Papers & Presentations

17th Annual FIRST Conference on Computer Security Incident Handling

June 26–July 01, 2005 — Singapore, Singapore


  • A Common Vulnerability Scoring System

    Art Manion (CERT Coordination Center), National Infrastructure Advisory Council (U.S.)


    The Common Vulnerability Scoring System (CVSS) is designed to provide open and universally standard severity ratings for vulnerabilities. CVSS seeks to help organizations reduce effort and confusion in prioritizing responses to vulnerabilities. The FIRST CVSS Special Interest Group hosts CVSS, and interested members are invited to participate, provide feedback and contribute to further development.

    http://www.first.org/conference/2005/papers/art-manion-paper-1.pdf

    Format: application/pdf

    Size: 201 Kb


    http://www.first.org/conference/2005/papers/art-manion-slides-1.pdf

    Format: application/pdf


  • A Distributed Intrusion Alert System

    Chih-Yao Lin


    In this paper, a distributed intrusion alert system based on honeypot technology is proposed. It is used to monitor unexpected actions appearing in different organizations. The motivation of this project comes from the difficulty of detecting malicious activities without further assistance. The main advantage of this system is that it can monitor many IP addresses in different organizations at the same time to find unexpected actions. This system is named DIAS and has two parts. One of them consists of a number of Intrusion Alert Systems (IASs). Each Intrusion Alert System (IAS) is connected to the intranet of an organization to detect unexpected actions. The other part is the Alerts Analyzing System (AAS), which is used for data collection and analysis. In this paper we discuss not only the system model but also the implementation of this system. A practical experiment shows the benefit of this system. Future work to improve this system is also discussed in this paper.

    http://www.first.org/conference/2005/papers/speaker21-paper-1.pdf

    Format: application/pdf

    Size: 168 Kb


  • A National Early Warning Capability Based on a Network of Distributed Honeypots

    Cristine Hoepers (CERT.br - formerly NBSO/Brazilian CERT)


    We present here the work developed by NBSO/Brazilian CERT, in the "Brazilian Honeypots Alliance - Distributed Honeypots Project", to centralize the data gathered in several honeypots and to process this data to be used for early warning and incident response. We shortly describe how the honeypots are deployed and how the data is centralized, then focus on how the data is being used by NBSO to generate statistics and to notify networks potentially compromised or infected.

    http://www.first.org/conference/2005/papers/cristine-hoepers-paper-1.pdf

    Format: application/pdf

    Size: 525 Kb


  • Artifact Analysis

    Kevin Houle (CERT Coordination Center)


    In order to understand the nature of the evolving threats in Internet security, it is important to understand the tools used to execute attacks. Malicious code developed and deployed on the Internet continues to evolve to enable more organized and sophisticated attacks. Defending systems and networks today now extends beyond just leveraging technology into a need to understand attacker capability. Artifact analysis is the study of Internet attack tools and malicious code. This tutorial will examine:

    - the role artifact analysis plays in Internet security
    - the goals of artifact analysis
    - common components of an artifact analysis capability
    - the relationship between artifact analysis and forensics
    - an overview of artifact analysis methodologies and tools

    This tutorial is at an introductory technical level aimed at an audience who is recently engaged in artifact analysis, is considering an artifact analysis capability, or wants to gain insight into artifact analysis as a capability.

    http://www.first.org/conference/2005/papers/kevin-houle-slides-1.ppt

    Format: application/vnd.ms-powerpoint


  • Bridging the Gap Between Software Development and Incident Handling

    Gary McGraw, Ph.D., Kenneth R. van Wyk (KRvW Associates, LLC)


    In this paper and accompanying presentation, the authors draw on their collective experiences in the fields of secure software development and incident handling. In the course of delivering Software Security consulting and training services to their clients, including having trained several hundred software developers at one of the world's largest mobile phone technology developers in the past year, the authors have observed significant barriers to success. Many of the barriers exist due to the inexperience of today's software developers in the area of information security. The authors believe that information security staff, and incident handlers in particular, can play a key role in removing these barriers, thereby enabling the developers to design and implement software that can better withstand the security risks faced in today's data processing environments.


