Computer incident response

Computer security breaches can be prevented with proper vigilance.

For more than 15 years, the Fermilab Computer Incident Response Team handled cyber security incidents. This team, composed of individuals from throughout the laboratory, acted like a volunteer fire department for computers. They brought knowledge of their organizational units to bear on security incidents. The FCIRT acted quickly and decisively to contain incidents, prevented them from spreading widely and learned from them to prevent recurrences.

Several recent trends have made this strategy less effective. IT support consolidation moved most IT support into the Computing Sector; tools needed to understand and analyze incidents became more complex and specialized; and initial notification of many incidents now comes directly to the Computer Security Team through a variety of subscription and formal notification channels. Also, the requirements for reporting incidents to the DOE became more complex.

The combination of these factors has led us to consolidate cyber incident handling within the Security Team, where knowledge of the tools needed to process incidents is centralized. We are also using the Service Now system to maintain and track all information about incidents, which allows us to more easily share incident information among those who need access to the data. Service Now also aids us in preparing formal incident reports to DOE and in tracking incident statistics.

These changes should not affect your reporting of all suspected incidents to the Service Desk at x2345 or, for non-urgent situations, via email.

For their work on the FCIRT and for the transition to our new system, we owe thanks to Mark Leininger, Dane Skow, Don Petravick, Irwin Gaines, Mark Kaletka, Mike Diesburg and Keith Chadwick, as well as to the scores of individuals who have served on the FCIRT.

—Irwin Gaines