Advanced Technology Laboratory

Security Checklist

Avoid Panic.

• Step away from the affected computers or networks. Find a trusted, uninvolved colleague. Take a deep breath or two. Don't take the attack personally.
• In many cases, a problem isn't noticed until hours or days after it took place. Another few hours or days won't make a bit of difference. The difference between a panicked response and a rational response will.
• At least 50% of recovery situations are made difficult by crucial log/tracking information destroyed during the initial panic.

Assess the appropriate level of response.

• No one benefits from an over-hyped security incident. Proceed calmly.

Immediately hoard all available information.

• Check accounting files, logs, etc.
• Write protect backup tapes if you read them.

Assess immediate corporate/date risk.

• Determine what crucial information (if any) left the company.
• Determine the level of future risk.

If necessary/appropriate, disconnect compromised machines from the network.

Stop, Look, Listen.

With a creative colleague, and away from a keyboard, draw up a recovery plan on a nearby whiteboard.

• Put out the fire, minimize the damage.
• Recover from backups
• Deal with the psychological fallout
• Run diffs and checksums
• Check timestamps
• Examine audit logs
• Look for squirreled-away files

Educate users and management on the assessed risk and preliminary recovery strategy.

Implement the recovery strategy.

If you determine the problem to have come from outside your organization, report the incident to the Computer Emergency Response Team (CERT) at +1-412-268-7090 (MILNET USERS: call SCC at 1-800-235-3155).