Emergency Operations Centers & Security Incident Management: A Correlation

Published: 2012-04-23
Last Updated: 2012-04-24 02:36:00 UTC
by Russ McRee (Version: 1)

I spent last Tuesday (17APR2012) taking orientation training at the State Emergency Operations Center (SEOC), a facility operated by the Washington State Military Department, Emergency Management Division. WA SEOC is a fully realized, extremely robust EOC with full authority to fulfill disaster and emergency coordination at the state level. The training was designed to orient attendees to serving or assisting when the EOC is activated during emergencies and disasters.

I was, as I have been during past EOC training or drills I've attended, drawn to the immediate parallels between EOC activity and mature security incident response programs.
 
Anyone who participates in or serves in a security incident response/management role has likely had the grave displeasure of being part of incident response gone bad. You know the event, it's seared into your memory. No incident command, no structure, everyone running around with their hair on fire, endless FUD and speculation, broken communication streams, and more damage being done than good. I, for one, cannot and will not tolerate events unfolding in this manner, and am always thrilled when I see training and robust processes take over during major events. EOCs are designed to do this right at a scale few of us can imagine or fathom.

It's one thing to lead your organization through a server compromise or a DDoS attack. It's quite another to do so where the lives of citizens and millions of dollars of property are in the mix. Life and death decisions change your perspective. All of which is a long way of getting to the point: there is much to be learned and utilized from the incident management structure utilized by EOCs as it pertains to information security incident response and management.
I'm a huge proponent of "everything in its place, a place for everything" during incidents. Everyone should know their role, what swim lane they should be in, and how to garner the assistance and support they may need.
In an EOC you'll note that seating is arranged in pods. These pods each pertain to an ESF or Emergency Support Function. Such functions include communications (ESF 2), logistics (ESF 7), public safety and security (ESF 13), external affairs (ESF 15), and defense support to civil authorities (ESF 20). 

[Image: Washington State EOC]

Not every ESF has a direct match to a role during an information security incident or major event - hopefully you won't need housing, public health, or search and rescue functions (we lost Bobby in the data center!) - but allow me to strengthen my claims to correlation.
The ESF 2 function includes "protection, restoration, and sustainment of national cyber and information technology resources." Check, that sounds like an incident response analyst and/or manager. 
ESF 7 includes logistics planning, management, and sustainment capability as well as resource support. Ever try to muddle through a major information security incident without your operations teams at the ready to perform systems and network functions? 
ESF 13 includes security planning and technical resource assistance along with resource security. Roger that, I see a mitigations working group in the making here, yes? 
ESF 15 provides protective action guidance as well as media and community relations. Indeed. Sounds like the all important information security advisory (patch now, avoid website x) or the pressing need for a good PR response when your high traffic website was defaced.
ESF 20 offers guidance to officials on the coordination of military resources in support of operations during response and recovery. Ack. Subject matter expertise, vulnerability assessment post-mitigation and remediation, after action reports (lessons learned), and defensive tactics oversight.
You get my point. Having a well defined, practiced (drill, drill, drill!) incident management system that springs into action like a well oiled machine is of extraordinary value during major information security incidents.
Following are some resources for you to consider.
Check out FEMA's National Incident Management System (NIMS). You can take NIMS training online via FEMA's Emergency Management Institute. I suggest starting with IS-100.b Introduction to Incident Command System, IS-200.b ICS for Single Resources and Initial Action Incidents, and IS-700.a National Incident Management System (NIMS) An Introduction. I've taken these, as well as four other ISP courses as part of requirements for the Military Emergency Management Specialist (MEMS) Basic level, and continue to see content matches to my role in security incident management. Also familiarize yourself with the National Response Framework.
If you've noted similar relationships with emergency management practices and information security response and incident management, feel free to share with the readership via the comments form along with any questions you may have.

Continued interest in Nikjju mass SQL injection campaign

Published: 2012-04-23
Last Updated: 2012-04-24 00:17:18 UTC
by Russ McRee (Version: 1)

Readers continue to write in conveying updates from sources regarding the Nikjju mass SQL injection campaign. Like the Lilupophilupop campaign from December, ASP/ASP.NET sites are targeted and scripts inserted.

Be wary of <script src=hxxp://nikjju.com/r.php></script> or <script src = hxxp://hgbyju.com/r.php ></script> and the resulting fake/rogue AV campaigns they subject victims to.

Infected site count estimations vary wildly, but a quick search of the above strings will give you insight. Handler Mark H continues to track this one and indicates that the MO is similar to the Lilupophilupop campaign, but that they're trying some interesting things this round. We'll report if anything groundbreaking surfaces.
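The injected tags above are the artifact a site owner can hunt for in stored page content. The following is an added example, not code from the diary or from ISC: it scans text records (constructed sample rows standing in for an ASP site's database columns) for <script> tags whose src host matches the two domains named in the diary, tolerating the spacing and quoting variants shown. The domain list, regex and sample rows are this example's own assumptions.

```python
import re
from typing import Dict, List

# Domains named in the diary (defanged there as hxxp; live content uses http).
IOC_DOMAINS = ("nikjju.com", "hgbyju.com")

# Matches a <script ... src=URL> tag. The lazy [^>]*? lets attributes precede
# src, and \s* around '=' tolerates the "src = http://..." variant. The host
# is captured separately so we can compare it against the IOC domains.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*['\"]?\s*(https?://([^/'\"\s>]+)[^'\"\s>]*)",
    re.IGNORECASE,
)


def find_injected_scripts(content: str, domains=IOC_DOMAINS) -> List[Dict[str, object]]:
    """Return one record per script tag whose src host is (or is under) an IOC domain."""
    hits = []
    for m in SCRIPT_SRC_RE.finditer(content):
        url, host = m.group(1), m.group(2).lower()
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append({"url": url, "host": host, "offset": m.start()})
    return hits


def scan_rows(rows: Dict[int, str]) -> Dict[int, List[Dict[str, object]]]:
    """Scan keyed text records (e.g. rows dumped from a CMS table); keep only rows with hits."""
    findings = {}
    for row_id, text in rows.items():
        hits = find_injected_scripts(text)
        if hits:
            findings[row_id] = hits
    return findings


# Constructed sample rows: two carry injected tags in the two syntaxes seen in the
# diary, one is clean text, one loads a legitimate (hypothetical) CDN script.
SAMPLE_ROWS = {
    1: "Welcome to our store</script><script src=http://nikjju.com/r.php></script>",
    2: "<p>Contact us</p>",
    3: "<script src = http://hgbyju.com/r.php ></script>",
    4: "<script src='https://cdn.example.com/app.js'></script>",
}

if __name__ == "__main__":
    for row_id, hits in scan_rows(SAMPLE_ROWS).items():
        for h in hits:
            print(f"row {row_id}: injected script from {h['host']} ({h['url']}) at offset {h['offset']}")
```

Run it over a dump of the text columns the campaign targets rather than the rendered site; the tag is only visible in page output once the injected column is rendered.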

As always if you have logs to share send them our way via the contact form or any comment with any insight you want to share with readers.

Russ McRee | @holisticinfosec


Comments open for NIST-proposed updates to Digital Signature Standard

Published: 2012-04-23
Last Updated: 2012-04-23 17:11:36 UTC
by Russ McRee (Version: 1)

The comment period for National Institute of Standards and Technology (NIST) proposed changes to the Digital Signature Standard (FIPS 186-3) is open until May 25, 2012. Submit comments via fips_186-3_change_notice at nist dot gov, with ''186-3 Change Notice'' in the subject line.

The proposed changes include:

  • "clarification on how to implement the digital signature algorithms approved in the standard: the Digital Signature Algorithm (DSA), the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Rivest-Shamir-Adelman algorithm (RSA)"
  • "allowing the use of additional, approved random number generators, which are used to generate the cryptographic keys used for the generation and verification of digital signatures"

NIST indicates that "the standard provides a means of guaranteeing authenticity in the digital world by means of operations based on complex math that are all but impossible to forge" but that "updates to the standard are still necessary as technology changes."

Comment and feedback on your digital signature implementations are welcome via our comments form.

Russ McRee | @holisticinfosec
ISC StormCast for Monday, April 23rd 2012 http://isc.sans.edu/podcastdetail.html?id=2482
