This is the last article in a series looking at computer incident response team (CIRT) management. One of the most valuable contributions we can make to each other is information sharing. The Computer Emergency Response Team Coordination Center (CERT-CC) offers an overview of why and how to report security incidents in its “Incident Reporting Guidelines.” The CIRT experts summarize the types of activity on which they would appreciate receiving reports; reasons for reporting security incidents; the variety of people and agencies who can benefit from such reports; extensive guidelines on what to include in the reports; and how to reach the CERT-CC securely.
The section “Why should I report an incident?” has the following headers (and a paragraph or so of explanation of each point):
* You may receive technical assistance.
* We may be able to associate activity with other incidents.
* Your report will allow us to provide better incident statistics.
* Contacting others raises security awareness.
* Your report helps us to provide you with better documents.
* Your organization's policies may require you to report the activity.
* Reporting incidents is part of being a responsible site on the Internet.
Another way of contributing to the field is to speak at conferences. For example, the Forum of Incident Response and Security Teams (FIRST) organizes conferences, technical colloquia and workshops. The 19th Annual FIRST Conference on Computer Security Incident Handling will be in Seville, Spain, June 17-22, 2007. This year the focus is “Private Lives and Corporate Risk: Digital Privacy - Hazards and Responsibilities” and includes sessions on a wide range of topics suitable for technical, managerial, and legal staff at all levels. The conference is open to all, not just members of FIRST, and organizers want participants to (quoting):
* Learn the latest security strategies in incident management
* Increase your knowledge and technical insight about security problems and their solutions
* Keep up-to-date with the latest incident response and prevention techniques
* Gain insight on analysing network vulnerabilities
* Hear how the industry experts manage their security issues
* Interact and network with colleagues from around the world to exchange ideas and advice on incident management best practices.
Readers should think about contributing papers to such conferences. Anyone who has spoken at technical conferences will confirm that there’s no better way to solidify one’s expertise than marshalling information into a clear presentation and speaking before one’s peers. Feedback from interested participants can improve not only the current presentation but also the process being described. Intelligent, enthusiastic interchange among practitioners of good will with varied experiences and from different environments is not only productive of new ideas, it’s also immense fun!
The FIRST event includes “Lightning Talks,” which are described as “short presentations or speeches by any attendee on any topic, which can be scheduled into conference proceedings with the approval of the organisers.” Participants with hot news can thus present their findings or their ideas without necessarily having to prepare a long lecture or submit their work many months in advance.
Another CIRT conference organizer is ENISA, the European Network and Information Security Agency. ENISA has a calendar of conferences and workshops; at the time of writing, it seems to be a bit out of date (last entry from November 2006), but readers can get a good sense of the opportunities available for future conferences.
Other conferences, such as those organized by the Computer Security Institute (CSI), MIS Training Institute (MISTI) and RSA Security, among many others, offer opportunities for discussions of CIRT management. Take advantage of these opportunities by registering for the calls for participation and responding to one or two a year if you can.
You will be contributing to the progress of knowledge - and you’ll have a blast.