18.4 Remove the Problem


After a problem has been contained, thoroughly investigated, and all evidence has been gathered, the next step is to remove the problem. Removing the problem means that a full system restore has to be completed. A good attacker will often create multiple back doors into a system, allowing the attacker easy access back into the device, and possibly the network.

Because it is almost impossible to find all of the back doors created by an attacker, it is important to completely restore the system that was affected. If an accurate estimate can be made of the time and date the attacker penetrated the system, then the system can be restored from a backup taken prior to that date. If an accurate time cannot be estimated, then a full operating system restore should be completed, and the data restored from backup should be carefully monitored. In fact, if an administrator is unsure of the data integrity, it might not be a bad idea to place the server on an isolated network segment and monitor it closely. If an attacker has buried a method of back door access on the device, it may respond on unusual ports, or even attempt to contact the attacker.

Before any data restoration is done, a system has to be cleaned. If it is a server, the hard drives should be fully formatted. If it is a network device, such as a router or switch, it should be reset to factory defaults before restoring the configuration file.

If the attack occurred as a result of a vulnerability in a particular application, patches for that application should be downloaded and installed on all systems that run the application, or the application should be temporarily disabled while the code is reviewed.

If the problem occurred as a result of a security misconfiguration, then the deployment process needs to be reviewed to ensure that the mistake is not being duplicated, and similar devices on the network should be examined to ensure they are not susceptible to the same attack, or have not already been subject to the same attack.
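The sweep of similar devices described above can be scripted rather than done by hand. The following is an added example, not code from the book: it checks a set of device configurations against a deployment baseline so that a misconfiguration found on the compromised device is checked on every peer at once. The baseline rules, the hostnames and the three configurations are constructed for this example; the IOS-style command lines are used only as illustration.

```python
"""Audit similar network devices against the deployment baseline.

Every device config is checked for (1) required hardening lines that must be
present and (2) forbidden lines that indicate the same misconfiguration that
let the attacker in.  Baseline and configs below are constructed sample data.
"""
import re

# Hypothetical baseline (assumption for this example): lines every device
# must contain verbatim, and patterns that must not appear on any device.
REQUIRED_LINES = [
    "service password-encryption",
    "no ip http server",
]
FORBIDDEN_PATTERNS = [
    (r"^ip http server$", "web admin interface enabled"),
    (r"^snmp-server community public\b", "default SNMP community"),
    (r"^snmp-server community \S+ RW\b", "read-write SNMP community"),
    (r"^\s*transport input .*\btelnet\b", "cleartext management (telnet) permitted"),
]

# Constructed configurations for three devices of the same class.
DEVICE_CONFIGS = {
    "rtr-core-1": """hostname rtr-core-1
service password-encryption
no ip http server
snmp-server community s3cretRO RO
line vty 0 4
 transport input ssh
""",
    "rtr-edge-2": """hostname rtr-edge-2
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
""",
    "sw-access-3": """hostname sw-access-3
service password-encryption
no ip http server
snmp-server community netops RW
""",
}


def audit_config(config_text):
    """Return a list of human-readable findings for one device config."""
    lines = [line.rstrip() for line in config_text.splitlines()]
    present = {line.strip() for line in lines}
    findings = []
    for required in REQUIRED_LINES:
        if required not in present:
            findings.append(f"missing required line: {required}")
    for pattern, description in FORBIDDEN_PATTERNS:
        for line in lines:
            if re.match(pattern, line):
                findings.append(f"{description}: {line.strip()}")
    return findings


def audit_configs(configs):
    """Audit every device; returns {hostname: [findings]} (empty list = clean)."""
    return {host: audit_config(text) for host, text in configs.items()}


def devices_needing_attention(findings):
    """Hostnames with at least one finding, sorted for a stable work list."""
    return sorted(host for host, items in findings.items() if items)


if __name__ == "__main__":
    results = audit_configs(DEVICE_CONFIGS)
    for host in devices_needing_attention(results):
        print(host)
        for item in results[host]:
            print("  -", item)
```

Running the script lists each device that deviates from the baseline together with the specific lines responsible, which doubles as the evidence that a peer device was, or was not, deployed with the same mistake.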

After the problem has been removed, extra vigilance should be paid to the rest of the network, to make sure the attacker was not able to gain access to another network device. Once an attacker is inside the network, it is easier to gain access to other network systems. Systems within the same VLAN should be thoroughly audited, and the log files should be closely examined looking for any anomalies that might point to the attacker gaining access to other systems.
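Both the isolated-segment monitoring of a restored server (a buried back door answering on unusual ports or calling out to the attacker) and the log review for anomalies described above come down to comparing observed traffic against what the host is documented to do. The following is an added example, not code from the book: it parses constructed flow-log lines from the isolated segment and flags accepted inbound connections on ports outside the host's baseline and repeated outbound connections to destinations the host has no reason to contact. The log format, the host address, the baseline sets and every log line are constructed for this example.

```python
"""Monitor a restored host on an isolated segment for back-door behaviour.

Flags (1) inbound connections accepted on ports outside the documented
baseline and (2) outbound connections to destinations not on the allow list,
counted per destination so a regular beacon stands out.  All data below is
constructed sample data, not real traffic.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical baseline for the restored host (assumption for this example).
RESTORED_HOST = "10.0.5.20"
EXPECTED_INBOUND_PORTS = {22, 443}                      # SSH and HTTPS only
EXPECTED_OUTBOUND = {("10.0.5.1", 53), ("10.0.5.1", 123)}  # DNS and NTP on the segment

# Constructed flow-log lines: "timestamp src:sport > dst:dport proto action".
SAMPLE_FLOWS = """\
2002-06-10T10:00:01 10.0.5.7:51000 > 10.0.5.20:443 tcp accept
2002-06-10T10:00:03 10.0.5.20:40001 > 10.0.5.1:53 udp accept
2002-06-10T10:00:09 10.0.5.7:51002 > 10.0.5.20:31337 tcp accept
2002-06-10T10:01:00 10.0.5.20:40002 > 198.51.100.23:6667 tcp accept
2002-06-10T10:02:00 10.0.5.20:40003 > 198.51.100.23:6667 tcp accept
2002-06-10T10:03:00 10.0.5.20:40004 > 198.51.100.23:6667 tcp accept
2002-06-10T10:03:30 10.0.5.7:51003 > 10.0.5.20:22 tcp accept
2002-06-10T10:04:00 10.0.5.7:51004 > 10.0.5.20:8080 tcp drop
this line is deliberately malformed and must be skipped
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    action: str


def parse_flows(text):
    """Parse log text into Flow records; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append(Flow(d["ts"], d["src"], int(d["sport"]), d["dst"],
                          int(d["dport"]), d["proto"], d["action"]))
    return flows


def audit_restored_host(flows, host=RESTORED_HOST,
                        inbound_ok=EXPECTED_INBOUND_PORTS,
                        outbound_ok=EXPECTED_OUTBOUND):
    """Return (set of unexpected inbound ports, Counter of unexpected outbound
    (dst, dport) pairs).  Only accepted flows count: dropped traffic never
    reached the host, though it is still worth reviewing separately."""
    unexpected_inbound = set()
    unexpected_outbound = Counter()
    for f in flows:
        if f.action != "accept":
            continue
        if f.dst == host and f.dport not in inbound_ok:
            unexpected_inbound.add(f.dport)
        elif f.src == host and (f.dst, f.dport) not in outbound_ok:
            unexpected_outbound[(f.dst, f.dport)] += 1
    return unexpected_inbound, unexpected_outbound


if __name__ == "__main__":
    inbound, outbound = audit_restored_host(parse_flows(SAMPLE_FLOWS))
    print("unexpected inbound ports answered:", sorted(inbound))
    for (dst, dport), n in outbound.most_common():
        print(f"outbound to {dst}:{dport} seen {n} times")
```

An accepted connection on a port the restored host should not be serving, or the same outside destination contacted on a schedule, is exactly the signal the isolation period is meant to surface; the same audit, pointed at the logs of neighbouring systems in the VLAN with their own baselines, covers the post-removal review of the rest of the network.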

This type of thorough audit will help to ensure that the attacker is not able to repeat the steps taken to enter the network in the first place. It also gives administrators confidence that the network was not further compromised.

The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska