Tutorial A
Incident Handling - Experience through Role-playing

This tutorial is designed to provide practical experience to attendees in the day-to-day operation of an Incident Response Team (IRT). It is based upon real-world experience from two sides of the world, Australia and the United States, with the core of the material based upon lessons learned over more than a decade of combined incident handling experience. Included in the material will be information on what works and what doesn't, with reasons explaining why.

The tutorial is divided into two main sessions: morning and afternoon. The morning session will concentrate on the interaction between the IRT and the local constituency. It will examine incident resolution, urgency prioritisation, resource allocation, and information release. The afternoon session will concentrate on the interaction between the IRT and the international community. It will examine the resolution of a major global incident covering time zone differences, language and culture differences, and global coordination.

Each session will be conducted as a practical exercise where attendees will have the opportunity to contribute to the solution of the particular problem at hand. Time will be allocated to form groups and discuss possible solutions and why some solutions are better than others.

Attendees can be assured that the day will be filled with mystery, frustration, and the "unexpected", in much the same way that real incident handling situations occur. Attendees will participate directly in various incidents, and will play a large part in the resolution of each incident.

Presenters: Danny Smith (AUSCERT) and Moira West-Brown (CERT Coordination Center)

About the Presenters:

Danny Smith:
Danny is the Operational Manager of the Australian Computer Emergency Response Team. He has over 10 years' experience in computer security and incident response. He has presented a number of practical exercises in computer security and several sessions designed to assist new Incident Response Teams.

Moira West-Brown:
Moira has been a member of the CERT Coordination Center for over five years and has been involved in incident response throughout that time. Until recently she managed the Incident Response group and is currently leading a project to encourage the formation of new incident response groups, with the goal of fostering the development of a self-supporting Internet incident response infrastructure. Moira has trained many staff in the field of incident handling and has assisted in the formation of a number of incident response teams around the world.

Tutorial B
What Incident Response Teams Should Know About Encryption and Authentication, Including PGP, PEM, and Key Management

Presenters: Peter Hammes (SAIC SERC), Kenneth van Wyk (SAIC SERC), and Patricia Zechman (DoD ASSIST)

About the Presenters:

Peter Hammes:
Mr. Hammes began working for the Defense Intelligence Agency (DIA) in May of 1991, after receiving a Bachelor of Science degree in Computer Science from the University of Wisconsin - LaCrosse. His initial assignment at DIA was with the Computer Systems Security Accreditation Branch. Duties included review of system security plans and testing procedures, supervising the actual test process, preparing reports on the various procedures and findings, and providing other support as necessary for systems involved in the security accreditation process. A year later, Mr. Hammes accepted a transfer to the Computer Security Countermeasures Branch and was involved in the developmental phases of the Automated Systems Security Incident Support Team (ASSIST) program for DIA. While working for ASSIST, Mr. Hammes participated in performing vulnerability analysis, providing security response to DoD elements, and writing and editing ASSIST bulletins, which are distributed to the DoD worldwide community.

The ASSIST program evolved from a DIA asset into a Department of Defense (DoD) asset, and Mr. Hammes transferred to the Defense Information Systems Agency (DISA) with the program in September of 1992. The ASSIST program was expanded to 24-hour operations in 1994, and Mr. Hammes was selected to be an ASSIST Response Center (ARC) team leader. In addition to the ASSIST duties described above, team leader responsibilities included supervising ARC operations during shifts assigned to his team, and scheduling and supervising team members. Mr. Hammes also set up and administered an ASSIST BBS and Milnet FTP system as information resources for DoD.

Mr. Hammes accepted a Senior Information Security Engineer position with the SAIC Security Emergency Response Center in February 1996, and provides security incident response and other information security services to SERC clients.

Kenneth van Wyk:
Mr. Van Wyk holds a Bachelor of Science in Mechanical Engineering from Lehigh University in Bethlehem, PA. He worked for four years in Lehigh's Computing Center as a Technical Consultant, during which time he founded the VIRUS-L/comp.virus Internet discussion forum (April 1988), and took graduate courses in Lehigh's Computer Science Master's program. In 1989, he moved to Pittsburgh, PA, to be one of the first two full-time members of Carnegie Mellon University's Computer Emergency Response Team (CERT). From 1989 through 1993, he worked as a Technical Coordinator at CERT, and took several graduate courses in the Software Engineering Institute's Software Engineering Master's program.

