Is your risk management plan as good as it gets?
Not all security incidents can be prevented, nor is it cost-effective to try. Each control should be evaluated on its own merits prior to implementation. Issues to consider include direct costs, training, decreased system performance and public perception. To help security managers implement such recommendations, the National Institute of Standards and Technology (NIST) has just released an incident response guide that emphasizes being prepared for various security breaches.
Avoiding the Trial-By-Fire Approach to Security Incidents
Experience shows that most organizations do not think about how to respond to a computer security incident until after they have been hit significantly. They have not assessed the business risk of not having formal incident-detection and response mechanisms in place. More often than not, organizations receive reports informing them that they are involved in an incident originating from some other party rather than identifying the incident themselves. This is called the trial-by-fire approach.
A Common Language for Computer Security Incidents
The Common Language Project was not an effort to develop a comprehensive dictionary of terms used in the field of computer security. Instead, our intention was to develop a minimum set of 'high-level' terms, along with a structure indicating their relationship (a taxonomy), which can be used to classify and understand computer security incident and vulnerability information. We hope these 'high-level' terms and their structure will gain wide acceptance, be useful, and most importantly, enable the exchange and comparison of computer security incident information. We anticipate, however, that individuals and organizations will continue to use their own terms, which may be more specific both in meaning and use. We designed the common language to enable these 'lower-level' terms to be classified within the common language structure.
State of the Practice of Computer Security Incident Response Teams (CSIRTs)
Although CSIRTs have been in existence since 1988, the development of CSIRTs and the incident response field is still in its infancy. It has not yet become a standardized field of practice, but it is rapidly moving toward a more standardized discipline. Many organizations are looking to formalize their incident response methodologies, processes, and organizational structures.
NT/2K Incident Response Tools
The tools presented in this paper are broken down into three sections: communications tools, tools for collecting volatile information, and tools for collecting non-volatile information. Each section provides greater detail on the type of information collected.
Developing an Effective Incident Cost Analysis Mechanism
When it comes to calculating damages from computer security incidents, some in the media will tell you that it is impossible to come up with a value. At the same time, others will tell you that the Melissa Virus caused $80 million in damages to US businesses. Who is right? Can these damages be calculated, and if so, how?
Starting from Scratch: Formatting and Reinstalling after a Security Incident
Missing files, corrupt data, sluggish performance, programs not working - any of these things could indicate a breach in network security. Once the breach has been identified and mitigated, the painful process of rebuilding and recovery begins. There is a point you reach in the recovery process, after you have done a little digging, put a finger on what might have gone wrong, where you come to the proverbial "fork in the road". Every security professional or systems administrator has faced the decision at some point in his or her career: is it better to try to repair the damage, or just reinstall the system and start from scratch?
Tracking Down the Phantom Host
Most information systems security professionals are familiar with the procedures for identifying malicious traffic among their routine data, and many of the same professionals are familiar with the forensic procedures required once you have identified a compromised host. But on more than one occasion, I have been asked how to locate a problem host when you are not sure where it is physically located.
Appropriate Response: More Questions Than Answers
So, just how far should security administrators go to protect their systems? What is an appropriate response to a detected security incident? Ask ten security professionals that question and you will most likely get ten different answers. Ask them more specific questions - such as, how do you handle active intrusions? Denial of service attacks? Probes? - and eventually you will be able to piece together their response set, a collection of reactions tailored to particular attacks or threats.
Calling the CyberCops: Law Enforcement and Incident Handling
It's now 3:00 AM and you're sitting at a console in your computer room at the office, staring at a new directory named "ADMROCKS." You've been hacked. Your personal data space has been violated. Some nameless script kiddie has made a mockery of your well-laid security plans. What are you going to do about it?
Detecting and Removing Malicious Code
Has it happened yet? The phone call, the e-mail, the page, or maybe you discovered it yourself. Something wasn't right: sluggish performance, too much network activity, a missing file. After a little investigating, the realization - you've been cracked. If this isn't familiar to you yet, odds are it will be in the future. Crackers have access to countless variations of malicious code: automated rootkits, trojans, viruses and specific exploits, all designed to breach your security. Detecting and removing these programs can be a daunting task, with little room for wasted time or error. In this article, I'll explain techniques readers can use to get their system back on-line and prevent it from happening again.
Detecting and Removing Trojans and Malicious Code from Win2K
The purpose of this article is to recommend steps that an administrator can use to determine whether or not a Win2K system has been infected with malicious code or "malware" and, if so, to remove it. This article will specifically address network backdoor Trojans and IRC bots, but the information delivered in this article should assist the reader in a variety of situations.
Going to the Source: Reporting Security Incidents to ISPs
My interest in abuse notifications began when Warez pirates started using my trustingly anonymous FTP server as their personal playground. I realized that my system needed to be locked against this type of intrusion and that I had failed to provide adequate safeguards. But I still felt violated - these people were intruding into a place where they knew they had no business.