Final Caveats


Those who are experienced in attack tracing know that tracing the source of an attack is by no means easy. Attackers usually do everything in their power to cover their tracks. One time-proven method is to "leapfrog" from one compromised host to another, and then to another. By the time an attack has passed through six or seven intermediate hosts, the direct trace method becomes very difficult to apply, let alone the indirect trace method, because every hop must be traced in turn and each intermediate host may belong to a different organization, keep different logs (or none), and sit in a different legal jurisdiction. We raise this point not to discourage you, but to remind you once again that when you are dealing with attacks, you usually have to make a large number of decisions.

First and foremost, adhere to your organization's policy concerning attack tracing. If the policy dictates that attacks must not be traced without prior approval from senior management, failing to obtain that approval will be career limiting for you. If your organization's policy does allow attacks to be traced, be careful not to waste large amounts of time pursuing every attack that occurs. Weigh the costs against the benefits first, remembering that the likelihood of successfully tracing an attack that has passed through multiple intermediate hosts is not great.

The information in this chapter could motivate the would-be cybercop to devote even greater effort to fighting cybercrime, to nailing every cybercriminal. We have seen plenty of speakers at information security conferences who posture as cybercops, but unless someone works for an agency such as the FBI or Interpol, the cybercop mentality is likely to accomplish nothing more than annoying others, hindering cooperation between organizations, and producing foolish mistakes. Tracing attacks is not about being a cybercop; it is something one does from time to time as needs (and policy) dictate.

Finally, there is a big difference between responding to an incident and conducting an investigation (an examination of wrongdoing on the part of one or more employees). In general, organizations that have an incident response capability do not authorize incident response personnel to conduct investigations as well. Taking it upon yourself to conduct an investigation is likely to have all kinds of negative fallout, including legal consequences (discussed more fully in Chapter 7, "Legal Issues"). In short, understand your organization's policy as well as what you are and are not expected and authorized to do when you respond to incidents. And never forget to use good old-fashioned common sense.

Good luck!

What do you do if you conclusively pinpoint the source of an attack or series of attacks? We move on to this and other legal issues in the next chapter.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103
