The National Computer Board organized a Cyber Security Conference on Friday 28th November 2014. It was also part of the yearly Infotech event. I was rather keen to attend the conference, however after looking at the programme, I decided to show up only for the talk by CERT-MU. That way it would require me just an hour of lunch break.

I reached SVICC exactly at 11h30 and rushed towards the conference room. I was greeted by a charming lady, who showed me where the event was happening & I settled for a seat. Luckily, the talk hadn't started yet. The host was still introducing the next speaker, who was none other than the officer-in-charge of CERT-MU.

The title of his presentation was « An Enhanced Framework for Incident Handling » and somehow that's what triggered my interest. The year 2014 has been rocked by several major vulnerabilities announced and we had our share of local incidents. On my end, I reported a few through the two email addresses as published on the CERT-MU website. They were never acknowledged and I remained baffled if my emails were ever read. So, this presentation was an opportunity for me to see how incidents are handled at CERT-MU.

According to the programme the talk should be around 30 mins. I therefore thought it would be very specific.

However, the presentation took rounds about explaining the rise of cyber threats around the world. The slide didn't elaborate on any of the local reported incidents.

[Photo: cybersec-2014]

Sorry for the photo quality. It's the best I could get with my mobile.

After taking the picture I was looking for a WiFi connection to Tweet the same but I stumbled on an FBI Surveillance Caravan that maybe was monitoring what is being discussed at the Cyber Security Conference ^^,

[Image: fbi-surveillance-mauritius]

I was patiently waiting to learn about the incident handling framework of CERT-MU. By the end of the prez the speaker explained about ITIL, NIST models etc. By then I was also fed up. I wasn't there to learn academic stuff; it wasn't a lecture class anyway. I apply PDCA models in my job every day, I wouldn't spend 30 mins of my time sitting and listening to a theory. I was still waiting for something real concrete, some innovative & tested model of incident handling by CERT-MU on which I could build something; maybe using CERT-MU's model as a template.

I stood up & was about to leave the room but a friend stopped me. He said the talk is about to finish, better wait for it. Well, so did I. Right after that, the host announced there will be a Q&A session for a panel of three speakers (two who presented earlier).

I grabbed this moment to learn more, so I shot the first question. Aww! I first thanked the National Computer Board for organizing the event, apologized to other speakers for not attending earlier and I addressed my questions (I had two) towards the officer-in-charge of CERT-MU.

My first question was how does CERT-MU currently handle incident reports? In one of the slides, the speaker had a flowchart of incident identification, root cause analysis etc. So, I elaborated the question as to how does CERT-MU identify an incident.

In response I was expecting that I would be told of the "real handling" process. As to what happens when someone reports an incident or vulnerability via email. Also I was expecting to hear about "incident detection" through live monitoring of applications (for Government e-services). The answer was nothing as such but rather a praise that the "current framework" has been reviewed and follows international standards. It was also said that the "framework" received good feedback and they have an online reporting tool that works effectively. The last time I tried the online reporting tool[1], it's nothing more than just an electronic PDF which does not work on Linux machines. I could not use it. Definitely, I would not call this an effective tool. I thus wonder which international body tested & verified this as an effective tool. There are many other flaws I can pen down right here regarding the tool but I would first expect CERT-MU to be more collaborative & attentive to people.

My second question was that the slides mentioned cyber-threats & incidents around the world but they did not refer to cyber-threats or incidents specific to Mauritius. No local incidents were mentioned. I then asked, should we assume that Mauritius did not encounter any Cyber-security incident in 2014?

I did not receive an answer to this one.

Someone from the Mauritius Oceanography Institute[2] asked a question regarding support from CERT-MU and other related bodies in order to handle security incidents within their organization. I could not grasp the answer very well. It was like yes, they can expect support but there was some reluctance.

There was also a fellow from the Mauritius Internet Users (MIU) group who asked about what is being done to promote collaboration between various stakeholders when it comes to cyber security. He asked about incentives to report security incidents and informed that there was a report of vulnerability on the website of the previously mentioned organization (i.e. Mauritius Oceanography Institute).

I expected that upon hearing the word "vulnerability" CERT-MU officers would be keen to talk & address the issue. However, nothing as such happened. In fact, after the talk even when the MIU fellow asked the officer-in-charge if he had 5 mins, the latter rushed saying "later".


[1] CERT-MU, Vulnerability Reporting

[2] As per Government Web Portal migration, the new address should be moi.govmu.org but it fails and rather the website still loads at moi.gov.mu.