[Bp_certs] Bp_certs Digest, Vol 2, Issue 21
Millar, Thomas
Thomas.Millar at hq.dhs.gov
Tue Jul 29 12:16:14 EDT 2014
I think Aaron / OECD's categories work pretty well, but they could be improved by making their mutual exclusivity more explicit in the definitions.
Tom Millar
http://www.us-cert.gov/
------------------
I am sent by the blackberry: +1-202-631-1915.
----- Original Message -----
From: Andrew Cormack [mailto:Andrew.Cormack at ja.net]
Sent: Tuesday, July 29, 2014 11:48 AM
To: Aaron.MARTIN at oecd.org <Aaron.MARTIN at oecd.org>; bp_certs at intgovforum.org <bp_certs at intgovforum.org>
Subject: Re: [Bp_certs] Bp_certs Digest, Vol 2, Issue 21
Aaron
Thanks for sharing your analysis. Though I think it highlights why there's a definition problem! If I've understood correctly then anything with a constituency of "all X in the country", whatever X you choose, could fit into one or other of those definitions :(
I wonder whether it might be helpful, both from a metrics and a services point of view, to divide them up based on the level of skills that can be expected of constituency members and the motivation for those members to join the constituency? Thus there are
*) CERTs that deal with skilled constituencies who are required to work with them (typically central government and critical infrastructure constituencies);
*) CERTs that deal with skilled constituencies who need to be persuaded to work with them (typically private and general public-sector, though when GOVCERT.nl/NCSC-NL started they had to sell their services to each government so would have fitted into this category, if I recall correctly);
*) CERTs that deal with unskilled constituencies (CERTs for citizens, etc).
But then those categories probably apply to things that *don't* call themselves "national CERT" as well?
Andrew
--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is
registered in England under No.2881024 and whose Registered Office is at Lumen House, Library
Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238
> -----Original Message-----
> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of
> Aaron.MARTIN at oecd.org
> Sent: 29 July 2014 14:53
> To: bp_certs at intgovforum.org
> Subject: Re: [Bp_certs] Bp_certs Digest, Vol 2, Issue 21
>
> Hello all,
>
> I agree that the discussion on what is a national CSIRT, and the
> different kinds of national CSIRTs in operation, is very informative.
>
> We are trying to elaborate such a typology for our work on developing
> statistical guidance for national CSIRTs.
>
> We have found that, generally speaking, it may be possible to classify
> national CSIRTs' constituencies as follows:
>
> i) national CSIRTs with responsibility for all sectors in a
> country/economy
> ii) those that are responsible for all networks in a country/economy
> except those owned/operated by government or military
> iii) those that are only responsible for networks in the public sector,
> government and/or critical infrastructure; and
> iv) those responsible for private sector networks, particularly
> critical infrastructure.
>
> We would be happy to work with this community to elaborate and improve
> this basic typology. In fact, it is something that our delegates would
> greatly appreciate and would feed nicely into the guidance we are
> currently drafting.
>
> We look forward to the ongoing discussions.
>
> Best,
> Aaron Martin
> OECD
> Cybersecurity and Privacy
> Division for Digital Economy Policy
>
> +33 1 45 24 94 77
> aaron.martin at oecd.org
> www.oecd.org/sti/security-privacy
>
> -----Original Message-----
> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of
> bp_certs-request at intgovforum.org
> Sent: 24 July, 2014 6:00 PM
> To: bp_certs at intgovforum.org
> Subject: Bp_certs Digest, Vol 2, Issue 21
>
>
> Today's Topics:
>
> 1. Re: About types of CERTs (Robin M. Ruefle)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 24 Jul 2014 15:37:03 +0000
> From: "Robin M. Ruefle" <rmr at cert.org>
> To: Cristine Hoepers <cristine at cert.br>, "bp_certs at intgovforum.org"
> <bp_certs at intgovforum.org>
> Subject: Re: [Bp_certs] About types of CERTs
> Message-ID: <876A3A66C32D0A48AFECC0D0832FA1A1A45C518A at marathon>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello all,
>
> This is a great discussion and certainly providing a lot of food for
> thought. I hadn't really thought previously about the need to define
> different types of National CSIRTs, just like we define different types
> of CSIRTs. I think outlining these different types would be very
> beneficial for the community to increase understanding but also to
> provide better awareness and training materials for not only those
> starting or deciding to start a CSIRT - but those in the government or
> other management areas who need to understand these differences and
> similarities - and the usefulness and "mission" of each type.
