FedCIRC Quarterly Summary Report
Reporting period: October - December, 1996
January 1997
What is FedCIRC?
The Federal Computer Incident Response Capability (FedCIRC) is an initiative
undertaken by the National Institute of Standards and Technology (NIST),
the Department of Energy's Computer Incident Advisory Capability (CIAC),
and the Carnegie Mellon, Software Engineering Institute's CERT Coordination
Center (CERT/CC). These established computer security organizations have
banded together to offer the Federal civilian community assistance and
guidance in handling computer security related incidents. (A computer security
incident is "an adverse event in a computer system or network caused by
a failure of a security mechanism, or an attempted or threatened breach
of these mechanisms." Ref: Eugene Schultz, David Brown, and Tom Longstaff;
Responding to Computer Security Incidents: Guidelines for Incident Handling,
July 23, 1990.)
The FedCIRC hotline (412-268-6321) is currently available at no cost
to the federal community; however, the window of opportunity for free service
will be open only a short while. To continue to serve the federal community,
subscriptions are available for cost reimbursable incident handling support
and direct technical assistance.
Purpose of Quarterly Report
The quarterly report summarizes FedCIRC activities of the preceding quarter.
Along with descriptions of activities, the report contains highlights of
security tools, guidance on preventing and handling incidents, and announcements
about relevant computer-security events. Other key components of the report
are incident trend information and aggregated statistics on the computer
security incidents handled by FedCIRC during the reporting period. Statistics
cover the number of calls received, types of incidents handled, systems
attacked, and the effects of incidents.
Background of FedCIRC Project
On June 3, 1996, the Government Information Technology Services (GITS)
Innovation Fund Committee granted $2,796,000 to the National Institute
of Standards and Technology (NIST) to establish a Federal Computer Incident
Response Capability (FedCIRC). The capability assists Federal civilian
agencies in their incident handling efforts by providing proactive and
reactive computer security related services.
NIST subcontracts the operational incident handling capability to the
Defense Advanced Research Project Agency's CERT(SM) Coordination Center
(CERT/CC) and to the Department of Energy's Computer Incident Advisory
Capability (CIAC). NIST is responsible for operational management and for
facilitating the development of incident handling standards and guidelines
by utilizing the vulnerability data collected by FedCIRC. The vulnerability
information will also be used in the analysis and testing of software and
other products.
FedCIRC combines the experience and expertise of NIST's Computer Security
Division, CERT/CC, and CIAC to provide agencies with cost reimbursable,
direct technical assistance and incident handling support.
The need for an incident handling capability that crosses agency boundaries
has never been greater. Almost all federal agencies are now connected to
the Internet and exchange information regularly. The number of Internet
related incidents that have occurred in the past year, along with the increase
and complexity of threats, requires agencies to take seriously their incident
handling capability. The Office of Management and Budget has emphasized
this need in OMB Circular A-130, Appendix III, by requiring agencies to
be able to respond in a manner that both protects their own information
and helps to protect the information of others who might be affected by
the incident.
The availability of the incident response hotline support and the collection,
analysis, and publication of threat, vulnerability, and other security
related data is accomplished by an underlying infrastructure of FedCIRC
activities consisting of the following:
- alert creation;
- interaction with other incident handling organizations, law enforcement,
and vendors;
- threat and trend analysis;
- hotline availability;
- data tracking;
- vulnerability analysis;
- report generation;
- database maintenance;
- guidance documents (e.g., example practices);
- web site maintenance; and
- technology watch.
Statistics
The following statistics from the CERT/CC demonstrate the need for incident
handling and indicate the volume of problems addressed in 1996.
- 2,573 incidents handled.
- 31,269 E-mail messages processed.
- 1,543 requests for information processed.
- 2,062 hotline calls handled.
- 27 CERT/CC advisories published.
- 20 vendor-initiated bulletins published.
- 6 CERT/CC summaries published.
Incidents may involve one site or potentially hundreds or thousands of
sites. Also, some incidents consist of ongoing activity over long periods
of time (e.g., more than a year).
FedCIRC Quarterly Statistics
The FedCIRC project was officially announced October 22, 1996 at the National
Information Systems Security Conference and was launched November 7, 1996
with an introductory workshop. Because of its newness, agency use of FedCIRC
has been minimal. It is expected that as agencies become aware of the valuable
assistance FedCIRC provides, their use of this resource will increase accordingly.
The following statistics represent FedCIRC activity for the first quarter
of FY97.
- 8,106 visits to the FedCIRC web site.
- 13 hotline calls/E-mail messages for incident handling assistance.
- 40 FedCIRC phone calls for information.
