CyberSecurity Institute

“We’re definitely seeing an increase in the number of [CSIRTs] being formed,” says Georgia Killcrece, leader of the CSIRT development team at the CERT Coordination Center at Carnegie Mellon University.

In many cases, companies are being driven to create CSIRTs by mandates from Washington, industry groups and the upper reaches of corporate management, she says. New requirements in laws such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and California State Law SB 1386, hold companies accountable for the handling and whereabouts of sensitive data, and respond appropriately to any breaches of customer or employee privacy.

At their best, CSIRTs let companies react in a consistent and coordinated way to events that affect IT systems. “Companies don’t want to have to reinvent the wheel each time an incident occurs. They want to know what to do, gather the right information and pull the right people together,” Killcrece says.

To create an incident response team, start by getting the proper participants together. Business managers, network and desktop administrators, and IT security experts have to be involved, Killcrece says. Legal staff, human resources representatives and senior executives who make funding decisions also should participate in the planning.

When drafting your CSIRT plan, start with the basics, recommends Adam Hansen, manager of security at Sonnenschein, Nath & Rosenthal, a law firm in Chicago.

Companies also need to identify the scope of a CSIRT’s responsibilities, says Troy Smith, senior vice president at Marsh Risk Consulting.

“You have to look at the core software applications that you need to sustain yourselves. If you have one set of systems that are really critical, the scope [of the CSIRT] could be narrow. If you’re an organization that’s very dependent on technology, it could be very broad,” he says.

Howard Schmidt, former White House cybersecurity adviser and the current chief security officer at online auction site eBay, recommends a holistic approach to creating CSIRTs.

“The biggest mistake is to think that you can [create CSIRTs] in a short time-that you’ll set it up and it will be in operation next month,” she says.

Ultimately, the success of an organization’s incident response team will depend on its commitment to that team: the resources and funding allocated, the time put into planning and rehearsing incident response scenarios.

Every CSIRT is special: Identify what your company’s core business processes and systems are, what needs to be done to support and protect those, and how they can be quickly restored if need be.

http://www.nwfusion.com/careers/2005/013105man.html?fsrc=rss-security

More than 8,000 Windows computers running the MySQL database were probably infected with the worm program, referred to as the MySQL bot worm or by the name of the executable file, SpoolCLL, that the worm installs on vulnerable machines.

The program did not spread on its own, but downloaded targets from several Internet relay chat (IRC) servers. Those several have been made inaccessible, virtually stopping the worm, said Oliver Friedrichs, senior manager for incident response at security technology maker Symantec. “We are just seeing residual infections,” Friedrichs said. “The worm cannot connect to those servers, so it has lost its control channel. Without those commands, the worm is not going to be able to spread.”

The worm started infecting systems on Tuesday, according to Symantec’s network of sensors.

While the thousands of compromised systems hardly compare to the millions of systems infected by MSBlast or hundreds of thousands compromised by Microsoft SQL Slammer, the MySQL worm is significant for a different reason: Technically, it’s not a worm, but an example of bot software, designed to infect and control computers. Such programs are numerous (Symantec’s catalog holds more than 6,500) and, as the MySQL worm demonstrates, can easily be turned into programs that spread widely.

“We are seeing a real graying of the lines,” Friedrichs said. “There is really a huge blur now between all the different kinds of threats.”

Bot software represents a significant danger on the Internet because computers compromised by the programs can be controlled by an attacker, allowing anonymous assaults on Web sites, untraceable spam floods and a way for an attacker to steal data. Anyone attempting to trace back the malicious activity will merely find the compromised computer. Most users are unaware that their computer systems contain malicious software. A group of computers controlled by bot software, known as bots or zombies, disrupted Internet service provider Akamai’s network in June.

The MySQL worm, which Symantec refers to as Spybot.ivq, underscores the danger that far more of these programs will start to have an automated function for scanning for vulnerable systems and spreading to any potential victim found. On Thursday, the company that develops the MySQL database software, MySQL AB, emphasized that the bot software spread by exploiting weak passwords and that MySQL runs with elevated privileges under Windows. The company’s security team released an advisory outlining steps that MySQL administrators could use to identify infections and safeguard their systems. The ability to use user-defined functions in MySQL is a feature, not a flaw, said Zack Urlocker, vice president of marketing for MySQL. “Although this vulnerability stems from users not setting a proper password or firewall on Windows, we take full responsibility in helping our users make sure they have a secure environment,” Urlocker stated in an e-mail interview. “This does appear to have been a Windows-only issue…It is unlikely to be an issue on Linux.” Unix-like systems, such as Linux and BSD, run server software, including the MySQL database, as a separate user, shielding many critical system functions from exploitation by such a worm.

A report from Next-Generation Security Software (NGSSoftware) published last July described the mechanism for exploiting Windows systems through the MySQL database’s user-defined functions. Code to do just that was published on the Internet in December.

Microsoft was not immediately available for comment on whether the installation of code by exploiting MySQL’s user-defined functions could be blocked on Windows.

http://news.zdnet.com/2100-1009_22-5555242.html