Sessions and Workshops


Opening Session

  1. Welcome to Santa Clara, The Gateway to the Silicon Valley - Mayor Judy Nadler, Mayor of the City of Santa Clara, USA (Invited Speaker)

  2. Security Risks in the Infrastructure - Peter Neumann, SRI International, USA (Invited Speaker)

    This talk will review some of the most pressing concerns relating to computer systems and networks that must be secure and reliable -- threats, vulnerabilities, characteristic penetrations and other misuses, risks, defensive measures involving operating-system and network security (including crypto), difficulties in software development, networking and system operation, problems inherent in distributed systems, and intrinsic limitations in the use of technology.

    Dr. Peter G. Neumann has been a computer scientist since 1953, with three degrees from Harvard. He has been in the Computer Science Lab at SRI International since 1971. Throughout the 1960s he was at Bell Telephone Laboratories in Murray Hill, NJ, where from 1965 to 1969 he was a codeveloper of Multics -- which has had a significant impact on subsequent secure system developments. He has worked on systems that satisfy stringent requirements for security, reliability, and safety, and on methodologies for development of such systems. He has taught at Stanford and Berkeley. He is Chairman of the Committee on Computers and Public Policy for the ACM (Association for Computing Machinery), Moderator of the ACM Forum on Risks to the Public in the Use of Computers and Related Systems (comp.risks), Editor of the ACM Software Engineering Notes, and Contributing Editor of the Communications of the ACM. He is a Fellow of the AAAS, ACM, and IEEE. He was a member of the National Research Council System Security Study Committee, whose efforts resulted in the book, Computers at Risk, and has just completed his stint on the NRC study group that reviewed U.S. crypto policy, resulting in the book, Cryptography's Role In Securing the Information Society (a.k.a., the CRISIS report). This talk will be illustrated with cases from the Risks Forum, many of which are documented in his book, Computer-Related Risks, published by Addison-Wesley (1995).

Team Updates

  1. Team Updates

    As every year the FIRST conference is an excellent opportunity to meet other team members and establish contacts and get first hand impressions about the activities of other teams.

    This session should facilitate this activity by providing a forum for short presentations focusing on current activities and projects of several teams.

    Three different "groups" of teams are invited to present:

    • older teams already recognized by the community will give an update on their activities and present new ideas developed through their work
    • new teams, which joined FIRST since the last conference will present their constituency and current activities, to present themselves
    • teams, which are up to joining FIRST in the immediate future will get the opportunity to let other teams know about them beforehand
    By presenting experiences and lessons learned helpful input can be provided to the participants. The overall goal is to provide information to the FIRST community to foster communication and cooperation.

Session 1: Future of Incident Response

  1. Commercialization of Incident Response Services - Klaus-Peter Kossakowski, DFN-CERT, Germany

    Traditional computer security is typically concerned with the maintenance of security, as characterized by: `confidentiality', `integrity' and `availability'.

    Problems caused if one of these aspects is compromised, are often further complicated by the fact, that most system administrators lack the necessary knowledge to prepare their systems suitably in order to react to threatening intrusions, system vulnerabilities or probes. They do however find themselves confronted with these problems, and are frequently obliged to deal with them on their own.

    Todays corporations have been able to take possible physical desasters into consideration and incorporate them into their risk management frameworks. The same companies are however, insufficiently prepared to deal with logical problems on the same scale, caused for example, by malicious persons or programs.

    In 1988 the new concept of an incident response team (IRT) or computer emergency response team (CERT) which serves a defined constituency was introduced. Some tutorials and papers already provide practical guideline to managing the early stages of such operations and specific tasks.

    After nearly eight years of practical service for users and organizations throughout the world, more and more commercialization becomes part of the business. Private consultants offer emergency services, existing teams have to deal with commercial offers and new teams, which will provide commercial services begin to promote their services.

    Starting with considerations for integrating incident response services into a business organization as part of the overall risk (and crisis) management, it is shown that the already wellknown tasks and services are very useful to allow proactive steps against threats and dangers of todays global networks. Further on, as teams within organizations take benefit from authority and management decisions, services will be different and even new services will be possible, not normally carried out by external IRTs as tiger teams for example.

