Tuesday, June 12, 2012

Cyber-Security: Steps towards NP-CERT

I think laziness is directly proportional to age, and it seems this applies to my case. As I get older, I become more and more lazy day by day. However, there might be several other factors, like the hottest Kathmandu temperatures and the country's bad condition, that play a part in my laziness. It has been almost one month since I came back from the USA after attending the cyber security workshop. Taking that into account, I have tried to write an article towards the formation of Nepal-CERT for better protection of Nepalese cyber space. In the following article, I mention the necessary steps that Nepal can take to protect its cyber space, based on the US cyber security training/workshop. I hope this article will be helpful to the policy makers of Nepal in fulfilling its objective(s). Anybody is allowed to copy this article; however, I request that you credit me in your work if this article is fruitful to you, in the same way that I am crediting the site http://www.cert.org/csirts/Creating-A-CSIRT.html, from which I copied the principle(s) for CERT development.

Table of Contents
List of Abbreviations
Background
US-Cyber Security Training: Brief Overview
NP-CERT: Motivating Factors
CERT Objectives
CERT: Establishment Steps
Steps Towards NP-CERT
Recommendation & Conclusion

List of Abbreviations
ccTLD    Country Code Top Level Domain      
CERT    Computer Emergency Response Team      
DNS    Domain Name Service      
HLS    Home Land Security      
ICT    Information and Communication Technology      
IMPACT    International Multilateral Partnership Against Cyber Threat      
MoIC    Ministry of Information and Communication       
NP    Nepal      
NRB    Nepal Rastra Bank      
NTA    Nepal Telecommunications Authority      
US    United States      
       
 
1.0 Background:
With the advancement of technology implementation and continued growth in system automation via the use of information and communication/network technology, security in the system/technology should also be enforced in a proper way. Network systems become quite vulnerable as technology changes, and we need to protect them against possible attack. It is our pleasure that a group of Nepalese delegates attended the training sequence “Cyber Security and ICT Policy Making” in the United States of America at the invitation of the US Department of State from Apr 20 to May 4, 2012.

During the program, the team got real and practical information about cyber security, from the core technical level to the policy level. Special presentations were given on topics such as ICT Policy making in global environment, internet global collaborative development, ccTLD Administration and Operations, DNS and the Domain Name Industries, Cyber-Security and Digital Infrastructure, Internet Governance and Cyber Security International Policy.

The team visited the AT&T communication center and gained knowledge of AT&T’s cyber security implementation strategy with internet governance. Similarly, the team visited the IBM business center on behalf of the United States telecommunication training institute. There were almost thirty-four (34) participants from African and Asian countries. The sharing of country-level knowledge and experiences, such as the formation of a Computer Emergency Response Team (CERT), its functions and duties, and the concepts of US-CERT, Sri Lanka-CERT etc., is quite encouraging for us to proceed with the development of Nepal CERT with its proper functionalities.

The team has realized the sensitivity of security matters in protecting government and public sector systems. Areas like transportation, drinking water, energy, electricity and industry are the sensitive sectors that need protection against cyber threats. It is also realized that for a developing country like Nepal, where these sectors are progressing towards system automation and the use of computers and networking, we need to develop proper security mechanisms, policies and strategies side by side with technology advancement.
This proposal, in my opinion, will focus on an overview of the basic steps to be taken to design and build a Nepal-CERT.

2.0 US-Cyber Security Training: Brief Overview:
From April 20 to May 4, 2012, a group of six Nepalese delegates, including private and public sector representatives, attended the USA training and workshop program on “cyber-security and ICT Policy Making”. The main objective of the training was “to increase the awareness towards the cyber-security and its sensitivity for the nation with the formation of best rules and policies to protect ICT users, public and private data by the control over possible threats in cyber space”. Another major concern was to gather experts and participants from around the world and share country experiences among all of the participants, in order to optimize security systems and formulate the best policies.
Almost thirty-four (34) participants from all over the world gathered in the training program. It was an excellent platform to gain knowledge of the development of the whole ICT sector through the sharing of best practices, standards and experiences. The training was conducted at different public and private institutes of the United States and basically covered security in the Domain Name industries, telecom industries, and government and non-government sectors like energy, transportation etc., along with an overview of US-CERT, the operations of US-HLS (Home Land Security), an overview of the Whitehouse Security Council, global initiatives towards cyber-security (ITU-IMPACT) and many more, all of which encourage us towards the formation of Nepal-CERT.
Photo: Training/Workshop Participants from Asia and Africa
Photos: US Workshop/Training Participation from Nepal

3.0 NP-CERT: Motivating Factors
Nepal, being a developing country, still has time to plan a better security system to be deployed alongside the implementation of automated systems. The deployment of the e-government system and its back-end network infrastructure is progressing fairly rapidly in Nepal. From this perspective, keeping organizational information assets secure in today's interconnected computing environment is a true challenge that becomes more difficult with each new "e" product and each new intruder tool. Most organizations realize that there is no one solution or panacea for securing systems and data; instead, a multilayer security strategy is required. One of the layers that many organizations are including in their strategy today is the creation of a Computer Emergency Readiness/Response Team, generally called a CERT. The following are the main motivators towards the establishment of Nepal-CERT (NP-CERT):

[a] It is identified that there is a general increase in the number of computer security incidents being reported.
[b] It is realized that there is a general increase in the number and type of organizations being affected by computer security incidents.
[c] It is required that organizations have a more focused awareness of the need for security policies and practices as part of their overall risk-management strategies.
[d] It is required to have new laws and regulations that impact how organizations are required to protect information assets.
[e] It is realized that systems and network administrators alone cannot protect the organizational systems and assets.
Looking at the international scenarios, we need to initiate the establishment of NP-CERT for Nepal as soon as possible. For this, we need answers to the following basic questions about the establishment:
  • What are the requirements to establish a CERT?
  • What type of CERT is required?
  • What types of services should be offered?
  • What size should the CERT be?
  • What should the organizational structure of the CERT be, and where should it be located?
  • What is the cost of implementation and of supporting the team?
  • What basic initiatives are required for the CERT?

