BS ThreatCon Levels
Who else besides me thinks “ThreatCon” levels are bullshit? (Not to be confused with vulnerability alerts.) After checking out Slashdot this morning, I came across CERTStation, which attempts to aggregate current threat information into one page, entirely in Flash. I won’t get into how much Flash sites irritate me, as we could debate that for days and not get anywhere. Who knows what the site’s true purpose is: selling you information in exchange for money or personal information? Who knows.
But let’s talk about threat levels. Why is it that A/V vendors tend to have higher levels than anyone else? How do they determine these threat levels? The current number of infected machines? Virus propagation time? For real now, who really acts differently when all of a sudden the threat level goes from green to yellow, or yellow to orange? Not to mention, the colors don’t mean anything to me! What exactly is threatening me that I need to be more alert? Is it a new worm, or exploit code that affects 99% of business systems? Come on, tell me! This is why I tend to be “always on alert,” which would equate to the color red. I am always thinking there will be something out there that will cause havoc for me, so whatever that is, I want to be prepared for it. By staying on top of the latest vulnerabilities and identifying and analyzing the ones that affect me, I can determine what is critical and what is not.
This is what ThreatCon Levels mean to me:
Current Threat Level:
ISC handlers typically explain why their threat level is increased; it is usually due to some new worm or virus, or even a critical exploit being abused in the wild. Sometimes it is just about increased traffic, such as spam or botnet activity, causing some havoc on the Internet.
One nice thing about alert levels is that they can validate what you’re seeing on your own network. An increase in port 38979 tcp on your firewall might raise your eyebrows, but once you find out that other people are seeing it as well, you might not care as much. Or perhaps a few DNS servers are acting funky in response to a botnet attack and some of your remote users look to you for answers. Likewise, if a threat level is increased due to, say, a Symantec Agent exploit worm, you might take a moment to evaluate whether this affects you.
As for AV companies, they tend to be higher, I think, because it can be marketing for them. Who best benefits from people scared that the virtual sky is falling? Those you pay for protection of course. :)
Really though, it is all about knowledge and knowing what is going on in the world outside your network. No, we typically don’t do many things differently when an alert level goes up and we’re not affected by the causes. But I will say I think it is rare that many companies are truly prepared when the proverbial shit hits the fan on the Internet. We’re often too busy meeting business demands to meet our own internal security/preparedness/monitoring/knowledge demands.
I would say pick any dashboards or threat levels you like and watch them over time, especially the reasons for their colors and movement. Find one or two (if any) that make ya feel a bit more informed and stick to them. Personally, I like the isc.sans.org site. Their handlers are almost always informative and they seem to have decent criteria for level movements.
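The comment above makes a practical point: a port spike on your own firewall means more once you know whether the rest of the Internet is seeing it too. The script below is an added example (not code from the post, from ISC, or from CERTStation) of that cross-check. It counts denied connections per destination port in a baseline window and a current window, flags ports that jumped, and splits the spikes into those an outside report corroborates and those only you see. The log format, the thresholds (`min_hits`, `factor`), the ports other than 38979/tcp, and the "external reports" table are all constructed assumptions for illustration.

```python
"""Cross-check a local firewall port spike against outside threat reports.

Added example, not code from the original post. The log format, the
thresholds and the "external reports" table are assumptions constructed
for illustration; only the 38979/tcp figure comes from the post.
"""
import re
from collections import Counter

# Assumed firewall log format (constructed for this example):
#   "<date> <time> DENY <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^\S+ \S+ DENY (?P<proto>tcp|udp) \S+:\d+ -> \S+:(?P<dport>\d+)$"
)


def make_lines(date, proto, port, n):
    """Build n constructed DENY lines for one destination port (sample data only)."""
    return [
        f"{date} 09:{i:02d}:00 DENY {proto} 203.0.113.{i + 1}:4{i:04d} -> 192.0.2.10:{port}"
        for i in range(n)
    ]


# Yesterday's baseline and today's traffic (constructed sample data).
BASELINE_LINES = (
    make_lines("2007-03-01", "tcp", 38979, 1)
    + make_lines("2007-03-01", "tcp", 3389, 4)
    + make_lines("2007-03-01", "tcp", 445, 3)
)
TODAY_LINES = (
    make_lines("2007-03-02", "tcp", 38979, 6)
    + make_lines("2007-03-02", "tcp", 3389, 5)
    + make_lines("2007-03-02", "tcp", 445, 2)
    + make_lines("2007-03-02", "udp", 5555, 5)
    # An ALLOW line: not a DENY, so the parser ignores it.
    + ["2007-03-02 10:00:00 ALLOW tcp 198.51.100.7:1234 -> 192.0.2.10:80"]
)

# What outside sources are saying today: a constructed stand-in for a
# handler diary or vendor alert, keyed by (proto, port).
EXTERNAL_REPORTS = {
    ("tcp", 38979): "handler diary: widespread scanning for 38979/tcp (constructed)",
}


def port_counts(lines):
    """Count denied connections per (proto, dst_port); non-matching lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[(m["proto"], int(m["dport"]))] += 1
    return counts


def find_spikes(baseline, current, min_hits=5, factor=3.0):
    """Return {(proto, port): (before, now)} for ports that jumped against baseline.

    A port counts as a spike when it has at least min_hits today and is either
    new or at least `factor` times its baseline count.
    """
    spikes = {}
    for key, now in current.items():
        before = baseline.get(key, 0)
        if now >= min_hits and (before == 0 or now >= factor * before):
            spikes[key] = (before, now)
    return spikes


def triage(spikes, external):
    """Split spikes into ones outside sources corroborate and ones only we see.

    Corroborated spikes are probably Internet-wide noise worth a glance;
    local-only spikes deserve a closer look.
    """
    corroborated = {k: external[k] for k in spikes if k in external}
    local_only = sorted(k for k in spikes if k not in external)
    return corroborated, local_only


def run():
    """Run the whole check on the constructed data and return spikes plus triage."""
    spikes = find_spikes(port_counts(BASELINE_LINES), port_counts(TODAY_LINES))
    return spikes, triage(spikes, EXTERNAL_REPORTS)


if __name__ == "__main__":
    spikes, (corroborated, local_only) = run()
    for key, (before, now) in sorted(spikes.items()):
        status = "corroborated" if key in corroborated else "LOCAL ONLY - investigate"
        print(f"{key[1]}/{key[0]}: {before} -> {now}  [{status}]")
```

With the constructed data, 38979/tcp rises from 1 to 6 and is corroborated by the outside report, while 5555/udp appears from nowhere with 5 hits and nobody else is reporting it, which is the case that deserves your attention first. Feeding real logs in only requires adapting `LINE_RE` to your firewall's format and replacing `EXTERNAL_REPORTS` with whatever source you decide to trust.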
Marcin,
You may be interested to see how we have tried to get round the issues surrounding threatcon levels at https://usp.hdaar.com/CERTStation-Dashboard/
By aggregating the different threatcons into a single dial we think we have smoothed out the impact of, say, anti-virus marketing. If our ‘Agglomerator’™ starts to shoot up it may be worthwhile checking round to see what is happening on the Internet, especially if your job depends on it. As an afterthought, we are trying to wean the developers off Flash but they do love it...