Educause Security Discussion mailing list archives
Re: Compromised Server Policy
From: "Penn, Blake" <pennb () UWW EDU>
Date: Mon, 16 May 2005 12:14:03 -0500
I would have to second Joel's sentiments here. Having worked in web hosting, I used to see incidents where dozens of servers were compromised at a time. Over time, we learned that a rebuild is the only effective solution to remediate. Once control is lost, it can never *REALLY* be regained except by a secure re-imaging.

You may also want to include a snapshot of the compromised host in your procedures. Forensics on a replica of the compromised host (or better yet, on the host itself - if replaceable) might yield some insight into why the host was compromised in the first place.

__________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-5513
(f) 262-472-1285
e-mail: pennb () uww edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
Sent: Monday, May 16, 2005 11:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromised Server Policy

Hi,

Our policy is pretty much Nuke and Pave ... for individuals and servers.

We make exceptions if we have to - but most of those (exceptions) turn back into compromised machines :-)

Joel Rosenblatt

Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

--On Monday, May 16, 2005 12:52 PM -0400 "Jon E. Mitchiner" <jon.mitchiner () GALLAUDET EDU> wrote:

I am developing procedures when a server has been compromised. Instead of re-inventing the wheel again, I would like to solicit procedures from other people on the list.

Thanks in advance!

Jon

--
Jon E. Mitchiner
Special Projects Manager
ITS, Gallaudet University
(202) 651-5300
(202) 651-5477 (Fax)

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.