Bibliography of Computer Security Incident Handling Documents

by Klaus-Peter Kossakowski - kpk@cert.dfn.de

Top - Help

Copyright(c), 1996 - Management Analytics and Others - All Rights Reserved

During the past years I tried to find as many documents about Computer Security Incident Handling as possible. By no means does this bibliography implies that all published papers about this important topic are covered here. I appreciate every help in identifying new references. Please sent me new information by electronic mail to kpk@cert.dfn.de

Annotated References

• Brand 1990

  Coping with the Threat of Computer Security Incidents : A Primer from Prevention through Recovery

  Russell L. Brand (CERT/CC, US). - Carnegie Mellon University. - Pittsburgh, PA. - Version CERT 0.6. - June 8, 1990. - no ref. - 44 p.

  Abstract:Based on a basic text for one day intensive seminars on the practical aspects of computer security in unclassified networked environments. The text is divided into four sections with a number of appendices. Incident avoidance, pre-planning, and handling are covered in the main part of the paper. The main purpose is to serve as a simplified - but effective - primer and guide.

  Keywords: Guidelines, Incident Response

• [CEC/DGX111-B 1992]

  Incident Reporting - A European Structure: Database Structures

  Commission of the European Communities (CEC/DGX111-B). - Report No. 19733 (S2003/WP08). - October 1992.

  Keywords: Research

  Remark:Due to the fact that I was unable to obtain even a copy of this document yet I am unable to give any other information. I found the reference within a New Work Item Proposal for "IT Security Incident Analysis Services"

• [CEC/DGX111-B 1992a]

  Incident Reporting - A European Structure: Final Feasibility and Strategy Report

  Commission of the European Communities (CEC/DGX111-B). - Report No. 19733 (S2003/WP09-10). - December 1992.

  Keywords:Research

  Remark:Due to the fact that I was unable to obtain even a copy of this document yet I am unable to give any other information. I found the reference within a New Work Item Proposal for "IT Security Incident Analysis Services" [ISO/IEC JTC1/WG27/WG1/N457Rev 1994].

• [ CERT System 1990]

  Computer Emergency Response Team System (CERT System): Operational Framework

  Members of the CERT System. - November 16, 1990.

  Abstract:This framework explains the constitution of the CERT System - which is today called FIRST. Organization, meetings, membership, and policies are addressed. Due to the fact, that FIRST has released a new framework [FIRST 1992], this document is obsolete and only von historical interest.

  Keywords:International Aspects, Management

• [ CERT 1993]

  Internet Security for Managers

  Computer Emergency Response Team / Coordination Center. - Carnegie Mellon University. - Pittsburgh, PA. - 1993.

  Abstract:In this tutorial about Internet security there is a short chapter about the CERT Coordination Center itself and the process of establishing an own incident response team.

  Remarks:No electronic version of this document is available. The material is used as training material for tutorials only, which are held several times a year. If you are interested in this tutorials, please contact the CERT Coordination Center directly.

  Keywords:Incident Response, Team Establishment

• [ CERT-FAQ 1993]

  The CERT Coordination Center FAQ

  Computer Emergency Response Team / Coordination Center. - Carnegie Mellon University. - Pittsburgh, PA. - Revision 7. - January 1993.

  Abstract:Based on the experience of this team, frequently asked questions are answered. As this answers also covers topics as the task and definition of a Computer Emergency Response Team it is worthwile as a reference for specific terms. Additionally other aspects (information resources, incident response) are addressed, too.

  Keywords:Team Description

• [ CERT-NL 1992]

  CERT-NL Operational Framework

  CERT-NL. - SURFnet. - Utrecht, NL. - Version 2.1. - June 23, 1992. - 1 ref. - 22 p. -[available as PostScript and Text].

  Abstract:This framework describes CERT-NL, its organization, and the basic operational policies. In addition to the FIRST Operational Framework this document can serve as one of the leading documents to specify an own framework for a new team.

  Keywords:Management

• [ CERT-NL-FAQ 1993]

  Frequently Asked Questions about CERT-NL

  CERT-NL. - SURFnet. - Utrecht, NL. - February 16, 1993. - no ref. - 3 p.

  Abstract:Similar to other FAQs specific topics for CERT-NL and its task are addressed here.

