Bugtraq mailing list archives

FIRST and CERT


From: spaf () cs purdue edu (Gene Spafford)
Date: Fri, 29 Apr 94 12:56:52 -0500



So, what *is* FIRST all about, and what *is* CERT's mission?

Well, first of all, realize that I do not speak officially for either
group. However, unofficially, and as an informed party, I'll respond;
I've cc'd the current steering committee members for FIRST in case
they would like to expand on these comments.

You can find more complete info about FIRST from their WWW, gopher, or
ftp servers (http://first.org, gopher://gopher.first.org,
ftp://first.org/pub/first).  Briefly speaking, FIRST is intended as a
forum for response teams to share information in a trusted fashion,
coordinate responses to on-going security incidents, develop joint
protocols and tools, reduce duplication of effort and raise public
awareness.  Some FIRST member teams belong to vendors.  A few FIRST
teams do proactive security work (developing tools, searching for
bugs), but most are focused on incident response and investigation.

Each member of FIRST is responsible for security response (and
*sometimes* for security policy/defense/etc) within a defined
constituency.  For instance, CIAC handles US Dept of Energy sites and
contractors. PCERT handles Purdue University sites, CERCUS responds to
incidents at TRW's unclassified sites, SERT is responsible for sites
in the Australian .au domain, NORDUNET handles incidents at sites in
Denmark, etc.  (A complete list of teams, contacts, and coverage is
available from one of the servers listed above.)

FIRST has a yearly workshop on incident response that brings together
members of the teams, law enforcement personnel from around the globe
(at least at last year's workshop), researchers, policy makers, and
lots of system admins.  There are tutorials and talks.  This year,
among other things, FIRST has commissioned a CD-ROM of useful
security and incident response tools to be available for attendees.

FIRST is working on an archive of material, and has several mailing
lists (most internal to members).

FIRST is still evolving as an organization.  It hasn't been around for
more than a couple of years, and as everyone involved gains more
experience, I suspect FIRST will take on additional roles.  An
important part of this is having people aware of FIRST and that the FIRST
member teams are there.

Part of FIRST's function will also be defined by the user population.
Many people are "covered" by 2 or 3 different FIRST member
organizations.   As those organizations grow, and as users seek more
coordinated response to things, I expect (hope) FIRST to be the agent
of coordination and communication.

------------------

As far as the CERT goes, I can only relay what its members have told
me repeatedly and what they have said at conferences and in written
communication; I do not work for CERT, and I have never been a part of
CERT. 

However, I note that their name really conveys it: Computer Emergency
RESPONSE Team.  They are there to help sites in response to break-ins
or other security incidents.  They are not there to act as a generic
customer support agency to fix bugs in every version of Unix in
existence. 

Consider this text from ftp://info.cert.org/pub/cert_faq :

A1.    What is CERT?

      CERT is the Computer Emergency Response Team that was formed
      by the Defense Advanced Research Projects Agency (DARPA) in
      November 1988 in response to the needs exhibited during the
      Internet worm incident.  The CERT charter is to work with the
      Internet community to facilitate its response to computer
      security events involving Internet hosts, to take proactive
      steps to raise the community's awareness of computer security
      issues, and to conduct research targeted at improving the
      security of existing systems. 


From all accounts, they are usually too busy and too understaffed to
do much (or any) of the proactive research work.

If someone's site has been broken into, CERT will respond to the phone
24 hours a day.  Maybe their response isn't always as complete as some
people on this list and elsewhere would like.  But they do respond,
and they do try to help sites get cleaned up after incidents and back
"on the air".  They have responded to thousands of incidents, many for
admins at sites who had nowhere else to turn and no clue what to do.

CERT started out taking reports of security flaws in software.  They
then made contacts with vendors, and (sometimes with great pain) tried
to follow up on the reports to get fixes out.  Sometimes vendors
cooperate, sometimes not.  CERT has provided a "one-stop" and trusted
avenue for many of us to get bug reports to vendors...although not
every vendor has responded, or responded quickly.  This is loosely
under the CERT charter, and has been the source of most of the
complaints from people outside CERT.  But this is not really their
primary mission -- incident response on the Internet.

I'm sure people at the CERT are on this list and can respond more
definitively. 

--spaf
