FIRST Best Practice Guide Library (BPGL)

Existing Guides

• Acceptable Use Policy Template

  Gavin Reid (Cisco Systems), Devin Hilldale (Cisco Systems)

  This document is an Acceptable Use Policy that can be used as template for organizations that are creating one. The purpose of this policy is to establish acceptable and unacceptable use of electronic devices and network resources in conjunction with its established culture of ethical and lawful behavior, openness, trust, and integrity.

  aup_generic.doc
  Format: application/msword
  Last updated: November 03, 2006
  Size: 101 Kb

• Building a SOC: start small

  National Cyber Security Centre of The Netherlands (NCSC-NL)

  A Security Operations Centre (SOC) is an effective facility for monitoring business information security and digital threats. Establishing such a centre, however, requires investment of time, effort and resources. In order for a SOC to function successfully, it must keep pace in a controlled manner with the organisation’s need for visibility and control of information security. Start small, share results with the organisation and build on a positive reception to these results to realise the next stepin the development process. Ensure the planning, roadmap and implementation of a future SOC are realistic. Keep in mind that a SOC is a means and not an end in itself.

  Factsheet_Building_a_SOC_start_small.pdf
  Format: application/pdf
  Last Updated: November 15, 2017
  Size: 974 Kb

• CERT-in-a-box

  NCSC-NL (National Cyber Security Centre of The Netherlands)

  The project 'CERT-in-a-Box' and 'Alerting service-in-a-Box' is an initiative of GOVCERT.NL/NCSC to preserve the lessons learned from setting up GOVCERT.NL and 'De Waarschuwingsdienst', the Dutch national Alerting service.

  The project aim is to help others starting a CSIRT or Alerting Service by:

  • Getting them up to speed faster
  • Taking the benefits and not making the same mistakes

  cert-in-a-box.zip
  Format: application/zip
  Size: 8.42 Mb

• CSIRT Case Classification (Example for enterprise CSIRT)

  Gavin Reid (Cisco Systems), Dustin Schieber, Ivo Peixinho (CAIS/RNP)

  It is critical that the CSIRT provide consistent and timely response to the customer, and that sensitive information is handled properly. This document provides the guidelines needed for CSIRT Incident Managers (IM) to classify the case category, criticality level, and sensitivity level for each CSIRT case. This information will be entered into the Incident Tracking System (ITS) when a case is created. Consistent case classification is required for the CSIRT to provide accurate reporting to management on a regular basis. In addition, the classifications will provide CSIRT IM's with proper case handling procedures and will form the basis of SLA's between the CSIRT and other Company departments.

  csirt_case_classification.html
  Format: text/html
  Last updated: November 17, 2004

• CSIRT Setting up Guide

  European Network and Information Security Agency (Enisa)

  The document at hand describes the process of setting up a Computer Security and Incident Response Team (CSIRT) from all relevant perspectives like business management, process management and technical perspective. This document implements two of the deliverables described in ENISAs Working Programme 2006, chapter 5.1:

  This document: Written report on step-by-step approach on how to set up a CERT or similar facilities, including examples. (CERT-D1) Chapter 12 and external files: Excerpt of roadmap in itemised form allowing an easy application of the roadmap in practice. (CERT-D2)

  CSIRT_setting_up_guide_ENISA.pdf
  Format: application/pdf
  Last Updated: December 22, 2006

• CVSS based patch policy for enterprise (example)

  Cisco Systems Inc.

  cvss-based-patch-policy.pdf
  Format: application/pdf
  Size: 13 Kb

• Checking UNIX/LINUX Systems for Signs of Compromise

  Oxford University, University College London

  Patrick Green (OxCERT), Simon Baker (UCL Computer Security Team)

  One of the main aims of this document is to address the lack of documentation concerning concrete actions to be taken when dealing with a compromised *nix system. The document will try to be as generic as possible, so you may find tools for specific platforms are better suited.

  A secondary goal is an explanation of methods of examining this information via tools. Utilizing these tools we can then:

  • investigate the system;
  • find the points of entry and type of compromise;
  • identify areas for further investigation and issues for attention.

  Checking-UNIX_LINUX-Systems-for-Signs-of-Compromise.pdf
  Format: application/pdf
  Last Updated: May 18th, 2005

• Establishing a Certification Authority (CA)

  Martijn van der Heide (ThaiCERT)

  This handbook has been developed to provide an overview of how to establish a Certification Authority. The content is based on public information and not solely the view of the NRCA and ETDA. It is a guideline and may be updated from time to time.

