State of the Practice of Computer Security Incident Response Teams ...

More documents

Recommendations

Info

e. __ answering hotline/help desk calls f. __ monitoring intrusion detection systems g. __ monitoring network and system logs such as firewalls, routers, mail servers, etc. h. __ monitoring public security information sites and mailing lists i. __ publishing advisories and alerts j. __ publishing technical documents k. __ penetration testing of constituent systems l. __ vulnerability scanning of constituent systems and networks m. __ vulnerability assessments of constituent systems and networks n. __ security policy development o. __ developing security product (creating your own patches, incident response or security tools) p. __ administering security configurations for constituent systems q. __ constituency training or security awareness r. __ computer forensics evidence collection s. __ tracking and tracing intruders t. __ pursuing legal or law enforcement investigations 20. How do you record and track incident information? (Check all that apply.) a. __ Paper log book or forms b. __ Database c. __ Other: ___________________________________________________________ 21. If you use a database, what type of product does your CSIRT use? a. __ Off-the-shelf database. Product: _______________________________________ b. __ CSIRT created or customized database 146 CMU/SEI-2003-TR-001
22. Do you provide incident reporting guidelines in hardcopy or electronic form to your constituency? a. Yes ____ b. No ____ 23. How do you receive incident reports? (Check all that apply.) a. __ Phone b. __ Email c. __ Paper Incident Reporting Form d. __ Web Incident Reporting Form e. __ Intrusion Detection Systems f. __ Walk-in g. __ Other: ___________________________________________________________ 24. How does your CSIRT provide incident response? (Check all that apply.) a. __ Provide recommendations and guidelines only via phone or email b. __ Repair and recover affected systems and networks c. __ Develop and distribute technical documents and alerts d. __ We do not provide a response; we pass incidents to another area to be handled To whom are they passed? ________________________________________ e. __ Other: ________________________________________________________ 25. If you have a CSIRT hotline or help desk, who answers the phone? During Business Hours After Hours a. ______ ____ CSIRT staff b. ______ ____ IT help desk staff c. ______ ____ Message center d. ______ ____ Other: _________________________________________ CMU/SEI-2003-TR-001 147
Page 1:
State of the Practice of Computer S
Page 4 and 5:
This report was prepared for the SE
Page 6 and 7:
3.1.3 Total Registered CSIRTs......
Page 8 and 9:
iv CMU/SEI-2003-TR-001
Page 10 and 11:
vi CMU/SEI-2003-TR-001
Page 12 and 13:
viii CMU/SEI-2003-TR-001
Page 14 and 15:
x CMU/SEI-2003-TR-001
Page 16 and 17:
This document provides a view of th
Page 18 and 19:
• Katherine Fithen for her contin
Page 20 and 21:
xvi CMU/SEI-2003-TR-001
Page 22 and 23:
Although CSIRTs have been in existe
Page 24 and 25:
ased on a sampling of CSIRTs done v
Page 26 and 27:
future growth. It can also be used
Page 28 and 29:
The participating CSIRTs also repre
Page 30 and 31:
10 CMU/SEI-2003-TR-001
Page 32 and 33:
ole. This may include providing sec
Page 34 and 35:
• Incident response is the action
Page 36 and 37:
Model Coordinating CSIRT Descriptio
Page 38 and 39:
After the worm had been successfull
Page 40 and 41:
2.3.2 The Creation of FIRST In Augu
Page 42 and 43:
Up until this point, only one or tw
Page 44 and 45:
the other teams. Again, the communi
Page 46 and 47:
into a course for new incident hand
Page 48 and 49:
These early teams have become leade
Page 50 and 51:
2.3.5 Initiatives in Latin America
Page 52 and 53:
stituency is the research network a
Page 54 and 55:
In September 2003, the U.S. Departm
Page 56 and 57:
36 CMU/SEI-2003-TR-001
Page 58 and 59:
• There is not one entity for reg
Page 60 and 61:
Table 4 combines the total number o
Page 62 and 63:
In looking at the growth of teams e
Page 64 and 65:
Table 6: North American and Europea
Page 66 and 67:
3.1.5 Other Trends Other trends we
Page 68 and 69:
Figure 10: Example of Team Sponsors
Page 70 and 71:
service providers, or nation states
Page 72 and 73:
their web pages. This may also be t
Page 74 and 75:
A CSIRT, due to its position, may a
Page 76 and 77:
Malaysia Computer Emergency Respons
Page 78 and 79:
data collection, the use of analysi
Page 80 and 81:
Dittrich goes on to say that a big
Page 82 and 83:
• insider abuse of internal compu
Page 84 and 85:
Making the case to management to ga
Page 86 and 87:
• Security quality management ser
Page 88 and 89:
• perform artifact analysis (66%)
