Episode 88: Malware Free Europe?
Amrit Williams, BigFix CTO, discusses information security education and response with Ireland’s own Brian Honan of The Irish Reporting and Information Security Service.
TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I’m joined by Brian Honan, an independent security consultant in Dublin, Ireland. And Brian is also one of the members who helped found and create and maintain and get the word out about Ireland’s CSIRT Program, the Irish Reporting and Information Security Service.
Brian, thanks for joining me today. I really appreciate your time.
Before we get into some of the other aspects of your background, I am actually quite interested, and I am sure the audience is as well, in how different countries deal with security response. And so if you don’t mind, I’d like to basically start with IRISS, and when it was founded, how it was created and, you know, just a little bit about your experience with it.
Brian Honan: Sure. Well, firstly, thanks for having me on board; it’s great to have the opportunity to talk to you and your audience about this project.
IRISS had been a love child of mine for many years. I started my own company, BH Consulting, as an independent consulting firm back in 2004. And when I started working for myself, I saw this as an opportunity to try and give something back to the community.
One thing that had bothered me for many years previous to that was that Ireland is one of the very few countries I could see within the Western Hemisphere and the developed world that did not actually have a dedicated Computer Emergency Response Team to help out companies or businesses, organizations or even citizens, should they become victims of a cyber attack.
So in 2004 I decided like now that I am working for myself, I can take time and try and get something up. So I took the approach I went and I talked to the Irish Government to the department responsible for Internet security within Ireland — that’s the Department of Communications — and approached them and said, “Hey, guys, you know, we don’t have a CERT. Should we have one?” and the response back then was “Well, we are not sure if we need one or not; nobody who has made a great demand, and we don’t want to create a Field of Dreams and nobody comes type scenario. But if it can be demonstrated there is a demand or a need for it, we will definitely look into it in more detail”.
So I spent the next year going around talking to various different bodies with Ireland; so be they the police, the defense, 2:27 of all shapes and all sizes within Ireland from small sector to medium sector up to large enterprises and Government agencies, talking to the groups in Ireland that would have a good Internet security community because of the 2:44 thing, et cetera, et cetera. And touching base with their members and getting their feedback as to what Ireland should or shouldn’t have from CERT.
And the overall response was, “Yes, Ireland does need a CERT”, and people did see Ireland potentially being on a disadvantage both economically and, you know, there is a 3:09 et cetera, intellectual property, et cetera. And what are the CERTs in place; there was no independent body that could coordinate any response to that.
So with that we went to the government, presented our findings, intelligence, on the need for a CERT, and the response was relatively positive. We talked a bit further, and that was further enhanced then by the attacks against Estonia whereby the whole country was taken offline by Russian 3:37 protesting against Estonia taking the statue of a Russian soldier off of the main street in the capital city. And that demonstrated I think to a lot of nations how fragile putting the network infrastructure and how fragile the Internet is and what happens when it’s not there, like Estonia being very focused on trying to 4:00 et cetera, it was a good poster child about what it could be like. It’s probably not a good thing for this kind Estonia has, but it was a good example of how effective a country attack could be on a nation’s base.
And that obviously gained a lot of attention in Europe and in Ireland, and there was renewed interest from the Government in it. But then other things overtook it, a change in Government, the recession started to hit, and I figured as these things are progressing, we are at a very, very slow pace; we were now in the early year of 2008, and I decided, okay. It waits for funding and all the attempts to align pockets of the Government and get this up and running. We could be waiting a while longer. So in the interim I said, you know, let’s set something up that we can provide some services to the community here in Ireland.
(00:05:06)
So with that, I founded Ireland C-CERT, a 5:09 company, and we have been operating since November 2008. We are providing our services free to all companies operating within Ireland, so all organizations. And the services provided are predominantly alerting, warning and coordination services for attacks, and it’s been very successful so far. We have over 300 companies subscribing to our service, and the response we have had from everybody has been very, very positive.
Amrit Williams: So I don’t know if a lot of people know this; but Ireland actually does a lot of outsourcing. There is a lot of tech companies that have centers either for quality assurance or development throughout Ireland, including companies like Microsoft, I know McAfee just announced something and Quark.
What did they do previously? I mean, I know Microsoft has had a development center in Ireland, I think, for at least a decade. Did they… if they had an incident — I don’t know if you know this — but even if it’s a hypothetical, what would a company do prior to the founding of C-CERT? Who would they contact? How would they coordinate some type of either forensic informations or understanding more about the incidents so that they can respond?
