📄 rfc2350.txt

Brownlee & Guttman       Best Current Practice                 [Page 23]

RFC 2350  Expectations for Computer Security Incident Response June 1998

   2. Contact Information

   2.1 Name of the Team

        "XYZ-CERT": the XYZ University Computer Emergency Response
        Team.

   2.2 Address

        XYZ-CERT
        XYZ University, Computing Services Department
        12345 Rue Principale
        UniversityTown, Quebec
        Canada H0H 0H0

   2.3 Time Zone

        Canada/Eastern (GMT-0500, and GMT-0400 from April to October)

   2.4 Telephone Number

        +1 234 567 7890  (ask for the XYZ-CERT)

   2.5 Facsimile Number

        +1 234 567 7899  (this is *not* a secure fax)

   2.6 Other Telecommunication

        None available.

   2.7 Electronic Mail Address

        <xyz-cert@xyz-univ.ca>  This is a mail alias that relays mail
        to the human(s) on duty for the XYZ-CERT.

   2.8 Public Keys and Other Encryption Information

        The XYZ-CERT has a PGP key, whose KeyID is 12345678 and
        whose fingerprint is

          11 22 33 44 55 66 77 88  88 77 66 55 44 33 22 11.

        The key and its signatures can be found at the usual large
        public keyservers.

        Because PGP is still a relatively new technology at XYZ
        University, this key still has relatively few signatures;
        efforts are underway to increase the number of links to this
        key in the PGP "web of trust".  In the meantime, since most
        fellow universities in Quebec have at least one staff member
        who knows the XYZ-CERT coordinator Zoe Doe, Zoe Doe has
        signed the XYZ-CERT key, and will be happy to confirm its
        fingerprint and that of her own key to those people who know
        her, by telephone or in person.

   2.9 Team Members

        Zoe Doe of Computing Services is the XYZ-CERT coordinator.
        Backup coordinators and other team members, along with their
        areas of expertise and contact information, are listed in the
        XYZ-CERT web pages, at

          http://www.xyz-univ.ca/xyz-cert/teamlist.html

        Management, liaison and supervision are provided by Steve Tree,
        Assistant Director (Technical Services), Computing Services.

   2.10 Other Information

        General information about the XYZ-CERT, as well as links to
        various recommended security resources, can be found at

          http://www.xyz-univ.ca/xyz-cert/index.html

   2.11 Points of Customer Contact

        The preferred method for contacting the XYZ-CERT is via
        e-mail at <xyz-cert@xyz-univ.ca>; e-mail sent to this address
        will "biff" the responsible human, or be automatically
        forwarded to the appropriate backup person, immediately.  If
        you require urgent assistance, put "urgent" in your subject
        line.

        If it is not possible (or not advisable for security reasons)
        to use e-mail, the XYZ-CERT can be reached by telephone during
        regular office hours.  Telephone messages are checked less
        often than e-mail.

        The XYZ-CERT's hours of operation are generally restricted to
        regular business hours (09:00-17:00 Monday to Friday except
        holidays).

        If possible, when submitting your report, use the form
        mentioned in section 6.

   3. Charter

   3.1 Mission Statement

        The purpose of the XYZ-CERT is, first, to assist members of XYZ
        University community in implementing proactive measures to
        reduce the risks of computer security incidents, and second, to
        assist XYZ community in responding to such incidents when they
        occur.

   3.2 Constituency

        The XYZ-CERT's constituency is the XYZ University community,
        as defined in the context of the "XYZ University Policy on
        Computing Facilities".  This policy is available at

          http://www-compserv.xyz-univ.ca/policies/pcf.html

        However, please note that, notwithstanding the above, XYZ-CERT
        services will be provided for on-site systems only.

   3.3 Sponsorship and/or Affiliation

        The XYZ-CERT is sponsored by the ACME Canadian Research
        Network.  It maintains affiliations with various University
        CSIRTs throughout Canada and the USA on an as needed basis.

   3.4 Authority

        The XYZ-CERT operates under the auspices of, and with authority
        delegated by, the Department of Computing Services of XYZ
        University.  For further information on the mandate and
        authority of the Department of Computing Services, please
        refer to the XYZ University "Policy on Computing Facilities",
        available at

          http://www-compserv.xyz-univ.ca/policies/pcf.html

        The XYZ-CERT expects to work cooperatively with system
        administrators and users at XYZ University, and, insofar as
        possible, to avoid authoritarian relationships.  However,
        should circumstances warrant it, the XYZ-CERT will appeal to
        Computing Services to exert its authority, direct or indirect,
        as necessary.  All members of the XYZ-CERT are members of the
        CCSA (Committee of Computer Systems Administrators), and have
        all of the powers and responsibilities assigned to Systems
        Administrators by the Policy on Computing Facilities, or are
        members of University management.