  • Building a Logging Infrastructure

    Abe Singer (San Diego Supercomputer Center)


    This tutorial will describe how to build an infrastructure to collect, preserve, and extract useful information from computer operating system and application logs -- ultimately to help the system and security administrator get more useful information out of logs. The focus will be primarily on UNIX syslog, with some discussion of Windows logging and other sources of log data. Logfiles hold a wealth of information, from resource utilization diagnostics to problems with hardware and software, security problems, and forensic traces of intrusions. Examples are heavily weighted toward security issues, but provide some examples of resource and diagnostic monitoring. Many real-world examples from logs are included throughout the presentation. The presentation includes:

    - Configuring basic logging
    - Configuring services to improve the quality of information logged
    - Tools to generate useful log information
    - Centralized logging architectures
    - Building a central loghost
    - Archiving and preserving log data
    - The syslog protocol and syslogd configuration
    - Log parsing and analysis
    - Attack examples
    - The Windows Event log, and forwarding the event log to syslog

    http://www.first.org/conference/2005/papers/abe-singer-slides-1.pdf

    Format: application/pdf

    Size: 351 Kb


  • Computer Forensics as Part of a Security Incident Response Plan

    Raemarie J. Schmidt (Digital Intelligence, Inc.)


    Corporations have response plans that identify steps to be taken when a security incident is suspected or identified. Historically these incident response plans have included methods to identify the cause of the security breach, perform remedial activities to eliminate the vulnerability and return the affected systems to normal service as soon as possible. Computer forensics, traditionally a tool used by law enforcement to investigate crimes, is frequently being included as part of a security incident response plan. This presentation will discuss the types of information that can be recovered when a duplicate image (forensic copy) of the affected systems is created and subjected to forensic examination, potential uses of computer forensics in a corporation, hardware and software designed to assist the examiner, and considerations for determining whether to perform the examination in-house or outsource it to a third party.

    http://www.first.org/conference/2005/papers/raemarie-j.-schmidt-slides-1.pdf

    Format: application/pdf

    Size: 4.53 Mb


  • Creating and Managing CSIRTs

    Audrey Dorofee, David Mundie, Robin Ruefle (CERT Coordination Center)


    This tutorial is designed to provide an overview of the issues involved in creating and operating an effective computer security incident response team (CSIRT). It will also provide an introductory view of CSIRTs to anyone new to the field who is interested in what a CSIRT is and what type of activities a CSIRT performs. Basic topics covered will include: the purpose and structure of CSIRTs, key steps in designing and implementing a CSIRT, an overview of CSIRT services, and a discussion of best practice incident handling processes.

    http://www.first.org/conference/2005/papers/robin-ruefle-slides-1.pdf

    Format: application/pdf

    Size: 2.57 Mb


  • Crisis Communication and Media Management in Security Incident Response

    Marie-Dominique Bonardi


    Part one: understand the press: tricks and techniques, principles and fundamentals of media work, interview techniques. Part two: develop efficient responses to the media in a crisis situation, develop the right message according to the press you address, win the press over to your point of view. Case study: security incident response communications.

    http://www.first.org/conference/2005/papers/marie-dominique-bonardi-slides-1.pdf

    Format: application/pdf

    Size: 541 Kb


  • CVE, CME, ... CMSI? Standardizing System Information

    Dr. Bernd Grobauer (Siemens CERT)


