CERT

Chapter 3

CERT®/CC History and Policies

The CERT®/CC, located at CMU's Software Engineering Institute (SEI), has been on the "front lines" in defense of the Internet since November, 1988. This chapter presents a history of CERT®/CC and a description of their policies, particularly regarding advisories and the disclosure of other information. This also includes a brief discussion of other CERT®-like organizations.

3.1. Origins of the CERT®/CC

In November, 1988, a graduate student at Cornell University released a self-replicating computer program on the Internet. This program, which has come to be known as the "Internet Worm," exploited several software bugs in the UNIX operating system to penetrate host computers across the network [RuG91:4]. At the time, the Internet consisted of approximately 60,000 computers [Lot92]. Although the Internet Worm was not programmed to damage computers or their files, apparently because of an error in the program it replicated rapidly within host computers. Infected computers were rendered useless because their processing capability was absorbed by multiple copies of the worm program. While only 2,100 to 2,600 host computers were infected, this effectively "shut down" the Internet for several days as defensive measures were taken (which included many sites disconnecting from the network) [RuG91:4, Hug95:142].

In order to eliminate the Internet Worm, an ad hoc response team was created consisting of experts at MIT, Berkeley, Purdue and other sites. The Worm code was reverse engineered and fixes for the software bugs and procedures for eradication of the Worm were developed and disseminated [RuG91:4]. Following this incident, the Defense Advanced Research Projects Agency (DARPA), sponsors of the Internet, decided to institutionalize the concept of an Internet emergency response team. The CERT® Coordination Center (CERT®/CC) was therefore established at CMU's Software Engineering Institute (SEI), near the end of November, 1988 [ISV95:14; RuG91:5].

3.2. CERT®/CC Purpose

The purpose of the CERT®/CC is to provide the Internet community a single organization that can coordinate responses to security incidents on the Internet. CERT®/CC accomplishes this during a security incident by establishing and maintaining communication with the affected sites, and with experts who can diagnose and solve security problems [HoR91:25].

The CERT® charter is to work with the Internet community to facilitate its response to computer security events involving Internet hosts, to take proactive steps to raise the community's awareness of computer security issues, and to conduct research targeted at improving the security of existing systems [CER96:1].

The CERT®/CC organization is made up of three closely related groups, each providing related products and services for the Internet community:

1) Operations - a single point of contact for system and network security

a) 24-hour technical assistance hot-line for responding to computer security incidents

b) advisories of Internet vulnerabilities through the CERT® Advisories mailing list, as well as through an anonymous FTP server and a Web site

c) additional product vulnerability assistance through a database of vulnerabilities

d) vendor relations

2) Education and Training - help organizations form response teams, train users, improve security

a) security-related technical documents, summaries, and vendor-initiated bulletins

b) security-related seminars and workshops

3) Research and Development - to stimulate the development of trustworthy systems

a) security research and engineering

b) security-related tools [CER92:2; CER96:1-5]

3.3. Operating Procedures and Policies

The CERT®/CC currently consists of approximately 35 people who work in an isolated area of the SEI. To conduct operations as outlined above, CERT®/CC personnel perform the following:

a) Incident Response - The CERT®/CC hot-line is manned for incident response Monday through Friday during normal business hours. At other times, CERT®/CC personnel assigned to incident response are "on call," and can be reached through the hot-line. CERT®/CC personnel currently respond to an average of 15 incident reports a day. Most incidents are limited, and involve the use of known techniques. These can be handled by CERT®/CC personnel. If necessary, CERT®/CC personnel will coordinate by adding volunteer experts within the Internet community to form a larger response team.

b) Vulnerabilities Database - The CERT®/CC maintains a database consisting of known Internet software security vulnerabilities, along with fixes for these vulnerabilities. Vulnerability reports are collected from the Internet community at large and then, if confirmed by CERT®/CC personnel, they are entered into the database.

c) Information Response - A large percentage of CERT®/CC inquiries have been for information. Many of these inquiries involve neither incident response nor vulnerabilities, and are more properly handled by software or hardware vendors. This CERT®/CC service is, therefore, being phased out.