4.0 CERT Objectives
The main objective of formation of CERT will be to protect ICT Users in the Government, Public and Private Sector Organizations and the General Public by providing up-to-date information on potential threats and vulnerabilities and by undertaking computer emergency response handling services.

5.0 CERT: Establishment Steps
The operations of a CERT depend upon the availability of staff, their expertise, the budget allocated and the circumstances of the country. The very basic steps to create a CERT are listed and discussed below:
  • Obtain Management Support
  • Determine the CERT strategic plan
  • Gather Relevant Information
  • Design the CERT vision
  • Communicate vision and operational plan
  • Begin CERT implementation
  • Make CERT operational
  • Evaluate CERT effectiveness
To secure the resources, funding and time, with long-term sustainability, for the person or group of people who will act as the project team for implementing the CERT, it is necessary to have management’s full support. It is important to elicit management's expectations and perceptions of the CERT's function and responsibilities. Without this information, a team may be built whose services and authority are not understood or appropriately used by the rest of the organization.
A realistic strategic plan should be developed for the establishment of the CERT, including the administrative and management issues. It is necessary to meet with key stakeholders to discuss not only their incident response needs, but also to achieve an initial consensus on the expectations, strategic direction, definitions, and responsibilities of the CERT. The major stakeholders may be the concerned ministries/departments, regulator(s), business manager(s), IT representative(s), legal representative(s), public relations representative(s), existing security group(s) if any (like CIB...), audit/risk management specialist(s) and many more as required. Stakeholders should also include anyone who will be involved in the incident-handling or notification process. In addition, it is necessary to investigate what similar organizations/countries (like US-CERT, ITU-IMPACT, Sri Lanka-CERT…) are doing to provide incident handling services or to organize a CERT, in order to learn about their missions, charters, funding schemes, and service listings.
With the formation of the CERT, it is necessary to create a vision, which should identify our constituency, define the mission/goals/objectives, select the services, determine the organizational model, identify resources, arrange funding etc.
Communicating our vision in advance can help identify process or organizational problems before implementation. It is a way to let people know what is coming and allow them to provide input into CERT development.
The effective implementation of the CERT includes hiring staff, developing the network infrastructure and managing equipment, and developing CERT policies with incident reporting guidelines. The incident reporting guideline defines how our constituency interacts with our CERT and covers the incident reporting and management steps. The process for reporting an incident includes a detailed description of the mechanisms for submitting reports: phone, email, web form, or some other mechanism. It should also include details about what type of information should be included in the report.
After the CERT becomes fully functional, it is necessary to measure its effectiveness in order to improve the process and fulfill the objectives. Information on effectiveness can be gathered through a variety of feedback mechanisms, including:
  • benchmarking against other CERTs
  • general discussions with constituent representatives
  • evaluation surveys distributed to constituency members on a periodic basis
  • creation of a set of criteria or quality parameters that is then used by an audit or third party group to evaluate the team
The information collected for analysis may include:
  • number of reported incidents
  • response time or time-to-live of an incident
  • number of incidents successfully resolved
  • information reported to the constituency about computer security issues or ongoing activity
  • attentiveness to security issues within the organization
  • preventative techniques and security practices in place

6.0 Steps Towards NP-CERT

6.1 Identify Major Stakeholder (s)

Identifying the key stakeholders of this CERT establishment is the first-priority step. Some of the major stakeholder(s) may be:
6.1.1 Ministry of Information and Communication (MoIC):
This is the umbrella organization for the development of the information and communication sector of Nepal. Hence MoIC should play a key role in the formation of NP-CERT and its necessary policies, together with the other necessary stakeholders.

6.1.2 Nepal Telecommunications Authority (NTA):

NTA, the autonomous regulatory authority of Nepal, looks after the entire telecom and ISP sector and its development. The development of secure telecom and ISP networks within Nepal is also a major concern of NTA.

6.1.3 Nepal Police: Criminal Investigation Bureau/Division:

Physical and computer security breaches pose challenges to police investigation. CIB needs help from other key stakeholders to control security breaches.

6.1.4 Nepal Rastra Bank (NRB):

To secure the banking network, which is quite a sensitive sector of the state, NRB, including audit/risk management specialists, should develop financial policy for network security in coordination with the other stakeholder(s). It develops threat metrics and vulnerability assessments, along with encouraging computer security best practices across the constituency or organization.

6.1.5 Legal Department:

Legal staff may also be needed to review non-disclosure agreements, develop appropriate wording for contacting other sites and organizations, and determine site liability for computer security incidents.

6.1.6
…..

A superior coordinating team (including the possible major stakeholders) needs to be formed on behalf of MoIC. Following national and international practices, standards and policies, and with proper coordination, this team may carry out all the activities towards the establishment of NP-CERT to formalize its nature, structure, functionalities, scope and operations.

7.0 Recommendation(s) and Conclusion
It is realized that initiating the formation of NP-CERT right now is necessary for the development of the sector. MoIC, the lead ministry of the ICT sector(s), is expected to play a lead role and initiate the formation of NP-CERT.
