State of the Practice of Computer Security Incident Response Teams ...

More documents

Recommendations

Info

[Arvidsson 03] Arvidsson, J., ed. “Taxonomy of the Computer Security Incident related terminology.” TERENA Incident Taxonomy and Description Working Group http://www.terena.nl/tech/task-forces /tf-csirt/iodef/docs/i-taxonomy_terms.html. [AusCERT 01] Australian Computer Emergency Response Team. The Methodology of Incident Handling. http://www.mncc.com.my/infosec2k1/panel4- 3.pdf (2001). [AusCERT 03] Australian Computer Emergency Response Team (AusCERT). http://www.auscert.org.au/ (2003). [Australia 02] AusCERT; Deloitte Touche Tohmatsu; & The New South Wales Police. “2002 Australian Computer Crime and Security Survey.” http://www.auscert.org.au/Information/Auscert_info/2002cs.pdf (2002). [Australia 03] AusCERT, Australian Federal Police; Queensland Police, South Australian Police, Western Australian Police. “2003 Australian Computer Crime and Security Survey.” http://www.auscert.org.au/download.html?f=65 (2003). [Berinato 01] Berinato, Scott. “Coming Up ROSI.” cso online.com, October 26, 2001. http://www.csoonline.com/alarmed/10262001.html. [Berinato 02a] Berinato, Scott. “Finally, a Real Return on Security Spending.” CIO Magazine, February 15, 2002. http://www.cio.com/archive/021502/security.html. [Berinato 02b] Berinato, Scott. “The Security Spending Mystery.” cso online.com, April 25, 2002. http://www.csoonline.com/alarmed/04252002.html. [Brezinski 02] Brezinski, D. & Killalea, T. “Guidelines for Evidence Collection and Archiving” (RFC 3227). Internet Engineering Task Force. ftp://ftp.isi.edu/in-notes/rfc3227.txt (2002). [Brownlee 98] Brownlee, N. & Guttman, E. Expectations for Computer Security Incident Response. http://www.ietf.org/rfc/rfc2350.txt?number=2350 (1998). 248 CMU/SEI-2003-TR-001
[Caloyannides 01] Caloyannides, Michael A. Computer Forensics and Privacy. Norwood, MA: Artech House, Inc., 2001. [CanCERT 03] CanCERT. http://www.cancert.ca/. [CERIAS 03] CERIAS Incident Response Database. https://cirdb.cerias.purdue.edu/website/ (2003). [CERT 02a] CERT Coordination Center. “Dealing with External Computer Security Incidents.” http://www.cert.org/archive/pdf/external-incidents.pdf (2002). [CERT 02b] CERT Coordination Center. Overview of Attack Trends. http://www.cert.org/archive/pdf/attack_trends.pdf (2002). [CERT 02c] CERT Coordination Center. “Creating a Computer Security Incident Response Team: A Process for Getting Started.” http://www.cert.org/csirts/Creating-A-CSIRT.html (2002). [CERT 02d] CERT Coordination Center. “Computer Security Incident Response Team (CSIRT) Frequently Asked Questions (FAQ).” (2002). [CERT-NL 03] SURFnet Computer Security Incident Response Team (CERT-NL). http://cert-nl.surfnet.nl/ (2003). [CHIHT 03] CHIHT – Clearing House for Incident Handling Tools. http://chiht.dfn-cert.de/ (2003). [CIO 02] CIO Magazine. CIO Cyberthreat Response & Reporting Guidelines. http://www.cio.com/research/security/incident_response.pdf (2002). [CSIRT 02] CSIRT Development Team, CERT/CC. Computer Security Incident Response Team (CSIRT) Frequently Asked Questions(FAQ) December 2002. http://www.cert.org/csirts/csirt_faq.html. CMU/SEI-2003-TR-001 249
Page 1:
State of the Practice of Computer S
Page 4 and 5:
This report was prepared for the SE
Page 6 and 7:
3.1.3 Total Registered CSIRTs......
