<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.2.3" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>
<channel>
	<title>Comments on: BS ThreatCon Levels</title>
	<link>http://www.tssci-security.com/archives/2006/12/28/bs-threatcon-levels/</link>
	<description>top secret/secure computing information</description>
	<pubDate>Sat, 11 Oct 2008 12:40:33 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.3</generator>

	<item>
		<title>By: Paul Hortop</title>
		<link>http://www.tssci-security.com/archives/2006/12/28/bs-threatcon-levels/#comment-228</link>
		<dc:creator>Paul Hortop</dc:creator>
		<pubDate>Tue, 20 Mar 2007 07:55:16 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2006/12/28/bs-threatcon-levels/#comment-228</guid>
		<description>Marcin,

You may be interested to see how we have tried to get round the issues surrounding threatcon levels at https://usp.hdaar.com/CERTStation-Dashboard/
By aggregating the different threatcons into a single dial we think we have smoothed out the impact of, say, anti-virus marketing. If our 'Agglomerator' (tm) starts to shoot up it may be worthwhile checking round to see what is happening on the Internet, especially if your job depends on it. As an afterthought, we are trying to wean the developers off Flash but they do love it...</description>
		<content:encoded><![CDATA[<p>Marcin,</p>
<p>You may be interested to see how we have tried to get round the issues surrounding threatcon levels at <a href="https://usp.hdaar.com/CERTStation-Dashboard/">https://usp.hdaar.com/CERTStation-Dashboard/</a><br />
By aggregating the different threatcons into a single dial we think we have smoothed out the impact of, say, anti-virus marketing. If our &#8216;Agglomerator&#8217; &#8482; starts to shoot up it may be worthwhile checking round to see what is happening on the Internet, especially if your job depends on it. As an afterthought, we are trying to wean the developers off Flash but they do love it&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: LonerVamp</title>
		<link>http://www.tssci-security.com/archives/2006/12/28/bs-threatcon-levels/#comment-37</link>
		<dc:creator>LonerVamp</dc:creator>
		<pubDate>Fri, 29 Dec 2006 21:12:57 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2006/12/28/bs-threatcon-levels/#comment-37</guid>
<description>ISC Handlers typically explain why their threat level is increased, and it is usually due to some new worm or virus or even a critical exploit being abused in the wild. Sometimes it is just about increased traffic such as spam or botnet activity causing some havoc on the Internet.

One nice thing about alert levels is it can validate what you're seeing on your own network. An increase in port 38979 tcp on your firewall might raise your eyebrows, but once you find out that other people are seeing it as well, you might not care as much. Or perhaps a few DNS servers are acting funky in response to a botnet attack and some of your remote users look to you for answers. Likewise, if a threat level is increased due to, say, a Symantec Agent exploit worm, you might take a moment to evaluate whether this affects you.

As for AV companies, they tend to be higher, I think, because it can be marketing for them. Who best benefits from people scared that the virtual sky is falling? Those you pay for protection, of course. :)

Really though, it is just all about knowledge and knowing what is going on in the world outside your network. No, we typically don't do many things differently when an alert level goes up when we're not affected by the causes. But I will say I think it is rare that many companies are truly prepared when the proverbial shit hits the fan on the Internet. We're often too busy meeting business demands to meet our own internal security/preparedness/monitoring/knowledge demands.

I would say pick any dashboards or threat levels you like and watch them over time, especially the reasons for their colors and movement. Find one or two (if any) that make ya feel a bit more informed and stick to them. Personally, I like the isc.sans.org site. Their handlers are almost always informative and they seem to have a decent criterion for level movements.</description>
<content:encoded><![CDATA[<p>ISC Handlers typically explain why their threat level is increased, and it is usually due to some new worm or virus or even a critical exploit being abused in the wild. Sometimes it is just about increased traffic such as spam or botnet activity causing some havoc on the Internet.</p>
<p>One nice thing about alert levels is it can validate what you&#8217;re seeing on your own network. An increase in port 38979 tcp on your firewall might raise your eyebrows, but once you find out that other people are seeing it as well, you might not care as much. Or perhaps a few DNS servers are acting funky in response to a botnet attack and some of your remote users look to you for answers. Likewise, if a threat level is increased due to, say, a Symantec Agent exploit worm, you might take a moment to evaluate whether this affects you.</p>
<p>As for AV companies, they tend to be higher, I think, because it can be marketing for them. Who best benefits from people scared that the virtual sky is falling? Those you pay for protection, of course. :)</p>
<p>Really though, it is just all about knowledge and knowing what is going on in the world outside your network. No, we typically don&#8217;t do many things differently when an alert level goes up when we&#8217;re not affected by the causes. But I will say I think it is rare that many companies are truly prepared when the proverbial shit hits the fan on the Internet. We&#8217;re often too busy meeting business demands to meet our own internal security/preparedness/monitoring/knowledge demands.</p>
<p>I would say pick any dashboards or threat levels you like and watch them over time, especially the reasons for their colors and movement. Find one or two (if any) that make ya feel a bit more informed and stick to them. Personally, I like the isc.sans.org site. Their handlers are almost always informative and they seem to have a decent criterion for level movements.</p>
]]></content:encoded>
	</item>
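Added example, not part of the original post or of either commenter's text: a small Python triage script for the situation LonerVamp describes, an unexplained rise in hits on one destination port. It counts per-port firewall denies in a baseline window and in the current window, flags ports whose count jumped, and reports how many distinct sources hit each flagged port. That local evidence is what you would then compare against a community view such as the ISC port report before deciding whether it is Internet-wide background or something aimed at you. The iptables-style log lines, the addresses, the thresholds and the helper names are all constructed assumptions for this example.

```python
"""Flag destination-port spikes in firewall deny logs and summarise how many
distinct sources are behind each spike.  Added example with constructed data."""
from collections import Counter


def parse(line):
    """Turn an iptables-style 'KEY=VALUE' log line into a dict.

    Returns None for lines without PROTO/DPT fields (ICMP, non-firewall lines).
    """
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if "DPT" not in fields or "PROTO" not in fields:
        return None
    return fields


def port_counts(lines, proto="TCP"):
    """Count log lines per destination port for the given protocol."""
    counts = Counter()
    for line in lines:
        f = parse(line)
        if f and f["PROTO"] == proto:
            counts[int(f["DPT"])] += 1
    return counts


def distinct_sources(lines, port, proto="TCP"):
    """Set of source addresses that hit `port` over `proto`."""
    return {f.get("SRC", "?") for f in map(parse, lines)
            if f and f["PROTO"] == proto and int(f["DPT"]) == port}


def spikes(baseline, current, factor=5.0, min_hits=3):
    """Ports whose current count is at least `factor` times the baseline.

    A port absent from the baseline is treated as 1 hit so the ratio is
    defined; `min_hits` keeps one or two stray packets from being flagged.
    Returns {port: (baseline_count, current_count)}.
    """
    flagged = {}
    for port, n in current.items():
        base = baseline.get(port, 0)
        if n >= min_hits and n >= factor * max(base, 1):
            flagged[port] = (base, n)
    return flagged


def triage(baseline_lines, current_lines, factor=5.0):
    """Summarise each spiking port with its distinct-source count.

    Many sources on one newly popular port usually means Internet-wide
    scanning (worth checking a community port report); a single source
    hammering you is more likely targeted.
    """
    flagged = spikes(port_counts(baseline_lines), port_counts(current_lines), factor)
    return {port: {"baseline": base, "today": n,
                   "sources": len(distinct_sources(current_lines, port))}
            for port, (base, n) in flagged.items()}


# Constructed sample windows (hypothetical traffic, RFC 5737 test addresses).
def _line(src, proto, dpt):
    return (f"Dec 29 21:00:00 fw kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"LEN=60 PROTO={proto} SPT=51234 DPT={dpt}")


BASELINE_LOG = [
    _line("198.51.100.7", "TCP", 22), _line("198.51.100.8", "TCP", 22),
    _line("198.51.100.9", "TCP", 22), _line("203.0.113.4", "TCP", 445),
    _line("203.0.113.5", "TCP", 445), _line("203.0.113.6", "TCP", 38979),
]
TODAY_LOG = [
    _line("198.51.100.7", "TCP", 22), _line("198.51.100.9", "TCP", 22),
    _line("203.0.113.4", "TCP", 445), _line("203.0.113.5", "TCP", 445),
    _line("203.0.113.20", "UDP", 53),
] + [_line(f"203.0.113.{i}", "TCP", 38979) for i in (30, 31, 32, 33, 34, 35, 30, 31)]


if __name__ == "__main__":
    for port, info in triage(BASELINE_LOG, TODAY_LOG).items():
        print(f"tcp/{port}: {info['baseline']} hits yesterday, {info['today']} today "
              f"from {info['sources']} distinct sources; compare with a community port report")
```

On the constructed data only tcp/38979 is flagged: eight hits today against one yesterday, from six different sources, which is the "everyone is seeing it" pattern rather than a single host probing you. Tune `factor` and `min_hits` to your own deny volume; on a busy perimeter a five-fold jump on a quiet port is interesting, while the same ratio on port 22 is not.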
</channel>
</rss>

