P. 1
Handbook for Computer Security Incident Response Teams (CSIRTs)

Handbook for Computer Security Incident Response Teams (CSIRTs)

|Views: 375|Likes:
Published by epocableoils

More info:

Published by: epocableoils on Apr 09, 2011
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





Many people incorrectly consider the most important attribute in CSIRT staff to be their
technical experience. Although technical experience is a desirable attribute, by far a more
critical criterion is an individual’s willingness and ability to follow procedures and to provide
a professional interface to constituents, customers, and other parties interacting with the
CSIRT. It is a more desirable approach to hire individuals with less technical experience and
good interpersonal and communication skills, and then train them in CSIRT-specific technical
skills, than vice versa. Certainly this handbook itself provides a good start for educating and
enhancing the understanding that all staff members will need in order to interact with other
teams and provide a suitable service.

Having a wide range of interpersonal skills is important, because team members are
constantly communicating with each other, their constituency, and other parties, such as other
response teams. The reputation of a team relies on the professional interactions that its team
members undertake. Interactions of a team member who is a technical expert but possesses
poor communication skills may severely damage a team’s reputation and standing in the
community, while those interactions that are handled professionally and competently will
serve to enhance the CSIRT’s reputation as a valued service provider. Hence attention to an
individual’s interpersonal skills is extremely important.62

The following interpersonal skills are important for incident handling staff and are listed here
(in no specific order):

• common sense to make efficient and acceptable decisions whenever there is no clear
ruling available and under stress or severe time constraints

• effective oral and written communication skills (in native language and English) to
interact with constituents and other teams

• diplomacy when dealing with other parties, especially the media and constituents

• ability to follow policies and procedures

• willingness to continue education

• ability to cope with stress and work under pressure

• team player

• integrity and trustworthiness to keep a team’s reputation and standing


Fithen, Katherine T. “Hiring IRT Staff Interview Process.” 8th

Workshop on Computer Security
Incident Handling, Forum of Incident Response and Security Teams, San Jose, California, June



• willingness to admit to one’s own mistakes or knowledge limitations about a topic

• problem solving to address new situations and efficiently handle incidents

• time management, in order to concentrate on priority work

From a technical perspective, each incident handler requires a basic understanding of the
underlying technology and issues on which the individual will base their expertise. The
nature of these skills is similar, regardless of the underlying software and hardware
technologies in use by the team or constituency.

The following technical foundation (with a few general examples in parentheses) is important
for incident handling staff:

• public data networks (telephone, ISDN, X.25, PBX, ATM, frame relay)

• the Internet (aspects ranging from architecture and history to future and philosophy)

• network protocols (IP, ICMP, TCP, UDP)

• network infrastructure elements (router, DNS, mail-server)

• network applications, services and related protocols (SMTP, HTTP, HTTPS, FTP,

• basic security principles

• risks and threats to computers and networks

• security vulnerabilities/weaknesses and related attacks (IP spoofing, Internet sniffers,
denial of service attacks, and computer viruses)

• network security issues (firewalls and virtual private networks)

• encryption technologies (TripleDES, AES, IDEA), digital signatures (RSA, DSA, DH),
cryptographic hash algorithms (MD5, SHA-1)

• host system security issues, from both a user and system administration perspective
(backups, patches)

It is imperative that some subset of the team has an in-depth understanding of the full
spectrum of technologies and issues in use by the team and constituency. This additional level
of expertise is a resource that will be used to broaden and deepen the technical resource and
capability of the team and educate other team members through training and documentation.
It also ensures that the team can cover smaller subsets of a constituency’s technology base
and can provide a full range of services. The following specialist skills to consider are in
addition to an in-depth understanding of each of the technical skills listed above:



• technical skills such as programming, administration of networking components (e.g.,
routers, switches) and computer systems (UNIX, Linux, Windows, etc.)

• interpersonal skills such as human communications, experience in presenting at
conferences, or managing a group

• work organization skills

A team may be unable for some reason to fund, find, or hire staff to provide the necessary
specialist skills considered appropriate. Section 4.5.6, “Extension of Staff,” discusses
possibilities for addressing such situations. Section 4.5.4, “Training Staff,” highlights other
means to build upon and maintain strong skills and to support the continuous improvement to
reflect changes in constituency, technology, service offerings, etc.

No single set of skills will be applicable for every position on a given team. It will be
necessary to look at the constituency served and the range of technologies used to determine
what skills are appropriate for the specific team’s composition. Wherever possible,
individuals with a mix of skills should be hired to ensure that no single team member in the
organization is indispensable. On the other hand, smaller teams should have at least one
person experienced in the skills named to ensure such issues are handled in a professional
way, although this can lead to other problems when such a person leaves the team. While it
might seem contradictory, it is much simpler to replace even the most experienced team
member than a person serving as an interface to the sponsoring/funding organization and to
other teams.

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->