Threat Level: green Handler on Duty: Remco Verhoef

SANS ISC: Getting Ready for the Holidays - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Getting Ready for the Holidays
We had a couple reports from readers, who tried to contact abuse departments or notify companies about breached systems, only to receive a "vacation" reply indicating that the systems are on autopilot until sometime next year.

Unless you turn off the systems, they will still need a bit of watching and caring. Do you have someone on call in case the burglar alarm goes off? Make sure you have someone checking the 'abuse' or 'security' mailboxes once a day (at least). You may have them even forwarded to a pager if you can filter the spam.

And while I am on the topic: Make sure you do actually have an 'abuse' and a 'security' alias for all of your domains. There are a number of aliases you should define for each of your domains:

RFC2142 provides a number of references to other RFCs, and suggests the following aliases:
  • postmaster@domain (RFC822). This should exist on all mail servers. You should also have postmaster@IP-Address-of-the-mail-server.
  • usenet@domain (RFC977). I know a lot of people will write to say differently. But I consider usenet dead for all practical purposes. You can probably do without this address.
  • abuse@domain
  • trouble@domain
  • noc@domain
  • security@domain
Take a look at your domain name and IP address whois entries and make sure they are current. For IP addresses, you may just find your ISPs contact info, which is fine as long as they notify you.

Spam to these addresses has become a problem. I don't think there is a great solution, as some of the mail sent to these mail boxes may include copies of spam messages (even if you don't send them, others may impersonate you and you still want to know. Abuse reports are one way you will find out).

I can't find a reference right now  (but I am sure someone will write with the correct RFC for it), but it is commonly suggested to also maintain a '/security' URL on all your websites. This URL should be used to provide contact information for security issues and information about security patches or such for any products you may offer. But this standard, while usefull, is not widely implemented (is it still a 'standard'?).

Last but not least: Have fun this weekend. I think I will run some network cable in my house (already got the big drill, but still need one more Home Depot trip for some conduit). The holiday security guide should be live sometime tomorrow. We got some great input.




I will be teaching next: Defending Web Applications Security Essentials - SANS Security West 2019

Johannes

3481 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!