BreachExchange mailing list archives

You've Been Breached: Now What?


From: security curmudgeon <jericho () attrition org>
Date: Tue, 21 Dec 2010 01:23:51 -0600 (CST)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=228800744

By Adam Ely
InformationWeek
December 18, 2010

No one likes to think about database breaches, but the fact is, they 
happen. Rather than cross your fingers and hope for the best, create an 
incident response plan ahead of time. Without a plan, you may destroy 
critical evidence that could be used to prosecute the offender. You might 
also overlook just how the incident occurred, leaving you exposed to 
future breaches.

Log analysis is an essential component of an incident response plan. 
You'll want to review logs from the compromised machine or machines and 
from other sources, including network devices and access control systems.

A number of log types--transaction, server access, application server, and 
OS--can all provide valuable information to retrace what occurred. If your 
database administrator has enabled transaction logs--and it's a big 
if--start there because they're a rich source of information.

Your first goal is to understand what data has been extracted, which will 
help you gauge the current risk to the company. Then examine what else the 
attacker may have tried to do. As you review logs, look for queries that 
would match the data known to be exported. If you don't have any evidence 
to match against, gather up the database administrator, application 
developer, and anyone else who knows normal application and database 
activity. Get a conference room, display the logs on a projector, and have 
them help you look for anomalies such as unusual queries that applications 
or administrators wouldn't normally make.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
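To make the "match queries to the known-exported data, then hunt for anomalies" step concrete, here is an added example that is not part of the article or the list post: a small Python triage pass over a constructed database query log that flags queries touching columns matching the known-exported data, query templates that appear only once against the rest of the log, and unbounded SELECTs. The log line format, the app_user account, and the column names are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample query log (format and content made up for this example;
# adapt LINE_RE to the real layout of your DBMS's transaction/query log).
SAMPLE_LOG = """\
2010-12-18 09:01:02 app_user SELECT id, name FROM customers WHERE id = 1042
2010-12-18 09:01:03 app_user SELECT id, name FROM customers WHERE id = 1043
2010-12-18 09:01:05 app_user UPDATE orders SET status = 'shipped' WHERE id = 77
2010-12-18 09:02:11 app_user SELECT id, name FROM customers WHERE id = 1044
2010-12-18 09:02:40 app_user UPDATE orders SET status = 'shipped' WHERE id = 78
2010-12-18 23:14:09 app_user SELECT name, ssn, card_number FROM customers
2010-12-18 23:15:30 app_user SELECT table_name FROM information_schema.tables
2010-12-18 09:03:00 app_user SELECT id, name FROM customers WHERE id = 1045
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.+)$")  # timestamp, account, query


def normalize(query):
    """Collapse literals so queries differing only in values share a template."""
    q = re.sub(r"'[^']*'", "?", query)      # string literals
    q = re.sub(r"\b\d+\b", "?", q)          # numeric literals
    return " ".join(q.split()).lower()


def triage(log_text, exfil_columns, rare_threshold=1):
    """Return (timestamp, account, query, reasons) for lines worth a closer look."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    # Baseline: how often each query template occurs across the whole log.
    baseline = Counter(normalize(q) for _, _, q in entries)
    findings = []
    for ts, account, query in entries:
        reasons = []
        tpl = normalize(query)
        hit = {c for c in exfil_columns
               if re.search(r"\b%s\b" % re.escape(c), query, re.I)}
        if hit:
            reasons.append("touches known-exported columns: " + ", ".join(sorted(hit)))
        if baseline[tpl] <= rare_threshold:
            reasons.append("query template seen only %d time(s)" % baseline[tpl])
        if tpl.startswith("select") and " where " not in tpl:
            reasons.append("unbounded SELECT (no WHERE clause)")
        if reasons:
            findings.append((ts, account, query, reasons))
    return findings


if __name__ == "__main__":
    for ts, account, query, reasons in triage(SAMPLE_LOG, ["ssn", "card_number"]):
        print(ts, account, query, "->", "; ".join(reasons))
```

The rarity check only works against a log that also contains a representative stretch of normal traffic, which is why the article's advice to pull in the DBA and application developer matters: they can confirm which of the flagged templates are legitimate.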