  Keywords:Team Description

• [CSIHW 1/1989]

  Invitational Workshop on Computer Security Incident Response

  Carnegie Mellon University; Software Engineering Institute. - Pittsburgh, PA. - August 1991.

  Abstract:This workshop was the beginning of the Computer Security Incident Handling Workshop - nowadays organized by FIRST. During the workshop five working groups prepared a position paper on specific topics:

  • Incident Handling (11 p.)
  • Vendor Relations (7 p.)
  • Clearinghouse Activities (7 p.)
  • Legal and Investigative Issues (8 p. and 2 Appendices)
  • Modeling the Threat (7 p.)

  Keywords:Conferences and Workshops

  Remark:I am not aware of any electronic version of this proceedings. Most of the pages are presentation slides.

• [CSIHW 2/1990]

  Workshop on Computer Security Incident Handling

  Carnegie Mellon University; Software Engineering Institute. - Pittsburgh, PA. - June 1990.

  Content:

  • Plenary:
    • Charles E. Cole (LLNL, US) / The Challenge of Incident Handling
    • William Scherlis (DARPA, US) / The CERT Concept: Scaling Up
    • Michael Odawa (Software Development Councile, US) / Viruses and Their Implications for Commercial Software
  • Management Issues:
    • Legal Issues
      • Presentations by Mark D. Rasch (DoJ, US) and James J. Kolouch (FBI, US)
      • Stephen E. Hansen (Stanford, US) / Legal Issues, A Site Manager's Nightmare
    • Forming and Managing a Response Team
      • E. Eugene Schulz Jr. (CIAC, US) / Forming and Managing CIAC: Lessons Learned
      • Rich D. Pethia (CERT/CC, US) / Forming and Managing a Response Team
      • Presentations by Peter E. Yee (NASA Ames Research, US)
      • A. Fedeli (IBM, US) / Forming and Managing a Response Team
    • Developing the Response Team Network
      • Presentation by Dennis D. Steinauer (NIST, US)
      • Rich D. Pethia (CERT/CC, US) / Developing the Response Team Network
      • Presentations by Ronald H. Hysert (Canadian System Security Centre, CA) and Christopher C. Harvey (SPAN, FR)
    • Building a Constituency
      • J. Paul Holbrook (CERT/CC, US) / Building a Constituency - The CERT/CC Experience
      • Presentation by John W. Mildner (Naval Electronics System Security Engineering Center, US)
      • J. Dalton (AT&T, US) / Building a Constituency - An Ongoing Process
  • Dealing with Threats and Vulnerabilities:
    • Trends/Anticipated Future Trends
      • Presentations by Karl Levitt (UC Davies, US) and Donn B. Parker (SRI, US)
      • Jerry M. Carlin (Pacific Bell, US) / Future Imperfect or Some Thoughts on Future Security Incident Handling
    • Threat Models
      • Presentations by John Cordani (Adelphi University, US), Dave Icove (FBI, US) and Tim Huff (FBI, US)
    • Vendor Activities
      • Jack Collins and Beverly J. Ulbrich (SUN, US), Steve Redfern (DEC, US) and Gary Garb and David B. Shankland (UNISYS, US)
    • Tools
      • Presentations by Matt Bishop (Darthmouth College, US), Dan Farmer (CERT/CC, US) and Thomas R. Malarkey (NCSC, US)
  • Communications:
    • Trusted Communications Mechanisms
      • Presentations by Stephen D. Crocker (TIS, US), Doug Price (Sparta, US) and Rick Carr (NASA, US)
    • Communicating Vulnerability Information
      • Presentations by Gregory J. Stuk (Bellcore, US), Keith Bostic (UC Berkeley, US) and Tom Longstaff (CIAC, US)
    • Information Sources
      • Presentations by Kenneth van Wyk (CERT/CC, US), Marianne Swanson (NIST, US) and Thomas R. Malarkey (NCSC, US)
    • Intra-CERT Communication
      • Presentations by Ronald Tencati (SPAN, US), Joseph P. Boyd (DDN, US) and Doug L. Mansur (LLNL, US)

  Keywords:Conferences and Workshops

  Remark:I am not aware of any electronic version of this proceedings. Most of the pages are presentation slides.

