There seem to be a few easy solutions to this... But I'm an ignoramus -
so correct me ;-)
Log into the switch and disable the port that corresponds to the cable
to pull. I can do that on even my cheap switches here at home.
Put a rule in the site firewall to shut down the attacking IPs, or the
IP of the server in question.
If you don't have those passwords, you or they probably know who does.
And they can probably be reached in less than 35 minutes.
Interestingly enough, if the people calling are from the SOC and know
about the attack, they are associated with network security - and they
probably know how to access the switches (using whatever authentication
is used locally) and IP addresses of the switches and/or firewalls.
Because of this, my first thought might be to wonder if this is some
kind of a social engineering attack with me as the attack vector...
Independently validate who they are and that there is indeed such an
emergency...
If it's real, and they don't know the access credentials, then there is
probably an emergency lock box with authentication information that it's
time to open...
The best answer I suppose is to refer them to the documented procedure
for dealing with an emergency security incident - which almost certainly
does not involve calling me ;-). Not that you would say that...
On 5/9/2013 9:36 PM, unix_fan wrote:
No one answered, so I'll take a crack at it.
Atom Powers <[email protected]> writes:
On May 7, 2013 9:15 AM, "Michael Tiernan" <[email protected]> wrote:
"Here's a situation,
[describe computer version of Kobayashi Maru problem].
This sounds like fun. What are some of your favorite "unwinnable" problems?
Scenario:
You are working with a group putting together a proposal.
There are senior engineers and finance people in the group, whose primary role
is to create PDFs, Word files, and Excel spreadsheets - the electronic
artifacts of the proposal. You are the IT guy; your mission is to ensure the
team gets the artifacts copied into the appropriate directory. You will then
create one zip file and transmit it to the customer's site.
You have the instructions for how to transmit the files, you have the
credentials entrusted to you, and you have wisely tested it beforehand so that
you are confident it works. The transmit instructions specify that it has to be
in one zip file, and no passwords should be required to open the resulting
documents when they are unzipped at the customer's end.
It's 11pm local time and the deadline for submission is an hour away, but the
proposal team is finishing up. The team just told you that in five minutes you
will have *all* the final docs in the team folder, and you can start zipping
them up and transmitting. You know from past experience it will take
approximately 20 minutes to complete a comparable size transmission. The
customer has told you that midnight is a hard deadline as they have automated
closing off network access.
Dilemma:
You get a frantic call from the remote Security Operations Center (SOC) on your work
mobile phone. A sophisticated attack is under way exfiltrating significant amounts of
your company's IP - engineering drawings, pricing information, etc. The security team had
discovered it and was confirming it, but they have suddenly been locked out of the
exfiltration servers and the key KVM-over-IP switch. They found that you were working
after hours and literally need a local "boot on the ground" to run over to the
East Campus server room, and unplug a specific network cable.
If you drive over there now, execute flawlessly and return, you estimate it
will take you at *least* 35 minutes.
Problem:
What do you do?
Describe your actions and thoughts - e.g. how you prioritize and what your first
step is.
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/