draft-ietf-grip-framework-irt-05.txt   draft-ietf-grip-framework-irt-06.txt 
Internet Engineering Task Force Nevil Brownlee Internet Engineering Task Force Nevil Brownlee
INTERNET-DRAFT The University of Auckland INTERNET-DRAFT The University of Auckland
Valid for six months Erik Guttman Valid for six months Erik Guttman
Sun Microsystems Sun Microsystems
Expectations for Security Incident Response Expectations for Security Incident Response
<draft-ietf-grip-framework-irt-05.txt> <draft-ietf-grip-framework-irt-06.txt>
Status of this Memo Status of this Memo
This document is an Internet Draft. Internet Drafts are working This document is an Internet Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas, documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts. This Internet Draft is a working documents as Internet Drafts. This Internet Draft is a
product of the GRIP Working Group of the IETF. product of the GRIP Working Group of the IETF.
Internet Drafts are draft documents valid for a maximum of six Internet Drafts are draft documents valid for a maximum of six
skipping to change at page 1, line 47 skipping to change at page 1, line 47
and describe the general set of topics and issues which are of and describe the general set of topics and issues which are of
concern and interest to constituent communities. concern and interest to constituent communities.
SIRT constituents have a legitimate need and right to fully SIRT constituents have a legitimate need and right to fully
understand the policies and procedures of "their" Security Incident understand the policies and procedures of "their" Security Incident
Response Team. One way to support this understanding is to supply Response Team. One way to support this understanding is to supply
detailed information which users may consider, in the form of a detailed information which users may consider, in the form of a
formal template completed by the SIRT. An outline of such a formal template completed by the SIRT. An outline of such a
template and a filled in example are provided. template and a filled in example are provided.
Expectations for Security Incident Response 28 April 97 Expectations for Security Incident Response 20 July 97
Table of Contents Table of Contents
1 Introduction 1 1 Introduction 1
2 Scope.............................................................3 2 Scope.............................................................3
2.1 Publishing SIRT Policies and Procedures ......................3 2.1 Publishing SIRT Policies and Procedures ......................3
2.2 Relationships between different SIRTs ........................4 2.2 Relationships between different SIRTs ........................5
2.3 Establishing Secure Communications ...........................5 2.3 Establishing Secure Communications ...........................5
3 Information, Policies and Procedures..............................6 3 Information, Policies and Procedures..............................7
3.1 Obtaining the Document........................................7 3.1 Obtaining the Document........................................8
3.2 Contact Information ..........................................8 3.2 Contact Information ..........................................9
3.3 Charter ......................................................9 3.3 Charter .....................................................10
3.3.1 Mission Statement.......................................9 3.3.1 Mission Statement......................................10
3.3.2 Constituency............................................9 3.3.2 Constituency...........................................10
3.3.3 Sponsoring Organization / Affiliation...................9 3.3.3 Sponsoring Organization / Affiliation..................11
3.3.4 Authority...............................................9 3.3.4 Authority..............................................11
3.4 Policies ....................................................10 3.4 Policies ....................................................11
3.4.1 Types of Incidents and Level of Support................10 3.4.1 Types of Incidents and Level of Support................11
3.4.2 Co-operation, Interaction and Disclosure of 3.4.2 Co-operation, Interaction and Disclosure of
Information............................................11 Information............................................12
3.4.3 Communication and Authentication.......................13 3.4.3 Communication and Authentication.......................14
3.5 Services ....................................................14 3.5 Services ....................................................14
3.6 Incident Reporting Forms ....................................14 3.5.1 Incident Response .....................................15
3.7 Disclaimers .................................................15 3.5.1.1 Incident Triate ...............................15
3.5.1.2 Incident Coordination .........................15
3.5.1.3 Incident Cure .................................15
3.5.2 Proactive Activities ..................................16
3.6 Incident Reporting Forms ....................................16
3.7 Disclaimers .................................................17
Appendix A: Glossary of Terms 15 Appendix A: Glossary of Terms 17
Appendix B: Related Material 17 Appendix B: Related Material 19
Appendix C: Known Security Incident Response Teams 18 Appendix C: Known Security Incident Response Teams 20
Appendix D: Outline for SIRT Template 19 Appendix D: Outline for SIRT Template 21
Appendix E: Example - 'filled-in' Template for a SIRT 20 Appendix E: Example - 'filled-in' Template for a SIRT 22
4 Acknowlegments 31 4 Acknowlegments 34
5 References 32 5 References 34
6 Security Considerations 32 6 Security Considerations 34
7 Authors' Addresses 32 7 Authors' Addresses 35
Expectations for Security Incident Response 15 April 97
1 Introduction 1 Introduction
The GRIP Working Group was formed to create a document that describes The GRIP Working Group was formed to create a document that describes
the community's expectations of security incident response teams the community's expectations of security incident response teams
(SIRTs). Although the need for such a document originated in the (SIRTs). Although the need for such a document originated in the
general Internet community, the expectations expressed should also general Internet community, the expectations expressed should also
closely match those of more restricted communities. closely match those of more restricted communities.
Expectations for Security Incident Response 15 April 97
In the past there have been misunderstandings regarding what to In the past there have been misunderstandings regarding what to
expect from SIRTs. The goal of this document is to provide a expect from SIRTs. The goal of this document is to provide a
framework for presenting the important subjects (related to incident framework for presenting the important subjects (related to incident
response) that are of concern to the community. response) that are of concern to the community.
Before continuing, it is important to clearly understand what is Before continuing, it is important to clearly understand what is
meant by the term "Security Incident Response Team." For the meant by the term "Security Incident Response Team." For the
purposes of this document, a SIRT is a team that performs, purposes of this document, a SIRT is a team that performs,
coordinates, and supports the response to security incidents that coordinates, and supports the response to security incidents that
involve sites within a defined constituency (see Appendix A for a involve sites within a defined constituency (see Appendix A for a
skipping to change at page 2, line 47 skipping to change at page 3, line 4
the effectiveness of the SIRT's services can be greatly diminished. the effectiveness of the SIRT's services can be greatly diminished.
This is particularly the case with reporting. At a minimum, users This is particularly the case with reporting. At a minimum, users
need to know that they should report security incidents, and know how need to know that they should report security incidents, and know how
and to where they should report them. and to where they should report them.
Many computer security incidents originate outside local community Many computer security incidents originate outside local community
boundaries and affect inside sites, others originate inside the local boundaries and affect inside sites, others originate inside the local
community and affect hosts or users on the outside. Often, community and affect hosts or users on the outside. Often,
therefore, the handling of security incidents will involve multiple therefore, the handling of security incidents will involve multiple
sites and potentially multiple SIRTs. Resolving these incidents will sites and potentially multiple SIRTs. Resolving these incidents will
Expectations for Security Incident Response 15 April 97
require cooperation between individual sites and SIRTs, and between require cooperation between individual sites and SIRTs, and between
SIRTs. SIRTs.
Constituent communities need to know exactly how their SIRT will be Constituent communities need to know exactly how their SIRT will be
working with other SIRTs and organizations outside their working with other SIRTs and organizations outside their
constituency, and what information will be shared. constituency, and what information will be shared.
The rest of this document describes the set of topics and issues that The rest of this document describes the set of topics and issues that
SIRTs need to elaborate for their constituents. However, there is no SIRTs need to elaborate for their constituents. However, there is no
attempt to specify the "correct" answer to any one topic area. attempt to specify the "correct" answer to any one topic area.
Rather, each topic is discussed in terms of what that topic means. Rather, each topic is discussed in terms of what that topic means.
For example, five types of policy statements are listed For example, five types of policy statements are listed (representing
those policies of interest to the community), but the content of any
Expectations for Security Incident Response 15 April 97 one of them will necessarily be specific to a given team.
(representing those policies of interest to the community), but the
content of any one of them will necessarily be specific to a given
team.
Chapter two provides an overview of three major areas: the Chapter two provides an overview of three major areas: the
publishing of information by a response team, the definition of the publishing of information by a response team, the definition of the
response team's relationship to other response teams, and the need response team's relationship to other response teams, and the need
for secure communications. Chapter three describes in detail all the for secure communications. Chapter three describes in detail all the
types of information that the community needs to know about their types of information that the community needs to know about their
response team. response team.
For ease of use by the community, these topics are condensed into an For ease of use by the community, these topics are condensed into an
outline template found in Appendix D. This template can be used outline template found in Appendix D. This template can be used
skipping to change at page 3, line 45 skipping to change at page 4, line 5
to know how those communications will be protected. Each of these to know how those communications will be protected. Each of these
subjects will be described in more detail in the following three subjects will be described in more detail in the following three
sections. sections.
2.1 Publishing SIRT Policies and Procedures 2.1 Publishing SIRT Policies and Procedures
Each user who has access to a Security Incident Response Team should Each user who has access to a Security Incident Response Team should
know as much as possible about the services of and interactions with know as much as possible about the services of and interactions with
this team long before he or she actually needs them. this team long before he or she actually needs them.
