
Lecture 7 Network Budgets

Uploaded by

Marie Muthoni
Copyright
© © All Rights Reserved

LECTURE 7 - COMPUTER NETWORK BUDGETS

Technology is a mission-critical investment, enabling staff members to work smarter and more efficiently to
build relationships, track gifts and memberships, communicate with constituents, and practice sound financial
management. By taking the time to assess inventory, define your current needs and map out future goals in a
technology plan, your organization can put technology to work to further your mission.

Hardware
Use three years as a common rule of thumb when budgeting for computer upgrades. It is not necessary to plan
to purchase new computers all at once. It is preferable to budget an annual amount for each workstation and
upgrade a portion of your machines each year. In addition to computers, plan for upgrades to servers and
peripherals.
Your hardware needs will vary depending on the specific applications each staff member uses and how your
systems are networked. Begin your assessment by making a list of your current hardware, including brand,
type, processor speed, memory, drives, modem, etc. When evaluating the need for additional software or staff
members, this inventory will help you quickly prioritize the hardware upgrades.

NETWORK AND OPERATING SYSTEM

There are many options for networking the workstations within your organization. Networks can be described
in terms of their size (LAN or WAN), security and access, protocol (for sharing information), and hardware,
which physically links the systems.

INTERNET CONNECTION

Depending on your staff’s needs to access email, update your Web site and research grants online, you can
make a small investment or a substantial one.
Consider your software, too — some hosted solutions tout low monthly leasing fees for applications, but the
subscription pricing does not seem like such a bargain when you factor in the need for a speedy Internet
connection and add up the annual costs. There are also related hardware expenses, such as modems and routers.

SOFTWARE
Create a list of all the applications used by each staff member and volunteer — include everything from
contact management, donation processing and ticketing to word processing, virus scanning and Web browsers.
Be sure to note version numbers, too. Your assessment may bring new needs to light, and it may raise
questions about the advantages of investing in one system designed to meet multiple needs. Consider
additional user licenses and new staff members that will be required to achieve future goals related to capital
campaigns, projected membership growth, major fundraisers, increased student enrollment, etc.

DATA CONVERSION

If your organization plans to export data from an old system to new database applications, make sure you allow
for conversion costs. The charges can vary greatly, depending on the format and amount of your data. You
may be able to run the conversion in your own office using a utility designed to import the data to the
appropriate fields, or you may need to enlist the help of specialists to make sure your data effectively transfers
from the old system to the new.

SOFTWARE MAINTENANCE AND SUPPORT

Find out about the maintenance programs and support associated with each software package you have or are
considering. For mid-range fund-raising and accounting systems, annual maintenance costs can range from 15
to 30 percent of the list price of the software. This is a substantial amount, yet the benefits you receive can vary
greatly. Ask what type of support is offered (telephone, email, Web, fax, FAQs). Is Helpline availability
coordinated with your organization’s workday? How many of the vendor’s employees are trained and
dedicated to develop and support the system you are considering? Clarify whether upgrades to the software are
included with a maintenance contract or are an additional expense.

TRAINING

Training will ensure your organization optimizes its use of technology, and increased productivity will be the
rewarding result.
A systems administrator is often best suited to teach staff members the ins and outs of an organization’s
general systems and processes. If there is no budget for a dedicated technician, organizations may wish to
bring in a consultant to establish a technology plan and assist with training.
Task-specific systems such as fund-raising software call for training from someone with an in-depth
knowledge of software and an understanding of the various roles within nonprofit organizations. Consider how
and where your staff would prefer to attend training. If you can afford to leave the office for a few days,
intensive hands-on classes can be the most helpful. In addition, off-site courses provide the opportunity to
share insight with and learn from other organizations with similar needs and challenges.
If you must have a trainer come to your office, check his credentials.
• Is the trainer an employee of the vendor or an independent representative?
• Does the trainer have general knowledge of multiple systems, or is she an expert on the system in which you are investing?
• Does the instructor have solid training experience?
Because the level of expertise among independent trainers can vary, be sure to check references.
Review options for supplemental training as well. Web-based courses and computer-based training CDs
provide ways for your staff to learn new skills quickly without leaving the office. Remember that staff
development — like hardware and software purchases — is an ongoing investment integral to your
organization’s success.

STAFFING YOUR NETWORK


If you want to build a computer network with capable managers, you need people with a certain set of skills
and technical expertise, and with abilities that enable them to respond to user needs and incidents, perform
analysis tasks, and communicate effectively with your constituency and other external contacts. They must
also be competent problem solvers, must easily adapt to change, and must be effective in their daily activities.
The composition of network support team staff varies from team to team and depends on a number of factors,
such as
• mission and goals of the network
• nature and range of services offered
• available staff expertise
• constituency size and technology base
• anticipated incident load
• severity or complexity of incidents
• funding

Basic Skills
The set of basic skills network staff members need can be separated into two broad groups: personal skills
and technical skills.

1. Personal Skills
It is important for network staff to have a wide range of personal skills because a major part of the support
team's daily activity will involve communicating with their constituency, their own team members, other response
teams, a variety of technical experts, and other individuals who may have various levels of technical
understanding. The reputation of a network can be made or lost by the professional interactions of its team
members.
a. Written Communication
A large part of the team's communication occurs through the written word. This communication can take many forms,
including
• responses in email concerning incidents
• documentation of event or incident reports, vulnerabilities, and other technical information
• notifications and/or guidelines that are provided to the constituency
• internal development of network policies and procedures
• other external communications to staff, management, or other relevant parties
Network staff members must be able to write clearly and concisely, describe activities accurately, and provide
information that is easy for their readers to understand.
b. Oral Communication
The ability to communicate effectively through spoken communication is also an important skill to ensure that
network staff members can say the right words to the right people. Oral communication often occurs through
telephone exchanges or face-to-face discussions and can involve a variety of individuals, for example
• network team members
• system and network administrators (or other IT staff)
• application owners/developers
• members of other response teams
• constituents or users (of the systems)
• subject matter or technical experts
• security officers
• management or other administrative staff
• human resources staff
• law enforcement or legal staff
• press/media/public relations staff
• vendors
c. Diplomacy
Network staff members often find that the community with whom they interact may have a variety of goals
and needs. This community may have varying levels of knowledge and degrees of excitement; some people
may feel overwhelmed with the gravity of their situation; they may be anxious, frustrated, or angry. Still others
may be aggressive or try to "trick" the network staff member into providing inappropriate information.
Skilled network staff will be able to anticipate potential points of contention, be able to respond appropriately,
maintain good relations, and avoid offending others. They also will understand that they are representing the
network and/or their organization. Diplomacy and tact are essential.
d. Ability to Follow Policies and Procedures
Network staff should understand how and why the policies and procedures came into existence. To ensure a
consistent and reliable response service, network staff must be prepared to accept and follow the rules and
guidelines, even if these are not fully documented and regardless of whether the staff member personally
agrees with them.
e. Team Skills
Network staff must be able to work in a team environment as productive and cordial team players. They need
to be aware of their responsibilities, contribute to the goals of the team, and work together to share
information, workload, and experiences. They must be flexible and willing to adapt to change. They also need
team skills for interacting with other parties (for example, members of other incident response teams and other
members of the organization, such as IT staff, site security officers, and network operators).
f. Integrity
The nature of network administration work means that the team members often deal with information that is
sensitive and, occasionally, they might have access to information that is newsworthy. Network staff must be
trustworthy, discreet, and able to handle information in confidence according to the network administration
guidelines, any constituency agreements or regulations, and/or any organizational policies and procedures.
In their efforts to provide technical explanations or response, staff must be careful to provide appropriate and
accurate information while avoiding the dissemination of any confidential information that could detrimentally
affect another organization's reputation, result in the loss of integrity, or affect other activities that involve
other parties.
Thus, it is important that the team members understand the distinction between their "customer service" role in
providing assistance to their constituency and the need to ensure that information is protected and handled
appropriately. Network staff may find themselves in a position where they know about information and could
comment on a topic, but doing so could acknowledge or disclose information that was provided in confidence
or that could affect an ongoing investigation.
Staff must remain aware of their responsibilities and not be caught "off guard" and make unauthorized
disclosures.

g. Coping with Stress
Network staff often find themselves in stressful situations. They need to be able to recognize when they are
becoming stressed, be willing to make their fellow team members aware of the situation, and take (or seek help
with) the necessary steps to control and maintain their composure.
In particular, they need the ability to remain calm in tense situations—ranging from an excessive workload to
an aggressive caller to an incident where human life or a critical infrastructure may be at risk. The team's
reputation, and the individual's personal reputation, will be enhanced or will suffer depending on how such
situations are handled.

h. Problem Solving
Without good problem-solving skills, staff members could become overwhelmed with the volumes of work
related to incidents and other tasks that need to be handled. Problem-solving skills also include an ability for
the network staff member to look at issues from multiple perspectives to identify relevant information or data.
This includes, for example,
• knowing who else in the team they might contact or approach for additional information, creative ideas, or added technical insight
• recognizing and seeking additional information from other resources (e.g., literature searches, past incidents that may involve similar activities, similarities in attack techniques or tools, other sources of information)
• verifying information through alternative approaches
• synthesizing information to determine relationships or to correlate with other incident data

i. Time Management
Administrators will be confronted with a multitude of tasks ranging from analyzing, coordinating, and
responding to incidents, to performing duties such as prioritizing their workload, attending and/or preparing for
meetings, completing time sheets, collecting statistics, conducting research, giving briefings and presentations,
traveling to conferences, and possibly providing onsite technical support.
Sometimes, even when they are given criteria for prioritizing tasks, staff may find it difficult to appropriately
prioritize and manage the myriad responsibilities that they are assigned in accordance with those criteria. To
stay productive, network staff must be able to balance their effort between completing the tasks assigned to
them, recognizing when to seek help or guidance from their management (when workload is becoming
overwhelming), and avoiding a state where constant re-prioritizing as new tasks arise prevents them from
actually completing their tasks!

2. Technical Skills
The basic technical skills that network staff need have been separated into two categories: technical
foundation skills and incident handling skills.
Technical foundation skills require a basic understanding of the underlying technologies used by the network
and the constituency, as well as an understanding of issues that affect that team or constituency. Such issues
may include
• the type of user support activity that is being reported or seen by the community
• the way in which network services are being provided (the level and depth of technical assistance provided to the constituency)
• the responses that are appropriate for the team (e.g., what policies and procedures or other regulations must be considered or followed while undertaking the response)
• the level of authority the network has in taking any specific actions when applying technical solutions to a reported incident.
Incident handling skills require an understanding of the techniques, decision points, and supporting tools
(software or applications) required in the daily performance of network activities.

Technical Skills
The concepts associated with these baseline skills are similar regardless of the underlying software and
hardware that is used to perform the work (i.e., the principles will be the same). Building upon such a
baseline, then, are the more specialized skills and knowledge needed for any tools and technologies (software,
hardware, policy) in use by the team or constituency.

a. Security Principles
Network staff members need to have a general understanding of basic security principles such as
• confidentiality
• availability
• authentication
• integrity
• access control
• privacy
• non-repudiation
Knowledge of security principles is necessary for the network staff to understand potential problems that
can arise if appropriate security measures have not been implemented correctly, as well as the potential
impacts to the constituents' systems. Network staff with this understanding will be better prepared
to determine their constituents' needs in securely configuring systems to prevent misuse or compromises and
also be better prepared to provide appropriate technical assistance and guidance when breaches do occur.

b. Security Vulnerabilities/Weaknesses
To understand how any specific attack is manifested in given software or hardware technology, the network
staff need to be able to first understand the fundamental causes of vulnerabilities through which most attacks
are exploited. They need to be able to recognize and categorize the most common types of vulnerabilities and
associated attacks, such as those that might involve
• physical security issues
• protocol design flaws (e.g., man-in-the-middle attacks, spoofing)
• malicious code (e.g., viruses, worms, Trojan horses)
• implementation flaws (e.g., buffer overflow, timing windows/race conditions)
• configuration weaknesses
• user errors or indifference

c. The Internet
It is important that network staff also understand the Internet. Without this fundamental background
information, they will struggle or fail to understand other technical issues, such as the lack of security in
underlying protocols and services used on the Internet or to anticipate the threats that might occur in the future.
d. Risks
Network staff members need to have a basic understanding of computer security risk analysis. They should
understand the effects on their constituency of various types of risks (such as potentially widespread Internet
attacks, national security issues as they relate to their team and constituency, physical threats, financial threats,
loss of business, reputation, or customer confidence, and damage or loss of data). Newly hired network staff
may not have this knowledge and will need guidance and mentoring to ensure they understand the risks that
may affect the constituency being served, as well as any risks that might affect the network itself.

e. Network Protocols
Members of the network staff need to have a basic understanding of the common (or core) network protocols
that are used by the team and the constituency they serve. For each protocol, they should have a basic
understanding of the protocol, its specification, and how it is used. In addition, they should understand the
common types of threats or attacks against the protocol, as well as strategies to mitigate or eliminate such
attacks.
For example, at a minimum, staff should be familiar with protocols such as IP, TCP, UDP, ICMP, ARP, and
RARP. They should understand how these protocols work, what they are used for, the differences between
them, some of the common weaknesses, etc. In addition, staff should have a similar understanding of protocols
such as TFTP, FTP, HTTP, HTTPS, SNMP, SMTP, and any other protocols that are used by the network or its
constituency.
The specialist skills include a more in-depth understanding of security concepts and principles in all the above
areas in addition to expert knowledge in the mechanisms and technologies that lead to flaws in these protocols,
the weaknesses that can be exploited (and why), the types of exploitation methods that would likely be used,
and strategies for mitigating or eliminating these potential problems. They would have expert understanding of
additional protocols or internet technologies (DNSSEC, IPv6, IPSEC, other telecommunication standards that
might be implemented or interface with their constituent's networks, such as ATM, BGP, broadband, voice
over IP, wireless technology, other routing protocols, or new emerging technologies, etc.) and provide expert
technical guidance to other members of the team or constituency.

f. Network Applications and Services


Network staff members need a basic understanding of the common network applications and services that the
team and the constituency use (DNS, NFS, SSH, etc.). For each application or service, they should understand
the purpose of the application or service, how it works, its common usages, secure configurations, and the
common types of threats or attacks against the application or service, as well as mitigation strategies.
The specialist skills include expanded technical insight into these applications and services, as well as new
emerging products that may be integrated into the network constituency.

g. Network Security Issues


Network staff members should have a basic understanding of the concepts of network security and be able to
recognize vulnerable points in network configurations.
They should understand the concepts and basic perimeter security of network firewalls (design, packet
filtering, proxy systems, DMZ, bastion hosts, etc.), router security, potential for information disclosure of data
traveling across the network (e.g., packet monitoring or "sniffers"), or threats relating to accepting
untrustworthy information.

h. Host/System Security Issues


In addition to understanding security issues at a network level, network staff need to understand security issues
at a host level for the various types of operating systems (UNIX, Windows, or any other operating systems
used by the team or constituency). Before understanding the security aspects, the network staff member must
first have
• experience using the operating system (user security issues)
• some familiarity with managing and maintaining the operating system (as an administrator)
Then, for each operating system, the network staff member needs to know how to
• configure (harden) the system securely
• review configuration files for security weaknesses
• identify common attack methods
• determine if a compromise attempt occurred
• determine if an attempted system compromise was successful
• review log files for anomalies
• analyze the results of attacks
• manage system privileges
• secure network daemons
• recover from a compromise

i. Malicious Code (Viruses, Worms, Trojan Horse programs)


Network staff must understand the different types of malicious code attacks that occur and how these can
affect their constituency (system compromises, denial of service, loss of data integrity, etc.).
Malicious code can have different types of payloads that can cause a denial of service attack or web
defacement, or the code can contain more "dynamic" payloads that can be configured to result in multi-faceted
attack vectors.
Specialist skills include expertise in performing analysis, black box testing, or reverse engineering on
malicious code that is associated with such attacks and in providing advice to the team on the best approaches
for effective response.

j. Programming Skills
Some team members need to have system and network programming experience. The team should ensure that
a range of programming languages is covered on the operating systems that the team and the constituency use.
For example, the team should have experience in
• C#
• .Net
• Java
• shell (all variations)
• other scripting tools
These scripts or programming tools can be used to assist in the analysis and handling of incident information
(e.g., writing different scripts for counting and sorting through various logs, searching databases, looking up
information, extracting information from logs/files, collecting and merging data).
Additionally, staff should understand the concepts of and techniques for secure programming. They need to be
aware of how vulnerabilities can be introduced into code (e.g., through poor programming and design
practices) and how to avoid these in any tools or products that they may develop for the team or their
constituency.
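
As an added illustration (not part of the original lecture) of the log-handling scripts described above, combined with the host-level tasks of reviewing log files and telling an attempted compromise from a successful one: the script merges two sshd log fragments, counts failed logins per source address, and separates sources that only tried from sources that logged in after repeated failures. The log lines, host name, year and threshold of three failures are constructed assumptions, and only IPv4 password logins are handled.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from a real system): an older, rotated sshd log
# and the current one. All addresses are from the documentation ranges.
ROTATED_LOG = """\
Mar  3 09:14:01 gw sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 09:14:03 gw sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 09:14:09 gw sshd[815]: Failed password for alice from 198.51.100.4 port 50022 ssh2
Mar  3 09:14:20 gw sshd[815]: Accepted password for alice from 198.51.100.4 port 50022 ssh2
Mar  3 09:15:00 gw sshd[820]: Failed password for invalid user x from 198.51.100.99 port 1 ssh2 from 203.0.113.7 port 40120 ssh2
"""
CURRENT_LOG = """\
Mar  3 09:15:02 gw sshd[822]: Failed password for backup from 192.0.2.55 port 33001 ssh2
Mar  3 09:15:04 gw sshd[822]: Failed password for backup from 192.0.2.55 port 33001 ssh2
Mar  3 09:15:07 gw sshd[822]: Failed password for backup from 192.0.2.55 port 33001 ssh2
Mar  3 09:15:11 gw sshd[822]: Accepted password for backup from 192.0.2.55 port 33001 ssh2
Mar  3 09:15:30 gw cron[900]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Secure-programming point: the user name is text chosen by the remote party,
# so it is treated as untrusted. The pattern is anchored to the end of the
# line, where sshd itself writes the source address, so a user name that
# contains " from <address> port ..." cannot shift blame to another host.
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_events(text, year):
    """Extract (timestamp, result, user, ip) from sshd lines; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # other daemons, other sshd messages
        # Classic syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def triage(*logs, year=2024, threshold=3):
    """Merge logs, count failures per source and classify each noisy source.

    Returns (ip, failures, verdict, user) tuples, successes first. A verdict
    of "success-after-failures" is a lead for review, not proof of compromise.
    """
    events = [e for log in logs for e in parse_events(log, year)]
    events.sort(key=lambda e: e[0])  # stable: ties keep their log order

    failures = defaultdict(int)
    breached = {}  # ip -> account that logged in after >= threshold failures
    for _ts, result, user, ip in events:
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold and ip not in breached:
            breached[ip] = user

    report = []
    for ip, count in failures.items():
        if count < threshold:
            continue  # e.g. one mistyped password before a normal login
        verdict = "success-after-failures" if ip in breached else "attempt-only"
        report.append((ip, count, verdict, breached.get(ip)))
    report.sort(key=lambda r: (r[2] != "success-after-failures", -r[1], r[0]))
    return report


if __name__ == "__main__":
    for row in triage(ROTATED_LOG, CURRENT_LOG):
        print(*row)
```
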

Incident Handling Skills


Within the broad range of technical skills needed to undertake incident handling is a subset of skills the
network staff also need. We call these "incident handling" skills, and they are associated with the underlying
daily operational activities of the CSIRT. It is worth noting that while these underlying concepts relating to
incident handling skills can be similar across many different CSIRTs, the specific implementation, policies,
and procedures for how these concepts are applied will be very specific within each team (and based on other
factors mentioned previously in the Introduction).

a. Local Team Policies and Procedures


The network incident handlers must be trained in the local policies and procedures that govern the operation of
their team. Every aspect of the work will most likely lead back to a policy or procedure that must be followed
or to other directives from management. Network staff need this background information and must have a firm
grasp of the guiding principles; otherwise, they will not understand the framework and boundaries in which
they apply their range of skills and knowledge. Every network staff member must be able to support these
policies and procedures, not only at the team level but also at an organizational level.

b. Understanding/Identifying Intruder Techniques


Building on their technical foundation skills, all network incident handlers must be able to recognize known
intrusion techniques based on the footprints or artifacts left by different types of attack in the incident reports
they handle. In addition, they need to know the appropriate methods to protect against these known attack
techniques and the risks associated with the attacks.
Some team members will require additional specialist skills and knowledge to be able to
• identify a new vulnerability
• undertake technical analysis of intruder tools and techniques
• recognize new intrusion techniques based on the footprints and their effects
• document analyses of artifacts as reference material for other team members (this work might also extend to providing guidance to help other network staff identify footprints, associated risks, and prevention methods)

c. Communicating with Sites


Much of the communication undertaken by network incident handlers is conducted online, commonly through
email. The correspondence often requires the transmittal of incident data in a secure manner. As a result, it is
crucial that network staff be fully conversant in the use of email and MIME functionality, as well as tools and
methods to identify contact information for other sites—including understanding which points of contact are
most appropriate—and the appropriate encryption technologies to be used.
They should also understand the functionality and use of various tools to facilitate the review and
interpretation of incident data (compressed file formats and tools, archiving tools such as UNIX tar or WinZIP,
uuencode/decode, etc.). In addition, it is important to ensure that the incident handling staff are cognizant of
the types of coordination that occur in interactions between and across these other teams.

d. Incident Analysis
It has been said by others in the community that network incident handlers are like detectives. When they
analyze an incident report, they are looking to determine answers to questions such as
• Who is involved?
• What has happened?
• Where did the attack originate from?
• When (what time frame)?
• Why did it happen?
• How was the system vulnerable or how did the attack occur?
• What was the reason for the attack?

e. Maintenance of Incident Records


Another major role of the incident handler is to maintain incident records. While this is not necessarily a "skill"
in the same sense as other skills discussed in this section, it is an important process that should be integrated
into the network operations and followed by all team members who are responsible for incident handling
functions.
