Fermi Computer Incident Response Team Computer Security Awareness Day March 8, 2005 Michael Diesburg.


What Is FCIRT?
FCIRT – Fermi Computer Incident Response Team
– Group of computing experts who investigate compromised systems and guide cleanup
– On call 24x7
– FCIRT does not make policy. Their concern is with understanding how a compromise occurred and what actions are necessary to restore the system to production
– Think of it as a volunteer fire department

When Should You Contact FCIRT?
– Any time you suspect a system has been hacked or infected with a virus
– For any issues of unauthorized usage
– Any time you suspect a machine's usage is not in accordance with the rules of acceptable usage
– If in doubt, contact us

How To Contact FCIRT
– Normal contact is via the FCIRT mail list, which is monitored on a regular basis during normal working hours. Expect some delay in response after hours or on weekends
– You may also contact the Helpdesk
– For urgent issues call:

How FCIRT Operates
FCIRT actions have several goals:
– Contain any damage
– Determine how the compromise occurred
– Oversee the cleanup of compromised systems and certify cleaned systems to be returned to normal use
– Assess how the compromise could have been avoided

How FCIRT Operates
Upon alert, FCIRT personnel first triage the suspected incident:
– No incident
– SMOKE – Further investigation required. Minor incident to be handled by local system managers under oversight of FCIRT
– FIRE – Major incident. FCIRT assumes full administrative control of the systems involved

How FCIRT Operates: SMOKE
– A SMOKE is declared if there is evidence that some compromise may have occurred and further investigation is required
– If investigation shows the problem is confined to a single system with limited impact on users, then cleanup is usually delegated to system managers
– Incidents which may have widespread impact may be elevated to FIREs

How FCIRT Operates: SMOKE
– Covers things like common viruses whose infection vector is well known
– Normal procedure:
  Use AV cleaning tools, or re-install from known good media
  Make sure all patches are up to date
  Scan all files with the latest AV signatures
  Make sure the node and all NICs are registered
  Return to service

How FCIRT Operates: FIRE
– A FIRE is declared when an incident involves major servers, impacts many users, or in any way adversely affects the mission of the lab
– FCIRT takes complete control of systems in these cases
– May involve removal from the network, or in some cases even confiscation of equipment

How FCIRT Operates: FIRE
– First action is to contain the damage, either via a network block or by physically removing the system from the network
– The state of the system is then examined to determine how the compromise occurred:
  Weak passwords
  Known vulnerabilities
  Pilot error

How FCIRT Operates: FIRE
– Network records are examined to determine what other systems may have been involved
– A determination is made as to what must be done to protect the system from compromise
– Copies of disks may be made at the request of government authorities
– The system is cleaned and returned to service

How FCIRT Operates: Reporting
– Any computing incident also triggers several reporting streams
– In case of a FIRE, the relevant system managers, division heads, and CSExec are notified
– In some instances appropriate government agencies will be informed
– Daily reports are made to the above until the incident is closed
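The triage levels, the SMOKE-to-FIRE escalation rule, the reporting streams and the SMOKE return-to-service checklist from the slides above, encoded as an added Python example that is not part of the original presentation or of FCIRT's own tooling. The Alert fields and the MANY_USERS threshold are assumptions, since the slides give no numeric criteria.

```python
from dataclasses import dataclass
from enum import Enum

class Level(Enum):
    NONE = "No incident"
    SMOKE = "SMOKE"  # minor: local system managers clean up under FCIRT oversight
    FIRE = "FIRE"    # major: FCIRT takes full administrative control

@dataclass
class Alert:
    """Facts gathered at first contact (field names are assumed for this example)."""
    evidence_of_compromise: bool
    systems_involved: int = 1
    major_server: bool = False
    users_impacted: int = 0
    mission_impact: bool = False

MANY_USERS = 50  # assumed threshold; the slides only say "many users"

def triage(a: Alert) -> Level:
    """FIRE for major servers, many users or mission impact; SMOKE if evidence needs investigation."""
    if a.major_server or a.users_impacted >= MANY_USERS or a.mission_impact:
        return Level.FIRE
    return Level.SMOKE if a.evidence_of_compromise else Level.NONE

def reassess(level: Level, a: Alert) -> Level:
    """A SMOKE that investigation shows is not confined to one system is elevated."""
    if level is Level.SMOKE and a.systems_involved > 1:
        return Level.FIRE
    return level

def notify(level: Level, government_interest: bool = False) -> list[str]:
    """Reporting streams: all incidents reach FCIRT; a FIRE also reaches management."""
    who = ["FCIRT"]
    if level is Level.FIRE:
        who += ["system managers", "division heads", "CSExec"]
        if government_interest:
            who.append("government agencies")
    return who

# Return-to-service gate taken from the SMOKE procedure slide.
SMOKE_CHECKLIST = ("cleaned with AV tools or reinstalled from known good media",
                   "all patches up to date",
                   "all files scanned with latest AV signatures",
                   "node and all NICs registered")

def blocking_items(done: set[str]) -> list[str]:
    """Checklist items still open; the system stays out of service until this is empty."""
    return [item for item in SMOKE_CHECKLIST if item not in done]
```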