
Fermi Computer Incident Response Team Computer Security Awareness Day March 8, 2005 Michael Diesburg.


1 Fermi Computer Incident Response Team Computer Security Awareness Day March 8, 2005 Michael Diesburg

2 What Is FCIRT?
– FCIRT – Fermi Computer Incident Response Team
– Group of computing experts who investigate compromised systems and guide cleanup
– On call 24x7
– FCIRT does not make policy. Its concern is with understanding how a compromise occurred and what actions are necessary to restore the system to production
– Think of it as a volunteer fire department

3 When Should You Contact FCIRT?
– Any time you suspect a system has been hacked or infected with a virus
– For any issues of unauthorized usage
– Any time you suspect a machine's usage is not in accordance with the rules of acceptable usage
– If in doubt, contact us

4 How To Contact FCIRT
– Normal contact is via e-mail: computer_security@fnal.gov
– The mail list is monitored on a regular basis during normal working hours; expect some delay in response after hours or on weekends
– You may also contact the Helpdesk
– For urgent issues call: 630-840-2345

5 How FCIRT Operates
FCIRT actions have several goals:
– Contain any damage
– Determine how the compromise occurred
– Oversee the cleanup of compromised systems and certify cleaned systems to be returned to normal use
– Assess how the compromise could have been avoided

6 How FCIRT Operates
Upon alert, FCIRT personnel first triage the suspected incident into one of three categories:
– No incident
– SMOKE – Further investigation required. Minor incident to be handled by local system managers under oversight of FCIRT
– FIRE – Major incident. FCIRT assumes full administrative control of the systems involved

7 How FCIRT Operates
SMOKE
– A SMOKE is declared if there is evidence that some compromise may have occurred and further investigation is required
– If investigation shows the problem is confined to a single system with limited impact on users, then cleanup is usually delegated to system managers
– Incidents which may have widespread impact may be elevated to FIREs

8 How FCIRT Operates
SMOKE
– Covers things like common viruses whose infection vector is well known
– Normal procedure:
  Use AV cleaning tools, or re-install from known good media
  Make sure all patches are up to date
  Scan all files with the latest AV signatures
  Make sure the node and all NICs are registered
  Return to service

9 How FCIRT Operates
FIRE
– A FIRE is declared when an incident involves major servers, impacts many users, or in any way adversely affects the mission of the lab
– FCIRT takes complete control of the systems in these cases
– May involve removal from the network, or in some cases even confiscation of equipment

10 How FCIRT Operates
FIRE
– First action is to contain the damage, either via a network block or by physically removing the system from the network
– The state of the system is then examined to determine how the compromise occurred:
  Weak passwords
  Known vulnerabilities
  Pilot error

11 How FCIRT Operates
FIRE
– Network records are examined to determine what other systems may have been involved
– A determination is made as to what must be done to protect the system from further compromise
– Copies of disks may be made at the request of government authorities
– The system is cleaned and returned to service
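The "network records are examined to determine what other systems may have been involved" step, as an added illustration (this is not FCIRT's own tooling, and the presentation gives no log format): given flow-style connection records, the compromised host's address, and the window between the first indicator and containment, list the peers that connected in (candidate sources of the compromise) and the peers the host reached out to (candidate lateral movement or command-and-control). The record format, addresses and sample lines below are constructed for the example.

```python
"""Pivot on connection records around a compromised host.

Added example, not code from the presentation. The log format
("timestamp src_ip src_port dst_ip dst_port proto") and all sample
records are constructed; substitute your own flow or firewall export.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records. 131.225.50.7 is the compromised host;
# the SSH login from 10.20.3.5 is followed by SMB probes of neighbours
# and an outbound IRC connection, then a neighbour connects back.
SAMPLE_FLOWS = """\
2005-03-07T22:58:10 131.225.9.14 40211 131.225.50.7 22 tcp
2005-03-07T23:01:44 10.20.3.5 51002 131.225.50.7 22 tcp
2005-03-07T23:05:12 131.225.50.7 33102 131.225.50.8 445 tcp
2005-03-07T23:05:30 131.225.50.7 33103 131.225.50.9 445 tcp
2005-03-07T23:06:01 131.225.50.7 33110 203.0.113.44 6667 tcp
2005-03-07T23:20:00 131.225.50.8 4711 131.225.50.7 22 tcp
2005-03-08T08:00:00 131.225.9.14 40300 131.225.50.7 22 tcp
"""


def parse_flows(text):
    """Yield (ts, src, sport, dst, dport, proto) tuples.

    Malformed lines are skipped rather than aborting the pivot, since
    exported logs often carry headers or truncated trailing lines.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            sport, dport = int(parts[2]), int(parts[4])
        except ValueError:
            continue
        yield ts, parts[1], sport, parts[3], dport, parts[5]


def pivot(text, victim, window_start, window_end):
    """Return peers of `victim` seen inside [window_start, window_end].

    Result: {"inbound": {peer: {(proto, dport), ...}},
             "outbound": {peer: {(proto, dport), ...}}}
    Inbound peers connected TO the victim (possible source of compromise);
    outbound peers were contacted BY the victim (possible lateral movement
    or command-and-control). Ports are kept so the analyst can see what
    service was used and decide which peers to triage next.
    """
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    inbound, outbound = defaultdict(set), defaultdict(set)
    for ts, src, _sport, dst, dport, proto in parse_flows(text):
        if not (start <= ts <= end):
            continue
        if dst == victim:
            inbound[src].add((proto, dport))
        elif src == victim:
            outbound[dst].add((proto, dport))
    return {"inbound": dict(inbound), "outbound": dict(outbound)}


if __name__ == "__main__":
    # Window: first indicator at 23:00, network block applied at 23:30.
    result = pivot(SAMPLE_FLOWS, "131.225.50.7",
                   "2005-03-07T23:00:00", "2005-03-07T23:30:00")
    for direction in ("inbound", "outbound"):
        print(direction)
        for peer, ports in sorted(result[direction].items()):
            print("  ", peer, sorted(ports))
```

Every outbound peer in the window is a candidate for its own SMOKE/FIRE triage; the 23:20 connection back from 131.225.50.8 is the kind of record that would elevate it from "probed" to "probably compromised". Widen the window if the first indicator time is uncertain, since a window that starts too late drops the initial inbound connection.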

12 How FCIRT Operates
Reporting
– Any computing incident also triggers several reporting streams
– In the case of a FIRE, the relevant system managers, division heads, and CSExec are notified
– In some instances appropriate government agencies will be informed
– Daily reports are made to the above until the incident is closed

