draft-ietf-grip-framework-irt-07.txt   rfc2350.txt 
Internet Engineering Task Force Nevil Brownlee
INTERNET-DRAFT The University of Auckland
Valid for six months Erik Guttman
Sun Microsystems
September 1997
Expectations for Computer Security Incident Response Network Working Group N. Brownlee
Request for Comments: 2350 The University of Auckland
BCP: 21 E. Guttman
Category: Best Current Practice Sun Microsystems
June 1998
<draft-ietf-grip-framework-irt-07.txt> Expectations for Computer Security Incident Response
Status of this Memo Status of this Memo
This document is an Internet Draft. Internet Drafts are working This document specifies an Internet Best Current Practices for the
documents of the Internet Engineering Task Force (IETF), its Areas, Internet Community, and requests discussion and suggestions for
and its Working Groups. Note that other groups may also distribute improvements. Distribution of this memo is unlimited.
working documents as Internet Drafts. This Internet Draft is a
product of the GRIP Working Group of the IETF.
Internet Drafts are draft documents valid for a maximum of six Copyright Notice
months. Internet Drafts may be updated, replaced, or obsoleted by
other documents at any time. It is not appropriate to use Internet
Drafts as reference material or to cite them other than as a
'working draft' or 'work in progress.'
To learn the current status of any Internet Draft, please check the Copyright (C) The Internet Society (1998). All Rights Reserved.
'1id-abstracts.txt' listing contained in the Internet Drafts shadow
directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
ftp.isi.edu (US West Coast).
Abstract Abstract
The purpose of this document is to express the general Internet The purpose of this document is to express the general Internet
community's expectations of Computer Security Incident Response community's expectations of Computer Security Incident Response Teams
Teams (CSIRTs). It is not possible to define a set of requirements (CSIRTs). It is not possible to define a set of requirements that
that would be appropriate for all teams, but it is possible and would be appropriate for all teams, but it is possible and helpful to
helpful to list and describe the general set of topics and issues list and describe the general set of topics and issues which are of
which are of concern and interest to constituent communities. concern and interest to constituent communities.
CSIRT constituents have a legitimate need and right to fully CSIRT constituents have a legitimate need and right to fully
understand the policies and procedures of 'their' Computer Security understand the policies and procedures of 'their' Computer Security
Incident Response Team. One way to support this understanding is to Incident Response Team. One way to support this understanding is to
supply detailed information which users may consider, in the form of supply detailed information which users may consider, in the form of
a formal template completed by the CSIRT. An outline of such a a formal template completed by the CSIRT. An outline of such a
template and a filled in example are provided. template and a filled in example are provided.
Expectations for Computer Security Incident Response 11 September 97
Table of Contents Table of Contents
1 Introduction 1 1 Introduction ....................................................2
2 Scope............................................................4
2 Scope............................................................3 2.1 Publishing CSIRT Policies and Procedures ....................4
2.1 Publishing CSIRT Policies and Procedures ....................3
2.2 Relationships between different CSIRTs ......................5 2.2 Relationships between different CSIRTs ......................5
2.3 Establishing Secure Communications ..........................5 2.3 Establishing Secure Communications ..........................6
3 Information, Policies and Procedures.............................7
3 Information, Policies and Procedures.............................6 3.1 Obtaining the Document.......................................8
3.1 Obtaining the Document.......................................7 3.2 Contact Information .........................................9
3.2 Contact Information .........................................8 3.3 Charter ....................................................10
3.3 Charter .....................................................9 3.3.1 Mission Statement.....................................10
3.3.1 Mission Statement......................................9 3.3.2 Constituency..........................................10
3.3.2 Constituency...........................................9 3.3.3 Sponsoring Organization / Affiliation.................11
3.3.3 Sponsoring Organization / Affiliation..................9 3.3.4 Authority.............................................11
3.3.4 Authority.............................................10 3.4 Policies ...................................................11
3.4 Policies ...................................................10 3.4.1 Types of Incidents and Level of Support...............11
3.4.1 Types of Incidents and Level of Support...............10
3.4.2 Co-operation, Interaction and Disclosure of 3.4.2 Co-operation, Interaction and Disclosure of
Information...........................................11 Information...........................................12
3.4.3 Communication and Authentication......................13 3.4.3 Communication and Authentication......................14
3.5 Services ...................................................13 3.5 Services ...................................................15
3.5.1 Incident Response ....................................13 3.5.1 Incident Response ....................................15
3.5.1.1 Incident Triate ..............................14 3.5.1.1 Incident Triage ..............................15
3.5.1.2 Incident Coordination ........................14 3.5.1.2 Incident Coordination ........................15
3.5.1.3 Incident Resolution...........................14 3.5.1.3 Incident Resolution...........................16
3.5.2 Proactive Activities .................................15 3.5.2 Proactive Activities .................................16
3.6 Incident Reporting Forms ...................................15 3.6 Incident Reporting Forms ...................................16
3.7 Disclaimers ................................................15 3.7 Disclaimers ................................................17
Appendix A: Glossary of Terms ....................................18
Appendix A: Glossary of Terms 16 Appendix B: Related Material .....................................20
Appendix C: Known Computer Security Incident Response Teams ......21
Appendix B: Related Material 18 Appendix D: Outline for CSIRT Template ...........................22
Appendix E: Example - 'filled-in' Template for a CSIRT ...........23
Appendix C: Known Computer Security Incident Response Teams 19 4 Acknowlegements ................................................36
5 References .....................................................36
Appendix D: Outline for CSIRT Template 20 6 Security Considerations ........................................36
7 Authors' Addresses .............................................37
Appendix E: Example - 'filled-in' Template for a CSIRT 21 8 Full Copyright Statement .......................................38
4 Acknowlegments 33
5 References 33
6 Security Considerations 33
7 Authors' Addresses 33
Expectations for Computer Security Incident Response 11 September 97
1 Introduction 1 Introduction
The GRIP Working Group was formed to create a document that The GRIP Working Group was formed to create a document that describes
describes the community's expectations of computer security incident the community's expectations of computer security incident response
response teams (CSIRTs). Although the need for such a document teams (CSIRTs). Although the need for such a document originated in
originated in the general Internet community, the expectations the general Internet community, the expectations expressed should
expressed should also closely match those of more restricted also closely match those of more restricted communities.
communities.
In the past there have been misunderstandings regarding what to In the past there have been misunderstandings regarding what to
expect from CSIRTs. The goal of this document is to provide a expect from CSIRTs. The goal of this document is to provide a
framework for presenting the important subjects (related to incident framework for presenting the important subjects (related to incident
response) that are of concern to the community. response) that are of concern to the community.
Before continuing, it is important to clearly understand what is Before continuing, it is important to clearly understand what is
meant by the term "Computer Security Incident Response Team." For meant by the term "Computer Security Incident Response Team." For
the purposes of this document, a CSIRT is a team that performs, the purposes of this document, a CSIRT is a team that performs,
coordinates, and supports the response to security incidents that coordinates, and supports the response to security incidents that
involve sites within a defined constituency (see Appendix A for a involve sites within a defined constituency (see Appendix A for a
more complete definition). Any group calling itself a CSIRT for a more complete definition). Any group calling itself a CSIRT for a
specific constituency must therefore react to reported security specific constituency must therefore react to reported security
incidents, and to threats to "their" constituency in ways which the incidents, and to threats to "their" constituency in ways which the
specific community agrees to be in its general interest. specific community agrees to be in its general interest.
Since it is vital that each member of a constituent community be Since it is vital that each member of a constituent community be able
able to understand what is reasonable to expect of their team, a to understand what is reasonable to expect of their team, a CSIRT
CSIRT should make it clear who belongs to their constituency and should make it clear who belongs to their constituency and define the
define the services the team offers to the community. Additionally, services the team offers to the community. Additionally, each CSIRT
each CSIRT should publish its policies and operating procedures. should publish its policies and operating procedures. Similarly,
Similarly, these same constituents need to know what is expected of these same constituents need to know what is expected of them in
them in order for them to receive the services of their team. This order for them to receive the services of their team. This requires
requires that the team also publish how and where to report that the team also publish how and where to report incidents.
incidents.
This document details a template which will be used by CSIRTs to This document details a template which will be used by CSIRTs to
communicate this information to their constituents. The constituents communicate this information to their constituents. The constituents
should certainly expect a CSIRT to provide the services they describe should certainly expect a CSIRT to provide the services they describe
in the completed template. in the completed template.
It must be emphasised that without active participation from users, It must be emphasized that without active participation from users,
the effectiveness of the CSIRT's services can be greatly diminished. the effectiveness of the CSIRT's services can be greatly diminished.
This is particularly the case with reporting. At a minimum, users This is particularly the case with reporting. At a minimum, users
need to know that they should report security incidents, and know how need to know that they should report security incidents, and know how
and to where they should report them. and to where they should report them.
Many computer security incidents originate outside local community Many computer security incidents originate outside local community
boundaries and affect inside sites, others originate inside the local boundaries and affect inside sites, others originate inside the local
community and affect hosts or users on the outside. Often, community and affect hosts or users on the outside. Often,
therefore, the handling of security incidents will involve multiple therefore, the handling of security incidents will involve multiple
sites and potentially multiple CSIRTs. Resolving these incidents sites and potentially multiple CSIRTs. Resolving these incidents
will require cooperation between individual sites and CSIRTs, and will require cooperation between individual sites and CSIRTs, and
between CSIRTs. between CSIRTs.
Expectations for Computer Security Incident Response 11 September 97
Constituent communities need to know exactly how their CSIRT will be Constituent communities need to know exactly how their CSIRT will be
working with other CSIRTs and organizations outside their working with other CSIRTs and organizations outside their
constituency, and what information will be shared. constituency, and what information will be shared.
The rest of this document describes the set of topics and issues The rest of this document describes the set of topics and issues that
that CSIRTs need to elaborate for their constituents. However, there CSIRTs need to elaborate for their constituents. However, there is no
is no attempt to specify the "correct" answer to any one topic area. attempt to specify the "correct" answer to any one topic area.
Rather, each topic is discussed in terms of what that topic means. Rather, each topic is discussed in terms of what that topic means.
Chapter two provides an overview of three major areas: the Chapter two provides an overview of three major areas: the
publishing of information by a response team, the definition of the publishing of information by a response team, the definition of the
response team's relationship to other response teams, and the need response team's relationship to other response teams, and the need
for secure communications. Chapter three describes in detail all for secure communications. Chapter three describes in detail all the
the types of information that the community needs to know about types of information that the community needs to know about their
their response team. response team.
For ease of use by the community, these topics are condensed into an For ease of use by the community, these topics are condensed into an
outline template found in Appendix D. This template can be used outline template found in Appendix D. This template can be used by
by constituents to elicit information from their CSIRT. constituents to elicit information from their CSIRT.
It is the working group's sincere hope that through clarification It is the working group's sincere hope that through clarification of
of the topics in this document, understanding between the community the topics in this document, understanding between the community and
and its CSIRTs will be increased. its CSIRTs will be increased.
2 Scope 2 Scope
The interactions between an incident response team and its The interactions between an incident response team and its
constituent community response team require first that the community constituent community response team require first that the community
understand the policies and procedures of the response team. understand the policies and procedures of the response team. Second,
Second, since many response teams collaborate to handle incidents, since many response teams collaborate to handle incidents, the
the community must also understand the relationship between their community must also understand the relationship between their
response team and other teams. Finally, many interactions will take response team and other teams. Finally, many interactions will take
advantage of existing public infrastructures, so the community needs advantage of existing public infrastructures, so the community needs
to know how those communications will be protected. Each of these to know how those communications will be protected. Each of these
subjects will be described in more detail in the following three subjects will be described in more detail in the following three
sections. sections.
