With the significant increase in computer security incidents that have social, economic and political implications, most African countries are considering various mechanisms to minimise and mitigate the impact of incidents, including setting up or improving the coordination teams responsible for incident handling and response.
Figure: Interactive map of some major cyberattacks with political backgrounds and consequences (Source: DiploFoundation)
Case study: Cybersecurity Incidents in Africa during the COVID-19 Pandemic
Interpol’s African Cyberthreat Assessment Report, October 2021, identified that the most prominent threats in the region were online scams, digital extortion, business email compromise (BEC), ransomware, and botnets.
Experts in Kenya maintained that COVID-19 has triggered ‘an epidemic of cybercrimes,’ with a 37.3 per cent increase in cyberattacks in the period between April and June 2021, compared to January and March 2021.
Cyberattacks, including phishing, malware distribution, and attacks exploiting remote-working vulnerabilities, have seen a substantial increase, as reported in the Africa Cybersecurity Report – Kenya, 2019/2020. The remote-working vulnerabilities include exposed remote access, risks associated with reduced monitoring, and exploitation of newly deployed teleworking infrastructure.
There are various types of teams that monitor, warn, coordinate response and recovery efforts, and facilitate collaboration on cybersecurity issues between government entities, individual organisations, manufacturers, the service and utility sectors, academia and the international community.
These teams are referred to with acronyms that include Computer Emergency Response Team (CERT), Computer Security Incident Response Team (CSIRT), Incident Response Team (IRT), Computer Incident Response Team (CIRT), Security Emergency Response Team (SERT), Security Operations Centre (SOC), National Computer Security Center (NCSC), Information Sharing and Analysis Center (ISAC) and more recently Cyber Defence Centres (CDC).
Subject to the mandate and the type of constituency, African stakeholders may use any of these terms to refer to the team managing cybersecurity incidents. National CSIRTs, for example, are often named using the CSIRT/CIRT/CERT abbreviation, for example CERT-MU or EG-CERT. Teams serving a sector include a shortened form of the sector name and the two-letter country code, for example EG-FinCIRT. If the team provides services to a single company or organisation, its name (or a shortened version of it) is included, for example Siemens CSIRT. The term CSIRT is normally used to refer to a CIRT, CERT or SIRT; an organisation using this term must provide an incident handling (response) service. A SOC refers to a team that monitors operations for the security of networks and data centres. It is important to note that CERT is a worldwide registered trademark of the CERT Coordination Center (CERT/CC), which falls under the Software Engineering Institute (SEI) of Carnegie Mellon University (CMU) in the USA. Organisations that wish to use “CERT” in their team name must contact SEI-CMU to request permission (this policy may be amended in the future).
Resource – Definitions
Request for Comments (RFC) 2350 defines a CSIRT as a team that coordinates and supports the response to security incidents that involve sites within a defined constituency. In order to be considered a CSIRT, a team must provide a (secure) channel for receiving reports about suspected incidents.
The Forum for Incident Response Teams (FIRST) defines a Computer Security Incident Response Team (CSIRT) as “an organisational unit (which may be virtual) or a capability that provides services and support to a defined constituency for preventing, detecting, handling, and responding to computer security incidents, in accordance with its mission”. The specific set of individuals and/or organisations with common characteristics to which a CSIRT provides services is known as its constituency.
The International Telecommunications Union ITU-T Recommendation X.1060 defines a cyber defence centre (CDC) as an entity within an organisation that offers security services to manage the cybersecurity risks of its business activities.
The SEI-CMU defines a Computer Security Incident Response Team (CSIRT) as a service organisation that is responsible for receiving, reviewing, and responding to computer security incident reports and activity. Its services are offered to a defined constituency.
FIRST defines an Information Sharing and Analysis Center (ISAC) as a cooperation platform for security teams in the same sector or with a shared goal, which can offer many of the services a CSIRT can offer, but does not do incident handling.
A Security Operations Center (SOC) provides centralised real-time monitoring of an organisation’s networks and systems, together with coordinated incident response and handling.