Dan,

This sounds like a great step forward. I've had the impression from several participants that they have been 'scared off' from asking questions of the 'newbie' variety by some Bart Simpson-esque responses (Doh!). A weekly "Incidents 101" would give the "newbie questions" a forum where hopefully the more experienced (whatever that means) survivors can recognize the questions from their past and provide valuable input. Whether we like the environment or not, we are all in this thing together; it can only bode well if the level of expertise (except for those lurking black hats) is increased in this manner. A great idea.

Thanks

To: incidentsat_private
Subject: Administrivia...

Hi list.

I have been doing some thinking over the last week, specifically over the increasing number of "I think my machine got owned, what do I do" or "My IDS told me that I have a trojan, how do I clean it" messages. In many cases, I will reject the messages with pointers to some of the securityfocus articles, sans practicals, and "tool" sites (like sysinternals, nc, tcpdump, etc) that I am aware of. In some cases, the poster responds with more information, but still not enough. In others, they simply repost what they posted the first time. Occasionally, if the description sounds like something possibly novel, I let it through the first time in the interests of speed.

In the interests of trying to increase the level of discussion on this list, I would like to minimize these posts. I thought that a weekly "Incidents-Basics FAQ" might be useful. As I see all the posts I reject, I think I have a pretty good idea of what would be helpful, but the community on this list gives the value, therefore I would like to open this up to everyone. Feel free to respond to the list, or me privately, with suggestions. What I am hoping to develop is some of the most common questions, the simple answers, and where to go for more information.
The thing I would like to keep in mind is that many people thrust into a security response role from a standard admin role are unprepared, and don't even have a good idea of where to start. The goal of this FAQ is to give them a place to start.

Thanks for the time.

D

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 10:02:58 PDT