• [CSIHW 3/1991]

  3th Workshop on Computer Security Incident Handling

  Carnegie Mellon University; Software Engineering Institute. - Herndon, VA. - August 1991.

  Content:

  • Plenary:
    • Presentation by Scott Charney (DoJ, US)
    • Steve Crocker (TIS, US) / Will the Network Ever Be Safe(r)? - The Role of Intrusion Detection in the Overall Scheme of Network Security
    • Richard D. Pethia (CERT/CC, US) / On Forming the CERT System
    • John Wack (NIST, US) / Establishing a Computer Security Incident Response Capability (CSIRC)
  • Vendor Activities:
    • Stephen C. O'Brien (RAXCO, US) / Asessing VMS Security with the Security Toolkit
    • Beverly J. Ulbrich (SUN, US) / SUN's Customer Warning System
    • Steve Redfern (DEC, US) / Security Incident Management at Digital
  • Network Intrusions:
    • James E. Molini (NASA, US) / Integrity Tools for Intrusion and Virus Detection
    • Jeffrey I. Schiller (MIT, US) / Computer Incident Handling at the Massachusetts Institute of Technology
    • Kenneth J. Kutz (Bowling Green State University) / An Intrusion from the Netherlands: An Internet and Unix Security Case Study
  • Legal / Liability Issues:
    • E. Eugene Schultz Jr. (CIAC, US) / The Computer Fraud and Abuse Act of 1986 and the Computer Security Act of 1987: Impact on Incident Response Efforts
    • David J. Icove and Karl A. Seger (FBI, US) / Project CASIAT: An Update
    • Geoffrey S. Stewart (Hale and Door, US) / Legal Liabilities of Software Publishers for Distribution of Software Containing Security Holes
  • Vulnerabilities / Malicious Code
    • Thomas A. Longstaff and E. Eugene Schultz Jr. (CIAC, US) / Beyond Preliminary Analysis of the WANK and OILZ Worms: A Case Study of Malicious Code
    • Gordon Hama and Maurice Massart (Royal Canadian Mounted Police, CA) and Ron Hysert (Communications Security Establishment, CA) / Government of Canada PC-Virus Training Package
    • Ray Kaplan (Univ. of Arizona, US) / Speculations on the Nature of Future Attacks and How we Will Defend Ourselves Against Them
  • Procedures, Policies & Techniques
    • David E. Post (Siemens Corporate Research, US) / Computer Security Incidents
    • Matt Bishop (Dartmouth College, US) / Comparing Authentication Techniques
    • Mike Nicholson (Westinghouse, US) / One Corporation's Approach to Information Systems Security
    • Dennis M. Flanders (Boeing, US) / Information Security: Understanding and Selling the Need
    • Charlie Atterbury (Eastman Kodak, US) / Managing Microcomputer Virus Concerns within A Large Diverse Environment
    • A. Padgett Peterson / Developing the Internal Computer Security Program
  • Tools
    • David S. Brown (CIAC, US) / The CIAC Binary Inspector Tool (BIT): A Non-Intrusive Vulnerability Detection Mechanism
    • James S. Rothfuss (LLNL, US) / Update on the VMS Security Profile Inspector
    • Thomas D. Garvey (Artificial Intelligence Center, US) and Teresa F. Lunt (SRI, US) / Using Models of Intrusions
    • Steven R. Snapp, Biswanath Mukherjee and Karl N. Levitt (Univ. of Calif, Davis, US) / Detecting Intrusions Through Attack Signature Analysis
    • Barbara Lawrence (Westinghouse, US) / Cost Conscious Network Security: Prioritizing Requirements

  Keywords:Conferences and Workshops

  Remark:I am not aware of any electronic version of this proceedings. Most of the pages are presentation slides.

• [CSIHW 4/1992]

  4th Workshop on Computer Security Incident Handling

  Forum of Incident Response and Security Teams. - Denver, CO. - August 1992.

