Day 1 - Preparation: Policies, Management Support, and User Awareness

Published: 2008-10-01
Last Updated: 2008-10-08 13:15:19 UTC
by Marcus Sachs (Version: 3)
1 comment(s)

October is Cyber Security Awareness Month and as we announced earlier we are going to use this month to solicit tips for proper incident handling. 

The SANS Institute teaches a six-step process:

1.  Preparation
2.  Identification
3.  Containment
4.  Eradication
5.  Recovery
6.  Lessons Learned

Preparation is the first step, and most of us know that if you are unprepared then it's nearly impossible to handle an incident property.  For the rest of this week we will focus on the elements of preparation.  To kick off the month, send us your ideas via the contact page on how you develop policies, how you engage management support, and how you raise user awareness.  We'll add the best ideas to this diary throughout the day.

Thanks and Happy Cyber Security Awareness Month!!


Craig sent us these thoughts:

I would like to suggest this:  Everyone knows an organization needs an Incident Response Plan that has management buy in, but how well written is your plan?  Do YOU have to be there for it to work?  I (being an engineer by education) do not consider myself a very good writer, so I was pleasantly surprised to hear that while I was on leave this past summer, an incident occurred and the organization was able to use the IRP totally and completely without my help.

I don't say that to brag, but it taught me something:  If I'm going to have a good impact and create something that lasts, I have to build it so it operates independently of me.  In a small org, that's one person deep at each position, it helps if policies and procedures aren't dependent on one person/position to succeed.


Handler Steve had these ideas:

I've recently had to define and create our incident response team.  We took a multitude of source media SANS (of course), NIST, CERT, and molded this into our policies and procedures for the IRT.  However, before all of that starts the first step has to be stakeholder management.  Without the right names on a piece of paper telling you can do IRT on behalf of your organisation, your as good as sunk on day 1.

So :
    1. Define who you are working for, and who you perform Incident response on behalf of, and who you don't!
    2. Work your way up the structure to find the best CxO's which cover what you define in 1, who want to sponsor your operation and educate them about incident response.
        a) get them all to sign a document  - your mission statement - which says you can perform Incident Response
        b) check out RFC 2350
        c) is important to ensure that these people are responsible for the RUN side of your IT, and not just the Information Security side. if they dont 100% align, either go higher, or get 2 to sign it.
    3. Define your policy for IR.
        The killers are:    
           -  HR policies in relation to IR
           -  Incident handling policies
           -  Information handling, so what needs to be encrypted, hows it sent, who to, and how, how long do you keep it, and how do you dispose of it when your finished
    4.  Announce yourself to the world.

Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: Awareness2008
1 comment(s)

Handler Mailbag

Published: 2008-10-01
Last Updated: 2008-10-01 21:47:05 UTC
by Rick Wanner (Version: 1)
0 comment(s)

Just a few items that came in through the Handler's mailbox today:

TCP Vulnerabilities

A few readers sent in some more information on the TCP vulnerabilities that has been the talk around the water cooler for the last week or so. First a webcast of the Dutch researchers is available at first part is in Dutch, but shortly after the 5 minute mark the conversation changes to English.

Secondly, a Search Security article provides some more details here.

I haven't had time to dig into this in detail, but it seems that a relatively few number of packets are capable of DOSing most TCP/IP stacks. Some sources are making this sound like the Internet perfect storm, others are writing it off as FUD.  I will leave it up to you to make your own decisions, but I expect it is closer to the latter.



Reader Frank forwarded an article about a hack  at the University of Indianapolis that compromised 11,000 Social Security numbers. This in itself is nothing new. Universities by the nature of their culture have had a relatively open network, and it seems the bad guys have been increasingly turning there attentions in that direction.  But a quote in the article upset Frank, ..."it was well beyond our control". Now I can't speak about the University of Indianapolis, they may very well have excellent security and this hack may have been carried out by world class hackers.  But what this hack hilights for me is that the days when universities could have a wide open network are long gone.  Enlightened universities have started realizing that they need to understand which data needs to be protected and separating the important data from the rest of the network with adequate security controls such as network segregation, firewalls, and encryption.  If you are interested the article is here.


Christmas in October!

Frequent contributer Roseman pointed out the release of updates to the free SysInternal's tools.  For those of you who regularly use the SysInternals tools to debug and understand Windows you understand when I say this is like an early Christmas.  For those of you who are not yet enlightened about should take a look.

The major change is a update to Process Monitor..."adds real-time TCP and UDP monitoring to its existing process, thread, DLL, file system and registry monitoring."

The blog post with some basic release notes is available here.

SysInternals tools can be downloaded from here.


-- Rick Wanner

rwanner at isc dot sans dot org

0 comment(s)

National Do Not Respond List

Published: 2008-10-01
Last Updated: 2008-10-01 11:52:43 UTC
by Adrien de Beaupre (Version: 1)
1 comment(s)

The National Do Not Call List for Canada went live yesterday. Well, sort of. It would appear as though they did not adequately plan (prepare) for the volume of requests. Both the web services and phone services did not respond or a busy signal almost all day. Somewhat of an incident, particularly when a new service of any kind simply isn't available. The intention of the DNCL is for consumers to register their phone numbers for certain classes of telemarketers to never dial. Well, to the aproximately 1 Million fellow Canadians who failed to register for the Some-Should-Call-and-Some-Shouldn't list, perhaps tomorrow is another day for their provider to get the service up and running.

Adrien de Beaupré

1 comment(s)


What's this all about ..?
password reveal .
<a hreaf="">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
<a hreaf=""> public bathroom near me</a>
<a hreaf=""> nearest public toilet to me</a>
<a hreaf=""> public bathroom near me</a>
<a hreaf=""> public bathroom near me</a>
<a hreaf=""> nearest public toilet to me</a>
<a hreaf=""> public bathroom near me</a>
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
Enter corthrthmment here...

Diary Archives