Abstract:
This talk will review some of the most pressing concerns relating to
computer systems and networks that must be secure and reliable -- threats,
vulnerabilities, characteristic penetrations and other misuses, risks,
defensive measures involving operating-system and network security
(including crypto), difficulties in software development, networking and
system operation, problems inherent in distributed systems, and intrinsic
limitations in the use of technology.
Biography:
Dr. Peter G. Neumann has been a computer scientist since 1953, with three
degrees from Harvard. He has been in the Computer Science Lab at SRI
International since 1971. Throughout the 1960s he was at Bell Telephone
Laboratories in Murray Hill, NJ, where from 1965 to 1969 he was a
codeveloper of Multics -- which has had a significant impact on subsequent
secure system developments. He has worked on systems that satisfy stringent
requirements for security, reliability, and safety, and on methodologies for
development of such systems. He has taught at Stanford and Berkeley. He is
Chairman of the Committee on Computers and Public Policy for the ACM
(Association for Computing Machinery), Moderator of the ACM Forum on Risks
to the Public in the Use of Computers and Related Systems (comp.risks),
Editor of the ACM Software Engineering Notes, and Contributing Editor of the
Communications of the ACM. He is a Fellow of the AAAS, ACM, and IEEE. He
was a member of the National Research Council System Security Study
Committee, whose efforts resulted in the book, Computers at Risk, and has
just completed his stint on the NRC study group that reviewed U.S. crypto
policy, resulting in the book, Cryptography's Role In Securing the
Information Society (a.k.a., the CRISIS report). This talk will be
illustrated with cases from the Risks Forum, many of which are documented in
his book, Computer-Related Risks, published by Addison-Wesley (1995).
Abstract:
As every year, the FIRST conference is an excellent opportunity to meet
other team members, establish contacts and get first-hand impressions
of the activities of other teams.
This session should facilitate this activity by providing a forum for short presentations focusing on current activities and projects of several teams.
Three different "groups" of teams are invited to present:
Abstract:
Traditional computer security is typically concerned with the
maintenance of security, as characterized by 'confidentiality',
'integrity' and 'availability'.
Problems caused when one of these aspects is compromised are often further complicated by the fact that most system administrators lack the knowledge needed to prepare their systems to react to threatening intrusions, system vulnerabilities or probes. They do, however, find themselves confronted with these problems, and are frequently obliged to deal with them on their own.
Today's corporations have been able to take possible physical disasters into consideration and incorporate them into their risk management frameworks. The same companies are, however, insufficiently prepared to deal with logical problems on the same scale, caused for example by malicious persons or programs.
In 1988 the new concept of an incident response team (IRT) or computer emergency response team (CERT) which serves a defined constituency was introduced. Some tutorials and papers already provide practical guidelines for managing the early stages of such operations and specific tasks.
After nearly eight years of practical service for users and organizations throughout the world, commercialization is increasingly becoming part of the business. Private consultants offer emergency services, existing teams have to deal with commercial offers, and new teams that will provide commercial services are beginning to promote their services.
Starting with considerations for integrating incident response services into a business organization as part of the overall risk (and crisis) management, it is shown that the already well-known tasks and services are very useful in allowing proactive steps against the threats and dangers of today's global networks. Furthermore, as teams within organizations benefit from authority and management decisions, services will be different and even new services will be possible that are not normally carried out by external IRTs, tiger teams for example.
In reviewing existing funding models, an overview of the "commercial" reality of today's teams is given. By reviewing these models, their benefits, but also their disadvantages, are described. In searching for more funding, teams have already started to look into "selling" at least part of their services. The impact of commercialization on the task of computer security incident response will be analysed and examined in more detail.
The need for external teams is obvious in light of coordination and communication issues, as they provide a neutral connection among various teams. Therefore the critical points related to the commercialization of such tasks are also addressed, together with topics that are not necessarily measurable in monetary units, such as ethical and social implications.
