On Fri, Feb 21, 2003 at 12:21:04PM -0500, Sean Donelan wrote:
> On Fri, 21 Feb 2003, Martin Hannigan wrote:
>
> But what would you do with the information?

Let the NOC know what's up so they can be more vigilant based on the threat level.

> I'm not trying to be sarcastic, because lots of people have been going through these same conversations.

Not a problem.

> "Threat level" is different from an attack.

Pearl Harbor.

> Isn't your NOC normally vigilant? If the DHS lowered the threat level to "Green" would you stop monitoring your network just because the government says there is no more threat? Do you have more or fewer people on duty in your NOC as the government threat level goes up or down watching the big TV screens?

The NOC is always vigilant. Based on different threat levels I think it's prudent and realistic to examine different staffing strategies, different views of alarms and data, potentially different reactions, engaging LEAs on issues you may not normally engage on, etc. Example: DHS sets RED level. Reaction: Move some third level engineers into the SOC. Audit the DR plan if it's not on schedule to be audited. Audit the backup plans if not on schedule to be audited. Light the medium warm NOC to HOT NOC level.

> > Perhaps even use different sets of ACLs on the edge, etc. It could also be used to explain an unexpected surge in traffic, calls, or other things. Ever look at some traffic stats and see a major surge and want to make sure you understand why?
>
> Again wouldn't you also do all of these things "normally?" If an ACL is a good idea at "Orange" wouldn't you protect your network with those ACLs when the level is "Yellow." Or would you remove those ACLs when the threat level is reduced. How would you explain to your management when you are hacked at level "Yellow" you had better ACLs, but you only used the good ACLs at level "Orange."

I'd like to have a more standard application to risk analysis. As you know, security policy is always reviewed and risk analysis applied to determine how and what you are going to protect. Or not protect. I think these risk analyses are now affected by these "new" threats, or in a lot of cases, threats that no one really paid much attention to before.

> > I'd take it seriously and consider NBC as well as "cyberAttacks".
>
> Secretary Ridge has said to keep the plastic sheets and duct tape in storage. Don't start sealing your house (or NOC) yet. The FEMA/Red Cross preparedness recommendations are a good idea regardless of the alert level.

Secretary Ridge hasn't really established a credibility level. Not yet anyway. I respect what they are doing and understand they need time, but we all have businesses to run. If he says "Buy plastic and duct tape" I take that as he knows something we don't and it's reasonable to evaluate and re-apply the risk analysis. I have my duct tape and plastic, but haven't applied it to the windows.