
Establish sources of information


Once your filtered warnings system has been installed and configured, and you have Members subscribed to the WARP, you will need to locate and use reliable alert information sources. You will need to give this some consideration. Your purpose is to provide your Members with relevant and timely alerts - not with esoteric hyperbole. So you are looking for reliable and trusted sources - and ideally, you want the information to come to you rather than you having to go looking for it. There are many methods, and many sources you can use; but you will need to select what suits you, your resources, and your Members best. The biggest danger is simply trying to keep up to date with too much information. Many sources are listed below; and there are many others not included. Frankly, it will be worth monitoring as many as you can for a short period, and then ruthlessly eliminating those that don't give you a good return on your time.

Five potential methods:

  1. Peer-to-peer with other WARPs

  2. Mailing lists

  3. RSS feeds

  4. Blogs

  5. URL change detection

NOTE: CPNI do not warrant the contents of these sources and accept no liability for any loss arising from the use of or inability to use the contents of these sources of information. See the WARP for Schools Toolbox terms and conditions.

 

1. Peer-to-peer (P2P)

The FWA software has an inbuilt P2P capability that will allow you to accept a feed from other trusted WARPs. In theory, this is the most time-effective method of receiving and sending out warnings to your Members - all you need do is look at the received warning (already parsed into the correct format for transmission) and simply decide whether it is relevant to your Members.

But high reliance on this approach requires a high degree of trust in the feeding WARP: trust that it does its warnings correctly, and trust that it doesn't miss any important warnings.

You can get a list of other WARPs (that is, potential P2P sources) from the WARP Register.

 


2. Mailing lists

Most of the national CERTs, and many of the leading security vendors, operate security mailing lists and/or RSS feeds - and it is certainly worth subscribing to a few of these. But be aware of the motives. National CERTs seek to protect their national infrastructures. The result is that they are highly reliable, but not always timely (most have a policy of not issuing a vulnerability notice until a patch or workaround is available). Security vendors, however, are ultimately seeking to promote their own products. As a result, there sometimes seems to be a race to see which vendor can get the most dramatic warning out first. In short, CERT warnings can seem to be understated, while vendor warnings can seem to be overstated. This, of course, applies whether you are subscribed to a mailing list, receiving an RSS feed, or simply looking at a press release.

| List | URL | Type |
|---|---|---|
| AusCERT National Alerts Service | https://www.auscert.org.au/msubmit.html?it=3057 | CERT |
| debian-security-announce | http://lists.debian.org/debian-security-announce/ | Linux vendor |
| InfoSec News | http://www.infosecnews.org/mailman/listinfo/isn | Information security news articles |
| SecurityFocus | http://www.securityfocus.com/archive | Many lists; could be a case of 'too much information' |
| Ubuntu Security Announcements | https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce | Linux vendor |

 


3. RSS Feeds

Many news sources now provide RSS feeds. This is useful since you will automatically receive information about a new story as soon as it is available. You will need an RSS reader for this. There are many free readers available, and some are already built into other products such as browsers and mail clients. The one you choose is ultimately simply a matter of personal preference.

Which RSS feeds you take is also a matter of preference. It is worth subscribing liberally, but then ruthlessly eliminating all of those that aren't seriously useful. If you don't do this you are likely to find your time consumed unproductively, or - even worse - you'll stop looking at your feeds altogether.

| RSS Feed | URL |
|---|---|
| CA Security Advisor Threat Alerts | http://www.my-etrust.com/alertservice/pg.aspx?f=mix |
| FreeBSD Security Advisories | http://www.freebsd.org/security/advisories.rdf |
| Full Disclosure (fulldisclosure) Mailing List | http://seclists.org/rss/fulldisclosure.rss |
| Gentoo Linux Security Advisories | http://www.gentoo.org/rdf/en/glsa-index.rdf |
| iDefense Public Vulnerability Disclosures | http://labs.idefense.com/rss/intelligence.rss.php?type=vulnerabilities |
| Latest Security Advisories (Microsoft) | http://www.microsoft.com/technet/security/advisory/RssFeed.aspx?securityadvisory |
| Mandriva Security Advisories Feed | http://www.mandriva.com/en/rss/feed/security |
| National Vulnerability Database | http://nvd.nist.gov/download/nvd-rss.xml |
| NOVELL: Security Solutions | http://www.novell.com/newsfeeds/rss/securitySolutions.xml |
| Oracle Security Alerts | http://www.oracle.com/technology/syndication/rss_otn_sec.xml |
| Packet Storm Security Advisories | http://packetstormsecurity.org/advisories.xml |
| Packet Storm Security Exploits | http://packetstormsecurity.org/exploits.xml |
| Red Hat Errata | https://rhn.redhat.com/rpc/recent-errata.pxt |
| SecurityFocus Vulnerabilities | http://www.securityfocus.com/rss/vulnerabilities.xml |
| Sophos latest virus alerts | http://feeds.sophos.com/en/rss2_0-sophos-latest-viruses.xml |
| Sun Alerts | http://blogs.sun.com/security/feed/entries/rss |
| US-CERT Current Activity | http://www.us-cert.gov/current/index.rdf |
| US-CERT Cyber Security Bulletins | http://www.us-cert.gov/channels/bulletins.rdf |
| US-CERT Technical Cyber Security Alerts | http://www.us-cert.gov/channels/techalerts.rdf |
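The feeds listed here come in two formats, RSS 2.0 (.xml/.rss) and RSS 1.0 (.rdf), and the advice to subscribe liberally and then prune needs a number to prune by. The following is an added example, not part of the original toolbox or the FWA software: it parses both formats, surfaces new items that mention products your Members run, and reports each feed's hit rate. The feed contents, feed names and keywords are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample feeds (not real advisories): one RSS 2.0, one RSS 1.0/RDF.
# Feeds are untrusted input; a hardened parser such as defusedxml is a sensible swap.
RSS2 = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example Vendor Alerts</title>
<item><title>Critical flaw in ExampleOffice macro handling</title><link>https://vendor.example/a1</link></item>
<item><title>Webinar: ten reasons to buy our gateway</title><link>https://vendor.example/a2</link></item>
<item><title>Product of the year award announced</title><link>https://vendor.example/a3</link></item>
</channel></rss>"""

RDF = """<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/">
<channel rdf:about="https://cert.example/"><title>Example CERT Bulletins</title></channel>
<item rdf:about="https://cert.example/b1"><title>ExampleOffice update fixes remote code execution</title><link>https://cert.example/b1</link></item>
<item rdf:about="https://cert.example/b2"><title>ExampleBrowser patch available</title><link>https://cert.example/b2</link></item>
</rdf:RDF>"""

def local(tag):
    # Strip the "{namespace}" prefix that RSS 1.0 elements carry.
    return tag.rsplit("}", 1)[-1]

def parse_items(xml_text):
    """Return (title, link) for every item in an RSS 2.0 or RSS 1.0 (RDF) feed."""
    root = ET.fromstring(xml_text)
    items = []
    for el in root.iter():
        if local(el.tag) == "item":
            fields = {local(c.tag): (c.text or "").strip() for c in el}
            items.append((fields.get("title", ""), fields.get("link", "")))
    return items

def triage(feeds, keywords, seen):
    """Per feed: relevant items not seen before, and the share of items that were relevant."""
    report = {}
    for name, xml_text in feeds.items():
        items = parse_items(xml_text)
        hits = [(t, l) for t, l in items if any(k in t.lower() for k in keywords)]
        new = [(t, l) for t, l in hits if l not in seen]
        seen.update(l for _, l in items)  # remember links so repeat polls stay quiet
        rate = len(hits) / len(items) if items else 0.0
        report[name] = {"new": new, "hit_rate": rate}
    return report
```

A feed whose hit rate stays low over the trial period is a candidate for elimination; keyword matching on titles is deliberately crude and will miss advisories that name a product only in the body.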

 


4. Blogs

Security blogs are an excellent means of keeping up to date with the latest thinking in security. Security bloggers are often big names in the security industry, and deliver cutting edge opinions and news. Whether they are a valuable source of information on latest threats and vulnerabilities is debatable; but it is worth having a look at a few and deciding for yourself. Once again, however, the danger is that monitoring interesting security blogs will vacuum up more spare time than you actually have...

Blogs often provide RSS feeds and can be incorporated into your RSS Reader. The following may be worth examining - but there are dozens of other very good blogs not included here.


| Title | URL | Description |
|---|---|---|
| Light Blue Touchpaper | http://www.lightbluetouchpaper.org/feed/ | Security Research, Computer Laboratory, University of Cambridge |
| Schneier on Security | http://www.schneier.com/blog/index.xml | A weblog covering security and security technology |
| Security Adviser | http://weblog.infoworld.com/securityadviser/rss.xml | Blog/RSS news from InfoWorld |
| Aviv Raff On .NET - Security | http://aviv.raffon.net/SyndicationService.asmx/GetRssCategory?categoryName=Security | Blog available as RSS |
| F-Secure Antivirus Research Weblog | http://www.fsecure.com/weblog/weblog.rdf | Weblog of F-Secure Antivirus Research Team (RSS) |

 


5. URL Change Detection

If you sign up to a change detection service, you can be notified automatically whenever a page you have chosen to monitor changes. This can be useful if you monitor the news index pages of selected security vendors or researchers. One change detection service can be found at http://www.ChangeDetection.com/. The best thing to do is experiment with what suits you - but the following few are examples you could examine.

| Company | URL to monitor | Content |
|---|---|---|
| IBM Internet Security Systems | http://xforce.iss.net/xforce/alerts | ISS X-Force delivers information on threats and vulnerabilities |
| McAfee | http://www.mcafee.com/us/about/press/corporate_2007.html | McAfee's news index |
| Microsoft | http://www.microsoft.com/presspass/default.asp | Microsoft's news release page for journalists - you need to look for security relevance |
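How change detection on a news index page can work, as an added example that is not the method of any particular service: fingerprint only the visible text, so that script noise and whitespace do not raise false alarms, and report the lines that are new. The page snapshots and the monitored URL are constructed placeholders; fetching the page is left out so the example runs offline.

```python
import hashlib
from html.parser import HTMLParser

class TextOnly(HTMLParser):
    """Collect visible text, ignoring <script> and <style> content."""
    SKIP = {"script", "style"}
    def __init__(self):
        super().__init__()
        self.lines, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        text = " ".join(data.split())  # collapse whitespace runs
        if text and not self._skip:
            self.lines.append(text)

def visible_lines(html):
    parser = TextOnly()
    parser.feed(html)
    parser.close()
    return parser.lines

def fingerprint(html):
    return hashlib.sha256("\n".join(visible_lines(html)).encode()).hexdigest()

def check(url, html, state):
    """Update state for url; return the text lines that were not on the previous snapshot."""
    old = state.get(url)
    digest, lines = fingerprint(html), visible_lines(html)
    state[url] = {"digest": digest, "lines": lines}
    if old is None or old["digest"] == digest:
        return []  # first sighting or no visible change
    return [line for line in lines if line not in old["lines"]]

# Constructed snapshots of a hypothetical alerts index page.
V1 = "<html><head><script>var t=1111;</script></head><body><h1>Security alerts</h1><ul><li>Alert 12: ExampleServer patch</li></ul></body></html>"
V2 = "<html><head><script>var t=2222;</script></head><body>\n <h1>Security  alerts</h1><ul>\n<li>Alert 12: ExampleServer patch</li></ul></body></html>"
V3 = V1.replace("</ul>", "<li>Alert 13: ExampleMail worm</li></ul>")
```

Pages that embed dates, counters or rotating banners in their visible text will still trigger on every poll, so such regions need excluding before the digest is taken.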

 

Now that you have identified and established the sources you will use, the next step is to test your system.

 

© Crown copyright 2004
Published : 19-Apr-2007