Network Working Group                                       N. Brownlee
Request for Comments: 2350                   The University of Auckland
BCP: 21                                                      E. Guttman
Category: Best Current Practice                        Sun Microsystems
                                                              June 1998
        

Expectations for Computer Security Incident Response

Status of this Memo

This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1998). All Rights Reserved.

Abstract

The purpose of this document is to express the general Internet community's expectations of Computer Security Incident Response Teams (CSIRTs). It is not possible to define a set of requirements that would be appropriate for all teams, but it is possible and helpful to list and describe the general set of topics and issues which are of concern and interest to constituent communities.

CSIRT constituents have a legitimate need and right to fully understand the policies and procedures of 'their' Computer Security Incident Response Team. One way to support this understanding is to supply detailed information which users may consider, in the form of a formal template completed by the CSIRT. An outline of such a template and a filled in example are provided.

Table of Contents

   1 Introduction
   2 Scope
     2.1 Publishing CSIRT Policies and Procedures
     2.2 Relationships between different CSIRTs
     2.3 Establishing Secure Communications
   3 Information, Policies and Procedures
     3.1 Obtaining the Document
     3.2 Contact Information
     3.3 Charter
         3.3.1 Mission Statement
         3.3.2 Constituency
         3.3.3 Sponsoring Organization / Affiliation
         3.3.4 Authority
     3.4 Policies
         3.4.1 Types of Incidents and Level of Support
         3.4.2 Co-operation, Interaction and Disclosure of Information
         3.4.3 Communication and Authentication
     3.5 Services
         3.5.1 Incident Response
               3.5.1.1 Incident Triage
               3.5.1.2 Incident Coordination
               3.5.1.3 Incident Resolution
         3.5.2 Proactive Activities
     3.6 Incident Reporting Forms
     3.7 Disclaimers
   Appendix A: Glossary of Terms
   Appendix B: Related Material
   Appendix C: Known Computer Security Incident Response Teams
   Appendix D: Outline for CSIRT Template
   Appendix E: Example - 'filled-in' Template for a CSIRT
   4 Acknowledgements
   5 References
   6 Security Considerations
   7 Authors' Addresses
   8 Full Copyright Statement

1 Introduction

The GRIP Working Group was formed to create a document that describes the community's expectations of computer security incident response teams (CSIRTs). Although the need for such a document originated in the general Internet community, the expectations expressed should also closely match those of more restricted communities.

In the past there have been misunderstandings regarding what to expect from CSIRTs. The goal of this document is to provide a framework for presenting the important subjects (related to incident response) that are of concern to the community.

Before continuing, it is important to clearly understand what is meant by the term "Computer Security Incident Response Team." For the purposes of this document, a CSIRT is a team that performs, coordinates, and supports the response to security incidents that involve sites within a defined constituency (see Appendix A for a more complete definition). Any group calling itself a CSIRT for a specific constituency must therefore react to reported security incidents, and to threats to "their" constituency in ways which the specific community agrees to be in its general interest.

Since it is vital that each member of a constituent community be able to understand what is reasonable to expect of their team, a CSIRT should make it clear who belongs to their constituency and define the services the team offers to the community. Additionally, each CSIRT should publish its policies and operating procedures. Similarly, these same constituents need to know what is expected of them in order for them to receive the services of their team. This requires that the team also publish how and where to report incidents.

This document details a template which will be used by CSIRTs to communicate this information to their constituents. The constituents should certainly expect a CSIRT to provide the services they describe in the completed template.

It must be emphasized that without active participation from users, the effectiveness of the CSIRT's services can be greatly diminished. This is particularly the case with reporting. At a minimum, users need to know that they should report security incidents, and know how and to where they should report them.

Many computer security incidents originate outside local community boundaries and affect inside sites, others originate inside the local community and affect hosts or users on the outside. Often, therefore, the handling of security incidents will involve multiple sites and potentially multiple CSIRTs. Resolving these incidents will require cooperation between individual sites and CSIRTs, and between CSIRTs.

Constituent communities need to know exactly how their CSIRT will be working with other CSIRTs and organizations outside their constituency, and what information will be shared.

The rest of this document describes the set of topics and issues that CSIRTs need to elaborate for their constituents. However, there is no attempt to specify the "correct" answer to any one topic area. Rather, each topic is discussed in terms of what that topic means.

Chapter two provides an overview of three major areas: the publishing of information by a response team, the definition of the response team's relationship to other response teams, and the need for secure communications. Chapter three describes in detail all the types of information that the community needs to know about their response team.

For ease of use by the community, these topics are condensed into an outline template found in Appendix D. This template can be used by constituents to elicit information from their CSIRT.

It is the working group's sincere hope that through clarification of the topics in this document, understanding between the community and its CSIRTs will be increased.

2 Scope

The interactions between an incident response team and its constituent community require first that the community understand the policies and procedures of the response team. Second, since many response teams collaborate to handle incidents, the community must also understand the relationship between their response team and other teams. Finally, many interactions will take advantage of existing public infrastructures, so the community needs to know how those communications will be protected. Each of these subjects will be described in more detail in the following three sections.

2.1 Publishing CSIRT Policies and Procedures

Each user who has access to a Computer Security Incident Response Team should know as much as possible about the services of and interactions with this team long before he or she actually needs them.

A clear statement of the policies and procedures of a CSIRT helps the constituent understand how best to report incidents and what support to expect afterwards. Will the CSIRT assist in resolving the incident? Will it provide help in avoiding incidents in the future? Clear expectations, particularly of the limitations of the services provided by a CSIRT, will make interaction with it more efficient and effective.

There are different kinds of response teams: some have very broad constituencies (e.g., CERT Coordination Center and the Internet), others have more bounded constituencies (e.g., DFN-CERT, CIAC), and still others have very restricted constituencies (e.g., commercial response teams, corporate response teams). Regardless of the type of response team, the constituency supported by it must be knowledgeable about the team's policies and procedures. Therefore, it is mandatory that response teams publish such information to their constituency.

A CSIRT should communicate all necessary information about its policies and services in a form suitable to the needs of its constituency. It is important to understand that not all policies and procedures need be publicly available. For example, it is not necessary to understand the internal operation of a team in order to interact with it, as when reporting an incident or receiving guidance on how to analyze or secure one's systems.

In the past, some teams supplied a kind of Operational Framework, others provided a Frequently Asked Questions list (FAQ), while still others wrote papers for distribution at user conferences or sent newsletters.

We recommend that each CSIRT publish its guidelines and procedures on its own information server (e.g. a World Wide Web server). This would allow constituents to easily access it, though the problem remains of how a constituent can find his or her team; people within the constituency have to discover that there is a CSIRT "at their disposal."

It is foreseen that completed CSIRT templates will soon become searchable by modern search engines, which will aid in distributing information about the existence of CSIRTs and basic information required to approach them.

It would be very useful to have a central repository containing all the completed CSIRT templates. No such repository exists at the time of writing, though this might change in the future.

Regardless of the source from which the information is retrieved, the user of the template must check its authenticity. It is highly recommended that such vital documents be protected by digital signatures. These will allow the user to verify that the template was indeed published by the CSIRT and that it has not been tampered with. This document assumes the reader is familiar with the proper use of digital signatures to determine whether a document is authentic.

2.2 Relationships between different CSIRTs

In some cases a CSIRT may be able to operate effectively on its own and in close cooperation with its constituency. But with today's international networks it is much more likely that most of the incidents handled by a CSIRT will involve parties external to its constituency. Therefore the team will need to interact with other CSIRTs and sites outside its constituency.

The constituent community should understand the nature and extent of this collaboration, as very sensitive information about individual constituents may be disclosed in the process.

Inter-CSIRT interactions could include asking other teams for advice, disseminating knowledge of problems, and working cooperatively to resolve a security incident affecting one or more of the CSIRTs' constituencies.

In establishing relationships to support such interactions, CSIRTs must decide what kinds of agreements can exist between them so as to share yet safeguard information, whether this relationship can be disclosed, and if so to whom.

Note that there is a difference between a peering agreement, where the CSIRTs involved agree to work together and share information, and simple co-operation, where a CSIRT (or any other organization) simply contacts another CSIRT and asks for help or advice.

Although the establishment of such relationships is very important and affects the ability of a CSIRT to support its constituency, it is up to the teams involved to decide about the details. It is beyond the scope of this document to make recommendations for this process. However, the same set of information used to set expectations for a user community regarding sharing of information will help other parties to understand the objectives and services of a specific CSIRT, supporting a first contact.

2.3 Establishing Secure Communications

Once one party has decided to share information with another party, or two parties have agreed to share information or work together - as required for the coordination of computer security incident response - all parties involved need secure communications channels. (In this context, "secure" refers to the protected transmission of information shared between different parties, and not to the appropriate use of the information by the parties.)

The goals of secure communication are:

- Confidentiality: Can somebody else access the content of the communication?

- Integrity: Can somebody else manipulate the content of the communication?

- Authenticity: Am I communicating with the "right" person?

It is very easy to send forged e-mail, and not hard to establish a (false) identity by telephone. Cryptographic techniques, for example Pretty Good Privacy (PGP) or Privacy Enhanced Mail (PEM) can provide effective ways of securing e-mail. With the correct equipment it is also possible to secure telephone communication. But before using such mechanisms, both parties need the "right" infrastructure, which is to say preparation in advance. The most important preparation is ensuring the authenticity of the cryptographic keys used in secure communication:

- Public keys (for techniques like PGP and PEM): Because they are accessible through the Internet, public keys must be authenticated before use. While PGP relies on a "Web of Trust" (where users sign the keys of other users), PEM relies on a hierarchy (where certification authorities sign the keys of users).

- Secret keys (for techniques like DES and PGP/conventional encryption): Because these must be known to both sender and receiver, secret keys must be exchanged before the communication via a secure channel.

Communication is critical to all aspects of incident response. A team can best support the use of the above-mentioned techniques by gathering all relevant information, in a consistent way. Specific requirements (such as calling a specific number to check the authenticity of keys) should be clear from the start. CSIRT templates provide a standardized vehicle for delivering this information.

It is beyond the scope of this document to address the technical and administrative problems of secure communications. The point is that response teams must support and use a method to secure the communications between themselves and their constituents (or other response teams). Whatever the mechanism is, the level of protection it provides must be acceptable to the constituent community.

3 Information, Policies and Procedures

In chapter 2 it was mentioned that the policies and procedures of a response team need to be published to their constituent community. In this chapter we will list all the types of information that the community needs to receive from its response team. How this information is communicated to a community will differ from team to team, as will the specific information content. The intent here is to clearly describe the various kinds of information that a constituent community expects from its response team.

To make it easier to understand the issues and topics relevant to the interaction of constituents with "their" CSIRT, we suggest that a CSIRT publish all information, policies, and procedures addressing its constituency as a document, following the template given in Appendix D. The template structure arranges items, making it easy to supply specific information; in Appendix E we provide an example of a filled-out template for the fictitious XYZ University. While no recommendations are made as to what a CSIRT should adopt for its policy or procedures, different possibilities are outlined to give some examples. The most important thing is that a CSIRT have a policy and that those who interact with the CSIRT be able to obtain and understand it.

As always, not every aspect for every environment and/or team can be covered. This outline should be seen as a suggestion. Each team should feel free to include whatever they think is necessary to support its constituency.

3.1 Obtaining the Document

Details of a CSIRT change with time, so the completed template must indicate when it was last changed. Additionally, information should be provided concerning how to find out about future updates. Without this, it is inevitable that misunderstandings and misconceptions will arise over time; outdated documents can do more harm than good.

- Date of last update: This should be sufficient to allow anyone interested to evaluate the currency of the template.

- Distribution list: Mailing lists are a convenient mechanism to distribute up-to-date information to a large number of users. A team can decide to use its own or an already existing list to notify users whenever the document changes. The list might normally be groups the CSIRT has frequent interactions with.

Digital signatures should be used for update messages sent by a CSIRT.

- Location of the document: The location where a current version of the document is accessible through a team's online information services. Constituents can then easily learn more about the team and check for recent updates. This online version should also be accompanied by a digital signature.

3.2 Contact Information

Full details of how to contact the CSIRT should be listed here, although this might be very different for different teams; for example, some might choose not to publicize the names of their team members. No further clarification is given when the meaning of the item can be assumed.

- Name of the CSIRT

- Mailing Address

- Time zone: This is useful for coordinating incidents which cross time zones.

- Telephone number

- Facsimile number

- Other telecommunication: Some teams might provide secure voice communication (e.g. STU III).

- Electronic mail address

- Public keys and encryption: The use of specific techniques depends on the ability of the communication partners to have access to programs, keys and so on. Relevant information should be given to enable users to determine if and how they can make use of encrypted communication while interacting with the CSIRT.

- Team members

- Operating Hours: The operating hours and holiday schedule should be provided here. Is there a 24 hour hotline?

- Additional Contact Info: Is there any specific customer contact info?

More detailed contact information can be provided. This might include different contacts for different services, or might be a list of online information services. If specific procedures for access to some services exist (for example addresses for mailing list requests), these should be explained here.

3.3 Charter

Every CSIRT must have a charter which specifies what it is to do, and the authority under which it will do it. The charter should include at least the following items:

- Mission statement

- Constituency

- Sponsorship / affiliation

- Authority
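
A completed template can be checked mechanically against the items listed in sections 3.1 to 3.3. The following is an added example, not part of the original memo: the `Label: value` layout, the set of items treated as optional, the one-year staleness threshold and all sample values are assumptions made for illustration.

```python
from datetime import date

# Items sections 3.1-3.3 ask a CSIRT to publish, keyed by section heading.
SECTIONS = {
    "3.1 Obtaining the Document": [
        "Date of last update", "Distribution list", "Location of the document"],
    "3.2 Contact Information": [
        "Name of the CSIRT", "Mailing Address", "Time zone", "Telephone number",
        "Facsimile number", "Other telecommunication", "Electronic mail address",
        "Public keys and encryption", "Team members", "Operating Hours",
        "Additional Contact Info"],
    "3.3 Charter": [
        "Mission statement", "Constituency", "Sponsorship / affiliation",
        "Authority"],
}
# Assumption of this example: items a team may leave out without a finding
# (the memo notes that some teams do not publicize member names).
OPTIONAL = {"team members", "other telecommunication", "additional contact info"}
MAX_AGE_DAYS = 365  # assumed threshold for "outdated"; not from the memo


def parse_template(text):
    """Return {lower-cased label: value}; indented lines continue a value."""
    fields, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            current = None
            continue
        if raw[0] in " \t" and current:
            fields[current] = (fields[current] + " " + raw.strip()).strip()
            continue
        label, sep, value = raw.partition(":")
        if sep:
            current = label.strip().lower()
            fields[current] = value.strip()
        else:
            current = None
    return fields


def check_template(text, today, max_age_days=MAX_AGE_DAYS):
    """List missing or empty items and flag a stale 'Date of last update'."""
    fields = parse_template(text)
    findings = []
    for section, labels in SECTIONS.items():
        for label in labels:
            key = label.lower()
            if fields.get(key) or key in OPTIONAL:
                continue
            state = "empty" if key in fields else "missing"
            findings.append(f"{section}: '{label}' is {state}")
    stamp = fields.get("date of last update")
    if stamp:
        try:
            age = (today - date.fromisoformat(stamp)).days
        except ValueError:
            findings.append(f"3.1 Obtaining the Document: date '{stamp}' is not YYYY-MM-DD")
        else:
            if age < 0:
                findings.append("3.1 Obtaining the Document: date of last update is in the future")
            elif age > max_age_days:
                findings.append(f"3.1 Obtaining the Document: last update is {age} days old")
    return findings


# Constructed sample: telephone number left empty, Authority absent, old date.
SAMPLE = """\
Date of last update: 2022-01-15
Distribution list: csirt-announce@example.org
Location of the document: https://csirt.example.org/rfc2350.txt
Name of the CSIRT: Example-CSIRT
Mailing Address: Example University, 1 Example Road,
    Exampleville
Time zone: UTC+12
Telephone number:
Facsimile number: +00 0 000 0001
Electronic mail address: csirt@example.org
Public keys and encryption: PGP key available on request; verify by phone
Operating Hours: 09:00-17:00 Monday to Friday
Mission statement: Handle security incidents for Example University.
Constituency: Staff and students of Example University
Sponsorship / affiliation: Example University IT Services
"""

if __name__ == "__main__":
    for finding in check_template(SAMPLE, date(2024, 6, 1)):
        print(finding)
```

The check covers presence and currency only; whether the retrieved template is authentic still has to be established through its digital signature, as section 2.1 requires.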

3.3.1 Mission Statement

The mission statement should focus on the team's core activities, already stated in the definition of a CSIRT. In order to be considered a Computer Security Incident Response Team, the team must support the reporting of incidents and support its constituency by dealing with incidents.

The goals and purposes of a team are especially important, and require clear, unambiguous definition.

3.3.2 Constituency

A CSIRT's constituency can be determined in any of several ways. For example it could be a company's employees or its paid subscribers, or it could be defined in terms of a technological focus, such as the users of a particular operating system.

The definition of the constituency should create a perimeter around the group to whom the team will provide service. The policy section of the document (see below) should explain how requests from outside this perimeter will be handled.

If a CSIRT decides not to disclose its constituency, it should explain the reasoning behind this decision. For example, for-fee CSIRTs will not list their clients but will declare that they provide a service to a large group of customers that are kept confidential because of the clients' contracts.

Constituencies might overlap, as when an ISP provides a CSIRT which delivers services to customer sites that also have CSIRTs. The Authority section of the CSIRT's description (see below) should make such relationships clear.

3.3.3 Sponsoring Organization / Affiliation

The sponsoring organization, which authorizes the actions of the CSIRT, should be given next. Knowing this will help the users to understand the background and set-up of the CSIRT, and it is vital information for building trust between a constituent and a CSIRT.

3.3.4 Authority

This section will vary greatly from one CSIRT to another, based on the relationship between the team and its constituency. While an organizational CSIRT will be given its authority by the management of the organization, a community CSIRT will be supported and chosen by the community, usually in an advisory role.

A CSIRT may or may not have the authority to intervene in the operation of all of the systems within its perimeter. It should identify the scope of its control as distinct from the perimeter of its constituency. If other CSIRTs operate hierarchically within its perimeter, this should be mentioned here, and the related CSIRTs identified.

Disclosure of a team's authority may expose it to claims of liability. Every team should seek legal advice on these matters. (See section 3.7 for more on liability.)

3.4 Policies

It is critical that Incident Response Teams define their policies. The following sections discuss communication of these policies to the constituent community.

3.4.1 Types of Incidents and Level of Support

The types of incident which the team is able to address, and the level of support which the team will offer when responding to each type of incident, should be summarized here in list form. The Services section (see below) provides the opportunity to give more detailed descriptions, and to address non-incident-related topics.

The level of support may change depending on factors such as the team's workload and the completeness of the information available. Such factors should be outlined and their impact should be explained. As a list of known types of incidents will be incomplete with regard to possible or future incidents, a CSIRT should also give some background on the "default" support for incident types not otherwise mentioned.

The team should state whether it will act on information it receives about vulnerabilities which create opportunities for future incidents. A commitment to act on such information on behalf of its constituency is regarded as an optional proactive service policy rather than a core service requirement for a CSIRT.

3.4.2 Co-operation, Interaction and Disclosure of Information

This section should make explicit which related groups the CSIRT routinely interacts with. Such interactions are not necessarily related to the computer security incident response provided, but are used to facilitate better cooperation on technical topics or services. By no means need details about cooperation agreements be given out; the main objective of this section is to give the constituency a basic understanding of what kind of interactions are established and what their purpose is.

Cooperation between CSIRTs can be facilitated by the use of unique ticket number assignment combined with explicit handoff procedures. This reduces the chance of misunderstandings and duplication of effort, assists in incident tracking, and prevents 'loops' in communication.

The reporting and disclosure policy should make clear who will be the recipients of a CSIRT's report in each circumstance. It should also note whether the team will expect to operate through another CSIRT or directly with a member of another constituency over matters specifically concerning that member.

Related groups a CSIRT will interact with are listed below:

Incident Response Teams: A CSIRT will often need to interact with other CSIRTs. For example a CSIRT within a large company may need to report incidents to a national CSIRT, and a national CSIRT may need to report incidents to national CSIRTs in other countries to deal with all sites involved in a large-scale attack.

Collaboration between CSIRTs may lead to disclosure of information. The following are examples of such disclosure, but are not intended to be an exhaustive list:

- Reporting incidents within the constituency to other teams. If this is done, site-related information may become public knowledge, accessible to everyone, in particular the press.

- Handling incidents occurring within the constituency, but reported from outside it (which implies that some information has already been disclosed off-site).

- Reporting observations from within the constituency indicating suspected or confirmed incidents outside it.

- Acting on reports of incidents from outside the constituency.

- Passing information about vulnerabilities to vendors, to partner CSIRTs or directly to affected sites lying within or outside the constituency.

- Feedback to parties reporting incidents or vulnerabilities.

- The provision of contact information relating to members of the constituency, members of other constituencies, other CSIRTs, or law-enforcement agencies.

Vendors: Some vendors have their own CSIRTs, but some vendors may not. In such cases a CSIRT will need to work directly with a vendor to suggest improvements or modifications, to analyze the technical problem or to test provided solutions. Vendors play a special role in handling an incident if their products' vulnerabilities are involved in the incident.

Law-enforcement agencies: These include the police and other investigative agencies. CSIRTs and users of the template should be sensitive to local laws and regulations, which may vary considerably in different countries. A CSIRT might advise on technical details of attacks or seek advice on the legal implications of an incident. Local laws and regulations may include specific reporting and confidentiality requirements.

Press: A CSIRT may be approached by the press for information and comment from time to time.

An explicit policy concerning disclosure to the press can be helpful, particularly in clarifying the expectations of a CSIRT's constituency. The press policy will have to clarify the same topics as above more specifically, as the constituency will usually be very sensitive to press contacts.

Other: This might include research activities or the relation to the sponsoring organization.

The default status of any and all security-related information which a team receives will usually be 'confidential,' but rigid adherence to this makes the team appear to be an informational 'black hole,' which may reduce the likelihood of the team's obtaining cooperation from clients and from other organizations. The CSIRT's template should define what information it will report or disclose, to whom, and when.

Different teams are likely to be subject to different legal restraints requiring or limiting disclosure, especially if they work in different jurisdictions. In addition, they may have reporting requirements imposed by their sponsoring organization. Each team's template should specify any such constraints, both to clarify users' expectations and to inform other teams.

Conflicts of interest, particularly in commercial matters, may also restrain disclosure by a team; this document does not recommend on how such conflicts should be addressed.

A team will normally collect statistics. If statistical information is distributed, the template's reporting and disclosure policy should say so, and should describe how to obtain such statistics.

3.4.3 Communication and Authentication

You must have a policy which describes methods of secure and verifiable communication that you will use. This is necessary for communication between CSIRTs and between a CSIRT and its constituents. The template should include public keys or pointers to them, including key fingerprints, together with guidelines on how to use this information to check authenticity and how to deal with corrupted information (for example where to report this fact).

At the moment it is recommended that as a minimum every CSIRT have (if possible) a PGP key available. A team may also make other mechanisms available (for example PEM, MOSS, S/MIME), according to its needs and the needs of its constituents. Note however, that CSIRTs and users should be sensitive to local laws and regulations. Some countries do not allow strong encryption, or enforce specific policies on the use of encryption technology. In addition to encrypting sensitive information whenever possible, correspondence should include digital signatures. (Please note that in most countries, the protection of authenticity by using digital signatures is not affected by existing encryption regulations.)

For communication via telephone or facsimile a CSIRT may keep secret authentication data for parties with whom they may deal, such as an agreed password or phrase. Obviously, such secret keys must not be published, though their existence may be.
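
The fingerprint check described in this section, as an added example that is not part of the RFC: it compares the keys in a keyring listing against the KeyID and fingerprint that the fictitious XYZ-CERT publishes in the filled-in template (Appendix E, section 2.8). The listing is a constructed sample in the layout of `gpg --with-colons --fingerprint`, and the function names are hypothetical.

```python
import re

# Published in the fictitious XYZ-CERT description (Appendix E, section 2.8).
PUBLISHED_KEYID = "12345678"
PUBLISHED_FPR = "11 22 33 44 55 66 77 88  88 77 66 55 44 33 22 11"

# Constructed sample in the layout of `gpg --with-colons --fingerprint`:
# two keys share the short KeyID, but only the first has the published fingerprint.
SAMPLE_LISTING = """\
pub:-:1024:1:0A0B0C0D12345678:859852800:::-:::scESC:
fpr:::::::::11223344556677888877665544332211:
uid:-::::859852800::::XYZ-CERT <xyz-cert@xyz-univ.ca>:
pub:-:1024:1:F0E0D0C012345678:859939200:::-:::scESC:
fpr:::::::::99AABBCCDDEEFF0000FFEEDDCCBBAA99:
uid:-::::859939200::::XYZ-CERT <xyz-cert@xyz-univ.ca>:
"""


def normalize_fpr(text):
    """Strip spacing and colons, upper-case, and reject anything shorter than a full fingerprint."""
    fpr = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"(?:[0-9A-F]{32}|[0-9A-F]{40}|[0-9A-F]{64})", fpr):
        raise ValueError("not a complete key fingerprint: %r" % text)
    return fpr


def parse_listing(listing):
    """Return one dict per primary key: key ID (field 5), fingerprint and user IDs (field 10)."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            keys.append({"keyid": f[4].upper(), "fpr": None, "uids": []})
        elif f[0] == "fpr" and len(f) > 9 and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = normalize_fpr(f[9])  # first fpr record belongs to the primary key
        elif f[0] == "uid" and len(f) > 9 and keys:
            keys[-1]["uids"].append(f[9])
    return keys


def classify(listing, published_keyid, published_fpr):
    """Label each key by how it relates to the values published in the template."""
    want_fpr = normalize_fpr(published_fpr)
    want_id = published_keyid.upper()
    verdicts = []
    for key in parse_listing(listing):
        if key["fpr"] == want_fpr:
            verdict = "fingerprint-match"
        elif key["keyid"].endswith(want_id):
            # Same short KeyID and same user ID, but a different key: do not trust it,
            # and report it as the template's guidelines direct.
            verdict = "keyid-only-match"
        else:
            verdict = "unrelated"
        verdicts.append((key["keyid"], verdict))
    return verdicts


if __name__ == "__main__":
    for keyid, verdict in classify(SAMPLE_LISTING, PUBLISHED_KEYID, PUBLISHED_FPR):
        print(keyid, verdict)
```

Only the full fingerprint identifies the key; a matching KeyID or user ID alone is not evidence of authenticity.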

3.5 Services

Services provided by a CSIRT can be roughly divided into two categories: real-time activities directly related to the main task of incident response, and non-real-time proactive activities, supportive of the incident response task. The second category and part of the first category consist of services which are optional in the sense that not all CSIRTs will offer them.

3.5.1 Incident Response

Incident response usually includes assessing incoming reports about incidents ("Incident Triage") and following up on these with other CSIRTs, ISPs and sites ("Incident Coordination"). A third range of services, helping a local site to recover from an incident ("Incident Resolution"), is comprised of typically optional services, which not all CSIRTs will offer.

3.5.1.1 Incident Triage

Incident triage usually includes:

- Report assessment: Interpretation of incoming incident reports, prioritizing them, and relating them to ongoing incidents and trends.

- Verification: Help in determining whether an incident has really occurred, and its scope.

3.5.1.2 Incident Coordination

Incident Coordination normally includes:

- Information categorization: Categorization of the incident related information (logfiles, contact information, etc.) with respect to the information disclosure policy.

- Coordination: Notification of other involved parties on a need-to-know basis, as per the information disclosure policy.

3.5.1.3 Incident Resolution

Usually additional or optional, incident resolution services include:

- Technical Assistance: This may include analysis of compromised systems.

- Eradication: Elimination of the cause of a security incident (the vulnerability exploited), and its effects (for example, continuing access to the system by an intruder).

- Recovery: Aid in restoring affected systems and services to their status before the security incident.

3.5.2. Proactive Activities

Usually additional or optional, proactive services might include:

- Information provision: This might include an archive of known vulnerabilities, patches or resolutions of past problems, or advisory mailing lists.

- Security Tools: This may include tools for auditing a Site's security.

- Education and training

- Product evaluation

- Site security auditing and consulting

3.6 Incident Reporting Forms

The use of reporting forms makes it simpler for both users and teams to deal with incidents. The constituent can prepare answers to various important questions before he or she actually contacts the team, and can therefore come well prepared. The team gets all the necessary information at once with the first report and can proceed efficiently.

Depending on the objectives and services of a particular CSIRT, multiple forms may be used, for example a reporting form for a new vulnerability may be very different from the form used for reporting incidents.

It is most efficient to provide forms through the online information services of the team. The exact pointers to them should be given in the CSIRT description document, together with statements about appropriate use, and guidelines for when and how to use the forms. If separate e-mail addresses are supported for form-based reporting, they should be listed here again.

One example of such a form is the Incident Reporting Form provided by the CERT Coordination Center:

- ftp://info.cert.org/incident_reporting_form

3.7 Disclaimers

Although the CSIRT description document does not constitute a contract, liability may conceivably result from its descriptions of services and purposes. The inclusion of a disclaimer at the end of the template is therefore recommended and should warn the user about possible limitations.

In situations where the original version of a document must be translated into another language, the translation should carry a disclaimer and a pointer to the original. For example:

Although we tried to carefully translate the original document from German into English, we can not be certain that both documents express the same thoughts in the same level of detail and correctness. In all cases, where there is a difference between both versions, the German version will prevail.

The use of and protection by disclaimers is affected by local laws and regulations, of which each CSIRT should be aware. If in doubt the CSIRT should check the disclaimer with a lawyer.

Appendix A: Glossary of Terms

This glossary defines terms used in describing security incidents and Computer Security Incident Response Teams. Only a limited list is included. For more definitions please refer to other sources, for example to the Internet User's Glossary [RFC 1983].

Constituency: Implicit in the purpose of a Computer Security Incident Response Team is the existence of a constituency. This is the group of users, sites, networks or organizations served by the team. The team must be recognized by its constituency in order to be effective.

Security Incident: For the purpose of this document, this term is a synonym of Computer Security Incident: any adverse event which compromises some aspect of computer or network security.

The definition of an incident may vary between organizations, but at least the following categories are generally applicable:

- Loss of confidentiality of information.

- Compromise of integrity of information.

- Denial of service.

- Misuse of service, systems or information.

- Damage to systems.

These are very general categories. For instance the replacement of a system utility program by a Trojan Horse is an example of 'compromise of integrity,' and a successful password attack is an example of 'loss of confidentiality.' Attacks, even if they failed because of proper protection, can be regarded as Incidents.

Within the definition of an incident the word 'compromised' is used. Sometimes an administrator may only 'suspect' an incident. During the response it must be established whether or not an incident has really occurred.

Computer Security Incident Response Team: Based on two of the definitions given above, a CSIRT is a team that coordinates and supports the response to security incidents that involve sites within a defined constituency.

In order to be considered a CSIRT, a team must:

- Provide a (secure) channel for receiving reports about suspected incidents.

- Provide assistance to members of its constituency in handling these incidents.

- Disseminate incident-related information to its constituency and to other involved parties.

Note that we are not referring here to police or other law enforcement bodies which may investigate computer-related crime. CSIRT members, indeed, need not have any powers beyond those of ordinary citizens.

Vendor: A 'vendor' is any entity that produces networking or computing technology, and is responsible for the technical content of that technology. Examples of 'technology' include hardware (desktop computers, routers, switches, etc.), and software (operating systems, mail forwarding systems, etc.).

Note that the supplier of a technology is not necessarily the 'vendor' of that technology. As an example, an Internet Service Provider (ISP) might supply routers to each of its customers, but the 'vendor' is the manufacturer, since the manufacturer, rather than the ISP, is the entity responsible for the technical content of the router.

Vulnerability: A 'vulnerability' is a characteristic of a piece of technology which can be exploited to perpetrate a security incident. For example, if a program unintentionally allowed ordinary users to execute arbitrary operating system commands in privileged mode, this "feature" would be a vulnerability.

Appendix B: Related Material

Important issues in responding to security incidents on a site level are contained in [RFC 2196], the Site Security Handbook, produced by the Site Security Handbook Working Group (SSH). This document will be updated by the SSH working group and will give recommendations for local policies and procedures, mainly related to the avoidance of security incidents.

Other documents of interest for the discussion of CSIRTs and their tasks are available by anonymous FTP. A collection can be found on:

- ftp://ftp.cert.dfn.de/pub/docs/csir/ Please refer to file 01-README for further information about the content of this directory.

Some especially interesting documents in relation to this document are as follows:

- ftp://ftp.nic.surfnet.nl/surfnet/net-security/cert-nl/docs/reports/R-92-01 This report contains the Operational Framework of CERT-NL, the CSIRT of SURFnet (network provider in the Netherlands).

- For readers interested in the operation of FIRST (Forum of Incident Response and Security Teams) more information is collected in Appendix C.

- http://hightop.nrl.navy.mil/news/incident.html This document leads to the NRL Incident Response Manual.

- http://www.cert.dfn.de/eng/team/kpk/certbib.html This document contains an annotated bibliography of available material, documents and files about the operation of CSIRTs with links to many of the referenced items.

- ftp://info.cert.org/incident_reporting_form This Incident Reporting Form is provided by the CERT Coordination Center to gather incident information and to avoid additional delays caused by the need to request more detailed information from the reporting site.

- http://www.cert.org/cert.faqintro.html A collection of frequently asked questions from the CERT Coordination Center.

Appendix C: Known Computer Security Incident Response Teams

Today, there are many different CSIRTs but no single source lists every team. Most of the major and long established teams (the first CSIRT was founded in 1988) are nowadays members of FIRST, the worldwide Forum of Incident Response and Security Teams. At the time of writing, more than 55 teams are members (1 in Australia, 13 in Europe, all others in North America). Information about FIRST can be found:

- http://www.first.org/

The current list of members is available also, with the relevant contact information and some additional information provided by the particular teams:

- http://www.first.org/team-info/

For CSIRTs which want to become members of this forum (please note that a team needs a sponsor - a team which is already a full member of FIRST - to be introduced), the following files contain more information:

- http://www.first.org/about/op_frame.html The Operational Framework of FIRST.

- http://www.first.org/docs/newmem.html Guidelines for teams which want to become members of FIRST.

Many of the European teams, regardless of whether they are members of FIRST or not, are listed by countries on a page maintained by the German CSIRT:

- http://www.cert.dfn.de/eng/csir/europe/certs.html

To learn about existing teams suitable to one's needs it is often helpful to ask either known teams or an Internet Service Provider for the "right" contact.

Appendix D: Outline for CSIRT Template

This outline summarizes in point form the issues addressed in this document, and is the recommended template for a CSIRT description document. Its structure is designed to facilitate the communication of a CSIRT's policies, procedures, and other relevant information to its constituency and to outside organizations such as other CSIRTs. A 'filled-in' example of this template is given as Appendix E.

1. Document Information
   1.1 Date of Last Update
   1.2 Distribution List for Notifications
   1.3 Locations where this Document May Be Found

2. Contact Information
   2.1 Name of the Team
   2.2 Address
   2.3 Time Zone
   2.4 Telephone Number
   2.5 Facsimile Number
   2.6 Other Telecommunication
   2.7 Electronic Mail Address
   2.8 Public Keys and Encryption Information
   2.9 Team Members
   2.10 Other Information
   2.11 Points of Customer Contact

3. Charter
   3.1 Mission Statement
   3.2 Constituency
   3.3 Sponsorship and/or Affiliation
   3.4 Authority

4. Policies
   4.1 Types of Incidents and Level of Support
   4.2 Co-operation, Interaction and Disclosure of Information
   4.3 Communication and Authentication

5. Services
   5.1 Incident Response
      5.1.1. Incident Triage
      5.1.2. Incident Coordination
      5.1.3. Incident Resolution
   5.2 Proactive Activities

6. Incident Reporting Forms

7. Disclaimers
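
One way to check a CSIRT description document against this outline, as an added example that is not part of the RFC: it matches numbered headings by section number and reports sections that are missing, extra, or titled differently. The function names and the sample description are constructed for illustration.

```python
import re

# The Appendix D outline, one "number title" pair per line.
APPENDIX_D = """\
1 Document Information
1.1 Date of Last Update
1.2 Distribution List for Notifications
1.3 Locations where this Document May Be Found
2 Contact Information
2.1 Name of the Team
2.2 Address
2.3 Time Zone
2.4 Telephone Number
2.5 Facsimile Number
2.6 Other Telecommunication
2.7 Electronic Mail Address
2.8 Public Keys and Encryption Information
2.9 Team Members
2.10 Other Information
2.11 Points of Customer Contact
3 Charter
3.1 Mission Statement
3.2 Constituency
3.3 Sponsorship and/or Affiliation
3.4 Authority
4 Policies
4.1 Types of Incidents and Level of Support
4.2 Co-operation, Interaction and Disclosure of Information
4.3 Communication and Authentication
5 Services
5.1 Incident Response
5.1.1 Incident Triage
5.1.2 Incident Coordination
5.1.3 Incident Resolution
5.2 Proactive Activities
6 Incident Reporting Forms
7 Disclaimers
"""

# Heading: dotted section number (1-2 digits per component), then a title that
# starts with a letter, so street numbers and key fingerprints are not headings.
HEADING = re.compile(r"^\s*(\d{1,2}(?:\.\d{1,2})*)\.?\s+([A-Za-z].*?)\s*$")

def headings(text):
    """Return {section number: title} for each numbered heading (first occurrence wins)."""
    found = {}
    for m in filter(None, map(HEADING.match, text.splitlines())):
        found.setdefault(m.group(1), m.group(2))
    return found

def check_description(text):
    """Compare a description document's headings with the Appendix D outline."""
    expected, actual = headings(APPENDIX_D), headings(text)
    norm = lambda s: " ".join(s.lower().split())
    return {
        "missing": [n for n in expected if n not in actual],
        "extra": [n for n in actual if n not in expected],
        "retitled": {n: actual[n] for n in expected
                     if n in actual and norm(actual[n]) != norm(expected[n])},
    }

# Constructed sample description with some sections left out.
SAMPLE = """\
1. About this document
1.1 Date of Last Update
1.2 Distribution List for Notifications
1.3 Locations where this Document May Be Found
1.4 Authenticating this Document
2. Contact Information
2.1 Name of the Team
2.2 Address
    12345 Rue Principale
2.4 Telephone Number
2.5 Facsimile Number
2.7 Electronic Mail Address
2.8 Public Keys and Other Encryption Information
    11 22 33 44 55 66 77 88  88 77 66 55 44 33 22 11
2.9 Team Members
2.10 Other Information
2.11 Points of Customer Contact
3. Charter
3.1 Mission Statement
3.2 Constituency
3.3 Sponsorship and/or Affiliation
3.4 Authority
4. Policies
4.1 Types of Incidents and Level of Support
4.2 Co-operation, Interaction and Disclosure of Information
5. Services
5.1 Incident Response
5.1.1. Incident Triage
5.1.2. Incident Coordination
5.2 Proactive Activities
6. Incident Reporting Forms
"""
```

A missing 4.3 or 2.8 is worth flagging first, since those sections carry the keys and the authentication policy that readers need before they can trust the rest of the document.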

Appendix E: Example - 'filled-in' Template for a CSIRT

Below is an example of a filled-in template for a fictitious CSIRT called XYZ-CSIRT. This text is for example purposes only, and does not constitute endorsement by the working group or the IETF of any particular set of procedures or policies. While CSIRTs are welcome to use any or all of this text if they wish, such use is of course not mandatory, or even appropriate in most cases.

CSIRT Description for XYZ-CERT
-----------------------------
        

1. About this document

1.1 Date of Last Update

This is version 1.01, published 1997/03/31.

1.2 Distribution List for Notifications

Notifications of updates are submitted to our mailing list <xyz-cert-info@xyz-univ.ca>. Subscription requests for this list should be sent to the Majordomo at <xyz-cert-info-request@xyz-univ.ca>; the body of the message should consist of the word "subscribe". Send the word "help" instead if you don't know how to use a Majordomo list manager. This mailing list is moderated.

1.3 Locations where this Document May Be Found

        The current version of this CSIRT description document is
        available from the XYZ-CERT WWW site; its URL is
          http://www.xyz-univ.ca/xyz-cert/english/CSIRT-descr.txt
        A French version of this document is also available:
          http://www.xyz-univ.ca/xyz-cert/francais/CSIRT-descr.txt
        Please make sure you are using the latest version.

1.4 Authenticating this Document

        Both the English and French versions of this document have
        been signed with the XYZ-CERT's PGP key.  The signatures are
        also on our Web site, under:
          http://www.xyz-univ.ca/xyz-cert/english/CSIRT-descr.asc
          http://www.xyz-univ.ca/xyz-cert/francais/CSIRT-descr.asc
        

2. Contact Information

2.1 Name of the Team

"XYZ-CERT": the XYZ University Computer Emergency Response Team.

2.2 Address

        XYZ-CERT
        XYZ University, Computing Services Department
        12345 Rue Principale
        UniversityTown, Quebec
        Canada H0H 0H0

2.3 Time Zone

Canada/Eastern (GMT-0500, and GMT-0400 from April to October)

2.4 Telephone Number

+1 234 567 7890 (ask for the XYZ-CERT)

2.5 Facsimile Number

        +1 234 567 7899  (this is *not* a secure fax)
        

2.6 Other Telecommunication

None available.

2.7 Electronic Mail Address

<xyz-cert@xyz-univ.ca> This is a mail alias that relays mail to the human(s) on duty for the XYZ-CERT.

2.8 Public Keys and Other Encryption Information

        The XYZ-CERT has a PGP key, whose KeyID is 12345678 and
        whose fingerprint is
          11 22 33 44 55 66 77 88  88 77 66 55 44 33 22 11.
        The key and its signatures can be found at the usual large
        public keyservers.
        

Because PGP is still a relatively new technology at XYZ University, this key still has relatively few signatures; efforts are underway to increase the number of links to this key in the PGP "web of trust". In the meantime, since most fellow universities in Quebec have at least one staff member who knows the XYZ-CERT coordinator Zoe Doe, Zoe Doe has signed the XYZ-CERT key, and will be happy to confirm its fingerprint and that of her own key to those people who know her, by telephone or in person.

2.9 Team Members

Zoe Doe of Computing Services is the XYZ-CERT coordinator. Backup coordinators and other team members, along with their areas of expertise and contact information, are listed in the XYZ-CERT web pages, at http://www.xyz-univ.ca/xyz-cert/teamlist.html

Management, liaison and supervision are provided by Steve Tree, Assistant Director (Technical Services), Computing Services.

2.10 Other Information

        General information about the XYZ-CERT, as well as links to
        various recommended security resources, can be found at
          http://www.xyz-univ.ca/xyz-cert/index.html
        

2.11 Points of Customer Contact

The preferred method for contacting the XYZ-CERT is via e-mail at <xyz-cert@xyz-univ.ca>; e-mail sent to this address will "biff" the responsible human, or be automatically forwarded to the appropriate backup person, immediately. If you require urgent assistance, put "urgent" in your subject line.

If it is not possible (or not advisable for security reasons) to use e-mail, the XYZ-CERT can be reached by telephone during regular office hours. Telephone messages are checked less often than e-mail.

The XYZ-CERT's hours of operation are generally restricted to regular business hours (09:00-17:00 Monday to Friday except holidays).

If possible, when submitting your report, use the form mentioned in section 6.

3. Charter

3.1 Mission Statement

The purpose of the XYZ-CERT is, first, to assist members of XYZ University community in implementing proactive measures to reduce the risks of computer security incidents, and second, to assist XYZ community in responding to such incidents when they occur.

3.2 Constituency

The XYZ-CERT's constituency is the XYZ University community, as defined in the context of the "XYZ University Policy on Computing Facilities". This policy is available at http://www-compserv.xyz-univ.ca/policies/pcf.html

However, please note that, notwithstanding the above, XYZ-CERT services will be provided for on-site systems only.

3.3 Sponsorship and/or Affiliation

The XYZ-CERT is sponsored by the ACME Canadian Research Network. It maintains affiliations with various University CSIRTs throughout Canada and the USA on an as needed basis.

3.4 Authority

The XYZ-CERT operates under the auspices of, and with authority delegated by, the Department of Computing Services of XYZ University. For further information on the mandate and authority of the Department of Computing Services, please refer to the XYZ University "Policy on Computing Facilities", available at http://www-compserv.xyz-univ.ca/policies/pcf.html

The XYZ-CERT expects to work cooperatively with system administrators and users at XYZ University, and, insofar as possible, to avoid authoritarian relationships. However, should circumstances warrant it, the XYZ-CERT will appeal to Computing Services to exert its authority, direct or indirect, as necessary. All members of the XYZ-CERT are members of the CCSA (Committee of Computer Systems Administrators), and have all of the powers and responsibilities assigned to Systems Administrators by the Policy on Computing Facilities, or are members of University management.

Members of the XYZ University community who wish to appeal the actions of the XYZ-CERT should contact the Assistant Director (Technical Services), Computing Services. If this recourse is not satisfactory, the matter may be referred to the Director of Computing Services (in the case of perceived problems with existing policy), or to the XYZ University Office of Rights and Responsibilities (in the case of perceived errors in the application of existing policy).

4. Policies

4.1 Types of Incidents and Level of Support

The XYZ-CERT is authorized to address all types of computer security incidents which occur, or threaten to occur, at XYZ University.

The level of support given by XYZ-CERT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the XYZ-CERT's resources at the time, though in all cases some response will be made within one working day. Resources will be assigned according to the following priorities, listed in decreasing order:

- Threats to the physical safety of human beings.
- Root or system-level attacks on any Management Information System, or any part of the backbone network infrastructure.
- Root or system-level attacks on any large public service machine, either multi-user or dedicated-purpose.
- Compromise of restricted confidential service accounts or software installations, in particular those used for MIS applications containing confidential data, or those used for system administration.
- Denial of service attacks on any of the above three items.
- Any of the above at other sites, originating from XYZ University.
- Large-scale attacks of any kind, e.g. sniffing attacks, IRC "social engineering" attacks, password cracking attacks.
- Threats, harassment, and other criminal offenses involving individual user accounts.
- Compromise of individual user accounts on multi-user systems.
- Compromise of desktop systems.
- Forgery and misrepresentation, and other security-related violations of local rules and regulations, e.g. netnews and e-mail forgery, unauthorized use of IRC bots.
- Denial of service on individual user accounts, e.g. mailbombing.

Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent.

Note that no direct support will be given to end users; they are expected to contact their system administrator, network administrator, or department head for assistance. The XYZ-CERT will support the latter people.

While the XYZ-CERT understands that there exists great variation in the level of system administrator expertise at XYZ University, and while the XYZ-CERT will endeavor to present information and assistance at a level appropriate to each person, the XYZ-CERT cannot train system administrators on the fly, and it cannot perform system maintenance on their behalf. In most cases, the XYZ-CERT will provide pointers to the information needed to implement appropriate measures.

The XYZ-CERT is committed to keeping the XYZ University system administration community informed of potential vulnerabilities, and where possible, will inform this community of such vulnerabilities before they are actively exploited.

4.2 Co-operation, Interaction and Disclosure of Information

While there are legal and ethical restrictions on the flow of information from XYZ-CERT, many of which are also outlined in the XYZ University Policy on Computing Facilities, and all of which will be respected, the XYZ-CERT acknowledges its indebtedness to, and declares its intention to contribute to, the spirit of cooperation that created the Internet. Therefore, while appropriate measures will be taken to protect the identity of members of our constituency and members of neighbouring sites where necessary, the XYZ-CERT will otherwise share information freely when this will assist others in resolving or preventing security incidents.

In the paragraphs below, "affected parties" refers to the legitimate owners, operators, and users of the relevant computing facilities. It does not refer to unauthorized users, including otherwise authorized users making unauthorized use of a facility; such intruders may have no expectation of confidentiality from the XYZ-CERT. They may or may not have legal rights to confidentiality; such rights will of course be respected where they exist.

Information being considered for release will be classified as follows:

- Private user information is information about particular users, or in some cases, particular applications, which must be considered confidential for legal, contractual, and/or ethical reasons.

Private user information will not be released in identifiable form outside the XYZ-CERT, except as provided for below. If the identity of the user is disguised, then the information can be released freely (for example to show a sample .cshrc file as modified by an intruder, or to demonstrate a particular social engineering attack).

- Intruder information is similar to private user information, but concerns intruders.

While intruder information, and in particular identifying information, will not be released to the public (unless it becomes a matter of public record, for example because criminal charges have been laid), it will be exchanged freely with system administrators and CSIRTs tracking an incident.

- Private site information is technical information about particular systems or sites.

It will not be released without the permission of the site in question, except as provided for below.

- Vulnerability information is technical information about vulnerabilities or attacks, including fixes and workarounds.

Vulnerability information will be released freely, though every effort will be made to inform the relevant vendor before the general public is informed.

- Embarrassing information includes the statement that an incident has occurred, and information about its extent or severity. Embarrassing information may concern a site or a particular user or group of users.

Embarrassing information will not be released without the permission of the site or users in question, except as provided for below.

- Statistical information is embarrassing information with the identifying information stripped off.

Statistical information will be released at the discretion of the Computing Services Department.

- Contact information explains how to reach system administrators and CSIRTs.

Contact information will be released freely, except where the contact person or entity has requested that this not be the case, or where XYZ-CERT has reason to believe that the dissemination of this information would not be appreciated.

Potential recipients of information from the XYZ-CERT will be classified as follows:

- Because of the nature of their responsibilities and consequent expectations of confidentiality, members of XYZ University management are entitled to receive whatever information is necessary to facilitate the handling of computer security incidents which occur in their jurisdictions.

- Members of the Office of Rights and Responsibilities are entitled to receive whatever information they request concerning a computer security incident or related matter which has been referred to them for resolution. The same is true for the XYZ Security Department, when its assistance in an investigation has been enlisted, or when the investigation has been instigated at its request.

- System administrators at XYZ University who are members of the CCSA are also, by virtue of their responsibilities, trusted with confidential information. However, unless such people are also members of XYZ-CERT, they will be given only that confidential information which they must have in order to assist with an investigation, or in order to secure their own systems.

- Users at XYZ University are entitled to information which pertains to the security of their own computer accounts, even if this means revealing "intruder information", or "embarrassing information" about another user. For example, if account aaaa is cracked and the intruder attacks account bbbb, user bbbb is entitled to know that aaaa was cracked, and how the attack on the bbbb account was executed. User bbbb is also entitled, if she or he requests it, to information about account aaaa which might enable bbbb to investigate the attack. For example, if bbbb was attacked by someone remotely connected to aaaa, bbbb should be told the provenance of the connections to aaaa, even though this information would ordinarily be considered private to aaaa. Users at XYZ University are entitled to be notified if their account is believed to have been compromised.

- The XYZ University community will receive no restricted information, except where the affected parties have given permission for the information to be disseminated. Statistical information may be made available to the general XYZ community. There is no obligation on the part of the XYZ-CERT to report incidents to the community, though it may choose to do so; in particular, it is likely that the XYZ-CERT will inform all affected parties of the ways in which they were affected, or will encourage the affected site to do so.

- The public at large will receive no restricted information. In fact, no particular effort will be made to communicate with the public at large, though the XYZ-CERT recognizes that, for all intents and purposes, information made available to the XYZ University community is in effect made available to the community at large, and will tailor the information in consequence.

- The computer security community will be treated the same way the general public is treated. While members of XYZ-CERT may participate in discussions within the computer security community, such as newsgroups, mailing lists (including the full-disclosure list "bugtraq"), and conferences, they will treat such forums as though they were the public at large. While technical issues (including vulnerabilities) may be discussed to any level of detail, any examples taken from XYZ-CERT experience will be disguised to avoid identifying the affected parties.

- The press will also be considered as part of the general public. The XYZ-CERT will not interact directly with the Press concerning computer security incidents, except to point them toward information already released to the general public. If necessary, information will be provided to the XYZ University Public Relations Department, and to the Customer Relations group of the Computing Services Department. All incident-related queries will be referred to these two bodies. The above does not affect the ability of members of XYZ-CERT to grant interviews on general computer security topics; in fact, they are encouraged to do so, as a public service to the community.

- Other sites and CSIRTs, when they are partners in the investigation of a computer security incident, will in some cases be trusted with confidential information. This will happen only if the foreign site's bona fide can be verified, and the information transmitted will be limited to that which is likely to be helpful in resolving the incident. Such information sharing is most likely to happen in the case of sites well known to XYZ-CERT (for example, several other Quebec universities have informal but well-established working relationships with XYZ University in such matters).

For the purposes of resolving a security incident, otherwise semi-private but relatively harmless user information such as the provenance of connections to user accounts will not be considered highly sensitive, and can be transmitted to a foreign site without excessive precautions. "Intruder information" will be transmitted freely to other system administrators and CSIRTs. "Embarrassing information" can be transmitted when there is reasonable assurance that it will remain confidential, and when it is necessary to resolve an incident.

- Vendors will be considered as foreign CSIRTs for most intents and purposes. The XYZ-CERT wishes to encourage vendors of all kinds of networking and computer equipment, software, and services to improve the security of their products. In aid of this, a vulnerability discovered in such a product will be reported to its vendor, along with all technical details needed to identify and fix the problem. Identifying details will not be given to the vendor without the permission of the affected parties.

- Law enforcement officers will receive full cooperation from the XYZ-CERT, including any information they require to pursue an investigation, in accordance with the Policy on Computing Facilities.

4.3 Communication and Authentication

In view of the types of information that the XYZ-CERT will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

Where it is necessary to establish trust, for example before relying on information given to the XYZ-CERT, or before disclosing confidential information, the identity and bona fide of the other party will be ascertained to a reasonable degree of trust. Within XYZ University, and with known neighbor sites, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, etc, along with telephone call-back or e-mail mail-back to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (PGP in particular is supported).

5. Services

5.1 Incident Response

XYZ-CERT will assist system administrators in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1 Incident Triage

- Investigating whether indeed an incident occurred.
- Determining the extent of the incident.

5.1.2 Incident Coordination

- Determining the initial cause of the incident (vulnerability exploited).
- Facilitating contact with other sites which may be involved.
- Facilitating contact with XYZ University Security and/or appropriate law enforcement officials, if necessary.
- Making reports to other CSIRTs.
- Composing announcements to users, if applicable.

5.1.3 Incident Resolution

- Removing the vulnerability.
- Securing the system from the effects of the incident.
- Evaluating whether certain actions are likely to reap results in proportion to their cost and risk, in particular those actions aimed at an eventual prosecution or disciplinary action: collection of evidence after the fact, observation of an incident in progress, setting traps for intruders, etc.
- Collecting evidence where criminal prosecution, or University disciplinary action, is contemplated.

In addition, XYZ-CERT will collect statistics concerning incidents which occur within or involve the XYZ University community, and will notify the community as necessary to assist it in protecting against known attacks.

To make use of XYZ-CERT's incident response services, please send e-mail as per section 2.11 above. Please remember that the amount of assistance available will vary according to the parameters described in section 4.1.

5.2 Proactive Activities

The XYZ-CERT coordinates and maintains the following services to the extent possible depending on its resources:

- Information services
  - List of departmental security contacts, administrative and technical. These lists will be available to the general public, via commonly-available channels such as the World Wide Web and/or the Domain Name Service.
  - Mailing lists to inform security contacts of new information relevant to their computing environments. These lists will be available only to XYZ University system administrators.
  - Repository of vendor-provided and other security-related patches for various operating systems. This repository will be available to the general public wherever license restrictions allow it, and will be provided via commonly-available channels such as the World Wide Web and/or ftp.
  - Repository of security tools and documentation for use by sysadmins. Where possible, precompiled ready-to-install versions will be supplied. These will be supplied to the general public via www or ftp as above.
  - "Clipping" service for various existing resources, such as major mailing lists and newsgroups. The resulting clippings will be made available either on the restricted mailing list or on the web site, depending on their sensitivity and urgency.
- Training services
  - Members of the XYZ-CERT will give periodic seminars on computer security related topics; these seminars will be open to XYZ University system administrators.
- Auditing services
  - Central file integrity checking service for Unix machines, and for any other platforms capable of running "tripwire".
  - Security level assignments; machines and subnetworks at XYZ University will be audited and assigned a security level. This security level information will be available to the XYZ University community, to facilitate the setting of appropriate access privileges. However, details of the security analyses will be confidential, and available only to the concerned parties.
- Archiving services
  - Central logging service for machines capable of Unix-style remote logging. Incoming log entries will be watched by an automated log analysis program, and events or trends indicative of a potential security problem will be reported to the affected system administrators.
  - Records of security incidents handled will be kept. While the records will remain confidential, periodic statistical reports will be made available to the XYZ University community.

Detailed descriptions of the above services, along with instructions for joining mailing lists, downloading information, or participating in certain services such as the central logging and file integrity checking services, are available on the XYZ-CERT web site, as per section 2.10 above.

6. Incident Reporting Forms

There are no local forms developed yet for reporting incidents to XYZ-CERT. If possible, please make use of the Incident Reporting Form of the CERT Coordination Center (Pittsburgh, PA). The current version is available from: ftp://info.cert.org/incident_reporting_form

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, XYZ-CERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.

4 Acknowledgements

The editors gratefully acknowledge the contributed material and editorial scrutiny of Anne Bennett. Thanks also to Don Stikvoort for assistance reworking the description of Incident Response Team services.

5 References

[RFC 2196] Fraser, B., "Site Security Handbook", FYI 8, RFC 2196, September 1997.

[RFC 1983] Malkin, G., "Internet Users' Glossary", FYI 18, RFC 1983, August 1996.

6 Security Considerations

This document discusses the operation of Computer Security Incident Response Teams, and the teams' interactions with their constituencies and with other organizations. It is, therefore, not directly concerned with the security of protocols, applications, or network systems themselves. It is not even concerned with particular responses and reactions to security incidents, but only with the appropriate description of the responses provided by CSIRTs.

Nonetheless, it is vital that the CSIRTs themselves operate securely, which means that they must establish secure communication channels with other teams, and with members of their constituency. They must also secure their own systems and infrastructure, to protect the interests of their constituency and to maintain the confidentiality of the identity of victims and reporters of security incidents.

7 Authors' Addresses

Nevil Brownlee
ITSS Technology Development
The University of Auckland

   Phone: +64 9 373 7599 x8941
   EMail: n.brownlee@auckland.ac.nz

Erik Guttman
Sun Microsystems, Inc.
Bahnstr. 2
74915 Waibstadt
Germany

   Phone: +49 7263 911484
   EMail: Erik.Guttman@sun.com

8 Full Copyright Statement

Copyright (C) The Internet Society (1998). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