  Establishing-a-Certification-Authority-CA.pdf
  Format: application/pdf
  Last updated: September 2023
  Size: 1338 Kb

• Establishing a CSIRT

  Martijn van der Heide (ThaiCERT)

  This handbook describes the entire process from start to finish how to establish a CSIRT team and how to improve the team as time goes by.

  Establishing-CSIRT-v1.2.pdf
  Format: application/pdf
  Last updated: November, 2017
  Size: 756 Kb

  Spanish version

• Secure BGP Template

  Cymru Team

  Rob Thomas

  A secure BGP configuration template for use with Cisco routers

  http://www.cymru.com/Documents/secure-bgp-template.html
  Format: text/html
  Last updated: August, 2004

• Secure BIND Template

  Cymru Team

  Rob Thomas

  A secure BIND configuration and topology to help defend against BIND attacks

  http://www.cymru.com/Documents/secure-bind-template.html
  Format: text/html
  Last updated: August, 2004

• Secure IOS Configuration Template

  Cymru Team

  Rob Thomas

  A secure IOS configuration template for use with Cisco routers.

  http://www.cymru.com/Documents/secure-ios-template.html
  Format: text/html
  Last updated: August, 2004

Archived Guides

• Guide to Tunneling Windows NT VNC traffic with SSH2

  Gavin Reid (Cisco Systems)

  VNC is a GUI remote access program that allows full console access. It has clients and servers covering many different architectures. VNC alone has some inherent security issues. All communication is in plain text and the authentication scheme is very weak. However, by tunneling VNC over SSH we will fix both of these problems. SSH will encrypt all information over the wire and use NT's authentication which is much stronger than VNC's. The following document outlines the steps required to do this

  vnc_ssh.zip
  Format: application/zip
  Last updated: December, 2001
  Size: 1.09 Mb

  Note: It is important to follow the steps exactly, as leaving out one part can have you incorrectly using straight VNC with all of its accompanying security risks.

• IIS and NTS 4.0 Hardening Guide

  Gavin Reid (Cisco Systems)

  This document aims to provide minimum security requirements to system administrators to install, setup, configure and harden a Windows NT server running a IIS server. It is applicable ONLY to NTS 4.0 running IIS 4.0. If any other application is running on the server to support its function (e.g., Cold Fusion), then that application must also be secured. Registry edit instructions are also found, as well as special hardening instructions for Securing Permissions, Firewall Access Control Lists, and SSHD.

  nt40.zip
  Format: application/zip
  Last updated: July, 2001
  Size: 1.08 Mb

  Note: This hardening procedure should NOT be used on general-purpose NT servers on an internal LAN (e.g., file servers), as it removes several of the services that NT uses for default functionality. The steps in this guide should be performed on new installations only to avoid unpredictable results

• SSH Public Key Configuration Windows NT/2000/XP Guide

  Gavin Reid (Cisco Systems)

  This document outlines how to configure the SSH cleient & daemon for NT/W2K/XP to accept public key authentication. This was done on server version SSHServerSetup312.exe. This document uses version 3.2 of the client and server software from SSH.COM.

  pki_ssh_w2k.zip
  Format: application/zip
  Last updated: August, 2002
  Size: 646 Kb

• Windows 2000 / IIS 5.0 DMZ Hardening Guide

  Gavin Reid (Cisco Systems), Jay Ward

  This guide was written to help System Administrators and Security personnel secure their IIS 5.0 servers running on Windows 2000.

  w2k.zip
  Format: application/zip
  Last updated: October 08, 2004
  Size: 1.47 Mb

  Note: This guide was written for servers sitting in a DMZ only. You should not apply this guide to Domain Controllers, File Servers, Exchange Servers or any other server in your internal network as it WILL break it.

• Windows 2003 / IIS 6.0 DMZ Hardening Guidelines

  Jay Ward

  This document aims to provide minimum security requirements to system administrators and users in order to harden a Windows 2003 system running IIS 6.0 for DMZ deployment.

  w2k3.zip
  Format: application/zip
  Last updated: October 15, 2004
  Size: 1.37 Mb

  Note: This document is applicable ONLY to Microsoft Server 2003 running IIS 6.0. If any other application is running on the server to support its function (e.g., Cold Fusion), then that application must also be secured. The steps in this guide should be performed on new installations only to avoid unpredictable results. This hardening procedure should NOT be used on general-purpose NT servers on an internal LAN (e.g., file servers), as it removes several of the services that NT uses for default functionality.

Acknowledgements

FIRST gratefully acknowledges the moderators of the "best practices" page, Ian Cook & Gavin Reid, and all authors and maintainers involved.