    During the last few years, a clear trend towards standardized names and exchange formats could be observed in the world of IT security. For example: (1) Vulnerability Information: CVE allows easy cross-referencing of vulnerabilities, while the EISPP/DAF format allows exchange of security-advisory information; (2) Incident Information: The IODEF format is used for exchanging incident information between CERTs; (3) Vulnerability Checks and Remediation: OVAL is a standardization effort regarding executable descriptions of vulnerability checks; (4) Malware Information: Recently, the US-CERT announced an initiative to introduce CME, a Common Malware Enumeration. A problem that has not been tackled so far is the standardization of system information. Similarly to CVE, system information is orthogonal to other information exchange formats: Which systems are affected by the vulnerability described in an advisory? What kind of system was involved in a security incident? For which kind of system is a vulnerability check? As CVE did, a common naming scheme for (machine-readable) system information would increase the potential of standards for information exchange: automated handling based on system information, e.g., for statistical purposes, correlation and filtering, becomes possible. Can a common naming scheme for system information be established? This article describes the approach taken by a group of German CERTs towards a common model of system informa

    http://www.first.org/conference/2005/papers/dr.-bernd-grobauer-paper-1.pdf

    Format: application/pdf

    Size: 172 Kb


    http://www.first.org/conference/2005/papers/dr.-bernd-grobauer-slides-1.pdf

    Format: application/pdf

    Size: 648 Kb


  • Defining the Rules of Trusted Computing: A Global Agenda

    Jeffrey B. Ritter (Kirkpatrick & Lockhart Nicholson Graham LLP)


    The ultimate functionality of the infrastructure of a digital global society requires very human decisions regarding whether or not our network, our machines and our data are trustworthy. Achieving trusted computing is more than achieving effective security; trust demands the formation and evolution of a rule-based matrix architecture through which the requirements, resources, risk and costs can be expressed into an ongoing continuing improvement of the structure and operation of our information systems. This matrix, as envisioned, integrates and expresses our trust requirements. This presentation proposes a mandate for how to achieve trusted computing in the 21st century. Adoption of that mandate will require collaboration and productive output among new communities formed across traditional sectors of security, risk management, legal and financial competencies. The agenda that must be developed and executed requires global mechanisms that empower rule-based controls--expressive, extensible and transparent. To succeed, above all other requirements, we must enable our global capacity, in collaboration with but apart from the nation state, to author, adopt and use code objects and system controls that automate and meet our trust requirements.


  • Dynamics of Incident Response

    Johannes Wiik, Klaus-Peter Kossakowski


    In a continuously changing environment, a Computer Security Incident Response Team (CSIRT) has to evolve to sustain or improve its effectiveness. The main task of a CSIRT is to mitigate the effects of computer security incidents. A frequently identified problem is that CSIRTs are over-worked, under-staffed and under-funded. We present a conceptual model of such conditions based on a case study. The model is a first attempt to understand the main factors influencing a CSIRT’s effectiveness, and to improve its performance. Based on theory from process improvement and information from the case study, we identified that short-term pressure from a growing incident work load prevents attempts for developing more response capability long-term, leading the CSIRT into a “capability trap”. Fundamental solutions will typically involve a worse-before-better trade-off for management. Short term the CSIRT will lower its response capability while new capability is developed. Long term the CSIRT will get an automated response capability independent from limited human resources. Hence, it can automatically scale to future increases in workload.

    http://www.first.org/conference/2005/papers/speaker14-paper-1.pdf

    Format: application/pdf

    Size: 982 Kb


  • European CSIRT Update

    Don Stikvoort (S-CURE), Gorazd Božič (SI-CERT)


    Gorazd Bozic (SI-CERT) and Don Stikvoort (S-CURE) will give a short update on European CSIRT (related) initiatives, especially on TF-CSIRT, ENISA, Trusted Introducer and E-COAT.

    http://www.first.org/conference/2005/papers/don-stikvoort-slides-1.pdf

    Format: application/pdf

    Size: 69 Kb


  • EWIS in a Box

    Dr. Klaus-Peter Kossakowski (PRESECURE Consulting GmbH)


  • EWIS in a Box - or - How to build a National Early Warning Information System in 80 Days

    Dr. Klaus-Peter Kossakowski (PRESECURE Consulting GmbH)


