Educause Security Discussion mailing list archives
Re: Compromised Server Policy
From: Buz Dale <buz.dale () USG EDU>
Date: Mon, 16 May 2005 13:23:20 -0400
Make sure if the compromised server contains critical information to follow "Rules of Evidence" (such as documentation and secure handling of the compromised media) and don't just wipe the machine. The more people touch and changes made to the original media, the harder it is to prosecute (or even figure out what happened).

Buz

Penn, Blake wrote:
I would have to second Joel's sentiments here. Having worked in web hosting, I used to see incidents where dozens of servers were compromised at a time. Over time, we learned that a rebuild is the only effective solution to remediate. Once control is lost, it can never *REALLY* be regained except by a secure re-imaging.

You may also want to include a snapshot of the compromised host in your procedures. Forensics on a replica of the compromised host (or better yet, on the host itself - if replaceable) might yield some insight into why the host was compromised in the first place.

__________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-5513
(f) 262-472-1285
e-mail: pennb () uww edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
Sent: Monday, May 16, 2005 11:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromised Server Policy

Hi,

Our policy is pretty much Nuke and Pave ... for individuals and servers. We make exceptions if we have to - but most of those (exceptions) turn back into compromised machines :-)

Joel Rosenblatt

Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

--On Monday, May 16, 2005 12:52 PM -0400 "Jon E. Mitchiner" <jon.mitchiner () GALLAUDET EDU> wrote:

I am developing procedures when a server has been compromised. Instead of re-inventing the wheel again, I would like to solicit procedures from other people on the list.

Thanks in advance!

Jon

--
Jon E. Mitchiner
Special Projects Manager
ITS, Gallaudet University
(202) 651-5300
(202) 651-5477 (Fax)

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
--
----
Buz Dale  buz.dale () usg edu
IT Security Specialist  1-888-875-3697 (GA only)
Board of Regents  1-706-583-2005
Office of Information and Instructional Technology
University System of Georgia
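The evidence-handling advice in this thread (snapshot the host, handle the original media carefully, document what was done, then rebuild), as an added example that is not part of any of the messages above: a small POSIX shell procedure that images a disk without writing to it, hashes source and image, refuses to record a copy that does not match, and appends the handler and hash to a custody log. The function names and the random-byte "disk" used in the demo are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: image a compromised host's disk as
# evidence before the rebuild, hash source and image, verify they match,
# and append a custody record. Assumes POSIX sh, dd and sha256sum/shasum;
# the "disk" in the demo is a constructed file of random bytes, not a device.
set -u

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SRC DEST LOG HANDLER: read-only copy of SRC into DEST,
# hash both sides, refuse to record an image that does not match the source.
acquire_image() {
    src=$1; dest=$2; log=$3; handler=$4
    src_hash=$(hash_file "$src") || return 1
    # bs=512 so a whole-sector disk is never zero-padded; noerror,sync keeps
    # offsets stable across unreadable sectors instead of aborting the copy
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
    dest_hash=$(hash_file "$dest") || return 1
    if [ "$src_hash" != "$dest_hash" ]; then
        printf '%s MISMATCH by=%s src=%s image=%s\n' "$(date -u +%FT%TZ)" \
            "$handler" "$src_hash" "$dest_hash" >>"$log"
        return 1
    fi
    chmod 0444 "$dest"   # the image is now read-only; analysts work on copies
    printf '%s IMAGED by=%s src=%s dest=%s sha256=%s\n' "$(date -u +%FT%TZ)" \
        "$handler" "$src" "$dest" "$dest_hash" >>"$log"
}

# verify_image IMAGE SHA256: re-check the image against its recorded hash
# before every analysis session, so any alteration is caught and documented.
verify_image() {
    [ "$(hash_file "$1")" = "$2" ]
}

# Demo on a constructed 8 KiB "disk" in a temp directory.
demo=$(mktemp -d)
dd if=/dev/urandom of="$demo/sda" bs=512 count=16 2>/dev/null
acquire_image "$demo/sda" "$demo/sda.img" "$demo/custody.log" "buz" \
    && cat "$demo/custody.log"
```

Run it against a real device only from a bootable analysis environment, with the target mounted read-only or not at all, so the original media is never modified.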