Expectations for Security Incident Response 15 April 97
A clear statement of the policies and procedures of a SIRT helps the A clear statement of the policies and procedures of a SIRT helps the
constituent understand how best to report incidents and what support constituent understand how best to report incidents and what support
to expect afterwards. Will the SIRT assist in resolving the to expect afterwards. Will the SIRT assist in resolving the
incident? Will it provide help in avoiding incidents in the incident? Will it provide help in avoiding incidents in the
future? Clear expectations, particularly of the limitations of the future? Clear expectations, particularly of the limitations of the
services provided by a SIRT, will make interaction with it more services provided by a SIRT, will make interaction with it more
efficient and effective. efficient and effective.
There are different kinds of response teams: some have very broad There are different kinds of response teams: some have very broad
constituencies (e.g., CERT Coordination Center and the Internet), constituencies (e.g., CERT Coordination Center and the Internet),
others have more bounded constituencies (e.g., DFN-CERT, CIAC), others have more bounded constituencies (e.g., DFN-CERT, CIAC),
and still others have very restricted constituencies (e.g., and still others have very restricted constituencies (e.g.,
Expectations for Security Incident Response 15 April 97
commercial response teams, corporate response teams). Regardless commercial response teams, corporate response teams). Regardless
of the type of response team, the constituency supported by it of the type of response team, the constituency supported by it
must be knowledgeable about the team's policies and procedures. must be knowledgeable about the team's policies and procedures.
Therefore, it is mandatory that response teams publish such Therefore, it is mandatory that response teams publish such
information to their constituency. information to their constituency.
A SIRT should communicate all necessary information about its A SIRT should communicate all necessary information about its
policies and services in a form suitable to the needs of its policies and services in a form suitable to the needs of its
constituency. It is important to understand that not all policies constituency. It is important to understand that not all policies
and procedures need be publicly available. For example, it is not and procedures need be publicly available. For example, it is not
skipping to change at page 4, line 46 skipping to change at page 5, line 4
required to approach them. required to approach them.
It would be very useful to have a central repository containing all It would be very useful to have a central repository containing all
the completed SIRT templates. No such repository exists at the time the completed SIRT templates. No such repository exists at the time
of writing, though this might change in the future. of writing, though this might change in the future.
Regardless of the source from which the information is retrieved, Regardless of the source from which the information is retrieved,
the user of the template must check its authenticity. It is highly the user of the template must check its authenticity. It is highly
recommended that such vital documents be protected by digital recommended that such vital documents be protected by digital
signatures. These will allow the user to verify that the template signatures. These will allow the user to verify that the template
Expectations for Security Incident Response 15 April 97
was indeed published by the SIRT and that it has not been tampered was indeed published by the SIRT and that it has not been tampered
with. This document assumes the reader is familiar with the proper with. This document assumes the reader is familiar with the proper
use of digital signatures to determine whether a document is use of digital signatures to determine whether a document is
authentic. authentic.
2.2 Relationships between different SIRTs 2.2 Relationships between different SIRTs
In some cases a SIRT may be able to operate effectively on its own In some cases a SIRT may be able to operate effectively on its own
and in close cooperation with its constituency. But with today's and in close cooperation with its constituency. But with today's
international networks it is much more likely that most of the international networks it is much more likely that most of the
incidents handled by a SIRT will involve parties external to its incidents handled by a SIRT will involve parties external to its
constituency. Therefore the team will need to interact with other constituency. Therefore the team will need to interact with other
Expectations for Security Incident Response 15 April 97
SIRTs and sites outside its constituency. SIRTs and sites outside its constituency.
The constituent community should understand the nature and extent of The constituent community should understand the nature and extent of
this collaboration, as very sensitive information about individual this collaboration, as very sensitive information about individual
constituents may be disclosed in the process. constituents may be disclosed in the process.
Inter-SIRT interactions could include asking other teams for advice, Inter-SIRT interactions could include asking other teams for advice,
disseminating knowledge of problems, and working cooperatively to disseminating knowledge of problems, and working cooperatively to
resolve a security incident affecting one or more of the SIRTs' resolve a security incident affecting one or more of the SIRTs'
constituencies. constituencies.
skipping to change at page 5, line 44 skipping to change at page 6, line 4
parties to understand the objectives and services of a specific parties to understand the objectives and services of a specific
SIRT, supporting a first contact. SIRT, supporting a first contact.
2.3 Establishing Secure Communications 2.3 Establishing Secure Communications
Once one party has decided to share information with another party, Once one party has decided to share information with another party,
or two parties have agreed to share information or work together - as or two parties have agreed to share information or work together - as
required for the coordination of security incident response - all required for the coordination of security incident response - all
parties involved need secure communications channels. (In this parties involved need secure communications channels. (In this
context, "secure" refers to the protected transmission of information context, "secure" refers to the protected transmission of information
Expectations for Security Incident Response 15 April 97
shared between different parties, and not to the appropriate use of shared between different parties, and not to the appropriate use of
the information by the parties.) the information by the parties.)
The goals of secure communication are: The goals of secure communication are:
- Confidentiality: - Confidentiality:
Can somebody else access the content of the communication? Can somebody else access the content of the communication?
- Integrity: - Integrity:
Can somebody else manipulate the content of the communication? Can somebody else manipulate the content of the communication?
- Authenticity: - Authenticity:
Am I communicating with the "right" person? Am I communicating with the "right" person?
Expectations for Security Incident Response 15 April 97
It is very easy to send forged e-mail, and not hard to establish a It is very easy to send forged e-mail, and not hard to establish a
(false) identity by telephone. Cryptographic techniques, for (false) identity by telephone. Cryptographic techniques, for
example Pretty Good Privacy (PGP) or Privacy Enhanced Mail (PEM) example Pretty Good Privacy (PGP) or Privacy Enhanced Mail (PEM)
can provide effective ways of securing e-mail. With the correct can provide effective ways of securing e-mail. With the correct
equipment it is also possible to secure telephone communication. equipment it is also possible to secure telephone communication.
But before using such mechanisms, both parties need the "right" But before using such mechanisms, both parties need the "right"
infrastructure, which is to say preparation in advance. The infrastructure, which is to say preparation in advance. The
most important preparation is ensuring the authenticity of the most important preparation is ensuring the authenticity of the
cryptographic keys used in secure communication: cryptographic keys used in secure communication:
skipping to change at page 6, line 42 skipping to change at page 7, line 5
authenticity of keys) should be clear from the start. SIRT templates authenticity of keys) should be clear from the start. SIRT templates
provide a standardized vehicle for delivering this information. provide a standardized vehicle for delivering this information.
It is beyond the scope of this document to address the technical It is beyond the scope of this document to address the technical
and administrative problems of secure communications. The point is and administrative problems of secure communications. The point is
that response teams must support and use a method to secure the that response teams must support and use a method to secure the
communications between themselves and their constituents (or other communications between themselves and their constituents (or other
response teams). Whatever the mechanism is, the level of protection response teams). Whatever the mechanism is, the level of protection
it provides must be acceptable to the constituent community. it provides must be acceptable to the constituent community.
Expectations for Security Incident Response 15 April 97
3 Information, Policies and Procedures 3 Information, Policies and Procedures
In chapter 2 it was mentioned that the policies and procedures of a In chapter 2 it was mentioned that the policies and procedures of a
response team need to be published to their constituent community. response team need to be published to their constituent community.
In this chapter we will list all the types of information that the In this chapter we will list all the types of information that the
community needs to receive from its response team. How this community needs to receive from its response team. How this
information is communicated to a community will differ from team to information is communicated to a community will differ from team to
team, as will the specific information content. The intent here is team, as will the specific information content. The intent here is
to clearly describe the various kinds of information that a to clearly describe the various kinds of information that a
constituent community expects from its response team. constituent community expects from its response team.
To make it easier to understand the issues and topics relevant to the To make it easier to understand the issues and topics relevant to the
interaction of constituents with "their" SIRT, we suggest that a SIRT interaction of constituents with "their" SIRT, we suggest that a SIRT
publish all information, policies, and procedures addressing its publish all information, policies, and procedures addressing its
constituency as a document, following the template given in Appendix constituency as a document, following the template given in Appendix
D. The template structure arranges items, making it easy to supply D. The template structure arranges items, making it easy to supply
Expectations for Security Incident Response 15 April 97
specific information; in Appendix E we provide an example of a specific information; in Appendix E we provide an example of a
filled-out template for the fictitious XYZ University. While filled-out template for the fictitious XYZ University. While
no recommendations are made as to what a SIRT should adopt for its no recommendations are made as to what a SIRT should adopt for its
policy or procedures, different possibilities are outlined to give policy or procedures, different possibilities are outlined to give
some examples. The most important thing is that a SIRT have a policy some examples. The most important thing is that a SIRT have a policy
and that that those who interact with the SIRT be able to obtain and and that that those who interact with the SIRT be able to obtain and
understand it. understand it.
