
5.5.2 Formal and Informal Legal Procedures

One of the most important considerations in dealing with investigative agencies is verifying that the person who calls asking for information is a legitimate representative of the agency in question. Unfortunately, many well-intentioned people have unknowingly leaked sensitive information about incidents, allowed unauthorized people into their systems, and so on, because a caller masqueraded as an FBI or Secret Service agent. Do not rely on caller identity as presented; confirm it through a channel you control, such as calling the agency back on a number obtained independently of the caller.

A similar consideration is the use of a secure means of communication. Because many network attackers can easily reroute electronic mail, avoid using electronic mail to communicate with other agencies (as well as with others dealing with the incident at hand). Non-secured phone lines (e.g., the phones normally used in the business world) are also frequent targets for tapping by network intruders, so be careful!

RFC 1244 The Site Security Handbook

There is no established set of rules for responding to an incident when the U.S. Federal Government becomes involved. Except by court order, no agency can force you to monitor, to disconnect from the network, to avoid telephone contact with the suspected attackers, etc. As discussed in section 5.5.1, you should consult your legal counsel, especially before taking an action that your organization has never taken. The particular agency involved may, for example, ask you to leave an attacked machine on and to monitor activity on it. Complying with such a request will help ensure the continued cooperation of the agency, which is usually the best route towards finding the source of the network attacks and, ultimately, terminating them.

Additionally, you may need some information or a favor from the agency involved in the incident. You are likely to get what you need only if you have been cooperative. Of particular importance is avoiding unnecessary or unauthorized disclosure of information about the incident, including any information furnished by the agency involved. The trust between your site and the agency hinges upon your ability to avoid compromising the case the agency will build; keeping tight-lipped is imperative.

Sometimes your needs and the needs of an investigative agency will differ. Your site may want to get back to normal business by closing an attack route, but the investigative agency may want you to keep this route open. Similarly, your site may want to shut a compromised system down to avoid the possibility of negative publicity, but again the investigative agency may want you to continue monitoring. When there is such a conflict, there may be a complex set of tradeoffs (e.g., the interests of your site's management, the amount of resources you can devote to the problem, jurisdictional boundaries, etc.).

An important guiding principle is related to what might be called "Internet citizenship" [22, IAB89, 23] and its responsibilities. Your site can shut a system down, and this will relieve you of the stress, resource demands, and danger of negative exposure. The attacker, however, is likely to simply move on to another system, temporarily leaving others blind to the attacker's intentions and actions until another path of attack can be detected. Provided that there is no damage to your systems and others, the most responsible course of action is to cooperate with the participating agency by leaving your compromised system on. This will allow monitoring (and, ultimately, the possibility of terminating the source of the threat to systems just like yours). On the other hand, if there is damage to computers illegally accessed through your system, the choice is more complicated: shutting the intruder out may prevent further damage to those systems, but might make it impossible to track the intruder down. If there has been damage, the decision about whether it is important to leave systems up to catch the intruder should involve all the organizations affected. Further complicating the issue of network responsibility is the consideration that if you do not cooperate with the agency involved, you will be less likely to receive help from that agency in the future.

Part I: Managing Internet Security

5.6 Documentation Logs

When you respond to an incident, document all details related to the incident. This will provide valuable information to yourself and others as you try to unravel the course of events. Documenting all details will ultimately save you time. If you don't document every relevant phone call, for example, you are likely to forget a good portion of the information you obtain, requiring you to contact the source of the information once again. This wastes your time and others', something you can ill afford. At the same time, recording details will provide evidence for prosecution efforts, should the case move in that direction. Documenting an incident also will help you perform a final assessment of damage (something your management as well as law enforcement officers will want to know), and will provide the basis for a follow-up analysis in which you can engage in a valuable "lessons learned" exercise.

During the initial stages of an incident, it is often infeasible to determine whether prosecution is viable, so you should document as if you are gathering evidence for a court case. At a minimum, you should record:

  All system events (audit records).
  All actions you take (time tagged)