Network Security Consulting Blog

The ultimate test of the value of an incident response team is how that team handles crises. Crises are generally not everyday occurrences. In fact, most issues with which an incident response team must deal are not of a bona fide emergency nature. That is why from the very onset of computer incident response teams I have objected to any incident response team name that includes “emergency” or “crisis” in it, because these terms represent little more than massive embellishment of the true nature of most of their activities.

Read more…

Perhaps the biggest single step in the life cycle of an incident response team is going operational. The major problem with getting the Department of Energy’s incident response team operational was that there was nothing–no policies, no standards, and virtually no procedures concerning incident response at that time. The CERT/CC team claimed that it was operational at that time, but if that were true, there would have been some kind of indication that operations were taking place, and there was no indication whatsoever. One of the best ways that my management ever helped at that time was to inform me of other emergency response teams and to try to get me in touch with people who managed such efforts. One such team was the Nuclear Energy Search Team (NEST) at Lawrence Livermore National Laboratory. Discussions with the manager and some of the more senior staff members of this team helped me better understand the kind of procedures that would have to be performed, the kinds of communication that would have to occur, and how action priorities would have to be determined. Still, the nuclear arena is not all that closely aligned with the information security arena, and after I was finished meeting with NEST members I developed a kind of sinking feeling that there was much more to do than I had ever imagined. And at the time the team I managed consisted only of myself.

Read more…

I’ve been affiliated with incident response in one way or another since 1988. I am not saying this boastfully, as I’ve made many mistakes both in responding to incidents technically and in managing incident response efforts. At the same time, however, when I first entered the incident response arena, there were no policies, standards, and procedures, and not really any requirements, either, to guide incident response efforts. Everyone who played in this arena originally had to use a combination of intuition and learning from mistakes just to get by.

Read more…

The Obama Administration (and in particular the U.S. State Department) continues to take the heat for the massive leakage of U.S. government documents courtesy of WikiLeaks (and allegedly originally because of the actions of PFC Bradley Manning). The volume of vitriol directed at President Obama and Security of State Hillary Clinton is astounding; members of the information security community have contributed more than their fair share of it. How could the U.S. government, they say, have been so negligent regarding access control that even a lowly private in the U.S. Army could allegedly gain access to these documents?

Read more…

Those of us who are information security professionals know all too well that success stories in our arena are too few and far between. When we hear of one, we thus need to savor the moment. This kind of moment recently occurred within Nationwide Insurance, which not too long ago had implemented a data loss prevention (DLP) tool enterprise-wide. The DLP tool issued an alert that a Nationwide employee had sent a spreadsheet from his personal email account to his Nationwide email account. A follow-up investigation revealed that the spreadsheet contained information such as credit card numbers, Pay Pal and eBay account names, and bogus identity information, prompting an investigation by Nationwide officials who contacted law enforcement soon afterwards. The FBI Cybercrime Task Force and the U.S. Postal Inspection Service launched an investigation and ultimately determined that Bi was copying computer games to CDs and then selling the CDs for a greatly reduced price. Between 2005 and late 2009, Bi sold more than 35,000 copies valued at $700,000 on eBay and using the eBay and Pay Pal account names he had stolen as well as his own account.

Read more…

The year 2010 is behind us; a new year is beginning. Last year will not go down in history as a particularly good year from an information security perspective. Attacks funded and initiated by countries (particularly the Peoples Republic of China) continued to occur frequently. So many denial of service (DoS) attacks came from China that domain name registrars began to distance themselves from entities in this country. The Stuxnet worm, which surfaced last year, proved for the first time that a virus or worm could actually cause physical damage to SCADA systems and, unfortunately, was almost certainly only the harbinger of a new, more formidable generation of malware. Data security breaches continued to occur at an astounding rate, as exemplified by recent statistics from the Privacy Rights Clearinghouse–nearly 600,000,000 pieces of personally identifiable information have fallen into unauthorized hands since this organization began counting in 2005. No one could have guessed the amount of information leaked to the wikileaks.org Web site, allegedly because of the actions of Private Bradley Manning of the US Army. And nobody would have imagined the ferocity of the DoS attacks that wikileaks supporters launched against Visa, MasterCard, and other credit card companies after these companies quit allowing their credit cards to be used for contributions to wikileaks. U.S. Government security efforts continued to flounder haplessly, and no major federal cybersecurity-related legislation was passed in the U.S. last year. Efforts to get a global treaty on cybercrime in place failed. Crime rings operating in Eastern Europe, Brazil, and elsewhere continued to rake in large amounts of money through a plethora of computer crime methods.

Read more…

In many ways 2010 was a good year, yet in many ways it was a bad one. Part of the bad side was the loss of two standouts in the information security arena, Justin Peltier and Fred Villella.

Read more…

How should we practice information security risk management? Numerous methods, models and approaches abound, one of the foremost of which is the information security governance approach. This approach in essence says that to have a successful information security risk management effort, an information security manager must plan, strategize, organize, and establish and maintain relationships not only with executive-level management, but also with other closely-related functions such as audit and physical security as well as with key stakeholders.

Read more…