During the past years I tried to find as many documents about Computer Security Incident Handling as possible. By no means does this bibliography imply that all published papers about this important topic are covered here. I appreciate every help in identifying new references. Please send me new information by electronic mail to kpk@cert.dfn.de
Coping with the Threat of Computer Security Incidents : A Primer from Prevention through Recovery
Russell L. Brand (CERT/CC, US). - Carnegie Mellon University. - Pittsburgh, PA. - Version CERT 0.6. - June 8, 1990. - no ref. - 44 p.
Abstract:Based on a basic text for one day intensive seminars on the practical aspects of computer security in unclassified networked environments. The text is divided into four sections with a number of appendices. Incident avoidance, pre-planning, and handling are covered in the main part of the paper. The main purpose is to serve as a simplified - but effective - primer and guide.
Keywords: Guidelines, Incident Response
Incident Reporting - A European Structure: Database Structures
Commission of the European Communities (CEC/DGXIII-B). -
Report No. 19733 (S2003/WP08). - October 1992.
Keywords: Research
Remark:Due to the fact that I was unable to obtain even a copy of
this document yet, I am unable to give any other information. I found the
reference within a New Work Item Proposal for "IT Security Incident
Analysis Services".
Incident Reporting - A European Structure: Final Feasibility and Strategy Report
Commission of the European Communities (CEC/DGXIII-B). -
Report No. 19733 (S2003/WP09-10). - December 1992.
Keywords:Research
Remark:Due to the fact that I was unable to obtain even a copy of
this document yet, I am unable to give any other information. I found the
reference within a New Work Item Proposal for "IT Security Incident
Analysis Services" [ISO/IEC JTC1/SC27/WG1/N457Rev 1994].
Computer Emergency Response Team System (CERT System): Operational Framework
Members of the CERT System. - November 16, 1990.
Abstract:This framework explains the constitution of the CERT System,
which is today called FIRST. Organization, meetings, membership, and policies
are addressed. Because FIRST has released a new framework
[FIRST 1992], this document is obsolete and only
of historical interest.
Keywords:International Aspects,
Management
Internet Security for Managers
Computer Emergency Response Team / Coordination Center. - Carnegie Mellon
University. - Pittsburgh, PA. - 1993.
Abstract:In this tutorial about Internet security there is a short
chapter about the CERT Coordination Center itself and the process of
establishing one's own incident response team.
Remarks:No electronic version of this document is available. The
material is used as training material for tutorials only, which are held
several times a year. If you are interested in these tutorials, please
contact the CERT Coordination Center directly.
Keywords:Incident Response,
Team Establishment
The CERT Coordination Center FAQ
Computer Emergency Response Team / Coordination Center. - Carnegie Mellon
University. - Pittsburgh, PA. - Revision 7. - January 1993.
Abstract:Based on the experience of this team, frequently asked questions
are answered. As these answers also cover topics such as the task and definition of
a Computer Emergency Response Team, the FAQ is worthwhile as a reference for specific
terms. Other aspects (information resources, incident response)
are addressed as well.
Keywords:Team Description
CERT-NL Operational Framework
CERT-NL. - SURFnet. - Utrecht, NL. - Version 2.1. - June 23, 1992. - 1 ref. -
22 p. -[available as PostScript and
Text].
Abstract:This framework describes CERT-NL, its organization, and the
basic operational policies. In addition to the FIRST
Operational Framework, this document can serve as one of the leading
documents for specifying a framework for a new team.
Keywords:Management
Frequently Asked Questions about CERT-NL
CERT-NL. - SURFnet. - Utrecht, NL. - February 16, 1993. - no ref. - 3 p.
Abstract:Similar to other FAQs, specific topics concerning CERT-NL and its task
are addressed here.
Keywords:Team Description
Invitational Workshop on Computer Security Incident Response
Carnegie Mellon University; Software Engineering Institute. - Pittsburgh, PA. -
August 1991.
