Many SAs, particularly those w/ MS platforms, don't recognize an incident when one occurs, let alone know how to conduct effective incident response...hint: port scanning the box from the outside and comparing the results to a list of default trojan ports is *NOT* effective IR.

If you don't believe me, browse the posts on the Incidents and Security-Basics lists. While I know full well that this small minority isn't a fair representation of the whole, it does give you an idea of who's doing what. Now, imagine the validity of the CSI/FBI survey if these same folks who are posting are responding to the survey. How many incidents have been misreported? If someone's not capable of recognizing, let alone responding to an incident, how effective is their input to a survey going to be?

But you can't blame the SAs. It's management who decides how many SAs there will be, how much and what type of training to allow, and whether to take security seriously, as a whole. SAs do what they need to do...if they need to helpdesk functions (unlock accounts, install software, clean up virus infections, etc.) then they do. If management took security seriously, and made it a priority, then so would the SAs.

If you want SAs to report "incidents" to LE, raise your hand.

If you're an SA, and you want to have to interact with LE, raise your hand.

If you're a manager, and you think that it's in the best interests of your company/organization for one of your junior SAs to be the company rep to the LEOs, raise your hand.

Everyone with your hands up, please leave the room.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/364/11758#11758