2.1 Publishing CSIRT Policies and Procedures 2.1 Publishing CSIRT Policies and Procedures
Each user who has access to a Computer Security Incident Response Each user who has access to a Computer Security Incident Response
Team should know as much as possible about the services of and Team should know as much as possible about the services of and
interactions with this team long before he or she actually needs interactions with this team long before he or she actually needs
them. them.
A clear statement of the policies and procedures of a CSIRT helps A clear statement of the policies and procedures of a CSIRT helps the
the constituent understand how best to report incidents and what constituent understand how best to report incidents and what support
support to expect afterwards. Will the CSIRT assist in resolving to expect afterwards. Will the CSIRT assist in resolving the
the incident? Will it provide help in avoiding incidents in the incident? Will it provide help in avoiding incidents in the future?
future? Clear expectations, particularly of the limitations of the Clear expectations, particularly of the limitations of the services
services provided by a CSIRT, will make interaction with it more provided by a CSIRT, will make interaction with it more efficient and
effective.
Expectations for Computer Security Incident Response 11 September 97
efficient and effective.
There are different kinds of response teams: some have very broad There are different kinds of response teams: some have very broad
constituencies (e.g., CERT Coordination Center and the Internet), constituencies (e.g., CERT Coordination Center and the Internet),
others have more bounded constituencies (e.g., DFN-CERT, CIAC), others have more bounded constituencies (e.g., DFN-CERT, CIAC), and
and still others have very restricted constituencies (e.g., still others have very restricted constituencies (e.g., commercial
commercial response teams, corporate response teams). Regardless response teams, corporate response teams). Regardless of the type of
of the type of response team, the constituency supported by it response team, the constituency supported by it must be knowledgeable
must be knowledgeable about the team's policies and procedures. about the team's policies and procedures. Therefore, it is mandatory
Therefore, it is mandatory that response teams publish such that response teams publish such information to their constituency.
information to their constituency.
A CSIRT should communicate all necessary information about its A CSIRT should communicate all necessary information about its
policies and services in a form suitable to the needs of its policies and services in a form suitable to the needs of its
constituency. It is important to understand that not all policies constituency. It is important to understand that not all policies
and procedures need be publicly available. For example, it is not and procedures need be publicly available. For example, it is not
necessary to understand the internal operation of a team in order to necessary to understand the internal operation of a team in order to
interact with it, as when reporting an incident or receiving interact with it, as when reporting an incident or receiving guidance
guidance on how to analyze or secure one's systems. on how to analyze or secure one's systems.
In the past, some teams supplied a kind of Operational Framework, In the past, some teams supplied a kind of Operational Framework,
others provided a Frequently Asked Questions list (FAQ), while still others provided a Frequently Asked Questions list (FAQ), while still
others wrote papers for distribution at user conferences or sent others wrote papers for distribution at user conferences or sent
newsletters. newsletters.
We recommend that each CSIRT publish its guidelines and procedures We recommend that each CSIRT publish its guidelines and procedures on
on its own information server (e.g. a World Wide Web server). This its own information server (e.g. a World Wide Web server). This
would allow constituents to easily access it, though the problem would allow constituents to easily access it, though the problem
remains of how a constituent can find "his" or "her" team; people remains of how a constituent can find his or her team; people within
within the constituency have to discover that there is a CSIRT "at the constituency have to discover that there is a CSIRT "at their
their disposal." disposal."
It is foreseen that completed CSIRT templates will soon become It is foreseen that completed CSIRT templates will soon become
searchable by modern search engines, which will aid in distributing searchable by modern search engines, which will aid in distributing
information about the existence of CSIRTs and basic information information about the existence of CSIRTs and basic information
required to approach them. required to approach them.
It would be very useful to have a central repository containing all It would be very useful to have a central repository containing all
the completed CSIRT templates. No such repository exists at the the completed CSIRT templates. No such repository exists at the time
time of writing, though this might change in the future. of writing, though this might change in the future.
Regardless of the source from which the information is retrieved, Regardless of the source from which the information is retrieved, the
the user of the template must check its authenticity. It is highly user of the template must check its authenticity. It is highly
recommended that such vital documents be protected by digital recommended that such vital documents be protected by digital
signatures. These will allow the user to verify that the template signatures. These will allow the user to verify that the template
was indeed published by the CSIRT and that it has not been tampered was indeed published by the CSIRT and that it has not been tampered
with. This document assumes the reader is familiar with the proper with. This document assumes the reader is familiar with the proper
use of digital signatures to determine whether a document is use of digital signatures to determine whether a document is
authentic. authentic.
Expectations for Computer Security Incident Response 11 September 97
2.2 Relationships between different CSIRTs 2.2 Relationships between different CSIRTs
In some cases a CSIRT may be able to operate effectively on its own In some cases a CSIRT may be able to operate effectively on its own
and in close cooperation with its constituency. But with today's and in close cooperation with its constituency. But with today's
international networks it is much more likely that most of the international networks it is much more likely that most of the
incidents handled by a CSIRT will involve parties external to its incidents handled by a CSIRT will involve parties external to its
constituency. Therefore the team will need to interact with other constituency. Therefore the team will need to interact with other
CSIRTs and sites outside its constituency. CSIRTs and sites outside its constituency.
The constituent community should understand the nature and extent of The constituent community should understand the nature and extent of
this collaboration, as very sensitive information about individual this collaboration, as very sensitive information about individual
constituents may be disclosed in the process. constituents may be disclosed in the process.
Inter-CSIRT interactions could include asking other teams for Inter-CSIRT interactions could include asking other teams for advice,
advice, disseminating knowledge of problems, and working disseminating knowledge of problems, and working cooperatively to
cooperatively to resolve a security incident affecting one or resolve a security incident affecting one or more of the CSIRTs'
more of the CSIRTs' constituencies. constituencies.
In establishing relationships to support such interactions, CSIRTs In establishing relationships to support such interactions, CSIRTs
must decide what kinds of agreements can exist between them so as to must decide what kinds of agreements can exist between them so as to
share yet safeguard information, whether this relationship can be share yet safeguard information, whether this relationship can be
disclosed, and if so to whom. disclosed, and if so to whom.
Note that there is a difference between a peering agreement, where Note that there is a difference between a peering agreement, where
the CSIRTs involved agree to work together and share information, the CSIRTs involved agree to work together and share information, and
and simple co-operation, where a CSIRT (or any other organization) simple co-operation, where a CSIRT (or any other organization) simply
simply contacts another CSIRT and asks for help or advice. contacts another CSIRT and asks for help or advice.
Although the establishment of such relationships is very important Although the establishment of such relationships is very important
and affects the ability of a CSIRT to support its constituency, it and affects the ability of a CSIRT to support its constituency, it is
is up to the teams involved to decide about the details. It is up to the teams involved to decide about the details. It is beyond
beyond the scope of this document to make recommendations for this the scope of this document to make recommendations for this process.
process. However, the same set of information used to set However, the same set of information used to set expectations for a
expectations for a user community regarding sharing of information user community regarding sharing of information will help other
will help other parties to understand the objectives and services parties to understand the objectives and services of a specific
of a specific CSIRT, supporting a first contact. CSIRT, supporting a first contact.
2.3 Establishing Secure Communications 2.3 Establishing Secure Communications
Once one party has decided to share information with another party, Once one party has decided to share information with another party,
or two parties have agreed to share information or work together - or two parties have agreed to share information or work together - as
as required for the coordination of computer security incident required for the coordination of computer security incident response
response - all parties involved need secure communications channels. - all parties involved need secure communications channels. (In this
(In this context, "secure" refers to the protected transmission of context, "secure" refers to the protected transmission of information
information shared between different parties, and not to the shared between different parties, and not to the appropriate use of
appropriate use of the information by the parties.) the information by the parties.)
The goals of secure communication are: The goals of secure communication are:
- Confidentiality: - Confidentiality:
Can somebody else access the content of the communication? Can somebody else access the content of the communication?
Expectations for Computer Security Incident Response 11 September 97
- Integrity: - Integrity:
Can somebody else manipulate the content of the communication? Can somebody else manipulate the content of the communication?
- Authenticity: - Authenticity:
Am I communicating with the "right" person? Am I communicating with the "right" person?
It is very easy to send forged e-mail, and not hard to establish a It is very easy to send forged e-mail, and not hard to establish a
(false) identity by telephone. Cryptographic techniques, for (false) identity by telephone. Cryptographic techniques, for
example Pretty Good Privacy (PGP) or Privacy Enhanced Mail (PEM) example Pretty Good Privacy (PGP) or Privacy Enhanced Mail (PEM) can
can provide effective ways of securing e-mail. With the correct provide effective ways of securing e-mail. With the correct
equipment it is also possible to secure telephone communication. equipment it is also possible to secure telephone communication. But
But before using such mechanisms, both parties need the "right" before using such mechanisms, both parties need the "right"
infrastructure, which is to say preparation in advance. The infrastructure, which is to say preparation in advance. The most
most important preparation is ensuring the authenticity of the important preparation is ensuring the authenticity of the
cryptographic keys used in secure communication: cryptographic keys used in secure communication:
- Public keys (for techniques like PGP and PEM): - Public keys (for techniques like PGP and PEM):
Because they are accessible through the Internet, public keys must Because they are accessible through the Internet, public keys must
be authenticated before use. While PGP relies on a "Web of Trust" be authenticated before use. While PGP relies on a "Web of Trust"
(where users sign the keys of other users), PEM relies on a (where users sign the keys of other users), PEM relies on a
hierarchy (where certification authorities sign the keys of users). hierarchy (where certification authorities sign the keys of users).
- Secret keys (for techniques like DES and PGP/conventional - Secret keys (for techniques like DES and PGP/conventional
encryption): Because these must be known to both sender and encryption): Because these must be known to both sender and
skipping to change at page 6, line 42 skipping to change at page 7, line 25
via a secure channel. via a secure channel.
Communication is critical to all aspects of incident response. A Communication is critical to all aspects of incident response. A
team can best support the use of the above-mentioned techniques by team can best support the use of the above-mentioned techniques by
gathering all relevant information, in a consistent way. Specific gathering all relevant information, in a consistent way. Specific
requirements (such as calling a specific number to check the requirements (such as calling a specific number to check the
authenticity of keys) should be clear from the start. CSIRT authenticity of keys) should be clear from the start. CSIRT
templates provide a standardized vehicle for delivering this templates provide a standardized vehicle for delivering this
information. information.
It is beyond the scope of this document to address the technical It is beyond the scope of this document to address the technical and
and administrative problems of secure communications. The point is administrative problems of secure communications. The point is that
that response teams must support and use a method to secure the response teams must support and use a method to secure the
communications between themselves and their constituents (or other communications between themselves and their constituents (or other
response teams). Whatever the mechanism is, the level of protection response teams). Whatever the mechanism is, the level of protection
it provides must be acceptable to the constituent community. it provides must be acceptable to the constituent community.
3 Information, Policies and Procedures 3 Information, Policies and Procedures
In chapter 2 it was mentioned that the policies and procedures of a In chapter 2 it was mentioned that the policies and procedures of a
response team need to be published to their constituent community. response team need to be published to their constituent community.
In this chapter we will list all the types of information that the In this chapter we will list all the types of information that the
community needs to receive from its response team. How this community needs to receive from its response team. How this
information is communicated to a community will differ from team to information is communicated to a community will differ from team to
team, as will the specific information content. The intent here is team, as will the specific information content. The intent here is
to clearly describe the various kinds of information that a to clearly describe the various kinds of information that a
constituent community expects from its response team. constituent community expects from its response team.
