Dealing with network security incidents, by Gorazd Božic
Slide 1: Dealing with network security incidents
  Fundamentals of network security / Part II
  Gorazd Božic, ARNES, Academic and Research Network of Slovenia
  CEENet Workshop, August 1999, Budapest, Hungary

Slide 2: Outline of the lecture
  1. measures/actions by the local administrator
  2. what is an Incident Response Team (IRT)
  3. who needs an IRT and how to form one

Slide 3: Questions raised after the incident
  - what measures to take after the incident?
  - who do we report to?
  - were others also affected, and how do we notify them?
  - do we want law enforcement involved, and if so, who do we contact?

Slide 4: Measures to take
  - collect the evidence; if necessary, do a full backup of compromised hosts
  - decide on follow-up actions
  - block further attempts from intruders and sanitise compromised hosts
  - monitor the intruder's activities; preferably set up a restricted fake environment
  - report the incident
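The first measure on slide 4, collecting evidence before the host is sanitised, is usually done by hashing every preserved artefact so that later analysis can show nothing was altered. The script below is an added example, not part of the original slides; the function names and the two constructed sample files are assumptions for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# "Collect the evidence" (slide 4): hash every artefact preserved from a
# compromised host and record who collected it and when (chain of custody).
def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks, so large disk images do not have to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(paths, collector):
    """Record hash, size, collection time and collector for each artefact."""
    entries = []
    for path in paths:
        entries.append({
            "path": os.path.abspath(path),
            "sha256": sha256_of_file(path),
            "size": os.stat(path).st_size,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collector": collector,
        })
    return {"entries": entries}

def verify_manifest(manifest):
    """Return the paths whose current hash no longer matches the manifest."""
    changed = []
    for entry in manifest["entries"]:
        path = entry["path"]
        if not os.path.exists(path) or sha256_of_file(path) != entry["sha256"]:
            changed.append(path)
    return changed

def demo():
    """Constructed sample: two artefacts, one modified after collection."""
    workdir = tempfile.mkdtemp()
    auth_log = os.path.join(workdir, "auth.log")
    history = os.path.join(workdir, "shell_history")
    with open(auth_log, "w") as f:
        f.write("sample: failed login for root from 203.0.113.5\n")
    with open(history, "w") as f:
        f.write("sample: ls -la /tmp\n")
    manifest = build_manifest([auth_log, history], collector="on-call admin")
    intact = verify_manifest(manifest) == []        # nothing changed yet
    with open(history, "a") as f:
        f.write("sample: line appended after collection\n")  # simulated tampering
    return intact and verify_manifest(manifest) == [os.path.abspath(history)]
```

Store the manifest on a separate, write-protected medium; a manifest kept on the compromised host proves nothing.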
Slide 5: What is an Incident Response Team (IRT)
  - a well-known contact point
  - a source of knowledge for security issues
  - incident coordinator
  - relay service for incident reports
  - service also known as CERT - Computer Emergency Response Team

Slide 6: Historical view
  - 1998: Internet Worm leads to formation of the Computer Emergency Response Team (now CERT/CC)
  - 1990's: emergence of other CERTs; AUSCERT and European national CERTs
  - 1990: FIRST - Forum of Incident Response and Security Teams
  - 1997: start of the EuroCERT project

Slide 7: Roles of an IRT
  - assist in incident resolution
  - coordinate between victim and source sites
  - distribute information on known vulnerabilities

Slide 8: Do you need an IRT?
  - national ISP: yes! (local issues, helping the constituency directly, the same time zone)
  - large organisation: maybe
  - small network: probably not

Slide 9: Existing IRTs and associations
  - CERT Coordination Center
  - CIAC, Computer Incident Advisory Capability
  - ASSIST (US Department of Defense)
  - AUSCERT, Australian CERT
  - FIRST, Forum of Incident Response and Security Teams
  - national European CERTs
  - EuroCERT
Slide 16: Establishing an IRT
  - define what you will and will not do
  - who will you do it for (what is your constituency)
  - seek contacts with other IRTs and law enforcement agencies

Slide 17: Defining goals
  - raising the level of security
  - quick resolution of incidents
  - forming a bigger picture
  - assisting victim sites/networks with expertise

Slide 18: Defining what you will (not) do
  - dealing with intrusions
  - relaying reports
  - giving advice on security issues
  - on-site assistance
  - determining active measures
  - investigating abuse

Slide 19: Availability
  - working hours
  - additional ad-hoc coverage during non-working hours
  - paging service
  - around-the-clock availability
  - on-site inspections

Slide 20: Scope of work
  - what platforms will you cover
  - types of incidents
  - research on vulnerabilities
  - standalone projects (hardware and software evaluations, testing hosts and networks, securing specific sites, …)

Slide 21: Defining constituency
  - by parent ISP organisation
  - by geographical/national criteria
  - by organisational criteria
  - the question of constituency is tied to the community that will fund the IRT

Slide 22: Help others, too
  - security issues are in the best interest of everybody
  - if the victim site is part of another IRT's constituency, direct them to their own IRT
  - otherwise, provide at least minimal help

Slide 23: Promote your activities
  - inform your constituency
  - let yourself be known to other IRTs
  - be visible in public
  - establish trust

Slide 24: Communicating with your constituency
  - guarantee non-disclosure of information
  - give feedback on incident resolution progress
  - don't interfere with sites' security policies, but offer advice

Slide 25: Communicating with other IRTs
  - present yourself on the Web
  - submit your information to EuroCERT
  - use encryption when needed (PGP)
  - get your team's PGP key signed by other IRTs (key signing parties at conferences)

Slide 26: Communicating with law enforcement
  - law enforcement will probably be unprepared for dealing with computer crime
  - find the proper department that will understand the basic issues
  - request advice about local law
  - assist them willingly, but don't let them abuse your availability

Slide 27: Be patient
  - don't be discouraged when reports don't start appearing immediately
  - readily accept criticism
  - admit your mistakes and update your procedures accordingly
  - take time to update your technical knowledge

Slide 28: Be careful
  - are you sure you're not talking to the intruder?
  - are reports real, or are they a hoax?
  - what information will you disclose, and to whom?
  - are your archives safe?

Slide 29: Conclusion
  - an incident response service is an essential higher-level service for national (and other large) networks
  - incident coordination helps determine the scale of specific attacks
  - an IRT's operation differs from that of law enforcement agencies: it is Internet specific
