General; work and IT @ 27 Nov 2006 03:43 am by ayoi
I’m honoured to know that Mr Richard Bejtlich posted a comment and maybe reads my blog too.
Actually I bought Extrusion Detection and Real Digital Forensics. I’ve read the Tao of Network Security Monitoring before. For Mr Richard Bejtlich, thanks for sharing your knowledge and your vast experience/thoughts in these books. I do really appreciate the knowledge gained from reading these books.
Most of the people here think that having a firewall is enough to secure your network and that only web defacement counts as a serious incident. There is no proper incident handling procedure, no proper security policy and many other gaps. In fact, if the defensible network characteristics are used as the benchmark, most of the networks here are impossible to monitor. I don’t want to comment about the personnel who are handling/administrating their networks. Just imagine:
Today we had an incident (I wonder why it has to be my shift for these things to happen) and the main problem is that The Client changed their IP without acknowledging us. That’s OK as the sniffing is still working, but this particular server has been defaced and there’s no exact timeframe for when, or from where, the attack came. So for a start I just asked The Client to send us the access log of the defaced webserver, at least to get an idea of when and from where (I know this is not the proper way, but with the limited resources and authorization that we had, what else can I do?). So I asked The Administrator to send me the access log and to call me once the logs were sent. A few moments later the phone rang:
“Hello, have you sent the log to our email?”
“Actually I think I dun have to send the log la”
“Eh, Why?”
“There’s only one line in that log”
“One line? What do you mean by only one line?”
“Ya lor, there’s only one error that we’ve detected, so only one line lah”
“Aaaaaa?!! Err, in that case just send the access_log that we’ve requested and the error_log (I can’t recall when I asked for this log) as well to our email. Thanks”
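When the only evidence you can get is the webserver’s own access_log, the first triage step is to bound when the defaced page changed and which write-style requests landed inside that window. The script below is an added example, not part of the original post or of any tool mentioned in it; it parses constructed Apache "combined" log lines (the IPs, paths and timestamps are made up) and uses the change in the 200-response size of the defaced page as the content-change indicator. The threshold choice and the "write methods" list are assumptions, not something the post prescribes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache "combined" access_log lines (not real data).
# The response size of /index.html drops from 5123 to 1480 bytes after a POST
# to an upload script; one garbage line is included to show it is skipped.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [26/Nov/2006:22:14:03 +0800] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.23 - - [26/Nov/2006:22:40:51 +0800] "GET /admin/upload.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
this line is not a valid access_log record
198.51.100.23 - - [26/Nov/2006:22:41:10 +0800] "POST /admin/upload.php HTTP/1.1" 200 231 "-" "Mozilla/5.0"
198.51.100.23 - - [26/Nov/2006:22:41:32 +0800] "GET /index.html HTTP/1.1" 200 1480 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Nov/2006:01:02:17 +0800] "GET /index.html HTTP/1.1" 200 1480 "-" "Mozilla/4.0"
"""

# Apache combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Methods that can modify server-side content (assumed list for the example).
WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH", "MOVE"}


def parse_access_log(text):
    """Parse combined-format lines into dicts, sorted by timestamp.
    Malformed lines are skipped rather than aborting the triage."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def content_change_window(records, path):
    """Bound when the page at `path` changed by watching its 200-response size.
    Returns (last request with the old size, first request with the new size),
    or None if the size never changed. Dynamic pages will give false positives."""
    hits = [r for r in records
            if r["path"] == path and r["method"] == "GET" and r["status"] == 200]
    for prev, cur in zip(hits, hits[1:]):
        if cur["size"] != prev["size"]:
            return prev["ts"], cur["ts"]
    return None


def write_requests_in_window(records, start, end):
    """Group write-style requests inside [start, end] by source IP."""
    by_ip = defaultdict(list)
    for r in records:
        if r["method"] in WRITE_METHODS and start <= r["ts"] <= end:
            by_ip[r["ip"]].append((r["ts"].isoformat(), r["method"], r["path"], r["status"]))
    return dict(by_ip)


def triage(log_text, defaced_path):
    """Return the change window and the candidate write requests inside it."""
    records = parse_access_log(log_text)
    window = content_change_window(records, defaced_path)
    if window is None:
        return {"window": None, "candidates": {}}
    start, end = window
    return {
        "window": (start.isoformat(), end.isoformat()),
        "candidates": write_requests_in_window(records, start, end),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ACCESS_LOG, "/index.html")
    print("change window:", result["window"])
    for ip, reqs in result["candidates"].items():
        print(ip, reqs)
```

The window only bounds the change between two observed GETs of the page, so the real modification time lies somewhere inside it; that is exactly the gap that session data or full content capture would close, and it is why a one-line error_log is not a substitute for the access_log. Rotated logs, a dynamic page whose size legitimately varies, and uploads via channels the webserver never logs (FTP, SSH) all need to be checked separately.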



[...] As I’ve learnt, to do a proper analysis of certain alerts/incidents/events we should analyze (if available) full content data (probably kind of hard for large-scale, high-bandwidth, limited-storage networks), session data, statistical data (better network traffic statistics than alert statistics, I presume) and alert data. Currently all that any of us has is alert data, even for incident investigation/analysis. But The Client’s report requests sometimes go beyond what we can provide. Just imagine what it would be like when an incident like this happens [...]
[...] c). A network administrator who either isn’t aware of his tasks, doesn’t bother to learn his tasks properly, or simply doesn’t have any interest in the job itself. Yeap, this is the same Network Admin. [...]
[...] e). Incompetent Network Administrator (sorry to say this). But it happens a lot! [...]