Computer Emergency Response Teams (or “CERTs”) are organizations that handle security incidents related to computers and networks. A CERT can be deployed to support private networks (example: in a multi-national company or an organization like NATO which operates its NCIRC) or organized by federal authorities in regions or countries. CERTs offer services which could be classified in three “activity” areas:
- Reaction: communication in case of security incidents (notifications via multiple defined channels).
- Pro-activity: continuously monitoring new trends, technologies or tools and communicating about them.
- Awareness: training, security campaigns, …
The recurrent keyword across all these areas is “communication”. A CERT is first of all a kind of communication agency focused on security.
In several countries, public CERTs have been deployed with the support of the authorities, as in Austria (cert.at), Finland (cert.fi) or Estonia (cert.ee). The situation in Belgium is more complex (as usual in our small country!). The Belgian Federal Research Network (Belnet) operates a CERT dedicated to all its “customers” (universities, public libraries and administration). I already blogged about them a few months ago. They are motivated guys and do a good job, but their status is not clearly defined by the Belgian authorities as a public service. Things have to change.
The Dutch CERT (govcert.nl) released an interesting guide called “CERT-in-a-box” to help other organizations or countries deploy their own CERT and avoid mistakes. The covered topics are:
- Introduction to setting up a CSIRT
- Organisation
- Finance
- CSIRT services
- Alerting-service services
- Communication
- Legal
- Processes
- Technology
- Planning
- Bibliography, useful reading
It’s really interesting to read about the major steps and tips for implementing a CERT from scratch, particularly the topics related to finance and legal aspects. All projects require money! Strong budget exercises must be performed before the launch, but also to keep activities running. A CERT runs 24×7 and needs infrastructure (servers, Internet access), and access to security events or resources is often expensive. How many FTE (Full Time Employee) will be required?
The legal aspect is crucial. A CERT must have a legal status and be recognized and pushed by the authorities as a competence center for all topics related to security. Responsibilities, tasks and competences must be clearly established. An agreement must list the aims of the CERT (products & services to be delivered). As you can imagine, deploying a CERT is not only a matter of building a team of highly skilled people and a bunch of servers.
In September 2008, an initiative composed of private associations and academic institutions launched a white paper called “Towards a Belgian Strategy on Information Security”. The goal was to draw the attention of the government and public authorities to six major security points. One of them is the establishment of a real CERT:
“A Belgian CERT (Computer Emergency Response Team) needs to be established quickly. Its mission should be to protect the nation’s Internet infrastructure and to coordinate protection against and responses to cyber attacks across the country. All this needs to happen in close collaboration with industry, building on the expertise already present there. Collaboration with BELNET and inspiration from initiatives in various sectors (e.g. financial sector), coordination with ECSA (www.ecsa-eu.org) and CFS-CSF (www.csf-cfs.be) is strongly recommended in this area.
The law on electronic communication (Law of 13 June 2005, Art 113 and 114) is unclear on the operational role of BIPT/IBPT with regards to the national CERT. This lack of clarity could result in inaction.”
(Source: Towards a Belgian Strategy on Information Security – page 7)
Note that ENISA, the European Network and Information Security Agency, also released a document called “A step-by-step approach on how to set up a CSIRT”.
So, what’s next with our CERT?