Brian Honan: Well, I suppose certain companies like Microsoft are the big multinationals that we do have here, and as I said, there are quite a few: we have IBM, we have Symantec, we have McAfee, Trend Micro, Apple, Hewlett Packard, Intel; you know, the list is quite long of the big, large multinationals here. Well, they would have quite capable internal CSIRT capabilities, which I am sure they would be able to use themselves and would cooperate with other CERTs of law enforcement in the jurisdiction they would need to.
I felt that, you know, those large organizations can survive a 06:54 to a certain extent; but the smaller organizations, you know, medium-sized companies or SMEs, didn’t have anybody to turn to. And in a lot of cases, if they suffered an attack or they had an incident if they knew about it, their response predominantly would have been maybe just to hire in a consultant or get their own internal to get things back online. They wouldn’t have had any capabilities to contact a CERT in another country to stop an attack from happening. So the main market we were aiming were the medium and smaller companies anyway.
Amrit Williams: Right. And the value of including these large multinationals is not so much to assist them, which I am sure you can do, but the value of this is an aggregation point of information to share with others. Also the ability to notice certain types of trends, so that others can respond to it quickly.
Prior to the creation of IRISS, what did companies do? I mean, where would they get their information? What CERT programs would they affiliate themselves with, or was it just largely based on who they knew or what they were comfortable with? Was there a standard method that they would use, or did they look to the U.S., the UK?
Brian Honan: Yeah, predominantly a lot of companies, you know, when I was doing my research and putting the business case together for IRISS, a good deal of surveys amongst people, and one question I did was: where do you currently get your CERT capabilities from? And a lot of the people were using CERT/CC or US-CERTs to get a lot of their information from. But that predominantly would be warnings of, you know, vulnerabilities or alerts; there wouldn’t be any service within Ireland to give any localized or focused information on what’s happening within the Irish area, and we have been able to do that now with IRISS. We have been able to alert certain sectors of the community against attacks that we have been notified about or we have noticed happening and get the word out to that sector quickly to have them improve their defenses or at least be aware of what could be coming through their pipes.
So previous to that start, they would have been looking towards CERT/CC or they would be subscribing to self-executing 9:17 tracker or other maintenance to try to get some heads-up on what’s happening.
Amrit Williams: You know, there is so much here to talk about, Brian; I want to get into a couple of areas. I want to talk a little bit about how one might go about supporting, enabling or better moving the maturity models for CSIRT programs around the world. I want to talk a little bit about coordination with other CERT programs internationally.
But before I do, one of the things we were talking about prior to the podcast was this concept of sometimes electronic crime is seen as a victimless crime. And I am curious if you’re seeing any of those perceptions change as you’ve gone through the process of creating the C-CERT program there in Ireland, either from the Government side or the commercial side, or are we still dealing with a lot of folks struggling with the concept of electronic crime actually having victims associated with it?
Brian Honan: I think the perception of having victims of electronic crime is changing. It is changing slowly. I think what has been happening is that, you know, people are becoming more aware of electronic crime because of various types of phishing attacks or the consumer, for example, is now more — you know, they’ve all having seen Spam, they’ve all had phishing emails. Some have become victims of phishing emails. Newspapers are reporting cybercrime issues a lot more than they did or they would in the past. But I still think, you know, we still have this, you know, perception that if I get mugged in the street and £2,000 is taken out of my pockets, that’s a more serious crime than if somebody electronically gets into my laptop and takes £2,000 out of my credit card or my bank account. And this would be the example we were talking about before the podcast, Amrit, was, you know, a physical attack against somebody is seen more seriously in the courts, if it gets to court, than electronic crime.
And, you know, over time I think it is changing. I still think companies still have a way to go before they realize the threats that are facing them and the potential that cybercrime and the damage that cybercrime could cause their business, be that money taken out of their bank accounts or leaving a 11:37 on the networks which could be used by other people or for their websites to be compromised to whole phishing sites or malware or 11:46 be stolen out of their company, and this 11:53 compared in the streets and stuff.
Amrit Williams: Well, that’s interesting. You mentioned to me the UK actually, I think you mentioned they had a law amended that if there was some type of electronic crime that they needed to contact the bank; there really is no service available for somebody that is experiencing that, especially if they are a consumer, regardless of the amount.
