ESTABLISHING A NATIONAL COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) IN AFRICA: KENYAN CASE STUDY


2011

BY: MWENDE NJIRAINI

Disclaimer: Views expressed in this paper, except those quoted or referenced, are the author's own.

Page 1 of 37

Table of Contents

Executive Summary
1. INTRODUCTION
2. NATIONAL CYBERSECURITY FRAMEWORKS
   2.1. International Telecommunications Union
   2.2. United Kingdom
   2.3. Australia
3. WHAT IS A CSIRT?
4. NATIONAL CSIRT ESTABLISHMENT BENCHMARKING
   4.1. CERT-FI
   4.2. CERT-Hungary
   4.3. TunCERT
   4.4. National and Governmental CSIRTs in Europe
5. CSIRT INITIATIVES IN KENYA
   5.1. CSIRT-Kenya
   5.2. KE CIRT CC
   5.3. icsirt
   5.4. East African CSIRT
6. ESTABLISHING A NATIONAL CSIRT
   6.1. Political Support
   6.2. Legal Measures
   6.3. Planning
   6.4. Policy and procedures development
        Policy
        Procedures
   6.5. Communication Plan
   6.6. Services
   6.7. Personnel Training and Capacity Building
   6.8. Cooperation and Partnerships
        Forum of Incident Response and Security Teams (FIRST)
        International Multilateral Partnership against Cyber-threats (IMPACT)
        Team Cymru
        Universities
   6.9. Resources
        Funding
        Personnel
        Hardware
        Software
        Facility
        Publicity Material
CONCLUSION
RECOMMENDATIONS

Executive Summary

Cybersecurity is a growing global concern as critical infrastructure and services, including financial, energy, telecommunication and transport, increasingly become internet-dependent. Deterring cybercrime is an integral component of a national cybersecurity and critical information infrastructure protection (CIIP) strategy. The formulation and implementation of a cybersecurity strategy requires a comprehensive approach that involves the adoption of appropriate legislation against the misuse of Information and Communications Technologies (ICTs) for criminal purposes, and coordinated action to prevent, prepare for, respond to and recover from incidents in cooperation with relevant partners at the national, regional and international level.

On the basis of research and benchmarking, this paper reviews various considerations for the establishment of a national Computer Security Incident Response Team (CSIRT). The paper proposes the publishing of a national cybersecurity strategy to support the provisions of the Kenya Information and Communications Act, 2009, which proscribes cybercrime acts including unauthorized access to computer data and interception of computer service, publishing obscene information and electronic fraud, among others. To facilitate the enforcement of these provisions and improve cybersecurity in Kenya, this paper recommends a process for the institutionalisation of a national CSIRT based on a public private partnership (PPP) model. Further, the paper recommends that a phased approach be taken in the establishment of the national CSIRT in order to prove the importance of its services, thus acquiring buy-in from the private sector, which is critical in the provision of cybersecurity related information. In addition, collaboration with the international CSIRT community is imperative to the working of the national CSIRT, to facilitate trusted exchange of information.

1. INTRODUCTION

Few developing countries, especially in Africa, have addressed internet security issues critically. Local and international connectivity in the continent offers less than broadband speeds, thus providing no incentive for meaningful exploits. This presents a situation where a dirt path, by way of poor satellite connectivity, has acted as our security. However, once the super highways of broadband connections offered by both national and submarine fibre optic cable systems become increasingly available, Africa will draw the attention of international hackers, and its systems will therefore become easy targets for high speed exploits.

Kenya currently has about 4 million internet users. This number continues to grow, encouraged by improved accessibility and affordability of internet connectivity. According to a report by Team Cymru, an America-based Internet security firm, malicious assaults on Kenyan websites have surged and the attacks are predicted to grow as more people go online. 1 Incidents of online security breaches, however, are not well documented. Unfortunately, like many other African countries, Kenya is unprepared to face Internet security threats 2.

With increased dependence on the internet, both the government and the private sector have a role to play in guaranteeing the security, privacy and openness of the Internet. As such, establishing a national cybersecurity strategy and upgrading information security policies and systems is important 3. It is important for Kenya to bring its anti-cybercrime strategies into line with international standards from the outset. Indeed, Kenya is a supporter of the World Telecommunication Standardization Assembly (WTSA-08) Resolution 50: Cybersecurity, in which the WTSA-08 resolved that global, consistent and interoperable processes for sharing incident-response related information should be promoted. Consequently, WTSA-08 Resolution 58: Encourage the creation of national computer incident response teams, particularly for developing countries, resolved to support the creation of national computer incident response teams (CIRTs) in Member States where CIRTs are needed and are currently absent.

1 A botnet (also known as a zombie army) is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. Source: Botnet [online] Available from: [Accessed February 2010]
2 Africa security spending rises with increased connectivity. [online] Available at: [Accessed April 2010]
3 Kenya Embracing High Speed Internet at Cost of Security [online] Available at: [Accessed October 2009]

2. NATIONAL CYBERSECURITY FRAMEWORKS

2.1. International Telecommunications Union

The International Telecommunications Union (ITU) has developed Best Practices for developing a national approach to cybersecurity: A management framework for organizing national cybersecurity efforts 4. According to the ITU, a comprehensive strategy requires a review of the adequacy of current national practices and consideration of the role of all stakeholders, as protection of critical information infrastructure (CII) is a shared responsibility. The strategy should consider the establishment and modernization of cybercrime-related policy, legislation and procedures, as well as the establishment of a focal point for watch, warning, response and recovery efforts and the facilitation of stakeholder collaboration. In addition, the ITU recommends that Governments must take a leadership role in bringing about this culture of cybersecurity. It further recommends that a national cybersecurity strategy should include:

- Creating awareness at a national policy level about cybersecurity issues and the need for national action and international cooperation.
- Developing a national strategy to enhance cybersecurity in order to reduce the risks and effects of both cyber and physical disruptions.
- Participating in international efforts to promote national prevention of, preparation for, response to, and recovery from incidents.
- Developing government-industry collaborative relationships that work to effectively manage cyber risk and to protect cyberspace.
- Providing a mechanism for bringing a variety of perspectives, equities, and knowledge together to reach consensus and move forward together to enhance security at a national level.
- Enacting and enforcing a comprehensive set of laws relating to cybersecurity and cybercrime consistent with, among others, the provisions of the Convention on Cybercrime (2001).
- Developing a coordinated national cyberspace security response system to prevent, detect, deter, respond to, and recover from cyber incidents.