        Members of the XYZ University community who wish to appeal the
        actions of the XYZ-CERT should contact the Assistant Director
        (Technical Services), Computing Services.  If this recourse is
        not satisfactory, the matter may be referred to the Director
        of Computing Services (in the case of perceived
        problems with existing policy), or to the XYZ University
        Office of Rights and Responsibilities (in the case of perceived
        errors in the application of existing policy).

   4. Policies

   4.1 Types of Incidents and Level of Support

        The XYZ-CERT is authorized to address all types of computer
        security incidents which occur, or threaten to occur, at
        XYZ University.

        The level of support given by XYZ-CERT will vary depending on
        the type and severity of the incident or issue, the type of
        constituent, the size of the user community affected, and the
        XYZ-CERT's resources at the time, though in all cases some
        response will be made within one working day.  Resources will
        be assigned according to the following priorities, listed in
        decreasing order:

          - Threats to the physical safety of human beings.
          - Root or system-level attacks on any Management Information
            System, or any part of the backbone network infrastructure.
          - Root or system-level attacks on any large public service
            machine, either multi-user or dedicated-purpose.
          - Compromise of restricted confidential service accounts or
            software installations, in particular those used for MIS
            applications containing confidential data, or those used
            for system administration.
          - Denial of service attacks on any of the above three items.
          - Any of the above at other sites, originating from XYZ
            University.
          - Large-scale attacks of any kind, e.g. sniffing attacks,
            IRC "social engineering" attacks, password cracking
            attacks.
          - Threats, harassment, and other criminal offenses
            involving individual user accounts.
          - Compromise of individual user accounts on multi-user
            systems.
          - Compromise of desktop systems.
          - Forgery and misrepresentation, and other security-related
            violations of local rules and regulations, e.g. netnews
            and e-mail forgery, unauthorized use of IRC bots.
          - Denial of service on individual user accounts, e.g.
            mailbombing.

        Types of incidents other than those mentioned above will be
        prioritized according to their apparent severity and extent.

        Note that no direct support will be given to end users; they
        are expected to contact their system administrator, network
        administrator, or department head for assistance.  The XYZ-CERT
        will support the latter people.

        While the XYZ-CERT understands that there exists great
        variation in the level of system administrator expertise at XYZ
        University, and while the XYZ-CERT will endeavor to present
        information and assistance at a level appropriate to each
        person, the XYZ-CERT cannot train system administrators on the
        fly, and it cannot perform system maintenance on their behalf.
        In most cases, the XYZ-CERT will provide pointers to the
        information needed to implement appropriate measures.

        The XYZ-CERT is committed to keeping the XYZ University system
        administration community informed of potential vulnerabilities,
        and where possible, will inform this community of such
        vulnerabilities before they are actively exploited.

   4.2 Co-operation, Interaction and Disclosure of Information

        While there are legal and ethical restrictions on the flow of
        information from XYZ-CERT, many of which are also outlined in
        the XYZ University Policy on Computing Facilities, and all of
        which will be respected, the XYZ-CERT acknowledges its
        indebtedness to, and declares its intention to contribute to,
        the spirit of cooperation that created the Internet.
        Therefore, while appropriate measures will be taken to protect
        the identity of members of our constituency and members of
        neighbouring sites where necessary, the XYZ-CERT will otherwise
        share information freely when this will assist others in
        resolving or preventing security incidents.

        In the paragraphs below, "affected parties" refers to the
        legitimate owners, operators, and users of the relevant
        computing facilities.  It does not refer to unauthorized
        users, including otherwise authorized users making
        unauthorized use of a facility; such intruders may have no
        expectation of confidentiality from the XYZ-CERT.  They may or
        may not have legal rights to confidentiality; such rights will
        of course be respected where they exist.

        Information being considered for release will be classified as
        follows:

          - Private user information is information about particular
            users, or in some cases, particular applications, which
            must be considered confidential for legal, contractual,
            and/or ethical reasons.

            Private user information will not be released in
            identifiable form outside the XYZ-CERT, except as provided
            for below.  If the identity of the user is disguised, then
            the information can be released freely (for example to show
            a sample .cshrc file as modified by an intruder, or to
            demonstrate a particular social engineering attack).

          - Intruder information is similar to private user
            information, but concerns intruders.

            While intruder information, and in particular identifying
            information, will not be released to the public (unless it
            becomes a matter of public record, for example because
            criminal charges have been laid), it will be exchanged
            freely with system administrators and CSIRTs tracking an
            incident.

          - Private site information is technical information about
            particular systems or sites.

            It will not be released without the
