2005-04-01

On Vulnerability Assessment, and Internet Reconnaissance

Today I will be discussing two completely unrelated topics, both involving very recent events.

Vulnerability Assessment
Yesterday, I was privileged to have a project of mine presented as part of the SANS WhatWorks series. Bill Geimer, my boss and the manager of the contract, presented along with the other engineer involved, Brent Duckworth. The presentation gave an excellent high-level outline of the challenges in implementing an enterprise-class vulnerability assessment/management system, and highlighted how to run such a project smoothly and properly. This was certainly one of the most successful InfoSec projects I've been involved with, and I was happy to see it highlighted to a global audience. By the close of the webinar, over 800 attendees had connected. I was pleased to see so many individuals interested in our work.

The presentation is still available online. If you're interested in effectively using vulnerability assessment tools in an enterprise or business environment, I highly recommend you listen to it. I will write a much more technical entry on designing effective vulnerability assessment tools later, once my research on Component-based Design of Vulnerability Assessment Tools with CORBA is complete in a few weeks. I would also be more than happy to answer any questions regarding the project here, but the reader should understand that some specific questions may touch on sensitive information and will be deferred.

Internet Reconnaissance: TCP/1025
Moving on to a more serious and technical subject, one network that I monitor has seen an enormous increase in TCP/1025 scans. The network saw nearly 2.6 million requests for this service over the 24-hour period yesterday, from 10,820 unique sources, compared to just a few thousand in previous weeks. According to IANA, this port is reserved for "network blackjack," but I doubt 10,820 people suddenly got the internet gambling+hacking bug in the same day. This was mentioned yesterday in the Internet Storm Center's diary. If anyone has any helpful information on this, please contact the handlers at the ISC so this information can get compiled and analyzed quickly. This is the kind of activity that can precede (and has in the past) a huge attack that affects everyone.
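As an added example (not code from the original post), here is one way a defender can surface this kind of surge from firewall deny logs: aggregate per destination port, count requests and unique sources, and flag any port that exceeds its usual daily baseline by a factor. The log format, sample lines and baseline values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall deny lines (iptables-style); real formats differ.
SAMPLE_LOG = """\
Mar 31 00:01:02 fw kernel: DROP SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=1025
Mar 31 00:01:03 fw kernel: DROP SRC=203.0.113.9 DST=198.51.100.11 PROTO=TCP DPT=1025
Mar 31 00:01:04 fw kernel: DROP SRC=203.0.113.5 DST=198.51.100.12 PROTO=TCP DPT=1025
Mar 31 00:01:05 fw kernel: DROP SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP DPT=445
Mar 31 00:01:06 fw kernel: DROP SRC=192.0.2.78 DST=198.51.100.10 PROTO=TCP DPT=1025
Mar 31 00:01:07 fw kernel: DROP SRC=192.0.2.78 DST=198.51.100.13 PROTO=TCP DPT=1025
"""

LINE_RE = re.compile(r"SRC=(\S+) .*?PROTO=TCP DPT=(\d+)")

def summarize(log_text):
    """Return {dst_port: (request_count, unique_source_count)} for TCP lines."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:          # skip non-TCP or unparseable lines
            continue
        src, port = m.group(1), int(m.group(2))
        hits[port] += 1
        sources[port].add(src)
    return {p: (hits[p], len(sources[p])) for p in hits}

def flag_surges(summary, baseline, factor=4):
    """Return ports whose request count OR unique-source count is at least
    `factor` times the baseline (requests, sources) for that port. Ports with
    no baseline history use (1, 1), so any new port with activity stands out."""
    flagged = {}
    for port, (reqs, srcs) in summary.items():
        base_reqs, base_srcs = baseline.get(port, (1, 1))
        if reqs >= factor * base_reqs or srcs >= factor * base_srcs:
            flagged[port] = (reqs, srcs)
    return flagged

# Constructed baseline: typical daily (requests, unique sources) per port.
BASELINE = {1025: (1, 1), 445: (5, 5)}

if __name__ == "__main__":
    for port, (reqs, srcs) in flag_surges(summarize(SAMPLE_LOG), BASELINE).items():
        print(f"TCP/{port}: {reqs} requests from {srcs} unique sources (surge)")
```

Tracking unique sources separately from raw request counts matters here: a handful of noisy hosts can inflate a request count, while a jump in distinct sources is what distinguishes a coordinated scan.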
