|
"Cyber defenders, ever vigilant, ever responsive." -Marjorie Gilbert, 2003
The nsp-security [NSP-SEC] forum is a volunteer incident response mailing list, which coordinates the interaction between ISPs and NSPs in near real-time and tracks exploits and compromised systems as well as mitigates the effects of those exploits on ISP networks. The list has helped mitigate attacks and will continue to do so.
Step one is to insure you meet the qualifications for NSP-SEC. Some common questions to ask yourself are:
� Do you work for some type of IP transit provider, huge multi-homed content provider, or service provider?
� Does your job include Operational Security?
� Are you willing to offer free services, data, forensic, and other monitoring data to the NSP community?
� Do you have authorization to actively mitigate incidents in your network? Do you actually log into a router and do something to mitigate an attack or call someone to task them to do the work?
� Do you have the time for a real-time NSP mitigation forum?
If yes, then you might fit the expectations to be on the NSP-SEC Mitigation or Discussion Forums.
NSP-SEC PARTICIPATION EXPECTATIONS
NSP-SEC is a forum to get work done in the service of the community. As such, realistic expectations are placed on the NSP-SEC membership. These expectations are periodically reviewed by the NSP-SEC moderators to ensure that an individual�s community membership is relevant, productive, and adds value to the mission of NSP-SEC. These expectations, which have evolved through active membership feedback include:
� All posts to NSP-SEC must have an organizational affiliation via either a corporate email address that is identifable as an ISP/NSP, or via a signature that includes your organizational affiliation or ASN.
� Lurking and learning does not contribute to the community � there are other forums for that. Silence often indicates that people are not handling the information provided by the NSP-SEC community or that the information provided is of little relevence to the member. Acknowledgements of action � whether publicly on the mailing list or privately to the people involved � provides members of the community an indication that contributions are being made. Recognizing specific national laws, regulations, and/or corporate policies may prevent some members from posting on the public NSP-SEC alias; these limitations do not prevent private mitigation correspondence.
� Taking information provided on the NSP-SEC forums and using it for commercial gain is not allowed. It is a violation of trust to the community.
� NSP-SEC�s consultation on procedures, policies, tools, mitigation techniques, and other proactive activities take place on the discussion alias � NSP-SEC-DISCUSS. It is natural on-line human behavior to digress into a dialog. This is encouraged and discussions of this nature are expected to move from NSP-SEC to NSP-SEC-DISCUSS.
� NSP-SEC is built on trust. Therefore, reposting NSP-SEC communications to individuals inside or outside your organization is a violation of that trust. NSP-SEC members should have the span of control to take action on the information from an NSP-SEC correspondence without widely posting the information inside their organization. If forwarding inside the organization is required, permission of the posters must be sought.
� NSP-SEC postings must not be CCed or BCCed to any other forum. Internal dialog must be re-crafted for internal use as mentioned in previous guildelines.
NSP-SEC APPLICATION EXPECTATIONS
Membership in NSP-SEC is restricted to those actively involved in the mitigation of NSP security incidents within organizations in the IP transit, content, and service provider community. Therefore, it will be limited to operators, vendors, researchers, and people in the FIRST community working to stop NSP security incidents. That means no press and (hopefully) none of the "bad guys." It also means that engineers who do not directly work in the core transit/content provider network do not fit the purview of NSP-SEC and should look for other forums (i.e. like www.dshield.org, www.it-isac.org, www.wwisac.com, www.mynetwatchman.com, and www.ncs.gov/ncc/).
NSP-SEC is not a community for lurkers who wish to "learn more about NSP security." Individuals who are part of the NSP attack mitigation community at times create whitepapers, presentations, and training materials to educate the larger community. Much of this material will be presented to NANOG (http://www.nanog.org) and other NSP operations forums (RIPE, APRICOT, and AFNOG, etc.). A set of links below offers help for those looking to learn more about the tools, techniques, and training used by the NSP-SEC community.
NSP-SEC will use a simple trust/peering relationship. This model is not as "secure" as an encrypted conversation, yet it is better than a wide-open public dialog. All applications must be accompanied by at least two existing members who will �vouch� for the new applicant. We will establish the trust by asking members of the list to vouch for new subscriber requests. If the list administrators know the person, then they can vouch for them.
Yes, we have had similar "security" lists in the past. What we are trying with this one is to have it connected with face-to-face meetings at various operations conferences. These meetings will initially be entitled "ISP Security BOF", and held at the NANOG. Like NANOG's Peering BOF, the ISP Security BOF is a facilitation tool; bring together people living with the daily pain of NSP/ISP security incidents. The hope is the combination of face-to-face and a private e-mail list will help the community better handle Internet security events.
No information presented in this list is allowed to be forwarded or shared outside the NSP-SEC community without specific permission from the poster. It is expected that members strictly adhere to this policy to ensure list confidentiality.
NSP-SEC APPLICATION FOR MEMBERSHIP INSTRUCTIONS
Step one is to insure you meet the qualifications for NSP-SEC. Some common questions to ask yourself are:
� Do you work for some type of IP transit provider, content provider, or service provider?
� Does your job include Operational Security?
� Are you willing to offer free services, data, forensic, and other monitoring data to the NSP community?
� Do you have authorization to actively mitigate incidents in your network? Do you actually log into a router and do something to mitigate an attack or call someone to task them to do the work?
� Do you have the time for a real-time NSP mitigation forum?
If you'd like to be considered for membership, please provide the following information via email to: nsp-security-owner@puck.nether.net
Name:
E-mail:
DayPhone:
24hrPhone:
Best Chat to Use:
Company/Employer:
ASNs Responsible for:
JobDesc:
Internet security references (names & emails):
PGP Key Location:
For Job Description � be as detailed and descriptive as possible. After sending the above form via email go to the section below and issue a "subscription" request via the form.
NEW MEMBERS
When a new member requests membership and provides his/her "bio" (as above), once the moderators decide that the potential member has passed their initial review, that person's bio will be sent to the full list. All applications must be accompanied by at least two existing members who will "vouch" for the new applicant (at least one of which must come from outside the same organization). Any existing member will have 48 hours to send reservations about that potential member to the moderators. The moderators promise to review in depth any facts that are raised in regards to any potential new member. The final decision will be left up to moderator discretion based on member input.
RESERVATIONS AND REBUTTAL
Any reservation about an existing member that is sent privately to the -owner list will have all identifying aspects stripped out of the email and forwarded to the potential rejectee for rebuttal. That person will have 72 hours to send a rebuttal before a decision is taken. The moderators of the NSP-SEC list will attempt to take all matters into consideration before rendering a decision.
REMOVAL
A majority of the moderators will be required to remove an existing member or to override a new potential member�s candidacy for the list.
NSP-SEC REVETTING
The NSP-SEC Moderators will periodically review the membership and select some members for revetting. This is required to ensure that all members of the list continue to fit the charter characteristics. Both employment and the charter can change over time - this mechanism allows the list to remain true to its charter.
The revetting process occurs in three steps:
1.The member selected for revetting will be asked to update their information, and submit it to the NSP-SEC Administrators.
2.Should the member continue to meet the required characteristics for NSP-SEC membership, the members information will be sent to the list for revetting.
3.At least two members of the list must re-approve membership. At least one of the approvers must be from a different company than the member who is being revetted. In addition, other members selected for revetting during the same cycle may not approve each other.
Note that not meeting the requirements of each step will result in removal from the NSPSec mailing list. Those so removed may reapply through the normal method, although the two-company approval requirements will continue to apply.
To see the collection of prior postings to the list,
visit the nsp-security
Archives.
(The current archive is only available to the list
members.)
|
