Firewall Wizards mailing list archives

Re: What exactly is a sysadmin/security officers job


From: Adam Shostack <adam () homeport org>
Date: Tue, 9 Dec 1997 03:07:52 -0500 (EST)

        When an intrusion occurs, you hope like hell it's not on a
production system with costs in the millions per minute of downtime.
(There are lots of these at financial institutions.)  If it is, you
audit the hell out of the transactions it's generating.  If it's not,
you backtrace the connection, close down the access point, and then do
cleanup.  Sometimes you let the police or CERT know, but they tend to
be bloody unhelpful.

        Actually tracking someone to the source is still fairly rare,
and many organizations don't want the negative publicity associated
with a break in.

        Until we de-stigmatize being broken into, we don't begin to
solve the problems.  Remember that less than 1% of attacks on DOD
systems were detected and reported.  We're not addressing the issues
right.

Adam


Jim Leo wrote:
| I've really enjoyed the Out-sourcing vs In-house debate thus far.
| However, I'm curious, just exactly what do most of the
| list-subscribers do when an attempt at intrusion occurs? Exactly what
| is classified as an intrusion? Does using any one of the numerous
| scanning tools out there (asmodeous, ISS, strobe, etc) constitute an
| intrusion attempt, or just 'knob twiddling'? How does one deal with
| it? And yes I know about management policy, I'm curious just what
| others are doing in the security arena.
| Jim Leo
| admin () everett pitt cc nc us
| 


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
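Jim asks whether a port scan counts as an intrusion attempt or just "knob twiddling", and Adam's answer turns on backtracing the connection to its source before closing the access point. The script below is an added example, not code from either post: it triages constructed log lines per source address and separates three things a 1997 firewall or host would see: a scan (many distinct ports touched in a short window, no authentication), an intrusion attempt (repeated authentication failures), and a successful intrusion (a login that follows failed guesses from the same source). The log format, the sample lines, the 60-second window and the thresholds of 5 ports and 3 failures are all assumptions for illustration.

```python
"""Triage firewall/auth log lines per source: scan vs. intrusion attempt vs. intrusion.

Added example, not from the mailing-list thread. The line format
'<ISO timestamp> <EVENT> src=<ip> dst=<ip> port=<n> [user=<name>]' and the
thresholds below are assumptions, not any real product's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format). Four sources:
#   10.0.0.9     touches eight ports on one host in seconds   -> scan
#   198.51.100.7 fails three root logins, then succeeds      -> intrusion
#   203.0.113.4  fails three logins and gives up             -> intrusion_attempt
#   192.0.2.55   fetches a web page now and then             -> normal
SAMPLE_LOG = """\
1997-12-09T02:55:01 CONNECT src=10.0.0.9 dst=192.0.2.10 port=21
1997-12-09T02:55:01 CONNECT src=10.0.0.9 dst=192.0.2.10 port=22
1997-12-09T02:55:02 CONNECT src=10.0.0.9 dst=192.0.2.10 port=23
1997-12-09T02:55:02 CONNECT src=10.0.0.9 dst=192.0.2.10 port=25
1997-12-09T02:55:03 CONNECT src=10.0.0.9 dst=192.0.2.10 port=79
1997-12-09T02:55:03 CONNECT src=10.0.0.9 dst=192.0.2.10 port=80
1997-12-09T02:55:04 CONNECT src=10.0.0.9 dst=192.0.2.10 port=110
1997-12-09T02:55:04 CONNECT src=10.0.0.9 dst=192.0.2.10 port=111
1997-12-09T02:58:10 CONNECT src=198.51.100.7 dst=192.0.2.10 port=23
1997-12-09T02:58:15 AUTH_FAIL src=198.51.100.7 dst=192.0.2.10 port=23 user=root
1997-12-09T02:58:21 AUTH_FAIL src=198.51.100.7 dst=192.0.2.10 port=23 user=root
1997-12-09T02:58:27 AUTH_FAIL src=198.51.100.7 dst=192.0.2.10 port=23 user=root
1997-12-09T02:58:33 AUTH_OK src=198.51.100.7 dst=192.0.2.10 port=23 user=root
1997-12-09T03:00:00 CONNECT src=192.0.2.55 dst=192.0.2.10 port=80
1997-12-09T03:01:00 CONNECT src=203.0.113.4 dst=192.0.2.10 port=22
1997-12-09T03:01:05 AUTH_FAIL src=203.0.113.4 dst=192.0.2.10 port=22 user=guest
1997-12-09T03:01:09 AUTH_FAIL src=203.0.113.4 dst=192.0.2.10 port=22 user=admin
1997-12-09T03:01:14 AUTH_FAIL src=203.0.113.4 dst=192.0.2.10 port=22 user=operator
1997-12-09T03:02:00 CONNECT src=192.0.2.55 dst=192.0.2.10 port=80
1997-12-09T03:04:00 CONNECT src=192.0.2.55 dst=192.0.2.10 port=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>CONNECT|AUTH_FAIL|AUTH_OK) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) port=(?P<port>\d+)(?: user=(?P<user>\S+))?$"
)


def parse(log_text):
    """Parse the assumed line format into dicts, sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["port"] = int(e["port"])
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def classify(log_text, window=timedelta(seconds=60), scan_ports=5, fail_threshold=3):
    """Return {src: {"label", "ports", "auth_failures"}} using a sliding window per source.

    Priority of verdicts: intrusion > intrusion_attempt > scan > normal.
    Thresholds are assumptions chosen for the sample data.
    """
    by_src = defaultdict(list)
    for e in parse(log_text):
        by_src[e["src"]].append(e)

    verdicts = {}
    for src, evs in by_src.items():
        recent, max_ports, max_fails, label = [], 0, 0, "normal"
        for e in evs:
            recent.append(e)
            # Drop events that fell out of the window (e itself always stays).
            while e["ts"] - recent[0]["ts"] > window:
                recent.pop(0)
            ports = {(r["dst"], r["port"]) for r in recent if r["event"] == "CONNECT"}
            fails = sum(1 for r in recent if r["event"] == "AUTH_FAIL")
            max_ports, max_fails = max(max_ports, len(ports)), max(max_fails, fails)
            if e["event"] == "AUTH_OK" and fails >= 1:
                label = "intrusion"  # a login that follows failed guesses: investigate now
                break
        if label != "intrusion":
            if max_fails >= fail_threshold:
                label = "intrusion_attempt"
            elif max_ports >= scan_ports:
                label = "scan"  # Jim's 'knob twiddling': noted, not necessarily actioned
        verdicts[src] = {"label": label, "ports": max_ports, "auth_failures": max_fails}
    return verdicts


def sources_to_block(verdicts):
    """Sources whose access point Adam would close: attempts and successes, not bare scans."""
    return sorted(s for s, v in verdicts.items() if v["label"].startswith("intrusion"))


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    for src, v in sorted(result.items()):
        print(f"{src:14} {v['label']:18} ports={v['ports']} auth_failures={v['auth_failures']}")
    print("block:", sources_to_block(result))
```

The split mirrors the distinction in the thread: a bare scan is recorded (it is the reconnaissance that precedes a real attempt), repeated failures are an attempt worth shutting off, and a success after failures is the case where Adam's transaction audit starts. Repeated connections by one source to a single port never trip the scan rule, which keeps ordinary web or mail clients out of the verdict list.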