As always, not every aspect for every environment and/or team can As always, not every aspect for every environment and/or team can
be covered. This outline should be seen as a suggestion. Each team be covered. This outline should be seen as a suggestion. Each team
should feel free to include whatever they think is necessary to should feel free to include whatever they think is necessary to
support its constituency. support its constituency.
Expectations for Security Incident Response 15 April 97
3.1 Obtaining the Document 3.1 Obtaining the Document
Details of a SIRT change with time, so the completed template must Details of a SIRT change with time, so the completed template must
indicate when it was last changed. Additionally, information should indicate when it was last changed. Additionally, information should
be provided concerning how to find out about future updates. Without be provided concerning how to find out about future updates. Without
this, it is inevitable that misunderstandings and misconceptions will this, it is inevitable that misunderstandings and misconceptions will
arise over time; an outdated document can do more harm than good. arise over time; an outdated document can do more harm than good.
- Date of last update This should be sufficient to allow - Date of last update This should be sufficient to allow
anyone interested to evaluate the anyone interested to evaluate the
skipping to change at page 8, line 5 skipping to change at page 9, line 5
- Location of the document The location where a current version - Location of the document The location where a current version
of the document is accessible of the document is accessible
through a team's online information through a team's online information
services. Constituents can then services. Constituents can then
easily learn more about the team and easily learn more about the team and
check for recent updates. check for recent updates.
This online version should also be This online version should also be
accompanied by a digital signature. accompanied by a digital signature.
Expectations for Security Incident Response 15 April 97 Expectations for Security Incident Response 20 July 97
3.2 Contact Information 3.2 Contact Information
Full details of how to contact the SIRT should be listed here, Full details of how to contact the SIRT should be listed here,
although this might be very different for different teams; for although this might be very different for different teams; for
example, some might choose not to publicize the names of their team example, some might choose not to publicize the names of their team
members. No further clarification is given when the meaning of the members. No further clarification is given when the meaning of the
item can be assumed. item can be assumed.
- Name of the SIRT - Name of the SIRT
skipping to change at page 9, line 5 skipping to change at page 10, line 5
- Additional Contact Info Is there any specific customer - Additional Contact Info Is there any specific customer
contact info? contact info?
More detailed contact information can be provided. This might More detailed contact information can be provided. This might
include different contacts for different services, or might be a include different contacts for different services, or might be a
list of online information services. If specific procedures for list of online information services. If specific procedures for
access to some services exist (for example addresses for mailing access to some services exist (for example addresses for mailing
list requests), these should be explained here. list requests), these should be explained here.
Expectations for Security Incident Response 28 April 97 Expectations for Security Incident Response 20 July 97
3.3 Charter 3.3 Charter
Every SIRT must have a charter which specifies what it is to do, and Every SIRT must have a charter which specifies what it is to do, and
the authority under which it will do it. The charter should include the authority under which it will do it. The charter should include
at least the following items: at least the following items:
- Mission statement - Mission statement
- Constituency - Constituency
- Sponsorship / affiliation - Sponsorship / affiliation
skipping to change at page 9, line 52 skipping to change at page 11, line 5
explain the reasoning behind this decision. For example, for-fee explain the reasoning behind this decision. For example, for-fee
SIRTs will not list their clients but will declare that they provide SIRTs will not list their clients but will declare that they provide
a service to a large group of customers that are kept confidential a service to a large group of customers that are kept confidential
because of the clients' contracts. because of the clients' contracts.
Constituencies might overlap, as when an ISP provides a SIRT which Constituencies might overlap, as when an ISP provides a SIRT which
delivers services to customer sites that also have SIRTs. The delivers services to customer sites that also have SIRTs. The
Authority section of the SIRT's description (see below) should Authority section of the SIRT's description (see below) should
make such relationships clear. make such relationships clear.
Expectations for Security Incident Response 15 April 97
3.3.3 Sponsoring Organization / Affiliation 3.3.3 Sponsoring Organization / Affiliation
The sponsoring organization, which authorizes the actions of the The sponsoring organization, which authorizes the actions of the
SIRT, should be given next. Knowing this will help the users to SIRT, should be given next. Knowing this will help the users to
Expectations for Security Incident Response 28 April 97
understand the background and set-up of the SIRT, and it is vital understand the background and set-up of the SIRT, and it is vital
information for building trust between a constituent and a SIRT. information for building trust between a constituent and a SIRT.
3.3.4 Authority 3.3.4 Authority
This section will vary greatly from one SIRT to another, based on This section will vary greatly from one SIRT to another, based on
the relationship between the team and its constituency. While an the relationship between the team and its constituency. While an
organizational SIRT will be given its authority by the management organizational SIRT will be given its authority by the management
of the organization, a community SIRT will be supported and chosen of the organization, a community SIRT will be supported and chosen
by the community, usually in a advisory role. by the community, usually in a advisory role.
skipping to change at page 10, line 51 skipping to change at page 12, line 5
detailed descriptions, and to address non-incident-related topics. detailed descriptions, and to address non-incident-related topics.
The level of support may change depending on factors such as the The level of support may change depending on factors such as the
team's workload and the completeness of the information available. team's workload and the completeness of the information available.
Such factors should be outlined and their impact should be Such factors should be outlined and their impact should be
explained. As a list of known types of incidents will be incomplete explained. As a list of known types of incidents will be incomplete
with regard to possible or future incidents, a SIRT should also give with regard to possible or future incidents, a SIRT should also give
some background on the "default" support for incident types not some background on the "default" support for incident types not
otherwise mentioned. otherwise mentioned.
Expectations for Security Incident Response 15 April 97
The team should state whether it will act on information it receives The team should state whether it will act on information it receives
about vulnerabilities which create opportunities for future about vulnerabilities which create opportunities for future
incidents. A commitment to act on such information on behalf of its incidents. A commitment to act on such information on behalf of its
constituency is regarded as an optional proactive service policy constituency is regarded as an optional proactive service policy
rather than a core service requirement for a SIRT. rather than a core service requirement for a SIRT.
Expectations for Security Incident Response 15 April 97
3.4.2 Co-operation, Interaction and Disclosure of Information 3.4.2 Co-operation, Interaction and Disclosure of Information
This section should make explicit which related groups the SIRT This section should make explicit which related groups the SIRT
routinely interacts with. Such interactions are not necessarily routinely interacts with. Such interactions are not necessarily
related to the security incident response provided, but are used to related to the security incident response provided, but are used to
facilitate better cooperation on technical topics or services. By facilitate better cooperation on technical topics or services. By
no means need details about cooperation agreements be given out; the no means need details about cooperation agreements be given out; the
main objective of this section is to give the constituency a basic main objective of this section is to give the constituency a basic
understanding of what kind of interactions are established and what understanding of what kind of interactions are established and what
their purpose is. their purpose is.
skipping to change at page 11, line 52 skipping to change at page 13, line 5
- Handling incidents occurring within the constituency, but - Handling incidents occurring within the constituency, but
reported from outside it (which implies that some information reported from outside it (which implies that some information
has already been disclosed off-site). has already been disclosed off-site).
- Reporting observations from within the constituency indicating - Reporting observations from within the constituency indicating
suspected or confirmed incidents outside it. suspected or confirmed incidents outside it.
- Acting on reports of incidents occurring outside the - Acting on reports of incidents occurring outside the
constituency. constituency.
Expectations for Security Incident Response 20 July 97
- Passing information about vulnerabilities to vendors, to - Passing information about vulnerabilities to vendors, to
partner SIRTs or directly to affected sites lying within or partner SIRTs or directly to affected sites lying within or
outside the constituency. outside the constituency.
- Feedback to parties reporting incidents or vulnerabilities. - Feedback to parties reporting incidents or vulnerabilities.
- The provision of contact information relating to members of - The provision of contact information relating to members of
Expectations for Security Incident Response 15 April 97
the constituency, members of other constituencies, other the constituency, members of other constituencies, other
SIRTs, or law-enforcement agencies. SIRTs, or law-enforcement agencies.
Vendors: Vendors:
Larger vendors have their own SIRTs, but smaller vendors may not. Larger vendors have their own SIRTs, but smaller vendors may not.
In such cases a SIRT will need to work directly with a vendor to In such cases a SIRT will need to work directly with a vendor to
suggest improvements or modifications, to analyse the technical suggest improvements or modifications, to analyse the technical
problem or to test provided solutions. problem or to test provided solutions.
Law-enforcement agencies: Law-enforcement agencies:
skipping to change at page 12, line 51 skipping to change at page 14, line 4
to this makes the team to appear to be an informational 'black to this makes the team to appear to be an informational 'black
hole,' which may reduce the likelihood of the team's obtaining hole,' which may reduce the likelihood of the team's obtaining
cooperation from clients and from other organizations. The SIRT's cooperation from clients and from other organizations. The SIRT's
template should define what information it will report or disclose, template should define what information it will report or disclose,
to whom, and when. to whom, and when.
