From: Yong, David (David.Yong@trw.com)
Date: Tue Oct 02 2001 - 17:12:53 CDT

    TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
    majordomo@iss.net Contact issforum-owner@iss.net for help with any problems!
    ----------------------------------------------------------------------------

    I agree that it is already available on the Internet, BUT I think I do like to have it organized and from a reputable source. Maybe there should be a separate list for people who want to get the AlertCon. Anyways, it's not like there's a huge amount of bandwidth being wasted here...

    -----Original Message-----
    From: George Milliken [mailto:gmilliken@farm9.com]
    Sent: Tuesday, October 02, 2001 12:23 PM
    To: Treece, Dennis (ISS Atlanta)
    Cc: issforum@iss.net
    Subject: RE: AlertCon 1/1 Internet Threat and Solutions Update for 2-4 Oct 2001

    This is old news already available on the Internet. ISS is wasting our
    bandwidth and time regurgitating this material.

    George

    -----Original Message-----
    From: owner-issforum@iss.net [mailto:owner-issforum@iss.net] On Behalf Of
    Treece, Dennis (ISS Atlanta)
    Sent: Tuesday, October 02, 2001 11:22 AM
    To: Treece, Dennis (ISS Atlanta)
    Subject: AlertCon 1/1 Internet Threat and Solutions Update for 2-4 Oct 2001

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Copyright 2001 Internet Security Systems (trademark) THE POWER TO
    PROTECT

    INTERNET THREAT & SOLUTIONS UPDATE for Oct 2nd - Oct 4th, 2001
    ISS X-Force Special Operations Group

    - --------------------------------------
    CURRENT THREAT ASSESSMENT & THREAT FORECAST
    - --------------------------------------

    AlertCon 1 Today, Oct 2nd, 2001
    AlertCon 1 For Oct 3rd and 4th, 2001

    Today's Focus: Preparing for Cyber Attacks During the War on Terrorism
    *************

    - - Nimda, Code Red, and Code Blue activity continue to be seen on our
    monitored networks but at decreased levels.

    - - AlertCon 1 may be our lowest alert level but it is not 'low'. It
    assumes all malicious code in the wild, all vulnerabilities, all
    misconfigured and unpatched machines, all overworked and under trained
    network staffs, all weak passwords (or no passwords), all insider
    mischief, and the 24 x 7 assaults of the world's hacker community.

    - --------------------------------------
    Recommended Security Focus
    - --------------------------------------

    - - Preparing for Cyber Attacks During the War on Terrorism. The link
    below takes you to an excellent threat analysis by a group at
    Dartmouth College's Institute for Security Technology Studies. It
    makes excellent reading for Internet and Network security
    professionals at this time. Every one of us should be developing
    contingency plans for worst case scenarios to protect against, detect,
    and respond to everything from politically motivated script kiddies to
    aggressive cyber attacks specifically designed to deny services or
    damage files in your company.

    <http://www.ists.dartmouth.edu/ISTS/counterterrorism/cyber_attacks.htm>

    Our thanks to Dartmouth College for permission to cite this link.

    - ---------------------------------------
    SOLUTIONS
    - ---------------------------------------

    Defense Against Cyber Attacks During the War On Terrorism:

    - - The Dartmouth analysis suggests reasonable security measures for all
    network security operations and security teams to focus on. I would
    add to this that the fundamentals of network security have never
    applied more; protect what you consider most critical to business
    operations and continuity, make sure you have intrusion detection so
    you'll know when people get around your defenses, and have a response
    team and a response plan for that team to execute should a cyber
    emergency happen in your network.

    - - Another consideration strikes to the core of your perimeter
    defense--inbound and outbound traffic are not threat equals, and you
    should not treat them equally. Clearly, rules for inbound traffic
    should be tighter. Either your router access control lists or your
    firewalls should not be accepting inbound ports you don't use, or
    accepting IP addresses you don't do business with.

    - - Ask yourself this question: If we're not doing business with central
    Asia (for example), why am I accepting traffic from that region?
    Extend that thought to any region not on your customer list or routine
    legitimate traffic logs. Strongly consider denying those IP blocks at
    your gateways. Some research will need to be done to find the domains
    and address blocks that define those areas but this is not difficult.
    The rule of thumb to adopt in times like these is 'deny everything you
    don't need'. If you go this route, you may want to consider allowing
    e-mail from these address blocks so any legitimate customer can let
    you know they are having trouble getting in. While it's true that a
    determined attack can come from a spoofed address coming from a region
    that is not blocked, that's an extra step that needs to be taken just
    to reach you. For certain, you will be blocking the bulk of the
    automated, broadcast threats from regions of the world you can safely
    ignore.

    - - Ports are just as important in your defensive strategy as IP
    Addresses. We've been seeing attacks lately from ports in the 31,000
    range, all 'unassigned'. You have to decide how much potential there
    is for legitimate traffic in a high port like that but clearly, the
    known Trojan ports
    <http://home.tiscalinet.be/bchicken/trojans/trojanpo.htm> should be
    blocked. Unusual ports should also be blocked unless there is a
    clearly established need for them in your network. The link for common
    ports is noted here: <http://www.iana.org/assignments/port-numbers>

    - - One clear message to take from the Dartmouth study is that now is a
    good time for a full court press to establish a good security and
    disaster recovery posture for your networks and your Internet
    connections. It will take additional resources both in the NOC that
    has to implement the new security measures, in the IT Security Staff
    that does the survey and makes the recommendations, and for outside
    consultants in both these areas if you don't have the resources in
    house.

    - - Another concurrent avenue to consider is special insurance designed
    to cover Internet and Network related damage or loss. Marsh is
    accepted as one of the leading pioneers in this field.

    Nimda Solutions:

    - - Re-install patches previously instructed by ISS and software vendors
    for IIS vulnerabilities, etc.

    - - Get management involved to help you marshal the resources you need
    to patch everything and keep it patched. Remember that whenever an OS is
    installed or reinstalled, if the patches are not also included you have
    left gaping holes in your network. The same is true for anti-virus
    updates. All patches from the date of the OS you are installing must
    be manually researched and installed. The Microsoft 'mega patch' at
    the link below is a big help in this effort.

    - - Users everywhere are reminded that one of the features of Nimda is
    randomly booby-trapping web sites throughout the Web. Opening an infected
    site invites Nimda infection via JavaScript. Networks with strong,
    updated gateway protection notify the user and strip the malicious
    logic from the packet stream. Small office and home networks may have
    less protection but should be moving rapidly towards commercial
    anti-virus solutions.

    - - Microsoft's web site has the full solution set for its products at
    this site:
    <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp>

    - - All the major anti-virus vendors now have Nimda solutions. Aris has
    an excellent write-up on the Worm and some further links to security
    solutions:
    <http://aris.securityfocus.com/alerts/nimda/010919-Analysis-Nimda.pdf>

    - -------------------------------------
    Attack Signatures - global IDS, midnight - midnight, previous day, % of total
    - -------------------------------------

    Unauth Access Attempts 36.61%
    Protocol Decode 36.44%
    Denial Of Service 15.22%
    Suspicious Activity 06.67%
    Pre-Attack Probe 05.05%
    Back Doors 00.02%

    - -------------------------------------
    Top Ten Destination Ports - global IDS, midnight - midnight, previous day,
    % of top ten (ports found at <http://www.iana.org/assignments/port-numbers>)
    - -------------------------------------

    80 (http) 89.44%
    25 (smtp) 04.48%
    21 (ftp) 03.56%
    139 (netbios-ss) 00.55%
    123 (ntp) 00.40%
    143 (imap) 00.38%
    15104 (unassigned) 00.35%
    443 (https) 00.28%
    69 (tftp) 00.28%
    12754 (unassigned) 00.27%

    - ---------------------------------------
    VIRUS, VULNERABILITY, NEWS UPDATES
    - ---------------------------------------

    - - Visit <http://www.iss.net/> under 'Global Internet Threat
    Intelligence Service'

    - ---------------------------------------
    Web Defacements
    - ---------------------------------------

    - - Alldas.de stats show that since April, 2000, the most defaced OS is
    Windows, with a total of 15,033 defacements reported, for 65% of the
    total. Linux is a distant second with 3744 defacements for 16% of the
    total.
    - - Alldas reports 39 web defacements yesterday, Sept 30th. These
    numbers are below average.
    - - A spot check of yesterday's defacements shows the Brazilian group
    ere.corp putting up its pro Bin Ladin / anti US message again, this
    time on a French site (www.dic.fr). The page has not changed since
    last week <http://defaced.alldas.de/mirror/2001/10/01/www.dic.fr/>.
    This group's defacement of a Taiwanese site yesterday (acorp.com.tw)
    showed a similar message but in one line of text and no graphics
    <http://defaced.alldas.de/mirror/2001/10/01/acorp.com.tw/>. It appears
    the targets of the defacements were random sites with weak security.

    - ---------------------------------------
    NOTE, DISCLAIMER AND COPYRIGHT NOTICE
    - ---------------------------------------

    NOTE: Our web site has this information in more attractive format and
    graphics available to the public at no cost at <http://www.iss.net/>
    under 'Global Internet Threat Intelligence Service'. Screen
    captures (Control/PrtSc) of the site's pages dropped into PowerPoint
    can be an effective way to communicate various aspects of the Internet
    threat, e.g. the graph depicting 'AlertCon Trends'.

    We provide this information on Internet threat metrics, viruses,
    vulnerabilities, patches, and breaking news, in the spirit of PDD 63,
    to help security professionals wage the war against Internet threats
    more effectively. Information in this update derived primarily from
    global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team research,
    and professional liaison. Other sources as noted. AlertCon 1 reflects
    the global, malicious, determined, 24 x 7 attacks experienced by all
    networks. AlertCon 2 means increased vigilance/action recommended due
    to a specific threat or concern. AlertCon 3 means increased attacks
    against specific targets or vulnerabilities on a scale that is
    unusually high, action required. AlertCon 4 reflects an Internet
    emergency for a target or group of targets whose business continuity
    may depend on some sort of immediate, decisive action. All summaries
    cover 24 hours the previous workday, GMT. Monday summaries may cover
    some weekend activity.

    Copyright 2001 Internet Security Systems, Inc. Permission is granted
    for the redistribution of the Internet Threat Update electronically.
    It is not to be sold or edited in any way without express consent of
    ISS. Refer comments or questions to <dtreece@iss.net>. Disclaimer:
    This information is subject to change without notice. Use of this
    information constitutes acceptance for use in an 'as is' condition.
    There are no warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use
    of this information is at the user's own risk. No other use
    authorized. FOIA Exemption 4.
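The inbound perimeter policy the update recommends ('deny everything you don't need', block address ranges of regions you do no business with but keep SMTP open, drop known Trojan and unassigned high ports) as an added example that is not part of the original thread or ISS's own tooling. The address blocks, the port sets and the sample connection attempts are constructed for the example; the verdict order (port checks before the regional block) is an assumption.

```python
from ipaddress import ip_address, ip_network

# Address blocks of regions you do no business with (constructed for this
# example; real blocks would be researched from the regional registries).
BLOCKED_REGIONS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]
# Inbound services the network actually offers (port -> name).
ALLOWED_INBOUND = {80: "http", 443: "https", 25: "smtp"}
# A few well-known Trojan listener ports (NetBus, SubSeven, Back Orifice);
# the list linked in the update is far longer.
TROJAN_PORTS = {12345, 27374, 31337}
# Unassigned high ports; the update notes attacks in the 31,000 range.
UNASSIGNED_HIGH = range(30000, 32001)

def evaluate_inbound(src, dst_port):
    """Return (verdict, reason) for an inbound connection from src to dst_port."""
    src_ip = ip_address(src)
    # Trojan and unusual high ports are dropped first, whatever the source.
    if dst_port in TROJAN_PORTS:
        return ("deny", "known Trojan port")
    if dst_port in UNASSIGNED_HIGH:
        return ("deny", "unassigned high port")
    # Regional block, with the SMTP exception so a legitimate customer in a
    # blocked region can still mail you that they cannot get in.
    if any(src_ip in net for net in BLOCKED_REGIONS):
        if dst_port == 25:
            return ("allow", "smtp exception for blocked region")
        return ("deny", "source region not on customer list")
    # Default deny: only services you actually run are accepted. A spoofed
    # source in an unblocked region still reaches this rule (the update's caveat).
    if dst_port in ALLOWED_INBOUND:
        return ("allow", ALLOWED_INBOUND[dst_port])
    return ("deny", "port not offered")

# Constructed sample of inbound attempts (src, dst_port).
SAMPLE_ATTEMPTS = [
    ("198.51.100.7", 80),   # blocked region, web
    ("198.51.100.7", 25),   # blocked region, mail
    ("192.0.2.10", 80),     # customer region, web
    ("192.0.2.10", 31337),  # Trojan port
    ("192.0.2.10", 31001),  # unassigned high port
    ("192.0.2.10", 139),    # netbios, not offered
]

def summarize(attempts=SAMPLE_ATTEMPTS):
    """Apply the policy to each attempt and return the allow/deny counts."""
    counts = {"allow": 0, "deny": 0}
    for src, port in attempts:
        verdict, reason = evaluate_inbound(src, port)
        counts[verdict] += 1
        print(f"{src:>15} -> {port:<5} {verdict:<5} ({reason})")
    return counts
```

Calling `summarize()` prints one verdict line per sample attempt and returns the totals, which makes it easy to see how much of a constructed traffic sample a regional block plus default deny removes.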