Recovering from an Attack Version 0.1 March, 2003 Bill Woodcock Packet Clearing House.


1 Recovering from an Attack Version 0.1 March, 2003 Bill Woodcock Packet Clearing House

3 If you’ve been listening at all… You’ll have understood by now that the best time to clean up… …is BEFORE an attack.

4 Points to Consider
- Is the attack ongoing?
- If so, should you stop it, or do you need to allow it to continue in order to backtrack it to its source, or to allow law enforcement to do so?
- If it must be allowed to continue, can critical information be safeguarded without alerting the attacker?

5 Points to Consider
- Is the attack destroying resources, or is there a significant risk that it will do so?
- Is the attack exposing confidential information?
- Is the attack exposing you to liability for facilitating further attacks against others?
- Is the attack preventing your company from performing its core business?
- Is the attack harming employee morale or public relations?

6 If the attack is a PERSON:
- Have you removed access? Changed locks and passwords, and informed security guards?
- Do you need to retrieve company property such as a laptop computer?
- Do you need to inform any third parties, for example by cancelling a company credit card, or informing customers that the person no longer represents your company?

7 If the attack is a DoS:
- Can you characterize the Denial of Service traffic load in some way which distinguishes it from your normal operational traffic?
- If so, convey that information to your upstream ISPs, and ask them to propagate it to their upstream ISPs, while coordinating with law enforcement if feasible.
- Think about what statement, incident, action or person might have incited the attack, and how to avoid doing so again.
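The first bullet asks for a characterization of the attack traffic that separates it from normal load, in terms an upstream provider can act on (protocol, destination port, source networks, packet size). The Python script below is an added example, not part of the original presentation: it profiles a constructed set of flow records from a normal period and from the attack window, reports which destination ports and source /24 networks dominate the attack and how the mean packet size shifted, and renders a one-line summary. The flow record fields, the sample addresses and the thresholds are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (field set is an assumption, modelled on
    NetFlow-style exports): source, destination, protocol, destination
    port, packet count and byte count for the sampling window."""
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    bytes: int


# Constructed sample data (not real traffic): a normal window of web and
# DNS traffic to one server, and the same window plus a UDP/53 flood
# arriving from many hosts in a single /24.
BASELINE = [
    Flow("198.51.100.10", "203.0.113.5", "tcp", 80, 120, 90000),
    Flow("198.51.100.22", "203.0.113.5", "tcp", 443, 80, 64000),
    Flow("198.51.100.31", "203.0.113.5", "udp", 53, 20, 2400),
    Flow("198.51.100.44", "203.0.113.5", "tcp", 80, 100, 75000),
]
ATTACK = BASELINE + [
    Flow(f"192.0.2.{i}", "203.0.113.5", "udp", 53, 5000, 200000)
    for i in range(1, 21)
]


def profile(flows):
    """Summarise a window: total packets, mean packet size, and the share
    of packets per (proto, dport) and per source /24."""
    total = sum(f.packets for f in flows)
    total_bytes = sum(f.bytes for f in flows)
    by_port, by_src24 = Counter(), Counter()
    for f in flows:
        by_port[(f.proto, f.dport)] += f.packets
        by_src24[str(ip_network(f"{f.src}/24", strict=False))] += f.packets
    return {
        "packets": total,
        "avg_packet_bytes": total_bytes / total if total else 0.0,
        "port_share": {k: v / total for k, v in by_port.items()},
        "src24_share": {k: v / total for k, v in by_src24.items()},
    }


def characterize(baseline, attack, min_share=0.5, min_ratio=5.0):
    """Report the features of the attack window that stand out against the
    baseline: a (proto, dport) or source /24 is 'dominant' when it carries
    at least min_share of attack packets and its share grew by at least
    min_ratio over the baseline. Both thresholds are assumptions to tune."""
    b, a = profile(baseline), profile(attack)

    def dominant(key):
        return sorted(
            k for k, share in a[key].items()
            if share >= min_share and share >= min_ratio * b[key].get(k, 0.0)
        )

    return {
        "packet_ratio": a["packets"] / b["packets"] if b["packets"] else float("inf"),
        "baseline_avg_packet_bytes": round(b["avg_packet_bytes"], 1),
        "attack_avg_packet_bytes": round(a["avg_packet_bytes"], 1),
        "dominant_ports": dominant("port_share"),
        "dominant_sources": dominant("src24_share"),
    }


def summary_line(findings, target):
    """One line you could hand to an upstream provider."""
    ports = ", ".join(f"{p}/{d}" for p, d in findings["dominant_ports"]) or "n/a"
    srcs = ", ".join(findings["dominant_sources"]) or "n/a"
    return (f"target {target}: {findings['packet_ratio']:.0f}x baseline packet rate; "
            f"dominant ports {ports}; dominant sources {srcs}; "
            f"mean packet size {findings['attack_avg_packet_bytes']} bytes "
            f"(baseline {findings['baseline_avg_packet_bytes']})")


if __name__ == "__main__":
    print(summary_line(characterize(BASELINE, ATTACK), "203.0.113.5"))
```

The baseline window is the part you prepare before an incident, as the closing slides say: keep a recent normal-traffic profile on hand so the comparison is available when the attack starts rather than reconstructed under pressure. The per-/24 aggregation is what makes the output usable by an upstream provider, who filters on prefixes rather than individual hosts.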

8 If the attack is a VIRUS or WORM:
- Find out how to identify infected machines.
- Find out how to stop propagation or reinfection from the outside or from pockets within your organization.
- Determine to what degree hosts need to be sterilized.
- Download and install a fixed version of the vulnerable software.
- Evaluate whether a more secure piece of software might be in order.

9 If the attack is a TROJAN HORSE
- Educate your staff immediately. Let them know what it looks like, that they should be actively looking for it, and that the consequences of spreading it are very serious.
- Identify affected machines.
- Determine the method of sterilization.

10 If the attack is against SUPPORT INFRASTRUCTURE
- Identify the affected resource (power, communications, cooling, transportation).
- Minimize draw by shutting down less-needed equipment (lights, non-critical processes and machines) and, if cooling is affected, let the temperature rise gradually toward ambient.
- Identify backup hardware and bring it into service.

11 If the attack is against a HOST
- Identify the scope of the attack: has the attacker gained root? Do they have access to the entire file-system?
- Are there special privileges accorded this host by others, which might be made more vulnerable thereby?
- Can the system be isolated, or must it remain on-line?
- What method is the attacker using to communicate with the host?
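Slide 8 asks how to identify infected machines and how far each host must be sterilized, and slide 11 asks whether an attacker has reached the entire file-system. One concrete way to scope both is to compare the host's files against a hash manifest taken before the incident. The Python below is an added example, not part of the original presentation: it builds a SHA-256 manifest of a directory tree, diffs it against a known-good manifest, and exercises that on a constructed temporary tree with a replaced binary, an added configuration file and a deleted log. The file names and contents are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in fixed-size chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a planted link cannot redirect the scan elsewhere."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifest(known_good, current):
    """Return files added, removed and modified relative to the known-good manifest."""
    kg, cur = set(known_good), set(current)
    return {
        "added": sorted(cur - kg),
        "removed": sorted(kg - cur),
        "modified": sorted(k for k in kg & cur if known_good[k] != current[k]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, then apply the kinds of
    change a scoping pass should surface, and report them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("bin", "etc", "var/log"):
            (root / d).mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"known-good ls contents")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "var/log" / "auth.log").write_text("baseline log line\n")
        # In practice the known-good manifest is produced before the incident
        # and stored off the host (see the backups point on the closing slide).
        known_good = build_manifest(root)

        (root / "bin" / "ls").write_bytes(b"different contents")        # modified
        (root / "etc" / "unexpected.conf").write_text("added later\n")  # added
        (root / "var/log" / "auth.log").unlink()                        # removed

        return diff_manifest(known_good, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats follow directly from the slide's own question about root access: if the attacker controls the kernel or the hashing tool, a scan run from the compromised host can be lied to, so run it from trusted media against the mounted file-system; and the manifest itself is only useful if it was taken before the incident and kept where the attacker could not alter it. A host whose system binaries show as modified is a candidate for full reinstallation rather than spot cleaning, which is the "degree of sterilization" decision slide 8 raises.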

14 All of these problems can be responded to more quickly and effectively if you’ve… Considered them and made a contingency plan, and… Prepared any resources like data backups or spare equipment which you’ll need.

15 Bill Woodcock woody@pch.net