    It is definitely time for early warning information systems (EWIS). Each of us working for or being responsible for a security team, incident response team or security management is asked for it by our superiors. With the rise of new threats that shrink the time between the discovery of some knowledge and its application in large-scale attacks from months/weeks to days/hours/minutes, it is no longer possible to take a reactive approach. But the desires we are confronted with are too demanding. Instead of asking for what can reasonably be done, superiors ask for something nobody can do: "Predict the future!" Therefore the presentation will carefully analyze what can be done immediately and what value can be realized right now by putting pieces already in existence together and removing the limitations established by an attitude of not sharing important information. As the title implies, it is possible to build such a system in 80 days. By no means will this system solve all problems, but it will immediately provide a value-added service not available today and will allow further work to build upon it and integrate methods and algorithms that are not readily available yet.

    http://www.first.org/conference/2005/papers/dr.-klaus-peter-kossakowski-slides-1.pdf

    Format: application/pdf

    Size: 94 Kb


  • Fighting Phishing Sites at the Front Line

    Larry Yang Liu (CNCERT/CC)


    Phishing attacks use 'spoofed' e-mails and fake websites designed to bamboozle recipients into revealing confidential information with economic value such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of famous banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them. Some phishing attacks also combine with worms, viruses or keyloggers. Worldwide financial and network security organizations have started to consider it a serious scam and fraud. Since the first closure of a phishing site in China, reported by AusCERT in Nov. 2003, CNCERT/CC has never stopped fighting against phishing sites. First of all, this paper will state the phishing concept and the different situations which victims and relevant people should be aware of, such as financial organization victims, stolen account owners, intruded host owners, and CERTs. Meanwhile, the paper will demonstrate how CNCERT/CC coordinates with ISPs, host owners and victims to deal with the phishing sites. As phishing compromises quite a lot of people, organizations and communities, anti-phishing should be regarded as everyone's responsibility. Not only foreign banks but also Chinese domestic banks are confronted with the challenges from phishing attacks, so how promptly a phishing site can be detected and closed down depends on how well the relevant parties can cooperate. The characteristic of CNCERT/CC

    http://www.first.org/conference/2005/papers/larry-yang-liu-slides-1.ppt

    Format: application/vnd.ms-powerpoint

    Size: 890 Kb


  • FIRST 2005 Welcome

    Dr. Klaus-Peter Kossakowski (PRESECURE Consulting GmbH)

    http://www.first.org/conference/2005/papers/dr.-klaus-peter-kossakowski-slides-1.pdf

    Format: application/pdf

    Size: 94 Kb


  • Getting Ahead: Integrating Development and Response for Improved Security

    Steve Lipner (Microsoft Corporation)


    Microsoft has developed an integrated approach to security that spans the software life cycle from development through deployment. The Security Development Lifecycle (SDL) adds a series of steps and deliverables to the development process that are intended to prevent the introduction of vulnerabilities, and to detect and remove vulnerabilities where necessary. Microsoft’s security response process and the Microsoft Security Response Center (MSRC) complement the SDL by acting to protect customers when remaining vulnerabilities are discovered in the field. The response process encompasses both the orderly production and release of software updates and an emergency response process that acts rapidly when vulnerabilities are exploited or when customers’ systems may be at risk. The feedback loop from the response process to the SDL provides a vehicle for updating development processes as new classes of security vulnerabilities are discovered. This presentation will discuss Microsoft’s SDL, the MSRC, the emergency response process, and their interactions aimed at improving software security and protecting customers.

    http://www.first.org/conference/2005/papers/steve-lipner-slides-1.ppt

    Format: application/vnd.ms-powerpoint

    Size: 4.44 Mb


  • How to Reduce Incidents by Employing Pro-Active Preventions

    Howard Schmidt (US CERT)


  • IEEE 802.16 WiMax Security

    Kitti Wongthavarawat (ThaiCERT, NECTEC)


