CSIRT: A ROUTE TO COMBATING AFRICA'S POSITION AS ONE OF THE WORLD'S CYBER-BADLANDS

Top Story

Rightly or wrongly, Africa has gained a reputation as one of the cyber-badlands of the world. Ironically for a continent that has seemed to lag so far behind the rest of the world technologically, it may be forever associated in people's minds with fraudulent e-mails offering untold riches. Hackers know that what should be secure systems are all too often insecure: witness the cyber break-ins at various South African banks. System crashes resulting from insecure networks, including at some major telcos, are rumored but hard to prove. Despite all of this, last month's Annual Conference on Computer Security Incident Handling had only one African representative, and the continent still has no Computer Security Incident Response Teams. David Crochemore explains what such teams do and how they might help the continent.

The 16th Annual Conference on Computer Security Incident Handling took place in Budapest (Hungary) last month. For one week, over 300 attendees from almost 40 countries shared their experiences and expertise in security, incident response, forensics, network analysis and related areas. The conference is a major event for the world's CSIRTs (Computer Security Incident Response Teams) and is organized by the Forum of Incident Response and Security Teams (FIRST).

Unfortunately, this year as on previous occasions, attendees from Africa were under-represented: only one person made it. Worse still, Africa has no official and recognized point of contact, in any country, that an ISP or a company can turn to in case of a security incident. No CSIRT has yet been set up and made operational on the continent.

So what are CSIRTs and what do they do? According to RFC 2350, "A Computer Security Incident Response Team (CSIRT) is a team that coordinates and supports the response to security incidents that involve sites within a defined constituency."

The same RFC sets out what a team must do in order to be considered a CSIRT:
- provide a (secure) channel for receiving reports about suspected incidents.
- provide assistance to members of its constituency in handling these incidents.
- disseminate incident-related information to its constituency and to other involved parties.

In addition to these mandatory services, a CSIRT may provide services such as training, risk analysis, security audits, post-mortem analysis and many others designed to support secure networks.

Beyond these services, the main role of a CSIRT is to create trust links between itself and its constituency on the one hand, and between itself and other CSIRTs on the other. The constituency of a CSIRT may be defined in several ways: the customers of a company, its employees, the users of a network, the students of a university, the inhabitants of a country or the civil servants of a public organisation.

Today there are hundreds of CSIRTs in North America and Europe, dozens in Asia-Pacific and Latin America and several in the Middle East, but none in Africa.

As networks and information systems develop across Africa, the continent needs to develop CSIRTs. Unless it does so, information systems in Africa will remain an attractive target for attackers worldwide, who will know they can use and abuse them with little risk of being detected and shut out.

Those attackers compromise information systems in Africa not only to steal information, but also to use these systems as relays for sending spam, as bases for launching denial-of-service attacks, as places to store illegal data, as sources for spreading worms and viruses, or simply for the fun of defacing web pages.

Governments and ISPs in Africa should therefore be aware that they need security policies for their networks and information systems. These policies should include the establishment of CSIRTs, and those CSIRTs should join the global network of security and incident response professionals within the Forum of Incident Response and Security Teams, in order to share information, expertise and techniques, and to build trust with other teams.

To set up a CSIRT, whether in a company or as a public service, you need only one full-time employee at the beginning, with a telephone and a computer with an Internet connection. The most important points are to define the constituency, to provide a point of contact in case of emergency, to advertise this point of contact within the constituency and to communicate with the other CSIRTs in the world.

References

IETF Request for Comments 2350, Expectations for Computer Security Incident Response

Useful Documents

Handbook for Computer Security Incident Response Teams (CSIRTs), CMU/SEI-98-HB-001: http://www.sei.cmu.edu/pub/documents/98.reports/pdf/98hb001.pdf

Useful Web Sites

http://www.first.org