Re: Compromised Server Policy

[Chad McDonald <chad.mcdonald () GCSU EDU>]

If at all possible, we rebuild the box.  Only when there is no backup, or we
are attempting to prosecute will we take another route.

Thanks,
Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
478.445.4473  Office
478.454.8250 Cell
478.445.1202 Fax

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
Sent: Monday, May 16, 2005 1:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromised Server Policy

In cases where we are interested in preserving the evidence, we have the
compromised HD removed and a new system is built on a new HD.  The drives
have gotten so cheep now that this is not usually a problem.

If that can't be done, we have the contents of the machine tar'ed or zip'ed,
backed up somewhere and then the machine is rebuilt.

Sometimes, we just don't care :-)

One size does not fit all .. you have to look at what your trying to do and
make sure that your actions match.

Joel Rosenblatt

--On Monday, May 16, 2005 1:23 PM -0400 Buz Dale <buz.dale () USG EDU> wrote:

> Make sure if the compromised server contains critical information to
> follow "Rules of Evidence" (Such as documentation and secure handling
> of the compromised media.) and don't just wipe the machine. The more
people
>   touch and changes made to the original media, the harder it is to
> prosecute (or even figure out what happened.) Buz
>
> Penn, Blake wrote:
> > I would have to second Joel's sentiments here.  Having worked in web
> > hosting, I used to see incidents where dozens of servers were
> > compromised at a time.  Over time, we learned that a rebuild is the
> > only effective solution to remediate.  Once control is lost, it can
> > never
> > *REALLY* be regained except by a secure re-imaging.
> >
> > You may also want to include a snapshot of the compromised host in
> > your procedures.  Forensics on a replica of the compromised host (or
> > better yet, on the host itself - if replaceable) might yield some
> > insight into why the host was compromised in the first place.
> >
> > __________________________________
> > Blake Penn, CISSP
> > Information Security Officer
> > University of Wisconsin-Whitewater
> > (p) 262-472-5513 (f) 262-472-1285
> > e-mail: pennb () uww edu
> >
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Discussion Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
> > Sent: Monday, May 16, 2005 11:55 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Compromised Server Policy
> >
> > Hi,
> >
> > Our policy is pretty much Nuke and Pave ... for individuals and servers.
> > We make exceptions if we have to - but most of those (exceptions)
> > turn back into compromised machines :-)
> >
> > Joel Rosenblatt
> >
> > Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> > http://www.columbia.edu/~joel
> >
> >
> > --On Monday, May 16, 2005 12:52 PM -0400 "Jon E. Mitchiner"
> > <jon.mitchiner () GALLAUDET EDU> wrote:
> >
> >
> > > I am developing procedures when a server has been compromised.
> > > Instead of re-inventing the wheel again, I would like to solict
> > > procedures from other people on the list.
> > >
> > > Thanks in advance!
> > >
> > > Jon
> > >
> > > --
> > > Jon E. Mitchiner
> > > Special Projects Manager
> > > ITS, Gallaudet University
> > > (202) 651-5300
> > > (202) 651-5477 (Fax)
> > >
> > > **********
> > > Participation and subscription information for this EDUCAUSE
> >
> > Discussion Group discussion list can be found at
> > http://www.educause.edu/groups/.
> >
> > **********
> > Participation and subscription information for this EDUCAUSE
> > Discussion Group discussion list can be found at
http://www.educause.edu/groups/.
> > **********
> > Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
> --
> ----
> Buz Dale                                buz.dale () usg edu
> IT Security Specialist              1-888-875-3697 (GA only)
> Board of Regents                    1-706-583-2005
> Office of Information and Instructional Technology University System
> of Georgia
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.



Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS Columbia
University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.