    In reviewing existing funding models an overview of the ``commercial'' reality of today's teams is given. By reviewing these models the benefits -- but also their disadvantages -- are described. In searching for more funding, teams already started to look into ``selling'' -- at least part of -- their services. The impact of commercialization in regard to the task of computer security incident response will be analysed and examined in more detail.

    The need of external teams is obvious in light of coordination and communication issues as neutral connection amoung various teams. Therefore the critical points related to the commercialization of such tasks are also addressed, together with topics not necessarily to be measurable in real money units like ethical and social implications.

    It is hoped that the points risen and the considerations outlined will help to develop a better understanding what it means to commercialize (or integrate into a business organization) such a critical task as computer security incident response. Moreover it is hoped that corporations and other entities develop a deeper insight and start integrate incident response services (instead of relying on external teams only) to enhance their risk management capabilities.

    But instead of starting over again, they should make use of the already established knowledge and expertice. Only cooperation and learning from each other will help all parties involved to handle todays problems. This is also a new challenge for all existing teams and maybe a way to evolve into new futures.

    Klaus-Peter Kossakowski was among the first members of the Virus Test Center. Since then he worked in the field of network security. Engaged with the DFN-CERT since its conception, he started his official work on January 1993, taking over the responsibility for administration and organisation.

    His special interests are international issues, cooperation and the establishment of an infrastructure for IRTs. He became a co-chair for the IETF WG Guidelines and Recommendations for Incident Processing -- GRIP.

    Actually he is writing his Ph. D. thesis about Computer Security Incident Handling and its integration into traditional risk management processes.

  2. Future of Incident Response in our Changing World (panel) - Mike Higgins, SAIC-SERC, USA

    The ever changing profile of the Internet and its users has resulted in substantial changes to the way that computer security incidents are being handled and contracted for. In the beginning there were few formal methods from which a company or organization could cull the necessary processes, procedures, and talent to handle an attack on their infrastructure. The Computer Emergency Response Team / Coordination Center at Carnagie Mellon university was established to help foster the talent that existed within the community and to assist in the development of future teams. The Forum of Incident Response and Security Teams (FIRST) was then formed as a way to formalize the communications between the growing number of emergency response teams and the incident response community began to take shape.

    However, most of the initial efforts were concentrated in governmental and educational institutions. Recent events have again changed the landscape for how and where a small company will handle an attack against its information processors. The FIRST organization recently incorporated, CERT/CC is reportedly changing its strategic direction and two international commercial organizations, IBM and SAIC, offering fee for service incident response were recently voted into the membership of the FIRST.

    This session with representatives from the incident response community will seek to address what changes are occurring, why, and what is their opinion of the projected impact on the face of incident response in the future. Invited panelists include:

    Panel Members:
    Mike Higgins, SAIC SERC, USA (Moderator)
    Alan Fedeli, IBM, USA
    Rich Pethia, CERT Coordination Center, USA
    Steve Branigan, Bellcore, USA

    Mike Higgins
    Mr. Higgins is a Technical Director and Account Manager in the SAIC Corporate Development's Center for Information Protection, where he is a technical lead for information security assessments and marketing for commercial work in the financial community. The Center's customers in the financial community include U.S. Based and International banking, credit, and investment institutions. Mr. Higgins as one of the Centers Technical Directors is responsible for protection of information in client server and mainframe based systems.

    Prior to joining SAIC, Mr. Higgins was the Deputy Director for the Center for Information Systems Security for the Defense Information Systems Agency. In this capacity, Mr. Higgins was the senior technical manager of the Center's Information Security Countermeasures Department, responsible for the operational protection of all Department of Defense's unclassified and sensitive but unclassified information. Operationally, Mr. Higgins created the Automated Systems Security Incident Support Team (ASSIST), the largest and most effective computer emergency response team in the world. Mr. Higgins was also the developer of the Vulnerability Analysis and Assistance Program, a program which proactively, using automated tool suites, analyzed information systems for security vulnerabilities. The ASSIST and VAAP have been hailed as programs of merit which are being emulated across the Federal and Commercial infrastructures.

    Mr. Higgins, as the senior technical representative for the Department of Defense on matters involving information systems security and incident response was an often requested speaker at many national and international conferences. Mr. Higgins presentations on "State of Computer Hacking", "How to Protect the Information Infrastructure", and "Assessing your Computers Security Health" have all received numerous accolades and have now been merged into mandatory training for all new information systems administrators in the Department of Defense.