Since its inception, CERT®/CC has maintained strict rules of confidentiality. Information provided by the CERT®/CC to the Internet community is limited to advisories about vulnerabilities. These advisories give general information about the nature of the vulnerabilities and specific details of how these vulnerabilities may be eliminated or mitigated. The CERT®/CC does not publish information on the specific details of vulnerabilities or on how these vulnerabilities may be exploited. In order to prevent aiding attackers in exploiting these vulnerabilities, this information is only given to the appropriate vendors and individuals requiring the information in order to correct the vulnerabilities.

Information about actual incidents, particularly the sites involved and the techniques used, is strictly confidential. CERT®/CC rules require that site confidentiality be maintained for two reasons. First, if sites were identified, particularly during an incident, they might become targets for additional attacks. Second, the CERT®/CC might receive fewer reports if confidentiality were not guaranteed. Sites reporting to the CERT®/CC desire this confidentiality not only to prevent additional attacks, but also to prevent adverse effects from publicity. Because of this policy, CERT®/CC personnel will generally 1) not acknowledge the existence of an incident outside of the response team and the sites involved, and 2) not inform sites involved in an incident of the involvement of other sites, unless those sites give specific permission. Occasionally, the CERT®/CC has issued advisories warning about significant Internet intruder activity, but with no details about the incidents themselves.

3.4. Other Incident Response and Security Teams

The Internet is a diverse community of cultures, needs, policies, and technologies. There are a variety of constituencies for incident response and security ranging from the Internet, to military services, other government agencies, other networks, and commercial companies - all of which may be located in foreign countries. As a result, since the CERT®/CC was established, a variety of computer security incident response teams have been established in various government, commercial and academic organizations around the world. The CERT®/CC continues to be the largest and best known of these organizations. Also, since the Internet has become ubiquitous, it is unlikely that any large incident response effort would be outside the responsibility of the CERT®/CC.

Some coordination takes place between these incident response and security teams, primarily through informal arrangements. The Forum of Incident Response and Security Teams (FIRST) provides an avenue for more formal interaction between these organizations. FIRST is a non-profit corporation that was established to exchange information and coordinate response activities. As of October, 1996, FIRST had 57 members. These are shown in Table 3.1 through Table 3.7.

As can be seen in these tables, the CERT®/CC has a considerably larger responsibility than the other organizations that are part of FIRST. In addition, the responsibility of the CERT®/CC overlaps that of most of these organizations. This is further evidence that we should expect most large incidents that took place on the Internet to appear in the CERT®/CC records. This may not be the case, however, with smaller incidents that fall within the more limited responsibility of one of the other organizations.

3.5. Summary of CERT®/CC History and Policies

Following the Internet Worm incident in November, 1988, the Defense Advanced Research Projects Agency (DARPA), established the CERT® Coordination Center (CERT®/CC) at CMU's Software Engineering Institute (SEI) in order to provide the Internet community a single organization that can coordinate responses to security incidents on the Internet.

The CERT®/CC maintains strict rules of confidentiality. Information provided by the CERT®/CC to the Internet community is limited to advisories about vulnerabilities. Information about actual incidents, particularly the sites involved and the techniques used, is strictly confidential. Throughout the CERT®/CC history, this high level of confidentiality has been controversial.

A variety of computer security incident response teams have been established in various government, commercial and academic organizations around the world, although the CERT®/CC continues to be the largest and best known of these organizations. These response teams coordinate informally, and through the Forum of Incident Response and Security Teams (FIRST).

Internet and Other Network Response Teams in FIRST
Organization | Constituency
AUSCERT (Australian Computer Emergency Resp. Team) | Australia
CARNet-CERT | CARNet connected sites
CERT® Coordination Center | The Internet
CERT-IT, Computer Emergency Response Team Italiano | Italian Internet
CERT-NL | SURFnet connected sites
DFN CERT | Germany
Israeli Academic Network | Israeli University users
JANET-CERT | All UK organizations connected to JANET network
MxCERT (Mexican CERT) | Mexico (.mx domain)
NORDUnet | NORDUnet
SWITCH-CERT | Sites connected to SWITCH

Table 3.1. Internet and Other Network Response Teams in FIRST, and their Constituencies [FIR96]

