Reporting period: January - April, 1997 (June 1997)
The two-day session addressed many of the technical and practical issues involved in detecting incidents in computer systems. Tools for detecting intrusions and descriptions of the types of attacks targeted at networks, servers, and desktops were presented. The seminar was augmented with an exhibit of intrusion detection tools. More details follow.
The seminar program was packed with informative presentations. Sandy Sparks, FedCIRC-West, and Rich Pethia, FedCIRC-East, set the stage for the seminar with their session, Introduction to Practical Intrusion Detection. Pointing out that the seminar would cover "detection" but not prevention or response, Sparks and Pethia described the rise in the number of intrusions on computer systems and stated the seminar goal of "improving the ability of Federal civilian agencies to detect intrusions or intrusion attempts."
Scott Charney, U.S. Department of Justice, discussed information technology legal issues, including the wiretap statute and its exceptions. Charney emphasized that, under the 4th amendment, Americans have an expectation of privacy. Mentioning keystroke monitoring and the potential liability of systems administrators, he pointed out that it is illegal to intercept or disclose information except under court order. Attendees were reminded of the need for a banner message on systems to warn users that their use may be monitored. Charney commented that public service providers can read e-mail but they may not disclose the contents except with the consent of the sender or receiver.
Mark Zajicek, FedCIRC-East, covered Host-Based Intrusion Detection for UNIX systems. Zajicek cited several recommended practices for intrusion detection, including actions such as verifying the integrity of intrusion detection tools, examining system activities, and reviewing reports from other sources. He cautioned attendees to use tools distributed via read-only media, whenever possible and practical, because they are more reliable and less prone to accidental destruction.
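The first of the practices Zajicek cited, verifying the integrity of the detection tools themselves, is easy to illustrate. The following script is an added example and not material from the seminar or from FedCIRC: it hashes every file under a tool directory to build a baseline manifest (which, following the read-only media recommendation, would be written once from a known-good state and kept on media an intruder cannot modify), then later compares the live directory against that baseline and reports modified, missing, and unexpected files. The directory layout, file contents, and the "tampering" in `demo()` are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(tool_dir):
    """Map each file's path (relative to tool_dir, POSIX-style) to its SHA-256.

    Run this once from a trusted state and store the result (e.g. as JSON)
    on read-only media; that stored copy is the baseline used by verify_tools.
    """
    root = Path(tool_dir)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tools(tool_dir, baseline):
    """Compare the live tool directory against the trusted baseline manifest."""
    current = build_manifest(tool_dir)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in current)
    unexpected = sorted(k for k in current if k not in baseline)
    return {
        "modified": modified,      # hash differs from the baseline: treat the tool as untrusted
        "missing": missing,        # baseline file no longer present
        "unexpected": unexpected,  # file present that the baseline never recorded
        "ok": not (modified or missing or unexpected),
    }


def demo():
    """Constructed scenario: a clean check, then a check after simulated tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "checker").write_bytes(b"#!/bin/sh\necho checking\n")
        (root / "bin" / "ps").write_bytes(b"original ps binary (constructed)")

        baseline = build_manifest(root)   # in practice: loaded from read-only media
        clean = verify_tools(root, baseline)

        # Simulate what a host compromise might do to a tool directory (constructed).
        (root / "bin" / "ps").write_bytes(b"replaced ps binary (constructed)")
        (root / "bin" / "checker").unlink()
        (root / "bin" / "extra").write_bytes(b"file not in baseline (constructed)")
        tampered = verify_tools(root, baseline)

    return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("clean:", clean_result)
    print("tampered:", tampered_result)
```

The check is only as trustworthy as the two things it depends on: the baseline must come from media the system under inspection cannot write to, and the Python interpreter and hashlib used to run it must themselves be trusted, which is why the seminar's advice to keep tools on read-only media applies to the checker as much as to the tools it checks.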
Describing the differences between host-based and network-based intrusion detection, Jeffrey Carpenter, FedCIRC-East, briefed on Network-Based Intrusion Detection - Routers, Firewalls, and Network Monitoring. He pointed out that network monitoring is important for detecting break-in attempts, vulnerability exploits, intruder scans, automated attacks, and the presence of new machines on the network.
Marcey Kelley, FedCIRC-West, described tools and techniques for intrusion detection on Windows NT, Macintosh, and Novell in her presentation, Practical Intrusion Detection for Non-Unix Based Systems. Noting that the trend is for more powerful and economical desktop systems, Kelley described intrusion paths on desktop systems, such as intrusions on client machines vulnerable to untrusted host connections via web browsers and third-party software added on top of the operating system.
David Crawford, FedCIRC-West, informed seminar attendees about viruses and their detection. Citing a National Computer Security Association (NCSA) survey, Crawford noted that virtually one in every thousand PCs experienced a virus incident every month in 1996. This statistic is up significantly from the 1984 report in which a virus was encountered in every thousand PCs every three months. Crawford described the infection process and gave clues for finding viruses.
Barbara Fraser, FedCIRC-East, gave attendees an overview of the Security Improvement Handbook. A security improvement module is a collection of recommended system and network administration practices that address the security of a specific information technology area. Examples of information technology areas include security of publicly-accessible web services, intrusion detection, and management of network connectivity with external contractors.
Thanking the speakers for their excellent presentations, the attendees for their diligent listening, and the exhibitors for their informative displays, Marianne Swanson, FedCIRC Program Manager, summed up the two-day seminar and encouraged agencies to use the FedCIRC services while they are freely available.
Eight vendors and one federal agency demonstrated their tools and supplied information to seminar attendees. Exhibitors were:
Plan to attend the annual conference - watch for details in the next report.
The following statistics represent FedCIRC activity through the second quarter of FY97:
Examples of FedCIRC actions in handling these incidents were to coordinate communications among the site(s) involved as well as to provide appropriate contact information and advice about the attack method (e.g., mail spamming); to work with the compromised site to help it recover from the attack; and to explain how to handle the problem and how to prevent it in the future.
FedCIRC combines the experience and expertise of NIST's Information Technology Laboratory's Computer Security Division with FedCIRC-East (the Defense Advanced Research Projects Agency's CERT(SM) Coordination Center (CERT/CC)) and FedCIRC-West (the Department of Energy's Computer Incident Advisory Capability (CIAC)) to provide agencies with cost-reimbursable, direct technical assistance and incident handling support.
The number of Internet-related incidents that have occurred in the past year, along with the increase in the number and complexity of threats, requires agencies to take their incident handling capability more seriously. The Office of Management and Budget has emphasized the need for incident handling in OMB Circular A-130, Appendix III, by requiring agencies to be able to respond in a manner that both protects their own information and helps to protect the information of others who might be affected by the incident.
The availability of the incident response hotline support and the collection, analysis, and publication of threat, vulnerability, and other security related data is accomplished by an underlying infrastructure of FedCIRC activities consisting of the following: