State of the Practice of Computer Security Incident Response Teams ...

More documents

Recommendations

Info

[Steele 02] Steele, Gordon. “Information Systems Security Incident Response.” IANewsletter 5, 1 (Spring 2002): 14–22. . [Swanson 02] Swanson, Marianne; Wohl, Amy; Pope, Lucinda; Grance, Tim; Hash, Joan; & Ray, Thomas. “Contingency Planning Guide for Information Technology Systems.” NIST Special Publication 800-34, National Institutes of Standards and Technology. http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf (2002). [Symantec 01] Symantec Corp. Advance Planning for Incident Response and Forensics. Cupertino, CA: Symantec Corp., November 2001. http://enterprisesecurity.symantec.com/SecurityServices /content.cfm?ArticleID=1557. [Symantec 02] Symantec Corp. Symantec Internet Security Threat Report, Volume II. http://enterprisesecurity.symantec.com /content.cfm?articleid=1539&PID=12944879&EID=0 (2002). [Taylor 02] Taylor, Laura. “Incident Response Planning and Management.” Intranet Journal, http://intranetjournal.com/articles/200201/pse_01_28_02b.html (2002). [TERENA 03] TERENA Task Force. “CSIRT Coordination for Europe.” http://www.terena.nl/task-forces/tf-csirt/ (2003). [TI 03] Trusted Introducer (TI) for CSIRTs in Europe. http://www.ti.terena.nl/ (2003). [US-CERT 03] United States Computer Emergency Response Team (US-CERT). http://www.us-cert.gov/ (2003). [USSS 01] United States Secret Service. “Cyber Threat/Network Incident Report,” Secret Service Form 4017. http://www.treas.gov/usss/net_intrusion_forms.shtml (2001). 256 CMU/SEI-2003-TR-001
[van Wyk 01] van Wyk, Kenneth R. & Forno, Richard. Incident Response. Sebastopol, CA: O’Reilly & Associates, Inc., 2001. [Vermont 01] State of Vermont. Incident Response Procedure. http://www.cio.state.vt.us/pdfs/sov_intrusion_procedures.pdf (2001). [Villano 01] Villano, Matt. “I.T. Autopsy.” CIO.com. http://www.cio.com/archive/030101/autopsy.html (2001). [Wack 91] Wack, John P. “Establishing a Computer Security Incident Response Capability (CSIRC).” NIST Special Publication 800-3, National Institutes of Standards and Technology. http://csrc.nist.gov/publications/nistpubs/800-3/800-3.pdf (1991). [West-Brown 03] West-Brown ,Moira J.; Stikvoort, Don; Kossakowski, Klaus-Peter; Killcrece, Georgia; Ruefle, Robin; & Zajicek, Mark. Handbook for Computer Security Incident Response Teams (CSIRTs) (CMU/SEI- 2003-HB-002). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2003. http://www.sei.cmu.edu /publications/documents/03.reports/03hb002.html. [Wood 01] Wood, Charles Cresson. Information Security Policies Made Easy. San Jose, CA: NetIQ Corp., 2001. http://www.pentasafe.com/publications/ispme.asp. [Wright 01] Wright, Timothy E. “How to Design a Useful Incident Response Policy.” SecurityFocus Online. http://online.securityfocus.com/infocus/1467 (2001). [Zeichner 03] Zeichner, Lee & Almosd, Robert. “State Implementation of Federal Cyber-Security Requirements.” Zeichner Risk Analytics, 2003. http://www.zra.com/docs/summaryReport.pdf. CMU/SEI-2003-TR-001 257
Page 1:
State of the Practice of Computer S
Page 4 and 5:
This report was prepared for the SE
Page 6 and 7:
3.1.3 Total Registered CSIRTs......
Page 8 and 9:
iv CMU/SEI-2003-TR-001
Page 10 and 11:
vi CMU/SEI-2003-TR-001
Page 12 and 13:
viii CMU/SEI-2003-TR-001
