Halting the Hacker. A Practical Guide to Computer Security. Author: Pipkin D.L. Published year: 2002. Pages: 160-161/210
Review the Incident Response Plan

Regardless of the philosophy of responding to a security incident, there must be a preplanned response. An incident response plan establishes management procedures and responsibilities to ensure a quick, effective, and orderly response to security incidents. Incident response is not usually a revenue-generating activity, which makes it difficult to obtain the necessary resources. However, careful and intelligent planning and justification can be key to illustrating the scope of the issues. All of the business implications should be evaluated, and a policy based on business decisions should be created. The incident response plan should be the best-defined section of the security procedures, yet it rarely is. The usual excuse is that the response will depend on the type of attack. Specific incident handling procedures are often created for specific types of incidents. These usually evolve from best practices and address simple intrusions such as computer viruses, compromised user authentication, or system scanning or probing. This may be true for the specifics. However, in general, the response to a security incident will be the same. Even though you cannot predict the kind of security incident to which you may fall victim, you can prepare for the type of outage you could experience and plan your response accordingly. Your outage will either be a system outage or a data outage. The attack will come from either a live attacker, a programmed threat, or both. In any case, the response process will be the same. The response plan should contain certain topics to adequately prepare the organization for responding to an incident. Hackers come prepared with the tools and knowledge they need to do battle. It is up to the system manager to be just as well organized, with preplanned responses and contingency plans. This groundwork should be laid before the system manager finds his system under attack.

When your system is going down in flames and all eyes are upon you is no time to be searching for solutions. A good incident response plan will have defined and prioritized the response processes. It will have defined ownership of each process and contain basic checklists for each one.
Preserve the State of the Computer

Capturing the state of the system at the time of the incident, by making a backup copy of logs, damaged or altered files, and files left by the intruder, will capture a picture of what has been done to the system. Any hacker tools which have been loaded on the system will be recorded. This captured data, and the information derived from it, is the evidence which will be needed to stop and prosecute the hacker. Re-creating the activities of a hacker is a difficult and time-consuming task, and this deters organizations from prosecuting. Skilled hackers will employ the methods highlighted in this chapter and hop from one system to another, increasing the difficulty of synchronizing logs from many machines to create an accurate picture of the hacker's activities.

Destructive Hacker Tools

Today, some hacker tools monitor their environment and self-destruct if they perceive that they have been detected. Among the conditions such a tool watches for are the system being shut down or being unable to reach the Internet. So, to avoid alerting these smart tools, it is best to crash the system and remount the system disks onto another system, so that the code has no chance to take its responsive actions. At this time, the exact images of the disks can be copied.
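The imaging step above, as an added Python example that is not from the book: once the suspect disk is attached read-only to a clean analysis system, copy it byte for byte to an image file, hash the bytes as they are read, re-hash the written image, and record both digests in a manifest so the copy can later be shown to be exact. The source device path and manifest location are the caller's choice and are assumptions here.

```python
"""Forensic imaging helper: copy a source (block device or file) byte-for-byte
to an image file, hashing the source stream and re-hashing the written image
so the copy can be shown to match. Added example, not the book's own code."""
import hashlib
import json
import os
import time

CHUNK = 1024 * 1024  # read in 1 MiB chunks so a large disk never sits in memory


def sha256_of_file(path):
    """Hash an existing file in chunks; used to re-verify the written image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_and_hash(src, dst, manifest_path=None):
    """Copy src (e.g. a remounted suspect disk) to dst while hashing the bytes
    read, then hash dst again from disk.

    Returns a manifest dict; raises RuntimeError if the two hashes differ,
    which means the image cannot be relied on as evidence.
    """
    h_src = hashlib.sha256()
    size = 0
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h_src.update(block)
            fout.write(block)
            size += len(block)
        fout.flush()
        os.fsync(fout.fileno())  # ensure the image is on disk before re-hashing it
    manifest = {
        "source": src, "image": dst, "bytes": size, "started_utc": started,
        "sha256_source_stream": h_src.hexdigest(),
        "sha256_image_file": sha256_of_file(dst),
    }
    if manifest["sha256_source_stream"] != manifest["sha256_image_file"]:
        raise RuntimeError("image hash does not match source; do not rely on this copy")
    if manifest_path:
        with open(manifest_path, "w") as m:
            json.dump(manifest, m, indent=2)  # keep beside the image as the custody record
    return manifest
```

Keep the manifest with the image and never work on the original; analysis is done on a second copy of the verified image.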