    Mr. Higgins served a Senior Intelligence Analyst within the Science and Technology Directorate. Specializing in telecommunications and information systems, Mr. Higgins was responsible for coordination and organization of the U.S. Defense and Intelligence communities response to high technology theft by the then Soviet Union and other prohibited countries. Mr. Higgins' efforts prevented millions of dollars in high technology from illegally being acquired for military use in the Soviet Bloc and in assessing the military capabilities of the Soviet Bloc based upon assessments of their illegal technical acquisitions.

    Mr. Higgins also served as a Division Chief for the Countermeasures Division of the Information Security Department of the Information Systems Directorate. In this capacity Mr. Higgins established a vulnerability testing program for all specially compartment information (SCI) systems accredited by the DIA. This vulnerability testing program and the subsequent alert effort developed by the Countermeasures Division were the precursor for the current day ASSIST and VAAP efforts within DoD.

    Mr. (then Army Captain) Higgins was a trained and qualified Operations Research Systems Analyst (ORSA) working with the Army's Operational Test and Evaluation Agency's Command, Control, Communications, and Computers (C4) Division. CPT Higgins served as the test director and test technical lead on several operational tests for state-of-the-art telecommunications systems including: Joint Tactical Information Distribution Systems (JTIDS), Army Tactical Command and Control System (ATCCS), and Mobile Subscriber Equipment (MSE). CPT Higgins expertise in statistical test analysis and spread spectrum and wide band telecommunications technologies were frequently utilized in assisting numerous other efforts within the Army and Air Force.

    Alan Fedeli
    Alan has been an advanced technology manager in IBM for 20 years. In addition, he has managed IBM's world wide Computer Emergency Response Team (CERT) for the past eight years. IBM's CERT handles network intrusions, virus incidents, and phone fraud, both for IBM and customers. Recently, Alan has created information security businesses within IBM, namely IBM AntiVirus Products and Services and IBM's recently announced Internet Emergency Response Service (ERS). IBM AntiVirus is now coming into international recognition and acclaim. IBM's Internet Emergency Response Service is well received by its initial customers, and is beginning to be recognized as an industry imperative.

    Alan holds a BA in English Literature, and recently earned an MBA in Organizational Behavior. He lives in Ringwood, New Jersey with his wife, supporting their two children who attend Syracuse University and Georgetown Law School. Alan has been a member of his local school board, and is now Vice President of his local lake association. The Fedelis are avid skiers.

    Rich Pethia

    Steve Branigan
    Steven Branigan is a Senior Systems Engineer responsible for providing technical expertise on Internet security matters and providing Internet security consulting services. Steve's main focus is on studying the current techniques employed by intruders to access systems connected to the Internet, and tools that can be used for prevention and detection of these attacks. In his position, he has become recognized as a leading Internet security expert, and has been called upon by federal law enforcement agencies as well as the Regional Bell Operating companies to analyze Internet intrusion evidence.

    Steve has provided technical support for active computer crime investigations to Federal law enforcement agencies. Steve has also provided training for Federal law enforcement agencies on the subject of computer intrusions. Steve received his master's degree in Computer Science from Rutgers University and has been with Bellcore for over five years.

Session 2: Threat Research

  1. Developing a Malicious Code Analysis Capability to Support Incident Handling - Joseph A. Alfano, ASSIST, USA

    An important aspect of securing the National Information Infrastructure is the elimination of vulnerabilities within internetworked computer systems.

    Although operating systems developers have eradicated many of the exploitable flaws in their software, new ones emerge. Security vulnerabilities have been discovered recently in third-party software applications such as mail transfer agents, and FTP and WWW servers, among others. As new utilities continue to penetrate the marketplace, the likelihood that a computer system contains an exploitable defect increases significantly. In addition, improperly configured systems present opportunities for exploitation by malicious software, or "critters" in the analyst's parlance.

    This paper recommends that incident response teams, private corporations and academia develop an internal critter analysis capability to better serve both the customer base and global community of users at-large. After justifying the increasing need for analyses, the author presents an approach for developing a baseline capability. Central to attaining this goal is enlisting upper management support. The relative merits of both quantitative (e.g., cost-benefit) and qualitative marketing approaches (e.g., corporate leadership and visibility) are discussed. Finally, interested organizations are encouraged to develop working alliances with similar groups in order to achieve synergistic gains.

