Category: News

Careful analysis of the nature of the attack or incident can lead to the implementation of effective and widespread preventative measures and the avoidance of similar events. This ability to respond quickly and effectively to a computer security threat is a critical element in providing a secure computing environment. One way to provide such a response is through the establishment of a formal incident response capability. This response capability can be in the form of comprehensive policies and procedures for reporting, analyzing, and responding to computer security incidents. It can also be in the form of an established or designated group that is given the responsibility for handling computer security events. This type of group is generally called a Computer Security Incident Response Team (CSIRT).

Focusing a team on incident handling activities allows them to further develop expertise in understanding intruder trends and attacks, along with acquiring knowledge in incident response methodologies. Depending on the services provided, the team can be composed of full-time or part-time staff. A CSIRT provides a single point of contact for reporting computer security incidents and problems. This enables the team to serve as a repository for incident information, a center for incident analysis, and a coordinator of incident response across an organization. This coordination can extend even outside the organization to include collaboration with other teams, security experts, and law enforcement agencies. The team’s relationships with other CSIRTs and security organizations can facilitate sharing of response strategies and provide early alerts to potential problems.

As a focal point for incident information, a CSIRT can gather information from across their organization, gaining insight into threats against the constituency that might not have been apparent when looking at individual reports. Based on this information, they can propose strategies to prevent intruder activity from escalating or occurring at all. They also can be a key player in providing risk data and business intelligence to the organization, based on the actual incident data and threat reports received by the CSIRT. This information can then be used in any risk analysis or evaluation. Having an experienced team established, with defined incident handling procedures in place, can jump start the response process.

There is no need to determine who in an organization does what, as there is a team already in place knowing what to look for, who to contact, and how to affect the response as quickly as possible. CSIRTs located at constituency sites may also have familiarity with the compromised systems and therefore be more readily able to coordinate the recovery and propose mitigation and response strategies. Depending on its mission and goals, a CSIRT can be structured and organized to provide a range of services in a variety of ways. Of key importance in deciding what types of services to offer will be the type of expertise available and the type of incident handling capability already in place in an organization.

Environmental variables, such as organization and constituency size, available funding, and geographic distribution, can also affect the range and level of services provided by a CSIRT. A small, centrally located organization will require a CSIRT that is different from that required by a large, geographically dispersed organization. Others act as that central repository and also disseminate any information on new vulnerabilities and intruder trends.

A CSIRT can also be organized as a coordinating CSIRT or coordination center rather than a one-on-one incident response service. In either case, the coordinating CSIRT synthesizes reports and information from all areas to determine the accurate picture of incident activity across the constituency and its vulnerability to attack.

This document attempts to illustrate the various issues regarding each option and highlight the decisions that organizations will face when choosing a model. This document does not address these other views, but they are interesting topics for future discussion and publication.

Regarding the decision-making capability and authority of a CSIRT, this document does not discuss how the CSIRT will interact with the business management side of any organization.

Once you have identified a model that best suites your situation, we highly recommend that you follow the guidelines presented in the Handbook for CSIRTs [West-Brown 03] to identify the next steps necessary to implement the decision. By being informed and prepared, the management team can focus their energy and resources appropriately and minimize the time and effort associated with building a solid foundation for an effective CSIRT within the organization.

http://www.bankinfosecurity.com/feed.php?target=http://www.sei.cmu.edu/publications/documents/03.reports/03hb001/03hb001chap01.html

A high-powered cybersecurity task force says software vendors must adopt patch management principles to ensure security patches are well-tested, small, localized, reversible and easy to install. The National Cyber Security Partnership (NCSP), a public-private task force that includes participation from the Business Software Alliance (BSA), issued its recommendations in a…

These two areas of the act — sections 302 and 404, respectively — are certainly key, and one out of three financial officers charged with ensuring their company reaches compliance with financial regulations cites them as the most challenging, according to a survey from Protiviti, which provides independent internal audit and business and technology risk consulting services.