  Content:

  • Plenary:
    • Dennis Steinauer (NIST, US) / FIRST - Where We Are And Where We Are Going
    • Steven Crocker (TIS, US) / Internet Privacy Enhanced Mail -(PEM)
    • Steven Squires (DARPA, US) / HPCC - High Performance Computing and Communications
    • Ray Kaplan (Univ. of Arizona, US) / Speculations on the Nature of Future Attacks and How We Will Defend Ourselves Against Them
    • Kathleen Padgett (LANL, US) / Establishing and Operating an Incident Response Team
    • Lenora E. Haldenby (Communications Security Establishment, CA) / Computer Security Incident Response Handling: Current Canadian Experiences, Issues and Plans
    • Panel session: Incident handling - A Vendor's Perspective
    • Barbara Lawrence (Westinghouse, US) / Information Warfare: A new World Order: New Security Challenges
    • John Wack (NIST, US) / Secure Internet Gateways
    • Electronic Disseminations of Computer Security Information / Presentations by Marianne Swanson (NIST, US), Ken van Wyk (CERT/CC, US) and Cindy Hash (NCSC, US)
  • Tools and Technologies
    • Abha Moitra (GE, US) / Real-Time Audit Log Viewer and Analyzer
    • Arthur Maccabe (Univ. of New Mexica, US) / Learning how to Characterize Normal Behavior in LANs
    • Steven Snapp (Haystack Laboratories, US) / Signature Analysis Model Definition and Formalism
    • Matt Bishop (Dartmouth College, US) / Proactive Password Checking
    • Dennis Jackson (Staffordshire County Council, UK) / X.25 network tracing for Internet users
  • Legal and Management Issues
    • William J. Cook (Willian Brinks Olds Hofer Gibson & Lione, US) / Trends in Network Liability
    • Karyn Pichnarczyk (CIAC, US) / PC Viruses: How Do They Do That?
    • Dennis Flanders (Boeing, US) / Information Security - Understanding and Selling the Need
    • Dennis Flanders (Boeing, US) / Security Awareness: The 70% Solution
    • Gene Spafford (Purdue Univ., US) / Policies and Planning can Prevent Security Incidents

  Keywords:Conferences and Workshops

  Remark:I am not aware of any electronic version of this proceedings. Also many slides are included in this proceedings also it was handed out as a report.

• [CSIHW 5/1993]

  5th Workshop on Computer Security Incident Handling

  Forum of Incident Response and Security Teams. - St. Louis, Miss. - August 1993.

  Content:

  • Plenary:
    • Keynote Speaker: Vinton Cerf (CNRI, US)
  • International Issues:
    • Presentations by Harry Onderwater (Dutch Federal Police, NL), John Austen (New Scotland Yard, UK) and John Neily (Royal Canadian Mounted Police, CA)
  • Professional Certification & Qualification:
    • Presentations by Sally Meglathery (ISCC, US), Lynn McNulty (NIST, US) and Genevieve Burns (ISSA, US)
  • Incident Aftermath and Press Relations:
    • Presentations by Laurie Sefton (Apple, US), Jeffrey Sebring (MITRE, US), Terry McGillen (CMU/SEI, US), John Markoff (New York Times, US) and Mike Alexander (InfoSecurity News, US)
  • Preserving Rights During an Investigation:
    • Presentations by Mike Godwin (EFF, US), Scott Charney (DoJ, US) and Frank Dudley Berry Jr. (Santa Clara County, US)
  • Coordinating an Investigation:
    • Presentations by Jim Settle (FBI, US), Jack Lewis (Secret Service, US) and John Smith (Santa Clara County, US)
  • Liabilities and Insurance:
    • Presentations by Mark Rasch (Arent Fox, US), Bill Cook (Willian, Brinks, Olds, Hoffer & Gibson, US) and Marr Haack (USF&G Insurance Companies, US)
  • Incident Role Playing:
    • An exercise organized by Tom Longstaff (CERT, US) to develop new insights into the process of investigating a computer security incident.
  • Virus Incidents:
    • Presentations by Werner Uhrig (Univ. of Texas, US), David Grisham (Univ. of New Mexico, US), Christoph Fischer (Univ. of Karlsruhe, DE) and Karyn Pichnarcyk (CIAC, US)
  • Databases:
    • Presentations by John Carr (CCTA, UK) and Michael Higgins (DISA/CISS, US)
  • Threats:
    • Presentations by Karl A. Seger (Associate Corporate Consultants, US), Craig Worstell (Boeing, US) and Genevieve Burns (Monsanto, US)

  Keywords:Conferences and Workshops

  Remark:I am not aware of any electronic version of this proceedings.

