WASHINGTON -- Discover a new worm? Uncover a previously unseen bug in Windows? Identify a malicious spammer? Where do you call the cybercops?
The Department of Homeland Security, which considers cybersecurity among its duties, has issued an incident response handbook intended to answer all that. Called "The Incident Response and Reporting Guidelines," the publication should be available directly from the Department of Homeland Security.
The laminated booklet contains suggestions on identifying and responding to suspicious computer behavior. It is published as a Homeland Security initiative to educate the public on cyber threats. Unlike other efforts, it is designed to make it easy for people to report problems.
The booklet provides a list of symptoms of a possible threat, such as unexplained modification or deletion of data, finding new files or unfamiliar file names, unauthorized or suspicious system entries, unauthorized modifications of file dates, and activation of a system alarm or similar indication of an intrusion.
No matter how insignificant the incident may appear, Homeland Security representatives say they want to know about it.
The Federal Computer Incident Response Center (FedCIRC), part of the National Cyber Security Division within the Homeland Security Department, offers online and telephone alert hotlines. You can fill out an automated incident report at fedcirc.gov, or call the toll-free hotline number 888/282-0870 around the clock.
"Remain calm" is the first instruction on responding to an incident.
The second direction is to ask questions and take good notes. The guidelines remind readers to log the four W's--what, where, when, who--in relation to their problem. They also encourage readers to record any observations and time stamps.
The third step is to determine the priority of the threat and then to report it to officials. Pass along the information you gathered. Remember to include the name of your organization and your contact information when reporting a cyber threat.
The department would also like to know if it could pass along data about your cyber attack to other government agencies, such as the National Security Incident Response Center and the Joint Task Force for Computer Network Operations. The Department of Homeland Security has paired with several other agencies, including the U.S. Computer Emergency Readiness Team (CERT) for cybersecurity efforts.
When reporting an incident, include such additional information as the operating system that was affected, the IP address of the attacker, and the type of incident, the guidelines advise. Helpful information includes whether it involves an intrusion, a denial-of-service attack, a Web site defacement, a virus, or another problem.
FedCIRC will use the information you provide to build its database, allowing it to track and measure specific threats in order to understand their distribution and perhaps to issue warnings to other agencies.