FedCIRC Quarterly Summary Report

Reporting period: October - December, 1996
January 1997

What is FedCIRC?

The Federal Computer Incident Response Capability (FedCIRC) is an initiative undertaken by the National Institute of Standards and Technology (NIST), the Department of Energy's Computer Incident Advisory Capability (CIAC), and the Carnegie Mellon, Software Engineering Institute's CERT Coordination Center (CERT/CC). These established computer security organizations have banded together to offer the Federal civilian community assistance and guidance in handling computer security related incidents. (A computer security incident is "an adverse event in a computer system or network caused by a failure of a security mechanism, or an attempted or threatened breach of these mechanisms." Ref: Eugene Schultz, David Brown, and Tom Longstaff; Responding to Computer Security Incidents: Guidelines for Incident Handling, July 23, 1990.)

The FedCIRC hotline (412-268-6321) is currently available at no cost to the federal community; however, the window of opportunity for free service will be open only a short while. To continue to serve the federal community, subscriptions are available for cost reimbursable incident handling support and direct technical assistance.

Purpose of Quarterly Report

The quarterly report summarizes FedCIRC activities of the preceding quarter. Along with descriptions of activities, the report contains highlights of security tools, guidance on preventing and handling incidents, and announcements about relevant computer-security events. Other key components of the report are incident trend information and aggregated statistics on the computer security incidents handled by FedCIRC during the reporting period. Statistics cover the number of calls received, types of incidents handled, systems attacked, and the effects of incidents.

Background of FedCIRC Project

On June 3, 1996, the Government Information Technology Services (GITS) Innovation Fund Committee granted $2,796,000 to the National Institute of Standards and Technology (NIST) to establish a Federal Computer Incident Response Capability (FedCIRC). The capability assists Federal civilian agencies in their incident handling efforts by providing proactive and reactive computer security related services.

NIST subcontracts the operational incident handling capability to the Defense Advanced Research Project Agency's CERT(SM) Coordination Center (CERT/CC) and to the Department of Energy's Computer Incident Advisory Capability (CIAC). NIST is responsible for operational management and for facilitating the development of incident handling standards and guidelines by utilizing the vulnerability data collected by FedCIRC. The vulnerability information will also be used in the analysis and testing of software and other products.

FedCIRC combines the experience and expertise of NIST's Computer Security Division, CERT/CC, and CIAC to provide agencies with cost reimbursable, direct technical assistance and incident handling support.

The need for an incident handling capability that crosses agency boundaries has never been greater. Almost all federal agencies are now connected to the Internet and exchange information regularly. The number of Internet related incidents that have occurred in the past year, along with the increase and complexity of threats, requires agencies to take seriously their incident handling capability. The Office of Management and Budget has emphasized this need in OMB Circular A-130, Appendix III, by requiring agencies to be able to respond in a manner that both protects their own information and helps to protect the information of others who might be affected by the incident.

The availability of the incident response hotline support and the collection, analysis, and publication of threat, vulnerability, and other security related data is accomplished by an underlying infrastructure of FedCIRC activities consisting of the following:

Statistics

The following statistics from the CERT/CC demonstrate the need for incident handling and indicate the volume of problems addressed in 1996. Incidents may involve one site or, potentially, hundreds or thousands of sites. Also, some incidents consist of on-going activities over long periods of time (e.g., more than a year).

FedCIRC Quarterly Statistics

The FedCIRC project was officially announced October 22, 1996 at the National Information Systems Security Conference and was launched November 7, 1996 with an introductory workshop. Because of its newness, agency use of FedCIRC has been minimal. It is expected that as agencies become aware of the valuable assistance FedCIRC provides, their use of this resource will increase accordingly. The following statistics represent FedCIRC activity for the first quarter of FY97.

