Computer Security

Ensuring the security of your computer system and protecting against hackers, viruses and similar threats is paramount.

Intrusion Incidents - Remember, you're not the first to be faced with an incident of this type, so why not take advantage of the experience gained by others?

Emergency Response - Before you contact us

While investigating an incident, information will be received from many sources. Your understanding of the problem will change. Your memory of events will become confused. Recording what you do and find will reduce confusion and will be essential if you wish to take an incident to the police.

Get a notebook - preferably a hardback bound notebook like those used for recording laboratory experiments. Record details of phone calls, mail messages, commands typed, log file entries, and files found. Remember to include the date and time. Keep hard copies of pertinent information from the system. Keep electronic copies off-line.

Create a back-up of the system - Information on this back-up will be important in investigating the problem, and vital if you need to involve the police at any stage.
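As an added illustration of the two points above (a dated record of every command and finding, plus a verifiable copy of the system for later investigation), the following POSIX shell script is not part of the original page: it images a source device or file, hashes the result, and appends timestamped entries to a notebook-style log. The source path, the image directory and the log file name are assumptions supplied as arguments.

```shell
#!/bin/sh
# Added example, not from the original page: preserve a disk as evidence
# and record each step with a UTC timestamp, as the notebook advice asks.
# Assumed arguments: $1 source device/file, $2 image directory, $3 log file.
set -eu

# Append one timestamped line to the log (a machine-kept "notebook").
log_entry() {
    _log="$1"; shift
    printf '%s\t%s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$_log"
}

# Image the source, hash source and image, log everything, and make the
# image read-only. Prints the image path; returns 1 on a hash mismatch
# (which also means unreadable sectors were zero-padded by dd).
preserve_image() {
    src="$1"; outdir="$2"; log="$3"
    img="$outdir/$(basename "$src")_$(date -u '+%Y%m%dT%H%M%SZ').img"
    mkdir -p "$outdir"
    log_entry "$log" "START imaging $src -> $img by $(id -un) on $(uname -n)"
    # noerror keeps reading past bad sectors; sync pads them with zeros so
    # the image stays aligned with the source. dd's own statistics and any
    # error text go into the log rather than being lost.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    log_entry "$log" "SHA256 source=$src_hash image=$img_hash"
    if [ "$src_hash" != "$img_hash" ]; then
        log_entry "$log" "MISMATCH image does not verify against source"
        return 1
    fi
    chmod 0444 "$img"   # the copy is evidence; later analysis must not alter it
    log_entry "$log" "END verified image $img (read-only)"
    printf '%s\n' "$img"
}

# Run only when invoked with all three arguments.
if [ "$#" -eq 3 ]; then
    preserve_image "$1" "$2" "$3"
fi
```

Store the image and the log off-line afterwards; the log's hash lines are what let you later show that the copy you analysed is the copy you took.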

Keep existing back-ups

Evidence may be found that shows the intrusions started much earlier than first suspected. Existing back-ups represent a snapshot of the state of the system at various occasions in the past. These may yield useful information about the date of the attack, the mechanism used to gain entry and what use has been made of the system.

Restrict use of email

If the intruder returns, they will often search mailboxes for signs that they have been noticed.

When discovered, many intruders will attempt to remove evidence by destroying all the files on the system.

Limit the use made of e-mail by people who know about the incident. If possible, use encryption to keep such communications private.

Avoid keeping messages on machines or in places where they are likely to be found.

Never use emotive words like "hacker" or "security": they are obvious phrases someone will search for.

Investigating Incidents

When a computer security incident is discovered it is tempting to dive in and start investigating at once. However, this course of action is likely to ruin any chance of a possible prosecution and may well destroy or confuse information that would have allowed the cause of the incident to be discovered. The first step must be to decide which outcome is the most important:

to prosecute the offender;

to restore the computer to service;

to understand all details of the incident.

Unless duplicate hardware and software are available, it is unlikely to be possible to achieve more than one of these aims.

Preparing for Prosecution

If the aim is to pursue a prosecution then it is vital to protect the information that exists on the computer.

Returning to service

To return the computer to service it will be necessary to repair all damage to it and restore its original function. In some cases this will involve reinstalling the system from scratch, either because of the seriousness of the damage that can be seen or because it is impossible to determine the extent of the damage. Any incident where an intruder may have had privileged access to the computer should be treated as the latter case, as the software and operating system you use to investigate may well have been modified to conceal traces of the attack. There is also no point in restoring the system to the same state that allowed the intruder access, so even if the priority is to restore service, some investigation will be required to determine and remove the means of access.

Forensic Investigations

Most incidents can be understood using standard operating system tools and simple processes. However, in a few cases, understanding the full course of an incident will require an investigation of the past history of the computer, looking for deleted files and other information retained by the system. This requires the knowledge and tools of computer forensics.

Forensic investigations are often performed by experts as part of a legal investigation. They know the procedures needed to produce evidence documented to the required standard, and investigations for court purposes should be left to them.