    In this paper we overview the security features in IEEE 802.16 Broadband Wireless Access, or WiMAX. We introduce a security model consisting of the security functionality required to protect the network against common threats. Based on the security model, we examine IEEE 802.16 security to see how well it protects the network and identify possible vulnerabilities. We also discuss some solutions proposed in the IEEE 802.16 Working Group.

    http://www.first.org/conference/2005/papers/kitti-wongthavarawat-slides-1.pdf

    Format: application/pdf

    Size: 166 Kb


  • Key Strategies for Defeating Crime Online

    John Lyons


    In his presentation, John Lyons will share with us some of the most recent and significant events concerning the exploitation of the Internet by organised crime gangs based in Eastern Europe and Russia. With this harsh reality as the backdrop, he will go on to examine what he believes are the key strategies which Governments, law enforcement organisations, businesses and academia can execute which can make a real difference to the way in which networks of the future could develop. These will include coverage of the law enforcement and legal issues, international and political dimensions, the role of FIRST and the most important issue of all: the people and companies who are the victims of malicious activity which is likely to get out of control if global action is not taken soon to mitigate the threats that they face. Security and safety on the Internet and within computer networks and systems must not remain cocooned as a mystical black art orchestrated by experts and specialists – it's time to bring the rest on board! During his recent tour with the UK's National Hi-Tech Crime Unit, John travelled widely, liaising with Internet security specialists and listening to the views of governments and law enforcement organisations around the world. The views he expresses are the result of extensive research and experience of the issues - he is keen to be challenged, so please listen and be ready to debate.


  • Mitigating Rogue Access Points in Corporate Environments

    Laurent Butti


    The paper describes a from-scratch design of a fully-featured wireless IDS. It will pinpoint all technical constraints and choices made during the implementation, and will provide the reader with a precise snapshot of the mandatory features of a wireless IDS. After the theoretical part, a case study will be presented: how to deal with illegitimate access points in corporate environments?

    http://www.first.org/conference/2005/papers/laurent-butti-slides-1.ppt

    Format: application/vnd.ms-powerpoint

    Size: 4.31 Mb


  • Network Monitoring on Large Networks

    Yao Chuan Han (Taiwan Computer Emergency Response Team)

    http://www.first.org/conference/2005/papers/speaker19-slides-1.pdf

    Format: application/pdf

    Size: 5.03 Mb


  • New Security Features in Solaris 10 and DTrace

    Chandan B.N (Sun Microsystems)


    The most significant developments in Solaris 10 from a security perspective are improved hardening and minimization, application of the principle of least privilege, the introduction of zones and a new cryptographic framework. Apart from these there are a number of minor additions and enhancements that help improve the OS security. This paper illustrates how the new security features and improvements in the latest release of the Solaris Operating Environment can help defend system integrity and enable secure computation with ease of deployment and manageability. There is also an introduction to DTrace, a powerful infrastructure for observing the behaviour of the system.

    http://www.first.org/conference/2005/papers/chandan-b.n-paper-1.pdf

    Format: application/pdf

    Size: 157 Kb


  • Passive DNS Replication

    Florian Weimer


    Passive DNS replication is a new technology for gathering data from the public DNS system and archiving it in a database. This database supports a broader set of queries than the public domain name system, and it also stores historical data for later reference. The presentation shows that the query types the public DNS offers are insufficient for some applications, provides a rough overview of the architecture of a passive DNS replication implementation called "dnslogger", and documents real-world use cases. The intended audience is network operators and CSIRT members who focus on network-wide mitigation. The presentation includes a brief introduction to the relevant technical aspects of DNS, so detailed knowledge in this area is not strictly necessary.

    http://www.first.org/conference/2005/papers/florian-weimer-paper-1.pdf

    Format: application/pdf

    Size: 74 Kb


    http://www.first.org/conference/2005/papers/florian-weimer-slides-1.pdf

    Format: application/pdf

    Size: 68 Kb


  • Pondering and Patrolling Network Perimeters

    Bill Cheswick (Lumeta Corp)


