Programme
Five prominent members of the computer and network security community in Europe will be presenting this two-day training course for staff members (or future staff members) of new or established Computer Security Incident Response Teams. The course deals with the operational, organisational and legal aspects of incident response. It is aimed at professionals who are either members (or future members) of existing computer security teams, or who will be involved in building such a team within their own organisation.
The course will be a mixture of presentations, exercises and discussion sessions, occupying two full days. The course is designed to help trainees to work together to exchange information and develop their own ideas. To give the best opportunity for interaction the workshop will be conducted in two parallel classes of about 10 people each. For the same reason, accommodation for all participants has been arranged at the workshop hotel - informal discussions in the evening are expected to be a valuable part of the training.
Course Description
The objectives of the course are:
- Understand where CSIRTs fit into the organisation
- Understand the tasks and tools that are necessary to perform their function
- Develop and practise the skills that are needed by a CSIRT team member
- Understand the external issues (both legal and technical) that may affect the operation of a CSIRT.
The course consists of five modules. Some of these include exercises that the trainees will complete and discuss, while others will include time for discussion among the whole class. The modules are:
- CSIRT Organisation
  - Describes how CSIRTs fit into their organisations: planning the CSIRT, defining the constituency of the team and gaining management authority for it, deciding the services the team will offer, working with those outside the organisation, staffing the CSIRT, funding. Students will discuss their own organisation and how their team fits into it.
- Technical Aspects
  - Understand how intruders attack systems: intruders and their motivations, network protocols and how they can be abused, operating systems and services, types of vulnerability, information gathering, breaking in, hiding traces, denial-of-service attacks. A number of exercises are used to show how these appear in practice.
- CSIRT Operations
  - Describes the facilities, systems and tools needed by CSIRTs to operate successfully: housing the CSIRT, equipment, e-mail, remote access, information and contacts, servers and networks, incident response plans and procedures, tracking systems. As an exercise students will discuss and develop incident response plans for their own teams.
- Legal Issues
  - Looks at the areas of legislation that are likely to affect CSIRTs in their work and that team members need to be aware of: origins of computer legislation, problems, data protection, computer misuse, working with law enforcement, monitoring, evidence, European developments.
- Working with vulnerabilities
  - Discusses the roles that CSIRTs may decide to play in distributing and producing information about vulnerabilities: why do vulnerabilities exist, what should CSIRTs aim to do, sources of information and how to use them, advisories - distribution, interpretation, investigation and co-ordination.