Expectations for Computer Security Incident Response 11 September 97 To make it easier to understand the issues and topics relevant to the
interaction of constituents with "their" CSIRT, we suggest that a
To make it easier to understand the issues and topics relevant to CSIRT publish all information, policies, and procedures addressing
the interaction of constituents with "their" CSIRT, we suggest that
a CSIRT publish all information, policies, and procedures addressing
its constituency as a document, following the template given in its constituency as a document, following the template given in
Appendix D. The template structure arranges items, making it easy Appendix D. The template structure arranges items, making it easy to
to supply specific information; in Appendix E we provide an example supply specific information; in Appendix E we provide an example of a
of a filled-out template for the fictitious XYZ University. While filled-out template for the fictitious XYZ University. While no
no recommendations are made as to what a CSIRT should adopt for its recommendations are made as to what a CSIRT should adopt for its
policy or procedures, different possibilities are outlined to give policy or procedures, different possibilities are outlined to give
some examples. The most important thing is that a CSIRT have a some examples. The most important thing is that a CSIRT have a
policy and that those who interact with the CSIRT be able to obtain policy and that those who interact with the CSIRT be able to obtain
and understand it. and understand it.
As always, not every aspect for every environment and/or team can As always, not every aspect for every environment and/or team can be
be covered. This outline should be seen as a suggestion. Each team covered. This outline should be seen as a suggestion. Each team
should feel free to include whatever they think is necessary to should feel free to include whatever they think is necessary to
support its constituency. support its constituency.
3.1 Obtaining the Document 3.1 Obtaining the Document
Details of a CSIRT change with time, so the completed template must Details of a CSIRT change with time, so the completed template must
indicate when it was last changed. Additionally, information should indicate when it was last changed. Additionally, information should
be provided concerning how to find out about future updates. Without be provided concerning how to find out about future updates. Without
this, it is inevitable that misunderstandings and misconceptions this, it is inevitable that misunderstandings and misconceptions will
will arise over time; outdated documents can do more harm than good. arise over time; outdated documents can do more harm than good.
- Date of last update This should be sufficient to allow - Date of last update This should be sufficient to allow
anyone interested to evaluate the anyone interested to evaluate the
currency of the template. currency of the template.
- Distribution list Mailing lists are a convenient - Distribution list Mailing lists are a convenient
mechanism to distribute up-to-date mechanism to distribute up-to-date
information to a large number of information to a large number of
users. A team can decide to use its users. A team can decide to use its
own or an already existing list to own or an already existing list to
skipping to change at page 8, line 5 skipping to change at page 9, line 5
- Location of the document The location where a current version - Location of the document The location where a current version
of the document is accessible through of the document is accessible through
a team's online information services. a team's online information services.
Constituents can then easily learn Constituents can then easily learn
more about the team and check for more about the team and check for
recent updates. This online version recent updates. This online version
should also be accompanied by a should also be accompanied by a
digital signature. digital signature.
Expectations for Computer Security Incident Response 11 September 97
3.2 Contact Information 3.2 Contact Information
Full details of how to contact the CSIRT should be listed here, Full details of how to contact the CSIRT should be listed here,
although this might be very different for different teams; for although this might be very different for different teams; for
example, some might choose not to publicize the names of their team example, some might choose not to publicize the names of their team
members. No further clarification is given when the meaning of the members. No further clarification is given when the meaning of the
item can be assumed. item can be assumed.
- Name of the CSIRT - Name of the CSIRT
skipping to change at page 8, line 50 skipping to change at page 9, line 48
- Team members - Team members
- Operating Hours The operating hours and holiday - Operating Hours The operating hours and holiday
schedule should be provided here. schedule should be provided here.
Is there a 24 hour hotline? Is there a 24 hour hotline?
- Additional Contact Info Is there any specific customer - Additional Contact Info Is there any specific customer
contact info? contact info?
More detailed contact information can be provided. This might More detailed contact information can be provided. This might
include different contacts for different services, or might be a include different contacts for different services, or might be a list
list of online information services. If specific procedures for of online information services. If specific procedures for access to
access to some services exist (for example addresses for mailing some services exist (for example addresses for mailing list
list requests), these should be explained here. requests), these should be explained here.
Expectations for Computer Security Incident Response 11 September 97
3.3 Charter 3.3 Charter
Every CSIRT must have a charter which specifies what it is to do, Every CSIRT must have a charter which specifies what it is to do, and
and the authority under which it will do it. The charter should the authority under which it will do it. The charter should include
include at least the following items: at least the following items:
- Mission statement - Mission statement
- Constituency - Constituency
- Sponsorship / affiliation - Sponsorship / affiliation
- Authority - Authority
3.3.1 Mission Statement 3.3.1 Mission Statement
The mission statement should focus on the team's core activities, The mission statement should focus on the team's core activities,
already stated in the definition of a CSIRT. In order to be already stated in the definition of a CSIRT. In order to be
considered a Computer Security Incident Response Team, the team must considered a Computer Security Incident Response Team, the team must
support the reporting of incidents and support its constituency by support the reporting of incidents and support its constituency by
dealing with incidents. dealing with incidents.
The goals and purposes of a team are especially important, and The goals and purposes of a team are especially important, and
require clear, unambiguous definition. require clear, unambiguous definition.
3.3.2 Constituency 3.3.2 Constituency
A CSIRT's constituency can be determined in any of several ways. A CSIRT's constituency can be determined in any of several ways. For
For example it could be a company's employees or its paid example it could be a company's employees or its paid subscribers, or
subscribers, or it could be defined in terms of a technological it could be defined in terms of a technological focus, such as the
focus, such as the users of a particular operating system. users of a particular operating system.
The definition of the constituency should create a perimeter around The definition of the constituency should create a perimeter around
the group to whom the team will provide service. The policy section the group to whom the team will provide service. The policy section
of the document (see below) should explain how requests from outside of the document (see below) should explain how requests from outside
this perimeter will be handled. this perimeter will be handled.
If a CSIRT decides not to disclose its constituency, it should If a CSIRT decides not to disclose its constituency, it should
explain the reasoning behind this decision. For example, for-fee explain the reasoning behind this decision. For example, for-fee
CSIRTs will not list their clients but will declare that they CSIRTs will not list their clients but will declare that they provide
provide a service to a large group of customers that are kept a service to a large group of customers that are kept confidential
confidential because of the clients' contracts. because of the clients' contracts.
Constituencies might overlap, as when an ISP provides a CSIRT which Constituencies might overlap, as when an ISP provides a CSIRT which
delivers services to customer sites that also have CSIRTs. The delivers services to customer sites that also have CSIRTs. The
Authority section of the CSIRT's description (see below) should Authority section of the CSIRT's description (see below) should make
make such relationships clear. such relationships clear.
3.3.3 Sponsoring Organization / Affiliation 3.3.3 Sponsoring Organization / Affiliation
The sponsoring organization, which authorizes the actions of the The sponsoring organization, which authorizes the actions of the
CSIRT, should be given next. Knowing this will help the users to CSIRT, should be given next. Knowing this will help the users to
Expectations for Computer Security Incident Response 11 September 97
understand the background and set-up of the CSIRT, and it is vital understand the background and set-up of the CSIRT, and it is vital
information for building trust between a constituent and a CSIRT. information for building trust between a constituent and a CSIRT.
3.3.4 Authority 3.3.4 Authority
This section will vary greatly from one CSIRT to another, based on This section will vary greatly from one CSIRT to another, based on
the relationship between the team and its constituency. While an the relationship between the team and its constituency. While an
organizational CSIRT will be given its authority by the management organizational CSIRT will be given its authority by the management of
of the organization, a community CSIRT will be supported and chosen the organization, a community CSIRT will be supported and chosen by
by the community, usually in a advisory role. the community, usually in a advisory role.
A CSIRT may or may not have the authority to intervene in the A CSIRT may or may not have the authority to intervene in the
operation of all of the systems within its perimeter. It should operation of all of the systems within its perimeter. It should
identify the scope of its control as distinct from the perimeter of identify the scope of its control as distinct from the perimeter of
its constituency. If other CSIRTs operate hierarchically within its its constituency. If other CSIRTs operate hierarchically within its
perimeter, this should be mentioned here, and the related CSIRTs perimeter, this should be mentioned here, and the related CSIRTs
identified. identified.
Disclosure of a team's authority may expose it to claims of Disclosure of a team's authority may expose it to claims of
liability. Every team should seek legal advice on these matters. liability. Every team should seek legal advice on these matters.
(See section 3.7 for more on liability.) (See section 3.7 for more on liability.)
3.4 Policies 3.4 Policies
It is critical that Incident Response Teams define their policies. It is critical that Incident Response Teams define their policies.
The following sections discuss communication of these policies to The following sections discuss communication of these policies to the
the constituent community. constituent community.
3.4.1 Types of Incidents and Level of Support 3.4.1 Types of Incidents and Level of Support
The types of incident which the team is able to address, and the The types of incident which the team is able to address, and the
level of support which the team will offer when responding to each level of support which the team will offer when responding to each
type of incident, should be summarized here in list form. The type of incident, should be summarized here in list form. The
Services section (see below) provides the opportunity to give more Services section (see below) provides the opportunity to give more
detailed descriptions, and to address non-incident-related topics. detailed descriptions, and to address non-incident-related topics.
The level of support may change depending on factors such as the The level of support may change depending on factors such as the
team's workload and the completeness of the information available. team's workload and the completeness of the information available.
Such factors should be outlined and their impact should be Such factors should be outlined and their impact should be explained.
explained. As a list of known types of incidents will be incomplete As a list of known types of incidents will be incomplete with regard
with regard to possible or future incidents, a CSIRT should also give to possible or future incidents, a CSIRT should also give some
some background on the "default" support for incident types not background on the "default" support for incident types not otherwise
otherwise mentioned. mentioned.
The team should state whether it will act on information it receives The team should state whether it will act on information it receives
about vulnerabilities which create opportunities for future about vulnerabilities which create opportunities for future
incidents. A commitment to act on such information on behalf of its incidents. A commitment to act on such information on behalf of its
constituency is regarded as an optional proactive service policy constituency is regarded as an optional proactive service policy
rather than a core service requirement for a CSIRT. rather than a core service requirement for a CSIRT.
Expectations for Computer Security Incident Response 11 September 97
3.4.2 Co-operation, Interaction and Disclosure of Information 3.4.2 Co-operation, Interaction and Disclosure of Information
This section should make explicit which related groups the CSIRT This section should make explicit which related groups the CSIRT
routinely interacts with. Such interactions are not necessarily routinely interacts with. Such interactions are not necessarily
related to the computer security incident response provided, but are related to the computer security incident response provided, but are
used to facilitate better cooperation on technical topics or used to facilitate better cooperation on technical topics or
services. By no means need details about cooperation agreements be services. By no means need details about cooperation agreements be
given out; the main objective of this section is to give the given out; the main objective of this section is to give the
constituency a basic understanding of what kind of interactions are constituency a basic understanding of what kind of interactions are
established and what their purpose is. established and what their purpose is.
The reporting and disclosure policy should make clear who will be Cooperation between CSIRTs can be facilitated by the use of unique
the recipients of a CSIRT's report in each circumstance. It should ticket number assignment combined with explicit handoff procedures.
also note whether the team will expect to operate through another This reduces the chance of misunderstandings, duplications of effort,
CSIRT or directly with a member of another constituency over matters assists in incident tracking and prevents 'loops' in communication.
The reporting and disclosure policy should make clear who will be the
recipients of a CSIRT's report in each circumstance. It should also
note whether the team will expect to operate through another CSIRT or
directly with a member of another constituency over matters
specifically concerning that member. specifically concerning that member.
Important examples of related groups a CSIRT will interact with are Related groups a CSIRT will interact with are listed below:
listed below.
