|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: What to do if they ignore you
From: Harlan Carvey (keydet89
yahoo.com)
Date: Thu Apr 14 2005 - 05:18:52 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Skip,
> My company provides outsource security
> management/monitoring services.
>
> In early March we noticed that several of our
> clients that are in the
> same /16 block were getting persistent port 445
> probes from a couple
> of systems from a very large corporation's satellite
> office which is on the same /16 block.
>
> I have repeatedly called the companies security
> manager
[snip]
> Does anybody have any suggestions on what to do to
> make Goliath behave when you are David ?
Two things to consider:
1. Have you thought that maybe you've done all that
you can do?
2. Do you know the nature of these scans? Sure, you
can show the SecMgr at the offending company things
like firewall/IDS logs, but what does that tell him?
What are the probes leading to? My point is
this...right now, they're just probes...and the
offending company most likely bears no legal
liability. It may be the case that they're looking
into the situation...what happens if they do uncover
something sinister? Will they suddenly bear a legal
responsibility? I've worked for and with companies
that have done nothing, simply b/c doing something
might make them legally responsible.
I think that like most technical guys, you're feeling
put off and disrespected by their behaviour, and
that's understandable. But take a look at the big
picture...are these probes consuming inordinate
amounts of bandwith? Or are all they doing is filling
up your logs? The offending company may have
extremely limited resources, and this issue may be a
pretty low priority to them.
Just some thoughts...
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]