What You Don't See On Your Hard Drive
This paper will address two security concerns that I found very interesting. They both have to do with things that are not in plain sight. The first security concern covers the issue of retrieving data that has been deleted. So many people have no idea about data that is left behind when you delete files or fdisk and format your hard drive. The second issue deals with hidden access and control of your computer. I will look at what a rootkit is and look at the recent development of rootkits designed for Microsoft Windows operating systems.
Windows Responders Guide
In this paper, we will discuss the issues one needs to consider during the initial response stage. There is critical evidence that needs to be protected and gathered during the initial response stage. We will therefore discuss the tools that can be used to gather the necessary evidence and how to collect it appropriately. Finally, we will explore areas that one needs to look out for during the investigation of the evidence collected.
Avoiding the Trial-By-Fire Approach to Security Incidents
Experience shows that most organizations do not think about how to respond to a computer security incident until after they have been hit significantly. They have not assessed the business risk of not having formal incident-detection and response mechanisms in place. More often than not, organizations receive reports informing them that they are involved in an incident originating from some other party rather than identifying the incident themselves. This is called the trial-by-fire approach.
A Common Language for Computer Security Incidents
The Common Language Project was not an effort to develop a comprehensive dictionary of terms used in the field of computer security. Instead, our intention was to develop a minimum set of 'high-level' terms, along with a structure indicating their relationship (a taxonomy), which can be used to classify and understand computer security incident and vulnerability information. We hope these 'high-level' terms and their structure will gain wide acceptance, be useful, and most importantly, enable the exchange and comparison of computer security incident information. We anticipate, however, that individuals and organizations will continue to use their own terms, which may be more specific both in meaning and use. We designed the common language to enable these 'lower-level' terms to be classified within the common language structure.
Dealing with External Computer Security Incidents
Dealing with computer security incidents is extremely difficult. There are many ways that incidents can occur and many types of impact they can have on an organization. There are no complete solutions, and the partial solutions that exist are expensive and resource intensive. However, the alternative, not dealing with security incidents, is yet more expensive, and using weak methods for dealing with incidents may only compound the damage that incidents cause. What is required is a long-term commitment to develop the capability to deal with security incidents, not just short-term fixes of selected problems.
State of the Practice of Computer Security Incident Response Teams (CSIRTs)
Although CSIRTs have been in existence since 1988, the development of CSIRTs and the incident response field is still in its infancy. It has not yet become a standardized field of practice, but it is rapidly moving toward a more standardized discipline. Many organizations are looking to formalize their incident response methodologies, processes, and organizational structures.
NT/2K Incident Response Tools
The tools presented in this paper are broken down into three sections: communications tools, tools for collecting volatile information, and tools for collecting non-volatile information. Each section provides greater detail as to the type of information collected.
An Introduction to Incident Handling
Incident handling is a generalized term that refers to the response by a person or organization to an attack. An organized and careful reaction to an incident can mean the difference between complete recovery and total disaster. This paper will provide a logical approach to handling two common forms of attack - virus outbreak and system compromise. The method that this article will propose includes the following sequence of steps that should be followed in the case of all types of attack.
Developing an Effective Incident Cost Analysis Mechanism
When it comes to calculating damages from computer security incidents, some in the media will tell you that it is impossible to come up with a value. At the same time, others will tell you that the Melissa Virus caused $80 million in damages to US businesses. Who is right? Can these damages be calculated, and if so, how?
Starting from Scratch: Formatting and Reinstalling after a Security Incident
Missing files, corrupt data, sluggish performance, programs not working - any of these things could indicate a breach in network security. Once the breach has been identified and mitigated, the painful process of rebuilding and recovery begins. There is a point you reach in the recovery process, after you have done a little digging, put a finger on what might have gone wrong, where you come to the proverbial "fork in the road". Every security professional or systems administrator has faced the decision at some point in his or her career: is it better to try to repair the damage, or just reinstall the system and start from scratch?