Anne's comments on draft-04, 1/4: typos
Appended is a list of typos and other trivia for the "04" draft. It is
in the form of a context diff, but on documents from which the page
breaks have been removed, so the line numbers will differ from those of
the formatted version. Nevil, or whoever has the master copy, if your
"patch" is unable to apply this patch, or if you'd rather I send the
diffs in a different way, or if you'd rather have just my corrected
version of the document, please let me know.
Anne.
--
Ms. Anne Bennett, Computing Services, Concordia University, Montreal H3G 1M8
anne@alcor.concordia.ca (514) 848-7606
----------------------------------------------------------------------------
*** draft-04.noformat.original Tue Mar 25 20:57:54 1997
--- draft-04.noformat.typos-fixed Mon Mar 31 11:36:24 1997
***************
*** 41,47 ****
the policies and procedures of "their" Security Incident Response Team.
One way to support this understanding is to supply detailed information
which users may consider, in the form of a formal template completed by
! the SIRT. An outline of such a template and a filled in example is
provided.
Table of Contents
--- 41,47 ----
the policies and procedures of "their" Security Incident Response Team.
One way to support this understanding is to supply detailed information
which users may consider, in the form of a formal template completed by
! the SIRT. An outline of such a template and a filled in example are
provided.
Table of Contents
***************
*** 49,55 ****
1 Introduction 1
2 Scope..............................................................3
! 2.1 Publishing a SIRT Policies and Procedures .....................4
2.2 Relationships between different SIRTs .........................5
2.3 Establishing Secure Communications ............................6
--- 49,55 ----
1 Introduction 1
2 Scope..............................................................3
! 2.1 Publishing SIRT Policies and Procedures .......................4
2.2 Relationships between different SIRTs .........................5
2.3 Establishing Secure Communications ............................6
***************
*** 66,72 ****
3.4.2 Co-operation and Interaction with other Organizations...12
3.4.3 Reporting and Disclosure................................13
3.4.4 Communication and Authentication........................14
! 3.4.5 Point of Customer Contacts..............................14
3.5 Services .....................................................15
3.6 Incident Reporting Forms .....................................15
3.7 Disclaimers ..................................................16
--- 66,72 ----
3.4.2 Co-operation and Interaction with other Organizations...12
3.4.3 Reporting and Disclosure................................13
3.4.4 Communication and Authentication........................14
! 3.4.5 Points of Customer Contact..............................14
3.5 Services .....................................................15
3.6 Incident Reporting Forms .....................................15
3.7 Disclaimers ..................................................16
***************
*** 111,117 ****
general interest.
Since it is vital that each member of a constituent community be
! able to understand what is reasonable to expect of their team, A SIRT
should make it clear who belongs to their constituency and define the
services the team offers to the community. Additionally, each SIRT
should publish its policies and operating procedures. Similarly, these
--- 111,117 ----
general interest.
Since it is vital that each member of a constituent community be
! able to understand what is reasonable to expect of their team, a SIRT
should make it clear who belongs to their constituency and define the
services the team offers to the community. Additionally, each SIRT
should publish its policies and operating procedures. Similarly, these
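Review bot: The unchanged line after the corrected one still reads "who belongs to their constituency" for a singular "a SIRT", while later hunks in this patch change the same construction to "its constituency". Suggest "who belongs to its constituency" here as well so the agreement fix is applied consistently.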
***************
*** 127,148 ****
It must be emphasised that without active participation from users, the
effectiveness of the SIRT's services can be greatly diminished. This
is particularly the case with reporting. At a minimum, users need to
! know that they should report security incidents, and know how and where
! they should report them to.
Many computer security incidents originate outside local community
boundaries and affect inside sites, others originate inside the local
community and affect hosts or users on the outside. Often, therefore,
-
- the handling of security incidents will involve the cooperation of
- multiple sites and potentially multiple SIRTs. The coordination of
- activities across communities and organization requires that the
- parties understand who they are dealing with, and what sort of policies
- they have in place.
-
- Many computer security incidents originate outside local community
- boundaries and affect inside sites, others originate inside the local
- community and affect hosts or users on the outside. Often, therefore,
the handling of security incidents will involve multiple sites and
potentially multiple SIRTs. Resolving these incidents will require
cooperation between individual sites and SIRTs, and between SIRTs.
--- 127,138 ----
It must be emphasised that without active participation from users, the
effectiveness of the SIRT's services can be greatly diminished. This
is particularly the case with reporting. At a minimum, users need to
! know that they should report security incidents, and know how and to where
! they should report them.
Many computer security incidents originate outside local community
boundaries and affect inside sites, others originate inside the local
community and affect hosts or users on the outside. Often, therefore,
the handling of security incidents will involve multiple sites and
potentially multiple SIRTs. Resolving these incidents will require
cooperation between individual sites and SIRTs, and between SIRTs.
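Review bot: The block deleted from the old text is not purely a duplicate: it also carries the sentence "The coordination of activities across communities and organization requires that the parties understand who they are dealing with, and what sort of policies they have in place", which does not appear in the lines retained here. Since the patch is presented as typos and trivia, this deletion should be called out separately, or the sentence kept. The new wording "how and to where they should report them" is also awkward; "how and where to report them" would read more cleanly.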
***************
*** 153,166 ****
The rest of this document describes the set of topics and issues that
SIRTs need to elaborate for their constituents. However, there is no
attempt to specify the "correct" answer to any one topic area. Rather,
! each topic is discussed it terms of what that topic means. For example,
five types of policy statements are listed (representing those policies
of interest to the community), but the content of any one of them will
necessarily be specific to a given team.
! Chapter two provides an overview of three major areas: The publishing
of information by a response team, the definition of the response
! team's relationship to other response teams and the need for secure
communications. Chapter three describes in detail all the types of
information that the community needs to know about their response team.
These topics are condensed into an outline template for ease of use by
--- 143,156 ----
The rest of this document describes the set of topics and issues that
SIRTs need to elaborate for their constituents. However, there is no
attempt to specify the "correct" answer to any one topic area. Rather,
! each topic is discussed in terms of what that topic means. For example,
five types of policy statements are listed (representing those policies
of interest to the community), but the content of any one of them will
necessarily be specific to a given team.
! Chapter two provides an overview of three major areas: the publishing
of information by a response team, the definition of the response
! team's relationship to other response teams, and the need for secure
communications. Chapter three describes in detail all the types of
information that the community needs to know about their response team.
These topics are condensed into an outline template for ease of use by
***************
*** 175,181 ****
2 Scope
The interactions between a constituent community and an incident
! response team require first that the community understands the
policies and procedures of the response team. Second, since many
response teams collaborate to handle incidents, the community must
also understand the relationship between their response team and
--- 165,171 ----
2 Scope
The interactions between a constituent community and an incident
! response team require first that the community understand the
policies and procedures of the response team. Second, since many
response teams collaborate to handle incidents, the community must
also understand the relationship between their response team and
***************
*** 184,190 ****
those communications are going to be protected. Each of these subjects
will be described in more detail in the following three sections.
! 2.1 Publishing a SIRT Policies and Procedures
Each user who has access to a Security Incident Response Team should
know as much as possible about services of and interactions with this
--- 174,180 ----
those communications are going to be protected. Each of these subjects
will be described in more detail in the following three sections.
! 2.1 Publishing SIRT Policies and Procedures
Each user who has access to a Security Incident Response Team should
know as much as possible about services of and interactions with this
***************
*** 224,230 ****
concerned, not only constituents but also other teams or organizations,
would be for each SIRT to publish its guidelines and procedures on its
own information server. This would allow constituents to easily access
! it, although this does not address the problem of how a constituent or
will find "his" or "her" team. People within the constituency have to
discover that there is a SIRT "at their disposal." It is foreseen that
completed SIRT templates will soon become searchable by modern search
--- 214,220 ----
concerned, not only constituents but also other teams or organizations,
would be for each SIRT to publish its guidelines and procedures on its
own information server. This would allow constituents to easily access
! it, although this does not address the problem of how a constituent
will find "his" or "her" team. People within the constituency have to
discover that there is a SIRT "at their disposal." It is foreseen that
completed SIRT templates will soon become searchable by modern search
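Review bot: The corrected line still begins with "it", whose antecedent two lines earlier is the plural "guidelines and procedures". Suggest "This would allow constituents to easily access them" alongside the removal of the stray "or".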
***************
*** 238,246 ****
Regardless of the source from which the information is retrieved,
the user of the template must check its authenticity. It is highly
recommended that such vital documents be protected by digital
! signatures. These will allow user can verify that the template
! was indeed published by the SIRT and that it has not been modified
! thereafter. This document assumes the reader has familiarity with
the proper use of digital signatures to determine whether a document
is authentic.
--- 228,236 ----
Regardless of the source from which the information is retrieved,
the user of the template must check its authenticity. It is highly
recommended that such vital documents be protected by digital
! signatures. These will allow the user to verify that the template
! was indeed published by the SIRT and that it has not been tampered with.
! This document assumes the reader is familiar with
the proper use of digital signatures to determine whether a document
is authentic.
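Review bot: Replacing "has not been modified thereafter" with "has not been tampered with" changes the meaning rather than fixing a typo: verifying a signature detects any change made after signing, accidental or deliberate, so "modified" is the more accurate word. Suggest keeping "modified" and limiting this hunk to the "allow the user to verify" and "is familiar with" fixes. The short line "This document assumes the reader is familiar with" also needs refilling with the lines that follow.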
***************
*** 247,257 ****
2.2 Relationships between different SIRTs
In some cases a SIRT may be able to operate effectively on its own
! and in close cooperation with its constituency. But with todays
international networks it is much more likely that most of the
incidents handled by a SIRT will involve parties external to its
constituency. Therefore the team will need to interact with other
! SIRTs and sites outside their constituency.
The constituent community should be clear about the nature and
extent of this collaboration, as very sensitive information about
--- 237,247 ----
2.2 Relationships between different SIRTs
In some cases a SIRT may be able to operate effectively on its own
! and in close cooperation with its constituency. But with today's
international networks it is much more likely that most of the
incidents handled by a SIRT will involve parties external to its
constituency. Therefore the team will need to interact with other
! SIRTs and sites outside its constituency.
The constituent community should be clear about the nature and
extent of this collaboration, as very sensitive information about
***************
*** 259,265 ****
Such interactions could include asking other teams for advice,
disseminating knowledge of problems and working cooperatively
! to resolve a security incident effecting one or more of the SIRTs'
constituencies.
In establishing relationships to support such interactions, SIRTs will
--- 249,255 ----
Such interactions could include asking other teams for advice,
disseminating knowledge of problems and working cooperatively
! to resolve a security incident affecting one or more of the SIRTs'
constituencies.
In establishing relationships to support such interactions, SIRTs will
***************
*** 273,279 ****
another SIRT and asks for help or advice.
Although the establishing of such relationships is very important and
! affect the ability of a SIRT to support its constituency, it is up to
the teams involved to decide about the details. It is beyond the scope
of this document to make recommendations for this process. But the
same set of information used to set expectations for a user community
--- 263,269 ----
another SIRT and asks for help or advice.
Although the establishing of such relationships is very important and
! affects the ability of a SIRT to support its constituency, it is up to
the teams involved to decide about the details. It is beyond the scope
of this document to make recommendations for this process. But the
same set of information used to set expectations for a user community
***************
*** 360,367 ****
As always, not every aspect for every environment and/or team can
be covered. This outline should be seen as a suggestion. Each team
! should feel free to include whatever they think is necessary for
! supporting their constituency.
3.1 Contact Information
--- 350,357 ----
As always, not every aspect for every environment and/or team can
be covered. This outline should be seen as a suggestion. Each team
! should feel free to include whatever it thinks is necessary to
! support its constituency.
3.1 Contact Information
***************
*** 436,442 ****
check for recent updates.
This online version should also be
! accompanied by a digital signature,
3.3 Charter
--- 426,432 ----
check for recent updates.
This online version should also be
! accompanied by a digital signature.
3.3 Charter
***************
*** 471,481 ****
the document (see below) should explain how requests from outside the
perimeter will be handled.
! If a SIRT decide, not to disclosure their constituency, they should
explain the reasoning behind this decision. For example for-fee
SIRTs will not list their clients but declare that they provide
a service to a large group of customers that are kept confidential
! because of the clients' contract.
Constituencies might overlap, as when an ISP provides a SIRT, but
delivers services to customer sites which also have SIRTs. The
--- 461,471 ----
the document (see below) should explain how requests from outside the
perimeter will be handled.
! If a SIRT decides not to disclose its constituency, it should
explain the reasoning behind this decision. For example for-fee
SIRTs will not list their clients but declare that they provide
a service to a large group of customers that are kept confidential
! because of the clients' contracts.
Constituencies might overlap, as when an ISP provides a SIRT, but
delivers services to customer sites which also have SIRTs. The
***************
*** 486,493 ****
The sponsoring organization, which authorizes the actions of the SIRT,
should be given next. Knowing this will help the users to understand
! the background and setup of the SIRT. It is vital information for
! building up trust between a constituent and a SIRT.
3.3.4 Authority
--- 476,483 ----
The sponsoring organization, which authorizes the actions of the SIRT,
should be given next. Knowing this will help the users to understand
! the background and set-up of the SIRT. It is vital information for
! building trust between a constituent and a SIRT.
3.3.4 Authority
***************
*** 503,509 ****
other SIRTs operate hierarchically within their perimeter, these should
be identified and addressed here.
! A disclosure of a team's authority may expose it to claims of
liability. Every team should seek legal advice on these matters.
(See section 3.7 for more on liability.)
--- 493,499 ----
other SIRTs operate hierarchically within their perimeter, these should
be identified and addressed here.
! Disclosure of a team's authority may expose it to claims of
liability. Every team should seek legal advice on these matters.
(See section 3.7 for more on liability.)
***************
*** 532,543 ****
3.4.2 Co-operation and Interaction with other Organizations
! This section should make explicit which related groups with which the
SIRT routinely interacts with. Such interactions are not related to
the Security Incident Response provided, but are used to facilitate
better cooperation on technical topics or services. By no means should
details about cooperation agreements be given out, the main objective
! of this section is to give the constituency a basic understanding
what kind of interactions are established and what their purpose is.
Examples of these are listed below.
--- 522,533 ----
3.4.2 Co-operation and Interaction with other Organizations
! This section should make explicit which related groups the
SIRT routinely interacts with. Such interactions are not related to
the Security Incident Response provided, but are used to facilitate
better cooperation on technical topics or services. By no means should
details about cooperation agreements be given out, the main objective
! of this section is to give the constituency a basic understanding of
what kind of interactions are established and what their purpose is.
Examples of these are listed below.
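Review bot: The unchanged sentence "By no means should details about cooperation agreements be given out, the main objective of this section is ..." is a comma splice that sits between the two corrected lines. Suggest a semicolon or full stop after "given out" while this paragraph is being touched.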
***************
*** 583,589 ****
requiring or limiting disclosure, especially if they work in different
jurisdictions. In addition, they may have reporting requirements
imposed by their sponsoring organization. Each team's template should
! specify any such restraints, both to clarify users' expectations and to
inform other teams.
Conflicts of interest, particularly in commercial matters, may also
--- 573,579 ----
requiring or limiting disclosure, especially if they work in different
jurisdictions. In addition, they may have reporting requirements
imposed by their sponsoring organization. Each team's template should
! specify any such constraints, both to clarify users' expectations and to
inform other teams.
Conflicts of interest, particularly in commercial matters, may also
***************
*** 608,614 ****
SIRTs or directly to affected sites lying within or outside the
constituency.
! - Feed-back to parties reporting incidents or vulnerabilities.
- The provision of contact information relating to members of the
constituency, members of other constituencies, other SIRTs or
--- 598,604 ----
SIRTs or directly to affected sites lying within or outside the
constituency.
! - Feedback to parties reporting incidents or vulnerabilities.
- The provision of contact information relating to members of the
constituency, members of other constituencies, other SIRTs or
***************
*** 626,632 ****
or directly with a member of another constituency over matters directly
involving that member.
! A team will normally collect statistics. If such information are
distributed, the template's reporting and disclosure policy should
say so, and should list methods to obtain such statistics.
--- 616,622 ----
or directly with a member of another constituency over matters directly
involving that member.
! A team will normally collect statistics. If such information is
distributed, the template's reporting and disclosure policy should
say so, and should list methods to obtain such statistics.
***************
*** 640,652 ****
with corrupted information (for example where to report this fact to).
At the moment it is recommended that every SIRT has - if possible - as
! a minimum, a PGP key available. Teams may also make other mechanisms
available (for example PEM, MOSS, S/MIME), according to its needs and
the needs of its constituents. Note however, that SIRTs and users
should be sensitive to local laws and regulations. Some countries do
not allow strong encryption or enforce specific policies on the use of
encryption technology. In addition to encrypting sensitive information
! whenever possible, correspondence should include digitally signatures.
(Please note, that in most countries, the protection of authenticity
by using digital signatures is not affected by existing encryption
regulations.)
--- 630,642 ----
with corrupted information (for example where to report this fact to).
At the moment it is recommended that every SIRT has - if possible - as
! a minimum, a PGP key available. A team may also make other mechanisms
available (for example PEM, MOSS, S/MIME), according to its needs and
the needs of its constituents. Note however, that SIRTs and users
should be sensitive to local laws and regulations. Some countries do
not allow strong encryption or enforce specific policies on the use of
encryption technology. In addition to encrypting sensitive information
! whenever possible, correspondence should include digital signatures.
(Please note, that in most countries, the protection of authenticity
by using digital signatures is not affected by existing encryption
regulations.)
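Review bot: The unchanged line "it is recommended that every SIRT has" should use the subjunctive "have", matching the "require first that the community understand" correction made earlier in this patch. The commas in "Note however, that" and "Please note, that" in the same paragraph are also misplaced and could be fixed here.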
***************
*** 655,661 ****
authentication data for parties with whom they may deal, such as an
agreed password or phrase.
! 3.4.5 Point of Customer Contacts
More detailed contact information might be provided. This might
include different contacts for different services or might be a list
--- 645,651 ----
authentication data for parties with whom they may deal, such as an
agreed password or phrase.
! 3.4.5 Points of Customer Contact
More detailed contact information might be provided. This might
include different contacts for different services or might be a list
***************
*** 701,707 ****
3.6 Incident Reporting Forms
! The use of reporting forms makes it simplier for both sides, users and
teams, to deal with incidents. The constituent may prepare answers to
various important questions before he or she actually contacts the team
and therefore come well prepared. The team gets all the necessary
--- 691,697 ----
3.6 Incident Reporting Forms
! The use of reporting forms makes it simpler for both sides, users and
teams, to deal with incidents. The constituent may prepare answers to
various important questions before he or she actually contacts the team
and therefore come well prepared. The team gets all the necessary
***************
*** 709,715 ****
Depending on the objectives and services of a single SIRT, multiple
forms may be used, for example a reporting form for a new vulnerability
! will be very different for the form used for reporting incidents.
It is most efficient to provide forms through the online information
services of the team. The exact pointers to them should be given in
--- 699,705 ----
Depending on the objectives and services of a single SIRT, multiple
forms may be used, for example a reporting form for a new vulnerability
! will be very different from the form used for reporting incidents.
It is most efficient to provide forms through the online information
services of the team. The exact pointers to them should be given in
***************
*** 718,724 ****
addresses are supported for form based reporting, they should be
listed here again.
! One example for such form is the Incident Reporting Form provided by
the CERT Coordination Center:
- ftp://info.cert.org/incident_reporting_form
--- 708,714 ----
addresses are supported for form based reporting, they should be
listed here again.
! One example of such a form is the Incident Reporting Form provided by
the CERT Coordination Center:
- ftp://info.cert.org/incident_reporting_form
***************
*** 745,751 ****
is a difference between both versions, the German version
is the binding version.
! The use of and protection by disclaimers is effected by local laws and
regulations. Therefore each SIRT should be sensitive and if in doubt
should check the disclaimer with a lawyer.
--- 735,741 ----
is a difference between both versions, the German version
is the binding version.
! The use of and protection by disclaimers is affected by local laws and
regulations. Therefore each SIRT should be sensitive and if in doubt
should check the disclaimer with a lawyer.
***************
*** 780,787 ****
of a system utility program by a Trojan Horse is an example of
'compromise of integrity,' and a successful password attack is an
example of 'loss of confidentiality.' Attacks, even if they
! failed because of proper protection, might be regarded as an
! Incident.
Within the definition of an incident the word 'compromised' is
used. Sometimes an administrator may only 'suspect' an incident.
--- 770,777 ----
of a system utility program by a Trojan Horse is an example of
'compromise of integrity,' and a successful password attack is an
example of 'loss of confidentiality.' Attacks, even if they
! failed because of proper protection, might be regarded as
! Incidents.
Within the definition of an incident the word 'compromised' is
used. Sometimes an administrator may only 'suspect' an incident.
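Review bot: The corrected text keeps the capital in "Incidents", while the following context lines write 'incident' in lower case. Unless the capitalised form is a defined term in the document, suggest "might be regarded as incidents".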
***************
*** 875,881 ****
6 Appendix C: Known Security Incident Response Teams
! Today, there are many different SIRTs but no single source list every
team. Most of the major and long established teams (the first SIRT was
founded in 1988) are nowadays member of FIRST, the worldwide Forum of
Incident Response and Security Teams. Actually more than 55 teams are
--- 865,871 ----
6 Appendix C: Known Security Incident Response Teams
! Today, there are many different SIRTs but no single source lists every
team. Most of the major and long established teams (the first SIRT was
founded in 1988) are nowadays member of FIRST, the worldwide Forum of
Incident Response and Security Teams. Actually more than 55 teams are
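Review bot: Two lines below the "lists" fix, "are nowadays member of FIRST" has the same kind of number error and should read "members of FIRST". In the last line shown, "Actually more than 55 teams" appears to mean "Currently"; worth confirming with the authors.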
***************
*** 906,912 ****
- http://www.cert.dfn.de/eng/csir/europe/certs.html
To learn about existing teams and maybe more suitable teams for one's
! need it is always a good approach, to ask either existing teams or an
Internet Service Provider for the "right" contact.
7 Appendix D: Outline for SIRT Template
--- 896,902 ----
- http://www.cert.dfn.de/eng/csir/europe/certs.html
To learn about existing teams and maybe more suitable teams for one's
! needs it is always a good approach, to ask either existing teams or an
Internet Service Provider for the "right" contact.
7 Appendix D: Outline for SIRT Template
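Review bot: The corrected line still has a stray comma in "it is always a good approach, to ask". Suggest "it is always a good approach to ask", and a comma after "needs" to close the introductory clause.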
***************
*** 944,950 ****
4.2 Cooperation and Interaction with Other Entities
4.3 Disclosure of Information
4.4 Communication and Authentication
! 4.5 Points of Customer Contacts
5. Services
5.1 Incident Response
--- 934,940 ----
4.2 Cooperation and Interaction with Other Entities
4.3 Disclosure of Information
4.4 Communication and Authentication
! 4.5 Points of Customer Contact
5. Services
5.1 Incident Response
***************
*** 1314,1320 ****
10 Security Considerations
This document discusses issues of the operation of Security Incident
! Response Teams, and the teams interactions with their constituency.
It is therefore not directly concerned with the security of protocols,
applications or network systems themselves. It is not even concerned
about the response and reaction to security incidents.
--- 1304,1310 ----
10 Security Considerations
This document discusses issues of the operation of Security Incident
! Response Teams, and the teams' interactions with their constituencies.
It is therefore not directly concerned with the security of protocols,
applications or network systems themselves. It is not even concerned
about the response and reaction to security incidents.