Logging is probably both one of the most useful and least used of all security forensic capabilities. In large enterprises many security teams rely on their IT counterparts to do the logging and then turn to the IT logging infra when they need log information. That in itself isn’t bad; however, the needs/requirements for IT may not be a 100% fit for a CIRT. Read on to find out how we handled it.
By Jason Kohn, Contributing Columnist
In the 20 years we’ve had to get used to the Internet, we’ve learned a lot about web security and our own role in keeping ourselves safe from the nastiest things out there. At the very least, most of us now recognize the need to install antivirus software on our computers and to keep that software updated.
When it comes to the other kinds of computers we use though – our ubiquitous smartphones and tablets – it’s a different story. According to a 2011 report by Canalys, just 4 percent of the smartphones and tablets shipped the previous year had some form of mobile security installed.
On April 10, 2013, a collective of politically motivated hacktivists announced a round of planned attacks called #OPUSA. These attacks, slated to begin May 7, 2013, are to be launched against U.S.-based targets. #OPUSA is a follow-up to #OPISRAEL, which were a series of attacks carried out on April 7 against Israeli-based targets. Our goal here is to summarize and inform readers of resources, recommendations, network mitigations, and best practices that are available to prevent, mitigate, respond to, or dilute the effectiveness of these attacks. This blog was a collaborative effort between myself, Kevin Timm, Joseph Karpenko, Panos Kampanakis, and the Cisco TRAC team.
If the attackers follow the same patterns as previously witnessed during the #OPISRAEL attacks, then targets can expect a mixture of attacks. Major components of previous attacks consisted of denial of service attacks and web application exploits, ranging from advanced ad-hoc attempts to simple website defacements. In the past, attackers used such tools as LOIC, HOIC, and Slowloris.
Publicly announced attacks of this nature can have highly volatile credibility. In some cases, the announcements exist only for the purpose of gaining notoriety. In other cases, they are enhanced by increased publicity. Given the lack of specific details about participation or capabilities, the exact severity of the attack can’t be known until it (possibly) happens. Read More »
Tags: advisories, ASA, botnet, botnets, Cisco Security, Cloud Computing, cloud security, data center security, DDoS, exploits, firewall, incident response, IPS, IPS signatures, malware, mitigations, security, targeted attacks, TRAC, vulnerability
The Compressed Pcap Packet Indexing Program (cppip) is a tool to enable extremely fast extraction of packets from a compressed pcap file. This tool is intended for security and network folk who work with large pcap files. This article provides a complete discussion of the tool and is split into two parts. The first part, intended for end-users, will explain in detail how to build and use the tool. The second part, intended for C programmers, covers cppip’s inner workings.
Cppip is a command line utility designed to make packet extraction from large pcap files extremely fast — without having to uncompress the entire file. It relies on pcap files that have been compressed using the freely available bgzip, a backward compatible gzip utility that boasts a special additive — the ability to quickly and cheaply uncompress specific regions of the file on the fly. You will find cppip quite useful if you work with large pcap files and have the need to extract one or more packets for subsequent inspection. As you’ll see, preparing your pcap files for use with cppip is a two step process of compressing the pcap file with bgzip and then indexing it with cppip. But before you can use cppip, you first have to install it. Read More »
Hello IP Surveillance Enthusiasts,
ISC West was held at Las Vegas between Apr 10-12, and we continued the engagements with our partners on Cisco Medianet Plugfest here. Plugfest was launched at ASIS Philadelphia in September 2012, and from then till now, we have been actively working on getting partners on-boarded into Cisco’s MSP Cisco Developer Network (CDN) program, evaluating the test results gathered during ASIS and making recommendations to partners on improving interoperability with the network.
At ISC West, we had the wonderful opportunity to touch base with many of our partners already in CDN, and the ones we are closely working with on the process.
These were the sessions/interactions we had on Plugfest at ISC West -