WHAT IS THE SSASRT?

SSA’s Security response team is tasked with responding to incidents involving computer systems, Internet and Intranet servers and Local Area Network Servers (LANs). These incidents or attacks may involve:

• malicious code (virus, worm or Trojan horse), Email bombardment (also called SPAMMING),
• a stranger’s attempt to learn your PIN and/or PASSWORD under false pretexts, e.g. representing themselves as a network troubleshooter (also called SOCIAL ENGINEERING),
• unauthorized change in your system configuration or discovery of an unknown ‘hidden file’.

Any of these examples or any other network incident that may indicate suspect activity, could lead to a denial of service to SSA systems for SSA employees or the public at large or disclosure/compromise of critical SSA assets. Anyone who attempts to tamper with government systems is committing a criminal offense, which is prosecutable under Federal law.

With the advent of the INTERNET and escalating hacker activity nationwide, the threat of compromise or damage to computer systems has grown exponentially over the last few years. The SSA network infrastructure is essential to timely delivery of critical SSA services. Because of this the Agency strives to prevent any compromise or damage to our systems, whether through inadvertent disclosure or modification or loss of information.

SSA has long had reporting procedures for various incidents in place and other related processes such as our INTERNET operations. The SSASRT has been formed to better address the newer dynamic threats against our electronic systems and to assist the work force with handling systems incidents by centralizing this activity in one functional unit.

A more formalized incident response team can better respond to incidents and make sure that the broad range of issues which arise are fully coordinated. It also ensures that SSA executives receive a comprehensive assessment of impact on SSA as fast as possible.

The SSASRT is comprised of security staff, systems personnel and Office of the Inspector General representatives. These individuals are technical consultants for their area of expertise.

PROCEDURES FOR REPORTING A SYSTEMS INCIDENT
(This procedure supercedes the previous VIRUS reporting procedure.)

Notify your Manager or Site/LAN Coordinator/Administrator immediately. They will notify the appropriate security officer and ensure a report is filed.

IF THEY ARE NOT AVAILABLE, IMMEDIATELY REPORT THE INCIDENT DIRECTLY TO THE SSASRT AT THE NATIONAL NETWORK SERVICE CENTER NUMBER SHOWN BELOW.

*********************************************************************

*********************************************************************

This INCIDENT RESPONSE HELP LINE is a 7-day 24-hour help number at the Network Service Center (NSC) in Baltimore. The NSC personnel will take an SSASRT Security Incident Report (SIR) and contact an incident response manager.

You should be prepared to supply the information below to the NSC employee taking the report. If you are unsure about some of the information, you should contact your Site/LAN Administrator or Security Officer, however, report the incident immediately with as much information as you have.

• Your name and phone number and eMail address
• An alternate point of contact (if appropriate)
• Location of affected machine
• Hostname and IP address of affected machine
• Data or Information which is at risk
• Hostname and IP address of source of the attack (if known)
• Any other information you can provide that will assist in analyzing the incident