Information gathering is a critical step in responding to a security incident. Information has to be gathered to determine the extent of the damage and the source of the attack. Start with the sources that are already available, and bring in other sources as the investigation warrants. Review access logs and audit trails to identify the intruder's identity and origin and what activities he or she performed while on the system.

Increase Monitoring

When an incident is discovered, start any additional information-gathering services. Enabling more logging, accounting, or auditing provides a more detailed view of the hacker's activities. This only helps, however, if the hacker's activity continues after discovery; it captures nothing about what happened before. While the incident is in progress, activate auditing software and consider implementing a keystroke monitoring program, provided the system's warning banner permits it. This information will be vital to locating, apprehending, and prosecuting the attacker.

Gather Counterintelligence

When a system manager suspects that his system is under attack or has been compromised, he will likely try to gather information about the hacker. There is, however, a question of how much information gathering is legal. The answer differs depending on whether the system being examined is managed by the system manager or is owned by the company doing the gathering; if the hacker is coming in from another system, gathering information from that system raises a whole new set of issues. Admissibility in a court of law only becomes an issue once the hacker is caught and goes to trial, but it is decided by how the evidence was collected and handled at the time, so treat every step as though it will be scrutinized. Is it proper for a system manager to use counterintelligence techniques? The answer may end up being defined in a court of law, based on the policies and procedures you have in place.

Adherence to and consistent interpretation of your policies are key to presenting a successful court case. Collect all the information available about the intruders from your own system. Your company policy should state that, in order to diagnose problems in response to a security incident, it may be necessary to collect information and examine files that would otherwise be considered private, including user files and e-mail. Remember that the hacker is often using someone else's system to attack you, so the system manager of the system the attack is coming from may have no idea that it is underway; he may simply be experiencing system problems. If your counterintelligence measures use the same information-gathering commands an attacker would use, that system manager may interpret your activity as an attack. Automated counterintelligence measures should therefore be discouraged. Instead, contact the system manager of the attacking system and enlist his support in tracking down the intruder.

These are just a few of the questions you and your legal staff must ask and decide upon. During a successful attack in progress, is it justified to penetrate the attacker's computer system under the doctrine of immediate pursuit? Is it permissible to stage a counterattack in order to stop an immediate and present danger to your property? These questions will also have to be answered by the courts. The distributed and interconnected design of the Internet makes it difficult to track attackers. In the wake of highly publicized Internet attacks, the FBI has created new tools to enable it to respond rapidly to intrusions, automatically determine an attacker's network entry point, and collect information on the attacker's activities within the constraints of the law.
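The log review described under information gathering above (identify the intruder's origin, identity, and activities from access logs and audit trails), as an added example that is not from the book: a small Python triage script run over constructed sshd and sudo lines in auth.log style. It counts failed logins per source address, pairs each accepted login with the matching "session closed" line by sshd process id, and attributes sudo commands to that session by user and time window, because sudo lines record no source address. The log lines, the year, the list of suspicious command fragments, and every function name are assumptions made for this example.

```python
"""Triage constructed auth.log lines: count failed logins per source, rebuild
SSH sessions, and attach the sudo commands run during each session."""
import re
from datetime import datetime

# Constructed sample log lines (not real data). 203.0.113.45 is the suspected
# intruder; 192.0.2.10 is the user's normal workstation.
SAMPLE_LOG = """\
Mar 14 02:11:03 host sshd[4121]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar 14 02:11:07 host sshd[4121]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar 14 02:11:12 host sshd[4125]: Accepted password for jsmith from 203.0.113.45 port 51030 ssh2
Mar 14 02:11:12 host sshd[4125]: pam_unix(sshd:session): session opened for user jsmith by (uid=0)
Mar 14 02:12:40 host sudo:   jsmith : TTY=pts/2 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 14 02:13:05 host sudo:   jsmith : TTY=pts/2 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 sys2
Mar 14 02:15:00 host sshd[4125]: pam_unix(sshd:session): session closed for user jsmith
Mar 14 09:00:01 host sshd[5200]: Accepted publickey for jsmith from 192.0.2.10 port 40000 ssh2
Mar 14 09:00:30 host sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

YEAR = 2024  # syslog timestamps carry no year; assumed for the constructed sample

HEAD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<rest>.*)$")
PID_RE = re.compile(r"^sshd\[(?P<pid>\d+)\]")
FAILED_RE = re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
CLOSED_RE = re.compile(r"session closed for user (?P<user>\S+)")
SUDO_RE = re.compile(r"^sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Command fragments that warrant a second look (assumed list for the example).
SUSPICIOUS = ("/etc/shadow", "useradd", "usermod", "-u 0", "chattr", "history -c")


def parse_events(log_text):
    """Turn raw lines into event dicts; lines that match no known pattern are skipped."""
    events = []
    for line in log_text.splitlines():
        head = HEAD_RE.match(line)
        if not head:
            continue
        ts = datetime.strptime(f"{YEAR} {head['ts']}", "%Y %b %d %H:%M:%S")
        rest = head["rest"]
        pid_m = PID_RE.match(rest)
        ev = {"ts": ts, "pid": pid_m["pid"] if pid_m else None}
        if m := FAILED_RE.search(rest):
            ev.update(kind="failed", user=m["user"], src=m["src"])
        elif m := ACCEPTED_RE.search(rest):
            ev.update(kind="accepted", user=m["user"], src=m["src"], method=m["method"])
        elif m := CLOSED_RE.search(rest):
            ev.update(kind="closed", user=m["user"])
        elif m := SUDO_RE.match(rest):
            ev.update(kind="sudo", user=m["user"], cmd=m["cmd"], target=m["target"])
        else:
            continue
        events.append(ev)
    return events


def reconstruct_sessions(events):
    """Pair each accepted login with the 'session closed' line carrying the same sshd
    pid, then attach sudo commands by that user inside the window. sudo lines do not
    record the source address, so attribution is by user and time only."""
    sessions = []
    for ev in events:
        if ev["kind"] != "accepted":
            continue
        end = next((c["ts"] for c in events
                    if c["kind"] == "closed" and c["pid"] == ev["pid"] and c["ts"] >= ev["ts"]),
                   None)  # None means the session is still open at the end of the log
        cmds = [s["cmd"] for s in events
                if s["kind"] == "sudo" and s["user"] == ev["user"]
                and s["ts"] >= ev["ts"] and (end is None or s["ts"] <= end)]
        sessions.append({"user": ev["user"], "src": ev["src"], "method": ev["method"],
                         "start": ev["ts"], "end": end, "commands": cmds,
                         "flagged": [c for c in cmds if any(p in c for p in SUSPICIOUS)]})
    return sessions


def triage(log_text, src):
    """Summarize what one source address did: failed attempts plus sessions with commands."""
    events = parse_events(log_text)
    failed = sum(1 for e in events if e["kind"] == "failed" and e["src"] == src)
    return {"src": src, "failed_attempts": failed,
            "sessions": [s for s in reconstruct_sessions(events) if s["src"] == src]}


if __name__ == "__main__":
    for ip in ("203.0.113.45", "192.0.2.10"):
        report = triage(SAMPLE_LOG, ip)
        print(f"{ip}: {report['failed_attempts']} failed attempt(s)")
        for s in report["sessions"]:
            end = s["end"].strftime("%H:%M:%S") if s["end"] else "open"
            print(f"  {s['user']} via {s['method']} {s['start']:%H:%M:%S}-{end}")
            for cmd in s["commands"]:
                print(f"    {'!' if cmd in s['flagged'] else ' '} {cmd}")
```

The time-window attribution is the weak point: if the same account holds two overlapping sessions from different addresses, every sudo command lands in both, and nothing here shows what was typed without sudo. That gap is what the extra accounting, auditing, and keystroke monitoring recommended above are meant to close.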