Advanced Technology Laboratory
Security Checklist
Avoid Panic.
- Step away from the affected computers or networks. Find a
trusted, uninvolved colleague. Take a deep breath or
two. Don't take the attack personally.
- In many cases, a problem isn't noticed until hours or days
after it took place. Another few hours or days won't make a bit
of difference. The difference between a panicked response and a
rational response will.
- At least 50% of recovery situations are made difficult by
crucial log/tracking information destroyed during the initial
panic.
Assess the appropriate level of response.
- No one benefits from an over-hyped security
incident. Proceed calmly.
Immediately hoard all available information.
- Check accounting files, logs, etc.
- Write-protect backup tapes before you read them.
Assess immediate corporate/data risk.
- Determine what crucial information (if any) left the
company.
- Determine the level of future risk.
If necessary/appropriate, disconnect compromised machines from the network.
Stop, Look, Listen.
With a creative colleague, and away from a keyboard, draw up a
recovery plan on a nearby whiteboard.
- Put out the fire, minimize the damage.
- Recover from backups
- Deal with the psychological fallout
- Run diffs and checksums
- Check timestamps
- Examine audit logs
- Look for squirreled-away files
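The "hoard all available information" step and the recovery-plan items above (run diffs and checksums, check timestamps, look for squirreled-away files) can be carried out with a small file-integrity snapshot. The script below is an added example and is not part of the original checklist; the directory layout, file names and the incident cutoff time are all constructed for the demonstration. It records a SHA-256 and modification time for every regular file under a root, saves that baseline as a write-protected JSON file whose own digest is kept for later comparison, and then diffs a second snapshot against it, reporting added, removed and modified files, files whose content changed while their timestamp stayed put (backdating), files written after the incident window opened, and dot-files or dot-directories.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large logs are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record (sha256, mtime) for every regular file under root.
    os.walk is used on purpose: it lists dot-files, which are exactly
    the squirreled-away files we want to see."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if p.is_symlink():
                continue  # do not hash through links; the target is walked on its own
            rel = p.relative_to(root).as_posix()
            out[rel] = (hash_file(p), p.stat().st_mtime)
    return out


def save_snapshot(snap: dict, dest: Path) -> str:
    """Hoard the snapshot as read-only JSON and return its digest, so the
    evidence file can later be shown to be unaltered."""
    data = json.dumps(snap, sort_keys=True, indent=1).encode()
    dest.write_bytes(data)
    dest.chmod(0o440)
    return hashlib.sha256(data).hexdigest()


def compare(baseline: dict, current: dict, cutoff: float) -> dict:
    """Diff two snapshots. cutoff is the earliest time the incident could
    have started; anything written after it deserves a look."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    common = set(baseline) & set(current)
    modified = sorted(p for p in common if baseline[p][0] != current[p][0])
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        # content changed but mtime identical: someone reset the timestamp
        "backdated": sorted(p for p in modified
                            if baseline[p][1] == current[p][1]),
        # written after the incident window opened (by their own clock)
        "changed_since_cutoff": sorted(p for p, (_h, mtime) in current.items()
                                       if mtime > cutoff),
        # dot-files / dot-directories: a classic place to squirrel things away
        "hidden": sorted(p for p in current
                         if any(part.startswith(".") for part in p.split("/"))),
    }


def demo() -> dict:
    """Constructed scenario in a temporary directory (no real system files)."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "root"
    evidence = tmp / "evidence"
    root.mkdir()
    evidence.mkdir()
    t0 = 1_000_000_000  # fixed 'known good' mtime for the baseline (constructed)
    for rel, body in {"bin/server": b"server v1",
                      "etc/app.cfg": b"debug=0\n",
                      "var/log/access.log": b"GET / 200\n"}.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
        os.utime(p, (t0, t0))
    baseline = snapshot(root)
    digest = save_snapshot(baseline, evidence / "baseline.json")

    # --- simulated changes after the baseline was taken ---
    (root / "bin/server").write_bytes(b"server v1 + extra")
    os.utime(root / "bin/server", (t0, t0))       # timestamp put back (backdated)
    with (root / "etc/app.cfg").open("ab") as f:
        f.write(b"debug=1\n")                      # honest mtime (now)
    (root / ".cache").mkdir()
    (root / ".cache/.tool").write_bytes(b"x")      # squirreled-away dot-file
    (root / "var/log/access.log").unlink()         # log removed

    report = compare(baseline, snapshot(root), cutoff=t0 + 1)
    report["baseline_digest"] = digest
    shutil.rmtree(tmp)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the baseline would be taken from known-good media (a write-protected backup, a distribution image) rather than from the suspect machine after the fact, and the evidence file and its digest belong on media the compromised host cannot reach.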
Educate users and management on the assessed risk and preliminary recovery strategy.
Implement the recovery strategy.
If you determine the problem to
have come from outside your organization, report the incident to
the Computer Emergency Response Team (CERT) at +1-412-268-7090
(MILNET USERS: call SCC at 1-800-235-3155).
Last modified: Sat Oct 30 23:04:39 PDT 2004