FedCIRC Quarterly Summary Report

Reporting period: May - September, 1997

October 1997

FedCIRC Celebrates First Anniversary

Happy Anniversary!

Formally announced in October 1996, the Federal Computer Incident Response Capability (FedCIRC) has been underway now for approximately twelve months. Happy Anniversary FedCIRC!

FedCIRC has accomplished much in its first year. The FedCIRC web site has been accessed over a quarter of a million times, nine workshops have been held, and FedCIRC has assisted in nearly two hundred and fifty incidents. While FedCIRC has achieved some success and acclaim, its future is cloudy because of financial concerns.

During its short existence, the energies and resources of the FedCIRC team (NIST, FedCIRC-East (CERT/CC), and FedCIRC-West (CIAC)) have focused on informing potential clientele about the program and on obtaining funding for continued fiscal health. While these two activities are inarguably intertwined, they remain separate and time-consuming tasks. The two-fold problem of educating the consumer and soliciting sponsorship is costly and it side-steps the real FedCIRC emphasis of providing incident handling for the civilian federal government. The initial GITS funding of $2.76M will have been spent on building the FedCIRC infrastructure (i.e., operationalizing a virtual coast-to-coast incident response team) and on initializing an awareness campaign. A long term approach with a consistent funding source is essential to providing incident handling across civilian federal agencies.

The past twelve months have been a learning experience for the FedCIRC collaboration. Several key lessons were learned:

As a result of the lessons learned from the initial twelve months of existence and experience, a proposed plan of action has been developed by the FedCIRC collaborators. The proposal includes an updated business plan (based on the second increment of GITS funding and on the FedCIRC subscriptions received thus far) and has two major components: The proposal points out that with the second increment of GITS funding ($1.9M) and the subscriptions received so far, FedCIRC can continue to operate in the current mode (with a change in emphasis on increasing agency awareness) until the September 1998 time frame. Operation beyond that will require a revised funding model. The next six months are critical to the continued survival of FedCIRC and a long-term solution to the funding issue must be found.

The proposal was delivered to the GITS Champion for Computer Security and FedCIRC awaits a response. It is hoped that a steady income stream can be obtained to ensure the survival of FedCIRC.

Welcome Three New Subscribers!

The FedCIRC family increased threefold during the quarter. The U.S. Department of State, Treasury’s Bureau of Alcohol, Tobacco and Firearms, and the U.S. Department of Justice have become FedCIRC subscribers. Welcome! These three organizations join the other FedCIRC subscribers: The U.S. Customs Service, GSA’s Federal Supply Service, and Agriculture’s National Finance Center.

Over the summer, FedCIRC presented a trio of security seminars aimed at increasing information security awareness in the federal community. The seminars stressed the importance of employing best practices to protect federal information resources. The three classes -- "Web Security and Current Trends", "Connecting to the Internet Securely", and "Information Security for Managers" -- were well received and were deemed a great success.

The first seminar, presented in July, was "Web Security and Current Trends." The seminar was taught by Jeff Carpenter and Shawn Hernan, both of FedCIRC-East. The tag-team approach that the presenters used was very effective in presenting technical information in an easy to understand format. The seminar began with an overview of the Internet, including their views of the evolution and future of the Internet. The history of incident handling and the trends in incidents were described. Ironically, many of the intrusion profiles used years ago are still in use today. Carpenter discussed the attacks that FedCIRC is seeing (such as root compromises, mail bombs, IP spoofing, SYN attacks, and ping floods).

The second half of the session was devoted to Web security issues. Hernan explained that the key to using the Web securely is understanding and defending against the risks of placing information on it. He told attendees that the network configuration of a web site is critical; however, he pointed out that no single tool is a silver bullet. He encouraged security managers to use sound practices and procedures in conjunction with appropriate technology.

In August, FedCIRC-West’s team of Phillip Cox and John Fisher led the second seminar, "Connecting to the Internet Securely." The session began with Cox describing the Internet threats currently being observed by FedCIRC. The threats now being faced have increased in stealth, in complexity, and in automation. Cox provided stealth examples such as backdoor login, trojan shared libraries, and the dynamic modification of the Unix kernel.

The third seminar of the series was presented in September and consisted of a half day session, "Information Security for Managers." The session was taught by Kathy Fithen (FedCIRC-East) and Sandy Sparks (FedCIRC-West), who repeated it in the afternoon to give a wider audience of managers an opportunity to attend. Each session informed high level managers of the importance of security, emphasizing the growing threat and its impact on information resources. The roles of policy, procedures, and incident detection and response were explained in detail. The session ended with the presenters stressing the importance of security training for all system users, administrators, and managers.

