Intranet Journal
The online resource for intranet professionals
Tracking the Incident
For each system that is compromised, an incident tracking form should be filled out with as much information as possible. It is recommended that an incident form be created which outlines which details you'll be looking for. When the incident happens, the systems administrator simply fills out the form, before performing the recovery procedures.
The types of information that you will want to include on your incident tracking form are things like:
The Recovery Process
Once the incident tracking form has been completed, recovery of the system can begin. The systems administrator should then move forward with the pre-documented recovery procedures. These procedures, which should have been drafted prior to the incident, should include information unique to your intranet and organization such as:
Of critical importance is not just restoring your systems, but ascertaining the intruder's point of entry and securing that entry point. Did the intruder enter your network through a buffer overflow attack? If that is the case, installing a stack security product on the appropriate systems can prevent this from happening in the future.
Were any setuid files exploited? If that is the case, the permissions on these files need to be corrected, or some alternative file should be put in their place.
Were passwords compromised through a dictionary attack? You need to check and make sure your users are using secure passwords that use mixed-case characters and do not spell out words. Run a password cracker on your password lists and report weak passwords to management.
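The check described above, as an added example that is not part of the original article: a small policy audit that reads a user:password list and reports every password that fails the article's two rules (mixed case, no dictionary word). The word list, the sample password file and the minimum-length rule are assumptions constructed for this example; a real audit would load the system dictionary and a much larger word list.

```python
import re

# Constructed stand-in for a dictionary / common-password list (assumption:
# a real audit loads a full word list such as the system dictionary).
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "letmein", "admin"}

# Constructed sample list in user:password form (assumption: plaintext is
# available, e.g. freshly reset passwords; hashed lists need a cracker).
SAMPLE_PASSWORDS = """\
alice:Tr0ub4dor&3
bob:password
carol:SUMMER2001
dave:Welcome
erin:x9!Lq2#zP
"""

# Common letter-for-digit/symbol substitutions, undone before the word check
LEET = str.maketrans("013457@$!", "oleastasi")


def normalize(pw):
    """Lowercase and undo substitutions so 'P@ssw0rd' reads as 'password'."""
    return pw.lower().translate(LEET)


def weaknesses(pw, words=COMMON_WORDS, min_len=8):
    """Return the list of rules the password violates (empty if compliant).
    Mixed case and dictionary words are the article's rules; the minimum
    length is an added assumption."""
    problems = []
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    # Keep only letters so 'summer2001' is still matched against 'summer'
    core = re.sub(r"[^a-z]", "", normalize(pw))
    if any(w in core for w in words):
        problems.append("contains dictionary word")
    return problems


def audit(password_file_text, words=COMMON_WORDS):
    """Parse user:password lines; return {user: [problems]} for weak ones."""
    report = {}
    for line in password_file_text.splitlines():
        if not line.strip() or ":" not in line:
            continue  # skip blank or malformed lines
        user, pw = line.split(":", 1)
        problems = weaknesses(pw, words)
        if problems:
            report[user] = problems
    return report


if __name__ == "__main__":
    for user, problems in sorted(audit(SAMPLE_PASSWORDS).items()):
        print("%s: %s" % (user, "; ".join(problems)))
```

The report lists only the failing accounts, which is what management needs to see; the compliant ones are omitted so the output stays short on a large user base.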
If a firewall was installed and up and running, look at the log files for connection activity, and also look to make sure that the rules are configured properly. If too many holes were opened on the firewall to accommodate bellicose users, it's undoubtedly a good time to take back the firewall, tighten it up, and instruct the users on the merits of using a secure remote access VPN. If you don't have a firewall on your network, now is clearly the time to procure one and install it. A firewall pays for itself if it prevents even one incident from happening.
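The log review described above, as an added example that is not part of the original article: it parses firewall connection records, lists the connections the firewall accepted to services the organization never meant to expose (the "holes" that need closing), and counts denied attempts per source so you can see who was probing. The log format, the sample lines and the allowed-service policy are all constructed for this example and do not correspond to any particular firewall product.

```python
import re
from collections import Counter

# Constructed sample log in a simplified format assumed for this example
SAMPLE_LOG = """\
2001-06-12 03:14:05 ACCEPT TCP 203.0.113.7:51234 -> 192.0.2.10:80
2001-06-12 03:14:09 ACCEPT TCP 203.0.113.7:51240 -> 192.0.2.10:23
2001-06-12 03:15:11 DENY   TCP 198.51.100.4:40000 -> 192.0.2.10:22
2001-06-12 03:15:12 DENY   TCP 198.51.100.4:40001 -> 192.0.2.10:23
2001-06-12 03:15:13 ACCEPT TCP 198.51.100.4:40002 -> 192.0.2.10:21
2001-06-12 03:16:00 ACCEPT TCP 203.0.113.9:1025 -> 192.0.2.11:443
2001-06-12 03:16:30 ACCEPT UDP 203.0.113.9:1026 -> 192.0.2.11:53
"""

# Constructed policy: the services the organization intends to expose
ALLOWED_SERVICES = {("TCP", 80), ("TCP", 443), ("TCP", 25), ("UDP", 53)}

LINE_RE = re.compile(
    r"^(?P<date>\S+ \S+)\s+(?P<action>ACCEPT|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log_text):
    """Yield one dict per well-formed log line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def review(log_text, allowed=ALLOWED_SERVICES):
    """Return (holes, denied_by_source):
    holes   - accepted connections to (proto, port) pairs outside the policy,
              i.e. rules that are more permissive than intended
    denied_by_source - Counter of denied attempts per source address"""
    holes = []
    denied_by_source = Counter()
    for rec in parse(log_text):
        if rec["action"] == "DENY":
            denied_by_source[rec["src"]] += 1
        elif (rec["proto"], rec["dport"]) not in allowed:
            holes.append((rec["src"], rec["dst"], rec["proto"], rec["dport"]))
    return holes, denied_by_source


if __name__ == "__main__":
    holes, denied = review(SAMPLE_LOG)
    print("Accepted connections outside policy (tighten these rules):")
    for src, dst, proto, port in holes:
        print("  %s -> %s %s/%d" % (src, dst, proto, port))
    print("Denied attempts per source:")
    for src, n in denied.most_common():
        print("  %s: %d" % (src, n))
```

On the constructed log this flags telnet and FTP connections the firewall let through, both absent from the policy, and shows one source that was turned away twice before finding an open service; that pairing of a probing source with a permitted connection is exactly the pattern worth chasing during recovery.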
There are endless possibilities for points of entry. Go through a list of the various possible attack scenarios and see if one seems to fit the picture of your network and systems.
After the incident has been cleaned up, it is probably a good time to start thinking about procuring and installing an intrusion detection or prevention system. The good news is that there are quite a few sophisticated network and host intrusion detection products on the market today. Figure out which products make sense for your organization, and make it a priority to install them, monitor them, and understand their reporting capabilities.
Last, if your organization does not have the resources to recover from the incident, look for a consulting organization that specializes in incident recovery. When you interview these organizations, ask them what their action plan will look like. It is very possible they will not be able to give you references, even if they do a quality job, because many organizations do not want it revealed that they have suffered a security incident.
The best thing you can do is learn from the recovery process so that you can minimize the possibility of future incidents. If it makes you feel any better, it might be worth noting that almost all the large technology companies have been victims of security incidents at one time or another (though many have been adept at keeping such reports out of the Wall Street Journal).