    Mr. Alfano is a senior member of the technical staff on the ASSIST team at the Defense Information Systems Agency (DISA). He is responsible for collecting, analyzing and preparing reports on malicious software. Additionally, his more recent duties include developing DISA program plans to secure the Defense Information Infrastructure.

    Prior to arriving at DISA in 1994, he worked for the U.S. Navy for 14 years. During that time, he performed requirements analyses, systems engineering, software design and security engineering on a wide range of Naval aviation projects. His experience includes software development, aircraft simulation, human factors and artificial intelligence expert systems. His last assignment entailed incorporating multilevel security into a tactical planning system.

    Mr. Alfano earned his B.S. degree in Electrical Engineering. His education includes graduate courses in Computer Science. He is currently enrolled in a Master of Science program in Engineering Management at Drexel University. He is a member of the Phi Sigma Tau collegiate honor society.

  2. Vulnerability/Advisory processes - Rob McMillan, CERT Coordination Center, USA

    Since its inception in 1988, the CERT Coordination Center has carried out work in the analysis of software vulnerabilities. One of the areas that this work has fed into is the issuing of advisories to the public.

    Whilst this work is continuing, both processes (i.e., the Vulnerability Handling Process and the Advisory Process) are evolving as a result of more clearly defined goals. As the goals of each process have become more clearly defined, each activity has become more distinct with a clear communication path between them. In this session, Rob will present an overview of the processes as they currently stand within the CERT Coordination Center.

    Rob McMillan has been with the CERT Coordination Center since September 1994. He is a member of the Incident Handling Team, which focuses on responding to incidents that have been reported to the Center by providing technical assistance, analyzing log files from compromised sites, guidance and/or follow-up with the affected sites as appropriate. He also facilitates communications among sites, other response teams, investigators, and vendors to assist these folks in responding to and recovering from security incidents. He participates in the discussion, design, testing, evaluation and use of in-house tools for incident handling. He has also assisted in the definition and development of internal incident response policies and procedures, CERT advisories and other technical documents.

    Prior to joining the CERT Coordination Center, Rob was a founding member of AUSCERT, the incident response team for Australia. This role was very similar to that he plays at CERT. Additionally, he built systems from the ground up for that team and developed many of the tools and techniques used by AUSCERT at that time.

    Rob has also spent time as a senior system administrator and security programmer for a university in Australia. In that role, he prepared a site security policy, carried out auditing of departmental networks, wrote security oriented applications, maintained systems, contributed to network design projects, acted as the site security contact and oversaw the day-to-day security oriented issues that arose.

    Previously Rob has been a network administrator and programmer dealing with various protocols including the IP suite or protocols, and X.25. He has experience in administration and programming on many platforms including PCs, IBM mainframes, VAX/VMS, and various flavors of UNIX.

    Rob has prepared various papers for conferences covering subjects such as practical steps in securing a VAX/VMS system, and the development of a site computer security policy.

  3. An Analysis of Intruder Personality Traits and Motives - Gene Schultz, SRI International, USA

    Along with the rapid growth the Internet has come an increasing number of intrusions. What kind of people perpetrate Internet-based break-ins? What personality characteristics do intruders possess? What motivates intruders to engage in unauthorized activity? Are intruder personality traits directly linked to unauthorized behavior? This paper addresses these questions, presenting findings of case studies and interviews conducted by SRI and others. These studies indicate that a large proportion of intruders have several traits in common, including dishonesty, self-aggrandizement, and social alienation, but that these traits are not strong predictors of actual unauthorized behavior. The final part of this paper raises the question whether understanding intruders' traits can help the incident response community deal with network intrusions more efficiently. Although empirical evidence is for the most part missing, the paper concludes that knowledge about intruders' traits can help not only to deter network intrusions, but also to contain them once they occur.

    Dr. Eugene Schultz is the Program Manager for SRI Consulting's International Information Integrity Institute (I-4). An expert in UNIX, network security, and malicious code, he has testified about intrusions into U.S. military computers during Operation Desert Storm before a U.S. Senate. He has also helped numerous agencies and corporations create information security policies and technical security practices.