However, 27 percent say aligning audit committee activity with legal and regulatory requirements is the most difficult part of Sarbanes-Oxley, and 23 percent cite recruiting an audit committee financial expert. “Publicly traded firms remain under intense pressure from boards and shareholders to meet the new governance requirements of Sarbanes-Oxley, the SEC, the exchanges and other regulatory bodies,” Protiviti Managing Director Everett Gibbs says.

1. Four out of 10 CFOs overall and 33 percent at large companies say the act has led or will lead to changes in the makeup of their boards or board committees.
2. In 83 percent of firms, management decided on its own to provide more information to the board and its committees.
3. Slightly less than half of the companies surveyed have formed a disclosure committee.
4. Disclosure committees are more common among large companies (74 percent have formed one) than small companies (33 percent).
5. Ensuring the independence of external auditing is also a priority for CFOs.
6. A number of survey respondents say it’s still too early to know how much it costs to reach full compliance with Sarbanes-Oxley.

More info: [url=http://www.bankinfosecurity.com/?q=node/view/556]http://www.bankinfosecurity.com/?q=node/view/556[/url]

The attack began Saturday night and by Sunday morning the software firm’s site was completely flooded with requests, Utah-based SCO said.

While infected PCs were supposed to start inundating the main SCO Web site with data starting at 4:09 pm GMT (8:09 am PST), the site had been nearly inaccessible for a 16-hour period prior to the scheduled start of the attack, according to Internet performance measurement firm Netcraft. The outage could have been due to a large number of infected computers having their clocks set to the wrong time.

“This is the biggest single (denial of service) attack ever,” Mikko Hypponen, director of antivirus research at F-Secure, wrote in an update on the security company’s Web site. In its statement on Sunday, SCO it still “had a series of contingency plans to deal with this problem,” but would wait until Monday–at about 5 a.m. PST–to communicate them.

The attack aimed at Microsoft by computers infected with the B variant of MyDoom is not expected to have as much effect because that version hasn’t spread as widely, said Vincent Weafer, a senior director at computer-security company Symantec.

More info: [url=http://zdnet.com.com/2100-1105_2-5151572.html]http://zdnet.com.com/2100-1105_2-5151572.html[/url]

The email worm became the world’s fastest spreading virus, after 1.5 million copies of emails sent out to infect machines were intercepted in the first 24 hours.

The creators of MyDoom.A plan to use those “back doors” to co-ordinate a mass attack on the website of US software firm SCO, starting tomorrow.

More info: [url=http://www.smh.com.au/articles/2004/01/30/1075340841697.html]http://www.smh.com.au/articles/2004/01/30/1075340841697.html[/url]

Launched Wednesday by the National Cyber Security Division of the Department of Homeland Security, the alerts will be available to members of the public as well as technology professionals responsible for the security of infrastructure systems.

Interested parties can subscribe to the alerts online: [url=http://www.us-cert.gov/]http://www.us-cert.gov/[/url]

Amit Yoran, director of the National Cyber Security Division, said each computer connected to the Internet is a point of vulnerability in the spread of malicious attacks. Individual computer users who don’t patch vulnerabilities in their systems, keep antivirus definitions up-to-date or take precautions when opening e-mail attachments are the biggest contributors to the spread of viruses and worms.

The alerts will include announcements about current attacks as well as information for users about how to protect their systems before attacks occur. The alerts also will provide background information about computer scams and other fraud that may occur online. In addition, the department will provide security bulletins containing vulnerability announcements, patches and work-arounds to security professionals in charge of computer networks to help them protect national infrastructure and e-commerce systems.

Yoran said the alerts will be digitally signed by the department so users can distinguish them from fake alerts that attackers might send out with virus attachments.

One of the main parties providing information is the Computer Emergency Readiness Team, or CERT, at Carnegie Mellon University.

More info: [url=http://www.wired.com/news/business/0,1367,62078,00.html?tw=rss.TOP]http://www.wired.com/news/business/0,1367,62078,00.html?tw=rss.TOP[/url]