After the FIRST.org Annual Conference and AGM this year, I had the opportunity to be one of the ‘Lead Experts’ (aka facilitators) for the Best Practice Forum for Establishing and Supporting Computer Emergency Response Teams (CERTs) for Internet Security. This forum is part of the upcoming Internet Governance Forum 2014 in Istanbul, Turkey. The other two lead experts are Maarten Van Horenbeeck (from FIRST.org) and Cristine Hoepers (CERT.br). Both are well known in the CERT/CSIRT community for their contributions.
Now, although I have been involved with the CERT/CSIRT world for a while, I have never participated in an IGF. However, the opportunity to contribute to this work was something I could not say no to. After all, it was a chance to develop a reference document that will help relevant stakeholders learn more about CERTs/CSIRTs and the (operational) challenges that others have encountered in the past.
I also realized that we have a lot of colleagues in the CSIRT community who would be more than willing to share their experience and lessons learned on various topics related to establishing or running CSIRT operations.
So in the last month and a half, we had some pretty interesting discussion and information sharing on the mailing list and in Webex sessions. If you are interested in joining the discussion or reading the threads, just go to this link. Even better, the main discussion points have been documented, and the IGF secretariat is inviting everyone to give feedback on how the document could be improved (i.e. what other topics or questions it should address). Head over to this link to review the draft document. The document and all feedback will be discussed in the Best Practice Forum session during IGF 2014.
Some of the questions addressed are quite relevant to APNIC Members who hold resources and need to respond to queries about abuse or security incidents on their network (read: botnet C&C, port scanning, web defacement, phishing). Merely having a contact point in the WHOIS database (an IRT object) is not sufficient on its own. People (with the right skills), policy (how do we deal with incident X or Y) and technology (for automating the process or analyzing the incidents) must be put in place, and all of those have cost implications. Learning from others' experience on how to go about this, and what not to do, might be a smart thing. This is exactly what the Best Practice Forum on establishing and supporting CERTs intends to do.
Anyhow, do take a look at the document. I am looking forward to hearing your feedback on it.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.