>
> I am reminded of a conversation I had recently about a CSIRT which was
> located within the Federal Police, even though they were acting as a
> National presence for certain activities, they were not interested in
> doing so for engaging the public, handling public incidents, or doing
> awareness and training and outreach. Instead they were actively
> encouraging the development of what I think you are calling the "good
> old CSIRT" to handle those particular activities. The Federal Police
> CSIRT was more interested in threat intelligence and defense
> activities. But they wanted to see this other CSIRT in operation as a
> partner. Now, I know some others with similar CSIRTs within law
> enforcement or intelligence, do not always feel that way.
>
> I think it would be interesting to get some perspective from people in
> some of the countries where there are multiple CSIRT teams handling
> different communities.
>
> Through this discussion I am really getting the feeling that defining
> these different types of National CSIRTs is an area that has been
> greatly lacking in the literature and that perhaps with more
> information available - people will have a better understanding.
>
> There is a lot of good information in the emails that are being
> exchanged. I think we can take a lot of that information and put it
> into a document that gives an overall view of "National" CSIRTs, what
> they can be, their different activities, focus, and constituencies, and
> the general thought that having one is not enough in today's world. I
> know that might not be the goal of this forum work, but I think it can
> be a side benefit if we want. I'd be happy as time permits, outside of
> the other work this forum is doing, to start to pull together some of
> the information and send it out for review (wouldn't be any time soon,
> but maybe within the next few months.)
>
>
> Robin
>
> Robin Ruefle
> Team Lead, CSIRT Development and Training Team Enterprise Threat and
> Vulnerability Management Team CERT Program Software Engineering
> Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 U.S.A.
>
> Email: rmr at cert.org
> http://www.cert.org/
>
>
> -----Original Message-----
> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of
> Cristine Hoepers
> Sent: Thursday, July 24, 2014 10:42 AM
> To: bp_certs at intgovforum.org
> Subject: Re: [Bp_certs] About types of CERTs
>
> Hi,
>
> On Thu, Jul 24, 2014 at 03:12:05PM +0200, Mirosław Maj wrote:
> > Dear All,
> >
> > Interesting discussion :)!
>
> Excellent discussion indeed!
>
> > On 23/07/14 15:23, Andrew Cormack wrote:
> > > Cristine
> > >
> > > I was interested to see that "national CERTs" now think that term
> > > means "teams whose constituency are networks/organizations/assets of
> > > National importance".
> >
> > Exactly! Additionally we should respect the fact that "National
> > importance constituencies" are protected more and more often not only
> > by nat/gov CERTs. Private CERTs are also delivering services to them.
> > BTW - the trend of establishing CERTs for critical infrastructures
> > also should be considered regarding this discussion.
>
> That was exactly my point when I started this thread.
>
> A "CSIRT with National Responsibility" is not necessarily a "Government
> CSIRT". Although, we are seeing more and more governments that want to
> push the idea that to be a CSIRT serving "National importance
> constituencies", you have to be part of the government.
>
> Also, we need to keep in mind the fact that if a CSIRT is serving a
> Government organization does not mean it has National responsibility.
>
> I would characterize as CSIRTs with National Responsibility those
> serving any of these constituencies in a Coordination role:
>
> - Critical infrastructures (e.g. ICS-CERT)
>
> - Coordination Center for Government networks (e.g. GovCERT.AT in
> Austria, CTIR Gov in Brazil, CERT.Gov.PL in Poland, etc)
>
> - Teams of last resort, that usually also coordinate incidents with
> major ISPs and private sector networks (e.g. CERT.at in Austria,
> CERT.br in Brazil, CERT.PL (former CERT Polska) in Poland, etc)
>
> Also, we are seeing more and more "Cyber commands" and "Cyber Defense
> Centers" being created, with the mission of "protecting the nation" --
> I still have mixed feelings about calling these organizations CSIRTs at
> all -- but there are countries that are pushing this. Not to mention
> all the trend to have "National CSIRTs" under Intelligence
> organizations (if I'm not mistaken this is the case in Sweden and
> Denmark), and under the Police (this is the case for Mexico, for
> example).
>
>
> > > That means we need another term for what I used to call the "CERT of
> > > last resort", for example if you have an incident in the UK and
> > > neither the FIRST, TI or RIPE directories give you a specific
> > > constituency CERT for the affected IP address, where (if anywhere)
> > > do you send it? Depending on the country, that may be something the
> > > "national CERT" does (I think Rohana was saying that in Sri Lanka it
> > > is), it may be done by someone else, or it may not be done by
> > > anyone.