• [CSIHW 6/1994]

  6th Workshop on Computer Security Incident Handling

  Forum of Incident Response and Security Teams. - Boston, Mass. - July 1994.

  Keywords:Conferences and Workshops

  Remark:I am not aware of any electronic version of this proceedings, also some papers covered in this bibliography were presented here and the authors put the papers in the public domain thereafter:

  Content:

  • Plenary:
    • Keynote Speaker: Gene Spafford (Purdue Univ., US)
  • Incident Handling Teams Status and Update:
    • Presentations by AUSCERT, CERT, CIAC, and various other teams
    • [Kossakowski 1994a] Klaus-Peter Kossakowski (DFN-CERT, DE) / The DFN-CERT Project: The first 18 months
  • Non-Traditional and Public Domain Network Servers:
    • Presentations by Edward DeHart (CERT, US), Kathy Fithen (CERT, US) and other speakers
  • Vendor Panel on Incident Response Teams:
    • Presentations by DEC, Hewlett-Packard, SUN and other vendors
  • Incident Handling Trends:
    • Presentations by Ken van Wyk (ASSIST, US), Steve Weeber (CIAC, US), Christoph Fischer (Univ. of Karlsruhe, DE) and Kathy Fithen (CERT, US)
  • Interoperability in the FIRST Community:
    • Panel discussion: Howard Lipson - Moderator (CERT, US), John Kinyon (Motorola, US), Klaus-Peter Kossakowski (DFN-CERT, DE), Danny Smith (AUSCERT, AU), Sandy Sparks (CIAC, US), Ron Tencati (NASIRC, US), Ken van Wyk (ASSIST, US) and Moira West (CERT, US)
  • Security Tools:
    • Presentations by Todd Shell (USAF, US), Scott Weddell (USAF, US), Paul Proctor (SAIC, US) and David Curry (Purdue Univ., US)
  • Tools to Kill Systems:
    • Presentations by Karyn Pichnarczyk (CIAC, US), Wietse Venema (TU Eindhoven, NL) and Sandy Shaw (CIAC, US)
  • Forming an Incident Response Team:
    • Presentations by Georgia Killcrece (CERT, US) and Sandy Shaw (CIAC, US)
    • [Smith 1994] Danny Smith (AUSCERT, AU) / Forming an Incident Response Team
    • [Kossakowski 1994c] Klaus-Peter Kossakowski (DFN-CERT, DE) / The Funding Process: A challenging task
  • International Issues:
    • Presentations by Dain Gary (CERT, US), Danny Smith (AUSCERT, US) and David Vincenzetti (CERT-IT, IT)
    • [Kossakowski 1994b] Klaus-Peter Kossakowski (DFN-CERT, DE) / The European Situation: The future of CSIH in Europe

• [ DARPA 1988]

  DARPA establishes Computer Emergency Response Team

  Defense Advanced Research Projects Agency (DARPA). - December 6, 1988. - [Press announcement of first Computer Emergency Response Team]

  Abstract:After the Internet worm incident in November 1988 DARPA announced the creation of a so called Computer Emergency Response Team (CERT) in December 1988.

  Keywords:Team Description, Team Establishment

• [ FIRST 1992]

  Forum of Incident Response and Security Teams (FIRST) Operational Framework

  Forum of Incident Response and Security Teams. - September 11, 1992.

  Abstract:This framework explains the constitution of FIRST. Organization, meetings, membership, and policies are addressed.

  Keywords:International Aspects, Management

  Remarks:Since last year there is a notable amount of work to create a new framework to address the changed environment, the international growth of FIRST, and new tasks.

• [ FIRST contacts]

  FIRST contacts

  Forum of Incident Response and Security Teams. - no ref. - [frequently updated]

  Abstract:This is a list of contact information for the various incident response teams which are members of FIRST. The constituency, names, and addresses for email, fax, and telephone are given to allow users to contact the suitable team directly.

  Keywords:Information

• [ FIRST potential members]

  Information for potential members

  Forum of Incident Response and Security Teams. - no ref. - 1 p. - [frequently updated]

  Abstract:The details of the formal process to become a new member of FIRST are outline in this information.