Abstract:This workshop was the beginning of the Computer Security
Incident Handling Workshop - nowadays organized by FIRST. During the workshop
five working groups prepared a position paper on specific topics:
Keywords:Conferences and Workshops
Remark:I am not aware of any electronic version of these proceedings.
Most of the pages are presentation slides.
Workshop on Computer Security Incident Handling
Carnegie Mellon University; Software Engineering Institute. - Pittsburgh, PA. -
June 1990.
Content:
Keywords:Conferences and Workshops
Remark:I am not aware of any electronic version of these proceedings.
Most of the pages are presentation slides.
3rd Workshop on Computer Security Incident Handling
Carnegie Mellon University; Software Engineering Institute. - Herndon, VA. -
August 1991.
Content:
Keywords:Conferences and Workshops
Remark:I am not aware of any electronic version of these proceedings.
Most of the pages are presentation slides.
4th Workshop on Computer Security Incident Handling
Forum of Incident Response and Security Teams. - Denver, CO. -
August 1992.
Content:
Keywords:Conferences and Workshops
Remark:I am not aware of any electronic version of these proceedings.
Although many slides are included in these proceedings, they were handed out as a
report.
5th Workshop on Computer Security Incident Handling
Forum of Incident Response and Security Teams. - St. Louis, Miss. -
August 1993.
Content:
Keywords:Conferences and Workshops
Remark:I am not aware of any electronic version of these proceedings.
6th Workshop on Computer Security Incident Handling
Forum of Incident Response and Security Teams. - Boston, Mass. -
July 1994.
Keywords:Conferences and Workshops
Remark:I am not aware of any electronic version of these proceedings,
although some papers covered in this bibliography were presented here and the
authors put the papers in the public domain thereafter:
Content:
DARPA establishes Computer Emergency Response Team
Defense Advanced Research Projects Agency (DARPA). - December 6, 1988. -
[Press announcement of first Computer Emergency Response Team]
Abstract:After the Internet worm incident in November 1988, DARPA
announced the creation of a so-called Computer Emergency Response Team (CERT)
in December 1988.
Keywords:Team Description,
Team Establishment
Forum of Incident Response and Security Teams (FIRST) Operational Framework
Forum of Incident Response and Security Teams. - September 11, 1992.
Abstract:This framework explains the constitution of FIRST. Organization,
meetings, membership, and policies are addressed.
Keywords:International Aspects,
Management
Remarks:Since last year there has been a notable amount of work on creating a
new framework to address the changed environment, the international growth of
FIRST, and new tasks.
FIRST contacts
Forum of Incident Response and Security Teams. - no ref. -
[frequently updated]
Abstract:This is a list of contact information for the various incident
response teams which are members of FIRST. The constituency, names, and addresses
for email, fax, and telephone are given to allow users to contact the appropriate
team directly.
Keywords:Information
Information for potential members
Forum of Incident Response and Security Teams. - no ref. - 1 p. -
[frequently updated]
Abstract:The details of the formal process to become a new member of
FIRST are outlined in this document.
Keywords:Guidelines,
Information,
Team Establishment
CERT Incident Response and the Internet
K. T. Fithen and B. Y. Fraser (CERT/CC, US). - Presented at INET'93. -
1993. - p. EEC:1-7. - 14 ref. - 7 p.
Abstract:The activities of the CERT Coordination Center utilize the
Internet in many ways. They involve both individual Internet sites and the
global Internet as a whole. In addition to using these resources, new services
are provided to the Internet. The paper discusses these resources and gives
information on how CERT products and services can be used.
Keywords:Team Description
Remarks:This paper is electronically available as part of the INET'93
archive at ftp://ftp.isoc.org/isoc/inet/inet93 as file EEC.Fithen.
