Fermi Computer Incident Response Team
Computer Security Awareness Day, March 8, 2005
Michael Diesburg
What Is FCIRT?
• FCIRT: Fermi Computer Incident Response Team
• Group of computing experts who investigate compromised systems and guide cleanup
• On call 24x7
• FCIRT does not make policy. Their concern is with understanding how a compromise occurred and what actions are necessary to restore the system to production
• Think of it as a volunteer fire department
When Should You Contact FCIRT?
• Any time you suspect a system has been hacked or infected with a virus
• For any issues of unauthorized usage
• Any time you suspect a machine's usage is not in accordance with the rules of acceptable usage
• If in doubt, contact us
How To Contact FCIRT
• Normal contact is via e-mail: computer_security@fnal.gov
• The mail list is monitored on a regular basis during normal working hours. Expect some delay in response after hours or on weekends
• You may also contact the Helpdesk
• For urgent issues call: 630-840-2345
How FCIRT Operates
• FCIRT actions have several goals:
  • Contain any damage
  • Determine how the compromise occurred
  • Oversee the cleanup of compromised systems and certify cleaned systems to be returned to normal use
  • Assess how the compromise could have been avoided
How FCIRT Operates
• Upon alert, FCIRT personnel first triage the suspected incident:
  • No incident
  • SMOKE – Further investigation required. Minor incident to be handled by local system managers under oversight of FCIRT
  • FIRE – Major incident. FCIRT assumes full administrative control of the systems involved
How FCIRT Operates
• SMOKE
  • A SMOKE is declared if there is evidence that some compromise may have occurred and further investigation is required
  • If investigation shows the problem is confined to a single system with limited impact on users, then cleanup is usually delegated to system managers
  • Incidents which may have widespread impact may be elevated to FIREs
How FCIRT Operates
• SMOKE
  • Covers things like common viruses whose infection vector is well known
  • Normal procedure:
    • Use AV cleaning tools, or re-install from known good media
    • Make sure all patches are up to date
    • Scan all files with the latest AV signatures
    • Make sure the node and all NICs are registered
    • Return to service
How FCIRT Operates
• FIRE
  • A FIRE is declared when an incident involves major servers, impacts many users, or in any way adversely affects the mission of the lab
  • FCIRT takes complete control of systems in these cases
  • May involve removal from the network, or in some cases even confiscation of equipment
How FCIRT Operates
• FIRE
  • First action is to contain the damage, either via a network block or by physically removing the system from the network
  • The state of the system is then examined to determine how the compromise occurred:
    • Weak passwords
    • Known vulnerabilities
    • Pilot error
How FCIRT Operates
• FIRE
  • Network records are examined to determine what other systems may have been involved
  • A determination is made as to what must be done to protect the system from compromise
  • Copies of disks may be made at the request of government authorities
  • System is cleaned and returned to service
How FCIRT Operates
• Reporting
  • Any computing incident also triggers several reporting streams
  • In case of a FIRE, the relevant system managers, division heads, and CSExec are notified
  • In some instances appropriate government agencies will be informed
  • Daily reports are made to the above until the incident is closed