  SURVIVABLE SYSTEMS
 

The phenomenal growth of the Internet has spawned a global information society. The Internet connects an estimated 162 million computers in 240 countries and territories. Businesses with highly distributed information assets can function internationally with great efficiency, exchanging information quickly among their divisions, partners, suppliers, and customers. Governments are increasingly using the Internet to provide services to their citizens and for international information sharing and collaboration. Scientists, engineers, and educators all use the Internet for collaboration and rapid dissemination of information. Critical national infrastructures supporting such vital areas as power, transportation, and defense are growing more dependent on Internet-based applications.

Richard D. Pethia, director of the SEI's Survivable Systems Initiative, is frequently asked to provide Congressional testimony on cybersecurity issues, and is a frequent speaker at software and security conferences.

Use of the Internet, however, puts the networked systems of these organizations at serious risk of compromise as a result of cyber attack. Attack tools are increasingly automated and sophisticated. The number of vulnerabilities discovered in widely used commercial software continues to more than double each year. Organizations relying on the Internet face significant challenges to ensure that their networked computing systems are survivable—that they provide essential services in the presence of attacks and failures, and recover full services in a timely manner.

Purpose

Through its work in survivable systems, the SEI seeks to ensure that management practices and technology are available to help organizations recognize, resist, and recover from attacks on networked systems. In particular, the SEI supports improvement in the security of networked systems by

> developing and transitioning survivability engineering practices to software acquirers and developers, practices that focus on security and survivability as explicit requirements and yield systems with built-in mechanisms to recognize, resist, and recover from attack
> developing and transitioning secure programming practices and tools for discovering and eliminating the most common cause of security vulnerabilities: implementation errors that can be exploited to compromise systems
> developing and demonstrating the effectiveness of modeling and simulation tools that can be used to model and predict security attributes of systems while they are under development and to identify the cascade effects of attacks and failures
> maturing operational tools for early detection and effective management of threats to networked systems
> providing a comprehensive view of attack methods, vulnerabilities, and the impact of attacks on information systems and networks and on the operations that they support; also, advising the DoD on incident and vulnerability trends and characteristics. This support is provided by the CERT® Coordination Center.
> building an infrastructure of increasingly competent security professionals who respond quickly to attacks on Internet-connected systems and who are able to protect their systems against security compromises
> developing training courses that improve the skills of network system administrators to respond to attacks and to prevent security compromises
> developing and transitioning methods to evaluate, improve, and maintain the security and survivability of deployed mission-critical organizations and systems
> working with vendors to improve the security of as-shipped products

The CERT Coordination Center (CERT/CC) was established in 1988 as the first computer security incident response team (CSIRT). Staff members provide technical assistance and coordinate responses to security compromises, identify trends in intruder activity, analyze vulnerabilities in products and systems connected to the Internet, and work with vendors and other security experts to identify solutions to security problems. They alert the Internet community to potential threats to the security of their systems and provide information about how to avoid, minimize, or recover from the damage. CERT/CC technical experts are routinely called on by their sponsors and by international and homeland security leaders to identify and recommend remedies to security problems in the Internet infrastructure and to coordinate activity to implement those remedies.

The CERT/CC has responded to more than 200,000 security incidents that have affected hundreds of thousands of Internet sites, has handled more than 8,000 reported vulnerabilities, and has issued hundreds of advisories and bulletins. The CERT/CC also maintains a knowledgebase of security information, including descriptions of thousands of vulnerabilities. The CERT/CC is developing an automated incident-reporting system, AirCERT, which can collect data from sensors, allow data to be shared within and among organizations, and allow the data to be sanitized. AirCERT enables the CERT/CC to gain a real-time view of incident activity and enhances the center’s ability to monitor changes in the threat level.

The CERT/CC has helped foster the creation of more than 200 CSIRTs. CERT/CC staff members provide training courses for CSIRT managers and technical staff, give technical assistance by reviewing policies and standard operating procedures, and publish materials such as a CSIRT handbook, templates, and checklists. In addition, the staff is working on standards for certification and accreditation of computer network defense service providers and CSIRTs.

CERT routinely publishes security vulnerabilities and fixes. ... By providing only a summary description of a vulnerability, but a detailed fix, CERT reduces the danger of hacking attempts based on this information. However, not all security watchdog organizations are so responsible. This situation has spurred debates regarding how much information on vulnerabilities should be published--and when.
--Network Magazine, Strategies & Issues: Ports of Entry--Routers in the Crosshairs. April 5, 2002.