Different teams are likely to be subject to different legal Different teams are likely to be subject to different legal
restraints requiring or limiting disclosure, especially if they work restraints requiring or limiting disclosure, especially if they work
in different jurisdictions. In addition, they may have reporting in different jurisdictions. In addition, they may have reporting
requirements imposed by their sponsoring organization. Each team's requirements imposed by their sponsoring organization. Each team's
Expectations for Security Incident Response 15 April 97
template should specify any such constraints, both to clarify users' template should specify any such constraints, both to clarify users'
expectations and to inform other teams. expectations and to inform other teams.
Conflicts of interest, particularly in commercial matters, may also Conflicts of interest, particularly in commercial matters, may also
restrain disclosure by a team; this document does not recommend on restrain disclosure by a team; this document does not recommend on
how such conflicts should be addressed. how such conflicts should be addressed.
A team will normally collect statistics. If statistical information A team will normally collect statistics. If statistical information
Expectations for Security Incident Response 28 April 97
is distributed, the template's reporting and disclosure policy is distributed, the template's reporting and disclosure policy
should say so, and should describe how to obtain such statistics. should say so, and should describe how to obtain such statistics.
3.4.3 Communication and Authentication 3.4.3 Communication and Authentication
Methods of secure and verifiable communication should be established. Methods of secure and verifiable communication should be established.
This is necessary for communication between SIRTs and between a SIRT This is necessary for communication between SIRTs and between a SIRT
and its constituents. The template should include public keys or and its constituents. The template should include public keys or
pointers to them, including key fingerprints, together with pointers to them, including key fingerprints, together with
guidelines on how to use this information to check authenticity and guidelines on how to use this information to check authenticity and
skipping to change at page 14, line 5 skipping to change at page 14, line 45
addition to encrypting sensitive information whenever possible, addition to encrypting sensitive information whenever possible,
correspondence should include digital signatures. (Please note that correspondence should include digital signatures. (Please note that
in most countries, the protection of authenticity by using digital in most countries, the protection of authenticity by using digital
signatures is not affected by existing encryption regulations.) signatures is not affected by existing encryption regulations.)
For communication via telephone or facsimile a SIRT may keep secret For communication via telephone or facsimile a SIRT may keep secret
authentication data for parties with whom they may deal, such as an authentication data for parties with whom they may deal, such as an
agreed password or phrase. Obviously, such secret keys must not be agreed password or phrase. Obviously, such secret keys must not be
published, though their existence may be. published, though their existence may be.
3.5 Services
Services provided by a SIRT can be roughly divided into two
categories: real-time activities directly related to the main task of
incident response, and non-real-time proactive activities, supportive
of the incident response task. The second category and part of the
first category consist of services which are optional in the sense
that not all SIRTs will offer them.
Expectations for Security Incident Response 15 April 97 Expectations for Security Incident Response 15 April 97
3.5 Services 3.5.1 Incident Response
Services provided by a SIRT can be differentiated according to Incident response usually includes assessing incoming reports about
whether they relate to the main task, which is incident response, or incidents ("Incident Triage") and following up on these with other
are provided in addition to it, i.e. are optional in regard to the SIRTs, ISPs and sites ("Incident Coordination"). A third range of
definition of a SIRT. services, helping a local site to recover from an incident ("Incident
Cure"), is comprised of typically optional services, which not all
SIRTs will offer.
Incident response usually includes: 3.5.1.1 Incident Triage
Incident triage usually includes:
- Report assessment Interpreting incoming incident
reports, prioritizing them,and
relating them to ongoing incidents
and trends.
- Verification Help in determining whether an - Verification Help in determining whether an
incident has really occurred, and incident has really occurred, and
its scope. its scope.
3.5.1.2 Incident Coordination
Incident Coordination normally includes:
- Information categorization Categorization the incident related
information (logfiles, contact
information, etc.) with respect to
the information disclosure policy.
- Coordination Notification of other involved
parties on a need-to-know basis, as
per the information disclosure
policy.
3.5.1.3 Incident Cure
Usually additional or optional, incident cure services include:
- Technical Assistance This may include analysis of - Technical Assistance This may include analysis of
compromised systems. compromised systems.
- Eradication Elimination of the cause of a - Eradication Elimination of the cause of a
security incident (the vulnerability security incident (the vulnerability
exploited), and its effects (for exploited), and its effects (for
example, continuing access to the example, continuing access to the
system by an intruder). system by an intruder).
Expectations for Security Incident Response 20 July 97
- Recovery Aid in restoring affected systems - Recovery Aid in restoring affected systems
and services to their status before and services to their status before
the security incident. the security incident.
- Coordination Notification of other involved 3.5.2. Proactive Activities
parties.
Additional or optional services might include: Usually additional or optional, proactive services might include:
- Information provision This might include an archive of - Information provision This might include an archive of
known vulnerabilities, patches or known vulnerabilities, patches or
resolutions of past problems, or resolutions of past problems, or
advisory mailing lists. advisory mailing lists.
- Security Tools This may include tools for auditing - Security Tools This may include tools for auditing
a Site's security. a Site's security.
- Education and training - Education and training
skipping to change at page 15, line 4 skipping to change at page 16, line 35
- Product evaluation - Product evaluation
- Site security auditing and consulting - Site security auditing and consulting
3.6 Incident Reporting Forms 3.6 Incident Reporting Forms
The use of reporting forms makes it simpler for both users and The use of reporting forms makes it simpler for both users and
teams to deal with incidents. The constituent can prepare answers to teams to deal with incidents. The constituent can prepare answers to
various important questions before he or she actually contacts the various important questions before he or she actually contacts the
team, and can therefore come well prepared. The team gets all the team, and can therefore come well prepared. The team gets all the
Expectations for Security Incident Response 15 April 97
necessary information at once with the first report and can proceed necessary information at once with the first report and can proceed
efficiently. efficiently.
Depending on the objectives and services of a particular SIRT, Depending on the objectives and services of a particular SIRT,
multiple forms may be used, for example a reporting form for a new multiple forms may be used, for example a reporting form for a new
vulnerability may be very different from the form used for reporting vulnerability may be very different from the form used for reporting
incidents. incidents.
It is most efficient to provide forms through the online information It is most efficient to provide forms through the online information
services of the team. The exact pointers to them should be given in services of the team. The exact pointers to them should be given in
the SIRT description document, together with statements about the SIRT description document, together with statements about
appropriate use, and guidelines for when and how to use the forms. appropriate use, and guidelines for when and how to use the forms.
If separate e-mail addresses are supported for form-based reporting, If separate e-mail addresses are supported for form-based reporting,
they should be listed here again. they should be listed here again.
One example of such a form is the Incident Reporting Form provided by One example of such a form is the Incident Reporting Form provided by
the CERT Coordination Center: the CERT Coordination Center:
- ftp://info.cert.org/incident_reporting_form - ftp://info.cert.org/incident_reporting_form
Expectations for Security Incident Response 20 July 97
3.7 Disclaimers 3.7 Disclaimers
Although the SIRT description document does not constitute a Although the SIRT description document does not constitute a
contract, liability may conceivably result from its descriptions of contract, liability may conceivably result from its descriptions of
services and purposes. The inclusion of a disclaimer at the end of services and purposes. The inclusion of a disclaimer at the end of
the template is therefore recommended and should warn the user about the template is therefore recommended and should warn the user about
possible limitations. possible limitations.
In situations where the original version of a document must be In situations where the original version of a document must be
translated into another language, the translation should carry a translated into another language, the translation should carry a
skipping to change at page 16, line 5 skipping to change at page 17, line 37
and regulations, of which each SIRT should be aware. If in doubt and regulations, of which each SIRT should be aware. If in doubt
the SIRT should check the disclaimer with a lawyer. the SIRT should check the disclaimer with a lawyer.
Appendix A: Glossary of Terms Appendix A: Glossary of Terms
This glossary defines terms used in describing security incidents and This glossary defines terms used in describing security incidents and
Security Incident Response Teams. Only a limited list is included. Security Incident Response Teams. Only a limited list is included.
For more definitions please refer to other sources, for example to For more definitions please refer to other sources, for example to
the Internet User's Glossary [RFC 1983]. the Internet User's Glossary [RFC 1983].
Expectations for Security Incident Response 28 April 97
Constituency: Constituency:
Implicit in the purpose of a Security Incident Response Team is Implicit in the purpose of a Security Incident Response Team is
the existence of a constituency. This is the group of users, the existence of a constituency. This is the group of users,
sites, networks or organizations served by the team. The team sites, networks or organizations served by the team. The team
must be recognized by its constituency in order to be effective. must be recognized by its constituency in order to be effective.
