Definition of Incident Handling
Incident handling is the practice of responding to an incident or intrusion after the fact, and of planning in advance how an incident will be handled so that the response is faster when one occurs.
Incident Handling
Tracking Down the Phantom Host
Most information systems security professionals are familiar with the procedures for identifying malicious traffic among their routine data, and many of the same professionals are familiar with the forensic procedures required once you have identified a compromised host. But on more than one occasion, I have been asked how to locate a problem host when you are not sure where it is physically located.
Appropriate Response: More Questions Than Answers
So, just how far should security administrators go to protect their systems? What is an appropriate response to a detected security incident? Ask ten security professionals that question and you will most likely get ten different answers. Ask them more specific questions - such as, how do you handle active intrusions? Denial of service attacks? Probes? - and eventually you will be able to piece together their response set, a collection of reactions tailored to particular attacks or threats.
Calling the CyberCops: Law Enforcement and Incident Handling
It's now 3:00 AM and you're sitting at a console in your computer room at the office, staring at a new directory named "ADMROCKS." You've been hacked. Your personal data space has been violated. Some nameless script kiddie has made a mockery of your well-laid security plans. What are you going to do about it?
Detecting and Containing IRC-Controlled Trojans: When Firewalls, AV, and IDS Are Not Enough
This paper discusses IRC-based trojans as a distinctly underestimated class of malicious activity, and how real time security event monitoring is the key to identifying and containing similar compromises. It discusses the general methodology used to discover, track, and stop such malicious activity by presenting a real-world case study.
Detecting and Removing Malicious Code
Has it happened yet? The phone call, the e-mail, the page, or maybe you discovered it yourself. Something wasn't right: sluggish performance, too much network activity, a missing file. After a little investigating, the realization - you've been cracked. If this isn't familiar to you yet, odds are it will be in the future. Crackers have access to countless variations of malicious code: automated rootkits, trojans, viruses and specific exploits, all designed to breach your security. Detecting and removing these programs can be a daunting task, with little room for wasted time or error. In this article, I'll explain techniques readers can use to get their system back on-line and prevent it from happening again.
Detecting and Removing Trojans and Malicious Code from Win2K
The purpose of this article is to recommend steps that an administrator can use to determine whether or not a Win2K system has been infected with malicious code or "malware" and, if so, to remove it. This article will specifically address network backdoor Trojans and IRC bots, but the information delivered in this article should assist the reader in a variety of situations.
Going to the Source: Reporting Security Incidents to ISPs
My interest in abuse notifications began when Warez pirates started using my trustingly anonymous FTP server as their personal playground. I realized that my system needed to be locked against this type of intrusion and that I had failed to provide adequate safeguards. But I still felt violated - these people were intruding into a place where they knew they had no business.
Have Root, Will Hack
This story is true; only the names have been omitted to protect the (sort of) innocent. Monday, 7:15 AM: I log onto my Solaris box and start the day's regimen. After scanning my 245 email messages for anything that might require immediate attention, I settle in to do some log surfing. As I pull down the first log, I notice that the Perfmeter session I had running to monitor a remote Sun enterprise server has suddenly coughed up little "RIP" icons for each of the system parameters I was tracking. This can't be a Good Thing (TM).
Incident Management with Law Enforcement
Working with law enforcement may be the most interesting and challenging part of the computer security professional's job. Depending upon how well the professional prepares prior to a security incident, such an interaction can offer either a smooth, pleasant ride or a rough, rocky ride. This article will offer an overview of dealing with law enforcement agencies in security incident handling. It will offer some suggestions that will help to make private sector involvement with the cyber-police satisfactory and effective for both sides.
Moment's Notice: The Immediate Steps of Incident Handling
This article covers the topic of response, including matters of scale, operational constraints, appropriate countermeasures, legal concerns, and hints for proper implementation. While not technical in nature, this study of response procedures might give you some insight into how to handle the more ambiguous elements of systems security: human factors, policy, and time.