4 ITU Study Group Q.22/1 Report on Best Practices for a National Approach to Cybersecurity: A Management Framework for organizing National Cybersecurity Efforts. [online] Available at: D/cyb/cybersecurity/docs/itu-draft-cybersecurity-framework.pdf [Accessed 19th February 2010]

- Establishing a focal point for managing cyber incidents that brings together critical elements from government (including law enforcement) and essential elements from infrastructure operators and vendors to reduce both the risk and severity of incidents.
- Participating in watch, warning, and incident response information sharing mechanisms.
- Developing, testing, and exercising emergency response plans, procedures, and protocols to ensure that government and non-government collaborators can build trust and coordinate effectively in a crisis.
- Promoting a national culture of security consistent with UN General Assembly Resolutions 57/239, Creation of a global culture of cybersecurity 5, and 58/199, Creation of a global culture of cybersecurity and the protection of critical information infrastructures 6.

2.2. United Kingdom

The government of the United Kingdom has published a Cyber Security Strategy of the United Kingdom 7 which provides a coherent approach that aims at reducing risk from the UK's use of cyber space, exploiting opportunities in cyber space and improving knowledge, capabilities and decision-making. The strategy recognizes the role of the public and private sector as well as international partners, including GovCertUK. It also provides for the establishment of structures such as the Office of Cyber Security (OCS), to provide strategic leadership for and coherence across Government, and a Cyber Security Operations Centre (CSOC), to actively monitor the health of cyber space and co-ordinate incident response, enable better understanding of attacks against UK networks and users, and provide better advice and information about the risks to business and the public.

5 UNGA Resolutions 57/239: Creation of a global culture of cybersecurity [online] Available from: [Accessed 19th January 2010]
6 UNGA Resolutions 58/199: Creation of a global culture of cybersecurity and the protection of critical information infrastructures. [online] Available at: D/cyb/cybersecurity/docs/UN_resolution_58_199.pdf [Accessed 19th February 2010]
7 Cyber Security Strategy of the United Kingdom. [online] Available at: [Accessed 19th February 2010]
8 Australian Government: Cybersecurity Strategy. [online] Available at: ecurity+strategy+-+for+website.pdf/$file/ag+cyber+security+strategy+-+for+website.pdf [Accessed 19th February 2010]

2.3. Australia

Australia launched a Cybersecurity strategy in to formalise the roles, responsibilities and policies of Australian intelligence, cyber and policing agencies to protect Australian internet users 8. The stated aim of the strategy is the maintenance of a secure, resilient and trusted electronic operating environment that supports Australia's national security and

maximises the benefits of the digital economy. The strategy provides for the creation of the new Australian Government Computer Emergency Response Team, CERT Australia 9, which was expected to commence operation in January. In addition, the strategy seeks to establish the Cyber Security Operations Centre (CSOC), which will provide the Australian Government with all-source cyber situational awareness and an enhanced ability to facilitate operational responses to cyber security events of national importance 10.

9 CERT Australia [online] Available at: [Accessed 19th February 2010]
10 Australian Government: Cyber Security: An overview. [online] Available at: ty+-+an+overview+(brochure-booklet).pdf/$file/cyber+security+-+an+overview+(brochure-booklet).pdf [Accessed 19th February 2010]

3. WHAT IS A CSIRT?

CSIRT stands for Computer Security Incident Response Team. Other abbreviations 11 used for similar teams include CERT or CERT/CC (Computer Emergency Response Team / Coordination Center), IRT (Incident Response Team), CIRT (Computer Incident Response Team) and SERT (Security Emergency Response Team). The term CERT is registered in the USA by the CERT Coordination Center (CERT/CC) 12.

A CSIRT is defined as a service organisation responsible for receiving, reviewing and responding to computer security incident reports and activity 13. It provides the necessary services to handle them and supports its constituents in recovering from breaches. The goals of a CSIRT should include:

o early detection;
o short response time;
o reduction of impact;
o recognition of liability issues;
o analysis techniques which are forensically safe, and which need to be developed in advance, not when time is of the essence; and
o alignment with partners.

There can be more than one CSIRT in a country, serving the interests of various constituencies, for example the academic, banking and military sectors, or a single organisation. These CSIRTs are focussed on and provide services and support to their defined constituency for the prevention of, handling of, and response to cybersecurity incidents. However, it is also possible for a country to designate an entity as a national CSIRT to serve as the principal entity serving Government or government-related organisations. The mandate of a national CSIRT is to be the main point of contact in a country and to facilitate the cyberization of the economy and government by providing leadership and guidance in cybersecurity. It should be a repository for knowledge in cybersecurity, the place where any government agency, organisation or individual could turn for advice and guidance (Morel, 2009).

It is important to note that CSIRTs do not replace existing national and local emergency preparedness, disaster recovery, business continuity or crisis teams, nor do they replace other national policing or intelligence agencies.

11 ENISA (2006) A step-by-step approach on how to set up a CSIRT. Available at: [Accessed 31st August 2011]

4. NATIONAL CSIRT ESTABLISHMENT BENCHMARKING

Kenya has had the opportunity to benchmark with Tunisia during the ITU Regional Cybersecurity Forum for Africa and Arab States held in Tunis in June 14, as well as with Finland and Hungary in November and December 2009 under the auspices of the East Africa Communications Organization (EACO) Cybersecurity Taskforce. Benchmarking is important in the establishment of a national CSIRT. It should however be noted that each country's situation and requirements are unique.

4.1. CERT-FI

The Finnish national Computer Emergency Response Team (CERT 15), CERT-FI 16, is managed by the Finnish Communications Regulatory Authority (FICORA). CERT-FI was established in 2002 under law to supervise compliance, collect information on violations of and threats to information security, investigate violations of and threats to information security, and publicize information security matters. The CERT is a national point of contact for security coordination and incident handling, information security awareness and vulnerability coordination.

Institutional Setup

CERT-FI operates under the Network and Security department in FICORA. This direct linkage with the regulator and the location is advantageous, easing communication and coordination of activities with operators and service providers. CERT-FI is located in a separate, secure, specialized area at FICORA and uses a Unix/Linux based environment, which is recommended for the download of malicious code for analysis. The CERT has adopted a bottom-up way of working and uses a wiki 17 for internal organization and information sharing. The CERT has dependable and separate internet connections to allow secure analysis of malware and malicious code, plus 3G connections providing redundancy.

14 ITU (2009) 2009 ITU Regional Cybersecurity Forum for Africa and Arab States. Available at: [Accessed 31st August 2011]
15 CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. Source [Accessed 26th April 2010]
16 CERT-FI [online] Available at: [Accessed 30th November 2009]
17 Wiki [online] Available at: [Accessed 16th March 2010]

Legal Framework

FICORA derives its mandate from the Act on the Protection of Privacy in Electronic Communications, Chapter 5: Information Security in Communication, Section 31, which states that the duties of the regulator are:

- To supervise compliance with the Act;

- To collect information on violations of and threats to information security in respect of network services, communication services and value added services, and on significant faults and disruptions in such services;
- To investigate violations of and threats to information security in respect of network services, communications services and value added services, and significant faults and disruptions in such services; and
- To publicize information security matters.

