120 likes | 201 Views
Fermi Computer Incident Response Team. Computer Security Awareness Day March 8, 2005 Michael Diesburg. What Is FCIRT?. FCIRT Fermi Computer Incident Response Team Group of computing experts who investigate compromised systems and guide cleanup On call 24x7
E N D
Fermi Computer Incident Response Team Computer Security Awareness Day March 8, 2005 Michael Diesburg
What Is FCIRT? • FCIRT • Fermi Computer Incident Response Team • Group of computing experts who investigate compromised systems and guide cleanup • On call 24x7 • FCIRT does not make policy. Their concern is with understanding how a compromise occurred and what actions are necessary to restore the system to production • Think of it as a volunteer fire department
When Should You Contact FCIRT? • Any time you suspect a system has been hacked or infected with a virus. • For any issues of unauthorized usage. • Anytime you suspect a machines usage is not in accordance with the rules of acceptable usage. • If in doubt, contact us
How To Contact FCIRT • Normal contact is via e-mail: computer_security@fnal.gov • Mail list is monitored on regular basis during normal working hours. Some delay in response after hours or on weekends • You may also contact Helpdesk • For urgent issues call: 630-840-2345
How FCIRT Operates • FCIRT actions have several goals: • Contain any damage • Determine how compromise occurred • Oversee the cleanup of compromised systems and certify cleaned systems to be returned to normal use • Assess how compromise could have been avoided
How FCIRT Operates • Upon alert, FCIRT personnel first triage the suspected incident: • No incident • SMOKE - Further investigation required. Minor incident to be handled by local system managers under oversight of FCIRT • FIRE – Major incident. FCIRT assumes full administrative control of the systems involved.
How FCIRT Operates • SMOKE • A SMOKE is declared if there is evidence that some compromise may have occurred and further investigation is required • If investigation shows problem is confined to single system with limited impact on users, then cleanup is usually delegated to system managers • Incidents which may have widespread impact may be elevated to FIREs
How FCIRT Operates • SMOKE • Covers things like well common viruses whose infection vector is well known. • Normal procedure: • Use AV cleaning tools • Or re-install form known good media. • Make sure all patches are up to date • Scan all files with latest AV signatures • Make sure node and all NICs are registered • Return to service
How FCIRT Operates • FIRE • A FIRE is declared when incident involves major servers, impacts many users, or in any way adversely effects the mission of the lab. • FCIRT takes complete control of systems in these cases • May involve removal form network, or in some cases even confiscation of equipment
How FCIRT Operates • FIRE • First action is to contain the damage. Either via network block or by physically removing the system from network. • State of the system is then examined to determine how the compromise occurred • Weak passwords • Known vulnerabilities • Pilot error
How FCIRT Operates • FIRE • Network records are examined to determine what other systems may have been involved • Determination is made as to what must be done to protect the system from compromise • Copies of disks may be made at the request of government authorities • System is cleaned and returned to service
How FCIRT Operates • Reporting • Any computing incident also triggers several reporting streams • In case of a FIRE, the relevant system managers, division heads, and CSExec are notified • In some instances appropriate government agencies will be informed • Daily reports are made to the above until the incident is closed