FedCIRC Quarterly Summary, June 1997

FedCIRC Quarterly
Summary Report

Reporting period: January - April, 1997

June 1997

Welcome New Subscribers

The past few months have been busy for the FedCIRC collaboration. The most exciting news is that during the quarter, three organizations became FedCIRC subscribers. The U.S. Customs, the Federal Supply Service of GSA, and the National Finance Center, U.S. Department of Agriculture are new FedCIRC subscribers. Welcome!

Intrusion Detection Seminar Held

The Practical Intrusion Detection Seminar held at NIST on April 23-24 was a stellar success. The seminar was attended by over eighty federal employees and their contractors. Literally, the room was packed!

The two day session addressed many of the technical and practical issues involved in detecting incidents in computer systems. The tools to detect intrusions and descriptions of the types of attacks targeted at networks, servers, and desktops were presented. The seminar was augmented with an exhibit of intrusion detection tools. More details follow.

The seminar program was packed with informative presentations. Sandy Sparks, FedCIRC-West, and Rich Pethia, FedCIRC-East, set the stage for the seminar with their session, Introduction to Practical Intrusion Detection. Pointing out that the seminar would cover "detection" but not prevention or response, Sparks and Pethia described the rise in the number of intrusions on computer systems and stated the seminar goal of "improving the ability of Federal civilian agencies to detect intrusions or intrusion attempts."

Scott Charney, U.S. Department of Justice, discussed information technology legal issues, including the wiretap statute and its exceptions. Charney emphasized that, under the 4th amendment, Americans have an expectation of privacy. Mentioning keystroke monitoring and the potential liability of systems administrators, he pointed out that it is illegal to intercept or disclose information except under court order. Attendees were reminded of the need for a banner message on systems to warn users that their use may be monitored. Charney commented that public service providers can read e-mail but they may not disclose the contents except with the consent of the sender or receiver.

Mark Zajicek, FedCIRC-East, covered Host-Based Intrusion Detection for UNIX systems. Zajicek cited several recommended practices for intrusion detection, including actions such as verifying the integrity of intrusion detection tools, examining system activities, and reviewing reports from other sources. He cautioned attendees to use tools distributed via read-only media, whenever possible and practical, because they are more reliable and less prone to accidental destruction.

Describing the differences between host-based and network-based intrusion, Jeffrey Carpenter, FedCIRC-East, briefed on Network-Based Intrusion Detection - Routers, Firewalls, and Network Monitoring. He pointed out that network monitoring is important for detecting break-in attempts, vulnerability exploits, intruder scans, automated attacks, and the presence of new machines on the network.

Marcey Kelley, FedCIRC-West, described tools and techniques for intrusion detection on Windows NT, Macintosh, and Novell in her presentation, Practical Intrusion Detection for Non-Unix Based Systems. Noting that the trend is for more powerful and economical desktop systems, Kelley described intrusion paths on desktop systems, such as intrusions on client machines vulnerable to untrusted host connections via web browsers and third-party software added on top of the operating system.

David Crawford, FedCIRC-West, informed seminar attendees about viruses and their detection. Citing a National Computer Security Association (NCSA) survey, Crawford noted that virtually one in every thousand PCs experienced a virus incident every month in 1996. This statistic is up significantly from the 1984 report in which a virus was encountered in every thousand PCs every three months. Crawford described the infection process and gave clues for finding viruses.

Barbara Fraser, FedCIRC-East, gave attendees an overview of the Security Improvement Handbook. A security improvement module is a collection of recommended system and network administration practices that address the security of a specific information technology area. Examples of information technology areas include security of publicly-accessible web services, intrusion detection, and management of network connectivity with external contractors.

Thanking the speakers for their excellent presentations, the attendees for their diligent listening, and the exhibitors for their informative displays, Marianne Swanson, FedCIRC Program Manager, summed up the two-day seminar and encouraged agencies to use the FedCIRC services while they are freely available.

Eight vendors and one federal agency demonstrated their tools and supplied information to seminar attendees. Exhibitors were:

Axent Technologies
Internet Security Systems
ITT Aerospace
Lawrence Livermore National Labs
McAfee Software
SAIC
Touch Technologies
Trend Micro Inc.
Wheel Group Corp.

Due to the positive response received, the seminar will be repeated in conjunction with the FedCIRC annual conference scheduled for early November in Washington, D.C.

Plan to attend the annual conference - watch for details in the next report.

Call Us, We Can Help!

The FedCIRC hotline (412-268-6321) is currently available at no cost to the federal community; however, the window of opportunity for free service will be open only a short while. To continue to serve the federal community, subscriptions are available for cost reimbursable incident handling support and direct technical assistance.

FedCIRC Statistics

With the growing dependence of business and government on networking and with the increased value of information, it has become even more vital that computer systems remain secure. The need for an incident handling capability that crosses agencies boundaries has never been greater. Almost all agencies are now connected to the Internet and exchange information. The cornerstone of the FedCIRC collaboration is incident handling.

The following statistics represent FedCIRC activity through the second quarter of FY97:

16,767 visits to FedCIRC web site.
131 hotline calls/E-mail messages for incident handling assistance (the ripple effect of these incidents impacted thousands of sites/hosts, 131 of which were .gov sites)
143 phone calls for information.

Of the 131 incidents handled, 13 were e-mail incidents, 62 were intrusion incidents, 44 were probes, and 12 were viruses. Mail spamming and spoofing made up the majority of the e-mail incidents. Intrusion incidents covered the gamut of stolen passwords and password files to exploiting known software vulnerabilities. Probes for security vulnerabilities, scans of systems, and scores of attempts to gain unauthorized access are examples of probes. Viruses, such as the wazzu virus, NPAD, and Tentacle, infected PCs and other systems. Look at the FedCIRC website for incident handling tools.

Examples of FedCIRC actions in handling these incidents were to coordinate communications among the site(s) involved as well as to provide appropriate contact information and advice about the attack method (e.g., mail spamming); to work with the compromised site to help it recover from the attack; and to explain how to handle the problem and how to prevent it in the future.

Background of FedCIRC Collaboration

On June 3, 1996, the Government Information Technology Services (GITS) Innovation Fund Committee granted $2,796,000 to the National Institute of Standards and Technology (NIST) to establish a Federal Computer Incident Response Capability (FedCIRC). The capability assists Federal civilian agencies in their incident handling efforts by providing proactive and reactive computer security related services. FedCIRC serves as a single point, world class service to respond to incidents and share vulnerability data. A centralized approach is required to leverage the full potential of networking in the federal civilian community as well as to protect and safeguard information across agency boundaries.

FedCIRC combines the experience and expertise of NIST's Information Technology Laboratory's Computer Security Division with FedCIRC-East (the Defense Advanced Research Project Agency's CERT(SM) Coordination Center (CERT/CC)) and FedCIRC-West (the Department of Energy's Computer Incident Advisory Capability (CIAC)) to provide agencies with cost reimbursable, direct technical assistance and incident handling support.

The number of Internet related incidents that have occurred in the past year, along with the increase and complexity of threats, requires agencies to take their incident handling capability more seriously. The Office of Management and Budget has emphasized the need for incident handling in OMB Circular A-130, Appendix III, by requiring agencies to be able to respond in a manner that both protects their own information and helps to protect the information of others who might be affected by the incident.

The availability of the incident response hotline support and the collection, analysis, and publication of threat, vulnerability, and other security related data is accomplished by an underlying infrastructure of FedCIRC activities consisting of the following:

alert creation;
interaction with other incident handling organizations, law enforcement, and vendors;
threat and trend analysis;
hotline availability;
data tracking;
vulnerability analysis;
report generation;
database maintenance;
guidance documents (e.g., example practices);
web site maintenance; and
technology watch.

How the Virtual Team Operates

Prior to the start of the FedCIRC collaboration, NIST, FedCIRC-East, and FedCIRC-West had their own operating procedures and methods of conducting business. To perform as a virtual team, however, the three collaborators agreed to a harmonized set of common procedures for coordinated activities. By holding weekly teleconferences, exchanging e-mails, coordinating schedules, and planning collaboratively, FedCIRC has demonstrated the viability of a virtual coast-to-coast incident handling team. The team is working well together!

FedCIRC Advisories

The FedCIRC community receives advisories on incidents and potential problems. FedCIRC distributes advisories to aid in the wide distribution of essential security information. Generally, FedCIRC issues advisories about vulnerabilities whose exploitation can have the biggest impact on the Internet. So far, eight FedCIRC advisories have been distributed. Twelve more advisories are being finalized and will be distributed before the end of June.

Upcoming Events

The FedCIRC collaboration will hold a series of three training sessions this summer at NIST. The sessions are:

July 25 - Web Security and Current Trends
August 28 - Connecting to the Internet Securely
September 26 - InfoSec for Managers

Registration packets will be available soon. To receive registration information, contact the FedCIRC information line: 301/975-4369 or send e-mail to:

fedcirc-info@fedcirc.nist.gov.

The FedCIRC annual conference will be held in early November - watch this space for details of date and place (Washington D.C. locale).

Contact Information

For more information about FedCIRC services and activities, contact Marianne Swanson or Fran Nielsen at the National Institute of Standards and Technology on 301/975-4369.

The FedCIRC information E-mail address is:
fedcirc-info@fedcirc.nist.gov.

The FedCIRC hotline for incident handling support is 412/268-6321; for support via E-mail:
fedcirc@fedcirc.nist.gov.

Return to Previous Page

Return to Incident Handling Homepage

Return to CSRC Homepage Please send comments or suggestions to webmaster-csrc@nist.rip Last Modified: December 2, 1998.