On Fri, 21 Feb 2003, Martin Hannigan wrote:
But what would you do with the information?
Let the NOC know what's up so they can be more vigilant based on the threat level.
I'm not trying to be sarcastic, because lots of people have been going through these same conversations. "Threat level" is different from an attack. Isn't your NOC normally vigilant? If the DHS lowered the threat level to "Green" would you stop monitoring your network just because the government says there is no more threat? Do you have more or fewer people on duty in your NOC as the government threat level goes up or down watching the big TV screens?
Perhaps even use different sets of ACL's on the edge, etc. It could also be used to explain an unexpected surge in traffic, calls, or other things. Ever look at some traffic stats and see a major surge and want to make sure you understand why?
Again, wouldn't you also do all of these things "normally?" If an ACL is a good idea at "Orange" wouldn't you protect your network with those ACL's when the level is "Yellow"? Or would you remove those ACL's when the threat level is reduced? How would you explain to your management when you are hacked at level "Yellow" you had better ACL's, but you only used the good ACL's at level "Orange"?
I'd take it seriously and consider NBC as well as "cyberAttacks".
Secretary Ridge has said to keep the plastic sheets and duct tape in storage. Don't start sealing your house (or NOC) yet. The FEMA/Red Cross preparedness recommendations are a good idea irregardless of the alert level.