Trends
Increase in Intruder Activity and Awareness of Security Problems
Each year since the CERT Coordination Center (CERT/CC) was established
in 1988, CERT/CC has seen dramatic increases in intruder activity. The
primary causes for the increase are:
- increases in the number of Internet hosts,
- corresponding increases in intruder activities, and
- increases in the Internet community's awareness of security issues.
While the number of incidents reported to the CERT/CC continues to increase,
the growth rate decreased for the first time in 1995, due primarily to
three factors:
- existence of incident response teams that serve a specific constituency
of the Internet community and to whom Internet incidents are reported;
- improved ability of site personnel to handle incidents directly; and
- increased facility of the CERT/CC staff to identify related intruder activities
from diverse reports, resulting in fewer separate incidents but more large,
complex ones.
The statistics do not show the increased sophistication of the toolkits
used by intruders and the way knowledgeable intruders share their expertise
with novices.
Intruders Becoming More Sophisticated
Unauthorized access to a computer or network, called "intrusion," is a
critical problem in today's electronic environment. As the information
infrastructure has matured and grown, so has the expertise of intruders.
They have become more and more sophisticated; they are prepared and organized.
For example, intruders use the telephone, voice messaging systems, E-mail,
bulletin board systems, conferences, and encryption to conduct their business
of intrusion and to share information among themselves. In 1989, intruders
exploited passwords and known vulnerabilities to gain access to systems.
Today's intruder not only exploits passwords and known vulnerabilities,
but exploits protocol flaws, examines source files for new security flaws,
and installs sniffer programs.
Just as computer systems and technology are becoming more sophisticated
and complex, the techniques intruders use to break in have become numerous
and innovative. Intruders leverage the use of currently available technologies,
they create easy-to-use exploitation scripts, they develop sophisticated
toolkits, and they transfer their expertise to novices, spawning a whole
new cadre of intruders. The trend is that intruders target the information
infrastructure, thus increasing the impact of their attacks. In a typical
network attack, the intruder identifies a system to attack, gains user
access and/or privilege access to that system, engages in unauthorized
activities on the system, moves to other hosts from the intrusion site,
installs a backdoor for future use, and hides the intrusion trail.
Effects of intrusion, beyond denial of service and unauthorized use
or misuse of systems, are many. Lost, altered, and compromised data and
software, loss of money, loss of trust in the system, loss of public confidence,
and loss or endangerment of human life are other possible effects of an
attack.
Sites Requesting Advice on Secure Connections
The CERT/CC has seen an increase in the number of hotline calls from sites
requesting information on how to connect to the Internet securely before
the site actually connected. It is hoped that this trend continues.
Tools and Trade Secrets
Internet Hoaxes
Interspersed among real virus notices are computer virus hoaxes that take
time to debunk even though they do not infect systems. The Computer Incident
Advisory Capability (CIAC) has prepared information about Internet hoaxes,
including descriptions of hoaxes (e.g., PKZ300, Irina, Good Times, Good
Times Spoof, Deeyenda, Ghost, PENPAL GREETINGS!, and Make Money Fast).
The CIAC explanation covers the history of hoaxes, how to recognize a new
hoax, and what to do when a message appears to be a hoax. The information
is available from CIAC on their Hoaxes page.
Security Tools
The CIAC web site describes a number of security tools, such as Merlin
(a graphical front end and management for several popular security tools
such as SPI, Tiger, COPS, Crack, and Tripwire), Courtney (a network monitor
to identify the source machines of SATAN probes/attacks), NID (network
intrusion detector), and SPI (security profile inspector for most Unix
systems). These and other security tools can be found at CIAC on their
Tools page.
Virus Database
The CIAC Virus Database contains information gathered about small computer
viruses and Trojans. CIAC's purpose in creating and maintaining the database
is to identify known viruses for the Macintosh and PC and to give an overview
of the effects of each virus. The CIAC Virus Database is located here.
Upcoming Events
NIST Seminar: Practical Intrusion Detection, April 23-24, 1997
Recent statistics show that security problems are occurring frequently;
however, most victims never detect the problems. Computer security specialists
and those technical experts responsible for system and network administration
are the audience for the Practical Intrusion Detection Seminar. The seminar
will address many of the technical and practical issues involved in incident
detection. Vendors will be invited to discuss and to demonstrate their
tools. Freely available tools will be described and demonstrated.
Contact Information
For more information about FedCIRC services and activities, contact Marianne
Swanson or Fran Nielsen on 301/975-4369.
The FedCIRC information E-mail address is:
fedcirc-info@fedcirc.nist.gov.
The FedCIRC hotline for incident handling support is 412/268-6321;
for support via E-mail:
fedcirc@fedcirc.nist.gov.
Last Modified: December 2, 1998.