It is hoped that the points raised and the considerations outlined will help to develop a better understanding of what it means to commercialize (or integrate into a business organization) such a critical task as computer security incident response. Moreover, it is hoped that corporations and other entities develop a deeper insight and start to integrate incident response services (instead of relying on external teams only) to enhance their risk management capabilities.
But instead of starting over again, they should make use of the already established knowledge and expertise. Only cooperation and learning from each other will help all parties involved to handle today's problems. This is also a new challenge for all existing teams and maybe a way to evolve into new futures.
Biography:
Klaus-Peter Kossakowski was among the first members of the Virus Test
Center. Since then he has worked in the field of network security. Engaged
with the DFN-CERT since its conception, he started his official work in
January 1993, taking over the responsibility for administration and
organisation.
His special interests are international issues, cooperation and the establishment of an infrastructure for IRTs. He became a co-chair for the IETF WG Guidelines and Recommendations for Incident Processing -- GRIP.
He is currently writing his Ph.D. thesis about Computer Security Incident Handling and its integration into traditional risk management processes.
Abstract:
The ever changing profile of the Internet and its users has resulted in
substantial changes to the way that computer security incidents are being
handled and contracted for. In the beginning there were few formal methods
from which a company or organization could cull the necessary processes,
procedures, and talent to handle an attack on their infrastructure. The
Computer Emergency Response Team / Coordination Center at Carnegie Mellon
University was established to help foster the talent that existed within the
community and to assist in the development of future teams. The Forum of
Incident Response and Security Teams (FIRST) was then formed as a way to
formalize the communications between the growing number of emergency response
teams and the incident response community began to take shape.
However, most of the initial efforts were concentrated in governmental and educational institutions. Recent events have again changed the landscape for how and where a small company will handle an attack against its information processors. The FIRST organization recently incorporated, CERT/CC is reportedly changing its strategic direction, and two international commercial organizations, IBM and SAIC, offering fee-for-service incident response, were recently voted into the membership of FIRST.
This session, with representatives from the incident response community, will seek to address what changes are occurring, why, and what their opinion is of the projected impact on the face of incident response in the future. Invited panelists include:
Panel Members:
Mike Higgins, SAIC SERC, USA (Moderator)
Alan Fedeli, IBM, USA
Rich Pethia, CERT Coordination Center, USA
Steve Branigan, Bellcore, USA
Biographies:
Mike Higgins
Mr. Higgins is a Technical Director and Account Manager in the SAIC Corporate
Development's Center for Information Protection, where he is a technical lead
for information security assessments and marketing for commercial work in the
financial community. The Center's customers in the financial community
include U.S.-based and international banking, credit, and investment
institutions. Mr. Higgins, as one of the Center's Technical Directors, is
responsible for protection of information in client-server and mainframe-based
systems.
Prior to joining SAIC, Mr. Higgins was the Deputy Director for the Center for Information Systems Security for the Defense Information Systems Agency. In this capacity, Mr. Higgins was the senior technical manager of the Center's Information Security Countermeasures Department, responsible for the operational protection of all Department of Defense's unclassified and sensitive but unclassified information. Operationally, Mr. Higgins created the Automated Systems Security Incident Support Team (ASSIST), the largest and most effective computer emergency response team in the world. Mr. Higgins was also the developer of the Vulnerability Analysis and Assistance Program, a program which proactively, using automated tool suites, analyzed information systems for security vulnerabilities. The ASSIST and VAAP have been hailed as programs of merit which are being emulated across the Federal and Commercial infrastructures.
Mr. Higgins, as the senior technical representative for the Department of Defense on matters involving information systems security and incident response, was an often requested speaker at many national and international conferences. Mr. Higgins' presentations on "State of Computer Hacking", "How to Protect the Information Infrastructure", and "Assessing your Computers Security Health" have all received numerous accolades and have now been merged into mandatory training for all new information systems administrators in the Department of Defense.
Mr. Higgins served as a Senior Intelligence Analyst within the Science and Technology Directorate. Specializing in telecommunications and information systems, Mr. Higgins was responsible for coordination and organization of the U.S. Defense and Intelligence communities' response to high technology theft by the then Soviet Union and other prohibited countries. Mr. Higgins' efforts prevented millions of dollars in high technology from illegally being acquired for military use in the Soviet Bloc and in assessing the military capabilities of the Soviet Bloc based upon assessments of their illegal technical acquisitions.
Mr. Higgins also served as a Division Chief for the Countermeasures Division of the Information Security Department of the Information Systems Directorate. In this capacity Mr. Higgins established a vulnerability testing program for all specially compartment information (SCI) systems accredited by the DIA. This vulnerability testing program and the subsequent alert effort developed by the Countermeasures Division were the precursor for the current day ASSIST and VAAP efforts within DoD.
Mr. (then Army Captain) Higgins was a trained and qualified Operations Research Systems Analyst (ORSA) working with the Army's Operational Test and Evaluation Agency's Command, Control, Communications, and Computers (C4) Division. CPT Higgins served as the test director and test technical lead on several operational tests for state-of-the-art telecommunications systems including: Joint Tactical Information Distribution Systems (JTIDS), Army Tactical Command and Control System (ATCCS), and Mobile Subscriber Equipment (MSE). CPT Higgins' expertise in statistical test analysis and spread spectrum and wide band telecommunications technologies was frequently utilized in assisting numerous other efforts within the Army and Air Force.
Alan Fedeli
Alan has been an advanced technology manager in IBM for 20 years. In
addition, he has managed IBM's world wide Computer Emergency Response
Team (CERT) for the past eight years. IBM's CERT handles network
intrusions, virus incidents, and phone fraud, both for IBM and customers.
Recently, Alan has created information security businesses within IBM,
namely IBM AntiVirus Products and Services and IBM's recently announced
Internet Emergency Response Service (ERS). IBM AntiVirus is now coming
into international recognition and acclaim. IBM's Internet Emergency
Response Service is well received by its initial customers, and is
beginning to be recognized as an industry imperative.
Alan holds a BA in English Literature, and recently earned an MBA in Organizational Behavior. He lives in Ringwood, New Jersey with his wife, supporting their two children who attend Syracuse University and Georgetown Law School. Alan has been a member of his local school board, and is now Vice President of his local lake association. The Fedelis are avid skiers.
Rich Pethia
Steve Branigan
Steven Branigan is a Senior Systems Engineer responsible for providing
technical expertise on Internet security matters and providing Internet
security consulting services. Steve's main focus is on studying the current
techniques employed by intruders to access systems connected to the Internet,
and tools that can be used for prevention and detection of these attacks. In
his position, he has become recognized as a leading Internet security expert,
and has been called upon by federal law enforcement agencies as well as the
Regional Bell Operating companies to analyze Internet intrusion evidence.
Steve has provided technical support for active computer crime investigations to Federal law enforcement agencies. Steve has also provided training for Federal law enforcement agencies on the subject of computer intrusions. Steve received his master's degree in Computer Science from Rutgers University and has been with Bellcore for over five years.
Abstract:
An important aspect of securing the National Information Infrastructure
is the elimination of vulnerabilities within internetworked computer systems.
Although operating systems developers have eradicated many of the exploitable flaws in their software, new ones emerge. Security vulnerabilities have been discovered recently in third-party software applications such as mail transfer agents, and FTP and WWW servers, among others. As new utilities continue to penetrate the marketplace, the likelihood that a computer system contains an exploitable defect increases significantly. In addition, improperly configured systems present opportunities for exploitation by malicious software, or "critters" in the analyst's parlance.
This paper recommends that incident response teams, private corporations and academia develop an internal critter analysis capability to better serve both the customer base and global community of users at-large. After justifying the increasing need for analyses, the author presents an approach for developing a baseline capability. Central to attaining this goal is enlisting upper management support. The relative merits of both quantitative (e.g., cost-benefit) and qualitative marketing approaches (e.g., corporate leadership and visibility) are discussed. Finally, interested organizations are encouraged to develop working alliances with similar groups in order to achieve synergistic gains.
Biography:
Mr. Alfano is a senior member of the technical staff on the ASSIST team
at the Defense Information Systems Agency (DISA). He is responsible for
collecting, analyzing and preparing reports on malicious software.
Additionally, his more recent duties include developing DISA program plans
to secure the Defense Information Infrastructure.
Prior to arriving at DISA in 1994, he worked for the U.S. Navy for 14 years. During that time, he performed requirements analyses, systems engineering, software design and security engineering on a wide range of Naval aviation projects. His experience includes software development, aircraft simulation, human factors and artificial intelligence expert systems. His last assignment entailed incorporating multilevel security into a tactical planning system.
Mr. Alfano earned his B.S. degree in Electrical Engineering. His education includes graduate courses in Computer Science. He is currently enrolled in a Master of Science program in Engineering Management at Drexel University. He is a member of the Phi Sigma Tau collegiate honor society.
Abstract:
Since its inception in 1988, the CERT Coordination Center has carried out
work in the analysis of software vulnerabilities. One of the areas that
this work has fed into is the issuing of advisories to the public.
Whilst this work is continuing, both processes (i.e., the Vulnerability Handling Process and the Advisory Process) are evolving as a result of more clearly defined goals. As the goals of each process have become more clearly defined, each activity has become more distinct with a clear communication path between them. In this session, Rob will present an overview of the processes as they currently stand within the CERT Coordination Center.
Biography:
Rob McMillan has been with the CERT Coordination Center since
September 1994. He is a member of the Incident Handling Team, which
focuses on responding to incidents that have been reported to the
Center by providing technical assistance, analysis of log files from
compromised sites, and guidance and/or follow-up with the affected sites
as appropriate. He also facilitates communications among sites, other
response teams, investigators, and vendors to assist these folks in
responding to and recovering from security incidents. He participates
in the discussion, design, testing, evaluation and use of in-house
tools for incident handling. He has also assisted in the definition
and development of internal incident response policies and procedures,
CERT advisories and other technical documents.
Prior to joining the CERT Coordination Center, Rob was a founding member of AUSCERT, the incident response team for Australia. This role was very similar to the one he plays at CERT. Additionally, he built systems from the ground up for that team and developed many of the tools and techniques used by AUSCERT at that time.
Rob has also spent time as a senior system administrator and security programmer for a university in Australia. In that role, he prepared a site security policy, carried out auditing of departmental networks, wrote security oriented applications, maintained systems, contributed to network design projects, acted as the site security contact and oversaw the day-to-day security oriented issues that arose.
Previously Rob has been a network administrator and programmer dealing with various protocols including the IP suite of protocols, and X.25. He has experience in administration and programming on many platforms including PCs, IBM mainframes, VAX/VMS, and various flavors of UNIX.
Rob has prepared various papers for conferences covering subjects such as practical steps in securing a VAX/VMS system, and the development of a site computer security policy.
Abstract:
Along with the rapid growth of the Internet has come an increasing number of
intrusions. What kind of people perpetrate Internet-based break-ins? What
personality characteristics do intruders possess? What motivates intruders
to engage in unauthorized activity? Are intruder personality traits directly
linked to unauthorized behavior? This paper addresses these questions,
presenting findings of case studies and interviews conducted by SRI and
others. These studies indicate that a large proportion of intruders have
several traits in common, including dishonesty, self-aggrandizement, and
social alienation, but that these traits are not strong predictors of actual
unauthorized behavior. The final part of this paper raises the question
whether understanding intruders' traits can help the incident response
community deal with network intrusions more efficiently. Although empirical
evidence is for the most part missing, the paper concludes that knowledge
about intruders' traits can help not only to deter network intrusions, but
also to contain them once they occur.
Biography:
Dr. Eugene Schultz is the Program Manager for SRI Consulting's
International Information Integrity Institute (I-4). An expert in UNIX,
network security, and malicious code, he has testified about intrusions
into U.S. military computers during Operation Desert Storm before a U.S.
Senate. He has also helped numerous agencies and corporations create
information security policies and technical security practices.
Dr. Schultz has co-authored the IIA/EDPAA book, Unix - Its Use, Control, and Audit, the soon to be released John Wiley book, Internet Security for Business, and has published over 60 journal articles. Before joining SRI he was at Lawrence Livermore National Laboratory, where he founded and managed the Department of Energy's Computer Incident Advisory Capability (CIAC). He also held positions at the Jet Propulsion Laboratory (where he received a NASA Technical Innovation Award in 1986), Arca Systems, and the University of North Carolina. Finally, he was the co-recipient of the Best Paper Award at the 1995 National Information Systems Security Conference.
Abstract:
We report the findings of an in-depth study into the provision of secure
electronic mail to the British academic community, a population of around a
million in over a hundred institutions. The community has extremely varied
requirements, resources and skills. Most are not sophisticated in
cryptographic matters and tools must be as simple to use as possible. PGP
was considered to be the only credible cryptographic component because of its
security, popularity and fairly wide availability of packages to integrate it
into mail user agents. Our report concentrated on MUA integration, and on
the reliable, rapid and convenient provision of encryption keys and
guarantees of their authenticity.
Biography:
Paul Leyland works for Oxford University Computing Services as a Unix
administrator with special responsibility for computer and network
security, and is the chairman of OxCERT. He's been active in the PGP
field since 1992 and has run the JANET keyserver for three years. He
maintains the cryptography archive at Oxford, including the master
ftp.pgp.net. He factors integers as a hobby, and was a coordinator of
the global collaboration to break the original RSA challenge. In 1995,
he and three colleagues factored a 384-bit PGP key, showing beyond
question that larger keys are necessary for security.
Abstract:
The Internet is in a rapid state of growth, as new technologies are
introduced into the ever expanding electronic community. This
presentation will be a survey of some of these new technologies, with
an emphasis on their security features and concerns. Some of the new
technologies to be discussed include:
Java - Java has proven to be one of the most controversial technologies on the Internet. It empowers Web browsers with unprecedented capabilities. Of chief concern is how those capabilities are controlled, and what new security measures are to be offered in the future.
Communication Beyond Email - Internet users have begun to look beyond the limitations of electronic mail, to other mediums of communication. Live chat, telephony, and video conferencing are growing in popularity, and will introduce new questions about privacy and security.
Operating Systems - A great deal of the functionality offered through Web browsers, Web servers, and other Internet applications is being integrated into the operating system itself. Java has gained rapid acceptance by a large number of operating system vendors. Web servers are now becoming standard operating system components. Security concerns once specific to UNIX are now applicable to other operating systems, including Windows 95 and Windows NT.
Biography:
John Fisher has been a member of the U.S. Department of Energy's
Computer Incident Response Capability (CIAC), at the Lawrence
Livermore National Laboratory for the last year. He is the author of
Merlin, a user interface for UNIX security tools.
Before his time in CIAC, John worked at the Livermore Lab and at the University of California Davis developing UNIX-based tools for security analysis and real-time network intrusion detections. John received a bachelor's degree from the University of California, Davis, and a master's degree from Santa Clara University.
John served as a technical editor for the book Internet Security Professional Reference. He is currently working on his first book, The Webmaster's Handbook, due this Summer.
Abstract:
This session presents an in-depth look at FIRST's procedures for handling
electronic mail. Topics covered include descriptions of each FIRST mailing
list, the FIRST encryption key management process and procedure, as well as a
list of standard FIRST e-mail distribution restrictions and their appropriate
uses.
It is expected that attendees of this session have a basic understanding of the encryption technologies used within FIRST, as presented in Tutorial B of this workshop.
Biographies:
Kenneth van Wyk
Mr. Van Wyk holds a Bachelor of Science in Mechanical Engineering from Lehigh
University in Bethlehem, PA. He worked for four years in Lehigh's Computing
Center as a Technical Consultant, during which time he founded the
VIRUS-L/comp.virus Internet discussion forum (April 1988), and took graduate
courses in Lehigh's Computer Science Masters program. In 1989, he moved to
Pittsburgh, PA, to be one of the first two full-time members of Carnegie
Mellon University's Computer Emergency Response Team (CERT). From 1989
through 1993, he worked as a Technical Coordinator at CERT, and took several
graduate courses in the Software Engineering Institute's Software Engineering
Masters program.
In March 1993, Mr. Van Wyk moved to Washington, DC, to work for the Defense Information System Agency's Automated Systems Security Incident Support Team (ASSIST), where he was the Chief of the Operations Division, in charge of ASSIST operations through December 1995. ASSIST provides 24 hour per day incident response support to the entire Department of Defense (DoD) community. Mr. Van Wyk's division is also responsible for the execution of Vulnerability Analysis and Assistance Program (VAAP) assessments of DoD sites.
In December 1995, Mr. Van Wyk accepted a position at Science Applications International Corporation (SAIC) in their Center for Information Protection (CIP), where he is a Technical Director, responsible for managing and ensuring the quality of the technical services provided by the CIP. In addition, he serves as the Technical Director of SAIC's Security Emergency Response Center (SERC).
Mr. Van Wyk is also serving a two-year elected position as a member of the Steering Committee for the Forum of Incident Response and Security Teams (FIRST), an international organization of incident response teams that facilitates and promotes technical exchanges of information among its member teams.
Patricia Zechman
Patricia A. Zechman currently serves as a Computer Specialist for the
Automated Systems Security Incident Support Team (ASSIST)/Vulnerability
Analysis Assistance Program (VAAP) Branch (D331) at the Defense Information
Systems Agency (DISA). As one of the team chiefs for the ASSIST, she is
responsible for providing computer emergency response service for Department
of Defense (DoD) customers. The ASSIST team responsibilities include virus
analysis, vulnerability mitigation, technical analysis, and investigative
support. Presently, Ms. Zechman is responsible for establishing a training
program for incident response handling. As the World Wide Web coordinator,
she works closely with the system administration group in the development of
an external World Wide Web site for ASSIST. Ms Zechman is also responsible
for creating and maintaining the Standard Operating Procedures (SOP) for the
ASSIST team. She is responsible for providing security guidance on general
security policy and security aspects of systems architecture, testing, and
evaluation. Currently Ms Zechman is serving as the Forum Incident Response
Support Teams (FIRST) representative for ASSIST. As the FIRST representative,
she coordinates INFOSEC incidents with other incident response teams
worldwide.
In 1985, Ms. Zechman began her professional career as the system administrator for the Department of Engineering and Housing (DEH) in Fulda, Germany. Her responsibilities included performing system administration for the Honeywell DPS6 and the Unisys 5000/80 computer systems. In 1988, Ms. Zechman's career led her to take a new position as a Local Area Network (LAN) Manager with the Provost Marshal at FT Meade, MD, where she was responsible for the development, configuration, and utilization of an Ethernet LAN. The Provost Marshal selected Ms. Zechman as a Novell installer for the Forces Command, where she assisted in the development of the Military Police Information System (MPIS) program and installed the program in Military Police offices throughout the United States. Ms. Zechman later took a job with the 902nd Military Intelligence Command, where she was responsible for determining if counter-intelligence information systems had been compromised. While working for the 902nd, Ms. Zechman became a member of the computer crime unit and became certified as a Computer Crime Investigator. Additionally, she assisted the Counter Intelligence Agents in computer crime investigations and in the processing of evidence collected during investigations.
Ms. Zechman has received numerous letters of appreciation and training during her career. She is presently returning to college to get a degree in Computer Information Systems.
Abstract:
The European part of the Computer Security Incident Response scene has
received some attention in literature during 1995, without any tangible
results in the form of structural coordination or support of new teams
however.
As two of the still relatively few CERTs within Europe, the DFN-CERT and CERT-NL are existentially interested in the development of a suitable and efficient security infrastructure for the rapidly growing European part of the global network. From this point of view a brief overview of the European network situation is given, followed by an outline of the current Incident Response structure and its problems.
In addition, recommendations concerning the future development of Incident Response within Europe are presented, emphasizing the importance of a cooperative approach and the creation of a European center of coordination. The status of the ongoing efforts to achieve these goals is reported.
Biographies:
Don Stikvoort
Born 1961 in Leiden, The Netherlands, Don Stikvoort graduated in
Physics in 1987 at Leiden University in the area of Low Temperature Physics
(pressure measurement in superfluid Helium film environments).
After a 1.5-year management course in the Dutch Army and a 3-month hike in the Austrian Alps, he joined SURFnet, the Dutch academic research network, in 1989. Starting as a network consultant, he moved to the network management department in 1992, where he devoted most of his time until 1995 to the topics of lower-layer technology (X.25, IP, multiplexing and ATM), security (CERT-NL chairman) and Quality-of-Service.
Since mid-1995 he has been working as a manager in the area of communication services, involving development and management of higher-layer services, with an emphasis on e-mail and security, thus also continuing his CERT-NL position.
Within the security area, his main topic of interest, apart from leading CERT-NL, the incident handling team for SURFnet, is national and international coordination of incident handling. Accordingly he is an active member of FIRST and other security bodies and is also co-initiator of ongoing attempts to found a European incident handling coordination core.
Outside his work, Don's main interests, apart from his wife and two daughters, are hiking and Alpinism, biking, ice-skating, good music and philosophy.
Klaus-Peter Kossakowski
Klaus-Peter Kossakowski was among the first members of the Virus Test
Center. Since then he has worked in the field of network security. Engaged
with the DFN-CERT since its conception, he started his official work in
January 1993, taking over the responsibility for administration and
organisation.
His special interests are international issues, cooperation and the establishment of an infrastructure for IRTs. He became a co-chair for the IETF WG Guidelines and Recommendations for Incident Processing -- GRIP.
Currently he is writing his Ph.D. thesis about Computer Security Incident Handling and its integration into traditional risk management processes.
Abstract:
In Korea, the Internet went online in 1989, and the first Internet
intrusions happened in 1991. Since then there have been many security
incidents, and they have been reported in journals and papers as social
problems.
In 1995, we decided to launch an IRT, CERT-Korea, like US CERT and other teams overseas. To do this, we just looked over the documents from foreign CERTs and other IRTs. Without formal policies for this team and without detailed incident handling procedures, it was a very difficult job for us to operate the team properly. After we contacted the other teams, we could recognize the right team policies, organization, constituency model, operational procedures, and internal incident handling tools.
This presentation describes what happened in CERT-Korea in dealing with this situation in 1995 and how we set up the correct IRT model this year.
Finally, the current status of Korean IRTs and cooperation is introduced.
Biography:
Since 1986, Chaeho Lim has been on the technical staff of the Korea Research Environment
Open Network (KREONet), a major Korean Internet network sponsored by the government. His
experience in data communication and computer networks was gained there.
In 1990, he received his master's degree; his study topic was the OSI security architecture and transport layer security protocol. In 1991 he organized a study meeting because there were several security intrusions in Korea.
He became the chair of CERT-Korea and the Korea Internet Security Group in early 1995. He attended the FIRST workshop and visited AUSCERT last year to get advice on CERT-Korea operation.
He finished his Ph.D. course work in the same year.
Abstract:
Katherine will discuss current incident trends and expertise, and
incident statistics that CERT/CC have identified from inception in 1988
to present day. The presentation will conclude with a comparison of the
intruder trends and CERT/CC statistics trends identified and how these
trends highlight the need for continuing revision of incident response
strategies.
Biography:
Katherine Fithen is the Team Leader for the CERT Coordination Center
Strategic Incident Response team. She has been part of the CERT/CC team
for four years. The CERT Coordination Center provides technical
assistance to Internet sites that have computer security issues,
concerns, or have experienced a computer security compromise. Katherine
has earned a Bachelor's degree in Retail Management, a Master's degree
in Personnel Management, and a Master's degree in Information Science.