The CERT/CC Experience: Past, Present, and Future
B. Y. Fraser and R. D. Pethia (CERT/CC, US). - Presented at INET'92. -
Kobe, Japan. - June 15-18, 1992. - p. 203-208. - 12 ref. - 6 p.
Abstract:This paper discusses some security-related activities of the
CERT Coordination Center during the first three years of operation and comments
on the impacts these activities have had on the Internet community. Future
needs are outlined along with suggestions for addressing those needs.
Keywords:Team Description
Site Security Handbook
P. Holbrook (CICNet, US) and J. Reynolds (ISI, US) (Eds.). - Request For
Comments 1244 / For Your Information 8. - July 1991. - 27 ref. - 101 p.
[an annotated bibliography with over 60 references is included, the RFC is
available as HTML and
Ascii]
Abstract:This handbook was meant to be a first attempt at providing
Internet users guidance on how to deal with security issues. Especially
interesting for this bibliography are section 5 (Incident Handling) and
section 6 (Establishing Post-Incident Procedures).
Keywords:Guidelines,
Incident Response
Remark:In 1994 a new IETF
working group was established to write a new edition. The
proposed workplan
is to finish two RFCs, one for site administrators and one for end users, by the end
of 1995.
IT Security Incident Analysis Services (IAS)
International Organization for Standardization ISO/IEC JTC1/SC27/WG1. -
SC27/N882, SC27/WG1/N457Rev. - May 1994. - 2 ref. - 2 p.
Abstract:In this new work item proposal, a common framework and
guidance for setting up and running Incident Analysis Services (IAS) within
organizations are proposed for further work. Based on the background of a
European project, the proposal was sent for a ballot. According to my
information it was not accepted as a new work item.
Keywords:Research
The DFN-CERT Experience: Building up a new CERT within Europe
Klaus-Peter Kossakowski (DFN-CERT, DE). - University of Hamburg. -
Presented at JENC5/INET'94 in Prague, June 1994. - 10 ref. - 6 p. -
[available as HTML and
PostScript].
Abstract:The goal of this paper is to concentrate on the practical
implications of the DFN-CERT, the Computer Emergency Response Team (CERT)
for the German Research Network. Its experiences, its problems, and the
lessons learned are presented. In addition, some recommendations concerning
the future development of incident response teams within Europe are described,
emphasizing the importance of a cooperative approach.
Keywords:International Aspects,
Team Description
The DFN-CERT Project: The first 18 months
Klaus-Peter Kossakowski (DFN-CERT, DE). - University of Hamburg. -
Presented at the 6th Computer Security Incident Handling Workshop in
Boston, July 1994. - 10 ref. - 5 p. - [available as HTML and
PostScript].
Abstract:This document was derived from
The DFN-CERT Experience: Building up a new CERT
within Europe, but it focuses only on the DFN-CERT itself and the lessons
learned.
Keywords:Team Description
The European Situation: The future of CSIH in Europe
Klaus-Peter Kossakowski (DFN-CERT, DE). - University of Hamburg. -
Presented at the 6th Computer Security Incident Handling Workshop in
Boston, July 1994. - 19 ref. - 6 p. - [available as HTML and
PostScript].
Abstract:Only very few papers address the need for more cooperation
and support of new teams within Europe. Therefore some of the practical
problems and some possible approaches are described here. To support a
deeper understanding of the current situation in Europe, a summary of the past
development of CERTs until today is given. Additionally, the results of a survey
of European network providers are presented to provide insights into future
plans to establish more CERTs in Europe.
Keywords:International Aspects
Remarks:The paper suggests the creation of a Special Interest Group
Europe within FIRST to organize the cooperation of European teams and to
allow a special focus on European problems and needs. More information about
the European situation and this group can be found on the
WWW.
The Funding Process: A challenging task
Klaus-Peter Kossakowski (DFN-CERT, DE). - University of Hamburg. -
Presented at the 6th Computer Security Incident Handling Workshop in
Boston, July 1994. - 2 ref. - 4 p. - [available as HTML and
PostScript].
