Odd packets
No. Time Source Destination Protocol Info
107496 10.768466 10.10.10.10 12.12.12.12 UDP Source port: 43152 Destination port: http
Frame 107496 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: Cisco (MACSRC), Dst: Cisco (MACDST)
Internet Protocol, Src: my-net (10.10.10.10), Dst: apnic (12.12.12.12)
User Datagram Protocol, Src Port: 43152 (43152), Dst Port: http (80)
Data (76 bytes)
0030 01 00 8f f9 08 00 61 62 63 64 65 66 67 68 69 6a ......abcdefghij
0040 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 61 62 63 klmnopqrstuvwabc
0050 64 65 66 67 68 69 00 00 00 00 00 00 00 00 00 00 defghi..........
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00
A few things to note, these are UDP packets from a high src port to port 80. They are coming from an 'our' network and going to a system in APNIC. There are a significant number of them.
Any ideas? Let us know.
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
Adobe Flash Media Server privilege escalation security bulletin
From their web site: A potential vulnerability has been identified in Flash Media Server 3.5.1 and earlier that could allow an attacker to execute remote procedures in Flash Media Interactive Server or Flash Media Streaming Server. Adobe recommends users update to the most current version of Flash Media Server (3.5.2 or 3.0.4 or greater)
Updates available to address Flash Media Server privilege escalation issue
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
OpenBSD 4.5
OpenBSD 4.5 has been released. There are a few security and reliability fixes, including OpenSSH 5.2.
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
Incident Management
Continuing on the discussion started here regarding Incident Response and Incident Handling, let's now introduce Incident Management. One of the issues we face in IT security is that we do not always use a common set of definitions or terminologies, so I find explaining what I mean is helpful when I say Incident Management, which may be different from what others understand. Looking at a couple of industry definitions we can see that they differ somewhat, but have common themes.
From ITIL: The objective of Incident Management is to restore normal operations as quickly as possible with the least possible impact on either the business or the user, at a cost-effective price.
From SEI: An incident management capability is instantiated in a set of services considered essential to protecting, defending, and sustaining an organization’s computing environment, in addition to conducting appropriate response actions.
From ISO/IEC 27002: Information security incident management - anticipating and responding appropriately to information security breaches.
From US-CERT: An incident management capability is the ability to provide management of computer security events and incidents. It implies end-to-end management for controlling or directing how security events and incidents should be handled. This involves defining a process to follow with supporting policies and procedures in place, assigning roles and responsibilities, having appropriate equipment, infrastructure, tools, and supporting materials ready, and having qualified staff identified and trained to perform the work in a consistent, high-quality, and repeatable way.
The definitions I work from are as follows:
Incident Response is all of the technical components required in order to identify, analyze, and contain an incident.
Incident Handling is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner.
One definition is more related to tactical, the other operational. Response focuses on the immediate needs of incident at hand; Handling on the broader capabilities of an organization to prepare for an incident.
Incident Management is the framework and set of functions required to enable Incident Response and Incident Handling within an organization.
Information Security Incident Management (IM) is not composed of a single process, but rather includes a number of operational and technical components which provide the necessary functions in order to support the traditional “Preparation, Identification, Contain, Eradication, Recovery, Lessons Learned” incident process model, including longer term monitoring, strategic planning, and trend analysis.
I helped develop an Incident Management Maturity Model (IM-MM) which included the following domains:
- Threat Environment Monitoring
- Security Incident Monitoring
- Vulnerability Management
- Configuration Management
- Log Management
- Forensics:
- Incident Handling
- Co-ordination/Centralization
- Knowledge Management
People, policy, processes, and technology in each of these domains are required to varying degrees for an organizational Incident Management capability to function correctly. Each can also be evaluated for an assessment of the organization's overall capability to resolve incidents.
Cheers,
Adrien de Beaupré, yes I do hold the GCIH certification, analyst #69. And yes, I have worked in Incident Response, Incident Handling, and Incident Management for quite some time.
Adrien de Beaupré
Intru-shun.ca Inc.
The IM-MM has been released under a Creative Commons license, but not published as of yet, working on it now. Disclaimer, I am not an employee of SANS nor GIAC, and do not represent them. My opinions are my own and not my employer's nor anyone else's. And yes, I am Canadian eh!
Password != secure
Reading a story on how an attacker broke into the administrative interface to twitter was the following quote: "One of the admins has a yahoo account, i've reset the password by answering to the secret question. Then, in the mailbox, i have found her twitter password." Social engineering and good guessing trumps security every time. Twitter have confirmed the intrusion, so sad but true. No hacking necessary. I could probably rant for hours on the subject, but most of you know the story. Enough said.
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
Comments