    Dr. Schultz has co-authored the IIA/EDPAA book, Unix - Its Use, Control, and Audit, the soon to be released John Wiley book, Internet Security for Business, and has published over 60 journal articles. Before joining SRI he was at Lawrence Livermore National Laboratory, where he founded and managed the Department of Energy's Computer Incident Advisory Capability (CIAC). He also held positions at the Jet Propulsion Laboratory (where he received a NASA Technical Innovation Award in 1986), Arca Systems, and the University of North Carolina. Finally, he was the co-recipient of the Best Paper Award at the 1995 National Information Systems Security Conference.

Session 3: Secure Communications

  1. The UKERNA Secure E-mail Project - Paul Leyland, Oxford University, UK and Piete Brooks, University of Cambridge, UK

    We report the findings of an in-depth study into the provision of secure electronic mail to the British academic community, a population of around a million in over a hundred institutions. The community has extremely varied requirements, resources and skills. Most are not sophisticated in cryptographic matters and tools must be as simple to use as possible. PGP was considered to be the only credible cryptographic component because of its security, popularity and fairly wide availability of packages to integrate it into mail user agents. Our report concentrated on MUA integration, and on the reliable, rapid and convenient provision of encryption keys and guarantees of their authenticity.

    Paul Leyland works for Oxford University Computing Services as a Unix administrator with special responsibility for computer and network security, and is the chairman of OxCERT. He's been active in the PGP field since 1992 and has run the JANET keyserver for three years. He maintains the cryptography archive at Oxford, including the master He factors integers as a hobby, and was a coordinator of the global collaboration to break the original RSA challenge. In 1995, he and three colleagues factored a 384-bit PGP key, showing beyond question that larger keys are necessary for security.

  2. New Technologies on the Internet - John Fisher, CIAC, USA

    The Internet is in a rapid state of growth, as new technologies are introduced into the ever expanding electronic community. This presentation will be a survey of some of these new technologies, with an emphasis on their security features and concerns. Some of the new technologies to be discussed include:

    Java - Java has proven to be one of the most controversial technologies on the Internet. It empowers Web browsers with unprecedented capabilities. Of chief concern is how those capabilities are controlled, and what new security measures are to be offered in the future.

    Communication Beyond Email - Internet users have begun to look beyond the limitations of electronic mail, to other mediums of communication. Live chat, telephony, and video conferencing are growing in popularity, and will introduce new questions about privacy and security.

    Operating Systems - A great deal of the functionality offered through Web browsers, Web servers, and other Internet applications are being integrated into the operating system itself. Java has gained rapid acceptance by a large number of operating system vendors. Web servers are now becoming standard operating system components. Security concerns once specific to UNIX are now applicable to other operating systems, including Windows 95 and Windows NT.

    John Fisher has been a member of the U.S. Department of Energy's Computer Incident Response Capability (CIAC), at the Lawrence Livermore National Laboratory for the last year. He is the author of Merlin, a user interface for UNIX security tools.

    Before his time in CIAC, John worked at the Livermore Lab and at the University of California Davis developing UNIX-based tools for security analysis and real-time network intrusion detections. John received a bachelor's degree from the University of California, Davis, and a master's degree from Santa Clara University.

    John served as a technical editor for the book Internet Security Professional Reference. He is currently working on his first book, The Webmaster's Handbook, due this Summer.

  3. FIRST E-mail Handling Procedures - Kenneth van Wyk, SAIC SERC, USA and Patricia Zechman, DoD ASSIST, USA

    This session presents an in-depth look at FIRST's procedures for handling electronic mail. Topics covered include descriptions of each FIRST mailing list, the FIRST encryption key management process and procedure, as well as a list of standard FIRST e-mail distribution restrictions and their appropriate uses.

    It is expected that attendees of this session have a basic understanding of the encryption technologies used within FIRST, as presented in Tutorial B of this workshop.

    Kenneth van Wyk
    Mr. Van Wyk holds a Bachelor of Science in Mechanical Engineering from Lehigh University in Bethlehem, PA. He worked for four years in Lehigh's Computing Center as a Technical Consultant, during which time he founded the VIRUS-L/comp.virus Internet discussion forum (April 1988), and took graduate courses in Lehigh's Computer Science Masters program. In 1989, he moved to Pittsburgh, PA, to be one of the first two full-time members of Carnegie Mellon University's Computer Emergency Response Team (CERT). From 1989 through 1993, he worked as a Technical Coordinator at CERT, and took several graduate courses in the Software Engineering Institute's Software Engineering Masters program.