The overwhelming success of these three seminars encourages FedCIRC to continue to present high quality, inexpensive, one day seminars geared to the federal community. FedCIRC plans to hold a winter series of training sessions beginning in February 1998. Be sure to peruse the FedCIRC website (http://csrc.nist.rip/fedcirc/) for seminar announcements and other FedCIRC information.

Call Us, We Can Help!

The FedCIRC hotline (412-268-6321) is currently available at no cost to the federal community; however, the window of opportunity for free service will be open only a short while. To continue to serve the federal community, subscriptions are available for cost reimbursable incident handling support and direct technical assistance.

FedCIRC Annual Workshop

On November 20 - 21, 1997 FedCIRC will hold its first Annual Workshop. The Workshop will be held at the DoubleTree Hotel in Rockville, Maryland. The focus of this workshop is to educate the community on current incident trends, incident detection, and incident handling.

The workshop is being conducted as a series of presentations on the first day and parallel training tracks on the second day. The three parallel training tracks are specifically designed to address participants’ differing backgrounds. Two tracks covering intrusion detection for systems and network administrators will be presented: one track will focus on Unix and networking and the other track will address Windows NT and viruses. The third training track describes secure communications and explains how to establish an incident response capability.

The diverse program and small conference atmosphere will provide plenty of opportunity for audiences and speakers to mingle and share their experiences. FedCIRC invites you to attend and to increase the benefits of this Workshop by your participation.

The Workshop brochure and registration information are available on the FedCIRC web site or can be obtained through e-mail or surface mail.

Visit the FedCIRC web site at:
http://csrc.nist.rip/fedcirc/

Send e-mail to:
fedcirc-info@fedcirc.nist.gov

or phone the FedCIRC Information Line at:
301-975-4369.

FedCIRC Participates in NISSC

At the recent National Information Systems Security Conference (NISSC) in Baltimore, Maryland, FedCIRC presented a tutorial on establishing an incident handling capability. The conference, co-sponsored by the National Institute of Standards and Technology and the National Security Agency, addresses the need of information security professionals for "swift, secure, value-added solutions." Nearly two thousand individuals registered for the 1997 NISSC.

Additionally, in an effort to highlight FedCIRC activities and services, FedCIRC joined the scores of computer security vendors and service providers who exhibited their wares at the vendor exposition sponsored by the Armed Forces Communications and Electronics Association (AFCEA) and held in conjunction with NISSC. The exposition provided an opportunity to share information and approaches to problem-solving with a broad audience of security specialists. Team members distributed information and held one-on-one discussions with visitors to the FedCIRC booth.

Contact Information

For more information about FedCIRC services and activities, contact Marianne Swanson or Fran Nielsen at the National Institute of Standards and Technology on 301/975-4369.

The FedCIRC website is:
http://csrc.nist.rip/fedcirc/

The FedCIRC information E-mail address is:
fedcirc-info@fedcirc.nist.gov.

The FedCIRC hotline for incident handling support is 412/268-6321;
for support via E-mail: fedcirc@fedcirc.nist.gov.

FedCIRC Advisories

The FedCIRC community receives advisories on incidents and potential problems. FedCIRC distributes advisories to aid in the wide distribution of essential security information. Generally, FedCIRC issues advisories about vulnerabilities whose exploitation can have the biggest impact on the Internet. So far, 71 FedCIRC advisories have been distributed. The advisories are posted on the web site shortly after their distribution.

About FedCIRC

The Federal Computer Incident Response Capability (FedCIRC) is an initiative undertaken by NIST’s Information Technology Laboratory’s Computer Security Division, the CERT* Coordination Center (CERT/CC), and the Department of Energy’s Computer Incident Advisory Capability (CIAC) to provide agencies with cost reimbursable, direct technical assistance and incident handling support. FedCIRC combines the experience and expertise of these three organizations to provide a virtual coast-to-coast team of incident response support for the federal civilian community.

*Registered in U.S. Patent and Trademark Office. The CERT Coordination Center is part of the Software Engineering Institute. The Software Engineering Institute is sponsored by the U.S. Department of Defense.

What are "Quarterly" Reports?

Perhaps readers have noticed that the FedCIRC "quarterly" reports have not exactly been published quarterly during the first year. In fact, the FedCIRC quarterly report came out only three times this year. This can be considered good news, however, because it indicates the high level of energy devoted to other FedCIRC activities, such as the summer series, NISSC, annual workshop, incident handling support, security evaluations, and so on. It is the intention of the FedCIRC collaboration to issue its newsletter regularly and to continue to call it a "quarterly" report.


Last Modified: December 2, 1998.