Writing Computer Security Advisories
Some teams decide to write their own advisories on vulnerabilities about which they want to alert their constituency. Other teams simply rely on forwarding advisories from other sources, such as those published by CERT CC or specific vendors. A few simple rules should be followed by teams chartered with writing their own advisories:
Keep it simple. The advisory should stick to the facts and avoid technical jargon.
Always include a fix or some steps to lessen the vulnerability. If a vulnerability does not have a readily available fix or countermeasure, the decision may be not to advertise the problem, so as not to invite further exploitation.
If a patch will be downloaded, include the MD5 checksum whenever it is available. The MD5 checksum is a digital signature or fingerprint of the patch and should be used to validate that the correct patch has been downloaded before it is installed on the system. Although the MD5 checksum is not foolproof, this step does significantly increase the overall security of the patch process. (Note: On some occasions, a patch that people are downloading has been compromised and modified to include a Trojan horse program.)
Whenever possible, test the vulnerability and proposed fix in a lab environment to verify that the patch fixes the problem and doesn't introduce other problems. This step may not always be possible, but it is a good security measure for protecting the team's integrity if it is an option.
For most teams that are internal to a specific company or organization, the testing of the patch is handled by the system administrators. The role of the CIRT is to identify and qualify the vulnerabilities, and then advise the appropriate entities of vulnerabilities, warnings, and informational bulletins. It is then the responsibility of the system administrators to test patches appropriately in their environment, troubleshoot any problems that arise, and be prepared with backups to restore the system if the patch goes bad.
The best format to follow when writing advisories has four parts:
Problem: Briefly describe the vulnerability—what it is and what can happen if it is exploited.
Symptoms: Identify any symptoms that may indicate the vulnerability has been exploited on a system.
Fix: Describe the steps that can be taken to prevent the vulnerability from being exploited or to recover from an attack. Remember to include the MD5 checksum, if applicable.
Point of contact information: How can further information be obtained? Who can be contacted for questions or problems?
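An added example (not from the original text) that ties the MD5 rule to the four-part format above: it checks that an advisory contains all four parts, reads the MD5 checksum quoted in the Fix part, and compares it with the digest of the downloaded patch. The `Label: text` line layout, the function names, and the sample advisory and patch bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io
import re

SECTIONS = ("Problem", "Symptoms", "Fix", "Point of contact information")

def parse_advisory(text):
    """Split an advisory into its four parts; raise if any part is missing."""
    parts, current = {}, None
    for line in text.splitlines():
        head, sep, rest = line.partition(":")
        if sep and head.strip() in SECTIONS:
            current, line = head.strip(), rest
            parts[current] = ""
        if current:
            parts[current] = (parts[current] + " " + line.strip()).strip()
    missing = [s for s in SECTIONS if not parts.get(s)]
    if missing:
        raise ValueError("advisory is missing: " + ", ".join(missing))
    return parts

def stream_md5(stream, chunk=65536):
    """MD5 of a binary stream, read in chunks so a large patch is never held whole."""
    h = hashlib.md5()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def patch_matches(advisory_text, stream):
    """True only if the patch bytes hash to the MD5 quoted in the Fix part."""
    fix = parse_advisory(advisory_text)["Fix"]
    m = re.search(r"MD5\b.{0,20}?\b([0-9a-fA-F]{32})\b", fix)
    if m is None:
        raise ValueError("Fix part carries no MD5 checksum")
    return hmac.compare_digest(m.group(1).lower(), stream_md5(stream))

# Constructed sample data: a placeholder patch and an advisory that quotes its MD5.
SAMPLE_PATCH = b"constructed patch contents\n"
SAMPLE_ADVISORY = """Problem: (constructed) the example service can crash on malformed input.
Symptoms: Unexpected restarts of the example service.
Fix: Download example-patch.bin and install it. MD5 checksum: %s
Point of contact information: CIRT help desk, cirt@example.org
""" % hashlib.md5(SAMPLE_PATCH).hexdigest()

def demo():
    """Check the sample patch, then a copy altered after the advisory was written."""
    altered = SAMPLE_PATCH + b"appended bytes"
    return [patch_matches(SAMPLE_ADVISORY, io.BytesIO(p)) for p in (SAMPLE_PATCH, altered)]
```

For a real download, pass `open(path, "rb")` as the stream. The chunked hashing and comparison carry over to `hashlib.sha256` where the patch source publishes a SHA-256 digest; MD5 is used here because it is the checksum the text names.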
Advisories can be distributed to the constituency through several means. One of the most popular methods is through a list server, sending the advisory electronically through e-mail. Many teams also post copies of the advisory on their Web sites: on intranet sites, Web pages, or both. The final method is through paper versions, physically sending the report out to people or posting it on bulletin boards around corporate buildings. In this day of automation, the hard copy distribution is the method used the least, but it can be very valuable when a major event is taking place and people need to be made aware of it prior to turning computer systems on. For example, the Melissa virus made its debut on a Friday afternoon in March 1999. Offices that posted warnings on their doors before employees returned to work on the following Monday were able to give notice of the activity prior to computer systems being turned on. Very similar circumstances were experienced more recently when the Slammer worm spread in January 2003. The advisory steps taken by organizations in these cases may have helped to stop the further spread of the virus or worm by increasing the awareness of end users.