On Jan 17th a posting about the release of DHS's 2011 Analyst Desktop Binder was covered in a bunch of locations, but it wasn't until now that I took a look. Thought I would pass it along in the event anyone wanted to read it (here). Aside from the monitored sites and keywords, noted below, a couple of other things should be noted.
1) Why are there common IDs and passwords for the systems that the analysts use? It seems to me that this would go against standard rules on attribution, etc.
2) Why are the passwords for those accounts stored in the Binder? Either they update the Binder every 90 days or no one changes the passwords. Seems like another violation.
3) I know full well the pains of managing security in a network; however, when you have to document your issues and release the Binder, it might move one to fix them. On page 37 it shows that an invalid certificate should be "clicked through". I can only imagine it's a self-signed cert.
4) Under the CyberSecurity phrases there are some really old ones: "Conficker", "2600", "Cain and Abel", etc. This is a shockingly old and small list of text identifiers of possible issues. I can only hope there is a much larger list that is actually monitored and kept up to date.
Keywords can be found on page 20 onward.