Behind the scenes and inside workings of a CERT


Brian Honan is the founder and head of Ireland’s first Computer Emergency Response Team (CERT) as well as owner of BH Consulting. In this interview he discusses the inside workings of Ireland’s CERT and how it was formed.

This particular CERT differs from what you can find in most other countries, since it’s not government-backed and relies mainly on the good will of several security professionals.

To the best of your knowledge, why doesn’t Ireland have a government-backed CERT like most other countries?
That is a hard one to answer. As with all countries, the Irish government will state that cyber security is important and has been handled by various intergovernmental departments and committees over the past few years. But in reality I think the ambition has not been met with appropriate actions, which can be demonstrated by Ireland’s failure to ratify the Council of Europe’s Convention on Cybercrime, even though Ireland signed the treaty in 2002. I would also say that other issues, such as ensuring broadband is rolled out throughout the country, have taken precedence over setting up a CERT. Last year the Irish government started the process to develop a cyber-security strategy and we look forward to seeing what is published in that.

How did you come by the idea of being the person to start a CERT? What were the biggest challenges in the planning stage?
I had always felt that not having a CERT was a major weakness in Ireland’s overall security, not only for individual organizations in Ireland to have an independent body to seek advice from but also to enable Ireland to protect any technical innovation generated within the country, to protect our Critical Network Infrastructure and also act as a contact point in Ireland for other CERTs in coordinating response to cyber-attacks. So in 2004 when I started my own consulting business I took it as a personal project to work on getting a CERT established in Ireland. The most recent cybercrime survey carried out in Ireland, by ISSA Ireland and University College Dublin, highlights that 49% of companies surveyed suffered theft of IT assets while 30% were victims of Denial of Service attacks. I believe those figures demonstrate beyond doubt the need for a CERT.

What were the biggest challenges in the planning stage?
The biggest challenges in the planning stage were:

(a) Getting stakeholder buy-in for the project. The majority of people and organisations I spoke to agreed that Ireland needed a CERT but none wanted to take the responsibility to set one up, nor to provide funding to do so.

(b) Learning how CERTs work and the different types of services they offer was also a challenge. By its nature the CERT community tends to be very tight-knit. It took a while to create relationships with various CERTs so that I could learn from them how best to set up a CERT in Ireland.

(c) Marketing the CERT and making people aware of it is also a challenge, especially on a small budget. We do not have the time, money or resources to place ads in magazines or use other traditional methods of promotion. Instead we have engaged with the various stakeholder groups that we met in the planning stages and asked them to promote the CERT to their members. We also use other media such as Twitter, LinkedIn and good old-fashioned word-of-mouth to promote our services.

(d) Finally, funding is probably the biggest challenge I faced and continue to face. Providing services to the community does require initial and on-going investment to ensure the quality of the service can be maintained. Of all the challenges this is the one that is probably the most difficult and important one to overcome. If you are looking to set up a CERT you need to ensure you have adequate funding to provide the various services that your constituency requires, be that at a national, regional or organizational level.

How many people are involved in this CERT and how much time do you dedicate weekly to the project?
I am very lucky in that I have a team consisting of 15 people and made up of some of Ireland’s top information security professionals. They all have their own full time jobs but are able to dedicate some of their spare time to work on IRISS-CERT projects. Some of the team act as incident handlers and are scheduled to provide that service on a rota system, others work on our policies, procedures and administrative tasks, while others work on various projects and research.

I would estimate that I would spend up to a day a week working on various items for IRISS-CERT, be that acting as an incident handler, to liaising with other CERTs, to meeting with stakeholders, to fund raising, to developing our strategy and ensuring that we continue to provide the level of service our members need.

What do you use in terms of equipment? Do you have any sponsors?
Our main platform is the WARP platform (Warning, Advice and Reporting Point) which was developed by the United Kingdom’s Centre for the Protection of National Infrastructure. The WARP concept was developed to provide a community focused method for sharing information security issues, advice and best practices amongst a likeminded community. The WARP system is an excellent system that provides the ability to share information, issue alerts and vulnerability warnings. I took the concept and expanded it to enable me to set up the services offered by IRISS-CERT very quickly, reduce the amount of administration overhead required for the CERT and to achieve all this very cost effectively.

However, without our sponsors IRISS-CERT would not have been set up and nor could it continue to offer our services. I am very grateful to sponsors such as the SANS Institute, The IEDR, NetWitness Corporation and Syngress. There are a number of organizations such as ENISA, the WARP Programme, CERT/CC and various members of TF-CSIRT who have also provided us with great support with items such as reference material, mentoring and advice. Thanks to those sponsors we are also able to provide our services to our constituency for free.

Has there been any reaction from the government and the corporate sector after you started working?
The reaction in general has been very positive. I think many people did not know what to expect from IRISS-CERT and may have seen us as some sort of threat, but over time we have proven that we are a vendor neutral, independent and trusted resource for information security. There has been no official reaction from the Irish government regarding IRISS-CERT and it will be interesting to see what role a CERT, be that IRISS-CERT or otherwise, will play within the cyber-security strategy that is being developed.

What are your strengths and your weaknesses? What areas need improving and where are the most significant problems?
Our main strengths are the fact that we are now well established within the CERT community and can leverage those relationships to provide high quality services to our constituency. Recently IRISS-CERT has been accredited as part of the Trusted Introducer Framework. This framework validates the effectiveness of each subscribing CERT and ensures that it meets the necessary requirements to be considered a CERT. This accreditation demonstrates the hard work and professionalism of the team at IRISS-CERT. The other strengths would be that we are vendor neutral and independent and have a strong team made up of some of Ireland’s top information security professionals.

Our weaknesses would be that we are not yet a dedicated full time service. While we are able to cope with the demands on the service as they currently stand, as the demand grows and more people and organizations use our services we will have to move into a full time model. I plan to eventually address that by raising enough funding to provide a full-time dedicated service to our constituency.

As we have no mandate from the Irish government we rely heavily on the cooperation of the various providers and ISPs within Ireland to assist us in dealing with various types of issues. While most are very cooperative and take the security of their systems and clients seriously, there is a small number who do not respond appropriately. Hopefully over time we can persuade and work with all providers to ensure issues are dealt with effectively.

What are your plans for the rest of the year?
Later this year we are hosting our annual conference. This will be held in Dublin on the 18th of November and promises to be a great event. Last year was the first year we hosted the conference and it was a resounding success; this year we plan to build on that success and make it Ireland’s premier information security conference. We have a great line-up of speakers and with the help of our sponsors we have been able to improve the conference. Thanks to our sponsors we are able to make the conference available free of charge to those who wish to attend.

In parallel to the conference, IRISS-CERT will also host Ireland’s Cyber Security Challenge, HackEire, to identify Ireland’s top cyber security experts who will compete against each other in a controlled environment to see who will be the first to exploit weaknesses in a number of systems and declare victory. Having achieved accreditation this year to the TF-CSIRT our goal is now to become members of FIRST, which will also enable us to improve the quality of the service we provide to our constituents.

Finally, and definitely not least, our goal is to continue to provide an excellent service to our constituents and to make the Irish internet space that little bit safer for everyone.