
FW: ISS Security Alert v.2



I don't know how many of you are on the ISS mailing list - the information
seemed quite good.

=================================
Sarbari Gupta
CygnaCom Solutions
(703)848-0883 (voice)
(703)848-0960(FAX)
sgupta@cygnacom.com
=================================

-----Original Message-----
From: David Gerulski [mailto:dcg@iss.net] 
Sent: Wednesday, February 09, 2000 6:12 PM
To: customerconnect@iss.net
Subject: ISS Security Alert v.2



TO UNSUBSCRIBE: email "unsubscribe customerconnect" in the body of your
message to MAJORDOMO@ISS.NET.  Contact customerconnect-owner@iss.net for
help with any problems!
---------------------------------------------------------------------------

Dear ISS Customer Connect Recipient,

Recent Internet attacks have targeted a number of high-profile Internet
sites such as Yahoo!, Buy.com, eBay, Amazon and CNN Interactive.  These
attacks are "Denial-Of-Service" attacks which are designed to bring down an
enterprise network or e-commerce site by flooding it with large amounts of
traffic, similar to hundreds of people repeatedly dialing a telephone number
to keep it busy.

While it is impossible to eliminate all risks from these attacks, Internet
Security Systems (ISS) recommends several steps that you should take if you
find your Internet site is under attack.  ISS also recommends several steps
that you can take before an incident to reduce the risk and possible impact
of these attacks.  

STEPS TO TAKE IF YOU ARE UNDER ATTACK:

*	Assemble an Incident Response Team
*	Get help from ISP and CERT
*	Involve Law Enforcement authorities
*	Monitor systems during the attack

DETAILS:

If you find yourself under attack, stay calm.  Here are 4 concrete steps you
can take to keep control of the situation:

1. Assemble an Incident Response Team.  This team should include senior
technical staff who can help formulate a plan of action, and should have
access to senior management who can authorize the action.  One key role of
this team is to have a contact person to coordinate with other organizations
(e.g. CERT, below) during the incident.

2. Get help.  Contact your Internet Service Provider (ISP) to inform them of
the attack.  It is possible that the ISP can take action to block the
attacks before they reach your computer systems.  Call the Computer
Emergency Response Team (CERT).  You can email them at cert@cert.org or fax
them pertinent information at +1 (412) 268-6989.  You can also contact ISS
at incidents@iss.net.  Include information about:

*	your name, telephone number, email address, and time zone 
*	the name and IP address of the system under attack, 
*	the apparent source of the attack (hostname or IP address)
*	a description of the attack (methods, tools, etc)

3. Contact Law Enforcement authorities to inform them of the incident.  You
may not be the only organization under attack, and they may be able to
provide technical assistance or contacts to help your response efforts.  You
can help the law enforcement efforts by collecting system log information
from target systems.  These logs may be important evidence that law
enforcement needs to take action; it is critical that this information be
collected and protected before it is accidentally (or deliberately) erased. 

4. Monitor important systems during the attack using intrusion detection
software or services.  This can help mitigate the attack, by discovering
actions that can be taken (e.g. installing security patches, expanding RAM
to help the OS to maintain performance during Denial-Of-Service attacks).
It can also help detect signs that this attack is more than a nuisance - for
example, that a Denial-Of-Service attack is a diversion intended to distract
your attention from an actual takeover of your systems.  In particular, if
other organizations are under a particular attack, check any of your systems
that might be similar for signs of that attack as well.

STEPS TO TAKE BEFORE AN ATTACK:

*	Identify and empower an Incident Response Team
*	Perform a security audit or risk assessment of critical systems to
	identify risks
*	Mitigate the risks discovered, by installing appropriate security
	software
*	Learn more about Internet security issues

DETAILS:

There are also several things that you can do before an attack that will
greatly improve your ability to respond to an incident:

1. Put together an Emergency Response Plan, and identify a team who will be
responsible for implementing it.  Ensure that the team has senior management
contact, and the necessary technical skills.  The ISS X-Force offers a great
deal of technical information useful for technical staff education at
http://xforce.iss.net/. If these skills are not available in-house, consider
outsourcing this from a company offering Emergency Response Services. ISS'
Emergency Response Services (ERS) are specifically geared to help companies
build and improve upon incident preparedness. This is achieved through
quarterly on site workshops with customers.  This service then helps ISS'
Emergency Response Team be more effective with its 24x7 service in the event
that the client comes under attack.  The Emergency Response Plan should
include an escalation policy, and you should educate your organization on
this policy.

2. Perform an audit of critical business systems, to identify possible
vulnerability to attack.  Take appropriate action to mitigate any identified
risks - for example, by ensuring the Operating System is up-to-date.  This
Security Assessment should include determining any dependencies (like ISPs
and Web hosting companies) and what their protection level is.  It should
also examine network design for security resilience to Denial-Of-Service
attack.  

3. Take action to mitigate risks that are discovered: for example, implement
proper security management infrastructure and applications. (e.g. Intrusion
Detection Systems, Vulnerability Scanning, Firewalls, VPNs, etc). Send
syslog information from your routers to an analysis machine to examine for
evidence of an attack.  Watch for attacks so that you can detect and
respond to them early.  The earlier you detect an incident, the earlier you
can respond to it.  

4. To learn more about Distributed Denial Of Service attacks or about
Internet security issues in general, read the latest ISS X-Force Security
Advisories at http://xforce.iss.net.  In particular, Advisory 43
http://xforce.iss.net/alerts/advise43.php3 discusses these attacks in great
detail.

INFORMATION FOR ISS CUSTOMERS:

On top of developing public security advisories, the ISS X-Force is always
researching and developing countermeasures within all of our ISS SAFEsuite
and ePatrol Managed Security Service solutions to help protect against
Denial-Of-Service attacks, especially from new, high-risk attacks such as
Tribe Flood Network and trin00.  ISS customers are advised to ensure that
ISS products are up-to-date: Internet Scanner, System Scanner, and
RealSecure have released updates to help reduce the risk of these attacks:

SAFEsuite Security Assessment
An Internet Scanner X-press Update is available from
https://www.iss.net/update/InternetScanner/XPressUpdate3_1.xpu

A System Scanner X-Press Update is available from
http://www.iss.net/support/flexchecks/sscanner.php

SAFEsuite Intrusion Detection
An updated version of RealSecure (version 3.2.1) is available from
https://www.iss.net/cgi-bin/download/release/custDown.cgi

For more information on Denial of Service Attacks and a host
of other topics, join us for ISS Connect 2000: International User
Group and Security Summit this March 19th - 24th.

http://connect.iss.net
1-800-416-8749

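Step 3 of the "under attack" list asks that system logs be collected and protected as evidence before they are accidentally or deliberately erased. The following is an added example of one way to do that, written for this page and not part of the ISS alert: each log is copied into an evidence directory, its size, mtime and SHA-256 are recorded in a JSON manifest, and the copies can be re-verified later. The demo() function builds its own constructed log files in a temporary directory; the file names, contents and the "ir-team" collector name are illustrative.

```python
"""Collect log files as evidence and fix their integrity with SHA-256.

Added example, not ISS code. Copies each log into an evidence directory,
writes a manifest of hashes, and can re-verify the copies. File names and
contents used by demo() are constructed for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_evidence(sources, evidence_dir, collector="ir-team"):
    """Copy each file in sources into evidence_dir and write a manifest.

    The hash of the ORIGINAL is taken before copying and the copy is checked
    against it, so a bad copy is caught immediately. Returns the manifest
    dict plus the hash of the manifest file itself, which should be written
    down out of band (notebook, separate host) since anyone who can rewrite
    the copies can rewrite the manifest too.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in sources:
        st = os.stat(src)
        original_hash = sha256_file(src)
        dest = os.path.join(evidence_dir, os.path.basename(src))
        if os.path.exists(dest):
            raise FileExistsError(f"refusing to overwrite evidence copy: {dest}")
        shutil.copy2(src, dest)  # copy2 preserves the original mtime
        if sha256_file(dest) != original_hash:
            raise RuntimeError(f"copy of {src} does not match original")
        os.chmod(dest, 0o444)  # read-only: stops accidents, not a determined attacker
        entries.append({
            "source": os.path.abspath(src),
            "copy": os.path.basename(dest),
            "size": st.st_size,
            "mtime": st.st_mtime,
            "sha256": original_hash,
        })
    manifest = {
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "collector": collector,
        "files": entries,
    }
    manifest_path = os.path.join(evidence_dir, MANIFEST_NAME)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    manifest["manifest_sha256"] = sha256_file(manifest_path)  # record this elsewhere
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash every copy listed in the manifest; return a list of (name, problem)."""
    with open(os.path.join(evidence_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["copy"])
        if not os.path.exists(path):
            problems.append((entry["copy"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["copy"], "hash mismatch"))
    return problems


def demo():
    """Constructed run: create two log files, collect, verify, tamper, verify again.

    Returns (number of files collected, problems before tampering,
    problems after tampering).
    """
    root = tempfile.mkdtemp(prefix="ddos-ir-")
    originals = []
    constructed = [
        ("messages", b"Feb  9 18:12:01 web1 kernel: possible SYN flooding on port 80\n"),
        ("router.log", b"Feb  9 18:12:03 edge-rtr1 list 101 denied tcp 203.0.113.5 -> 192.0.2.10\n"),
    ]
    for name, body in constructed:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(body)
        originals.append(path)
    evidence = os.path.join(root, "evidence")
    manifest = collect_evidence(originals, evidence)
    before = verify_evidence(evidence)
    # Simulate later alteration of one copy (log rotation, or an intruder).
    target = os.path.join(evidence, "messages")
    os.chmod(target, 0o644)
    with open(target, "ab") as f:
        f.write(b"tampered\n")
    after = verify_evidence(evidence)
    return len(manifest["files"]), before, after


if __name__ == "__main__":
    print(demo())
```

Run the collection from the attacked host to a separate machine or write-once media as early as possible, before rotation overwrites the logs; the manifest hash is the one value worth copying by hand, because it lets a later reviewer detect rewriting of the whole evidence directory, not just of an individual file.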