Incident Response Teams: Incident Response Teams:
A CSIRT will often need to interact with other CSIRTs. For A CSIRT will often need to interact with other CSIRTs. For
example a CSIRT within a large company may need to report example a CSIRT within a large company may need to report
incidents to a national CSIRT, and a national CSIRT may need to incidents to a national CSIRT, and a national CSIRT may need to
report incidents to national CSIRTs in other countries to deal report incidents to national CSIRTs in other countries to deal
with all sites involved in a large-scale attack. with all sites involved in a large-scale attack.
Collaboration between CSIRTs may lead to disclosure of Collaboration between CSIRTs may lead to disclosure of
information. The following are examples of such disclosure, information. The following are examples of such disclosure, but
but are not intended to be an exhaustive list: are not intended to be an exhaustive list:
- Reporting incidents within the constituency to other teams. - Reporting incidents within the constituency to other teams.
If this is done, site-related information may become public If this is done, site-related information may become public
knowledge, accessible to everyone, in particular the press. knowledge, accessible to everyone, in particular the press.
- Handling incidents occurring within the constituency, but - Handling incidents occurring within the constituency, but
reported from outside it (which implies that some information reported from outside it (which implies that some information
has already been disclosed off-site). has already been disclosed off-site).
- Reporting observations from within the constituency indicating - Reporting observations from within the constituency indicating
suspected or confirmed incidents outside it. suspected or confirmed incidents outside it.
- Acting on reports of incidents occurring outside the - Acting on reports of incidents from outside the constituency.
constituency.
- Passing information about vulnerabilities to vendors, to - Passing information about vulnerabilities to vendors, to
partner CSIRTs or directly to affected sites lying within or partner CSIRTs or directly to affected sites lying within or
outside the constituency. outside the constituency.
- Feedback to parties reporting incidents or vulnerabilities. - Feedback to parties reporting incidents or vulnerabilities.
Expectations for Computer Security Incident Response 11 September 97
- The provision of contact information relating to members of - The provision of contact information relating to members of
the constituency, members of other constituencies, other the constituency, members of other constituencies, other
CSIRTs, or law-enforcement agencies. CSIRTs, or law-enforcement agencies.
Vendors: Vendors:
Some vendors have their own CSIRTs, but some vendors may not. Some vendors have their own CSIRTs, but some vendors may not. In
In such cases a CSIRT will need to work directly with a vendor to such cases a CSIRT will need to work directly with a vendor to
suggest improvements or modifications, to analyse the technical suggest improvements or modifications, to analyze the technical
problem or to test provided solutions. Vendors play a special problem or to test provided solutions. Vendors play a special
role in handling an incident if their products' vulnerabilities role in handling an incident if their products' vulnerabilities
are involved in the incident. are involved in the incident.
Law-enforcement agencies: Law-enforcement agencies:
These include the police and other investigative agencies. CSIRTs These include the police and other investigative agencies. CSIRTs
and users of the template should be sensitive to local laws and and users of the template should be sensitive to local laws and
regulations, which may vary considerably in different countries. regulations, which may vary considerably in different countries.
A CSIRT might advise on technical details of attacks or seek A CSIRT might advise on technical details of attacks or seek
advice on the legal implications of an incident. Local laws and advice on the legal implications of an incident. Local laws and
regulations may include specific reporting and confidentiality regulations may include specific reporting and confidentiality
requirements. requirements.
Press: Press:
A CSIRT may be approached by the press for information and A CSIRT may be approached by the press for information and comment
comment from time to time. from time to time.
An explicit policy concerning disclosure to the press can be An explicit policy concerning disclosure to the press can be
helpful, particularly in clarifying the expectations of a CSIRT's helpful, particularly in clarifying the expectations of a CSIRT's
constituency. The press policy will have to clarify the same constituency. The press policy will have to clarify the same
topics as above more specifically, as the constituency will topics as above more specifically, as the constituency will
usually be very sensitive to press contacts. usually be very sensitive to press contacts.
Other: Other:
This might include research activities or the relation to the This might include research activities or the relation to the
sponsoring organization. sponsoring organization.
The default status of any and all security-related information which The default status of any and all security-related information which
a team receives will usually be 'confidential,' but rigid adherence a team receives will usually be 'confidential,' but rigid adherence
to this makes the team to appear to be an informational 'black to this makes the team to appear to be an informational 'black hole,'
hole,' which may reduce the likelihood of the team's obtaining which may reduce the likelihood of the team's obtaining cooperation
cooperation from clients and from other organizations. The CSIRT's from clients and from other organizations. The CSIRT's template
template should define what information it will report or disclose, should define what information it will report or disclose, to whom,
to whom, and when. and when.
Different teams are likely to be subject to different legal Different teams are likely to be subject to different legal
restraints requiring or limiting disclosure, especially if they work restraints requiring or limiting disclosure, especially if they work
in different jurisdictions. In addition, they may have reporting in different jurisdictions. In addition, they may have reporting
requirements imposed by their sponsoring organization. Each team's requirements imposed by their sponsoring organization. Each team's
template should specify any such constraints, both to clarify users' template should specify any such constraints, both to clarify users'
expectations and to inform other teams. expectations and to inform other teams.
Conflicts of interest, particularly in commercial matters, may also Conflicts of interest, particularly in commercial matters, may also
restrain disclosure by a team; this document does not recommend on restrain disclosure by a team; this document does not recommend on
how such conflicts should be addressed. how such conflicts should be addressed.
Expectations for Computer Security Incident Response 11 September 97
A team will normally collect statistics. If statistical information A team will normally collect statistics. If statistical information
is distributed, the template's reporting and disclosure policy is distributed, the template's reporting and disclosure policy should
should say so, and should describe how to obtain such statistics. say so, and should describe how to obtain such statistics.
3.4.3 Communication and Authentication 3.4.3 Communication and Authentication
You must have a policy which describes methods of secure and You must have a policy which describes methods of secure and
verifiable communication that you will use. This is necessary for verifiable communication that you will use. This is necessary for
communication between CSIRTs and between a CSIRT and its communication between CSIRTs and between a CSIRT and its
constituents. The template should include public keys or pointers constituents. The template should include public keys or pointers to
to them, including key fingerprints, together with guidelines on how them, including key fingerprints, together with guidelines on how to
to use this information to check authenticity and how to deal with use this information to check authenticity and how to deal with
corrupted information (for example where to report this fact). corrupted information (for example where to report this fact).
At the moment it is recommended that as a minimum every CSIRT have At the moment it is recommended that as a minimum every CSIRT have
(if possible), a PGP key available. A team may also (if possible), a PGP key available. A team may also make other
make other mechanisms available (for example PEM, MOSS, S/MIME), mechanisms available (for example PEM, MOSS, S/MIME), according to
according to its needs and the needs of its constituents. Note its needs and the needs of its constituents. Note however, that
however, that CSIRTs and users should be sensitive to local laws and CSIRTs and users should be sensitive to local laws and regulations.
regulations. Some countries do not allow strong encryption, or Some countries do not allow strong encryption, or enforce specific
enforce specific policies on the use of encryption technology. In policies on the use of encryption technology. In addition to
addition to encrypting sensitive information whenever possible, encrypting sensitive information whenever possible, correspondence
correspondence should include digital signatures. (Please note that should include digital signatures. (Please note that in most
in most countries, the protection of authenticity by using digital countries, the protection of authenticity by using digital signatures
signatures is not affected by existing encryption regulations.) is not affected by existing encryption regulations.)
For communication via telephone or facsimile a CSIRT may keep secret For communication via telephone or facsimile a CSIRT may keep secret
authentication data for parties with whom they may deal, such as an authentication data for parties with whom they may deal, such as an
agreed password or phrase. Obviously, such secret keys must not be agreed password or phrase. Obviously, such secret keys must not be
published, though their existence may be. published, though their existence may be.
3.5 Services 3.5 Services
Services provided by a CSIRT can be roughly divided into two Services provided by a CSIRT can be roughly divided into two
categories: real-time activities directly related to the main task categories: real-time activities directly related to the main task of
of incident response, and non-real-time proactive activities, incident response, and non-real-time proactive activities, supportive
supportive of the incident response task. The second category and of the incident response task. The second category and part of the
part of the first category consist of services which are optional first category consist of services which are optional in the sense
in the sense that not all CSIRTs will offer them. that not all CSIRTs will offer them.
3.5.1 Incident Response 3.5.1 Incident Response
Incident response usually includes assessing incoming reports about Incident response usually includes assessing incoming reports about
incidents ("Incident Triage") and following up on these with other incidents ("Incident Triage") and following up on these with other
CSIRTs, ISPs and sites ("Incident Coordination"). A third range of CSIRTs, ISPs and sites ("Incident Coordination"). A third range of
services, helping a local site to recover from an incident services, helping a local site to recover from an incident ("Incident
("Incident Resolution"), is comprised of typically optional Resolution"), is comprised of typically optional services, which not
services, which not all CSIRTs will offer. all CSIRTs will offer.
Expectations for Computer Security Incident Response 11 September 97
3.5.1.1 Incident Triage 3.5.1.1 Incident Triage
Incident triage usually includes: Incident triage usually includes:
- Report assessment Interpreting incoming incident - Report assessment Interpretion of incoming incident
reports, prioritizing them,and reports, prioritizing them, and
relating them to ongoing incidents relating them to ongoing incidents
and trends. and trends.
- Verification Help in determining whether an - Verification Help in determining whether an
incident has really occurred, and incident has really occurred, and
its scope. its scope.
3.5.1.2 Incident Coordination 3.5.1.2 Incident Coordination
Incident Coordination normally includes: Incident Coordination normally includes:
- Information categorization Categorization the incident related - Information categorization Categorization of the incident related
information (logfiles, contact information (logfiles, contact
information, etc.) with respect to information, etc.) with respect to
the information disclosure policy. the information disclosure policy.
- Coordination Notification of other involved - Coordination Notification of other involved
parties on a need-to-know basis, as parties on a need-to-know basis, as
per the information disclosure per the information disclosure
policy. policy.
3.5.1.3 Incident Resolution 3.5.1.3 Incident Resolution
skipping to change at page 15, line 5 skipping to change at page 16, line 23
- Eradication Elimination of the cause of a - Eradication Elimination of the cause of a
security incident (the vulnerability security incident (the vulnerability
exploited), and its effects (for exploited), and its effects (for
example, continuing access to the example, continuing access to the
system by an intruder). system by an intruder).
- Recovery Aid in restoring affected systems - Recovery Aid in restoring affected systems
and services to their status before and services to their status before
the security incident. the security incident.
Expectations for Computer Security Incident Response 11 September 97
3.5.2. Proactive Activities 3.5.2. Proactive Activities
Usually additional or optional, proactive services might include: Usually additional or optional, proactive services might include:
- Information provision This might include an archive of - Information provision This might include an archive of
known vulnerabilities, patches or known vulnerabilities, patches or
resolutions of past problems, or resolutions of past problems, or
advisory mailing lists. advisory mailing lists.
- Security Tools This may include tools for auditing - Security Tools This may include tools for auditing
a Site's security. a Site's security.
- Education and training - Education and training
- Product evaluation - Product evaluation
- Site security auditing and consulting - Site security auditing and consulting
3.6 Incident Reporting Forms 3.6 Incident Reporting Forms
The use of reporting forms makes it simpler for both users and The use of reporting forms makes it simpler for both users and teams
teams to deal with incidents. The constituent can prepare answers to deal with incidents. The constituent can prepare answers to
to various important questions before he or she actually contacts various important questions before he or she actually contacts the
the team, and can therefore come well prepared. The team gets all team, and can therefore come well prepared. The team gets all the
the necessary information at once with the first report and can necessary information at once with the first report and can proceed
proceed efficiently. efficiently.