Security Incident: Security Incident:
For the purpose of this document, this term is a synonym of For the purpose of this document, this term is a synonym of
Computer Security Incident: any adverse event which compromises Computer Security Incident: any adverse event which compromises
some aspect of computer or network security. some aspect of computer or network security.
The definition of an incident may vary between organizations, but The definition of an incident may vary between organizations, but
at least the following categories are generally applicable: at least the following categories are generally applicable:
- Loss of confidentiality of information. - Loss of confidentiality of information.
- Compromise of integrity of information. - Compromise of integrity of information.
- Denial of service. - Denial of service.
- Misuse of service, systems or information. - Misuse of service, systems or information.
- Damage to systems. - Damage to systems.
Expectations for Security Incident Response 20 July 97
These are very general categories. For instance the replacement These are very general categories. For instance the replacement
of a system utility program by a Trojan Horse is an example of of a system utility program by a Trojan Horse is an example of
'compromise of integrity,' and a successful password attack is an 'compromise of integrity,' and a successful password attack is an
example of 'loss of confidentiality.' Attacks, even if they example of 'loss of confidentiality.' Attacks, even if they
failed because of proper protection, can be regarded as failed because of proper protection, can be regarded as
Incidents. Incidents.
Within the definition of an incident the word 'compromised' is Within the definition of an incident the word 'compromised' is
used. Sometimes an administrator may only 'suspect' an incident. used. Sometimes an administrator may only 'suspect' an incident.
During the response it must be established whether or not an During the response it must be established whether or not an
skipping to change at page 17, line 5 skipping to change at page 18, line 38
- Provide assistance to members of its constituency in - Provide assistance to members of its constituency in
handling these incidents. handling these incidents.
- Disseminate incident-related information to its - Disseminate incident-related information to its
constituency and to other involved parties. constituency and to other involved parties.
Note that we are not referring here to police or other law Note that we are not referring here to police or other law
enforcement bodies which may investigate computer-related crime. enforcement bodies which may investigate computer-related crime.
SIRT members, indeed, need not have any powers beyond SIRT members, indeed, need not have any powers beyond
those of ordinary citizens. those of ordinary citizens.
Expectations for Security Incident Response 28 April 97
Vendor: Vendor:
A 'vendor' is any entity that produces networking or computing A 'vendor' is any entity that produces networking or computing
technology, and is responsible for the technical content of that technology, and is responsible for the technical content of that
technology. Examples of 'technology' include hardware (desktop technology. Examples of 'technology' include hardware (desktop
computers, routers, switches, etc.), and software (operating computers, routers, switches, etc.), and software (operating
systems, mail forwarding systems, etc.). systems, mail forwarding systems, etc.).
Note that the supplier of a technology is not necessarily the Note that the supplier of a technology is not necessarily the
'vendor' of that technology. As an example, an Internet Service 'vendor' of that technology. As an example, an Internet Service
Provider (ISP) might supply routers to each of its customers, but Provider (ISP) might supply routers to each of its customers, but
skipping to change at page 17, line 28 skipping to change at page 19, line 5
than the ISP, is the entity responsible for the technical content than the ISP, is the entity responsible for the technical content
of the router. of the router.
Vulnerability: Vulnerability:
A 'vulnerability' is a characteristic of a piece of technology A 'vulnerability' is a characteristic of a piece of technology
which can be exploited to perpetrate a security incident. For which can be exploited to perpetrate a security incident. For
example, if a program unintentionally allowed ordinary users to example, if a program unintentionally allowed ordinary users to
execute arbitrary operating system commands in privileged mode, execute arbitrary operating system commands in privileged mode,
this "feature" would be a vulnerability. this "feature" would be a vulnerability.
Expectations for Security Incident Response 20 July 97
Appendix B: Related Material Appendix B: Related Material
Important issues in responding to security incidents on a site level Important issues in responding to security incidents on a site level
are contained in [RFC 1244], the Site Security Handbook, produced by are contained in [RFC 1244], the Site Security Handbook, produced by
the Site Security Handbook Working Group (SSH). This document will the Site Security Handbook Working Group (SSH). This document will
be updated by the SSH working group and will give recommendations be updated by the SSH working group and will give recommendations
for local policies and procedures, mainly related to the avoidance for local policies and procedures, mainly related to the avoidance
of security incidents. of security incidents.
Other documents of interest for the discussion of SIRTs and their Other documents of interest for the discussion of SIRTs and their
skipping to change at page 18, line 5 skipping to change at page 19, line 38
This report contains the Operational Framework of CERT-NL, the This report contains the Operational Framework of CERT-NL, the
SIRT of SURFnet (network provider in the Netherlands). SIRT of SURFnet (network provider in the Netherlands).
- For readers interested in the operation of FIRST (Forum of - For readers interested in the operation of FIRST (Forum of
Incident Response and Security Teams) more information is Incident Response and Security Teams) more information is
collected in Appendix C. collected in Appendix C.
- http://hightop.nrl.navy.mil/news/incident.html - http://hightop.nrl.navy.mil/news/incident.html
This document leads to the NRL Incident Response Manual. This document leads to the NRL Incident Response Manual.
Expectations for Security Incident Response 28 April 97
- http://www.cert.dfn.de/eng/team/kpk/certbib.html - http://www.cert.dfn.de/eng/team/kpk/certbib.html
This document contains an annotated bibliography of available This document contains an annotated bibliography of available
material, documents and files about the operation of SIRTs material, documents and files about the operation of SIRTs
with links to many of the referenced items. with links to many of the referenced items.
- ftp://info.cert.org/incident_reporting_form - ftp://info.cert.org/incident_reporting_form
This Incident Reporting Form is provided by the CERT This Incident Reporting Form is provided by the CERT
Coordination Center to gather incident information and to avoid Coordination Center to gather incident information and to avoid
additional delays caused by the need to request more detailed additional delays caused by the need to request more detailed
information from the reporting site. information from the reporting site.
- http://www.cert.org/cert.faqintro.html - http://www.cert.org/cert.faqintro.html
A collection of frequently asked questions from the CERT A collection of frequently asked questions from the CERT
Coordination Center. Coordination Center.
Expectations for Security Incident Response 20 July 97
Appendix C: Known Security Incident Response Teams Appendix C: Known Security Incident Response Teams
Today, there are many different SIRTs but no single source lists Today, there are many different SIRTs but no single source lists
every team. Most of the major and long established teams (the first every team. Most of the major and long established teams (the first
SIRT was founded in 1988) are nowadays members of FIRST, the SIRT was founded in 1988) are nowadays members of FIRST, the
worldwide Forum of Incident Response and Security Teams. At the worldwide Forum of Incident Response and Security Teams. At the
time of writing, more than 55 teams are members (1 in Australia, 13 time of writing, more than 55 teams are members (1 in Australia, 13
in Europe, all others in North America). Information about FIRST in Europe, all others in North America). Information about FIRST
can be found: can be found:
skipping to change at page 19, line 4 skipping to change at page 20, line 43
- http://www.first.org/docs/newmem.html - http://www.first.org/docs/newmem.html
Guidelines for teams which want to become members of FIRST. Guidelines for teams which want to become members of FIRST.
Many of the European teams, regardless of whether they are members Many of the European teams, regardless of whether they are members
of FIRST or not, are listed by countries on a page maintained by of FIRST or not, are listed by countries on a page maintained by
the German SIRT: the German SIRT:
- http://www.cert.dfn.de/eng/csir/europe/certs.html - http://www.cert.dfn.de/eng/csir/europe/certs.html
To learn about existing teams suitable to one's needs it is To learn about existing teams suitable to one's needs it is
Expectations for Security Incident Response 28 April 97
often helpful to ask either known teams or an Internet Service often helpful to ask either known teams or an Internet Service
Provider for the "right" contact. Provider for the "right" contact.
Expectations for Security Incident Response 20 July 97
Appendix D: Outline for SIRT Template Appendix D: Outline for SIRT Template
This outline summarizes in point form the issues addressed in this This outline summarizes in point form the issues addressed in this
document, and is the recommended template for a SIRT description document, and is the recommended template for a SIRT description
document. Its structure is designed to facilitate the communication document. Its structure is designed to facilitate the communication
of a SIRT's policies, procedures, and other relevant information to of a SIRT's policies, procedures, and other relevant information to
its constituency and to outside organizations such as other SIRTs. its constituency and to outside organizations such as other SIRTs.
A 'filled-in' example of this template is given as Appendix E. A 'filled-in' example of this template is given as Appendix E.
