CertiGuide to Security+, Chapter 3: Infrastructure Security (Domain 3.0; 20%), Section 3.4 Intrusion Detection, 3.4.4 Incident Response


Reporting Incidents to Third Parties

Additionally, you may wish to take advantage of some third-party channels. For example, if you seem to have a new vulnerability on your hands, you might want to contact your application, OS or security product (firewall, IDS, etc.) vendors to see what information you can share with them, so they can protect against (or respond to) this vulnerability. You might want to contact CERT [347] or the BUGTRAQ mailing list to report the flaw so that other white hats find out about it and can take appropriate action (if it has been aimed at you, at least one black hat already has the exploit). Depending on the type and severity of the incident, you may also want to alert law enforcement personnel.

These channels also often carry information about how to respond to particular threats, such as explanations of software bugs you might have missed, which versions of the software have the bug fixed, and where to get them. As far as viruses are concerned, you can also check with the primary anti-virus sites, which often make available (even to non-customers) information on how to recover from common virus infections.

A debate has raged recently over the issue of “disclosure”: if you find a bug, whom should you inform, when should you inform them, and how much should you say? Again, this is one of those issues on which many people have opinions, but there is not necessarily one blanket answer appropriate for all situations. If you inform everyone at the same time, and crackers who might not have known about the hole beforehand find out about it and create an exploit, you could potentially be liable under the Digital Millennium Copyright Act for an activity affecting cybersecurity. On the other hand, if you inform only the vendor, months go by, and the vendor has not told you of any plans to fix the hole you found, you have reason to believe an exploit is likely to show up before a fix does. Let your organization’s policies, your conscience and perhaps your management be your guide.

Incident Response – Where To Start

To get you started, here are some resources:

SANS, at http://www.sans.org, offers instructional documents, vulnerability alerts and the SANS Digest, a mailing list focused on computer security-related news and vulnerability reports.

BUGTRAQ, at http://www.securityfocus.com, offers a variety of security information as well as the full-disclosure mailing list BUGTRAQ and archives of the list.

NTBUGTRAQ, at http://www.ntbugtraq.com, offers the NTBUGTRAQ mailing list about Windows vulnerabilities, archives of the list, and editorials about issues significant to security administrators.

CERT, at http://www.cert.org, offers a vulnerability database, informational documents and the CERT Advisory Mailing List. (Note that CERT is sometimes criticized for delaying the publication of vulnerability alerts; if you are seeking the timeliest information, you may want to check the other sources first.)


If you are running UNIX or Linux and would like a reference on “what to do if we’re compromised,” check out Bob Toxen’s Real World Linux Security [348].


 __________________

[347] CERT Coordination Center, http://www.cert.org

[348] Toxen, Bob and Seth Fogie, Real World Linux Security, Prentice-Hall, November 2000, http://www.nerdbooks.com/item.html?id=0130281875


CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.