Security Incidents mailing list archives
Re: What to do if they ignore you
From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 14 Apr 2005 03:18:52 -0700 (PDT)
Skip,
> My company provides outsource security management/monitoring services. In early March we noticed that several of our clients that are in the same /16 block were getting persistent port 445 probes from a couple of systems from a very large corporation's satellite office which is on the same /16 block. I have repeatedly called the company's security manager
> [snip]
> Does anybody have any suggestions on what to do to make Goliath behave when you are David?
Two things to consider:

1. Have you thought that maybe you've done all that you can do?
2. Do you know the nature of these scans?

Sure, you can show the SecMgr at the offending company things like firewall/IDS logs, but what does that tell him? What are the probes leading to?

My point is this...right now, they're just probes...and the offending company most likely bears no legal liability. It may be the case that they're looking into the situation...what happens if they do uncover something sinister? Will they suddenly bear a legal responsibility? I've worked for and with companies that have done nothing, simply b/c doing something might make them legally responsible.

I think that like most technical guys, you're feeling put off and disrespected by their behaviour, and that's understandable. But take a look at the big picture...are these probes consuming inordinate amounts of bandwidth? Or is all they're doing filling up your logs? The offending company may have extremely limited resources, and this issue may be a pretty low priority to them.

Just some thoughts...

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------