    Most Internet users rely on perimeter protection as part of their Internet defenses. How well are these working, and what lies behind perimeter defenses? Telephone networks have their intelligence in the center of the net, and internets at the edge. The talk will describe technologies that help scope out the extent of intranets, and find perimeter breaks.


    http://www.first.org/conference/2005/papers/bill-cheswick-slides-1.pdf

    Format: application/pdf

    Size: 3.42 Mb


  • Proposal for the Experimental Environment for Network Worm Infection

    Masato Terada (Hitachi Incident Response Team, Hitachi Ltd.), Norihisa Doi, Shingo Takada


    Code analysis and simulation of network worm infection are useful methods to evaluate how a worm spreads and its effects. But a bug in the infection algorithm, the way a random number generator is implemented, etc., affects the retrieval behavior of network worm infection. It is important to evaluate the retrieval behavior of network worm infection in an experimental environment to complement code analysis. This paper describes a prototype of an experimental environment for network worm infection and actual data about network worm infection. The purpose of the experimental environment is to investigate retrieval behavior and infection mechanisms in network worm behavior, for example a mapping of retrieved IP addresses and the ratio of IP addresses retrieved to port numbers used by network worms. We also implemented a prototype system to show the validity of our approach.

    http://www.first.org/conference/2005/papers/masato-terada-paper-1.pdf

    Format: application/pdf

    Size: 626 Kb


    http://www.first.org/conference/2005/papers/masato-terada-slides-1.pdf

    Format: application/pdf

    Size: 1.37 Mb


  • Risk Triage and Prototyping in Information Security Engagements

    Rakesh Bharania, Catherine B. Nelson (Cisco Systems)


    Security architecture teams are being called upon to provide expert security assistance to their clients at ever increasing rates. How can a security team manage resources and ensure that those resources are being applied to mitigate the most significant security risks to the enterprise? This paper discusses the need for risk triage and prototyping, how existing risk models do not meet those needs, the development of the Rapid Risk model, and its success at improving information security at Cisco.

    http://www.first.org/conference/2005/papers/speaker43-paper-1.pdf

    Format: application/pdf

    Size: 142 Kb


  • Risk Triage and Prototyping in Information Security (Powerpoint Slides)

    Rakesh Bharania, Catherine B. Nelson (Cisco Systems)

    http://www.first.org/conference/2005/papers/speaker43-slides-1.pdf

    Format: application/pdf

    Size: 6.59 Mb


  • Security Bulletin Publication at AusCERT using "EzESB"

    Matthew Braid, Robert Lowe


    This paper examines a problem - the publication of large volumes of security bulletins via various media (such as web and email). It then goes on to discuss the requirements of a tool which may be used to automate much of this manual work. Finally, the development, current features and future enhancement of the tool (EzESB) used by AusCERT for this purpose will be discussed. The objective of this paper is to give other members of FIRST insight into the development and use of this tool and more details about how AusCERT publishes bulletins. Other FIRST members may be offering similar services or may have a future requirement for such a service. We hope that this paper will stimulate discussion between teams with an interest in the publication of security bulletins. The paper does not go into any real technical depth. Anyone who disseminates (a large number of) security bulletins would probably be interested in this paper. Analysts and software engineers developing tools for the publication of security advisories may find AusCERT's solution to this particular problem interesting. Managers directly involved in the work flow of such teams or team members may also find this paper of interest.