Page 90 and 91:
• Distributed dedicated CSIRTs: 1
Page 92 and 93:
Not surprisingly, in the majority o
Page 94 and 95:
tended team is formed by temporaril
Page 96 and 97:
• audit and risk management speci
Page 98 and 99:
As the field of incident handling a
Page 100 and 101:
promote “higher education in info
Page 102 and 103:
3.7.1 Defining Computer Security In
Page 104 and 105:
3.7.1.1 Security Incident Taxonomy
Page 106 and 107:
• identifying the staff and neces
Page 108 and 109:
Other flow diagrams and charts have
Page 110 and 111:
• Rule #1: Don’t Panic! • Rul
Page 112 and 113:
3.7.5.1 Data Fields Many CSIRTs hav
Page 114 and 115:
formats for exchanging incident dat
Page 116 and 117: Level/Priority Low Type of Incident
Page 118 and 119: priority), yellow (cautionary alert
Page 120 and 121: way, the combined and coordination
Page 122 and 123: Whoever does this work must not onl
Page 124 and 125: • staff misuse of company system
Page 126 and 127: Effective teams will have a plan in
Page 128 and 129: • 83% of the education CSIRTs sha
Page 130 and 131: Figure 14: Attack Sophistication Ve
Page 132 and 133: service managers or customers. Such
Page 134 and 135: As the volume of incident and vulne
Page 136 and 137: enabling better cooperation and ass
Page 138 and 139: 3.9.2 United States Cyber Crime Law
Page 140 and 141: 3.10.1.2 Trusted Introducer for CSI
Page 142 and 143: 3.10.1.5 Asia Pacific Computer Emer
Page 144 and 145: For more information see: http://ce
Page 146 and 147: 3.10.3.3 Distributed Intrusion Dete
Page 148 and 149: 3.10.5 Research CSIRTs and security
Page 150 and 151: 3.12 Resources 3.12.1 Case Study Ex
Page 152 and 153: 132 CMU/SEI-2003-TR-001
Page 154 and 155: standards for incident handling met
Page 156 and 157: • management support and trust fr
Page 158 and 159: We are seeking opportunities to col
Page 162 and 163: 3. If yes, who is that constituency
Page 164 and 165: . __ Distributed dedicated team (te
Page 168 and 169: 26. What are your business hours? _
Page 170 and 171: e. __ Audit or Risk Management Depa
Page 172 and 173: Type and Title of Publication Autho
Page 174 and 175: Type and Title of Publication Autho
Page 178 and 179: Seminars include Intrusion Detectio
Page 180 and 181: TRANSITS Training Workshop http://w
Page 182 and 183: Certification Organizations Current
Page 186 and 187: Article 10 - Offences related to in
Page 188 and 189: accessing legal implications coordi
Page 190 and 191: http://thomas.loc.gov/ Bills, Publi
Page 192 and 193: 18 U.S.C. § 1832 - Theft of trade
Page 194 and 195: http://frwebgate.access.gpo.gov/cgi
Page 196 and 197: SecurityFocus Online - Library Comp
Page 198 and 199: U.S. House of Representatives - Off
Page 200 and 201: CERT Coordination Center The CERT/C
Page 202 and 203: CIO/FBI/USSS These are the CIO Cybe
Page 204 and 205: CIO CYBERTHREAT RESPONSE & REPORTIN
Page 206 and 207: asic information that is included i
Page 208 and 209: Department of Justice Computer Crim
Page 210 and 211: FBI & USSS FIELD OFFICES TELEPHONE/
Page 212 and 213: FBI & USSS FIELD OFFICES TELEPHONE/
Page 214 and 215: CONTRIBUTORS INDUSTRY Peter Allor M
Page 228 and 229:
Nebraska Information Technology Com
Page 230 and 231:
Page 232 and 233:
Page 234 and 235:
Page 237 and 238:
COMPUTER INCIDENT REPORTING SHORT F
Page 239 and 240:
3. Has your agency experienced this
Page 241 and 242:
a. System(s) disconnected from the
Page 243 and 244:
6. (Optional) Updates to policies a
Page 245 and 246:
COMPUTER SECURITY INCIDENT HANDLING
Page 247 and 248:
Page 249 and 250:
Page 251 and 252:
Page 253:
Steele The Information Assurance Te
Page 256 and 257:
Network Incident Report United Stat
Page 258 and 259:
Details for Probes and Scans Appare
Page 260 and 261:
Details for Unauthorized Access (co
Page 262:
Van Wyk and Forno In their book Inc
Page 267 and 268:
Bibliography All URLs are valid as
Page 269 and 270:
[Caloyannides 01] Caloyannides, Mic
Page 271 and 272:
[Ferreira 96] Ferreira, Joao Nuno;
Page 273 and 274:
[Kossakowski 00] Kossakowski, Klaus
Page 275 and 276:
[Scalet 02] Scalet, Sarah. “Risk:
Page 277 and 278:
[van Wyk 01] van Wyk, Kenneth R. &
Page 279 and 280:
Index @stake, 157 abnormal network
Page 281 and 282:
CIO, 84, 92 CIRC, 13 CIRT, 13 CISSP
Page 283 and 284:
internal, 14, 92 internal centraliz
Page 285 and 286:
incident handling, 84 reporting, 92
Page 287 and 288:
security, 56, 124 support staff, 73
Page 289 and 290:
incoming information, 74 priority s
Page 291 and 292:
survey, xii, 5, 49, 52, 55, 67, 71,
Page 293:
REPORT DOCUMENTATION PAGE Form Appr
show all

State of the Practice of Computer Security Incident Response Teams ...

Create successful ePaper yourself

Delete template?

Save as template?