Report an Incident
Please use this text form to report a computer security incident to us. Everyone is encouraged to report incidents. The instructions for completing the form are provided in the introduction to the form, and are summarized in the guidelines below. Once completed, if possible please use PGP to sign and (preferably) encrypt the form and e-mail it to us at
. Alternatively, the form can be faxed to +1 613 230 4933. Additional information on contacting us is provided at Contact CanCERT™.
Incident Reporting Guidelines
These guidelines were originally derived from the Incident Reporting Guidelines produced by the Computer Emergency Response Team Coordination Center (CERT/CC). The CERT/CC is part of the Software Engineering Institute, operated by Carnegie Mellon University. CERT is registered in the U.S. Patent and Trademark Office.
What Should I Include in an Incident Report?
The basic information needed by CanCERT™ when reporting an incident is summarized below. Please see the detailed Incident Reporting Form for additional completion guidelines and details:
- Information on how to contact you. We ask that you provide telephone and fax numbers in addition to e-mail.
- A summary of the hosts involved in the incident.
- Your time zone and the accuracy of your clock. This information is important in trying to co-ordinate incident response among sites that may be located all over the world.
- A sufficiently detailed description of the activity you are reporting. It should be noted that the other sites you are reporting incidents to may have more or less experience with computer security, so please be clear in reporting the activity.
- Extracts from system logs showing the suspicious activity.
- Any restrictions on information disclosure beyond those already covered in the Incident Reporting Form.
- What you want CanCERT™ to do. The incident response assistance that you request from CanCERT™ depends on the level of incident response expertise available at your site. Some typical assistance request scenarios include:
  - No additional assistance required (we are reporting the incident as part of our responsibilities as good netizens).
  - We do not know how to go about contacting the other sites involved and need assistance coordinating the resolution of this incident.
  - We have advised everyone else involved, but now how do we recover from this?
  - Help, we have been compromised and have no idea what to do!
In general, we ask that reporting sites who are confident in their incident handling capabilities go ahead and contact the other sites involved in the incident activity directly, with 'Cc:' copies to us at .
While copying CanCERT™ on your e-mail may not directly help you resolve the incident, it does help us identify connections between incidents and understand the scope of intruder activity. Normally, when an incident is initially reported to us, it will be assigned a CanCERT™ incident reference number. Where we have assigned a number to an incident, we would appreciate you including our incident number in the subject line of any further correspondence relating to the incident.
When Should I Report an Incident?
Preferably you should report an incident as soon as it is discovered, as information that assists in tracking down an attacker tends to fade quickly with time (log files roll over, etc.). Nonetheless, even if the incident is somewhat dated we encourage you to report it in case other sites may have been involved and are unaware.
Why Should I Report an Incident?
There are several reasons to report an incident to CanCERT™. These include:
- We can provide some limited technical assistance as to what you should do in the case of an incident.
- We may be able to correlate activities at your site with activities at other sites.
- Your data will help us collect, analyze and report statistics on Canadian incidents, an area in which very little has previously been done in Canada.
- We will let other sites know that they may have been the source, intermediary or target of an attack, as they are often unaware.
- It is part of being a responsible 'netizen', and supporting the Internet community.
Who Should I Report an Incident To?
To determine whom you should report an incident to, you should consult your own security policies and procedures. In cases where procedures do not explicitly identify who you should report incidents to, you should consult with your management. Some typical incident reporting contacts include:
- Your local system administrator, network administrator or department IT security officer.
- Your parent representative Incident Response Team (IRT). This could be a company, university or organization IRT, or it could be CanCERT™ if you are part of our constituency. The Forum of Incident Response and Security Teams (FIRST) is a consortium of security incident response teams from government, commercial, and academic organizations. To determine if your site is represented by a member of FIRST, you may want to review the list of FIRST teams which includes e-mail addresses, telephone numbers, and brief descriptions of each team's constituency. More information about FIRST can be found on their web site at FIRST.
- Other sites involved in the incident. This can be done directly by you, or via CanCERT™ or your parent IRT (at your discretion). If you need assistance in obtaining contact information for the sites involved, feel free to contact us as we have a number of contacts throughout the IRT and Internet Service Provider communities. If you choose to contact other sites yourself, we would appreciate being 'Cc:' on the messages.
- Optionally, Law Enforcement Agencies may be contacted if you believe the seriousness warrants it. You should probably discuss this with management and your legal counsel first. It should be noted that the expense of prosecution in terms of dollars and time is significant, and can impact how long it takes to return a system to service (e.g., in order to maintain the chain of custody).
- Optionally, send information copies to CERT/CC, which collects security incident statistics for the Internet as a whole.