13.3 Evaluation

Once an incident has been detected, the next step is evaluation. Throughout this discussion we have used the term "incident" rather than "crime" or "attack" for a reason. Information systems are complicated. There can be any number of causes that explain strange behavior, not all of which qualify as a crime or attack. The purpose of this stage of incident response is to make that evaluation.

Sometimes, it will be clear that a computer incident is in progress. For example, the firewall and IDS may both be generating alerts that packets known to be associated with a particular attack have been detected. Or, a user may experience a screen message that says something helpful, such as, "j00@r3 0wNZ0R3d," a clear indication that something is amiss. Many times, however, the evidence is not so clear. A good deal of research may be involved to rule out possible explanations before the cause of suspicious symptoms can be ascertained.

It may even be the case that evaluation, containment, and investigation become one and the same step. If no other solution suggests itself, the same tools that are used to examine evidence can also be used to examine the state of your system during the behavior in question. Most of the time, however, a computer "crime" should be suspected only when there is conclusive evidence or all other possibilities have been eliminated.

The importance of this step cannot be overstated. I have worked with more than one customer who was convinced that every problem on their network was the result of some network attacker ruining their systems. In the long run, this fixation on a hoped-for cause is detrimental to the speedy resolution of any incident. If you are convinced that there is a hacker, you will spend all your time looking for evidence of the attack and miss the fact that a simple configuration setting is causing your problems. Good incident response is logical and methodical and does not leap to conclusions.

Once an incident has been identified, the next step in the evaluation process is to determine the scope of the incident. This includes determining the number of affected systems and even the number of affected sites. At this point, the sensitivity of the target and the degree of threat brought against it must also be evaluated. Initial estimates of the suspected cause of the incident, its potential damage, and the time and resources required to resolve it should all be noted at this point. This information will drive the decision about which response strategy to choose.

After determining the scope of the incident, it is time to bring in any members of the incident response team who have not already been activated and whose skills are required for the resolution of the incident. In some cases, this may mean that the HR person deals with the press, the forensics expert begins the examination of any collected data, and the legal expert begins to consider the implications of the incident for the company and any satisfaction that can be obtained through criminal or civil courts.

When spreading the word of the incident, it is important to keep information about the incident as professional, clear, and concise as possible. When something big has occurred, there is a tendency for people to react in an emotional way. This is not an advantage when working through an incident. If the cause of the incident is not yet known, do not speculate about it. "The sky is falling" statements only excite people and do nothing to keep them focused and attentive to the details that matter in successful incident resolution.

The rules of incident response must be made especially clear to anyone who needs to interface with the public or the media. While it is good policy to provide the media with information about an attack that might affect your company's public image, it is also important to be conservative about the information provided. Several rules assist in this process, including:

  • Interview only on your own time. Reporters like to contact you at odd hours in the hope of receiving an unprepared report that may contain exclusive information. All relations with the media should go through mechanisms that your company controls, such as prepared press releases.

  • Keep technical information to an absolute minimum. This serves two purposes. First, the person responsible for the attacks may be listening for information about their success; second, too much information may motivate copycat attackers to try their hand.

  • Avoid any speculation as to who is causing the incident. This will only serve to politicize the situation and may interfere with any investigation that occurs.




Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Pages: 119
Authors: Cliff Riggs
