Firewall Wizards mailing list archives
Re: .gov/.mil threat ID
From: "Paul D. Robertson" <proberts () clark net>
Date: Tue, 26 Jan 1999 22:23:47 -0500 (EST)
On Fri, 22 Jan 1999, AI mailer v .1 alpha wrote:
> I think the government and military may be the only organizations with the resources to respond to potential threats, but they still do not know how
Lots of commercial organizations respond to potential and actual threats and it happens every day. I'm not sure where you drew this conclusion from, but I don't accept it.
> to effectively respond, or even to decide which events their threat detection systems log should be responded to. Apparently someone sent a "small number of probes" to a .mil site spoofed from one of my computers' addresses a few weeks ago, and they were quite paranoid about it. If the government can log but doesn't have the resources to decide what to do
"The government" is a lot of departments with a lot of machines and a lot of administrators, just like everyone else. It's always a choice between what resources to spend on a negligible threat, whether it's people, money, or time. There are a lot of quite paranoid administrators out there, even in .com and .net. There are also a lot of .mil sites, some with more sensitive and critical missions than others. Just like in the commercial world, that means that the threat profile of the day, as well as the risk/reward ratio of the current operational level, dictates how to respond to what. Even then, it's always a matter of balancing the cost of dealing with an unsuccessful attempt against ignoring it, or making an example.
> with that potential threat information, what good would it do a company with a lot less resources? Or is the military just inept at their
It depends on the company's perception of the threat and what resources they want to use. For instance, if a criminal statute has been broken, then they can attempt to have most of the work done by the jurisdictionally correct government entity; if it's a civil law, or if a civil remedy seems more appropriate, then they can sic their lawyers on the offender. Sometimes they'll do both, and sometimes they'll decide it's not worth the expense.
> analysis?
Analysis varies from person to person, and even day to day in the same person. Most of us do what we can to analyze, categorize and profile threats, events, and risks. Sometimes we do well, sometimes we do badly, and it really doesn't make a lot of difference who our employers are when we do it. Everyone fights to get INFOSEC resources budgeted, clueful administrative staff, and cooperation. If you have 5 probes or attempts a day, it's a lot easier to respond to each one than if you get 5,000. Attempting to generalize the response of "the government" (pick your favorite country), "the military", "big corporations", "educational institutions" other than in the case of specific common policy issues is a losing game. I've seen good and bad responses from all the TLDs I've contacted or who have contacted me. In some cases, the original contact was a less-clueful individual responding to a perceived direct threat, and a follow-up conversation with someone else later took only two sentences. Just like anywhere else, .mil has people who will correctly escalate to a higher authority for an incident, and people who will take action themselves. Either case may be valid for a particular installation, unit, or system. I wouldn't expect all of my co-workers to do the same level of analysis that I do prior to making a call simply because they don't all have the same level of experience that I have. I also wouldn't expect them to make the same recommendations to the lawyers that I would if it turned out to be worth pursuing. I know it'd take them more time to decide that part of the process since it's not an easy and clearly-written policy decision, and they don't have a great deal of experience doing it. If you look closely at your own analysis of "spoofed packets", unless you've got traffic logs of all the packets, can you be totally sure it wasn't (a) a compromised host, or (b) a compromised service (such as an FTP bounce attack)?
If the victim takes the tack that you're more likely to be (a) or (b) than either (c) a malicious site or (d) a blind spoof, then shouldn't they take the time to think about what a reasonable response to your potentially inept administrative capabilities, or potentially buggy vendor code, would be? Heck, it'd be pretty trivial to make a probe *look* like a blind spoof, and even create "network logs" that don't show the traffic. Given that, and given no logging upstream of your host, what exactly do you think an administrator should do? If you were probing them, then you're probably going to stop now; if you were compromised, perhaps you'll look closely at your machines now (or at least start logging connection attempts); and if not, then they need to figure out how to proceed in such a way that any further attempts are met with the appropriate response. Unless an attacker has control of, or promiscuous access to, either their or your network, upstream, or a common exchange point, a completely blind spoof would seem to be unproductive, so I'd be extremely skeptical of that analysis without further evidence to the contrary. Since it's not that obvious where the packets originated, I'd expect someone to take some time figuring out if and how to respond. I certainly would - mostly because it takes a few days to get the lawyers to dig up all the prosecutorial options in each jurisdiction. Of course I'd have you filtered out while we were looking :) Maybe you don't have network problems (or don't notice them if you do), or maybe all of yours have been fairly easy to resolve. That's not true of every incident, and if it isn't cut and dried, it takes good policies, procedures, and most of all clue in the right places. Sometimes you have them, sometimes you don't.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net   which may have no basis whatsoever in fact."
PSB#9280
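The message's point that a probe complaint by itself cannot tell a compromised host, a compromised service (an FTP bounce) and a blind spoof apart unless the accused side kept full traffic logs, as an added example that is not part of the original post. The Python below takes a constructed complaint ("your address hit us at these times") and constructed egress log lines in a line format assumed for this example, correlates them within a clock-skew window, and labels each event with the explanation it is consistent with; the addresses, timestamps and the `OUT src:port -> dst:port proto` log format are all made up here.

```python
"""Triage a third-party probe complaint against local egress logs.

For each complained-about event, decide which of the four explanations in
the message it is consistent with:
  HOST         (a) the flow really left this network from a client port
  SERVICE      (b) it left this network from an FTP data/control port,
                   the signature of an FTP bounce through a local server
  SPOOF        (c)/(d) nothing matching left this network, which only
                   means something if egress logging was complete
  INCONCLUSIVE no match, but logging was incomplete for the period
All addresses and log lines are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Assumed egress log format: "<ISO8601Z> OUT <src>:<sport> -> <dst>:<dport> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) OUT (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

HOST = "originated here from a client port: treat host as possibly compromised"
SERVICE = "originated here from an FTP port: check the FTP server for bounce abuse"
SPOOF = "no matching egress flow in complete logs: consistent with spoofing or a remote source"
INCONCLUSIVE = "no matching egress flow, but egress logging was incomplete for this period"

FTP_PORTS = (20, 21)  # FTP data and control ports


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Complaint:
    ts: datetime  # remote side's timestamp, assumed UTC
    src: str      # the address they say probed them
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one egress log line; raise on anything outside the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Flow(ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"])


def triage(complaints, local_lines, logging_complete, window=timedelta(seconds=120)):
    """Return one verdict string per complaint, in order.

    `window` absorbs clock skew between the two sides; `logging_complete`
    is the admin's honest answer to "did we log every egress flow then?"
    """
    flows = [parse_flow(line) for line in local_lines]
    verdicts = []
    for c in complaints:
        matches = [
            f for f in flows
            if f.src == c.src and f.dst == c.dst and f.dport == c.dport
            and abs(f.ts - c.ts) <= window
        ]
        if matches:
            verdicts.append(SERVICE if any(f.sport in FTP_PORTS for f in matches) else HOST)
        elif logging_complete:
            verdicts.append(SPOOF)
        else:
            verdicts.append(INCONCLUSIVE)
    return verdicts


# Constructed sample data (documentation address ranges, invented times).
LOCAL_LOG = [
    "1999-01-05T03:12:07Z OUT 192.0.2.10:1034 -> 203.0.113.5:23 TCP",
    "1999-01-05T03:12:09Z OUT 192.0.2.10:20 -> 203.0.113.5:111 TCP",
    "1999-01-05T04:00:00Z OUT 192.0.2.10:1101 -> 198.51.100.7:80 TCP",
]
UTC = timezone.utc
COMPLAINTS = [
    Complaint(datetime(1999, 1, 5, 3, 12, 0, tzinfo=UTC), "192.0.2.10", "203.0.113.5", 23),
    Complaint(datetime(1999, 1, 5, 3, 12, 10, tzinfo=UTC), "192.0.2.10", "203.0.113.5", 111),
    Complaint(datetime(1999, 1, 5, 3, 13, 0, tzinfo=UTC), "192.0.2.10", "203.0.113.5", 79),
]

if __name__ == "__main__":
    for c, v in zip(COMPLAINTS, triage(COMPLAINTS, LOCAL_LOG, logging_complete=True)):
        print(f"{c.ts.isoformat()} -> {c.dst}:{c.dport}: {v}")
```

The third complaint is the interesting one: with complete logs it is the only event that looks like a spoof, and flipping `logging_complete` to `False` turns that same verdict into INCONCLUSIVE, which is the message's point about not trusting a "spoofed packets" conclusion drawn without full traffic logs.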