And it is not radically different here in the United States. I don’t think people know how to call or what to do if they have experienced even a significant amount of loss to electronic crime, which is very different in the physical world. Like you mentioned, you have 20 bucks stolen from you on the street of any major U.S. city, and cops will be there quickly — well, not in all major cities, but in some of them.
But, you know, you have thousands or tens of thousands of dollars stolen electronically, and I think the vast majority of people, probably 90% of the world’s population, have no idea what to do.
Brian Honan: I think we have to look at the problem from inside where it’s not just somebody, the victim’s point of view. I do think a lot of police forces need to be educated well of the seriousness of the crime and that, you know, if somebody rings a police station, they say “I’ve been a victim of a phishing attack, all my bank accounts have been raided”, that the police officer that takes that report knows what to do and who to report within the organization the crime to.
Like I found out here in Ireland talking to different companies, they don’t know 13:17 if they ring up their local police station that the police officer on the phone won’t know how to call the crime and report it, and I think that’s kind of the change we have to face as well is police forces need to be better educated in how they engage with the community when it comes to electronic crime.
Amrit Williams: Yeah, and it’s interesting too because in the physical world you’re geographically bounded, right? I mean, you can assign someone in the city of X to take care of a care that happens in the neighborhood of Y. That’s very, very different in the electronic world, because you could be attacked from, you know, anywhere in the world. I mean, you could be sitting in the U.S. attacked from Estonia, or you could be sitting in Ireland attacked from the Ukraine or China and Korea; who knows?
And I think it makes it very difficult, but this is definitely one area where education needs to ring true, and I wonder what is the role that the C-CERT Programs can play in driving better education, especially in the Government and in the commercial.
And let me just give you a quick example. I know when I was over in the UK, one of the things I was noticing with how the UK Government is looking at, you know, cyber attacks — and forgive me for using the word “cyber”, but it’s the best descriptor here.
We have the same problem in the U.S. You know, if you look at, you know, cybercrime, you know, you look at what people are calling cyber warfare — which, you know, I’m not going to get into here nor there statistics of it — or if you look at cyber espionage that as soon as you put the electronic or cyber or digital precursor to it, everyone wants to lump it into one type of thing, which doesn’t happen in the physical world, and I noticed, you know, the same experience when I was over in Europe similar responses. They weren’t really sure how to educate, designate and delineate between these three very different types of things. Organized crime trying to steal money for financial gain is extremely different than a state-sponsored espionage or even state-sponsored cyber attacks.
So my question to you really is around two things. One is how do you see the role of C-CERT in helping to drive better education; and, two, do you see the education being understands throughout your experience there in Europe?
Brian Honan: I think from the first question there as to how can C-CERT help on the education side of things, I think there’s two ways they can do that. One is simply by raising awareness of writing timely advice to people and to organizations when there is an attack or a 15:53 that they see on the horizon, and that may not just be putting an alert there on your RSS feed or on your email subscriptions. You, you know, engage with the press. Educate the press, give them heads-up on what types of attacks and, you know, let the papers try and educate the masses that way as well.
I think the second thing we could do is what we are trying to do with ours as well is really hold an annual cybercrime conference and try and get experts in the field to talk to our constituency about cybercrime and the risks that are there and how to counter those risks and how to deal with those risks, and that has been very well received by our constituents because all our services that we provide, we provide for the CERT; so, you know, you can’t better value for that than using our service and coming to our conferences. So, you know, people have found them to be very, very useful.
And I think that’s the way C-CERTs can help is by engaging more and more with the community, and that’s reaching out not just by the normal channels, you know, such as email and RSS feed, et cetera. Also using by using press and the opportunities, seminars, et cetera, to speak as well.
Amrit Williams: Brian, I really appreciate you joining me today. If folks want to interact with you, get some more information, reach out to you, do you have a place they can do that? Are you willing to talk to folks if they’ve got some more questions?
Brian Honan: Yeah, well, my email is Brian.Honan@bhconsulting.ie. If you want to see how it’s www.iriss.ie. And I’m also on Twitter, so if you want to listen to me rant and rave electronically, my Twitter handle is @brianhonan.
Amrit Williams: And that’s B-R-I-A-N, H-O-N-A-N.
Brian Honan: That’s correct, yeah.
Amrit Williams: Brian, a fabulous conversation. I really appreciate you taking time today and hope to have you back on soon. Thanks a lot.
Announcer: You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening!


