Standards Bodies and Incident Response Teams

A number of standards bodies today help a network administrator design a sound security policy. The two main entities that are helpful are the Computer Emergency Response Team Coordination Center (CERT/CC) and the various newsgroups that enable you to share valuable security information with other network administrators.

The CERT/CC is a U.S. federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the infamous worm incident (a virus developed to halt IP networks), which brought 10 percent of Internet systems to a halt in November 1988, the CERT/CC has helped to establish incident handling practices that have been adopted by more than 200 response teams around the world.

CERT/CC works with the Internet community to facilitate responses to incidents involving the Internet and the hosts that are attacked. CERT/CC is designed to take proactive steps to ensure that future attacks and vulnerabilities are communicated to the entire Internet community. CERT/CC also conducts research aimed at improving the security of existing systems.

CERT/CC also helped technology managers with Y2K compliance and with well-known viruses such as the Melissa virus. CERT/CC does not focus on the intruders themselves, or on the arrest of individuals responsible for causing havoc; rather, it ensures that vulnerabilities and loopholes are closed as soon as possible. CERT/CC does not maintain any security standards (these are left for RFCs); also, it does not provide any protocols to help network administrators.

CERT/CC has a number of relationships with other organizations, such as law enforcement, Internet security experts, and the general public, so that any information gathered by the teams involved in stifling attacks is communicated.

Examples of intruders actually overcoming network security include the famous Barclays Bank attack in July 2001, where the company's home page was defaced. The New York Times website was altered in September 1998. In February 2000, Yahoo also came under attack. In response to attacks like these and the increased concern brought about by them, Cisco Systems decided to release a new CCIE Security certification.

Cisco Systems also provides a website (for the Cisco Product Security Incident Response Team) where customers can report any security concerns regarding flaws in Cisco IOS products:

www.cisco.com/warp/public/707/sec_incident_response.shtml

You can also e-mail the Cisco Product Security Incident Response Team directly for emergency issues at [email protected], and for nonemergencies at [email protected].

NOTE Social engineering is a widely used term that refers to the act of tricking or coercing employees into providing information, such as usernames or mail user identifications and even passwords. First-level phone support personnel are individuals typically called by intruders pretending to work for the company to gain valuable information.

In 1998, CERT/CC handled 4942 incidents involving intruders. In 2001, CERT/CC handled over 52,000 incidents, resulting in 2437 incident reports.

If you have never heard of CERT/CC, now is the time to read more and ensure that you are alerted to vulnerabilities. For more details on CERT/CC, visit www.cert.org. CERT/CC claims that over 95 percent of intrusions can be stopped with countermeasures in place and monitoring tools.

Incident Response Teams

Incident response teams are too often set up only after an incident or intrusion occurs. However, sound security administration should already have teams set up to monitor and maintain network security.

Incident response teams do the following:

• Verify the incident.

• Determine the magnitude of the incident (hosts affected and how many).

• Assess the damage (for example, determine if public servers have been modified).

• Gather and protect the evidence.

After this data has been collected, the incident response team determines whether there is enough trace data to track the intruders. The actual data you discover might be only a small part of the entire puzzle. For example, initially, you might have only a log file or notice that a log file size increased or decreased during the incident.
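The log-file clue mentioned above (a log that grew or shrank during the incident) can be checked, and the evidence protected, with a small baseline-and-hash routine. This is an added example, not code from the book; the file names, the sample syslog lines and the `evidence.jsonl` record are constructed for the demonstration.

```python
# Added example, not from the book: baseline a log file, classify size
# changes between snapshots, and keep hashes so the evidence copy stays verifiable.
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, asdict

@dataclass
class Snapshot:
    path: str
    size: int
    sha256: str

def snapshot(path: str) -> Snapshot:
    """Record the size and SHA-256 of a file as it exists right now."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return Snapshot(path, os.path.getsize(path), h.hexdigest())

def compare(before: Snapshot, after: Snapshot) -> str:
    """Classify what happened to the file between two snapshots."""
    if before.sha256 == after.sha256:
        return "unchanged"
    if after.size < before.size:
        return "shrank"      # possible truncation or log wiping
    if after.size > before.size:
        return "grew"        # new entries, possibly intruder activity
    return "rewritten"       # same size, different content

def write_evidence_record(snap: Snapshot, record_path: str) -> None:
    # Append a JSON line for the snapshot to a separate, append-only evidence log.
    with open(record_path, "a") as f:
        f.write(json.dumps(asdict(snap)) + "\n")

def demo() -> str:
    # Constructed sample: a tiny syslog that is truncated after the baseline.
    d = tempfile.mkdtemp()
    log = os.path.join(d, "messages")
    with open(log, "w") as f:
        f.write("Jan 1 10:00:01 host sshd[100]: Accepted password for admin\n"
                "Jan 1 10:05:12 host sshd[101]: Failed password for root\n")
    before = snapshot(log)
    with open(log, "w") as f:   # second write truncates the file
        f.write("Jan 1 10:00:01 host sshd[100]: Accepted password for admin\n")
    after = snapshot(log)
    write_evidence_record(before, os.path.join(d, "evidence.jsonl"))
    write_evidence_record(after, os.path.join(d, "evidence.jsonl"))
    return compare(before, after)
```

Keeping the evidence record on separate media from the affected host is what makes the recorded hashes useful later.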

The data should be sent to upper management, to the operations groups within an organization, to all affected sites, and to organizations such as CERT/CC or the press. Organizations like Cisco are typically not going to release a statement to the press detailing any attacks.

After the information flows to all parts of an organization, the incident response team restores programs and data from the vendor-supplied media and backup device storage media. The data restored needs to be securely configured (such as routers; see the example in the section, "Protecting Cisco IOS from Intrusion" later in this chapter), including installing all relevant patches for all application-based programs.

Finally, the incident response team prepares a report and provides that information to the law enforcement organization if prosecution is required.

Internet Newsgroups

Another important body for both network administrators and intruders themselves is Internet newsgroups. Newsgroups are mailing-list-style forums where individuals can share ideas and past incidents to keep current with the latest security concerns and protection policies. As a network administrator, you must be aware of both the standards and what intruders are discussing.

For example, CERT/CC recommends the following newsgroups:

• alt.security—Lists computer security issues as well as other security issues, such as car locks and alarm systems

• comp.risks—Moderated forum on the risks to the public in computers and related systems

• comp.security.announce—Computer security announcements, including new CERT advisories, summaries, and vendor-initiated bulletins

• comp.security.misc—A variety of issues related to computer and network security

• comp.security.unix—Security information related to the UNIX operating system

• comp.virus—Computer viruses and related topics

NOTE The following sites also contain a great wealth of information. Although not security specific, they can help you identify the mechanism used to infiltrate technologies such as TCP/IP:

• Internet Domain Survey (www.isc.org/ds/)—Includes Host Count History and pointers to other sources of Internet trend and growth information

• Internet Engineering Task Force (IETF) (www.ietf.org/)—Offers technical papers, best practices, standards, and more

• Internet Society (ISOC) (www.isoc.org/internet/)—Provides an overview of the Internet, including its history and how it works