CERT-FI has a 10 year civil jurisdictional contractual agreement under the Tort Liability Act (41/1974) Sections 3 and 2 with the National Emergency Supply Agency (NESA) 18 with regard to safeguarding the functionality and efficiency of the communications services. NESA coordinates the security of critical infrastructure, including supporting the supply of food stuffs, energy, transport, warehousing and distribution systems, technical systems, health services, and manufacturing and repairs for the military defence, at a national level through public-private partnership. Under the Act on the Protection of Privacy in Electronic Communications Section 21(3), telecommunications operators are obliged to notify FICORA of significant violations of security in network and communication services and of any information security threat to such services that may have come to the attention of the operator. With reference to Section 21(4), FICORA issued Regulation 9c/2009 on the Obligation to report information security incidents and faults and disturbances in public telecommunications. Other relevant regulations include Regulation 47B/2004 on Information Security of Telecommunication Operators, Regulation 13A/2008 on Information Security and Functionality of Internet Access Services and Regulation 11A/2008 on Information Security and Functionality of Services.

Services

CERT-FI provides three core services: incident handling and coordination, vulnerability handling and coordination, and providing a national situation picture of information security. Guided by the Regulations, CERT-FI seeks to meet the basic demands from operators/service providers, as all incidents are different. It is recommended to start with a minimum service mix for which resources are available. Information received by the CERT from public and non-public sources is classified as primary, secondary and tertiary information sources. Data on malicious activities in Finnish IP space is received from both push and pull sources, including Spamhaus 19, which provides real-time anti-spam protection for Internet networks, Sirios, Shadowserver 20, which tracks

18 National Emergency Supply Agency [online] Available at: [Accessed 28th January 2010]
19 The Spamhaus Project. [online] Available at: [Accessed 28th January 2010]
20 The Shadowserver Foundation. [online] Available at: [Accessed 28th January 2010]

malware, botnet activity, and electronic fraud, Arbor Networks 21, Team Cymru and other security partners. CERT-FI forwards this information, which includes valuable statistics such as absolute numbers of infections and the number of incidents per capita, to operators/service providers in a blog-type format on a website with a restricted area for a specific community, as well as through alerts, bulletins and mailing lists.

International Cooperation

CERT-FI has built a trusted contact list, covering every continent and time zone, of major network service providers (NSPs), Internet Service Providers (ISPs) and software vendors, through networking at meetings, references, training and the handling of incidents. CERT-FI is a member of the Forum for Incident Response and Security Teams 22 (FIRST) and attends conferences such as AP-CERT 23, which provide important opportunities for networking.

Funding

CERT-FI is 25% funded from a tax-equivalent telecommunication security administration fee paid by telecommunication operators. This amount is derived from 0.1% of annual turnover; consequently, bigger companies pay more than smaller ones, because of the economies of scale of dealing with one incident compared to 10 incidents. CERT-FI receives 75% of its funding from the national preparedness fund through NESA.

4.2. CERT-Hungary

CERT-Hungary 24 was set up in 2005 after the need to protect governmental networks and critical infrastructures and to coordinate CERTs in Hungary was identified. CERT-Hungary was established with the support of the Ministry of Informatics and Communication and is hosted by the Theodore Puskas Foundation. CERT-Hungary's services are offered to the Hungarian government, municipalities, and critical service providers, with computer networks owned by the government receiving special attention. Other CERTs in Hungary include Hun-CERT and NIIF-CERT, established in 1997 to serve ISPs and academia, respectively.

21 [Accessed 28th January 2010]
22 Forum for Incident Response and Security Teams [online] Available at: [Accessed 21st December 2009]
23 Asia Pacific Computer Emergency Response Team. [online] Available at: [Accessed 28th January 2009]
24 Hungarian National Computer Emergency Response Team. [online] Available at: [Accessed 19th February 2010]

Institutional Setup

The Theodore Puskas Foundation is a semi-autonomous government institution that is governed by civil code and acts in the interests of the public. CERT-Hungary is a flexible

organization with a government mandate that has evolved through a bottom-up approach. The public-private partnership (PPP) framework gives the CERT stability, enabling it to survive government changes. The establishment of a separate organization allows for competitive remuneration of employees and facilitates interaction with other critical sectors, including banking and energy. Persons employed in the CERT are not public servants but are however required to have security clearance from government. With the change of the legal system through Government Decree No. 223, 2009 on the security of electronic public service, CERT-Hungary has become the National Cyber Security Centre of Hungary, thus becoming the designated national point of contact responsible for cybersecurity and the protection of critical information infrastructures. The centre, supervised by the Prime Minister's office, is operated by the Theodore Puskas Foundation on the basis of a public service agreement. The centre operates the National Alert Service for Informatics and Communications, which is an outsourced service from the National Communications Authority (the regulator).

Legal Framework

Government Decree 223 of 14th October 2009 enumerates the tasks, control, framework and services of the CERT. The E-commerce Act provides for indirect liability of ISPs for any wrongdoing committed through their systems, either in terms of content, access, cache or search engine-type services. ISPs are required by law, or may be given financial incentives such as tax exemption, to create a secure environment. The ministerial decree on the National Alert Service for Informatics and Communications designates 8 communication service providers with the obligation of reporting security breaches of a physical nature having an effect on service availability. The alert service centre receives and distributes information to ministries and the Centre for crisis management.

Services

The technical service is viewed as a beneficial service to stakeholders when the scope and constituency are defined. CERT-Hungary is responsible for the security of the e-government backbone and for critical information infrastructure protection (CIIP) in the banking and energy sectors. The services offered by the CERT can be broadly divided into the following 3 groups:

- Reactive - incident handling
- Proactive - awareness raising, and
- Preventive - vulnerability analysis and vulnerability database management.

To facilitate the provision of a national high-level service for communications and informatics, telecommunications, broadcast and postal operators are required to report a minimum level of failures. CERT-Hungary has two duty centers, one for Telecommunications and the other for IT incident reporting.

CERT-Hungary also coordinates information sharing and analysis centres with the critical sectors. In the voluntary information sharing working groups, CERT-Hungary acts on behalf of the government, with other representation from the critical sector stakeholders, the regulators, and the high-tech group of law enforcement. CERT-Hungary offers the following services:

- Base services: provided to constituents, together with situation analysis based on reports and observations from trusted sources. These include:
  o Incident handling and coordination
  o Vulnerability management and maintenance of a vulnerability database
  o Basic training and education and capacity building
  o Incident analysis service
  o Incident detection
  o System protection advisory
  o A think tank role in the preparation of relevant regulations, project management and technical service
- Value-added services: provided at a fee, including project design and management.

