DOCUMENTING THE INTRUSION ON DESTRUCTION OF DATA




It is very important to document and inventory the tools needed to respond to an intrusion that destroys data, including intrusion detection (ID) software, backups, and file-system-recovery tools. There should also be written requirements for training IT staff on how to deal with intrusions. This training can come from SANS courses, CERT’s Software Engineering Institute, training offered for your intrusion detection tools, or even custom training developed in-house. Training should also include some form of regular fire drill.

Incident Reporting and Contact Forms

Documenting an intrusion (incident) that destroys data is very important, not only as an aid for solving the intrusion problem, but also as an audit trail that may even be used in criminal proceedings. It is critical to capture as much information as possible, and to create forms that enable users who are not ID specialists to provide as much information as they can. Some of the important elements of incident reporting forms are:

  • Contact information for the person(s) who discovered the problem and/or the responsible parties.

  • Target systems and/or networks. Know all about the systems under attack, including operating system versions, IP addresses, and so on.

  • Purpose of systems under attack. Know what the systems are used for (payroll, R&D, and so on), as well as some kind of ranking of the importance of each system.

  • Evidence of intrusion. Document anything that is known about the intrusion, including the method of attack used, the source IP address of the attacker, and network contact information for that address.

  • List of parties to notify. This can include the technical contacts, internal legal contacts, and possibly the legal authorities.
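A completeness check for a submitted incident form built from the elements above, so gaps in a non-specialist's report are flagged at submission time. This is an added example, not from the book; the field names, the sample report, and the SHA-256 digest kept for the audit trail are assumptions.

```python
import hashlib
import ipaddress
import json

# Field names are assumptions; they mirror the form elements listed above.
REQUIRED = {
    "reporter_contact": "contact information for the person who discovered the problem",
    "target_systems": "target systems (OS version, IP address)",
    "system_purpose": "purpose of the systems under attack",
    "importance_rank": "importance ranking of the system",
    "evidence": "evidence of intrusion",
    "notify": "list of parties to notify",
}

def _valid_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False

def review_report(report):
    """Return (problems, digest) for one submitted incident report."""
    problems = [f"missing: {label}" for key, label in REQUIRED.items()
                if not report.get(key)]
    for system in report.get("target_systems") or []:
        if not system.get("os_version"):
            problems.append(f"target {system.get('ip')!r}: no OS version")
        if not _valid_ip(system.get("ip")):
            problems.append(f"target {system.get('ip')!r}: not a valid IP address")
    source_ip = (report.get("evidence") or {}).get("source_ip")
    if source_ip is not None and not _valid_ip(source_ip):
        problems.append(f"evidence: source IP {source_ip!r} is not a valid IP address")
    # Digest of the canonical JSON form; stored with the report so later edits are detectable.
    canonical = json.dumps(report, sort_keys=True, separators=(",", ":"))
    return problems, hashlib.sha256(canonical.encode("utf-8")).hexdigest()

# Constructed sample submission (documentation-range addresses, placeholder contact).
SAMPLE = {
    "reporter_contact": "J. Doe, help desk, ext. 0000",
    "target_systems": [{"ip": "192.0.2.10", "os_version": ""}],
    "system_purpose": "payroll",
    "importance_rank": 1,
    "evidence": {"method": "unknown", "source_ip": "203.0.113.300"},
    "notify": [],
}

if __name__ == "__main__":
    issues, digest = review_report(SAMPLE)
    print(*issues, "sha256: " + digest, sep="\n")
```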

Finally, when it comes to hardening your network against hackers, the best defense is to keep abreast of developing threats and test your system with due diligence. In other words, you need to seal off the leaks.






Computer Forensics. Computer Crime Scene Investigation
Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
EAN: 2147483647
Year: 2002
Pages: 263
Authors: John R. Vacca
