RFC 1244 Site Security Handbook July 1991
6. Establishing Post-Incident Procedures
6.1 Overview
In the wake of an incident, several actions should take place. These
actions can be summarized as follows:
1. An inventory should be taken of the systems' assets,
i.e., a careful examination should determine how the
system was affected by the incident,
2. The lessons learned as a result of the incident
should be included in a revised security plan to
prevent the incident from recurring,
3. A new risk analysis should be developed in light of the
incident,
4. An investigation and prosecution of the individuals
who caused the incident should commence, if it is
deemed desirable.
All four steps should provide feedback to the site security policy
committee, leading to prompt re-evaluation and amendment of the
current policy.
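The first step above, taking an inventory of the systems' assets to determine how the system was affected, is easiest when a known-good baseline of file contents, permissions and ownership was recorded before the incident. The following is an added example, not part of RFC 1244: it compares a constructed pre-incident baseline against a constructed current snapshot and reports which files were added, removed or modified. The file paths, contents and hashes are all constructed in memory; a real deployment would load the baseline from backup media and walk the live filesystem.

```python
"""Post-incident asset inventory: compare the current file state against a
known-good baseline to determine what the incident touched.

Added example for the inventory step; it is not part of RFC 1244.
All paths, contents, modes and owners below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    sha256: str  # hex digest of the file contents
    mode: int    # POSIX permission bits
    owner: str   # owning user


def fingerprint(content: bytes, mode: int, owner: str) -> FileRecord:
    """Build the record stored in a baseline for one file."""
    return FileRecord(hashlib.sha256(content).hexdigest(), mode, owner)


# Constructed baseline: the host as recorded before the incident.
BASELINE = {
    "/etc/passwd": fingerprint(b"root:x:0:0:root:/root:/bin/sh\n", 0o644, "root"),
    "/usr/bin/login": fingerprint(b"ELF-login-v1", 0o755, "root"),
    "/etc/hosts.equiv": fingerprint(b"", 0o644, "root"),
    "/home/alice/.profile": fingerprint(b"PATH=/usr/bin\n", 0o644, "alice"),
}

# Constructed current state: an extra account line, a replaced binary,
# a trust file that became world-writable, a new file, and a missing file.
CURRENT = {
    "/etc/passwd": fingerprint(
        b"root:x:0:0:root:/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n", 0o644, "root"),
    "/usr/bin/login": fingerprint(b"ELF-login-unknown", 0o755, "root"),
    "/etc/hosts.equiv": fingerprint(b"trusted-host\n", 0o666, "root"),
    "/tmp/.x": fingerprint(b"#!/bin/sh\n", 0o755, "alice"),
}


def inventory(baseline: dict, current: dict) -> dict:
    """Return added/removed paths and, for common paths, what attribute changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        before, after = baseline[path], current[path]
        changes = []
        if before.sha256 != after.sha256:
            changes.append("content")
        if before.mode != after.mode:
            changes.append(f"mode {oct(before.mode)}->{oct(after.mode)}")
        if before.owner != after.owner:
            changes.append(f"owner {before.owner}->{after.owner}")
        if changes:
            modified[path] = changes
    return {"added": added, "removed": removed, "modified": modified}


def report(result: dict) -> str:
    """Render the inventory as text suitable for the incident record."""
    lines = []
    for path in result["added"]:
        lines.append(f"ADDED    {path}")
    for path in result["removed"]:
        lines.append(f"REMOVED  {path}")
    for path, changes in result["modified"].items():
        lines.append(f"MODIFIED {path}: {', '.join(changes)}")
    return "\n".join(lines) if lines else "no differences from baseline"


if __name__ == "__main__":
    print(report(inventory(BASELINE, CURRENT)))
```

Every line the report produces is a lead for the examination: a changed system binary points at what to rebuild from trusted media, a changed permission mode points at a control that was weakened, and a new file in a shared directory points at material to preserve before restoring the system. The same comparison, run again after restoration, confirms that the cleanup actually returned the host to its baseline.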
6.2 Removing Vulnerabilities
Removing all vulnerabilities once an incident has occurred is
difficult. The key to removing vulnerabilities is knowledge and
understanding of the breach. In some cases, it is prudent to remove
all access or functionality as soon as possible, and then restore
normal operation in limited stages. Bear in mind that removing all
access while an incident is in progress will obviously notify all
users, including the alleged problem users, that the administrators
are aware of a problem; this may have a deleterious effect on an
investigation. However, allowing an incident to continue may also
open the likelihood of greater damage, loss, aggravation, or
liability (civil or criminal).
If it is determined that the breach occurred due to a flaw in the
systems' hardware or software, the vendor (or supplier) and the CERT
should be notified as soon as possible. Including relevant telephone
numbers (also electronic mail addresses and fax numbers) in the site
security policy is strongly recommended. To aid prompt
acknowledgment and understanding of the problem, the flaw should be
described in as much detail as possible, including details about how
to exploit the flaw.
Site Security Policy Handbook Working Group [Page 78]