1. Document Information 1. Document Information
skipping to change at page 19, line 50 skipping to change at page 21, line 47
3.3 Sponsorship and/or Affiliation 3.3 Sponsorship and/or Affiliation
3.4 Authority 3.4 Authority
4. Policies 4. Policies
4.1 Types of Incidents and Level of Support 4.1 Types of Incidents and Level of Support
4.2 Co-operation, Interaction and Disclosure of Information 4.2 Co-operation, Interaction and Disclosure of Information
4.3 Communication and Authentication 4.3 Communication and Authentication
5. Services 5. Services
5.1 Incident Response 5.1 Incident Response
5.1.1. Incident Triage
5.1.2. Incident Coordination
5.1.3. Incident Cure
5.2 Proactive Activities 5.2 Proactive Activities
6. Incident Reporting Forms 6. Incident Reporting Forms
7. Disclaimers 7. Disclaimers
Expectations for Security Incident Response 28 April 97 Expectations for Security Incident Response 20 July 97
Appendix E: Example - 'filled-in' Template for a SIRT Appendix E: Example - 'filled-in' Template for a SIRT
Below is an example of a filled-in template for a fictitious SIRT Below is an example of a filled-in template for a fictitious SIRT
called XYZ-SIRT. This text is for example purposes only, and does called XYZ-SIRT. This text is for example purposes only, and does
not constitute endorsement by the working group or the IETF of any not constitute endorsement by the working group or the IETF of any
particular set of procedures or policies. While SIRTs are welcome particular set of procedures or policies. While SIRTs are welcome
to use any or all of this text if they wish, such use is of course to use any or all of this text if they wish, such use is of course
not mandatory, or even appropriate in most cases. not mandatory, or even appropriate in most cases.
skipping to change at page 21, line 5 skipping to change at page 23, line 5
http://www.xyz-univ.ca/xyz-cert/english/sirt-descr.asc http://www.xyz-univ.ca/xyz-cert/english/sirt-descr.asc
http://www.xyz-univ.ca/xyz-cert/francais/sirt-descr.asc http://www.xyz-univ.ca/xyz-cert/francais/sirt-descr.asc
2. Contact Information 2. Contact Information
2.1 Name of the Team 2.1 Name of the Team
"XYZ-CERT": the XYZ University Computer Emergency Response "XYZ-CERT": the XYZ University Computer Emergency Response
Team. Team.
Expectations for Security Incident Response 28 April 97 Expectations for Security Incident Response 20 July 97
2.2 Address 2.2 Address
XYZ-CERT XYZ-CERT
XYZ University, Computing Services Department XYZ University, Computing Services Department
12345 Rue Principale 12345 Rue Principale
UniversityTown, Quebec UniversityTown, Quebec
Canada H0H 0H0 Canada H0H 0H0
2.3 Time Zone 2.3 Time Zone
skipping to change at page 22, line 5 skipping to change at page 24, line 5
who knows the XYZ-CERT coordinator Zoe Doe, Zoe Doe has who knows the XYZ-CERT coordinator Zoe Doe, Zoe Doe has
signed the XYZ-CERT key, and will be happy to confirm its signed the XYZ-CERT key, and will be happy to confirm its
fingerprint and that of her own key to those people who know fingerprint and that of her own key to those people who know
her, by telephone or in person. her, by telephone or in person.
2.9 Team Members 2.9 Team Members
Zoe Doe of Computing Services is the XYZ-CERT coordinator. Zoe Doe of Computing Services is the XYZ-CERT coordinator.
Backup coordinators and other team members, along with their Backup coordinators and other team members, along with their
Expectations for Security Incident Response 28 April 97 Expectations for Security Incident Response 20 July 97
areas of expertise and contact information, are listed in the areas of expertise and contact information, are listed in the
XYZ-CERT web pages, at XYZ-CERT web pages, at
http://www.xyz-univ.ca/xyz-cert/teamlist.html http://www.xyz-univ.ca/xyz-cert/teamlist.html
Management, liaison and supervision are provided by Steve Tree, Management, liaison and supervision are provided by Steve Tree,
Assistant Director (Technical Services), Computing Services. Assistant Director (Technical Services), Computing Services.
2.10 Other Information 2.10 Other Information
skipping to change at page 22, line 58 skipping to change at page 25, line 5
assist XYZ community in responding to such incidents when they assist XYZ community in responding to such incidents when they
occur. occur.
3.2 Constituency 3.2 Constituency
The XYZ-CERT's constituency is the XYZ University community, The XYZ-CERT's constituency is the XYZ University community,
as defined in the context of the "XYZ University Policy on as defined in the context of the "XYZ University Policy on
Computing Facilities". This policy is available at Computing Facilities". This policy is available at
http://www-compserv.xyz-univ.ca/policies/pcf.html http://www-compserv.xyz-univ.ca/policies/pcf.html
Expectations for Security Incident Response 20 July 97
However, please note that, notwithtanding the above, XYZ-CERT However, please note that, notwithtanding the above, XYZ-CERT
services will be provided for on-site systems only. services will be provided for on-site systems only.
Expectations for Security Incident Response 28 April 97
3.3 Sponsorship and/or Affiliation 3.3 Sponsorship and/or Affiliation
The XYZ-CERT is currently completing the application process The XYZ-CERT is currently completing the application process
for membership in FIRST, the Forum of Incident Response and for membership in FIRST, the Forum of Incident Response and
Security Teams. More information about FIRST is available Security Teams. More information about FIRST is available
from from
http://www.first.org/ http://www.first.org/
3.4 Authority 3.4 Authority
skipping to change at page 23, line 55 skipping to change at page 26, line 4
4. Policies 4. Policies
4.1 Types of Incidents and Level of Support 4.1 Types of Incidents and Level of Support
The XYZ-CERT is authorized to address all types of computer The XYZ-CERT is authorized to address all types of computer
security incidents which occur, or threaten to occur, at security incidents which occur, or threaten to occur, at
XYZ University. XYZ University.
The level of support given by XYZ-CERT will vary depending on The level of support given by XYZ-CERT will vary depending on
the type and severity of the incident or issue, the type of the type and severity of the incident or issue, the type of
Expectations for Security Incident Response 20 July 97
constituent, the size of the user community affected, and the constituent, the size of the user community affected, and the
XYZ-CERT's resources at the time, though in all cases some XYZ-CERT's resources at the time, though in all cases some
response will be made within one working day. Resources will response will be made within one working day. Resources will
Expectations for Security Incident Response 28 April 97
be assigned according to the following priorities, listed in be assigned according to the following priorities, listed in
decreasing order: decreasing order:
- Threats to the physical safety of human beings. - Threats to the physical safety of human beings.
- Root or system-level attacks on any Management Information - Root or system-level attacks on any Management Information
System, or any part of the backbone network infrastructure. System, or any part of the backbone network infrastructure.
- Root or system-level attacks on any large public service - Root or system-level attacks on any large public service
machine, either multi-user or dedicated-purpose. machine, either multi-user or dedicated-purpose.
- Compromise of restricted confidential service accounts or - Compromise of restricted confidential service accounts or
software installations, in particular those used for MIS software installations, in particular those used for MIS
skipping to change at page 24, line 54 skipping to change at page 26, line 57
While the XYZ-CERT understands that there exists great While the XYZ-CERT understands that there exists great
variation in the level of system administrator expertise at XYZ variation in the level of system administrator expertise at XYZ
University, and while the XYZ-CERT will endeavor to present University, and while the XYZ-CERT will endeavor to present
information and assistance at a level appropriate to each information and assistance at a level appropriate to each
person, the XYZ-CERT cannot train system administrators on the person, the XYZ-CERT cannot train system administrators on the
fly, and it cannot perform system maintenance on their behalf. fly, and it cannot perform system maintenance on their behalf.
In most cases, the XYZ-CERT will provide pointers to the In most cases, the XYZ-CERT will provide pointers to the
information needed to implement appropriate measures. information needed to implement appropriate measures.
The XYZ-CERT is committed to keeping the XYZ University system The XYZ-CERT is committed to keeping the XYZ University system
administration community informed of potential administration community informed of potential vulnerabilities,
vulnerabilities, and where possible, will inform this
community of such vulnerabilities before they are actively
exploited.
Expectations for Security Incident Response 28 April 97 Expectations for Security Incident Response 20 July 97
and where possible, will inform this community of such
vulnerabilities before they are actively exploited.
4.2 Co-operation, Interaction and Disclosure of Information 4.2 Co-operation, Interaction and Disclosure of Information
While there are legal and ethical restrictions on the flow of While there are legal and ethical restrictions on the flow of
information from XYZ-CERT, many of which are also outlined in information from XYZ-CERT, many of which are also outlined in
the XYZ University Policy on Computing Facilities, and all of the XYZ University Policy on Computing Facilities, and all of
which will be respected, the XYZ-CERT acknowledges its which will be respected, the XYZ-CERT acknowledges its
indebtedness to, and declares its intention to contribute to, indebtedness to, and declares its intention to contribute to,
the spirit of cooperation that created the Internet. the spirit of cooperation that created the Internet.
