RE: Incident investigation methodologies

From: pfft (col_panic2_at_yahoo.com)
Date: 06/14/04

  • Next message: Lachniet, Mark: "RE: Simple Windows incident response methodology"
    Date: Mon, 14 Jun 2004 06:40:08 -0700 (PDT)
    To: incidents@securityfocus.com
    
    

    --- Harlan Carvey <keydet89@yahoo.com> wrote:

    > > Agreed. So if we assign response scenarios based upon
    > > criticality of data, we can provide administrators
    > > with a template for each type of situation.
    >
    > Agreed. However, consider this...rather than assigning
    > response scenarios based on criticality of data, the
    > response activities should be based on policy...and the
    > policy should identify critical systems. A matter of
    > semantics, perhaps, but policies and procedures are a
    > critical part of incident response, particularly in a
    > corporate environment. They also play a critical role
    > in the LEO environment.

    I'll buy that.
     
    > I think the question then becomes, do we need to have
    > separate templates based on the activities, or can we
    > create a single template for, say, the most critical
    > systems, and that same template can be used for all
    > less-critical systems?

    If a single template simplifies things, then I think
    that is best. I just think administrators may shy away
    from a complex forensic procedure on non-critical
    systems, so the parts that apply to all systems should
    be highlighted as such and things like memory dumps
    can be left to those with the need, time and skill
    required.
       

    > What I've been trying to develop is a usable,
    > verifiable, documented procedure for collecting volatile
    > data from live systems, to perform incident
    > verification and identification.
     
    Excellent idea.

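    The "usable, verifiable, documented procedure for collecting volatile data" that the thread closes on is the one technical hook here, so the following is an added example, not code from either poster. It is a PowerShell script for a live Windows host that runs a fixed, ordered set of collection steps (most volatile first), writes each result to an evidence directory, and records the start time, operator and SHA-256 of every output in a manifest, which is what makes the collection verifiable after the fact. The case identifier, evidence path and the exact set of steps are assumptions; the cmdlets used (Get-NetTCPConnection, Get-CimInstance, Get-FileHash) exist on Windows 8 / Server 2012 and later with PowerShell 4+.

```powershell
# Added example: verifiable volatile-data collection for a live Windows host.
# Not from the original thread. CaseId, EvidenceRoot and the step list are assumptions.
param(
    [string]$CaseId       = "CASE-0001",   # assumed case identifier
    [string]$EvidenceRoot = "E:\IR"        # assumed removable evidence drive
)

$hostName = $env:COMPUTERNAME
$stamp    = (Get-Date).ToUniversalTime().ToString("yyyyMMddTHHmmssZ")
$outDir   = Join-Path $EvidenceRoot "$CaseId-$hostName-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Ordered: most volatile evidence first, so later steps cannot disturb earlier ones.
$steps = [ordered]@{
    "01-date"      = { Get-Date -Format o; [System.TimeZoneInfo]::Local.Id }
    "02-netconn"   = { Get-NetTCPConnection | Sort-Object State, LocalPort |
                       Format-Table -AutoSize | Out-String -Width 300 }
    "03-processes" = { Get-CimInstance Win32_Process |
                       Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate |
                       Format-Table -AutoSize | Out-String -Width 300 }
    "04-services"  = { Get-CimInstance Win32_Service |
                       Select-Object Name, State, StartMode, PathName |
                       Format-Table -AutoSize | Out-String -Width 300 }
    "05-sessions"  = { query user 2>&1; net session 2>&1 }
    "06-arp-dns"   = { arp -a; ipconfig /displaydns }
}

# Run every step, capture its output to its own file, and hash the file immediately.
$manifest = foreach ($name in $steps.Keys) {
    $file  = Join-Path $outDir "$name.txt"
    $start = (Get-Date).ToUniversalTime()
    try   { & $steps[$name] 2>&1 | Out-File -FilePath $file -Encoding utf8 }
    catch { "ERROR: $_"       | Out-File -FilePath $file -Encoding utf8 }
    [pscustomobject]@{
        Step       = $name
        StartedUtc = $start.ToString("o")
        File       = Split-Path $file -Leaf
        Sha256     = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        Operator   = "$env:USERDOMAIN\$env:USERNAME"
    }
}

$manifestPath = Join-Path $outDir "manifest.csv"
$manifest | Export-Csv -Path $manifestPath -NoTypeInformation

# Print the manifest hash so it can be copied into the handwritten or ticket notes;
# anyone can later re-hash the files and confirm nothing was altered or added.
(Get-FileHash -Path $manifestPath -Algorithm SHA256).Hash
```

    Two caveats a responder would want stated in the procedure itself. First, this script trusts the cmdlets and native tools already on the suspect host; if the template is meant for a possibly rootkitted system, the procedure should instead point at known-good, statically linked tools on read-only media and record their hashes in the manifest as well. Second, the manifest hash is only as good as where it is written down: it belongs in notes kept off the host, not just in the evidence directory it describes.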

