Security Incidents mailing list archives
RE: Incident investigation methodologies
From: pfft <col_panic2 () yahoo com>
Date: Mon, 14 Jun 2004 06:40:08 -0700 (PDT)
--- Harlan Carvey <keydet89 () yahoo com> wrote:
>> Agreed. So if we assign response scenarios based upon criticality of data, we can provide administrators with a template for each type of situation.

> Agreed. However, consider this...rather than assigning response scenarios based on criticality of data, the response activities should be based on policy...and the policy should identify critical systems. A matter of semantics, perhaps, but policies and procedures are a critical part of incident response, particularly in a corporate environment. They also play a critical role in the LEO environment.

I'll buy that.

> I think the question then becomes, do we need to have separate templates based on the activities, or can we create a single template for, say, the most critical systems, and that same template can be used for all less-critical systems?

If a single template simplifies things, then I think that is best. I just think administrators may shy away from a complex forensic procedure on non-critical systems, so the parts that apply to all systems should be highlighted as such, and things like memory dumps can be left to those with the need, time and skill required.

> What I've been trying to develop is a usable, verifiable, documented procedure for collecting volatile data from live systems, to perform incident verification and identification.

Excellent idea.