Standards Bodies and Incident Response Teams

Numerous standards bodies today help a network administrator design a sound security policy. The two main entities that are helpful are the Computer Emergency Response Team Coordination Center (CERT/CC) and the various newsgroups that enable you to share valuable security information with other network administrators.

CERT/CC is a U.S. federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the infamous Morris worm incident (a virus developed to spread itself within any IP network), which brought 10 percent of Internet systems to a halt in November 1988, CERT/CC has helped to establish incident-handling practices that have been adopted by more than 200 incident response teams around the world (incident response teams are described in depth later in the chapter).

CERT/CC works with the Internet community to facilitate responses to incidents involving the Internet and the hosts that are attacked. CERT/CC is designed to take proactive steps to ensure that future attacks and vulnerabilities are communicated to the entire Internet community. CERT/CC also conducts research aimed at improving the security of existing systems.

CERT/CC also helped technology managers with Y2K compliance and with various well-known viruses, such as the Melissa virus. CERT/CC does not focus on the intruders themselves, or on the arrest of individuals responsible for causing havoc; rather, it ensures that vulnerabilities and loopholes are closed as soon as possible. CERT/CC does not maintain any security standards (these are left for RFCs); also, it does not provide any protocols to help network administrators.

CERT/CC has relationships with various other organizations, such as law enforcement and Internet security experts, and with the general public, so that any information gathered by the teams involved in stifling attacks is communicated quickly.

Examples of intruders actually overcoming network security include the famous Barclay Bank attack in July 2001, where the company's home page was defaced. The New York Times website was altered in September 1998. In February 2000, Yahoo also came under attack. In response to attacks like these and the increased concern brought about by them, Cisco Systems decided to release a new CCIE Security certification.

Cisco also provides a website (for the Cisco Product Security Incident Response Team) where customers can report any security concerns regarding flaws in Cisco IOS products:

http://www.cisco.com/en/US/products/products_security_advisories_listing.html

You can also e-mail the Cisco Product Security Incident Response Team directly for emergency issues, at [email protected], and for nonemergencies, at [email protected].

NOTE Social engineering is a widely used term that refers to the act of tricking or coercing employees into providing information, such as usernames, mail user identifications, and even passwords. First-level phone-support personnel typically are the employees who are called by intruders, who pretend to work for the company in order to gain valuable information. The following URL takes you to the "2004 E-Crime Watch Survey," which details the level of electronic crime. It is an excellent document you can give to upper management to show how seriously security should be regarded in any organization connected to the Internet:

http://www.cert.org/archive/pdf/2004eCrimeWatchSummary.pdf

In 1998, CERT/CC handled 4,942 incidents involving intruders. In 2001, CERT/CC handled over 52,000 incidents, resulting in 2,437 incident reports. In 2004, through the month of November, more than 2,680 incidents were reported in a single month.

If you have never heard of CERT/CC, now is the time to read more and ensure that you are alerted to vulnerabilities. For more details on CERT/CC, visit http://www.cert.org. CERT/CC claims that over 95 percent of intrusions can be stopped with countermeasures and monitoring tools in place.
