Copyright 2001 Internet Security Systems (trademark)
THE POWER TO PROTECT

INTERNET THREAT & SOLUTIONS UPDATE for Oct 10th - Oct 12th, 2001
ISS X-Force Special Operations Group

--------------------------------------
CURRENT THREAT ASSESSMENT & THREAT FORECAST
--------------------------------------

AlertCon 1  Today, Oct 10th, 2001
AlertCon 1  For Oct 11th-12th, 2001

This Week's Focus: Bulletproofing your networks
*************

- We haven't seen or heard of any increase in the cyber threat as a result of the coalition bombing in Afghanistan. We are also not seeing any threat issue that requires increased vigilance, so we have reduced our threat assessment to AlertCon 1. Of course, AlertCon 1 assumes the general chaotic, unregulated, insecure nature of the Internet, so anyone connecting to it needs to be fully armored against the relentless assaults that come with it. AlertCon 1 in no way means 'you can relax now'.

- The appearance of Nimda.B has not had any adverse impact on our monitored networks on four continents. The major AV vendors have solutions on their sites. Worm and virus activity associated with Nimda, SirCam, and other malicious code continues to plague unprotected networks. This is no time to be behind in updating anti-virus software.

--------------------------------------
Security Focus This Week - Bulletproofing your networks
--------------------------------------

- Once again, bulletproof vests are not really bulletproof; they are bullet resistant. There's no such thing as an absolutely bulletproof network either, but we want your network to be resistant to the most common forms of cyber attack. Since some cyber fallout from the war on terrorism is a real possibility, now is a good time to get your 'bulletproofing' campaign started.

- Thanks to David Berlind of ZDNet for the 'bulletproofing' analogy.
<http://techupdate.zdnet.com/techupdate/filters/rcplus/0,14178,6021509,00.html>

- Today we'll look at response solutions. Tomorrow we'll explore ways to improve the behavior of the people using our networks, and on Friday we'll wrap it all up.

---------------------------------------
SOLUTIONS
---------------------------------------

- The most effective response is one you make in advance, to a threat, not to an actual attack. Since we know that our networks and information are vulnerable to everything from hackers to hurricanes to terrorists, it's imperative to do something before disaster strikes.

- OK, so much for the soapbox. Now back to the real world.

- Detecting attacks is only the beginning of the battle, as everyone with IDS knows. It quickly dawns on people who install intrusion detection that now they have to do something about all these alarms.

- Assuming you have a focal point that is contacted by your detection provider:

-- Are call rosters up to date and deep enough to ensure that someone will answer if the primary contact person is not available?

-- Do the people manning the alarms know who to call (24x7) to get the problem fixed in a hurry (e.g., sys admin, net admin, etc.)?

-- Is the security team empowered to direct immediate countermeasures (patch a system, take it off line, etc.)?

-- Does your team or organization have the skill sets required to combat a cyber emergency or investigate a compromise, or do you need outside help like ISS' Emergency Response Team?

-- Does your security team have a list of other important contacts/decision makers (e.g., your public relations shop, HR, legal counsel)?

-- Do you have an established procedure for contacting local law enforcement?

-- Do you have a procedure in place for capturing and applying lessons learned?

- As you can see, beginning a response to a cyber attack involves a checklist of immediate actions, but there are also long-term solutions to consider.
While these will differ from company to company, they should always include these elements: timely notification, stopping the attack, assessing the damage, recovering any missing data or functionality, determining and removing the reason the attack was successful, and preventing it from happening again.

- Everyone also gets around to the 'identify the hacker' issue, assuming there is one. The FBI says that at least 80% of our cyber threat comes from our own employees, and yet we tend to assume it's some hacker out there in anonymous cyberspace because we'd rather not think it was somebody we work with. If you are serious about finding the hacker and taking administrative and/or legal action, you should call in a professional team of forensic investigators from the local or state police, the FBI, or a commercial firm that specializes in this kind of mission (including ISS). HR and legal counsel need to be involved in this line of inquiry from the outset.

- You should have a recovery plan, either as part of your incident response plan or as a separate document, that addresses how often you back up information critical to business continuity, where it is stored, and how to access it when needed. The physical security of your storage site, and who can access it both physically and virtually, should also be very carefully addressed.

