Fermi Computer Incident Response Team - PowerPoint PPT Presentation

Provided by: MichaelD116

Transcript and Presenter's Notes

1
Fermi Computer Incident Response Team
  • Computer Security Awareness Day
  • March 8, 2005
  • Michael Diesburg

2
What Is FCIRT?
  • FCIRT
  • Fermi Computer Incident Response Team
  • Group of computing experts who investigate
    compromised systems and guide cleanup
  • On call 24x7
  • FCIRT does not make policy. Their concern is
    with understanding how a compromise occurred and
    what actions are necessary to restore the system
    to production
  • Think of it as a volunteer fire department

3
When Should You Contact FCIRT?
  • Any time you suspect a system has been hacked or
    infected with a virus.
  • For any issues of unauthorized usage.
  • Any time you suspect a machine's usage is not in
    accordance with the rules of acceptable usage.
  • If in doubt, contact us

4
How To Contact FCIRT
  • Normal contact is via e-mail
  • computer_security@fnal.gov
  • Mail list is monitored on a regular basis during
    normal working hours. Some delay in response
    after hours or on weekends
  • You may also contact Helpdesk
  • For urgent issues call
  • 630-840-2345

5
How FCIRT Operates
  • FCIRT actions have several goals
  • Contain any damage
  • Determine how compromise occurred
  • Oversee the cleanup of compromised systems and
    certify cleaned systems to be returned to normal
    use
  • Assess how compromise could have been avoided

6
How FCIRT Operates
  • Upon alert, FCIRT personnel first triage the
    suspected incident
  • No incident
  • SMOKE - Further investigation required. Minor
    incident to be handled by local system managers
    under oversight of FCIRT
  • FIRE - Major incident. FCIRT assumes full
    administrative control of the systems involved.

7
How FCIRT Operates
  • SMOKE
  • A SMOKE is declared if there is evidence that
    some compromise may have occurred and further
    investigation is required
  • If investigation shows problem is confined to
    single system with limited impact on users, then
    cleanup is usually delegated to system managers
  • Incidents which may have widespread impact may be
    elevated to FIREs

8
How FCIRT Operates
  • SMOKE
  • Covers things like common viruses whose
    infection vector is well known.
  • Normal procedure
  • Use AV cleaning tools
  • Or re-install from known good media.
  • Make sure all patches are up to date
  • Scan all files with latest AV signatures
  • Make sure node and all NICs are registered
  • Return to service

9
How FCIRT Operates
  • FIRE
  • A FIRE is declared when an incident involves major
    servers, impacts many users, or in any way
    adversely affects the mission of the lab.
  • FCIRT takes complete control of systems in these
    cases
  • May involve removal from the network, or in some
    cases even confiscation of equipment

10
How FCIRT Operates
  • FIRE
  • First action is to contain the damage. Either
    via network block or by physically removing the
    system from network.
  • State of the system is then examined to determine
    how the compromise occurred
  • Weak passwords
  • Known vulnerabilities
  • Pilot error

11
How FCIRT Operates
  • FIRE
  • Network records are examined to determine what
    other systems may have been involved
  • Determination is made as to what must be done to
    protect the system from compromise
  • Copies of disks may be made at the request of
    government authorities
  • System is cleaned and returned to service
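
The "network records are examined" step above is a pivot: given the compromised host and the incident window, list every other host that exchanged traffic with it and flag the ones that need their own triage. The script below is an added example written for this page; it is not code from the presentation or from Fermilab. The flow-record format (start time, source, destination, destination port, bytes), the 131.225.x.x and 10.0.0.5 addresses, the window, and the choice of 445 as the infection-vector port are all constructed assumptions for illustration; a real export (NetFlow, router logs) would need its own parser.

```python
"""Pivot over network flow records to find which other hosts exchanged
traffic with a compromised system during the incident window.

Added example for the FCIRT "network records are examined" step; not code
from the presentation. Record format, addresses, ports and window are
constructed for illustration.
"""
from datetime import datetime

# Constructed sample flow records: start time, source, destination,
# destination port, bytes. The format is an assumption; real exports differ.
SAMPLE_FLOWS = """\
2005-03-07T22:10:05 131.225.10.44 131.225.20.7  445  1200
2005-03-07T22:12:40 131.225.10.44 131.225.20.9  445  980
2005-03-07T22:15:01 10.0.0.5      131.225.10.44 4444 150000
2005-03-07T23:01:10 131.225.20.7  131.225.10.44 445  300
2005-03-06T08:00:00 131.225.10.44 131.225.30.1  80   5000
2005-03-08T02:30:00 131.225.10.44 131.225.20.50 22   2100
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def pivot_contacts(flows, compromised, start, end):
    """Summarise every peer that talked to `compromised` within [start, end].

    Returns {peer: {"first", "last", "ports", "inbound", "outbound", "bytes"}}.
    Flows outside the window are ignored so unrelated earlier traffic (and
    traffic after the host was blocked) does not widen the suspect list.
    """
    peers = {}
    for f in flows:
        if not (start <= f["ts"] <= end):
            continue
        if f["src"] == compromised:
            peer, direction = f["dst"], "outbound"
        elif f["dst"] == compromised:
            peer, direction = f["src"], "inbound"
        else:
            continue
        s = peers.setdefault(peer, {"first": f["ts"], "last": f["ts"],
                                    "ports": set(), "inbound": 0,
                                    "outbound": 0, "bytes": 0})
        s["first"] = min(s["first"], f["ts"])
        s["last"] = max(s["last"], f["ts"])
        s["ports"].add(f["port"])
        s[direction] += 1
        s["bytes"] += f["bytes"]
    return peers


def flag_candidates(peers, vector_ports):
    """Tag peers worth following up. `vector_ports` are the ports the known
    infection vector uses (assumed {445} here, e.g. an SMB worm).

    - outbound from the compromised host on a vector port: the peer may have
      been attacked in turn and needs its own SMOKE/FIRE triage;
    - inbound to the compromised host on a non-vector port: possible
      attacker or controller connection.
    """
    tags = {}
    for peer, s in peers.items():
        t = []
        if s["outbound"] and s["ports"] & vector_ports:
            t.append("possible lateral spread")
        if s["inbound"] and not (s["ports"] & vector_ports):
            t.append("inbound on non-vector port")
        tags[peer] = t
    return tags


def investigate(text=SAMPLE_FLOWS, compromised="131.225.10.44",
                start=datetime(2005, 3, 7, 22, 0),
                end=datetime(2005, 3, 8, 0, 0),
                vector_ports=frozenset({445})):
    """Run the pivot on the constructed data; returns (peers, tags)."""
    peers = pivot_contacts(parse_flows(text), compromised, start, end)
    return peers, flag_candidates(peers, vector_ports)


if __name__ == "__main__":
    peers, tags = investigate()
    for peer, s in sorted(peers.items()):
        print(f"{peer:15} first={s['first']:%H:%M:%S} last={s['last']:%H:%M:%S} "
              f"ports={sorted(s['ports'])} in={s['inbound']} out={s['outbound']} "
              f"bytes={s['bytes']} {', '.join(tags[peer])}")
```

On the constructed data the two hosts that 131.225.10.44 reached on port 445 come out as lateral-spread candidates, the 10.0.0.5 connection inbound on port 4444 is flagged as a possible controller, and the port 80 traffic from the day before and the port 22 traffic after the block window are excluded. Bounding the window is the important design choice: without it, every host the machine ever talked to looks like a suspect.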

12
How FCIRT Operates
  • Reporting
  • Any computing incident also triggers several
    reporting streams
  • In case of a FIRE, the relevant system managers,
    division heads, and CSExec are notified
  • In some instances appropriate government agencies
    will be informed
  • Daily reports are made to the above until the
    incident is closed