Air Force Computer Emergency Response Team

MISSION

The Air Force Computer Emergency Response Team is the single point of contact in the Air Force for the reporting and handling of all computer security incidents and vulnerabilities.

The AFCERT's primary responsibility is the coordination of Air Force Information Warfare Center technical resources to assess, analyze and assist in the handling of computer security incidents and vulnerabilities.

HISTORY

The AFCERT was created in 1993 in order to address known vulnerabilities inherent in computer networks. The AFCERT was self-initiated by the Air Force Information Warfare Center, and has grown from three people to over 60.

The AFCERT has computer scientists, computer analysts, engineers, programmers, intelligence operators, database experts, display experts and a representative from the Air Force Office of Special Investigations. It is now at the forefront of information protection.

FUNCTIONS

The AFCERT has three major functions:

1 ON-LINE SURVEYS

On-Line Surveys are automated and manual tools that test Air Force systems for known computer security vulnerabilities, measure system administrator detection and reporting capabilities, and exercise protection capability.

2 AUTOMATED SECURITY INCIDENT MEASUREMENT

Automated Security Incident Measurement (ASIM) is a computer program that supports Air Force computer security incident detection, provides early warning of attack, quantifies unauthorized network activity and exercises detection capability.

3 INCIDENT RESPONSE

Incident Response is the process the AFCERT uses to address or handle unauthorized activities on Air Force Networks. IR can be broken down into six steps: detection, notification, verification, isolation and containment, criminal investigation and recovery.

1) Detection:
Incidents are detected either through ASIM or through Air Force personnel detecting possible intrusions on their own.

2) Notification:
The AFCERT is notified of a possible incident either through the ASIM or through Air Force personnel contacting the AFCERT.

3) Verification:
The AFCERT contacts the affected base's Computer Systems Security Officer (CSSO) and requests that he or she verify whether the activity was authorized.

4) Isolation and Containment:
The compromised system is moved into an environment that allows investigators to observe an unauthorized intruder but limits his or her actions.

5) Criminal Investigation:
The Air Force Office of Special Investigations is responsible for investigating all verified computer security incidents. The AFCERT will assist them in their evidence collection, but the AFCERT's role is resource protection, not law enforcement.

6) Recovery:
The commander of the compromised system determines when the system is recovered based on his or her mission needs. The system administrator is responsible for the recovery, but the AFCERT will assist him or her if requested.