International Cooperation

CERT-Hungary leverages its international accreditation and membership of organizations including the Forum of Incident Response and Security Teams (FIRST), the European Network and Information Security Agency (ENISA), the Meridian Process 25, the International Watch and Warning Network 26 (IWWN) and the European Government CERTs (EGC) group 27 as a reference point, a trusted source of information, and to provide stability. Information from trusted sources should be speedy, accurate, useful and reliable. The CERT combines information from multiple sources and checks it against information from independent sources, as well as verifying it against its own knowledge or tests.

25 MERIDIAN 2009: Critical Information Infrastructure Protection: Our Shared Responsibility [online] Available at: [Accessed 21 December 2009]
27 European Government CERTs (EGC) group [online] Available at: [Accessed 13th January 2009]

Accreditation to these bodies requires that the CERT meet the following requirements:

- Be operational for at least one and a half years,
- Have a government mandate,

- Have stable financing,
- Have the necessary equipment and staff,
- Have recommendations from two FIRST member CERTs,
- Payment of membership fee, and
- Attendance at annual conferences.

The CERT coordinates private sector working groups in the financial and energy sectors and is involved in cybersecurity exercises, the sharing of best practice, and acting as an intermediary with the regulatory authority. The CERT also facilitates national and international cooperation, crisis management, awareness raising and policy making.

Funding

The CERT has distributed financial sources, including the state budget, state project contracts, service contracts and EU/national funding for research projects. The CERT is required to generate a maximum of 20% from its business-oriented services. CERT-Hungary employs 5 people to handle IT related incidents, who are graduates from technical colleges. This is part of the 24/7 duty service. It also offers internship opportunities in order to build skills among college graduates. Employees at the National Alert Service for Informatics and Communications are telecommunication engineers. The CERT measures its performance on the basis of incident management, vulnerability advisories downloaded, service contracts, international involvement in CERT capacity building and CERT cooperation, and achievement of strategic goals.

4.3. TunCERT

The Tunisian Computer Emergency Response Team (tuncert) 28 was established in 2004 as a sub-structure under the National Agency for Computer Security (ANSI) 29, becoming the first CERT in the African region 30. tuncert is the trusted point of contact in Tunisia, providing centralized incident management services for Government and the public and private sector, technology and security watch, cyberspace monitoring, expertise to support and assist quick recovery from security incidents, and awareness raising.
28 Tunisian Computer Incidence Response Team [online] Available at: [Accessed 3rd March 2010]
29 National Agency for Computer Security [online] Available at: [Accessed 3rd March 2010]
30 Promoting a Cybersecurity Culture: Tunisian Experience [online] Available at: D/cyb/events/2008/lusaka/docs/rais-awareness-raising-tunisia-case-study-lusaka-aug-08.pdf [Accessed 3rd March 2010]

Institutional Setup

To facilitate the set-up of the CERT, three persons, one with technical experience, another with managerial experience, and a third with technical knowledge, managerial capability and access to the highest level of government, were appointed to draw up a national cybersecurity strategy and create awareness. tuncert has grown from 3 personnel in 2004 to 42 in 2008 (Figure 1), organised as follows:

- The Saher team, responsible for monitoring and incident detection, which utilizes open-source solutions to monitor the Tunisian cyberspace in real-time, therefore providing early detection of potential threats and monitoring of their impact;
- The Amen team, responsible for the national reaction plan and for national incident coordination;
- The Incident Response Team, responsible for incident handling and computer forensics;
- The Alert and Warning Team, responsible for vulnerability and malware watch;
- The Awareness Team;
- The Penetration Testing and Vulnerability Assessment Team; and
- The Assistance Team, responsible for providing support for citizens and professionals regarding security issues.

Figure 2: CERT-TCC historical overview. Source: HayThem (2009)

Legal Framework

The Information Technology (IT) Security Law (Law N ) 31, promulgated in February 2004, includes the following:

- Obligation for national companies (public and some private) to carry out risk assessment of their information systems (IS) and organization.
- Obligation to declare to the National Agency for Computer Security any cybersecurity incident that could affect other IS, with a guarantee of confidentiality by law.
- Creation of the National Agency for Computer Security and definition of its mission.
- Launch of the CERT/TCC (now tuncert) under the National Agency for Computer Security.

Other cybersecurity related laws include the Law on protection of privacy and personal data (Law n ), the Law on Electronic Signature and e-commerce (Law N ), the Law Against Cyber-Crimes (Law N 99-89) and laws on consumer protection and intellectual property.

31 Tunisian Coordination Centre (CERT-TCC) [online] Available at: [Accessed 3rd March 2010]

Services

tuncert provides 24/7 free-of-charge services in accordance with its mission statement. It provides incident handling as a mandatory service, while core services include alerts and warnings, incident analysis, incident response support, incident response coordination and announcements. The CERT collects information on phishing, identity theft, copyright infringement, sabotage, Denial of Service (DoS), defacement, brute force, vulnerability exploit, social engineering, malware, paedophilia, pornography, harassment and spam incidents from various trusted sources and evaluates them utilizing various tools to facilitate identification, classification, risk assessment, impact analysis and severity rating. These tools include a dedicated server and network, PGP, an incident tracking system, network analysis and log analysis software, and forensics and data recovery tools.

International Cooperation

tuncert joined the Organisation of The Islamic Conference-Computer Emergency Response Team 32 (OIC-CERT) in 2006 and was admitted as a full member of FIRST in May. In 2008 tuncert joined the Network of Center of Excellence of the CNUCED/UNCTAD.

Funding

tuncert is funded by the government through a special fund called the "Telecommunication development Fund", managed by the Ministry of Communication Technologies.

4.4. National and Governmental CSIRTs in Europe

The main findings of the survey of European CSIRT teams' administration, operations, cooperation and communications 33, carried out by FICORA, were:

- Each CERT is unique; though a common objective was identified, that is, helping to keep its country's critical networks secure, the tools and methods to achieve this objective vary.
- A set of recommended capabilities for national and governmental CSIRTs were identified: being a designated point of contact for incident and response coordination, building and maintaining an extensive domestic and international contact network, as well as providing other essential services including situation monitoring and awareness building.

32 The Organisation of The Islamic Conference-Computer Emergency Response Team [online] Available from: [Accessed 22nd February 2010]
33 National and Governmental CSIRTs in Europe Study Conducted by CERT-FI [online] Available at: f [Accessed 28th January 2010]

- Governmental CSIRTs are funded by the state; as a general rule the main beneficiaries cover the costs. Funding tools include the state budget, service agreements, membership fees and project funding. The pay-per-incident model is not in use.

