> There may also be the possibility of power-fail subroutines executing as
> the power is lost performing some unknown action. I'm not sure about new
> systems but older systems I remember had several hundred milliseconds of
> DC carry over after AC was removed and I believe I recall specific bus
> signals used for power fail interrupt routines.

Also, a clean shutdown might be required by a backdoor or a virus; I remember an old virus (boot-437 I think) that would encode the file system's table on disk so that restoring the boot sector/MBR with fdisk would wipe the virus along with the decoding routine, rendering the hard disk useless. A backdoor using a similar approach could cipher these tables but would only write down the correct decipher/key information to disk when a shutdown were to be initiated (it would, again, remove this information from disk after a clean boot). Unplugging the power cord might still best preserve the information on the hard disk, but you might lose important information that was only available in memory and that would only be updated with a clean shutdown.

> > Approach a) is sometimes necessary, for example, if there is an incident
> > with a mission critical system that cannot be unplugged from the network
> > or shut down (even if backups are available, sometimes bringing up a
> > replacement system might take just too long or be extremely difficult
> > because of specialized hardware availability).
>
> On the other hand, if the mission critical system holds sensitive data or
> controls sensitive processes, leaving it online implies allowing continued
> exposure of those sensitive items.
>
> Probably obvious is the fact that leaving such a system online that is
> subsequently used to compromise or otherwise adversely affect other
> systems may expose one to a liability suit.
Excellent observation, maybe the timeline should go like this:

1) Once there are indications of abnormal activity or behavior on a system, an online investigation should be initiated; at this point there would still be no indication of an intrusion (this is what happens anyway with system administrators or even users in the case of workstations: someone becomes suspicious, and only after seeing some indications that the system might be compromised is the alarm sounded). Proceed to step 2.

1b) If security controls (IDS, firewalls) provide evidence that an intrusion is in progress, consider the system as potentially compromised and proceed to step 3.

2) If there is evidence or clear indications that the system might be compromised, recommend that the system be isolated immediately and formal forensic procedures initiated. Proceed.

3) After receiving notification of a possible intrusion on the system, the company (owner of the system) should decide what action to take while taking into account the following order of importance:

   a) If possible, and if prosecution and investigation are most important or legally required, unplug all power and communication links from the device and initiate formal forensic procedures (recording the state of the environment, initiating chain of custody procedures, etcetera).

   b) If possible, and if system integrity is most important but prosecution and investigation are also required, initiate formal forensic procedures but using a clean shutdown.

   c) If system operation is most important above all and the company is assuming the risk, continue with the online investigation and execute incident isolation procedures while a replacement system is put in place (isolation might include logical isolation through a VLAN from the rest of the systems in the same network segment, hardening firewalls, setting up a sniffer and permanent monitoring by personnel).
Some issues:

Point 3 should be decided as fast as possible no matter the decision taken (forensic policies and procedures should be in place already).

If taking decision c), could the company argue that by isolating the system it is not failing to perform with due diligence? Two cases for analysis:

* A critical system in an airport that controls air traffic
* The mail server of an ISP where no backup or replacement is available at the time

Regards,

Omar Herrera

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Mar 30 2003 - 07:30:21 PST