  Keywords:Guidelines, Information, Team Establishment

• [ Fithen, Fraser 1993]

  CERT Incident Response and the Internet

  K. T. Fithen and B. Y. Fraser (CERT/CC, US). - Presented on INET'93. - 1993. - p. EEC:1-7. - 14 ref. - 7 p.

  Abstract:The activities of the CERT Coordination Center utilizes the Internet in many ways. They involve both individual Internet sites and the global Internet as a whole. Additionally to the use of resources new services are provided to the Internet. The paper discusses these resources and gives information on how CERT products and services can be used.

  Keywords:Team Description

  Remarks:This paper is electronically available as part of the INET'93 archive. on ftp://ftp.isoc.org/isoc/inet/inet93 as file EEC.Fithen.

• [Fraser, Pethia 1992]

  The CERT/CC Experience: Past, Present, and Future

  B. Y. Fraser and R. D. Pethia (CERT/CC, US). - Presented on INET'92. - Kobe, Japan. - June 15-18, 1992. - p. 203-208. - 12 ref. - 6 p.

  Abstract:This paper discusses some security-related activities of the CERT Coordination Center during the first three years of operation and comments on the impacts these activities have had on the Internet community. Future needs are outlined along with suggestions for addressing those needs.

  Keywords:Team Description

• [ Holbrook, Reynolds 1991]

  Site Security Handbook

  P. Holbrook (CICNet, US) and J. Reynolds (ISI, US) (Eds.). - Request For Comments 1244 / For Your Information 8. - July 1991. - 27 ref. - 101 p. [an annotated bibliography with over 60 references is included, the RFC is available as HTML and Ascii]

  Abstract:This handbook was meant to be a first attempt at providing Internet users guidance on how to deal with security issues. Especially interesting for this bibliography are section 5 (Incident Handling) and section 6 (Establishing Post-Incident Procedures).

  Keywords:Guidelines, Incident Response

  Remark:In 1994 a new IETF working group was established to write a new edition. The proposed workplan is two finish two RFCs for site administrators and end users until the end of 1995.

• [ISO/IEC JTC1/WG27/WG1/N457Rev 1994]

  IT Security Incident Analysis Services (IAS)

  International Organization for Standardization ISO/IEC JTC1/SC27/WG1. - SC27/N882, SC27/WG1/N457Rev. - May 1994. - 2 ref. - 2 p.

  Abstract:In this new work item proposal a common framework and guidance for setting up and running Incident Analysis Services (IAS) within organizations are proposed for further work. Based on the background of a European project the proposal was sent for a ballot. According to my information it was not accepted as new work item.

  Keywords:Research

• [ Kossakowski 1994]

  The DFN-CERT Experience: Building up a new CERT within Europe

  Klaus-Peter Kossakowski (DFN-CERT, DE). - University of Hamburg. - Presented on the JENC5/INET'94 in Prague, June 1994. - 10 ref. - 6 p. - [available as HTML and PostScript].

  Abstract:The goal of this paper is to concentrate on the practical implications of the DFN-CERT - the Computer Emergency Response Team (CERT) for the German Research Network. their experiences, their problems, and the lessons learned are presented. In addition, some recommendations concerning the future development of incident response teams within Europe are described, emphasizing the importance of a cooperative approach.

  Keywords:International Aspects, Team Description

• [ Kossakowski 1994a]

  The DFN-CERT Project: The first 18 months

  Klaus-Peter Kossakowski (DFN-CERT, DE). - University of Hamburg. - Presented on the 6th Computer Security Incident Handling Workshop in Boston, July 1994. - 10 ref. - 5 p. - [available as HTML and PostScript].

  Abstract:This document was derived from: The DFN-CERT Experience: Building up a new CERT within Europe, but the focus is on the DFN-CERT itself and the lessons learned only.

  Keywords:Team Description

• [ Kossakowski 1994b]

  The European Situation: The future of CSIH in Europe

  Klaus-Peter Kossakowski (DFN-CERT, DE). - University of Hamburg. - Presented on the 6th Computer Security Incident Handling Workshop in Boston, July 1994. - 19 ref. - 6 p. - [available as HTML and PostScript].

