Last Updated: 2010-11-01 20:31:48 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
Today's topic is the role of the office geek. Those of us responsible for information security in a company regularly run into people who try to commit fraud within the organization. Many organizations already have an incident response process and rules to sanction that kind of behavior. But there is another type of user who is not trying to do anything illegal: he does not have a comprehensive understanding of information security, but he has above-average skills, loves technology, studies on his own, and through his actions can cause us real problems in daily operations.
I can name an example from my own company: an economist in charge of the process for importing goods and services was sent to a Microsoft Office course. Since he loves technology, he decided to study a bit further and began using Microsoft Access to keep all the information needed to handle the import procedures in a database. In a very short time it became the company's main database for managing imports, and all of it lived on a workstation with 1 GB of RAM, an 80 GB disk and Windows XP.
When did we find out this database existed? During a penetration test of the workstation infrastructure. As you might imagine, the database did not have the necessary security settings, and on top of that it had several vulnerabilities due to missing patches.
What should we do with these people? They are a double-edged sword: they can provide ideas and feedback to the IT process, but it is necessary to channel them and to enforce, at all times, the guidelines established in the information security policy.
As always, your comments are welcome. Please remember our contact form.
Last Updated: 2010-10-29 17:53:59 UTC
by Kevin Liston (Version: 1)
As you go through the process of individually contacting abuse contacts (http://isc.sans.edu/diary.html?storyid=9664) and work your way upstream (http://isc.sans.edu/diary.html?storyid=9712), you may eventually end up at the state or national level. This should only happen in cases where the ISP is unresponsive or actually complicit in the behavior. For something like Slammer this shouldn't be the case, but for completeness I'd like to cover how to engage CERTs.
Each CERT is unique. They have varying levels of funding and organization, and their missions are not consistent from one country to another, but they do have a couple of things in common. Most are clearing-houses for abuse reporting: if your research into the owner and upstream provider of an infected IP address isn't turning up working contacts, they can usually help identify the correct contacts and forward the report on for you. Also, each is responsible to a specific constituency.
Before contacting a CERT it's important to study their mission and their constituency. You will not get good results if you report an IP address or an organization that is outside of their scope. Some CERTs do not actually accept abuse reports from individuals or organizations and only service other CERTs (e.g. the Asia Pacific Computer Emergency Response Team, apcert.org).
As an individual or organization directly reporting an incident to a CERT, it's best to use their online reporting form. This assures that your report enters their workflow and contains the information that they require. Sending an email in your own format runs the risk that it will be ignored. If you shotgun your report as an email to multiple organizations and CERTs, it's almost guaranteed to be ignored by most or all of the recipients on your list. However, if what you have to report doesn't fit their reporting form and you think an email is necessary, they are quite fond of digital signatures.
Let's look at a couple of examples. For reporting Slammer, your two most common countries are China and the United States. CNCERT has an easy web form to report infections: http://www.cert.org.cn/english_web/ir.htm. There's a little captcha to prove that you're a human; you fill out a few fields, select "Virus, worm or trojan infection" as the incident type, paste your logs/packet dump in the description field, and ask that the system be taken off-line or cleaned. Be sure to record when you sent the report in your tracking spreadsheet, along with what kind of response you get.
US-CERT (http://www.us-cert.gov) has its own reporting forms, broken down into: incident, phishing, and vulnerability. For something like Slammer, you'd use the "Report an Incident" link: https://forms.us-cert.gov/report/. They collect some contact information as well as more details about how the incident is impacting you (none to minimal in the case of Slammer attacks) and what type of follow-up you require (none, contact or forward; probably forward in this case). They ask for the current status of the incident; since the Slammer infection is still ongoing, you could use the "Occurring" status. They have a couple of fields for describing the incident, one of which is specifically for pasting logs. Use that one.
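Both forms above want the same two things from you: evidence (logs or a packet dump) and a clear statement of what you are asking for. The following is an added example, not part of the original diary or of either CERT's tooling, that turns a firewall log into exactly that per-source text block. It assumes netfilter-style `key=value` log lines (the sample lines are constructed, with RFC 5737 documentation addresses) and identifies Slammer traffic by its well-known signature, UDP to destination port 1434; everything else in the log is ignored.

```python
import re
from collections import OrderedDict

# Constructed sample firewall log in a simplified netfilter style. These lines are
# made up for this example and are not from the original diary. LEN=404 is what
# Slammer's single 376-byte UDP payload looks like once UDP and IP headers are added.
SAMPLE_LOG = """\
Oct 29 10:01:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=UDP SPT=1032 DPT=1434 LEN=404
Oct 29 10:01:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.6 PROTO=UDP SPT=1032 DPT=1434 LEN=404
Oct 29 10:02:10 fw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=UDP SPT=1434 DPT=1434 LEN=404
Oct 29 10:02:11 fw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=80 LEN=60
Oct 29 10:02:12 fw kernel: IN=eth0 SRC=198.18.0.9 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=53 LEN=80
Oct 29 10:03:00 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.9 PROTO=UDP SPT=1032 DPT=1434 LEN=404
"""

# syslog timestamp, host, then the free-form remainder carrying key=value pairs
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

SLAMMER_PORT = 1434  # SQL Slammer spreads over UDP/1434 (MS SQL Resolution Service)


def parse_line(line):
    """Return the key=value fields of one log line plus its timestamp, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    fields["TS"] = m.group("ts")
    fields["RAW"] = line
    return fields


def is_slammer_probe(fields):
    """Slammer signature: UDP datagram to destination port 1434."""
    return fields.get("PROTO") == "UDP" and fields.get("DPT") == str(SLAMMER_PORT)


def summarize_slammer_probes(log_text):
    """Group UDP/1434 probes by source IP: count, first/last seen, targets, evidence lines.

    Lines are assumed to be in chronological order, as a firewall log normally is,
    so first/last seen are taken from the order of appearance rather than parsed.
    """
    summary = OrderedDict()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or not is_slammer_probe(f):
            continue
        entry = summary.setdefault(f["SRC"], {
            "count": 0, "first_seen": f["TS"], "last_seen": f["TS"],
            "targets": set(), "evidence": [],
        })
        entry["count"] += 1
        entry["last_seen"] = f["TS"]
        entry["targets"].add(f["DST"])
        entry["evidence"].append(f["RAW"])
    return summary


def format_report(src, entry, sensor_tz="UTC"):
    """Render one source's findings as text to paste into a CERT form's log field.

    sensor_tz is the timezone the sensor logged in; state it explicitly, since a
    bare syslog timestamp carries neither year nor zone.
    """
    lines = [
        f"Incident type: Virus, worm or trojan infection (SQL Slammer, UDP/{SLAMMER_PORT})",
        f"Source IP: {src}",
        f"Probes observed: {entry['count']} against {len(entry['targets'])} host(s)",
        f"First seen: {entry['first_seen']} {sensor_tz}",
        f"Last seen:  {entry['last_seen']} {sensor_tz}",
        "Request: please have the system taken off-line or cleaned.",
        "Evidence (firewall log excerpt):",
    ]
    lines.extend("  " + raw for raw in entry["evidence"])
    return "\n".join(lines)


if __name__ == "__main__":
    for src, entry in summarize_slammer_probes(SAMPLE_LOG).items():
        print(format_report(src, entry))
        print()
```

One report per source IP is deliberate: each infected host is owned by someone different, so each one gets its own form submission and its own row in your tracking spreadsheet, with the "first seen"/"last seen" values giving the CERT the time window to match against the owner's logs.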
Reporting to an organization such as a CERT is often an act of faith. You're not likely to get a quick, human response (not like when you submit something to us: http://isc.sans.edu/contact.html), but your efforts do have an impact. The attention that an IP address gets grows as more and more reports come in from multiple organizations. This is why I've been soliciting you to make your own reports individually, as opposed to asking you to "send me all of your known SQL Slammer infections."
We're quickly approaching the end of this exercise, so next week I'll post the results and go into more of the background on why I chose Slammer and how I organized the drill.