This preview shows page 1. Sign up to view the full content.
Unformatted text preview: ing facility, or applying a patch.
This is properly called “following recovery procedures,” because just arbitrarily making
a change to the environment may introduce more problems. The recovery procedures
may state that a new image needs to be installed, backup data needs to be restored, the
system needs to be tested, and all configurations must be properly set.
Regardless of the specifics of the recovery procedures, before an affected system is
returned to production, you must first ensure that it can withstand another attack. It
doesn’t take long for word to get out within the hacker community that a weak system
is online. Trained information security personnel should test the system for vulnerabilities to provide information assurance. Vulnerability testing tools that simulate realworld attacks can help the team harden the system against a variety of attacks, including
those that were originally directed against it.
CAUTION An attacked or infected system should never be trusted because
you do not necessarily know all the changes that have taken place and the true
extent of the damage. Some malicious code could still be hiding somewhere.
Systems should be rebuilt to ensure that all of the potential bad mojo has
been released by carrying out a proper exorcism. What Can We Learn from This?
Closure of an incident is determined by the nature or category of the incident, the
desired incident response outcome (for example, business resumption or system
restoration), and the team’s success in determining the incident’s source and root
cause. Once it is determined that the incident is closed, it is a good idea to have a
team briefing that includes all groups affected by the incident to answer the following questions:
• What happened?
• What did we learn?
• How can we do it better next time?
The team should review the incident and how it was handled and carry out a
postmortem analysis. The information that comes out of this meeting should
indicate what needs to go into the incidence response process and...
View Full Document
- Fall '12