2011 FIRST Conference: Sunday

Two members of OxCERT are currently attending the annual conference of FIRST (Forum of Incident Response and Security Teams). As a truly international body, the venue for the conference moves around the world each year; recent venues have included Seville, Vancouver, and Kyoto. This year it is being held in the Hilton Hotel in Vienna, a short walk from the many cultural, historic and gastronomic delights that the city has to offer. We aim to post periodic updates through the week as time permits.

On Sunday, before the start of the conference proper, we have been attending a meeting of educational and research networks, allowing us to focus on the specific issues being faced within our community. Many of the teams present operate at the national level, equivalent to JANET-CSIRT in the UK, although some other university sites were represented; additionally some members fulfil dual roles both as part of a university CERT as well as that for their national research/educational network.

As the teams introduced themselves it became apparent how much we have in common: facing common threats, using common tactics to detect incidents and defend their constituency, and dealing with common problems in terms of user education. Nevertheless there are many differences. One team posts over 2000 security bulletins each year, an order of magnitude more than we do; without careful targeting, we feel liable to overwhelm the recipients. Another had given up entirely on posting such advisories.

Comparing incident statistics raised several questions, not least because of huge differences in what was actually being compared. This is a problem we are already addressing through work with other UK universities in drafting a set of standard incident categories, work which in time we hope to share with the wider community. Substantial differences will nevertheless remain; for instance, we can detect a lot of malware infections ourselves through local monitoring, which is impractical or impossible for others to do – they must instead rely on third-party reports.

Approaches to copyright infringement were discussed, with considerable variation, from those who do little with the notifications to those such as ourselves who take a strong line. It was generally felt necessary to stress that copyright violation is not a security issue and should not be treated as such. We were amused by one approach of requiring the offender to give a lecture to others on what they had done wrong.

Discussion over coffee revealed a team using the same incident tracking software (AIRT, Application for Incident Response Teams) as ourselves, which provided us with an opportunity to share customisations to the core code base. Many teams, like ourselves, are keen to increase the automation of handling routine incidents in order to concentrate staff resources on the more unusual ones.

In the evening, the main conference started with a drinks reception, allowing us to catch up with old friends, chat to colleagues previously only encountered online, and meet new people. Here the varied backgrounds of the participants become evident, with discussions ranging from the challenges facing a major multinational telecommunications provider to the risks of ever-increasing reliance on computerisation in a car. Nevertheless, some of the underlying issues are similar: co-ordinating a large number of national networks is perhaps not so far from what the University faces with its departments and colleges, while in the automotive industry there is the challenge of getting product developers to think about security from the start, something we can appreciate all too well.