    In March 1993, Mr. Van Wyk moved to Washington, DC, to work for the Defense Information System Agency's Automated Systems Security Incident Support Team (ASSIST), where he was the Chief of the Operations Division, in charge of ASSIST operations through December 1995. ASSIST provides 24 hour per day incident response support to the entire Department of Defense (DoD) community. Mr. Van Wyk's division is also responsible for the execution of Vulnerability Analysis and Assistance Program (VAAP) assessments of DoD sites.

    In December 1995, Mr. Van Wyk accepted a position at Science Applications International Corporation (SAIC) in their Center for Information Protection (CIP), where he is a Technical Director, responsible for managing and ensuring the quality of the technical services provided by the CIP. In addition, he serves as the Technical Director of SAIC's Security Emergency Response Center (SERC).

    Mr. Van Wyk is also serving a two-year elected position as a member of the Steering Committee for the Forum of Incident Response and Security Teams (FIRST), an international organization of incident response teams that facilitates and promotes technical exchanges of information among its member teams.

    Patricia Zechman
    Patricia A. Zechman currently serves as a Computer Specialist for the Automated Systems Security Incident Support Team (ASSIST)/Vulnerability Analysis Assistance Program (VAAP) Branch (D331) at the Defense Information Systems Agency (DISA). As one of the team chiefs for the ASSIST, she is responsible for providing computer emergency response service for Department of Defense (DoD) customers. The ASSIST team responsibilities include virus analysis, vulnerability mitigation, technical analysis, and investigative support. Presently, Ms. Zechman is responsible for establishing a training program for incident response handling. As the World Wide Web coordinator, she works closely with the system administration group in the development of an external World Wide Web site for ASSIST. Ms Zechman is also responsible for creating and maintaining the Standard Operating Procedures (SOP) for the ASSIST team. She is responsible for providing security guidance on general security policy and security aspects of systems architecture, testing, and evaluation. Currently Ms Zechman is serving as the Forum Incident Response Support Teams (FIRST) representative for ASSIST. As the FIRST representative, she coordinates INFOSEC incidents with other incident response teams worldwide.

    In 1985, Ms. Zechman began her professional career as the system administrator for the Department of Engineering and Housing (DEH) in Fulda, Germany. Her responsibilities included performing system administration for the Honeywell DPS6 and the Unisys 5000/80 computer systems. In 1988, Ms Zechman's career led her to take a new position as a Local Area Network (LAN) Manager with the Provost Marshal at FT Meade, MD, where she was responsible for the development, configuration, and utilization of an Ethernet LAN Manager with the Provost Marshal at FT Meade, MD, where she was responsible for the development, configuration, and utilization of an Ethernet LAN. The Provost Marshal selected Ms Zechman as a Novell installer for the Forces Command where she assisted in the development of the Military Police Information System (MPIS) program and installed the program in Military Police offices throughout the United States. Ms. Zechman later took a job with the 902nd Military Intelligence Command, where she was responsible for determining if counter-intelligence information systems had been compromised. While working for the 902nd, Ms Zechman became a member of the computer crime unit and became certified as a Computer Crime Investigator. Additionally, she assisted the Counter Intelligence Agents in computer crime investigations and in the processing of evidence collected during investigations.

    Ms. Zechman has received numerous letters of appreciation and training during her career. She is presently returning to college to get a degree in Computer Information Systems.

Session 4: Regional Coordination Updates

  1. Incident Response Teams in Europe: status report - Don Stikvoort, CERT-NL, Netherlands and Klaus-Peter Kossakowski, DFN-CERT, Germany

    The European part of the Computer Security Incident Response scene has received some attention in literature during 1995, without any tangible results in the form of structural coordination or support of new teams however.

    As two of the still relatively few CERTs within Europe, the DFN-CERT and CERT-NL are existentially interested in the development of a suitable and efficient security infrastructure for the rapidly growing European part of the global network. From this point of view a brief overview of the European network situation is given, followed by an outline of the current Incident Response structure and its problems.

    In addition, recommendations concerning the future development of Incident Response within Europe are presented, emphasizing the importance of a cooperative approach and the creation of a European center of coordination. The status of the ongoing efforts to achieve these goals is reported.

    Don Stikvoort
    Born 1961 in Leiden, The Netherlands, Don Stikvoort graduated in Physics in 1987 at Leiden University in the area of Low Temperature Physics (pressure measurement in superfluid Helium film environments).

