Thursday, June 11, 2009

New papers in the SANS reading room

I have recently expanded my involvement with SANS by signing up as a Gold adviser. In addition to guiding students through writing their papers, advisers also review work that has been graded by the primary adviser. This endorsement creates an independent quality control review and makes it harder for sub-par papers to go through.

Some of the papers that I have reviewed recently are worth mentioning:

Robert Vandenbrink authored IOScat - a Port of Netcat's TCP functions to Cisco IOS. In the paper, he describes how to implement netcat-like functionality in Cisco IOS using the Tcl language. Any security pro should know about netcat and be familiar with how to use it, so a paper describing how to bring some of its functionality to IOS is a must read. 

As an aside: In a long and dark past, I also used to dabble with that language, and as a matter of fact, it is still the most popular download on this site. The tool I made is used by flightsim fananatics and is called PCProxy

Chris Mohan wrote Virtual Rapid Response Systems. The paper proposes to use virtual machines in incident response scenarios where there is no qualified handler on-site. While the approach may not scale up to large corporate environments without some tweaking, some of the ideas that were proposed are interested and can apply directly to users working for small and medium-sized enterprises.

As always with incident response, make sure that you keep records of what you do. Taking excellent notes is an absolute requirement, as is keeping track of the big pictures. I still develop a tool that assists with the latter: The application for incident response teams (AIRT) supports CSIRTS with the administrative overhead of incident response. The tool is currently in use by several national CSIRTs and institutes for higher education. If you are looking for an incident management product, please drop me a line and we'll talk.



No comments:

Post a Comment

Please share your view and opinions on what I wrote. In order to maintain quality, all comments will be moderated for merit. Contributions that call me out on statements that appear unfounded, wrong, or simply with which you disagree are highly appreciated and are even encouraged. Spam and 'me too' answers will be ignored.