Educause Security Discussion mailing list archives
Re: Compromised Server Policy
From: Greg Jackson <gjackson () UCHICAGO EDU>
Date: Mon, 16 May 2005 13:21:11 -0500
One added step, which has made our law-enforcement friends happier: When we preserve an extract from a compromise and/or logs, we digitally sign the extract and then write it to a CD-R, which we then keep in a safe. This custody-chain stuff has been important in several cases. BTW, if you haven't, it's interesting to have your local electronic-crimes folks (especially the FBI ones, who are often young and quite savvy and good) come talk to a pizza lunch for campus system administrators. Nothing like actually having a chance to interact to build trust, gain mutual understanding, etc. They'll do stock PowerPoint, of course, most of it very boilerplate. But then they'll take questions.

Joel Rosenblatt wrote:
In cases where we are interested in preserving the evidence, we have the compromised HD removed and a new system is built on a new HD. The drives have gotten so cheap now that this is not usually a problem. If that can't be done, we have the contents of the machine tar'ed or zip'ed, backed up somewhere and then the machine is rebuilt.
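The "sign the extract, then archive it" step Greg describes is the part that makes preserved evidence defensible later: a verifier must be able to show that what is on the CD-R is byte-for-byte what was extracted. The following is an added example, not code from the original thread or from any of the posters' institutions. It assumes Ed25519 detached signatures over a hash manifest (a reasonable modern choice; the post does not say which signing scheme was used), and the evidence files are constructed stand-ins rather than real logs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// EvidenceItem is one preserved artifact: a log extract, a tarball of the
// compromised host, or a disk image. Data is the full content that is hashed.
type EvidenceItem struct {
	Name string
	Data []byte
}

// BuildManifest writes a deterministic text manifest for a case: one line per
// item carrying the SHA-256 of its contents, its size and its name. Items are
// sorted by name so the same set of files always yields the same manifest.
func BuildManifest(caseID string, items []EvidenceItem) string {
	sorted := append([]EvidenceItem(nil), items...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var b strings.Builder
	fmt.Fprintf(&b, "case: %s\n", caseID)
	for _, it := range sorted {
		sum := sha256.Sum256(it.Data)
		fmt.Fprintf(&b, "%s  %d  %s\n", hex.EncodeToString(sum[:]), len(it.Data), it.Name)
	}
	return b.String()
}

// GenerateSigningKey creates the Ed25519 key pair used to sign manifests. In
// practice the private key stays with the responder (ideally on a token) and
// the public key is handed to investigators alongside the signed media.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignManifest returns a detached signature over the manifest text. The
// manifest, this signature and the evidence files are what goes onto the CD-R.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyEvidence is the check run later from the archived media: it recomputes
// the manifest from the files as they exist now, requires it to match the stored
// manifest byte for byte, and then checks the stored signature. Any altered
// file, added or removed item, or edited manifest makes this return false.
func VerifyEvidence(pub ed25519.PublicKey, caseID string, items []EvidenceItem, storedManifest string, sig []byte) bool {
	if BuildManifest(caseID, items) != storedManifest {
		return false
	}
	return ed25519.Verify(pub, []byte(storedManifest), sig)
}

// SampleEvidence returns constructed stand-in extracts (not real logs) so the
// example runs offline. 198.51.100.0/24 is a documentation address range.
func SampleEvidence() []EvidenceItem {
	return []EvidenceItem{
		{Name: "var-log-auth.log", Data: []byte("May 16 03:12:01 host sshd[4121]: Accepted password for admin from 198.51.100.7\n")},
		{Name: "netstat.txt", Data: []byte("tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4477/httpd\n")},
	}
}

func main() {
	pub, priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	caseID := "IR-2005-0516" // constructed case identifier
	items := SampleEvidence()
	manifest := BuildManifest(caseID, items)
	sig := SignManifest(priv, manifest)
	fmt.Print(manifest)
	fmt.Println("signature:", hex.EncodeToString(sig))
	fmt.Println("verifies as preserved:", VerifyEvidence(pub, caseID, items, manifest, sig))

	// Simulate a later alteration of one extract and show the check fails.
	items[0].Data = append(items[0].Data, []byte("May 16 03:15:44 host sshd[4130]: session closed\n")...)
	fmt.Println("verifies after tampering:", VerifyEvidence(pub, caseID, items, manifest, sig))
}
```

Signing a manifest of hashes rather than each file directly means the signature also binds the set of items and the case identifier, so a file silently dropped from or added to the media fails verification just as an edited one does. The public key and a record of who held the private key are part of the custody documentation, not an afterthought.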