    Introduction: AusCERT (the Australian Computer Emergency Response Team, Australia's National CERT) is funded primarily by member subscriptions. Members vary in size and include commercial, government and educational organisations. Accurate and timely notification of security th

    http://www.first.org/conference/2005/papers/speaker18-paper-1.pdf

    Format: application/pdf

    Size: 408 Kb


    http://www.first.org/conference/2005/papers/speaker18-slides-1.pdf

    Format: application/pdf

    Size: 1.18 Mb


  • Security Challenges on the Road Ahead

    Tim Mather (Symantec)

    http://www.first.org/conference/2005/papers/tim-mather-slides-1.pdf

    Format: application/pdf

    Size: 813 Kb


  • Sharing Incident Data: History, Perspective, and a View for the Future

    Patrick Cain (The Cooper-Cain Group, Inc)


    As the conference theme is to "Join the Global Network", this talk addresses sharing incident data for the betterment of all net citizens. It starts with an introduction to information sharing and some common definitions, then meanders through the history of information sharing, identifying discovered problems and attempted solutions. The talk concludes with an overview of the Anti-Phishing Working Group's (APWG) phishing and phraud activity sharing initiative and some perspective on why this attempt will be successful.

    http://www.first.org/conference/2005/papers/speaker25-slides-1.ppt

    Format: application/vnd.ms-powerpoint

    Size: 393 Kb


  • SIRIOS, a Framework for CERTs

    Thomas Klingmueller (CERT-Bund, Federal Office for Information Security)


    With the project SIRIOS, CERT-Bund developed an open source framework for the tools and workflows in use within CERT-Bund. This gives CERT-Bund the ability to implement its internal workflows in the framework so that they can be edited, logged and optimised. The system and its databases can be implemented as a classic client/server architecture in a closed environment (Intranet). Alternatively it can be set up as a decentralised open framework with distributed databases and systems working together. With SIRIOS, exchanging incident or vulnerability information between CERTs is no longer a problem: SIRIOS internal data structures were derived from internationally acknowledged data formats such as IODEF for incident information and EISPP/DAF for advisory/vulnerability information. As a result, the formats for exporting these objects are well defined and can be used by any CERT regardless of whether it uses SIRIOS. The system was developed while CERT-Bund was still being set up. In early 2002, when CERT-Bund became operational, a trouble ticket system to structure and log CERT-Bund's workflows was missing. An analysis of tools and workflows in other CERT environments revealed that many CERTs used tools developed on their own. Such toolboxes consisted of Office components for writing advisories and several task-specific tools. As a consequence of missing standards for CERT-specific information and tools that implemented these standards, information sharing was re

    http://www.first.org/conference/2005/papers/thomas-klingmueller-paper-1.pdf

    Format: application/pdf

    Size: 169 Kb


    http://www.first.org/conference/2005/papers/thomas-klingmueller-slides-1.pdf

    Format: application/pdf

    Size: 1.09 Mb


  • Strategies for Achieving Network Intelligence

    Adam D'Amico (Zanshin Security, LLC)


    In order for security efforts to be effective in the contemporary threat environment, network professionals who have some responsibility for operational security or incident response in an organization will need actionable knowledge regarding network activity. This paper describes a strategic model for implementation of appropriate technologies, policies and procedures in pursuit of that goal. The content is not meant to be an exhaustive methodology, but rather one possible paradigm based on lessons learned in several distinct categories of organizations over the past decade. The approach will be most relevant to those in positions of management, but will also present information useful to anyone wishing to better understand the issues that surround network monitoring and security.

    http://www.first.org/conference/2005/papers/adam-damico-paper-1.pdf

    Format: application/pdf


    http://www.first.org/conference/2005/papers/adam-damico-slides-1.pdf

    Format: application/pdf

    Size: 96 Kb


  • TeamDefend Organizational and Inter-Organizational Cyber Defense Training

    Hart Rossman, Scott C. Kennedy (SAIC)