  Abstract:Only very few papers address the need for more cooperation and support of new teams within Europe. Therefore some of the practical problems, and some possible approaches are described here. To support a more deeper understanding of the actual situation in Europe, a summary of the past development of CERTs until today is given. Additionally the results of a survey of European network providers are presented to provide insights into future plans to establish more CERTs in Europe.

  Keywords:International Aspects

  Remarks:The paper suggest the creation of a Special Interest Group Europe within FIRST to organize the cooperation of European teams and to allow a special focus on European problems and needs. More information about the European situation and this group can be found in the WWW.

• [ Kossakowski 1994c]

  The Funding Process: A challenging task

  Klaus-Peter Kossakowski (DFN-CERT, DE). - University of Hamburg. - Presented on the 6th Computer Security Incident Handling Workshop in Boston, July 1994. - 2 ref. - 4 p. - [available as HTML and PostScript].

  Abstract:One of the most difficult - and challenging - tasks related to build up a new team is the funding process. Therefore the paper try to collect some thoughts and experiences to provide support to other (especially new) teams. From a practical point of view some of the problems are described, together with some approaches, and some lessons learned. By no means does this paper imply that all of the possible solutions are covered. This paper should be a beginning to collect this kind of information and present it to interested parties.

  Keywords:Management

• [Longstaff 1993]

  Results of a Workshop on Research in Incident Handling

  Thomas A. Longstaff (CERT/CC, US). - Carnegie Mellon University. - Pittsburgh, PA. - Special Report CMU/SEI-93-SR-20. - September 1993. - no ref. - 58 p.

  Abstract:The report contains the results of an invitational workshop on research in incident handling, held at the Software Engineering Institute in November 1992. The workshop was convened to address a wide range of topics of computer, network, and information security, both in the present and in the future. It was intended to identify areas for research and development in improving the practice of incident handling.

  Keywords:Conferences and Workshops, Incident Response, Research

  Availability:The document is available through the US Defense Technical Information Center (DTIC) and through the National Technical Informaton Service (NTIS).

• [ Pethia, van Wyk]

  Computer Emergency Response : An International Problem

  Richard D. Pethia and K. R. van Wyk (CERT/CC, US). - Carnegie Mellon University. - Pittsburgh, PA. - 13 ref. - 8 p.

  Abstract:The paper rise the importance of international cooperation among computer security response groups. Methods for better cooperation are also addressed.

  Keywords:International Aspects

  Remarks:Also no date is given for the paper it was obvious released after June 1990 because of some specific references within the paper.

• [Scherlis et al. 1990]

  Computer Emergency Response

  W. L. Scherlis and S. L. Squires (DARPA, US); Richard D. Pethia (CERT/CC, US). - In: Computers Under Attack/ Peter J. Denning (Ed.). - Reading, Mass.: Addison-Wesley, 1990. - p. 495-504. - no ref. - 10 p.

  Abstract:Beginning with the lessons learned from the Internet worm of November 1988 the need for computer emergency response is explained. Relevant topics, such as circumstances affecting prevention and recovery in case of an incident and operating principles are discussed. The concepts of CERT and FIRST (to that time known as CERT-System) are explained also.

  Keywords:International Aspects, Management, Team Description

• [ Schultz Jr. et al. 1990]

  Responding to Computer Security Incidents

  E. Eugene Schultz Jr., David S. Brown and Thomas A. Longstaff (CIAC, US). - Lawrence Livermore National Laboratory. - Livermore, CA. - July 23, 1990. - 2 ref. - 67 p. - [available as PostScript and Text].

  Abstract:The guidelines do not comprise an exhaustive set of incident handling procedures for various reasons. It contains basic information about responding to incidents which can be used to incorporate these knowledge into site contingency response plans. These guidelines reflect the experience of the CIAC (Computer Incident Advisory Capability) team and parallels the content of their workshop. Because of that the workshop exercises are also included.

  Keywords:Guidelines, Incident Response

• [Schultz Jr. et al. 1990a]

  Computer Emergency Response Teams : Lessons Learned

  E. Eugene Schultz Jr. (CIAC, US); Richard D. Pethia (CERT/CC, US); J. R. Dalton (AT&T, US). - Presented on the 13th National Computer Security Conference (NCSC). - Gaithersburg, Md.: US National Institute of Standards and Technology, 1990. - p. 634-640. - no ref. - 7 p.

