A few weeks ago, there was some kind of debate in Belgium about the need for a CERT (Computer Emergency Response Team). With the growing number of computer and network incidents reported today, everybody agrees to request the setup of a strong CERT infrastructure per country, managed by legal authorities! But what’s the status today? Here is a personal case.
Date: Wed, 08 Oct 2008 13:29:58 +0200
From: xxx xxx
To: email@example.com
Cc: "firstname.lastname@example.org"
Subject: [BELNET TT #xxxx] Compromised FTP account

...

Dear,

We are BELNET-CERT, the Computer Emergency Response Team for the BELNET-constituency. As a CERT team we handle and coordinate security events (intrusions, hacking, ...) that occur in our network, whether we are a victim or the source of an incident.

Our colleagues from CERT/CC forwarded us a list of log entries of compromised FTP accounts. Unfortunately we do not have accurate timestamps for the data; log entries within the data start as far back as 2007-11-19, which would appear to be based on the server system time, which we can not confirm is set accurately.

We have attached a log file for a site for which you are, according to our records, the site administrator. We forward you this information to take appropriate actions.
My first impression was very positive! There is at least some control over what happens on the Belgian part of the Internet, but… The Belnet CERT operational domain is not clear: they define themselves as a CERT team that can handle and coordinate security events (intrusions, hacking, …) that occur in THEIR network. The incident report they created has no relation to the Belnet network! (My IP address belongs to a commercial ISP.)
The Belnet CERT is accredited by Trusted Introducer, and the guys @ Belnet do a great job. Keep up the good work! They provide useful information (mailing list, weekly newsletter), but on their website it’s clearly stated that their business hours are 8h-18h, Monday to Friday. Is there a follow-up (on-duty contact) outside of this period of time? How do they exchange information with other CERTs (European or worldwide)?
About “my” own incident reported above: the logs they provided were received from the CERT/CC. They analyzed compromised hosts and discovered log entries referring to my (old) shell server, which was re-installed more than a year ago! Case closed!
So, do we have a CERT in Belgium? My answer is yes. There is a structure, with contacts to other worldwide CERTs and organizations. They can already help you to investigate incidents or notify you. But they require a broader scope of authority (not only the “Belnet” network), more money and more human resources…