5. CSIRT INITIATIVES IN KENYA

5.1. CSIRT-Kenya

There have been various initiatives to establish a national CSIRT in Kenya. The first such initiative was CSIRT-Kenya [34], which was sponsored by the Kenya Network Information Centre [35] (KENIC) and the Telecommunication Service Providers of Kenya (TESPOK). The objective of CSIRT-Kenya was to assist members of the local internet community in implementing proactive measures to reduce the risks of computer security incidents and to assist the community in responding to such incidents when they occur. However, CSIRT-Kenya is currently not functional.

5.2. KE CIRT CC

Based on the mandate provided in the Kenya Information and Communications Act [36], the regulator, the Communications Commission of Kenya [37], is in the process of setting up the Kenya Computer Incident Response Team Coordination Centre (KE-CIRT CC), whose role will be to receive, review and respond to computer security incident reports and activity as well as to create awareness on cyber security.

5.3. icsirt

The Industry Computer Security Incident Response Team [38] (icsirt) is an initiative of the Telecommunication Service Providers of Kenya (TESPOK). icsirt has been established to ensure that network integrity and information security are maintained at the Kenya Internet Exchange Point (KIXP). Services currently offered by icsirt include weekly reports on bad IPs reported on members' networks, security bulletins, alerts and warnings, and general security incident handling. The overall goal of icsirt is to develop and promote the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage and to ensure continuity of critical services.

5.4. East African CSIRT

The East Africa Communications Organization (EACO) set up a Cybersecurity Taskforce at its meeting held in 2008 in Dar es Salaam, Tanzania. The vision of the taskforce is to build confidence and security in the use of cyberspace in the East Africa (EA) region, while its mission is to enhance the security of cyberspace in the EA region through collaboration amongst all the stakeholders.

The taskforce's Terms of Reference include:
- Establishment of national CSIRTs
- Regional coordination
- Regional and international partnerships
- Annual incident reporting to EACO

The taskforce's implementation plan was set out as follows:
- Benchmarking: members of the taskforce visited the national CERTs in Finland and Hungary in November 2009; the key findings are highlighted in section 4.
- Establishment of national CSIRTs: the taskforce has embarked on capacity building through workshops supported by partners including ICANN and ITU.
- East Africa-CSIRT: this is the ultimate goal of the taskforce.

[34] CERT-Kenya [online] Available at: [Accessed 19th February 2010]
[35] KENIC:
[36] Kenya Information and Communications Act, 2009 Available at: [Accessed March 2011]
[37] CCK:
[38] icsirt Available at: [Accessed 29th August 2011]

6. ESTABLISHING A NATIONAL CSIRT

Cybersecurity requires political, social and technical approaches. The ITU Global Cybersecurity Agenda [39] identifies five areas of work:
1. Legal Measures
2. Technical and Procedural Measures
3. Organizational Structures
4. Capacity Building
5. International Cooperation

A national CSIRT is a national focal point within a country or region that coordinates incident handling activities. CSIRTs study internet security vulnerabilities, research long-term changes in network systems, and develop information and training to help improve security. Similar organizations may be set up to serve constituencies with common interests, such as commercial, academic, government and military constituencies. The national CSIRT should be a point of contact for other CSIRTs within the country, facilitating coordinated responses to incidents. The national CSIRT is expected to develop tools customized to the needs of Kenya to acquire early evidence of infections and, more generally, situational awareness of the national network. The CSIRT would help in the design of critical infrastructure to make it resilient to cyber attacks and should educate and inform Kenyans of the dangers of the Internet. It is imperative that the national CSIRT keeps abreast of the latest developments in the fast-changing world of cybersecurity.

6.1. Political Support

Getting executive approval to build a national CSIRT is essential to the success of a CSIRT and must be gained early in the development stage. To be successful, a national CSIRT should enjoy generous financial support and solid backing from the government and the legislature. There have been failed attempts at building CSIRTs worldwide where the failure has been blamed on a lack of support or interest at the highest level, together with a general lack of awareness of the importance of cybersecurity in the country. This is to a certain extent changing in an environment where all the parties are convinced of the need for a national CSIRT and are prepared to work hard at its success (Morel, 2009).

6.2. Legal Measures

In order to function effectively a CSIRT should be supported by extending existing legislation and enacting appropriate new legislation. The legislation would seek to encourage cooperation among stakeholders and the reporting of security incidents to the national CSIRT. Consequently an analysis of current national laws is recommended to identify any possible gaps as well as the legislative impact, for example the potential placing of an undue burden on organizations.

The ICT policy [40] states that there is a need for a comprehensive policy, legal and regulatory framework to: "Address issues of privacy, e-security, ICT legislation, cyber crimes, ethical and moral conduct, copyrights, intellectual property rights and piracy." In addition the policy, in Section 2.11 Electronic Security, states that: "The challenge is for the country to establish an adequate legal framework and capacity to deal with national security, network security, cyber-crime and terrorism; and to establish mechanisms for international cooperation to combat cross-border crimes. An e-security structure will be developed in collaboration with the relevant institutions."

In facing this challenge, section 83Q of the Kenya Information and Communications Act, 2009 states that:
(1) The Minister may by notification in the Gazette, declare that any computer or computer network is a protected system.
(2) The minister may by order in writing, authorize any person to access protected systems notified under sub-section (1).

In addition the Kenya Information and Communications Act, 2009 proscribes the following cybercrimes:
- Unauthorized access to computer data
- Access with intent to commit offences
- Unauthorized access to and interception of computer service
- Unauthorized modification of computer material
- Damaging or denying access to computer system
- Unauthorized disclosure of password
- Unlawful possession of devices and data
- Electronic fraud
- Tampering with computer source documents
- Publishing obscene information in electronic form
- Publication for fraudulent purpose
- Unauthorized access to protected systems
- Reprogramming of mobile telephone
- Possession or supply of anything for re-programming mobile telephone

These provisions may be used as the legal basis for the establishment of a national CSIRT. However, there is a need to analyze the specific laws, regulations and other policies that will affect the development of the national CERT (what constraints, level of authority, information protection or compliance issues will determine its operation).

6.3. Planning

Extensive planning needs to take place before a CSIRT is developed and implemented. This includes identifying key stakeholders and participants in the development process; developing a strategic plan and vision for how the CSIRT will be organized, structured, staffed and funded; training the CSIRT staff; and incorporating mechanisms to evaluate and improve CSIRT operations.

[39] ITU (2007) The ITU Global Cybersecurity Agenda Available at: [Accessed 31st August 2011]
[40] National Information and Communication Technology (ICT) Policy Available at: [Accessed August 2011]

The Carnegie Mellon Software Engineering Institute proposes the following four Steps for Creating National CSIRTs [41]:

Figure 3: Steps for Creating National CSIRTs

Stage 1: Educating stakeholders about the development of a national team. At this stage those who need to participate in and champion the development of the national CSIRT learn about and are made aware of the role of a CSIRT.

