Categories
Articles

Incident Response and the Law

At the FIRST conference this week I’ve heard depressingly many incident responders saying “our lawyers won’t let us…”. Since incident response, done right, should actually support the law’s objectives, it seems we need to be smarter, and maybe a bit more assertive, about explaining how incident response and law interact. The laws most relevant to […]

Categories
Articles

Incident Response: Humans and Tools

Following a couple of talks earlier in the FIRST conference that described how economic forces drive security downwards, it was good to hear a final keynote from Bruce Schneier that suggested that economics may actually encourage the development of high-quality incident response services. Incident response is commonly divided into three phases: prevent, detect, respond. Prevent […]

Categories
Articles

Security and the Board

Many of the talks at the FIRST conference consider activities within and between incident response teams, but two talks today considered how CSIRTs and boards can work better together. Pete O’Dell suggested that many company boards either delegate or ignore information security, perhaps considering that it is “just another risk”. He suggested that information security […]

Categories
Articles

An anthropologist learns about incident response

If you’ve been watching movies and TV series, it may come as a surprise that most computer security incident response actually involves a lot of command line interfaces and perl scripts, and rather few graphical interfaces. That was the first disappointment that greeted a team of computer scientists from Honeywell and Kansas State University who […]

Categories
Articles

The Human Side of Information Sharing

There are quite a few talks at the FIRST conference this week about getting computers to automatically receive, process and distribute information about security events. However I was particularly interested in a session on the human issues that need to accompany any such information exchange. Organisations, which ultimately means individuals, need to trust one another […]

Categories
Articles

Measuring “network health”

A panel session at the FIRST conference on comparable security metrics made me wonder why this seems to be so hard. My first visit to another CSIRT, fifteen years ago, was to work out how to compare our Janet CSIRT statistics with those from SURFnet. And yet the tricky question still seems to be working […]

Categories
Articles

Dutch national responsible disclosure guidelines

From personal experience many years ago I know the frustration of discovering a security vulnerability in a website, wanting to warn the site owners, but being unable to find a responsive contact to accept the information. However I also know, from even longer ago, what it’s like to be a sysadmin told by a stranger […]

Categories
Articles

User Interfaces for Federated Login

It’s often said that technical people are bad at designing user interfaces. Ken Klingenstein’s presentation at the TERENA Networking Conference reported (and demonstrated) the results when user interface experts looked at the problem of explaining federated login to users. A striking early finding was that even the interfaces users regularly use to login to services […]

Categories
Articles

Managing Federated Authorisation for Research

Research, and particularly the on-line collaborative research referred to as e-science, creates a new challenge for federated access management systems. In teaching, the authoritative statement whether an individual is entitled to access an on-line resource comes from their home organisation: are they a member of that course? are they covered by that institutional licence? Thus […]

Categories
Articles

Cleaning up after Botnets

One of the challenges in finding an appropriate legal framework for incident response is that for many types of incident you don’t know in advance what information you are likely to receive. Rogier Spoor of SURFnet discussed one of the most common situations – cleaning up after a botnet infection – at the TERENA Networking […]