>
> That used to be my understanding of "National CERTs" too -- but the
> definition evolved after we got international government organizations
> more involved into this. I saw this definition change a lot after we
> started having Organizations like ENISA, NATO, ITU and OAS recommending
> the creation of "National CERTs" -- each one with its own definition of
> it. The countries that already had some CSIRTs by the time these
> recommendations came out, are just having more teams being added, some
> more local coordination to try to figure out, etc. But I'm seeing more
> and more governments of countries that had fewer CSIRTs, trying to make
> all "National CSIRTs" inside government organizations.
>
> It is a big confusion, to say the least.
>
> And, going back to the panel on the National CSIRTs Meeting -- the
> discussion was exactly about the role of National Teams in the next 20
> years...
>
>
> > I like this description of "CERT of last resort". It is becoming a
> > kind of technical but very important function. My guessing is that it
> > does apply mostly to "good-old" CERTs which are very much recognized
> > by communities but for some reasons they stop to play formally the
> > official roles because of establishing national or governmental CERTs
> > in their countries.
>
> Goes to my previous point.
>
> And I think in these cases the governments are yet not understanding
> the role of a CSIRT, and they are missing the vital services that the
> "good-old" CERTs offer and, most importantly, the vital importance of
> "National CERTs" that are neutral, that can talk to all stakeholders
> without making them to think they are talking to a regulator or to the
> police.
>
>
> > BTW - besides of terms national and governmental there is another one
> > - "de facto national" and it is introduced by ENISA (see:
> > CERT type filter at:
> > https://www.enisa.europa.eu/activities/cert/background/inv/certs-by-country-interactive-map).
> > As much as I understand it - it is about CERTs which play a role of
> > national CERT but they are not officially legitimized by governments
> > of their countries.
>
> Interesting term -- and looking at the teams that are listed when I
> choose this option, it gives me some of the most active teams, that we
> at CERT.br have a strong cooperation with, and that are teams we can
> count on when we need a partner.
>
> But don't get me wrong, they are not the only ones -- but it is
> interesting that they are among the most active and reliable.
>
> Best regards,
> Cristine
>
> --
> Cristine Hoepers, D.Sc.
> General Manager
> CERT.br/NIC.br
> http://www.cert.br/
>
> > Kind Regards
> > Miroslaw Maj
> > --
> > Cybersecurity Foundation
> > 20 Tytoniowa Str
> > 04-228 Warsaw, Poland
> > tel: +48 22 112 0 800
> > mobile: +48 608 508 702
> > e-mail: miroslaw.maj at cybsecurity.org
> > www: http://www.cybsecurity.org/
> >
> >
> > >
> > > Being that CERT is a pretty thankless job (I spent a year, many
> > > years ago, running a pilot "last resort" CERT for European academic
> > > networks!) but in terms of public perception of the Internet, it
> > > seems to me it's an important one. The really severe incidents may
> > > be the ones within the constituencies of national CERTs (as defined
> > > above) but I hope they are few and far between. The ones (viruses,
> > > fraud, phishing, spam, ...) that affect the vast majority of
> > > Internet users, every day, and make them worry whether the Internet
> > > is a safe place to do business/work/education don't come from those
> > > constituencies.
> > >
> > > So if one of our objectives is to suggest how governments should
> > > build public confidence in the Internet, it seems to me that they
> > > ought to be thinking about how to provide some sort of incident
> > > response/victim support for those constituencies too. I'm afraid
> > > it's not something we've cracked in the UK - at the moment we have
> > > getsafeonline.org providing advice to the citizen - but the policy
> > > on where to report online frauds etc. seems to change frequently and
> > > isn't at all well publicised :(
> > >
> > > So I'm very interested to hear about the Kenyan approach of using
> > > the telecom association and internet exchange as a hub. That sounds
> > > a bit like the German initiative https://www.botfrei.de/en/ that has
> > > advice for end users but also (if I understand correctly) provides a
> > > helpdesk that ISPs can direct customers to where they've spotted
> > > traffic that suggests a botnet infection. That seemed to me like a
> > > nice mix of automation for the majority of customers with detailed
> > > human help for the few that need it.
