Security '98 Symposium
T1: Handling Computer and Network Security Incidents
Jim Duncan, Penn State University, and Rik Farrow, Consultant

Who should attend: System and network administrators, security managers and managers of computer resources. You should have some knowledge of current operating systems and networking.

Are you prepared to handle a security incident at your site? Responding to computer security incidents is a requirement for all organizations where computers and networks are an important part of the infrastructure. In this tutorial you will find out how to prepare for and handle security incidents with step-by-step information and examples from real-world incidents.

You will learn about the need for comprehensive computer security incident handling capability, how to communicate that need to management and the user community, how to investigate an incident (as a handler, not as law enforcement), and how to establish and maintain the capability. Even if you are the only person tasked with security, this tutorial will help you prepare yourself and your organization.

Topics include:
- Incidents and their cost: types of incidents, statistics on the frequency of incidents, targets of incidents (finance, research, educational, etc.). The costs of handling an incident poorly versus handling one well.
- A multilevel assessment of organizations, including the hardware and software, operating systems, network components, types of links, locations, user base, knowledge level, experience, and behavior. Also the business of each part of the organization and the corporate or organizational management structure.
- What not to do: real-life examples of incident handling done wrong.
- Post-mortem of an incident and overview of computer ethics and law. Major missteps analyzed, possible violations and relevance to various statutes, e.g., ECPA, CFAA, FERPA, and newer legislation.
- How to develop and refine computer and network security policies, including practices and procedures for incident handling, starting with what's already in place.
- Ten steps to incident handling: incident detection, reporting, the quick appraisal, flaw identification, countermeasures, deciding about contacting law enforcement, investigation, notification of related RTs, evidence collection, and closure.
- Chain of custody: correct evidence handling, dealing with law enforcement, search warrants; deciding when to contact law enforcement.
- Building an incident handling capability in-house and outside. People, places, equipment, procedures, authority. Who to notify and determining who is responsible for what. Defining ethical behavior for the incident handling team.
- Incident handling through role playing.
- Other resources: FIRST teams, law enforcement, mailing lists and newsgroups, archives, vendor notifications and expectations.

Jim Duncan is manager of Network and Information Systems and principal systems administrator for Pennsylvania State University's Applied Research Laboratory. He is a contributor to the Site Security Policy Handbook and has developed numerous policies, guidelines, and presentations on computer security, incident handling, and ethics. Jim is an active member of the Penn State CERT team.

Rik Farrow provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984, and with TCP/IP networks since 1988. He is the author of UNIX System Security and System Administrator's Guide to System V. Farrow writes two columns for ;login:, and a network security column for Network magazine.
