Posts relating to responding to security incidents, CERTs, CSIRTs and similar acronyms
Recently we had one of our regular reviews of security incidents that have affected the company in the past few months. All three – one social engineering attack, one technical one, and one equipment loss – were minor, in that only limited information or systems were put at risk; all were detected and fixed, to […]
This paper looks at the UK’s Computer Misuse Act 1990 and how it might apply to the practice of vulnerability scanning. Where a scan has been authorised – either specifically or via a network security policy – there should be no problem. But there are some situations where we’d like to scan hosts for which […]
I was invited to give a presentation on legal and ethical issues around information sharing at TERENA’s recent security services workshop. The talk highlighted the paradox that sharing information is essential to protect the privacy of our users when their accounts or computers have been compromised, but that sharing can also harm privacy if it’s […]
At the FIRST conference this week I’ve heard depressingly many incident responders saying “our lawyers won’t let us…”. Since incident response, done right, should actually support the law’s objectives, it seems we need to be smarter, and maybe a bit more assertive, about explaining how incident response and law interact. The laws most relevant to […]
Following a couple of talks earlier in the FIRST conference that described how economic forces drive security downwards, it was good to hear a final keynote from Bruce Schneier that suggested that economics may actually encourage the development of high-quality incident response services. Incident response is commonly divided into three phases: prevent, detect, respond. Prevent […]
Many of the talks at the FIRST conference consider activities within and between incident response teams, but two talks today considered how CSIRTs and boards can work better together. Pete O’Dell suggested that many company boards either delegate or ignore information security, perhaps considering that it is “just another risk”. He suggested that information security […]
If you’ve been watching movies and TV series, it may come as a surprise that most computer security incident response actually involves a lot of command line interfaces and perl scripts, and rather few graphical interfaces. That was the first disappointment that greeted a team of computer scientists from Honeywell and Kansas State University who […]
There are quite a few talks at the FIRST conference this week about getting computers to automatically receive, process and distribute information about security events. However I was particularly interested in a session on the human issues that need to accompany any such information exchange. Organisations, which ultimately means individuals, need to trust one another […]
A panel session at the FIRST conference on comparable security metrics made me wonder why this seems to be so hard. My first visit to another CSIRT, fifteen years ago, was to work out how to compare our Janet CSIRT statistics with those from SURFnet. And yet the tricky question still seems to be working […]
From personal experience many years ago I know the frustration of discovering a security vulnerability in a website, wanting to warn the site owners, but being unable to find a responsive contact to accept the information. However I also know, from even longer ago, what it’s like to be a sysadmin told by a stranger […]