Page 8 and 9:
iv CMU/SEI-2003-TR-001
Page 10 and 11:
vi CMU/SEI-2003-TR-001
Page 12 and 13:
viii CMU/SEI-2003-TR-001
Page 14 and 15:
x CMU/SEI-2003-TR-001
Page 16 and 17:
This document provides a view of th
Page 18 and 19:
• Katherine Fithen for her contin
Page 20 and 21:
xvi CMU/SEI-2003-TR-001
Page 22 and 23:
Although CSIRTs have been in existe
Page 24 and 25:
ased on a sampling of CSIRTs done v
Page 26 and 27:
future growth. It can also be used
Page 28 and 29:
The participating CSIRTs also repre
Page 30 and 31:
10 CMU/SEI-2003-TR-001
Page 32 and 33:
ole. This may include providing sec
Page 34 and 35:
• Incident response is the action
Page 36 and 37:
Model Coordinating CSIRT Descriptio
Page 38 and 39:
After the worm had been successfull
Page 40 and 41:
2.3.2 The Creation of FIRST In Augu
Page 42 and 43:
Up until this point, only one or tw
Page 44 and 45:
the other teams. Again, the communi
Page 46 and 47:
into a course for new incident hand
Page 48 and 49:
These early teams have become leade
Page 50 and 51:
2.3.5 Initiatives in Latin America
Page 52 and 53:
stituency is the research network a
Page 54 and 55:
In September 2003, the U.S. Departm
Page 56 and 57:
36 CMU/SEI-2003-TR-001
Page 58 and 59:
• There is not one entity for reg
Page 60 and 61:
Table 4 combines the total number o
Page 62 and 63:
In looking at the growth of teams e
Page 64 and 65:
Table 6: North American and Europea
Page 66 and 67:
3.1.5 Other Trends Other trends we
Page 68 and 69:
Figure 10: Example of Team Sponsors
Page 70 and 71:
service providers, or nation states
Page 72 and 73:
their web pages. This may also be t
Page 74 and 75:
A CSIRT, due to its position, may a
Page 76 and 77:
Malaysia Computer Emergency Respons
Page 78 and 79:
data collection, the use of analysi
Page 80 and 81:
Dittrich goes on to say that a big
Page 82 and 83:
• insider abuse of internal compu
Page 84 and 85:
Making the case to management to ga
Page 86 and 87:
• Security quality management ser
Page 88 and 89:
• perform artifact analysis (66%)
Page 90 and 91:
• Distributed dedicated CSIRTs: 1
Page 92 and 93:
Not surprisingly, in the majority o
Page 94 and 95:
tended team is formed by temporaril
Page 96 and 97:
• audit and risk management speci
Page 98 and 99:
As the field of incident handling a
Page 100 and 101:
promote “higher education in info
Page 102 and 103:
3.7.1 Defining Computer Security In
Page 104 and 105:
3.7.1.1 Security Incident Taxonomy
Page 106 and 107:
• identifying the staff and neces
Page 108 and 109:
Other flow diagrams and charts have
Page 110 and 111:
• Rule #1: Don’t Panic! • Rul
Page 112 and 113:
3.7.5.1 Data Fields Many CSIRTs hav
Page 114 and 115:
formats for exchanging incident dat
Page 116 and 117:
Level/Priority Low Type of Incident
Page 118 and 119:
priority), yellow (cautionary alert
Page 120 and 121:
way, the combined and coordination
Page 122 and 123:
Whoever does this work must not onl
Page 124 and 125:
• staff misuse of company system
Page 126 and 127:
Effective teams will have a plan in
Page 128 and 129:
• 83% of the education CSIRTs sha
Page 130 and 131:
Figure 14: Attack Sophistication Ve
Page 132 and 133:
service managers or customers. Such
Page 134 and 135:
As the volume of incident and vulne
Page 136 and 137:
enabling better cooperation and ass
Page 138 and 139:
3.9.2 United States Cyber Crime Law
Page 140 and 141:
