Chapter 11: Responding to and Recovering from Security Breaches

Introduction

In Chapter 10 we discussed the process of auditing your systems and looking for evidence of breaches. We covered what you need to do to catch an attack or exploit using the tools Microsoft provides in Windows 2000. In this chapter we look at actual security incidents and how to respond to them, with a focus on the material you can expect to see on the exam.

In a Microsoft environment you must get used to dealing with attacks, bugs, viruses, worms, and every other type of incident. Microsoft is not only the leading software vendor worldwide; its products are also the most widely exploited. This is not necessarily because Microsoft software is poorly designed; it is because Microsoft products are the most widely deployed software in the world. Solaris, Linux, Apple, Novell, and Cisco IOS all suffer the same kinds of flaws, but Microsoft products are the most widely used and are therefore the most widely attacked. It also does not help that attacks on Microsoft systems tend to exploit the same areas over and over again: Visual Basic scripting and Office macro attacks, unchecked buffers and buffer overflows, and widespread exploitation of known system bugs and weaknesses that have not been fixed by a service pack or hotfix. Taken together, these factors can cause any systems administrator massive headaches when his or her network is compromised. It is therefore important that you know not only how to audit your systems but also how to recognize the issues waiting around the corner, chiefly malware and DoS attacks, the most common incidents on a Microsoft network.

We end this chapter with an in-depth look at how to perform solid incident response quickly, efficiently, and effectively.

Exam Warning 

Make sure that you are very comfortable with working through incident response issues for the exam. This chapter highlights what you need to know to work through incident-related questions; make sure you study this topic very thoroughly.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