Abstract:
The Internet Engineering Task Force (IETF) is the standards
body for the Internet. Originally, the standards were focused on protocols.
However, over the past 6 years, it has been recognized that attention is
needed both in the management aspects of the Internet as well as in user
services, and there are many RFCs published on such topics. For
the past year, the GRIP working group of the IETF has been writing a
document that reflects the Internet community's expectation for incident
response teams. This session will focus on what motivated the formation
of this working group, the state of the current draft document, and
user experiences with the document. The purpose is to both share information
with the FIRST community and to solicit participation by members of the
FIRST community.
Biographies:
Klaus-Peter Kossakowski
Klaus-Peter Kossakowski was among the first members of the Virus Test
Center. Since then he has worked in the field of network security. Engaged
with the DFN-CERT since its conception, he started his official work in
January 1993, taking over the responsibility for administration and
organisation.
His special interests are international issues, cooperation and the establishment of an infrastructure for IRTs. He became a co-chair for the IETF WG Guidelines and Recommendations for Incident Processing -- GRIP.
Currently he is writing his Ph.D. thesis about Computer Security Incident Handling and its integration into traditional risk management processes.
Barbara Fraser
Barbara Fraser is a senior member of the technical staff at the Software
Engineering Institute (SEI) located at Carnegie Mellon University. She is
currently working in the Trustworthy Systems Program of the SEI and the
CERT* Coordination Center. Barbara leads the security improvement tools
and techniques activity area. Current efforts are focused on developing
comprehensive security profiling and improvement methodologies.
Barbara has been involved with the CERT Coordination Center since 1990 and is an internationally recognized speaker on the subject of Internet security. She has given many talks and courses on Internet security and security incident response, and she has worked with many organizations to help them understand and address security issues as they relate to the Internet.
Barbara is active in the security area of the Internet Engineering Task Force and was one of the authors of RFC 1281, "Guidelines for the Secure Operation of the Internet." She is currently a member of the Security Area Directorate and chairs two IETF working groups.
* CERT is a service mark of Carnegie Mellon University
Abstract:
An important goal to allow exchange of sensitive information and to
verify the originator of information passed to FIRST teams is to secure
email.
One popular program for authenticating and/or encrypting email is PGP (Pretty Good Privacy), which offers RSA public-key usage. If you don't know what PGP is, or how to use it, then you are invited to join Tutorial B on Sunday morning to learn more about encryption, authentication and key management, including PGP and PEM. The rest of this mail may require some understanding of PGP key management, so it is addressed to people who are already using PGP.
FIRST is using PGP to encrypt sensitive mails on the FIRST mailing lists. A PGP FAQ for FIRST is available from the FIRST www server at https://www.first.org/docs/pgpfaq/
One important part of PGP public key management is the creation of a "web of trust" where users certify the association of a key to a real person. To create or enhance this "web of trust" there is a PGP key signing session scheduled (on Wednesday afternoon). During this session the attendees will present their PGP key and verify the keys of the others. Back at home you are able to create a digital signature on the other key to confirm that you have checked that this key really belongs to the listed person. You are welcome to present your PGP key during this session and benefit from the international forum and the resulting certificates.
To get more information and to register your key for the key signing session contact Wolfgang Ley (ley@cert.dfn.de) *** until Thursday, 18th July ***.
To verify the association between the PGP key and you as a person you need the following items *** at the PGP session at the conference ***
Panel Members:
Harry Onderwater, Dutch NCIS Computer Crime Unit, Netherlands
William A. Perez, FBI, USA
Maurice Massart, RCMP, Canada
Byron Collie, Australian Federal Police, Australia
Maria Christina Ascenzi, Italian State Police, Italy
Keith Helton, United States Secret Service, USA
Last modified: 16 Jul 1996
Current Maintainer of this page: John Fisher / CIAC / fisher23@llnl.gov