3.10.1.2 Trusted Introducer for CSI
Page 142 and 143:
3.10.1.5 Asia Pacific Computer Emer
Page 144 and 145:
For more information see: http://ce
Page 146 and 147:
3.10.3.3 Distributed Intrusion Dete
Page 148 and 149:
3.10.5 Research CSIRTs and security
Page 150 and 151:
3.12 Resources 3.12.1 Case Study Ex
Page 152 and 153:
132 CMU/SEI-2003-TR-001
Page 154 and 155:
standards for incident handling met
Page 156 and 157:
• management support and trust fr
Page 158 and 159:
We are seeking opportunities to col
Page 160 and 161:
140 CMU/SEI-2003-TR-001
Page 162 and 163:
3. If yes, who is that constituency
Page 164 and 165:
. __ Distributed dedicated team (te
Page 166 and 167:
e. __ answering hotline/help desk c
Page 168 and 169:
26. What are your business hours? _
Page 170 and 171:
e. __ Audit or Risk Management Depa
Page 172 and 173:
Type and Title of Publication Autho
Page 174 and 175:
Type and Title of Publication Autho
Page 176 and 177:
156 CMU/SEI-2003-TR-001
Page 178 and 179:
Seminars include Intrusion Detectio
Page 180 and 181:
TRANSITS Training Workshop http://w
Page 182 and 183:
Certification Organizations Current
Page 184 and 185:
164 CMU/SEI-2003-TR-001
Page 186 and 187:
Article 10 - Offences related to in
Page 188 and 189:
accessing legal implications coordi
Page 190 and 191:
http://thomas.loc.gov/ Bills, Publi
Page 192 and 193:
18 U.S.C. § 1832 - Theft of trade
Page 194 and 195:
http://frwebgate.access.gpo.gov/cgi
Page 196 and 197:
SecurityFocus Online - Library Comp
Page 198 and 199:
U.S. House of Representatives - Off
Page 200 and 201:
CERT Coordination Center The CERT/C
Page 202 and 203:
CIO/FBI/USSS These are the CIO Cybe
Page 204 and 205:
CIO CYBERTHREAT RESPONSE & REPORTIN
Page 206 and 207:
asic information that is included i
Page 208 and 209:
Department of Justice Computer Crim
Page 210 and 211:
FBI & USSS FIELD OFFICES TELEPHONE/
Page 212 and 213:
FBI & USSS FIELD OFFICES TELEPHONE/
Page 214 and 215:
CONTRIBUTORS INDUSTRY Peter Allor M
Page 228 and 229: Nebraska Information Technology Com
Page 237 and 238: COMPUTER INCIDENT REPORTING SHORT F
Page 239 and 240: 3. Has your agency experienced this
Page 241 and 242: a. System(s) disconnected from the
Page 243 and 244: 6. (Optional) Updates to policies a
Page 245 and 246: COMPUTER SECURITY INCIDENT HANDLING
Page 253: Steele The Information Assurance Te
Page 256 and 257: Network Incident Report United Stat
Page 258 and 259: Details for Probes and Scans Appare
Page 260 and 261: Details for Unauthorized Access (co
Page 262: Van Wyk and Forno In their book Inc
Page 267: Bibliography All URLs are valid as
Page 271 and 272: [Ferreira 96] Ferreira, Joao Nuno;
Page 273 and 274: [Kossakowski 00] Kossakowski, Klaus
Page 275 and 276: [Scalet 02] Scalet, Sarah. “Risk:
Page 277 and 278: [van Wyk 01] van Wyk, Kenneth R. &
Page 279 and 280: Index @stake, 157 abnormal network
Page 281 and 282: CIO, 84, 92 CIRC, 13 CIRT, 13 CISSP
Page 283 and 284: internal, 14, 92 internal centraliz
Page 285 and 286: incident handling, 84 reporting, 92
Page 287 and 288: security, 56, 124 support staff, 73
Page 289 and 290: incoming information, 74 priority s
Page 291 and 292: survey, xii, 5, 49, 52, 55, 67, 71,
Page 293: REPORT DOCUMENTATION PAGE Form Appr
show all

State of the Practice of Computer Security Incident Response Teams ...

Create successful ePaper yourself

Delete template?

Save as template?