Stage 2: Designing and planning the national CSIRT. This includes review and discussion of the need for and benefits of the team, identification of its constituency, services and role, and determination of the estimated costs to create and operate the team and of the time and people required to plan, implement and operate the CSIRT.

Stage 3: Implementing the CSIRT. This includes obtaining funding, announcing the creation of the national CSIRT, formalizing coordination and communications mechanisms with stakeholders and the constituency, implementing the secure information systems and network infrastructure needed to operate the CSIRT, and developing operational policies and procedures.

Stage 4: Operating the CSIRT. Tasks at this stage include the active provision of services; developing and implementing a mechanism for evaluating the effectiveness of operations and improving the team's operations on the basis of the evaluation results; expanding the mission, services and staff as appropriate; continuous tracking of changes in the constituency, legislation, policy or other regulations; and the development of policies and procedures and the training of new and existing staff.

Stage 5: Collaboration with the global CSIRT community by becoming a trusted partner is essential as the team matures and gains expertise in incident handling and management.

According to Rajnovic (2009) the CSIRT should start by providing a service, playing a coordinating role and being 'useful' to its constituents, thereby gaining the recognition required. With regard to timelines, Rajnovic suggests the following phased approach, which would be seen to produce value and tangible results that would attract funding:

0-6 months, stages 1 and 2: At this stage the national CSIRT, with 2-3 full time employees, would start providing incident handling for government and related entities. It is recommended that more time is spent advertising the team internally (within Kenya) and externally (regionally and globally) and establishing partnerships. During this period the CSIRT would refine plans for the next stages.

6-12 months, stage 3: At this stage the team should seek to increase by 1-2 people and engage in the active handling of multiple incidents (one weekly or monthly). The CSIRT should seek to establish technical expertise and become relatively well known within the country. At this stage the CSIRT should also start establishing itself as a subject matter expert within government and the legislature.

12 months and beyond, stage 4: After the first year the CSIRT should be fully operational for incident handling. Depending on how many other CSIRTs there will be in Kenya serving specific constituencies, the national CSIRT may (or may not) start doing incident coordination. At this point the CSIRT should also be able to propose what other activities it may perform in the next 12-month period.

6.4. Policy and procedures development

Figure 4: Policy and Procedure development

[41] Steps for Creating National CSIRTs [online] Available at: [Accessed 19th February 2010]

6.4.1. Policy

The CSIRT policy is the authority that the CSIRT requires to conduct its response activity. This may be derived from law. However, the CSIRT should on its own motion formulate its policies in collaboration with stakeholders.

6.4.2. Procedures

A CSIRT procedures document details the steps that should be taken in:
- Identification: important in order to confirm whether a cyber security incident has really happened and, if so, to determine the type of threat and the extent of harm or damage that has been or is being caused. Identification of an event or incident will come from various sources, including companies' intrusion detection and monitoring systems, firewalls, vendor alerts and employees.
- Analysis: provides information on the five Ws: What occurred, How it took place, Who was impacted, When it took place and Where the attack vector originated.
- Preparation: the most vital and time-consuming step in developing a CSIRT, given that technology and attacks are constantly changing. Consequently, the documentation and tools necessary to prepare for an investigation need to change constantly.
- Containment: essential to reduce the chances of an event or incident spreading.
- Eradication: allows the safe removal of the event or incident from the environment without compromising the evidence of the event or incident.
- Mitigation: the outcome of the analysis, which determines how to mitigate or eliminate the risk that allowed the event or incident to occur.
- Reporting: reporting the information to interested parties (or an authorised entity) facilitates learning and effective response in future incidents.
- Recovery: allows restoration to the original state prior to the event or incident. This step should also be used to put measures in place to mitigate the risk of the event occurring in the future.
- Lessons Learned: provides for the review of the investigation, identifying possible improvements.

6.5. Communication Plan

The CSIRT should have an effective communications plan as part of the broader incident response plan. The communications plan should identify key players and include, as a minimum, contact names, business telephone numbers, home telephone numbers, pager numbers, fax numbers, cell phone numbers, home addresses, internet addresses, permanent bridge numbers, etc.

Notification plans should be developed prior to an event or incident happening and the appropriate communication media determined. These include a public website, a closed member area on the website, web forms to report incidents, mailing lists, phone, SMS, old-fashioned paper letters and monthly or annual reports. The plan should also include alternate communications channels such as alpha pagers, internet, satellite phones, VoIP, private lines, BlackBerries, etc. The value of any alternate communications method needs to be balanced against the security and information loss risks it introduces.

6.6. Services

A national CSIRT should not charge for its services and should not try to be a commercial success. It should be a service. But the salaries of its personnel have to be competitive with the private sector in order to retain qualified personnel. This is a necessary condition for success.

Table 1: CSIRT Services list (Source: CERT/CC)

Reactive Services:
- Alerts and Warnings
- Incident Handling: Incident analysis; Incident response on site; Incident response support; Incident response coordination
- Vulnerability Handling: Vulnerability analysis; Vulnerability response; Vulnerability response coordination

Proactive Services:
- Announcements
- Technology Watch
- Security Audits or Assessments
- Configuration and Maintenance of Security
- Development of Security Tools
- Intrusion Detection Services
- Security-Related Information Dissemination

Artifact Handling:
- Artifact analysis
- Artifact response
- Artifact response coordination

Security Quality Management:
- Risk Analysis
- Business Continuity and Disaster Recovery
- Security Consulting
- Awareness Building
- Education/Training
- Product Evaluation or Certification


RWANDA CONTRIBUTION TO CWG-INTERNATIONAL INTERNET RELATED PUBLIC POLICY ISSUES. RWANDA CONTRIBUTION TO CWG-INTERNATIONAL INTERNET RELATED PUBLIC POLICY ISSUES. (Ref: CL-13/168 of 22 November 2013) 1.0. Introduction Since 2000, the Government of Rwanda (GoR) embarked on a 20 year journey

More information

REPUBLIC OF MAURITIUS NATIONAL CYBER SECURITY STRATEGY

REPUBLIC OF MAURITIUS NATIONAL CYBER SECURITY STRATEGY REPUBLIC OF MAURITIUS 5555555555555555555555555555555555555555555555555555555555 5555555555555555555555555555555555555555555555555555555555 NATIONAL CYBER SECURITY STRATEGY 2014-2019 The time has come

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

Legislative Council Panel on Information Technology and Broadcasting. Hacking and Virus Activities and Preventive Measures

Legislative Council Panel on Information Technology and Broadcasting. Hacking and Virus Activities and Preventive Measures For discussion on 12 June 2000 Legislative Council Panel on Information Technology and Broadcasting Hacking and Virus Activities and Preventive Measures Purpose This paper briefs Members on the common

More information

ASEAN Regional Forum Cyber Incident Response Workshop Republic of Singapore 6-7 September 2012. Co-Chair s Summary Report

ASEAN Regional Forum Cyber Incident Response Workshop Republic of Singapore 6-7 September 2012. Co-Chair s Summary Report ASEAN Regional Forum Cyber Incident Response Workshop Republic of Singapore 6-7 September 2012 Co-Chair s Summary Report 1. Pursuant to the 18 th ASEAN Regional Forum (ARF) Ministerial meeting in Bali,

More information

Building Blocks of a Cyber Resilience Program. Monika Josi monika.josi@safis.ch

Building Blocks of a Cyber Resilience Program. Monika Josi monika.josi@safis.ch Building Blocks of a Cyber Resilience Program Monika Josi monika.josi@safis.ch About me Chief Security Advisor for Microsoft Europe, Middle East and Africa providing support to Governments and CIIP until

More information

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008 U.S. D EPARTMENT OF H OMELAND S ECURITY 7 Homeland Fiscal Year 2008 HOMELAND SECURITY GRANT PROGRAM ty Grant Program SUPPLEMENTAL RESOURCE: CYBER SECURITY GUIDANCE uidelines and Application Kit (October

More information

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming

More information

For Discussion Paper No. 9/2011 on 3 November 2011 DIGITAL 21 STRATEGY ADVISORY COMMITTEE. Cyber Security

For Discussion Paper No. 9/2011 on 3 November 2011 DIGITAL 21 STRATEGY ADVISORY COMMITTEE. Cyber Security For Discussion Paper No. 9/2011 on 3 November 2011 DIGITAL 21 STRATEGY ADVISORY COMMITTEE Cyber Security Purpose This paper briefs Members on the global cyber security outlook facing governments of some

More information

Cyber Security Threats and Countermeasures

Cyber Security Threats and Countermeasures GBDe 2006 Issue Group Cyber Security Threats and Countermeasures Issue Chair: Buheita Fujiwara, Chairman, Information-technology Promotion Agency (IPA), Japan 1. Overview Cyber security is expanding its

More information

Service Schedule for Business Email Lite powered by Microsoft Office 365

Service Schedule for Business Email Lite powered by Microsoft Office 365 Service Schedule for Business Email Lite powered by Microsoft Office 365 1. SERVICE DESCRIPTION Service Overview 1.1 The Service is a hosted messaging service that delivers the capabilities of Microsoft

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

OECD PROJECT ON CYBER RISK INSURANCE

OECD PROJECT ON CYBER RISK INSURANCE OECD PROJECT ON CYBER RISK INSURANCE Introduction 1. Cyber risks pose a real threat to society and the economy, the recognition of which has been given increasingly wide media coverage in recent years.

More information

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, 2000. CEO EDS Corporation

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, 2000. CEO EDS Corporation GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, 2000 Issue Chair: Issue Sherpa: Dick Brown CEO EDS Corporation Bill Poulos EDS Corporation Tel: (202) 637-6708

More information

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

More information

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004 A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:

More information

Romanian National Computer Security Incident Response Team CERT-RO. dan.tofan@cert-ro.eu http://www.cert-ro.eu

Romanian National Computer Security Incident Response Team CERT-RO. dan.tofan@cert-ro.eu http://www.cert-ro.eu Romanian National Computer Security Incident Response Team CERT-RO dan.tofan@cert-ro.eu http://www.cert-ro.eu About A Digital Agenda for Europe, Pillar : Trust and Security, Action 38 Member States to

More information

UK Networks & Security An Overview. Dr Andrew Powell, ENISA Workshops on CERTs in Europe, 29 May 2008

UK Networks & Security An Overview. Dr Andrew Powell, ENISA Workshops on CERTs in Europe, 29 May 2008 UK Networks & Security An Overview Dr Andrew Powell, ENISA Workshops on CERTs in Europe, 29 May 2008 Objectives The structure of your public communication networks The threat landscape these networks face

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

Executive Overview...4. Importance to Citizens, Businesses and Government...5. Emergency Management and Preparedness...6

Executive Overview...4. Importance to Citizens, Businesses and Government...5. Emergency Management and Preparedness...6 Securing the State Of Michigan Information Technology Resources Table of Contents Executive Overview...4 Importance to Citizens, Businesses and Government...5 Emergency Management and Preparedness...6

More information

E-SECURITY REVIEW 2008 DISCUSSION PAPER FOR PUBLIC CONSULTATION

E-SECURITY REVIEW 2008 DISCUSSION PAPER FOR PUBLIC CONSULTATION 1. Introduction E-SECURITY REVIEW 2008 DISCUSSION PAPER FOR PUBLIC CONSULTATION Australia s national security and economic and social well-being rely upon the use and availability of a range of Information

More information

How To Write An Article On The European Cyberspace Policy And Security Strategy

How To Write An Article On The European Cyberspace Policy And Security Strategy EU Cybersecurity Policy & Legislation ENISA s Contribution Steve Purser Head of Core Operations Oslo 26 May 2015 European Union Agency for Network and Information Security Agenda 01 Introduction to ENISA

More information

An Overview of Cybersecurity and Cybercrime in Taiwan

An Overview of Cybersecurity and Cybercrime in Taiwan An Overview of Cybersecurity and Cybercrime in Taiwan I. Introduction To strengthen Taiwan's capability to deal with information and communication security issues, the National Information and Communication

More information

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist Cyber- Attacks: The New Frontier for Fraudsters Daniel Wanjohi, Technology Security Specialist What is it All about The Cyber Security Agenda ; Protecting computers, networks, programs and data from unintended

More information

Fraud and Abuse Policy

Fraud and Abuse Policy Fraud and Abuse Policy 2015 FRAUD AND ABUSE POLICY 2015 1 Contents 4. Introduction 6. Policy Goal 7. Combatting Customer Fraud and Abuse 8. Reporting Breaches 9. How Alleged Breaches Will Be Investigated

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security

More information

Public Policy Meeting, Legal Issues on Cyber Security in Africa Dakar, Senegal 21-27 November 2009

Public Policy Meeting, Legal Issues on Cyber Security in Africa Dakar, Senegal 21-27 November 2009 Public Policy Meeting, Legal Issues on Cyber Security in Africa Dakar, Senegal 21-27 November 2009 Presenter Adam Mambi,(Advocate of High Court) -Deputy Executive Secretary, Law Reform Commission Tanzania

More information

CRR Supplemental Resource Guide. Volume 5. Incident Management. Version 1.1

CRR Supplemental Resource Guide. Volume 5. Incident Management. Version 1.1 CRR Supplemental Resource Guide Volume 5 Incident Management Version 1.1 Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by Department of Homeland Security

More information

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability, Version 2.0

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability, Version 2.0 Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability, Version 2.0 John Haller Samuel A. Merrell Matthew J. Butkovic Bradford J. Willke April