In March 1993, Mr. Van Wyk moved to Washington, DC, to work for the Defense Information Systems Agency's Automated Systems Security Incident Support Team (ASSIST), where he was Chief of the Operations Division, in charge of ASSIST operations through December 1995. ASSIST provides 24-hour-per-day incident response support to the entire Department of Defense (DoD) community. Mr. Van Wyk's division was also responsible for the execution of Vulnerability Analysis and Assistance Program (VAAP) assessments of DoD sites.

In December 1995, Mr. Van Wyk accepted a position at Science Applications International Corporation (SAIC) in their Center for Information Protection (CIP), where he is a Technical Director, responsible for managing and ensuring the quality of the technical services provided by the CIP. In addition, he serves as the Technical Director of SAIC's Security Emergency Response Center (SERC).

Mr. Van Wyk is also serving a two-year elected position as a member of the Steering Committee for the Forum of Incident Response and Security Teams (FIRST), an international organization of incident response teams that facilitates and promotes technical exchanges of information among its member teams.

Patricia Zechman:
Patricia A. Zechman currently serves as a Computer Specialist for the Automated Systems Security Incident Support Team (ASSIST)/Vulnerability Analysis Assistance Program (VAAP) Branch (D331) at the Defense Information Systems Agency (DISA). As one of the team chiefs for the ASSIST, she is responsible for providing computer emergency response service for Department of Defense (DoD) customers. The ASSIST team responsibilities include virus analysis, vulnerability mitigation, technical analysis, and investigative support. Presently, Ms. Zechman is responsible for establishing a training program for incident response handling. As the World Wide Web coordinator, she works closely with the system administration group in the development of an external World Wide Web site for ASSIST. Ms. Zechman is also responsible for creating and maintaining the Standard Operating Procedures (SOP) for the ASSIST team. She is responsible for providing security guidance on general security policy and security aspects of systems architecture, testing, and evaluation. Currently Ms. Zechman is serving as the Forum of Incident Response and Security Teams (FIRST) representative for ASSIST. As the FIRST representative, she coordinates INFOSEC incidents with other incident response teams worldwide.

In 1985, Ms. Zechman began her professional career as the system administrator for the Department of Engineering and Housing (DEH) in Fulda, Germany. Her responsibilities included performing system administration for the Honeywell DPS6 and the Unisys 5000/80 computer systems. In 1988, Ms. Zechman's career led her to take a new position as a Local Area Network (LAN) Manager with the Provost Marshal at Ft. Meade, MD, where she was responsible for the development, configuration, and utilization of an Ethernet LAN. The Provost Marshal selected Ms. Zechman as a Novell installer for the Forces Command, where she assisted in the development of the Military Police Information System (MPIS) program and installed the program in Military Police offices throughout the United States. Ms. Zechman later took a job with the 902nd Military Intelligence Command, where she was responsible for determining if counter-intelligence information systems had been compromised. While working for the 902nd, Ms. Zechman became a member of the computer crime unit and became certified as a Computer Crime Investigator. Additionally, she assisted the Counter Intelligence Agents in computer crime investigations and in the processing of evidence collected during investigations.

Ms. Zechman has received numerous letters of appreciation and training during her career. She is presently returning to college to get a degree in Computer Information Systems.

Tutorial C
Building an Incident Response Team (IRT)

Presenter: Sandy Sparks (CIAC)

About the Presenter:

Sandra L. Sparks:
Ms. Sandra L. Sparks has worked in the computing industry for 15 years as an employee at Lawrence Livermore National Laboratory (LLNL). As a computer scientist at LLNL, she has experience in databases, end-user systems, training and consulting. She is currently manager of the DOE's computer security incident response team, CIAC. This team, established in 1989, provides incident handling, vulnerability assessments, plus awareness, education, and training for the entire DOE/DOE contractor complex.

She has eight years of experience in the computer security field, including oversight for the security of the primary business information systems at LLNL. She also managed the Administrative Information Systems Information Center (IC), served as Deputy Manager of the Office Technology Support Center responsible for delivering computer support for desktop systems, and was LLNL's PC Technical Coordinator.

Prior to joining LLNL in 1980, Ms. Sparks was an Assistant Professor of Mathematics at Gallaudet University for 9 years. She holds a Master's degree in Mathematics from Virginia Polytechnic Institute and State University.

Last modified: 31 May 1996