   example to the Internet User's Glossary [RFC 1983].

   Constituency:
      Implicit in the purpose of a Computer Security Incident Response
      Team is the existence of a constituency.  This is the group of
      users, sites, networks or organizations served by the team.  The
      team must be recognized by its constituency in order to be
      effective.

   Security Incident:
      For the purpose of this document, this term is a synonym of
      Computer Security Incident: any adverse event which compromises
      some aspect of computer or network security.

      The definition of an incident may vary between organizations, but
      at least the following categories are generally applicable:

      - Loss of confidentiality of information.
      - Compromise of integrity of information.
      - Denial of service.
      - Misuse of service, systems or information.
      - Damage to systems.

      These are very general categories.  For instance the replacement
      of a system utility program by a Trojan Horse is an example of
      'compromise of integrity,' and a successful password attack is an
      example of 'loss of confidentiality.'  Attacks, even if they
      failed because of proper protection, can be regarded as Incidents.

      Within the definition of an incident the word 'compromised' is
      used.  Sometimes an administrator may only 'suspect' an incident.
      During the response it must be established whether or not an
      incident has really occurred.

   Computer Security Incident Response Team:
      Based on two of the definitions given above, a CSIRT is a team
      that coordinates and supports the response to security incidents
      that involve sites within a defined constituency.

      In order to be considered a CSIRT, a team must:

      - Provide a (secure) channel for receiving reports about
        suspected incidents.

Brownlee & Guttman       Best Current Practice                 [Page 18]

RFC 2350  Expectations for Computer Security Incident Response June 1998

      - Provide assistance to members of its constituency in
        handling these incidents.
      - Disseminate incident-related information to its
        constituency and to other involved parties.

      Note that we are not referring here to police or other law
      enforcement bodies which may investigate computer-related crime.
      CSIRT members, indeed, need not have any powers beyond those of
      ordinary citizens.

   Vendor:
      A 'vendor' is any entity that produces networking or computing
      technology, and is responsible for the technical content of that
      technology.  Examples of 'technology' include hardware (desktop
      computers, routers, switches, etc.), and software (operating
      systems, mail forwarding systems, etc.).

      Note that the supplier of a technology is not necessarily the
      'vendor' of that technology.  As an example, an Internet Service
      Provider (ISP) might supply routers to each of its customers, but
      the 'vendor' is the manufacturer, since the manufacturer, rather
      than the ISP, is the entity responsible for the technical content
      of the router.

   Vulnerability:
      A 'vulnerability' is a characteristic of a piece of technology
      which can be exploited to perpetrate a security incident.  For
      example, if a program unintentionally allowed ordinary users to
      execute arbitrary operating system commands in privileged mode,
      this "feature" would be a vulnerability.

Appendix B: Related Material

   Important issues in responding to security incidents on a site level
   are contained in [RFC 2196], the Site Security Handbook, produced by
   the Site Security Handbook Working Group (SSH).  This document will
   be updated by the SSH working group and will give recommendations for
   local policies and procedures, mainly related to the avoidance of
   security incidents.

   Other documents of interest for the discussion of CSIRTs and their
   tasks are available by anonymous FTP. A collection can be found on:

   - ftp://ftp.cert.dfn.de/pub/docs/csir/
     Please refer to file 01-README for further information about
     the content of this directory.

   Some especially interesting documents in relation to this document
   are as follows:

   - ftp://ftp.nic.surfnet.nl/surfnet/net-security/cert-nl/docs/
     reports/R-92-01
     This report contains the Operational Framework of CERT-NL, the
     CSIRT of SURFnet (network provider in the Netherlands).

   - For readers interested in the operation of FIRST (Forum of
     Incident Response and Security Teams) more information is
     collected in Appendix C.

   - http://hightop.nrl.navy.mil/news/incident.html
     This document leads to the NRL Incident Response Manual.

   - http://www.cert.dfn.de/eng/team/kpk/certbib.html
     This document contains an annotated bibliography of available
     material, documents and files about the operation of CSIRTs
     with links to many of the referenced items.

   - ftp://info.cert.org/incident_reporting_form
     This Incident Reporting Form is provided by the CERT
     Coordination Center to gather incident information and to avoid
     additional delays caused by the need to request more detailed
     information from the reporting site.

   - http://www.cert.org/cert.faqintro.html
     A collection of frequently asked questions from the CERT
     Coordination Center.

Appendix C: Known Computer Security Incident Response Teams

   Today, there are many different CSIRTs but no single source lists
   every team. Most of the major and long established teams (the first
   CSIRT was founded in 1988) are nowadays members of FIRST, the
   worldwide Forum of Incident Response and Security Teams.  At the time
   of writing, more than 55 teams are members (1 in Australia, 13 in
   Europe, all others in North America).  Information about FIRST can be
   found:

   - http://www.first.org/

   The current list of members is available also, with the relevant
   contact information and some additional information provided by the
   particular teams:

   - http://www.first.org/team-info/

   For CSIRTs which want to become members of this forum (please note
   that a team needs a sponsor - a team which is already a full member
   of FIRST - to be introduced), the following files contain more
   information:

   - http://www.first.org/about/op_frame.html
     The Operational Framework of FIRST.

   - http://www.first.org/docs/newmem.html
     Guidelines for teams which want to become members of FIRST.

   Many of the European teams, regardless of whether they are members
   of FIRST or not, are listed by countries on a page maintained by
   the German CSIRT:

   - http://www.cert.dfn.de/eng/csir/europe/certs.html

   To learn about existing teams suitable to one's needs it is
   often helpful to ask either known teams or an Internet Service
   Provider for the "right" contact.

Appendix D: Outline for CSIRT Template

   This outline summarizes in point form the issues addressed in this
   document, and is the recommended template for a CSIRT description
   document.  Its structure is designed to facilitate the communication
   of a CSIRT's policies, procedures, and other relevant information to
   its constituency and to outside organizations such as other CSIRTs. A
   'filled-in' example of this template is given as Appendix E.

      1.   Document Information
      1.1  Date of Last Update
      1.2  Distribution List for Notifications
      1.3  Locations where this Document May Be Found

      2.   Contact Information
      2.1  Name of the Team
      2.2  Address
      2.3  Time Zone
      2.4  Telephone Number
      2.5  Facsimile Number
      2.6  Other Telecommunication
      2.7  Electronic Mail Address
      2.8  Public Keys and Encryption Information
      2.9  Team Members
      2.10 Other Information
      2.11 Points of Customer Contact

      3.   Charter
      3.1  Mission Statement
      3.2  Constituency
      3.3  Sponsorship and/or Affiliation
      3.4  Authority

      4.   Policies
      4.1  Types of Incidents and Level of Support
      4.2  Co-operation, Interaction and Disclosure of Information
      4.3  Communication and Authentication

      5.   Services
      5.1  Incident Response
           5.1.1. Incident Triage
           5.1.2. Incident Coordination
           5.1.3. Incident Resolution
      5.2  Proactive Activities

      6.   Incident Reporting Forms

      7.   Disclaimers

Appendix E: Example - 'filled-in' Template for a CSIRT

   Below is an example of a filled-in template for a fictitious CSIRT
   called XYZ-CSIRT.  This text is for example purposes only, and does
   not constitute endorsement by the working group or the IETF of any
   particular set of procedures or policies.  While CSIRTs are welcome
   to use any or all of this text if they wish, such use is of course
   not mandatory, or even appropriate in most cases.

CSIRT Description for XYZ-CERT
------------------------------

   1. About this document

   1.1 Date of Last Update

        This is version 1.01, published 1997/03/31.

   1.2 Distribution List for Notifications

        Notifications of updates are submitted to our mailing list
        <xyz-cert-info@xyz-univ.ca>.  Subscription requests for this
        list should be sent to the Majordomo at
        <xyz-cert-info-request@xyz-univ.ca>; the body of the message
        should consist of the word "subscribe".  Send the word "help"
        instead if you don't know how to use a Majordomo list manager.
        This mailing list is moderated.

   1.3 Locations where this Document May Be Found

        The current version of this CSIRT description document is
        available from the XYZ-CERT WWW site; its URL is
          http://www.xyz-univ.ca/xyz-cert/english/CSIRT-descr.txt
        Une version francaise de ce document est egalement disponible:
          http://www.xyz-univ.ca/xyz-cert/francais/CSIRT-descr.txt
        Please make sure you are using the latest version.

   1.4 Authenticating this Document

        Both the English and French versions of this document have
        been signed with the XYZ-CERT's PGP key.  The signatures are
        also on our Web site, under:
          http://www.xyz-univ.ca/xyz-cert/english/CSIRT-descr.asc
          http://www.xyz-univ.ca/xyz-cert/francais/CSIRT-descr.asc
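
An added example, not part of RFC 2350: a small Python check that compares the numbered headings of a CSIRT description document with the Appendix D outline. The function names and the heading pattern are assumptions of this example, and the sample input is constructed from the Appendix E excerpt on this page.

```python
import re

# Section numbers of the Appendix D outline, transcribed from the page.
TEMPLATE = """1 1.1 1.2 1.3
2 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11
3 3.1 3.2 3.3 3.4
4 4.1 4.2 4.3
5 5.1 5.1.1 5.1.2 5.1.3 5.2
6 7""".split()

# Assumed heading shape: an indented dotted number, an optional trailing dot,
# then a capitalised title, e.g. "   1.2 Distribution List" or "5.1.1. Incident Triage".
HEADING = re.compile(r"^\s{0,10}(\d+(?:\.\d+)*)\.?\s+([A-Z].*\S)\s*$")

def headings(text):
    """Return {section number: title} for every heading line in text."""
    found = {}
    for line in text.splitlines():
        m = HEADING.match(line)
        if m:
            found.setdefault(m.group(1), m.group(2))
    return found

def check(text):
    """Return (missing, extra) section numbers relative to the outline."""
    have = headings(text)
    missing = [n for n in TEMPLATE if n not in have]
    extra = [n for n in have if n not in TEMPLATE]
    return missing, extra

# Constructed sample: the part of Appendix E quoted on this page, shortened.
SAMPLE = """\
   1. About this document
   1.1 Date of Last Update
        This is version 1.01, published 1997/03/31.
   1.2 Distribution List for Notifications
        Notifications of updates are submitted to our mailing list
   1.3 Locations where this Document May Be Found
   1.4 Authenticating this Document
        Both the English and French versions of this document have
"""

if __name__ == "__main__":
    missing, extra = check(SAMPLE)
    print("missing:", ", ".join(missing))
    print("extra:  ", ", ".join(extra))
```

Matching is by section number rather than title because Appendix E titles section 1 "About this document" where the outline says "Document Information", and it adds a section 1.4 that the outline does not list.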