More information

Information Security Incident Management Guidelines

Information Security Incident Management Guidelines Information Security Incident Management Guidelines INFORMATION TECHNOLOGY SECURITY SERVICES http://safecomputing.umich.edu Version #1.0, June 21, 2006 Copyright 2006 by The Regents of The University of

More information

Establishing and supporting CERTs for Internet security

Establishing and supporting CERTs for Internet security Report on the Activities of the IGF Best Practice Forum (BPF) for: Establishing and supporting CERTs for Internet security Cristine Hoepers, CERT.br/NIC.br Maarten Van Horenbeeck, FIRST Adli Wahid, FIRST

More information

CYBER RISK SECURITY, NETWORK & PRIVACY

CYBER RISK SECURITY, NETWORK & PRIVACY CYBER RISK SECURITY, NETWORK & PRIVACY CYBER SECURITY, NETWORK & PRIVACY In the ever-evolving technological landscape in which we live, our lives are dominated by technology. The development and widespread

More information

Network security policy issues. Ilias Chantzos, Director EMEA & APJ NIS Summer School 2008, Crete, Greece

Network security policy issues. Ilias Chantzos, Director EMEA & APJ NIS Summer School 2008, Crete, Greece Network security policy issues Ilias Chantzos, Director EMEA & APJ NIS Summer School 2008, Crete, Greece 1 Sample Agenda Slide 1 The current threat landscape 2 IT security and policy leadership 3 The EU

More information

Building a Cyber Security Emergency Response Team (CERT) for the NREN Community The case of KENET CERT

Building a Cyber Security Emergency Response Team (CERT) for the NREN Community The case of KENET CERT Building a Cyber Security Emergency Response Team (CERT) for the NREN Community The case of KENET CERT Peter MUIA 1, Meoli KASHORDA 1, Kennedy ASEDA 1, Ronald OSURE 1, Martin NJAU 1 1 Kenya Education Network,

More information

National Cyber Security Strategy of Afghanistan (NCSA)

National Cyber Security Strategy of Afghanistan (NCSA) Islamic Republic of Afghanistan Ministry of Communications and IT National Cyber Security Strategy of Afghanistan (NCSA) Prevention Protection Safety Resiliency AUTHOR VERSION CONTROL DATE ZMARIALAI WAFA

More information

BSA GLOBAL CYBERSECURITY FRAMEWORK

BSA GLOBAL CYBERSECURITY FRAMEWORK 2010 BSA GLOBAL CYBERSECURITY FRAMEWORK BSA GLOBAL CYBERSECURITY FRAMEWORK Over the last 20 years, consumers, businesses and governments 1 around the world have moved online to conduct business, and access

More information

POLICIES TO MITIGATE CYBER RISK

POLICIES TO MITIGATE CYBER RISK POLICIES TO MITIGATE CYBER RISK http://www.tutorialspoint.com/information_security_cyber_law/policies_to_mitigate_cyber_risk.htm Copyright tutorialspoint.com This chapter takes you through the various

More information

CONSULTING IMAGE PLACEHOLDER

CONSULTING IMAGE PLACEHOLDER CONSULTING IMAGE PLACEHOLDER KUDELSKI SECURITY CONSULTING SERVICES CYBERCRIME MACHINE LEARNING ECOSYSTEM & INTRUSION DETECTION: CYBERCRIME OR REALITY? ECOSYSTEM COSTS BENEFITS BIG BOSS Criminal Organization

More information

SRO-EA s Cyber security Initiatives in Eastern Africa

SRO-EA s Cyber security Initiatives in Eastern Africa UNECA Sub Regional Office For Esatern Africa SRO-EA 2010 EAIGF 11-13 August 2010, Kampala, Uganda SRO-EA s Cyber security Initiatives in Eastern Africa Mr Mactar SECK United Nations ECA SRO- EA Key Categories

More information

A Cyber Security Integrator s perspective and approach

A Cyber Security Integrator s perspective and approach A Cyber Security Integrator s perspective and approach Presentation to Saudi Arabian Monetary Agency March 2014 What is a Cyber Integrator? Security system requirements - Finance Building a specific response

More information

MONTENEGRO NATIONAL CYBER SECURITY STRATEGY FOR MONTENEGRO 2013-2017

MONTENEGRO NATIONAL CYBER SECURITY STRATEGY FOR MONTENEGRO 2013-2017 MONTENEGRO NATIONAL CYBER SECURITY STRATEGY FOR MONTENEGRO - Podgorica, July CONTENTS 1. INTRODUCTION... 3 2. DEFINITIONS... 5 3. CYBER SECURITY MANAGEMENT SYSTEM... 8 3.1 METHOD OF MONITORING STARTEGY

More information

CYBERSECURITY BEST PRACTICES FOR SMALL AND MEDIUM PENNSYLVANIA UTILITIES

CYBERSECURITY BEST PRACTICES FOR SMALL AND MEDIUM PENNSYLVANIA UTILITIES CYBERSECURITY BEST PRACTICES FOR SMALL AND MEDIUM PENNSYLVANIA UTILITIES The information provided in this document is presented as a courtesy to be used for informational purposes only. This information

More information

National Cyber Security Strategy 2015-2017

National Cyber Security Strategy 2015-2017 National Cyber Security Strategy 2015-2017 Table of Contents Table of Contents...i Executive Summary... 1 1. Introduction... 2 2. Context - People, Economy, and State... 4 3. Guiding Principles... 10 4.

More information

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 CHAPTER 2016-138 Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 An act relating to information technology security; amending s. 20.61, F.S.; revising the

More information

Breakout Session B: Cyber Security and Cybercrime Trends in Africa

Breakout Session B: Cyber Security and Cybercrime Trends in Africa Breakout Session B: Cyber Security and Cybercrime Trends in Africa Global Forum for Cyber Expertise Awareness Initiative The African Union, Symantec, and the U.S. Department of State committed to develop

More information

Service Schedule for BT Business Lite Web Hosting and Business Email Lite powered by Microsoft Office 365

Service Schedule for BT Business Lite Web Hosting and Business Email Lite powered by Microsoft Office 365 1. SERVICE DESCRIPTION 1.1 The Service enables the Customer to: set up a web site(s); create a sub-domain name associated with the web site; create email addresses. 1.2 The email element of the Service

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

Cyber Security Operations Centre Reveal Their Secrets - Protect Our Own Defence Signals Directorate

Cyber Security Operations Centre Reveal Their Secrets - Protect Our Own Defence Signals Directorate Cyber Security Operations Centre Reveal Their Secrets - Protect Our Own Defence Signals Directorate Contents Message from the Director 3 Cyber Security Operations Centre 5 Cyber Security Strategy 7 Conversation

More information

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information