The 9th Annual FIRST Conference and Workshop on
Computer Security Incident Handling and Response

sponsored by

The Forum of Incident Response and Security Teams (FIRST)

June 23 to June 27, 1997
Marriott Hotel, Bristol, England


If your browser does not support tables, then please read this version without tables.


Sunday, June 22, 1997

6:00pm-8:00pmOn-Site Registration
6:00pm-8:00pmIcebreaker and Early Arrival Get-Together


Monday, June 23, 1997

8:00am-On-Site Registration
9:00am-5:30pm
"Establishing an Incident Response Team" (full day tutorial)
Instructors: Sandy Sparks (CIAC)
Kathy Fithen (CERT-CC)
Marianne Swanson (NIST)
Pat Zechman (SAIC)
10:30am-11:00amRefreshment Break
12:30pm-2:00pmLunch Break
2:00pm-5:30pm
"International Internet Law Developments circa June 1997:
If You Can See It, You Can Sue It"
Instructor: William J. Cook
(Brinks Hofer Gilson & Lione, Intellectual Property Attorneys)
3:30pm-4:00pmRefreshment Break


Tuesday, June 24, 1997

8:00am-On-Site Registration
9:00am-9:30amWelcoming Remarks
9:30am-10:30am
Keynote Address: John Austen
Managing Director, Computer Crime Ltd. and lecturer in Information Security, Royal Holloway College, University of London. Previously Head of Computer Crime, New Scotland Yard (1984-1996) and Chairman, Interpol Computer Crime Committee (1990 - 1996)
10:30am-11:00amRefreshment Break
11:00am-12:30pm
FIRST Team Update Presentations
Coordinator: Klaus-Peter Kossakowski (DFN-NSCC)
12:30pm-2:00pmLunch Break
2:00pm-3:30pm
Incident Characterization
Session Chair: Brian Dunphy (ASSIST)

"The Evolution and Mutation of Hacks/Incidents"
Author: John Pescatore (Trusted Information Systems)

"Characterizing Intruder(s) Methods of Operation"
Author: Steve Romig (Ohio State University)

"Why Are Some Incidents Never Solved?"
Author: Wolfgang Ley (DFN-CERT)

3:30pm-4:00pmRefreshment Break
4:00pm-5:30pm
"Report of the Task Force on the Future of FIRST, Presentation and Discussion"
Moderator: Moira West-Brown (CERT-CC)
7:00pm-9:00pm
BoF (Birds of a Feather) Sessions
Coordinator: Wolfgang Ley (DFN-CERT)


Wednesday, June 25, 1997

8:00am-On-Site Registration
9:00am-10:30am
Tools 1 - Incident Response
Session Chair: Roger Safian (Northwestern University)

"The Design and Creation of a UNIX Based Automated Incident Response System"
Author: Dr. Eric A. Fisch (Trident Data Systems)
Udo Pooch (Texas A&M University)
Greg White (USAF Academy)

"Intruder Containment - An Automated Method of Response to Potential Security Incidents"
Authors: Paul C Brutch (Texas A&M University)
Willis Marti (Texas A&M University)
Udo Pooch (Texas A&M University)
Dhiraj Pradhan (Texas A&M University)
Greg White (USAF Academy)

"Incident and Request Handling System (IRHS)"
Author: John Fisher (CIAC)

10:30am-11:00am Refreshment Break
11:00am-12:30pm
Response Team Operations
Session Chair: Paul Mauvais (CIAC)

"Third Party Network Audit Experience"
Authors: Michel Miqueu (CNES)
Serge Tapia (Alcatel TITN Answare)

"Public Key Infrastructures"
Author: Wolfgang Ley (DFN-CERT)

"Coordinating Multi-Vendor Vulnerabilities - Why is it so difficult?"
Author: Eric Halil (AUSCERT)

12:30pm-2:00pmLunch Break
2:00pm-3:30pm
"Opening The Vendor Black Box"
Coordinator: Miguel J. Sanchez (SGI)
3:30pm-4:00pmRefreshment Break
4:00pm-5:30pm
FIRST PGP Key-Signing Session
Coordinator: Wolfgang Ley (DFN-CERT)
7:30pm-10:00pmConference Banquet


Thursday, June 26, 1997

8:00am-On-Site Registration
9:00am-10:30am
"Information Sharing Amongst Incident Response Teams"
Coordinator: Dr. Eric A. Fisch (Trident Data Systems)
10:30am-11:00am Refreshment Break
11:00am-12:30pm
"Public Communications in the World of Incident Response"
Presentors: Terry McGillen (CERT-CC)
Katherine Fithen (CERT-CC)
12:30pm-2:00pmLunch Break
2:00pm-5:30pm
FIRST General Meeting
The general meeting agenda will be e-mailed to the FIRST Teams prior to the conference.
Attendance and participation at the FIRST Steering Committee and General Meetings is limited to FIRST team members and their invited guests.
3:30pm-4:00pmRefreshment Break


Friday, June 27, 1997

9:00am-10:30am
Tools 2 - Incident Monitoring and Management
Session Chair: Eric Halil (AUSCERT)

"Hey, Who Took My Keyboard?"
Author: Steven Branigan (Lucent Technologies)

"Review - A Tool for Reviewing Tcpdump Packet Logs"
Author: Steve Romig (Ohio State University)

10:30am-11:00amRefreshment Break
11:00am-12:30pm
Response Team Management
Session Chair: Thomas Lenggenhaser (SWITCH-CERT)

"Incident Control via Incident Prevention"
Author: Dr. Eric A. Fisch (Trident Data Systems)

"From Incident Response to Incident Management"
Author: Klaus-Peter Kossakowski (DFN-NSCC)

"An Institutional Approach to Incident Response Team Staff Education & Certification"
Author: Asst. Prof. Ahmet Koltuksuz (Izmir Institute of Technology)

12:30pm-2:00pmLunch Break
2:00pm-3:30pmClosing Session