
Incident Response Planning and Management Page 2


Laura Taylor


01/28/02


Tracking the Incident
For each system that is compromised, an incident tracking form should be filled out with as much information as possible. It is recommended that an incident form be created which outlines which details you'll be looking for. When the incident happens, the systems administrator simply fills out the form, before performing the recovery procedures.

The types of information that you will want to include on your incident tracking form are things like:

  • Host Name and IP Address
  • Operating System Name, Version, and Patch Level Found
  • Resident Applications (Versions and Patch Levels)
  • Log files reviewed (filenames and locations)
  • Evidence cited and Intruder Activity (files that have been changed, edited or removed, trojans)
  • Security Policy Breached (document which sections of your security policy have been breached, e.g. Section 3.2 Password Confidentiality)
  • Stakeholders (who uses, owns, or depends on this system, e.g. departments, customers)

The Recovery Process
Once the incident tracking form has been completed, recovery of the system can begin. The systems administrator should then move forward with the pre-documented recovery procedures. These procedures, which should have been drafted prior to the incident, should include information unique to your intranet and organization such as:

  • What media to use to install the system (and where to find the media)
  • Detailed installation procedures (or a pointer to the vendor installation guide)
  • License information for the operating system
  • License information for the applications
  • Special files that need editing (DNS, default router etc.)
  • Restoration of user data, accounts, and profiles
  • Restoration of symbolic links, mount points, or shares
  • Registry or kernel modifications
  • Restoration of high-availability or load-balancing functionality

Of critical importance is not just restoring your systems, but ascertaining the intruder's point of entry and securing that entry point. Did the intruder enter your network through a buffer overflow attack? If that is the case, installing a stack security product on the appropriate systems can prevent this from happening in the future.
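The two structures above (the incident tracking form and the ordered recovery procedure) fit naturally into one small record that an administrator can fill in and that refuses to let recovery start, or the incident close, until the right things have been done. The following is an added example written for this article, not code from the author or from Intranet Journal; the field names, the step names and the sample incident values are my own choices that mirror the lists in the text.

```python
import ipaddress
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Required entries on the incident tracking form (names are my own, mirroring
# the article's list). Applications are optional because a bare host may have none.
REQUIRED_FIELDS = (
    "host_name", "ip_address", "os_version", "os_patch_level",
    "log_files_reviewed", "evidence", "policy_sections_breached", "stakeholders",
)

# Recovery steps in the order the article lists them, plus the two the text
# stresses at the end: find the intruder's point of entry and secure it.
RECOVERY_STEPS = (
    "install_media_located",
    "os_reinstalled",
    "licenses_applied",
    "special_files_edited",            # DNS, default router, etc.
    "user_data_restored",
    "links_and_shares_restored",
    "registry_or_kernel_mods_applied",
    "ha_or_load_balancing_restored",
    "entry_point_identified",
    "entry_point_secured",
)


@dataclass
class IncidentRecord:
    host_name: str = ""
    ip_address: str = ""
    os_version: str = ""
    os_patch_level: str = ""
    applications: list = field(default_factory=list)       # (name, version, patch level)
    log_files_reviewed: list = field(default_factory=list)
    evidence: list = field(default_factory=list)           # changed/removed files, trojans
    policy_sections_breached: list = field(default_factory=list)
    stakeholders: list = field(default_factory=list)
    recovery_done: set = field(default_factory=set)
    opened_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

    def missing_fields(self) -> list:
        """Names of required form fields that are still empty or invalid."""
        missing = [name for name in REQUIRED_FIELDS if not getattr(self, name)]
        if self.ip_address:
            try:
                ipaddress.ip_address(self.ip_address)
            except ValueError:
                missing.append("ip_address (not a valid address)")
        return missing

    def can_begin_recovery(self) -> bool:
        """The form is filled out before the administrator touches the system."""
        return not self.missing_fields()

    def complete_step(self, step: str) -> None:
        """Record a finished recovery step; refuses until the form is complete."""
        if step not in RECOVERY_STEPS:
            raise ValueError(f"unknown recovery step: {step}")
        if not self.can_begin_recovery():
            raise RuntimeError("incident form incomplete; finish it before recovery")
        self.recovery_done.add(step)

    def remaining_steps(self) -> list:
        return [s for s in RECOVERY_STEPS if s not in self.recovery_done]

    def can_close(self) -> bool:
        """Closed only when every step, including securing the entry point, is done."""
        return not self.remaining_steps()

    def to_json(self) -> str:
        data = asdict(self)
        data["recovery_done"] = sorted(self.recovery_done)  # sets are not JSON
        return json.dumps(data, indent=2)


def demo() -> IncidentRecord:
    """Constructed sample incident: form complete, all steps done except the last."""
    rec = IncidentRecord(
        host_name="web01", ip_address="10.0.5.12",
        os_version="Example OS 4.2", os_patch_level="2001-12 cumulative",
        applications=[("httpd", "1.3", "latest")],
        log_files_reviewed=["/var/log/messages", "/var/log/httpd/access_log"],
        evidence=["/bin/ls replaced", "unknown setuid binary in /tmp"],
        policy_sections_breached=["Section 3.2 Password Confidentiality"],
        stakeholders=["Marketing", "external customers"],
    )
    for step in RECOVERY_STEPS[:-1]:
        rec.complete_step(step)
    return rec


if __name__ == "__main__":
    record = demo()
    print(record.to_json())
    print("remaining:", record.remaining_steps())
```

The gating is the point: `complete_step` will not run until `missing_fields()` is empty, and `can_close()` stays false until the entry point has been identified and secured, which is the step the article says is most often skipped in the rush to get a system back online.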


Were any setuid files exploited? If that is the case, the permissions on these files need to be corrected, or some alternative file should be put in their place.

Were passwords compromised through a dictionary attack? You need to check and make sure your users are using secure passwords that use mixed-case characters and do not spell out words. Run a password cracker on your password lists and report weak passwords to management.
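The two criteria the paragraph gives (mixed case, and not spelling out a word) can be turned into a small policy audit that reports weak accounts to management by username and reason only, never by password. This is an added example written for this article, not the author's code; the wordlist and account table are constructed, and the substitution table that undoes "P@ssw0rd"-style spellings before the dictionary check is my own addition.

```python
import re

# Constructed wordlist; a real audit would load a full dictionary file.
WORDLIST = {"password", "welcome", "summer", "dragon", "intranet", "admin", "letmein"}

# Common digit/symbol substitutions, undone before the dictionary check so that
# "P@ssw0rd" is still recognised as "password". My own small table.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "$": "s", "7": "t", "!": "i",
})


def has_mixed_case(password: str) -> bool:
    return any(c.islower() for c in password) and any(c.isupper() for c in password)


def spells_a_word(password: str, wordlist=WORDLIST) -> bool:
    """True if the password, with substitutions undone and non-letters stripped, is a word."""
    core = password.lower().translate(SUBSTITUTIONS)
    core = re.sub(r"[^a-z]", "", core)
    return core in wordlist


def check_password(password: str, wordlist=WORDLIST) -> list:
    """Return the list of policy failures; an empty list means the password passes."""
    reasons = []
    if not has_mixed_case(password):
        reasons.append("no mixed case")
    if spells_a_word(password, wordlist):
        reasons.append("spells a dictionary word")
    return reasons


def audit(accounts: dict, wordlist=WORDLIST) -> dict:
    """accounts maps username -> candidate password; returns only the weak ones."""
    return {user: r for user, pw in accounts.items() if (r := check_password(pw, wordlist))}


def report_lines(weak: dict) -> list:
    """Management report: usernames and reasons, no passwords."""
    return [f"{user}: {'; '.join(reasons)}" for user, reasons in sorted(weak.items())]


# Constructed sample accounts (not real credentials).
SAMPLE_ACCOUNTS = {"alice": "Tq7!kRv2", "bob": "summer", "carol": "P@ssw0rd"}

if __name__ == "__main__":
    for line in report_lines(audit(SAMPLE_ACCOUNTS)):
        print(line)
```

In practice the candidate passwords come from the cracker's output rather than from a plaintext table; the audit logic and the password-free report are the same either way.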

If a firewall was installed and up and running, look at the log files for connection activity, and also check that the rules are configured properly. If too many holes were opened on the firewall to accommodate bellicose users, it's undoubtedly a good time to take back the firewall, tighten it up, and instruct the users on the merits of using a secure remote access VPN. If you don't have a firewall on your network, now is clearly the time to procure one and install it. A firewall pays for itself if it prevents even one incident from happening.
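The two checks in that paragraph, reviewing the log for connection activity and reviewing the rule set for holes opened for users, can be done with a short script. Below is an added example written for this article (not the author's or any vendor's tooling): the log lines are constructed in a netfilter-style key=value format, the rule table is constructed, and the set of ports treated as "remote access that belongs behind a VPN" is my own assumption.

```python
import ipaddress
import re
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed firewall log lines (netfilter-style fields; not a real capture).
SAMPLE_LOG = """\
Jan 28 02:14:07 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=10.0.5.12 PROTO=TCP SPT=51234 DPT=80
Jan 28 02:14:09 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=10.0.5.12 PROTO=TCP SPT=51240 DPT=23
Jan 28 02:15:11 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.5.12 PROTO=TCP SPT=4444 DPT=445
Jan 28 02:16:30 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.5.13 PROTO=TCP SPT=40001 DPT=23
Jan 28 02:17:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.12 DST=203.0.113.9 PROTO=TCP SPT=33000 DPT=443
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    """Return one dict per parseable line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def accepted_inbound(entries: list) -> list:
    """Connections the firewall let through from outside to an internal host."""
    return [e for e in entries
            if e["action"] == "ACCEPT" and not is_internal(e["src"]) and is_internal(e["dst"])]


def summarize(entries: list) -> Counter:
    """Count accepted inbound connections per (destination, protocol, port)."""
    return Counter((e["dst"], e["proto"], e["dpt"]) for e in entries)


# Constructed rule table in the same spirit as the log.
RULES = [
    {"action": "ACCEPT", "src": "0.0.0.0/0", "dst": "10.0.5.12/32", "proto": "tcp", "dpt": 80},
    {"action": "ACCEPT", "src": "0.0.0.0/0", "dst": "10.0.0.0/8", "proto": "tcp", "dpt": 23},
    {"action": "ACCEPT", "src": "203.0.113.0/24", "dst": "10.0.5.20/32", "proto": "tcp", "dpt": 22},
]

# Assumption: services a user should reach over the VPN, not directly from the Internet.
REMOTE_ACCESS_PORTS = {22, 23, 3389, 445, 5900}


def overly_broad_rules(rules: list) -> list:
    """Accept rules that let any source on the Internet reach a remote-access service."""
    any_src = ipaddress.ip_network("0.0.0.0/0")
    return [r for r in rules
            if r["action"] == "ACCEPT"
            and ipaddress.ip_network(r["src"]) == any_src
            and r["dpt"] in REMOTE_ACCESS_PORTS]


if __name__ == "__main__":
    inbound = accepted_inbound(parse_log(SAMPLE_LOG))
    for (dst, proto, dpt), n in sorted(summarize(inbound).items()):
        print(f"{dst} {proto}/{dpt}: {n} accepted inbound connection(s)")
    for r in overly_broad_rules(RULES):
        print("tighten:", r)
```

Point the log parser at the real firewall log and the rule list at an export of the real rule set; the accepted inbound summary shows what the firewall actually let through around the time of the incident, and the rule check lists the holes that should be closed and replaced with VPN access.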

There are endless possibilities for points of entry. Go through a list of the various possible attack scenarios and see if one seems to fit the picture of your network and systems.


After the incident has been cleaned up, it is probably a good time to start thinking about procuring and installing an intrusion detection or prevention system. The good news is that there are quite a few sophisticated network and host intrusion detection products on the market today. Figure out which products make sense for your organization, and make it a priority to install them, monitor them, and understand their reporting capabilities.

Last, if your organization does not have the resources to recover from the incident, look for a consulting organization that specializes in incident recovery. When you interview these organizations, ask them what their action plan will look like. It is very possible they will not be able to give you references, even if they do a quality job, because many organizations do not want it revealed that they have suffered a security incident.

The best thing you can do is learn from the recovery process so that you can minimize the possibility of future incidents. If it makes you feel any better, it might be worth noting that almost all the large technology companies have been victims of security incidents at one time or another (though many have been adept at keeping such reports out of the Wall Street Journal).