Depending on the objectives and services of a particular CSIRT, Depending on the objectives and services of a particular CSIRT,
multiple forms may be used, for example a reporting form for a new multiple forms may be used, for example a reporting form for a new
vulnerability may be very different from the form used for reporting vulnerability may be very different from the form used for reporting
incidents. incidents.
It is most efficient to provide forms through the online information It is most efficient to provide forms through the online information
services of the team. The exact pointers to them should be given in services of the team. The exact pointers to them should be given in
the CSIRT description document, together with statements about the CSIRT description document, together with statements about
appropriate use, and guidelines for when and how to use the forms. appropriate use, and guidelines for when and how to use the forms. If
If separate e-mail addresses are supported for form-based reporting, separate e-mail addresses are supported for form-based reporting,
they should be listed here again. they should be listed here again.
One example of such a form is the Incident Reporting Form provided One example of such a form is the Incident Reporting Form provided by
by the CERT Coordination Center: the CERT Coordination Center:
- ftp://info.cert.org/incident_reporting_form - ftp://info.cert.org/incident_reporting_form
3.7 Disclaimers 3.7 Disclaimers
Although the CSIRT description document does not constitute a Although the CSIRT description document does not constitute a
contract, liability may conceivably result from its descriptions of contract, liability may conceivably result from its descriptions of
services and purposes. The inclusion of a disclaimer at the end of services and purposes. The inclusion of a disclaimer at the end of
the template is therefore recommended and should warn the user about the template is therefore recommended and should warn the user about
possible limitations. possible limitations.
Expectations for Computer Security Incident Response 11 September 97
In situations where the original version of a document must be In situations where the original version of a document must be
translated into another language, the translation should carry a translated into another language, the translation should carry a
disclaimer and a pointer to the original. For example: disclaimer and a pointer to the original. For example:
Although we tried to carefully translate the original Although we tried to carefully translate the original document
document from German into English, we can not be certain from German into English, we can not be certain that both
that both documents express the same thoughts in the same documents express the same thoughts in the same level of detail
level of detail and correctness. In all cases, where there and correctness. In all cases, where there is a difference
is a difference between both versions, the German version between both versions, the German version will prevail.
will prevail.
The use of and protection by disclaimers is affected by local laws The use of and protection by disclaimers is affected by local laws
and regulations, of which each CSIRT should be aware. If in doubt and regulations, of which each CSIRT should be aware. If in doubt the
the CSIRT should check the disclaimer with a lawyer. CSIRT should check the disclaimer with a lawyer.
Appendix A: Glossary of Terms Appendix A: Glossary of Terms
This glossary defines terms used in describing security incidents This glossary defines terms used in describing security incidents and
and Computer Security Incident Response Teams. Only a limited list Computer Security Incident Response Teams. Only a limited list is
is included. For more definitions please refer to other sources, included. For more definitions please refer to other sources, for
for example to the Internet User's Glossary [RFC 1983]. example to the Internet User's Glossary [RFC 1983].
Constituency: Constituency:
Implicit in the purpose of a Computer Security Incident Response Implicit in the purpose of a Computer Security Incident Response
Team is the existence of a constituency. This is the group of Team is the existence of a constituency. This is the group of
users, sites, networks or organizations served by the team. The users, sites, networks or organizations served by the team. The
team must be recognized by its constituency in order to be team must be recognized by its constituency in order to be
effective. effective.
Security Incident: Security Incident:
For the purpose of this document, this term is a synonym of For the purpose of this document, this term is a synonym of
Computer Security Incident: any adverse event which compromises Computer Security Incident: any adverse event which compromises
some aspect of computer or network security. some aspect of computer or network security.
The definition of an incident may vary between organizations, but The definition of an incident may vary between organizations, but
at least the following categories are generally applicable: at least the following categories are generally applicable:
- Loss of confidentiality of information. - Loss of confidentiality of information.
- Compromise of integrity of information. - Compromise of integrity of information.
- Denial of service. - Denial of service.
- Misuse of service, systems or information. - Misuse of service, systems or information.
- Damage to systems. - Damage to systems.
These are very general categories. For instance the replacement These are very general categories. For instance the replacement
of a system utility program by a Trojan Horse is an example of of a system utility program by a Trojan Horse is an example of '
'compromise of integrity,' and a successful password attack is an compromise of integrity,' and a successful password attack is an
example of 'loss of confidentiality.' Attacks, even if they example of 'loss of confidentiality.' Attacks, even if they
failed because of proper protection, can be regarded as failed because of proper protection, can be regarded as Incidents.
Incidents.
Within the definition of an incident the word 'compromised' is Within the definition of an incident the word 'compromised' is
Expectations for Computer Security Incident Response 11 September 97
used. Sometimes an administrator may only 'suspect' an incident. used. Sometimes an administrator may only 'suspect' an incident.
During the response it must be established whether or not an During the response it must be established whether or not an
incident has really occurred. incident has really occurred.
Computer Security Incident Response Team: Computer Security Incident Response Team:
Based on two of the definitions given above, a CSIRT is a team Based on two of the definitions given above, a CSIRT is a team
that coordinates and supports the response to security incidents that coordinates and supports the response to security incidents
that involve sites within a defined constituency. that involve sites within a defined constituency.
In order to be considered a CSIRT, a team must: In order to be considered a CSIRT, a team must:
- Provide a (secure) channel for receiving reports about - Provide a (secure) channel for receiving reports about
suspected incidents. suspected incidents.
- Provide assistance to members of its constituency in
handling these incidents. - Provide assistance to members of its constituency in
- Disseminate incident-related information to its handling these incidents.
constituency and to other involved parties. - Disseminate incident-related information to its
constituency and to other involved parties.
Note that we are not referring here to police or other law Note that we are not referring here to police or other law
enforcement bodies which may investigate computer-related crime. enforcement bodies which may investigate computer-related crime.
CSIRT members, indeed, need not have any powers beyond CSIRT members, indeed, need not have any powers beyond those of
those of ordinary citizens. ordinary citizens.
Vendor: Vendor:
A 'vendor' is any entity that produces networking or computing A 'vendor' is any entity that produces networking or computing
technology, and is responsible for the technical content of that technology, and is responsible for the technical content of that
technology. Examples of 'technology' include hardware (desktop technology. Examples of 'technology' include hardware (desktop
computers, routers, switches, etc.), and software (operating computers, routers, switches, etc.), and software (operating
systems, mail forwarding systems, etc.). systems, mail forwarding systems, etc.).
Note that the supplier of a technology is not necessarily the Note that the supplier of a technology is not necessarily the '
'vendor' of that technology. As an example, an Internet Service vendor' of that technology. As an example, an Internet Service
Provider (ISP) might supply routers to each of its customers, but Provider (ISP) might supply routers to each of its customers, but
the 'vendor' is the manufacturer, since the manufacturer, rather the 'vendor' is the manufacturer, since the manufacturer, rather
than the ISP, is the entity responsible for the technical content than the ISP, is the entity responsible for the technical content
of the router. of the router.
Vulnerability: Vulnerability:
A 'vulnerability' is a characteristic of a piece of technology A 'vulnerability' is a characteristic of a piece of technology
which can be exploited to perpetrate a security incident. For which can be exploited to perpetrate a security incident. For
example, if a program unintentionally allowed ordinary users to example, if a program unintentionally allowed ordinary users to
execute arbitrary operating system commands in privileged mode, execute arbitrary operating system commands in privileged mode,
this "feature" would be a vulnerability. this "feature" would be a vulnerability.
Expectations for Computer Security Incident Response 11 September 97
Appendix B: Related Material Appendix B: Related Material
Important issues in responding to security incidents on a site level Important issues in responding to security incidents on a site level
are contained in [RFC 1244], the Site Security Handbook, produced by are contained in [RFC 2196], the Site Security Handbook, produced by
the Site Security Handbook Working Group (SSH). This document will the Site Security Handbook Working Group (SSH). This document will
be updated by the SSH working group and will give recommendations be updated by the SSH working group and will give recommendations for
for local policies and procedures, mainly related to the avoidance local policies and procedures, mainly related to the avoidance of
of security incidents. security incidents.
Other documents of interest for the discussion of CSIRTs and their Other documents of interest for the discussion of CSIRTs and their
tasks are available by anonymous FTP. A collection can be found on: tasks are available by anonymous FTP. A collection can be found on:
- ftp://ftp.cert.dfn.de/pub/docs/csir/ - ftp://ftp.cert.dfn.de/pub/docs/csir/
Please refer to file 01-README for further information about Please refer to file 01-README for further information about
the content of this directory. the content of this directory.
Some especially interesting documents in relation to this document Some especially interesting documents in relation to this document
are as follows: are as follows:
skipping to change at page 19, line 5 skipping to change at page 21, line 5
- ftp://info.cert.org/incident_reporting_form - ftp://info.cert.org/incident_reporting_form
This Incident Reporting Form is provided by the CERT This Incident Reporting Form is provided by the CERT
Coordination Center to gather incident information and to avoid Coordination Center to gather incident information and to avoid
additional delays caused by the need to request more detailed additional delays caused by the need to request more detailed
information from the reporting site. information from the reporting site.
- http://www.cert.org/cert.faqintro.html - http://www.cert.org/cert.faqintro.html
A collection of frequently asked questions from the CERT A collection of frequently asked questions from the CERT
Coordination Center. Coordination Center.
Expectations for Computer Security Incident Response 11 September 97
Appendix C: Known Computer Security Incident Response Teams Appendix C: Known Computer Security Incident Response Teams
Today, there are many different CSIRTs but no single source lists Today, there are many different CSIRTs but no single source lists
every team. Most of the major and long established teams (the first every team. Most of the major and long established teams (the first
CSIRT was founded in 1988) are nowadays members of FIRST, the CSIRT was founded in 1988) are nowadays members of FIRST, the
worldwide Forum of Incident Response and Security Teams. At the worldwide Forum of Incident Response and Security Teams. At the time
time of writing, more than 55 teams are members (1 in Australia, 13 of writing, more than 55 teams are members (1 in Australia, 13 in
in Europe, all others in North America). Information about FIRST Europe, all others in North America). Information about FIRST can be
can be found: found:
- http://www.first.org/ - http://www.first.org/
The current list of members is available also, with the relevant The current list of members is available also, with the relevant
contact information and some additional information provided by the contact information and some additional information provided by the
particular teams: particular teams:
- http://www.first.org/team-info/ - http://www.first.org/team-info/
For CSIRTs which want to become members of this forum (please note For CSIRTs which want to become members of this forum (please note
skipping to change at page 20, line 5 skipping to change at page 22, line 5
Many of the European teams, regardless of whether they are members Many of the European teams, regardless of whether they are members
of FIRST or not, are listed by countries on a page maintained by of FIRST or not, are listed by countries on a page maintained by
the German CSIRT: the German CSIRT:
- http://www.cert.dfn.de/eng/csir/europe/certs.html - http://www.cert.dfn.de/eng/csir/europe/certs.html
To learn about existing teams suitable to one's needs it is To learn about existing teams suitable to one's needs it is
often helpful to ask either known teams or an Internet Service often helpful to ask either known teams or an Internet Service
Provider for the "right" contact. Provider for the "right" contact.
Expectations for Computer Security Incident Response 11 September 97
Appendix D: Outline for CSIRT Template Appendix D: Outline for CSIRT Template
This outline summarizes in point form the issues addressed in this This outline summarizes in point form the issues addressed in this
document, and is the recommended template for a CSIRT description document, and is the recommended template for a CSIRT description
document. Its structure is designed to facilitate the communication document. Its structure is designed to facilitate the communication
of a CSIRT's policies, procedures, and other relevant information to of a CSIRT's policies, procedures, and other relevant information to
its constituency and to outside organizations such as other CSIRTs. its constituency and to outside organizations such as other CSIRTs. A
A 'filled-in' example of this template is given as Appendix E. 'filled-in' example of this template is given as Appendix E.
