[anti-abuse-wg] Adding a "Security Information" contact?
Suresh Ramasubramanian
ops.lists at gmail.com
Sat Jun 11 09:07:29 CEST 2022
Yes, this simply adds to paperwork and extra coding. It should be relatively trivial with an abuse report / IR oriented ticketing system to separate out genuine DDoS from random desktop firewall complaints about port scans from spam reports from all the outright spam that directly reaches such accounts.

From: anti-abuse-wg <anti-abuse-wg-bounces at ripe.net> on behalf of Carlos Friaças via anti-abuse-wg <anti-abuse-wg at ripe.net>
Date: Saturday, 11 June 2022 at 12:28 PM
To: Ángel González Berdasco <angel.gonzalez at incibe.es>
Cc: gert at space.net <gert at space.net>, anti-abuse-wg at ripe.net <anti-abuse-wg at ripe.net>
Subject: Re: [anti-abuse-wg] Adding a "Security Information" contact?

Hi,

(CSIRT hat on)

I don't really agree with the vision where the taxonomy needs to be overloaded into object fields.

I always perceived the abuse-c field already as the security-c. People interested in processing security/abuse issues will take messages received on the abuse-mailbox: seriously.

Moreover, there are also irt objects.

Regards,
Carlos

On Tue, 7 Jun 2022, Ángel González Berdasco via anti-abuse-wg wrote:

> On Tue, 07-06-2022 at 13:14 +0200, Gert Doering wrote:
>> Hi,
>>
>> On Tue, Jun 07, 2022 at 11:02:19AM +0000, Ángel González Berdasco via anti-abuse-wg wrote:
>>> I don't think the problem would be to add a new attribute if needed.
>>> The problem would be to *define* what should go there (and then get everyone downstream to use that new attribute)
>>
>> This... so, what would you suggest?
>>
>> Gert Doering
>> -- NetMaster
>> --
>
> I would use the Reference Security Incident Taxonomy (RSIT) as the classification source, which is the taxonomy used by (most of) the CSIRT community. See [1]
>
> So the PTY-MAXGROBECKER network could have:
>
> abuse-c: GROBECKER-ABUSE
>
> and the GROBECKER-ABUSE object:
> abuse-mailbox: general at abuse.grobecker.info
> abuse-mailbox-vulnerable: vulnerability-reports at abuse.grobecker.info
> abuse-mailbox-fraud: fraudabuses at abuse.grobecker.info
>
> where 'vulnerable', 'fraud', etc. are the machine readable tags defined in the RSIT for the values in the classification column.
>
> Thus, when CERT BUND wanted to report an unpatched Confluence, they would have an incident of type "Vulnerable → Vulnerable System", find that there is an 'abuse-mailbox-vulnerable' attribute and report it there.
>
> Whereas if it was a phishing landing page (incident of type Fraud → Phishing), that would go to fraudabuses at abuse.grobecker.info (from 'abuse-mailbox-fraud').
>
> But if it was a host sending out spam (incident classification Abusive Content → Spam), having no "abuse-mailbox-abusive-content", it would fall back to abuse-mailbox and direct it to general at abuse.grobecker.info.
>
> Does something like this seem sensible to others?
>
> Best regards
>
> 1- https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force/blob/master/working_copy/humanv1.md
>
> --
> INCIBE-CERT - Spanish National CSIRT
> https://www.incibe-cert.es/
> PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys
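The contact lookup Ángel sketches in the quoted proposal (try abuse-mailbox-<tag> for the incident's RSIT class, fall back to the plain abuse-mailbox), as an added Python example that is not part of the thread or of the RIPE Database software: the object text, the RSIT tag table and the function names are constructed for this illustration, and the proposal's "at"-obfuscated addresses are written with a plain @.

```python
import re

# Constructed object text in RPSL "attribute: value" style, using the three
# mailboxes from the quoted proposal (a hypothetical GROBECKER-ABUSE object).
GROBECKER_ABUSE = """\
role:                     Grobecker abuse handling (constructed)
nic-hdl:                  GROBECKER-ABUSE
abuse-mailbox:            general@abuse.grobecker.info
abuse-mailbox-vulnerable: vulnerability-reports@abuse.grobecker.info
abuse-mailbox-fraud:      fraudabuses@abuse.grobecker.info
source:                   EXAMPLE
"""

# RSIT classification column -> machine-readable tag, for the classes the
# thread mentions; assumed spellings, check against the RSIT document [1].
RSIT_TAGS = {"Abusive Content": "abusive-content", "Fraud": "fraud",
             "Vulnerable": "vulnerable"}

ATTR_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")


def parse_object(text):
    """Parse one RPSL-style object into {attribute: [values]}; attributes may
    repeat, and indented continuation lines extend the previous value."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and last:
            attrs[last][-1] += " " + line.strip()
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"not an attribute line: {line!r}")
        attrs.setdefault(m.group(1), []).append(m.group(2).strip())
        last = m.group(1)
    return attrs


def select_mailbox(attrs, classification):
    """Mailbox for an RSIT classification: abuse-mailbox-<tag> if the object
    has one, else the plain abuse-mailbox, else None (no usable contact)."""
    tag = RSIT_TAGS.get(classification)
    candidates = [f"abuse-mailbox-{tag}"] if tag else []
    for key in candidates + ["abuse-mailbox"]:
        if attrs.get(key):
            return attrs[key][0]
    return None
```

An unknown classification, or one without a dedicated attribute, lands on abuse-mailbox exactly as the spam case in the proposal does; an object with no abuse-mailbox at all yields None so the caller can flag it rather than guess.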