
SANS ISC: Who ya gonna contact? SANS ISC InfoSec Forums

Who ya gonna contact?

A reader sent us an email with a link to a posting about a compromise, and that posting included links to the compromised data. They were frustrated from trying to contact someone to warn them that their data was out there and being unable to get hold of anyone except a recording to call 911 if it was an emergency. (Guess no one is thinking about a cyber emergency.)

I had to agree with the reader. It's frustrating to try to make contact with an actual security group or someone who handles such things. The only number you can generally find and can get a person on the phone to speak with is customer service. They have NO idea what you're talking about or what to do with you. Most of the time what is listed on a website for contact information is an email address. How often is that monitored, and if the issue is major for the entity, how long can they afford to let it go unanswered?

To quote the email we received:

"It is kind of an interesting issue, though. "Does your company have an easy
way for people to get in touch with it 24x7?"

If you're a bank and a customer gets a phishing email on a Saturday
afternoon, like next Saturday before a long weekend, how long would it be
before someone at the bank knew they were getting phished?"

In the scenario emailed to us, you have an individual, with knowledge of what seems to be freshly posted damaging data, trying to be a good net citizen and let the organization know.  The only thing that they could do was send an email and hope someone sees it.

There are two sides to think about in this issue.

First, if you're in this reader's position, how do you try to make contact? Do you have a better method? He suggested also sending emails to the following and see if they exist:

· All ARIN contacts if applicable
· All domain name registrar contacts
· postmaster@
· security@
· webmaster@
· abuse@
· Any I can find on the website itself

Second thought: you're the company/organization that has data out there. How successful would you be in the above scenario? Do you have phone numbers people can call? If customer service gets a call, do they even know you have a security department or how to route the call? How often does that email account get checked that you have posted as a contact? Better yet, who checks it and makes a decision if it's important and gets passed on, and who does it get passed on to? If it went to the webmaster, will they ignore it or are they trained who to pass it on to for review? Have you ever tested your organization from this point of view? It is my opinion that every person in the organization needs to know who to contact for cyber-related issues and the process is very clear.

So again, the real question is "Who ya gonna contact?"

Lorna

165 Posts
ISC Handler
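
One way to start the self-test the post asks for ("Have you ever tested your organization from this point of view?"), added here as an example and not part of the original post: it audits a sendmail/Postfix-style aliases file for the role mailboxes listed above and flags any that are missing or end up with fewer than two recipients. The sample file, the recipient names and the two-recipient threshold are constructed assumptions; continuation lines and `:include:` entries are not handled.

```python
# Role mailboxes named in the post's list.
ROLE_MAILBOXES = ("postmaster", "security", "webmaster", "abuse")

# Constructed sample input, not taken from any real system.
SAMPLE_ALIASES = """\
# /etc/aliases (constructed example)
postmaster: root
root:       mailteam
mailteam:   alice, bob
security:   soc-oncall@pager.example.net, mailteam
webmaster:  carol
loop-a:     loop-b
loop-b:     loop-a
"""

def parse_aliases(text):
    """Return {alias: [targets]} from 'name: target, target' lines."""
    aliases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        name, targets = line.split(":", 1)
        aliases[name.strip().lower()] = [
            t.strip().lower() for t in targets.split(",") if t.strip()]
    return aliases

def resolve(name, aliases, seen=None):
    """Expand an alias to its final recipients; a loop yields nothing."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    if name not in aliases:
        return {name}                           # a real mailbox or remote address
    final = set()
    for target in aliases[name]:
        final |= resolve(target, aliases, seen)
    return final

def audit(text, roles=ROLE_MAILBOXES, min_recipients=2):
    """Map each role mailbox to (status, sorted final recipients)."""
    aliases = parse_aliases(text)
    report = {}
    for role in roles:
        if role not in aliases:
            report[role] = ("MISSING", [])
            continue
        people = sorted(resolve(role, aliases))
        ok = len(people) >= min_recipients
        report[role] = ("OK" if ok else "TOO_FEW_RECIPIENTS", people)
    return report

if __name__ == "__main__":
    for role, (status, people) in audit(SAMPLE_ALIASES).items():
        print(f"{role + '@':12} {status:20} {', '.join(people)}")
```

A passing audit only shows that mail is routed to more than one place; whether anyone reads and escalates it still has to be checked by sending a test report.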
Funny, I've recently experienced this sort of frustration - being unable to do the good deed. I noticed on a government agency site an attempt to load a javascript from an .ru address. I went to the agency and obtained and emailed the contact only to get a reply that the person was on holidays and would return by the end of the month.
The root of the problem is that security is not taken seriously or even considered.
Pedro

1 Posts
security@ and abuse@ will reach our corporate IT security incident response team.
We monitor 24*7*365.
Pedro
7 Posts
If you need to point to a standard, RFC2142 defines these mailboxes (and more).
ietf.org/rfc/…
Johannes

3683 Posts
ISC Handler
My bank has a special e-mail address to which you can forward phishing e-mail that mentions them. I'm not sure how many clients know about it, though.
Vincent T

14 Posts
One would think if it was a Bank that they should have pretty good documented procedures that are fairly well known. If not, I guess you could always try and contact their banking regulator. The regulator might have some sharp words for a bank that makes it difficult for users to report issues.
Vincent T
20 Posts
I had an issue with a machine DDOSing our site. A call to the ISP customer care center was a total waste of time. So I called the corporate offices and asked to speak to the CIO's executive assistant. I knew I would not get to speak to the CIO, but from experience I know the EA wields the same amount of power. About 10 minutes after talking to the EA, I got a call from one of the networking team, and the first words out of his mouth were "I just got a ticket from someone you never want to get one from, what can I do to help you?"
Anonymous
I try to help other .edu's by letting them know when their accounts are phishing or attacking us. In general, it's difficult. The ARIN and registrar contacts often don't get answers, and it can take a lot of time to wade through their web site to find a suitable email address.

I like the idea about calling the CIO's assistant, though. I hadn't thought of that.
John

88 Posts