Therefore, while appropriate measures will be taken to protect Therefore, while appropriate measures will be taken to protect
skipping to change at page 25, line 55 skipping to change at page 28, line 5
- Intruder information is similar to private user - Intruder information is similar to private user
information, but concerns intruders. information, but concerns intruders.
While intruder information, and in particular identifying While intruder information, and in particular identifying
information, will not be released to the public (unless it information, will not be released to the public (unless it
becomes a matter of public record, for example because becomes a matter of public record, for example because
criminal charges have been laid), it will be exchanged criminal charges have been laid), it will be exchanged
freely with system administrators and SIRTs tracking an freely with system administrators and SIRTs tracking an
incident. incident.
Expectations for Security Incident Response 20 July 97
- Private site information is technical information about - Private site information is technical information about
particular systems or sites. particular systems or sites.
It will not be released without the permission of the site It will not be released without the permission of the site
in question, except as provided for below. in question, except as provided for below.
Expectations for Security Incident Response 28 April 97
- Vulnerability information is technical information about - Vulnerability information is technical information about
vulnerabilities or attacks, including fixes and vulnerabilities or attacks, including fixes and
workarounds. workarounds.
Vulnerability information will be released freely, though Vulnerability information will be released freely, though
every effort will be made to inform the relevant vendor every effort will be made to inform the relevant vendor
before the general public is informed. before the general public is informed.
- Embarrassing information includes the statement that an - Embarrassing information includes the statement that an
incident has occurred, and information about its extent or incident has occurred, and information about its extent or
skipping to change at page 26, line 52 skipping to change at page 29, line 4
- Because of the nature of their responsibilities and - Because of the nature of their responsibilities and
consequent expectations of confidentiality, members of XYZ consequent expectations of confidentiality, members of XYZ
University management are entitled to receive whatever University management are entitled to receive whatever
information is necessary to facilitate the handling of information is necessary to facilitate the handling of
computer security incidents which occur in their computer security incidents which occur in their
jurisdictions. jurisdictions.
- Members of the Office of Rights and Responsibilities are - Members of the Office of Rights and Responsibilities are
entitled to receive whatever information they request entitled to receive whatever information they request
concerning a computer security incident or related matter concerning a computer security incident or related matter
Expectations for Security Incident Response 20 July 97
which has been referred to them for resolution. The same is which has been referred to them for resolution. The same is
true for the XYZ Security Department, when its assistance in true for the XYZ Security Department, when its assistance in
an investigation has been enlisted, or when the investigation an investigation has been enlisted, or when the investigation
has been instigated at its request. has been instigated at its request.
- System administrators at XYZ University who are members of - System administrators at XYZ University who are members of
the CCSA are also, by virtue of their responsibilities, the CCSA are also, by virtue of their responsibilities,
Expectations for Security Incident Response 28 April 97
trusted with confidential information. However, unless such trusted with confidential information. However, unless such
people are also members of XYZ-CERT, they will be given only people are also members of XYZ-CERT, they will be given only
that confidential information which they must have in order that confidential information which they must have in order
to assist with an investigation, or in order to secure their to assist with an investigation, or in order to secure their
own systems. own systems.
- Users at XYZ University are entitled to information which - Users at XYZ University are entitled to information which
pertains to the security of their own computer accounts, pertains to the security of their own computer accounts,
even if this means revealing "intruder information", or even if this means revealing "intruder information", or
"embarrasssing information" about another user. For "embarrasssing information" about another user. For
skipping to change at page 27, line 51 skipping to change at page 30, line 4
- The public at large will receive no restricted information. - The public at large will receive no restricted information.
In fact, no particular effort will be made to communicate In fact, no particular effort will be made to communicate
with the public at large, though the XYZ-CERT recognizes with the public at large, though the XYZ-CERT recognizes
that, for all intents and purposes, information made that, for all intents and purposes, information made
available to the XYZ University community is in effect made available to the XYZ University community is in effect made
available to the community at large, and will tailor the available to the community at large, and will tailor the
information in consequence. information in consequence.
- The computer security community will be treated the same way - The computer security community will be treated the same way
the general public is treated. While members of XYZ-CERT may the general public is treated. While members of XYZ-CERT may
Expectations for Security Incident Response 20 July 97
participate in discussions within the computer security participate in discussions within the computer security
community, such as newsgroups, mailing lists (including the community, such as newsgroups, mailing lists (including the
full-disclosure list "bugtraq"), and conferences, they will full-disclosure list "bugtraq"), and conferences, they will
treat such forums as though they were the public at large. treat such forums as though they were the public at large.
While technical issues (including vulnerabilities) may be While technical issues (including vulnerabilities) may be
discussed to any level of detail, any examples taken from discussed to any level of detail, any examples taken from
XYZ-CERT experience will be disguised to avoid identifying XYZ-CERT experience will be disguised to avoid identifying
the affected parties. the affected parties.
Expectations for Security Incident Response 28 April 97
- The press will also be considered as part of the general - The press will also be considered as part of the general
public. The XYZ-CERT will not interact directly with the public. The XYZ-CERT will not interact directly with the
Press concerning computer security incidents, except to point Press concerning computer security incidents, except to point
them toward information already released to the general them toward information already released to the general
public. If necessary, information will be provided to the public. If necessary, information will be provided to the
XYZ University Public Relations Department, and to the XYZ University Public Relations Department, and to the
Customer Relations group of the Computing Services Customer Relations group of the Computing Services
Department. All incident-related queries will be referred to Department. All incident-related queries will be referred to
these two bodies. The above does not affect the ability of these two bodies. The above does not affect the ability of
members of XYZ-CERT to grant interviews on general computer members of XYZ-CERT to grant interviews on general computer
skipping to change at page 28, line 49 skipping to change at page 31, line 4
remain confidential, and when it is necessary to resolve an remain confidential, and when it is necessary to resolve an
incident. incident.
- Vendors will be considered as foreign SIRTs for most intents - Vendors will be considered as foreign SIRTs for most intents
and purposes. The XYZ-CERT wishes to encourage vendors of and purposes. The XYZ-CERT wishes to encourage vendors of
all kinds of networking and computer equipment, software, and all kinds of networking and computer equipment, software, and
services to improve the security of their products. In aid services to improve the security of their products. In aid
of this, a vulnerability discovered in such a product will be of this, a vulnerability discovered in such a product will be
reported to its vendor, along with all technical details reported to its vendor, along with all technical details
needed to identify and fix the problem. Identifying details needed to identify and fix the problem. Identifying details
Expectations for Security Incident Response 20 July 97
will not be given to the vendor without the permission of the will not be given to the vendor without the permission of the
affected parties. affected parties.
- Law enforcement officers will receive full cooperation from - Law enforcement officers will receive full cooperation from
the XYZ-CERT, including any information they require to the XYZ-CERT, including any information they require to
pursue an investigation, in accordance with the Policy on pursue an investigation, in accordance with the Policy on
Computing Facilities. Computing Facilities.
Expectations for Security Incident Response 28 April 97
4.3 Communication and Authentication 4.3 Communication and Authentication
In view of the types of information that the XYZ-CERT will In view of the types of information that the XYZ-CERT will
likely be dealing with, telephones will be considered likely be dealing with, telephones will be considered
sufficiently secure to be used even unencrypted. Unencrypted sufficiently secure to be used even unencrypted. Unencrypted
e-mail will not be considered particularly secure, but will be e-mail will not be considered particularly secure, but will be
sufficient for the transmission of low-sensitivity data. If sufficient for the transmission of low-sensitivity data. If
it is necessary to send highly sensitive data by e-mail, PGP it is necessary to send highly sensitive data by e-mail, PGP
will be used. Network file transfers will be considered to will be used. Network file transfers will be considered to
be similar to e-mail for these purposes: sensitive data should be similar to e-mail for these purposes: sensitive data should
skipping to change at page 29, line 34 skipping to change at page 32, line 5
neighbor sites, referrals from known trusted people will neighbor sites, referrals from known trusted people will
suffice to identify someone. Otherwise, appropriate methods suffice to identify someone. Otherwise, appropriate methods
will be used, such as a search of FIRST members, the use of will be used, such as a search of FIRST members, the use of
WHOIS and other Internet registration information, etc, along WHOIS and other Internet registration information, etc, along
with telephone call-back or e-mail mail-back to ensure that with telephone call-back or e-mail mail-back to ensure that
the party is not an impostor. Incoming e-mail whose data must the party is not an impostor. Incoming e-mail whose data must
be trusted will be checked with the originator personally, or be trusted will be checked with the originator personally, or
by means of digital signatures (PGP in particular is by means of digital signatures (PGP in particular is
supported). supported).
Expectations for Security Incident Response 20 July 97
5. Services 5. Services
5.1 Incident Response 5.1 Incident Response
XYZ-CERT will assist system administrators in handling the XYZ-CERT will assist system administrators in handling the
technical and organizational aspects of incidents. In technical and organizational aspects of incidents. In
particular, it will provide assistance or advice with respect particular, it will provide assistance or advice with respect
to the following aspects of incident management: to the following aspects of incident management:
- Determining the extent of the incident. - Determining the extent of the incident.
