
SANS ISC InfoSec Handlers Diary Blog



Emergency Operations Centers & Security Incident Management: A Correlation

Published: 2012-04-23
Last Updated: 2012-04-24 02:36:00 UTC
by Russ McRee (Version: 1)

I spent last Tuesday (17APR2012) taking orientation training at the State Emergency Operations Center (SEOC), a facility operated by the Washington State Military Department, Emergency Management Division. WA SEOC is a fully realized, extremely robust EOC with full authority to fulfill disaster and emergency coordination at the state level. The training was designed to orient attendees to serving or assisting when the EOC is activated during emergencies and disasters.

I was, as I have been during past EOC training or drills I've attended, drawn to the immediate parallels between EOC activity and mature security incident response programs.
 
Anyone who participates in or serves in a security incident response/management role has likely had the grave displeasure of being part of incident response gone bad. You know the event; it's seared into your memory. No incident command, no structure, everyone running around with their hair on fire, endless FUD and speculation, broken communication streams, and more damage being done than good. I, for one, cannot and will not tolerate events unfolding in this manner, and am always thrilled when I see training and robust processes take over during major events.
EOCs are designed to do this right at a scale few of us can imagine or fathom.
It's one thing to lead your organization through a server compromise or a DDoS attack.
It's quite another to do so where the lives of citizens and millions of dollars of property are in the mix. Life and death decisions change your perspective.
All of which is a long way of getting to the point: there is much to be learned and utilized from the incident management structure utilized by EOCs as it pertains to information security incident response and management.
I'm a huge proponent of "everything in its place, a place for everything" during incidents. Everyone should know their role, what swim lane they should be in, and how to garner the assistance and support they may need.
In an EOC you'll note that seating is arranged in pods. These pods each pertain to an ESF or Emergency Support Function. Such functions include communications (ESF 2), logistics (ESF 7), public safety and security (ESF 13), external affairs (ESF 15), and defense support to civil authorities (ESF 20). 
 
Washington State EOC
 
Not every ESF has a direct match to a role during an information security incident or major event - hopefully you won't need housing, public health, or search and rescue functions (we lost Bobby in the data center!) - but allow me to strengthen my claims of correlation.
The ESF 2 function includes "protection, restoration, and sustainment of national cyber and information technology resources." Check, that sounds like an incident response analyst and/or manager. 
ESF 7 includes logistics planning, management, and sustainment capability as well as resource support. Ever try to muddle through a major information security incident without your operations teams at the ready to perform systems and network functions? 
ESF 13 includes security planning and technical resource assistance along with resource security. Roger that, I see a mitigations working group in the making here, yes? 
ESF 15 provides protective action guidance as well as media and community relations. Indeed. Sounds like the all-important information security advisory (patch now, avoid website x) or the pressing need for a good PR response when your high-traffic website was defaced.
ESF 20 offers guidance to officials on the coordination of military resources in support of operations during response and recovery. Ack. Subject matter expertise, vulnerability assessment post-mitigation and remediation, after action reports (lessons learned), and defensive tactics oversight.
You get my point. Having a well-defined, practiced (drill, drill, drill!) incident management system that springs into action like a well-oiled machine is of extraordinary value during major information security incidents.
Following are some resources for you to consider.
Check out FEMA's National Incident Management System (NIMS). You can take NIMS training online via FEMA's Emergency Management Institute. I suggest starting with IS-100.b Introduction to Incident Command System, IS-200.b ICS for Single Resources and Initial Action Incidents, and IS-700.a National Incident Management System (NIMS) An Introduction. I've taken these, as well as four other ISP courses as part of requirements for the Military Emergency Management Specialist (MEMS) Basic level, and continue to see content matches to my role in security incident management. Also familiarize yourself with the National Response Framework.
If you've noted similar relationships with emergency management practices and information security response and incident management, feel free to share with the readership via the comments form along with any questions you may have.

Continued interest in Nikjju mass SQL injection campaign

Published: 2012-04-23
Last Updated: 2012-04-24 00:17:18 UTC
by Russ McRee (Version: 1)

Readers continue to write in conveying updates from sources regarding the Nikjju mass SQL injection campaign. Like the Lilupophilupop campaign from December, ASP/ASP.net sites are targeted and scripts inserted.

Be wary of <script src= hxxp://nikjju.com/r.php ></script> or <script src = hxxp://hgbyju.com/r.php <</script> and the resulting fake/rogue AV campaigns they subject victims to.

Infected site count estimations vary wildly, but a quick search of the above strings will give you insight. Handler Mark H continues to track this one and indicates that the MO is similar to the Lilupophilupop campaign, but that they're trying some interesting things this round. We'll report if anything groundbreaking surfaces.

As always, if you have logs to share, send them our way via the contact form, or leave a comment with any insight you want to share with readers.
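One defender-side way to do that search over site content, as an added example that is not from this diary: the script below flags script tags whose src points at the two domains named above, tolerating spacing variants, optional quotes, the hxxp defang, and the stray "<" before the closing tag in the second quoted string. It assumes rows dumped from a site database as (table, column, primary key, text) tuples; the sample rows are constructed, and it goes beyond the two quoted strings by matching any path on the listed hosts.

```python
import re

# Hosts named in this diary as serving the injected r.php; extend as new
# campaign domains surface. Matching is done on the host, not the whole URL.
CAMPAIGN_HOSTS = {"nikjju.com", "hgbyju.com"}

# One <script src=...></script> tag. Tolerates spaces around '=', optional
# quotes, "hxxp" defanging as used in the diary, and a stray '<' before the
# closing tag (the second string quoted above ends in "<</script>").
_TAG_RE = re.compile(
    r"<script\s+src\s*=\s*[\"']?\s*h(?:tt|xx)ps?://(?P<host>[a-z0-9.-]+)"
    r"(?:/[^\s\"'<>]*)?\s*[\"']?\s*[<>]?\s*</script>",
    re.IGNORECASE,
)

def find_injected_hosts(content):
    """Return campaign hosts referenced by script tags in one text value."""
    return [m.group("host").lower() for m in _TAG_RE.finditer(content or "")
            if m.group("host").lower() in CAMPAIGN_HOSTS]

def scan_rows(rows):
    """rows: iterable of (table, column, primary_key, text) as dumped from an
    ASP site's database. Returns one (table, column, pk, host) per hit."""
    return [(table, column, pk, host)
            for table, column, pk, text in rows
            for host in find_injected_hosts(text)]

def count_by_host(findings):
    """Tally findings per campaign host for an infected-row estimate."""
    counts = {}
    for _, _, _, host in findings:
        counts[host] = counts.get(host, 0) + 1
    return counts

# Constructed sample rows; not real data from any site.
SAMPLE_ROWS = [
    ("Products", "Description", 1,
     "Blue widget.<script src=http://nikjju.com/r.php></script>"),
    ("Products", "Description", 2, "Plain description, nothing injected."),
    ("News", "Body", 7,
     "<p>Update</p><script src = hxxp://hgbyju.com/r.php <</script>"),
    ("News", "Body", 8,
     "<script src='https://cdn.example.com/app.js'></script>"),
]

if __name__ == "__main__":
    hits = scan_rows(SAMPLE_ROWS)
    for table, column, pk, host in hits:
        print(f"{table}.{column} pk={pk}: injected script from {host}")
    print(count_by_host(hits))
```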

Russ McRee | @holisticinfosec


Comments open for NIST-proposed updates to Digital Signature Standard

Published: 2012-04-23
Last Updated: 2012-04-23 17:11:36 UTC
by Russ McRee (Version: 1)

The comment period for the National Institute of Standards and Technology (NIST) proposed changes to the Digital Signature Standard (FIPS 186-3) is open until May 25, 2012. Submit comments via fips_186-3_change_notice at nist dot gov, with ''186-3 Change Notice'' in the subject line.

The proposed changes include:

  • "clarification on how to implement the digital signature algorithms approved in the standard: the Digital Signature Algorithm (DSA), the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Rivest-Shamir-Adelman algorithm (RSA)"
  • "allowing the use of additional, approved random number generators, which are used to generate the cryptographic keys used for the generation and verification of digital signatures"

NIST indicates that "the standard provides a means of guaranteeing authenticity in the digital world by means of operations based on complex math that are all but impossible to forge" but that "updates to the standard are still necessary as technology changes."

Comments and feedback on your digital signature implementations are welcome via our comments form.

Russ McRee | @holisticinfosec