1. Document Information 1. Document Information
1.1 Date of Last Update 1.1 Date of Last Update
1.2 Distribution List for Notifications 1.2 Distribution List for Notifications
1.3 Locations where this Document May Be Found 1.3 Locations where this Document May Be Found
2. Contact Information 2. Contact Information
2.1 Name of the Team 2.1 Name of the Team
2.2 Address 2.2 Address
2.3 Time Zone 2.3 Time Zone
skipping to change at page 21, line 5 skipping to change at page 23, line 5
5.1 Incident Response 5.1 Incident Response
5.1.1. Incident Triage 5.1.1. Incident Triage
5.1.2. Incident Coordination 5.1.2. Incident Coordination
5.1.3. Incident Resolution 5.1.3. Incident Resolution
5.2 Proactive Activities 5.2 Proactive Activities
6. Incident Reporting Forms 6. Incident Reporting Forms
7. Disclaimers 7. Disclaimers
Expectations for Computer Security Incident Response 11 September 97
Appendix E: Example - 'filled-in' Template for a CSIRT Appendix E: Example - 'filled-in' Template for a CSIRT
Below is an example of a filled-in template for a fictitious CSIRT Below is an example of a filled-in template for a fictitious CSIRT
called XYZ-CSIRT. This text is for example purposes only, and does called XYZ-CSIRT. This text is for example purposes only, and does
not constitute endorsement by the working group or the IETF of any not constitute endorsement by the working group or the IETF of any
particular set of procedures or policies. While CSIRTs are welcome particular set of procedures or policies. While CSIRTs are welcome
to use any or all of this text if they wish, such use is of course to use any or all of this text if they wish, such use is of course
not mandatory, or even appropriate in most cases. not mandatory, or even appropriate in most cases.
CSIRT Description for XYZ-CERT CSIRT Description for XYZ-CERT
skipping to change at page 22, line 5 skipping to change at page 24, line 12
http://www.xyz-univ.ca/xyz-cert/english/CSIRT-descr.asc http://www.xyz-univ.ca/xyz-cert/english/CSIRT-descr.asc
http://www.xyz-univ.ca/xyz-cert/francais/CSIRT-descr.asc http://www.xyz-univ.ca/xyz-cert/francais/CSIRT-descr.asc
2. Contact Information 2. Contact Information
2.1 Name of the Team 2.1 Name of the Team
"XYZ-CERT": the XYZ University Computer Emergency Response "XYZ-CERT": the XYZ University Computer Emergency Response
Team. Team.
Expectations for Computer Security Incident Response 11 September 97
2.2 Address 2.2 Address
XYZ-CERT XYZ-CERT
XYZ University, Computing Services Department XYZ University, Computing Services Department
12345 Rue Principale 12345 Rue Principale
UniversityTown, Quebec UniversityTown, Quebec
Canada H0H 0H0 Canada H0H 0H0
2.3 Time Zone 2.3 Time Zone
skipping to change at page 22, line 44 skipping to change at page 24, line 49
to the human(s) on duty for the XYZ-CERT. to the human(s) on duty for the XYZ-CERT.
2.8 Public Keys and Other Encryption Information 2.8 Public Keys and Other Encryption Information
The XYZ-CERT has a PGP key, whose KeyID is 12345678 and The XYZ-CERT has a PGP key, whose KeyID is 12345678 and
whose fingerprint is whose fingerprint is
11 22 33 44 55 66 77 88 88 77 66 55 44 33 22 11. 11 22 33 44 55 66 77 88 88 77 66 55 44 33 22 11.
The key and its signatures can be found at the usual large The key and its signatures can be found at the usual large
public keyservers. public keyservers.
Because PGP is still a relatively new technology at XYZ Because PGP is still a relatively new technology at XYZ
University, this key still has relatively few signatures; University, this key still has relatively few signatures;
efforts are underway to increase the number of links to this efforts are underway to increase the number of links to this
key in the PGP "web of trust". In the meantime, since most key in the PGP "web of trust". In the meantime, since most
fellow universities in Quebec have at least one staff member fellow universities in Quebec have at least one staff member
who knows the XYZ-CERT coordinator Zoe Doe, Zoe Doe has who knows the XYZ-CERT coordinator Zoe Doe, Zoe Doe has
signed the XYZ-CERT key, and will be happy to confirm its signed the XYZ-CERT key, and will be happy to confirm its
fingerprint and that of her own key to those people who know fingerprint and that of her own key to those people who know
her, by telephone or in person. her, by telephone or in person.
2.9 Team Members 2.9 Team Members
Zoe Doe of Computing Services is the XYZ-CERT coordinator. Zoe Doe of Computing Services is the XYZ-CERT coordinator.
Backup coordinators and other team members, along with their Backup coordinators and other team members, along with their
areas of expertise and contact information, are listed in the areas of expertise and contact information, are listed in the
Expectations for Computer Security Incident Response 11 September 97
XYZ-CERT web pages, at XYZ-CERT web pages, at
http://www.xyz-univ.ca/xyz-cert/teamlist.html http://www.xyz-univ.ca/xyz-cert/teamlist.html
Management, liaison and supervision are provided by Steve Tree, Management, liaison and supervision are provided by Steve Tree,
Assistant Director (Technical Services), Computing Services. Assistant Director (Technical Services), Computing Services.
2.10 Other Information 2.10 Other Information
General information about the XYZ-CERT, as well as links to General information about the XYZ-CERT, as well as links to
various recommended security resources, can be found at various recommended security resources, can be found at
http://www.xyz-univ.ca/xyz-cert/index.html http://www.xyz-univ.ca/xyz-cert/index.html
2.11 Points of Customer Contact 2.11 Points of Customer Contact
The preferred method for contacting the XYZ-CERT is via The preferred method for contacting the XYZ-CERT is via
e-mail at <xyz-cert@xyz-univ.ca>; e-mail sent to this address e-mail at <xyz-cert@xyz-univ.ca>; e-mail sent to this address
will "biff" the responsible human, or be automatically will "biff" the responsible human, or be automatically
forwarded to the appropriate backup person, immediately. If forwarded to the appropriate backup person, immediately. If
you require urgent assistance, put "urgent" in your subject you require urgent assistance, put "urgent" in your subject
line. line.
If it is not possible (or not advisable for security reasons) If it is not possible (or not advisable for security reasons)
to use e-mail, the XYZ-CERT can be reached by telephone during to use e-mail, the XYZ-CERT can be reached by telephone during
regular office hours. Telephone messages are checked less regular office hours. Telephone messages are checked less
often than e-mail. often than e-mail.
The XYZ-CERT's hours of operation are generally restricted to The XYZ-CERT's hours of operation are generally restricted to
regular business hours (09:00-17:00 Monday to Friday except regular business hours (09:00-17:00 Monday to Friday except
holidays). holidays).
If possible, when submitting your report, use the form If possible, when submitting your report, use the form
mentioned in section 6. mentioned in section 6.
3. Charter 3. Charter
3.1 Mission Statement 3.1 Mission Statement
The purpose of the XYZ-CERT is, first, to assist members of XYZ The purpose of the XYZ-CERT is, first, to assist members of XYZ
University community in implementing proactive measures to University community in implementing proactive measures to
skipping to change at page 24, line 5 skipping to change at page 26, line 25
3.2 Constituency 3.2 Constituency
The XYZ-CERT's constituency is the XYZ University community, The XYZ-CERT's constituency is the XYZ University community,
as defined in the context of the "XYZ University Policy on as defined in the context of the "XYZ University Policy on
Computing Facilities". This policy is available at Computing Facilities". This policy is available at
http://www-compserv.xyz-univ.ca/policies/pcf.html http://www-compserv.xyz-univ.ca/policies/pcf.html
However, please note that, notwithtanding the above, XYZ-CERT However, please note that, notwithtanding the above, XYZ-CERT
services will be provided for on-site systems only. services will be provided for on-site systems only.
Expectations for Computer Security Incident Response 11 September 97
3.3 Sponsorship and/or Affiliation 3.3 Sponsorship and/or Affiliation
The XYZ-CERT is sponsored by the ACME Canadian Research The XYZ-CERT is sponsored by the ACME Canadian Research
Network. It maintains affiliations with various University Network. It maintains affiliations with various University
CSIRTs throughout Canada and the USA on an as needed basis. CSIRTs throughout Canada and the USA on an as needed basis.
3.4 Authority 3.4 Authority
The XYZ-CERT operates under the auspices of, and with authority The XYZ-CERT operates under the auspices of, and with authority
delegated by, the Department of Computing Services of XYZ delegated by, the Department of Computing Services of XYZ
University. For further information on the mandate and University. For further information on the mandate and
authority of the Department of Computing Services, please authority of the Department of Computing Services, please
refer to the XYZ University "Policy on Computing Facilities", refer to the XYZ University "Policy on Computing Facilities",
available at available at
http://www-compserv.xyz-univ.ca/policies/pcf.html http://www-compserv.xyz-univ.ca/policies/pcf.html
The XYZ-CERT expects to work cooperatively with system The XYZ-CERT expects to work cooperatively with system
administrators and users at XYZ University, and, insofar as administrators and users at XYZ University, and, insofar as
possible, to avoid authoritarian relationships. However, possible, to avoid authoritarian relationships. However,
should circumstances warrant it, the XYZ-CERT will appeal to should circumstances warrant it, the XYZ-CERT will appeal to
Computing Services to exert its authority, direct or indirect, Computing Services to exert its authority, direct or indirect,
as necessary. All members of the XYZ-CERT are members of the as necessary. All members of the XYZ-CERT are members of the
CCSA (Committee of Computer Systems Administrators), and have CCSA (Committee of Computer Systems Administrators), and have
all of the powers and responsibilities assigned to Systems all of the powers and responsibilities assigned to Systems
Administrators by the Policy on Computing Facilities, or are Administrators by the Policy on Computing Facilities, or are
skipping to change at page 24, line 53 skipping to change at page 27, line 24
4. Policies 4. Policies
4.1 Types of Incidents and Level of Support 4.1 Types of Incidents and Level of Support
The XYZ-CERT is authorized to address all types of computer The XYZ-CERT is authorized to address all types of computer
security incidents which occur, or threaten to occur, at security incidents which occur, or threaten to occur, at
XYZ University. XYZ University.
The level of support given by XYZ-CERT will vary depending on The level of support given by XYZ-CERT will vary depending on
the type and severity of the incident or issue, the type of the type and severity of the incident or issue, the type of
constituent, the size of the user community affected, and the constituent, the size of the user community affected, and the
XYZ-CERT's resources at the time, though in all cases some XYZ-CERT's resources at the time, though in all cases some
response will be made within one working day. Resources will response will be made within one working day. Resources will
be assigned according to the following priorities, listed in be assigned according to the following priorities, listed in
decreasing order: decreasing order:
Expectations for Computer Security Incident Response 11 September 97
- Threats to the physical safety of human beings. - Threats to the physical safety of human beings.
- Root or system-level attacks on any Management Information - Root or system-level attacks on any Management Information
System, or any part of the backbone network infrastructure. System, or any part of the backbone network infrastructure.
- Root or system-level attacks on any large public service - Root or system-level attacks on any large public service
machine, either multi-user or dedicated-purpose. machine, either multi-user or dedicated-purpose.
- Compromise of restricted confidential service accounts or - Compromise of restricted confidential service accounts or
software installations, in particular those used for MIS software installations, in particular those used for MIS
applications containing confidential data, or those used applications containing confidential data, or those used
for system administration. for system administration.
