Slashdot Mirror


NIST Releases Guide to Cyber Attacks

treerex writes "NIST (the US National Institute of Standards and Technology) has just released a 148 page report entitled Computer Security Incident Handling Guide (PDF). It covers the gamut, from setting up a response team to dealing with specific types of attacks: DoS, trojans, worms, malicious code, and unauthorized access. While written by a team from NIST and the contractor Booz-Allen Hamilton (BAH), they appear to have taken input from CERT and luminaries like Spafford. It is an interesting read."

12 of 126 comments

  1. Are these all the attacks? by ObviousGuy · · Score: 2, Interesting

    So we establish "standard procedures" to deal with a standard gamut of attacks. That's great.

    Are we so naive to believe that following such advice will make us secure?

    --
    I have been pwned because my /. password was too easy to guess.

    1. Re:Are these all the attacks? by Anonymous Coward · · Score: 1, Interesting
      Are we so naive to believe that following such advice will make us secure?

      If anything, everyone following the same practices and procedures when under attack will make us all less secure.

      "OK, I just hit him with a SYN flood. Now he's going to do XXXX."

    2. Re:Are these all the attacks? by mefus · · Score: 3, Interesting

      Are we so naive to believe that following such advice will make us secure?

      I don't think you could have read the article in the time it took to make your condemnation of its intentions.

      I see only good things coming out of this. Especially in comparison to the SOP up until now. There is no accepted standardized stance but what is (probably) being proposed in this document. Publishing this is a positive step in that direction. It appears (based on a cursory glance through the contents) to be focused on incident response, but in that direction also lies the experience to foresee future events, and taking the appropriate action to forestall them.

      --
      mefus
      In Open Society, GPL Software frees YOU!

    3. Re:Are these all the attacks? by wwest4 · · Score: 4, Interesting

      right on. currently, in the real world, if there is no procedure then things are only done if they are "business critical." most suits think that security events are unlikely, so that means security is low-prio. Most IT depts since the tech bubble popped are no longer autonomous. They are low on cash, low on available man-hours, and tied into caring more about the company's core business in terms of cash out, and risk management be damned. with an SOP, the cost and effort are easier to nail down, it's a slightly easier sell, and any sysadmin worth his salt will at least try to sneak some of it into the day-to-day.

      another thing - the idea that uniform SOP means that things will be easier to hack is pure bullshit - what would anyone recommend to the unwashed vulnerable? Maybe it would sound like this:

      - run only necessary services
      - audit and change your passwords
      - follow security news and patch accordingly
      - use virus protection
      - consider an IDS
      etc.

      sounds a hell of a lot like best practices / standard procedure to me. and NONE of that shit makes it "easier to hack." sheesh.

  2. Interesting! by dot-magnon · · Score: 5, Interesting

    This might be unnecessary for "professionals", people who know these things from before and work with it. But for the average sysadmin, this is just great! He/she could know how to:

    1. Find out what happened
    2. Close the breach
    3. Report the breach.

    If the sysadmin doesn't know how to do this, they also know where to seek help.

    I'll probably get messages back saying this is just dumb and generic, but it's better than not knowing anything at all. A lot better. All too few people know how to handle situations like this, and they will need somewhere to start.

    I'll give this thing a skim read (just read contents and some interesting paragraphs now) and get back to this ;)

    1. Re:Interesting! by dot-magnon · · Score: 2, Interesting

      Oh, and I forgot - policy creation. Too many networks out there have zero security policy or a very bad existing one. This leads to a series of opportunities for intruders, and if these basic flaws are closed, they've taken a big step forward in securing their networks.

  3. BAH? by J3zmund · · Score: 4, Interesting

    Not too long ago, they were in hot water with the US Navy for letting some websites get hacked by leaving the default admin passwords in place. No joke, my friends work there!

    --

    It's all Hood

  4. Re:Why? by ryanr · · Score: 2, Interesting

    I haven't been able to read the report yet, but the government often employs really smart people to produce some excellent information on information security, which they then ignore.

  5. Re:first post by Anonymous Coward · · Score: 1, Interesting

    It's good that they did this. It amazes me how many Fortune 500 IT departments still don't know how to buckle down and protect a system.

    Like when Microsoft's Brazil site was hacked :D

  6. Looks like the Democrats could do with reading it by myowntrueself · · Score: 2, Interesting
    --
    In the free world the media isn't government run; the government is media run.

  7. 7.2.2 INCIDENT PREVENTION by notetoi · · Score: 1, Interesting

    "... Consider limiting outbound connections that use encrypted protocols, such as SSH, HTTPS, IPsec. Permitting unnecessary encrypted connections may allow users to perform actions that security controls cannot monitor. For example, a user could establish a SSH connection to an external server and download illegal materials; because the connection is encrypted, network security controls would not determine the nature of the activity. Possible methods for limiting the traffic include firewall rulesets and URL filtering..."

    Who the hell wrote this crap?

  8. Limit outbound encrypted traffic? Damn straight! by Nonesuch · · Score: 4, Interesting
    "... Consider limiting outbound connections that use encrypted protocols, such as SSH, HTTPS, IPsec. Permitting unnecessary encrypted connections may allow users to perform actions that security controls cannot monitor. For example, a user could establish a SSH connection to an external server and download illegal materials; because the connection is encrypted, network security controls would not determine the nature of the activity. Possible methods for limiting the traffic include firewall rulesets and URL filtering..."

    Who the hell wrote this crap?

    Apparently, somebody who knows how smart slacker geeks get their porn, and wants to put a stop to it.

    No really, blocking SSH/ESP and tracking HTTPS is a reasonable suggestion -- if anything, I'd say the above doesn't go far enough. The excerpted paragraph doesn't mention the more serious risks of SSH (port forwarding, tunneling, etc).

    I'm not particularly worried about a smart internal user establishing an SSH session to the Internet and downloading "illegal materials",

    I'm worried about the airhead secretary who brings in a floppy provided by her uberhacker boyfriend, and runs a rootkit, setting up an outbound SSH session providing him with a command prompt on her workstation...

    That's just one risk of permitting outbound crypto channels...
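The egress check the two posts above argue about (block outbound SSH and IPsec from workstations, track HTTPS), written as a small detector over constructed firewall-log lines. This is an added example, not text from the NIST guide or from any commenter; the subnets, allowlist entry, log format and sample lines are all assumptions.

```python
"""Flag outbound encrypted sessions from a workstation subnet to external hosts.
Added example (not from the NIST guide); every address, subnet and log line
below is constructed for illustration."""
import ipaddress
import re

# Assumed address plan: one internal range, with workstations in a /16 of it.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
WORKSTATIONS = ipaddress.ip_network("10.20.0.0/16")
# Assumed allowlist of approved external destinations (dst, proto, dport),
# e.g. a partner's SFTP host that workstations may legitimately reach.
ALLOWED_DEST = {("203.0.113.10", "tcp", 22)}

# Protocol/port pairs whose payload a network monitor cannot inspect, and the
# policy the thread suggests for each: block SSH and IPsec, only track HTTPS.
ENCRYPTED = {("tcp", 22): ("ssh", "block"), ("tcp", 443): ("https", "track"),
             ("udp", 500): ("ike", "block"), ("udp", 4500): ("ike-nat-t", "block"),
             ("esp", 0): ("esp", "block")}

# Assumed key=value log style; dport is absent for ESP, which has no ports.
LINE_RE = re.compile(r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
                     r"(?: dport=(?P<dport>\d+))?")

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def classify(line):
    """Return (src, dst, name, action) for a policy-relevant line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto, src, dst = m["proto"].lower(), m["src"], m["dst"]
    dport = int(m["dport"]) if m["dport"] else 0
    hit = ENCRYPTED.get((proto, dport))
    if hit is None:                       # not an encrypted protocol we police
        return None
    if ipaddress.ip_address(src) not in WORKSTATIONS or is_internal(dst):
        return None                       # servers and internal traffic are out of scope
    if (dst, proto, dport) in ALLOWED_DEST:
        return None                       # explicitly approved destination
    return (src, dst) + hit

def find_suspicious(lines):
    return [hit for hit in (classify(l) for l in lines) if hit]

SAMPLE = [  # constructed log lines
    "proto=TCP src=10.20.5.7 dst=198.51.100.44 dport=22",   # outbound SSH: block
    "proto=TCP src=10.20.5.7 dst=203.0.113.10 dport=22",    # allowlisted SFTP host
    "proto=TCP src=10.20.5.9 dst=10.30.1.2 dport=22",       # internal SSH: ignore
    "proto=UDP src=10.20.7.1 dst=198.51.100.9 dport=500",   # IKE to the Internet: block
    "proto=ESP src=10.20.7.1 dst=198.51.100.9",             # ESP tunnel: block
    "proto=TCP src=10.20.5.9 dst=198.51.100.80 dport=443",  # HTTPS: track only
    "proto=TCP src=10.20.5.9 dst=198.51.100.80 dport=80",   # plain HTTP: ignore
]
```

Running `find_suspicious(SAMPLE)` yields the four flagged sessions with their block/track action; the same rules map directly onto an egress firewall ruleset that denies TCP/22, UDP/500, UDP/4500 and ESP from the workstation subnet except to allowlisted hosts.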