incident response

29 April 2013 at 1:04pm
Questions about my last posting on Nominet's DNS domain suspension discussions have got me thinking a bit more about my idea of "domains registered for a criminal purpose". My suggestion is that these should be the only domains that a top-level registry can remove on its own, rather than asking for the decision to be taken by an independent authority.
6 June 2012 at 10:53am
An interesting presentation by Michael Brophy of Certification Europe at TERENA's CSIRT Task Force meeting last week drew attention to three standards likely to be relevant to Incident Response Teams: ISO20000, ISO27001 and BS25999. Unfortunately getting copies of these standards involves payment, but the highlighted content suggested this may be worthwhile.
29 April 2013 at 1:07pm
Nominet have published an issues paper asking whether there are circumstances in which it might be appropriate to rapidly suspend a DNS domain involved in criminal activity, and the processes that would be needed to ensure such action did not create too great a risk of unfairness.
4 July 2012 at 4:51pm
The European Commission have recently published a more detailed action plan to support their draft Internal Security Strategy from earlier this year (that's "internal" as in "within the continent", by the way!).
6 June 2012 at 10:29am
An interesting talk at the GovCERT.nl Symposium by Michel van Eeten of Delft University. For some time, and in many countries, there have been suggestions that ISPs should be encouraged, perhaps by legislation, to do more to protect other internet users from their customers.
6 June 2012 at 10:27am
I'm happy to announce the publication of a couple of new JANET factsheets covering frequently asked questions. As with all factsheets these aim to be a short (two page) introduction to an area, to let you know whether you should be concerned and, if so, what to do next. The new ones are:
11 December 2012 at 11:18am
An interesting presentation at the TERENA TF-CSIRT meeting on how visited and home sites need to work together to resolve complaints about users of eduroam visitor networks. Stefan Winter is both an architect of eduroam and a member of RESTENA-CSIRT, so well placed to understand these issues.
11 December 2012 at 11:19am
Cloud computing was the theme of the day at the FIRST conference, with talks on security and incident response both concluding that we may need to re-learn old techniques. The adoption of at least some form of “cloud” seems to be inevitable, so we need to understand how to do this with an acceptable level of risk. Unfortunately assessing the risk requires both an understanding of the criticality of data and processes and knowledge of the security measures implemented by the cloud provider; one or both of these may be missing.
29 April 2013 at 1:10pm
A number of talks at the FIRST conference this week have mentioned the value of Domain Name Service (DNS) logs for both detecting and investigating various types of computer misuse: from users accessing unauthorised websites to PCs infected with botnets to targeted theft of information (see, for example, Google's talk).
6 June 2012 at 10:11am
Incident response, as performed by CERTs, CSIRTs and other related acronyms, is an essential part of keeping the Internet habitable; however, it raises some interesting data protection issues. In most data protection scenarios, you know in advance what people and what information you are going to be processing, so you can give them prior notice, design systems and processes to be compliant, and so on.