NETWORK WORLD NEWSLETTER: M. E. KABAY ON SECURITY 08/19/04 Today's focus: CIRT management: Tracking incidents
Today's focus: CIRT management: Tracking incidents
By M. E. Kabay

In this installment of my continuing series on Computer Incident Response Team management, I'll review a few principles and give some practical pointers for effective response to security breaches and other operational difficulties. Today, I'll focus on some of the advantages, requirements and tools for incident tracking.

ADVANTAGES:

Keeping track of all technical support calls is essential for effective incident handling.
Having details available to all members of the CIRT in real time, and for research and analysis later, serves many functions:

* Communication among team members: Having the details written down in one place means that team members can pass a case from one to another and share data efficiently.
* Better client service: Callers become frustrated when they have to repeat the same information to several people in a row; a good incident-tracking system reduces that kind of irritation.
* Documentation for effective problem-solving: A good base of documented experience can help find the right procedure and the right solution quickly.
* Institutional memory: When experience is written down and accessible, the organization's capacity to respond quickly and correctly to incidents improves over time.
* Follow-up with clients: Managers can use the incident database to prepare management reports and to follow up with specific clients to understand and resolve difficulties or complaints.
* Forensic evidence: Detailed, accurate and correctly timestamped notes can be a deciding element in successful prosecution of malefactors.

REQUIREMENTS:

Some of the more obvious requirements of any incident-handling system are listed below. Most are self-explanatory, but I've added comments to a few of them:

* Unique identifier for each case.
* Dates and times for all events.
* Who currently controls the case: It should be instantly obvious who is in charge of solving the problem.
* Keywords.
* Contact information: Every person in the case should be listed, with room for phone, e-mail and fax numbers.
* Handover of control: Whenever someone takes over control of the case, that handover should be noted in the record.
* Technical details, including:
  - Diagnostics
  - Tests of hypotheses
* Resolution: What was the outcome? When was the case closed?
* Search facilities: Full-text search capabilities.
* Knowledge base: Ability to integrate vendor-supplied entries to speed research.

In an online discussion by someone called "DonaldA-M", I noted two additional points I hadn't thought of:

* Industry-standard database engine: Easy to learn, maintain and improve.
* Accept input from comma-separated value (CSV) files: Import data from other systems.

TOOLS:

There's a wide range of software available for tracking incidents. You can build your own, but then you'll have to provide proper documentation and training materials, because turnover is a constant problem for CIRTs. In addition, unless your analysts have experience with the CIRT function, they are likely to miss useful features that have accumulated over the years in products used by thousands of people.

I have provided a short list of proprietary (commercial) help desk products in the Readings section below. You will want to use the Network World Fusion search at <http://search.nwfusion.com/query.html?qt=help+desk> to see an extensive list of articles on this topic. There are also well-respected open-source tools listed below.

All such tools can be complex; since you don't want people fumbling about in an emergency, be sure that you budget for adequate training for your staff as you implement the tool you select.

* * *

For Further Reading

"DonaldA-M" (2003). Good, but there's more... <http://tinyurl.com/4bcve>

Cerberus Helpdesk <http://cerberusweb.com/>

DISA (2001). Introduction to Computer Incident Response Team (CIRT) Management. Defense Information Systems Agency, U.S. Department of Defense. See <http://iase.disa.mil/eta/> to download a full PDF catalog of free training materials.

Help Desk Institute <http://www.thinkhdi.com/>

HelpMaster Pro Suite <http://www.prd-software.com.au/prd/help-desk-products/>

Open Source Ticket Request System (OTRS) <http://otrs.org/>

Request Tracker (RT) <http://www.bestpractical.com/rt/>

TrackIt! <http://www.itsolutions.intuit.com/Track-It.asp>

Ward, J. (2003).
Evaluate help desk call-tracking software with these criteria. <http://techrepublic.com.com/5100-6270-5030618.html?tag=series>

Ward, J. (2003). Product review: HEAT PowerDesk, call center tracking software. <http://techrepublic.com.com/5100-6270-5034947.html>

Ward, J. (2003). Product review: HelpMaster call center tracking software. <http://techrepublic.com.com/5100-6270-5034721.html>

_______________________________________________________________

To contact: M. E. Kabay

M. E. Kabay, Ph.D., CISSP, is Associate Professor in the Division of Business and Management at Norwich University in Northfield, Vt. Mich can be reached by e-mail <mailto:[EMAIL PROTECTED]> and his Web site <http://www2.norwich.edu/mkabay/index.htm>.
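Returning to the REQUIREMENTS list in the article: the example below is an illustration added to this page, not code from the newsletter or from any of the help desk products it names. It is a minimal incident-tracking store in Python on top of SQLite that implements the listed requirements as a data model: a unique identifier per case, UTC-timestamped entries for every event, a current-owner field whose every change is recorded as a handover event in the same transaction, contact records with phone, e-mail and fax, diagnostics and hypothesis tests as append-only notes, a resolution with close time, full-text search across summaries, keywords, resolutions and notes, and CSV import of cases from another system. The case, people and contact details in demo() are constructed sample data, and the CSV column layout is an assumption for the example.

```python
"""Minimal incident-tracking store for the requirements listed in the article.
Added illustration, not code from the newsletter or any product it names;
every incident, person and contact detail below is constructed sample data."""
import csv
import io
import sqlite3
import uuid
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE incident (id TEXT PRIMARY KEY,   -- unique identifier for each case
    opened_at TEXT NOT NULL, closed_at TEXT,  -- ISO 8601 UTC; closed_at is NULL while open
    owner TEXT NOT NULL,                      -- who currently controls the case
    keywords TEXT NOT NULL, summary TEXT NOT NULL, resolution TEXT);
CREATE TABLE contact (incident_id TEXT REFERENCES incident(id),
    name TEXT, role TEXT, phone TEXT, email TEXT, fax TEXT);
CREATE TABLE event (incident_id TEXT REFERENCES incident(id),  -- append-only record
    at TEXT NOT NULL, actor TEXT NOT NULL, kind TEXT NOT NULL, note TEXT NOT NULL);
"""
INSERT_EVENT = "INSERT INTO event VALUES (?, ?, ?, ?, ?)"


def now_utc():
    """UTC timestamps keep notes from different sites and shifts in one consistent order."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class IncidentTracker:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")  # any standard SQL engine would do; SQLite keeps this self-contained
        self.db.executescript(SCHEMA)

    def open_case(self, owner, summary, keywords, case_id=None, opened_at=None):
        case_id, opened_at = case_id or str(uuid.uuid4()), opened_at or now_utc()
        with self.db:  # the case row and its first event commit together or not at all
            self.db.execute("INSERT INTO incident (id, opened_at, owner, keywords, summary)"
                            " VALUES (?, ?, ?, ?, ?)", (case_id, opened_at, owner, keywords, summary))
            self.db.execute(INSERT_EVENT, (case_id, opened_at, owner, "opened", summary))
        return case_id

    def add_contact(self, case_id, name, role, phone="", email="", fax=""):
        with self.db:
            self.db.execute("INSERT INTO contact VALUES (?, ?, ?, ?, ?, ?)",
                            (case_id, name, role, phone, email, fax))

    def log(self, case_id, actor, kind, note):
        # Diagnostics and hypothesis tests are appended; earlier rows are never edited.
        with self.db:
            self.db.execute(INSERT_EVENT, (case_id, now_utc(), actor, kind, note))

    def hand_over(self, case_id, new_owner, reason):
        """Change who controls the case and record the handover in the same transaction."""
        old_owner = self.current_owner(case_id)
        with self.db:
            self.db.execute(INSERT_EVENT, (case_id, now_utc(), old_owner, "handover",
                                           f"{old_owner} -> {new_owner}: {reason}"))
            self.db.execute("UPDATE incident SET owner = ? WHERE id = ?", (new_owner, case_id))
        return new_owner

    def close_case(self, case_id, resolution):
        closed_at = now_utc()
        with self.db:
            self.db.execute(INSERT_EVENT, (case_id, closed_at, self.current_owner(case_id), "resolution", resolution))
            self.db.execute("UPDATE incident SET closed_at = ?, resolution = ? WHERE id = ?", (closed_at, resolution, case_id))

    def current_owner(self, case_id):
        row = self.db.execute("SELECT owner FROM incident WHERE id = ?", (case_id,)).fetchone()
        return row[0] if row else None

    def history(self, case_id):
        # Events in the order recorded, as (timestamp, actor, kind, note) tuples.
        return self.db.execute("SELECT at, actor, kind, note FROM event WHERE incident_id = ?"
                               " ORDER BY rowid", (case_id,)).fetchall()

    def search(self, text):
        """Case-insensitive search over summaries, keywords, resolutions and every event note."""
        pattern = f"%{text}%"
        rows = self.db.execute(
            "SELECT DISTINCT i.id FROM incident i LEFT JOIN event e ON e.incident_id = i.id"
            " WHERE i.summary LIKE ? OR i.keywords LIKE ? OR IFNULL(i.resolution, '') LIKE ? OR e.note LIKE ?",
            (pattern,) * 4).fetchall()
        return sorted(r[0] for r in rows)

    def import_csv(self, csv_text):
        rows = list(csv.DictReader(io.StringIO(csv_text)))  # assumed columns: id,opened_at,owner,keywords,summary
        for row in rows:
            self.open_case(row["owner"], row["summary"], row["keywords"], case_id=row["id"], opened_at=row["opened_at"])
        return len(rows)


def demo():
    """Walk one constructed case through its life, then import one constructed legacy record."""
    tracker = IncidentTracker()
    case = tracker.open_case("alice", "Mail server rejecting connections", "smtp,outage")
    tracker.add_contact(case, "Reporting user", "caller", phone="555-0100", email="user@example.com")
    tracker.log(case, "alice", "diagnostic", "Mail queue backed up; /var at 100% full")
    tracker.log(case, "alice", "hypothesis", "Log rotation failed; rotated logs by hand, queue draining")
    tracker.hand_over(case, "bob", "end of shift")
    tracker.close_case(case, "Disk freed; logrotate configuration corrected")
    tracker.import_csv("id,opened_at,owner,keywords,summary\n"
                       "LEGACY-001,2004-08-01T09:00:00+00:00,carol,vpn,VPN tunnel drops hourly\n")
    return tracker, case
```

Running demo() and printing tracker.history(case) shows the five entries in order (opened, diagnostic, hypothesis, handover, resolution), each with its UTC timestamp and the person who made it; that ordered, attributed record is what the "Forensic evidence" and "Handover of control" points above ask for. The handover is written as an event before the owner field changes, inside one transaction, so the record never shows a new owner without the note explaining how the case got there.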
