At 04:37 PM 10/22/2002 -0400, you wrote:

>Amen to education. Most sysadmins are not focused on preservation of
>forensics evidence, be it for prosecution purposes or technical
>investigation, but instead on stopping the attack and recovering. It isn't
>until later, when someone tries to gather evidence, that it's realized that
>the sysadmins' well-intentioned actions rendered much evidence useless.
>Management needs to be aware of this as well, to understand the competing
>interests at work (quick return to service vs. preservation of evidence)
>and be able to make an assessment of the tradeoffs needed to best serve
>the business/agency/etc. interests.

This is really the difference between Computer Forensics and Incident Response. Computer Forensics must be very detailed in its approach, as it is primarily interested in prosecution as the final goal. Incident Response, on the other hand, is primarily interested in restoring the business functions of the systems, with a secondary function of discovery (i.e., finding out where and how the hacker got in).

It is important that a company develop good Security Policies/Procedures that indicate what users are to do upon discovery of a hack and how the system administrators are to handle it. If the goal is to ultimately prosecute, then the time taken to secure a solid image and document the initial "crime scene" will be part of the Security Policy for the company, and everyone will be willing to wait out the time it takes to perform these initial critical steps. To expect an administrator (or other knowledgeable staff member) to perform these tasks when upper management is "on their backs" because the systems are down is unrealistic.

One thing about Security Policies, though: it is very rare to find a company with even a basic one without seeing a decent job done on issues like this.

Just my $.02 worth, based on my own experiences.
----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 06:08:12 PDT