- Denial of service attacks on any of the above three items. - Denial of service attacks on any of the above three items.
- Any of the above at other sites, originating from XYZ - Any of the above at other sites, originating from XYZ
University. University.
- Large-scale attacks of any kind, e.g. sniffing attacks, - Large-scale attacks of any kind, e.g. sniffing attacks,
IRC "social engineering" attacks, password cracking IRC "social engineering" attacks, password cracking
attacks. attacks.
- Threats, harrassment, and other criminal offenses - Threats, harassment, and other criminal offenses
involving individual user accounts. involving individual user accounts.
- Compromise of individual user accounts on multi-user - Compromise of individual user accounts on multi-user
systems. systems.
- Compromise of desktop systems. - Compromise of desktop systems.
- Forgery and misrepresentation, and other security-related - Forgery and misrepresentation, and other security-related
violations of local rules and regulations, e.g. netnews violations of local rules and regulations, e.g. netnews
and e-mail forgery, unauthorized use of IRC bots. and e-mail forgery, unauthorized use of IRC bots.
- Denial of service on individual user accounts, e.g. - Denial of service on individual user accounts, e.g.
mailbombing. mailbombing.
Types of incidents other than those mentioned above will be Types of incidents other than those mentioned above will be
prioritized according to their apparent severity and extent. prioritized according to their apparent severity and extent.
Note that no direct support will be given to end users; they Note that no direct support will be given to end users; they
are expected to contact their system administrator, network are expected to contact their system administrator, network
administrator, or department head for assistance. The XYZ-CERT administrator, or department head for assistance. The XYZ-CERT
will support the latter people. will support the latter people.
While the XYZ-CERT understands that there exists great While the XYZ-CERT understands that there exists great
variation in the level of system administrator expertise at XYZ variation in the level of system administrator expertise at XYZ
University, and while the XYZ-CERT will endeavor to present University, and while the XYZ-CERT will endeavor to present
information and assistance at a level appropriate to each information and assistance at a level appropriate to each
person, the XYZ-CERT cannot train system administrators on the person, the XYZ-CERT cannot train system administrators on the
fly, and it cannot perform system maintenance on their behalf. fly, and it cannot perform system maintenance on their behalf.
In most cases, the XYZ-CERT will provide pointers to the In most cases, the XYZ-CERT will provide pointers to the
information needed to implement appropriate measures. information needed to implement appropriate measures.
The XYZ-CERT is committed to keeping the XYZ University system The XYZ-CERT is committed to keeping the XYZ University system
administration community informed of potential vulnerabilities, administration community informed of potential vulnerabilities,
and where possible, will inform this community of such and where possible, will inform this community of such
vulnerabilities before they are actively exploited. vulnerabilities before they are actively exploited.
4.2 Co-operation, Interaction and Disclosure of Information 4.2 Co-operation, Interaction and Disclosure of Information
While there are legal and ethical restrictions on the flow of While there are legal and ethical restrictions on the flow of
information from XYZ-CERT, many of which are also outlined in information from XYZ-CERT, many of which are also outlined in
Expectations for Computer Security Incident Response 11 September 97 the XYZ University Policy on Computing Facilities, and all of
which will be respected, the XYZ-CERT acknowledges its
the XYZ University Policy on Computing Facilities, and all of indebtedness to, and declares its intention to contribute to,
which will be respected, the XYZ-CERT acknowledges its the spirit of cooperation that created the Internet.
indebtedness to, and declares its intention to contribute to, Therefore, while appropriate measures will be taken to protect
the spirit of cooperation that created the Internet. the identity of members of our constituency and members of
Therefore, while appropriate measures will be taken to protect neighbouring sites where necessary, the XYZ-CERT will otherwise
the identity of members of our constituency and members of share information freely when this will assist others in
neighbouring sites where necessary, the XYZ-CERT will otherwise resolving or preventing security incidents.
share information freely when this will assist others in
resolving or preventing security incidents.
In the paragraphs below, "affected parties" refers to the In the paragraphs below, "affected parties" refers to the
legitimate owners, operators, and users of the relevant legitimate owners, operators, and users of the relevant
computing facilities. It does not refer to unauthorized computing facilities. It does not refer to unauthorized
users, including otherwise authorized users making users, including otherwise authorized users making
unauthorized use of a facility; such intruders may have no unauthorized use of a facility; such intruders may have no
expectation of confidentiality from the XYZ-CERT. They may or expectation of confidentiality from the XYZ-CERT. They may or
may not have legal rights to confidentiality; such rights will may not have legal rights to confidentiality; such rights will
of course be respected where they exist. of course be respected where they exist.
Information being considered for release will be classified as Information being considered for release will be classified as
follows: follows:
- Private user information is information about particular - Private user information is information about particular
users, or in some cases, particular applications, which users, or in some cases, particular applications, which
must be considered confidential for legal, contractual, must be considered confidential for legal, contractual,
and/or ethical reasons. and/or ethical reasons.
Private user information will be not be released in Private user information will be not be released in
identifiable form outside the XYZ-CERT, except as provided identifiable form outside the XYZ-CERT, except as provided
for below. If the identity of the user is disguised, then for below. If the identity of the user is disguised, then
the information can be released freely (for example to show the information can be released freely (for example to show
a sample .cshrc file as modified by an intruder, or to a sample .cshrc file as modified by an intruder, or to
demonstrate a particular social engineering attack). demonstrate a particular social engineering attack).
- Intruder information is similar to private user - Intruder information is similar to private user
information, but concerns intruders. information, but concerns intruders.
While intruder information, and in particular identifying While intruder information, and in particular identifying
information, will not be released to the public (unless it information, will not be released to the public (unless it
becomes a matter of public record, for example because becomes a matter of public record, for example because
criminal charges have been laid), it will be exchanged criminal charges have been laid), it will be exchanged
freely with system administrators and CSIRTs tracking an freely with system administrators and CSIRTs tracking an
incident. incident.
- Private site information is technical information about - Private site information is technical information about
particular systems or sites. particular systems or sites.
It will not be released without the permission of the site It will not be released without the permission of the site
in question, except as provided for below. in question, except as provided for below.
- Vulnerability information is technical information about - Vulnerability information is technical information about
vulnerabilities or attacks, including fixes and vulnerabilities or attacks, including fixes and
Expectations for Computer Security Incident Response 11 September 97
workarounds. workarounds.
Vulnerability information will be released freely, though Vulnerability information will be released freely, though
every effort will be made to inform the relevant vendor every effort will be made to inform the relevant vendor
before the general public is informed. before the general public is informed.
- Embarrassing information includes the statement that an - Embarrassing information includes the statement that an
incident has occurred, and information about its extent or incident has occurred, and information about its extent or
severity. Embarrassing information may concern a site or severity. Embarrassing information may concern a site or
a particular user or group of users. a particular user or group of users.
skipping to change at page 27, line 40 skipping to change at page 30, line 23
Contact information will be released freely, except where Contact information will be released freely, except where
the contact person or entity has requested that this not the contact person or entity has requested that this not
be the case, or where XYZ-CERT has reason to believe that be the case, or where XYZ-CERT has reason to believe that
the dissemination of this information would not be the dissemination of this information would not be
appreciated. appreciated.
Potential recipients of information from the XYZ-CERT will be Potential recipients of information from the XYZ-CERT will be
classified as follows: classified as follows:
- Because of the nature of their responsibilities and - Because of the nature of their responsibilities and
consequent expectations of confidentiality, members of XYZ consequent expectations of confidentiality, members of XYZ
University management are entitled to receive whatever University management are entitled to receive whatever
information is necessary to facilitate the handling of information is necessary to facilitate the handling of
computer security incidents which occur in their computer security incidents which occur in their
jurisdictions. jurisdictions.
- Members of the Office of Rights and Responsibilities are - Members of the Office of Rights and Responsibilities are
entitled to receive whatever information they request entitled to receive whatever information they request
concerning a computer security incident or related matter concerning a computer security incident or related matter
which has been referred to them for resolution. The same is which has been referred to them for resolution. The same is
true for the XYZ Security Department, when its assistance in true for the XYZ Security Department, when its assistance in
an investigation has been enlisted, or when the investigation an investigation has been enlisted, or when the investigation
has been instigated at its request. has been instigated at its request.
- System administrators at XYZ University who are members of - System administrators at XYZ University who are members of
the CCSA are also, by virtue of their responsibilities, the CCSA are also, by virtue of their responsibilities,
trusted with confidential information. However, unless such trusted with confidential information. However, unless such
people are also members of XYZ-CERT, they will be given only people are also members of XYZ-CERT, they will be given only
Expectations for Computer Security Incident Response 11 September 97
that confidential information which they must have in order that confidential information which they must have in order
to assist with an investigation, or in order to secure their to assist with an investigation, or in order to secure their
own systems. own systems.
- Users at XYZ University are entitled to information which - Users at XYZ University are entitled to information which
pertains to the security of their own computer accounts, pertains to the security of their own computer accounts,
even if this means revealing "intruder information", or even if this means revealing "intruder information", or
"embarrasssing information" about another user. For "embarrassing information" about another user. For
example, if account aaaa is cracked and the intruder attacks example, if account aaaa is cracked and the intruder attacks
account bbbb, user bbbb is entitled to know that aaaa was account bbbb, user bbbb is entitled to know that aaaa was
cracked, and how the attack on the bbbb account was cracked, and how the attack on the bbbb account was
executed. User bbbb is also entitled, if she or he requests executed. User bbbb is also entitled, if she or he requests
it, to information about account aaaa which might enable it, to information about account aaaa which might enable
bbbb to investigate the attack. For example, if bbbb was bbbb to investigate the attack. For example, if bbbb was
attacked by someone remotely connected to aaaa, bbbb should attacked by someone remotely connected to aaaa, bbbb should
be told the provenance of the connections to aaaa, even be told the provenance of the connections to aaaa, even
though this information would ordinarily be considered though this information would ordinarily be considered
private to aaaa. Users at XYZ University are entitled to be private to aaaa. Users at XYZ University are entitled to be
notified if their account is believed to have been notified if their account is believed to have been
compromised. compromised.
- The XYZ University community will receive no restricted - The XYZ University community will receive no restricted
information, except where the affected parties have given information, except where the affected parties have given
permission for the information to be disseminated. permission for the information to be disseminated.
Statistical information may be made available to the general Statistical information may be made available to the general
XYZ community. There is no obligation on the part of the XYZ community. There is no obligation on the part of the
XYZ-CERT to report incidents to the community, though it may XYZ-CERT to report incidents to the community, though it may
choose to do so; in particular, it is likely that the choose to do so; in particular, it is likely that the
XYZ-CERT will inform all affected parties of the ways in XYZ-CERT will inform all affected parties of the ways in
which they were affected, or will encourage the affected site which they were affected, or will encourage the affected site
to do so. to do so.
- The public at large will receive no restricted information.
In fact, no particular effort will be made to communicate
with the public at large, though the XYZ-CERT recognizes
that, for all intents and purposes, information made
available to the XYZ University community is in effect made
available to the community at large, and will tailor the
information in consequence.
- The computer security community will be treated the same way - The public at large will receive no restricted information.
the general public is treated. While members of XYZ-CERT may In fact, no particular effort will be made to communicate
participate in discussions within the computer security with the public at large, though the XYZ-CERT recognizes
community, such as newsgroups, mailing lists (including the that, for all intents and purposes, information made
full-disclosure list "bugtraq"), and conferences, they will available to the XYZ University community is in effect made
treat such forums as though they were the public at large. available to the community at large, and will tailor the
While technical issues (including vulnerabilities) may be information in consequence.
discussed to any level of detail, any examples taken from
XYZ-CERT experience will be disguised to avoid identifying
the affected parties.
Expectations for Computer Security Incident Response 11 September 97 - The computer security community will be treated the same way
the general public is treated. While members of XYZ-CERT may
participate in discussions within the computer security
community, such as newsgroups, mailing lists (including the
full-disclosure list "bugtraq"), and conferences, they will
treat such forums as though they were the public at large.
While technical issues (including vulnerabilities) may be
discussed to any level of detail, any examples taken from
XYZ-CERT experience will be disguised to avoid identifying
the affected parties.
- The press will also be considered as part of the general - The press will also be considered as part of the general
public. The XYZ-CERT will not interact directly with the public. The XYZ-CERT will not interact directly with the
Press concerning computer security incidents, except to point Press concerning computer security incidents, except to point
them toward information already released to the general them toward information already released to the general
public. If necessary, information will be provided to the public. If necessary, information will be provided to the
XYZ University Public Relations Department, and to the XYZ University Public Relations Department, and to the
Customer Relations group of the Computing Services Customer Relations group of the Computing Services
Department. All incident-related queries will be referred to Department. All incident-related queries will be referred to
these two bodies. The above does not affect the ability of these two bodies. The above does not affect the ability of
members of XYZ-CERT to grant interviews on general computer members of XYZ-CERT to grant interviews on general computer
security topics; in fact, they are encouraged to do to, as a security topics; in fact, they are encouraged to do to, as a
public service to the community. public service to the community.
- Other sites and CSIRTs, when they are partners in the - Other sites and CSIRTs, when they are partners in the
investigation of a computer security incident, will in some investigation of a computer security incident, will in some
cases be trusted with confidential information. This will cases be trusted with confidential information. This will
happen only if the foreign site's bona fide can be verified, happen only if the foreign site's bona fide can be verified,
and the information transmitted will be limited to that which and the information transmitted will be limited to that which
is likely to be helpful in resolving the incident. Such is likely to be helpful in resolving the incident. Such
information sharing is most likely to happen in the case of information sharing is most likely to happen in the case of
sites well known to XYZ-CERT (for example, several other sites well known to XYZ-CERT (for example, several other
Quebec universities have informal but well-established Quebec universities have informal but well-established
working relationships with XYZ University in such mattters). working relationships with XYZ University in such matters).
For the purposes of resolving a security incident, otherwise For the purposes of resolving a security incident, otherwise
semi-private but relatively harmless user information such as semi-private but relatively harmless user information such as
the provenance of connections to user accounts will not be the provenance of connections to user accounts will not be
considered highly sensitive, and can be transmitted to a considered highly sensitive, and can be transmitted to a
foreign site without excessive precautions. "Intruder foreign site without excessive precautions. "Intruder
information" will be transmitted freely to other system information" will be transmitted freely to other system
administrators and CSIRTs. "Embarrassing information" can be administrators and CSIRTs. "Embarrassing information" can be
transmitted when there is reasonable assurance that it will transmitted when there is reasonable assurance that it will
remain confidential, and when it is necessary to resolve an remain confidential, and when it is necessary to resolve an
incident. incident.
- Vendors will be considered as foreign CSIRTs for most intents - Vendors will be considered as foreign CSIRTs for most intents
and purposes. The XYZ-CERT wishes to encourage vendors of and purposes. The XYZ-CERT wishes to encourage vendors of
all kinds of networking and computer equipment, software, and all kinds of networking and computer equipment, software, and
services to improve the security of their products. In aid services to improve the security of their products. In aid
of this, a vulnerability discovered in such a product will be of this, a vulnerability discovered in such a product will be
reported to its vendor, along with all technical details reported to its vendor, along with all technical details
needed to identify and fix the problem. Identifying details needed to identify and fix the problem. Identifying details
will not be given to the vendor without the permission of the will not be given to the vendor without the permission of the
affected parties. affected parties.
- Law enforcement officers will receive full cooperation from - Law enforcement officers will receive full cooperation from
the XYZ-CERT, including any information they require to the XYZ-CERT, including any information they require to
pursue an investigation, in accordance with the Policy on pursue an investigation, in accordance with the Policy on
Computing Facilities. Computing Facilities.
Expectations for Computer Security Incident Response 11 September 97
4.3 Communication and Authentication 4.3 Communication and Authentication
In view of the types of information that the XYZ-CERT will In view of the types of information that the XYZ-CERT will
likely be dealing with, telephones will be considered likely be dealing with, telephones will be considered
sufficiently secure to be used even unencrypted. Unencrypted sufficiently secure to be used even unencrypted. Unencrypted
e-mail will not be considered particularly secure, but will be e-mail will not be considered particularly secure, but will be
sufficient for the transmission of low-sensitivity data. If sufficient for the transmission of low-sensitivity data. If
it is necessary to send highly sensitive data by e-mail, PGP it is necessary to send highly sensitive data by e-mail, PGP
will be used. Network file transfers will be considered to will be used. Network file transfers will be considered to
be similar to e-mail for these purposes: sensitive data should be similar to e-mail for these purposes: sensitive data should
skipping to change at page 31, line 5 skipping to change at page 34, line 5
- Determining the initial cause of the incident - Determining the initial cause of the incident
(vulnerability exploited). (vulnerability exploited).
- Facilitating contact with other sites which may be - Facilitating contact with other sites which may be
involved. involved.
- Facilitating contact with XYZ University Security and/or - Facilitating contact with XYZ University Security and/or
appropriate law enforcement officials, if necessary. appropriate law enforcement officials, if necessary.
- Making reports to other CSIRTs. - Making reports to other CSIRTs.
- Composing announcements to users, if applicable. - Composing announcements to users, if applicable.
Expectations for Computer Security Incident Response 11 September 97
5.1.3 Incident Resolution 5.1.3 Incident Resolution
- Removing the vulnerability. - Removing the vulnerability.
- Securing the system from the effects of the incident. - Securing the system from the effects of the incident.
- Evaluating whether certain actions are likely to reap - Evaluating whether certain actions are likely to reap
results in proportion to their cost and risk, in results in proportion to their cost and risk, in
particular those actions aimed at an eventual prosecution particular those actions aimed at an eventual prosecution
or disciplinary action: collection of evidence after the or disciplinary action: collection of evidence after the
fact, observation of an incident in progress, setting fact, observation of an incident in progress, setting
traps for intruders, etc. traps for intruders, etc.
skipping to change at page 31, line 54 skipping to change at page 35, line 4
patches for various operating systems. This repository patches for various operating systems. This repository
will be available to the general public wherever will be available to the general public wherever
license restrictions allow it, and will be provided via license restrictions allow it, and will be provided via
commonly-available channels such as the World Wide Web commonly-available channels such as the World Wide Web
and/or ftp. and/or ftp.
- Repository of security tools and documentation for - Repository of security tools and documentation for
use by sysadmins. Where possible, precompiled use by sysadmins. Where possible, precompiled
ready-to-install versions will be supplied. These will ready-to-install versions will be supplied. These will
be supplied to the general public via www or ftp as be supplied to the general public via www or ftp as
above. above.
- "Clipping" service for various existing resources, such - "Clipping" service for various existing resources, such
as major mailing lists and newsgroups. The resulting as major mailing lists and newsgroups. The resulting
clippings will be made available either on the clippings will be made available either on the
restricted mailing list or on the web site, depending restricted mailing list or on the web site, depending
on their sensitivity and urgency. on their sensitivity and urgency.
Expectations for Computer Security Incident Response 11 September 97
- Training services - Training services
- Members of the XYZ-CERT will give periodic seminars on - Members of the XYZ-CERT will give periodic seminars on
computer security related topics; these seminars will computer security related topics; these seminars will
be open to XYZ University system administrators. be open to XYZ University system administrators.
- Auditing services - Auditing services
- Central file integrity checking service for Unix - Central file integrity checking service for Unix
machines, and for any other platforms capable of machines, and for any other platforms capable of
running "tripwire". running "tripwire".
- Security level assignments; machines and subnetworks - Security level assignments; machines and subnetworks
at XYZ University will be audited and assigned a at XYZ University will be audited and assigned a
skipping to change at page 33, line 5 skipping to change at page 36, line 12
PA). The current version is available from: PA). The current version is available from:
ftp://info.cert.org/incident_reporting_form ftp://info.cert.org/incident_reporting_form
7. Disclaimers 7. Disclaimers
While every precaution will be taken in the preparation of While every precaution will be taken in the preparation of
information, notifications and alerts, XYZ-CERT assumes no information, notifications and alerts, XYZ-CERT assumes no
responsibility for errors or omissions, or for damages responsibility for errors or omissions, or for damages
resulting from the use of the information contained within. resulting from the use of the information contained within.
Expectations for Computer Security Incident Response 11 September 97 4 Acknowlegdements
4 Acknowlegements
The editors gratefully acknowledge the contributed material and The editors gratefully acknowledge the contributed material and
editorial scrutiny of Anne Bennett. Thanks also to Don Stikvoort editorial scrutiny of Anne Bennett. Thanks also to Don Stikvoort
for assistance reworking the description of Incident Response Team for assistance reworking the description of Incident Response Team
services. services.
5 References 5 References
[RFC 1244] P. Holbrooks, J. Reynolds / Site Security Handbook. - [RFC 2196] Fraser, B., "Site Security Handbook", FYI 8, RFC 2196,
July 23, 1991. - 101 pages. - FYI 8. September 1997.
[RFC 1983] G. Malkin / Internet Users' Glossary. - [RFC 1983] Malkin, G., "Internet Users' Glossary", FYI 18, RFC 1983,
August 16, 1996. - 62 pages. - FYI 18. August 1996.
6 Security Considerations 6 Security Considerations
This document discusses the operation of Computer Security This document discusses the operation of Computer Security Incident
Incident Response Teams, and the teams' interactions with their Response Teams, and the teams' interactions with their constituencies
constituencies and with other organizations. It is, therefore, and with other organizations. It is, therefore, not directly
not directly concerned with the security of protocols, applications, concerned with the security of protocols, applications, or network
or network systems themselves. It is not even concerned with systems themselves. It is not even concerned with particular
particular responses and reactions to security incidents, but only responses and reactions to security incidents, but only with the
with the appropriate description of the responses provided by appropriate description of the responses provided by CSIRTs.
CSIRTs.
Nonetheless, it is vital that the CSIRTs themselves operate securely, Nonetheless, it is vital that the CSIRTs themselves operate securely,
which means that they must establish secure communication channels which means that they must establish secure communication channels
with other teams, and with members of their constituency. They must with other teams, and with members of their constituency. They must
also secure their own systems and infrastructure, to protect the also secure their own systems and infrastructure, to protect the
interests of their constituency and to maintain the confidentiality interests of their constituency and to maintain the confidentiality
of the identity of victims and reporters of security incidents. of the identity of victims and reporters of security incidents.
7 Authors' Addresses 7 Authors' Addresses
Nevil Brownlee Erik Guttman Nevil Brownlee
ITSS Technology Development Sun Microsystems, Inc. ITSS Technology Development
The University of Auckland Bahnstr. 2 The University of Auckland
74915 Waibstadt Germany
Phone: +64 9 373 7599 x8941
E-mail: n.brownlee@auckland.ac.nz Phone: +49 7263 911484
E-Mail: Erik.Guttman@sun.com
This document expires March 11, 1998. Phone: +64 9 373 7599 x8941
EMail: n.brownlee@auckland.ac.nz
Erik Guttman
Sun Microsystems, Inc.
Bahnstr. 2
74915 Waibstadt Germany
Phone: +49 7263 911484
EMail: Erik.Guttman@sun.com
8 Full Copyright Statement
Copyright (C) The Internet Society (1998). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 End of changes. 128 change blocks. 
513 lines changed or deleted 414 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/