DataMuseum.dk

Presents historical artifacts from the history of:

DKUUG/EUUG Conference tapes

This is an automatic "excavation" of a thematic subset of
artifacts from Datamuseum.dk's BitArchive.

See our Wiki for more about DKUUG/EUUG Conference tapes

Excavated with: AutoArchaeologist - Free & Open Source Software.



⟦8513d7fbc⟧ TextFile

    Length: 2123 (0x84b)
    Types: TextFile
    Names: »recovering.tex«

Derivation

└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
    └─⟦36857feb3⟧ »./papers/Security_Primer/primer.tar.Z« 
        └─⟦5c5f5f2d8⟧ 
            └─⟦this⟧ »recovering.tex« 


\section{Recovering From Disasters}

Incident recovery is the final portion of the incident
handling process.  Like the other portions of incident handling, it is
not particularly difficult but is sufficiently intricate to allow for
many errors.

\begin{description}

\item[Telling everyone that it is over.]  For a large incident, it is not
unusual to have contacted people at a dozen or more sites.  It is
important to let everyone know that you are done and to be sure to
give your colleagues the information that they need.  It is also
important that your staff knows that things are over so that they can
return to normal work.  Generally a lot of people need to be thanked for
the extra hours and effort that they have contributed.

\item[Removing all Tools.]  Many of the tools that
were installed and used during an incident need to be removed from the
system.  Some will interfere with performance.  Others are worth
stealing by a clever attacker.  Similarly, a future attacker that gets a
chance to look at the tools will know a lot about how you are going to
track him.  Often extra accounts are added for handling the incident.
These need to be removed.

\item[File and Service Restoration.]  Returning the file system to a
``known good state'' is often the most difficult part of recovery.
This is especially true with long incidents.


\item[Reporting Requirements.]  Often, especially if law enforcement
agencies have become involved, a formal report will be required.  

\item[History.]  After everything is over, a final reconstruction of
the events is appropriate.  In this way, everyone on your staff is
telling the same story.

\item[Future Prevention.]  It is important to make sure that {\em
all\/} of the vulnerabilities that were used in, or that created, the
incident are secured.

\end{description}



Just after an incident, it is likely to be a good time to create
sensible policies where they have not existed in the past and to
request extra equipment or staffing to increase security.  Similarly,
it is a logical time for someone else to demand stricter (nonsensical)
policies to promote security.