERT. Obviously I have not read all papers published on this
> topic but I am pretty sure that if you would remove words
> "national" and "government" from them that you would end up
> with a document that can be used to establish a CERT in a
> non-profit organization or a bank.

With the exception of "CERT-of-last-resort", which I think *is* a different service, then I mostly agree. They may be more likely to have special relationships with police/legislators/security services, though.

> I am not against that a team calls itself "national CERT" but
> when we are creating best practices why we would not make them
> universal instead trying to constrain ourselves to a niche
> which (to me) is virtual.

Because the term "national cert" is moving from confusing to downright misleading. I hate to think how many hours I've wasted on discussions about "security" when no one actually defined what they meant by that term. To my mind "national CERT" has nearly as much potential for misunderstandings :(

Andrew





------------------------------

Subject: Digest Footer

_______________________________________________
Bp_certs mailing list
Bp_certs at intgovforum.org
http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org


------------------------------

End of Bp_certs Digest, Vol 2, Issue 23
***************************************