Abstract:One of the most difficult and challenging tasks related to
building up a new team is the funding process. Therefore the paper tries to collect
some thoughts and experiences to provide support to other (especially new)
teams. From a practical point of view some of the problems are described,
together with some approaches and some lessons learned. By no means does this
paper imply that all of the possible solutions are covered. This paper is intended
as a first step in collecting this kind of information and presenting it to
interested parties.
Keywords:Management
Results of a Workshop on Research in Incident Handling
Thomas A. Longstaff (CERT/CC, US). - Carnegie Mellon University. -
Pittsburgh, PA. - Special Report CMU/SEI-93-SR-20. - September 1993. -
no ref. - 58 p.
Abstract:The report contains the results of an invitational workshop
on research in incident handling, held at the Software Engineering Institute
in November 1992. The workshop was convened to address a wide range of topics
of computer, network, and information security, both in the present and in the
future. It was intended to identify areas for research and development in
improving the practice of incident handling.
Keywords:Conferences and Workshops,
Incident Response,
Research
Availability:The document is available through the US Defense Technical
Information Center (DTIC) and through the National Technical Information Service
(NTIS).
Computer Emergency Response : An International Problem
Richard D. Pethia and K. R. van Wyk (CERT/CC, US). - Carnegie Mellon
University. - Pittsburgh, PA. - 13 ref. - 8 p.
Abstract:The paper raises the importance of international cooperation
among computer security response groups. Methods for better cooperation are
also addressed.
Keywords:International Aspects
Remarks:Although no date is given for the paper, it was obviously released
after June 1990, because of some specific references within the paper.
Computer Emergency Response
W. L. Scherlis and S. L. Squires (DARPA, US); Richard D. Pethia (CERT/CC, US). -
In: Computers Under Attack/ Peter J. Denning (Ed.). -
Reading, Mass.: Addison-Wesley, 1990. - p. 495-504. - no ref. - 10 p.
Abstract:Beginning with the lessons learned from the Internet worm
of November 1988, the need for computer emergency response is explained.
Relevant topics, such as circumstances affecting prevention and recovery
in case of an incident and operating principles, are discussed. The concepts
of CERT and FIRST (at that time known as CERT-System) are also explained.
Keywords:International Aspects,
Management,
Team Description
Responding to Computer Security Incidents
E. Eugene Schultz Jr., David S. Brown and Thomas A. Longstaff (CIAC, US). -
Lawrence Livermore National Laboratory. - Livermore, CA. - July 23, 1990. -
2 ref. - 67 p. - [available as PostScript and
Text].
Abstract:The guidelines do not comprise an exhaustive set of incident
handling procedures, for various reasons. They contain basic information about
responding to incidents, which can be used to incorporate this knowledge into
site contingency response plans. These guidelines reflect the experience of
the CIAC (Computer Incident Advisory Capability) team and parallel the content
of their workshop. For that reason the workshop exercises are also included.
Keywords:Guidelines,
Incident Response
Computer Emergency Response Teams : Lessons Learned
E. Eugene Schultz Jr. (CIAC, US); Richard D. Pethia (CERT/CC, US);
J. R. Dalton (AT&T, US). - Presented at the 13th National Computer Security
Conference (NCSC). - Gaithersburg, Md.: US National Institute of Standards
and Technology, 1990. - p. 634-640. - no ref. - 7 p.
Abstract:Starting with a description of three teams (CIAC, CERT/CC
and AT&T Corporate Security), focusing on each team's structure, activities,
and procedures, the paper ends with a high-level analysis of incidents and
trends.
Keywords:Team Description
The Computer Incident Advisory Capability
E. Eugene Schultz Jr. (CIAC, US). - Lawrence Livermore National Laboratory. -
Livermore, CA. - September 1990. - 4 ref. - 5 p. -
[Submitted to the Office Information Management Conference (OIM),
New Orleans, LA, October 24-26, 1990]
Abstract:The DOE Computer Incident Advisory Capability (CIAC) team
was formed primarily to assist DOE sites in responding to computer security
incidents. CIAC's experience, activity and scope in the future are addressed
in this paper.