Page 14 and 15:
x CMU/SEI-2003-TR-001
Page 16 and 17:
This document provides a view of th
Page 18 and 19:
• Katherine Fithen for her contin
Page 20 and 21:
xvi CMU/SEI-2003-TR-001
Page 22 and 23:
Although CSIRTs have been in existe
Page 24 and 25:
ased on a sampling of CSIRTs done v
Page 26 and 27:
future growth. It can also be used
Page 28 and 29:
The participating CSIRTs also repre
Page 30 and 31:
10 CMU/SEI-2003-TR-001
Page 32 and 33:
ole. This may include providing sec
Page 34 and 35:
• Incident response is the action
Page 36 and 37:
Model Coordinating CSIRT Descriptio
Page 38 and 39:
After the worm had been successfull
Page 40 and 41:
2.3.2 The Creation of FIRST In Augu
Page 42 and 43:
Up until this point, only one or tw
Page 44 and 45:
the other teams. Again, the communi
Page 46 and 47:
into a course for new incident hand
Page 48 and 49:
These early teams have become leade
Page 50 and 51:
2.3.5 Initiatives in Latin America
Page 52 and 53:
stituency is the research network a
Page 54 and 55:
In September 2003, the U.S. Departm
Page 56 and 57:
36 CMU/SEI-2003-TR-001
Page 58 and 59:
• There is not one entity for reg
Page 60 and 61:
Table 4 combines the total number o
Page 62 and 63:
In looking at the growth of teams e
Page 64 and 65:
Table 6: North American and Europea
Page 66 and 67:
3.1.5 Other Trends Other trends we
Page 68 and 69:
Figure 10: Example of Team Sponsors
Page 70 and 71:
service providers, or nation states
Page 72 and 73:
their web pages. This may also be t
Page 74 and 75:
A CSIRT, due to its position, may a
Page 76 and 77:
Malaysia Computer Emergency Respons
Page 78 and 79:
data collection, the use of analysi
Page 80 and 81:
Dittrich goes on to say that a big
Page 82 and 83:
• insider abuse of internal compu
Page 84 and 85:
Making the case to management to ga
Page 86 and 87:
• Security quality management ser
Page 88 and 89:
• perform artifact analysis (66%)
Page 90 and 91:
• Distributed dedicated CSIRTs: 1
Page 92 and 93:
Not surprisingly, in the majority o
Page 94 and 95:
tended team is formed by temporaril
Page 96 and 97:
• audit and risk management speci
Page 98 and 99:
As the field of incident handling a
Page 100 and 101:
promote “higher education in info
Page 102 and 103:
3.7.1 Defining Computer Security In
Page 104 and 105:
3.7.1.1 Security Incident Taxonomy
Page 106 and 107:
• identifying the staff and neces
Page 108 and 109:
Other flow diagrams and charts have
Page 110 and 111:
• Rule #1: Don’t Panic! • Rul
Page 112 and 113:
3.7.5.1 Data Fields Many CSIRTs hav
Page 114 and 115:
formats for exchanging incident dat
Page 116 and 117:
Level/Priority Low Type of Incident
Page 118 and 119:
priority), yellow (cautionary alert
Page 120 and 121:
way, the combined and coordination
Page 122 and 123:
Whoever does this work must not onl
Page 124 and 125:
• staff misuse of company system
Page 126 and 127:
Effective teams will have a plan in
Page 128 and 129:
• 83% of the education CSIRTs sha
Page 130 and 131:
Figure 14: Attack Sophistication Ve
Page 132 and 133:
service managers or customers. Such
Page 134 and 135:
As the volume of incident and vulne
Page 136 and 137:
enabling better cooperation and ass
Page 138 and 139:
3.9.2 United States Cyber Crime Law
Page 140 and 141:
3.10.1.2 Trusted Introducer for CSI
Page 142 and 143:
3.10.1.5 Asia Pacific Computer Emer
