Thursday, January 12, 2006

The need for IR training

This ComputerWorld article caught my eye this morning...I've done vulnerability assessments before, and I fully agree with all of these mistakes. They do, in fact, occur.

Each of the mistakes has earned it's rightful place in precedence. I started doing vulnerability scanning, commercially, in 1997. This has always included much more than simply running a scanning tool, but what occurred then continues today...we'd deliver our report, and most customers would thank us...and that was it. In some very few cases, some of the issues would be fixed, but mostly due to infrastructure changes, upgrades, etc.

The big one that jumps out at me know, though is number 5 - "Being unprepared for the unknown". To me, this is an issue of being prepared for incidents. The real world has all sorts of incident response capability. I've been on plains with rescue dogs that go to Washington, DC, once a year for testing...they'd been involved in the 9/11 search and rescue, and their condition is being tracked for any signs of health issues. We see cops and firefighters on the news. Ever hear of "smoke jumpers"? Heck, even the military is an "incident response capability" in and of itself.

So look around your IT shop right now. What's your incident response capability? If you're reading this, it's probably you. Are you prepared? How do you recognize or receive notification that an incident has occurred? Is it based on known signatures?

Are you prepared for zero-day exploits?

And don't think for an instant that you can't be prepared for these. I know what some of you are saying, that by definition, one can't be prepared for a "zero-day", because it isn't known. Well, I'm hear to tell're wrong. You're prepared if you know that not all malware processes appear in the Task Manager as "danger.exe" or "malware.exe". Do you know how to get more information about processes, about what's running on a system? Can you triage a system? Can you gather specific information from a system, so that you (or someone else) has a fairly complete snapshot of what's going on and can at least begin to figure out what's going on?

Here's another consideration...what do you watch at night? Are you a CSI fan? How about House? Watch a couple episodes of House and start thinking about how you'd perform a "differential diagnosis" of a system.

Looking at the ComputerWorld article one last time, I guess, in a way, my mind ties all of the mistakes back to training issues and misconceptions...chicken. Egg.


Anonymous said...

The unfortunate irony of this posting is that those who need it most won't be able to understand it. And they probably wouldn't care if they did, all they understand is "My computer done been broke, dadburnit!" Because, as you know, all technology nimrods are also hillbillies.

H. Carvey said...

Well, I can definitely see your perspective after visiting your blog. But I do believe that real live hillbillies will take offense at your comments. ;-)