- The end of this trail is the acquisition of special insurance that covers the loss of information systems and the data associated with them.
-------------------------------------
Attack Signatures - global IDS, midnight - midnight, previous day, % of total
-------------------------------------
Unauth Access Attempts    42.98%
Protocol Decode           25.13%
Denial Of Service         23.96%
Suspicious Activity       04.76%
Pre-Attack Probe          03.17%
Back Doors                00.00%

-------------------------------------
Top Ten Destination Ports - global IDS, midnight - midnight, previous day, % of top ten
(port assignments found at <http://www.iana.org/assignments/port-numbers>)
-------------------------------------
80    (http)          89.72%
25    (smtp)          04.10%
21    (ftp)           03.78%
443   (https)         00.98%
12754 (unassigned)    00.40%
139   (netbios-ss)    00.24%
15104 (unassigned)    00.21%
6723  (unassigned)    00.20%
69    (tftp)          00.19%
143   (imap)          00.18%

---------------------------------------
VIRUS, VULNERABILITY, NEWS UPDATES
---------------------------------------

- Visit <http://www.iss.net> under 'Global Internet Threat Intelligence Service'.

- According to Sophos <http://www.sophos.com/virusinfo/topten/>, the top ten viruses in September 2001 were:

 1. Nimda-A       71.2%
 2. Sircam-A      11.4%
 3. Magistr-A     03.7%
 4. Magistr-B     03.0%
 5. Hybris-B      01.5%
 6. Apology-B     00.7%
 7. VBS/Kakworm   00.7%
 8. Floss         00.7%
 9. Bymer-A       00.5%
10. Badtrans-A    00.4%

---------------------------------------
Defacement Watch
---------------------------------------

- Alldas.de stats show that since April 2000, the most defaced OS is Windows, with a total of 15,174 defacements reported, 65% of the total. Linux is a distant second with 3,936 defacements, 17% of the total.

- Alldas reports 102 sites defaced yesterday. This is roughly twice as many as the recent norm. Details can be seen at <http://www.alldas.de> under 'current month'.

- A spot check of yesterday's defacements shows little political content, and the targets continue to show no real pattern other than that they run a vulnerable OS. There was no apparent relationship between the targets and the defacement messages.
---------------------------------------
NOTES, COPYRIGHT NOTICE, and DISCLAIMER
---------------------------------------

NOTE 1: Our web site has this information in a more attractive format, with graphics, available to the public at no cost at www.iss.net <http://www.iss.net> under 'Global Internet Threat Intelligence Service'. Screen captures (Control/PrtSc) of the site's pages dropped into PowerPoint can be an effective way to communicate various aspects of the Internet threat, e.g. the graph depicting 'AlertCon Trends'.

NOTE 2: We provide this information on Internet threat metrics, viruses, vulnerabilities, patches, and breaking news, in the spirit of PDD 63, to help security professionals wage the war against Internet threats more effectively. Information in this update is derived primarily from global, real-time, 24 x 7 IDS feeds, ISS X-Force R&D Team research, and professional liaison. Other sources as noted.

AlertCon 1 reflects the global, malicious, determined, 24 x 7 attacks experienced by all networks.
AlertCon 2 means increased vigilance/action recommended due to a specific threat or concern.
AlertCon 3 means increased attacks against specific targets or vulnerabilities on a scale that is unusually high; action required.
AlertCon 4 reflects an Internet emergency for a target or group of targets whose business continuity may depend on some sort of immediate, decisive action.

All summaries cover the 24 hours of the previous workday, GMT. Monday summaries may cover some weekend activity.

Copyright 2001 Internet Security Systems, Inc. Permission is granted for the redistribution of the Internet Threat Update electronically. It is not to be sold or edited in any way without express consent of ISS. Refer comments or questions to [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

Disclaimer: This information is subject to change without notice. Use of this information constitutes acceptance for use in an 'as is' condition.
There are no warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. No other use authorized. FOIA Exemption 4.

Dennis

Dennis Treece
Director, Global MSS Special Operations Group
Internet Security Systems (ISS)
6303 Barfield Road
Atlanta, Georgia 30328
404-236-4065
Cell 404-667-9345
Fax 404-236-2626
Internet Security Systems -- The Power to Protect
