What is the role of response teams?
What is CERT?
According to CERT's website, its goals include the following:
1. Establish a capability to quickly and effectively coordinate communication among experts during security emergencies in order to prevent future incidents.
2. Build an awareness of security issues across the Internet community.
In addition to handling reports of computer viruses and security holes, CERT/CC also trains and coordinates with other computer security incident response teams across the U.S. and the globe. Many other response teams with "CERT" in their name have sprung up and are part of the Forum of Incident Response and Security Teams (FIRST), of which CERT/CC was a founding member. They all work independently toward a common goal of computer security. These teams include AFCERT (Air Force CERT), AUSCERT (Australian Computer Emergency Response Team), BCERT (Boeing CERT), and many more. SUNSeT, the Stanford University Network Security Team, is also a member of FIRST.
In addition to CERT/CC and the organizations that make up FIRST, many private anti-virus software companies also have divisions that play the role of the emergency response team.
The process of responding to a new threat
The first stage of virus response is the reporting of threats. The web sites of most virus response groups have sections that allow people to send them samples of viruses they have received or other information on system vulnerabilities. These groups depend on the assumption that concerned computer users will send them this information early on in the virus's life cycle. The faster that people tell them about the threat, the faster they can respond. Some groups, such as CERT/CC, ask users to encrypt system vulnerability information before sending it, to keep it from falling into the wrong hands.
After receiving information about a virus or security hole, response teams begin reviewing it to determine how dangerous it is and how difficult it will be to fix. In the process of reviewing a new virus, groups can build a virus profile or definition, which they can then post on their web site in order to spread awareness about the virus. For every significant virus it reviews, the research team at Symantec (which also produces Norton Anti-Virus software) puts together a detailed profile that includes assessments of how much damage the virus causes, how fast it can replicate and distribute itself, and how widespread it is. Some teams, like the team at www.sophos.com, also put up profiles of virus hoaxes when they receive virus alerts that they determine to be inaccurate.
Finally, after a response team has assessed a virus and built a profile, it can then work on building a recovery tool for that virus. A recovery tool looks for a specific virus, removes it from the system if it is found, then attempts to repair any damage that the virus may have caused. Because recovery tools are individually built in response to specific viruses, they are generally much more effective against particular new threats than general anti-virus software, which attempts to protect against all viruses.
Of course, recovery tools are only useful to people whose systems have already been infected. They are useful for helping people recover, but insufficient when it comes to containing the virus. For this reason, the virus definitions built by response teams during the review phase are eventually included in updates to anti-virus programs, so that people can protect their systems from being compromised in the first place.
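The distinction drawn above, between a virus definition (which lets general anti-virus software detect and block a threat) and a recovery tool (which additionally knows how to remove a specific virus and repair its damage), can be made concrete with a small Python sketch. This is an added illustration, not code from the original page or from any response team; the definition names, byte patterns, sample files and the "appended" repair rule are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Definition:
    """What a response team publishes after reviewing a sample: a name and a
    byte pattern that identifies that specific threat (constructed values)."""
    name: str
    signature: bytes
    # Repair knowledge is what turns a definition into a recovery tool.
    # "appended" (an assumed rule) means the infector added itself to the
    # end of the host file, so cutting at the signature restores the host.
    repair: Optional[str] = None


# Constructed definitions for two hypothetical threats; neither pattern is real.
DEFINITIONS = [
    Definition("Toy.Appender", b"TOY-APPENDER-PAYLOAD", repair="appended"),
    Definition("Toy.DetectOnly", b"TOY-SECOND-THREAT"),  # profiled, no recovery tool yet
]


def scan(data: bytes) -> list:
    """General anti-virus behaviour: report every definition that matches."""
    return [d for d in DEFINITIONS if d.signature in data]


def recover(data: bytes) -> tuple:
    """Recovery-tool behaviour: remove each matched threat for which repair
    knowledge exists. Returns the cleaned bytes plus the names of threats that
    were detected but could not be repaired (they still need a full update)."""
    unrepaired = []
    for d in scan(data):
        if d.repair == "appended":
            data = data[: data.find(d.signature)]
        else:
            unrepaired.append(d.name)
    return data, unrepaired


def sha256(data: bytes) -> str:
    """Hash used to confirm the repaired file matches the original host."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample files: a clean host, the same host after infection,
# and a file carrying the second (detect-only) pattern.
CLEAN_HOST = b"MZ\x90\x00 constructed host program bytes"
INFECTED_HOST = CLEAN_HOST + b"TOY-APPENDER-PAYLOAD" + b"\x00" * 16
DETECT_ONLY = b"hello TOY-SECOND-THREAT world"

if __name__ == "__main__":
    cleaned, left = recover(INFECTED_HOST)
    print([d.name for d in scan(INFECTED_HOST)], sha256(cleaned) == sha256(CLEAN_HOST), left)
```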
Case study: response to the Anna Kournikova virus
The response teams did not disappoint. By February 12, Symantec had found out about the virus, reviewed it, profiled it, built a recovery tool, and built an update to Norton AntiVirus that would recognize it. Everything necessary to detect, contain, and recover from the virus was available to the public within a day of the first infection.
The very short timeline of virus outbreak and containment is typical of computer viruses today. Response teams are very quick to respond to new viruses, but even so, many users are infected in that short period of time. Also, many systems still become infected even after the recovery tools are available because many people are unaware of them and/or do not update their anti-virus software. For this reason, the Kournikova virus remains at the top of Symantec's list of threats more than a month after it first appeared. Emergency response teams can be a godsend to those who look to them for help, but can only do as much as people let them. Without the awareness and cooperation of all computer users, viruses will continue to propagate.
http://www.first.org/about/ Information about the Forum of Incident Response and Security Teams.
http://www.symantec.com/avcenter/ Virus information from Symantec.
http://www.stanford.edu/~security/ The SUNSeT web site.
http://www.sophos.com/ Sophos Anti-Virus site.
http://www.cnn.com/2001/TECH/internet/02/14/kournikova.virus.02/index.html "Man charged over Kournikova virus", February 14, 2001.