Security Incidents mailing list archives
RE: Incident investigation methodologies
From: pfft <col_panic2 () yahoo com>
Date: Mon, 7 Jun 2004 17:25:05 -0700 (PDT)
--- "Fiscus, Kevin" <kfiscus () allianttech com> wrote:
> Based on the circumstances, one must assess the risk vs. reward of performing certain actions and make a decision. In some circumstances, it makes sense to take a production system off-line and in other cases, it doesn't. In some cases, it may even make sense to simply monitor the situation and otherwise do nothing.
Agreed. So if we assign response scenarios based upon criticality of data, we can provide administrators with a template for each type of situation.
> If a web server, containing no critical information (isolated from the corporate network also) gets defaced, it may make sense to simply restore from backup. (How do you determine what happened to prevent it from happening again?)
> Simply restoring from backup will not prevent the same compromise from occurring again, so we might want to do some analysis to determine how the intrusion occurred and prevent the system from being compromised as soon as it is put back online.
--snip--
> It seems like people keep wanting a 1-size-fits-all solution. That is just not the case.
Agreed. This is the reason for assigning security labels. We can use the same idea for response levels. A compromise of a system with critical data should get the full forensic examination, and merely internal data should be reimaged and patched.

-- Jonathan Bloomquist, CISSP