Alan Robertson <[email protected]>
>There seem to be a few easy solutions to this...  

Right there you should question yourself.


>Log into the switch and disable the port that corresponds to the cable 
>to pull.  I can do that on even my cheap switches here at home.
>
>Put a rule in the site firewall to shut down the attacking IPs, or the 
>IP of the server in question.

>If you don't have those passwords, you or they probably know who does.  
>And they can probably be reached in less than 35 minutes.


Focus on this key point:
"The Security team had discovered it, was confirming it, but they have 
suddenly been locked out of the exfiltration servers and the key KVM 
over IP switch. "

Network access has been shut down by the intruders. That's a standard move by a 
sophisticated attacker when he is discovered.
That's why the remote SOC suddenly finds itself in desperate need of a local 
physical boot on the ground as the clock nears midnight local time.


>Interestingly enough, if the people calling are from the SOC and know 
>about the attack, they are associated with network security - and they 
>probably know how to access the switches (using whatever authentication 
>is used locally) and IP addresses of the switches and/or firewalls.  
>Because of this, my first thought might be to wonder if this is some 
>kind of a social engineering attack with me as the attack vector...  
>Independently validate who they are and that there is indeed such an 
>emergency...


Indeed, they are just a voice on the phone at this point. Validate them by 
calling them back at the known number for the SOC. You will get a confirmation 
this is a real emergency. 


Tick, tick, tick, you spent some precious minutes on that call back. Did you do 
anything in parallel like run to your vehicle, or tell the proposal team staff 
what's up?


>If it's real, and they don't know the access credentials, then there is 
>probably an emergency lock box with authentication information that it's 
>time to open...


I think you are stuck thinking that there are credentials known to the 
white hats. There aren't anymore; the attacker has changed access codes. Any 
lock box or sealed envelope with admin credentials is useless now.


>The best answer I suppose is to refer them to the documented procedure 
>for dealing with an emergency security incident - which almost certainly 
>does not involve calling me ;-).  Not that you would say that...


The point of the scenario is to pose a no-win situation. You can prevent X or Y 
from getting worse, but there is a strong possibility you can't do both. 

Given that at 11pm there is an hour left for the proposal team's deadline, a 
20 minute transfer time, and a 35 minute round trip if all goes perfectly, 
there is also a temptation to try to get both done, but that also risks failing both.

The scenario forces you to make decisions. Describing those decisions gives the 
interviewer a view on how you tackle problems, and how much you are able to 
think outside the box.  


The scenario is repeated below for other contestants :-)

>On 5/9/2013 9:36 PM, unix_fan wrote:
>> Scenario:
>>
>> You are working with a group putting together a proposal.
>>
>> There are senior engineers and finance people in the group, whose primary 
>> role is to create PDFs, Word files, and Excel spreadsheets - the electronic 
>> artifacts of the proposal.  You are the IT guy; your mission is to ensure 
>> the team gets the artifacts copied into the appropriate directory. You will 
>> then create one zip file and transmit it to the customer's site.
>>
>> You have the instructions for how to transmit the files, you have the 
>> credentials entrusted to you, and you have wisely tested it beforehand so 
>> that you are confident it works. The transmit instructions specify that it 
>> has to be in one zip file, and no passwords should be required to open the 
>> resulting documents when they are unzipped at the customer's end.
>>
>>
>> It's 11pm local time and the deadline for submission is an hour away, but 
>> the proposal team is finishing up. The team just told you that in five 
>> minutes you will have *all* the final docs in the team folder, and you can 
>> start zipping them up and transmitting. You know from past experience it 
>> will take approximately 20 minutes to complete a comparable size 
>> transmission. The customer has told you that midnight is a hard deadline as 
>> they have automated closing off network access.
>>
>>
>> Dilemma:
>> You get a frantic call from the remote Security Operations Center (SOC) on 
>> your work mobile phone. A sophisticated attack is under way exfiltrating 
>> significant amounts of your company's IP - engineering drawings, pricing 
>> information, etc. The Security team had discovered it, was confirming it, 
>> but they have suddenly been locked out of the exfiltration servers and the 
>> key KVM over IP switch. They found that you were working after hours and 
>> literally need a local "boot on the ground" to run over to the East Campus 
>> server room, and unplug a specific network cable.
>>
>> If you drive over there now, execute flawlessly and return, you estimate it 
>> will take you at *least* 35 minutes.
>>
>> Problem:
>> What do you do?
>>
>> Describe your actions and thoughts - e.g how you prioritize and what your 
>> first step is.
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/