    After a 1,5 years management course in the Dutch Army and a 3 months hike in the Austrian Alps he joined SURFnet, the Dutch academic research network, in 1989. Starting as a network consultant he moved to the network management department in 1992 where he devoted most of his time until 1995 on the topics of lower-layer technology (X.25, IP, multiplexing and ATM), security (CERT-NL chairman) and Quality-of-Service.

    Since mid 1995 he is working as a manager in the area of communication services, involving development and management of higher-layer services, with an emphasis on e-mail and security, thus also continuing his CERT-NL position.

    Inside the security area his main topic of interest apart from leading CERT-NL, the incident handling team for SURFnet, is that of national and international coordination of incident handling. Accordingly he is an active member of FIRST and other security gremia and also co-initiator of ongoing attempts to found a European incident handling coordination core.

    Outside his work Don's main interest apart from his wife and two daughters are hiking and Alpinism, biking, ice-skating, good music and philosophy.

    Klaus-Peter Kossakowski
    Klaus-Peter Kossakowski was among the first members of the Virus Test Center. Since then he worked in the field of network security. Engaged with the DFN-CERT since its conception, he started his official work on January 1993, taking over the responsibility for administration and organisation.

    His special interests are international issues, cooperation and the establishment of an infrastructure for IRTs. He became a co-chair for the IETF WG Guidelines and Recommendations for Incident Processing -- GRIP.

    Actually he is writing his Ph. D. thesis about Computer Security Incident Handling and its integration into traditional risk management processes.

  2. Experience of Establishing IRT in Korea - Chae-ho Lim, CERT-KR, South Korea

    In Korea the the Internet online was started in 1989, and the first internet intrusions was happened in 1991. And then there were so many security incidents and those were introduced in the journal and paper as social problems.

    In 1995, we decided to launch IRT, CERT-Korea like US CERT and other teams overseas. To do this, we just looked over the documents from foreign CERTs and other IRTs. Without formal policies for this team, without detail incident handling procedures, it was very difficult job for us to operate team properly. After we contacted the other teams, we can recognize the right team policies, organization, constituency model, operational procedures, and internal incidents handling tools.

    In this presentation, it's decribed what were happened in CERT-Korea to deal this situation in 1995 and how we set up the correct IRT model this year.

    And finally the current status of Korean IRTs and cooperation is introduced.

    >From 1986, Chaeho Lim has been the technical staff for Korea Research Envisonment Open Network(KREONet), major Korea Internet sponsored by government. His experience on data communication and computer network got from there.

    In 1990, he had the master degree and its study topic is about OSI security architecture and transport layer security protocol. In 1991 he made a study meeting because there were several security intrusions in Korea.

    He became the chair of CERT-Korea and Korea Internet Security Group in the early of 1995. He attended FIRST workshop and visited AUSCERT last year to get the advises on CERT-Korea operation.

    And he finished Ph.D course work in the same year.

  3. CERT Strategic Incident Response and Statistics Update - Katherine T. Fithen, CERT Coordination Center, USA

    Katherine will discuss current incident trends and expertise, and incident statistics that CERT/CC have identified from inception in 1988 to present day. The presentation will conclude with a comparison of the intruder trends and CERT/CC statistics trends identified and how these trends highlight the need for continuing revision incident response strategies.

    Katherine Fithen is the Team Leader for the CERT Coordination Center Strategic Incident Response team. She has been part of the CERT/CC team for four years. The CERT Coordination Center provides technical assistance to Internet sites that have computer security issues, concerns, or have experienced a computer security compromise. Katherine has earned a Bachelor's degree in Retail Management, a Master's degree in Personnel Management, and a Master's degree in Information Science.

Session 5 - Team Coordination and Communication

  1. GRIP Overview - Klaus-Peter Kossakowski, DFN-CERT, Germany and Barbara Fraser, CERT Coordination Center, USA

    The Internet Engineering Task Force (IETF) is the standards body for the Internet. Originally, the standards were focused on protocols. However, over the past 6 years, it has been recognized that attention is needed both in the management aspects of the Internet as well in user services and they are many RFCs that are published on such topics. For the past year, the GRIP working group of the IETF has been writing a document that reflects the Internet community's expectation for incident response teams. This session will focus on what motivated the formation of this working group, the state of the current draft document, and user experiences with the document. The purpose is to both share information with the FIRST community and to solicit participation by members of the FIRST community.

