Reporting Period: October-January 1998
Highlights of Annual Workshop
FedCIRC held its first Annual Workshop on November 20 and 21, 1997, at the DoubleTree Hotel in Rockville, Maryland. A stellar success, the workshop focused on educating the community on current incident trends, incident detection, and incident handling. Nearly a hundred attendees benefited from the opportunity to learn from security experts and to share experiences with each other.
The workshop was conducted as a series of presentations on the first day and three parallel training tracks on the second day.
REVIEW OF DAY ONE:
Welcoming attendees to the first annual workshop, FedCIRC Program Manager Marianne Swanson (NIST) introduced Patricia Edfors (PNE Associates), who, as the Champion of Security for the Government Information Technology Services (GITS) Board, was instrumental in the birth of FedCIRC. Ms. Edfors' remarks encouraged attendees to focus on the business case for improved security of information systems. Her strong, outspoken support for FedCIRC and other federal IT computer security endeavors has been much appreciated and will be sorely missed now that she has transitioned to private industry.
Next, three varying perspectives of the state-of-the-threat were presented in a panel consisting of Rich Pethia (CERT), Brian Dunphey (ASSIST), and Dan Neilsen (CITAC). Pethia summarized trends seen from the FedCIRC experience; Dunphey described the information warfare environment; and Neilsen discussed the potential threat computers and technology pose to national security.
The operation and consequences of several currently used intruder tools and techniques were presented in a session conducted by NASIRC's Frank Husson (Allied Technology Group, Inc.) and FedCIRC-west's Phil Cox (CIAC). Answering the key question "How did they get that information?", Husson explained the methods used by hackers to gather target information, while Cox gave in-depth descriptions of current exploits, including the use of sniffers, the means hackers use to gain root access (such as buffer overflows), the damage they do (e.g., IP spoofing, DNS cache exploits), and the backdoors and trojan software that often result from these intrusions.
Trial attorney Susan Koeppen (DoJ) kept the audience enthralled after lunch with her presentation on legal issues. Entitled "Investigation and Prosecution of Computer Crime," her enthusiastic and informative talk sprinkled real-life cases (e.g., Citibank) among the drier material on the statutes and laws that apply to computer crime. She told the audience what is needed to prosecute those who commit computer crimes.
James Seattle (Seattle Services in Technology) gave attendees tips on the realities of computer forensics -- from evidence collection to testifying in court -- by walking them through a real-life case he worked on.
In the final session of day one, Cal Dalrymple (FBI) kept attendees glued to their seats while he described recent investigations and prosecution of a fascinating high-technology crime handled by the San Francisco FBI Computer Crime Squad.
REVIEW OF DAY TWO:
Three parallel training tracks, specifically designed to address the participants' differing backgrounds, were given on day two of the workshop.
Two tracks covering intrusion detection for systems and network administrators were presented. In one track, "Host-Based Intrusion Detection for UNIX Systems" was presented by Mark Zajicek (CERT) and "Network-Based Intrusion Detection, Routers, Firewalls, and Network Monitoring" was presented by Jeffrey Carpenter (CERT). In the second track, Kathryn Call (CIAC) gave the tutorial "Practical Intrusion Detection for Non-Unix Based Systems" and David Crawford (CIAC) gave the tutorial "Computer Virus Operation and Detection." Crawford also gave a brief tutorial on "IRTS: Incident Response Ticket System," a tool for tracking and recording incidents and requests for information. Note: the IRTS is described elsewhere in this newsletter.
In the third training track, Sandy Sparks (CIAC) and Marianne Swanson (NIST) conducted the seminar "Creating an Incident Response Capability (IRC)" and Shawn Hernan (CERT) lectured on secure communications.
The diverse workshop program and small conference atmosphere offered plenty of opportunity for audiences and speakers to mingle and share their experiences. All-in-all, the experience was a good one for attendees, presenters, and coordinators.
In an ideal world, all agencies would help pay for FedCIRC support. Like a fire department that responds to any and all fires, not merely to those of taxpayers in good standing, an incident response team needs to help wherever problems exist, not merely with subscriber incidents. While subscribers expect and deserve special attention, the reality of incident response requires that FedCIRC help all organizations involved in an incident. Incident response is not a stand-alone operation. A stable funding source is required to make FedCIRC a success fiscally; that stability has been elusive. A key lesson from FedCIRC's pilot experience is that the subscription funding model cannot support an infrastructure service such as incident handling.
Until a funding resolution is achieved, the FedCIRC collaborators are spending a lot of time researching potential sources of income for the continuance of FedCIRC. As a result of a briefing on the status of FedCIRC's funding, the Computer Systems Security Privacy and Advisory Board (CSSPAB) wrote letters to the Director of the Office of Management and Budget (OMB), the Director of the National Security Agency, the Acting Director of NIST, the CIO Council Chairman, and the Secretary of Commerce in support of FedCIRC. Describing it as "an essential security-support function," CSSPAB requested cooperation among the appropriate federal officials to assure the ongoing funding and viability of FedCIRC.
The CSSPAB letters elevated the FedCIRC funding issue and resulted in the CIO Council's Security Subcommittee requesting the General Services Administration (GSA), the Department of Justice (DoJ), and NIST to review the services and associated costs of FedCIRC to determine the best approach for a viable incident handling capability and a means of funding it. During the coming weeks, a transition plan will be developed that will, hopefully, culminate in the continuance of a coordinated incident handling service to the Federal community.
The Federal Computer Incident Response Capability (FedCIRC) is an initiative undertaken by NIST's Information Technology Laboratory's Computer Security Division, the CERT* Coordination Center (CERT/CC), and the Department of Energy's Computer Incident Advisory Capability (CIAC) to provide agencies with cost-reimbursable, direct technical assistance and incident handling support. FedCIRC combines the experience and expertise of these three organizations to provide a virtual coast-to-coast team of incident response support for the federal civilian community.
*Registered in U.S. Patent and Trademark Office. The CERT Coordination Center is part of the Software Engineering Institute. The Software Engineering Institute is sponsored by the U.S. Department of Defense.
Developed by FedCIRC-west (CIAC) for managing the day-to-day responsibilities of an incident handling team, the IRTS is a tool that tracks incidents and requests for assistance. The tool's functionality matches the incident handling workflow model used by FedCIRC.
The primary design goal of the IRTS was to implement a platform-independent, distributed database that would capture requests for assistance and information, that would generate ticket information in a way that allows for easy, aggregated reporting, and that would associate pertinent e-mail messages with ticket information. Other goals were to minimize the cost of the tool and to provide a customizable solution.
The IRTS collects and relates ticket information, notes, and actions. Some information in a ticket can be supplied by table lookup, e.g., the ticket type. From the IRTS home page the last few days of ticket activity can be viewed. The IRTS can view incoming e-mail (both current messages and archives, by thread), respond to e-mail directly, and record the resulting ticket or action in the database; it can edit or add to ticket information, store log files and notes, and search through tickets. Each ticket can have an unlimited number of follow-up actions. Ticket reports can be generated. The IRTS also includes a database maintenance tool for editing any record directly and adding keywords to the keyword list.
The IRTS is built from three main software packages: MHonArc (a tool for converting e-mail messages into web pages, free for any use; see http://www.oac.uci.edu/indiv/ehood/mhonarc.html), PHP 2.0 (combines Perl-like syntax with Active Server Pages functionality, free under the GPL license; see http://www.vex.net/php) for server-side scripting, and MySQL (a straightforward, fast, SQL-based database for UNIX that is free for non-commercial use or $250 otherwise; see http://hughes.com.au) as the back-end database system. Each of these packages includes source code and may be customized for a variety of different needs.
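The data model the two preceding paragraphs describe (tickets typed by a lookup table, an unlimited number of follow-up actions per ticket, e-mail messages associated with tickets, keywords, a recent-activity view and aggregated reports) is easy to make concrete as a small relational schema. The following is an added illustration and is not the IRTS source code; it uses Python's built-in SQLite module in place of the MySQL back end the IRTS used, and all table names, column names and sample tickets are constructed for the example.

```python
"""Illustrative incident-ticket schema in the spirit of the IRTS (not its code).

Assumptions: SQLite stands in for MySQL; dates are ISO-8601 strings so that
lexical comparison equals chronological comparison; all sample data is constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE ticket_type (           -- lookup table supplying the ticket type
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE ticket (
    id      INTEGER PRIMARY KEY,
    opened  TEXT NOT NULL,           -- ISO date the request/incident was received
    type_id INTEGER NOT NULL REFERENCES ticket_type(id),
    summary TEXT NOT NULL,
    status  TEXT NOT NULL DEFAULT 'open'
);
CREATE TABLE action (                -- unlimited follow-up actions per ticket
    id         INTEGER PRIMARY KEY,
    ticket_id  INTEGER NOT NULL REFERENCES ticket(id),
    taken      TEXT NOT NULL,        -- ISO date of the action
    note       TEXT NOT NULL,
    mail_msgid TEXT                  -- Message-ID of the e-mail this action answers, if any
);
CREATE TABLE ticket_keyword (        -- keywords attached to a ticket for searching
    ticket_id INTEGER NOT NULL REFERENCES ticket(id),
    keyword   TEXT NOT NULL,
    PRIMARY KEY (ticket_id, keyword)
);
"""


def open_db():
    """Create an empty in-memory database with the schema and the type lookup rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ticket_type(name) VALUES (?)",
                     [(t,) for t in ("probe", "intrusion", "virus", "info-request")])
    return conn


def open_ticket(conn, opened, type_name, summary):
    """Open a ticket; the type is resolved through the lookup table, not typed freely."""
    row = conn.execute("SELECT id FROM ticket_type WHERE name = ?", (type_name,)).fetchone()
    if row is None:
        raise ValueError("unknown ticket type: %s" % type_name)
    cur = conn.execute("INSERT INTO ticket(opened, type_id, summary) VALUES (?, ?, ?)",
                       (opened, row[0], summary))
    return cur.lastrowid


def add_action(conn, ticket_id, taken, note, mail_msgid=None):
    """Record a follow-up action, optionally tied to the e-mail message it answers."""
    cur = conn.execute("INSERT INTO action(ticket_id, taken, note, mail_msgid) VALUES (?, ?, ?, ?)",
                       (ticket_id, taken, note, mail_msgid))
    return cur.lastrowid


def ticket_for_message(conn, mail_msgid):
    """Associate an e-mail (by Message-ID) back to its ticket; None if unknown."""
    row = conn.execute("SELECT ticket_id FROM action WHERE mail_msgid = ?", (mail_msgid,)).fetchone()
    return None if row is None else row[0]


def recent_activity(conn, since):
    """Home-page view: ids of tickets with any action on or after `since`."""
    rows = conn.execute("""SELECT DISTINCT t.id FROM ticket t
                           JOIN action a ON a.ticket_id = t.id
                           WHERE a.taken >= ? ORDER BY t.id""", (since,)).fetchall()
    return [r[0] for r in rows]


def breakdown_by_type(conn, start, end):
    """Aggregated report: number of tickets opened in [start, end] per type (zeros included)."""
    rows = conn.execute("""SELECT tt.name, COUNT(t.id) FROM ticket_type tt
                           LEFT JOIN ticket t ON t.type_id = tt.id AND t.opened BETWEEN ? AND ?
                           GROUP BY tt.name ORDER BY tt.name""", (start, end)).fetchall()
    return dict(rows)


def build_sample_db():
    """Populate a database with constructed sample tickets for demonstration."""
    conn = open_db()
    t1 = open_ticket(conn, "1997-10-03", "probe", "port scan of mail relay (constructed)")
    t2 = open_ticket(conn, "1997-10-15", "intrusion", "root compromise reported by site admin (constructed)")
    t3 = open_ticket(conn, "1997-11-02", "probe", "repeated finger queries (constructed)")
    add_action(conn, t1, "1997-10-03", "Acknowledged report; asked for logs", "<a1@example.invalid>")
    add_action(conn, t2, "1997-10-16", "Sent containment checklist", "<b1@example.invalid>")
    add_action(conn, t2, "1997-10-20", "Site confirmed rebuild from clean media")
    add_action(conn, t3, "1997-11-02", "Logged; no response required")
    conn.execute("INSERT INTO ticket_keyword VALUES (?, ?)", (t2, "root-compromise"))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(breakdown_by_type(db, "1997-10-01", "1997-12-31"))
    print(recent_activity(db, "1997-10-16"))
```

The `LEFT JOIN` in the report query is deliberate: types with no tickets in the period still appear with a count of zero, which is what an aggregated quarterly breakdown like the one later in this newsletter needs.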
The IRTS prototype is available from the FedCIRC-west web site:
FedCIRC will host the following technical seminars at NIST during the coming weeks:
Visit the FedCIRC website or contact Tammie Grice for registration information: 301-975-2775.
Beginning with the first quarter of FY98, the NASA incident response team, NASIRC, is reporting to FedCIRC the .gov incidents handled by them. This cooperation among incident handling teams to collect incident information marks a significant milestone in building a coordinated incident reporting mechanism that can be used to share threat and vulnerability data across the Federal community.
The number of .gov-related incidents handled by FedCIRC-east (CERT), FedCIRC-west (CIAC), and NASA's team (NASIRC) during the first quarter of FY98 was 159. These incidents break down into the following types: 3 denial of service, 1 e-mail (forged .gov address), 44 intrusion, 4 malicious code, 5 misuse, 92 probes, 4 spamming, 5 virus, and 1 other ("pie-in-the-face" prank). The ripple effect of these incidents, however, impacted tens of thousands of sites and hosts across government, industry, and academia.
It is interesting to note that between October 1996 and October 1997, FedCIRC handled 244 incidents in which government sites were involved. Coupled with the statistics for the first quarter of 1998, this information seems to indicate a rise in incidents, or at least a rise in incident reporting and handling!
The number of FedCIRC information requests handled during the quarter was 63.
The FedCIRC community receives advisories on incidents and potential problems. FedCIRC distributes advisories to aid in the wide distribution of essential security information. Generally, FedCIRC issues advisories about vulnerabilities whose exploitation can have the biggest impact on the Internet. So far, well over a hundred FedCIRC advisories have been distributed. The advisories are posted on the web site shortly after their distribution.