August 2004 Mfg.Trust
Mfg.Trust is a monthly feature of the
NCMS InfraGard Manufacturing Industry Association
Infrastructure assurance for manufacturers
Powered by NCMS.
This Month - INTERNET STORM CENTER (ISC)
Local Action to Combat Global Threats
See the Resources Page for this Story
Editor's Preface:
This month’s feature is written by Hans Erickson, CIO for the Detroit
Chamber of Commerce. Hans originally penned this article for the
Michigan InfraGard Chapter and graciously permitted its further
distribution to NCMS associates. His interesting and informative views
on the Internet Storm Center are sure to get your attention.
As usual, the Resources page that
accompanies this article offers rich information for more study. See
http://trust.ncms.org (Publications Index tab).
Editor
INTERNET STORM CENTER
The Internet experiences the same radical fluctuations of activity that
our climate does, and the devastation in financial terms can sometimes be
comparable. Because of this similarity, thousands of sensors serve the
Internet Storm Center (ISC) in its effort to monitor storms that brew
on the Internet, much as the National Weather Service monitors our climate.
The SANS Internet Storm Center (ISC), http://isc.sans.org/, is the
Internet equivalent of weather.com. Here
you can avail yourself of a variety of tools that provide a
comprehensive view of ‘storm’ activity on the Internet from all over the
world. Even better than the ability to view an amazing array of
up-to-the-moment statistics and trends that can alert you to upcoming and
existing threats, this website provides an additional benefit: you can
participate and see the results of other participants! You are invited
to submit your firewall logs to Dshield. Dshield provides a location to
share intrusion information, as well as several tools to help automate
the task.
Sharing your most private firewall information?!? Isn’t that the
opposite of a good security practice??? Not at all. The community
approach is one that our country is coming back to after a separation of
powers that may have taken us too far into isolationism. Our law
enforcement groups are working together now as never before under the
guidance of the Homeland Security Department, because as we have been
painfully shown by the events of 9/11, if our departments are
communicating with each other effectively, we can do more to stop bad
guys than if each department works alone.
On all fronts, whether physical infrastructure or Internet, much work
needs to be done to combine our efforts toward a common good. The SANS
Internet Storm Center is a tactical tool that anyone in the business
community can apply as they work to fortify their own systems. It helps
to increase their level of awareness and lets them contribute to
the global body of knowledge on events and attacks that develop in
minutes or hours.
It is important for all of us to realize that we can’t do this alone.
SANS started the system in 1999 at the request of the White House in
conjunction with Y2K efforts, and the system has proven valuable several
times since. One example in 2001 was a spike of probes to port 53
(DNS) that was observed escalating rapidly over a period of a few hours.
It was recognized in a few hours, at which time notification was sent to
a global community of security practitioners to inquire about their
experience with this event. Within 3 hours they had confirmation of an
infection from an administrator in the Netherlands, who was able to send
a copy of the worm in for analysis. Analysts determined the worm’s
purpose and how it was accomplished, created a program to detect
infection, and tested it at multiple sites. They also alerted the FBI to
the attack. Within 14 hours after the spike was first noticed, ISC was
able to warn over 200,000 people of an attack in progress and advise
them of corrective action.
While many private industry watchdogs perform similar functions,
the ISC is an all-volunteer organization that provides the ability
to interact without charge. The ISC gathers millions of intrusion
detection log entries every day from sensors covering over 500,000 IP
addresses in over 50 countries. Add yourself to this growing list of
Internet sensors by going to
http://www.dshield.org/signup.php
While you can submit your logs anonymously, by registering with the
service, you can:
- View the firewall logs you have submitted to the Dshield database
over the last month.
- Have confirmation emails of your submissions sent to you.
- Enable the ‘Fightback’ function. Dshield will forward selected
authenticated submissions to the ISP implicated when it detects
that you have been attacked. Registered users can see a summary of
Fightback messages that have been sent on their behalf.
In addition, national CERTs, managed security service providers,
ISPs and large organizations are invited to become an ISC analysis and
coordination center. If you would like to participate, send a note to
isc@sans.org and describe the user community you serve.
LINKS
SANS Internet Storm Center (ISC)
http://isc.sans.org/