It takes time to develop and deploy a comprehensive hardening plan. Meanwhile, systems may already be compromised or may not be operating properly. They may be leaking information, busy infecting other systems on your network, or even taking part in coordinated attacks on other machines. Regardless of their security status, systems that are unstable because of hardware or power issues may be weakened further by your hardening efforts. Adding security controls to systems you no longer control, or toppling already underperforming servers, serves no purpose. Before you harden a current production system, you must determine whether it is still your system to harden. You must make sure it is operating correctly. After you harden systems, you must have a way to determine whether the steps you've taken are keeping the system secure.
Stop and do this now. Test the system to determine its status. If you find evidence of an unauthorized intrusion, the presence of malware or a rootkit, or other evidence of attack, use approved methods to reclaim the system. Cleaning and reclaiming may entail obtaining and running special software, following instructions for removing files and reconfiguring settings, or wiping the hard drive and reinstalling. Next, ensure that the system is operating properly. This chapter provides the steps that will teach you how.
Heads Up

Before you attempt to recover a system that has been compromised, sit down and count the costs and the final results. You should consider which is more cost effective: to reinstall or to recover. Past experience suggests that the real cost of recovery is often more than double the initial estimate, while the cost of reinstallation is often premised on a worst-case scenario. In other words, there is a tendency to underestimate the cost of system recovery and to overestimate the cost of reinstallation. In addition, it is wise to consider the possibility that a compromised machine may have hidden backdoors installed. When evidence of one successful attack is discovered, you must consider whether cleaning the system of some recognizable Trojan horse or other artifact may still leave hidden modifications or software that will allow an attacker to manage the system. There are no hard and fast rules for deciding between recovery and reinstallation. You will have to weigh the cost and the risk.
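The text above asks for two things a script can help with: a way to test a system's status before hardening, and a way to tell afterwards whether the hardening steps are still holding. The following added example (written for this page, not taken from the chapter or any product it describes) shows the simplest form of that check: a file-hash baseline taken once the system is known good, then compared against the live tree to report added, removed, and modified files. The directory layout, file names, and "drift" it simulates are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Record the hash of every regular file under root, keyed by relative path."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report what changed since the baseline was taken."""
    current = take_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            k for k in current.keys() & baseline.keys() if current[k] != baseline[k]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, simulate drift, report it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"original service binary")  # constructed
        (root / "config.ini").write_text("[settings]\nlogging=on\n")        # constructed

        baseline = take_baseline(root)
        # In practice the baseline is written to read-only or offline storage;
        # a copy kept on the monitored host can be edited by whoever owns it.
        saved = json.dumps(baseline)

        # Simulated drift: one binary replaced, one file appears, one disappears.
        (root / "bin" / "svc.exe").write_bytes(b"tampered service binary")
        (root / "bin" / "helper.dll").write_bytes(b"unexpected new file")
        (root / "config.ini").unlink()

        return compare_to_baseline(root, json.loads(saved))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline only after the system has been verified clean; a baseline of an already compromised machine just enshrines the attacker's changes. The check is also only as trustworthy as the host it runs on, which is the Heads Up's point about hidden backdoors: a kernel-level rootkit can hide files from the very process doing the hashing, so findings from a host-resident tool support the reinstall-versus-recover decision but cannot settle it on their own.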