For those of you who are not aware, Sony currently has a job posting for a Manager of Incident Response. Where I come from they refer to that as closing the barn door after the horse has got out, but they do need to start somewhere, and all in all it sounds like a cool job for an experienced Incident Handler. They do mention SANS certifications. Of course they put SANS certifications on the same level as CISSP and CISM, but it is a step.

My piece of advice for the new IR manager at Sony is to go back and review, and update, their incident response plans, since the Sony response to this incident was farcical at best. Matthew Schwartz at InfoRiskToday has published a post describing Sony's 7 Breach Response Mistakes. Comparing those mistakes against the standard incident handling methodology (Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned), and assuming that Sony had an IR plan and followed it, it struck me that most of Sony's failures resulted from insufficient time spent in Preparation.

Most people think of preparation as making sure you have the proper preventive and detective controls in place to prevent a breach if possible, and to detect it if not. But preparation needs to include many other aspects, including an incident management framework, a response strategy, and a communication plan.

The incident management framework defines every aspect of your incident response team, from who the participants are, to who is in charge, to how the team's communication will work. In most companies IR has become a technical IT function. While having the correct technical resources to respond to an incident is important, having the correct management structure in place to effectively manage the incident is equally important. Don't forget to include legal and communications functions in the incident response team. They will be indispensable in a public breach.

The response strategy comprises the processes and procedures that will be used in the case of an incident. One great way to develop these processes and procedures is to run table top exercises and mock incident exercises with the IR team. The output of these exercises should be moderately detailed plans to handle these incidents. Anticipating common scenarios in advance makes the actual response smoother and less stressful when an incident occurs. It is not possible to anticipate every conceivable incident, but think of the processes and procedures as building blocks that can be reused and modified in the case of a real incident.

An important part of any public incident is effective communication with the press and your external stakeholders, such as customers and shareholders. An important part of this is going to be getting your legal and communications people on the same page as your executives. The time to be figuring out what you will and won't release publicly is not in the heat of an incident. In my experience this usually leads to paralysis and ultimately looks like you have something to hide or are trying to mislead. Much the same as your incident strategy, the communication plan is best devised in advance as part of the mock incidents and table top exercises. In my opinion communicating the truth, early and often, is the best approach. The communication function was where Sony fell down the worst, both with internal and external communications.

With this in mind, it seems like a good time for all of us to review our IR plans in light of some of the high profile breaches this year.

-- Rick Wanner - rwanner at isc dot sans dot edu- http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Last week, Korea Hydro and Nuclear Power, which runs South Korea's 23 nuclear plants, suffered a security breach in which personnel records, public health monitoring data, and reactor designs were obtained from the company's systems and posted online. The attacker, which linked to the materials on an anti-nuclear activist site, also threatened to release further information unless three of the company's plants were shut down by tomorrow.

Now, Korean investigators have identified a Chinese IP address as the source of the attacks and are asking the Chinese government for assistance in the investigation.

According to a report in The Korea Times, the attacks were routed through three different VPN service providers in the US, Japan, and Korea. By obtaining these records, the initial IP address that launched the attack was traced to the city of Shenyang, which is on the China-North Korea border. An article from Australia's ABC indicates that this city hosts one end of North Korea's main Internet connection to the outside world, which was severed earlier this week.



My wife is a Christmas music junkie. Starting right after Remembrance Day, every moment in our house or car is filled with the sounds of Christmas music, either from her own iTunes collection (currently 623 songs and growing yearly), or streamed from the Internet or satellite radio. Every year there seems to be one song that becomes that ear worm and sticks with me for the entire Christmas season. A couple of years ago it was "O Holy Night", another year it was "I Want a Hippopotamus for Christmas"; this year I discovered a new one, at least to me: "My Grown Up Christmas List". The song was written by Canadian David Foster and his then wife Linda Thompson-Jenner. It was originally recorded by David Foster with vocals by Natalie Cole in 1990, but probably the most famous version was recorded by Amy Grant in 1992, although it has been covered many times since. The gist of the song is that we should not be asking Santa Claus for more stuff for Christmas, but that our Christmas list should ask to solve society's and the world's problems. Definitely a good sentiment in these uncertain times.

Today I got to thinking: if the ISC were to have a Grown Up Security Christmas list, what would be on it?

Please submit your ideas via the forum comments, or via our contact page.