Other U.S. Government Agency Response Teams in FIRST
Organization | Constituency
Department of Energy's CIAC | U.S. Department of Energy (DOE) and DOE Contractor sites, plus the Energy Science Network (ESnet)
Goddard Space Flight Center | Goddard Space Flight Center
NASA (Ames Research Center) | NASA (Ames Research Center)
NASA Auto. Sys. Incid. Resp. Capability (NASIRC) | NASA & the International Aerospace Comm.
NCSA-IRST (National Center for Supercomputing Applications IRST) | National Supercomputing Community, in particular our Industrial Partners, Collaborators, the State of Illinois, and K-12 Illinois Learning Mosaic community
U.S. National Institutes of Health | Employees of the U.S. National Institutes of Health
NIST/CSRC | NIST and civilian U.S. agencies (guidance only)
U.S. Social Security Administration | U.S. Social Security Administration
Small Business Administration (SBACERT) | Small Business Community Nationwide
Vet. Health Admin. Forum of Incid. Resp. Sec. Team | Veterans Health Administration

Table 3.2. Other U.S. Government Agency Response Teams in FIRST, and their Constituencies [FIR96]

U.S. Military Incident Response Teams in FIRST
Organization | Constituency
AFCERT (Air Force CERT) | Air Force Users
Department of Defense ASSIST | DOD interest systems
Defense Information Systems Agency | MILNET
NAVCIRT (Naval Computer Incident Response Team) | U.S. Department of the Navy

Table 3.3. U.S. Military Response Teams in FIRST, and their Constituencies [FIR96]

U.S. Educational Response Teams in FIRST
Organization | Constituency
Northwestern University | Northwestern University Faculty/Staff/Students
Ohio State University Incident Response Team (OSU-IRT) | The Ohio State University
Pennsylvania State University | Pennsylvania State University
Purdue Computer Emergency Resp. Team (PCERT) | Purdue University
Stanford University Network Security Team | Stanford University Networks and Systems

Table 3.4. U.S. Educational Response Teams in FIRST, with Constituencies [FIR96]

Foreign Government Response Teams in FIRST
Organization | Constituency
BSI/GISA | German Government Institutions
CCTA | All UK Government and Agencies
Defence Research Agency, Malvern | Defence Research Agency
Renater | Ministry of Research & Education, France

Table 3.5. Foreign Government Response Teams in FIRST, with Constituencies [FIR96]

Computer and Communications Vendor Response Teams in FIRST
Organization | Constituency
Apple Computer | Apple Computer (worldwide)
Cisco Systems | Cisco Systems (employees/contractors)
Digital Equipment Corporation (SSRT) | DEC and customers
FreeBSD, Inc. | Users of FreeBSD or other UNIX operating systems
Hewlett-Packard Company | All HP-UX and MPE Customers
IBM-ERS | IBM internal and external customers
MCI | MCI Employees, Contractors and Alliance Partners
Micro-BIT Virus Center | Anyone Calling
Motorola Comp. Emergency Resp. Team | Motorola
Silicon Graphics Inc. | Silicon Graphics' User Community
SUN Microsystems, Inc. | Customers of Sun Microsystems
UNISYS Computer Emer. Response Team (UCERT) | Unisys Internal/External Users
Sprint | Sprint Net (X.25) and Sprint Link (TCP/IP)

Table 3.6. Computer and Communications Vendor Response Teams in FIRST, with Constituencies [FIR96]

Other Commercial Response Teams in FIRST
Organization | Constituency
ANS CO+RE Systems, Inc. | ANS Customers
Bellcore | Bellcore
Boeing CERT (BCERT) | Boeing
EDS | EDS and EDS Customers
General Electric Company | Thirteen GE businesses
Goldman, Sachs and Company | Goldman, Sachs offices worldwide
JP Morgan | JP Morgan Employees/Consultants
SAIC Security Emergency Response Center | Commercial and government customers
TRW Inc. | TRW Network and System Administrators
Westinghouse Electric Corporation | Entire Corporation

Table 3.7. Other Commercial Response Teams in FIRST, with Constituencies [FIR96]
