Security Incidents mailing list archives

RE: Incident investigation methodologies


From: pfft <col_panic2 () yahoo com>
Date: Mon, 7 Jun 2004 17:25:05 -0700 (PDT)

--- "Fiscus, Kevin" <kfiscus () allianttech com> wrote:
Based on the circumstances, one must
assess the risk vs. reward of performing certain
actions and make a decision.  In some
circumstances, it makes sense to take a production
system off-line and in other cases, it doesn't.  In
some cases, it may even make sense to simply monitor
the situation and otherwise do nothing.

Agreed. So if we assign response scenarios based upon
criticality of data, we can provide administrators
with a template for each type of situation.
 
If a web server, containing no critical information
(isolated from the corporate network also) gets
defaced, it may make sense to simply restore from
backup.  (How do you determine what happened to
prevent it from happening again?)

Simply restoring from backup will not prevent the same
compromise from occurring again, so we might want to do
some analysis to determine how the intrusion occurred
and prevent the system from being compromised as soon
as it is put back online.

--snip--

It seems like people keep wanting a 1-size-fits-all
solution.  That is just not the case.

Agreed. This is the reason for assigning security
labels. We can use the same idea for response levels.
A compromise of a system with critical data should get
the full forensic examination, and merely internal
data should be reimaged and patched.

--

Jonathan Bloomquist, CISSP

