Slashdot Mirror


NIST Releases Guide to Cyber Attacks

treerex writes "NIST (the US National Institute of Standards and Technology) has just released a 148 page report entitled Computer Security Incident Handling Guide (PDF). It covers the gamut, from setting up a response team to dealing with specific types of attacks: DoS, trojans, worms, malicious code, and unauthorized access. While written by a team from NIST and the contractor Booz-Allen Hamilton (BAH), they appear to have taken input from CERT and luminaries like Spafford. It is an interesting read."

19 of 126 comments

  1. Re:Are these all the attacks? by ElGnomo · · Score: 5, Insightful

    I would think that if the majority of people did something so simple as to patch their machines, worms would pose half the threat they do now. So, yes, education is a simple but effective measure to combat security exploits.

  2. Interesting! by dot-magnon · · Score: 5, Interesting

    This might be unnecessary for "professionals", people who know these things from before and work with it. But for the average sysadmin, this is just great! He/she could know how to:

    1. Find out what happened
    2. Close the breach
    3. Report the breach.

    If the sysadmin doesn't know how to do this, they also know where to seek help.

    I'll probably get messages back saying this is just dumb and generic, but it's better than not knowing anything at all. A lot better. All too few people know how to handle situations like this, and they will need somewhere to start.

    I'll give this thing a skim read (just read contents and some interesting paragraphs now) and get back to this ;)

    1. Re:Interesting! by randyest · · Score: 4, Informative

      As you will no doubt glean if you read the document completely, there are a lot of "Oh, and I forgot"'s in order -- that's why they made the doc and, presumably, why it's posted here. So, please hold the preemptive (and thus incomplete) summary. It's useful info for us all to read.

      Then again, looks like all the other threads below are mired in conversations about nukes, Amerika-bashing, and other off-topic stuff, so at least you're on topic.

      --
      everything in moderation
    2. Re:Interesting! by zensufi · · Score: 3, Insightful

      Exactly! It's like U.S. Army Manuals. They are very bland, general procedures for any platoon to follow to do things that a Green Beret team could do fluidly and efficiently without even thinking about it. They aren't written for the elite though, they are written for the common man.

      "What are the basic things I should do in this particular situation?"

      The idea is to write something that someone of an IQ of 100 can understand and implement without causing too many problems. Someone in another thread made a comment about how this might cause increased security risk because people will know the defenses against any possible attack. This is obviously not true. Any cracker will know anyway what the basic defenses are, and a good system admin will be flexible enough that this will not be a problem.

      --
      I have two eyes, I have two feet.
  3. IJDE by Anonymous Coward · · Score: 5, Informative

    The International Journal of Digital Evidence is also worth keeping up with, if this type of stuff interests you.

  4. Re:Are these all the attacks? by mefus · · Score: 3, Interesting

    Are we so naive to believe that following such advice will make us secure?

    I don't think you could have read the article in the time it took to make your condemnation of its intentions.

    I see only good things coming out of this. Especially in comparison to the SOP up until now. There is no accepted standardized stance but what is (probably) being proposed in this document. Publishing this is a positive step in that direction. It appears (based on a cursory glance through the contents) to be focused on incident response, but in that direction also lies the experience to foresee future events, and taking the appropriate action to forestall them.

    --
    mefus
    In Open Society, GPL Software frees YOU!
  5. Gleam Something From This by munch0wnsy0u · · Score: 5, Insightful

    Beyond the typical vapid governmental reports, this is a step in the right direction. Anything to create a buzz around security, especially computer security, will serve the public well. This is what needs to happen: standardization. The government has done a commendable job in creating standards for dealing with national security - why not extend that to computer security. All these posts that do nothing to note the fact that this is a good thing don't see past the .gov TLD

  6. BAH? by J3zmund · · Score: 4, Interesting

    Not too long ago, they were in hot water with the US Navy for letting some websites get hacked by leaving the default admin passwords in place. No joke, my friends work there!

    --

    It's all Hood
  7. Re:Are these all the attacks? by Davak · · Score: 5, Funny

    They also have a 1-800 number.

    Thank you for calling the US National Institute of Standards and Technology Security Hotline.

    Please say "HOLA" now if you espanol...

    Otherwise please select one of the following selections dealing with your security problem.

    Press 1 if you have suffered a DOS attack
    Press 2 if your network has been infected with a worm
    Press 3 if your site is being slashdotted
    Press 4 if 13 year olds have defaced your web site
    Press 5 if you are running windows as your server

    Press 666 if you are a missile silo control room and have realized that someone has gained root or administrative access on your control system

    Have a nice day.

  8. No...It's FOR federal agencies by waferhead · · Score: 4, Informative

    The fact that the guvmint machines are the easy targets is apparently the point.

    This is for federal agency use, and anyone else's.

    This also effectively says "You WILL do it like this" to the federal agencies.

    There will be a quiz.

  9. Corporate Incident Response Checklist by Jonathan+Quince · · Score: 5, Funny

    Guide for Sysadmins: Upon learning that your systems have been penetrated, proper incident response is as follows:

    1. Scream. Hold head between hands and moan.
    2. Check passport, one-way tickets to South American country of choice. Express relief that the emergency escape kit is still operational.
    3. Remember advising boss to rescind departmental policy of secure sticky-note-on-the-monitor storage for passwords. Recall boss' gales of laughter in response. Take hefty swig of Jack Daniel's.
    4. Remember advising boss to please not open random e-mail attachments. Recall boss' blank stare in response. Suck on barrel of .357 revolver for 5 minutes or until sufficiently calmed down.
    5. Remember pleading with boss to allow filtering executable attachments. Recall boss' response. Almost pull trigger.
    6. Resist urge to yank server out of rack and dump out ninth-story window.
    7. Advise boss of break-in. This starts the long chain of blame-passing that ends when the CEO sacks 5 random people in middle management and below.
    8. Sit back and watch the spin machine start the vital post-incident response protocol of figuring out who might know what happened and silencing them.
    9. ???
    10. Profit!
    --
    Microsoft Windows is, fittingly, the official Desktop OS of Olig
  10. Does it say... by Black+Parrot · · Score: 5, Funny

    ...what to do in case of a Slashdotting?

    --
    Sheesh, evil *and* a jerk. -- Jade
  11. Re:Are these all the attacks? by wwest4 · · Score: 4, Interesting

    right on. currently, in the real world, if there is no procedure then things are only done if they are "business critical." most suits think that security events are unlikely, so that means security is low-prio. Most IT depts since the tech bubble popped are no longer autonomous. They are low on cash, low on available man-hours, and tied into caring more about the company's core business in terms of cash out, and risk management be damned. with an SOP, the cost and effort are easier to nail down, it's a slightly easier sell, and any sysadmin worth his salt will at least try to sneak some of it into the day-to-day.

    another thing - the idea that uniform SOP means that things will be easier to hack is pure bullshit - what would anyone recommend to the unwashed vulnerable? Maybe it would sound like this:

    - run only necessary services
    - audit and change your passwords
    - follow security news and patch accordingly
    - use virus protection
    - consider an IDS
    etc.

    sounds a hell of a lot like best practices / standard procedure to me. and NONE of that shit makes it "easier to hack." sheesh.

  12. Text Version by Hal+The+Computer · · Score: 3, Informative

    You're going to need a text editor that supports lines longer than 80 characters, but if you have one, I've made a decent zipped text file from the PDF for people with slow connections. As always NO WARRANTY WHATSOEVER.
    Computer Security Incident Handling Guide.zip (113K) (zipped text file)

    --

    int main(void){int x=01232;while(malloc(x));return x;}
  13. A good idea by unstable23 · · Score: 5, Insightful

    I think it's actually a good use of taxpayer money, which is the first time that I've said that in public.

    If nothing else, it provides a good framework to start from, especially small companies/non-profits etc, where they don't have the resources to hire a full-time crack security team. This helps them set priorities and useful business things like that.

    I'm really quite surprised people are being negative about it.

  14. Why is it? by treerex · · Score: 4, Insightful

    I don't understand why people immediately dismiss a report coming from NIST as being worthless USG noise while many of the same "arguments" against this paper could be made against books like Incident Response: Investigating Computer Crime or Counter Attack or any of the other n+1 books on this topic that exist.

    Harumph.

  15. Re:Are these all the attacks? by Flower · · Score: 3, Insightful

    Wow! Who would ever think that there should be a methodology for dealing with security incidents? We should all just run around and do our own thing and, of course, the problem will be resolved. And when we catch the guy, our lack of methodology will ensure that any evidence we acquire will be usable in court.

    I'm just going to leave it at that. Anything else is just going to be a derogatory rant. IHBT HAND

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
  16. Speaking of Spafford.... by securitas · · Score: 3, Informative

    ... Here's an interview with Gene Spafford in two parts that outlines a lot of the issues that he's concerned with. It provides some background and insights into some of the thinking behind the guide. I found his views on the purpose of security technology especially interesting and somewhat unexpected. The same goes for his indirect criticism of Microsoft.

    Description courtesy of Bruce Schneier's Crypto-gram:

    Long and interesting interview with Gene Spafford, about the infosec threat landscape; privacy; the challenges of digital certificates, CRLs, public key infrastructure standards and interoperability; key escrow, backup and recovery; identity fraud; trust on the Internet; and the problems of security education today. Sample quote: "Security doesn't work as an add-on. It really needs to be built-in from the beginning."
  17. Limit outbound encrypted traffic? Damn straight! by Nonesuch · · Score: 4, Interesting

    "... Consider limiting outbound connections that use encrypted protocols, such as SSH, HTTPS, IPsec. Permitting unnecessary encrypted connections may allow users to perform actions that security controls cannot monitor. For example, a user could establish an SSH connection to an external server and download illegal materials; because the connection is encrypted, network security controls would not determine the nature of the activity. Possible methods for limiting the traffic include firewall rulesets and URL filtering..."

    Who the hell wrote this crap?

    Apparently, somebody who knows how smart slacker geeks get their porn, and wants to put a stop to it.

    No really, blocking SSH/ESP and tracking HTTPS is a reasonable suggestion -- if anything, I'd say the above doesn't go far enough. The excerpted paragraph doesn't mention the more serious risks of SSH (port forwarding, tunneling, etc).

    I'm not particularly worried about a smart internal user establishing an SSH session to the Internet and downloading "illegal materials",

    I'm worried about the airhead secretary who brings in a floppy provided by her uberhacker boyfriend, and runs a rootkit, setting up an outbound SSH session providing him with a command prompt on her workstation...

    That's just one risk of permitting outbound crypto channels...
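The guide excerpt and the comment above describe a policy (limit outbound SSH, HTTPS and IPsec to approved destinations) and a failure mode (a workstation opening an outbound SSH channel to an external host). The following is an added example, not from the post or the NIST guide, of the audit side of that policy: it checks constructed outbound-connection log lines against a hypothetical allowlist and flags encrypted channels the policy does not permit. The log format, the 10.20.0.0/16 internal range, the sample addresses and the allowlists are all assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed sample log lines (not from any real firewall):
# timestamp src_ip dst_ip proto dst_port
SAMPLE_LOG = """\
2024-05-01T09:01:12 10.20.4.17 203.0.113.10 tcp 443
2024-05-01T09:02:40 10.20.4.17 198.51.100.77 tcp 22
2024-05-01T09:03:05 10.20.9.3 10.20.0.5 tcp 22
2024-05-01T09:04:50 10.20.7.21 192.0.2.44 esp 0
2024-05-01T09:05:13 10.20.1.8 203.0.113.10 tcp 443
2024-05-01T09:06:02 10.20.4.17 198.51.100.77 tcp 80
"""

INTERNAL = ipaddress.ip_network("10.20.0.0/16")          # hypothetical internal range
# Hypothetical policy: which encrypted protocols may leave the network, and to where.
ALLOWED_HTTPS_DESTS = {ipaddress.ip_address("203.0.113.10")}  # one sanctioned external host
ALLOWED_SSH_DESTS = set()                                      # no external SSH at all
ENCRYPTED = {("tcp", 22): "ssh", ("tcp", 443): "https",
             ("esp", 0): "ipsec-esp", ("udp", 500): "ipsec-ike"}

Event = namedtuple("Event", "ts src dst proto port")

def parse(line):
    ts, src, dst, proto, port = line.split()
    return Event(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(port))

def classify(ev):
    """Return a finding for a policy-violating outbound encrypted connection, else None."""
    if ev.src not in INTERNAL or ev.dst in INTERNAL:
        return None                      # only internal -> external traffic is in scope
    kind = ENCRYPTED.get((ev.proto, ev.port))
    if kind is None:
        return None                      # cleartext: existing controls can inspect it
    if kind == "https" and ev.dst in ALLOWED_HTTPS_DESTS:
        return None
    if kind == "ssh" and ev.dst in ALLOWED_SSH_DESTS:
        return None
    return f"{ev.ts} {ev.src} -> {ev.dst} {kind}: unapproved outbound encrypted channel"

def audit(log_text):
    """Run every non-empty log line through classify() and keep the findings."""
    events = (parse(l) for l in log_text.splitlines() if l.strip())
    return [f for f in map(classify, events) if f]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On the sample, the SSH connection from 10.20.4.17 and the ESP traffic from 10.20.7.21 are reported; the HTTPS connections to the sanctioned host, the internal SSH session and the cleartext HTTP request are not.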