Best Practices
Contest: Protect

June 22-27, 2008
Hyatt Regency Vancouver
British Columbia, Canada

20th Annual FIRST Conference

Best Practices Contest 2008: Protect

In conjunction with the 2008 FIRST annual conference in Vancouver, Canada, the CERT Coordination Center and the Forum of Incident Response and Security Teams (FIRST) jointly held the first-ever international competition honoring best practices and advances in safeguarding the security of computer systems and networks. The purpose of the contest was to honor experts worldwide who have developed best practices to prevent cyber attacks or mitigate attacks that are unfolding.

The 2008 contest focused on two fields of security activity—prevention and mitigation—under the banner "Protect," reflecting the first phase of a computer security incident response team's cycle of activity: Protect, Detect, Respond and Sustain. Preventive actions were defined as those that secure and fortify systems and networks, decreasing the chances of an attack against infrastructure. Mitigation involves changing the enterprise infrastructure to contain, eradicate or fix actual or potential malicious activity.

2008 Winners

Call for Submission: System and Network Security Best Practices

The Forum of Incident Response and Security Teams (FIRST) annual conference brings together computer security incident response teams (CSIRTS), Government officials, researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the field of computer system and network security. FIRST and the CERT Coordination Center will host a best practices contest during the 2008 FIRST annual conference in Vancouver, Canada. The purpose is to identify and share the CSIRT community's best practices in order to help organizations use methods that most effectively mitigate security threats globally.

All interested parties are encouraged to submit the best practices they use to improve and maintain a high standard of information security in the topic area Protect as described below. Submissions are due on April 30, 2008 11:59pm (U.S. Eastern Standard Time, UTC-5).

An evaluation committee will review the submitted best practices and give an award for the top two. FIRST and the CERT Coordination Center will present the awards during the 2008 FIRST annual conference.

The first place will be awarded with USD 5,000 (five thousand US Dollars), and the second place a USD 2,500 (twenty five hundred US Dollars) award.

Best Practices Contest Topic: Protect

The topic for this year's best practices contest is chosen from the operational activity cycle within CSIRTs. This cycle is typically divided into four categories: Protect, Detect, Respond, and Sustain. This year's topic will be focused on the Protect category.

The Protect process describes actions taken to prevent attacks from happening and to mitigate the impact of those that have already occurred. Preventative actions secure and fortify systems and networks. They decrease the likelihood of successful attacks against an organization's infrastructure. Such steps can include:

  • implementing defense-in-depth and other security best practices to ensure systems and networks are securely designed, configured, and implemented
  • performing security audits, vulnerability assessments, and other infrastructure evaluations to identify and address any weaknesses or exposure before they are exploited
  • collecting information about new risks and threats and evaluating their impact on the organization

Mitigation involves making changes in the enterprise infrastructure to contain, eradicate, or fix actual or potential malicious activity. Such actions might include:

  • making changes in filters on firewalls, routers, or mail servers to prohibit malicious packets from entering the infrastructure
  • updating intrusion detection systems (IDSs) or anti-virus signatures to identify and contain new threats
  • installing patches for vulnerable software

Teams may alter their organization's infrastructure based on process improvement changes and lessons learned from a postmortem review after they have handled an incident. These types of changes are made to prevent reoccurrence of the same or similar incidents.

Best Practices Submission Guidelines

  • Individuals, working groups, teams, or organizations can submit their best practices. The submitter does not need to be a member of FIRST.
  • All submissions should be made by the intellectual property owner or with the permission of the owner. Where employer, client, or government authorization is needed, it is the responsibility of the author(s) to obtain such authorization prior to submitting the final materials.
  • All submissions must reflect original work and must adequately document any overlap with previously published or simultaneously submitted papers from any of the authors.
  • FIRST and CERT Coordination Center require a non-exclusive, royalty-free copyright license for all submitted papers. This includes distribution on websites and in publications.
  • Paper submissions are due on April 30, 2008 11:59pm (U.S. Eastern Standard Time, UTC-5, firm deadline). All submissions should be made online via email. Submissions should be finished, complete papers.
  • Submissions received after the deadline (see Important Dates below) will not be considered unless the evaluation committee chair has granted an extension.
  • Submit papers to Submission will be acknowledged within 48 hours of receipt.
  • Submissions must be in PDF format (i.e., processed by Adobe's Acrobat Distiller or equivalent) and printable.
  • All submissions will be judged on originality, relevance, correctness, and clarity.
  • For blind review, some information may be sanitized from the original paper by collectors and handed to the evaluation committee.
  • Papers accompanied by nondisclosure agreement forms will not be considered. All submissions will be treated as confidential prior to publication.
  • Send questions about submissions to

20th Annual Conference Sponsorship Team