Educause Security Discussion mailing list archives

Re: Compromised Server Policy


From: Greg Jackson <gjackson () UCHICAGO EDU>
Date: Mon, 16 May 2005 13:21:11 -0500

One added step, which has made our law-enforcement friends happier: When
we preserve an extract from a compromise and/or logs, we digitally sign
the extract and then write it to a CD-R, which we then keep in a safe.
This custody-chain stuff has been important in several cases.

BTW, if you haven't, it's interesting to have your local
electronic-crimes folks (especially the FBI ones, who are often young
and quite savvy and good) come talk to a pizza lunch for campus system
administrators. Nothing like actually having a chance to interact to
build trust, gain mutual understanding, etc. They'll do stock
PowerPoint, of course, most of it very boilerplate. But then they'll
take questions.

Joel Rosenblatt wrote:

In cases where we are interested in preserving the evidence, we have
the compromised HD removed and a new system is built on a new HD.  The
drives have gotten so cheap now that this is not usually a problem.

If that can't be done, we have the contents of the machine tar'ed or
zip'ed, backed up somewhere and then the machine is rebuilt.
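The signed-extract custody step at the top of this reply, worked through as an added example (not code from the list or from either poster): it hashes every file in a preserved extract, binds the hashes to a custody record naming who preserved it and when, and re-checks the extract later. HMAC-SHA256 is used in place of the digital signature because the Python standard library has no asymmetric signing; in practice substitute GPG or an Ed25519 key held by the custodian. The extract directory, custodian name, key and sample log line are all constructed.

```python
# Hash an evidence extract, bind the hashes to a custody record, verify later.
# HMAC-SHA256 stands in for a digital signature (stdlib only); the key stays with the custodian, never on the media.
import hashlib, hmac, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream: large extracts
            h.update(chunk)
    return h.hexdigest()

def tag_for(record, key):
    # Canonical JSON so the tag is reproducible at verify time.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(extract_dir, custodian, key):
    """Record who preserved what and when, plus a keyed tag over the record."""
    files = {}
    for root, _, names in os.walk(extract_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            files[os.path.relpath(path, extract_dir)] = sha256_file(path)
    record = {"custodian": custodian, "created": datetime.now(timezone.utc).isoformat(), "files": files}
    return {"record": record, "hmac": tag_for(record, key)}

def verify_manifest(extract_dir, manifest, key):
    """Return a list of problems; empty means the extract matches the manifest."""
    if not hmac.compare_digest(tag_for(manifest["record"], key), manifest["hmac"]):
        return ["manifest: tag mismatch"]  # record altered, or not the custodian's key
    problems = []
    for rel, digest in manifest["record"]["files"].items():
        path = os.path.join(extract_dir, rel)
        if not os.path.exists(path):
            problems.append(f"{rel}: missing")
        elif sha256_file(path) != digest:
            problems.append(f"{rel}: hash mismatch")
    return problems

def demo():
    # Constructed one-file extract: clean check, wrong-key check, then tampering.
    key = b"constructed-demo-key-kept-in-the-safe"
    extract = tempfile.mkdtemp()
    log = os.path.join(extract, "auth.log")
    with open(log, "w") as f: f.write("May 16 13:21:11 host sshd[2201]: Accepted publickey for admin\n")  # constructed
    manifest = build_manifest(extract, "G. Jackson", key)
    clean = verify_manifest(extract, manifest, key)
    wrong_key = verify_manifest(extract, manifest, b"not-the-custodian-key")
    with open(log, "a") as f: f.write("a line added after preservation\n")
    return clean, wrong_key, verify_manifest(extract, manifest, key)
```

Burn the manifest onto the same media as the extract; a later clean verify_manifest result only means something if the key was never stored with it.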


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
