Educause Security Discussion mailing list archives
Re: Compromised Server Policy
From: Chad McDonald <chad.mcdonald () GCSU EDU>
Date: Mon, 16 May 2005 13:55:24 -0400
If at all possible, we rebuild the box. Only when there is no backup, or we are attempting to prosecute, will we take another route.

Thanks,

Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
478.445.4473 Office
478.454.8250 Cell
478.445.1202 Fax

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
Sent: Monday, May 16, 2005 1:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromised Server Policy

In cases where we are interested in preserving the evidence, we have the compromised HD removed and a new system is built on a new HD. The drives have gotten so cheap now that this is not usually a problem. If that can't be done, we have the contents of the machine tar'ed or zip'ed, backed up somewhere, and then the machine is rebuilt.

Sometimes, we just don't care :-)

One size does not fit all .. you have to look at what you're trying to do and make sure that your actions match.

Joel Rosenblatt

--On Monday, May 16, 2005 1:23 PM -0400 Buz Dale <buz.dale () USG EDU> wrote:

Make sure if the compromised server contains critical information to follow "Rules of Evidence" (such as documentation and secure handling of the compromised media) and don't just wipe the machine. The more people touch and changes made to the original media, the harder it is to prosecute (or even figure out what happened).

Buz

Penn, Blake wrote:

I would have to second Joel's sentiments here. Having worked in web hosting, I used to see incidents where dozens of servers were compromised at a time. Over time, we learned that a rebuild is the only effective solution to remediate. Once control is lost, it can never *REALLY* be regained except by a secure re-imaging.

You may also want to include a snapshot of the compromised host in your procedures. Forensics on a replica of the compromised host (or better yet, on the host itself - if replaceable) might yield some insight into why the host was compromised in the first place.

__________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-5513
(f) 262-472-1285
e-mail: pennb () uww edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
Sent: Monday, May 16, 2005 11:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromised Server Policy

Hi,

Our policy is pretty much Nuke and Pave ... for individuals and servers. We make exceptions if we have to - but most of those (exceptions) turn back into compromised machines :-)

Joel Rosenblatt

Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

--On Monday, May 16, 2005 12:52 PM -0400 "Jon E. Mitchiner" <jon.mitchiner () GALLAUDET EDU> wrote:

I am developing procedures for when a server has been compromised. Instead of re-inventing the wheel again, I would like to solicit procedures from other people on the list.

Thanks in advance!

Jon

--
Jon E. Mitchiner
Special Projects Manager
ITS, Gallaudet University
(202) 651-5300
(202) 651-5477 (Fax)

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.

--
----
Buz Dale buz.dale () usg edu
IT Security Specialist 1-888-875-3697 (GA only)
Board of Regents 1-706-583-2005
Office of Information and Instructional Technology
University System of Georgia

Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
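Two of the replies above describe the same preservation step in different words: Joel's "tar it and back it up somewhere before the rebuild" and Buz's "Rules of Evidence" point that every hand touching the original media weakens it. The script below is an added example, not code from any poster in this thread, showing one way to do that step so the copy is hashed and documented at collection time and can be checked later. The function names, the `case-0001` identifier, the manifest layout and the paths are assumptions; it relies only on `tar`, `sha256sum`, `find`, `date` and `id` from a standard Linux userland.

```shell
#!/bin/sh
# Added example (not from the thread): preserve a copy of a compromised
# host's filesystem as a hashed archive, with a manifest recording who
# collected it, when, and the SHA-256 of the archive and of every file,
# before the box is rebuilt. Function and file names are assumptions.
set -eu

# preserve_evidence SRC_DIR OUT_DIR CASE_ID
# Writes OUT_DIR/CASE_ID.tar.gz and OUT_DIR/CASE_ID.manifest.txt, never
# modifying SRC_DIR. Prints the manifest path on success.
preserve_evidence() {
    src="$1"; out="$2"; case_id="$3"
    mkdir -p "$out"
    archive="$out/$case_id.tar.gz"
    manifest="$out/$case_id.manifest.txt"

    # Copy the tree as-is; tar reads the source, it does not change it.
    tar -czf "$archive" -C "$src" .

    {
        echo "case_id: $case_id"
        echo "source: $src"
        echo "collected_utc: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "collected_by: $(id -un)@$(uname -n)"
        echo "archive_sha256: $(sha256sum "$archive" | cut -d' ' -f1)"
        echo "---- per-file sha256 of source tree ----"
        # Hash each original file so a later examiner can tell exactly
        # which files changed between this copy and whatever they receive.
        (cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2)
    } > "$manifest"

    # Make both artefacts read-only so a slip during the rebuild cannot
    # silently alter them (chain-of-custody hygiene, not a security boundary).
    chmod 0444 "$archive" "$manifest"
    echo "$manifest"
}

# verify_evidence OUT_DIR CASE_ID
# Returns 0 if the archive still matches the hash recorded in its manifest,
# 1 otherwise.
verify_evidence() {
    out="$1"; case_id="$2"
    archive="$out/$case_id.tar.gz"
    manifest="$out/$case_id.manifest.txt"
    recorded=$(sed -n 's/^archive_sha256: //p' "$manifest")
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$actual" ]
}
```

Typical use is `preserve_evidence /mnt/compromised-root /srv/evidence case-0001` from a clean workstation with the suspect disk mounted read-only, then `verify_evidence /srv/evidence case-0001` whenever the archive changes hands. Recording the per-file hashes at collection time is what lets a later examiner show which files were altered on the host rather than in transit.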
Current thread:
- Compromised Server Policy Jon E. Mitchiner (May 16)
- <Possible follow-ups>
- Re: Compromised Server Policy Joel Rosenblatt (May 16)
- Re: Compromised Server Policy Penn, Blake (May 16)
- Re: Compromised Server Policy Buz Dale (May 16)
- Re: Compromised Server Policy Joel Rosenblatt (May 16)
- Re: Compromised Server Policy Chad McDonald (May 16)
- Re: Compromised Server Policy Greg Jackson (May 16)