    TeamDefend addresses the weakest computer network link in that Infrastructure: The Network Defense Team. Using an on-site, real-time training system, our TeamDefend tutorial prepares and evaluates a FIRST member team’s ability to recognize and effectively deal with the cyber threat. Using the on-site, real-time training system, we are using TeamDefend during the 17th Annual FIRST Conference (2005) as a compelling addition to the tutorial track. We will provide a venue, which will prepare and evaluate a FIRST member team’s ability to recognize and effectively deal with the cyber threat. Further, we will be adapting the tutorials to highlight inter-team coordination. The focus will be to allow FIRST member teams to literally “train as they fight” going beyond traditional information collaboration & dissemination during an incident to exhibiting through the hands-on environment of TeamDefend how teams can work together at a technical level to resolve threats in real-time and receive feedback based on the Neutral Team and the automated scoring mechanisms. TeamDefend will raise your Team’s level of proficiency in a measurable way.

    http://www.first.org/conference/2005/papers/scott-c.-kennedy--hart-rossman-paper-1.pdf

    Format: application/pdf

    Size: 432 Kb


    http://www.first.org/conference/2005/papers/scott-c.-kennedy--hart-rossman-slides-1.pdf

    Format: application/pdf

    Size: 6.23 Mb


  • The Looming Privacy Rights Debacle: How Data Protection Law Will Shape Response Team Activities

    Thomas Daemen (Covington & Burling)


    There is no dispute that international efforts to improve network security are both warranted and necessary. Indeed, virtually the entire 17th Annual FIRST Conference is dedicated to exploring global responses to the global phenomena of cybercrime. What is less clear, however, is the extent to which incident response teams working on these challenging problems can cooperate and collaborate by sharing key information without violating data protection laws and requirements. This presentation will analyze these issues and identify steps that response teams should take to ensure that their collaborative efforts do not violate individual privacy rights and data protection law.

    http://www.first.org/conference/2005/papers/thomas-daemen-slides-1.ppt

    Format: application/vnd.ms-powerpoint

    Size: 80 Kb


  • Pondering and Patrolling Network Perimeters

    Bill Cheswick (Lumeta Corp)


    Most Internet users rely on perimeter protection as part of their Internet defenses. How well are these working, and what lies behind perimeter defenses? Telephone networks have their intelligence in the center of the net, and internets at the edge. The talk will describe technologies that help scope out the extent of intranets, and find perimeter breaks.

    http://www.first.org/conference/2005/papers/bill-cheswick-slides-1.ppt

    Format: application/vnd.ms-powerpoint

    Size: 11.89 Mb


  • Trends in Malware Enabled Identity Theft

    Matthew Braid, Matthew McGlashan

    http://www.first.org/conference/2005/papers/matthew-braid-slides-1.pdf

    Format: application/pdf

    Size: 1.04 Mb


  • Vulnerabilities in Consumer Electronics -- DVD players, Cell phones attack: your system??

    Keisuke Kamata (JPCERT/CC), Masaki Kubo


    The goal of this presentation is to report vulnerabilities found in network-connected consumer electronics. Firstly, Japanese consumer electronics market trends, specifically the DVD recorder and cell-phone markets, are discussed. The market structure as well as the technology involved in the market is explained. Secondly, two vulnerabilities in consumer electronics that JPCERT/CC handled will be discussed. The issues and difficulties in handling consumer electronics are presented. Lastly, some points important for the development of the network-connected consumer electronics market will be presented.

    http://www.first.org/conference/2005/papers/masaki-kubo-paper-1.pdf

    Format: application/pdf


    http://www.first.org/conference/2005/papers/masaki-kubo-slides-1.ppt

    Format: application/vnd.ms-powerpoint


  • Wireless Security

    Michael H. Warfield (Internet Security Systems)


    This session is an overview of the current state of 802.11* wireless standards, security profiles, developments, and practices. As hardware costs plummet, wireless networks are proliferating rapidly. Many are badly configured and highly insecure, in spite of improvements in standards and default configurations. This talk on Wireless Security will be an update on the state of the art in 802.11 [abgix] security and security practices. Included will be some recent developments in standards, security incidents, and developments in the field, as well as recommendations on securing wireless infrastructure.

    http://www.first.org/conference/2005/papers/michael-h.-warfield-slides-1.ppt

    Format: application/vnd.ms-powerpoint

    Size: 691 Kb