Page 144 and 145:
For more information see: http://ce
Page 146 and 147:
3.10.3.3 Distributed Intrusion Dete
Page 148 and 149:
3.10.5 Research CSIRTs and security
Page 150 and 151:
3.12 Resources 3.12.1 Case Study Ex
Page 152 and 153:
132 CMU/SEI-2003-TR-001
Page 154 and 155:
standards for incident handling met
Page 156 and 157:
• management support and trust fr
Page 158 and 159:
We are seeking opportunities to col
Page 160 and 161:
140 CMU/SEI-2003-TR-001
Page 162 and 163:
3. If yes, who is that constituency
Page 164 and 165:
. __ Distributed dedicated team (te
Page 166 and 167:
e. __ answering hotline/help desk c
Page 168 and 169:
26. What are your business hours? _
Page 170 and 171:
e. __ Audit or Risk Management Depa
Page 172 and 173:
Type and Title of Publication Autho
Page 174 and 175:
Type and Title of Publication Autho
Page 176 and 177:
156 CMU/SEI-2003-TR-001
Page 178 and 179:
Seminars include Intrusion Detectio
Page 180 and 181:
TRANSITS Training Workshop http://w
Page 182 and 183:
Certification Organizations Current
Page 184 and 185:
164 CMU/SEI-2003-TR-001
Page 186 and 187:
Article 10 - Offences related to in
Page 188 and 189:
accessing legal implications coordi
Page 190 and 191:
http://thomas.loc.gov/ Bills, Publi
Page 192 and 193:
18 U.S.C. § 1832 - Theft of trade
Page 194 and 195:
http://frwebgate.access.gpo.gov/cgi
Page 196 and 197:
SecurityFocus Online - Library Comp
Page 198 and 199:
U.S. House of Representatives - Off
Page 200 and 201:
CERT Coordination Center The CERT/C
Page 202 and 203:
CIO/FBI/USSS These are the CIO Cybe
Page 204 and 205:
CIO CYBERTHREAT RESPONSE & REPORTIN
Page 206 and 207:
asic information that is included i
Page 208 and 209:
Department of Justice Computer Crim
Page 210 and 211:
FBI & USSS FIELD OFFICES TELEPHONE/
Page 212 and 213:
FBI & USSS FIELD OFFICES TELEPHONE/
Page 214 and 215:
CONTRIBUTORS INDUSTRY Peter Allor M
Page 228 and 229: Nebraska Information Technology Com
Page 237 and 238: COMPUTER INCIDENT REPORTING SHORT F
Page 239 and 240: 3. Has your agency experienced this
Page 241 and 242: a. System(s) disconnected from the
Page 243 and 244: 6. (Optional) Updates to policies a
Page 245 and 246: COMPUTER SECURITY INCIDENT HANDLING
Page 253: Steele The Information Assurance Te
Page 256 and 257: Network Incident Report United Stat
Page 258 and 259: Details for Probes and Scans Appare
Page 260 and 261: Details for Unauthorized Access (co
Page 262: Van Wyk and Forno In their book Inc
Page 267 and 268: Bibliography All URLs are valid as
Page 269 and 270: [Caloyannides 01] Caloyannides, Mic
Page 271 and 272: [Ferreira 96] Ferreira, Joao Nuno;
Page 273 and 274: [Kossakowski 00] Kossakowski, Klaus
Page 275: [Scalet 02] Scalet, Sarah. “Risk:
Page 279 and 280: Index @stake, 157 abnormal network
Page 281 and 282: CIO, 84, 92 CIRC, 13 CIRT, 13 CISSP
Page 283 and 284: internal, 14, 92 internal centraliz
Page 285 and 286: incident handling, 84 reporting, 92
Page 287 and 288: security, 56, 124 support staff, 73
Page 289 and 290: incoming information, 74 priority s
Page 291 and 292: survey, xii, 5, 49, 52, 55, 67, 71,
Page 293: REPORT DOCUMENTATION PAGE Form Appr
show all

State of the Practice of Computer Security Incident Response Teams ...

Create successful ePaper yourself

Delete template?

Save as template?