Comments on: Lucky for NSM — Extracting files from TFTP packets in Wireshark

By: Marcin

Marcin — Wed, 14 May 2008 17:51:40 +0000

Candy.

By: Kenny

Kenny — Mon, 12 May 2008 14:39:30 +0000

You left out the most important part.

What was in those rar files?

By: Marcin

Marcin — Thu, 08 May 2008 20:34:58 +0000

@ CG: I did not bother, nor have time to investigate those details. The client also told us they reconstructed the attack and knew what vulnerability was exploited.

@ Sam: Dre could not have explained it any better for me. SLA or not, you have a personal stake (your job and reputation) whereas an MSSP merely has a contract.

By: dre

dre — Thu, 08 May 2008 20:19:08 +0000

@ Sam: Do you get an SLA for “degree of caring” with your providers? ;>

Honestly, there is a place for business-process outsourcing. For parts of the organization covered by SOX, GBLA, HIPAA, and PCI, I typically could care less if it’s MSSP or not most of the time.

The misconception of outsourcing/SaaS is that you have to outsource “everything”. Outsourcing the parts of your business that you care less about often makes sense. However, every company should still have an incident response plan and/or team that can deal with the most risky issues — for example, the risky scenario that the MSSP be fired on the spot due to a breach in their network that causes a breach in yours.

The difficulty that executives and security professionals have with concepts such as “scoping” and “segmentation” seem to bother me exponentially everyday. There is no silver bullet. There is no one true answer. Security is a process, not a product.

By: Sam Van Ryder

Sam Van Ryder — Wed, 07 May 2008 19:28:23 +0000

On your last comment about MSSP’s: Depends on your SLA. Hopefully, you have some recourse you can take because they didn’t meet the SLA.

By: CG

CG — Tue, 06 May 2008 13:33:13 +0000

Cool post, were you able to determine what the attacker used to exploit the server? depending on how they got in, that could point to bigger problems on the network.