  Abstract:Starting with a description of three teams (CIAC, CERT/CC and AT&T Corporate Security) focusing on each team's structure, activities, and procedures the paper ends with a high-level analysis of incidents and trends.

  Keywords:Team Description

• [Schultz Jr. 1990]

  The Computer Incident Advisory Capability

  E. Eugene Schultz Jr. (CIAC, US). - Lawrence Livermore National Laboratory. - Livermore, CA. - September 1990. - 4 ref. - 5 p. - [Submitted to the Office Information Management Conference (OIM), New Orleans, LA, October 24-26, 1990]

  Abstract:The DOE Computer Incident Advisory Capability (CIAC) team was formed primarily to assist DOE sites in responding to computer security incidents. CIAC's experience, activity and scope in the future are addressed in this paper.

  Keywords:Team Description

  Availability:This paper is available as University of California Technical Report UCRL-JC--105099, 1990]

• [Schultz Jr. 1991]

  The Computer Emergency Response Team System (CERT-SYSTEM)

  E. Eugene Schultz Jr. (CIAC, US) - Lawrence Livermore National Laboratory. - Livermore, CA. - October 11, 1991. - 1 ref. - 4 p. - [Submitted to the 14th National Computer Security Conference (NCSC), Washington, DC, October 1-4, 1991]

  Abstract:This paper describes an international affiliation of computer security response teams. The purpose is to provide a forum for ideas about incident response and computer security. The views presented are the views of one member (CIAC).

  Keywords:International Aspects

  Remarks:FIRST was initially called CERT-System. For various reasons this was later changed.

  Availability:This paper is available as University of California Technical Report UCRL-JC--108517, 1991]

• [Schultz Jr. 1991a]

  Computer Security Incident Response Teams

  E. Eugene Schultz Jr. (CIAC, US) - Lawrence Livermore National Laboratory. - Livermore, CA. - November 1991. - 5 ref. - 7 p. - [Submitted to the NASA 1st AIS Security Technology for Space Operations Conference, Houston, TX, November 6-8, 1991]

  Abstract:This paper discusses computer security incident response teams. Beginning with the development of single teams and FIRST the services and lessons learned are explained, taking CIAC as an example for successful operating for the DOE constituency.

  Keywords:Team Description

  Availability:This paper is available as University of California Technical Report UCRL-JC--108961, 1991]

• [ Smith 1994]

  Forming an Incident Response Team

  Danny Smith (AUSCERT, AU). - University of Queensland. - Brisbane, Qld. - July 1994. - 85 ref. - 36 p.

  Abstract:On March 1993 AUSCERT (formerly SERT) commenced incident response operations in Australia. Since that time the team has undergone many changes as usual for a new incident response team. Steadily collected from a number of sources over time the paper examines what issues need to be addressed and resolved prior to, and after, forming an incident response team.

  Keywords:Guidelines, Team Establishment

  Remark:I have found this paper particular useful, because it is the only one which address this - especially for new teams - important topics. But I am sorry that this paper was not available as our team starts ;-)

  The AUSCERT was formerly called SERT (Security Emergency Response Team).

• [ Stewart, Sylvester 1989]

  Potential Liabilities Of Computer Security Response Centers Arising From Notification To Publishers And Users Of Security Deficiencies In Software

  G. S. Stewart and D. Sylvester. - December 1989. - no ref. - 27 p. - [Memorandum to Computer Security Response Centers]

  Abstract:Software publishers and Computer Security Response Centers have a duty of care to those who use their products or rely on their services. This duty requires to take reasonable actions to prevent conditions that can lead to harm and to correct those conditions where possible. During the paper the legal issues are discussed, mainly for US located publishers and teams.

  Keywords:Legal Issues

• [ Wack 1991]

  Establishing a Computer Security Incident Response Capability (CSIRC)

  John P. Wack (NIST, US). - US National Institute of Standards and Technology. - Gaithersburg, Md. - NIST Special Publication 800-3. - November 1991. - 17 ref. - 39 p. - [an annotated bibliography with 25 references is included as appendix].

  Abstract:A comprehensive guide which covers most of the operational and organisational aspects of forming a Incident Response Team. Together with [Smith 1994] it can serve as a leading document to determine the task and scope of a new team.

  Keywords:Guidelines, Team Establishment