Education, was => RE: Future trends

From: H C (keydet89at_private)
Date: Wed Oct 23 2002 - 06:31:45 PDT

    > Amen to education. Most sysadmins are not focused on
    > preservation of forensics evidence, be it for 
    > prosecution purposes or technical investigation, but
    > instead on stopping the attack and recovering.
    
    You're so right!  And to be quite honest, that really
    provides a great transition to the topics of the
    exchange principle and evidence dynamics that Eoghan
    mentioned.
    
    If sysadmins are going to respond to incidents, they
    need to understand a little more about the systems
    they administer.  That way, they can collect the
    information they need in order to make appropriate
    decisions.  Either that, or some sort of first
    responder procedure needs to be employed (such a thing
    has been documented here on SF), so that admins can
    use it.  
    
    That same info needs to be kept in mind when
    investigating a possible compromise as well, be it a
    virus, break-in, trojan, etc.  The digital artifacts
    that are exchanged can vary, and the first responder
    needs to have the tools/knowledge on hand to collect
    enough info to make an appropriate decision.
    
    However, a more important decision needs to come from
    senior management.  Is the business so important that
    a machine needs to be put back into service w/o
    performing a root cause analysis?  What happens?  Does
    the machine get compromised again?  How is the system
    put back into service?  Is it wiped and
    re-ghosted/re-installed?  If the same or similar
    system is put back into service, w/o a root cause
    analysis and remediation steps (which is where things
    like the exchange principle and evidence dynamics come
    into play) then the compromise (hack, virus, etc) will
    likely happen all over again.
    
    Carv
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 06:44:18 PDT