18.2 Take Notes and Gather Evidence
The note-taking process should begin as soon as a problem is noticed. Because an attacker who still has access can alter or delete computer files, the notes should be written on paper. The preferred method is a shared logbook reserved for security incidents, ideally a bound book with numbered pages so that a removed page is evident.

It may not always be possible to use a shared logbook, especially where technical staff are not onsite 24x7. A central logbook should still be maintained, and notes taken during a security incident should be transcribed into it, with the time of transcription marked. This centralizes the record and makes it easier to track down information in the future.

Keeping this log is important because it demonstrates that the proper security procedures were followed, and because it may be needed if the authorities have to be contacted. The importance of a security incident is often not known until the investigation is well under way, so starting the log the moment the investigation opens helps to ensure there will be sufficient evidence for the authorities.

There are four things that need to be included in all log records of a security incident:

  1. The time and date of the attack and follow-up actions

  2. The total amount of time spent working on the attack

  3. Names of those contacted during the investigation

  4. The systems and programs affected

The first item to be recorded in the log is the time and date that the attack was first noticed, as well as the time and date of any subsequent actions. Subsequent actions include phone calls, responses from the phone calls, escalations, actions taken, and so forth. All steps taken to resolve the security incident should have the time and date marked down, along with a brief description of the action.

Recording the total amount of time spent working on the attack is especially important if it is escalated through multiple levels, or has an ownership change (e.g., the night shift takes over the incident from the day shift). The amount of time each employee spent working on it, as well as the total amount of time organization-wide that was spent dealing with the attack, should be recorded.

Anyone contacted in the course of the investigation should be noted, whether by phone or e-mail, and the record should include people from outside the organization who initiate contact. For example, if another administrator e-mails the organization to report that a DoS attack is being launched from its servers, that contact, and its time, should be noted.

Finally, record the names of the systems that have been compromised, as well as any applications affected by the attack. If the attack spans multiple network devices, record the network segment that was impacted. If the entire network is affected, whether by a worm or by a DDoS attack, note that the entire network is affected and also try to pinpoint the original target.

In addition to taking copious notes, gather log information as soon as possible. An experienced attacker will attempt to alter the log files to cover his or her tracks. If logs are forwarded to a dedicated syslog server that the attacker cannot reach, this is much harder to do; however, nothing should be taken for granted. The log files implicating the attacker should be copied (not moved, so that logging continues uninterrupted) off the syslog server onto write-once media, a CD-R or, in the book's day, a floppy, as soon as possible, and the checksum of each copy and the time of collection entered in the logbook so that the copy can later be shown to be unaltered. Again, the log files may be necessary as evidence if the attacker is caught and prosecution is an option.
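The collection step described above, as an added example that is not from the book: a POSIX shell script that copies the relevant syslog files into an evidence directory, writes a manifest recording who collected them, on which host, at what UTC time, and the SHA-256 digest and size of each copy (covering the date/time and affected-system items from the list above), and can later re-verify the copies. The `evidence` directory, the file paths, and the sample log line in `demo` are constructed for the example; it assumes `sha256sum` (coreutils) or `shasum` is installed.

```shell
#!/bin/sh
# Added example (not from the book): snapshot syslog evidence with hashes and a
# chain-of-custody manifest so that later alteration of the copies is detectable.
# Assumptions: POSIX sh; sha256sum or shasum available; every path and the sample
# log line in demo() are constructed for this example.

# Print the SHA-256 digest of the file given as $1.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# preserve_logs EVIDENCE_DIR LOGFILE...
# Copies each log file into EVIDENCE_DIR (read-only) and writes MANIFEST with the
# collector, host, UTC time, and one "digest bytes original_path" line per file.
# The manifest's own digest goes to MANIFEST.sha256. Prints EVIDENCE_DIR.
preserve_logs() {
    dest=$1; shift
    mkdir -p "$dest"
    manifest="$dest/MANIFEST"
    [ -e "$manifest" ] && { echo "preserve_logs: $dest already holds evidence" >&2; return 1; }
    {
        echo "# collected $(date -u +%Y-%m-%dT%H:%M:%SZ) by $(id -un) on $(uname -n)"
        echo "# sha256  bytes  original_path"
    } > "$manifest"
    for src in "$@"; do
        [ -f "$src" ] || { echo "preserve_logs: missing $src" >&2; return 1; }
        copy="$dest/$(basename "$src")"
        cp -p "$src" "$copy"          # -p keeps the original mtime and ownership
        chmod 0444 "$copy"            # read-only copy; burn to write-once media next
        bytes=$(wc -c < "$copy" | tr -d ' ')
        echo "$(hash_file "$copy")  $bytes  $src" >> "$manifest"
    done
    chmod 0444 "$manifest"
    hash_file "$manifest" > "$dest/MANIFEST.sha256"
    echo "$dest"
}

# verify_evidence EVIDENCE_DIR
# Recomputes every digest. Prints OK and returns 0, or lists the altered files
# (MANIFEST itself included) and returns 1.
verify_evidence() {
    dest=$1
    bad=""
    [ "$(hash_file "$dest/MANIFEST")" = "$(cat "$dest/MANIFEST.sha256")" ] || bad="$dest/MANIFEST"
    altered=$(grep -v '^#' "$dest/MANIFEST" | while read -r sum bytes path; do
        copy="$dest/$(basename "$path")"
        [ "$(hash_file "$copy")" = "$sum" ] || echo "$copy"
    done)
    bad="$bad $altered"
    if [ -z "$(printf '%s' "$bad" | tr -d ' \n')" ]; then
        echo OK
        return 0
    fi
    echo "ALTERED:$bad"
    return 1
}

# demo: a constructed sshd log line is preserved, verified, then tampered with.
demo() {
    tmp=$(mktemp -d)
    printf 'Mar 10 02:14:07 ns1 sshd[4123]: Failed password for root from 10.0.0.5 port 40112 ssh2\n' > "$tmp/messages"
    ev=$(preserve_logs "$tmp/evidence" "$tmp/messages")
    cat "$ev/MANIFEST"
    verify_evidence "$ev"
    chmod u+w "$ev/messages"; echo 'x' >> "$ev/messages"
    verify_evidence "$ev" || true
    rm -rf "$tmp"
}

[ "${1:-}" = "--demo" ] && demo
```

Run with `--demo` to see the manifest and the two verification results; in use, call `preserve_logs` with the real evidence directory and log paths, write the directory to the write-once medium, and copy the manifest's digest line into the paper logbook next to the collection time.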

The more information noted during an attack, the easier it is to create a postmortem and to contact authorities with the information gathered during the attack. More information also makes it easier to track down the attacker.


The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska