nanog mailing list archives

Re: Homeland Security Alert System
From: Martin Hannigan <hannigan () fugawi net>
Date: Fri, 21 Feb 2003 14:41:05 -0500

On Fri, Feb 21, 2003 at 12:21:04PM -0500, Sean Donelan wrote:

On Fri, 21 Feb 2003, Martin Hannigan wrote:
      But what would you do with the information?

Let the noc know what's up so they can be more vigilant based on the
threat level.

I'm not trying to be sarcastic, because lots of people have been going
through these same conversations.

Not a problem.

"Threat level" is different from an attack.

Pearl Harbor.

Isn't your NOC normally vigilant?  If the DHS lowered the threat level to
"Green" would you stop monitoring your network just because the government
says there is no more threat?  Do you have more or fewer people on duty in
your NOC as the government threat level goes up or down watching the big
TV screens?

The NOC is always vigilant. Based on different threat levels
I think it's prudent and realistic to examine different staffing
strategies, different views of alarms and data, potentially
different reactions, engaging LEA's on issues you may not normally
engage on, etc.

Example: DHS sets RED level. Reaction: Move some third level 
engineers into the SOC. Audit the DR plan if it's not on schedule
to be audited. Audit the backup plans if not on schedule to be
audited. Light the medium warm NOC to HOT NOC level.

Perhaps even use different sets of ACL's on the edge, etc. It could also
be used to explain an unexpected surge in traffic, calls, or other things.
Ever look at some traffic stats and see a major surge and want to make sure
you understand why?

Again wouldn't you also do all of these things "normally?"  If an ACL is a
good idea at "Orange" wouldn't you protect your network with those ACL's
when the level is "Yellow."  Or would you remove those ACL's when the
threat level is reduced.  How would you explain to your management when
you are hacked at level "Yellow" you had better ACL's, but you only used
the good ACL's at level "Orange."

I'd like to have a more standard application to risk analysis. 
As you know, security policy is always reviewed and risk analysis
applied to determine how and what you are going to protect. Or not

I think these risk analyses are now affected by these "new" threats,
or in a lot of cases, threats that no one really paid much
attention to before.

I'd take it seriously and consider NBC as well as "cyberAttacks".

Secretary Ridge has said to keep the plastic sheets and duct tape in
storage.  Don't start sealing your house (or NOC) yet.  The FEMA/Red Cross
preparedness recommendations are a good idea irregardless of the alert

Secretary Ridge hasn't really established a credibility level. Not
yet anyways. I respect what they are doing and understand they need
time, but we all have businesses to run. If he says "Buy plastic
and duct tape" I take that as he knows something we don't and 
it's reasonable to evaluate and reapply the risk analysis.

I have my duct tape and plastic, but haven't applied it to the
