February 14, 2017 at 10:22 pm
Comments posted to this topic are about the item What Would Do if Your Company Was Targeted?
February 15, 2017 at 1:13 am
It is essential to get buy in from colleagues within IT, colleagues outside of IT and the management. There must be awareness that there is a potential threat with reminder of policies (such as anti-phishing ones) redistributed. There must be support from the management team.
It must be treated like a threat to government and/or military. Raise the current security threat level, evaluate and respond. I have never been in the military (thanks to those who have served) but I have benefited from many products and processes that are directly attributable to it.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
February 15, 2017 at 7:54 am
There may be a problem with the link distributed in the email. When I clicked the link it was an invalid address. When I removed "%09" from the end it found the page.
February 15, 2017 at 8:33 am
timwell - Wednesday, February 15, 2017 7:54 AMThere may be a problem with the link distributed in the email. When I clicked the link it was an invalid address. When I removed "%09" from the end it found the page.
I had reported to webmaster (the ever present Gina) and they cannot change the link so she added the correct one to the bottom of the tutorial. Of course, if you are reading this then you knew that anyway!!!
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
February 15, 2017 at 9:24 am
Firstly, clarify what is meant by targeted?
Being told that there is a suspicion that your systems have been breached is not the same thing as having your employees targeted in a social engineering attack.
Similarly, if your Active Directory has been hacked then make sure that that breach is plugged before changing any logins or passwords.
Observe, Orient, Decide, Act in that order.
In the list I would automate the auditing of logins and role membership so that changes were highlighted in a proactive manner and also a history trail of changes was maintained.
Checking to make sure that SQL Server services have different accounts and those are only administrative accounts on a specific instance.
February 15, 2017 at 11:48 am
David, I left it vague because it often is. I get that context matters though!
February 15, 2017 at 11:55 am
... This is different than responding to an attack. When you can see the attack you can take immediate steps to fight the problem - blocking an IP range for example. It’s harder when the threat hasn’t materialized yet and you’re trying to be ready for anything. ...
Most organization don't even know they were hacked until weeks, months or even years after the fact. So, I don't know how likely it would be for an organization to be warned ahead of time and the threat be credible. Without details about what specific type of attack is to be expected, then I guess the best response would be to review the security protocols and processes from top to bottom and confirm everything is in place.
I recall back to the year following the Sep 11 attacks when TV news channels would display the color coded terror thread barometer. It would always hover at yellow or above and sometimes elevate into orange for nonspecific reasons. Red was supposed to indicate an actual terror events in process, which would be helpful, but it was unclear what the public was expected to do different on orange days that we weren't already doing on the yellow days.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
February 15, 2017 at 12:04 pm
Gary Varga - Wednesday, February 15, 2017 8:33 AMtimwell - Wednesday, February 15, 2017 7:54 AMThere may be a problem with the link distributed in the email. When I clicked the link it was an invalid address. When I removed "%09" from the end it found the page.I had reported to webmaster (the ever present Gina) and they cannot change the link so she added the correct one to the bottom of the tutorial. Of course, if you are reading this then you knew that anyway!!!
I have noticed the links in SSC emails do not go directly to the destination, they always go through an address with a bunch of number like this:
http://www.sqlcentral.com/links/1508806/358973 (which is the link to get to this discussion from today's email. The address I corrected was where that redirected to.)
Of course they can't replace the links in the emails that were already sent out, but can they fix that link (with all the numbers) to send everyone from that email to the right place?
Just curious...
February 15, 2017 at 12:08 pm
Eric, I agree that warnings are unlikely, but then I had it happen and made a note to write about it:-) I think its a decent mock exercise - security guys give you a scenario, what do you do?
February 15, 2017 at 12:50 pm
Andy Warren - Wednesday, February 15, 2017 11:48 AMDavid, I left it vague because it often is. I get that context matters though!
My apologies Andy, I didn't intend it to be an aggressive response, just an honest answer.
I definitely identify with the vagueness of the statement. One of the challenges is that organisations are reluctant to discuss such things, even with their internal staff. Without specifics you can only guess at what the vulnerability might be and burn huge amounts of time searching for potential leaks.
February 15, 2017 at 1:19 pm
Things like firewall settings and locked down permissions can drift over time, even if they shouldn't. So, a threat warning is a wakeup call and a good reason to call department heads and senior level staff into the war room to review the security policies and remediation plan.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
Viewing 11 posts - 1 through 10 (of 10 total)
You must be logged in to reply to this topic. Login to reply