
Computer Security Incident Handling in Six Phases - Recovery

IRCAR201105102
Date: 2011-05-31
We have studied the “Identification”, “Containment” and “Eradication” phases of the incident handling process in the previous sections of the “Computer Security Incident Handling in Six Phases” article. This section explains the “Recovery” phase, the fifth phase of the incident handling process.
 
Recovery Phase
In the Recovery Phase, your task is to return the system to fully operational status as soon as possible.
 
STEP 1: RESTORE THE SYSTEM
Speed is critical, but a misstep at this stage may allow the attacker to re-enter the system later.
 
Action 1.1: Restore from backups or reload the entire system
Some incidents, such as malicious code, may require a complete restoration of operation from backups. In this case, it is essential to first determine the integrity of the backup itself. In general, the idea is to restore from the most recent backup made before the system was compromised. Make every effort to ensure that you are not restoring compromised code. If no backups were made prior to the compromise, you may have to rebuild the system from CD-ROM or other trusted media and apply patches, or obtain and use a backup from a similar system that has not been compromised.
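The backup-integrity check that Action 1.1 calls for, as an added example that is not part of the original article or of the SANS source: a hash manifest recorded before the compromise is compared against the tree that is about to be restored, and any modified, missing or unexpected file is reported. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, trusted: dict) -> dict:
    """Compare the tree at root against a manifest taken before the compromise."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in trusted if k in current and current[k] != trusted[k]),
        "missing": sorted(k for k in trusted if k not in current),
        "unexpected": sorted(k for k in current if k not in trusted),
    }


def safe_to_restore(report: dict) -> bool:
    """Only a backup with no deviations from the trusted manifest should be restored."""
    return not any(report.values())


def demo() -> dict:
    # Constructed sample: a tiny system tree and the manifest captured while it was trusted.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"trusted login binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        trusted = build_manifest(root)
        # Constructed deviations a post-compromise backup might carry: one altered file, one extra file.
        (root / "bin" / "login").write_bytes(b"trusted login binary (tampered)")
        (root / "etc" / "rc.local").write_text("unexpected startup entry\n")
        return verify_backup(root, trusted)
```

The same comparison, re-run against the live system after it is back online, also serves the continued monitoring described under Step 4.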
 
STEP 2: VALIDATE THE SYSTEM
Management and users want to know whether the problem has actually been eradicated.
 
Action 2.1: Once the system has been restored, verify that the operation was successful and the system is back to its normal condition.
Ideally, there is a system test plan against which to evaluate the system. More commonly, the system is run through its normal tasks while being closely monitored by a combination of techniques such as network loggers and system log files. A caveat: patches or techniques applied to close a vulnerability sometimes cause the system to behave differently than it did before the event.
 
STEP 3: DECIDE WHEN TO RESTORE OPERATIONS
Uncertainty about whether all malicious code has been removed can cause long delays.
 
Action 3.1: Put the final decision in the hands of the system owners.
We suggest that the management of the affected system and its system administrators make these decisions. Quite often, they will be sufficiently sensitive to security threats that they may wish to leave the system offline for a couple of days to do an operating system upgrade or even to install additional patches.
 
STEP 4: MONITOR THE SYSTEMS
Back doors and other malicious code can be very well hidden.
 
Action 4.1: Once the system is back online, continue to monitor for back doors that escaped detection.
 
References:
Computer Security Incident Handling: An Action Plan for Dealing with Intrusions, Cyber-Theft, and Other Security-Related Events, Version 2.3.1, Stephen Northcutt, SANS Institute, 2003

Created: 18 مرداد 1393