- Determining the initial cause of the incident - Determining the initial cause of the incident
skipping to change at page 30, line 4 skipping to change at page 32, line 30
- Removing the vulnerability. - Removing the vulnerability.
- Securing the system from the effects of the incident. - Securing the system from the effects of the incident.
- Evaluating whether certain actions are likely to reap - Evaluating whether certain actions are likely to reap
results in proportion to their cost and risk, in results in proportion to their cost and risk, in
particular those actions aimed at an eventual prosecution particular those actions aimed at an eventual prosecution
or disciplinary action: collection of evidence after the or disciplinary action: collection of evidence after the
fact, observation of an incident in progress, setting fact, observation of an incident in progress, setting
traps for intruders, etc. traps for intruders, etc.
- Collecting evidence where criminal prosecution, or - Collecting evidence where criminal prosecution, or
University disciplinary action, is contemplated. University disciplinary action, is contemplated.
Expectations for Security Incident Response 28 April 97
- Facilitating contact with XYZ University Security and/or - Facilitating contact with XYZ University Security and/or
appropriate law enforcement officials, if necessary. appropriate law enforcement officials, if necessary.
- Making reports to other SIRTs. - Making reports to other SIRTs.
- Composing announcements to users, if applicable. - Composing announcements to users, if applicable.
In addition, XYZ-CERT will collect statistics concerning In addition, XYZ-CERT will collect statistics concerning
incidents which occur within or involve the XYZ University incidents which occur within or involve the XYZ University
community, and will notify the community as necessary to community, and will notify the community as necessary to
assist it in protecting against known attacks. assist it in protecting against known attacks.
skipping to change at page 30, line 35 skipping to change at page 33, line 4
services to the extent possible depending on its resources: services to the extent possible depending on its resources:
- Information services - Information services
- List of departmental security contacts, administrative - List of departmental security contacts, administrative
and technical. These lists will be available to the and technical. These lists will be available to the
general public, via commonly-available channels such as general public, via commonly-available channels such as
the World Wide Web and/or the Domain Name Service. the World Wide Web and/or the Domain Name Service.
- Mailing lists to inform security contacts of new - Mailing lists to inform security contacts of new
information relevant to their computing environments. information relevant to their computing environments.
These lists will be available only to XYZ University These lists will be available only to XYZ University
system administrators. system administrators.
Expectations for Security Incident Response 20 July 97
- Repository of vendor-provided and other security-related - Repository of vendor-provided and other security-related
patches for various operating systems. This repository patches for various operating systems. This repository
will be available to the general public wherever will be available to the general public wherever
license restrictions allow it, and will be provided via license restrictions allow it, and will be provided via
commonly-available channels such as the World Wide Web commonly-available channels such as the World Wide Web
and/or ftp. and/or ftp.
- Repository of security tools and documentation for - Repository of security tools and documentation for
use by sysadmins. Where possible, precompiled use by sysadmins. Where possible, precompiled
ready-to-install versions will be supplied. These will ready-to-install versions will be supplied. These will
be supplied to the general public via www or ftp as be supplied to the general public via www or ftp as
skipping to change at page 31, line 4 skipping to change at page 33, line 31
restricted mailing list or on the web site, depending restricted mailing list or on the web site, depending
on their sensitivity and urgency. on their sensitivity and urgency.
- Training services - Training services
- Members of the XYZ-CERT will give periodic seminars on - Members of the XYZ-CERT will give periodic seminars on
computer security related topics; these seminars will computer security related topics; these seminars will
be open to XYZ University system administrators. be open to XYZ University system administrators.
- Auditing services - Auditing services
- Central file integrity checking service for Unix - Central file integrity checking service for Unix
machines, and for any other platforms capable of machines, and for any other platforms capable of
running "tripwire". running "tripwire".
Expectations for Security Incident Response 28 April 97
- Security level assignments; machines and subnetworks - Security level assignments; machines and subnetworks
at XYZ University will be audited and assigned a at XYZ University will be audited and assigned a
security level. This security level information will be security level. This security level information will be
available to the XYZ University community, to facilitate available to the XYZ University community, to facilitate
the setting of appropriate access privileges. However, the setting of appropriate access privileges. However,
details of the security analyses will be confidential, details of the security analyses will be confidential,
and available only to the concerned parties. and available only to the concerned parties.
- Archiving services - Archiving services
- Central logging service for machines capable of - Central logging service for machines capable of
Unix-style remote logging. Incoming log entries will Unix-style remote logging. Incoming log entries will
skipping to change at page 31, line 33 skipping to change at page 34, line 5
statistical reports will be made available to the XYZ statistical reports will be made available to the XYZ
University community. University community.
Detailed descriptions of the above services, along with Detailed descriptions of the above services, along with
instructions for joining mailing lists, downloading instructions for joining mailing lists, downloading
information, or participating in certain services such as the information, or participating in certain services such as the
central logging and file integrity checking services, are central logging and file integrity checking services, are
available on the XYZ-CERT web site, as per section 2.10 available on the XYZ-CERT web site, as per section 2.10
above. above.
Expectations for Security Incident Response 20 July 97
6. Incident Reporting Forms 6. Incident Reporting Forms
There are no local forms developed yet for reporting incidents There are no local forms developed yet for reporting incidents
to XYZ-CERT. If possible, please make use of the Incident to XYZ-CERT. If possible, please make use of the Incident
Reporting Form of the CERT Coordination Center (Pittsburgh, Reporting Form of the CERT Coordination Center (Pittsburgh,
PA). The actual version is available from: PA). The actual version is available from:
ftp://info.cert.org/incident_reporting_form ftp://info.cert.org/incident_reporting_form
7. Disclaimers 7. Disclaimers
While every precaution will be taken in the preparation of While every precaution will be taken in the preparation of
information, notifications and alerts, XYZ-CERT assumes no information, notifications and alerts, XYZ-CERT assumes no
responsibility for errors or omissions, or for damages responsibility for errors or omissions, or for damages
resulting from the use of the information contained within. resulting from the use of the information contained within.
4 Acknowlegements 4 Acknowlegements
The editors gratefully acknowledge the contributed material and The editors gratefully acknowledge the contributed material and
editorial scrutiny of Anne Bennett. editorial scrutiny of Anne Bennett. Thanks also to Don Stikvoort
for assistance reworking the description of Incident Response Team
Expectations for Security Incident Response 28 April 97 services.
5 References 5 References
[RFC 1244] P. Holbrooks, J. Reynolds / Site Security Handbook. - [RFC 1244] P. Holbrooks, J. Reynolds / Site Security Handbook. -
July 23, 1991. - 101 pages. - FYI 8. July 23, 1991. - 101 pages. - FYI 8.
[RFC 1983] G. Malkin / Internet Users' Glossary. - [RFC 1983] G. Malkin / Internet Users' Glossary. -
August 16, 1996. - 62 pages. - FYI 18. August 16, 1996. - 62 pages. - FYI 18.
6 Security Considerations 6 Security Considerations
skipping to change at page 32, line 32 skipping to change at page 35, line 5
reactions to security incidents, but only with the appropriate reactions to security incidents, but only with the appropriate
description of the responses provided by SIRTs. description of the responses provided by SIRTs.
Nonetheless, it is vital that the SIRTs themselves operate securely, Nonetheless, it is vital that the SIRTs themselves operate securely,
which means that they must establish secure communication channels which means that they must establish secure communication channels
with other teams, and with members of their constituency. They must with other teams, and with members of their constituency. They must
also secure their own systems and infrastructure, to protect the also secure their own systems and infrastructure, to protect the
interests of their constituency and to maintain the confidentiality interests of their constituency and to maintain the confidentiality
of the identity of victims and reporters of security incidents. of the identity of victims and reporters of security incidents.
Expectations for Security Incident Response 20 July 97
7 Authors' Addresses 7 Authors' Addresses
Nevil Brownlee Nevil Brownlee ITSS Technology Development
ITSS Technology Development
The University of Auckland The University of Auckland
Phone: +64 9 373 7599 x8941 Phone: +64 9 373 7599 x8941
E-mail: n.brownlee@auckland.ac.nz E-mail: n.brownlee@auckland.ac.nz
Erik Guttman Erik Guttman
Sun Microsystems, Inc. Sun Microsystems, Inc.
Gaisbergstr. 6 Gaisbergstr. 6
69115 Heidelberg Germany 69115 Heidelberg Germany
Phone: +49 6221 601649 Phone: +49 6221 601649
E-Mail: eguttman@eng.sun.com E-Mail: eguttman@eng.sun.com
This document expires October 28, 1997. This document expires January 20, 1998.
 End of changes. 82 change blocks. 
113 lines changed or deleted 158 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/