- Eradication
- Recovery
5.3.1. Preparation
When it comes to incident handling, planning is everything and preparation plays a
vital role. It is very important to have a policy in place that covers the organization's
approach to dealing with an incident. The policy usually covers the following items:
- If an incident occurs, will law enforcement officials be notified, or will the
  company keep silent?
- If an incident happens, will the company clean up the effects of the incident, or
  carry on as if nothing had happened in order to catch the intruder?
- Guidance for other parts of the organization and for other companies on that incident.
The people working in the incident handling team should be chosen so that they:
- Are smart and experienced
- Are team players
- Can work under immense pressure
Training is critical for each member of the incident handling team.
Reaction time to an incident is absolutely critical. One way to minimize the reaction
time is to use jump bags. Such a bag should be easily accessible and should contain
everything needed to respond to an incident, such as contact numbers, checklists,
network cables, hard drives, hubs and a PC with the necessary tools.
5.3.2. Identification
Possible signs of an incident are listed below:
- IDS alert
- Unexplained entries in a log file
- Failed logon attempts
- System reboots
- Poor system performance
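Two of the signs above, failed logon attempts and system reboots, can be picked out of ordinary system logs mechanically. The following is an added example written for this page (it is not code from the book): it triages a constructed set of syslog-style lines, flags a burst of failed logons from one source, a successful logon from that same source shortly after the failures, and a reboot outside an assumed maintenance window. The log format, the thresholds and the maintenance hours are all assumptions chosen for the example.

```python
"""Added example: simple log triage for two incident indicators.

Assumptions (not from the book): syslog-style lines with sshd and kernel
messages, a failure threshold of 4 attempts in 10 minutes, and a
maintenance window of 06:00-21:59 during which reboots are expected.
"""
import re
from collections import defaultdict

# Constructed sample lines in a syslog-like format (illustrative, not real logs).
SAMPLE_LOG = """\
Mar 12 02:14:01 srv1 sshd[811]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 12 02:14:03 srv1 sshd[811]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar 12 02:14:05 srv1 sshd[811]: Failed password for admin from 203.0.113.7 port 51236 ssh2
Mar 12 02:14:07 srv1 sshd[811]: Failed password for admin from 203.0.113.7 port 51237 ssh2
Mar 12 02:14:09 srv1 sshd[811]: Failed password for oracle from 203.0.113.7 port 51238 ssh2
Mar 12 02:14:11 srv1 sshd[811]: Accepted password for admin from 203.0.113.7 port 51239 ssh2
Mar 12 02:31:44 srv1 kernel: [    0.000000] Linux version 5.10.0 (constructed)
Mar 12 08:00:12 srv1 sshd[990]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Mar 12 08:00:20 srv1 sshd[990]: Accepted password for alice from 198.51.100.4 port 40023 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPT_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")
BOOT_RE = re.compile(r"kernel: .*Linux version")  # a kernel banner means the host booted
TIME_RE = re.compile(r"^\w{3} +\d{1,2} (\d{2}):(\d{2}):(\d{2})")


def _seconds(line):
    """Seconds since midnight from the syslog timestamp (assumes one day of logs)."""
    h, m, s = (int(x) for x in TIME_RE.match(line).groups())
    return h * 3600 + m * 60 + s


def triage(log_text, fail_threshold=4, window_seconds=600, maintenance_hours=range(6, 22)):
    """Return a list of findings as (kind, details...) tuples.

    kinds: 'failed_logon_burst'        (source, count in window)
           'success_after_failures'    (source, user, recent failure count)
           'reboot_outside_maintenance'(host, hour)
    """
    findings = []
    fails = defaultdict(list)  # source address -> timestamps of failed logons
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            fails[m.group("src")].append(_seconds(line))
            continue
        m = ACCEPT_RE.search(line)
        if m:
            # A success right after many failures from the same source is the
            # pattern to look at first: a guessed or reused password.
            src, t = m.group("src"), _seconds(line)
            recent = [ft for ft in fails[src] if 0 <= t - ft <= window_seconds]
            if len(recent) >= fail_threshold:
                findings.append(("success_after_failures", src, m.group("user"), len(recent)))
            continue
        if BOOT_RE.search(line):
            hour = _seconds(line) // 3600
            if hour not in maintenance_hours:
                findings.append(("reboot_outside_maintenance", line.split()[3], hour))
    # Bursts: the largest number of failures from one source inside any window.
    for src, times in fails.items():
        times.sort()
        best = max(sum(1 for t in times if 0 <= t - start <= window_seconds) for start in times)
        if best >= fail_threshold:
            findings.append(("failed_logon_burst", src, best))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Running the block on the constructed log reports the five-attempt burst from 203.0.113.7, the accepted logon for admin that followed it, and the 02:31 reboot; the single failure from 198.51.100.4 followed by a normal logon produces nothing. A real deployment would replace the sample text with a log file or a SIEM export and tune the thresholds to the environment.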
5.3.3. Containment
In containing an incident, the first thing to do is to secure the area; then a backup
should be made of all infected systems. Passwords should also be changed as soon as
possible to make sure a compromised account cannot be used by a remote attacker to
re-enter the system.
5.3.4. Eradication
Before the system goes back online, an incident handler must make sure that the
problem is fixed and that the vulnerability the attacker used to compromise the system is
closed. It is not enough to simply recover the system and put it back online; the
underlying security mechanisms of the affected system must be altered, fixed or
upgraded to address any newly discovered vulnerabilities. Once the system is recovered, it is a
good idea to run a vulnerability scanner against the affected system to see if the problem