Security Basics mailing list archives

Re: When an incident has really happened.


From: aaa () bbb com
Date: Tue, 19 May 2009 18:33:54 -0600

I like Aaron's answer.  To expand on it, your security experts have to sit down and define & document all of the known 
(for your systems) symptoms of attacks.  Then train your frontline helpdesk staff (and networking experts, server 
experts etc.) to treat everything as a potential breach until they can diagnose a cause.  When an attack is identified, 
then they should be taught to escalate it to the appropriate security resource.

As for reporting, everything that is treated as a potential or actual attack should be categorized, tallied and 
periodically reported (monthly, quarterly, semi-annually, whatever fits your organization best) to senior management. The report 
would include attacks averted by security processes, i.e.:
- anti-malware software scanning of desktops and servers found and treated x thousand infections
- firewall was pinged/scanned x million times
- x million spam messages were blocked from inboxes vs 1/x valid emails allowed in
- x attempts to inappropriately move sensitive data were blocked, i.e. emailing unencrypted sensitive data, storing unencrypted 
sensitive data on USB or laptops
- "umpteen" invalid wireless (wifi) connection attempts were blocked
- NAC blocked x hundred connection attempts by unauthorized users/machines
- NAC downloaded x thousand security updates/patches before allowing authorized connections
- any other relevant numbers you can easily aggregate and report

The idea is to provide senior management with regular brief reports that they can easily understand that validate 
security expenses on an ongoing basis.  That way when it comes time to cut/increase budgets they can't say "what have 
you done for me lately", because you've kept them up to date on a regular basis.
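The categorize-and-tally step described in the post, as an added example that is not part of the original message: a small Python script that takes per-event records (timestamp, source, outcome), restricts them to one reporting period, counts outcomes per source, and renders the short bullet list a management report would carry. The event records, the source names (anti-malware, firewall, spam-filter, dlp, nac, helpdesk) and the outcome labels are constructed for this example; a real deployment would feed it from each tool's own logs or the helpdesk ticketing export.

```python
"""Tally security events into a periodic management summary.

Added example, not part of the original mailing-list post. The event
records, source names and outcome labels are constructed for this
example; a real deployment would feed it from the tools' own logs.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events: one record per detection/decision, as a
# helpdesk or SOC ticketing system might export them (UTC timestamps).
SAMPLE_EVENTS = [
    # (timestamp, source, outcome)
    ("2009-04-02T08:15:00", "anti-malware", "treated"),
    ("2009-04-03T11:40:00", "anti-malware", "treated"),
    ("2009-04-05T23:59:59", "firewall", "blocked"),
    ("2009-04-10T02:10:00", "firewall", "blocked"),
    ("2009-04-12T09:00:00", "spam-filter", "blocked"),
    ("2009-04-12T09:00:05", "spam-filter", "blocked"),
    ("2009-04-12T09:00:10", "spam-filter", "allowed"),
    ("2009-04-14T14:22:00", "dlp", "blocked"),
    ("2009-04-20T16:05:00", "nac", "blocked"),
    ("2009-04-21T07:30:00", "nac", "patched"),
    ("2009-04-25T18:45:00", "helpdesk", "escalated"),
    ("2009-05-01T00:00:00", "firewall", "blocked"),   # next period, excluded from April
    ("2009-03-31T23:59:59", "firewall", "blocked"),   # previous period, excluded from April
]


def parse_ts(text):
    """Parse the ISO-8601 timestamps used in the sample records as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def events_in_period(events, start, end):
    """Return events with start <= timestamp < end. The half-open interval
    guarantees no event is counted in two adjacent reports."""
    return [e for e in events if start <= parse_ts(e[0]) < end]


def tally(events):
    """Count outcomes per source: {source: Counter({outcome: n})}."""
    counts = defaultdict(Counter)
    for _ts, source, outcome in events:
        counts[source][outcome] += 1
    return counts


def blocked_vs_allowed(counts, source):
    """Return (blocked, allowed) for one source, e.g. spam blocked vs valid mail let through."""
    c = counts.get(source, Counter())
    return c["blocked"], c["allowed"]


def format_report(counts, label):
    """Render the tallies as the short bullet list management will actually read."""
    lines = [f"Security summary for {label}"]
    for source in sorted(counts):
        outcomes = ", ".join(f"{n} {o}" for o, n in sorted(counts[source].items()))
        lines.append(f"- {source}: {outcomes}")
    return lines


def monthly_report(events, year, month):
    """Build the report lines for one calendar month."""
    start = datetime(year, month, 1, tzinfo=timezone.utc)
    end = datetime(year + (month == 12), month % 12 + 1, 1, tzinfo=timezone.utc)
    counts = tally(events_in_period(events, start, end))
    return format_report(counts, f"{year}-{month:02d}")


if __name__ == "__main__":
    print("\n".join(monthly_report(SAMPLE_EVENTS, 2009, 4)))
```

Keeping the period boundary half-open and the bucketing separate from the rendering is what lets the same tallies be re-cut as monthly, quarterly or semi-annual reports without recounting; the spam blocked-vs-allowed pair comes straight out of the same counters.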