 

2002 Accomplishments

Response to SNMP Vulnerabilities Coordinated
The CERT/CC staff conducted an extensive coordination effort in response to vulnerabilities in the simple network management protocol (SNMP), a widely deployed protocol that is commonly used to monitor and manage network devices. Staff members contacted more than 280 vendors, many of whom interacted with the CERT/CC for the first time. More than 150 vendors responded to the problem, contributing a record number of vendor statements for a CERT/CC advisory (CA-2002-03) and enabling the Internet community to protect itself. The day after the advisory was released, it already had been viewed more than 100,000 times, and the mailing list that the CERT/CC specifically created for the SNMP vulnerabilities had more than 400 subscribers. In the following week, CERT/CC staff members conducted 26 interviews with news media, helping to raise awareness of the problem. Articles appeared in publications such as The New York Times, Business Week, and the San Francisco Chronicle.

SEI's responsiveness has been exceptional. We added a number of new business lines to our services during the assessment process and SEI was able to help us develop appropriate protection strategies that would help us develop these services. The quality was excellent. The analysts that worked with us were amazing and we were completely impressed.
Roopangi Kadakia
Director, Systems, Security & New Technology
Office of Citizen Services and Communications
United States General Services Administration

OCTAVE Method and Training Developed
The SEI developed the Operationally Critical Threat, Asset, and Vulnerability Evaluation℠ (OCTAVE℠) method, a self-directed approach for evaluating information-security risks. The results of this development effort were published in July 2002 in book form in Managing Information Security Risks: The OCTAVE Approach. OCTAVE is endorsed by the Security Working Integrated Project Team, Office of the Assistant Secretary of Defense/Health Affairs, as the preferred security risk assessment for the DoD medical community to use in their preparations for complying with the forthcoming Health Insurance Portability and Accountability Act (HIPAA).

The SEI also developed OCTAVE-S, an information-security assessment technique for small defense manufacturers (see the section titled "Octave for Small Businesses Provides Information-Security Management Practices").

Finally, the SEI made considerable progress in enabling others to use OCTAVE. More than 1,000 copies of the OCTAVE Method Implementation Guide were distributed and a public training course was offered four times to individuals and teams during 2002. In addition, the first OCTAVE Users’ Forum was held in September 2002 in Washington, DC (see the section titled "Octave Users' Forum").

e-Authentication Risk and Requirements Analysis Developed
The SEI has partnered with the General Services Administration Office of Electronic Government to develop the e-Authentication risk and requirements analysis (e-RA) approach, which helps organizations identify authentication risks and develop authentication requirements. The approach is being used by the 24 federal electronic government initiatives to define standardized levels of authentication and to define requirements for an authentication gateway—a single authentication solution for electronic government initiative users.

Training and Education in Information Security Offered
SEI staff members provided training and education that helped increase the number of trained professionals available to address security in networked computing. The SEI and its licensees offer nine courses related to computer and network security. One example is a training course in network security and survivability developed for officers at the Marine Corps Command and Control System School as part of its curriculum on information technology (IT) networking. In the course, security, technologies, and recommended practices are covered at increasing layers of complexity, from concepts to technical implementations. The approach used in the course makes it appropriate for a broad range of IT professionals. It has been transitioned to the Air Force and offered as a public course at the SEI, and it has also been licensed for delivery by an international transition partner.

I would like to express our appreciation for the professional job that you all did on the [network security and survivability] course. The students here loved the information in the student workbook as well as the hands-on provided by the lab exercises. We got great compliments on the course and the students are insistent on getting a copy on CD so that they can read the "book" on their own.
Capt. John Yarger
U.S. Marine Corps
Command and Control System School, Instructor Group Coordinator

A second example is a four-week program aimed at increasing the number of PhD-level faculty and researchers in information security at historically black colleges and universities and Hispanic-serving institutions. Carnegie Mellon’s School of Computer Science and the SEI are working with Howard University, Morgan State University, and the University of Texas at El Paso. The program provided participants with the knowledge and expertise to develop and deliver curricula in information security. As a result, PhD computer scientists will be able to teach courses in information security to advanced undergraduate and first-year graduate students at the participating universities.

These two efforts help build expertise among current IT professionals and create the next generation of Internet security experts.

 

Intruder Knowledge/Attack Sophistication