CanCERT(TM) Incident Reporting Form
Version 2.3
20 January, 2004

The following form is provided to gather information on computer security incidents within Canadian government, businesses and academic institutions. If you believe you are involved in an incident, we would appreciate your completing the form below in as much detail as possible. Feel free to duplicate any section as required, and return this form by e-mail to:

    cancert@cancert.ca

If you are unable or do not wish to e-mail this form, please send it by FAX to:

    +1 613 230 4933

If you do not know what to do about an incident, by providing us the information outlined in this reporting form, we can offer some assistance in getting you started in the right direction. While the extent of the 'free' support that CanCERT can provide is limited, there are a number of reasons to report incidents to CanCERT, including:

a. we can provide basic technical assistance on what to do;
b. we may be able to correlate activities at your site with activities at other sites;
c. your data will help us collect, analyze and report statistics on Canadian incidents;
d. to let other sites know that they may have been the source, intermediary or target of an attack (often they are unaware); and
e. it is part of being a responsible 'netizen'.

CanCERT(TM) policy is to keep any information specific to your site confidential unless we receive your permission to release that information.

Please duplicate any section as required to include multiple contacts or hosts.

1.0 Your Contact Information
============================
1.1 Name:
1.2 Email Address:
1.3 Country:
1.4 Contact's Timezone:
1.5 Telephone Number:
1.6 Fax Number:
1.7 Mobile Number:
1.8 Pager Number:
1.9 Organization Name:
1.10 Organization Sector:
     (Small Business
      Home User
      Agriculture/Food
      Electrical
      Emergency Services
      Energy (oil, gas)
      Financial
      Government
      Health
      Information Technology
      Law Enforcement
      Manufacturing
      Retail
      Telecommunications
      Transportation
      Water
      Other: )
1.11 CanCERT(TM) Member (y/n):
1.12 CATA Member (y/n):

2.0 Other Sites Or Incident Response Teams That Have Been Notified
==================================================================
2.1 Name:
2.2 Organization Name:
2.3 Why Notified (e.g. involved in incident, IRT):
2.4 Email Address:
2.5 Telephone Number:

3.0 Target or Infected Host Information
=======================================
3.1 Hostname(s) and IP address(es):
3.2 System Function (e.g. web server, mail server, desktop):
3.3 Operating System:
3.4 Applications involved with this incident:

4.0 Source Host Information
===========================
4.1 Hostname(s) and IP address(es):
4.2 Other Information:

5.0 Incident Information
========================
5.1 Date and Time:
5.2 Incident Timezone:
5.3 Your Incident Tracking Number:
5.4 Incident Type:
    (Host Scanning (e.g. Ping Sweep)
     Port / Service Scanning
     Buffer Overflow Attempt
     Unauthorized Login Attempt
     Other Access Attempt
     Denial of Service
     Malicious Software (e.g. Worms, Trojans or Virus)
     Web Defacement
     Other)
5.5 Description of Incident:
5.6 Incident Impact:
5.7 Sample System Audit Logs:
5.8 Assistance Requested:

ACKNOWLEDGMENTS
===============
This form has been derived from the Incident Reporting Form produced by the Computer Emergency Response Team Coordination Center (CERT/CC). The CERT* Coordination Center is part of the Software Engineering Institute, operated by Carnegie Mellon University for the U.S. Department of Defense.

*CERT is registered in U.S. Patent and Trademark Office

Copyright 2004 by CanCERT