Congratulations, you've graduated. More seriously, our culture does us a disservice through the schooling process. Classes are great when the amount you have to learn is the majority of what can be taught in a classroom format (I suspect the magic number is 80%). However, once you've accumulated enough baseline knowledge, the mode fails dramatically. In this case, there is no class that will solve your problem, as your knowledge gaps are unique to you. At this point, the best way to learn is experimentation, sharing your thoughts with others and a willingness to be wrong (and have it pointed out to you in public forums).
I recognize, of course, that this is not directly helpful, so to address your current concern, consider the following workflow:

1) Is this truly the most critical issue on which you should focus?
   * I've found that I can do more good in an organization addressing patch management and workstation/server hardening than chasing packets down rabbit trails. This will depend, of course, on your specific environment and key skillset.

2) If it is the most critical, consider what the alert could be indicating. Decide if it truly is critical.
   * IP spoofing against your VOIP system could be part of a social engineering attack, a "free international call" attack, harvesting information from voicemails, etc... look for secondary indicators.
   * Port scan detection can include true port scans or can be an external app negotiating for a control or data channel. Do you need control/data channels to those sources? If not, kill the source and forget about it.

3) If you have to dig deeper (or just want to), review the actual packets. If you're weak on this, play with the free PCAPs at http://wiki.wireshark.org/SampleCaptures/ .
   * Packet reading is a high-learning-curve activity. Whether it makes sense to build that skill depends on how easy it is for you and how interesting you find it. Personally, I'm stronger in other areas, so I focus there.

Remember, most organizations select "best" practices and then implement them as poorly as possible. If you are the one and only admin in your organization, it is very likely that you should not be spending your time on these sorts of activities. (I have an entire presentation on why this is the case, but this is not the forum for such a rant.) Go back to point 1 several times a day to decide if this is what truly matters. Odds are that you'd be better served by finding ways to automate your daily, weekly or monthly tasks, communicating your concerns to nontechnical people and focusing on centralizing data management.
Most smaller organizations often have so many ways for malicious people (inside or outside) to interfere with operations or steal data that network-based attacks are lower on the attacker's priority list. Build defenses and indicator traps along the most likely threat vectors and monitor those. Once you have reasonable certainty that they are clean, expand your program. If you learn anything new as you do this, share it with others.

-Josh More

On Thu, Aug 9, 2012 at 9:26 PM, Shaun Curry <[email protected]> wrote:
> Hello everyone!
>
> I have a difficult issue… I am sys admin and the one and only IT person for a
> small organization. I have attended SANS courses and have listened to
> pauldotcom for years now. I have been learning a lot in the area of network
> security, but I need to fill a crucial gap in my knowledge.
>
> Here’s the scenario:
>
> I review my logs daily and started noticing some strange things. For
> example, an “IP Spoof” with an internal IP address talking to my VOIP
> server. I see port scans coming from a Facebook domain that are obviously
> apps.
>
> I see things that alarm me; however, I don’t know how to verify the validity
> of what I’m seeing. I know that sometimes you can get false positives and
> sometimes an all-in-one IDS/IPS/Firewall can get it wrong. I’m feeling a
> bit lost! I know that I can expect port scanning and I tend to ignore it.
> But some of the other things I’m seeing just leave me very nervous…
>
> I’m doing my best and as far as I can tell it’s been working well, but there
> has to be a good training course or two that I can take that will teach me
> how to identify this stuff quicker and more easily.
>
> Do you just learn this stuff as you go? Is experience the key?
>
> If anyone has advice I’d appreciate it! I can’t be the first or only person
> to reach this point….
>
> Thanks!
> Shaun Curry
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
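A small triage helper for the two alert types Shaun describes and Josh's point 2: an "IP spoof" (a source claiming an internal address that arrived on the outside interface) and separating a true port scan from an external source you have already decided you need a control/data channel with. This is an added example, not code from the thread; the key=value log format, the address ranges and the expected-peer list are assumptions constructed for it.

```python
import ipaddress
from collections import defaultdict

# Assumed internal ranges (placeholders for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Assumed: external sources you have decided you actually need a control/data channel with.
EXPECTED_PEERS = {"203.0.113.7"}

# Constructed log lines in a made-up "key=value" firewall format (not a real product's format).
SAMPLE_LOG = [
    "iface=wan src=192.168.1.50 dst=10.0.5.20 dport=5060",   # internal source arriving on WAN
    "iface=lan src=192.168.1.51 dst=10.0.5.20 dport=5060",   # ordinary internal phone
    "iface=wan src=198.51.100.9 dst=10.0.5.20 dport=5060",
    "iface=wan src=198.51.100.9 dst=10.0.5.20 dport=5061",
    "iface=wan src=198.51.100.9 dst=10.0.5.20 dport=22",
    "iface=wan src=198.51.100.9 dst=10.0.5.20 dport=80",
    "iface=wan src=198.51.100.9 dst=10.0.5.20 dport=443",    # 5 distinct ports: scan candidate
    "iface=wan src=203.0.113.7 dst=10.0.5.20 dport=10000",
    "iface=wan src=203.0.113.7 dst=10.0.5.20 dport=10001",
    "iface=wan src=203.0.113.7 dst=10.0.5.20 dport=10002",
    "iface=wan src=203.0.113.7 dst=10.0.5.20 dport=10003",
    "iface=wan src=203.0.113.7 dst=10.0.5.20 dport=10004",   # expected peer negotiating channels
]

def parse(line):
    """Split one 'key=value' log line into (iface, src, dst, dport)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["iface"], fields["src"], fields["dst"], int(fields["dport"])

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def spoofed_internal_sources(lines):
    """Sources claiming an internal address that arrived on the WAN interface.
    A real internal host cannot enter from the WAN side, so this is a genuine
    indicator rather than a false positive to ignore."""
    return sorted({src for iface, src, _, _ in map(parse, lines)
                   if iface == "wan" and is_internal(src)})

def port_scan_candidates(lines, threshold=5, allow=EXPECTED_PEERS):
    """(src, dst) pairs touching >= threshold distinct ports, minus sources you
    already need channels with (the 'app negotiating a data channel' case).
    Returns {pair: distinct_port_count}."""
    ports = defaultdict(set)
    for _, src, dst, dport in map(parse, lines):
        ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items()
            if len(p) >= threshold and pair[0] not in allow}
```

Run the two functions over your own exported log lines once you have mapped the real field names onto `parse`; the expected-peer set is the "do you need channels to those sources?" decision written down.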