> > >
> > > Best wishes
> > > Andrew
> > >
> > > --
> > > Andrew Cormack
> > > Chief Regulatory Adviser, Janet
> > > t: +44 1235 822302
> > > b: https://community.ja.net/blogs/regulatory-developments
> > > Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> > > not-for-profit company which is registered in England under
> > > No.2881024 and whose Registered Office is at Lumen House, Library
> > > Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No.
> > > 614944238
> > >
> > >
> > >> -----Original Message-----
> > >> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf
> > >> Of Cristine Hoepers
> > >> Sent: 16 July 2014 00:37
> > >> To: bp_certs at intgovforum.org
> > >> Subject: [Bp_certs] About types of CERTs
> > >>
> > >> Dear all,
> > >>
> > >> First of all, thanks for the interest in the IGF CERTs BPF!
> > >>
> > >> I would like to share some thoughts, considering discussions I
> > >> participated in previous IGF and pre-IGF events, and the discussion
> > >> that took place in the mailing list a few days ago, about CSIRTs
> > >> with national responsibility (in short "National CSIRTs" or
> > >> "National CERTs"), which has also brought a little bit of
> > >> discussion about other types of CSIRTs.
> > >>
> > >> There is no right or wrong about who hosts a National CSIRT, or
> > >> which services it should provide. From experience, each country
> > >> will need to identify what works best in its case, as well as
> > >> consider other issues like services, funding, local internet
> > >> governance structure and cultural issues, among other factors that
> > >> might impact the decision.
> > >>
> > >> Also, several countries have more than one National CSIRT, and the
> > >> number is growing each year. In the last National CSIRTs meeting,
> > >> about 2 weeks ago, there was a very interesting discussion about
> > >> the future of National CSIRTs and their role. In this panel there
> > >> was an agreement that National CSIRTs are teams whose constituency
> > >> are networks/organizations/assets of National importance, and that
> > >> the number of such teams tend to increase.
> > >>
> > >> I would like to share some examples of National CSIRTs that are
> > >> operated by different stakeholders -- note that the focus of the
> > >> information is to give examples of different hosting organization,
> > >> not the constituency served by each team:
> > >>
> > >> - CERT.br - is operated by NIC.br, a not for profit organization that
> > >>   implements the decisions and projects defined by the Brazilian
> > >>   Internet Steering Committee - CGI.br. And CGI.br is the
> > >>   multi-stakeholder internet governance body in Brazil. All funding
> > >>   comes from <.br> domain name registration.
> > >>
> > >> - CERT.PL (previously CERT Polska) - is operated by NASK (Research and
> > >>   Academic Computer Network), a research institute which conducts
> > >>   scientific studies, operates the national .pl domain registry and
> > >>   provides advanced IT services.
> > >>
> > >> - JPCERT/CC - is an independent non-profit organization.
> > >>
> > >> - CARICERT - is sponsored by the Curaçao Bureau Telecommunication and
> > >>   Post (BT&P).
> > >>
> > >> - Egyptian CERT - is operated by the Ministry of Communications and
> > >>   Information Technology.
> > >>
> > >> - CERT-EE - operated by the Estonian Information System Authority
> > >>   (RIA), a subdivision of the Estonian Ministry of Economic Affairs
> > >>   and Communications.
> > >>
> > >> A more complete list of CSIRTs that have responsibility for an
> > >> economy or a country can be found here:
> > >> http://cert.org/incident-management/national-csirts/national-csirts.cfm
> > >>
> > >> I'll not make this e-mail even longer, but there are CSIRTs in many
> > >> different organizations, with different missions and services. The
> > >> most important of all is that these CSIRTs work in cooperation to
> > >> make the Internet more stable and secure. A list of teams that are
> > >> members of FIRST (the Forum of Incident Response and Security
> > >> Teams) can be found here: http://first.org/members/teams
> > >>
> > >> I personally think the work of the CERT BPF is a great opportunity
> > >> for us all to share experiences, best practices, questions, case
> > >> studies, but most of all it is a great opportunity for us to
> > >> identify challenges and try to find a way to start answering the
> > >> open questions.
> > >>
> > >>
> > >> Best regards,
> > >> Cristine
> > >>
> > >> --
> > >> Cristine Hoepers, D.Sc.
> > >> General Manager
> > >> CERT.br/NIC.br
> > >> http://www.cert.br/
> > >>
> > >> _______________________________________________
> > >> Bp_certs mailing list
> > >> Bp_certs at intgovforum.org
> > >> http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org