Establishing a Computer Security Incident Response Capability (CSIRC)
John P. Wack
Computer Systems Laboratory
National Institute of Standards and Technology
NIST Special Publication 800-3
November, 1991
Abstract
Government agencies and other organizations have begun to augment their computer security efforts because of increased threats to computer security. Incidents involving these threats, including computer viruses, malicious user activity, and vulnerabilities associated with high technology, require a skilled and rapid response before they can cause significant damage. These increased computer security efforts, described here as Computer Security Incident Response Capabilities (CSIRCs), have as a primary focus the goal of reacting quickly and efficiently to computer security incidents. CSIRC efforts provide agencies with a centralized and cost-effective approach to handling computer security incidents so that future problems can be efficiently resolved and prevented.
While the risks to computer security have increased, agencies have also become more dependent on computers. Many systems in widespread use today do not contain safeguards to guarantee protection from these threats. Additionally, as systems become more complex, they are more prone to vulnerabilities that can increase the risk of malicious exploitation. Due to greater availability of computers, users are often de facto system managers; however, many have neither the requisite skills nor time to manage their systems effectively. These factors make it clear that agencies need to augment their computer security capabilities before they suffer from serious computer security problems that can harm their missions, result in significant expense, and tarnish their images.
A CSIRC can help agencies resolve computer security problems in a way that is both efficient and cost-effective. Combined with policies for centralized reporting, a CSIRC can reduce waste and duplication while providing a better posture against potentially devastating threats. A CSIRC is a proactive approach to computer security, one that combines reactive capabilities with active steps to prevent future incidents from occurring.
Acknowledgments
Many people contributed to versions of this document and provided valuable support. NIST would especially like to recognize the efforts of E. Eugene Schultz of DOE's CIAC and Kenneth R. van Wyk of the CERT/CC, who commented on drafts of this document and provided valuable insight into the many issues involved in incident handling.
Table of Contents
1. Introduction
   1.1 Purpose
   1.2 Audience
   1.3 Basic Terms
   1.4 Structure of this Document
2. CSIRC Overview
   2.1 Traditional Agency Computer Security Efforts
   2.2 The Changing Threat Environment
   2.3 The Need for CSIR Capability
   2.4 The CSIRC Concept
   2.5 CSIRC Constituency and Technology Focus
   2.6 Proactive vs. Reactive Nature of a CSIRC
   2.7 CSIRC Relationship to Current Agency Security Efforts
   2.8 Early Agency CSIRC Efforts
3. Issues in Establishing a CSIRC
   3.1 Determining CSIR Goals
   3.2 Defining the CSIRC Constituency
      3.2.1 Constituency Communications Issues
      3.2.2 Formal and Informal Constituency
   3.3 Determining the Structure of the CSIRC Effort
      3.3.1 Centralized, Distinct Organization
      3.3.2 Decentralized, Distributed Organization
   3.4 Management Support and Funding
      3.4.1 Funding and Staffing Issues
      3.4.2 Effecting Centralized Reporting of Incidents
   3.5 Creating a Charter
      3.5.1 Legal Issues in Determining a Charter
      3.5.2 Components of a CSIRC Charter
   3.6 Creating a CSIRC Operations Handbook
   3.7 CSIRC Staffing Issues
      3.7.1 CSIRC Coordinator
      3.7.2 Technical Staff
      3.7.3 Other Support Staff
      3.7.4 Requirements for Clearances
      3.7.5 Avoiding Burn-Out
4. CSIRC Operational Issues and Activities
   4.1 Communications with the Constituency
      4.1.1 Issuing a Press Release
      4.1.2 Setting Up a Hotline Capability
      4.1.3 Setting Up Alert Mechanisms
      4.1.4 Use of an Information Repository
   4.2 Logging Information
      4.2.1 Contact Information
      4.2.2 Activity Logs
      4.2.3 Incident Logs
      4.2.4 Information Maintenance
   4.3 Incident Notification Issues
      4.3.1 Identifying the Existence of an Incident and its Scope
      4.3.2 Notifying Appropriate Agency Personnel
      4.3.3 Notifying Affected Users
      4.3.4 Requests for Confidentiality
   4.4 Legal Issues
      4.4.1 Working With Law-Enforcement and Investigative Agencies
      4.4.2 Incurred Liabilities
      4.4.3 Wording of Constituency Communications
      4.4.4 Logging and Gathering Evidence
   4.5 Working With the News Media
   4.6 Post-Incident Analysis
   4.7 Measuring the Effectiveness of a CSIRC
   4.8 Additional Assistance
5. References
Appendix A. Annotated Bibliography
Appendix B. Forum of Incident Response & Security Teams (FIRST)
1. Introduction
This guide provides advice for federal agencies and other organizations on establishing a Computer Security Incident Response Capability (CSIRC). A CSIRC provides computer security efforts with the capability to respond to computer security-related incidents such as computer viruses, unauthorized user activity, and serious software vulnerabilities, in an efficient and timely manner. A CSIRC further promotes increased security awareness of computer security-related risks so that agencies are better prepared and protected.
1.1 Purpose
This publication provides guidance for those interested in establishing a CSIRC. It describes why traditional computer security efforts may not be sufficient in light of more recent threats. This guide discusses some of the considerations in establishing a CSIRC as well as the organizational, technical, and legal issues connected with a CSIRC operation.
This guide is a starting point; it does not address all the issues relevant to Computer Security Incident Response (CSIR) for each agency or environment. To establish a CSIRC, each agency must explore many options and make many decisions. References are included in this document to help agencies in this process.
1.2 Audience
This guide is written primarily for federal agencies; however, it is also intended for other governmental, commercial, and academic organizations. Although this guide focuses primarily on establishing a CSIRC, it contains basic information that is useful for readers unfamiliar with the CSIRC concept.
1.3 Basic Terms
A computer security incident, for purposes of this guide, is any adverse event whereby some aspect of computer security could be threatened: loss of data confidentiality, disruption of data or system integrity, or disruption or denial of availability. The definition of an incident may vary for each agency depending on many factors; however, the following categories and examples are generally applicable [SCHULTZ90]:

• Compromise of integrity, such as when a virus infects a program or the discovery of a serious system vulnerability;
• Denial of service, such as when an attacker has disabled a system or a network worm has saturated network bandwidth;
• Misuse, such as when an intruder (or insider) makes unauthorized use of an account;
• Damage, such as when a virus destroys data; and
• Intrusions, such as when an intruder penetrates system security.
The acronym CSIRC stands for Computer Security Incident Response Capability, whereas CSIR is used to stand for Computer Security Incident Response. Other acronyms exist for CSIR capability, including CSRC (Computer Security Response Center) and CERT (Computer Emergency Response Team).
This guide uses the term traditional computer security effort to describe computer security efforts that are rooted in sound principles of physical security and contingency planning but that do not provide a CSIR capability.
The terms incident response and incident handling are used synonymously to describe the reactive activities associated with a CSIRC.
1.4 Structure of this Document
This document is structured as follows: Chapter 2 presents an overview of a CSIRC, including reasons for CSIR activity, the CSIRC concept, its goals, components, and interaction with existing agency computer security efforts. Chapter 3 deals with issues and factors associated with establishing an agency CSIRC. Chapter 4 describes some of the issues associated with operating and maintaining a CSIRC. The appendices contain an annotated bibliography for further reading on computer security and incident handling and information on FIRST, the Forum of Incident Response and Security Teams.
2. CSIRC Overview
This section describes the basic aspects of a Computer Security Incident Response Capability: its concept, benefits, components, and relationship to current computer security efforts within an agency. Background sections are included that deal with traditional computer security efforts, current threats to computer security, and justifications for increased CSIRC activity.
2.1 Traditional Agency Computer Security Efforts
A traditional computer security effort typically is not prepared to detect and subsequently react in a timely and efficient manner to computer security threats, such as system intrusions or serious bugs and vulnerabilities in systems.
Traditional computer security efforts are designed to meet a threat scenario that today is considered incomplete or outdated. Until the early 1980s, problems such as computer viruses and malicious hacking activity were not recognized as problems. Available guidance concentrated on subjects such as disaster recovery, physical security, backup contingency procedures, and data confidentiality. Agencies sometimes combined computer security responsibilities with general security responsibilities; therefore those responsible for computer security often were not highly skilled in computer technology. For many years, this arrangement of resources sufficed.
2.2 The Changing Threat Environment
Computer systems have progressed rapidly in capability and availability. Networks such as the Internet¹ link together tens of thousands of systems and cross international boundaries. System costs have decreased so that multi-user systems, personal computers, and local area networks are often widespread throughout agencies.
Along with the growth and spread of computer technology, a similar growth has occurred in the ways in which high technology can be exploited for harmful purposes. Four factors have increased risks of malicious exploitation:

• An emphasis on data confidentiality (and not integrity or availability);
• Increased use of local and wide area networks;
• Extensive use of personal computers combined with lack of user training; and
• Increased chances of vulnerabilities due to system complexity.

¹ The Internet is an interconnected network of many networks all running the TCP/IP protocol suite, connected through gateways. It exists to facilitate sharing of resources at participating organizations, which include government agencies, educational institutions, and private corporations. The Internet is very large, covering the United States, Canada, Europe, and Asia. Estimates of numbers of hosts exceed 500,000; it continues to grow at a fast rate.
Due to computer security requirements being driven in the past by concerns primarily with secrecy, most advances in computer security have been oriented towards protection of data confidentiality [RISK91] and not integrity or availability. However, threats such as computer viruses and worms are generally defeated by mechanisms for ensuring integrity and availability. While many vendors' products contain some integrity-enhancing mechanisms, systems are more at risk to threats such as viruses and worms that target integrity and availability.
The growth of networks now provides more freedom of range for malicious activity [QUARTERM90]. A networked system whose manager and users practice poor security poses significant threats to other systems on the network by enabling the spread of malicious software or by use as a springboard for malicious user activity. Interconnected computer networks also provide attackers a high degree of anonymity since connections between networks and countries are often difficult to trace.
As the price and size of systems have decreased, many users of systems have become, in effect, system managers as well. This is particularly true of personal computers, but often users of more complex and powerful systems must combine their other work activities with system management. This arrangement may reduce emphasis on proper system management and security procedures and increase the likelihood that systems are not maintained to be more resistant to computer security threats.
Finally, the complexity of modern systems has increased the risk that software defects remain undetected until the systems are already in operation. Users are at risk from undetected vulnerabilities and system failures that affect system integrity and availability and increase the odds of malicious exploitation.
2.3 The Need for CSIR Capability
The elements of a traditional agency computer security effort continue to be important and useful. As shown in the previous discussion, two trends necessitate the establishment of CSIR capability: first, computers are widespread throughout agencies; agencies rely heavily on computers and cannot afford denial of service; and second, agency computer systems and networks are at much higher risk to threats such as computer viruses, intrusions, and vulnerabilities. The following examples of computer security incidents are now commonplace:

• A computer virus is copied to a LAN server; within minutes hundreds of other computers are infected; recovery takes several people and several days.
• Backups infected with viruses result in reinfected systems, requiring more time and expense.
• Vulnerabilities in software are discovered that permit unauthorized entry; explicit instructions on how to exploit the vulnerability become quickly known.
• System intruders copy password files and distribute them throughout large networks.
• Break-ins through international networks require cooperation of different government agencies.
• Outbreaks of viruses or system penetrations appear in the press, causing embarrassment and possible loss of public confidence.
These situations could cause agencies to face extreme expense in productivity, significant damage to their systems, loss of funds, and damage to their reputations [GAO89]. Clearly, agencies now need to take action prior to suffering the consequences of a serious computer security problem.
2.4 The CSIRC Concept
A Computer Security Incident Response Capability is that part of a computer security effort that provides the capability to respond to computer security threats rapidly and effectively. A CSIRC is a direct extension of the contingency planning process, due to its explicit preparedness to respond to threats as they occur.
A CSIRC should be a central capability for dealing with virtually any computer security problem that occurs. It should provide a means for reporting incidents and for disseminating important incident-related information to management and users. It should concentrate the coordination of incident handling into one effort, thereby eliminating duplication of effort.
One basic aim of a CSIRC is to mitigate the potentially serious effects of a severe computer security-related problem. To effect this aim, a CSIRC effort requires the involvement and cooperation of the entire agency. It requires not only the capability to react to incidents, but the resources to alert and inform the users. It requires the cooperation of all users to ensure that incidents are reported and resolved and that future incidents are prevented.
A CSIRC, viewed as a discrete organization, would be relatively small, perhaps only three or more individuals. In its broadest sense, a CSIRC effort can be viewed as the involvement of the agency as a whole, organized such that its management structures, communications and reporting mechanisms, and users all work together in reporting, responding to, and resolving computer security incidents quickly and efficiently.
2.5 CSIRC Constituency and Technology Focus
Inherent to the purpose of a CSIRC is the existence of a constituency: the group of users or organizations served by the CSIRC. The constituency members share specific characteristics, such as a specific agency, its computer network, certain operating systems, or other common factors. The CSIRC's technology focus is that area of computer technology in use by the constituency that the CSIRC specializes in, such as microcomputers, or microcomputers of a certain make.
A CSIRC constituency need not be the entire agency or organization. For example, an agency might utilize several types of computer and networked systems, but may decide that a CSIRC is required to serve only its microcomputer users, e.g., because computer viruses are viewed as a more likely threat than those threats more common to larger systems. Or, a large agency composed of several sites may decide that current computer security efforts at some sites do not require a CSIRC, whereas other sites do.
2.6 Proactive vs. Reactive Nature of a CSIRC
A CSIRC is not solely a reactive capability; it is also a proactive approach to reducing an agency's computer security risks. When not responding to incidents, a CSIRC can take proactive steps to educate its constituency regarding pertinent risks and threats to computer security. These activities can prevent incidents from occurring. They include informing users about vulnerabilities and heightening awareness of other security threats, procedures, and proper maintenance of their systems.
An analogy to this mix of activities is a typical fire department. The reactive activities include fighting fires; however, one could say that the proactive, or fire-prevention, activities result in more injuries prevented. Likewise, a CSIRC may prove more cost-effective because of its incident-prevention activities than its incident-handling efforts.
2.7 CSIRC Relationship to Current Agency Security Efforts
A CSIRC activity complements and improves current computer security efforts. Results of CSIRC activity, such as collected statistics and other information on computer security, complement other components of current efforts such as risk analysis, contingency planning, and security audit. The proactive functions of a CSIRC, such as security awareness training, may already exist to some degree in current security programs. The essential requirements for centralized reactive capability may already exist to some degree in the form of help desks, management reporting structures, and policies for centralized reporting.
However, a CSIRC is defined less by its organizational structure than by its centralized, proactive capability to respond to security threats with speed, efficiency, and without duplication of effort and waste of agency resources. To achieve those objectives, current efforts will most likely require some revamping. Policies for centralized reporting and mechanisms for effecting it may need to be put into place. Personnel with the requisite skills and necessary equipment may need to be dedicated to the effort. Other changes in the way in which the agency manages computer security will most likely result.
2.8 Early Agency CSIRC Efforts
Several government agencies have started CSIRC activities or have augmented their computer security efforts with CSIR capabilities. In 1988, the Defense Advanced Research Projects Agency (DARPA) funded the CERT/CC (Computer Emergency Response Team/Coordination Center) to investigate and resolve computer security incidents related to the Internet, concentrating mainly on UNIX² operating systems [SCHERLIS88], [SCHERLIS89]. In 1989, the Department of Energy (DOE) funded the CIAC (Computer Incident Advisory Capability) to handle computer security incidents affecting DOE systems [SCHULTZ89]. Both teams have handled and resolved many incidents and regularly issue alerts concerning new vulnerabilities and software defects. Several other government and commercial organizations also created CSIRC efforts [DDN89], [FEDELI91]. In 1990, the National Institute of Standards and Technology (NIST), in conjunction with the CERT/CC, DOE's CIAC, the National Aeronautics and Space Administration (NASA), and other agency response teams, organized a cooperative activity known as the Forum of Incident Response and Security Teams (FIRST). The purpose of the Forum is to share technical information and to foster further participation in incident-handling efforts by government, commercial, and academic institutions [NIST90]. Refer to Appendix B for more information.

² UNIX is a registered trademark of AT&T.
3. Issues in Establishing a CSIRC
This section describes some of the initial steps and issues in establishing a Computer Security Incident Response Capability. While each agency has its own specific requirements, the steps and issues listed here should be applicable to most environments. The issues center on determining the initial goals of the CSIR effort, defining the CSIRC constituency, acquiring agency support, effecting policies for centralized reporting, documenting procedures, and staffing.
3.1 Determining CSIR Goals
The first step in establishing an incident response capability is to determine the nature of the computer security problem in the agency and whether it could better be handled via a CSIRC as opposed to an existing effort. From there, the goals of the CSIRC effort need to be stated. The goals define the scope and boundaries of the effort, including the type of technology to be protected and the constituency served. Establishing clear and realistic goals will help to determine the expectations of management and the funding necessary.
A major objective of a CSIRC is to gain control of the security problem by taking a proactive approach to the agency's security problems and reacting to incidents as necessary. The goals of a CSIRC might include some of the following:

• facilitate centralized reporting of incidents;
• coordinate response to incidents of a certain type or affecting a certain technology;
• provide direct technical assistance as needed;
• perform training and raise security awareness of users and vendors;
• provide a clearinghouse for relevant computer security information;
• provide data and other inputs to the contingency planning effort;
• promote computer security policies within a constituency;
• develop or distribute software tools to the constituency;
• encourage vendors to respond to product-related problems; and
• provide liaisons to legal and criminal investigative groups.
Goals should be simple, unambiguous, and realistic. For example, the ability to perform training might be too expensive for some organizations. Attempting to serve disparate constituencies such as mainframe and microcomputer users may be impractical depending on fiscal constraints. Therefore, guard against adopting any overly ambitious or ambiguous goals.
3.2 Defining the CSIRC Constituency
The CSIR goals determine the CSIRC's constituency. The constituency is usually aligned along a particular technology focus of the CSIRC, such as a particular type of computer operating system or network. However, if the constituency is defined to be an entire agency, the technology focus results in any computer technology in use by the agency, including mainframes, personal computers, and associated networks. The size of the constituency and the diversity of the technology focus thus determine the size and scope of the CSIRC effort. The broader the technology focus, the more important and expensive it will be to acquire staff with technical expertise in every area.
3.2.1 Constituency Communications Issues
An important factor in choosing a constituency is whether there exists a means by which the CSIRC and the constituency can communicate efficiently and rapidly, such as a centralized computer network. The constituency will need to be in touch with the CSIRC to effect centralized reporting of incidents, to request assistance, or to request information about relevant aspects of computer security. If some convenient or common means of communication is not available, other means such as facsimile or printed information disseminated via mail could suffice or could be used as a backup measure (however, the CSIRC's ability to respond quickly to incidents would be curtailed). Another issue in constituency communications is whether sensitive or classified information will be communicated; a means for trusted communications might be required, such as encryption devices or STU-III telephones.

3.2.2 Formal and Informal Constituency
In certain situations, a CSIRC will serve both a formal and an informal constituency. The CSIR goals determine the formal constituency, for example, a formal constituency of microcomputer users within a specified agency. However, the CSIRC could find itself serving an informal constituency of multi-user system users from the same agency, microcomputer users from other agencies, agency contractors, or users from the general public. This situation might arise because the CSIRC has become well-known and may be the only such capability within convenient reach of the informal constituency. While the evolution of an informal constituency can be a sign of the CSIRC's success and effectiveness, it can also cause problems. A CSIRC could have difficulty turning down requests from an informal constituency and thus find itself overwhelmed with work. Also, the relations between agencies could be disrupted if, for example, Agency A's users prefer to directly contact Agency B's CSIRC instead of going through Agency A's own computer security channels. Thus, a CSIRC needs to be aware of its requirements to serve its formal constituency, despite pressures from other communities.
3.3 Determining the Structure of the CSIRC Effort
A CSIRC structure can take different forms, depending on agency size, its diversity of technologies, and its geographical locations. When determining a structure, keep in mind the objectives of centralized response and avoiding duplication of effort. From there, much will depend on the size and diversity of the constituency and existing reporting and security practices at the agency. Although there are many suitable structures for a CSIRC, the following paragraphs describe two general approaches.
3.3.1 Centralized, Distinct Organization
Certain environments may find it most practical to utilize a CSIRC that is separate from the agency reporting structure. The CSIRC may operate in conjunction with existing security efforts, but physically may be a separate group that can be contacted directly by agency users. This approach results in a highly centralized CSIRC, which is most feasible when the constituency is aligned along a centralized communications network.
Several working models for centralized and distinct CSIRC activities exist [PETHIA90], [SCHULTZ90]. In the case of the CERT/CC and DOE's CIAC, DARPA and DOE respectively have created new organizations as opposed to augmenting existing ones. Although the two organizations are different, they share the same characteristics of being highly centralized, they operate without authority to enforce policies, and they are relatively small in size. Yet by virtue of centralization, they are able to meet the needs of very large constituencies.
This model can be reworked in many ways to fit different circumstances. An agency or site may be able to augment an existing computer security group with CSIR capabilities, such that the group can operate as a discrete unit for the location. For certain environments, this approach is more cost-effective as much duplication of effort is avoided and centralized reporting is rendered less complicated. Additionally, this structure lends itself to a contracted activity if agency expertise is not available.
3.3.2 Decentralized, Distributed Organization
For a variety of reasons, certain environments may find it difficult or impractical to create a CSIRC that is separate from the agency reporting structure or that is centralized into a separate group. For example, the sensitivity of the agency's operations may make it difficult to relinquish any control to one CSIRC activity. Or, the diversity of the technology and resultant constituencies may require a less unified approach. The existence of certain reporting and communications structures may also make it more feasible for the CSIRC activity to be distributed among several locations and levels of the agency.
As an example, an agency could augment existing computer security capabilities, such as help desks or site security offices, with CSIR capability. Each resultant CSIRC would specialize in the needs of its local constituency. However, if the agency is large, many such CSIRCs might be required, all needing to report to a centralized computer security capability. The centralized capability may not require any incident handling expertise, but would minimally log all incidents and facilitate communications among the lower-level CSIRCs; it could also coordinate contacts with investigative agencies and the press. Existing management structures could be used to bubble information up and down throughout the agency [FEDELI91]. This model may work well in certain environments, but could also result in some duplication of effort and prevent incidents from being handled in a timely manner.
In summary, it is difficult to prescribe one best structure, as each agency has different requirements. The objectives and goals of the CSIR effort may have to be adjusted somewhat with existing practices and the nature of the agency; however, too much compromise could result in an unwieldy approach that may prove inefficient and too expensive.
3.4 Management Support and Funding
The establishment and operation of a CSIRC requires significant time and resources. Without proper support from management for the CSIRC effort and for policies such as centralized reporting, an effective CSIRC is not possible. Furthermore, a "rogue" CSIRC may cause an agency more harm than good and reduce the likelihood of funding for an approved CSIRC.

3.4.1 Funding and Staffing Issues
A CSIRC requires two types of funding: start-up and continued funding. Start-up funding includes items such as computer equipment, new hires, communications facilities, and offices. Continued funding includes items such as salary growth, inflation, travel, workshop and resource center expenses, and equipment maintenance.
A CSIRC plan might call for at least one manager and one or more technical staff members. A basic level of staffing is required to accomplish all goals and avoid burn-out. Since it may be difficult to identify all staffing costs at the outset, the following year's funding estimates should account for possible growth in staff.
Management should be presented with several alternative CSIRC configurations, with their respective funding and staffing estimates. For example, a full CSIRC effort could be scaled back and presented as an alternative, with the appropriate trade-offs noted.
3.4.2 Effecting Centralized Reporting of Incidents
Once management support for the CSIRC is established, agency officials need to issue policies to direct the reporting of computer security-related problems to a central point of contact, such as the CSIRC hotline or e-mail address. Centralized reporting is vital to the CSIRC's ability to be effective; if the CSIRC is a single point of contact for its constituency, it is then possible to respond to all incidents and to determine whether incidents are related. With centralized reporting, a CSIRC can also develop accurate statistics on the size, nature, and extent of the security problems within the agency.
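The two benefits named above, recognizing that reports from several sites are one incident and building statistics on the size and nature of the problem, only exist when every report lands in one register. The following added example (not part of NIST SP 800-3; the record fields, the seven-day correlation window and the sample reports are assumptions constructed for illustration) shows a minimal central register doing both, using the incident categories of section 1.3.

```python
"""Central incident register: validates incoming reports, correlates reports
about the same subject from different sites into one incident, and produces
the statistics that centralized reporting makes possible. Field names, the
correlation window and the sample data are constructed assumptions."""
from collections import Counter
from datetime import datetime, timedelta

# Incident categories from section 1.3 of the guide (after [SCHULTZ90]).
CATEGORIES = {"integrity", "denial_of_service", "misuse", "damage", "intrusion"}

# Constructed sample reports, as they might reach a CSIRC hotline or e-mail
# address from several sites. "subject" is what the report is about (a virus
# name, a product, an account); the values are placeholders, not identifiers.
SAMPLE_REPORTS = [
    {"id": 1, "site": "HQ",    "category": "integrity", "technology": "PC",
     "subject": "virus-X", "reported": "1991-06-03T09:10"},
    {"id": 2, "site": "Lab-A", "category": "integrity", "technology": "PC",
     "subject": "virus-X", "reported": "1991-06-03T11:40"},
    {"id": 3, "site": "Lab-B", "category": "damage", "technology": "PC",
     "subject": "virus-X", "reported": "1991-06-04T08:05"},
    {"id": 4, "site": "HQ",    "category": "intrusion", "technology": "UNIX",
     "subject": "mail-server", "reported": "1991-06-10T22:15"},
    {"id": 5, "site": "Lab-A", "category": "integrity", "technology": "PC",
     "subject": "virus-X", "reported": "1991-07-20T10:00"},
    {"id": 6, "site": "HQ",    "category": "bogus", "technology": "PC",
     "subject": "?", "reported": "1991-07-21T10:00"},
]


def validate(report):
    """Return the list of problems with a report; empty means it can enter
    the register as-is. A CSIRC would still log a failing report but flag it
    for follow-up with the reporter rather than silently dropping it."""
    problems = []
    for field in ("id", "site", "category", "technology", "subject", "reported"):
        if field not in report:
            problems.append(f"missing {field}")
    if report.get("category") not in CATEGORIES:
        problems.append(f"unknown category {report.get('category')!r}")
    try:
        datetime.fromisoformat(report["reported"])
    except (KeyError, ValueError):
        problems.append("bad timestamp")
    return problems


def correlate(reports, window=timedelta(days=7)):
    """Group valid reports that concern the same subject and arrive within
    `window` of the previous report in the group. Each group is one probable
    incident seen from several sites; without a central register each site
    would treat its own report as an isolated event. Returns lists of ids."""
    good = sorted((r for r in reports if not validate(r)),
                  key=lambda r: r["reported"])
    groups = []     # list of lists of report ids, one list per incident
    last_seen = {}  # subject -> (index of its open group, time of last report)
    for r in good:
        t = datetime.fromisoformat(r["reported"])
        subj = r["subject"]
        if subj in last_seen and t - last_seen[subj][1] <= window:
            idx = last_seen[subj][0]
        else:
            groups.append([])
            idx = len(groups) - 1
        groups[idx].append(r["id"])
        last_seen[subj] = (idx, t)
    return groups


def statistics(reports):
    """The figures the guide says centralized reporting yields: reports
    received, reports rejected, distinct incidents after correlation, and
    breakdowns by category, technology and affected site."""
    good = [r for r in reports if not validate(r)]
    return {
        "reports": len(good),
        "rejected": len(reports) - len(good),
        "incidents": len(correlate(good)),
        "by_category": dict(Counter(r["category"] for r in good)),
        "by_technology": dict(Counter(r["technology"] for r in good)),
        "sites_affected": sorted({r["site"] for r in good}),
    }


if __name__ == "__main__":
    for group in correlate(SAMPLE_REPORTS):
        print("incident:", group)
    print(statistics(SAMPLE_REPORTS))
```

On the sample data, reports 1, 2 and 3 collapse into one virus incident spanning three sites, while report 5 (six weeks later) is counted as a separate recurrence.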
3.5 Creating a Charter
Incident response is fraught with many difficulties that arise out of confusion over roles and responsibilities. A charter helps to resolve these conflicts as well as other turf issues that arise. The charter is a statement of the CSIRC's purpose and function. It represents management's acknowledgment and approval of the CSIRC effort. The charter lists the requirements that the CSIRC must satisfy and lays out the boundaries or scope of the CSIRC effort. It should be made available to the agency for use as a reference.

3.5.1 Legal Issues in Determining a Charter

[STEWART89] notes that CSIRC activity raises several legal issues, mostly involving liabilities that may be incurred as a result of intentional, reckless or negligent conduct on the part of the CSIRC that could cause injury to another party.³ Even though a CSIRC is performing a useful service, it may be liable to software vendors, users, or others if it performs its work negligently. A CSIRC might limit its legal exposure by clearly declaring within the charter what the CSIRC is and is not purporting to do, how it will accomplish its goals, and where its boundaries of involvement lie. Appropriate legal advisors need to review the charter and all other procedures in use by a CSIRC.

³ [STEWART89] is oriented towards those who would establish Computer Security Response Centers (CSRCs) for the Internet; it does not purport to provide definitive legal advice. It states that the implementation of a CSRC raises a number of legal issues, including the following:
• What is a CSRC's liability if, having undertaken to assist in the protection of the Internet, it fails to do so and someone is harmed as a result?
• What is a CSRC's liability if it reports a software bug to a publisher or to users and the bug does not, in fact, exist?
• How should legal concerns shape a CSRC's planned collection and notification procedures, if at all?
It states that most of the liabilities facing a CSRC are in the nature of torts, i.e., the civil liabilities the law imposes for intentional, reckless, or negligent conduct that causes injury to another. It then suggests that a CSRC could limit its exposure by clearly declaring that (a) its sole purpose is to evaluate and report software defects, (b) it will not be in the business of independently uncovering software defects, (c) it does not purport to displace the obligations software publishers have to computer users, (d) its efforts should be viewed as mere supplements to the efforts of Internet users and beneficiaries to protect the Internet, (e) it encourages users to purchase software maintenance from publishers and remain in contact with publishers, and (f) it is undertaking these duties for the purpose of assisting publishers, users and other beneficiaries in protecting the viability of the Internet network and not attempting to protect the security of any particular computer system or user.
3.5.2 Components of a CSIRC Charter

A CSIRC charter should include the following (or equivalent) sections to describe the purpose and scope of the effort [STEINBERG89]:
1. Executive Summary
2. Responsibilities
3. Methods
4. Reporting Structure and Staffing

Executive Summary - to quickly acquaint readers with the existence of the CSIRC, its overall scope of responsibilities, and other basic information.

Responsibilities - a description of what the CSIRC is and is not purporting to do. To limit its legal exposure, this section states the express purpose of the CSIRC effort and defines the boundaries of involvement for the CSIRC, such as when dealing with classified matters or matters involving other agencies or contractors.

Methods - defines in a high-level manner how the CSIRC will meet its responsibilities and requirements and the general approach used by the CSIRC for dealing with certain types of threats and for reducing risks in the affected areas.

Reporting and Staffing - identifies how the CSIRC will fit within the organizational structure of the agency and the staffing and funding requirements. This helps to quickly resolve boundary disputes and other potential conflicts over who should handle certain types of computer security problems.
3.6 Creating a CSIRC Operations Handbook

The Operations Handbook contains the procedures that the CSIRC will follow and refer to during its daily activities. It provides a single point of reference for outlining the operating procedures as they are developed and implemented. The handbook is an evolving document that will undergo changes and modifications over time and as the CSIRC effort gains experience and benefits from lessons learned. Like the charter, it should be reviewed by legal advisors to avoid unnecessary legal conflicts.

The CSIRC staff members will need to consult the Operations Handbook routinely, thus it should be organized to provide ready access to operational information. The operations handbook should contain the following:
• Staffing Information - contacts, facsimile, pagers
• Hotline Use - numbers, procedures for 24-hour operation, on-call lists
• Constituency Communications - procedures for receiving and sending information
• Incident Reports - types of, content of, reviews of, how verified
• Information Handling - logging, sensitive information, incident summaries
• CSIRC Computer Equipment - administration policies, configurations, procedures
• Administrative Procedures - expense reports, travel, security clearances
• Contacts within investigative agencies
• Dealing With Media - press reports, clearance process
• Vendor Contacts
• Other Contact Information - other individuals to contact for help, reference
The Operations Handbook will need to be revised frequently, especially during the first year of CSIRC operation. An on-line copy helps to facilitate frequent revisions.

3.7 CSIRC Staffing Issues

Although agency requirements differ, a typical CSIRC might have the following full-time staff:
• one or more CSIRC coordinators;
• several technical staff members (probably two or more); and
• support staff as necessary.

It is difficult to prescribe a typical staffing profile, as the profile is directly related to the diversity of the constituency and its size as well as to other factors such as the types of risks to the constituency technology. For example, a CSIRC that handles incidents of computer viruses may be much smaller than a CSIRC that covers several types of systems.

3.7.1 CSIRC Coordinator
The position of CSIRC coordinator entails much more than typical management functions. A CSIRC, in the course of handling incidents, may prove to be controversial, especially when the incidents involve dealings with other agencies or with law enforcement groups or the press. In situations where delicate political relationships have to be considered, the manager of a CSIRC will need to be adept at maintaining a positive working relationship between the CSIRC and any affected groups. The CSIRC coordinator might also have to spend a considerable amount of time "selling" the CSIRC efforts to the constituency and vendors to effect a better relationship and raise computer security awareness.

3.7.2 Technical Staff

A CSIRC's technical staff members should possess a number of important qualities. Technical expertise in the CSIRC's technology focus is essential; however, a broad range of experience is most desirable. Other important qualities center around good communications skills. A summary of the qualifications a technical staff member ought to possess might be as follows:
• capable of supporting the technology focus;
• work in a group environment and share information with others;
• communicate effectively with different types of users, who will range from system administrators to unskilled users to management to law-enforcement officials;
• be "politically" adept and skilled at dealing with emotional situations;
• be on-call 24 hours as needed; and
• be able to travel on short notice.

3.7.3 Other Support Staff

Other support staff could be utilized to perform functions connected with the daily operation and support of the CSIRC; this could also be performed by technical staff members. Some of the functions performed by other support staff would be as follows:
• maintain CSIRC computer resources;
• coordinate incident logging procedures;
• develop histories and summaries of CSIRC interactions;
• on-line analysis of CSIRC operations;
• capture lessons learned through operation of the CSIRC and post-incident reviews; and
• provide support services to the rest of the CSIRC members.
3.7.4 Requirements for Clearances

CSIRC staff members may require clearances to work with Department of Defense agencies and law enforcement groups in situations where data may be sensitive or classified. While clearances will not be necessary for all environments, information about aspects of incidents can become classified depending on many factors. Finding people who can or wish to undergo the clearance process and who possess the requisite skills may be time-consuming and the clearance process itself may take several months or longer. If there exists a requirement for clearances, paperwork should be submitted at the earliest opportunity.

3.7.5 Avoiding Burn-Out

If a CSIRC performs only incident handling and no other activities, burn-out may become a critical problem affecting the CSIRC staff members. Incident handling on a full-time basis may prove somewhat underchallenging for highly technical individuals, and some alternative tasks may need to be built-in. Some suggestions for these tasks are:
• performing workshops or training sessions for the constituency;
• writing educational material that can be distributed or published;
• writing software tools for system managers to better detect or prevent incidents; and
• conducting research.
4. CSIRC Operational Issues and Activities

This section describes some of the issues and activities involved in operating a CSIRC. Incident response is a process whereby incidents are identified, contained, and resolved. There are many issues and details involved in each of these steps; a detailed discussion is beyond the scope of this guide. Readers are encouraged to examine [HOLBROOK91], [BRAND89], and [SCHULTZ90] for discussion on incident response.

This chapter concentrates on operational activities and issues that are generally involved in incident response, regardless of the type of incidents, computing environments, or organization. Sections deal with constituency communications, logging information, legal issues, the press, and post-incident procedures.

4.1 Communications with the Constituency

A CSIRC needs to be in touch with its constituency on a daily basis to effect centralized reporting and to disseminate information concerning vulnerabilities, alerts, and other awareness information. This section contains information on technical communications issues, i.e., the mechanisms for convenient and effective communications between the constituency and the CSIRC. Sections focus on issuing a press release to the constituency and issues on using a hotline and information repository.

4.1.1 Issuing a Press Release

A press release is useful for making the existence of the CSIRC known to the constituency so that misconceptions and misunderstandings about the CSIRC's role and purpose are avoided. A press release should minimally state the purpose of the CSIRC and where its boundaries of involvement lie. It should define the constituency and how the constituency can get in touch with the CSIRC. It may be advisable before commencing CSIRC operations to make other information available to the public affairs office so that they will have appropriate material on-hand when fielding inquiries about the CSIRC.

A CSIRC may find it advantageous to issue press releases for reasons other than initial start-up. During the course of an incident, it may be useful to issue information to ensure that accurate information gets disseminated and damaging misconceptions are prevented. When dealing with the press, always make use of the public affairs office. Working with the press is covered in more detail in section 4.5.
4.1.2 Setting Up a Hotline Capability

The CSIRC needs to advertise how the constituency can contact the CSIRC in case of emergencies and other matters. It may be most practical to publish a "hotline" telephone number that the constituency can call for urgent matters. An e-mail address is useful for constituents to send inquiries or obtain information. Using an e-mail address or telephone voice mailbox permits the CSIRC staff to prioritize calls. An e-mail address offers the further advantage of all members of the CSIRC being able to receive the e-mail, enhancing team communications.

An important detail to setting up a hotline capability is deciding who should answer the calls. A practical arrangement is to designate a technical staff member to be "on-call" for a certain period, one week for example, and then to rotate the assignment to the next staff member, with other staff members available to help out as needed. This arrangement is most practical when the hotline is to be staffed 24 hours a day; the staff member on-call needs to wear a pager when away from the office and stay within a close geographical area during the period of on-call duty.

4.1.3 Setting Up Alert Mechanisms

The CSIRC needs some mechanism for alerting its constituency of important alert and vulnerability-related information. In certain environments, a computer network works well for this purpose; information sent out to the network could rapidly reach users. Users could respond to a central CSIRC e-mail address.

Factors that make a computer network less feasible include lack of uniform access to a network and lack of trust in the network, i.e., if classified or very sensitive information would need to be relayed via a network subject to eavesdropping. If no central, homogeneous network exists, communications are more complicated. A frequent networking situation is that several different types of networks are in use throughout an agency. In this case, gateways between the networks could be investigated, or else the CSIRC may need direct access to each network. Encryption methods should also be explored so that network traffic can be protected from surreptitious tampering and listening. The CSIRC could also issue alerts and information via telephone, management bulletins, facsimile, or phone-mail.

Emergency backup communications should be put in place for contingencies such as equipment failure or malicious activity that could make the primary mechanism unavailable. While a redundant computer network is preferable, a simple but effective backup mechanism could make use of a points-of-contact list to alert management, which could in turn alert users.
4.1.4 Use of an Information Repository

An electronic information repository offers significant advantages in that it can be used to make awareness information available to the constituency in a format that is both convenient and efficient for the CSIRC. Users are able to peruse and download information without requiring assistance from the CSIRC, enabling the CSIRC to concentrate its resources on incident handling and information gathering. An information repository might include the following:
• archived vulnerability or alert information;
• descriptions of the CSIRC and related information;
• agency security policies;
• procedures for reporting suspected problems or incidents;
• self-help information, such as how to use access controls to improve integrity; and
• information about current threats, such as viruses or software vulnerabilities.

If the constituency is aligned along a network, a network server could be made available as an information repository. Otherwise, a bulletin board system (BBS) reachable via telephone lines may work. Minimally, this information could be made available in hardcopy, although the dissemination of hardcopy material may better be handled by a group other than the CSIRC.
4.2 Logging Information

A CSIRC needs to retain a variety of information for its own operational use and for conducting reviews of effectiveness and accountability. Several types of information need to be maintained:
• contact information
• activity logs
• incident logs

4.2.1 Contact Information

The demands of incident handling necessitate that contact information be maintained in a format that can be readily accessed and updated. A contacts database includes such items as vendor contacts, legal and investigative contacts, other individuals with technical expertise, and other CSIRC information. A contacts database record might include the following information fields:
Name
Title
Organization
Address
Regular Phone
Emergency Phone
E-mail Address
Facsimile Address
Comments (could include field of expertise or other information)
Alternative Contact (in case contact is not available)

4.2.2 Activity Logs

Activity logs reflect the course of each day. It is not necessary to describe each activity in detail, but it is useful to keep such a log so that the CSIRC can account for its actions. Noting all contacts, telephone conversations, and so forth ultimately saves time by enabling one to retain information that may prove useful later. Security incidents or other events that are seemingly unrelated may, through examining activity logs, prove to be related or otherwise more important. While it is possible to maintain activity logs on-line, a simple notebook is convenient and flexible.

4.2.3 Incident Logs

Incident logs are generated during the course of handling an incident. While physically similar to activity logs, they are dedicated to incident response and merit more detail. Incident logs are important for accurate recording of events that may need to be relayed to others - if little or no information is logged, the source of information needs to be contacted repeatedly, wasting valuable time. Information in incident logs is helpful for establishing new contacts, piecing together the cause, course, and extent of the incident, and for post-incident analysis and final assessment of damage. Additionally, if the CSIRC will be involved in potential prosecutions, the information might also be used as evidence. An incident log should minimally contain the following information:
• all actions taken, with times noted;
• all conversations, including the person(s) involved, the date and time, and a summary; and
• all system events and other pertinent information such as audit logs.

It is practical to maintain an incident log in a notebook along with the activity log. It may be difficult to pinpoint when an incident first began or when the CSIRC first became aware of it, thus the log of an incident may become intertwined with the activity log.
4.2.4 Information Maintenance

Maintain all contact and other information in a tightly controlled area. Notebooks need to be stored in locked, fireproof areas. All information maintained on-line needs to be backed up daily and secured from unauthorized access. Store the information on a system that is inaccessible to non-CSIRC members, i.e., a system not connected to an agency-wide network.
4.3 Incident Notification Issues

When first notified of an incident, a CSIRC follows an established set of procedures to verify the actual existence of the incident and to notify appropriate contacts within the agency as well as others affected by the incident. If these procedures are not established beforehand, embarrassing and potentially damaging situations could arise that may damage the agency's reputation and expose it to legal problems [STEWART89].

4.3.1 Identifying the Existence of an Incident and its Scope

Upon learning of a possible incident, a CSIRC needs to take steps to verify that the incident actually does exist. If the source of the incident information is unfamiliar or not trusted, verify the source, especially if the source has identified themselves as a representative of a legal or investigative agency. Verify the incident, firsthand if possible, to ensure that the incident is not a harmless misunderstanding or even a hoax. The CSIRC should be aware of false alarms and other activity that may only resemble something more serious.

Once the incident is verified, determine its scope. While the real scope of the incident may not be apparent at this stage, knowing whether it affects other agencies or organizations will determine who should be notified and whether investigative agencies should be contacted.

4.3.2 Notifying Appropriate Agency Personnel

After the incident has been confirmed, the CSIRC may be required to notify a predetermined list of agency personnel. Create this list before incident handling occurs to avoid confusion and prevent situations where agency officials learn of the incident via third parties. While each agency has its own notification requirements, a typical list might include the following:
• agency directors
• computer security personnel
• network managers as appropriate
• data processing sites as appropriate
• legal advisor
• public affairs office
• local or state police
• contacts in investigative agencies

4.3.3 Notifying Affected Users

If the incident affects other users, they may need to be notified so as to take appropriate action. For example, if an intruder is using a system to break into other systems, the system's administrator needs to be contacted so that the intruder's access can be closed or their actions monitored. When apprising users of the existence of an incident, the CSIRC should make every attempt to provide clear and concise information, as those users may need to inform their respective organizations. The CSIRC should avoid any appearance of being an enforcement activity and should be aware that affected users may not take the news of the incident in a positive manner. Good communication skills and the ability to be adaptive to different users and their respective levels of technical experience are all the more important.

4.3.4 Requests for Confidentiality

During the course of incident handling, a CSIRC may find that some individuals wish to remain anonymous, i.e., the CSIRC may be requested to keep its source of incident information confidential. This presents a dilemma if the CSIRC is obligated to report the source of information: if the party is not granted anonymity, the party may refuse to cooperate further or may turn to another CSIR effort that respects the party's wishes.

The central issue is that if the CSIRC takes on the appearance of an enforcement aspect and does not respect requests for confidentiality, incidents may not be reported because the affected parties may not want to risk exposure, embarrassment, or penalty. If the parties turn to other CSIR efforts, it may present dilemmas for those efforts, since they may not wish to overstep their boundaries of involvement.

If the CSIRC is to respect requests for confidentiality, CSIRC staff members should advise affected parties that they may still be under other obligations for reporting the incident information, i.e., the CSIRC's decision not to report a source does not remove any other obligations for reporting. Making this clear to the party is important from a legal standpoint and may encourage the party to fulfill its obligations.
4.4 Legal Issues

There are a number of legal issues in operating a CSIRC. Some of these issues have already been covered: Chapter 3 discussed appropriate language in the CSIRC charter to reduce legal exposure by defining the CSIRC's expressed purpose and boundaries of involvement. The guidance given here is not authoritative; always consult appropriate agency legal advisors.

4.4.1 Working With Law-Enforcement and Investigative Agencies

A CSIRC needs to make contacts within the local and state law-enforcement groups and within the investigative agencies, most importantly the FBI and the Secret Service, before assuming an incident response role. There are many reasons for establishing these contacts at the outset, most importantly because the handling of an incident does not leave time to establish the correct contacts. If an incident involving criminal conduct is mishandled, the CSIRC could conceivably cause its agency to be legally liable.

Issues to resolve with law-enforcement and investigative agencies include differences between state and federal law that affect computer security, gathering evidence, monitoring issues, and which agencies will assume jurisdiction in an incident.

4.4.2 Incurred Liabilities

A CSIRC may face a legal obligation of performing its duties with reasonable care in the investigation and reporting of software defects and vulnerabilities. If the CSIRC's Charter states that the CSIRC will accept and investigate reports of software defects or vulnerabilities, the CSIRC must make itself reasonably available to receive reports of software defects. An e-mail address or hotline should be made available for reporting problems, and all problems must be checked thoroughly for accuracy and then logged. The CSIRC must accurately record and report the defects to the proper vendors or, failing that, to user groups. The reports must be held confidential and reported to the proper vendor(s) in a timely manner. It may be useful to solicit the vendor's response and help when writing a report of the defect or vulnerability to the constituency [STEWART89].
The possible consequences of failures to perform the above in a reasonable fashion could involve a lawsuit whereby the plaintiff could argue that the CSIRC, by not properly disclosing knowledge of a software defect or vulnerability, would have a legal liability to a plaintiff that was harmed by the defect. For this reason, a CSIRC must not purport to assume any obligations that other groups already incur, such as a vendor's stated obligation to correct software defects. The CSIRC should also widely disseminate a detailed description of its policies on notifying software vendors, its constituency, and the public about software defects or vulnerabilities to ensure that any misunderstandings or false expectations of its policies are minimized.

4.4.3 Wording of Constituency Communications

When writing alerts or reports to send to the constituency regarding an incident or vulnerability, care should be taken to choose the proper wording. While the agency and the CSIRC may consider that any communication to the constituency is private, the agency should expect that the communications may be disseminated far beyond the constituency. The same care should be taken with the press: be accurate, but do not reveal evidence or technical details that may result in more incidents or further damage.

When writing about software defects or vulnerabilities, a CSIRC should avoid possible copyright, defamation, patent, or trade secret issues with the vendor(s) in question [STEWART89]. Value-neutral words should be chosen to describe the problems, such as "possible software defect" or "potential security vulnerability" as opposed to words that imply vendor negligence or guilt. If the CSIRC possesses source code or has made non-disclosure agreements, care should be taken to avoid revealing any information that is legally protected.

The legal advisor may suggest that a disclaimer be attached to CSIRC communications, especially when vendor products are mentioned. Following is an example of such a disclaimer:(4)

    Neither the United States Government nor any of its employees makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.

4. This disclaimer is adapted from a disclaimer used by the Department of Energy's Computer Incident Advisory Capability (CIAC). It is provided here only as an example; agencies should consult their legal advisors for appropriate wording.
4.4.4 Logging and Gathering Evidence

At the outset of an incident, it may not be possible to determine whether the incident will result in a prosecution. Thus, incident logging should be treated much the same as evidence gathering: the incident log should be detailed, accurate, and the proper procedures should be followed so that the incident log could be used as evidence in a court of law. Investigative agencies can provide more detail; at a minimum, use the following procedures:
• at the end of each day, make a photocopy of the incident log;
• sign and date the photocopy and submit it to a document custodian;
• accept and retain the receipt from the custodian; and
• the document custodian must store the photocopy in a secure area.

When logging or monitoring electronic information concerning an incident, always contact the investigative agencies first for advice on legal issues and procedures [HANSEN90], [HOLBROOK91].
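The incident-log contents of section 4.2.3 and the end-of-day evidence procedure above, as an added example that is not part of this guide: a Python incident log in which the daily photocopy, signature and custodian deposit are replaced by a hash-chained daily seal, so that later edits to a sealed day can be detected. The class names, the constructed entries and the custodian receipt format are assumptions for illustration; whether such a record is acceptable as evidence remains a question for the investigative agencies, as the text says.

```python
"""Added example (not from NIST SP 800-3): an electronic incident log whose
end-of-day step mirrors the paper procedure of section 4.4.4. Each day's
entries are fixed by a SHA-256 digest chained to the previous day's seal.
Names, times and the seal format are hypothetical."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime
from typing import List, Optional


@dataclass
class Entry:
    """One log line: an action, a conversation or a system event (section 4.2.3)."""
    time: str                     # ISO 8601 timestamp, minutes resolution
    kind: str                     # "action" | "conversation" | "system_event"
    summary: str
    persons: List[str] = field(default_factory=list)  # required for conversations
    source: Optional[str] = None  # e.g. the audit log a system event came from


@dataclass
class DailySeal:
    """Stand-in for the signed, dated photocopy handed to the custodian."""
    day: str
    entry_count: int
    prev_digest: str              # "" for the first day; chains the seals
    digest: str
    signed_by: str
    custodian_receipt: Optional[str] = None  # whatever the custodian hands back


class IncidentLog:
    KINDS = {"action", "conversation", "system_event"}

    def __init__(self, incident_id: str) -> None:
        self.incident_id = incident_id
        self.entries: List[Entry] = []
        self.seals: List[DailySeal] = []
        self._sealed_through = 0  # index of the first entry not yet sealed

    def record(self, kind: str, summary: str, when: Optional[datetime] = None,
               persons=(), source: Optional[str] = None) -> Entry:
        """Append an entry; the time is noted automatically if not supplied."""
        if kind not in self.KINDS:
            raise ValueError(f"unknown entry kind: {kind}")
        if kind == "conversation" and not persons:
            raise ValueError("a conversation entry must name the person(s) involved")
        when = when or datetime.now()
        entry = Entry(time=when.isoformat(timespec="minutes"), kind=kind,
                      summary=summary, persons=list(persons), source=source)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entries: List[Entry], prev_digest: str) -> str:
        # Canonical JSON so the digest depends only on content, not on
        # dictionary ordering or whitespace.
        payload = json.dumps([asdict(e) for e in entries], sort_keys=True)
        return hashlib.sha256((prev_digest + payload).encode()).hexdigest()

    def seal_day(self, day: str, signed_by: str) -> DailySeal:
        """End-of-day step: fix all unsealed entries under the signer's name."""
        todays = self.entries[self._sealed_through:]
        if not todays:
            raise ValueError("nothing to seal")
        prev = self.seals[-1].digest if self.seals else ""
        seal = DailySeal(day=day, entry_count=len(todays), prev_digest=prev,
                         digest=self._digest(todays, prev), signed_by=signed_by)
        self.seals.append(seal)
        self._sealed_through = len(self.entries)
        return seal

    def verify(self) -> bool:
        """Recompute every seal from the stored entries. An edited, inserted or
        removed entry inside a sealed day changes that day's digest, and every
        later seal then fails its prev_digest check as well."""
        pos, prev = 0, ""
        for seal in self.seals:
            chunk = self.entries[pos:pos + seal.entry_count]
            if seal.prev_digest != prev or self._digest(chunk, prev) != seal.digest:
                return False
            pos += seal.entry_count
            prev = seal.digest
        return True


def build_example_log() -> IncidentLog:
    """Constructed sample: one day of a hypothetical incident, sealed and
    receipted. Every name, host and event here is made up for illustration."""
    log = IncidentLog("INC-EXAMPLE-001")
    log.record("action", "Hotline report of unexpected logins on host alpha",
               datetime(1991, 11, 5, 8, 40))
    log.record("conversation", "Confirmed the logins with the system's administrator; "
               "account disabled pending review", datetime(1991, 11, 5, 9, 15),
               persons=["J. Doe (alpha sysadmin)"])
    log.record("system_event", "Three failed su attempts followed by one success",
               datetime(1991, 11, 5, 2, 12), source="alpha:/var/adm/sulog")
    seal = log.seal_day("1991-11-05", signed_by="A. Staff (on-call)")
    seal.custodian_receipt = "RCPT-0001"  # constructed custodian receipt number
    return log
```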
4.5 Working With the News Media

Certain types of incidents may generate inquiries from the press or broadcast media, or it may be advisable in certain circumstances to issue information to the media. There are many issues to consider when working with the press, thus an agency's public affairs office (or equivalent) should always be contacted first before any dealings with the press. The public affairs office can act as a single point of contact for the press, which shields the CSIRC staff and leaves them more time to handle the incident. Talk candidly with the public affairs office and ensure that they understand the technical issues, so that they may communicate more effectively and accurately with the press. False or misleading information may ultimately cause more damage to the agency's image than the incident itself [BRAND89]. Some suggestions when working with the press regarding an incident are:
• contact the legal advisor if unsure of legal issues;
• establish a single point of contact to the press so that media inquiries are coordinated and the CSIRC is able to concentrate on resolving the incident;
• keep the level of technical detail low - do not provide attackers with information;
• be as accurate as possible, but do not speculate; and
• ensure that details about the incident that may be used as evidence are first checked with investigative agencies.
4.6 Post-Incident Analysis

After an incident has been resolved, a post-mortem should be conducted so that the CSIRC can learn from the experience and, if necessary, update its procedures. The following sorts of incident information should be examined:
• how the incident started: which vulnerabilities were exploited, how access was gained, and other relevant details;
• how the CSIRC became aware of the incident;
• how the incident was resolved;
• whether existing procedures were adequate or require updating;
• whether vulnerabilities still need to be closed; and
• whether new contacts were made.

As a result of a post-incident analysis, a CSIRC may need to issue alerts or warnings to its constituency about certain actions to take to reduce vulnerabilities that were exploited during the incident. The CSIRC may also need to update its Operations Handbook to reflect new procedures. The CSIRC could use a post-incident analysis to ascertain its impact on the agency as a result of handling and resolving the incident. Although this may be difficult to quantify, some measure of its performance and beneficial effect may be useful in determining the future scope and direction of the CSIRC.
4.7 Measuring the Effectiveness of a CSIRC

How does an agency determine whether the investment in a CSIRC has actually paid off in terms of increasing security? The answer might not be entirely quantifiable in terms of dollars saved and incidents handled. It may not be possible to satisfactorily quantify the benefits a CSIRC provides within its first year of operation. It could turn out that the initial estimate of the security problems to be handled by the CSIRC has fallen far short of the real problem, making it appear as if the CSIRC is not making rapid progress. A CSIRC will have to recognize the difficulty in measuring the success of its activities and, in part, justify those activities to the organization.

One of the ways in which a CSIRC could rate its success is by collecting and analyzing statistics on its activity. For example, a CSIRC could keep statistics on the following items:
• incidents responded to
• vulnerabilities reported
• vulnerabilities fixed
• incidents reported
• tools implemented
• e-mail messages received/sent

By examining these statistics and others, the CSIRC and other management can measure the success of the operation. Statistics such as these will be very helpful in measuring and comparing CSIRC performance in subsequent years.

4.8 Additional Assistance

There are more issues, steps, and concerns involved in establishing a CSIRC than are listed here. Agencies should draw on the experiences of others that have already developed CSIRC efforts as well as examine the references listed in this guide for more information. It is important that these agencies document the lessons learned in this process, so that other agencies and groups can gain from their experiences. Of particular use are [FEDELI91], [SCHULTZ90], and [RFC1244].
5. References

[BRAND89] Brand, Russell L., Coping With the Threat of Computer Security Incidents: A Primer from Prevention through Recovery, July, 1989.

[DDN89] DCA DDN Defense Communications System, "DDN Security Bulletin 01," DDN Security Coordination Center, October, 1989.

[FEDELI91] Fedeli, Alan, "Organizing a Corporate Anti-Virus Effort," Proceedings of the Third Annual Computer VIRUS Clinic, Nationwide Computer Corp., March, 1990.

[GAO89] Computer Security - Virus Highlights Need for Improved Internet Management, United States General Accounting Office, Washington, DC, 1989.

[HANSEN90] Hansen, Steve, "Legal Issues: A Site Manager's Nightmare," Proceedings of the Second Invitational Workshop on Computer Security Incident Response, June, 1990.

[HOLBROOK91] Holbrook, P., and Reynolds, J., Security Policy Handbook, RFC 1244 prepared for the Internet Engineering Task Force, 1991.

[NIST90] CERT System Operational Framework, National Institute of Standards and Technology, 1990.

[PETHIA90] Pethia, Rich, and van Wyk, Kenneth, Computer Emergency Response - An International Problem, 1990.

[QUARTERM90] Quarterman, John, The Matrix - Computer Networks and Conferencing Systems Worldwide, Digital Press, 1990.

[RISK91] National Research Council, Computers at Risk, National Academy Press, 1991.

[SCHERLIS88] Scherlis, William, "DARPA Establishes Computer Emergency Response Team," DARPA Press Release, December 6, 1988.

[SCHERLIS89] Scherlis, William, Squires, Steven, and Pethia, Rich, Computer Emergency Response, 1989.

[SCHULTZ89] Schultz, E. Eugene, "The Computer Incident Advisory Capability (CIAC)," Center for Computer Security News, Vol. 8, 1989.

[SCHULTZ90] Schultz, E. Eugene, Brown, David, and Longstaff, Thomas, Responding to Computer Security Incidents: Guidelines for Incident Handling, University of California Technical Report UCRL-104689, 1990.

[STEINBERG89] Steinberg, Tad, "Developing a Computer Security Charter," Security, Audit, and Control Review, Vol. 6 No. 4, ACM SIGSAC, Winter 1989.

[STEWART89] Stewart, Geoffrey, and Sylvester, David, Potential Liabilities of Computer Security Response Centers Arising from Notification to Publishers and Users of Security Deficiencies in Software, December, 1989.

[WCSIR91] Proceedings of the Third Invitational Workshop on Computer Security Incident Response, August, 1991.
AppendixA.AnnotatedBibliography
Thissectionconsistsofanannotatedlistofselectedworksdealingwithincidenthandling.Wherenoted,someworksareavailablefromNISTinelectronicformforuserswithamodemandcommunicationssoftwareorforInternetusers;refertotheendofthissectionfordetails.SomereferencesarefromRFC1244,SecurityPolicyHandbook;see[HOLBROOK91].
[BRAND89]Brand,Russell,CopingWiththeThreatofComputerSecurityIncidents:APrimerfromPreventionthroughRecovery,July,1989.
Containsawiderangeofguidanceregardingincidenthandling,butorientedmostlytowardstechnicalissues.HasadviceinparticularforUNIXandVAX/VMSmanagers.Thisguideisrecommendedforanyoneinvolvedinincidenthandling.Indraftform,availableviatheInternetfromcert.sei.cmu.edu.Cheswick,B.,\"TheDesignofaSecureInternetGateway,\"ProceedingsoftheSummerUsenixConference,Anaheim,CA,June,1990.
Briefabstract(slightparaphrasefromtheoriginalabstract):AT&Tmaintainsalargeinter-nalInternetthatneedstobeprotectedfromoutsideattacks,whileprovidingusefulservicesbetweenthetwo.ThispaperdescribesAT&T’sInternetgateway.ThisgatewaypassesmailandmanyofthecommonInternetservicesbetweenAT&TinternalmachinesandtheInternet.ThisisaccomplishedwithoutIPconnectivityusingapairofmachines:atrustedinternalmachineandanuntrustedexternalgateway.Thisconfigurationhelpsprotecttheinternalinterneteveniftheexternalmachineisfullycompromised.AvailableviatheInter-netfromresearch.att.com.Courtney,Robert,Jr.,\"ProperAssignmentofResponsibilityforDataSecurity,\"ComputersandSecurity,Volume7#1,February,1988.
Briefabstract:\"Ananalysisofthedatasecurityresponsibilitieswithinanorganizationispresented.ItisproposedthatDPmanagementshouldnothavetotalresponsibility,butthatthisshouldbesharedbystaffinthefunctionalareastoensurecost-effectivenessandviabil-ity.\"TheauthorrecommendscreationofaComputerSecurityCompetenceCenterthathassomeparallelstoaCSIRC,especiallyinadministrationofsecurityanduserawareness.Curry,David,ImprovingtheSecurityofYourUNIXSystem,SRIInternationalReportITSTD-721-FR-90-21,April1990.
ApracticalguidetoimprovingUNIXsystemsecuritythatlaysoutanumberofvulnerabili-tiesandmethodsforimprovingmonitoringanddetectingthreats.Containsanumberofgoodreferencestoothersourcesofinformation.Availableon-linefromNIST.
33
ESTABLISHINGACSIRC
Denning, Peter, Computers Under Attack: Intruders, Worms, and Viruses, ACM Press, 1990.

A collection of 40 pieces divided into six sections: the emergence of worldwide computer networks, electronic break-ins, worms, viruses, counterculture (articles examining the world of the "hacker"), and finally a section discussing social, legal, and ethical considerations.

[FEDELI91] Fedeli, Alan, "Organizing a Corporate Anti-Virus Effort," Proceedings of the Third Annual Computer VIRUS Clinic, Nationwide Computer Corp., March, 1990.

Discusses IBM's approach in organizing their computer virus incident handling procedures. Contains mostly management issues involved in establishing the incident handling center, locating it within existing organizational structures, and initial steps in operating the center. This document contains much useful guidance and is highly recommended. Available on-line from NIST.

Fites, M., Kratz, P., and Brebner, A., Control and Security of Computer Information Systems, Computer Science Press, 1989.

This book serves as a good guide to the issues encountered in forming computer security policies and procedures. The book is particularly notable for its straightforward approach to security, emphasizing that common sense is the first consideration in designing a security program. The authors note that there is a tendency to look to more technical solutions to security problems while overlooking organizational controls, which are often less expensive and more effective.

[GAO89] U.S. General Accounting Office, Computer Security - Virus Highlights Need for Improved Internet Management, United States General Accounting Office, Washington, DC, 1989.

This paper, a General Accounting Office report, contains much useful information regarding the Internet, the Internet worm, common vulnerabilities, and computer viruses. It contains a number of recommendations for improving system management and communications between vendors and system managers as regards bug reports and fixes. Some legal issues regarding prosecution are discussed. Available on-line from NIST.

Garfinkel, Simson, and Spafford, Eugene, Practical UNIX Security, O'Reilly & Associates, Inc., 1991.

A comprehensive guide to UNIX security; an important source for UNIX sites that are attached to UUCP networks or the Internet. The book contains some guidance regarding incident handling: detecting signs of unauthorized activity and subsequent steps to take.
Hafner, Katie, and Markoff, John, Cyberpunk - Outlaws and Hackers on the Computer Frontier, Simon and Schuster, 1991.

Entertaining and useful reading for insights into computer hacking. The book contains case studies of Kevin Mitnick, a noted telephone hacker; Pengo, a West German who offered his hacking services to the Soviet Government; and Robert Morris Jr., a student who wrote the "Internet Worm" program. The book alerts readers as to the extent to which society is dependent on computers and how fragile the computer safeguards are.

[HANSEN90] Hansen, Steve, "Legal Issues: A Site Manager's Nightmare," Proceedings of the Second Invitational Workshop on Computer Security Incident Response, June, 1990.

This paper details some of the legal issues involved in incident handling, especially in logging electronic information. The paper focuses on the federal Electronic Communications Privacy Act of 1986 and some of the ambiguities and ethics involved in interpreting the law and monitoring user activity. Available on-line from NIST.

Hoffman, Lance, Rogue Programs: Viruses, Worms, and Trojan Horses, Van Nostrand Reinhold, 1990.

A collection of papers and excerpts from publications regarding computer viruses and related threats. Recommended for its thoroughness and broad scope.

[HOLBROOK91] Holbrook, Paul, and Reynolds, Joyce, Site Security Handbook, RFC 1244 prepared for the Internet Engineering Task Force, 1991.

A highly useful paper, prepared as an Internet Request For Comments (RFC). Although this paper is oriented towards sites connected to the Internet, much of the information is equally applicable to other system and network environments. It contains useful information regarding basic security procedures, incident response, and legal issues. A detailed bibliography is included. This paper is highly recommended for its discussion of management and technical issues involved in incident response. Available on-line from NIST.

National Institute of Standards and Technology, Bibliography of Selected Computer Security Publications January 1980 - October 1989, NIST Special Publication 800-1, December, 1990.

This bibliography cites selected books and articles on computer security published from January 1980 through October 1989. To have been selected, an article had to be substantial in content and have been published in professional or technical journals, magazines, or conference proceedings. English-language articles from foreign journals were included as available. A category of pre-1980 publications is also provided, as well as an appendix containing the addresses of all journals and magazines referenced. For sale by the U.S. Government Printing Office, Washington, DC 20402, (202) 783-3238, reference #003-003-03060-1. Available on-line from NIST.
[PETHIA90] Pethia, Rich, and van Wyk, Kenneth, Computer Emergency Response - An International Problem, 1990.

This paper describes how computer security incidents have begun to become international in scope due to networks. The paper recommends international cooperation in dealing with incidents and suggests methods by which individual computer security response groups can work together internationally to cope with computer security incidents. Available via the Internet from cert.sei.cmu.edu.

Pfleeger, Charles, Security in Computing, Prentice-Hall, Englewood Cliffs, NJ, 1989.

A general textbook in computer security, this book provides an excellent and very readable introduction to classic computer security problems and solutions, with a particular emphasis on encryption. The encryption coverage serves as a good introduction to the subject. Other topics covered include building secure programs and systems, database security, personal computer security, network and communications security, physical security, risk analysis and security planning, and legal and ethical issues.

[QUARTERM90] Quarterman, John, The Matrix - Computer Networks and Conferencing Systems Worldwide, Digital Press, 1990.

A comprehensive guide to the world's computer networks and their protocols. A useful source of information for sites connected to networks.

[RISK91] National Research Council, Computers at Risk, National Academy Press, 1991.

This document presents a comprehensive agenda for developing nationwide policies and practices for computer security. It contains a number of recommendations that address roles of agencies, expansion of current efforts, and cooperation between industry and government.

Russell, Deborah, and Gangemi, G.T. Sr., Computer Security Basics, O'Reilly & Associates, Inc., July, 1991.

Provides an introduction to computer security concepts: passwords, access controls, network security, biometrics, TEMPEST, and more. Describes government and industry standards for security, including the "Orange Book." Contains a number of useful references.
[SCHULTZ90] Schultz, E. Eugene, Brown, David, and Longstaff, Thomas, Responding to Computer Security Incidents: Guidelines for Incident Handling, University of California Technical Report UCRL-104689, 1990.

Contains general guidance on incident handling and specific procedures for viruses and other related threats. A useful document for organizing incident response procedures. Available from NTIS, 5285 Port Royal Rd., Springfield, VA 22161, (703) 487-4650.

Spafford, Eugene, "The Internet Worm Program: An Analysis," Computer Communication Review, Vol. 19, No. 1, ACM SIGCOMM, January 1989.

A thorough analysis of the Internet Worm, including information on the vulnerabilities it exploited, how it spread, and analysis of its software routines. A good source of information about how network worms operate. Available on-line from NIST.

Spafford, E., Heaphy, K., and Ferbrache, D., Computer Viruses: Dealing with Electronic Vandalism and Programmed Threats, ADAPSO, 1989.

This is a good general reference on computer viruses and related concerns. In addition to describing viruses in some detail, it also covers more general security issues and legal recourse in case of security problems, and includes lists of laws, journals focused on computer security, and other security-related resources. Available from ADAPSO, 1300 N. 17th St., Suite 300, Arlington, VA 22209, (703) 522-5055.

[STEINBERG89] Steinberg, Tad, "Developing a Computer Security Charter," Security, Audit, and Control Review, Vol. 6 No. 4, ACM SIGSAC, Winter 1989.

An informative article on developing a computer security charter. Contains useful examples of a charter's contents.

[STEWART89] Stewart, Geoffrey, and Sylvester, David, Potential Liabilities of Computer Security Response Centers Arising from Notification to Publishers and Users of Security Deficiencies in Software, December, 1989.

A highly useful paper that concentrates on legal liabilities that a computer security response center might face. It contains some legal advice, although it does not purport to contain authoritative answers to legal questions. Certain incurred liabilities are described along with methods and steps to take for reducing legal exposure. This paper also contains advice for dealing with vendors as regards reporting of software defects and vulnerabilities. Available on-line from NIST.

Stoll, Cliff, The Cuckoo's Egg, Doubleday, New York, 1989.

This book describes the author's discovery and subsequent tracking of a series of break-ins to computer sites connected to military and research networks. The book is entertaining and easy to read, as it explains many technical issues in laymen's terms. The book is especially useful to managers of systems connected to networks.
[WCSIR91] Proceedings of the Third Invitational Workshop on Computer Security Incident Response, August, 1991.

The proceedings to these conferences are very useful for those interested in establishing incident response capabilities. Information on these proceedings can be obtained from CERT/CC, SEI, Carnegie Mellon U., Pittsburgh, PA 15213-3890.

Obtaining Electronic Information from NIST

Works from this section noted as being available on-line from NIST, as well as this document and other general information, can be obtained via the NIST Computer Security Resource Center BBS or via the Internet using ftp:

BBS: (301) 948-5717 (2400 or less), (301) 948-5140 (9600)

ftp: ftp csrc.ncsl.nist.gov (129.6.54.11); login as user anonymous, password your name; works are located in directory pub
Appendix B. Forum of Incident Response & Security Teams (FIRST)

The Forum of Incident Response and Security Teams (FIRST) is an organization whose members work together voluntarily to deal with computer security problems and their prevention. The forum is composed of a Secretariat, Steering Committee, Representatives from each participating team, and ad hoc working groups. The forum meets regularly and conducts periodic workshops on incident handling.

There are two types of participation in the forum. Forum Members represent organizations who assist an information technology community or other defined constituency in preventing and handling computer security-related incidents, i.e., incident response teams. Liaisons are individuals or representatives of organizations other than emergency response teams that have a legitimate interest in and value to the forum.

Information on a prospective participant is circulated among existing Forum Members for possible nomination interest. Information provided by the nominee is reviewed by the Steering Committee, which votes on acceptance of the nominee. Written notification of acceptance is sent by the Secretariat.

Membership information and operational procedures are available on-line from the NIST Computer Security Resource Center BBS or via the Internet using ftp; refer to Appendix A for details. More information about FIRST can be obtained by contacting any participating member or the National Institute of Standards and Technology at the following address:
National Institute of Standards and Technology
Computer Security and Management Group
A-216, Technology
Gaithersburg, MD 20899
Telephone: (301) 975-3359
Facsimile: (301) 590-0932
Internet e-mail: csrc@csrc.ncsl.nist.gov