Security Basics mailing list archives
Re: When an incident has really happened.
From: aaa () bbb com
Date: Tue, 19 May 2009 18:33:54 -0600
I like Aaron's answer. To expand on it, your security experts have to sit down and define & document all of the known (for your systems) symptoms of attacks. Then train your frontline helpdesk staff (and networking experts, server experts etc.) to treat everything as a potential breach until they can diagnose a cause. When an attack is identified, then they should be taught to escalate it to the appropriate security resource.

As for reporting, everything that is treated as a potential or actual attack should be categorized, tallied and periodically (monthly, quarterly, semi-annually, whatever fits your organization best) reported to senior management. The report would include attacks averted by security processes, ie:

- anti-malware software scanning of desktops and servers found and treated x thousands of infections
- firewall was pinged/scanned x million times
- x million spam was blocked from inboxes vs 1/x valid emails allowed in
- x attempts to inappropriately move sensitive data were blocked, ie email unencrypted sensitive data, store unencrypted sensitive data on USB or laptops
- "umpteen" invalid wireless (wifi) connection attempts were blocked
- NAC blocked x hundreds of connection attempts by unauthorized users/machines
- NAC downloaded x thousands of security updates/patches before allowing authorized connections
- any other relevant numbers you can easily aggregate and report

The idea is to provide senior management with regular brief reports that they can easily understand that validate security expenses on an ongoing basis. That way when it comes time to cut/increase budgets they can't say "what have you done for me lately", because you've kept them up to date on a regular basis.
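The triage-and-tally workflow the post describes (a documented symptom catalogue, frontline staff treating a ticket as a potential breach until a cause is diagnosed, escalation once an attack is identified, and a periodic roll-up for management) can be sketched as a small script. This is an added example, not code from the poster or the list; the symptom catalogue, the ticket fields, the quarterly period and the sample tickets are all constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical symptom catalogue: the "known symptoms of attacks" the post says
# security staff should define and document. Keys are phrases the helpdesk might
# see in a ticket; values are the attack category they indicate.
SYMPTOM_CATALOGUE = {
    "antivirus alert": "malware",
    "quarantined": "malware",
    "password reset loop": "credential-abuse",
    "locked out": "credential-abuse",
    "usb blocked": "data-exfil-attempt",
    "nac denied": "unauthorized-device",
}


@dataclass
class Ticket:
    opened: date
    text: str
    diagnosed_cause: Optional[str] = None  # None = frontline has not diagnosed it yet


def classify(ticket: Ticket) -> str:
    """Match the ticket text against the catalogue; 'unclassified' if nothing matches."""
    text = ticket.text.lower()
    for phrase, category in SYMPTOM_CATALOGUE.items():
        if phrase in text:
            return category
    return "unclassified"


def triage(ticket: Ticket) -> str:
    """Frontline rule from the post: treat the ticket as a potential breach until a
    cause is diagnosed; once an attack is identified, escalate it to security."""
    if ticket.diagnosed_cause == "benign":
        return "benign"
    category = classify(ticket)
    if ticket.diagnosed_cause == "attack" or category != "unclassified":
        return "escalate:" + category
    return "potential-breach"  # stays open until someone diagnoses a cause


def period(d: date) -> str:
    """Reporting period label; quarterly here, use whatever fits the organization."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def tally(tickets: List[Ticket]) -> Dict[str, Counter]:
    """Count triage outcomes per reporting period."""
    counts: Dict[str, Counter] = {}
    for t in tickets:
        counts.setdefault(period(t.opened), Counter())[triage(t)] += 1
    return counts


def summarize(tickets: List[Ticket]) -> Dict[str, dict]:
    """Per-period numbers in the shape a brief management report needs."""
    report = {}
    for label, counter in sorted(tally(tickets).items()):
        escalated = {k.split(":", 1)[1]: v for k, v in counter.items() if k.startswith("escalate:")}
        report[label] = {
            "escalated": sum(escalated.values()),
            "by_category": escalated,
            "still_potential": counter.get("potential-breach", 0),
            "benign": counter.get("benign", 0),
        }
    return report


def render(report: Dict[str, dict]) -> str:
    """One line per period, readable without security background."""
    lines = []
    for label, r in report.items():
        breakdown = ", ".join(f"{c}={n}" for c, n in sorted(r["by_category"].items()))
        lines.append(f"{label}: escalated={r['escalated']} ({breakdown}); "
                     f"undiagnosed={r['still_potential']}; benign={r['benign']}")
    return "\n".join(lines)


# Constructed sample tickets, not from any real helpdesk.
SAMPLE_TICKETS = [
    Ticket(date(2009, 4, 2), "Antivirus alert on workstation, file quarantined", "attack"),
    Ticket(date(2009, 4, 15), "User locked out after password reset loop"),
    Ticket(date(2009, 5, 3), "Printer offline on 3rd floor", "benign"),
    Ticket(date(2009, 5, 10), "Strange pop-ups on laptop"),
    Ticket(date(2009, 7, 1), "NAC denied connection from unregistered laptop"),
]

if __name__ == "__main__":
    print(render(summarize(SAMPLE_TICKETS)))
```

The "undiagnosed" count is the useful management number the post hints at: tickets that matched no documented symptom and were never closed as benign are exactly the ones that need either a diagnosis or a new catalogue entry, so a growing figure there is a signal that the symptom list is out of date.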
Current thread:
- When an incident has really happened. Curt Shaffer (May 19)
- Re: When an incident has really happened. Aarón Mizrachi (May 19)
- <Possible follow-ups>
- Re: When an incident has really happened. aaa (May 20)