Download as PDF
Blog Article
At the FIRST conference this week I've heard depressingly many incident responders saying "our lawyers won't let us...". Since incident response, done right, should actually support the law's objectives, it seems we need to be smarter, and maybe a bit more assertive, about explaining how incident response and law interact.
Blog Article
Following a couple of talks earlier in the FIRST conference that described how economic forces drive security downwards, it was good to hear a final keynote from Bruce Schneier that suggested that economics may actually encourage the development of high-quality incident response services. Incident response is commonly divided into three phases: prevent, detect, respond.
Blog Article
Many of the talks at the FIRST conference consider activities within and between incident response teams, but two talks today considered how CSIRTs and boards can work better together. Pete O’Dell suggested that many company boards either delegate or ignore information security, perhaps considering that it is “just another risk”.
Blog Article
If you've been watching movies and TV series, it may come as a surprise that most computer security incident response actually involves a lot of command line interfaces and perl scripts, and rather few graphical interfaces. That was the first disappointment that greeted a team of computer scientists from Honeywell and Kansas State University who tried to help their local security team with some new tools. The second was that those analysing incidents seemed to rely much more on experience and intuition than on rules or algorithms that might be encoded into software or training manuals.
Blog Article
There are quite a few talks at the FIRST conference this week about getting computers to automatically receive, process and distribute information about security events. However I was particularly interested in a session on the human issues that need to accompany any such information exchange.
Blog Article
A panel session at the FIRST conference on comparable security metrics made me wonder why this seems to be so hard. My first visit to another CSIRT, fifteen years ago, was to work out how to compare our Janet CSIRT statistics with those from SURFnet. And yet the tricky question still seems to be working out what it is you are actually measuring. Most incident statistics actually give you a reasonable idea of how busy the CSIRT is: as with most metrics the absolute values don't mean much but the trend – whether more or less busy – probably does.
Blog Article
From personal experience many years ago I know the frustration of discovering a security vulnerability in a website, wanting to warn the site owners, but being unable to find a responsive contact to accept the information. However I also know, from even longer ago, what it's like to be a sysadmin told by a stranger that my precious computer has a bug in it that I urgently need to fix. They no doubt thought they were helping me, but it was awfully tempting to shoot the messenger!
Prev | Next