Keywords:Team Description
Availability:This paper is available as University of California
Technical Report UCRL-JC--105099, 1990.
The Computer Emergency Response Team System (CERT-SYSTEM)
E. Eugene Schultz Jr. (CIAC, US). - Lawrence Livermore National Laboratory. -
Livermore, CA. - October 11, 1991. - 1 ref. - 4 p. -
[Submitted to the 14th National Computer Security Conference (NCSC),
Washington, DC, October 1-4, 1991]
Abstract:This paper describes an international affiliation of computer
security response teams. The purpose is to provide a forum for ideas about
incident response and computer security. The views presented are the views of
one member (CIAC).
Keywords:International Aspects
Remarks:FIRST was initially called CERT-System. For various reasons
this was later changed.
Availability:This paper is available as University of California
Technical Report UCRL-JC--108517, 1991.
Computer Security Incident Response Teams
E. Eugene Schultz Jr. (CIAC, US). - Lawrence Livermore National Laboratory. -
Livermore, CA. - November 1991. - 5 ref. - 7 p. -
[Submitted to the NASA 1st AIS Security Technology for Space Operations
Conference, Houston, TX, November 6-8, 1991]
Abstract:This paper discusses computer security incident response
teams. Beginning with the development of single teams and FIRST, the
services and lessons learned are explained, taking CIAC as an example
of successful operation for the DOE constituency.
Keywords:Team Description
Availability:This paper is available as University of California
Technical Report UCRL-JC--108961, 1991.
Forming an Incident Response Team
Danny Smith (AUSCERT, AU). - University of Queensland. - Brisbane, Qld. -
July 1994. - 85 ref. - 36 p.
Abstract:In March 1993 AUSCERT (formerly SERT) commenced incident
response operations in Australia. Since that time the team has undergone
many changes, as is usual for a new incident response team. Drawing on material
steadily collected from a number of sources over time, the paper examines what
issues need to be addressed and resolved prior to, and after, forming an incident
response team.
Keywords:Guidelines,
Team Establishment
Remark:I have found this paper particularly useful, because it is the
only one which addresses these topics, which are especially important for new teams. But
I am sorry that this paper was not available when our team started ;-)
AUSCERT was formerly called SERT (Security Emergency Response
Team).
Potential Liabilities Of Computer Security Response Centers Arising
From Notification To Publishers And Users Of Security Deficiencies In
Software
G. S. Stewart and D. Sylvester. - December 1989. - no ref. - 27 p. -
[Memorandum to Computer Security Response Centers]
Abstract:Software publishers and Computer Security Response Centers
have a duty of care to those who use their products or rely on their services.
This duty requires them to take reasonable actions to prevent conditions that can
lead to harm and to correct those conditions where possible. The paper discusses
the legal issues, mainly for US-based publishers and teams.
Keywords:Legal Issues
Establishing a Computer Security Incident Response Capability (CSIRC)
John P. Wack (NIST, US). - US National Institute of Standards and Technology. -
Gaithersburg, Md. - NIST Special Publication 800-3. - November 1991. - 17 ref. -
39 p. - [an annotated bibliography with 25 references is included as appendix].
Abstract:A comprehensive guide which covers most of the operational
and organisational aspects of forming an Incident Response Team. Together with
[Smith 1994] it can serve as a leading document to
determine the task and scope of a new team.
Keywords:Guidelines,
Team Establishment
If the paper concentrates on a particular subtopic this is stated in brackets behind the reference.
Last modified: Tue Mar 7 10:01:00 MET 1995
Klaus-Peter Kossakowski / DFN-CERT / kpk@cert.dfn.de