    Klaus-Peter Kossakowski
    Klaus-Peter Kossakowski was among the first members of the Virus Test Center. Since then he worked in the field of network security. Engaged with the DFN-CERT since its conception, he started his official work on January 1993, taking over the responsibility for administration and organisation.

    His special interests are international issues, cooperation and the establishment of an infrastructure for IRTs. He became a co-chair for the IETF WG Guidelines and Recommendations for Incident Processing -- GRIP.

    Actually he is writing his Ph. D. thesis about Computer Security Incident Handling and its integration into traditional risk management processes.

    Barbara Fraser
    Barbara Fraser is a senior member of the technical staff at the Software Engineering Institute (SEI) located at Carnegie Mellon University. She is currently working in the Trustworthy Systems Program of the SEI and the CERT* Coordination Center. Barbara leads the security improvement tools and techniques activity area. Current efforts are focused on developing comprehensive security profiling and improvement methodologies.

    Barbara has been involved with the CERT Coordination Center since 1990 and is an internationally recognized speaker on the subject of Internet security. She has given many talks and courses on Internet security and security incident response, and she has worked with many organizations to help them understand and address security issues as they relate to the Internet.

    Barbara is active in the security area of the Internet Engineering Task Force and was one of the authors of RFC 1281, "Guidelines for the Secure Operation of the Internet." She is currently a member of the Security Area Directorate and chairs two IETF working groups.

    * CERT is a service mark of Carnegie Mellon University

  2. PGP Key Signing Party - Coordinator: Wolfgang Ley, DFN-CERT, Germany

    An important goal to allow exchange of sensitive information and to verify the originator of information passed to FIRST teams is to secure email.

    One popular software to authenticate and/or encrypt email is called PGP (Pretty Good Privacy) which offers RSA public-key usage. If you don't know what PGP is, or how to use it, then you are invited to join the Tutorial B on Sunday morning to learn more about encryption, authentication and key management including PGP and PEM. The rest of this mail may require some understanding of PGP key management, so it is addressed to people who are already using PGP.

    FIRST is using PGP to encrypt sensitive mails on the first mailing lists. An PGP FAQ for FIRST is available from the FIRST www server at

    One important part of PGP public key management is the creation of a "web of trust" where users certify the association of a key to a real person. To create or enhance this "web of trust" there is a PGP key signing session scheduled (on Wednesday afternoon). During this session the attendees will present their PGP key and verify the keys of the others. Back at home you are able to create a digital signature on the other key to confirm that you have checked that this key really belongs to the listed person. You are welcome to present your PGP key during this session and benefit from the international forum and the resulting certificates.

    To get more information and to register your key for the key signing session contact Wolfgang Ley ( *** until Thursday, 18th July ***.

    1. Your name and email address
    2. Your PGP public key (the result of "pgp -kxa ")
    3. Optional the PGP key of your team

    To verify the association between the PGP key and you as a person you need the following items *** at the PGP session on the conference ***

    1. A printout (on paper) of the fingerprint from your (and optional the team) PGP key. This is the output of "pgp -kvc "
    2. At least one official document including a photo of your (e.g. a passport or driving license)


International Law Enforcement Panel

What Incident Response Teams should know to protect themselves and their customers. Coordination of international incidents with law enforcement. What IRTs can and cannot do to assist clients when responding to incidents. To include representatives from the Australian, Dutch, US Secret Service, Italian, Canadian, USA law enforcement agencies.

Panel Members:
Harry Onderwater, Dutch NCIS Computer Crime Unit, Netherlands
William A. Perez, FBI, USA
Maurice Massart, RCMP, Canada
Byron Collie, Australian Federal Police, Australia
Maria Christina Ascenzi, Italian State Police, Italy
Keith Helton, United States Secret Service, USA

Vendor Panel

How vendors could help Incident Response Teams. How Incident Response Teams can help Vendors. Inter-vendor cooperation. Ask your vendor your favorite question. Each vendor will be asked to make a small presentation along a set format. SUN, HP, SGI, IBM, DEC, Microsoft, FreeBSD, Apple, AOL, Cisco and other firewall vendors.

Last modified: 16 Jul 1996

Current Maintainer of this page: John Fisher / CIAC /