Trends

Increase in Intruder Activity and Awareness of Security Problems

Each year since the CERT Coordination Center (CERT/CC) was established in 1988, CERT/CC has seen dramatic increases in intruder activity. The primary causes for the increase are: While the number of incidents reported to the CERT/CC continues to increase, the growth rate decreased for the first time in 1995, due primarily to three factors: The statistics do not show the increased sophistication of the toolkits used by intruders and the way knowledgeable intruders share their expertise with novices.

Intruders Becoming More Sophisticated

Unauthorized access to a computer or network, called "intrusion," is a critical problem in today's electronic environment. As the information infrastructure has matured and grown, so has the expertise of intruders. They have become more and more sophisticated; they are prepared and organized. For example, intruders use the telephone, voice messaging systems, E-mail, bulletin board systems, conferences, and encryption to conduct their business of intrusion and to share information among themselves. In 1989, intruders exploited passwords and known vulnerabilities to gain access to systems. Today's intruder not only exploits passwords and known vulnerabilities, but exploits protocol flaws, examines source files for new security flaws, and installs sniffer programs.

Just as computer systems and technology are becoming more sophisticated and complex, the techniques intruders use to break in have become numerous and innovative. Intruders leverage the use of currently available technologies, they create easy-to-use exploitation scripts, they develop sophisticated toolkits, and they transfer their expertise to novices, spawning a whole new cadre of intruders. The trend is that intruders target the information infrastructure, thus increasing the impact of their attacks. In a typical network attack, the intruder identifies a system to attack, gains user access and/or privilege access to that system, engages in unauthorized activities on the system, moves to other hosts from the intrusion site, installs a backdoor for future use, and hides the intrusion trail.

Effects of intrusion, beyond denial of service and unauthorized use or misuse of systems, are many. Lost, altered, and compromised data and software, loss of money, loss of trust in the system, loss of public confidence, and loss or endangerment of human life are other possible effects of an attack.

Sites Requesting Advice on Secure Connections

The CERT/CC has seen an increase in the number of hotline calls from sites requesting information on how to connect to the Internet securely before the site actually connected. It is hoped that this trend continues.

Tools and Trade Secrets

Internet Hoaxes

Interspersed among real virus notices are computer virus hoaxes that take time to debunk even though they do not infect systems. The Computer Incident Advisory Capability (CIAC) has prepared information about Internet hoaxes, including descriptions of hoaxes (e.g., PKZ300, Irina, Good Times, Good Times Spoof, Deeyenda, Ghost, PENPAL GREETINGS!, and Make Money Fast). The CIAC explanation covers the history of hoaxes, how to recognize a new hoax, and what to do when a message appears to be a hoax. The information is available from CIAC on their Hoaxes page.

Security Tools

The CIAC web site describes a number of security tools, such as Merlin (a graphical front end and management for several popular security tools such as SPI, Tiger, COPS, Crack, and Tripwire), Courtney (a network monitor to identify the source machines of SATAN probes/attacks), NID (network intrusion detector), and SPI (security profile inspector for most Unix systems). These and other security tools can be found at CIAC on their Tools page.

Virus Database

The CIAC Virus Database contains information gathered about small computer viruses and Trojans. CIAC's purpose in creating and maintaining the database is to identify known viruses for the Macintosh and PC and to give an overview of the effects of each virus. The CIAC Virus Database is located here.

Upcoming Events

NIST Seminar: Practical Intrusion Detection, April 23-24, 1997

Recent statistics show that security problems are occurring frequently; however, most victims never detect the problems. Computer security specialists and those technical experts responsible for system and network administration are the audience for the Practical Intrusion Detection Seminar. The seminar will address many of the technical and practical issues involved in incident detection. Vendors will be invited to discuss and to demonstrate their tools. Freely available tools will be described and demonstrated.

Contact Information

For more information about FedCIRC services and activities, contact Marianne Swanson or Fran Nielsen on 301/975-4369.

The FedCIRC information E-mail address is: fedcirc-info@fedcirc.nist.gov.

The FedCIRC hotline for incident handling support is 412/268-6321; for support via E-mail: fedcirc@fedcirc.nist.gov.

Last Modified: December 2, 1998.